Commit Graph

12899 Commits (6d30f4442c400e7b27726267b94b7bf5404881c4)
 

Author SHA1 Message Date
Victor Julien 609a7eaab2 app-layer: error counters
Per app-layer error counters for:
gap, parser, internal (AppLayerResult issues), alloc
4 years ago
Victor Julien ae0b8d92da flow/manager: remove dead code 4 years ago
Victor Julien 5618886aa9 stream: remove unused defines 4 years ago
Victor Julien 811b2cd334 doc: refresh main README; more accurate CI description 4 years ago
Modupe Falodun d2dad66a2b detect-dce-opnum: remove unittests
These tests are reimplemented in Suricata-Verify

Task: 4911
4 years ago
Jason Ish b9a429e6ce devguide: move image generation into sphinx setup
While ReadTheDocs can't execute arbitrary scripts, we can install
mscgen in the container that builds the docs (see .readthedocs.yaml).

Then instead of calling generate-images.sh from the Makefile, move this
into the setup function defined on conf.yaml, which will generate the
scripts as part of a normal Sphinx workflow.

This should give us an image generation solution that works on
ReadTheDocs, and locally within anyones build system provided they have
mscgen installed.
4 years ago
Philippe Antoine 4247605d87 smtp: check if we have a current transaction
Ticket: 4948

This is not the perfect solution, but it prevents to trigger
the assert, and keep the assert.
A better solution would need to create transaction from
the reponse parsing, in case a later command was buffered and
not answered. But this would not be enough as NoNewTx prevents
the creation of a new transaction for RSET...
4 years ago
Philippe Antoine 11d3af551b doc: suricata.yaml fields about maximum transactions
For HTTP2, MQTT and FTP.
4 years ago
Philippe Antoine 2ef4172437 ftp: limits the number of active transactions per flow
Ticket: 4530

As for HTTP2 and MQTT.
In FTP case, transactions are pipelined, not identified by an id.
So, there are less chances of DOS by quadratic complexity.
4 years ago
Philippe Antoine e42094f238 mqtt: make max transactions configurable
Allows users to find balance between completeness of decoding
and increases resource consumption, which can DOS suricata.
4 years ago
Philippe Antoine 4f90d4254e http2: makes some settings configurable
max-streams and max-table-size

Allows users to find balance between completeness of decoding
and increases resource consumption, which can DOS suricata.
4 years ago
Philippe Antoine a8079dc978 mqtt: limits the number of active transactions per flow
Ticket: 4530

So, that we do not get DOS by quadratic complexity, while
looking for a new pkt_id over the ever growing list
of active transactions
4 years ago
Philippe Antoine 5475212f21 http2: limits the number of active transactions per flow
Ticket: 4530

So, that we do not get DOS by quadratic complexity, while
looking for a new stream id over the ever growing list
of active streams
4 years ago
Philippe Antoine b39554b11f fuzz: target for applayer cleans transactions
Ticket: 4530

Otherwise, we timeout because we kept too many of them
as Suricata would not
4 years ago
Aaron Bungay a5d3a1f92c src: use bool instead of int 4 years ago
Aaron Bungay 272786908c smtp/mime: configurable url scheme extraction
Parse extract-url-schemes from the mime config.
e.g. 'extract-urls-schemes: [http, https, ftp, mailto]'
Update MimeDecConfig struct to new url extraction fields.
Change app-layer-smtp.c & util-decode-mime.c to initialize new struct
fields for MimeDecConfig.
Sets the default value for extract-url-schemes if not found in the
config to 'extract-urls-schemes: [http]' for backwards compatibility.

Uses the schemes defined in the mime config value for
extract-urls-schemes to search for URLS starting with those scheme
names followed by "://".
Logs the URLS with the scheme + '://' at the start if the
log-url-scheme is set in the mime config, otherwise the old behaviour
is reverted to and the urls are logged with the schemes stripped.

Removed unused constant URL_STR now that URLS are being searched for
using extract-urls-schemes mime config values instead of just URL's
starting with 'http://'.

Added commented out new options for extract-urls-schemes and
log-url-scheme to suricata.yaml.in.

Update FindUrlStrings comments.
Remove old outdated comments/commented code from FindUrlStrings.
Update test case for mime which now needs schemes list to be set.
Add Test Cases for FindUrlStrings() method.

