Commit Graph

11122 Commits (7bfb63210e3a128c999343a4805b1d972ae64b73)

Author SHA1 Message Date
Victor Julien db0f9ddc69 files/tx: inspection, logging and loop optimizations
Introduce AppLayerTxData::file_tx as direction(s) indicator for transactions.
When set to 0, it's not a file tx and it will not be considered for file
inspection, logging and housekeeping tasks.

Various tx loop optimizations in housekeeping and output.

Update the "file capable" app-layers to set the fields based on their
directional file support as well as on the traffic.
3 years ago
Victor Julien 3263202094 detect/tx: add AppLayerTxData to PrefilterTx
In preparation of some file inspection optimizations, for which we need the
tx data.

Update all users.
3 years ago
Victor Julien 602c39ed01 files: remove unused code 3 years ago
Victor Julien b1c22169f8 files: don't set NOSTORE in 'store all' case 3 years ago
Victor Julien d39a79b6f2 smtp: remove bad tests 3 years ago
Victor Julien 79499e4769 app-layer: move files into transactions
Update APIs to store files in transactions instead of the per flow state.

Goal is to avoid the overhead of matching up files and transactions in
cases where there are many of both.

Update all protocol implementations to support this.

Update file logging logic to account for having files in transactions. Instead
of it acting separately on file containers, it is now tied into the
transaction logging.

Update the filestore keyword to consider a match if filestore output not
enabled.
3 years ago
Victor Julien 01e64d80da app-layer: trunc parser per direction 3 years ago
Victor Julien ff9d1807f9 app-layer: parser flags to u16 3 years ago
Victor Julien a1d728bb65 app-layer: specify direction in tx cleanup
In preparation of per tx files storage.
3 years ago
Victor Julien c27df6304d app-layer: introduce common AppLayerStateData API
Add per state structure for storing flags and other variables.
3 years ago
Victor Julien 96b642c32d file: minor debug updates 3 years ago
Victor Julien 2218a3716e file: clean up file flags handling 3 years ago
Victor Julien 408b64558f files: debug log flags 3 years ago
Victor Julien bdbaaa3b24 lua: store id with tx ptr 3 years ago
Sascha Steinbiss 8438ee48aa decode-ipv4: adjust validation to RFC
RFC1108 only specifies a minimum field length of 3, not
a fixed length of 11.
3 years ago
Sascha Steinbiss fb790121bb decode-ipv4: implement extended security option
IP option 0x85 (extended security) is mentioned in the
documentation for the ipopts keyword but was not implemented.
3 years ago
Philippe Antoine ae6abd8ca3 ssl: fix compiler warning
implicit conversion loses integer precision: 'int' to 'uint16_t'
because the C shift operator << automatically promotes to signed integers
3 years ago
Victor Julien b06c0579f5 stream: fix reachable assertion
Fix `Flow::thread_id` not always getting properly set up, leading to
a reachable assertion.

Bug #4582.
3 years ago
Juliana Fajardini 9d9bc04886 stream/tcp: typo fix 3 years ago
jason taylor 489af24132 detect: update ttl debug log messages
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
Jeff Lucovsky ccd1063e43 detect/bytemath: convert parser to Rust
Issue: 5077

This commit
- Converts the PCRE based parser to Rust.
- Adds unit tests to the new Rust modules
- Removes the PCRE parser from detect-bytemath.c
- Adjusts the C source modules to refer to the Rust definitions
- Includes the multiply operator (missing from the C parser)
3 years ago
Philippe Antoine c6d8daecd3 log: fix coverity warning
CID 1515529

Checks ftell return value for negative/error
3 years ago
Victor Julien 1701a6b14c tls: handle incomplete header sooner
Make sure to exit the parser early on incomplete header data.

Additionally, make sure to not create duplicated tls frames in this
case.

Add a debug validation check for the header parser parsing too much
data, which should never happen.
3 years ago
Victor Julien 9053c49178 ssl: add debug validation check for incomplete api 3 years ago
Victor Julien 0ec136621d debug: add bool string print helper macro 3 years ago
Victor Julien 69be41b241 tls: improve record checks
Improve unknown record handling. Inspired by Wireshark 'unknown record'
handling, we take a best effort approach for records with unknown content
types in TLS versions 1.0, 1.1 and 1.2.

