Commit Graph

570 Commits (16d227b62089de5b60eea2c9898db8f825ae36de)

Author SHA1 Message Date
Jeff Lucovsky 2841bcf330 doc/config: Update flushing description
Update output flushing description to reflect EVE based approach in
documentation and config template.

Added: Provide update callout for out-of-tree output plugins.

Issue: 8286
(cherry picked from commit e7dc0d885b)
2 months ago
Philippe Antoine 2d5172aaf3 http2: bound number of http2 frames per tx
Ticket: 8289

If stream.reassembly.depth is unlimited,
an attacker controlling the 2 sides of a communication going through Suricata
can send a transition with an infinite number of headers, until suricata OOMs

Solution is to offer a configuration option to bound the number
of HTTP2 frames we store in a HTTP2 transaction, and produce an
anomaly if this bound is crossed

(cherry picked from commit 784e173278)
4 months ago
Lukas Sismis e0f2cdf7c3 hs: prune stale MPM cache files
Hyperscan MPM can cache the compiled contexts to files.
This however grows as rulesets change and leads to bloating
the system. This addition prunes the stale cache files based
on their modified file timestamp.

Part of this work incorporates new model for MPM cache stats
to split it out from the cache save function and aggregate
cache-related stats in one place (newly added pruning).

Ticket: 7893
(cherry picked from commit 15c83be61a)

hs: suppress TOCTOU stat use

To explain a bit more the TOCTOU issue found, we can consider
a case where Suricata starts to prune, yet externally somebody also
starts erasing cache files.
Right after Suricata checks the file age with the stat function,
somebody may delete or update the file of our interest.

Suricata aging decision doesn't reflect the actual state of the file.
This commit additionally adds a check for noent failure of the unlink operation
(considered as a success). The code can still delete a file that is recently
updated but was considered stale.

In the documentation-following deployments this should not happen anyway as
one cache folder should only be used by a single Suricata instance (and within
Suricata instance only one thread handles cache eviction).
Additionally, the `stat` and `unlink` command are immediatelly followed, making
this scenario extra unlikely.

Additional comment in the code explains problems of using fstat and potential
issues on Windows.

Ticket: 8244
(cherry picked from commit 0fe0390a2f)

hs/cache: cleaner and more detailed output

Reduce logging level of a minor informational message.

Split tracking of pruning by age and by version and log those
separately, where the logging only appears if something has been
removed.

Ticket: 8323
(cherry picked from commit 569ba3d26f)

hs: remove redundant file handle in HSLoadCache

HSLoadCache opened the cache file but never used the resulting handle
for reading. The actual read was done by HSReadStream which opened
the same file independently.

Removed the unused fopen/fclose pair and flattened the control flow.

Ticket: 8326
(cherry picked from commit d754b28717)

hs: use binary mode for cache file I/O

HSSaveCache wrote serialized Hyperscan databases using text mode ("w")
while HSReadStream already read them with binary mode ("rb").
Matched file reading modes to the binary format and simplified
write-size check.

Ticket: 8326
(cherry picked from commit 0cdc77b707)

hs: warn about the same cache directory

This is especially relevant for multi-instance simultaneous setups
as we might risk read/write races.

(cherry picked from commit 56c1552c3e)

hs: validate cached database against current HS installation

After deserializing a cached Hyperscan database, verify that its
version, CPU features, and mode match the current Hyperscan
installation by comparing hs_database_info output against a
reference database. Reject loading incompatible caches.

Ticket: 8326
(cherry picked from commit 2e7b12dda4)

hs: include HS platform info in cache file hash

Hash Hyperscan installation info (version, CPU features, mode)
into the cache filename. A Hyperscan upgrade or platform change
would now produce a different filename, so stale caches from an
older installation are never opened.

Ticket: 8326
(cherry picked from commit d640719413)

hs: address coverity warning in a reference string

Move the locking mechanism outside of the getter function and hold the
lock until the reference string is no longer reused.

** CID 1682023:       Concurrent data access violations  (MISSING_LOCK)
/src/util-mpm-hs-cache.c: 139           in HSGetReferenceDbInfo()

(cherry picked from commit 6ec9e5c957)
4 months ago
Philippe Antoine 354d0b2a5c doc/stream: explain absent reassembly.depth means unlimited
Ticket: 8343
4 months ago
Jason Ish bdbc38bca2 dnp3: bound the maximum number of objects per tx
Default to 2048, but provide a user configuration value.

