Commit Graph

163 Commits (74326a43e7cff0665c6973abad9b4accfcfb952d)

Author SHA1 Message Date
Victor Julien e78e33a428 http: add event for suspicious method delimiter
Add event and rule for suspicious delim(s) between method and uri.

Add unittests as well.
11 years ago
Victor Julien 5ad7198dc0 http: add libhtp uri warning event
Add event for libhtp warning added in 0.5.17 for URIs with suspicious
delimiters.
11 years ago
Victor Julien 0bb2b15491 ipv6: check for MLD messages with HL not 1
MLD messages should have a hop limit of 1 only. All others are invalid.

Written at MLD talk of Enno Rey, Antonios Atlasis & Jayson Salazar during
Deepsec 2014.
11 years ago
DIALLO David 5a0409959f App-layer: Add Modbus protocol parser
Decodes Modbus request and response messages, and extracts the
MODBUS Application Protocol header and the function code.

In case of a read/write function, extracts the message contents
(read/write address, quantity, count, data to write).

Links request and response messages in a transaction according to
Transaction Identifier (transaction management based on DNS source code).

MODBUS Messaging on TCP/IP Implementation Guide V1.0b
(http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf)
MODBUS Application Protocol Specification V1.1b3
(http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf)

Based on DNS source code.

Signed-off-by: David DIALLO <diallo@et.esia.fr>
11 years ago
David Abarbanel c2dc686742 SMTP MIME Email Message decoder 11 years ago
Jason Ish 55c45ac91d Fix MPLS decoder rules. 11 years ago
Jason Ish 65f40cbeaa Don't default to ethernet; ethernet should be preceded by a pseudowire.
If the payload type can't be determined, raise an alert.
11 years ago
Jason Ish 348b0e0e9f Set decoder events for labels that shouldn't be seen on the wire.
Add unit tests to test for mpls decoder events.
11 years ago
Victor Julien 6b0ff0193d stream: detect and filter out bad window updates
Reported in bug 1238 is an issue where stream reassembly can be
disrupted.

A packet that was in-window, but otherwise unexpected, set the
window to a really low value, causing the next *expected* packet
to be considered out of window. This led to missing data in the
stream reassembly.

The packet was unexpected in various ways:
- it would ack unseen traffic
- its sequence number would not match the expected next_seq
- set a really low window, while not being a proper window update

Detection, however, is greatly hampered by the fact that in case of
packet loss, quite similar packets come in. Alerting in this case
is unwanted. Ignoring/skipping packets in this case is unwanted as well.

The logic used in this patch is as follows. If:

- the packet is not a window update AND
- packet seq > next_seq AND
- packet ack > next_seq (packet acks unseen data) AND
- packet shrinks window more than its own data size
THEN set event and skip the packet in the stream engine.

So in case of a segment with no data, any window shrinking is rejected.

Bug #1238.
11 years ago
Victor Julien 7c05685421 ipv6: set event on unsupported nh
If a next header / protocol is encountered that we can't handle (yet)
set an event. Disabled the rule by default.

    decode-event:ipv6.unknown_next_header;
11 years ago
Victor Julien bbcdb657da ipv6: more robust ipv6 exthdr handling
Skip past Shim6, HIP and Mobility header.

Detect data after 'none' header.
    decode-event:ipv6.data_after_none_header;
11 years ago
Victor Julien 938602c55e ipv6: detect frag header reserved field non-zero
Frag Header length field is reserved, and should be set to 0.

    decode-event:ipv6.fh_non_zero_reserved_field;
11 years ago
Victor Julien 8c19e5ff63 ipv6: make exthdr parsing more robust
Improve data length checks. Detect PadN option with 0 length.
11 years ago
Victor Julien abee95ca4f ipv6: set flag on type 0 routing header
Type 0 Routing headers are deprecated per RFC 5095.