Improve record length check and set 'invalid_record_length' event instead
of 'invalid_tls_header'.
3 years ago
Victor Julien c028800ae1 tls: improve versions extension logic
Skip over unusable versions like GREASE.
3 years ago
Victor Julien 599791fa33 tls: make version and size checks stricter
This way bad records won't buffer lots of stream data.
3 years ago
Victor Julien c73d812026 tls: store cert data in heap buffer
Cert chain is a list of pointers into this buffer, so can't use a
stream slice approach.
3 years ago
Victor Julien 4a283d480d eve/tls: implement client cert logging
Enable client logging in extended mode.

Add "client", "client_certificate" and "client_chain", where the latter two
depend on "client".
3 years ago
Victor Julien e817a8f968 tls: parse client certificates
Parse client certificates and store them in the state similar to how
this is done for server certificates.

Update "progress" handling to not consider the TLS handshake complete
if the server indicated a client cert was needed.
3 years ago
Victor Julien 10f5e6cb66 tls: prepare for client cert parsing 3 years ago
Victor Julien 6d4cc39c02 eve/tls: prepare for client cert logging
Code cleanups that work on per direction "connp" instead of hard coding
to the server side.
3 years ago
Victor Julien 14b2e04b58 tls: make cert handling more generic
In preparation for client cert handling.
3 years ago
Victor Julien cf4c201acb tls: avoid tls.invalid_handshake_message FP
Don't set TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE event on encrypted
handshake messages.
3 years ago
Victor Julien e9d63f3355 tls: don't set 2 events for a single exception
Keep the more specific ones.
3 years ago
Victor Julien 214e466b29 tls: remove incomplete tests
These tests are incompatible with the incomplete API usage and should
have been pcap based tests in the first place.
3 years ago
Victor Julien 82e03bd8fc tls: set event if record size exceeds limit 3 years ago
Victor Julien e857c864ca tls: support server hello done message 3 years ago
Victor Julien 4bab6e24e5 tls: support handshake fragmentation
Implement TLS record defrag for handshake messages.

Ticket: #5183.
3 years ago
Victor Julien bcaf0f6f7d tls: remove certificate buffering code
TCP Buffering is now done in the app-layer using the incomplete API, on
the SSL/TLS record level. TLS level fragmentation will be implemented
separately.
3 years ago
Victor Julien 0839317ea7 tls: parse handshake protocol records in single pass 3 years ago
Victor Julien 9f0ea5e70c sslv2: use version from client hello
Remove streaming code that is now unused.

Incomplete handling makes this record parsing work on full data.
3 years ago
Victor Julien c8d79fb81f ssl: implement 'incomplete' handling for SSLv2 3 years ago
Victor Julien 6076a51511 tls: streaming mode for application records
To avoid overhead of stream buffering for records we don't do
much with anyway, pass through application records instead of
buffering the entire record in the stream engine.
3 years ago
Victor Julien 129fcb5c72 tls: use incomplete API to get full TLS records
The TLS record header is parsed in streaming mode still, but once the
record size is known we tell the app-layer API to give us the full
record.

Ticket: #5481
3 years ago
Gleb Smirnoff 7110ea75c4 ipfw: remove setting of SO_BROADCAST on the divert(4) socket
My review of the FreeBSD kernel code reveals that this setting
a) is ignored by the kernel b) is not required.  The sending
side of divert(4) never checks so->so_options, but always gives
IP_ALLOWBROADCAST to ip_output().
3 years ago
Andrei Shchapaniak ee5573c4ee dpdk/i40e: fix warning with number of queues for RSS configuration 3 years ago
Philippe Antoine 390cf9248f detect: adds flow.age keyword
Ticket: #5536
3 years ago
Philippe Antoine ce2775d331 flow/icmpv4: fix vlan.use-for-tracking
For ICMPv4 error messages the vlan ids were always considered,
even if the 'vlan.use-for-tracking' option was disabled.

