suricata

Commit Graph

Author	SHA1	Message	Date
Zach Kelly	ef397daba3	rdp: rustfmt (update)	5 years ago
Shivani Bhardwaj	35362b7bfa	jsonbuilder: run test if not debug-validate	5 years ago
Shivani Bhardwaj	2ce7d98af1	dcerpc: fix tests to have a valid header	5 years ago
Shivani Bhardwaj	9f9670ebdc	logging: Add DCERPC logger	5 years ago
Shivani Bhardwaj	bab497ab2c	dcerpc: Add multi transaction support DCERPC parser so far provided support for single transactions only. Extend that to support multiple transactions. In order for multiple transactions to work, there is always a transaction identifier for any protocol in its header that lets a response match the request. In DCERPC, for TCP, that param is call_id in the header which is a 32 bit field. For UDP, however since it uses different version of RPC (4.x), this is defined by serial number field defined in the header. This field however is not contiguous and needs to be assembled by the provided serial_low and serial_hi fields.	5 years ago
Shivani Bhardwaj	67e7be633c	krb: convert to jsonbuilder Closes redmine ticket 3754.	5 years ago
Shivani Bhardwaj	72dab0a8b7	snmp: convert to jsonbuilder Closes redmine ticket 3756.	5 years ago
Jason Ish	abc71dc4a5	applayer template (rust): better gap handling example In the request parser, show checking if a gap was received and what one example of trying to continue might look like.	5 years ago
Jason Ish	b91bb92b7d	applayer template (rust): incomplete support Show how to use the incomplete AppLayerResult type within the limits of what the template protocol parser can provide. Redmine issue: https://redmine.openinfosecfoundation.org/issues/3541	5 years ago
Jason Ish	3f615f751b	rust app-layer template: add stubs for gap handling	5 years ago
Jason Ish	d60671d855	rust/dns: use new flags field to set parser option flags	5 years ago
Jason Ish	53aa967e0b	applayer: add flags to parser registration struct This will allow Rust parsers to register for gap handing from Rust (some Rust parsers do handle gaps, but they set the flag from C).	5 years ago
Jason Ish	9d9a901b68	dns: conditional logging Apply config to newly created response TX.	5 years ago
Victor Julien	ac3cf6ff75	detect/config: set config for special cases Allow app-layer to declare the txs are uni-directional and special care is needed for applying config.	5 years ago
Victor Julien	5dd4d948d9	app-layer: remove unused detect flags API	5 years ago
Victor Julien	c94a5e6392	app-layer/rust: don't use option for GetTxDataFn anymore	5 years ago
Victor Julien	8fe9faecb2	app-layer: remove DetectFlags API. Replaced by AppLayerTxData	5 years ago
Victor Julien	88dd0abb38	rdp: support AppLayerTxData	5 years ago
Victor Julien	9664f73f75	app-layer: remove logged API calls	5 years ago
Victor Julien	e0debed0b4	tftp: support AppLayerTxData	5 years ago
Victor Julien	4ff51a0e07	sip: support AppLayerTxData	5 years ago
Victor Julien	cc1210c956	ntp: support AppLayerTxData	5 years ago
Victor Julien	e0f75157a0	ikev2: support AppLayerTxData	5 years ago
Victor Julien	64e2a27512	applayer/template: support AppLayerTxData	5 years ago
Victor Julien	a484bbbe1b	dhcp: support AppLayerTxData	5 years ago
Victor Julien	11e2434526	snmp: support AppLayerTxData	5 years ago
Victor Julien	5afe4835ad	rfb: support AppLayerTxData	5 years ago
Victor Julien	9f29366c7c	krb5: support AppLayerTxData	5 years ago
Victor Julien	2aab1938d7	ssh: support AppLayerTxData	5 years ago
Victor Julien	a1e06247a6	dcerpc/udp: support AppLayerTxData	5 years ago
Victor Julien	3202d29325	dcerpc: support AppLayerTxData	5 years ago
Victor Julien	77a95eddd9	smb: support AppLayerTxData	5 years ago
Victor Julien	7a7805cde6	nfs: support AppLayerTxData	5 years ago
Victor Julien	fb3bdd8cf3	dns: remove detect_flags and logged now that we use AppLayerTxData	5 years ago
