Add negation support for TLS and corresponding unit tests

[Fredamabob]

Make sure these boxes are signed before submitting your Pull Request -- thank you.

• I have read the contributing guide lines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
• I have signed the Open Information Security Foundation contribution agreement at https://suricata-ids.org/about/contribution-agreement/
• I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to ticket: https://redmine.openinfosecfoundation.org/issues/2269

Describe changes:

• Added support for negation operator when specifying a TLS version. SSL versions (they use separate parsers for SSL and TLS) already supported it.
• Added test cases to confirm that a negated rule behaves properly.

[codecov]

Codecov Report

Merging #5763 (105f2c4) into master (8536048) will increase coverage by 0.19%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #5763      +/-   ##
==========================================
+ Coverage   76.87%   77.07%   +0.19%     
==========================================
  Files         613      613              
  Lines      186697   186792      +95     
==========================================
+ Hits       143529   143963     +434     
+ Misses      43168    42829     -339     

Flag	Coverage Δ
fuzzcorpus	52.94% <33.33%> (+0.01%)	⬆️
suricata-verify	52.09% <0.00%> (+0.40%)	⬆️
unittests	63.13% <100.00%> (+0.11%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

[catenacyber]

Thanks for this @Fredamabob
I would love to have Rust replace this PARSE_REGEX
Would you be interested in doing that ?

[Fredamabob]

Thanks for this @Fredamabob
I would love to have Rust replace this PARSE_REGEX
Would you be interested in doing that ?

Hey, thanks for the feedback. I think rewriting it in Rust would be nice - but a larger task than expected. Do you think it'd be better to go with smaller changes to be safer, and open up another ticket for that?

[catenacyber]

Do you think it'd be better to go with smaller changes to be safer, and open up another ticket for that?

This PR is ok as is.
The ticket to track rustification is https://redmine.openinfosecfoundation.org/issues/3195

[catenacyber]

Does this support multiple values ?
Like either 1.1 or 1.2 ?

[Fredamabob]

Yes. It will match on values 1.0->1.3, and !1.0->!1.3

[catenacyber]

That was not what I was asking.
Is it possible with this keyword to match on TLS flows which will either be TLS 1.1 or TLS 1.2 (but not TLS 1.3, not TLS 1.0 and not SSLv2 or 3) ?

[catenacyber]

I also found out recently about SIGMATCH_HANDLE_NEGATION
Is this related ?

[Fredamabob]

Ah alright, my bad. After a bit of testing with suricata-verify, it seems that the answer may be no...
SIGMATCH_HANDLE_NEGATION appears to be very similar to the approach implemented here, it may be related - I am only aware of this now that you have mentioned it.

[Fredamabob]

@catenacyber Hi, sorry about the late reply. I can look into this if you'd like, but it might take awhile for me to get back to it.

[catenacyber]

Ok, no rush, just wanted to know if this PR still alive :-)

[Fredamabob]

Sorry for the long delay. I have updated it to use the flag SIGMATCH_HANDLE_NEGATION instead of using a new flag defined in detect-tls-version.h.

[catenacyber]

Thanks for this improvement, I think CI will fail because of the PCRE1/PCRE2 thing cf other comment. Could you please take care of that ?

[Fredamabob]

Sure, I'll take a look into that later this week!

[catenacyber]

You should now use PCRE2 which got merged in master, and no longer PCRE1...
Basically, that means you should leave untouched DetectParsePcreExec and such... and your PR should work

[catenacyber]

Looks good to me

[jlucovsky]

StreamTcpInitConfig requires a bool so please remove this and similar changes.

[Fredamabob]

Removed these changes.

[victorjulien]

Test change requested. Also generally please implement changes in a new branch and PR. This makes it easier to review. Thanks!

[victorjulien]

we're actively trying to move away from these types of unittests in favor of suricata-verify tests. The unittests that mimic traffic and setting up all the layers (packet, stream, flow, etc) are generally taking too many shortcuts that hurt us later.