Commit Graph

824 Commits (1f6a15cdf3a65d9d911b734dc6a8142dec3b2a7c)

Author SHA1 Message Date
Jason Ish 5513b4ed0b rust/json: expose libjansson json_dumps
This will be temporarily used by JsonBuilder to add the ability
to extend JsonBuilder with Jansson's json_t types.
5 years ago
Victor Julien 9fd326b6c0 ssh: minor cleanups in incomplete handling 5 years ago
Victor Julien 3a2434ed4d app-layer: support Copy and Clone traits in AppLayerResult 5 years ago
Victor Julien b0288da686 app-layer: add methods to get status from AppLayerResult 5 years ago
Philippe Antoine 6373071aa3 ssh: handles incomplete record after banner
To signal incomplete data, we must return the number of
consumed bytes. When we get a banner and some records, we have
to take into account the number of bytes already consumed by
the banner parsing before reaching an incomplete record.
5 years ago
Philippe Antoine 69b4fffdae parse: move SSH parser from C to Rust 6 years ago
Philippe Antoine cb3c478525 style: compressed function headers for rustfmt 6 years ago
Philippe Antoine 6b2e7dde7d rust: export enums definition to C 6 years ago
Shivani Bhardwaj 80adf7d1cf smb: Import constants from DCERPC
Remove DCERPC constants to avoid duplicate name errors. Import the
required constants from DCERPC implementation.
6 years ago
Shivani Bhardwaj 6457754fd6 dcerpc: Replace C function calls with Rust
All the dead code in C after the Rust implementation is hereby removed.
Invalid/migrated tests have also been deleted.
All the function calls in C have been replaced with appropriate calls to
Rust functions. Same has been done for smb/detect.rs as a part of this
migration.
6 years ago
Shivani Bhardwaj 8036202c7b rust: Add DCERPC parser
This parser rewrites the DCE/RPC protocol implementation of Suricata
in Rust. More tests have been added to improve the coverage and some
fixes have been made to the tests already written in C. Most of the
valid tests from C have been imported to Rust.

File anatomy

src/dcerpc.rs
This file contains the implementation of single transactions in DCE/RPC
over TCP. It takes care of REQUEST, RESPONSE, BIND and BINDACK business
logic before and after the data parsing. DCERPCState holds the state
corresponding to a particular transaction and handles all important
aspects. It also defines any common structures and constants required
for DCE/RPC parsing irrespective of the carrier protocol.

src/dcerpc_udp.rs
This file contains the implementation of single transactions in DCE/RPC
over UDP. It takes care of REQUEST and RESPONSE parsing. It borrows the
Request and Response structs from src/dcerpc.rs.

src/detect.rs
This file contains the implementation of dce_iface and opnum detect
keywords. Both the parsing and the matching is taken care of by
functions in this file. Tests have been rewritten with the test data
from C.

src/parser.rs
This file contains all the nom parsers written for DCERPCRequest,
DCERPCResponse, DCERPCBind, DCERPCBindAck, DCERPCHeader, DCERPCHdrUdp.
It also implements functions to assemble and convert UUIDs. All the
fields have their endianness defined unless its an 8bit field or an
unusable one, then it's little endian but it won't make any difference.

src/mod.rs
This file contains all the modules of dcerpc folder which should be
taken into account during compilation.

Function calls

This is a State-wise implementation of the protocol for single
transaction only i.e. a valid state object is required to parse any
record. Function calls start with the app layer parser in C which
detects the application layer protocol to be DCE/RPC and calls the
appropriate functions in C which in turn make a call to these functions
in Rust using FFI. All the necessary information is passed from C to the
parsers and handlers in Rust.

Implementation

When a batch of input comes in, there is an analysis of whether the
input header and the direction is appropriate. Next check is about the
size of fragment. If it is as defined by the header, process goes
through else the data is buffered and more data is awaited. After this,
type of record as indicated by the header is checked. A call to the
appropriate handler is made. After the handling, State is updated with
the latest information about whatever record came in.
AppLayerResult::ok() is returned in case all went well else
AppLayerResult::err() is returned indicating something went wrong.
6 years ago
Shivani Bhardwaj 6db1f19d62 rust: Add debug_validate_bug_on macro
This macro allows to check if certain parts of the code are reachable
during fuzzing.
6 years ago
Shivani Bhardwaj 57ad609a97 rust: Add new crate uuid 6 years ago
Shivani Bhardwaj ab6b4986ce rust: Add Debug and PartialEq to AppLayerResult 6 years ago
frank honza bbe9137f20 rfb: Update incomplete handling in parser.
This commit adds an updated incomplete handling for the RFB-Parser. If
incomplete data is processed, the successfully consumed position and
length of remainder + 1 is returned. If the next packet is not empty
suricata will call the parser again.

This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
6 years ago
Philippe Antoine edcb784f1a dns: improve probe_tcp handling of incomplete data 6 years ago
Sascha Steinbiss 713c379427 rfb: make sure size calculations do not overflow
Addresses #3570 by extra checking of calculated size requests.

With the given input, the parser eventually arrived at
parser::parse_failure_reason() which parsed from the remaining four
bytes (describing the string length) that the failure string to follow
would be 4294967295 bytes long. While calculating the total size of the
data to request via AppLayerResult::incomplete(), adding the four bytes
for the parsed but not consumed string length caused the u32 length to
overflow, resulting in a much smaller value triggering the bug condition.

This problem was addressed by more careful checking of values in each step
that could overflow: one subtraction, one addition (which could overflow
the usize length values), and a final check to determine whether the result
still fit into the u32 values required by AppLayerResult::incomplete().
If so, we would safely convert the values and pass them to the result type.
If not, we simply return AppLayerResult::err() but do not erroneously and
silently request the wrong amount.
6 years ago
Pierre Chifflier 01aef49cbd rust/x509: map decoding errors to decoder events 6 years ago
Pierre Chifflier 36d2e257c6 rust/x509: use the raw serial number so leading zeros are not removed 6 years ago
Pierre Chifflier d92321d8b1 ssl/tls: use the rust decoder to decode X.509 certificates 6 years ago
Pierre Chifflier 10d9deec9f rust: add common function to exchange CString objects from/to C 6 years ago
Sascha Steinbiss 26123e05f2 rfb: use more idiomatic Rust code
Using 'if let Some()...' makes the code in these many checks more
concise and readable.
6 years ago
Frank Honza 1c8943dedd add RFB parser
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

 - rfb.name: Session name as sticky buffer
 - rfb.sectype: Security type, e.g. VNC-style challenge-response
 - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
6 years ago
Victor Julien acef21b759 app-layer: extend AppLayerResult to add convenience 6 years ago
Victor Julien 2f5834cdfa rust: merge parser.rs into applayer.rs
Both were serving the same purpose.
6 years ago
Victor Julien 21e6f1f063 app-layer: document return macros 6 years ago
Victor Julien 5b9b0b7226 nfs: switch to new 'incomplete' logic
Remove buffering code in favor of using incomplete API.
6 years ago
Victor Julien 66598f9ce7 nfs: switch to AppLayerResult 6 years ago
Victor Julien 5cd9cfb5a0 smb: update return type of GAP handling 6 years ago
Victor Julien 4bf87d30e4 smb: convert to return AppLayerResult
Support returning 'incomplete' and remove the buffering
code from the parser.
6 years ago
Victor Julien 674b8dc0fb app-layer: add 'incomplete' return logic
Allow app-layer parsers to indicate how much data they need
before being called again.
6 years ago
Victor Julien 44d3f264bf app-layer: update API to return more details
Add AppLayerResult struct as the Parser return type in
preparation of allowing returning 'Incomplete(size)' similar
to what nom in Rust allows.
6 years ago
Victor Julien 3bcf948a75 app-layer: change return codes
This patch simplifies the return codes app-layer parsers use,
in preparation of a patch set for overhauling the return type.

Introduce two macros:

APP_LAYER_OK (value 0)
APP_LAYER_ERROR (value -1)

Update all parsers to use this.
6 years ago
Victor Julien 6ae66cb2bb nfs: code cleanups
Use 'if let' to replace simple 'match' statements.

