aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
16,202 Commits
7 Branches
155 Tags
192 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '42e5e556e5'
${ noResults }
Commit Graph

1483 Commits (42e5e556e59fcd10efa89fcc75ad9f081ee25e93)

Author SHA1 Message Date
Juliana Fajardini 8d3de85edd pgsql: fix u16 overflow in query data_row 
Found by oss-fuzz with quadfuzz.

Cf https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63113

According to PostgreSQL documentation the maximum number of rows can be
the maximum of tuples that can fit onto max u32 pages - 4,294,967,295 (cf
https://www.postgresql.org/docs/current/limits.html). Some rough
calculations for that indicate that this could go over max u32, so
updating the data_row data type to u64.

Bug #6389
 1 year ago
Philippe Antoine 673d13d445 rust: allow clippy::items_after_test_module 
As clippy began to complain about jsonbuilder.rs
 1 year ago
Jeff Lucovsky f12e026696 mqtt: Move conf code to rust 
Issue: 6387

This commit moves the configuration logic to Rust.
 1 year ago
Jason Ish 5d5b0509a5 requires: add requires keyword 
Add a new rule keyword "requires" that allows a rule to require specific
Suricata versions and/or Suricata features to be enabled.

Example:

  requires: feature geoip, version >= 7.0.0, version < 8;
  requires: version >= 7.0.3 < 8
  requires: version >= 7.0.3 < 8 | >= 8.0.3

Feature: #5972

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
 1 year ago
Jason Ish 15ed51f9b8 feature: provide a Rust binding to the feature API 
As the feature module is not available for Rust unit tests, a mock
version is also provided.
 1 year ago
Juliana Fajardini 1afb485dfa pgsql: remove unused msg field 
The `ConsolidatedDataRow` struct had a `length` field that wasn't truly
used.

Related to
Bug #6389
 1 year ago
Juliana Fajardini 30ac77ce65 pgsql: add cancel request message 
A CanceldRequest can occur after any query request, and is sent over a
new connection, leading to a new flow. It won't take any reply, but, if
processed by the backend, will lead to an ErrorResponse.

Task #6577
 1 year ago
Juliana Fajardini 7fa8bbfe43 pgsql: extract length validation into function 
This is called so many times that it seems to make sense that we use a
function for this.
 1 year ago
Victor Julien b8440a0917 jsonbuilder: add set_int for signed ints 
Bug: #6615
 1 year ago
Jason Ish f91122e0e8 dns: replace usage of rs_dns_tx_get_query_name with SCDnsTxGetQueryName 
SCDnsTxGetQueryName was introduced to allow for getting the query name
in responses as well as requests, so covers the functionality of
rs_dns_tx_get_query_name.
 1 year ago
Jason Ish 482325e28b dns: add dns.query.name sticky buffer 
This buffer is much like dns.query_name but allows for detection in both
directions.

Feature: #6497
 1 year ago
Jason Ish 5f99abb0cb dns: add dns.answer.name keyword 
This sticky buffer will allow content matching on the answer names.
While ansers typically only occur in DNS responses, we allow the buffer
to be used in request context as well as the request message format
allows it.

Feature: #6496
 1 year ago
Jason Ish 9464d0b14a dns: consolidate DNSRequest and DNSResponse to DNSMessage 
DNS request and response messages follow the same format so there is
no reason not to use the same data structure for each. While its
unlikely to see fields like answers in a request, the message format
does not disallow them, so it might be interesting data to have the
ability to log.
 1 year ago
Jason Ish e2d7a7f877 dns: rustfmt with latest stable 1 year ago
Jason Ish 4620776a30 rustfmt: replace deprecated fn_args_layout with fn_params_layout 1 year ago
Philippe Antoine 1b5e04bee3 http2: do not have leading space for response line 
Ticket: 6547
 1 year ago
Juliana Fajardini bdec2d8ea8 pgsql: don't log password msg if password disabled 
If the logging of the password is disabled, there isn't much point in
logging the password message itself.
 1 year ago
Juliana Fajardini 9aeeac532e pgsql: remove probe_ts function 
With the changes in the probing_ts function, this other one could become
obsolete. Remove it, and directly call `parser::parse_request` when
checking for gaps, instead.
 1 year ago
Juliana Fajardini 53d29f652a pgsql: remove unused error handling call 1 year ago
Juliana Fajardini afd6e4dc41 pgsql: don't log unknown message type 1 year ago
Juliana Fajardini 4f85d06192 pgsql: fix probing functions 
Some non-pgsql traffic seen by Suricata is mistankenly identified as
pgsql, as the probing function is too generic. Now, if the parser sees
an unknown message type, even if it looks like pgsql, it will fail.

