suricata
detect-ja4-hash.c
Go to the documentation of this file.
1/* Copyright (C) 2023 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Sascha Steinbiss <sascha@steinbiss.name>
22 *
23 * Implements support for ja4.hash keyword.
24 */
25
26#include "suricata-common.h"
27#include "threads.h"
28#include "decode.h"
29#include "detect.h"
30
31#include "detect-parse.h"
32#include "detect-engine.h"
33#include "detect-engine-buffer.h"
34#include "detect-engine-mpm.h"
35#include "detect-engine-prefilter.h"
36#include "detect-ja4-hash.h"
37
38#include "app-layer-ssl.h"
39
40#ifndef HAVE_JA4
41static int DetectJA4SetupNoSupport(DetectEngineCtx *a, Signature *b, const char *c)
42{
43 SCLogError("no JA4 support built in");
44 return -1;
45}
46#endif /* HAVE_JA4 */
47
48#ifdef HAVE_JA4
49static int DetectJa4HashSetup(DetectEngineCtx *, Signature *, const char *);
50static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
51 const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
52 const int list_id);
53int Ja4IsDisabled(const char *type);
54static InspectionBuffer *Ja4DetectGetHash(DetectEngineThreadCtx *det_ctx,
55 const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
56 const int list_id);
57#ifdef UNITTESTS
58static void DetectJa4RegisterTests(void);
59#endif
60
61static int g_ja4_hash_buffer_id = 0;
62#endif
63
64/**
65 * \brief Registration function for keyword: ja4.hash
66 */
67void DetectJa4HashRegister(void)
68{
69 sigmatch_table[DETECT_JA4_HASH].name = "ja4.hash";
70 sigmatch_table[DETECT_JA4_HASH].alias = "ja4_hash";
71 sigmatch_table[DETECT_JA4_HASH].desc = "sticky buffer to match the JA4 hash buffer";
72 sigmatch_table[DETECT_JA4_HASH].url = "/rules/ja4-keywords.html#ja4-hash";
73#ifdef HAVE_JA4
74 sigmatch_table[DETECT_JA4_HASH].Setup = DetectJa4HashSetup;
75#ifdef UNITTESTS
76 sigmatch_table[DETECT_JA4_HASH].RegisterTests = DetectJa4RegisterTests;
77#endif
78#else /* HAVE_JA4 */
79 sigmatch_table[DETECT_JA4_HASH].Setup = DetectJA4SetupNoSupport;
80#endif /* HAVE_JA4 */
81 sigmatch_table[DETECT_JA4_HASH].flags |= SIGMATCH_NOOPT;
82 sigmatch_table[DETECT_JA4_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
83
84#ifdef HAVE_JA4
85 DetectAppLayerInspectEngineRegister("ja4.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER,
86 TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetData);
87
88 DetectAppLayerMpmRegister("ja4.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
89 GetData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
90
91 DetectAppLayerMpmRegister("ja4.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
92 Ja4DetectGetHash, ALPROTO_QUIC, 1);
93
94 DetectAppLayerInspectEngineRegister("ja4.hash", ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
95 DetectEngineInspectBufferGeneric, Ja4DetectGetHash);
96
97 DetectBufferTypeSetDescriptionByName("ja4.hash", "TLS JA4 hash");
98
99 g_ja4_hash_buffer_id = DetectBufferTypeGetByName("ja4.hash");
100#endif /* HAVE_JA4 */
101}
102
103#ifdef HAVE_JA4
104/**
105 * \brief this function setup the ja4.hash modifier keyword used in the rule
106 *
107 * \param de_ctx Pointer to the Detection Engine Context
108 * \param s Pointer to the Signature to which the current keyword belongs
109 * \param str Should hold an empty string always
110 *
111 * \retval 0 On success
112 * \retval -1 On failure
113 */
114static int DetectJa4HashSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
115{
116 if (SCDetectBufferSetActiveList(de_ctx, s, g_ja4_hash_buffer_id) < 0)
117 return -1;
118
119 AppProto alprotos[] = { ALPROTO_TLS, ALPROTO_QUIC, ALPROTO_UNKNOWN };
120 if (DetectSignatureSetMultiAppProto(s, alprotos) < 0) {
121 SCLogError("rule contains conflicting protocols.");
122 return -1;
123 }
124
125 /* try to enable JA4 */
126 SSLEnableJA4();
127