Victor Julien	5665fc8301	app-layer: add ApplyTxConfig API Optional callback a parser can register for applying configuration to the 'transaction'. Most parsers have a bidirectional tx. For those parsers that have different types of transaction handling, this new callback can be used to properly apply the config.	5 years ago
Victor Julien	e15995e2d2	detect: store detect flags in AppLayerTxData	5 years ago
Victor Julien	c797c9f09c	app-layer: add logger flags to AppLayerTxData	5 years ago
Victor Julien	411f428a38	app-layer: define AppLayerTxData and AppLayerTxConfig AppLayerTxData is a structure each tx should include that will contain the common fields the engine needs for tracking logging, detection and possibly other things. AppLayerTxConfig will be used by the detection engine to configure the transaction.	5 years ago
Jason Ish	03efbccfe6	jsonbuilder: set_float, append_float methods New methods for setting and appending float values.	5 years ago
Philippe Antoine	ece29c4210	ssh: fix incomplete return for ssh kex In the case where we already parsed some records	5 years ago
Philippe Antoine	ca6d072297	dcerpc: detect right parsing of empty op version	5 years ago
Emmanuel Thompson	6e5d64f102	detect/asn1: Simplify errors and checks	5 years ago
Emmanuel Thompson	4fc45b5c60	detect/asn1: Update ASN1 struct lifetime - 'static is only realistic when allocating and leaking it over the FFI boundary	5 years ago
Emmanuel Thompson	627e90a4bd	detect/asn1: Log out errors - Failure to parse asn1-max-frames - Failure on asn1 detection checks	5 years ago
Emmanuel Thompson	88601b1993	detect/asn1: Update relative_offset keyword - To be consistent with recent C version changes - Add checks for over/underflows	5 years ago
Emmanuel Thompson	7af6cdb7ec	detect/asn1: Update asn1 C files to use rust code Mark rust extern "C" functions as pub in asn1 module to expose via cbindgen Update detect-asn1.c/h to use rust functions	5 years ago
Emmanuel Thompson	63704fdf13	rust/asn1: Introduce ASN1 rust module This module uses the `der-parser` crate to parse ASN1 objects in order to replace src/util-decode-asn1.c It also handles the parsing of the asn1 keyword rules and detection checks performed in src/detect-asn1.c	5 years ago
Emmanuel Thompson	6b8517dc12	rust: Update der, kerberos and snmp parser dependencies - The update to der-parser allows us to use the latest API changes	5 years ago
Jason Ish	43b9bfaed4	applayer template (rust): convert to JsonBuilder	5 years ago
Vadym Malakhatko	126597144c	eve: add Hassh fields to SSH JSON logger and add ssh log condition	5 years ago
Vadym Malakhatko	536cee3ba9	rust/ssh: add hassh generation Add generation of hassh fingerprints based on fields in the kexinit record	5 years ago
Jeff Lucovsky	d5bb41011c	output/ikev2: Convert to JsonBuilder Convert the IKEV2 Json logging to use JsonBuilder.	5 years ago
Victor Julien	65e9a7c31c	smb: fix 'dangling' files in lossy sessions In case of lossy connections the SMB state would properly clean up transactions, including file transactions. However for files the state was never set to 'truncated', leading to files to stay 'active'. This would lead these files staying in the SMB's state. In long running sessions with lots of files this would lead to performance and memory use issues. This patch cleans truncates the file that was being transmitted when a file transaction is being closed.	5 years ago
Victor Julien	25f2efe977	smb: check post-gap timeouts once a second at most	5 years ago
Victor Julien	8aa380600d	smb: update ts only if it changed	5 years ago
Jeff Lucovsky	8c5c949cfa	output/tftp: Convert to JsonBuilder This commit converts the TFTP logging mechanisms to JsonBuilder.	5 years ago
Jason Ish	07e88a7479	jsonbuilder: add debug_validate to state If debug validation is enabled, panic on invalid state errors. For example, calling close on an already closed jsonbuilder object.	5 years ago