Ticket: #8181
(cherry picked from commit 2c95f1ff44)
6 months ago
Jason Ish c03a8db521 dnp3: set a bound on the number of points per message
16384 is used as the max, but a configuration parameter has been
provided. The reason for setting an upper bound is that bit flags can
create a memory amplification as we parse them into individual data
structures.

Ticket: #8181
(cherry picked from commit 3a32bb5743)
6 months ago
Jason Ish 377c8fded8 dnp3: reduce flood threshold to 32 and make configurable
Lower the number of unreplied requests from 500 to 32 to consider a
flood. At the very least this is an anomaly given the DNP3 spec mentions
that DNP3 should only have one outstanding request at a time, with an
exception for unsolicited responses, so in practice no more than 2
should be seen.

Additionally make this value configurable by introducing the max-tx
parameter.

Ticket: #8181
(cherry picked from commit a16f087b93)
6 months ago
Shivani Bhardwaj 39d8c302af dcerpc: add upper limit on stub data
DCERPC parsers had no upper bounds when it came to extending the stub
data buffer. Traffic can be crafted to bypass some internal parser
conditions to create an indefinite buffering in the stub_data array that
can make Suricata crash.

Add a default limit of 1MiB and make it configurable for the user.

Security 8182

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
(cherry picked from commit e412215af9)
6 months ago
Victor Julien fb1d52f1bd mpm: remove remaining ac-bs references
(cherry picked from commit 08d625bb10)
7 months ago
Victor Julien dccfc4fc2e af-packet: add disable-hwtimestamp option
HW timestamping is not always reliable, so add an option to disable it.

Bug: #1954.
(cherry picked from commit 18a6a079da)
7 months ago
Victor Julien 08925eac18 firewall: add --firewall and firewall.enabled
Allows for enabling firewall mode
1 year ago
Victor Julien 0e18048ef0 firewall: move config into yaml object
To make it easier to group settings or include them.
1 year ago
Lukas Sismis 8817a959e8 threading: support thread autopinning and interface-specific affinity
Using the new configuration format, it is now possible to set CPU affinity
settings per interface.

The threading.autopin option has been added to automatically use CPUs from the
same NUMA node as the interface. The autopin option requires
hwloc-devel / hwloc-dev to be installed and --enable-hwloc flag in configure
script.

Ticket: 7036
1 year ago
Lukas Sismis 733cf34ad7 threading: transform *-cpu-set nodes from list items to nodes
Part of Ticket 2321 work to remove unnecessary lists from
the config file.

Ticket: 2321
1 year ago
Lukas Sismis 390baad7dc util-affinity: move properties of *-cpu-set node one layer up in YAML 1 year ago
Jason Ish 4a655053e8 mdns: add mdns parser, logger and detection
The mDNS support is based heavily on the DNS support, reusing the
existing DNS parser where possible. This meant adding variations on
DNS, as mDNS is a little different. Mainly being that *all* mDNS
traffic is to_server, yet there is still the concept of request and
responses.

Keywords added are:
- mdns.queries.rrname
- mdns.answers.rrname
- mdns.additionals.rrname
- mdns.authorities.rrname
- mdns.response.rrname

They are mostly in-line with the DNS keywords, except
mdns.answers.rdata which is a better than that mdns.response.rrname,
as its actually looking at the rdata, and not rrnames.

mDNS has its own logger that differs from the DNS logger:

- No grouped logging

- In answers/additionals/authorities, the rdata is logged in a field
  that is named after the rdata type. For example, "txt" data is no
  longer logged in the "rdata" field, but instead a "txt" field. We
  currently already did this in DNS for fields that were not a single
  buffer, like SOA, SRV, etc. So this makes things more consistent. And
  gives query like semantics that the "grouped" object was trying to
  provide.