Feature: #2054
4 years ago
Victor Julien 6c240938b5 github-ci: replace failing CentOS 8 by AlmaLinux 8.4 4 years ago
Modupe Falodun b77d1d7d2e detect-flowbits: remove unittests
These tests are reimplemented in Suricata-Verify

Task: 4911
4 years ago
Philippe Antoine f0e869b26b mqtt: parse properties with the right buffer's length 4 years ago
Philippe Antoine df2cbd6517 http2: event for variable-length integer overflow
http2_parse_var_uint can overflow the variable-length
integer it is decoding. In this case, it now returns an error
of kind LengthValue.

The new function http2_parse_headers_blocks, which factorizes
the code loop for headers, push promise, and continuation, will
check for this specific error, and instead of erroring itself,
will return the list of so far parsed headers, plus another one
with HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIntegerOverflow

This status is then checked by process_headers to create an
app-layer event.
4 years ago
Philippe Antoine b86beb9b68 http2: check overflow before it happens
instead of checking afterwards if value got smaller
4 years ago
Jason Ish f8e143030c github-ci: update commit and formatting containers
Update the Ubuntu containers for the commit and formatting checks to
Ubuntu 20.04.

The latest version of the checkout action requires git v2.18 in order to
checkout the code as a git repo, which is required for these workflows.

With older versions of git the action will download the code as a
tarball and lack the .git directory.
4 years ago
Jason Ish 234a44bf85 github-ci: pin actions to specific versions
Resolve the GitHub scanning pinned-dependencies for most of our GitHub
actions.  The oss-fuzz actions have not been updated.
4 years ago
Philippe Antoine 1e1a4ab1c4 detect: logs an error if a protocol is disabled
So that the user knows that the rule cannot match
4 years ago
Philippe Antoine bf30eb344a detect: checking validity of rules with http protocol
We want to check that a rule beginning with alert http
can be valid, that is if either HTTP1 or HTTP2 is enabled.
So, AppLayerProtoDetectGetProtoName will do a more complex
check for this ALPROTO_HTTP (any).
4 years ago
Jeff Lucovsky b53fced452 general: Fix typo 4 years ago
Jeff Lucovsky be2155b4ed config/ref: Raise errors for ref.config parsing
This commit raises an error in configuration test mode if there was an
error parsing reference.config.

Issue: 4659
4 years ago
Modupe Falodun 8d615842f9 detect/bypass: remove unittest
This test is reimplemented in Suricata-Verify

Task: 4911
4 years ago
Victor Julien 7b152d0021 github-ci: update codecov
Update to v2 API.
Pin the version as suggested by Scorecard.
No longer fail on error. This was not found to be very actionable.
4 years ago
Jason Ish ee933794aa github-ci: set workflow permissions to read-all 4 years ago
Victor Julien 738e756eaf eve/pgsql: log txs in flow direction 4 years ago
Angelo Mirabella 41a139b590 stream-tcp-reassemble: fix reassembly direction for FIN packets
Suricata invokes the stream reassembly logic only for the current packet
direction if the packet contains a FIN flag. However, this does not
handle the case in which the packet ACKs data from the opposing direction.
This patch forces the invocation of the stream reassembly logic
on both direction when Suricata sees a FIN packet.
4 years ago
Jason Ish 9e096dda4e windows: exit early if live capture requested without npcap 4 years ago
Jason Ish 5037c86b49 github-ci: add windows build for libpcap 4 years ago
Jason Ish 31ba4fd152 configure: fallback to libpcap on Windows
If npcap/wpcap is not found on Windows, try libpcap. This allows
Suricata to build without NPCap on Windows, however live capture won't
be available.
4 years ago
Modupe Falodun 154e4eb395 http-response-line: remove unittest
This test is reimplemented in Suricata-Verify

Task: 4911
4 years ago
Modupe Falodun 926c02a141 detect/modbus: remove unittests
These tests are reimplemented in Suricata-Verify

Task: 4911
4 years ago
Modupe Falodun 0984528ddb detect-http-request-line: remove unittests
These tests are reimplemented as Suricata-Verify

Task: 4911
4 years ago
Modupe Falodun dff7e7d34e detect/hostbits: remove unittests
These tests are reimplemented as Suricata-Verify tests

Task: 4911
4 years ago
Modupe Falodun 47f70bf1f4 detect/proto: remove unittests
This test is reimplemented in Suricata-Verify

Task: 4911
4 years ago
Philippe Antoine 749b9c7635 fuzz: cleans all flow after one run
Completes commit e2370d6861
for all the fuzz targets processing pcaps
using a generic function.

FlowShutdown is not used because it uses the loop to destroy
mutexes, which we want to reuse for fuzzing
4 years ago
Victor Julien 40c315aa35 detect/frames: fix coverity warning
Harmless warning, but it was correct in that the code made no sense:
1497420 Dereference before null check
4 years ago
Victor Julien e902aaf838 detect/frames: fix crash when parsing bad rule
Indexing of Signature::init_data::smlists would fail for a rule that
used a frame w/o content, as the array would only be expanded when
adding a content. Adding a check to see if there list id is in bounds
is an implicit check for the "no content" case.