Bug #6080
 1 year ago
Juliana Fajardini 1ac5d97259 pgsql: add unknonwn frontend message type 
We had unkonwn message type for the backend, but not the frontend
messages. It's important to better identify those to improve pgsql
probing functions.

Related to
Bug #6080
 1 year ago
Victor Julien d3ccff5822 detect/asn1: handle in PMATCH 
Since the asn1 keyword is processing payload data, move the handling of
the keyword into the PMATCH with content inspection.

Use u32 as buffer length in the Rust FFI
 1 year ago
Victor Julien 132fe57ac6 rust: add copyright header to common.rs 1 year ago
Philippe Antoine e38b9de6a2 output/krb5: have krb5 properties in alerts 
Ticket: 5977
 1 year ago
Philippe Antoine 8a09bff0aa output/tftp: have tftp properties in alerts 
Ticket: 6501
 1 year ago
Philippe Antoine 0b6b015e26 output/alert: rewrite code for app-layer properties 
Especially fix setup-app-layer script to not forget this part

This allows, for simple loggers, to have a unique definition
of the actual logging function with the jsonbuilder.
This way, alerts, files, and app-layer event can share the code
to output the same data.

Ticket: #3827
 1 year ago
Philippe Antoine 90c17652a3 rust: remove unused 
Ticket: #4083
 1 year ago
Sascha Steinbiss 0c55fe3515 detect: add mqtt.connect.protocolstring 
Ticket:  OISF#6396
 1 year ago
Philippe Antoine e3cd0d073f http2: app-layer event for userinfo in uri 
Ticket: #6426

as per RFC 9113
":authority" MUST NOT include the deprecated userinfo subcomponent
for "http" or "https" schemed URIs.
 1 year ago
Philippe Antoine 6249722589 http2: normalize host when there is user info 
Ticket: 6479
 1 year ago
Philippe Antoine b6cd66f41d http2: update brotli crate 
Fixes debug assertion found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63144
 1 year ago
Philippe Antoine 46a46e5b1f http2: event on mismatch between authority and host 
Ticket: #6425
 1 year ago
Philippe Antoine ae72ce77fa detect: parse units for integers 
Ticket: #6423

Especially for filesize, instead of just a number, a signature
can use a number and a unit such as kb, mb or Gb
 1 year ago
Daniel Olatunji 54de0450f4 rust: remove cbindgen:ignore on frames module 
This directive is no longer required, and does
mess up the rustdoc description of the module.
 1 year ago
Daniel Olatunji 5c0af0b203 rust/doc: add docstring to rust module files. 
Issue: #4584
 1 year ago
Philippe Antoine 14a4c6c696 rust: update brotli decompressor crate 
cf https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59687
 1 year ago
Philippe Antoine 9157070907 quic: v2 support per rfc 9369 
Ticket: #4968
 1 year ago
Yatin Kanetkar b67ff4badf dhcp: Log Vendor Client Identifier (dhcp option 60) 
* Log vendor client identifier (dhcp option 60) if extended dhcp
logging is turned on. This required the `vendor_client_identifier` to
be added to the json schema. Validation done using an SV Test
* Added `requested_ip` to the json schema as well, since it was
missed. My SV test failed without it.

Feature #4587
 2 years ago
Philippe Antoine 5bdbc1a313 rdp: do not use zero-bit bitflag 
cf https://docs.rs/bitflags/latest/bitflags/#zero-bit-flags

As warned by clippy 1.72.0
 2 years ago
Philippe Antoine b235e85c68 rust: fix clippy warnings for version 1.72.0 
Includes using the right prototype for C SRepCatGetByShortname
 2 years ago
Victor Julien 89f1837625 rust: update cargo.lock 2 years ago
Shivani Bhardwaj 8770431986 dcerpc: accept ALTER_CONTEXT as a valid request 
So far, if only the starting request was a DCERPC request, it would be
considered DCERPC traffic. Since ALTER_CONTEXT is a valid request type,
it should be accepted too.

Reported and patch proposed in the following Redmine ticket by
InterNALXz.

