Commit Graph

12494 Commits (1ad71b96daa2b2655691cfce2a15ccd754d9b290)
 

Author SHA1 Message Date
Jason Ish 1ad71b96da app-layer: remove tx detect state setter and getter
Instead access detect state through AppLayerParserGetTxData.
4 years ago
Jason Ish 9c67c634c1 app-layer: include DetectEngineState in AppLayerTxData
Every transaction has an existing mandatory field, tx_data. As
DetectEngineState is also mandatory, include it in tx_data.

This allows us to remove the boilerplate every app-layer has
for managing detect engine state.
4 years ago
Jason Ish f4b4d531b0 rdp: add tx iterator 4 years ago
Jason Ish 238ec953b7 krb5: use tx iterator 4 years ago
Jason Ish ef0c351953 ntp: add tx iterator 4 years ago
Jason Ish 871fb035b4 sip: add tx iterator 4 years ago
Jason Ish d6b2d7e16a ike: add tx iterator
For IKE the manual iterator functions were there, but never
registered. So this commit does add a tx iterator to ike.
4 years ago
Jason Ish 3f2d2bc12b snmp: use generic tx iterator 4 years ago
Jason Ish ac4c5ada2f dhcp: use generic tx iterator 4 years ago
Jason Ish 54e62ddf71 http2: use generic tx iterator 4 years ago
Jason Ish 6cffecfe3e template: use generic tx iterator 4 years ago
Jason Ish a936755731 nfs: use generic tx iterator 4 years ago
Jason Ish 0188a01daf rfb: use generic tx iterator 4 years ago
Jason Ish b335409690 mqtt: use generic tx iterator 4 years ago
Jason Ish d71bcd82d9 modbus: use generic tx iterator 4 years ago
Jason Ish fcfc9876ce smb: use generic tx iterator 4 years ago
Jason Ish 049d43212e rust/app-layer: provide generic implementation of iterator
Create traits for app-layer State and Transaction that allow
a generic implementation of a transaction iterator that parser
can use when the follow the common pattern for iterating
transactions.

Also convert DNS to use the generic for testing purposes.
4 years ago
Eric Leblond 6d5f59696d profiling: fix profiling with sample rate
Rules profiling was returning invalid results when used with sample
rate. The problem was that the sample condition was run twice in the
packet flow. As a result, the second pass was not initializing the
variable storing the initial CPU ticks and the resulting performance
counters were reporting invalid values.

Bug: #4836.
4 years ago
Philippe Antoine 16f4e5f31c detect: file_data keyword works on nfs protocol
Ticket: #4839
4 years ago
Shivani Bhardwaj 26c7d3cc35 http2: remove needless borrows 4 years ago
Shivani Bhardwaj f3a1e3b92e core: Remove unneeded consts 4 years ago
Shivani Bhardwaj b5a123adb1 ssh: use Direction enum 4 years ago
Shivani Bhardwaj baf30cfc05 snmp: use Direction enum 4 years ago
Shivani Bhardwaj 89cb337930 smb: use Direction enum 4 years ago
Shivani Bhardwaj 8f9f78c2d0 sip: use Direction enum 4 years ago
Shivani Bhardwaj 11c438a07d nfs: use Direction enum 4 years ago
Shivani Bhardwaj a7ac79bed7 mqtt: use Direction enum 4 years ago
Shivani Bhardwaj 209e2f17fa krb: use Direction enum 4 years ago
Shivani Bhardwaj 243960a511 ike: use Direction enum 4 years ago
Shivani Bhardwaj ee5b300ccf http2: use Direction enum 4 years ago
Shivani Bhardwaj 0c6e9ac931 files: use Direction enum 4 years ago
Shivani Bhardwaj a19d2b4e1e dns: use Direction enum 4 years ago
Shivani Bhardwaj a866499bca dcerpc: use Direction enum 4 years ago
Shivani Bhardwaj 9512bfd729 core: add Direction enum
Ticket: 3832
4 years ago
Andreas Dolp b25350ee13 doc: Fix typo in documentation of rule keyword flow 4 years ago
Philippe Antoine 6cb6225b28 tcp: rejects FIN+SYN packets as invalid
Ticket: #4569

If a FIN+SYN packet is sent, the destination may keep the
connection alive instead of starting to close it.
In this case, a later SYN packet will be ignored by the
destination.

Previously, Suricata considered this a session reuse, and thus
used the sequence number of the last SYN packet, instead of
using the one of the live connection, leading to evasion.

This commit errors on FIN+SYN so that they do not get
processed as regular FIN packets.
4 years ago
Victor Julien 50e2b973ee stream/tcp: handle RST with MD5 or AO header
Special handling for RST packets if they have an TCP MD5 or AO header option.
The options hash can't be validated. The end host might be able to validate
it, as it can have a key/password that was communicated out of band.

