std::string Hash(const Unit &U) { uint8_t Hash[kSHA1NumBytes]; ComputeSHA1(U.data(), U.size(), Hash); std::stringstream SS; for (int i = 0; i < kSHA1NumBytes; i++) SS << std::hex << std::setfill('0') << std::setw(2) << (unsigned)Hash[i]; return SS.str(); }
static void CreateJSONCommunityFlowIdv6(json_t *js, const Flow *f, const uint16_t seed) { struct { uint16_t seed; uint32_t src[4]; uint32_t dst[4]; uint8_t proto; uint8_t pad0; uint16_t sp; uint16_t dp; } __attribute__((__packed__)) ipv6; uint16_t sp = f->sp; if (f->proto == IPPROTO_ICMPV6) sp = f->icmp_s.type; sp = htons(sp); uint16_t dp = f->dp; if (f->proto == IPPROTO_ICMPV6) dp = f->icmp_d.type; dp = htons(dp); ipv6.seed = htons(seed); if (FlowHashRawAddressIPv6LtU32(f->src.addr_data32, f->dst.addr_data32) || ((memcmp(&f->src, &f->dst, sizeof(f->src)) == 0) && sp < dp)) { memcpy(&ipv6.src, &f->src.addr_data32, 16); memcpy(&ipv6.dst, &f->dst.addr_data32, 16); ipv6.sp = sp; ipv6.dp = dp; } else { memcpy(&ipv6.src, &f->dst.addr_data32, 16); memcpy(&ipv6.dst, &f->src.addr_data32, 16); ipv6.sp = dp; ipv6.dp = sp; } ipv6.proto = f->proto; ipv6.pad0 = 0; uint8_t hash[20]; if (ComputeSHA1((const uint8_t *)&ipv6, sizeof(ipv6), hash, sizeof(hash)) == 1) { unsigned char base64buf[64] = "1:"; unsigned long out_len = sizeof(base64buf) - 2; if (Base64Encode(hash, sizeof(hash), base64buf+2, &out_len) == SC_BASE64_OK) { json_object_set_new(js, "community_id", json_string((const char *)base64buf)); } } }
static void CreateJSONCommunityFlowIdv4(json_t *js, const Flow *f, const uint16_t seed) { struct { uint16_t seed; uint32_t src; uint32_t dst; uint8_t proto; uint8_t pad0; uint16_t sp; uint16_t dp; } __attribute__((__packed__)) ipv4; uint32_t src = f->src.addr_data32[0]; uint32_t dst = f->dst.addr_data32[0]; uint16_t sp = f->sp; if (f->proto == IPPROTO_ICMP) sp = f->icmp_s.type; sp = htons(sp); uint16_t dp = f->dp; if (f->proto == IPPROTO_ICMP) dp = f->icmp_d.type; dp = htons(dp); ipv4.seed = htons(seed); if (ntohl(src) < ntohl(dst) || (src == dst && sp < dp)) { ipv4.src = src; ipv4.dst = dst; ipv4.sp = sp; ipv4.dp = dp; } else { ipv4.src = dst; ipv4.dst = src; ipv4.sp = dp; ipv4.dp = sp; } ipv4.proto = f->proto; ipv4.pad0 = 0; uint8_t hash[20]; if (ComputeSHA1((const uint8_t *)&ipv4, sizeof(ipv4), hash, sizeof(hash)) == 1) { unsigned char base64buf[64] = "1:"; unsigned long out_len = sizeof(base64buf) - 2; if (Base64Encode(hash, sizeof(hash), base64buf+2, &out_len) == SC_BASE64_OK) { json_object_set_new(js, "community_id", json_string((const char *)base64buf)); } } }
int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len) { uint32_t certificates_length, cur_cert_length; int i; Asn1Generic *cert; char buffer[256]; int rc; int parsed; uint8_t *start_data; uint32_t errcode = 0; if (input_len < 3) return 1; certificates_length = input[0]<<16 | input[1]<<8 | input[2]; /* check if the message is complete */ if (input_len < certificates_length + 3) return 0; start_data = input; input += 3; parsed = 3; i = 0; while (certificates_length > 0) { cur_cert_length = input[0]<<16 | input[1]<<8 | input[2]; input += 3; parsed += 3; if (input - start_data + cur_cert_length > input_len) { AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_CERTIFICATE); return -1; } cert = DecodeDer(input, cur_cert_length, &errcode); if (cert == NULL) { TLSCertificateErrCodeToWarning(ssl_state, errcode); } if (cert != NULL) { rc = Asn1DerGetSubjectDN(cert, buffer, sizeof(buffer), &errcode); if (rc != 0) { TLSCertificateErrCodeToWarning(ssl_state, errcode); } else { SSLCertsChain *ncert; //SCLogInfo("TLS Cert %d: %s\n", i, buffer); if (i == 0) { if (ssl_state->server_connp.cert0_subject == NULL) ssl_state->server_connp.cert0_subject = SCStrdup(buffer); if (ssl_state->server_connp.cert0_subject == NULL) { DerFree(cert); return -1; } } ncert = (SSLCertsChain *)SCMalloc(sizeof(SSLCertsChain)); if (ncert == NULL) { DerFree(cert); return -1; } memset(ncert, 0, sizeof(*ncert)); ncert->cert_data = input; ncert->cert_len = cur_cert_length; TAILQ_INSERT_TAIL(&ssl_state->server_connp.certs, ncert, next); } rc = Asn1DerGetIssuerDN(cert, buffer, sizeof(buffer), &errcode); if (rc != 0) { TLSCertificateErrCodeToWarning(ssl_state, errcode); } else { //SCLogInfo("TLS IssuerDN %d: %s\n", i, buffer); if (i == 0) { if (ssl_state->server_connp.cert0_issuerdn == NULL) ssl_state->server_connp.cert0_issuerdn = SCStrdup(buffer); if (ssl_state->server_connp.cert0_issuerdn == NULL) { DerFree(cert); return -1; } } } DerFree(cert); if (i == 0 && ssl_state->server_connp.cert0_fingerprint == NULL) { int msg_len = cur_cert_length; int hash_len = 20; int out_len = 60; char out[out_len]; unsigned char *hash; hash = ComputeSHA1((unsigned char *) input, (int) msg_len); char *p = out; int j = 0; if (hash == NULL) { SCLogWarning(SC_ERR_MEM_ALLOC, "Can not allocate fingerprint string"); } else { for (j = 0; j < hash_len; j++, p += 3) { snprintf(p, 4, j == hash_len - 1 ? "%02x" : "%02x:", hash[j]); } SCFree(hash); ssl_state->server_connp.cert0_fingerprint = SCStrdup(out); if (ssl_state->server_connp.cert0_fingerprint == NULL) { SCLogWarning(SC_ERR_MEM_ALLOC, "Can not allocate fingerprint string"); } } ssl_state->server_connp.cert_input = input; ssl_state->server_connp.cert_input_len = cur_cert_length; } } i++; certificates_length -= (cur_cert_length + 3); parsed += cur_cert_length; input += cur_cert_length; } return parsed; }
std::string Hash(const Unit &U) { uint8_t Hash[kSHA1NumBytes]; ComputeSHA1(U.data(), U.size(), Hash); return Sha1ToString(Hash); }