Jason Ish	ca6b70ea1b	rust: macro debug_validate_fail to fail with message Add a new debug_validate macro that unconditionally panics with a message. Useful in Rust pattern matching.	5 years ago
Shivani Bhardwaj	a7535099b4	smb/eve: convert to jsonbuilder Closes redmine ticket 3712.	5 years ago
Victor Julien	79681bf655	app-layer: remove old MPMId API calls Had been deprecated and non-functional since 2017.	5 years ago
Jason Ish	a545cdef6a	jsonbuilder: setter for formatted data Create a method to set preformatted data that contains the key and the value already formatted. This is an optimization for static data.	5 years ago
Jason Ish	e3b7c58218	jsonbuilder: export {set,append}_string_from_bytes to C	5 years ago
Jason Ish	f184bcc10e	jsonbuilder: use Box::from_raw instead of transmute to free I think this is a bad use of transmute, while the end result is the same, Box::from_raw is more correct as we created this pointer with Box::into_raw.	5 years ago
Philippe Antoine	baf5f52f22	ssh/eve: convert to jsonbuilder	5 years ago
Victor Julien	b3b5802c85	eve/nfs: switch output to jsonbuilder	5 years ago
Jason Ish	6ce9b2972b	rdp: enable by default Redmine issue: https://redmine.openinfosecfoundation.org/issues/3255	5 years ago
Jason Ish	5a7ba62493	sip: enable by default Redmine issue: https://redmine.openinfosecfoundation.org/issues/3256	5 years ago
Jason Ish	36d687580a	rfb/eve: convert to jsonbuilder	5 years ago
Jason Ish	60bfbd43fd	jsonbuilder: add reset marks Add methods to get the state of a JsonBuilder (called a mark), then allow restoring to the mark.	5 years ago
Jason Ish	ddb22549be	rust: allow some clippy lints without warning Suppresses some clippy lints that have more to do with style than anything else, to reduce the amount of noise in the clippy output.	5 years ago
Jason Ish	03cf3dcd6d	dns/eve: convert to jsonbuilder	5 years ago
Jason Ish	6a70d6bb6e	sip/eve: convert to jsonbuilder	5 years ago
Jason Ish	deed0541bb	dhcp/eve: convert to jsonbuilder	5 years ago
Jason Ish	942dd08654	jsonbuilder: new module for generating json JsonBuilder is a Rust module for creating JSON output. Unlike Jansson, the final JSON string is built up as items are added, instead of building up an object tree and rendering it when done. The idea is to create a more efficient JSON serializer instead of a flexible one.	5 years ago
Jason Ish	5513b4ed0b	rust/json: expose libjansson json_dumps This will be temporarily used by JsonBuilder to add the ability to extend JsonBuilder with Jansson's json_t types.	5 years ago
Victor Julien	9fd326b6c0	ssh: minor cleanups in incomplete handling	5 years ago
Victor Julien	3a2434ed4d	app-layer: support Copy and Clone traits in AppLayerResult	5 years ago
Victor Julien	b0288da686	app-layer: add methods to get status from AppLayerResult	5 years ago
Philippe Antoine	6373071aa3	ssh: handles incomplete record after banner To signal incomplete data, we must return the number of consumed bytes. When we get a banner and some records, we have to take into account the number of bytes already consumed by the banner parsing before reaching an incomplete record.	5 years ago
Philippe Antoine	69b4fffdae	parse: move SSH parser from C to Rust	5 years ago
Shivani Bhardwaj	80adf7d1cf	smb: Import constants from DCERPC Remove DCERPC constants to avoid duplicate name errors. Import the required constants from DCERPC implementation.	5 years ago
Shivani Bhardwaj	6457754fd6	dcerpc: Replace C function calls with Rust All the dead code in C after the Rust implementation is hereby removed. Invalid/migrated tests have also been deleted. All the function calls in C have been replaced with appropriate calls to Rust functions. Same has been done for smb/detect.rs as a part of this migration.	5 years ago