Ticket: #5330
3 years ago
Sascha Steinbiss 148b53125b ebpf: update deprecated API calls
This fixes build errors when libbpf 1.0 is used. It removes previously
deprecated API functions that were still in use in Suricata's eBPF
code.
3 years ago
Jeff Lucovsky 63745a7879 detect/tls: Improve tls.fingerprint rule handling
Issue: 4581

This commit improves the runtime performance of rules with
tls.fingerprint by using the inspection logic from tls.cert_fingerprint.
3 years ago
Jeff Lucovsky 6bccd5aa30 detect/uri: Remove unnecessary include
This commit removes an unnecessary #include for detect-uricontent.h
3 years ago
Victor Julien d941703cd8 detect/build: minor code cleanup 3 years ago
Victor Julien 040404b093 detect/profiling: track bytes scanned by prefilter engines 3 years ago
Victor Julien 682e2a07fe detect/tls: add tls.cert_chain_len keyword 3 years ago
Victor Julien 224ba82569 eve/tls: warn on unsupported 'custom' options 3 years ago
Victor Julien dbf3d1e977 tls: make SSLSetEvent a macro to help debugging 3 years ago
Victor Julien 0e39c92fcf flow-manager: reduce locks at startup
Effectively busy looping on a mutex to wait for time to be ready.
3 years ago
Victor Julien 19e94e93fa common: move u8_tolower to common header 3 years ago
Victor Julien 18e63d4ede htp: remove user setup from request line callback
This used to be the first callback that was called, but it's not anymore.

Codecov confirmed that this is no longer used and therefore not useful.
3 years ago
Victor Julien faca974f32 ipfw: remove unused func prototype 3 years ago
Victor Julien b9ad1d1260 app-layer: fix compiler warning 3 years ago
Victor Julien e250ef6402 debug: remove empty header 3 years ago
Victor Julien c3c5829f96 reputation: add ipv6 cidr test 3 years ago
Victor Julien e9c4b3719e reputation: fix multiline test 3 years ago
Eric Leblond a9a17c8185 landlock: handle filestore case
If landlock ABI is inferior to 2 (before Linux 5.19) then the
renaming of files is impossible if the protection is enabled. This
patch disables landlock if ABI < 2 and file-store is enabled.

As file store is initialized in output, the call to landlock had to be
done after the output initialization.
3 years ago
Eric Leblond 485d5a4ea4 landlock: basic implementation
This patch is adding support for Landlock, a Linux
Security Module available since Linux 5.13.

The concept is to prevent any file operation on directories that
Suricata is not supposed to access.

Landlock support is built by default if the header is present. The
feature is disabled by default and needs to be activated in the YAML
to be active.

Landlock documentation: https://docs.kernel.org/userspace-api/landlock.html

Feature: #5479
3 years ago
Juliana Fajardini bbd968c738 exceptions: add reject support to exception policy
This enables the usage of 'reject' as an exception policy. As for both
IPS and IDS modes the intended result of sending a reject packet is to
reject the related flow, this will effectively mean setting the reject
action to the packet that triggered the exception condition, and then
dropping the associated flow.

Task #5503
3 years ago
Victor Julien f5bd55dac8 decode/tcp: allow 4 byte TFO with 2 byte cookie 3 years ago
Philippe Antoine 5ef259722b dhcp: adds renewal-time keyword
Ticket: #5507
3 years ago
Philippe Antoine dc59389087 dhcp: fix license in detect-dhcp-leasetime.c
from search and replace overkill
3 years ago
Philippe Antoine 6faf6299e0 dhcp: adds rebinding-time keyword
Ticket: #5506
3 years ago
Josh Soref c23560ec41 detect: function header return value clarification
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
3 years ago
Gleb Smirnoff 5dbbc52b06 ipfw: use PF_DIVERT on modern FreeBSD 3 years ago
Victor Julien bb2e11108b packetpool: fix uaf in debug validation check
Location of the check meant access to freed packet was possible.

Move check and simplify it to just look at the packet at hand.
3 years ago
Philippe Antoine b0ce55c9df flow: finish to remove obsolete counters
As was begun in b3599507f4

Ticket: #5317
3 years ago
Juliana Fajardini aa5bb2c329 stream: add exception policy for midstream flows
This allows setting a midstream-policy that can:
- fail closed (stream.midstream-policy=drop-flow)
- fail open (stream.midstream-policy=pass-flow)
- bypass stream (stream.midstream-policy=bypass)
- do nothing (default behavior)

Usage and behavior:

If stream.midstream-policy is set then if Suricata identifies a midstream flow
it will apply the corresponding action associated with the policy.

No setting means Suricata will not apply such policies, either inspecting the
flow (if stream.midstream=true) or ignoring it (if stream.midstream=false).

Task #5468
3 years ago
Juliana Fajardini 242b8f7d65 exceptions: add callbacks for drop-flow policy
Make sure that when the policy is to drop the flow, we set no inspection
for payload and packet and disable applayer inspection as well.

