Commit Graph

7958 Commits (38b698c50f44c07e59dd37728155700b9eaccf96)

Author SHA1 Message Date
Victor Julien 38b698c50f detect/analyzer: show pattern that is used by mpm
Set a new DETECT_CONTENT_MPM flag on the pattern that is selected
during setup.
7 years ago
Victor Julien 0b5d8a1d75 detect/prefilter: fix alias for fast_pattern
If prefilter is used on a content keyword, it acts as a simple
fast_pattern statement. This was broken because the SIG_FLAG_PREFILTER
flag bypasses MPM for a sig. This commits fixes this by not setting
the flag when it should act as fast_pattern.
7 years ago
Victor Julien 35c5ae3458 detect: limit flush logic to sigs that need it
Limit the early 'flush' logic to sigs that actually need to match
on both stream and http bodies.
7 years ago
Victor Julien f35a3bbae0 detect/analyzer: add built-in lists 7 years ago
Victor Julien 28a0291d07 detect: don't setup PMATCH if it will be unused
Safes a bit of memory and makes it easier to debug.
7 years ago
Victor Julien 6694593cc0 detect/analyzer: add Signature::flags 7 years ago
Victor Julien c0adff3770 detect: remove STATE_MATCH flag use at runtime
Instead, use it only at init time and use Signature::app_inspect
directly at runtime.
7 years ago
Victor Julien 5879dafe55 detect: cleanup direct SIG_FLAG_STATE_MATCH use
This flag should normally not be set manually. It will be set by the
code registering the app engines in a signature.
7 years ago
Victor Julien cbd5ca3f69 detect/dnp3: cleanup list and proto registration 7 years ago
Victor Julien c279a801e5 detect: remove SIG_FLAG_STATE_MATCH flag check
It could not fail as before it the flag was already checked as a bail
out condition.
7 years ago
Victor Julien 83d2d7bb4b detect: minor formatting fixups 7 years ago
Victor Julien adfcb1071b flow: reduce structure size by removing gap 7 years ago
Victor Julien 7e004f52c6 detect/http: flush bodies when inspecting stream
The HTTP bodies (http_client_body and http_server_body/file_data) use
settings to control how much data we have before doing first inspection:

    request-body-minimal-inspect-size
    response-body-minimal-inspect-size

These settings default to 32k as quite some existing rules need this.

At the same time, the 'raw stream' inspection uses its own limits. By
default it inspects the data in blocks of about 2.5k. This could lead
to a situation where rules would not match.

For example, with 2 rules like this:

    content:"abc"; content:"data="; http_client_body; depth:5; sid:1;
    content:"xyz"; sid:2;

Sid 1 would only be inspected when the POST body reached the 32k limit
or when it was complete. Observed case shows the POST body to be 18k.
Sid 2 is inspected as soon as the 2.5k limit is reached, and then again
for each 2.5k increment. This moves the raw stream tracker forward.

So by the time sid 1 is inspected, some 18/19k into the stream, the
raw stream tracker is actually already moved forward for approximately
17.5k, this leads to the stream match of sid 1 possibly not matching.
Since the body match is at the start of the buffer, it makes sense
that the body and stream are inspected together.

The body inspection uses a tracker 'body_inspected', that keeps track
of how far into the body both MPM and per signature inspection has
moved.

This patch updates the logic in 2 ways:

1. it triggers earlier HTTP body inspection, which is matched to the
   stream inspection. When the detection engine finds it has stream
   data available for inspection, it passes the new 'STREAM_FLUSH'
   flag to the HTTP body inspection code. Which will then do an
   early inspection, even if still before the min inspect size.

2. to still somewhat adhere to the min inspect size, the body
   tracker is not updated until the min inspect size is reached.
   This will lead to some re-evaluation of the same body data.

If raw stream reassembly is disabled, this 'STREAM_FLUSH' flag is
never set, and the old behavior is used.

Bug #2522.
7 years ago
Victor Julien 2629ca423a stream: improve TCP CLOSED handling
Trigger app layer reassembly in both directions as soon as we've set
the TCP state to closed.