Shivani Bhardwaj	8036202c7b	rust: Add DCERPC parser This parser rewrites the DCE/RPC protocol implementation of Suricata in Rust. More tests have been added to improve the coverage and some fixes have been made to the tests already written in C. Most of the valid tests from C have been imported to Rust. File anatomy src/dcerpc.rs This file contains the implementation of single transactions in DCE/RPC over TCP. It takes care of REQUEST, RESPONSE, BIND and BINDACK business logic before and after the data parsing. DCERPCState holds the state corresponding to a particular transaction and handles all important aspects. It also defines any common structures and constants required for DCE/RPC parsing irrespective of the carrier protocol. src/dcerpc_udp.rs This file contains the implementation of single transactions in DCE/RPC over UDP. It takes care of REQUEST and RESPONSE parsing. It borrows the Request and Response structs from src/dcerpc.rs. src/detect.rs This file contains the implementation of dce_iface and opnum detect keywords. Both the parsing and the matching is taken care of by functions in this file. Tests have been rewritten with the test data from C. src/parser.rs This file contains all the nom parsers written for DCERPCRequest, DCERPCResponse, DCERPCBind, DCERPCBindAck, DCERPCHeader, DCERPCHdrUdp. It also implements functions to assemble and convert UUIDs. All the fields have their endianness defined unless its an 8bit field or an unusable one, then it's little endian but it won't make any difference. src/mod.rs This file contains all the modules of dcerpc folder which should be taken into account during compilation. Function calls This is a State-wise implementation of the protocol for single transaction only i.e. a valid state object is required to parse any record. Function calls start with the app layer parser in C which detects the application layer protocol to be DCE/RPC and calls the appropriate functions in C which in turn make a call to these functions in Rust using FFI. All the necessary information is passed from C to the parsers and handlers in Rust. Implementation When a batch of input comes in, there is an analysis of whether the input header and the direction is appropriate. Next check is about the size of fragment. If it is as defined by the header, process goes through else the data is buffered and more data is awaited. After this, type of record as indicated by the header is checked. A call to the appropriate handler is made. After the handling, State is updated with the latest information about whatever record came in. AppLayerResult::ok() is returned in case all went well else AppLayerResult::err() is returned indicating something went wrong.	5 years ago
Shivani Bhardwaj	6db1f19d62	rust: Add debug_validate_bug_on macro This macro allows to check if certain parts of the code are reachable during fuzzing.	5 years ago
Shivani Bhardwaj	ab6b4986ce	rust: Add Debug and PartialEq to AppLayerResult	5 years ago
frank honza	bbe9137f20	rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.	5 years ago
Philippe Antoine	edcb784f1a	dns: improve probe_tcp handling of incomplete data	5 years ago
Sascha Steinbiss	713c379427	rfb: make sure size calculations do not overflow Addresses #3570 by extra checking of calculated size requests. With the given input, the parser eventually arrived at parser::parse_failure_reason() which parsed from the remaining four bytes (describing the string length) that the failure string to follow would be 4294967295 bytes long. While calculating the total size of the data to request via AppLayerResult::incomplete(), adding the four bytes for the parsed but not consumed string length caused the u32 length to overflow, resulting in a much smaller value triggering the bug condition. This problem was addressed by more careful checking of values in each step that could overflow: one subtraction, one addition (which could overflow the usize length values), and a final check to determine whether the result still fit into the u32 values required by AppLayerResult::incomplete(). If so, we would safely convert the values and pass them to the result type. If not, we simply return AppLayerResult::err() but do not erroneously and silently request the wrong amount.	5 years ago
