aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
10,801 Commits
7 Branches
155 Tags
195 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '313c23a26b'
${ noResults }
Commit Graph

403 Commits (313c23a26bee7f22e9ea8bfb36d413bdb23dc6a0)

Author SHA1 Message Date
Sascha Steinbiss 26123e05f2 rfb: use more idiomatic Rust code 
Using 'if let Some()...' makes the code in these many checks more
concise and readable.
 5 years ago
Frank Honza 1c8943dedd add RFB parser 
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

 - rfb.name: Session name as sticky buffer
 - rfb.sectype: Security type, e.g. VNC-style challenge-response
 - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
 5 years ago
Victor Julien acef21b759 app-layer: extend AppLayerResult to add convenience 5 years ago
Victor Julien 2f5834cdfa rust: merge parser.rs into applayer.rs 
Both were serving the same purpose.
 5 years ago
Victor Julien 21e6f1f063 app-layer: document return macros 5 years ago
Victor Julien 5b9b0b7226 nfs: switch to new 'incomplete' logic 
Remove buffering code in favor of using incomplete API.
 5 years ago
Victor Julien 66598f9ce7 nfs: switch to AppLayerResult 5 years ago
Victor Julien 5cd9cfb5a0 smb: update return type of GAP handling 5 years ago
Victor Julien 4bf87d30e4 smb: convert to return AppLayerResult 
Support returning 'incomplete' and remove the buffering
code from the parser.
 5 years ago
Victor Julien 674b8dc0fb app-layer: add 'incomplete' return logic 
Allow app-layer parsers to indicate how much data they need
before being called again.
 5 years ago
Victor Julien 44d3f264bf app-layer: update API to return more details 
Add AppLayerResult struct as the Parser return type in
preparation of allowing returning 'Incomplete(size)' similar
to what nom in Rust allows.
 5 years ago
Victor Julien 3bcf948a75 app-layer: change return codes 
This patch simplifies the return codes app-layer parsers use,
in preparation of a patch set for overhauling the return type.

Introduce two macros:

APP_LAYER_OK (value 0)
APP_LAYER_ERROR (value -1)

Update all parsers to use this.
 5 years ago
Victor Julien 6ae66cb2bb nfs: code cleanups 
Use 'if let' to replace simple 'match' statements.

Use explicit returns to easy code review.
 5 years ago
Victor Julien a729d266c3 smb: fix rustc 1.42 warnings 5 years ago
Jason Ish a0e3e2d7b4 dns: register parsers from Rust 
And port the C DNS tests to Rust.
 5 years ago
Jason Ish 0af9a3a5f7 dns: remove C wrapper functions to Rust 
Remove registration of C wrapper functions and register
the Rust functions directly for UDP.
 5 years ago
Jason Ish 1b44f839e6 dns: cleanup: move event callbacks into Rust 
Remove app-layer-dns-common.c as its no longer needed.
 5 years ago
Jason Ish ca5a3f0f04 dns: cleanup: remove unused events 
Removed events that are no longer used since the Rust
implementation of DNS:
- UnsolicitedResponse
- StateMemCapReached
- Flooded
 5 years ago
Jason Ish d809b0959b dns: cleanup: move DnsGetRcode (Lua) to rust 
Move the implementation of Lua DnsGetRcode to Rust.
 5 years ago
Philippe Antoine 23f796a021 kerberos: fix against packet split in record size 5 years ago
Victor Julien 76dd951523 krb5/tcp: remove notice logging on failed records 5 years ago
Sascha Steinbiss 11912bd715 sip: address trailing space parsing 5 years ago
Victor Julien 74305c0486 rust/nfs: minor code cleanups 5 years ago
Victor Julien 576e92983e rust/rpc: add partial data tests 5 years ago
Pierre Chifflier 442500678b rust: use the streaming version of combinators to fix incomplete reads 5 years ago
Pierre Chifflier df9a4fd635 rust/rdp: use the streaming version of combinators to fix incomplete reads 5 years ago
Pierre Chifflier 2561da89c0 rust/rdp: fix regression introduced during nom 5 upgrade 5 years ago
Pierre Chifflier f3ddd7127c rust: Add types annotation when required 
Unfortunately, the transition to nom 5 (and functions instead of macros)
has side-effects, one of them being requiring lots of types annotations
when using a parsing, for ex in a match instruction.
 5 years ago
Pierre Chifflier 62e31396ae rust/ftp: upgrade to nom 5 
CompleteByteSlice type has been removed, and replaced by combinators
under the nom::character::complete namespace.
 5 years ago
Pierre Chifflier 1a505ccd11 rust/rdp: add custom error handling 5 years ago
Pierre Chifflier d1bf34a427 rust/smb: add custom error handling 5 years ago
Pierre Chifflier 1ab8c5763c rust: add SecBlobError custom error type for the Kerberos parser 5 years ago
Pierre Chifflier 030c9a3d86 rust: add take_until_and_consume replacement function 5 years ago
Pierre Chifflier 8664a55ee7 rust/dns: remove unneeded calls to closure! 5 years ago
Pierre Chifflier 5b809f77f1 rust: upgrade all parsers to nom 5 5 years ago
Philippe Antoine 6663246563 parser: make rust probing parsers optional 5 years ago
Victor Julien f68c255f09 nfs: implement post-GAP transaction cleanup 
Close all prior transactions in the direction of the GAP, except the
file xfers. Those use their own logic described below.