Task #5468
3 years ago
Victor Julien 1bff888947 detect: fix duplicate detect state issue
For protocols with multi buffer inspection there could be multiple times
the same sid would be queued into the candidates queue. This triggered
a debug validation check.

W/o debug validation this would lead to duplicate work and possibly multiple
alerts where a single one would be appropriate.

Bug: 5419.
3 years ago
Victor Julien d31beba8d4 detect/frames: fix too strict debug check
Frame::len is -1 if it is still unknown. Handle that in the debug
check.
3 years ago
Victor Julien f04b7a1827 stream/ids: make sure we don't slide past last_ack
Bug: #5401.
3 years ago
Victor Julien 55b2077fcd stream: minor code cleanup 3 years ago
Shivani Bhardwaj 78045d3bbf tls/sni: remove unused fn declaration 3 years ago
Shivani Bhardwaj 42c3f418c6 tls: add tls.random* keywords
Add tls.random keyword that matches on the 32 bytes of the TLS
random field for client as well as server.
Add tls.random_time keyword that matches on the first 4 bytes of the TLS
random field for client as well as server.
Add tls.random_bytes keyword that matches on the last 28 bytes of the TLS
random field for client as well as server.

All these are sticky buffers.

Feature 5190
3 years ago
Philippe Antoine e587f6792a detect: support file.data for HTTP1 to server
That is, files sent with POST or PUT

Ticket: #4144
3 years ago
Victor Julien 50f8779128 flow-manager: reduce burstiness in adaptive timing
Previous adaptive model would have a large time range when scanning the
hash when not so busy. In the default case it would take up to 4 minutes
for a full hash scan. In case of a sudden increase in busyness, where the
hash would fill up rapidly during a few seconds, the flow manager would
be forced to suddenly consider a much larger slice of the hash leading
to a burst of work. This burst would increase pressure on the rest of the
system leading to packet loss as the worker threads would be overloaded
with flow housekeeping tasks.

This patch reduces the max scan time to 10 seconds, and ramps up quickly
to increase the slice of the hash scanned.
3 years ago
Juliana Fajardini 58ef3cde7a exceptions: error out when invalid policy is used
Before, if an invalid value was passed as exception policy, Suricata
would log a warning and set the exception policy to "ignore". This is a
very different result than, say, dropping or bypassing a midstream flow.

Task #5504
3 years ago
Philippe Antoine 61b73416e2 detect: transforms check for 0-sized buffer
So as to avoid undefined behavior with a 0-sized variable length
array

Ticket: #5521
3 years ago
Philippe Antoine d1ebf320f7 fuzz: disable enip detection based on source port
So as to avoid fuzzing detecting protocol polyglots with enip
3 years ago
Philippe Antoine 617c9fb7e5 fuzz: remove check about max transactions
Suricata can indeed pipeline many HTTP1 transactions
3 years ago
Victor Julien b01c311c1d profiling: fix implicit-int-float-conversion warnings 3 years ago
Victor Julien aa09d5f556 packetpool: ifdef debug check 3 years ago
Juliana Fajardini e7727c3744 decode: remove unused macros, replace w/ functions
With the recent changes, these macros weren't being used anymore.

Related to
Bug #5458
3 years ago
Juliana Fajardini d07a6c6174 stream/tcp: remove repeated header declaration
StreamTcpRegisterTests was being declared twice.
3 years ago
Juliana Fajardini f897761ecb detect/alert: add unittests to check packet action
Add unittests to check that packet flags are correctly updated after
detection finds drop or reject rules that match.

Related to
Bug #5458
3 years ago
Juliana Fajardini abd595d695 decode: validate if dropped packet has drop reason
Related to
Bug #5458
3 years ago
Juliana Fajardini 1f54e8611a detect/alert: ensure reject action is applied
Bug 5458 states that the reject action is no longer working. While SV
tests that use the reject action still pass, it indeed seems that a
regression has happened with commit aa93984, because while the
function that applies rule actions to the flow (RuleActionToFlow) does
check for the reject action, the newly added function
PacketApplySignatureActions only checks for ACTION_DROP or ACTION_PASS
when deciding to call RuleActionToFlow.

Bug #5458
3 years ago
Juliana Fajardini 1774ff18a6 decode: make PacketDrop use action as parameter
A Packet may be dropped due to several different reasons. This change
adds action as a parameter, so we can update the packet action when we
drop it, instead of setting it to drop.