Pierre Chifflier	01aef49cbd	rust/x509: map decoding errors to decoder events	5 years ago
Pierre Chifflier	36d2e257c6	rust/x509: use the raw serial number so leading zeros are not removed	5 years ago
Pierre Chifflier	d92321d8b1	ssl/tls: use the rust decoder to decode X.509 certificates	5 years ago
Pierre Chifflier	10d9deec9f	rust: add common function to exchange CString objects from/to C	5 years ago
Sascha Steinbiss	26123e05f2	rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.	5 years ago
Frank Honza	1c8943dedd	add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.	5 years ago
Victor Julien	acef21b759	app-layer: extend AppLayerResult to add convenience	5 years ago
Victor Julien	2f5834cdfa	rust: merge parser.rs into applayer.rs Both were serving the same purpose.	5 years ago
Victor Julien	21e6f1f063	app-layer: document return macros	5 years ago
Victor Julien	5b9b0b7226	nfs: switch to new 'incomplete' logic Remove buffering code in favor of using incomplete API.	5 years ago
Victor Julien	66598f9ce7	nfs: switch to AppLayerResult	5 years ago
Victor Julien	5cd9cfb5a0	smb: update return type of GAP handling	5 years ago
Victor Julien	4bf87d30e4	smb: convert to return AppLayerResult Support returning 'incomplete' and remove the buffering code from the parser.	5 years ago
Victor Julien	674b8dc0fb	app-layer: add 'incomplete' return logic Allow app-layer parsers to indicate how much data they need before being called again.	5 years ago
Victor Julien	44d3f264bf	app-layer: update API to return more details Add AppLayerResult struct as the Parser return type in preparation of allowing returning 'Incomplete(size)' similar to what nom in Rust allows.	5 years ago
Victor Julien	3bcf948a75	app-layer: change return codes This patch simplifies the return codes app-layer parsers use, in preparation of a patch set for overhauling the return type. Introduce two macros: APP_LAYER_OK (value 0) APP_LAYER_ERROR (value -1) Update all parsers to use this.	5 years ago
Victor Julien	6ae66cb2bb	nfs: code cleanups Use 'if let' to replace simple 'match' statements. Use explicit returns to easy code review.	5 years ago
Victor Julien	a729d266c3	smb: fix rustc 1.42 warnings	5 years ago
Jason Ish	a0e3e2d7b4	dns: register parsers from Rust And port the C DNS tests to Rust.	5 years ago
Jason Ish	0af9a3a5f7	dns: remove C wrapper functions to Rust Remove registration of C wrapper functions and register the Rust functions directly for UDP.	5 years ago
Jason Ish	1b44f839e6	dns: cleanup: move event callbacks into Rust Remove app-layer-dns-common.c as its no longer needed.	5 years ago
Jason Ish	ca5a3f0f04	dns: cleanup: remove unused events Removed events that are no longer used since the Rust implementation of DNS: - UnsolicitedResponse - StateMemCapReached - Flooded	5 years ago
Jason Ish	d809b0959b	dns: cleanup: move DnsGetRcode (Lua) to rust Move the implementation of Lua DnsGetRcode to Rust.	5 years ago
Philippe Antoine	23f796a021	kerberos: fix against packet split in record size	5 years ago
Victor Julien	76dd951523	krb5/tcp: remove notice logging on failed records	5 years ago
Sascha Steinbiss	11912bd715	sip: address trailing space parsing	5 years ago
Victor Julien	74305c0486	rust/nfs: minor code cleanups	5 years ago
Victor Julien	576e92983e	rust/rpc: add partial data tests	5 years ago
Pierre Chifflier	442500678b	rust: use the streaming version of combinators to fix incomplete reads	5 years ago
