Commit Graph

1757 Commits (master)

Author SHA1 Message Date
Shivani Bhardwaj 44e098b7b3 rdp: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

RDP parser creates a transaction per request or response. Appropriate calls
to trigger raw stream inspection have been added on completion of each request
and response.

Task 7026
Bug 7004
2 months ago
Shivani Bhardwaj f709631cf7 pop3: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

POP3 has a classic request response model where a request is mapped to
a response although not by any ID. Appropriate calls to trigger raw stream
inspection have been added on completion of each request and response.

Task 7026
Bug 7004
2 months ago
Shivani Bhardwaj c0aa60c573 nfs: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

NFS has a classic request response model where each request is mapped to
a corresponding response. Additionally, there's also file tracking and
handling done as a part of these transactions. Appropriate calls to
trigger raw stream inspection have been added on completion of each
request and response.

Task 7026
Bug 7004
2 months ago
Shivani Bhardwaj 35cef72b44 stream: rename TriggerRawStreamReassembly
The functions around TriggerRawStreamReassembly are misnomers in the
current layout of the code. The functions were named appropriately when
they were created as per the structural and logical layout of the code
at the time.

These functions in today's code are being used to track, update and
trigger progress of inspection in the raw stream only. Hence, rename them
to TriggerRawStreamInspection.
2 months ago
Philippe Antoine a2b5225612 rust: bindgen SCSigMatchAppendSMToList
Ticket: 7667
2 months ago
Philippe Antoine 78034b218d rust: bindgen SCDetectSignatureSetAppProto
Ticket: 7667
2 months ago
Jeff Lucovsky f8575dab50 detect/ftp: Add ftp.completion_code keyword
Issue: 7507

Implement the ftp.completion_code sticky buffer. Multi-buffer as an FTP
command can produce multiple responses.

E.g., with the FTP command RETR
    RETR temp.txt
    150 Opening BINARY mode data connection for temp.txt (1164 bytes).
    226 Transfer complete.
2 months ago
Shivani Bhardwaj 31a395c734 pop3: fix incorrect direction matching
sawp crate has its own Direction enum as follows.

pub enum Direction {
    ToClient = 0,
    ToServer = 1,
    Unknown = 2,
}

While it is correct to send this Direction enum as argument to the
sawp_pop3 parser as it expects, it is not correct to use it where the
direction param is obtained from the internal API of Suricata.
The reason is that Suricata's definition of its Direction enum is as
follows.

pub enum Direction {
    ToServer = 0x04,
    ToClient = 0x08,
}

This can lead to issues like incorrect progress tracking of a transaction in
a direction which could cause inspection on incorrect data and buggy behavior.
2 months ago
Jeff Lucovsky 263d56fd11 detect/ftp: Add ftp.received_reply
Issue: 7506

Add a (non-sticky buffer) keyword for ftp.reply_received. This is not a
sticky buffer as the keyword relates to protocol state and not bytes
from the actual protocol exchange.

ftp.reply_received: yes|on|no|off
2 months ago
Philippe Antoine dc20129195 rust: bindgen SCDetectHelperBufferMpmRegister
Ticket: 7667
2 months ago
Philippe Antoine e2603fa820 detect/single-buf: new simple wrapper
Introduce DetectGetSingleData which does the generic wrapping,
including the transforms, using a new callback prototype
DetectTxGetBufferPtr

The goal is to replace most InspectionBufferGetDataPtr.
For this commit, we do not change every callback to keep the
change relatively small.

Focus here is to remove DetectHelperGetData as its functionality is
provided more directly by the new DetectTxGetBufferPtr.
2 months ago
Richard McConnell d81b76d852 output/tls: Allow logging of sv-handshake params
Ticket: 6695

"server_handshake" which logs the following:
1. TLS version used during handshake
2. The chosen cipher suite, excluding GREASE
3. TLS extensions, excluding GREASE
2 months ago
Richard McConnell 94c8be22d4 output/tls: Allow logging of cl-handshake params
Ticket: 6695

Add new custom log fields:

"client_handshake" which logs the following:
1. TLS version used during handshake
2. TLS extensions, excluding GREASE, SNI and ALPN
3. All cipher suites, excluding GREASE
4. All signature algorithms, excluding GREASE

The use-case is for logging TLS handshake parameters in order to survey
them, and so that JA4 hashes can be computed offline (in the case that
they're not already computed for the purposes of rule matching).
2 months ago
Richard McConnell 912030cbf4 tls: Move tls-versions to rust
This commit is designed in preparation of enabling the handshake object
to log it's own contents rather than being done on the C side.
Moving the tls versions functionality to rust has a couple of uses:
1. Allows both rust and C side to use these fields
2. Moves more of the tls related logic to rust
3. C side can still use these values because of cbindgen
2 months ago
Richard McConnell 6c1238b7bd tls: Integrate ALPNs into HandshakeParams object
Ticket: 6695

With the introduction of the HandshakeParams object we're able to
utilise the theory further by using it as the object to track the ALPNs.

