Commit Graph

1028 Commits (61b73416e27a07cab50743d69c1cf5cd7f07b45d)

Author SHA1 Message Date
Eric Leblond 2cc9152fc9 rust/smb: log uuid of interface in dcerpc
When doing a DCERPC request, we can use the context id to log the
interface that is used. Doing that we can see in one single event
what is the DCERPC interface and opnum that are used. This allows
to have all the information needed to resolve the request to a
function call.

Feature #5413.
3 years ago
Eric Leblond b6f1cf255c rust/smb/dcerpc: parse context id
As context id is used to know to which variant of the endpoint the
request is done, it is interesting to parse it.

Feature #5413.
3 years ago
Philippe Antoine 11f849c3ee protocol-change: sets event in case of failure
Protocol change can fail if one protocol change is already
occuring.

Ticket: #5509
3 years ago
Philippe Antoine e94920b49f smb: do not use tree id to match create request and response
As an SMB2 async response does not have a tree id, even if
the request has it.

Per spec, MessageId should be enough to identifiy a message request
and response uniquely across all messages that are sent on the same
SMB2 Protocol transport connection.
So, the tree id is redundant anyways.

Ticket: #5508
3 years ago
Philippe Antoine 461725a9bf dhcp: adds leasetime keyword
As it is logged

Ticket: #5435
3 years ago
Philippe Antoine 9b4a133777 http2: remove to_vec for comparisons
Ticket: #5454
3 years ago
Philippe Antoine d011b468da http2: fix clippy warning about &Vec<u8>
Using &[u8] instead in function prototype
3 years ago
Philippe Antoine 3de735ae70 ike: log ikev1 tx fields instead of state ones
As state fields can grow abitrarily, and this can lead to DOS
by quadratic complexity (CPU time and disk space)

Adds a direction field to retain all the information in the
transaction.

Also checks array vendor_ids had at least one element before
logging it.

Ticket: #5455
3 years ago
Philippe Antoine d0171d7418 ike: rustfmt 3 years ago
Philippe Antoine 5c7b5c5fb5 krb: detection for ticket encryption
As is done for logging.

Ticket: #5442
3 years ago
Philippe Antoine 64b2385c64 krb: log for ticket encryption
Also logs if the ticket encryption is weak.
It is different from the encryption used for the rest of the
packet, and this allows to detect kerberoasting attack.

Ticket: #5442
3 years ago
Philippe Antoine 7fcc6696cb krb: rustfmt kerberos.rs 3 years ago
Philippe Antoine 675de33405 krb: bump up crate version
kerberos parser crate is also used by other procotols : nfs and
smb. These protocols use an older der_parser crate version.
Upgrading der_parser will simplify the code further.
3 years ago
Philippe Antoine 783dff2c38 krb: rustfmt detect.rs 3 years ago
Jason Ish c862e84c01 rust/frames: cleanups
- Implement the Display trait on Direction to print "toserver" or
  "toclient" which used in a format string.

- Use Direction struct inside Frame instead of a u32.  Requires a helper
  method as there are two representation in C for direction, and the C
  methods for frames don't use the internal representation of the
  Direction enum (some sweeping changes could help here)
3 years ago
Jason Ish f92708b8ca rust/frames: derive direction from StreamSlice
On the Rust side, a Frame requires a StreamSlice to be created. We can
derive the direction from the StreamSlice removing the need for callers
to provide the direction when operating on the frame.
3 years ago
Jason Ish b39d7f46e7 dns/tests: fix StreamSlice to satisfy debug validation 3 years ago
Philippe Antoine f3b6fd3329 quic: update to nom7 3 years ago
Philippe Antoine 95125811b8 quic: reassemble crypto frames and parse it 3 years ago
Philippe Antoine f242fb7f22 quic: events and rules on them 3 years ago
Philippe Antoine b9c1d9e86b quic: parse gquic version Q039
Ticket: #5166
3 years ago
Philippe Antoine 018fef5ef8 quic: ja3 computation and logging and detection
Logging as is done in TLS.