After a GAP all normal transactions are closed. File transactions
are left open as they can handle GAPs in principle. However, the
GAP might have contained the closing of a file and therefore it
may remain active until the end of the flow.

This patch introduces a time based heuristic for these transactions.
After the GAP all file transactions are stamped with the current
timestamp. If 60 seconds later a file has seen no update, its marked
as closed.

This is meant to fix resource starvation issues observed in long
running SMB sessions where packet loss was causing GAPs. Due to the
similarity of the NFS and SMB parsers, this issue is fixed for NFS
as well in this patch.

Bug #3424.
Bug #3425.
 5 years ago
Victor Julien d41aeccea4 smb: handle file transactions post-GAP 
After a GAP all normal transactions are closed. File transactions
are left open as they can handle GAPs in principle. However, the
GAP might have contained the closing of a file and therefore it
may remain active until the end of the flow.

This patch introduces a time based heuristic for these transactions.
After the GAP all file transactions are stamped with the current
timestamp. If 60 seconds later a file has seen no update, its marked
as closed.

This is meant to fix resource starvation issues observed in long
running SMB sessions where packet loss was causing GAPs.
 5 years ago
Jason Ish 80cafb2979 flow: expose last time as a function 
This function returns the individual components
of the timeval in output pointers making it suitable
for use over Rust FFI.
 5 years ago
Jason Ish 1e741641a6 rust: make clean fixups 
For make clean, only remove gen/ if cbindgen is available.
This prevents make clean from remove gen when the headers
were bundled, but cbindgen is not available to remove them.

Unconditionally remove gen and vendor in maintainerclean.
 5 years ago
Jason Ish 53aaa82deb rust: set edition to 2018 5 years ago
Jason Ish e68dfa46a6 rust: cargo fix for Rust 2018 edition 5 years ago
Jason Ish 5fbe020585 rust/cbindgen: Revert Makefile to a more pre-cbindgen state 
The modifications as part of the cbindgen commit caused issues
with distcheck, revert the Makefile to how it was with the Python
generator, but still using cbindgen.

Also always assume we'll include the generated headers in the
distribution archive to fix make distcheck from distribution
archives with headers included, but no cbindgen.
 5 years ago
Danny Browning b573c16dd5 build: cbindgen 
Rust headers are now generated using cbindgen. If cbindgen is present, they can
be generated during dist, otherwise they will be available for builds.
 5 years ago
Victor Julien ce0ae81d95 rust: fix vendor use on MinGW 5 years ago
Jason Ish 57b683233d rust: Don't use --frozen during build. 
If sources are vendored, we get the same effect of using frozen
with a lock file, and the Cargo.lock is generated based
on the vendored sources.

This also removes the need to ship a Cargo.lock.

Fixed out of source builds with vendored sources.
 5 years ago
Jason Ish c6f168eb98 rust/Makefile: Don't include Cargo.toml 
There is no need to include Cargo.toml in the distribution,
it is always generated from Cargo.toml.in during
./configure.
 5 years ago
Jason Ish 5ee8323028 rust: remove unnecessary parentheses (Rust 1.40 fixup) 
Rust 1.40 in strict mode will now fail the build on the
presence of unnecessary parentheses.

warning: unnecessary parentheses around type
  --> src/smb/smb2_ioctl.rs:41:12
   |
41 |         -> (&mut SMBTransaction)
   |            ^^^^^^^^^^^^^^^^^^^^^ help: remove these parentheses
   |
   = note: `#[warn(unused_parens)]` on by default
 5 years ago
Victor Julien f5b33a070a smb1: allow empty trans records 5 years ago
Victor Julien 40fe29de96 smb1: fix 'event' txs not getting closed 
If the only reason we created a request side TX was to set an event,
we would not close it.

This patch always looks up the TX from the response side.
 5 years ago