Actions
Bug #7331
closedPacket direction check incorrect for Lua TLS functions
Affected Versions:
Effort:
low
Difficulty:
low
Label:
Description
I created a simple Lua rule to check for a TLS "notbefore" certificate date less than three days old. It didn't work until I changed the direction checks in util-lua-tls.c :
Lua:
function init(args)
local needs = {}
needs["tls"] = tostring(true)
return needs
end
function match(args)
local nb = TlsGetCertNotBefore()
local startts_s, lastts_s, startts_us, lastts_us = SCFlowTimestamps()
if nb == nil or startts_s == nil then
return 0
end
-- local age = (os.time() - nb) / 86400
local age = (startts_s - nb) / 86400
if age > 0 and age < 3 then
return 1
end
return 0
end
Diff:
--- src/util-lua-tls.c.safe 2024-06-13 16:14:43.648711557 +0100
+++ src/util-lua-tls.c 2024-09-24 12:52:06.802451772 +0100
@@ -64,7 +64,7 @@
SSLState *ssl_state = (SSLState *)state;
SSLStateConnp *connp = NULL;
- if (direction) {
+ if (!direction) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
@@ -105,7 +105,7 @@
SSLState *ssl_state = (SSLState *)state;
SSLStateConnp *connp = NULL;
- if (direction) {
+ if (!direction) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
@@ -146,7 +146,7 @@
SSLState *ssl_state = (SSLState *)state;
SSLStateConnp *connp = NULL;
- if (direction) {
+ if (!direction) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
@@ -287,7 +287,7 @@
SSLState *ssl_state = (SSLState *)state;
SSLStateConnp *connp = NULL;
- if (direction) {
+ if (!direction) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
Please can you check to see if this is correct? I can supply PCAPs (from our Sandbox or behaviour runs in VT) if required.
Actions