The HandshakeParams object is now responsible for holding all ALPNS. The
user of this HandshakeParams object i.e. JA4, can use whichever fields
are needed. So only when we generate a JA4 hash do we use the first ALPN
and require to format it. Other users of HandshakeParams may opt to use
all ALPN's i.e. during TlsAlpnGetData().
2 months ago
Richard McConnell 468a037daa tls: Introduce HandshakeParams object for tracking
Ticket: 6695

This introduction splits the use of the handshake parameters into their
own object, HandshakeParams, which is populated by the TLS decoder. The
JA4 object is now very simple. It's a simple String object (the JA4
Hash) which is generated during new().

This introduction is part of a larger idea, which is to enable
outputting these raw parameters without JA3/JA4. These handshake
parameters are the components used to generate the JA4 hash, thus it
makes sense for it to be a user of HandshakeParams.
2 months ago
Shivani Bhardwaj 91353fdb61 mqtt: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

MQTT creates a transaction per message per direction, so, a call to
trigger raw stream reassembly has been made on completion of each
transaction in the respective direction.

Optimization 7026
Bug 7004
2 months ago
Shivani Bhardwaj 42978ca9a7 modbus: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

Modbus has a classic request response model, so, a call to trigger raw
stream reassembly is added on completion of each request and response.

Optimization 7026
Bug 7004
2 months ago
Shivani Bhardwaj ca7e9f8daf ldap: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

LDAP can have multiple responses corresponding to a request. The call to
trigger raw stream reassembly has been added on common call sites that
see the completion of a request or any of the responses.

Optimization 7026
Bug 7004
2 months ago
Shivani Bhardwaj fd683ed151 krb: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

KRB5 creates a transaction based on how each input is parsed. It could
be parsed as a request or response but that is the concern of the
parser. The call to trigger raw stream reassembly has been added after
successful parsing of the respective request/response.

Optimization 7026
Bug 7004
2 months ago
Shivani Bhardwaj d0655ed30e http2: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

HTTP2 has a classic request response model, so, a call to trigger raw
stream reassembly is added on completion of each request and response.
HTTP2 parser has its own maximum reassembly setting. The call has been
added irrespective of this setting as it is prudent to make all data so
far available for inspection if maximum was reached until the maximum.

Optimization 7026
Bug 7004
2 months ago
Shivani Bhardwaj eca13b8dd8 enip: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

ENIP has a classic request response model, so, a call to trigger raw
stream reassembly is added on completion of each request and response.

Optimization 7026
Bug 7004
2 months ago
Jeff Lucovsky 07205ab057 detect/xform: Support transform identity data
Transforms that support optional strings, like from_base64 and
pcrexform, should also support identity-strings to treat transforms with
like transform options as the same.

This commit adds transform identity data handling:
- When computing a hash, include identity data from the transform
- When comparing, include the identity data from the transforms
- Omitting the "options" ptr from the transform hash/compare
- Modify xor, pcrexform and from_base64 to supply identification data for
  disambiguation in the compare/hash logic.
2 months ago
Jeff Lucovsky c6e0ba2b85 detect/ftp: Add parser for ftp.mode keyword
Issue: 7505

Add a parser for the ftp.mode command that returns the state struct. Add
a function to free the object it allocates.
2 months ago
Philippe Antoine 4af3bd9c91 rust: bindgen SCDetectHelperKeywordSetCleanCString
Ticket: 7667
2 months ago
Philippe Antoine 13449344e8 rust: bindgen SCDetectHelperKeywordRegister
Ticket: 7667
2 months ago
Philippe Antoine f909bbba68 rust: bindgen SCDetectHelperKeywordAliasRegister
Ticket: 7667
2 months ago
Philippe Antoine a7448a0c16 rust: bindgen SCDetectHelperBufferRegister
Ticket: 7667
2 months ago
Philippe Antoine 0d82e905bc rust: bindgen DetectHelperMultiBufferMpmRegister
Ticket: 7667
2 months ago
Philippe Antoine dfa4df9f54 rust: bindgen SCDetectHelperMultiBufferProgressMpmRegister
Ticket: 7667
2 months ago
Juliana Fajardini 62949b3815 pgsql: remove unused "password_message" code
``Password message`` is actually logged just as ``Password``.
Remove related dead code.
3 months ago
Juliana Fajardini 6f81caf8d4 pgsql: clearly indicate redacted password message
If a password message was seen while logging passwords was disabled
for pgsql, this would lead to an empty request being logged.
Instead of simply not logging anything when there is a password message
and this is disabled, however, log instead that said password is
redacted.