Related to
Bug #5458
3 years ago
Eric Leblond 01bf0ad43d luajit: fix unittests build
When building with the following options:

 ./configure CC=clang --enable-luajit --enable-geoip --enable-unittests

There is a build failure:

runmode-unittests.c:234:9: error: implicit declaration of function 'LuajitSetupStatesPool' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    if (LuajitSetupStatesPool() != 0) {
3 years ago
Philippe Antoine 11f849c3ee protocol-change: sets event in case of failure
Protocol change can fail if one protocol change is already
occurring.

Ticket: #5509
3 years ago
Philippe Antoine 461725a9bf dhcp: adds leasetime keyword
As it is logged

Ticket: #5435
3 years ago
Jason Ish f1f43cba5e app-layer: don't wrap around on port 65535
A port value of 65535 caused the port value to wrap-around to 0
resulting in an infinite loop.

Fixes: 53fc70a9a7 ("protodetect: fix int warnings")
3 years ago
Juliana Fajardini c81b78fd1c detect/parse: test sig parsing for more actions
Our unittests were only covering sig parsing for alert actions. As in
environments without LibNet the reject action will not work, we must
ensure that our parser properly fails in such cases, instead of silently
accepting an unsupported action.

Added tests for the reject and drop action.

Task #5496
3 years ago
Eric Leblond 954e3e1f3f smtp/mime: fix url extraction when no config is set 3 years ago
Eric Leblond ad6c2f1411 eve/email: log existing url type
MIME parsing was setting a flag on URLs to indicate their
estimated type. This patch attaches the information to
the email object so the user can extract interesting
emails directly:

```
  "email": {
    "status": "PARSE_DONE",
    "from": "Eric Leblond <regit@regit.org>",
    "to": [
      "eric@regit.org"
    ],
    "has_ipv6_url": false,
    "has_ipv4_url": false,
    "has_exe_url": true,
    "url": [
      "http://www.toto.com",
      "http://perdu.com.",
      "https://hacke.me/pown.exe"
    ]
  }
```
3 years ago
Eric Leblond 767d2cc9ba util/mime: add some extensions to exe list 3 years ago
Benjamin Wilkins 57ef80f5ec lua: Expose byte extract to lua match scripts
Allow lua match scripts to access variables defined in rule by
byte_extract or byte_math

Issue: 2871
3 years ago
Eric Leblond debdff0375 detect/tls: fix descriptions
Most keywords were presented as content modifiers when they
were in fact sticky buffers.
3 years ago
Victor Julien 5fbec8ca67 netmap: fix includes 3 years ago
Philippe Antoine 489ac003b2 detect/krb: no more wrapper around DetectEngineInspectGenericList 3 years ago
Philippe Antoine 5c7b5c5fb5 krb: detection for ticket encryption
As is done for logging.

Ticket: #5442
3 years ago
Victor Julien 5fec07b87d flow: minor compiler warnings
flow-util.c: In function 'FlowEndCountersRegister':
flow-util.c:294:34: warning: 'name' may be used uninitialized in this function [-Wmaybe-uninitialized]
  294 |         fec->flow_tcp_state[i] = StatsRegisterCounter(name, t);
      |                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3 years ago
Jeff Lucovsky e133ab029e stream/event: Trigger stream reassembly event
Issue: 3512

This commit triggers the stream reassembly depth reached event.
3 years ago
Jeff Lucovsky 1d8cc7791d general: Typo fixup 3 years ago
Jeff Lucovsky 6a039ab316 stream/event: New reassembly depth event
Issue: 3512

This commit adds a stream event triggered when the stream assembly depth
is reached.
3 years ago
Philippe Antoine e1e03c25c9 ci: update to macos latest 3 years ago
Philippe Antoine 018fef5ef8 quic: ja3 computation and logging and detection
Logging as is done in TLS.

Detection using the generic generic ja3.string keyword

Ticket: #5143
3 years ago
Juliana Fajardini 5f4bcfe313 detect/engine: fix typos in assorted files 3 years ago
Juliana Fajardini 58928b249d commandline: add alert-queue expand failure option
For testing purposes. Meant to simulate a reallocation failure when
dynamically growing the alert queue in DetectEngineThreadCtx, so we can
check that Suri's behavior doesn't break under such circumstances.