Use explicit returns to easy code review.
6 years ago
Victor Julien a729d266c3 smb: fix rustc 1.42 warnings 6 years ago
Jason Ish a0e3e2d7b4 dns: register parsers from Rust
And port the C DNS tests to Rust.
6 years ago
Jason Ish 0af9a3a5f7 dns: remove C wrapper functions to Rust
Remove registration of C wrapper functions and register
the Rust functions directly for UDP.
6 years ago
Jason Ish 1b44f839e6 dns: cleanup: move event callbacks into Rust
Remove app-layer-dns-common.c as its no longer needed.
6 years ago
Jason Ish ca5a3f0f04 dns: cleanup: remove unused events
Removed events that are no longer used since the Rust
implementation of DNS:
- UnsolicitedResponse
- StateMemCapReached
- Flooded
6 years ago
Jason Ish d809b0959b dns: cleanup: move DnsGetRcode (Lua) to rust
Move the implementation of Lua DnsGetRcode to Rust.
6 years ago
Philippe Antoine 23f796a021 kerberos: fix against packet split in record size 6 years ago
Victor Julien 76dd951523 krb5/tcp: remove notice logging on failed records 6 years ago
Sascha Steinbiss 11912bd715 sip: address trailing space parsing 6 years ago
Victor Julien 74305c0486 rust/nfs: minor code cleanups 6 years ago
Victor Julien 576e92983e rust/rpc: add partial data tests 6 years ago
Pierre Chifflier 442500678b rust: use the streaming version of combinators to fix incomplete reads 6 years ago
Pierre Chifflier df9a4fd635 rust/rdp: use the streaming version of combinators to fix incomplete reads 6 years ago
Pierre Chifflier 2561da89c0 rust/rdp: fix regression introduced during nom 5 upgrade 6 years ago
Pierre Chifflier f3ddd7127c rust: Add types annotation when required
Unfortunately, the transition to nom 5 (and functions instead of macros)
has side-effects, one of them being requiring lots of types annotations
when using a parsing, for ex in a match instruction.
6 years ago
Pierre Chifflier 62e31396ae rust/ftp: upgrade to nom 5
CompleteByteSlice type has been removed, and replaced by combinators
under the nom::character::complete namespace.
6 years ago
Pierre Chifflier 1a505ccd11 rust/rdp: add custom error handling 6 years ago
Pierre Chifflier d1bf34a427 rust/smb: add custom error handling 6 years ago
Pierre Chifflier 1ab8c5763c rust: add SecBlobError custom error type for the Kerberos parser 6 years ago
Pierre Chifflier 030c9a3d86 rust: add take_until_and_consume replacement function 6 years ago
Pierre Chifflier 8664a55ee7 rust/dns: remove unneeded calls to closure! 6 years ago
Pierre Chifflier 5b809f77f1 rust: upgrade all parsers to nom 5 6 years ago
Philippe Antoine 6663246563 parser: make rust probing parsers optional 6 years ago
Victor Julien f68c255f09 nfs: implement post-GAP transaction cleanup
Close all prior transactions in the direction of the GAP, except the
file xfers. Those use their own logic described below.

After a GAP all normal transactions are closed. File transactions
are left open as they can handle GAPs in principle. However, the
GAP might have contained the closing of a file and therefore it
may remain active until the end of the flow.

This patch introduces a time based heuristic for these transactions.
After the GAP all file transactions are stamped with the current
timestamp. If 60 seconds later a file has seen no update, its marked
as closed.

This is meant to fix resource starvation issues observed in long
running SMB sessions where packet loss was causing GAPs. Due to the
similarity of the NFS and SMB parsers, this issue is fixed for NFS
as well in this patch.

Bug #3424.
Bug #3425.
6 years ago
Victor Julien d41aeccea4 smb: handle file transactions post-GAP
After a GAP all normal transactions are closed. File transactions
are left open as they can handle GAPs in principle. However, the
GAP might have contained the closing of a file and therefore it
may remain active until the end of the flow.

This patch introduces a time based heuristic for these transactions.
After the GAP all file transactions are stamped with the current
timestamp. If 60 seconds later a file has seen no update, its marked
as closed.

This is meant to fix resource starvation issues observed in long
running SMB sessions where packet loss was causing GAPs.
6 years ago
Jason Ish 80cafb2979 flow: expose last time as a function
This function returns the individual components
of the timeval in output pointers making it suitable
for use over Rust FFI.
6 years ago
Jason Ish 1e741641a6 rust: make clean fixups
For make clean, only remove gen/ if cbindgen is available.
This prevents make clean from remove gen when the headers
were bundled, but cbindgen is not available to remove them.

Unconditionally remove gen and vendor in maintainerclean.
6 years ago
Jason Ish 53aaa82deb rust: set edition to 2018 6 years ago
Jason Ish e68dfa46a6 rust: cargo fix for Rust 2018 edition 6 years ago
Jason Ish 5fbe020585 rust/cbindgen: Revert Makefile to a more pre-cbindgen state
The modifications as part of the cbindgen commit caused issues
with distcheck, revert the Makefile to how it was with the Python
generator, but still using cbindgen.

Also always assume we'll include the generated headers in the
distribution archive to fix make distcheck from distribution
archives with headers included, but no cbindgen.
6 years ago
Danny Browning b573c16dd5 build: cbindgen
Rust headers are now generated using cbindgen. If cbindgen is present, they can
be generated during dist, otherwise they will be available for builds.
6 years ago
Victor Julien ce0ae81d95 rust: fix vendor use on MinGW 6 years ago
Jason Ish 57b683233d rust: Don't use --frozen during build.
If sources are vendored, we get the same effect of using frozen
with a lock file, and the Cargo.lock is generated based
on the vendored sources.

This also removes the need to ship a Cargo.lock.

Fixed out of source builds with vendored sources.
6 years ago
Jason Ish c6f168eb98 rust/Makefile: Don't include Cargo.toml
There is no need to include Cargo.toml in the distribution,
it is always generated from Cargo.toml.in during
./configure.
6 years ago
Jason Ish 5ee8323028 rust: remove unnecessary parentheses (Rust 1.40 fixup)
Rust 1.40 in strict mode will now fail the build on the
presence of unnecessary parentheses.

warning: unnecessary parentheses around type
  --> src/smb/smb2_ioctl.rs:41:12
   |
41 |         -> (&mut SMBTransaction)
   |            ^^^^^^^^^^^^^^^^^^^^^ help: remove these parentheses
   |
   = note: `#[warn(unused_parens)]` on by default
6 years ago
Victor Julien f5b33a070a smb1: allow empty trans records 6 years ago
Victor Julien 40fe29de96 smb1: fix 'event' txs not getting closed
If the only reason we created a request side TX was to set an event,
we would not close it.

This patch always looks up the TX from the response side.
6 years ago
Victor Julien 129cd28058 smb/dcerpc: close request tx sooner 6 years ago
Victor Julien 44ac3e30dd smb: post-GAP handling update
Close all prior transactions in the direction of the GAP, except the
file xfers. Those use their own logic.
6 years ago
Victor Julien a7ee2ffbde smb: winreg is a DCERPC facility 6 years ago
Ciprian c9cd7559fd configure: fixing rust/cargo cross compile command
adding --target argument to cargo command line when cross compiling
6 years ago
Jason Ish e2c846d01f snmp: add tx detect flags 6 years ago
Jason Ish fa4b9d37c2 krb5: register tx detect flags
Related ticker #3345:
https://redmine.openinfosecfoundation.org/issues/3345
6 years ago
Jason Ish 8a232be77e rust: define TxDetectFlag struct and binding macros
Define a TxDetectFlag type and macros to generating C
bindings for getting and settings the tx detect
flags.
6 years ago
Jason Ish cde49ec246 rust: add tx detect flags function to registration struct 6 years ago
Victor Julien f9155aa121 files: simplify pruning logic
Since ebcc4db84a the flow worker runs
file pruning after parsing, detection and loging. This means we can
simplify the pruning logic. If a file is in state >= CLOSED, we can
prune it. Detection and outputs will have had a final chance to
process it.

Remove the calls to the pruning code from Rust. They are no longer
needed.
6 years ago
Victor Julien b4318a11e3 rust: remove build system HAVE_RUST guards 6 years ago
Jason Ish a3cdef2b4d rust: run tests with same features as build
Cargo check wasn't being passed --features so could have a different
configuration than the build.
6 years ago
Jason Ish 389272f4c7 rustup: handle rustup for sudo and su
If rustup is in use, and a user uses sudo or su for the make
install, the install may fail with a "no default toolchain"
error.