The sender could use this to move the TCP state to 'CLOSED', leading to
a desync of the TCP session.

This patch builds on top of
843d0b7a10 ("stream: support RST getting lost/ignored")

It flags the receiver as having received an RST and moves the TCP state
into the CLOSED state. It then reverts this if the sender continues to
send traffic. In this case it sets the following event:

    stream-event:suspected_rst_inject;

Bug: #4710.
4 years ago
Philippe Antoine 3212fa7d2b ntp: fixes leak of de_state
Bug: #4752.
4 years ago
Philippe Antoine 28a3181a2d snmp: fixes leak of de_state
Bug: #4752.
4 years ago
Philippe Antoine f37240a3e2 smb: midstream probing checks for netbios message type
If it is available

Bug: #4620.
4 years ago
Philippe Antoine be617a3c1b protodetect: opposing side cannot change protocol
Ticket: #4562

As the data which triggered the opposing side
was the same protocol and not another one,
that means the protocol change failed.

Prevents a memory leak in later call of AppLayerParserParse
which would allocate a new state and leak the old one
4 years ago
Philippe Antoine f44bbbb9ad smtp: completes RSET transaction on last multiline
Bug: #4561.
4 years ago
Philippe Antoine f211a330dd swf: right input length for decompression
Also when compress_depth reaches buffer_len

Bug: #4536.
4 years ago
Philippe Antoine 8f8823b6f2 rust: right condition for both uint to be zero
Theay can overflow leading to their addition to be zero

If a NFS read reply indicates a count of 0xFFFFFFFF

Bug: #4680.
4 years ago
Philippe Antoine 689ac97d72 inspect: debug validation to ensure correct argument 4 years ago
Philippe Antoine c3339c853e detect: fixes InspectionBuffer id with transforms
When InspectionBufferGet gets called with base_id
Later InspectionBufferSetup must also be called with base_id

In case there were transforms, we had base_id != list_id

Not calling InspectionBufferSetup with the right id
resulted in leaving a dangling pointer,
because it was not added to det_ctx->inspect.to_clear_queue

Bug: #4681.
4 years ago
Victor Julien 244dd11c34 flow/manager: fix flows not evicted & freed in time
Flows have been shown to linger for a long time w/o giving up their
resources. This would lead to higher memory use and memcaps getting
reached.

Three main causes have been identified:

Slow passes hash passes. By default the flow manager will scan the
flow hash slowly. It is based on the flow timeout settings, and with
the default config it will take 4 minutes for a full scan to be
complete. This leaves a window for flows that are timed out to linger
for minutes longer than expected.

Flow Manager yields under pressure. The per row TryLock causes work
to be delayed more. The Flow manager will use trylock on a hash row
and will yield immediately if the row is busy. This means that it will
take a full pass before the row is revisited again. If the row holds
busy flows, this could happen many times in a row.

Flow Manager favors evicted flows over active flows. The Flow Manager
will only process the evicted flows if they are present. These flows
have been evicted by workers. The active flows on that hash row will
have to wait until the next hash pass. Of course by then there could
be more evicted flows.

Combined these factors could lead to flows not being considered for
freeing and logging for a very long time, potentially even indefinitly.

The patch addresses the latter two flow manager issues by no longer
using TryLock. It will now simply wait for the lock to be released and
then do its work on it. Additionally for each row both the evicted list
and the active flow list will be processed.

Bug: #4650.
4 years ago
Victor Julien ace349d4d9 af-packet: simplify tpacket-v2 setup code
Setup can no longer fail, so make the function void and remove dead
error checking code.
4 years ago
Victor Julien 2cbfcce0ac af-packet: PacketSetData can't fail; remove check
PacketSetData() can't fail unless the input pointer is NULL, which is
impossible from the af-packet paths calling it. Remove error check to
avoid possible branching.
4 years ago
Victor Julien 12252ba751 af-packet: fix if/down issues with tpacket-v2/autofp
The AFPSwitchState function would close the socket and free the
other resources when the interface went down _and_ the ref cnt was
0. However in autofp mode it was common to get to this point while
packets were still processed in the autofp worker threads, meaning
the ref cnt would not be 0. On the interface coming back up the
initialization code would overwrite the socket and rings, leading
to resource leaks.

Socket ref cnt is decremented from the v2 release callback. If the
callback would get to ref cnt 0, the packet would not be released
in the kernel, but it would (possibly) close the socket if the
iface was down, but not free other resources.

This patch changes the logic to first release the packet to the
kernel and then decrement the ref cnt and it makes the main receive
loop the only one responsible for opening and closing sockets. Wait
with closing the socket and rings until the ref count is 0, which can
happen after AFPSwitchState is called due to packets still being
processed by autofp worker threads.

Bug: #4803.
4 years ago