128 /* check if JA4 enabling had an effect */
129 if (!RunmodeIsUnittests() && !SSLJA4IsEnabled()) {
130 if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_JA4_HASH)) {
131 SCLogError("JA4 support is not enabled");
132 }
133 return -2;
134 }
135
136 return 0;
137}
138
139static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
140 const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
141 const int list_id)
142{
143 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
144 if (buffer->inspect == NULL) {
145 const SSLState *ssl_state = (SSLState *)f->alstate;
146
147 if (ssl_state->client_connp.hs == NULL) {
148 return NULL;
149 }
150
151 uint8_t data[JA4_HEX_LEN];
152 SCJA4GetHash(ssl_state->client_connp.hs, (uint8_t(*)[JA4_HEX_LEN])data);
153
154 InspectionBufferSetup(det_ctx, list_id, buffer, data, 0);
155 InspectionBufferCopy(buffer, data, JA4_HEX_LEN);
156 InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
157 }
158
159 return buffer;
160}
161
162static InspectionBuffer *Ja4DetectGetHash(DetectEngineThreadCtx *det_ctx,
163 const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
164 const int list_id)
165{
166 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
167 if (buffer->inspect == NULL) {
168 uint32_t b_len = 0;
169 const uint8_t *b = NULL;
170
171 if (SCQuicTxGetJa4(txv, &b, &b_len) != 1)
172 return NULL;
173 if (b == NULL || b_len == 0)
174 return NULL;
175
176 InspectionBufferSetup(det_ctx, list_id, buffer, NULL, 0);
177 InspectionBufferCopy(buffer, (uint8_t *)b, JA4_HEX_LEN);
178 InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
179 }
180 return buffer;
181}
182
183#ifdef UNITTESTS
184static int DetectJa4TestParse01(void)
185{
186 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
187
188 // invalid tests
189 Signature *s =
190 SigInit(de_ctx, "alert ip any any -> any any (sid: 1; file.data; content: \"toto\"; "
191 "ja4.hash; content: \"q13d0310h3_55b375c5d22e_cd85d2d88918\";)");
192 // cannot have file.data with ja4.hash (quic or tls)
193 FAIL_IF_NOT_NULL(s);
194 s = SigInit(de_ctx, "alert ip any any -> any any (sid: 1; "
195 "ja4.hash; content: \"q13d0310h3_55b375c5d22e_cd85d2d88918\"; file.data; "
196 "content: \"toto\";)");
197 // cannot have file.data with ja4.hash (quic or tls)
198 FAIL_IF_NOT_NULL(s);
199 s = SigInit(de_ctx, "alert smb any any -> any any (sid: 1; "
200 "ja4.hash; content: \"q13d0310h3_55b375c5d22e_cd85d2d88918\";)");
201 // cannot have alproto=smb with ja4.hash (quic or tls)
202 FAIL_IF_NOT_NULL(s);
203 s = SigInit(de_ctx, "alert ip any any -> any any (sid: 1; "
204 "ja4.hash; content: \"q13d0310h3_55b375c5d22e_cd85d2d88918\"; smb.share; "
205 "content:\"toto\";)");
206 // cannot have a smb keyword with ja4.hash (quic or tls)
207 FAIL_IF_NOT_NULL(s);
208 s = SigInit(de_ctx, "alert ip any any -> any any (sid: 1; "
209 "smb.share; content:\"toto\"; ja4.hash; content: "
210 "\"q13d0310h3_55b375c5d22e_cd85d2d88918\";)");
211 // cannot have a smb keyword with ja4.hash (quic or tls)
212 FAIL_IF_NOT_NULL(s);
213
214 // valid tests
215 s = DetectEngineAppendSig(de_ctx,
216 "alert ip any any -> any any (sid: 1; "
217 "ja4.hash; content: \"q13d0310h3_55b375c5d22e_cd85d2d88918\";)");
218 // just ja4.hash any proto
219 FAIL_IF_NULL(s);
220 s = DetectEngineAppendSig(de_ctx,
221 "alert quic any any -> any any (sid: 2; "
222 "ja4.hash; content: \"q13d0310h3_55b375c5d22e_cd85d2d88918\";)");
223 // just ja4.hash only quic
224 FAIL_IF_NULL(s);
225 s = DetectEngineAppendSig(de_ctx,
226 "alert tls any any -> any any (sid: 3; "
227 "ja4.hash; content: \"q13d0310h3_55b375c5d22e_cd85d2d88918\";)");
228 // just ja4.hash only tls
229 FAIL_IF_NULL(s);
230 s = DetectEngineAppendSig(de_ctx,
231 "alert ip any any -> any any (sid: 4; "
232 "ja4.hash; content: \"q13d0310h3_55b375c5d22e_cd85d2d88918\"; "
