Commit Graph

166 Commits (873bc290bc010fa24eed9b2953ebc7a8a6ef2e2e)

Author SHA1 Message Date
Victor Julien 922f4f7d78 ssl: fix bounds checking in version decoding
Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3169.
7 years ago
Victor Julien 229eccdd04 ssl: minor cleanups 7 years ago
Victor Julien 579cc9f02b const: constify decoder, app-layer, detect funcs 7 years ago
Nick Price d0a85b7550 ja3: Mention LibNSS dependency for JA3 7 years ago
Philippe Antoine 477328f79b ssl: register probing for port 443 if no config 7 years ago
Jeff Lucovsky d568e7fadd eve/logging: 2991 Optimize logging by TX
This changeset makes changes to the TX logging path. Since the txn
is passed to the TX logger, the TX can be used directly instead of
through the TX id.
7 years ago
Jeff Lucovsky f7b934f83f app-layer/logging: protocol parser updates 7 years ago
Mats Klepsland a4471987ba app-layer-ssl: generate JA3S fingerprints
Generate JA3S fingerprints based on fields in the ServerHello record.
7 years ago
Philippe Antoine 316a411b6b ssl : SSLProbingParser overflow fix
Found by fuzzing
Fixes ssl detection evasion by packet splitting
7 years ago
Victor Julien 422e4892cc proto-detect: improve midstream support
When Suricata picks up a flow it assumes the first packet is
toserver. In a perfect world without packet loss and where all
sessions neatly start after Suricata itself started, this would be
true. However, in reality we have to account for packet loss and
Suricata starting to get packets for flows already active be for
Suricata is (re)started.

The protocol records on the wire would often be able to tell us more
though. For example in SMB1 and SMB2 records there is a flag that
indicates whether the record is a request or a response. This patch
is enabling the procotol detection engine to utilize this information
to 'reverse' the flow.

There are three ways in which this is supported in this patch:

1. patterns for detection are registered per direction. If the proto
   was not recognized in the traffic direction, and midstream is
   enabled, the pattern set for the opposing direction is also
   evaluated. If that matches, the flow is considered to be in the
   wrong direction and is reversed.

2. probing parsers now have a way to feed back their understanding
   of the flow direction. They are now passed the direction as
   Suricata sees the traffic when calling the probing parsers. The
   parser can then see if its own observation matches that, and
   pass back it's own view to the caller.

3. a new pattern + probing parser set up: probing parsers can now
   be registered with a pattern, so that when the pattern matches
   the probing parser is called as well. The probing parser can
   then provide the protocol detection engine with the direction
   of the traffic.

The process of reversing takes a multi step approach as well:

a. reverse the current packets direction
b. reverse most of the flows direction sensitive flags
c. tag the flow as 'reversed'. This is because the 5 tuple is
   *not* reversed, since it is immutable after the flows creation.

Most of the currently registered parsers benefit already:

- HTTP/SMTP/FTP/TLS patterns are registered per direction already
  so they will benefit from the pattern midstream logic in (1)
  above.

- the Rust based SMB parser uses a mix of pattern + probing parser
  as described in (3) above.

- the NFS detection is purely done by probing parser and is updated
  to consider the direction in that parser.

Other protocols, such as DNS, are still to do.