Pierre Chifflier	df9a4fd635	rust/rdp: use the streaming version of combinators to fix incomplete reads	5 years ago
Pierre Chifflier	2561da89c0	rust/rdp: fix regression introduced during nom 5 upgrade	5 years ago
Pierre Chifflier	f3ddd7127c	rust: Add types annotation when required Unfortunately, the transition to nom 5 (and functions instead of macros) has side-effects, one of them being requiring lots of types annotations when using a parsing, for ex in a match instruction.	5 years ago
Pierre Chifflier	62e31396ae	rust/ftp: upgrade to nom 5 CompleteByteSlice type has been removed, and replaced by combinators under the nom::character::complete namespace.	5 years ago
Pierre Chifflier	1a505ccd11	rust/rdp: add custom error handling	5 years ago
Pierre Chifflier	d1bf34a427	rust/smb: add custom error handling	5 years ago
Pierre Chifflier	1ab8c5763c	rust: add SecBlobError custom error type for the Kerberos parser	5 years ago
Pierre Chifflier	030c9a3d86	rust: add take_until_and_consume replacement function	5 years ago
Pierre Chifflier	8664a55ee7	rust/dns: remove unneeded calls to closure!	5 years ago
Pierre Chifflier	5b809f77f1	rust: upgrade all parsers to nom 5	5 years ago
Philippe Antoine	6663246563	parser: make rust probing parsers optional	5 years ago
Victor Julien	f68c255f09	nfs: implement post-GAP transaction cleanup Close all prior transactions in the direction of the GAP, except the file xfers. Those use their own logic described below. After a GAP all normal transactions are closed. File transactions are left open as they can handle GAPs in principle. However, the GAP might have contained the closing of a file and therefore it may remain active until the end of the flow. This patch introduces a time based heuristic for these transactions. After the GAP all file transactions are stamped with the current timestamp. If 60 seconds later a file has seen no update, its marked as closed. This is meant to fix resource starvation issues observed in long running SMB sessions where packet loss was causing GAPs. Due to the similarity of the NFS and SMB parsers, this issue is fixed for NFS as well in this patch. Bug #3424. Bug #3425.	5 years ago
Victor Julien	d41aeccea4	smb: handle file transactions post-GAP After a GAP all normal transactions are closed. File transactions are left open as they can handle GAPs in principle. However, the GAP might have contained the closing of a file and therefore it may remain active until the end of the flow. This patch introduces a time based heuristic for these transactions. After the GAP all file transactions are stamped with the current timestamp. If 60 seconds later a file has seen no update, its marked as closed. This is meant to fix resource starvation issues observed in long running SMB sessions where packet loss was causing GAPs.	6 years ago
Jason Ish	80cafb2979	flow: expose last time as a function This function returns the individual components of the timeval in output pointers making it suitable for use over Rust FFI.	6 years ago
Jason Ish	e68dfa46a6	rust: cargo fix for Rust 2018 edition	6 years ago
Jason Ish	5ee8323028	rust: remove unnecessary parentheses (Rust 1.40 fixup) Rust 1.40 in strict mode will now fail the build on the presence of unnecessary parentheses. warning: unnecessary parentheses around type --> src/smb/smb2_ioctl.rs:41:12 \| 41 \| -> (&mut SMBTransaction) \| ^^^^^^^^^^^^^^^^^^^^^ help: remove these parentheses \| = note: `#[warn(unused_parens)]` on by default	6 years ago
Victor Julien	f5b33a070a	smb1: allow empty trans records	6 years ago
Victor Julien	40fe29de96	smb1: fix 'event' txs not getting closed If the only reason we created a request side TX was to set an event, we would not close it. This patch always looks up the TX from the response side.	6 years ago