This patch sets a decode event flag that can be matched on through:
    decode-event:ipv6.rh_type_0;
11 years ago
Victor Julien db563ed4b0 tls: check SSL3/TLS version per record
Set event if SSL3/TLS record isn't within the acceptable range.
12 years ago
Victor Julien c5f43785f1 tls/heartbleed: add rule for invalid encrypted hb
Add rule to tls-events.rules to match on the invalid encrypted
heartbeat.
12 years ago
Pierre Chifflier d476c654ee TLS: add detection for malicious heartbeats (AKA heartbleed)
The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not
check the payload length correctly, resulting in a copy of at most 64k
of memory from the server (ref: CVE-2014-0160).
This patch adds support for decoding heartbeat messages (if not
encrypted), and checking several parts (type, length and padding).
When an anomaly is detected, a TLS event is raised.
12 years ago
Eric Leblond e00b5ca191 classification: add category to some stream rules
All stream events signatures deserve a category.
12 years ago
Victor Julien 3ec6bcf284 Make sure tls-events is part of the dist
Added it to Makefile.am so it will be part of the dist created by
make distcheck.
12 years ago
Victor Julien df10559d80 dns: fix message of decoder rule 2240008
The message now reflects that the rule matches on:
    app-layer-event:dns.state_memcap_reached;
12 years ago
Victor Julien fdca557e01 ipv4 decoder: set 'invalid' event on icmpv6
ICMPv6 on IPv4 is invalid, so if we encounter this we set an event
and flag the packet as invalid.

Ticket #1105.
12 years ago
Victor Julien 657b83d238 dns: add event for when memcap is reached
Raise event if state-memcap is reached for a flow.
12 years ago
Victor Julien 61cdd9be6b dns: detect case of request flooding
In the case where DNS requests are sent over the same flow w/o a
reply being received, we now set an event in the flow and refuse
to add more transactions to the state. This protects the DNS
handling from getting overloaded and slowing down everything.

A new option to configure this behaviour was added:

app-layer:
  protocols:
    dnsudp:
       enabled: yes
       detection-ports:
         udp:
           toserver: 53
       request-flood: 750

The request-flood parameter can be 0 (disabling this feature) or a
positive integer. It defaults to 500.

This means that if 500 unreplied requests are seen in a row an event
is set. Rule 2240007 was added to dns-events.rules to match on this.
12 years ago
Victor Julien cb15000387 http: add new events for invalid host header and host part of uri 12 years ago
Victor Julien 85f13c4e28 http: update http rules 12 years ago
Anoop Saldanha cd7f0273a2 Add decoder event rule for tls event "invalid_ssl_record", which will now be available as "app-layer-event:tls.invalid_ssl_record". 12 years ago
Victor Julien fb16cf1a5a vlan: add rule for new 'too many layers' event 12 years ago
Victor Julien 6229bfab5e DNS: rename dns.rules to dns-events.rules, include it in yaml 12 years ago
Victor Julien 4f20f72f4d DNS: add event rules file 13 years ago
Victor Julien 4c6463f378 stream: handle extra different SYN/ACK
Until now, when processing the TCP 3 way handshake (3whs), retransmissions
of SYN/ACKs are silently accepted, unless they are different somehow. If
the SEQ or ACK values are different they are considered wrong and events
are set. The stream events rules will match on this.

In some cases, this is wrong. If the client missed the SYN/ACK, the server
may send a different one with a different SEQ. This commit deals with this.