Bug 6191
 2 years ago
Victor Julien 389f166d78 file: remove FILE_USE_DETECT flag 
All implementations were converted to use the logic, so the flag itself
can be removed.
 2 years ago
Shivani Bhardwaj d4e674b390 rust: fix clippy warnings 2 years ago
Victor Julien 0068b81269 rust: update cargo.lock 2 years ago
Philippe Antoine 60db5e981c http2: do not append data after closing file 
Ticket: #6211

Completes commit 02dece5db5

Once a http2 stream has end of stream flag, we close the file.
If we see new data frames with this stream id, the new_chunk
function should ignore them as the file was already closed.
 2 years ago
Jeff Lucovsky 690b65ae88 detect/byte_math: Permit var name for bytes value 
Issue: 6145

Modifications to permit a variable name to be used for the byte_math
bytes value.
 2 years ago
Philippe Antoine 02dece5db5 http2: file tracker is initialized when file is closed 
Ticket: #6130

This avoids quadratic complexity by having http2_range_key_get
looking in a growing number of frames
 2 years ago
Sascha Steinbiss 1521b77edd rfb: also set unimplemented auth types 2 years ago
Sascha Steinbiss 1606aca881 rfb: ensure logging of incompletely parsed txs 2 years ago
Sascha Steinbiss 1f8a5874fb rfb: never return error on unknown traffic 
We only try to parse a small subset of what is possible in
RFB. Currently we only understand some standard auth schemes
and stop parsing when the server-client handshake is complete.
Since in IPS mode returning an error from the parser causes
drops that are likely uncalled for, we do not want to return
errors when we simply do not understand what happens in the
traffic. This addresses Redmine #5912.

Bug: #5912.
 2 years ago
Sascha Steinbiss 836fff3679 rfb: add myself as contributor 2 years ago
Sascha Steinbiss bd1fbf392e rfb: be more strict parsing the version 2 years ago
Philippe Antoine d40dca5e55 dcerpc: maximum number of live transactions also for UDP 
Ticket: #6129

Avoids that quadratic complexity gets too bad
 2 years ago
Jason Ish 68d0d6ca24 rust: fix unit test link error on Rust 1.70 
Rust 1.70 appears to now link code on both branches of `if cfg!(test)`
now causing Rust unit tests to fail as that pattern was used to
disable functions only available when linked with the Suricata C code.

To work-around this issue, provide two versions of the `new` function,
one for unit tests and one when running as an application.
 2 years ago
Philippe Antoine 7256ec8a6e detect/http2: do not escape ':' in header name or value 
for keywords http.request_header and http.response_header

Ticket: #5780
 2 years ago
Philippe Antoine 4c466ec5f4 rust/pgsql: remove unused/unconstructed enum variants 2 years ago
Philippe Antoine f2a18e91c4 rust: define AppLayerEventType only in rust 
And detect.h does no longer depend on app-layer-events.h
 2 years ago
Philippe Antoine 668501c225 rust: remove unused 2 years ago
Philippe Antoine 7ca43e7e1f output/snmp: log version from tx 
and not the one from state

If a SNMP flow starts with a V2 version transaction,
then there is a V3i version transaction,
we will now log V3 for the second transaction
 2 years ago
Philippe Antoine 0ec0d8de67 output/rfb: remove unused function parameters 2 years ago
Philippe Antoine 24c2702a05 output/mqtt: remove unused function parameters 2 years ago
Philippe Antoine 09d364b32f output/krb5: remove unused function parameters 2 years ago
Lancer Cheng abc76e27de smb: fix data padding logic in writeAndX parser 
Bug: #6008
 2 years ago
Lancer Cheng 000eb91078 smb: fix wrong data offset when wct = 12 
Bug: #6008
 2 years ago
Philippe Antoine 6350736882 http2: avoid quadratic complexity in headers 
When adding an element to the dynamic headers table, the oldest
ones may get evicted. When multiple elements get evicted, they
should get evicted all at once with drain, instead of one by one
as there will be a massive move each time.

Ticket: #6103
 2 years ago
Philippe Antoine 7d3aa91bf4 mqtt: fix quadratic complexity 
get_tx_by_pkt_id loops only over the last transactions
in case there is a transaction flood

Ticket: #6100
 2 years ago
Haleema Khan 8e19906afa mqtt: rustfmt mqtt.rs 2 years ago
Haleema Khan e474858e25 mqtt: add mqtt frames 
Adds PDU, Header and Data frame to the MQTT parser.
Ticket: 5731
 2 years ago
Jason Ish 33827beae5 jsonbuilder: check buffer growth 
Use try_reserve before growing the internal buffer, and the internal
state vector. This allows allocation errors to be caught and an error
returned instead of just aborting the process.

