Commit Graph

151 Commits (078ab2ff7028ebb8243ef8f5467acd7e84c26387)

Author SHA1 Message Date
Victor Julien 6440d4486c detect/firewall: support alert in default app policy
Support `alert` as a secondary action in app-layer firewall policies.

To implement this a Signature object is created per policy that uses
alert, and this is stored in a hash table. When the policy is applied
the signature is looked up and used in the PacketAlert.

Ticket: #8566.
(cherry picked from commit 2d4f1968b8)
1 month ago
Victor Julien 97e774bd6c detect/analyzer: log firewall lte rule for prior states as well
(cherry picked from commit 6e037d9783)
1 month ago
Victor Julien bac8ebf225 firewall/analyzer: include all hooks
For protocols using default 0-1 states, add support.

For others, print 'unknown' if no name is yet supported.

Ticket: #8514.
(cherry picked from commit b29226c7ea)
1 month ago
Victor Julien 017a28b6ac detect/analyzer: log actual policy for app firewall
(cherry picked from commit f7c44c4c23)
1 month ago
Shivani Bhardwaj 917c6f3da7 engine/analyzer: write rule failure report to correct file
The failure report was always just written to rules_fast_pattern.txt. In
case that setting is disabled or there's nothing fast-pattern related,
the report should be written to the usual rules_analysis.txt.

Bug 7821
11 months ago
Shivani Bhardwaj eb39dba5dd engine/analyzer: check if file pointer exists before writing
de_ctx->ea->fp_engine_analysis_fp is only initialized if
engine-analysis.rules-fast-pattern is enabled in the configuration. If
this config param is missing, this leads to segfault.

Bug 7822
11 months ago
Jeff Lucovsky bb12f197bc detect/analyzer: Include ICMP icode information
Issue: 6359

Extend the rules analysis to include ICMP icode information.
1 year ago
Jeff Lucovsky 4f9fa602fa detect/analyzer: Extend analyzer output with dsize value info
Issue: 6357
1 year ago
Shivani Bhardwaj 9046f30731 detect/analyzer: use note instead of warning
It is invalid to issue a warning based purely on pattern matching
between the matched content and certain http methods. Without a check
for which keyword exists in the rule, it makes more sense to issue this
as a general note.

Bug 5177
1 year ago
Philippe Antoine 41fcf3b356 detect: fix some -Wshorten-64-to-32 warnings
Ticket: #6186
1 year ago
Victor Julien 98372b6599 firewall: beginning of ruleset analyzer
Output a `firewall.json` with a per table list of rules.

Also output a sorted list of the threat detection rules.
1 year ago
Victor Julien 31d048ed4b firewall: start of firewall rules support
Config:

Firewall rules are like normal rule, with some key differences.

They are loaded separate, and first, from:

```yaml
firewall-rule-path: /etc/suricata/firewall/
firewall-rule-files:
  - fw.rules
```

Can also be loaded with --firewall-rules-exclusive: Mostly for QA purposes.

Allow -S with --firewall-rules-exclusive, so that firewall and threat detection
rules can be tested together.

Rules:

Differences with regular "threat detection" rules:

1. these rules are evaluated before threat detection rules

2. these rules are evaluated in the order as they appear in the rule file

3. currently only rules specifying an explicit hook at supported

   a. as a consequence, no rules will be treated as (like) IP-only, PD-only or
      DE-only

Require explicit action scope for firewall rules. Default policy is
drop for the firewall tables.

Actions:

New action "accept" is added to allow traffic in the filter tables.

New scope "accept:tx" is added to allow accepting a transaction.

Tables:

Rulesets are per table.

Table processing order: `packet:filter` -> `packet:td` -> `app:*:*` -> `app:td`.