To prevent this, detect at configure if rustup is being used,
then set RUSTUP_HOME for all calls to cargo.
6 years ago
Jason Ish 6e981fd15a rust: fix build when source directory has spaces in it
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2668
6 years ago
Jason Ish f9c9548b74 configure: detect lua integer size
Lua 5.1 and 5.3 use a different integer size. Run a test program
to set the integer size used in the Rust FFI layer to Rust.
6 years ago
Jeff Lucovsky bd691778eb rust/ftp: add parser for active mode port handling 6 years ago
Jason Ish 517ecd68a9 sip: rustfmt
As this is new Rust code, format with rustfmt using default
styling.
6 years ago
Jason Ish a45a2fa1fc sip: disable by default in 5.0 6 years ago
Jason Ish fdbc2fe49c sip rust fixup: remove unused import in tests 6 years ago
Giuseppe Longo e06291922f detect/sip.response_line: add sticky buffer
Matches on response line field in SIP.
6 years ago
Giuseppe Longo 17de4a8023 detect/sip.request_line: add sticky buffer
Matches on request line field in SIP.
6 years ago
Giuseppe Longo 8939ece538 detect/sip.stat_msg: add sticky buffer
Matches on status msg field in SIP.
6 years ago
Giuseppe Longo bd2219cac6 detect/sip.stat_code: add sticky buffer
Matches on status code field in SIP.
6 years ago
Giuseppe Longo 8454122eb2 detect/sip.protocol: add sticky buffer
Matches on protocol field in SIP.
6 years ago
Giuseppe Longo 2661c5b298 detect/sip.uri: add sticky buffer
Matches on uri field in SIP.
6 years ago
Giuseppe Longo 424eead8c0 detect/sip.method: add sticky buffer
Matches on uri field in SIP.
6 years ago
Giuseppe Longo edc2a583a9 rust/sip: add SIP logger 6 years ago
Giuseppe Longo 2e975a0481 rust/sip: add parser for SIP protocol 6 years ago
Jason Ish d79c23baa3 dns/detect: dns.opcode keyword
Add a rule keyword, dns.opcode to match on the opcode flag
found in the DNS request and response headers.

Only exact matches are allowed with negation.

Examples:
  - dns.opcode:4;
  - dns.opcode:!1;
6 years ago
Victor Julien 85ba2e16ba rust/conf: don't print failed conf lookups at info level 6 years ago
Jason Ish 664605b5f1 rdp: disable rdp by default for 5.0 6 years ago
Jason Ish 0f10298990 rdp: address comments in pull request
Pull request:
https://github.com/OISF/suricata/pull/4174

- fix commit: range -> set
- OUTPUT_BUFFER_SIZE -> JSON_OUTPUT_BUFFER_SIZE
- output: check for initdata first
6 years ago
Zach Kelly caef8b5b38 protocol parser: rdp
Initial implementation of feature 2314:
1. Add protocol parser for RDP
2. Add transactions for RDP negotiation
3. Add eve logging of transactions
6 years ago
Jason Ish 5f1d21f247 dns: handle mid stream pickup on response packet
Related Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2146
6 years ago
Jason Ish 42e5065ab8 rust: update to Rust 2018 with cargo fix
Migrate to Rust 2018 edition.

Credit to Danny Browning for first demontrating this:
https://github.com/OISF/suricata/pull/3604/commits
6 years ago
Shivani Bhardwaj 8bebea5d4c rust: Get rid of unneeded macros, fix warnings 6 years ago
Victor Julien 579cc9f02b const: constify decoder, app-layer, detect funcs 6 years ago
Jason Ish 8f66f39b29 rustfmt: use default rustfmt configuration
Remove our config that limited line length to 80 columns.
6 years ago
Shivani Bhardwaj f750e4ca40 configure: Remove enable-rust-debug
Get rid of enable-rust-debug flag and use enable-debug for acheiving the
desired functionality. From now, adding `--enable-debug` to `configure`
shall create an [unoptimitized + debuginfo] target. Rest behavior stays
the same.

Closes redmine ticket #3054
6 years ago
Shivani Bhardwaj 6d39f6fd7d rust: Fix deprecation warnings
Fix the following warnings by compiler,
(1) warning: use of deprecated item 'take_until_s': Please use `take_until` instead
(2) warning: `...` range patterns are deprecated

For the second warning, the builtin lint
"ellipsis_inclusive_range_pattern" has been added which causes the
following warning to show up with rustc 1.24.

warning: unknown lint: `ellipsis_inclusive_range_patterns`
  --> /home/travis/build/OISF/suricata/suricata-5.0.0-dev/rust/src/lib.rs:18:10
   |
18 | #![allow(ellipsis_inclusive_range_patterns)]
   |          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   |
   = note: #[warn(unknown_lints)] on by default

Since there is no other way to fix this, the above warning shall stay.
We need to take care of modifying this if and when the support for 1.24
as MSRV is dropped.
6 years ago
Shivani Bhardwaj bbfd706e1f rust: fix compiler warning
rustc 1.36 introduced:

error: variable does not need to be mutable
   --> src/dhcp/parser.rs:202:17
    |
202 |             let mut malformed_options = false;
    |                 ----^^^^^^^^^^^^^^^^^
    |                 |
    |                 help: remove this `mut`
    |
note: lint level defined here
   --> src/lib.rs:18:38
    |
18  | #![cfg_attr(feature = "strict", deny(warnings))]
    |                                      ^^^^^^^^
    = note: #[deny(unused_mut)] implied by #[deny(warnings)]

error: aborting due to previous error

error: Could not compile `suricata`.

Ticket #3072.
6 years ago
Pierre Chifflier af7d245a31 rust/snmp: add event when expected/received PDU versions mismatch 6 years ago
Pierre Chifflier 1880f6945c rust/snmp: use generic parsing function, for all SNMP versions
Do no restrict parsing to the version seen in the first packet, but
use a generic function, independent of the version.
6 years ago
Jeff Lucovsky 6911cc01ad rust/snmp: Support get-info-by-id 6 years ago
Jeff Lucovsky 7560b75591 rust/ntp: Support get-info-by-id 6 years ago
Jeff Lucovsky 12c2d18c8b rust/krb: Support get-info-by-id 6 years ago
Jeff Lucovsky fb01641629 rust/ikev2: Support get-info-by-id 6 years ago
Jeff Lucovsky e3ca6b43fc rust/dhcp: Support get-info-by-id 6 years ago
Jeff Lucovsky a5d9d37c34 rust/parser: Extend Rust parser for event-by-id
Extend the Rust parsing infrastructure with the "get event info by id"
calls. This changeset extends the parser structure, the C-based
registration handlers and the template parser.
6 years ago
Jeff Lucovsky 9ccc28baeb rust/smb: Implement get event by id 6 years ago
Jeff Lucovsky 643864a8f5 rust/snmp: fix libc deprecation warnings 6 years ago
Victor Julien 3f6624bf16 rust: remove libc crate dependency
Use std::os::raw instead.
6 years ago
Victor Julien 28ed0d3a18 nfs: implement get_event_info_by_id callback 6 years ago
Victor Julien 429ca858dc rust/gen: turn *mut*const T into const T ** 6 years ago
Jeff Lucovsky d568e7fadd eve/logging: 2991 Optimize logging by TX
This changeset makes changes to the TX logging path. Since the txn
is passed to the TX logger, the TX can be used directly instead of
through the TX id.
6 years ago
Jeff Lucovsky 1a1d32c6b2 make: Remove rust generated headers during clean 6 years ago
Pierre Chifflier c1b30fe9fd rust/snmp: fix libc deprecation warnings for int types 6 years ago
Pierre Chifflier bc07656ce7 rust/snmp: use snake_case when logging PDU types 6 years ago
Pierre Chifflier c60f2028e5 rust/snmp: fix missing IPPROTO_* declarations (use core) 6 years ago
Pierre Chifflier 031cbbe868 rust/snmp: fix selection of v1/v2c parser 6 years ago
Pierre Chifflier 9dfec7e734 SNMP: add the "snmp.pdu_type" detection keyword 6 years ago
Pierre Chifflier e1dd19a0eb SNMP: add the "snmp.community" detection keyword 6 years ago
Pierre Chifflier aa608e0ca2 SNMP: add the "snmp.version" detection keyword 6 years ago
Pierre Chifflier 60324740e6 SNMP: use explicit references to support build with old rust compiler 6 years ago
Pierre Chifflier 57b233f462 SNMP: start looking for transactions from end of list 6 years ago
Pierre Chifflier 6fc7fc74cb SNMP: add logger 6 years ago
Pierre Chifflier 2df840a8b8 Add SNMP (v1/v2c/v3) application layer 6 years ago
Pierre Chifflier b65896c0de Rust: expose function AppLayerParserRegisterGetTxIterator 6 years ago
Victor Julien b1d4931842 rust: fix warnings about wrong type of comments
"rustdoc does not generate documentation for macro expansions"
6 years ago
Victor Julien bf1bd407dd rust: fix libc deprecation warnings for int types 6 years ago
Victor Julien 723f1586ca ikev2: remove excess new lines 6 years ago
Victor Julien adcbac1c77 tftp: properly implement tx handling 6 years ago
Victor Julien 63ab296cca nfs: fix integer underflow
Fix int underflow that leads to Rust panic in NFS3 readdirplus
parsing.