Task #5319
3 years ago
Victor Julien ebc2714e07 nflog: fix missing util-time include; cleanups 3 years ago
Victor Julien 09c0128138 nflog: update copyright years 3 years ago
Jeff Lucovsky e566563875 classification/config: Propagate validation errors
Issue: #4554

This commit modifies the workflow to propagate classification parsing
errors when in test mode.

When not in test mode, errors continue to be displayed but they do not
halt Suricata execution.
3 years ago
Jeff Lucovsky 2621c90ea1 classification/config: Raise error on validation errors
This commit adds logic which raises an error if parse errors occur while
loading classification.config

Issue: 4554
3 years ago
Philippe Antoine 83a8cd80b2 detect: remove wrappers around DetectEngineInspectGenericList 3 years ago
Scott Jordan 7eaf1688b5 stream: fix StreamTcpSegmentForSession missing segments
Bugfix, segment traversal was being initialized at root node, but
should have been started at the min node. Bug resulted in captures
missing segments left of root node.
3 years ago
Victor Julien ad3e68f378 detect/file: minor cleanups 3 years ago
Victor Julien af145ad125 detect/file: reduce scope of keyword data structures 3 years ago
Victor Julien 73eb7744d8 detect/file: update copyright years 3 years ago
Victor Julien 6f8ca41eb3 detect/cip: cleanup includes 3 years ago
Philippe Antoine 16fc78645d dnp3: do not log empty objects array
Ticket: #5167
3 years ago
Philippe Antoine da0be16d36 output: do not log empty arrays for sid
Ticket: #5167
3 years ago
Philippe Antoine adeb1fdfc3 threads: cleaner code with one instruction per line
As reported by Shchelk
3 years ago
Victor Julien 9fa0033966 detect: reduce datatype scope for various keywords 3 years ago
Victor Julien ad76502df0 detect/cip: remove dead code 3 years ago
Victor Julien 08e349a8bb detect: update copyright years 3 years ago
Victor Julien 0ec9379db9 includes: minor cleanups 3 years ago
Victor Julien 21f76773c7 profiling: minor code cleanups 3 years ago
Philippe Antoine 36b1344680 util: fix integer warnings in profiling 3 years ago
Philippe Antoine 4411ef785d src: remove unused header files 3 years ago
Philippe Antoine 02f2602dde src: rework includes as per cppclean 3 years ago
Jufajardini Reichow 93c2c9743d detect/engine: init alert queue counters on reload
alert_queue_overflow and alerts_suppressed were not being
reinitialized when there was a reload of Suricata rules, leading to
non-valid stats counters if that happened.

Bug #5457
3 years ago
Philippe Antoine f8bf581775 output: skip files logging for ICMP packets
Ticket: #5408
3 years ago
Philippe Antoine 5781631f85 output: use flow's proto for file loggers
As there can be an ICMP packet which gets related to a TCP flow.

Ticket: #5408
3 years ago
Philippe Antoine 7f9d25fa86 fuzz: use forced file store
to find bugs such as 5408
3 years ago
Philippe Antoine a2f857ed90 threshold: fix regex to accept by_both and by_rule
As is done in detect-threshold.c or in DETECT_RATE_REGEX
and is expected by switch (rule_type) which makes the same
for THRESHOLD_TYPE_THRESHOLD and THRESHOLD_TYPE_RATE

Ticket: #5327
3 years ago
Philippe Antoine 1621f5e453 detect/nfs: use inclusive ranges 3 years ago
Philippe Antoine 8dbb07e4fe detect: use generic integer functions for itype
Ticket: #4112
3 years ago
Philippe Antoine 2817f1a6ed detect: use generic integer functions for snmp.version
Ticket: #4112
3 years ago
Philippe Antoine c72571ea28 detect: use generic integer functions for rfb.sectype
Ticket: #4112
3 years ago
Philippe Antoine 6c9091c86f detect: use generic integer functions for nfs.version
Ticket: #4112
3 years ago
Philippe Antoine ddac6165c9 detect: use generic integer functions for nfs.procedure
Ticket: #4112
3 years ago
Philippe Antoine ed6955ee98 detect: use generic integer functions for iprep
Ticket: #4112
3 years ago
Philippe Antoine bdc359bed3 detect: use generic integer functions for bsize
Ticket: #4112
3 years ago
Philippe Antoine cfb60d0fce detect: use generic integer functions for urilen
Ticket: #4112
3 years ago
Philippe Antoine e87c53bb55 defrag: use util function for timeout
To fix timestamp overflow as found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44608

fixu
3 years ago
jason taylor d600a1603c detect: update text for nocase used with http.host
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
Philippe Antoine c7214be99b snmp: adds usm keyword
as is logged

Ticket: #5416
3 years ago
Philippe Antoine 5a31b3508d ftp: optimized tx iterator
To be more efficient with larger number of transactions.