Detection using the generic generic ja3.string keyword

Ticket: #5143
3 years ago
Philippe Antoine c6cf61a39b quic: complete parsing of initial for non gquic
The format of initial packet for quic ietf, ie quic v1,
is described in rfc 9000, section 17.2.2

Parse more frames and logs interesting extensions from crypto frame

Do not try to parse encrypted data, ie after we have seen
a crypto frame in each direction.

Use sni from crypto frame with tls for detection already implemented

Ticket: #4967
3 years ago
Philippe Antoine 7044131c39 quic: rustfmt 3 years ago
Philippe Antoine 0c346af4a9 rust: bump up digest crates
so that we can use hkdf crate for quic
3 years ago
Philippe Antoine 2294e9cdbc rdp: bump up tls-parser crate version
so that we can use new functions in quic parser
3 years ago
Philippe Antoine 11e0eb9c89 quic: do not log empty cyu array
Ticket: #5167
3 years ago
Philippe Antoine 632581ac95 ike: do not log empty notify array
Ticket: #5167
3 years ago
Philippe Antoine 262a93ce18 mqtt: do not log reason_codes if there is none
Ticket: #5167
3 years ago
Philippe Antoine 1621f5e453 detect/nfs: use inclusive ranges 3 years ago
Philippe Antoine ed6955ee98 detect: use generic integer functions for iprep
Ticket: #4112
3 years ago
Philippe Antoine cfb60d0fce detect: use generic integer functions for urilen
Ticket: #4112
3 years ago
Philippe Antoine c57052181c snmp: rustfmt detect.rs 3 years ago
Philippe Antoine c7214be99b snmp: adds usm keyword
as is logged

Ticker: #5416
3 years ago
Philippe Antoine eb1c2a6083 smb: use default stream-depth 0 by default
As broken by commit e5c948df87

Ticket: #5390
3 years ago
Philippe Antoine c585be338c nfs: fix arbitrary allocation
Bug introduced by https://github.com/OISF/suricata/pull/7111

Nom's count begins by allocating a Vector, which leads to arbitrary
allocation due to flavors_cnt coming from network, and not even
being checked against i.len()

Ticket: #5237
3 years ago
Philippe Antoine 26dc70648c dns: remove unused events field from state
found overflowing by oss-fuzz
3 years ago
Philippe Antoine d1a4dae36b detect: use generic integer functions for streamsize
By the way, adds the prefilter feature

Ticket: #2697
Ticket: #4112
3 years ago
Philippe Antoine 35b6dcec7e detect: use generic integer functions for filesize
Ticket: #4112
3 years ago
Philippe Antoine f29b43defd detect: rust generic functions for integers
Move it away from http2 to generic core crate.
And use it for DCERPC (and SMB)

And remove the C version.
Main change in API is the free function is not free itself, but
a rust wrapper around unbox.

Ticket: #4112
3 years ago
Philippe Antoine c4d9cb02ec util: better hex print function
Without dangerous snprintf pattern identified by CodeQL
even if this pattern is not a problem in those precise cases,
it may easily get copy pasted in a dangerous place, so better
get rid of it and make CodeQL happy
3 years ago
Philippe Antoine 6058792bee rust: make suricata context const
So that it is read only and its pointers do not get modified
3 years ago
Philippe Antoine 6224e283fa modbus: bump up rust crate version
So that probing parser is more strict and does not accept unknown
function code as valid modbus.

Ticket: #5377
3 years ago
Philippe Antoine 2d761810db rust: cbindgen first verifies existing bindings
So as not to recompile every C file inclusing rust.h
3 years ago
Juliana Fajardini 6ccc01a79c rust: fix doc comments that trigger rust warnings
Rust generates warnings that are treated as errors for documentation
blocks before `extern` blocks.
3 years ago
Philippe Antoine d745d28d4a dcerpc: use vecdeque tx iterator
Ticket: #5321
3 years ago
Jason Ish dfe76bb905 dcerpc: convert transaction list to vecdeque
Allows for more efficient removal from front of the list.

Ticket: #5271
4 years ago
Jason Ish 8790968281 mqtt, rdp: fix copyright dates 4 years ago
Philippe Antoine c78722a671 rust: RustParser same fields as AppLayerParser
So that there is no problem when crossing FFI
4 years ago
Sam Muhammed 323fe1c1ac nfs3/records: Fix typo
Fix response_lookup unittest name
4 years ago