Ticket: #6057
 2 years ago
Jason Ish 95cfc2b34f jsonbuilder: rustfmt 
Some very minor changes to formatting.
 2 years ago
Jason Ish 039c27789b rust: use 2021 edition 
With the MSRV being bumped to 1.62 for 7.0, we can move the edition up
to 2021.
 2 years ago
Jason Ish c30fff8bcb rust/doc: restore comment with code example, but ignore 
Use backticks for proper markdown processing. As Rust code in
backticks is compiled, and this is a non-complete example, tag the
code sample to be ignored.
 2 years ago
Philippe Antoine 5391f0a8a0 detect: http_response_line for HTTP2 
Ticket: #4067

Synthetized as HTTP/2 <STAT>\r\n
 2 years ago
Philippe Antoine 0dca8cc796 detect: http_request_line support for HTTP2 
Ticket: #4067

Synthetized as <METHOD> <URI> HTTP/2\r\n
 2 years ago
Jason Ish 13fe957b7e rust/doc: wrap some code examples in backticks 2 years ago
Victor Julien d4c60924f1 rust/doc: fix doc compile issues 2 years ago
Eloy Pérez González ed91d689f2 krb5: use req_type instead of msg_type to get request type 2 years ago
Eloy Pérez González a9b7241417 krb5: set msg_type for KRB-ERROR messages to MessageType::KRB_ERROR 2 years ago
Eloy Pérez González 511dbfe171 krb5: add AS-REQ and TGS-REQ transactions 
Fix bug in ticket #4529
 2 years ago
Victor Julien f9276fdf00 rust: spelling fixes 
Thanks to Josh Soref.
 2 years ago
Victor Julien cdd3251982 snmp: fix spelling 
Thanks to Josh Soref.
 2 years ago
Victor Julien ee7ed99b6f rust: spelling 2 years ago
Victor Julien d630f0fa34 rust: rustfmt files with recent new tests 2 years ago
Victor Julien 77f1658c2a rust: fix new clippy warnings 2 years ago
Lancer Cheng 0cf742a9ca smb: add unit tests 
Issue: 4865
 2 years ago
tianjinshan 2c0c6cb0a5 smb/ntlmssp: fix parsing of negotiate flags 
Ticket: #5783
 2 years ago
Jason Ish 0e55307c1d app-layer: remove APP_LAYER_PARSER_OPT_UNIDIR_TXS 
This flag is no longer needed as a parser can now create a transaction
as unidirectional.

Setting this flag also doesn't make sense on parsers that may have
request/reply and some unidirectional messaging.
 2 years ago
Jason Ish f8ec993401 rust/time: add note why this needs to be pinned 2 years ago
Jason Ish 5925b63d82 rust: update x509-parser to 0.15.0 2 years ago
William Correia e378aa8d15 modbus: bump crate version 
sawp 0.12 is available and addresses future compilation failures in
dependent crates.
Updated modbus test case to expect 12 bytes needed instead of 15. This
aligns with expectations as the test case slices 3 bytes off the end of
a 12 byte message so needing 12 bytes is correct.

Ticket #5989
 2 years ago
Jason Ish b4f0d3c741 rust: update der-parser to 8.2.0 
Minimal modifications required on the Suricata side, mainly for fields
becoming private and needing an accessor instead.

Note: As the kerberos parser still depends on der-parser 6.0, we still
have to depend on that so it is depended on, but renamed to
der-parser6. There is not an udpated kerberos-parser yet that uses
der-parser 8.2.0.

Ticket: #5991
 2 years ago
Jason Ish 3d9fc3bf1d rust: update snmp-parser to 0.9.0 
Updating snmp-parser required directly depending on the asn1-rs crate
for the Oid type, as snmp-parser does not re-export this type anymore.

Ticket: #5992
 2 years ago
Jason Ish 0d6628c64e rust: update cargo.lock 
Update Cargo.lock, most importantly the Nom 5.1.3 update which will
prevent future breakage by Rustc.
 2 years ago
Jason Ish d2fb958e28 rust: fix clippy lint for assert 
Fix done automatically by clippy --fix
 2 years ago
Haleema Khan 3531a4abaa rfb: rustfmt rfb.rs 2 years ago
Haleema Khan 3eee311350 rfb: add rfb frames, update tests 
Adds a PDU frame to the RFB parser.
Update function signature in tests to reflect frames

Ticket: 5717
 2 years ago
Victor Julien 0bbc411743 nfs: fix newline in debug messages 2 years ago
Philippe Antoine 9adb59bcdb http2: faster when reducing dynamic headers size 
avoid quadratic complexity from removing the first element
and copying all the contents a big number fo times.

Ticket: #5909
 2 years ago
Jason Ish 8ef410e284 app-layer: add direction to transaction creation where needed 
Build on Eric's but set the direction on transaction creation when
needed. I think this makes it a little more clear, and easier to
document when creating single direction transactions.

This also somewhat abstracts the inner-workings of a directional
transaction from the implementation.

Ticket: #4759
 2 years ago
Eric Leblond 9f4ca26962 sip: add TX orientation 
Set no inspection in the opposite side of the transaction.

Ticket: #5799
 2 years ago
Eric Leblond 8b0d56c414 nfs: TX are not unidirectional 
NFS transactions are not unidirectional so we should not declare
them as such.
 2 years ago
Eric Leblond 19174de4f3 quic: add TX orientation 
Set no inspection in the opposite side of the transaction.