Ticket: #5314
3 years ago
Victor Julien 6d3140bc01 mime: remove unused length fields 3 years ago
Victor Julien 816bbeb7dc fuzz/mime: fix call conditions and args
The SMTP parser should not supply lines w/o EOL chars to the mime
parser unless it's in the BODY parsing stage. Mimic this in the fuzz
target by testing the state for inputs that have no EOL.

Additionally, make sure the delim cnt reflects the missing EOL.
3 years ago
Victor Julien d81582c4a2 mime: fix corner case
Fix a corner case where a base64 sequence including a space was followed
by a newline in the input data.
3 years ago
Victor Julien 5805ed47f5 mime: add base64 related debug messages 3 years ago
Victor Julien 41c2c1ed5a mime: improved empty line handling
Make sure a new body is not set up on empty lines unless it is
a body that is not encoded as base64/quoted printable.
3 years ago
Victor Julien 074cfb5c68 mime: fix and cleanup tests
Line count check was failing after recent delim handling updates.
3 years ago
Victor Julien 6e2c066ce1 smtp: fix passing a wrong delim len around 3 years ago
Victor Julien b82b8825e7 mime: properly pass full lines to non-decoded body
Use actual delim count and make sure we also pass on empty lines
(so delim(s) only).
3 years ago
Victor Julien 0d6ab727c5 mime/base64: fix final data not getting processed
If the last data of the body was not a multiple of 4 and not padded
to be a multiple of 4, it would not be processed.
3 years ago
Victor Julien 100d821a9f stream: fix GAP check
Gap check would consider a GAP when the current data was in fact
exactly not a gap, but next segment(s) were already available.
3 years ago
Victor Julien 29ec1b1e7b mime: minor code cleanup 3 years ago
Victor Julien 0871029d17 mime: remove unused 'linerem' logic 3 years ago
Victor Julien 5953a7d2eb smtp/mime: fix parsing edge case
Correctly track "remaining" bytes after partial base64 decoding.

Add comment clarifications and debug validation checks.
3 years ago
Victor Julien a38f2f2a52 smtp: skip preprocessing for mime headers
Mime parser doesn't expect partial lines, which preprocessing can
provide. Add a check to let mime headers be handled by regular line
parsing.
3 years ago
Juliana Fajardini 2544be4672 source/pcap: fix infinite loop if interface goes down
When in live-pcap mode, if the sniffed interface went down and up again,
Suri would enter an infinite loop and keep running, while not registering new
events. This fixes that behavior by allowing Suri to retry to open the
pcap in case of a retry on an already activated capture
('PCAP_ERROR_ACTIVATED').

This change is based on Zhiyuan Liao's work.

Bug #3846
3 years ago
Philippe Antoine 585e5e0d3c detect: impose limits on pcrexform
As is done for pcre keyword

Ticket: #5409
3 years ago
Victor Julien a89840929b detect: set drop reason for rule based drops
Call `PacketDrop` with drop reason for drops, keep old logic
in place for the rest.
3 years ago
Victor Julien ad14e71efe stream: suppress exception policy debug message 3 years ago
Victor Julien 046287c2b5 detect/filestore: clean up stream flag handling 3 years ago
Victor Julien 71ef62bfc5 file: consistently track size of gaps
Until now only the size of gaps counted in the regular append, not
close and open.