Each of the tables has some unique properties:

`packet:filter`:
- default policy is `drop:packet`
- rules are process in order
- action scopes are explicit
- `drop` or `accept` is immediate
- `accept:hook` continues to `packet:td`

`packet:td`:
- default policy is `accept:hook`
- rules are ordered by IDS/IPS ordering logic
- action scopes are implicit
- actions are queued
- continues to `app:*:*` or `alert/action finalize`

`app:*:*`:
- default policy is `drop:flow`
- rules are process in order
- action scopes are explicit
- `drop` is immediate
- `accept` is conditional on possible `drop` from `packet:td`
- `accept:hook` continues to `app:td`, `accept:packet` or `accept:flow`
  continues to `alert/action finalize`

`app:td`:
- default policy is `accept:hook`
- rules are ordered by IDS/IPS ordering logic
- action scopes are implicit
- actions are queued
- continues to `alert/action finalize`

Implementation:

During sigorder, split into packet:filter, app:*:* and general td.

Allow fw rules to work when in pass:flow mode. When firewall mode is enabled,
`pass:flow` will not skip the detection engine anymore, but instead
process the firewall rules and then apply the pass before inspecting threat
detect rules.
1 year ago
Victor Julien 4071acd659 detect: explicit action scopes
For drop and pass allow setting the scope explicitly:

        drop:flow
        drop:packet

        pass:flow
        pass:packet

Ticket: #7481.
1 year ago
Jason Ish 155706f96b jsonbuilder: prefix C API with SC 1 year ago
Jason Ish 22b77b0c56 conf: prefix conf API with SC 1 year ago
Victor Julien ce26159a03 detect: constify rule file and lines in parsing and analyzer 1 year ago
Victor Julien b649252059 detect/analyzer: add policy
Example output:

    "match_policy": {
        "actions": [
            "alert",
            "drop"
        ],
        "scope": "flow"
    },
1 year ago
Juliana Fajardini 06b506e2cd analysis: report rule state altered by other rule
Flowbits can make a rule such as a packet rule be treated as a stateful
rule, without actually changing the rule type.

Add a flag to allow reporting such cases via engine analysis.

Task #7456
1 year ago
Philippe Antoine 4ec90bd227 detect: absent keyword to test absence of sticky buffer
Ticket: 2224

It takes an argument to match only if the buffer is absent,
or it can still match if the buffer is present, but we test
the absence of some content.

For multi buffers, absent matches if there are 0 buffers.

For file keywords, absent matches if there is no file.
2 years ago
Nancy Enos 98cd2411b6 detect/analyzer: add more details for the tcp window keyword
Ticket: 6352
2 years ago
Alice Akaki 5e563b0c8b detect/analyzer: add more details for flow_age
Ticket: #6312
2 years ago
Alice Akaki fa1addae64 detect/analyzer: add more details for icmp_id
Ticket: #6360
2 years ago
Victor Julien d03660a646 detect: skip pseudo packets if sig needs real pkt
If a signature uses a condition that requires a real packet, filter
out pseudo packets as early as possible. To do this, the SignatureMask
logic is used.

This allows for the removal of checks for pseudo packets in individual
keywords `Match` functions, which will be done in a follow up commit.

Update analyzer to output the new flag.

Ticket: #7002.
2 years ago
Victor Julien 92581dbc06 detect: set ACTION_ALERT for rules that should alert
Replaces default "alert" logic and removed SIG_FLAG_NOALERT.

Instead, "noalert" unsets ACTION_ALERT. Same for flowbits:noalert and
friends.

In signature ordering rules w/o action are sorted as if they have 'alert',
which is the same behavior as before, but now implemented explicitly.

Ticket: #5466.
2 years ago
Philippe Antoine 20423fdd38 style: remove some useless return
and remove empty line before end of function
2 years ago
Philippe Antoine bd3bed6c31 detect/analyzer: add more details for tcp_mss
Issue: #6355
2 years ago
Daniel Olatunji d9148d1023 detect/analyzer: add more details for tcp_seq
Log the matched Sequence number of a packet
Issue: 6353
2 years ago
Daniel Olatunji 6d40517502 detect/analyzer: add more details for the tcp ack keyword
Issue: 6354
Added the DETECT_ACK case to detect-engine-analyzer.c
2 years ago
Victor Julien 3b8ed937d7 detect: remove DCERPC mask logic
Added nothing over alproto check already in place.
3 years ago
Victor Julien de5b8ae0b4 detect/analyzer: print int keyword values correctly
To avoid negative values to be misrepresented.

