detect: generic callback for md5-like keywords

Ticket: 5634
OISF · Oct 8, 2024 · 792b8b1 · 792b8b1
1 parent 695d404
commit 792b8b1
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 145 deletions.
diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
@@ -90,6 +90,11 @@ Deprecations
  Suricata 9.0. Note that this is the standalone ``syslog`` output and
  does affect the ``eve`` outputs ability to send to syslog.
 
+Keyword changes
+~~~~~~~~~~~~~~~
+- ``ja3.hash`` and ``ja3s.hash`` no longer accept contents with non hexadecimal
+ characters, as they will never match.
+
 Logging changes
 ~~~~~~~~~~~~~~~
 - RFB security result is now consistently logged as ``security_result`` when it was

diff --git a/src/detect-engine.c b/src/detect-engine.c
@@ -4963,6 +4963,35 @@ void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
  det_ctx->events++;
 }
 
+bool DetectMd5ValidateCallback(
+ const Signature *s, const DetectContentData *cd, const char **sigerror)
+{
+ if (cd->flags & DETECT_CONTENT_NOCASE) {
+ *sigerror = "md5-like keyword should not be used together with "
+ "nocase, since the rule is automatically "
+ "lowercased anyway which makes nocase redundant.";
+ SCLogWarning("rule %u: %s", s->id, *sigerror);
+ }
+
+ if (cd->content_len != SC_MD5_HEX_LEN) {
+ *sigerror = "Invalid length for md5-like keyword (should "
+ "be 32 characters long). This rule will therefore "
+ "never match.";
+ SCLogError("rule %u: %s", s->id, *sigerror);
+ return false;
+ }
+
+ for (size_t i = 0; i < cd->content_len; ++i) {
+ if (!isxdigit(cd->content[i])) {
+ *sigerror = "Invalid md5-like string (should be string of hexadecimal characters)."
+ "This rule will therefore never match.";
+ SCLogWarning("rule %u: %s", s->id, *sigerror);
+ return false;
+ }
+ }
+ return true;
+}
+
 /*************************************Unittest*********************************/
 
 #ifdef UNITTESTS

diff --git a/src/detect-engine.h b/src/detect-engine.h
@@ -226,6 +226,9 @@ void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t
 
 void DetectEngineStateResetTxs(Flow *f);
 
+bool DetectMd5ValidateCallback(
+ const Signature *s, const DetectContentData *cd, const char **sigerror);
+
 void DeStateRegisterTests(void);
 
 #endif /* SURICATA_DETECT_ENGINE_H */
diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c
@@ -59,8 +59,7 @@
 #ifdef UNITTESTS
 static void DetectHttpUriRegisterTests(void);
 #endif
-static void DetectHttpUriSetupCallback(const DetectEngineCtx *de_ctx,
- Signature *s);
+static void DetectHttpUriSetupCallback(const DetectEngineCtx *de_ctx, Signature *s);
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
  const DetectEngineTransforms *transforms,
  Flow *_f, const uint8_t _flow_flags,
@@ -70,8 +69,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
  const int list_id);
 static int DetectHttpUriSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
 static int DetectHttpRawUriSetup(DetectEngineCtx *, Signature *, const char *);
-static void DetectHttpRawUriSetupCallback(const DetectEngineCtx *de_ctx,
- Signature *s);
+static void DetectHttpRawUriSetupCallback(const DetectEngineCtx *de_ctx, Signature *s);
 static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx,
  const DetectEngineTransforms *transforms,
  Flow *_f, const uint8_t _flow_flags,

diff --git a/src/detect-quic-cyu-hash.c b/src/detect-quic-cyu-hash.c
@@ -82,35 +82,6 @@ static InspectionBuffer *QuicHashGetData(DetectEngineThreadCtx *det_ctx,
  SCReturnPtr(buffer, "InspectionBuffer");
 }
 
-static bool DetectQuicHashValidateCallback(
- const Signature *s, const DetectContentData *cd, const char **sigerror)
-{
- if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = BUFFER_NAME " should not be used together with "
- "nocase, since the rule is automatically "
- "lowercased anyway which makes nocase redundant.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- }
-
- if (cd->content_len != 32) {
- *sigerror = "Invalid length of the specified" BUFFER_NAME " (should "
- "be 32 characters long). This rule will therefore "
- "never match.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- return false;
- }
- for (size_t i = 0; i < cd->content_len; ++i) {
- if (!isxdigit(cd->content[i])) {
- *sigerror =
- "Invalid " BUFFER_NAME " string (should be string of hexadecimal characters)."
- "This rule will therefore never match.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- return false;
- }
- }
- return true;
-}
-
 void DetectQuicCyuHashRegister(void)
 {
  /* quic.cyu.hash sticky buffer */
@@ -130,7 +101,7 @@ void DetectQuicCyuHashRegister(void)
 
  g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
 
- DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectQuicHashValidateCallback);
+ DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectMd5ValidateCallback);
 
  DetectBufferTypeSupportsMultiInstance(BUFFER_NAME);
 }

diff --git a/src/detect-ssh-hassh-server.c b/src/detect-ssh-hassh-server.c
@@ -118,35 +118,6 @@ static int DetectSshHasshServerSetup(DetectEngineCtx *de_ctx, Signature *s, cons
 
 }
 
-static bool DetectSshHasshServerHashValidateCallback(
- const Signature *s, const DetectContentData *cd, const char **sigerror)
-{
- if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = "ssh.hassh.server should not be used together with "
- "nocase, since the rule is automatically "
- "lowercased anyway which makes nocase redundant.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- }
-
- if (cd->content_len != 32) {
- *sigerror = "Invalid length of the specified ssh.hassh.server (should "
- "be 32 characters long). This rule will therefore "
- "never match.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- return false;
- }
- for (size_t i = 0; i < cd->content_len; ++i) {
- if (!isxdigit(cd->content[i])) {
- *sigerror = "Invalid ssh.hassh.server string (should be string of hexadecimal "
- "characters)."