Bug #7647
3 months ago
Philippe Antoine fd7bd9c200 src: new file detect-engine-inspect-buffer.h
For InspectionBuffer structure and related functions

Bindgen it for rust, especially transforms

Ticket: 7667
3 months ago
Philippe Antoine df0dc2e8ea rust: bindgen SCDetectSignatureAddTransform
by moving it to detect-engine-buffer.h and prefixing it

Ticket: 7667
3 months ago
Philippe Antoine 1f871cdd64 rust: reuse/reexport suricata_sys DetectEngineThreadCtx
Use the bindgen'd version instead of our own recoded one
3 months ago
Philippe Antoine cf336396c3 rust: bindgen detect-engine-helper.h
Ticket: 7667

Begin by focusing on transforms
3 months ago
Jason Ish 97eaeef7d8 lua: convert SMTP functions to lib: suricata.smtp
Ticket: #7606
3 months ago
Philippe Antoine 06ad72e83e quic: ja3 getter function uses direction
so that future lua code can specify a direction
3 months ago
Jason Ish bf427c69cd rust: remaining rs_ to SC conversions 3 months ago
Jason Ish d16c014641 rust/x509: replace rs_ naming with SC 3 months ago
Jason Ish afce53c8b7 rust/websocket: replace rs_ naming with SC 3 months ago
Jason Ish 7321d7c7db rust/applayertemplate: replace rs_ naming with SC 3 months ago
Jason Ish 2c98ee73ce rust/rfb: replace rs_ naming with SC 3 months ago
Jason Ish e74b4177ac rust/nfs: rust format 3 months ago
Jason Ish 8c1bd60ab1 rust/nfs: replace rs_ naming with SC 3 months ago
Jason Ish 01ce0f92e8 rust/modbus: replace rs_ naming to SC
This was missed in the previous round.
3 months ago
Jason Ish 4e2f1de308 rust/quic: replace rs_ naming with SC 3 months ago
Jason Ish bfa0acf278 rust/ike: replace rs_ naming with SC 3 months ago
Jason Ish 717e06e351 rust/http2: replace rs_ naming with SC 3 months ago
Jason Ish af15986d41 rust/modbus: replace rs_ naming with SC 3 months ago
Jason Ish c994cfb615 rust/sip: replace rs_ naming with SC 3 months ago
Jason Ish 9b830c92dc rust/tftp: replace rs_ naming with SC 3 months ago
Jason Ish aa24276999 rust/telnet: replace rs_ naming with SC 3 months ago
Jason Ish 1c580f9001 rust/detect: replace rs_ naming with SC 3 months ago
Jason Ish 713034d0dd rust/asn1: replace rs_ naming with SC naming 3 months ago
Jason Ish 90116827fe rust/krb: rust format 3 months ago
Jason Ish 8ba0a5c8ec rust/krb: remove rs_ prefix; visibility fixes
- remove pub/no_mangle where not needed
- replace rs_ naming with SC naming
3 months ago
Jason Ish 1f30746e07 rust/dns: rs_ prefix name cleanup 3 months ago
Victor Julien 3c5ce91cbb ftp: per direction tx progress
For request side, having a tx means the request is done.

For response, wait for tx to be marked complete.

