Commit Graph

8037 Commits (5ea1d3bd53befc7ebb0566aa17d28ff17d02f602)

Author SHA1 Message Date
Victor Julien 5ea1d3bd53 stream/async: improvements for IPS
Initialize midstream with async if enabled. Unset async on seeing
bidirectional traffic.

If only async-oneside is enabled, set ASYNC flag on session creation
when receiving a SYN packet.

Let last_ack stay in sync with next_seq so that various checks work
better.
9 years ago
Victor Julien b767f1d306 output/streaming: fixes and redo tcp logging
Fix HTTP body logging.

Redo TCP data logging based on the streaming API.
9 years ago
Victor Julien f4c4ef12c0 stream: introduce optional 'log' progress tracker
For logging streaming TCP data so far the individual segments were
used. However, since the last big stream changes, the segments are
no longer the proper place for this. Segments can now have overlaps
etc.

This patch introduces a new tracker. Next to the existing 'app' and
'raw' trackers, the new tracker is 'log'. When the TCP logging is
used, a flag in the config is set and the log tracker is used to
determine how much of the stream window can be moved.
9 years ago
Victor Julien 5b1d8c7e94 streaming/lua: add direction indication to streamer
Call SCStreamingBuffer as follows:

    data, sb_open, sb_close, sb_ts, sb_tc = SCStreamingBuffer()

sb_ts and sb_tc are bools indicating the direction of the data.
9 years ago
Victor Julien 35edc5264d luajit: cleanup states before return to pool 9 years ago
Victor Julien 888ed9db0d streaming: small code cleanup 9 years ago
Victor Julien 30a8b2def0 lua/streaming: fix http body logging 9 years ago
Victor Julien 0f4a9d740e flow-worker: improve no-flow case 9 years ago
Jason Ish 922a27ed97 detect-dns-query: use unit test macros 9 years ago
Victor Julien a636d96b15 detect/file: cleanups
TX id is enforced in the engine, so the keywords don't need to.

Unify detect file engines.
9 years ago
Andreas Herz 2aad2d605d rules: add missing classtypes for event.rules 9 years ago
Victor Julien 9492a43060 output-tx: small cleanups and scan-build suppression 9 years ago
Jason Ish bb10bd7fca profiling: fix const compiler warnings 9 years ago
Victor Julien 43b0bc8c8e unix socket: improve runmode handling
Improve output of unix mode in --list-runmodes

Honor the runmode commandline setting. Supported are 'single'
and 'autofp', with the latter still the default.
9 years ago
Victor Julien 75edfcc2cd unix-socket: fix minor memleak 9 years ago
Eric Leblond 1655a67654 log-tlsstore: fix error handling
In case of realloc error, the length of the encoding buffer was not
reset and this could result in trying to write to a NULL pointer.
9 years ago
Andreas Herz bf1a8d08da doc: rephrase nocase placement explanation 9 years ago
Victor Julien 41e6c6dc36 flow: enforce 51 bits id globally 9 years ago
Victor Julien 71c6df1655 lua: add SCFlowId for getting the flow id 9 years ago
Victor Julien 8127730f00 bug 2113: fix live modes 9 years ago
Jason Ish c7ddbbc586 dns: fix log filtering
Previously only a subset of the records could be selected
in custom. Now allow any to be selected.
9 years ago
Victor Julien 4217c6839a stream: single GAP check
Move all GAP checks into CheckGap. Remove seg_list based check.
Also remove seg_list == NULL check to make sure the Gap check is
done on an empty list as well.

Improve next_seq < last_ack check, but add data beyond gap check.
9 years ago
Victor Julien 39183f7a8e doc: fix doc links for http keywords 9 years ago
Victor Julien 4697330b73 doc: flowints formatting cleanup 9 years ago
Victor Julien 0af562d4c8 doc: move parts out of snort difference doc
Move generic keyword descriptions to the keyword documentation.
9 years ago
David Wharton a8d0ae460c doc: removing (replaced) snort-compatibility.rst
snort-compatibility.rst replaced by differences-from-snort.rst
9 years ago
David Wharton 8a53d49e81 doc: replacing snort-compatibility link
The snort-compatibility.rst document is being replaced by
differences-from-snort.rst. This commit updates the link.
9 years ago
David Wharton 6bc7c64794 doc: overhaul of the snort-compatibility document
This is intended to replace the existing 'snort-compatibility.rst'
document.
Based on "The Suricata Rule Writing Guide for The Snort Expert"
2016 SuriCon talk.
9 years ago
Victor Julien c513896786 bug 2113: unix-socket start up race 9 years ago
Victor Julien 5b56d324c4 app-layer: optimize many-tx case 9 years ago
Victor Julien 4459b88782 output: tx logging optimizations 9 years ago
Victor Julien 5c01b40931 tests: update tests for app-layer changes 9 years ago
Victor Julien 3148ff34b6 app-layer API optimizations and cleanups 9 years ago
Victor Julien cd97fa80f1 file: fix pruning for parallel files
Allow pruning of random files, not just list head.
9 years ago
Victor Julien afedd5c6df file: fix storing parallel files
When looping available files, 'flags' misuse would lead to all files
being closed after the first close.