Ticket: #5799
 2 years ago
Eric Leblond 44482a68b0 ntp: add TX orientation 
Set no inspection in the opposite side of the transaction.

Ticket: #5799
 2 years ago
Eric Leblond c64e4526cd krb: add TX orientation 
Set no inspection in the opposite side of the transaction.

Ticket: #5799
 2 years ago
Eric Leblond 322f3896ba mqtt: add TX orientation 
Set no inspection in the opposite side of the transaction.

Ticket: #5799
 2 years ago
Eric Leblond 7ce557a44c ike: add TX orientation 
Set no inspection in the opposite side of the transaction.

Ticket: #5799
 2 years ago
Eric Leblond 8926d82465 dns: add TX orientation 
Set no inspection in the opposite side of the transaction.

Ticket: #5799
 2 years ago
Eric Leblond 744fccee17 bittorrent_dht: add TX orientation 
Set no inspection in the opposite side of the transaction.

Ticket: #5799
 2 years ago
Eric Leblond a82a5aa84b snmp: add TX orientation 
Set no inspection in the opposite side of the transaction.

Ticket: #5799
 2 years ago
Eric Leblond 5aaf50760f app-layer: add flag to skip detection on TX 
Stamus team did discover a problem were a signature can shadow
other signatures.

For example, on a PCAP only containing Kerberos protocol and where the
following signature is matching:

alert krb5 $HOME_NET any -> any any (msg:"krb match"; krb5_cname; content:"marlo"; sid:3; rev:1;)

If we add the following signature to the list of signature

alert ssh $HOME_NET any -> any any (msg:"rr"; content:"rr"; flow:established,to_server; sid:4; rev:2;)

Then the Kerberos signature is not matching anymore.

To understand this case, we need some information:

- The krb5_cname is a to_client keyword
- The signal on ssh is to_server
- Kerberos has unidirectional transaction
- kerberos application state progress is a function always returning 1

As the two signatures are in opposite side, they end up in separate
sig group head.

Another fact is that, in the PCAP, the to_server side of the session
is sent first to the detection. It thus hit the sig group head of
the SSH signature. When Suricata runs detection in this direction
the Kerberos application layer send the transaction as it is existing
and because the alstate progress function just return 1 if the transaction
exists. So Suricata runs DetectRunTx() and stops when it sees that
sgh->tx_engines is NULL.

But the transaction is consumed by the engine as it has been evaluated
in one direction and the kerberos transaction are unidirectional so
there is no need to continue looking at it.

This results in no matching of the kerberos signature as the match
should occur in the evaluation of the other side but the transaction
with the data is already seen has been handled.

This problem was discovered on this Kerberos signature but all
the application layer with unidirectional transaction are impacted.

This patch introduces a flag that can be used by application layer
to signal that the TX should not be inspected. By using this flag
on the directional detect_flags_[ts|tc] the application layer can
prevent the TX to be consumed in the wrong direction.

Application layers with unidirectional TX will be updated
in separate commits to set the flag on the direction opposite
to the one they are.

Ticket: #5799
 2 years ago
Eric Leblond 236869bc58 detect: remove STREAM_FLUSH 
It is unused in the code so can be removed.

Ticket: #5799
 2 years ago
Jason Ish 60e67db452 rust: don't suppress vendor output 
There appears to be some errors happening in CI and this may be hiding
the source of the error.
 2 years ago
Jason Ish 6f14aed0e6 rust: bundle Cargo.lock 
Cargo.lock has to be provided as template, Cargo.lock.in so it can
live beside Cargo.lock in out of tree automake builds, like distcheck.

This will pin Rust dependencies even for git builds, updating
Cargo.lock will now be a manual process that we'll have to take care
of periodically.
 2 years ago
Jason Ish d4418034d1 rust: update aes and aes-gcm crates 
Addresses RUSTSEC-2021-0059, RUSTSEC-2021-0060.
 2 years ago
Jason Ish 159b72c101 rust/clippy: allow derivable impls 
The latest Rust will automatically "fix" derivable default
implementation, which is nice, but makes changes that don't meet our
current MSRV, so allow derivable impls for now.
 2 years ago
Lancer Cheng 9207012e4b smb: fix parser of ntlmssp negotiateflags 
Fix endian-conversion bug in function parse_ntlm_auth_nego_flags

Bug OISF#5783
 2 years ago
Haleema Khan 6b55e53ff5 rfb: add unittests to rfb.rs 
Task: #5741
 2 years ago
Philippe Antoine 233ab11148 smb: handles records with trailing nbss data 
If a file (read/write) SMB record has padding/trailing data
after the buffer being read or written, and that Suricata falls
in one case where it skips the data, it should skip until
the very end of the NBSS record, meaning it should also skip the
padding/trailing data.