Reported-by: Sirko Höer -- Code Intelligence for DCSO.
7 years ago
Jason Ish 8be4142aaf dhcp: verify client id len before parsing data
Verify that the client id length is at least 2 per the DHCP
protocol rfc before parsing the data.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2902
7 years ago
Jason Ish 9d75fdc6ea rust/ftp: validate port components in passive reponse
Make sure they are valid 8 bit integers before combining the
two parts into a u16 to prevent an overflow of the u16
return value.

Add unit tests to check parsing of invalid ports.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2904
7 years ago
Victor Julien 24d6a16459 rust/mingw: build fixes
Fix path passed to cargo by using 'cygpath' if available.
7 years ago
Victor Julien f84667ceb7 nfs: small cleanups 7 years ago
Victor Julien 822a434036 nfs: implement midstream reverse flow support
Register special midstream version of protocol detection that
can indicate the flow is the wrong direction based on the record
properties.
7 years ago
Victor Julien 7f0bdc6621 rust/mingw: fix C glue code generator 7 years ago
Victor Julien 0301ceab13 rust/mingw: fix missing IPPROTO_* declarations
The libc crate doesn't provide these on MinGW, so define them in
our 'core' instead. We only use IPPROTO_TCP and IPPROTO_UDP.

Bug #2733
7 years ago
Victor Julien 422e4892cc proto-detect: improve midstream support
When Suricata picks up a flow it assumes the first packet is
toserver. In a perfect world without packet loss and where all
sessions neatly start after Suricata itself started, this would be
true. However, in reality we have to account for packet loss and
Suricata starting to get packets for flows already active be for
Suricata is (re)started.

The protocol records on the wire would often be able to tell us more
though. For example in SMB1 and SMB2 records there is a flag that
indicates whether the record is a request or a response. This patch
is enabling the procotol detection engine to utilize this information
to 'reverse' the flow.

There are three ways in which this is supported in this patch:

1. patterns for detection are registered per direction. If the proto
   was not recognized in the traffic direction, and midstream is
   enabled, the pattern set for the opposing direction is also
   evaluated. If that matches, the flow is considered to be in the
   wrong direction and is reversed.

2. probing parsers now have a way to feed back their understanding
   of the flow direction. They are now passed the direction as
   Suricata sees the traffic when calling the probing parsers. The
   parser can then see if its own observation matches that, and
   pass back it's own view to the caller.

3. a new pattern + probing parser set up: probing parsers can now
   be registered with a pattern, so that when the pattern matches
   the probing parser is called as well. The probing parser can
   then provide the protocol detection engine with the direction
   of the traffic.

The process of reversing takes a multi step approach as well:

a. reverse the current packets direction
b. reverse most of the flows direction sensitive flags
c. tag the flow as 'reversed'. This is because the 5 tuple is
   *not* reversed, since it is immutable after the flows creation.

Most of the currently registered parsers benefit already:

- HTTP/SMTP/FTP/TLS patterns are registered per direction already
  so they will benefit from the pattern midstream logic in (1)
  above.

- the Rust based SMB parser uses a mix of pattern + probing parser
  as described in (3) above.

- the NFS detection is purely done by probing parser and is updated
  to consider the direction in that parser.

Other protocols, such as DNS, are still to do.

Ticket: #2572
7 years ago
Victor Julien f7a41412d6 smb1: fix NT create andx records filename parsing
Use file name parsing routines that take unicode into account
and consider padding bytes as well.
7 years ago
Wesley van der Ree cc50908f8d smb: fix NT create filename parsing
parse_smb_create_andx_request_record skipped 1 byte too much before
the filename.

Fixes: #2894
7 years ago
Pierre Chifflier f90733fe3f rust/ikev2: fix events not being raised in first message
The `set_event` function requires that the transaction is already
inserted, or the event set is silently lost.
When parsing first IKEv2 message, first insert transaction, prepare
values, and borrow back inserted transaction to update it.
7 years ago
Victor Julien 25112ee7e3 rust/smb: fix and optimize record search
Get rid of struct with just a slice reference as well.
7 years ago
Pierre Chifflier 9e7f261a88 rust: fix cargo tests 7 years ago
Pierre Chifflier f22695130b rust: nom4 requires to add complete!() when using many! combinators 7 years ago
Pierre Chifflier 8c0cde36c6 rust: fix warnings for unused variables (add _) 7 years ago
Pierre Chifflier 13b7399790 rust: upgrade all parsers to nom4 7 years ago
Pierre Chifflier 2f08b3eabd rust/nom4: error_code is superseded by error_position 7 years ago
Pierre Chifflier d3011e3ee8 rust: update dependencies for nom4 transition 7 years ago
Jason Ish 93c956ebdf issue 2795: python 3 fix in Rust C header gen
The C header generation script was failing with a unicode error
in Python 3 on FreeBSD.  Fix the reading of files to properly
handle unicode in all Python 3 environments.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2794
7 years ago
Victor Julien 8b570c0293 smb: improve request/response mapping
Only use ssn_id and msg_id for mapping a response to a request.

By not using the tree_id it can always be included in the tx.hdr which
means it can be logged properly in case of IOCTL and DCERPC.
7 years ago
Pierre Chifflier 3eade88bd8 Krb5: make TCP probing function less strict, messages can be fragmented 7 years ago
Jason Ish b7083bc3a8 rust/dns/v2 - log rrtype in response
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2723
7 years ago
Jason Ish b7a58680db dns/rust - if let Some over options instead of loop.
Except in one case where the loop makes more sense for easy break
out.

Also remove one line of non-conforming debug logging.
7 years ago
Jason Ish 4163d5c360 rust/dns/lua - fix call convention to match C.
Also, when requesting the query, if the request doesn't exist,
return the query from the response. This makes it behave
more like C implementation.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2730
7 years ago
Jason Ish 87250da0fc rust/dns: add v1 dns logging
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2704
7 years ago
Victor Julien 0e40231189 app-layer: improve transaction cleanup handling
The app layers with a custom iterator would skip a tx if during
the ..Cleanup() pass a transaction was removed.

Address this by storing the current index instead of the next
index. Also pass in the next "min_tx_id" to be incremented from
the last TX. Update loops to do this increment.

Also make sure that the min_id is properly updated if the last
TX is removed when out of order.

Finally add a SMB unittest to test this.

Reported by: Ilya Bakhtin
7 years ago
Victor Julien eedf08be29 rust/filetracker: remove reachable panic
Remove reachable panic condition when an existing file chunk is not
completed. Instead trunc the file and reset.

Related to bug #2717
7 years ago
Victor Julien 1b1e136c4f nfs: improve file tracking under packet loss
In case of packet loss during an in-progress chunk the file tracker
could loose track of a file because it couldn't map the XID to a
file handle.

The file tracker would then panic if a new file was opened, as
it noticed the last chunk wasn't yet complete.

This patch tracks the file handle for a in-progress chunk in the
state, just like the tracking of the size that is left.

Bug #2717
7 years ago
Victor Julien 27f87567ca rust/nfs: improve debug output 7 years ago
Victor Julien c62273f4fd rust/smb: silence noisy debug messages 7 years ago
Victor Julien 083908f3be rust/ike2: free destate on tx free
Bug #2604
7 years ago
Jason Ish 6f00ba0659 rust: fix (again) out of tree builds
As the generated Cargo.toml is shipped as part of a release
tarball, build from the source directory but set the cargo
CARGO_TARGET_DIR to the build directory.
7 years ago
Victor Julien 4d5024255f smb/dcerpc: remove now unused ssn2maxsize_map 7 years ago
Victor Julien 4d044483cf smb/dcerpc: clean up and unify DCERPC probe logic 7 years ago
Victor Julien ac4e888597 smb2/dcerpc: probe if response data is dcerpc
If we missed the tree connect we can't know for sure if we're
reading from a (DCERPC) PIPE or not. In this case probe the data
to see if it looks like DCERPC.

If the detection succeeds, use a special 'suricata::dcerpc' service
in the TX.