- Types are logged in lower case ("txt" instead of "TXT")

- Flags are logged as an array: "flags": ["aa", "z"]

Ticket: #3952
1 year ago
Lukas Sismis eb52e337da pcap-file: document capture method options 1 year ago
Richard McConnell d81b76d852 output/tls: Allow logging of sv-handshake params
Ticket: 6695

"server_handshake" which logs the following:
1. TLS version used during handshake
2. The chosen cipher suite, excluding GREASE
3. TLS extensions, excluding GREASE
1 year ago
Richard McConnell 94c8be22d4 output/tls: Allow logging of cl-handshake params
Ticket: 6695

Add new custom log fields:

"client_handshake" which logs the following:
1. TLS version used during handshake
2. TLS extensions, excluding GREASE, SNI and ALPN
3. All cipher suites, excluding GREASE
4. All signature algorithms, excluding GREASE

The use-case is for logging TLS handshake parameters in order to survey
them, and so that JA4 hashes can be computed offline (in the case that
they're not already computed for the purposes of rule matching).
1 year ago
Juliana Fajardini 6f81caf8d4 pgsql: clearly indicate redacted password message
If a password message was seen while logging passwords was disabled
for pgsql, this would lead to an empty request being logged.
Instead of simply not logging anything when there is a password message
and this is disabled, however, log instead that said password is
redacted.

Bug #7647
1 year ago
Philippe Antoine 16f74c68aa websocket: use max window bits of 15
Ticket: 7285

As this is the default for websocket, which is bigger than the
defaut for zlib usage

Also limit the decompressed content to the max-payload-size
configuration parameter also used for non-compressed content.

And also use a stateful decoder to store/remember the compression
state to be able to decompress later messages.
1 year ago
Victor Julien 57c73880db lua: enable lua rules by default
Now that sandboxing is in place, lua rule support is enabled by default.
1 year ago
Alex Savage 778053876b pop3: app-layer parser using sawp-pop3
This module uses the sawp-pop3 crate to parse POP3 requests and responses
Features:
- eve logging
- events for parsable but non-RFC-compliant messages

Ticket: 3243
1 year ago
Victor Julien 31d048ed4b firewall: start of firewall rules support
Config:

Firewall rules are like normal rule, with some key differences.

They are loaded separate, and first, from:

```yaml
firewall-rule-path: /etc/suricata/firewall/
firewall-rule-files:
  - fw.rules
```

Can also be loaded with --firewall-rules-exclusive: Mostly for QA purposes.

Allow -S with --firewall-rules-exclusive, so that firewall and threat detection
rules can be tested together.

Rules:

Differences with regular "threat detection" rules:

1. these rules are evaluated before threat detection rules

2. these rules are evaluated in the order as they appear in the rule file

3. currently only rules specifying an explicit hook at supported

   a. as a consequence, no rules will be treated as (like) IP-only, PD-only or
      DE-only

Require explicit action scope for firewall rules. Default policy is
drop for the firewall tables.

Actions:

New action "accept" is added to allow traffic in the filter tables.

New scope "accept:tx" is added to allow accepting a transaction.

Tables:

Rulesets are per table.

Table processing order: `packet:filter` -> `packet:td` -> `app:*:*` -> `app:td`.

Each of the tables has some unique properties:

`packet:filter`:
- default policy is `drop:packet`
- rules are process in order
- action scopes are explicit
- `drop` or `accept` is immediate
- `accept:hook` continues to `packet:td`

`packet:td`:
- default policy is `accept:hook`
- rules are ordered by IDS/IPS ordering logic
- action scopes are implicit
- actions are queued
- continues to `app:*:*` or `alert/action finalize`

`app:*:*`:
- default policy is `drop:flow`
- rules are process in order
- action scopes are explicit
- `drop` is immediate
- `accept` is conditional on possible `drop` from `packet:td`
- `accept:hook` continues to `app:td`, `accept:packet` or `accept:flow`
  continues to `alert/action finalize`

`app:td`:
- default policy is `accept:hook`
- rules are ordered by IDS/IPS ordering logic
- action scopes are implicit
- actions are queued
- continues to `alert/action finalize`

Implementation:

During sigorder, split into packet:filter, app:*:* and general td.

Allow fw rules to work when in pass:flow mode. When firewall mode is enabled,
`pass:flow` will not skip the detection engine anymore, but instead
process the firewall rules and then apply the pass before inspecting threat
detect rules.
1 year ago
Philippe Antoine 706a0bd99b output: option to add suricata version in eve logs
Ticket: 4853
1 year ago
Jason Ish 2fce106aec pcap-log: add bpf filter for packets that are logged
Add an optional bpf filter to pcap-log. If set, packets must match the
filter to be logged, otherwise they will be ignored.