This patch separates per file and per call flags.
9 years ago
Victor Julien ae99e08396 file: update loops to account for parallel files 9 years ago
Victor Julien c4c93872f8 file: introduce per file 'track id'
Some protocols transfer multiple files in parallel. To support this add
a 'track id' to the API. This track id is set by the protocol parser. It
will use this id to indicate what file in the FileContainer it wants to
act on.
9 years ago
Victor Julien 1062a9213b file-store: small cleanup 9 years ago
Victor Julien 944ab48b20 file: clarify file store id name 9 years ago
Victor Julien f18c976a8e flow: counters for total number of flows
flow.tcp
flow.udp
flow.icmpv4
flow.icmpv6
9 years ago
Jason Ish ac7cf48a98 dnp3: in template, include file's own headers
To deal with -Wmissing-prototypes as added in
ab1200fbd7

Note: the change was already applied to source files; this just
updates the generation.
9 years ago
Victor Julien 312ad9e3ad pfring: compiler warning fixes 9 years ago
Victor Julien f6e3755b5c lua: extend SCFlowAppLayerProto
Change SCFlowAppLayerProto to return 5 values:
<alproto> <alproto_ts> <alproto_tc> <alproto_orig> <alproto_expect>:

alproto: detected protocol
alproto_ts: detected protocol in toserver direction
alproto_tc: detected protocol in toclient direction
alproto_orig: pre-change/upgrade protocol
alproto_expected: expected protocol in change/upgrade

Orig and expect are used when changing and upgrading protocols. In an
SMTP STARTTLS case, orig would normally be set to "smtp" and expect
to "tls".
9 years ago
Victor Julien 9c071d1724 eve.flow: log original and expected app_protocols
Log protocols if they are available.
9 years ago
Victor Julien 88177694fd nfq: don't try to verdict detect/log flush pkts 9 years ago
Victor Julien d9908216d8 connect/starttls: handle detection corner cases
When switching protocol from http to tls the following corner case
was observed:

 pkt 6, TC "200 connection established"
 pkt 7, TS acks pkt 6 + adds "client hello"
 pkt 8 TC, acks pkt 7
 pkt 8 is where normally the detect on the 200 connection established
       would run however before detection runs the app-layer is called
       and it resets the state

So the issue is missed detection on the last data in the original
protocol before the switch.

Another case was:

TS ->    STARTTLS
TC ->    Ack "STARTTLS data"
         220
TS ->    Ack "220 data"
         Client Hello

In IDS mode, this made a rule that wanted to look at content:"STARTTLS"
in combination with the protocol SMTP 'alert smtp ... content:"STARTTLS";'
impossible. By the time the content would match, the protocol was already
switched.

This patch fixes this case by creating a 'Detect/Log Flush' packet in
both directions. This will force final inspection and logging of the
pre-upgrade protocol (SMTP in this example) before doing the final
switch.
9 years ago
Victor Julien 6f42ae91c7 app-layer: protocol change API
Add API calls to upgrade to TLS or to request a protocol change
without a specific protocol expectation.

If the HTTP CONNECT session includes a port on the url, use that to
look up the probing parser during protocol detection. Solves a
missed detection of an SSLv2 session that upgrades to TLSv1. SSLv2
relies on the probing parser which is limited to certain ports.

In case of STARTTLS in SMTP and FTP, the port is hardcoded to 443.

A new event APPLAYER_UNEXPECTED_PROTOCOL is set if there was a
mismatch.
9 years ago
Mats Klepsland 72c757433a app-layer: add decoder event for missing TLS after STARTTLS 9 years ago
Mats Klepsland 11b9e6fdab app-layer-ftp: add STARTTLS support 9 years ago
Mats Klepsland 8125f78f5f app-layer-ftp: detect FTP alproto when using AUTH TLS
Try to detect FTP using the patterns '220 (' and 'FEAT', since 'USER '
and 'PASS ' are not sent in cleartext when using AUTH TLS.
9 years ago