Simplify handling of DCERPC records that cross records

Update logging for the response only TXs.
7 years ago
Victor Julien 9dd7c38113 smb2: skip rest of READ response if status is not success 7 years ago
Victor Julien ae10a92bc6 rust/applayer: use correct return type for Parser
The mismatch between the types would randomly lead to the return code
of the Rust parser to be not correctly handled over the C/Rust
boundary. This would lead to the API considering a parser to be in
error state when it was not.
7 years ago
Jason Ish 58933bafc1 rust app layer template: functions to get buffers
Example functions for getting the request and response buffers.
Useful for running detection on the decoded buffers.
7 years ago
Jason Ish 01f7dcf5fd rust template parser: sample pcap 7 years ago
Jason Ish c3f1a35e28 rust: app-layer template parser and logger
The protocol is a simple request/reply based protocol that can
be hand driven with netcat.

Request  -> 12:Hello World!
Response -> 3:Byte

Its of the format <length>:<message> where length is the length
of the message, not including the length or the delimiter.
7 years ago
Jason Ish 7682b1ba74 rustfmt.toml: set to 80 char line width
The rustfmt default is 100, set to 80 to be more inline with
the Suricata C code.
7 years ago
Jason Ish 9636b9de32 rust: expose AppLayerParserStateIssetFlag to Rust. 7 years ago
Jason Ish 90dfcf4907 rust/gen-c-headers: don't attempt to split empty lines 7 years ago
Jason Ish 1c6bc5754c dhcp: check length of option before accessing
Prevent Rust index out of bounds panic.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2571
7 years ago
Jason Ish 7bc2469eb1 dhcp: remove println!() that got committed 7 years ago
Victor Julien a337908c78 rust/dhcp: free events and destate at tx end 7 years ago
Victor Julien edd0c2246c smb1: add SMB1_COMMAND_QUERY_INFO_DISK command mapping 7 years ago
Maurizio Abba bf4398b15d output-json: ensure string is json-encodable
Substitute json_string with SCJsonString custom function.
SCJsonString will ensure string passed is json-encodable (utf-8).
If it's not, the string will be converted in such a way that any
non-printable character will be encoded in its hex form.
The resulting json object will be returned.

rust modification will encode any non-printable character during its
conversion in to_cstring.
7 years ago
Victor Julien 177966970a smb: probing parser improvement 7 years ago
Victor Julien fd38989113 proto/detect: remove probing parser offset argument
Remove offset argument as it was unused.
7 years ago
Victor Julien c6e79f4410 nfs4: create tx for CREATE procedure 7 years ago
Victor Julien 90e0e3da27 nfs: fix applying nfs3 logging logic to nfs4 7 years ago
Victor Julien cb3abba1e0 nfs4: log remove procedure + add multi-proc support
Add TX creation for NFS4 transactions. Start with the 'REMOVE' procedure.

Start on logging all procs. In NFS4 COMPOUND records there are multiple
procedures. One of them can be considered the 'main' procedure, with others
as supporting utility. This patch adds the first step in supporting to
track those in the TX for logging and inspection.
7 years ago
Victor Julien ff518e5c64 nfs4: for putrootfh set 'mount root' as name 7 years ago
Victor Julien 22e0fc97f8 nfs: rename generic functions from nfs3 to nfs 7 years ago
Victor Julien d22c170c38 nfs: move v2 parsing into own file 7 years ago
Victor Julien 9b42073e54 nfs3: move nfs3 specific handling into own file 7 years ago
Victor Julien 4c09766b33 nfs: request parser cleanup 7 years ago
Victor Julien f570905f8c nfs: get rid of reachable panic statements 7 years ago
Victor Julien 8a1af5c367 nfs4: remove panic calls, set events instead 7 years ago
Victor Julien f2382356b1 nfs4: support 4.1 SEQUENCE procedure 7 years ago
Victor Julien 2b581cd6db smb: log trans2 that enable delete on close 7 years ago
Victor Julien eefac0ef95 smb1: add support for trans2 set_path_info rename 7 years ago
Victor Julien 1b86d4e1a2 smb: improve dcerpc logic
Detect whether a pipe is a dcerpc channel based on the name of the
pipe.
7 years ago
Victor Julien 7c8a078a2c smb1: improve NT Create response record parsing 7 years ago
Victor Julien 2e6014b15c rust/smb: search for record on midstream start
Calls with both START and MIDSTREAM mean the record might be cut and the
start of it could be missing. For this case, enable the same logic as is
used when catching up after a GAP. Search for the start of the record
instead of assuming it sits exactly at the start of the input data.
7 years ago
Victor Julien 905d9a1dd8 rust: define all STREAM_* types 7 years ago
Victor Julien 7bc3c3ac6e app-layer: pass STREAM_* flags to parser
Pass the STREAM_* flags to the app-layer parser functions so that
the parser can know more about how it is called.
7 years ago
Victor Julien b5bc509857 dhcp: suppress notice message at startup 7 years ago
Jason Ish d83707bef9 rust/dns - remove extra parantheses
Removes rust compiler warning.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2521
7 years ago
Jason Ish 9210d8743b rust/dhcp: Rust based DHCP decoder and logger.
This is a DHCP decoder and logger written in Rust. Unlike most
parsers, this one is stateless so responses are not matched
up to requests by Suricata. However, the output does contain
enough fields to match them up in post-processing.

Rules are included to alert of malformed or truncated options.
7 years ago
Jason Ish 1b0b74dc16 rust: a Rust ConfNode wrapper.
A Rust wrapper around the C ConfNode object. Currenlty only exposes
ConfGetChildValueBool and ConfGetChildValue.
7 years ago
Jason Ish 2ec3381600 rust/app-layer: macros to export de_state functions
These macros generate the extern "C" functions for transactions
structs that need provide functions for setting and getting
the de_state. The idea is to provide macros do avoid code
duplication and make it simpler to create an app-layer.

A trait would be the correct solution, but it doesn't look like
you can use traits to export extern "C" functions.
7 years ago
Jason Ish da4912dfe7 rust: add get_tx_iterator to parser registration 7 years ago
Pierre Chifflier e9ae62ed05 Kerberos 5: properly handle TCP buffering 7 years ago
Pierre Chifflier 1076c7cd47 Add krb5_err_code detection keyword 7 years ago
Pierre Chifflier d6b9c0294a Add krb5_cname and krb5_sname detection keywords 7 years ago
Pierre Chifflier 0bd81ff838 Add krb5_msg_type detection keyword 7 years ago
Pierre Chifflier 5037051161 Kerberos 5: rename weak crypto to weak encryption, and log it 7 years ago
Pierre Chifflier 6ae53a1869 Add event rules for Kerberos 5 7 years ago
Pierre Chifflier 3a017f61b0 Kerberos 5: pretty-print error code when logging 7 years ago
Pierre Chifflier 52f5c7914f Log Kerberos 5 errors 7 years ago
Pierre Chifflier 1e5f5d405f Kerberos 5: add support for TCP as well 7 years ago
Pierre Chifflier 645ba17509 Kerberos: check version in probing function 7 years ago
Pierre Chifflier fd175f2bfb Add logger for Kerberos 5 metadata 7 years ago
Pierre Chifflier 77f0c11c9e Add Kerberos 5 application layer 7 years ago
Jason Ish d73b5ee276 rust: cargo fixes for out of tree build 8 years ago
Pierre Chifflier 2d1c4420de Update ntp-parser to 0.2.0 8 years ago
Victor Julien 73d94fff73 nfs4: support records wrapped in GSSAPI integrity 8 years ago
Victor Julien 53fa2af07c nfs4: fix attr parsing corner case 8 years ago
Victor Julien 39489bc5fd nfs4: implement COMMIT parsing and handling 8 years ago
Victor Julien c7cb01b636 nfs4: parse GSSAPI init 8 years ago
Victor Julien bfa60753f9 nfs4: create link support 8 years ago
Victor Julien 06f6c15954 nfs4: initial implementation
Implements record parsing and file extraction for READs and WRITEs.

Defines all types from RFC 7530.
8 years ago
Victor Julien 75c5722b7e nfs/rpc: add parser for GSSAPI Integrity records 8 years ago
Victor Julien f40fc0293b smb: minor optimizations 8 years ago
Victor Julien f201a3761f rust: remove multi level 'experimental'
Don't treat 'external' parsers as more experimental. All parsers
depend on crates to some extend, and all have C glue code. So the
distinction doesn't really make sense.
8 years ago
Pierre Chifflier d222b9ae6c IKEv2: Use JSON arrays instead of comma-separated values 8 years ago
Pierre Chifflier bf66948ad7 IKEv2: suppress some debug output 8 years ago
Pierre Chifflier 3fbfb22204 IKEv2: remove events counter 8 years ago
Pierre Chifflier 4e4cf00c07 Remove the 'experimental' mark for IKEv2 8 years ago
Pierre Chifflier f65fafa34b IKEv2 logger: use Debug trait for IkePayloadType 8 years ago
Pierre Chifflier d94346282c Add logger for IKEv2 8 years ago
Pierre Chifflier c99b9462d7 Add new parser: IKEv2
Add a new parser for Internet Key Exchange version (IKEv2), defined in
RFC 7296.
The IKEv2 parser itself is external. The embedded code includes the
parser state and associated variables, the state machine, and the
detection code.