This allows a user to limit what is logged to disk if they have pcap-log
enabled, but still inspect all data captured.

Ticket: #6832
1 year ago
Lukas Sismis 7574be1dc6 ssh: sync the hassh setting with the defaults 1 year ago
Lukas Sismis 5e8c775d77 ssh: add option to select behavior of encrypted parts
Ticket: 6788
1 year ago
Lukas Sismis 185123a130 tls: deprecate "default" as a encryption-handling option
The default value for TLS encryption is generic and not precise.
The new keyword, "track-only" substitues the old keyword, being
more on point what action is actually taken when the TLS flow
reaches an encrypted state.
1 year ago
Philippe Antoine 6afad1af51 smb/log: configuration option for types logging
suricata.yaml output section for smb now parses a types list
and will restrict logging of transactions to these types.

By default, everything still gets logged

Remove unused rs_smb_log_json_request on the way

Ticket: 7620
1 year ago
Shivani Bhardwaj 0aea826776 util: add initial flow rate tracking implementation
In order to track flow rate and thus determine a course of action or
categorize it as elephant flow, track a flow's byte count per direction
in a ring buffer for a given time interval.

The implementation is simple and keeps overwriting the buffer and
updating the final sum. The sum of all the elements in the ring buffer
at any point in time should reflect the number of bytes for the
respective flow in the last of a given configured interval.
e.g. if the definition says that the flows must be tracked by a rate of
100k bytes in 10 seconds, the ring buffer at any point in time should
carry the total number of bytes seen by the respective flow in the last
10 seconds.

So far, the implementation only supports reading the flow rate
definition from suricata.yaml and using it to track the flows.

This solution adds up a space complexity to the existing Flow struct.
However, the added space complexity should only take effect if the
feature is in use. Since this buffer extends the Flow struct, it does
not impact the usual business logic or complexity of the code.

This implementation is currently limited to defining the time interval
of flow rate in seconds only. However, the number of seconds defined are
directly proportional to the aforementioned added space complexity as
that's the size of the ring buffer.

Feature 5647
1 year ago
Lukas Sismis 640d0985c2 dpdk: check for link up before full startup
ICE card (Intel E810) was not receiving packets immediatelly
after startup, Suricata workers would act as processing while
it was not. This eliminates the problem by only continuing
in the initialization if the link is already up.

The setting can be turned off manually from the configuraiton
file.

Ticket: 7381
1 year ago
Lukas Sismis cb997a64dc dpdk: replace global with per-thread mempools
It turned out that having global (interface-specific) mempool
that is shared by the threads of the interface is slower than
having individual mempools per queue for each interface.

The commit brings this change and should be user-invisible,
the config setting remains still as a number of objects of
all mempools summed (of that interface).

Ticket: 7382
1 year ago
Lukas Sismis 2ef2a9e26f dpdk: auto configure Rx/Tx descriptors and mempool size
Ticket: 7380
Ticket: 7373
1 year ago
Alfredo Cardigliano dfd9ef5784 ndpi: initial implementation of nDPI plugin
Ticket: #7231
1 year ago
Lukas Sismis 59c3b8912b util-mpm: prepare MPM codebase for ruleset caching 1 year ago
Shivani Bhardwaj 7f98683d45 stream: use max-region setting from suricata.yaml
1. Add key (commented) to suricata.yaml
2. Give the configured/default key preference, save a check
1 year ago
Jeff Lucovsky a654ad9c9a output/buffer: Change buffer-size default value
The buffer-size value that controls file output buffering defaults to
8k. To be consistent with previous logic, the default is being changed
to 0 (e.g., needed if there are old config files that don't specifically
enable the new value).
1 year ago
Jason Ish 7fdb08b7c7 af-packet: use tpacket v3 by default for ids mode
If "tpacket-v3" is not present in the configuration file, and we are
in IDS mode, default to "tpacket-v3".

Required moving the check for tpacket-v3 after the copy-mode
configuration, so the warning about tpacket-v3 in active modes has
been moved as well.

Ticket: #4798
1 year ago
Jason Ish 374762d202 af-packet: remove use-mmap option
This option is obsolete and was not used in 7.0 as tpacket-v1 support
was removed (see ticket #4796).
1 year ago
Philippe Antoine a7713db709 detect: add configurable limits for datasets
Ticket: 7615

Avoids signatures setting extreme hash sizes, which would lead to very
high memory use.