Otherwise, an attacker may smuggle some NBSS/SMB record in this
trailing data, that will be interpreted by Suricata, but not
by the SMB client/server, leading to evasions.

Ticket: #5786
 2 years ago
Philippe Antoine c1b7befb18 smb: checks against nbss records length 
When Suricata handles files over SMB, it does not wait for the
NBSS record to be complete, and can stream the payload to the
file... But it did not check the consistency of the SMB record
length being read or written against the NBSS record length.

This could lead to an evasion where an attacker crafts a SMB
write with a too big Length field, and then sends its evil
payload, even if the server returned an error for the write request.

Ticket: #5770
 2 years ago
Jason Ish f15f092a69 rfb: remove duplicate logging of depth 
The "depth" field in the "pixel_format" object was being logged twice.

Issue: 5813
 2 years ago
Jason Ish 717e2b0248 smb: fix duplicate interface logging 
An array of interfaces was being logged without creating an array,
resulting in duplicate "interface" objects being logged. Instead put
these interfaces into an array like already done elsewhere.

Issue: 5814
 2 years ago
Jason Ish 67baab573b smb: remove duplicate tree_id logging 
Remove the second occurrence of tree_id logging which appears to
always be a duplicate of the first tree_id logged, even though they
come from different data structures.

Issue: 5811
 2 years ago
Jason Ish e21ae88e05 rust: utility function to copy Rust strings to C strings 
As there are a few places where a Rust string is copied into a provided
C string buffer, create a utility function to take care of these
details.
 2 years ago
Jason Ish 6344501dba tls: fix date logging for dates before 1970 
The Rust time crate used by the x509-parser crate represents dates
before 1970 as negative numbers which do not survive the conversion to
SCTime_t and formatting with the current time formatting functions.

Instead of fixing our formatting functions to handle such dates,
create a Rust function for logging TLS dates directly to JSON using
the time crate that handles such dates properly.

Also add a FFI function for formatting to a provided C buffer for the
legacy tls-log.

Issue: 5817
 2 years ago
Jason Ish 64cb687a65 rust: suppress specific manual_flatten list 
In this case of debug code, the explicit iterator seems to make more
sense.
 2 years ago
Jason Ish 7080ecbb76 rust: remove explicit lifetimes where not needed 2 years ago
Jason Ish e7f5bd047d rust: fix needless borrows of references 
Fixed automatically by cargo clippy --fix.
 2 years ago
Jason Ish 29f345af1a rust: allow uninlined_format_args 
Newer versions of Rust/clippy are getting picky about format strings.
We should allow and use the new style, but also not prevent the old
style.
 2 years ago
Jason Ish 3f4dad8676 ftp: add events for command too long 
Issue: 5235
 2 years ago
Jason Ish 48920bd784 rust/derive: allow event name to be set as attribute 
When deriving AppLayerEvent, allow the event name to be set with the
"name" attribute in cases where the transformed name is not suitable.

This allows us to use enum variant names like
"FtpEventRequestCommandTooLong" for direct use in C, but is also a
name that doesn't transform well to an event name in rules, where we
want to see "request_command_too_long".
 2 years ago
Philippe Antoine b52293b609 dcerpc: config limit maximum number of live transactions 
As is done for other protocols

Ticket: #5779
 2 years ago
Philippe Antoine ba99241957 http2: fix leak with range files 
Ticket: #5808

May have been introduced by a24d7dc45c

Function http2_range_open expects to be called only when
tx.file_range is nil. One condition to ensure this is to check
that we are beginning the files contents. The filetracker field
file_open is not fit for this, as it may be reset to false.
 2 years ago
Victor Julien 37f13a4fc7 smb: set defaults for file transfer limits 
Ticket: #5782.
 2 years ago
Jason Ish fab3f36b8c dns: never return error on UDP DNS 
UDP parsers should never return error as it should indicate to Suricata
that an unrecoverable error has occurred.  UDP being record based for
the most part is almost always recoverable, at least for protocols like
DNS.
 2 years ago
Jason Ish d720ead470 dns: split header and body parsing 
As part of extra header validation, split out DNS body parsing to
avoid the overhead of parsing the header twice.
 2 years ago
Jason Ish 595700ab7e dns: validate header on every incoming message 
As UDP streams getting probed, a stream that does not appear to be DNS
at first, may have a single packet that does look close enough to DNS
to be picked up as DNS causing every subsequent packet to result in a
parser error.