Victor Julien	129cd28058	smb/dcerpc: close request tx sooner	6 years ago
Victor Julien	44ac3e30dd	smb: post-GAP handling update Close all prior transactions in the direction of the GAP, except the file xfers. Those use their own logic.	6 years ago
Victor Julien	a7ee2ffbde	smb: winreg is a DCERPC facility	6 years ago
Jason Ish	e2c846d01f	snmp: add tx detect flags	6 years ago
Jason Ish	fa4b9d37c2	krb5: register tx detect flags Related ticker #3345: https://redmine.openinfosecfoundation.org/issues/3345	6 years ago
Jason Ish	8a232be77e	rust: define TxDetectFlag struct and binding macros Define a TxDetectFlag type and macros to generating C bindings for getting and settings the tx detect flags.	6 years ago
Jason Ish	cde49ec246	rust: add tx detect flags function to registration struct	6 years ago
Victor Julien	f9155aa121	files: simplify pruning logic Since `ebcc4db84a` the flow worker runs file pruning after parsing, detection and loging. This means we can simplify the pruning logic. If a file is in state >= CLOSED, we can prune it. Detection and outputs will have had a final chance to process it. Remove the calls to the pruning code from Rust. They are no longer needed.	6 years ago
Jason Ish	f9c9548b74	configure: detect lua integer size Lua 5.1 and 5.3 use a different integer size. Run a test program to set the integer size used in the Rust FFI layer to Rust.	6 years ago
Jeff Lucovsky	bd691778eb	rust/ftp: add parser for active mode port handling	6 years ago
Jason Ish	517ecd68a9	sip: rustfmt As this is new Rust code, format with rustfmt using default styling.	6 years ago
Jason Ish	a45a2fa1fc	sip: disable by default in 5.0	6 years ago
Jason Ish	fdbc2fe49c	sip rust fixup: remove unused import in tests	6 years ago
Giuseppe Longo	e06291922f	detect/sip.response_line: add sticky buffer Matches on response line field in SIP.	6 years ago
Giuseppe Longo	17de4a8023	detect/sip.request_line: add sticky buffer Matches on request line field in SIP.	6 years ago
Giuseppe Longo	8939ece538	detect/sip.stat_msg: add sticky buffer Matches on status msg field in SIP.	6 years ago
Giuseppe Longo	bd2219cac6	detect/sip.stat_code: add sticky buffer Matches on status code field in SIP.	6 years ago
Giuseppe Longo	8454122eb2	detect/sip.protocol: add sticky buffer Matches on protocol field in SIP.	6 years ago
Giuseppe Longo	2661c5b298	detect/sip.uri: add sticky buffer Matches on uri field in SIP.	6 years ago
Giuseppe Longo	424eead8c0	detect/sip.method: add sticky buffer Matches on uri field in SIP.	6 years ago
Giuseppe Longo	edc2a583a9	rust/sip: add SIP logger	6 years ago
Giuseppe Longo	2e975a0481	rust/sip: add parser for SIP protocol	6 years ago
Jason Ish	d79c23baa3	dns/detect: dns.opcode keyword Add a rule keyword, dns.opcode to match on the opcode flag found in the DNS request and response headers. Only exact matches are allowed with negation. Examples: - dns.opcode:4; - dns.opcode:!1;	6 years ago
Victor Julien	85ba2e16ba	rust/conf: don't print failed conf lookups at info level	6 years ago
Jason Ish	664605b5f1	rdp: disable rdp by default for 5.0	6 years ago
Jason Ish	0f10298990	rdp: address comments in pull request Pull request: https://github.com/OISF/suricata/pull/4174 - fix commit: range -> set - OUTPUT_BUFFER_SIZE -> JSON_OUTPUT_BUFFER_SIZE - output: check for initdata first	6 years ago
Zach Kelly	caef8b5b38	protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions	6 years ago
Jason Ish	5f1d21f247	dns: handle mid stream pickup on response packet Related Redmine issue: https://redmine.openinfosecfoundation.org/issues/2146	6 years ago
Jason Ish	42e5065ab8	rust: update to Rust 2018 with cargo fix Migrate to Rust 2018 edition. Credit to Danny Browning for first demontrating this: https://github.com/OISF/suricata/pull/3604/commits	6 years ago
Shivani Bhardwaj	8bebea5d4c	rust: Get rid of unneeded macros, fix warnings	6 years ago