Default to allowing:
- 65536 per dataset
- 16777216 total

To override these built-in defaults:

```yaml
datasets:
  # Limits for per rule dataset instances to avoid rules using too many
  # resources.
  limits:
    # Max value for per dataset `hashsize` setting
    #single-hashsize: 65536
    # Max combined hashsize values for all datasets.
    #total-hashsizes: 16777216
```
1 year ago
Jason Ish 5871c6458c af-packet: make tpacket-v2 block size configurable
With the change of the default tpacket-v2 block size from 32k to 128k,
allow it to be configurable for users who may want to make it larger,
or revert it back to the pre 7.0.9 default of 32k.

Ticket: #7458
1 year ago
Philippe Antoine b9b797f1f4 detect: non infinite default value for inspection-recursion-limit
So that empty config are protected by this setting as was intended.

Set to unlimited for fuzz testing.
1 year ago
Jeff Lucovsky 49d4686144 main/flush: Support periodic flush logs
Issue: 3449
1 year ago
Jeff Lucovsky 92b2aebe75 conf/output: Buffering related config settings
This commit adds 2 EVE output buffering settings
- buffer-size value which specifies the amount of buffering, if any,
  for regular/file output types.
- flush-interval Specifies the cadence at which Suricata will direct
  detect threads to flush EVE output.

Issue: 3449
1 year ago
Jason Ish c3716ac56b output-lua: lua module search path configuration
By default, use an empty search path. This gives us a predictable
default. If a user needs access to external modules, the search path
must be set in the configuration file.

Ticket: #7169
1 year ago
Cole Dishington c46308957f flow: optionally use pkt recursion for hash
If a Suricata inline IPS device is routing traffic over a
non-encrypted tunnel, like IPv6 tunnels, packets in a flow
will be dropped and not be matched. e.g.

The following example is a Suricata inline IPS with an IPv6 tunnel:
request: IPv4]ICMP] -> |IPS| -> IPv6]IPv4]ICMP]
reply:              <- |IPS| <- IPv6]IPv4]ICMP]
Both the IPv4 request and IPv6 reply will be seen by Suricata on
ingress. The flows will not be matched due to flow recursion level.

Optionally use pkt recursion level in flow hash. Excluding recursion
level in flow hash allows matching of packet flows and defrag on an
inline IPS Suricata scenario where the IPS device is a tunnel
terminator.

Feature: 6260
1 year ago
Philippe Antoine bdcb593738 detect: improve tx_id guessing for unidirectional protocols
So we get:
1. request arrives - buffered due to not ackd
2. response arrives, acks request - request is now parsed, response isn't
3. ack for response, response parsed. Then detect runs for request,
generates alert. We now have 2 txs. txid will be 0 from AppLayerParserGetTransactionInspectId

But txid 1 is unidirectional in the other way, so we can use txid 0
metadata for logging

Ticket: 7449
2 years ago
Victor Julien 6882bcb3e5 stream: add TCP urgent handling options
TCP urgent handling is a complex topic due to conflicting RFCs and
implementations.

Until now the URG flag and urgent pointer values were simply ignored,
leading to an effective "inline" processing of urgent data. Many
implementations however, do not default to this behavior.

Many actual implementations use the urgent mechanism to send 1 byte of
data out of band to the application.

Complicating the matter is that the way the urgent logic is handled is
generally configurable both of the OS and the app level. So from the
network it is impossible to know with confidence what the settings are.

This patch adds the following policies:

`stream.reassembly.urgent.policy`:

- drop: drop URG packets before they affect the stream engine

- inline: ignore the urgent pointer and process all data inline

- oob (out of band): treat the last byte as out of band

- gap: skip the last byte, but do no adjust sequence offsets, leading to
       gaps in the data

For the `oob` option, tracking of a sequence number offset is required,
as the OOB data does "consume" sequence number space. This is limited to
64k. For this reason, there is a second policy:

`stream.reassembly.urgent.oob-limit-policy`:

- drop: drop URG packets before they affect the stream engine

- inline: ignore the urgent pointer and process all data inline

- gap: skip the last byte, but do no adjust sequence offsets, leading to
       gaps in the data

Bug: #7411.
2 years ago
Philippe Antoine f426ee3ee2 detect: rename stream_log variables
to better reflect their true meaning
2 years ago