Bug: #6615.
3 years ago
Hadiqa Alamdar Bukhari 774f05d83d detect/analyzer: add details to flowbits keyword
Task #6309
3 years ago
Juliana Fajardini 3ecb923db1 detect/analyzer: add more details for ipopts
In addition to the ipopts keyword name, also log the ip option that was
matched on.

Task #6348
3 years ago
Jeff Lucovsky c8615bcd47 detect/analysis: Move globals to engine ctx
Issue: 6239

This commit moves the global variables associated with engine analysis
into the detect engine context. Doing so provides encapsulation of the
analysis components as well as thread-safe operation in a multi-tenant
(context) deployment.
3 years ago
Victor Julien c6d3b461a6 detect/analyzer: add the type
Per rule type record properties of the type.

Example output:

    {
        "raw": "alert udp any any -> any any (msg:\"UDP with flow direction\"; flow:to_server; sid:1001;)",
        "id": 1001,
        "gid": 1,
        "rev": 0,
        "msg": "UDP with flow direction",
        "app_proto": "unknown",
        "requirements": [],
        "type": "pkt",
        "flags": [
            "src_any",
            "dst_any",
            "sp_any",
            "dp_any",
            "toserver"
        ],
        "pkt_engines": [],
        "frame_engines": [],
        "lists": {}
    }

Ticket: #6085.
3 years ago
Victor Julien 2696fda041 detect: use explicit rule types
Instead of using flags to indicate a rule type, use an explicit `type`
field.

This will make it more clean in code paths what paths a rule is taking,
and will allow easier debugging as well as analyzer output.

Define the following fields:

- SIG_TYPE_IPONLY: sig meets IP-only criteria and is handled by the IP-only
  engine.
- SIG_TYPE_PDONLY: sig inspects protocol detection results only.
- SIG_TYPE_DEONLY: sig inspects decoder events only.
- SIG_TYPE_PKT:    sig is inspected per packet.
- SIG_TYPE_PKT_STREAM: sig is inspected against either packet payload or
  stream payload.
- SIG_TYPE_STREAM: sig is inspected against the reassembled stream
- SIG_TYPE_APPLAYER: sig is inspected against an app-layer property, but not
  against a tx engine.
- SIG_TYPE_APP_TX: sig is inspected the tx aware inspection engine(s).

Ticket: #6085.
3 years ago
Victor Julien ad88efc2d8 detect: support multi buffer matching
Multi buffer matching is implemented as a way for a rule to match
on multiple buffers within the same transaction.

Before this patch a rule like:

    dns.query; content:"example"; dns.query; content:".com";

would be equivalent to:

    dns.query; content:"example"; content:".com";

If a DNS query would request more than one name, e.g.:

    DNS: [example.net][something.com]

Eeach would be inspected to have both patterns present. Otherwise,
it would not be a match. So the rule above would not match, as neither
example.net and somthing.com satisfy both conditions at the same time.

This patch changes this behavior. Instead of the above, each time the
sticky buffer is specified, it creates a separate detection unit. Each
buffer is a "multi buffer" sticky buffer will now be evaluated against
each "instance" of the sticky buffer.

To continue with the above example:

    DNS: [example.net] <- matches 'dns.query; content:"example";'
    DNS: [something.com] <- matches 'dns.query; content:".com"'

So this would now be a match.

To make sure both patterns match in a single query string, the expression
'dns.query; content:"example"; content:".com";' still works for this.

This patch doesn't yet enable the behavior for the keywords. That is
done in a follow up patch.

To be able to implement this the internal storage of parsed rules
is changed. Until this patch and array of lists was used, where the
index was the buffer id (e.g. http_uri, dns_query). Therefore there
was only one list of matches per buffer id. As a side effect this
array was always very sparsely populated as many buffers could not
be mixed.