- "This rule will therefore never match.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- return false;
- }
- }
- return true;
-}
-
 static void DetectSshHasshServerHashSetupCallback(const DetectEngineCtx *de_ctx,
  Signature *s)
 {
@@ -195,5 +166,5 @@ void DetectSshHasshServerRegister(void)
  g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
 
  DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshServerHashSetupCallback);
- DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshServerHashValidateCallback);
+ DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectMd5ValidateCallback);
 }
diff --git a/src/detect-ssh-hassh.c b/src/detect-ssh-hassh.c
@@ -118,34 +118,6 @@ static int DetectSshHasshSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 
 }
 
-static bool DetectSshHasshHashValidateCallback(
- const Signature *s, const DetectContentData *cd, const char **sigerror)
-{
- if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = "ssh.hassh should not be used together with "
- "nocase, since the rule is automatically "
- "lowercased anyway which makes nocase redundant.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- }
-
- if (cd->content_len != 32) {
- *sigerror = "Invalid length of the specified ssh.hassh (should "
- "be 32 characters long). This rule will therefore "
- "never match.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- return false;
- }
- for (size_t i = 0; i < cd->content_len; ++i) {
- if (!isxdigit(cd->content[i])) {
- *sigerror = "Invalid ssh.hassh string (should be string of hexadecimal characters)."
- "This rule will therefore never match.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- return false;
- }
- }
- return true;
-}
-
 static void DetectSshHasshHashSetupCallback(const DetectEngineCtx *de_ctx,
  Signature *s)
 {
@@ -194,6 +166,6 @@ void DetectSshHasshRegister(void)
  g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
 
  DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshHashSetupCallback);
- DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshHashValidateCallback);
+ DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectMd5ValidateCallback);
 }
 
diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c
@@ -70,10 +70,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
  const DetectEngineTransforms *transforms,
  Flow *f, const uint8_t flow_flags,
  void *txv, const int list_id);
-static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
- Signature *s);
-static bool DetectTlsJa3HashValidateCallback(
- const Signature *s, const DetectContentData *cd, const char **sigerror);
+static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx, Signature *s);
 static int g_tls_ja3_hash_buffer_id = 0;
 #endif
 
@@ -112,8 +109,7 @@ void DetectTlsJa3HashRegister(void)
  DetectBufferTypeRegisterSetupCallback("ja3.hash",
  DetectTlsJa3HashSetupCallback);
 
- DetectBufferTypeRegisterValidateCallback("ja3.hash",
- DetectTlsJa3HashValidateCallback);
+ DetectBufferTypeRegisterValidateCallback("ja3.hash", DetectMd5ValidateCallback);
 
  g_tls_ja3_hash_buffer_id = DetectBufferTypeGetByName("ja3.hash");
 #endif /* HAVE_JA3 */
@@ -178,26 +174,6 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
  return buffer;
 }
 
-static bool DetectTlsJa3HashValidateCallback(
- const Signature *s, const DetectContentData *cd, const char **sigerror)
-{
- if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = "ja3.hash should not be used together with "
- "nocase, since the rule is automatically "
- "lowercased anyway which makes nocase redundant.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- }
-
- if (cd->content_len == SC_MD5_HEX_LEN)
- return true;
-
- *sigerror = "Invalid length of the specified JA3 hash (should "
- "be 32 characters long). This rule will therefore "
- "never match.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- return false;
-}
-
 static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
  Signature *s)
 {

diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c
@@ -70,10 +70,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
  const DetectEngineTransforms *transforms,
  Flow *f, const uint8_t flow_flags,
  void *txv, const int list_id);
-static void DetectTlsJa3SHashSetupCallback(const DetectEngineCtx *de_ctx,
- Signature *s);
-static bool DetectTlsJa3SHashValidateCallback(
- const Signature *s, const DetectContentData *cd, const char **sigerror);
+static void DetectTlsJa3SHashSetupCallback(const DetectEngineCtx *de_ctx, Signature *s);
 static int g_tls_ja3s_hash_buffer_id = 0;
 #endif
 
@@ -111,8 +108,7 @@ void DetectTlsJa3SHashRegister(void)
  DetectBufferTypeRegisterSetupCallback("ja3s.hash",
  DetectTlsJa3SHashSetupCallback);
 
- DetectBufferTypeRegisterValidateCallback("ja3s.hash",
- DetectTlsJa3SHashValidateCallback);
+ DetectBufferTypeRegisterValidateCallback("ja3s.hash", DetectMd5ValidateCallback);
 
  g_tls_ja3s_hash_buffer_id = DetectBufferTypeGetByName("ja3s.hash");
 #endif /* HAVE_JA3 */
@@ -176,26 +172,6 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
  return buffer;
 }
 
-static bool DetectTlsJa3SHashValidateCallback(
- const Signature *s, const DetectContentData *cd, const char **sigerror)
-{
- if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = "ja3s.hash should not be used together with "
- "nocase, since the rule is automatically "
- "lowercased anyway which makes nocase redundant.";
- SCLogWarning("rule %u: %s", s->id, *sigerror);
- }
-
- if (cd->content_len == SC_MD5_HEX_LEN)
- return true;
-
- *sigerror = "Invalid length of the specified JA3S hash (should "
- "be 32 characters long). This rule will therefore "
- "never match.";
- SCLogError("rule %u: %s", s->id, *sigerror);
- return false;
-}
-
 static void DetectTlsJa3SHashSetupCallback(const DetectEngineCtx *de_ctx,
  Signature *s)
 {