Bug: #5392.
3 years ago
Victor Julien 1594e41b06 stream: remove unused TCP_LISTEN
Keep the values the same so we might be able to bring it back
w/o issues.
3 years ago
Victor Julien e05b6f44e3 counter: tcp liberal counter 3 years ago
Victor Julien 0ebe372607 stream: after missing segments, be liberal on RST
This avoids long lasting inactive flows because in the most likely
case the RST did in fact end the connection. However Suricata may
still consider it to be "established".
3 years ago
Victor Julien b0993d6fd8 flow: add various flow counters
Add flow.end state counters

Add active TCP sessions counter

Add flow.active counter

Add flow.total counter

Ticket: #1478.
3 years ago
Victor Julien aa31d2193f counters: add StatsDecr 3 years ago
Victor Julien 88edc8630c flow/manager: add flow.mgr.rows_sec counter 3 years ago
Victor Julien f271fb4575 flow/recycler: bring back pthread_cond_t sleep
Bug #4379.
3 years ago
Victor Julien 633e6cf09e flow/recycler: minor code cleanups 3 years ago
Victor Julien 73138809e2 flow/manager: move counters into util func 3 years ago
Victor Julien 0c048d3e5c flow/manager: minor code cleanups 3 years ago
Victor Julien 7f4e120a97 flow/manager: remove debug and dead code 3 years ago
Victor Julien e6ac2e4e8a flow/manager: sleep handled by pthread_cond_t again
Use only in live mode to allow FM to respond quickly to time
increases in offline mode.

Bug #4379.
3 years ago
Victor Julien 39141a8836 time: add timeradd implementation
timeradd isn't available on MinGW.
3 years ago
Victor Julien e9d2417e0f flow/manager: adaptive hash eviction timing
The flow manager scans the hash table in chunks based on the flow timeout
settings. In the default config this will lead to a full hash pass every
240 seconds. Under pressure, this will lead to a large amount of memory
still in use by flows waiting to be evicted, or evicted flows waiting to
be freed.

This patch implements a new adaptive logic to the timing and amount of
work that is done by the flow manager. It takes the memcap budgets and
calculates the proportion of the memcap budgets in use. It takes the max
in-use percentage, and adapts the flow manager behavior based on that.

The memcaps considered are:
    flow, stream, stream-reassembly and app-layer-http

The percentage in use is inversely applied to the time the flow manager
takes for a full hash pass. In addition, it is also applied to the chunk
size and the sleep time.

Example: tcp.reassembly_memuse is at 90% of the memcap and normal flow
hash pass is 240s. Hash pass time will be:

    240 * (100 - 90) / 100 = 24s

Chunk size and sleep time will automatically be updated for this.

Adds various counters.

Bug: #4650.
Bug: #4808.
3 years ago
Michael Tremer f50af12068 stream: tcp: Handle retransmitted SYN with TSval
For connections that use TCP timestamps for which the first SYN packet
does not reach the server, any replies to retransmitted SYNs will be
dropped.

This is happening in StateSynSentValidateTimestamp, where the timestamp
value in a SYN-ACK packet must match the one from the SYN packet.
However, since the server never received the first SYN packet, it will
respond with an updated timestamp from any of the following SYN packets.

The timestamp value inside suricata is not being updated at any time
which should happen. This patch fixes that problem.

Bug: #4376.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago
Victor Julien 8109b0017e detect/dcerpc: simplify keyword validation
Now that the engine understands the relation between SMB and DCERPC better
we can get rid of some of the special case handling in keywords.
3 years ago
Victor Julien 8d20b40cdd detect/content: fix FNs due to bad depth calc
When trying to propagate the depth/offset, within/distance chains
a logic error would set too restrictive a depth on a pattern that
followed more than one "unchained" patterns.

Bug: #5162.
3 years ago
Victor Julien 50d02ebc05 detect/content: simplify int bounds checking
Use a macro to validate the ranges for overflows. This removes
the clutter of all the checks and warnings, and also no longer
puts the state machine in an undefined state when hitting such
a condition.
3 years ago
Victor Julien a83f02d4cd detect/dcerpc: apply dcerpc to smb as well
So 'alert dcerpc' also matches if the DCERPC is over SMB.

Explicitly refuse smb keywords for the 'dcerpc' app proto setting:
`alert dcerpc ... smb.share; ...` is rejected.

Remove a now useless special case in the stateless rule processing
matching for dcerpc/smb.

Bug: #5208.
3 years ago
Philippe Antoine e692530021 event: only sets APPLAYER_UNEXPECTED_PROTOCOL once
If f->alproto == ALPROTO_UNKNOWN, we do not know the new protocol
yet, so we do not set the event yet.
3 years ago
Philippe Antoine b0298dd046 events: reset logged event
Otherwise, if we log a first app_layer_event, then reset
with AppLayerDecoderEventsResetEvents for a new packet,
then get another event, it does not get logged

Ticket: #5391
3 years ago