This patch changes the internal representation. The new array is densely
packed:

    dns.query; content:"1"; dns.query; bsize:1; content:"2";

    [type: dns_query][list: content:"1";]
    [type: dns_query][list: bsize:1; content:"2";]

The new scheme allows for multiple instances of the same buffer.
These lists are then translated into multiple inspection engines
during the final setup of the rule.

Ticket: #5784.
3 years ago
Victor Julien d518416f0d detect: apply within as depth where possible
The rule lang allows for within and distance to act as depth/offset,
but internally this was not handle the same way. This patch converts
within/distance w/o a prior pattern to depth/within.
3 years ago
Victor Julien 8de2948df8 detect/analyzer: fix lists names
Simpler names that lead to cleaner json.
3 years ago
Victor Julien 325000ca2b detect/analyzer: add byte_test/byte_jump detail 3 years ago
Victor Julien 105dd636cb detect/analyzer: add content relative_next flag 3 years ago
Victor Julien 2b85ab0ba1 detect/analyzer: add more pcre detail 3 years ago
Victor Julien 0c8646959e detect/analyzer: add transform names 3 years ago
Victor Julien ebd8728219 src: fix strict-prototype warnings
Tested on Fedora 37 with clang 15.

app-layer.c:1055:27: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
void AppLayerSetupCounters()
                          ^
                           void
app-layer.c:1176:29: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
void AppLayerDeSetupCounters()
                            ^
                             void
2 errors generated.
4 years ago
Victor Julien b31ffde6f4 output: remove error codes from output 4 years ago
Victor Julien 39cf5b151a src: includes cleanup
Work towards making `suricata-common.h` only introduce system headers
and other things that are independent of complex internal Suricata
data structures.

Update files to compile after this.

Remove special DPDK handling for strlcpy and strlcat, as this caused
many compilation failures w/o including DPDK headers for all files.

Remove packet macros from decode.h and move them into their own file,
turn them into functions and rename them to match our function naming
policy.
4 years ago
Philippe Antoine 02f2602dde src: rework includes as per cppclean 4 years ago
Philippe Antoine c5cf2967b3 detect: fix integer warnings
Ticket: #4516
4 years ago
Victor Julien a0847e6c69 detect/analyzer: minor format string fixes
cppcheck flagged this as:

src/detect-engine-analyzer.c:1359:13: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
            fprintf(rule_engine_analysis_FD, "    Rule contains %d content options, %d http content options, %d pcre options, and %d pcre options with http modifiers.\n", rule_content, rule_content_http, rule_pcre, rule_pcre_http);
            ^
src/detect-engine-analyzer.c:1359:13: warning: %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
            fprintf(rule_engine_analysis_FD, "    Rule contains %d content options, %d http content options, %d pcre options, and %d pcre options with http modifiers.\n", rule_content, rule_content_http, rule_pcre, rule_pcre_http);
            ^
src/detect-engine-analyzer.c:1359:13: warning: %d in format string (no. 3) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
            fprintf(rule_engine_analysis_FD, "    Rule contains %d content options, %d http content options, %d pcre options, and %d pcre options with http modifiers.\n", rule_content, rule_content_http, rule_pcre, rule_pcre_http);
            ^
src/detect-engine-analyzer.c:1359:13: warning: %d in format string (no. 4) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
            fprintf(rule_engine_analysis_FD, "    Rule contains %d content options, %d http content options, %d pcre options, and %d pcre options with http modifiers.\n", rule_content, rule_content_http, rule_pcre, rule_pcre_http);
            ^

Bug: #5291.
4 years ago
Victor Julien 54a6dd09dd detect: pattern id assignment through hash table
Only consider active part of the pattern for mpm (so consider chop).

Move data structure to hash list table over the custom array logic.
4 years ago
Victor Julien 3352c0bee4 detect: initialization optimization
A lot of time was spent in `SigMatchListSMBelongsTo` for the `mpm_sm`.

Optimize this by keeping the value at hand during Signature parsing and
detection engine setup.
4 years ago