To mitigate this, probe every incoming DNS message header for validity
before continuing onto the body.  If the header doesn't validate as
DNS, just ignore the packet so no parse error is registered.
 2 years ago
Jason Ish c98c49d4ba dns: parse and alert on invalid opcodes 
Accept DNS messages with an invalid opcode that are otherwise
valid. Such DNS message will create a parser event.

This is a change of behavior, previously an invalid opcode would cause
the DNS message to not be detected or parsed as DNS.

Issue: #5444
 2 years ago
Jason Ish 7afc2e3aed dns: rustfmt 2 years ago
Jason Ish 39d2524bf6 dns: mark test buffers with rustfmt::skip 2 years ago
Victor Julien 6cc9811edd files: move FileContainer into FileTransferTracker 
Update SMB, NFS, HTTP2.
 2 years ago
Victor Julien e3e55406a7 files: update API and callers to take stream config 
This is to allow not storing the stream buffer config in each file.
 2 years ago
Victor Julien 71bc9e75f5 app-layer: get sbconfg with files 2 years ago
Victor Julien a1a221066f files: remove filecontainer drop trait 
In preparation of it becoming impossible to use due to the free
function getting an cfg argument.
 2 years ago
Victor Julien 0320c03f8c http2: explicity free files 
In preparation of adding an argument to the free functions which
means the drop trait can't be used anymore.
 2 years ago
Victor Julien 4b1e9f7c21 smb: explicity free files 
In preparation of adding an argument to the free functions which
means the drop trait can't be used anymore.
 2 years ago
Victor Julien 3a24cce289 nfs: explicity free files 
In preparation of adding an argument to the free functions which
means the drop trait can't be used anymore.
 2 years ago
Victor Julien 4bfeac6591 nfs: file handling cleanups 2 years ago
Victor Julien 33f6a16290 smb: file handling cleanups 2 years ago
Victor Julien d57510a10f files: remove unused Rust binding for file pruning 2 years ago
Victor Julien a24d7dc45c smb: fix post-trunc chunk behavior 
After a gap in a file transaction, the file tracker is truncated. However
this did not clear any stored out of order chunks from memory or stop more
chunks to be stored, leading to accumulation of a large number of chunks.

This patches fixes this be clearing the stored chunks on trunc. It also
makes sure no more chunks are stored in the tracker after the trunc.

Bug: #5781.
 2 years ago
Philippe Antoine 55c4834e4e smb: configurable max number of transactions per flow 
Ticket: #5753
 2 years ago
Philippe Antoine 1d9183638f smb: convert transaction list to vecdeque 
Allows for more efficient removal from front of the list.

Ticket: #5753
 2 years ago
Philippe Antoine cb89192ec3 smb: fix typo in comment 2 years ago
Haleema Khan cfcb7df9dc mqtt: rustfmt parser.rs 2 years ago
Haleema Khan 23acb89653 mqtt: add unittests for nom7 parsers 
Ticket: #5742
 2 years ago
Haleema Khan cdc5ccd7f7 rfb: rustfmt parser.rs 2 years ago
Haleema Khan b95d7efbd0 rfb: add unittests for nom7 parsers 
Task: #5741
 2 years ago
Philippe Antoine 3979acb5ed smb: set event for ntlmssp unusual order 2 years ago
Philippe Antoine e41c01a483 smb: rustfmt ntlmssp_records.rs 2 years ago
Philippe Antoine 1db8685848 smb/ntlmssp: parse fields independently of order 
Instead of relying on the usual ordering...

Ticket: #5258
 2 years ago
Jason Ish ae192ebae7 rust: sync log levels with C 2 years ago
Jeff Lucovsky f8474344cd log: Add module and subsystem identifiers to log 
Issue: 2497

This changeset provides subsystem and module identifiers in the log when
the log format string contains "%S". By convention, the log format
surrounds "%S" with brackets.