Remove unused states.
3 months ago
Philippe Antoine 033e0480cf detect/single-buf: helper with more explicit direction 3 months ago
Philippe Antoine dadf9012fc rust: bindgen detect-engine-buffer.h
Ticket: 7667

And prefix SCDetectBufferSetActiveList to be exported

Allows less use of suricata crate in plugin as we get the functions
prototypes from suricata_sys and they are more correct.
3 months ago
Philippe Antoine 31e30d4aa1 sdp: use rust join
It is much faster as it does not do an allocation for each element
3 months ago
Philippe Antoine 6436a5cebe websocket: limit allocation for small sizes
Fixes: 16f74c68aa ("websocket: use max window bits of 15")

We do not need to allocate 8kbytes for a small message
3 months ago
Philippe Antoine 1f2cb21786 ssh: rustfmt 3 months ago
Philippe Antoine fcac063cfe ssh: make hooks available
Allows signature like `alert ssh:request_banner_done`
3 months ago
Philippe Antoine bbc007b4d4 rust: derive for AppLayerState
To enable easily hooks for rust app-layers such as SSH
3 months ago
Jeff Lucovsky 87b7a0cef6 ftp: Apply rustfmt changes 3 months ago
Jeff Lucovsky 04bf28d6a1 app/ftp: Use common API naming
Modify the Rust API functions to conform to project naming format:
SCFTP*

Issue: 7504
3 months ago
Philippe Antoine 808f8a877a detect/multi-buf: helper with more explicit direction 3 months ago
Philippe Antoine 8ecc3efdc8 detect/multi-buf: harmonize wrapper
Introduce DetectGetMultiData which does the generic wrapping,
including the transforms.

And let each keyword do just the getter.
3 months ago
Philippe Antoine a6392ac5d4 rust: use pure rust helper for registering sticky buffers
Mark sdp and sip keywords with flags SIGMATCH_INFO_STICKY_BUFFER
as a side effect.
3 months ago
Philippe Antoine e728aae1e0 websocket: fixes substraction
Fixes: 16f74c68aa ("websocket: use max window bits of 15")
3 months ago
Philippe Antoine aa7f926ff4 detect: rust helper to register sticky buffer 3 months ago
Philippe Antoine 96afdce283 detect: rename SCSigTableElmt to SCSigTableAppLiteElmt 3 months ago
Philippe Antoine 8757ad5fd3 detect/dns: support string for dns.rrtype
Ticket: 6723
3 months ago
Philippe Antoine 44a6f7f8ca detect/dns: support string for dns.rcode
Ticket: 6723
3 months ago
Philippe Antoine 9814b698c8 detect/dns: move keywords to rust
Ticket: 7529
Ticket: 3725

Adds url for dns.opcode on the way
3 months ago
Philippe Antoine bb9b8d2460 detect: new helper to register multi-buffer with progress
This allows to use these engines for hook rules needing exact
progress (checked in SigValidate)
3 months ago
Philippe Antoine 16f74c68aa websocket: use max window bits of 15
Ticket: 7285

As this is the default for websocket, which is bigger than the
defaut for zlib usage

Also limit the decompressed content to the max-payload-size
configuration parameter also used for non-compressed content.

And also use a stateful decoder to store/remember the compression
state to be able to decompress later messages.
3 months ago
Philippe Antoine ff57a162d7 websocket: decompress single pdu message
Ticket: 7285

Previously, only messages over multiple PDUs could get decompressed
3 months ago
Alice Akaki bda0890834 detect: add email.received keyword
email.received matches on MIME EMAIL Received
This keyword maps to the EVE field email.received[]
It is a sticky buffer
Supports multiple buffer matching
Supports prefiltering

Ticket: #7599
3 months ago
Alice Akaki ca429ef5e3 detect: add email.url keyword
email.url matches on URLs extracted from an email
This keyword maps to the EVE field email.url[]
Supports multiple buffer matching
Supports prefiltering

Ticket: #7597
3 months ago
Victor Julien 88e96c9d49 detect/domain: move transform fully to rust 4 months ago
Alice Akaki d4ec5b9765 detect: add ldap.responses.attribute_type
ldap.responses.attribute_type matches on LDAP attribute type/description
This keyword maps the eve field ldap.responses[].search_result_entry.attributes[].type
It is a sticky buffer
Supports multiple buffer matching
Supports prefiltering

Ticket: #7533
4 months ago
Alice Akaki 75fb352bde detect: add ldap.request.attribute_type
ldap.request.attribute_type matches on LDAP attribute type/description
This keyword maps the following eve fields:
ldap.request.search_request.attributes[]
ldap.request.modify_request.changes[].modification.attribute_type
ldap.request.add_request.attributes[].name
ldap.request.compare_request.attribute_value_assertion.description
It is a sticky buffer
Supports multiple buffer matching
Supports prefiltering

Ticket: #7533
4 months ago
Alice Akaki 6d48acdd63 rustfmt: rust/src/ldap/detect.rs 4 months ago
Jeff Lucovsky dfc896e2a7 app/ftp: Move FTP response handling to rust
Move handling of FTP responses to Rust to improve support for FTP
keyword matching. Parsing the response line when encountered
simplifies multi-buffer matching and metadata output.