The parser looks the first two messages of a connection, and analyzes
the client and server proposals to check the cryptographic parameters.
8 years ago
Pierre Chifflier b810275b16 Rust: fix prototype of parsing function (make pstate mutable) 8 years ago
Pierre Chifflier 8e8f0db192 Rust: expose function AppLayerParserStateSetFlag 8 years ago
Victor Julien 91307dafd9 nfs/rpc: fix reponse parsing 8 years ago
Victor Julien b1e2783788 auth/krb5: move kerberos5 wrapper to rust root
Make it available outside of just the SMB parser.
8 years ago
Victor Julien 4d58aaae90 smb: clean up partial read/write record handling 8 years ago
Victor Julien aa8d64c2b8 smb: improve skip handling
When skipping records the skip tracker could underflow if the record
parsing had more data than expected.

Enforce the calculation by moving it into a method and make the actual
fields private.
8 years ago
Victor Julien eac7a92200 smb2: improve read/write record parsing
parse_smb2_response_read()/parse_smb2_response_write() can be called on
incomplete data, so they didn't use the read/write length field to grab
the data field. Instead it just used rest(). However in some cases
SMB2 records have trailing data, which would be included in the
READ/WRITE data.

This patch addresses this by using the length field if enough data is
available.
8 years ago
Victor Julien 53f63f7498 nfs/rpc: improve RPCv2 parser, add GssApi
Improve RPCv2 credentials parsing. Add GssApi and turn creds into
an enum.

Minor cleanups and optimizations.
8 years ago
Victor Julien 47ebef3af8 nfs: minor cleanup 8 years ago
Victor Julien ea1e13cb00 smb: suppress notice messages 8 years ago
Pierre Chifflier 576b8ef722 SMB: simplify code 8 years ago
Pierre Chifflier cf5de0c58e SMB: use String::from_utf8_lossy in logging functions 8 years ago
Pierre Chifflier b5529e4ffb SMB: use kerberos-parser to extract Real and PrincipalName 8 years ago
Victor Julien 0dfb3f0e7f smb1: extract rename info from TRANS2
Exclude TRANS2 from generic TX lookup bypass.
8 years ago
Victor Julien 8eeda113c8 smb1: add parsing for RENAME command 8 years ago
Victor Julien 7b61f2c589 smb2: log renames 8 years ago
Victor Julien 15978d4e85 smb: if filename is missing, use '<unknown>' 8 years ago
Jason Ish 27fd521420 eve/dns/v2: support eve/dns v2 in rust 8 years ago
Jason Ish 57d9574839 rust/json: expose more of jansson to rust 8 years ago
Victor Julien 71742ed52b smb: share can't be <share_root> 8 years ago
Victor Julien bc193242ad smb1: add OPEN_ANDX command name for logging 8 years ago
Victor Julien 32b19fac99 smb2: don't log/track each READ/WRITE/etc 8 years ago
Victor Julien fb986abe81 smb: log file FID/GUID as fuid 8 years ago
Victor Julien 816bd022a6 smb1: improve non nt-status handling
Support SRV error, with a couple of codes.
Rename statux field to status_code.
8 years ago
Victor Julien 0519807639 smb1: ignore tree_id in session setup 8 years ago
Victor Julien 286c054472 smb: improve nbss/smb record detection 8 years ago
Victor Julien 7ab071a58d rust/smb: implement minimal record parsing in probing 8 years ago
Victor Julien 283be3cade smb2: break out ioctl handling 8 years ago
Victor Julien bf08285602 smb2: parse async records 8 years ago
Victor Julien 5c26020714 smb2: add ioctl transactions to log the funcs 8 years ago
Victor Julien 75265ec376 smb2: map ioctl funcs to names
List is based on Wireshark's list.
8 years ago
Victor Julien 7cd66516f0 smb: use formal MS names for disposition 8 years ago
Victor Julien f7ed749d4f smb: disable debug output 8 years ago
Victor Julien eed492547c smb1: extract server guid from negotiate 8 years ago
Victor Julien 6d56edc3de smb2: log client and server guid from negotiate 8 years ago
Victor Julien c56f5e11ca smb2: log share type 8 years ago
Victor Julien d75ebdb981 smb: log create empty filename as '<share_root>' like Bro does 8 years ago
Victor Julien fcbeab70a4 smb1: log create 'service' fields 8 years ago
Victor Julien 90e2abaac4 smb1: use generic string parsing for trans 8 years ago
Victor Julien 76917a8732 smb1: generic smb string parse func 8 years ago
Victor Julien 668c747aee smb1: more exact tree connect record parsing 8 years ago
Victor Julien 0ed00cf104 smb: move common parsing funcs into own file 8 years ago
Victor Julien 1c701dc50e smb: make string parsing functions public 8 years ago
Victor Julien 1d4aac1d4d smb1: set event on empty/malformed dialect 8 years ago
Victor Julien c91242e71c smb: rename file to filename in output 8 years ago
Victor Julien caf29e92b3 smb1: parse and log timestamps in CREATE 8 years ago
Victor Julien 0e05ef7369 smb2: parse and log timestamps in CREATE 8 years ago
Victor Julien 28f16e38ac smb1: disable 'generic tx's for common commands
Don't create a generic TX for each READ, WRITE, TRANS, TRANS2,
except if they cause events to trigger.
8 years ago
Victor Julien 78cd92a933 smb: generic event per trans/read/write for tx events 8 years ago
Victor Julien 05992f1772 smb: fix event handling when no tx is available 8 years ago
Victor Julien be615c9fbc smb: small cleanups, fixes and optimizations 8 years ago
Victor Julien dab055d8c8 smb: update to der-parser 0.5.1 8 years ago
Victor Julien 0d69e7b8c2 smb: remove unused dialects from state 8 years ago
Victor Julien ad1bc7f473 smb1: minor debug improvment 8 years ago
Victor Julien a44504a1bf smb: redo gap catch up handling 8 years ago
Victor Julien 7114d5d25b smb1: parser cleanups 8 years ago
Victor Julien d9e43d3e63 smb: cleaner server component parsing 8 years ago
Victor Julien ecbf10da70 smb2: improve write error handling 8 years ago
Victor Julien b34392051d smb3: parse transform records 8 years ago
Victor Julien 894a73ee06 smb2: add missing commands and improve ioctl err handling 8 years ago
Victor Julien 170edf7c44 smb1: improve error handling 8 years ago
Victor Julien 7ceb67138f smb: add status 8 years ago
Victor Julien 98b926bf72 smb1: implement WRITE_AND_CLOSE 8 years ago
Victor Julien 595557eb8d smb1: locking andx may have no response 8 years ago
Victor Julien 7dff9b9969 smb/nbss: work around bad traffic 8 years ago
Victor Julien 8bef120898 smb: session setup improvements
Improve ntlmssp version extraction and logging, make its data structures
optional. Extract native os/lm from smb1 ssn setup.

Move session setup handling into their own files.

Only log auth data for the session setup tx.
8 years ago
Victor Julien 75d7c9d64a rust/smb: initial support
Implement SMB app-layer parser for SMB1/2/3. Features:
- file extraction
- eve logging
- existing dce keyword support
- smb_share/smb_named_pipe keyword support (stickybuffers)
- auth meta data extraction (ntlmssp, kerberos5)
8 years ago
Pierre Chifflier b69acaadf5 Rust: add 'debug' feature
The 'debug' feature is enabled if suricata was configured with the
--enabled-debug' flag.
If enabled, the SCLogDebug format and calls the logging function as
usual. Otherwise, this macro is a no-op (similarly to the C code).
8 years ago
Victor Julien 053022931c rust/json: add array_append_string 8 years ago
Victor Julien 73fac478a2 rust/dns: fix nom verbose error mode 8 years ago
Jason Ish c411519605 app-layer: remove has events callback - not used 8 years ago
Pierre Chifflier 92b537d028 rust: update 'external' api for app layer changes
Remove unused HasTxDetectState function and remove state argument
from SetTxDetectState.

