Add SSL/TLS sni filter

phaag · Mar 16, 2024 · 6f4f6ad · 6f4f6ad
1 parent 69959f0
commit 6f4f6ad
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 1 deletion.
diff --git a/src/libnfdump/filter/filter.c b/src/libnfdump/filter/filter.c
@@ -720,6 +720,10 @@ static int RunExtendedFilter(const FilterEngine_t *engine, recordHandle_t *handl
                 char *str = (char *)data.dataPtr;
                 evaluate = str != NULL && (strcmp(inPtr, str) == 0 ? 1 : 0);
             } break;
+            case CMP_SUBSTRING: {
+                char *str = (char *)data.dataPtr;
+                evaluate = str != NULL && (strstr(inPtr, str) != NULL ? 1 : 0);
+            } break;
             case CMP_BINARY: {
                 void *dataPtr = data.dataPtr;
                 evaluate = dataPtr != NULL && memcmp(inPtr, dataPtr, length) == 0;

diff --git a/src/libnfdump/filter/filter.h b/src/libnfdump/filter/filter.h
@@ -71,6 +71,7 @@ typedef enum {
     CMP_IDENT,
     CMP_FLAGS,
     CMP_STRING,
+    CMP_SUBSTRING,
     CMP_BINARY,
     CMP_NET,
     CMP_IPLIST,

diff --git a/src/libnfdump/filter/grammar.y b/src/libnfdump/filter/grammar.y
@@ -1214,7 +1214,6 @@ static int AddPayloadSSL(char *type, char *arg, char *opt) {
 			yyerror("String %s is not a valid SSL/TLS version", arg);
 			return -1;
 		}
-		printf("SSL/TLS version: %s\n", opt);
 		unsigned int major, minor;
 		if (sscanf(opt, "%1u.%1u", &major, &minor) != 2 || major > 3 || minor > 3 ) {
 			yyerror("String %s is not a valid SSL/TLS version", opt);
@@ -1242,6 +1241,13 @@ static int AddPayloadSSL(char *type, char *arg, char *opt) {
 			version = major << 8;
 		}
 		return NewElement(SSLindex, OFFsslVersion, SIZEsslVersion, version, CMP_EQ, FUNC_NONE, NULLPtr);
+	} else if (strcasecmp(arg, "sni") == 0) {
+		if ( opt == NULL || strlen(opt) > 64 ) {
+			yyerror("Invalid string %s for SSL/TLS sni name", opt != NULL ? opt : "");
+			return -1;
+		}
+		data_t data = {.dataPtr=strdup(opt)};
+		return NewElement(SSLindex, OFFsslSNI, SIZEsslSNI, 0, CMP_SUBSTRING, FUNC_NONE, data);
 	}
 	yyerror("String %s is not a valid SSL/TLS filter", arg);
 	return -1;

diff --git a/src/libnfdump/ssl/ssl.h b/src/libnfdump/ssl/ssl.h
@@ -99,6 +99,7 @@ typedef struct ssl_s {
     char alpnName[ALPNmaxLen];
     char sniName[256];
 #define OFFsslSNI offsetof(ssl_t, sniName)
+#define SIZEsslSNI MemberSize(ssl_t, sniName)
 } ssl_t;
 
 void sslPrint(ssl_t *ssl);

diff --git a/src/test/nftest.c b/src/test/nftest.c
@@ -842,7 +842,10 @@ static void runTest(void) {
     CheckFilter("payload ssl defined", recordHandle, 1);
     CheckFilter("payload tls version 1.2", recordHandle, 1);
     CheckFilter("payload tls version 1.3", recordHandle, 0);
+    CheckFilter("payload ssl sni example", recordHandle, 1);
+    CheckFilter("payload ssl sni nonexist", recordHandle, 0);
     recordHandle->extensionList[SSLindex] = NULL;
+    CheckFilter("payload ssl sni example", recordHandle, 0);
 
     // ja3
     recordHandle->extensionList[JA3index] = "123456789abcdef0123456789abcdef0";