Issue: 4082
4 months ago
Alex Savage 778053876b pop3: app-layer parser using sawp-pop3
This module uses the sawp-pop3 crate to parse POP3 requests and responses
Features:
- eve logging
- events for parsable but non-RFC-compliant messages

Ticket: 3243
4 months ago
Eric Leblond 585c624482 tld: add new transform
Extract the TLD from a buffer.

Ticket: #5639
4 months ago
Eric Leblond 0b031a33c6 domain: add new transformation
Ticket: #5639
4 months ago
Victor Julien 31d048ed4b firewall: start of firewall rules support
Config:

Firewall rules are like normal rule, with some key differences.

They are loaded separate, and first, from:

```yaml
firewall-rule-path: /etc/suricata/firewall/
firewall-rule-files:
  - fw.rules
```

Can also be loaded with --firewall-rules-exclusive: Mostly for QA purposes.

Allow -S with --firewall-rules-exclusive, so that firewall and threat detection
rules can be tested together.

Rules:

Differences with regular "threat detection" rules:

1. these rules are evaluated before threat detection rules

2. these rules are evaluated in the order as they appear in the rule file

3. currently only rules specifying an explicit hook at supported

   a. as a consequence, no rules will be treated as (like) IP-only, PD-only or
      DE-only

Require explicit action scope for firewall rules. Default policy is
drop for the firewall tables.

Actions:

New action "accept" is added to allow traffic in the filter tables.

New scope "accept:tx" is added to allow accepting a transaction.

Tables:

Rulesets are per table.

Table processing order: `packet:filter` -> `packet:td` -> `app:*:*` -> `app:td`.

Each of the tables has some unique properties:

`packet:filter`:
- default policy is `drop:packet`
- rules are process in order
- action scopes are explicit
- `drop` or `accept` is immediate
- `accept:hook` continues to `packet:td`

`packet:td`:
- default policy is `accept:hook`
- rules are ordered by IDS/IPS ordering logic
- action scopes are implicit
- actions are queued
- continues to `app:*:*` or `alert/action finalize`

`app:*:*`:
- default policy is `drop:flow`
- rules are process in order
- action scopes are explicit
- `drop` is immediate
- `accept` is conditional on possible `drop` from `packet:td`
- `accept:hook` continues to `app:td`, `accept:packet` or `accept:flow`
  continues to `alert/action finalize`

`app:td`:
- default policy is `accept:hook`
- rules are ordered by IDS/IPS ordering logic
- action scopes are implicit
- actions are queued
- continues to `alert/action finalize`

Implementation:

During sigorder, split into packet:filter, app:*:* and general td.

Allow fw rules to work when in pass:flow mode. When firewall mode is enabled,
`pass:flow` will not skip the detection engine anymore, but instead
process the firewall rules and then apply the pass before inspecting threat
detect rules.
4 months ago
Victor Julien 10dcc383ae detect/xbits: implement tx bits
Implement `xbits:set,mybit,track tx;` and `xbits:isset,mybit,track tx;`.

Store these in the AppLayerTxData.

Ticket: #6455.
4 months ago
Victor Julien add7d3fcf5 app-layer: API for mapping progress name vs id 4 months ago
Lukas Sismis 5e8c775d77 ssh: add option to select behavior of encrypted parts
Ticket: 6788
4 months ago
Philippe Antoine 3b271b3f5b detect: rename with prefix SCSigTablePreRegister
to make it available to rust via bindgen
4 months ago
Philippe Antoine e3ee922fbf snmp: restrict rust visibility 4 months ago
Philippe Antoine d24a3eb5f6 snmp: register protocol dynamically
Ticket: 4103
4 months ago
Philippe Antoine 640a4c8b11 snmp: make log function use the generic prototype
and cast

and also remove unneeded mut

and rustfmt
4 months ago
Philippe Antoine 6afad1af51 smb/log: configuration option for types logging
suricata.yaml output section for smb now parses a types list
and will restrict logging of transactions to these types.

By default, everything still gets logged

Remove unused rs_smb_log_json_request on the way

Ticket: 7620
4 months ago
Philippe Antoine 30af626a92 conf: extend API for rust
Will allow rust to list the values of an array such as
dns.types for outputs
4 months ago