Update NTP code.
8 years ago
Victor Julien f815027cdf rust/dns: simplify tx freeing
Now that we no longer need the state when freeing a TX, we can simply
do cleanup from the Drop trait.
8 years ago
Victor Julien 7548944b49 app-layer: remove unused HasTxDetectState call
Also remove the now useless 'state' argument from the SetTxDetectState
calls. For those app-layer parsers that use a state == tx approach,
the state pointer is passed as tx.

Update app-layer parsers to remove the unused call and update the
modified call.
8 years ago
Victor Julien 1c270cae13 nfs: remove old test code 8 years ago
Victor Julien e96d9c1159 app-layer: add tx iterator API
Until now, the transaction space is assumed to be terse. Transactions
are handled sequentially so the difference between the lowest and highest
active tx id's is small. For this reason the logic of walking every id
between the 'minimum' and max id made sense. The space might look like:

    [..........TTTT]

Here the looping starts at the first T and loops 4 times.

This assumption isn't a great fit though. A protocol like NFS has 2 types
of transactions. Long running file transfer transactions and short lived
request/reply pairs are causing the id space to be sparse. This leads to
a lot of unnecessary looping in various parts of the engine, but most
prominently: detection, tx house keeping and tx logging.

    [.T..T...TTTT.T]

Here the looping starts at the first T and loops for every spot, even
those where no tx exists anymore.

Cases have been observed where the lowest tx id was 2 and the highest
was 50k. This lead to a lot of unnecessary looping.

This patch add an alternative approach. It allows a protocol to register
an iterator function, that simply returns the next transaction until
all transactions are returned. To do this it uses a bit of state the
caller must keep.

The registration is optional. If no iterator is registered the old
behaviour will be used.
8 years ago
Victor Julien 6e82df274d rust: update dependencies 8 years ago
Victor Julien dfae3297a5 rust: don't gen C headers if Rust isn't enabled 8 years ago
Pascal Delalande 80f2fbac6e rust/tftp: eve logging with rust 8 years ago
Clement Galland b9cf49e933 rust/tftp: add tftp parsing and logging
TFTP parsing and logging written in Rust.
Log on eve.json the type of request (read or write), the name of the file and
the mode.

Example of output:
    "tftp":{"packet":"read","file":"rfc1350.txt","mode":"octet"}
8 years ago
Victor Julien e8939335ea rust/nfs: explicitly handle GAPs from C
It seems that Rust optimizes this code in such a way that it
passes the null ptr along as real data.

    if buf.as_ptr().is_null() && input_len > 0 {
8 years ago
Victor Julien 2c3c8f8b85 rust/filetracker: if file API return error, trunc file 8 years ago
Victor Julien d27ed5957f rust/nfs: fix read reply handling
READ replies with large data chunks are processed partially to avoid
queuing too much data. When the final chunk was received however, the
start of the chunk would already tag the transaction as 'done'. The
more aggressive tx freeing that was recently merged would cause this
tx to be freed before the rest of the in-progress chunk was done.

This patch delays the tagging of the tx until the final data has been
received.
8 years ago
Victor Julien 3a2e4614d0 rust/file: handle file open errors 8 years ago
Victor Julien 45c5030ff0 rust/file: change return type for FileOpenFileWithId
Make it int so we can easily check it in Rust. No consumer used the
File pointer that was returned before anyway.
8 years ago
Victor Julien 288ddc95ac rust/core: comment cleanup 8 years ago
Victor Julien 8cda2a4351 rust/nfs: add support for detect_flags API 8 years ago
Victor Julien 98eca55241 rust/dns: implement detect_flags API 8 years ago
Pierre Chifflier 4b6555588f NTP: ensure parser name is not freed after registration 8 years ago
Pierre Chifflier ec62eedc87 Rust: remove deprecated functions LoggerFlags::get_logged/set_logged 8 years ago
Pierre Chifflier 5c6868b327 NTP: update logger to use new API 8 years ago
Victor Julien bca0cd71ae app-layer: use logger bits to avoid looping
Avoid looping in transaction output.

Update app-layer API to store the bits in one step
and retrieve the bits in a single step as well.

Update users of the API.
8 years ago
Victor Julien e1e9ada9df rust/nfs: improve file close handling 8 years ago
Nick Price 350b5d99ce rust/nfs: don't panic on malformed NFS traffic
Instead set events.
8 years ago
Pierre Chifflier f5b27ae767 Rust: fix probing function prototype: change sign and add Flow 8 years ago
Victor Julien 6c251b8576 rust: add --enable-rust-debug
Add option to put Rust code in non-'--release' mode, preserving
debug symbols.

Until now Suricata would have to be compiled with --enable-debug for
this.
8 years ago
Eric Leblond b0a6934431 app-layer-ftp: add ftp-data support
Use expectation to be able to identify connections that are
ftp data. It parses the PASV response, STOR message and the
RETR message to provide extraction of files.

Implementation in Rust of FTP messages parsing is available.

Also this patch changes some var name prefixed by ssh to ftp.
8 years ago
Jason Ish 5a8537fe4a rust/dns - convert more type values to text
Issue:
https://redmine.openinfosecfoundation.org/issues/2364

Convert more record type and errr code values to text.
Remove duplicate type declarations.
8 years ago
Clément Galland 3396747cd6 Dns logger display flags information 8 years ago
Victor Julien bb65a48edd rust: require at least libc 0.2.33
Required to be higher than 0.2.24 for IPPROTO_UDP. Upgraded to latest
version.
8 years ago
Pierre Chifflier 83808bbdad rust/ntp: convert parser to new registration method
Converting the NTP parser to the new registration method is a simple,
3-steps process:
- change the extern functions to use generic input parameters (functions
  in all parsers must share common types to be generic) and cast them
- declare the Parser structure
- remove the C code and call the registration function
8 years ago
Pierre Chifflier 0b07bdf5d9 rust: generate declaration for extern unsafe funcs 8 years ago
Pierre Chifflier e7c0a53cbf rust/applayer: add registration iface for parsers
Add Rust support for the common interface to declare and register all
parsers.

Add a common structure definition to contain all required elements
required for registering a parser, similar to the C interface.
This also reduces the risk of incorrectly registering a parser: the
compiler prevents omitting required functions from the structure, and
functions (even if external) are type-checked. Optional functions are
explicitly marked.
8 years ago
Jason Ish 7eead7dfbc autotools: fix distcheck with rust enabled 8 years ago
Victor Julien d9e5dfa1f0 rust/file: improve truncation handling 8 years ago
Victor Julien e023ce9aad rust/dns: fix new warning in rustc 1.21 8 years ago
Victor Julien fd38e5e82b rust/nfs: fix new warnings in rustc 1.21 8 years ago
Pierre Chifflier e4129c1568 Rust/Lua: cast value to arch-dependant type (fix build on x86, #2197) 8 years ago
Jason Ish 6cfabb7863 autogen: cleanup rust strict warning 8 years ago
Jason Ish 6a4cefb7c5 rust: --enable-rust-strict to turn warnings into errors 8 years ago
Jason Ish 3063851d85 rust/dns/tcp - probe even if payload is short
As the DNS probe just uses the query portion of a response, don't
require there to be as many bytes as specified in the TCP DNS
header. This can occur in large responses where probe is called
without all the data.

Fixes the cases where the app proto is recorded as failed.

Fixes issue:
https://redmine.openinfosecfoundation.org/issues/2169
8 years ago
Victor Julien a306ccfd34 rust/nfs: implement events
Remove lots of panic statements in favor of setting non-fatal events.

Bug #2175.
8 years ago
Victor Julien 82bd732f4e rust/nfs: improve proto detect 8 years ago
Victor Julien 6b4a04510a rust/nfs: remove debug rec_size check
Records larger than 40k are perfectly valid.

Bug #2162.
8 years ago
Jason Ish 40991cab82 rust/dns: handle multiple txt strings
Fix handling of TXT records when there are multiple strings
in a single TXT record. For now, conform to the C implementation
where an answer record is created for each string in a single
txt record.

Also removes the data_len field from the answer entry. In Rust,
the length is available from actual data, which after decoding
may actually be different than the encoded data length, so just
use the length from the actual data.
8 years ago
Pierre Chifflier 8a0549c42e NTP: change parse function to return the number of parsed messages 8 years ago
Pierre Chifflier efe11dc37e Add NTP parser (rust-experimental) 8 years ago
Pierre Chifflier 4f677fd157 Rust gen-c-headers: keep 'const' attribute 8 years ago
Pierre Chifflier 4fe9292ed8 Autotools: add switch to build experimental Rust parsers 8 years ago
Jason Ish 61d9f4bb0a rust: make distcheck fixes 8 years ago
Jason Ish f5a90e26a9 rust: for sclog*, strip nul bytes before logging 8 years ago
Jason Ish 717b826d25 rust: safe string handling in logging
In logging (SCLog*), safely convert strings to cstrings instead
of blindly unwrapping them.