Ticket: #2572
7 years ago
Mats Klepsland d62d33cdff app-layer-ssl: check that cipher suites length is divisible by two
Cipher suites length should always be divisible by two. If it is a
odd number, which should not happen with normal traffic, it ends up
reading one byte too much.
7 years ago
Mats Klepsland b5dfc9ed41 app-layer-ssl: fix coverty error (RESOURCE_LEAK)
Bug #2677
8 years ago
Mats Klepsland 033e756905 app-layer-ssl: add Facebook TLSv1.3 draft versions
Add draft versions for Facebooks custom TLSv1.3 implementation "fizz"
to SSLVersionToString().
8 years ago
Mats Klepsland dd5374c20d app-layer-ssl: change how TLSv1.3 drafts are logged
Change from logging TLSv1.3 drafts as "TLS 1.3 (draft 28)" to
"TLS 1.3 draft-28" instead.
8 years ago
Mats Klepsland a8347e1bc2 app-layer-ssl: fix flow and inspection bypass for TLSv1.3 8 years ago
Mats Klepsland 3b73b7d542 app-layer-ssl: add 0-RTT support for TLSv1.3 8 years ago
Mats Klepsland 23993c18cd app-layer-ssl: decode early data extension in ClientHello record
Decode early data extension used by 0-RTT that is used to indicate that
application data will be sent right after the ClientHello record.
8 years ago
Mats Klepsland 7556004a51 app-layer-ssl: use extension length when decoding extensions
Pass extension length to functions decoding extensions, instead of
passing the length left in the record. This enables us to also
decode empty extensions.
8 years ago
Mats Klepsland ee1de4c812 app-layer-ssl: handle all versions above TLSv1.2 as TLSv1.3
This makes it more likely to log custom versions of TLSv1.3 that
doesn't comply with the draft version numbering.
8 years ago
Victor Julien 31b87d5f8f tls: remove debug printfs 8 years ago
Mats Klepsland fc53b2ecd5 app-layer-ssl: fix JA3 bug in TLS extension decoding 8 years ago
Mats Klepsland 89bd274f44 app-layer-ssl: fix JA3 bug in TLS version decoding 8 years ago
Victor Julien 7bf71805b8 hash/sha1: optimize by avoiding mem alloc
Don't allocate an output buffer for each call. These buffers
would have the exact same size every time.
8 years ago
Mats Klepsland 4470b05ae4 app-layer-ssl: remove unnecessary length check
We already check that empty extensions are not decoded, so this length
check is not needed.
8 years ago
Mats Klepsland eba0d04171 app-layer-ssl: don't decode empty extensions 8 years ago
Mats Klepsland 97cc3475bf app-layer-ssl: add function to get string from version
Add 'SSLVersionToString' to get string from version.
8 years ago
Mats Klepsland 91acd3831f app-layer-ssl: add support for earlier TLSv1.3 drafts
Add support for TLSv1.3 draft 1 to draft 21.
8 years ago
Mats Klepsland 831ddb62d2 app-layer-ssl: add support for TLSv1.3 from draft 22
Add support for draft 22 to draft 28 and for the final
version (RFC8446) of TLSv1.3.
8 years ago
Mats Klepsland e0ef578c46 app-layer-ssl: add support for session tickets
Add support for logging a session as 'resumed' when using a non-empty
session ticket extension in the client hello record.
8 years ago
Mats Klepsland 21897a4d7a app-layer-ssl: add better session id support
Verify that the session id from both the client hello record and the
server hello record matches before marking the session as 'resumed'.
8 years ago
Mats Klepsland f22bd5a75b app-layer-ssl: decode server hello record
Decoding server hello is needed to do a better implementation of
session resumption.
8 years ago
Mats Klepsland 68cc53d188 app-layer-ssl: make sure that JA3 stuff is only initialized once
Avoid possible memory leaks by making sure that JA3 buffer and
string is only initialized once.
8 years ago
Mats Klepsland 5ec2f6e7b3 app-layer-ssl: fix memleak/coredump (Bug #2603) 8 years ago
Victor Julien 155a017cf8 ssl: fix uninitialized variable warning 8 years ago
Victor Julien fd38989113 proto/detect: remove probing parser offset argument
Remove offset argument as it was unused.
8 years ago
Victor Julien 7bc3c3ac6e app-layer: pass STREAM_* flags to parser
Pass the STREAM_* flags to the app-layer parser functions so that
the parser can know more about how it is called.
8 years ago
Victor Julien 2d50fe499a tls: new config for dealing with encrypted traffic
Much of encrypted traffic is uninteresting to Suricata. Once encrypted
communication starts, inspecting the packet payloads is generally
not interesting anymore. The default behavior is to disable the parts
of the detection engine and stream reassembly that relate to raw content
inspection.

The tls app-layer parser also had a crude option to affect this behavior:
set 'no-reassemble' to true went much further than the default behavior.
It disabled the TCP reassembly on the flow completely, disabled all
inspection on the flow and enabled bypass if available.

This patch adds a new option: full inspection. This continues to treat
a TLS session as any other, so without any limits to inspection.

The new option is implemented in a new config option 'encrypt-handling',
that replaces 'no-reassemble'. The new option has 3 values:
'default', 'full' and 'bypass'. Default is the current default behavior,
'bypass' is the current 'no-reassemble = true' behavior and 'full'
is the new full inspection mode.
8 years ago
Mats Klepsland 21078521f8 app-layer-ssl: remove possibility to overflow HAS_SPACE macro 8 years ago
Mats Klepsland 598ef96b7b app-layer-ssl: really fix CID 1433623 8 years ago
Mats Klepsland 900c27e235 app-layer-ssl: fix use-after-free (CID 1433623)
Ja3BufferAddValue frees the buffer on error, so there is no point
in doing it twice (use-after-free).
8 years ago
Mats Klepsland fc0e339467 app-layer-ssl: fix use-after-free (CID 14336229)
Nullify JA3 buffer on free to avoid use-after-free vulnerability.
8 years ago
Victor Julien 3b474ac599 tls: work around coverity warnings 8 years ago
Mats Klepsland 3e597512ea app-layer-tls-handshake: remove since it is no longer needed
Remove this file and all its content, since the functionality
was reimplemented in app-layer-ssl.
8 years ago
Mats Klepsland e93fef5c44 app-layer-ssl: reimplement function for decoding certificates
Do a complete rewrite of the function for decoding the SSL/TLS
certificate from the handshake.
8 years ago
Mats Klepsland 0c16cd0120 app-layer-ssl: generate JA3 fingerprints
Decode additional fields from the client hello packet and generate
JA3 fingerprints.
8 years ago
Mats Klepsland 3f0dea582d app-layer-ssl: split function into multiple smaller functions
Split 'TLSDecodeHandshakeHello' into smaller functions to make
it easier to read the code when the function grows in size.
8 years ago
Jason Ish c411519605 app-layer: remove has events callback - not used 9 years ago
Victor Julien 7548944b49 app-layer: remove unused HasTxDetectState call
Also remove the now useless 'state' argument from the SetTxDetectState
calls. For those app-layer parsers that use a state == tx approach,
the state pointer is passed as tx.

Update app-layer parsers to remove the unused call and update the
modified call.
9 years ago
Victor Julien d0f19891b4 ssl/tls: use DetectFlags API 9 years ago
Victor Julien bca0cd71ae app-layer: use logger bits to avoid looping
Avoid looping in transaction output.

Update app-layer API to store the bits in one step
and retrieve the bits in a single step as well.

Update users of the API.
9 years ago