Bug #5011.
4 years ago
Victor Julien c6be6d2c6f detect/frames: fix error messages 4 years ago
Eloy Pérez González bff0774767 smb/dce_iface: avoid deleting current ifaces from state
The smb dce_iface keyword must match for all those dcerpc requests
and responses sent in the context of the given interface. They are
not matching as the current bind interfaces are deleted by any
non bind message.

Ticket: 4767
4 years ago
Eloy Pérez González 1ae22fd5de smb/dce_iface: use DCERPC_TYPE_REQUEST
The smb dce_iface keyword must match for all those dcerpc requests and
responses sent in the context of the given interface. They are not
matching because in rs_smb_tx_get_dce_iface, x.req_cmd is erroneously
compared with 1. Fix this by comparing with DCERPC_TYPE_REQUEST instead.

Ticket: 4767
4 years ago
Eloy Pérez González 333db3b385 smb/dce_opnum: move range if to outer context
The smb dce_opnum matches all the opnums that are higher that the
indicated opnum. This is due the range comparison if was put in the
exact comparison context, and in case the opnum doesn't match exactly,
then the range comparison is triggered (the upper limit is always true).

Move the erroneus if to the outer context, as else option of the block
checks if comparison should be exact or range.

Ticket: 4767
4 years ago
Eloy Pérez González 8dca3d0416 smb/dce_opnum: use DCERPC_TYPE_REQUEST
The smb dce_opnum keyword doesn't match the dcerpc requests/responses.
This occurs because in the rs_smb_tx_match_dce_opnum function, the
x.req_cmd is matched against the erroneous code 1. Fix this by using
DCERPC_TYPE_REQUEST for the comparison instead.

Ticket: 4767
4 years ago
Eloy Pérez González 15f493f516 dcerpc: remove prev_tx_call_id and clear_bind_cache from DCERPCState
remove those fields since are not used because of the removal of
handle_bind_cache.
4 years ago
Eloy Pérez González 1aca2676a6 dcerpc: avoid delete the rpc state interface context
The bug:
The dcerpc dce_iface keyword just match the packet following the bind. Only the
next request after the rpc is sent will match. However the expected behaviour it
that all the rpc requests/responses sent under the context of the given
interface would match.

In the Open Group c706 the following is indicated:

In 2.2.1 Binding-related Operations, indicates that one category of binding
operations are those that "operations that establish internal call routing
information for the server." (The other are to establish the protocol which is
not relevant here). And the following statement can be found:

Operations in the second category establish a set of mappings that the server
can use to route calls internally to the appropriate manager routine. This
routing is based on the interface and version, operation and any object
requested by the call.

It indicates that server routes (to call methods) are based on the operation,
interface and object.

- Operation: To indicate the method to call, and operation number is
             specified as indicated in the second step of 2.3.3.2 (Client
             Binding Steps).
- Interface: An interface is a set of remotely callable operations offered by a
             server and invokable by clients. (2.1.1.1)
- Object: Is the manager that implements the interface, as stated in section
          Interface and Manager Selection of 2.3.3.3. It is not mandatory, can
          be nil.

To call a method, a client must send a request message as defined in 2.6.4.9,
that contains these identifiers:

- opnum: The opnum field identifies the operation being invoked within the
         interface.
- p_cont_id (Context ID in Wireshark): The p_cont_id field holds a presentation
                                       context identifier that identifies the
                                       data representation and interface, as
                                       defined in 12.6.3.4 (Context Identifiers).
- object: The object field is contained if the PFC_OBJECT_UUID is set. (Could be
          interesting to create a keyword dce_object for matching this UUID)

Therefore, to get the correct method to invoke, the server must map the context
to the correct interface. This is negotiated by the bind request

Interfaces are first negotiated using the bind message (12.6.4.3), contained in
the p_context_elem array. Then they are accepted or rejected using the bind_ack
message (12.6.4.4).

Once these contexts are established, both client and server can use the context
id, which is the index of the p_context_elem array, to refer the interface they
are using.

Moreover, in the middle of the connection, the context can be changed with the
alter_context message.

This is way suricata shouldn't delete the bindack attribute, that contains
the contexts, used by match_backuuid. This is the only way to know the interface
a request message is referring to.

ticket: 4769
https://redmine.openinfosecfoundation.org/issues/4769
4 years ago