The subsystem name is generally the same as the thread name. The module
name is derived from the source code module name and usually consists of
the first one or 2 segments of the name using the dash character as the
segment delimiter.
 2 years ago
Victor Julien b31ffde6f4 output: remove error codes from output 2 years ago
Jason Ish bd9adac3ac rust/clippy: comments on why we have specific allows 2 years ago
Jason Ish dfd7abe185 rust/clippy: fix lint: type_complexity 
Convert a DNS sub-parser to use a return type rather than a large
tuple. For mqtt, allow the lint for now, but remove the global allow.
 2 years ago
Jason Ish e49ce49471 rust/clippy: allow result_unit_err in http2 only 
Its the only module making use of this pattern, but we shouldn't let
new modules use this pattern.
 2 years ago
Jason Ish 7ba2dadc7f rust/clippy: fix lint: upper_case_acronyms 2 years ago
Jason Ish 029ac650d7 rust/clippy: fix lint: manual_find 
These get_tx methods look like ideal candidates for generic and/or
derived methods.
 2 years ago
Jason Ish 4940dfb3bd rust/clippy: fix lint: len_without_is_empty 2 years ago
Jason Ish e1cffd348f rust/clippy: fix lint: field_reassign_with_default 2 years ago
Jason Ish 9df7c326b9 rust/clippy: remove allow: collapsible_else_if 2 years ago
Jason Ish 30ee5fc835 rust/clippy: remove allow: collapsible_if 
Already clean.
 2 years ago
Jason Ish da12b77f18 rust/clippy: fix lint: new_without_default 2 years ago
Jason Ish c4cf062a6f rust/clippy: fix lint: redundant_pattern_matching 2 years ago
Jason Ish 7c293ff68f rust/clippy: fix lint: never_loop 2 years ago
Jason Ish e8823644ec rust/clippy: fix lint: nonminimal_bool 2 years ago
Jason Ish 53ae0c8a06 rust/clippy: fix lint: derive_partial_eq_without_eq 2 years ago
Jason Ish 5d62995e26 rust/clippy: fix lint: explicit_counter_loop 2 years ago
Jason Ish f250b92180 rust/clippy: fix lint: extra_unused_lifetimes 2 years ago
Jason Ish 3044565cf4 rust/clippy: fix lint: needless_range_loop 2 years ago
Jason Ish 2ac52d0610 rust/clippy: remove lint: for_loops_over_fallibles 
Already clean.
 2 years ago
Jason Ish c026d8531b rust/clippy: fix lint: match_ref_pats 2 years ago
Jason Ish 359d5fcb7e rust/clippy: fix lint: needless_lifetimes 2 years ago
Jason Ish 4e001688de rust/clippy: remove lint: bool_comparison 
Already clean.
 2 years ago
Jason Ish f15ffbc869 rust/clippy: fix lint: single_match 
Allow this lint in some cases where a match statement adds clarity.
 2 years ago
Jason Ish 925bc74c1f rust/clippy: fix lint: while_let_loop 2 years ago
Jason Ish cf20fa1e67 template: import c_void, c_char, c_int 
These are ffi types that are commonly used, import them so they can be
used by their short names instead of a fully qualified name.
 2 years ago
Jason Ish 4220f18258 template: remove no_mangle and pub where not needed 
Extern functions that are only used as a function pointer do not
require "pub" or "no_mangle".
 2 years ago
Jason Ish 4a7567b3f0 template: rename template-rust to template 
Remove the distinction between the C template protocol "template" and
the Rust template protocol "template-rust" and make the Rust parser
simply template now that we no longer have support to generate a C
protocol template.
 2 years ago
Jason Ish 38321a213f rust/app-layer-template: rustfmt 2 years ago
Jason Ish 50a787a9a3 app-layer-template-rust: remove C app-layer stub 
Remove the app-layer-PROTO stub for Rust based parsers.  It is no longer
needed as Rust parsers now contain the registration function in Rust.

Ticket: 4939
 2 years ago
Jason Ish baa7021ee6 rust/conf: add fn conf_get_node 
A wrapper around ConfGetNode to get a configuration node by name.
 2 years ago
Victor Julien 64c0459d2d rust/lzma: clippy fixup 2 years ago
Jason Ish 35f99d1af7 rust/http2: fix clippy lint for is_empty() 
This snuck through as "cargo clippy" check wasn't finding lints that
were fixed by the previous test for fixable lints.
 2 years ago
Todd Mortimer 7d1a8cc335 file/swf: Use lzma-rs decompression instead of libhtp. 
Use the lzma-rs crate for decompressing swf/lzma files instead of
the lzma decompressor in libhtp. This decouples suricata from libhtp
except for actual http parsing, and means libhtp no longer has to
export a lzma decompression interface.

Ticket: #5638
 2 years ago
Victor Julien 45eb038e63 smb: fix file reopening issue 
Fuzzing highlighted an issue where a command sequence on the same file
id triggered a logging issue:

file data for id N
close id N
file data for id N

If this happened in a single blob of data passed to the parser, the
existing file tx would be reused, the file "reopened", confusing the
file logging logic. This would trigger a debug assert.

This patch makes sure a new file tx is created for the file data
coming in after the first file tx is closed.

Bug: #5567.
 2 years ago
Philippe Antoine 29f40c9e07 dcerpc: fix integer underflow 
as input.len() can be 65536, it cannot be directly cast to u16

Ticket: #5557
 2 years ago
Jason Ish 91617f479a rust: sha-1 is now sha1 
This is the same crate, but renamed to be more consistent with the
RustCrypto project naming. Some recent discussion is available here:

    https://github.com/RustCrypto/hashes/issues/438
 2 years ago