In IDS mode, if a toserver packet would close the state, the app layer
would not get updated until the next toclient packet. However, in
detection, the raw stream inspection would already use all available
stream data in detection and move the 'raw stream progress' tracker
forward. When in later (a) packet(s) the app layer was updated and
inspection ran on the app layer, the stream progress was already
moved too far forward. This would lead to signatures that matched
on both stream and app layer to not match.

By triggering the app layer reassembly as soon as the TCP state is
set to closed, the inspection as both the stream and app layer data
available at the same time so these rules can match.

Bug: #2570
Bug: #2554
7 years ago
Victor Julien ee1d207454 detect: add debug statements to stream inspect 7 years ago
Victor Julien 4e452a471f proto/detect: add debug info 7 years ago
Victor Julien 5a8779cfc0 flow: flag packets as established for async
If a stream is async we see only on side of the traffic. This would
lead to the flow engine not flagging packets as 'established' even
if the flow state was in fact established. The flow was tagged as
such by the TCP engine.

This patch considers the flow state for setting the packet flag.

Bug #2491.
7 years ago
Victor Julien 0b46d027d0 rust/smb: implement stream-depth, unlimited by default 7 years ago
Eric Leblond d38e7d9410 stream-tcp: fix typo in debug message 7 years ago
Giuseppe Longo fc38013975 app-layer-htp: close file with TRUNCATE state
When a file in TOSERVER direction is being stored and
libhtp or stream depth limit is reached,
it will be closed by HTPCallbackRequest without setting
any flags so the file state will be set to CLOSED
instead of TRUNCATED.
7 years ago
Victor Julien c8fb9bcba5 app-layer-parser: split registration flags 7 years ago
Giuseppe Longo 397f5f5fdf app-layer-parser: don't overwrite stream_depth value
When an app-layer parser is enabled, it could set its
own stream_depth value calling the API AppLayerParserSetStreamDepth.

Then, the function AppLayerParserPostStreamSetup will replace
the stream_depth value already set with stream_config.reassembly_depth.

To avoid overwriting, in AppLayerParserSetStreamDepth API a flag
will be set internally to specify that a value is already set.
7 years ago
Victor Julien 12fec46d13 multi-tenant: introduce device selector
Add device to tenant mapping support:

  mappings:
  - device: ens5f0
    tenant-id: 1
  - device: ens5f1
    tenant-id: 23

Implemented by assigning the tenant id to the 'livedev', which means
it's only supported for capture methods that use the livedev API.

It's also currently not supported for IPS. In a case like 'eth0 -> eth1'
it's unclear which tenant should be used for the return traffic in a
flow, where the incoming device is 'eth1'.
7 years ago
Maurizio Abba 55b14f3721 decode: set pktlen of decode handler to uint32
Change the decode handler signature to increase the size of its decode
handler, from uint16 to uint32. This is necessary to let suricata use
interfaces with mtu > 65535 (ex: lo interface has default size 65536).

It's necessary to change several primitive for Packet manipulation, to
unify the parameter "packet length" whenever we are before IP decoding.

Add tests before calling DecodeIPVX function to avoid a possible
integer overflow over the len parameter.
7 years ago
Victor Julien 22f9875096 detect: free rule group init memory at the end of startup 7 years ago
Maurizio Abba f32cc6ca9c detect: fix fileext and filename negated match
fix bug in fileext and filename preventing negated match to work
correctly. Previously, negated fileext (such as !"php") would cause a
match anyway on files that have extension php, as the last if would not
be accessed.