Also implement a simple rust logger if the Suricata C context
is not available.
8 years ago
Jason Ish 14951e3f00 rust: save cargo and CARGO_HOME to variables
During configure, substitute the path of cargo, as well as the
value of CARGO_HOME as variables. This fixes the case where a
user might do:
  make
  sudo make install
Which will cause the cargo bits to be rebuilt, including
re-downloading external crates.

By saving these to variables we can be sure that the same
values are used during make install as were used during
make which prevents the Rust artifacts from being rebuild
during "sudo make install".
8 years ago
Victor Julien 7c119cc595 nfs: log number of chunks that xfer'd a file 8 years ago
Victor Julien e8dae2e093 nfs: add to fileinfo events 8 years ago
Victor Julien db2d928151 rust/nfs: add (file)handle to log as crc32 8 years ago
Jason Ish 829155b9d5 rust/dns: pass byte arrays directly to rust/json
Using the json.set_string_from_bytes which will
safely convert the bytes printable ascii string
before logging.
8 years ago
Jason Ish 96cc503026 rust/lua: use lua_pushlstring for strings
Lua strings can contain NULLs, and Rust strings are UTF8 which
can also contain NULLs. Use pushlstring so a NULL containing
string can be pushed.
8 years ago
Jason Ish 6dbc5be4be rust/json: only output printable characters
Rust strings are UTF8 and we cannot yet rely on jansson
having json_stringn on all supported OS distributions yet
so sanitize strings to ascii before printing.

Also add set_string_from_bytes which is like set_string, but
accepts a byte array as input.
8 years ago
Victor Julien becf1a2dfe rust/nfs: fix style warning 8 years ago
Victor Julien e0c6565e68 nfs: nfs_version keyword
Store nfs version in tx and add keyword to match on it.
8 years ago
Victor Julien aff576b524 eve/nfs: log nfs version 8 years ago
Victor Julien 0d79181d78 nfs: rename nfs3 to nfs
Since the parser now also does nfs2, the name nfs3 became confusing.
As it's still in beta, we can rename so this patch renames all 'nfs3'
logic to simply 'nfs'.
8 years ago
Victor Julien 28cdf7b628 nfs3: create file tx for read on request
This is done so that we can add creds to it.
8 years ago
Victor Julien 7e0d9619ac nfs3: add readdirplus path 8 years ago
Victor Julien 41376da03c nfs: log more rpc 8 years ago
Victor Julien 9edbb6f235 nfs: split record parsers into different files 8 years ago
Victor Julien 25edac7666 nfs3: fill bytes corner case 8 years ago
Victor Julien 5153271b87 nfs2: basic record parsing and tracking 8 years ago
Victor Julien c7e10c73f9 nfs3: support NFS over UDP 8 years ago
Victor Julien d9f87cec3d nfs3: probing parsers in both directions 8 years ago
Victor Julien 8fe32f943b nfs3: search for next record if needed after GAP 8 years ago
Victor Julien 58af39131f rust/nfs: handle GAPs
In normal records it will try to continue parsing.

GAP 'data' will be passed to file api as '0's. New call is used
so that the file API does know it is dealing with a GAP. Such
files are flagged as truncated at the end of the file and no
checksums are calculated.
8 years ago
Victor Julien a116c16019 nfs3: parse mkdir and rmdir request records 8 years ago
Jason Ish 6bddc4d3e0 python: use python path found during configure
Also look for Python under more names. For example, on OpenBSD
if you just install Python 2, you will only get a python2.7
executable.
8 years ago
Jason Ish c473c56eed rust/dns: fix panic on rrnames with bad chars
Check for erros in the UTF-8 conversion, on error, print the
the printable chars as chars, and print non printable chars
as \xHEX.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2148
8 years ago
Jason Ish ecc63481c6 rust/dns: fix tcp message length verification
And add Rust unit tests to check length validation.

Redmine issue 2144:
https://redmine.openinfosecfoundation.org/issues/2144
8 years ago
Jason Ish 70808a4f1d rust/dns: support gaps in TCP DNS 8 years ago
Jason Ish 4bdb722371 rust/dns: fix unit tests on Rust 1.7.0 8 years ago
Jason Ish 2aebfbce94 rust/dns: support txt records 8 years ago
Jason Ish fafa75035f rust: don't fail distcheck if cargo-vendor not found
Allow distcheck to pass if cargo vendor is not found by not
failing out. It is not required to successfully build a dist
tarball, the Rust sources will just not be vendored in.

Also don't fail out make dist if Python is not installed. A build
will still be successful is Python is available on the end
build system.
8 years ago
Jason Ish 33e09a0002 rust dns: fixup for nom 3.0 9 years ago
Jason Ish ee83f7a0db rust: build fixes and nom update
Update nom to ~3.0.

Prefix dependencies with ~, which will allow for newer patch
versions only. Minor version updates should get a test before
using.

Remove Cargo.lock from the repo, but still generate as part
of the vendoring process for release builds. This will ensure
that all users of a particular distribution tarball will be
linking against the same Rust dependencies.
9 years ago
Victor Julien 098aced714 rust/nfs/files: no longer Option/Box 9 years ago
Victor Julien 75a6a13790 rust/nfs: move files into tx type data 9 years ago
Victor Julien de7e0614fa rust/nfs: add more record types 9 years ago
Victor Julien d6592211d0 rust/nfs: NFSv3 parser, logger and detection 9 years ago
Victor Julien 69bf219b39 rust: bindings: improve generator script 9 years ago
Victor Julien 71ddc43d49 rust/core: add file tx API call 9 years ago
Victor Julien 9a1fa5f1f4 rust: filetracker API
Initial version of a filetracker API that depends on the filecontainer
and wraps around the Suricata File API in C.

The API expects chunk based transfers where chunks can be out of order.
9 years ago
Victor Julien a809f090d3 rust: filecontainer API
Wrapper around Suricata's File and FileContainer API. Built around
assumption that a rust owned structure will have a
'SuricataFileContainer' member that is managed by the C-side of
things.
9 years ago
Victor Julien f47fd2c243 rust/json: expose json_boolean 9 years ago
Jason Ish ba1a67e2cb rust: dns: add log filtering on rrtype
While the filtering is still configured in C, the filtering
flags are passed into Rust so it can determine if a record
should be logged or not.
9 years ago
Jason Ish c54fc7f98f rust: use LoggerFlags type to track logged state 9 years ago
Jason Ish b588b49779 rust: lua support for DNS based Rust
Uses Rust wrappers around Lua to populate Lua
data structures.
9 years ago
Jason Ish 9d687025e2 rust: lua wrapper
Rust wrapper for working with lua state.
9 years ago
Jason Ish 73388042b2 rust: DNS app-layer.
A DNS application layer in Rust. This is different than the
C based one, as it is partially stateless by not matching
up responses to replies.
9 years ago
Jason Ish 9449739dd5 rust: dns: nom DNS parsers 9 years ago
Jason Ish 94032d3ada rust: wrapper around C logging, and "context"
Where the context is a struct passed from C with pointers
to all the functions that may be called.

Instead of referencing C functions directly, wrap them
in function pointers so pure Rust unit tests can still run.
9 years ago
Jason Ish 9231b0ae92 rust: generate headers as part of build 9 years ago
Jason Ish d0880d75ff rust: c header generator 9 years ago
Jason Ish e739fa1477 rust: add libjansson wrapper for rust 9 years ago
Jason Ish f6f126d53d rust: example of how an app-layer may be initialized
Also shows basic usage of the configuration API from Rust.
9 years ago
Jason Ish 949b358b80 rust: stub out configuration access functions 9 years ago
Jason Ish de5bb1f953 rust: stub out logging from rust 9 years ago
Jason Ish 8f81792da5 rust: hook rust into the build
Rust is currently optional, use the --enable-rust configure
argument to enable Rust.

By default Rust will be built in release mode. If debug is enabled
then it will be built in debug mode.

On make dist, "cargo vendor" will be run to make a local copy
of Rust dependencies for the distribution archive file.

Add autoconf checks to test for the vendored source, and if it
exists setup the build to use the vendored code instead of
fetching it from the network.

Also, as Cargo requires semantic versioning, the Suricata version
had to change from 4.0dev to 4.0.0-dev.
9 years ago
Jason Ish cf0b9dd45f rust: add rust skeleton tree 9 years ago