As it is impossible to predict which one the client will accept, each is
added to a list. Then on receiving the final ACK from the 3whs, the list
is checked and the state is updated according to the queued SYN/ACK.
13 years ago
Victor Julien 1eed3f2233 ipv6: add event for ipv6 packet with icmpv4 header 13 years ago
Victor Julien 150b0c5ae0 ipv6: add option to detect HOP/DST headers with only padding. Detect unknown DST/HOP opts. 13 years ago
Victor Julien 9f519e95a2 http: add event for libhtp detection of request port not matching tcp port. 13 years ago
Victor Julien e1321f9ae6 stream: change how retransmissions are handled and detected. 13 years ago
Victor Julien 3f6ecff260 stream: disable retransmission packet before last ack sig as it is fairly common in regular traffic 13 years ago
Victor Julien bc37cb6b8e stream: detect retransmissions on closewait and finwait2 states 13 years ago
Victor Julien 9094eb4783 stream: ignore ack value if ack flag is not set. Add stream.pkt_broken_ack event for when ack value is not 0 and ack flag not set. 13 years ago
Victor Julien 6f76ac176d stream: add option to match on overlapping data
Set event on overlapping data segments that have different data.

Add stream-events option stream-event:reassembly_overlap_different_data and
add an example rule.

Issue 603.
13 years ago
Eric Leblond def0270de7 decode: decode IPv6-in-IPv6
This patch adds decoding of IPv6-in-IPv6. It also adds some events
for invalid packets.

This patch should fix #514.
13 years ago
Eric Leblond 09fa0b9542 Add support for IPv4-in-IPv6
This patch adds support for IPv4-in-IPv6 and should fix #462.
13 years ago
Victor Julien c44f4c13fc stream: improve TCP flags handling 13 years ago
Victor Julien e3764b90c3 tls: debug compilation fixes, new tls decoder rule for tls.error_message_encountered event. 14 years ago
Victor Julien b976ff228a ipv6: fix an AH header parsing issue. Add decoder event for non-null reserved fields. 14 years ago
Victor Julien 887b4e0b6a Disable some stream rules by default, fix sid no typo. 14 years ago
Victor Julien e624c56c83 Add TLS decoder event rule file. 14 years ago
Victor Julien 374947c354 ipv6: properly deal with packets containing a FH header that has offset 0 and no more frags flag set. 14 years ago
Victor Julien aded3c5578 http: 'HTTP Host header ambiguous' after libhtp update. It now fires if hostname is present both in URL and Host header and the 2 are not equal. 14 years ago
Victor Julien e21d8cdf01 file extract: improve multipart parsing and set events on some error conditions. 14 years ago
Victor Julien 93df717aa9 Add files.rules to the dist. 14 years ago
Victor Julien 93d121bf21 Update app layer events for HTTP now that libhtp has fixes for some response errors. 14 years ago
Victor Julien ea34aeff3d Add missing Makefile.am files for rules/ and doc/ dir. 14 years ago
Victor Julien 132d9d1789 Add http-events.rules with an example rule for each HTTP event. 14 years ago
Victor Julien 5a1a443701 Add example smtp decoding events rules file. 14 years ago
Victor Julien fd4e1460cf Add checksum validation rules to decoder events rules. 14 years ago
Victor Julien ddfa5c49c6 Stream engine: gap handling
Set a stream event for stream gaps.
Add a (disabled by default) signature to the stream-event.rules.
14 years ago
Victor Julien b3e1679321 file handling: add example files.rules file
Adding a rule file with various examples for using the fileext, filename,
filemagic and filestore keywords.
14 years ago
Victor Julien d9ad1b00b3 Clean up SID allocation for decoder and stream rules. 14 years ago
Eric Leblond 552c6731b2 Add signature file for stream events.
This patch adds a rules/stream-events.rules file which contains
alerts related to all stream events.
14 years ago
Victor Julien 83c3f15812 Minor fixes in defrag engine, shrink DefragTracker_ structure. 15 years ago
Jason Ish 0385f72669 Use separate frag decoder events for IPv4 and IPv6. 15 years ago
Jason Ish de1c40c44f Set decoder event on fragment overlaps. 15 years ago
Jason Ish 6da9c64a28 Set decoder event when re-assembled fragments would exceed max IP packet size. 15 years ago
Victor Julien 6a048f2d69 Include initial version of decoder-event rules. 15 years ago