233 "quic.version; content:\"|00|\";)");
234 // ja4.hash and a quic keyword
235 FAIL_IF_NULL(s);
236 DetectEngineCtxFree(de_ctx);
237 PASS;
238}
239
240static void DetectJa4RegisterTests(void)
241{
242 UtRegisterTest("DetectJa4TestParse01", DetectJa4TestParse01);
243}
244#endif
245
246#endif // HAVE_JA4
AppProto
uint16_t AppProto
Definition app-layer-protos.h:86
ALPROTO_TLS
@ ALPROTO_TLS
Definition app-layer-protos.h:39
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition app-layer-protos.h:29
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition app-layer-protos.h:57
SSLEnableJA4
void SSLEnableJA4(void)
if not explicitly disabled in config, enable ja4 support
Definition app-layer-ssl.c:3336
SSLJA4IsEnabled
bool SSLJA4IsEnabled(void)
return whether ja4 is effectively enabled
Definition app-layer-ssl.c:3369
TLS_STATE_CLIENT_HELLO_DONE
@ TLS_STATE_CLIENT_HELLO_DONE
Definition app-layer-ssl.h:79
type
uint16_t type
Definition decode-vlan.c:106
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition detect-engine-buffer.c:29
InspectionBufferCopy
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
Definition detect-engine-inspect-buffer.c:246
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition detect-engine-inspect-buffer.c:128
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition detect-engine-inspect-buffer.c:56
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition detect-engine-inspect-buffer.c:190
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition detect-engine-mpm.c:152
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition detect-engine-prefilter.c:1584
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition detect-engine.c:1374
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition detect-engine.c:2057
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition detect-engine.c:272
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition detect-engine.c:1277
DetectJa4HashRegister
void DetectJa4HashRegister(void)
Registration function for keyword: ja4.hash.
Definition detect-ja4-hash.c:67
DetectSignatureSetMultiAppProto
int DetectSignatureSetMultiAppProto(Signature *s, const AppProto *alprotos)
this function is used to set multiple possible app-layer protos
Definition detect-parse.c:2151
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095
SigMatchSilentErrorEnabled
bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx, const enum DetectKeywordId id)
Definition detect-parse.c:330
sigmatch_table
SigTableElmt * sigmatch_table
Definition detect-parse.c:79
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition detect.h:1651
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition detect.h:1676
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition detect.h:271
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition util-unittest.h:96
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineThreadCtx_
Definition detect.h:1244
Flow_
Flow data structure.
Definition flow.h:356
Flow_::alstate
void * alstate
Definition flow.h:479
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition app-layer-ssl.h:227
SigTableElmt_::url
const char * url
Definition detect.h:1462
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
SigTableElmt_::flags
uint16_t flags
Definition detect.h:1450
SigTableElmt_::desc
const char * desc
Definition detect.h:1461
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition detect.h:1448
SigTableElmt_::alias
const char * alias
Definition detect.h:1460
SigTableElmt_::name
const char * name
Definition detect.h:1459
Signature_
Signature container.
Definition detect.h:668
str
#define str(s)
Definition suricata-common.h:308
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition suricata.c:270
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267