Using the same workflow as detect-filemagic we remove the final
isolated if and set it as a branch of the previous if.
7 years ago
Victor Julien 9370805af6 eve/smb: use flow direction for tuple 7 years ago
Maurizio Abba bf4398b15d output-json: ensure string is json-encodable
Substitute json_string with SCJsonString custom function.
SCJsonString will ensure string passed is json-encodable (utf-8).
If it's not, the string will be converted in such a way that any
non-printable character will be encoded in its hex form.
The resulting json object will be returned.

rust modification will encode any non-printable character during its
conversion in to_cstring.
7 years ago
Victor Julien 4f32324fe4 devices: clean up device init code 7 years ago
Eric Leblond 023bb72cc6 suricata: fix init process for layer 2 IPS
4474889667 did break the logic of IPS
mode detection for layer 2 IPS mode like Netmap and AF_PACKET. This
pach fixes the issue by calling the IPS detection mode after
complete registration of the interfaces.

Reported-by: Alexander Gozman <a.gozman@securitycode.ru>
7 years ago
Victor Julien 44daf84321 output/tls: don't pass NULL fingerprint to json logging 7 years ago
Victor Julien 155a017cf8 ssl: fix uninitialized variable warning 7 years ago
Victor Julien 3c72d67635 detect/analyzer: log mask flags and more engine details 7 years ago
Victor Julien c4b56ca289 dcerpc: fix dce_iface not matching 7 years ago
Victor Julien a2b8ea57fc detect/dce: fix false positives in detection
If a signature didn't explicitly specified 'dcerpc' or 'smb' as the
app proto, false positives on other traffic could happen. This was
caused by the sig not having a app_proto set. This isn't set as the
rule is supposed to match against either ALPROTO_DCERPC or ALPROTO_SMB.

To avoid adding runtime costs for checking for both protocols, this
patch adds a new flag for DCERPC in the 'mask' logic. The flag is set
on the sig if dce_* keywords are present and set on the packet if the
flow's app proto is either ALPROTO_DCERPC or ALPROTO_SMB.

Bug #2559

Reported-by: Jason Taylor
7 years ago
Victor Julien 8547d113bf detect: minor code cleanups 7 years ago
Victor Julien 329e029525 detect/dce: keyword cleanups 7 years ago
Victor Julien 177966970a smb: probing parser improvement 7 years ago
Victor Julien fd38989113 proto/detect: remove probing parser offset argument
Remove offset argument as it was unused.
7 years ago
Victor Julien 991ec4ed60 detect/flow: minor code cleanups 7 years ago
Victor Julien bfa884c956 detect: avoid potential use-after-free in error path 7 years ago
Victor Julien 9cd0bbcab1 proto/detect: minor cleanup 7 years ago
Victor Julien d062089c60 detect: clean up counter registration 7 years ago
Victor Julien e8079e2f1b flow: fix comment typos 7 years ago
Victor Julien 90e0e3da27 nfs: fix applying nfs3 logging logic to nfs4 7 years ago
Victor Julien 22e0fc97f8 nfs: rename generic functions from nfs3 to nfs 7 years ago
Danny Browning cd40a3f7ac detect-parse: fix missing space in error message (2541)
Fix missing space in error message.
7 years ago
Victor Julien f68bf3301a enip: harden byte parsing code
Make sure we never read more than we have.

Reported-by: Henning Perl
7 years ago
Victor Julien 9ba89a31ef ssh: fix out of bounds read in banner parsing
Reported-by: Henning Perl
7 years ago
Victor Julien 843d0b7a10 stream: support RST getting lost/ignored
In case of a valid RST on a SYN, the state is switched to 'TCP_CLOSED'.
However, the target of the RST may not have received it, or may not
have accepted it. Also, the RST may have been injected, so the supposed
sender may not actually be aware of the RST that was sent in it's name.

In this case the previous behavior was to switch the state to CLOSED and
accept no further TCP updates or stream reassembly.

This patch changes this. It still switches the state to CLOSED, as this
is by far the most likely to be correct. However, it will reconsider
the state if the receiver continues to talk.

To do this on each state change the previous state will be recorded in
TcpSession::pstate. If a non-RST packet is received after a RST, this
TcpSession::pstate is used to try to continue the conversation.

If the (supposed) sender of the RST is also continueing the conversation
as normal, it's highly likely it didn't send the RST. In this case
a stream event is generated.

Ticket: #2501

Reported-By: Kirill Shipulin
7 years ago