Victor Julien	579cc9f02b	const: constify decoder, app-layer, detect funcs	6 years ago
Shivani Bhardwaj	6d39f6fd7d	rust: Fix deprecation warnings Fix the following warnings by compiler, (1) warning: use of deprecated item 'take_until_s': Please use `take_until` instead (2) warning: `...` range patterns are deprecated For the second warning, the builtin lint "ellipsis_inclusive_range_pattern" has been added which causes the following warning to show up with rustc 1.24. warning: unknown lint: `ellipsis_inclusive_range_patterns` --> /home/travis/build/OISF/suricata/suricata-5.0.0-dev/rust/src/lib.rs:18:10 \| 18 \| #![allow(ellipsis_inclusive_range_patterns)] \| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ \| = note: #[warn(unknown_lints)] on by default Since there is no other way to fix this, the above warning shall stay. We need to take care of modifying this if and when the support for 1.24 as MSRV is dropped.	6 years ago
Shivani Bhardwaj	bbfd706e1f	rust: fix compiler warning rustc 1.36 introduced: error: variable does not need to be mutable --> src/dhcp/parser.rs:202:17 \| 202 \| let mut malformed_options = false; \| ----^^^^^^^^^^^^^^^^^ \| \| \| help: remove this `mut` \| note: lint level defined here --> src/lib.rs:18:38 \| 18 \| #![cfg_attr(feature = "strict", deny(warnings))] \| ^^^^^^^^ = note: #[deny(unused_mut)] implied by #[deny(warnings)] error: aborting due to previous error error: Could not compile `suricata`. Ticket #3072.	6 years ago
Pierre Chifflier	af7d245a31	rust/snmp: add event when expected/received PDU versions mismatch	6 years ago
Pierre Chifflier	1880f6945c	rust/snmp: use generic parsing function, for all SNMP versions Do no restrict parsing to the version seen in the first packet, but use a generic function, independent of the version.	6 years ago
Jeff Lucovsky	6911cc01ad	rust/snmp: Support get-info-by-id	6 years ago
Jeff Lucovsky	7560b75591	rust/ntp: Support get-info-by-id	6 years ago
Jeff Lucovsky	12c2d18c8b	rust/krb: Support get-info-by-id	6 years ago
Jeff Lucovsky	fb01641629	rust/ikev2: Support get-info-by-id	6 years ago
Jeff Lucovsky	e3ca6b43fc	rust/dhcp: Support get-info-by-id	6 years ago
Jeff Lucovsky	a5d9d37c34	rust/parser: Extend Rust parser for event-by-id Extend the Rust parsing infrastructure with the "get event info by id" calls. This changeset extends the parser structure, the C-based registration handlers and the template parser.	6 years ago
Jeff Lucovsky	9ccc28baeb	rust/smb: Implement get event by id	6 years ago
Jeff Lucovsky	643864a8f5	rust/snmp: fix libc deprecation warnings	6 years ago
Victor Julien	3f6624bf16	rust: remove libc crate dependency Use std::os::raw instead.	6 years ago
Victor Julien	28ed0d3a18	nfs: implement get_event_info_by_id callback	6 years ago
Jeff Lucovsky	d568e7fadd	eve/logging: 2991 Optimize logging by TX This changeset makes changes to the TX logging path. Since the txn is passed to the TX logger, the TX can be used directly instead of through the TX id.	6 years ago
Pierre Chifflier	c1b30fe9fd	rust/snmp: fix libc deprecation warnings for int types	6 years ago
Pierre Chifflier	bc07656ce7	rust/snmp: use snake_case when logging PDU types	6 years ago
Pierre Chifflier	c60f2028e5	rust/snmp: fix missing IPPROTO_* declarations (use core)	6 years ago
Pierre Chifflier	031cbbe868	rust/snmp: fix selection of v1/v2c parser	6 years ago
Pierre Chifflier	9dfec7e734	SNMP: add the "snmp.pdu_type" detection keyword	6 years ago
Pierre Chifflier	e1dd19a0eb	SNMP: add the "snmp.community" detection keyword	6 years ago
Pierre Chifflier	aa608e0ca2	SNMP: add the "snmp.version" detection keyword	6 years ago
Pierre Chifflier	60324740e6	SNMP: use explicit references to support build with old rust compiler	6 years ago
Pierre Chifflier	57b233f462	SNMP: start looking for transactions from end of list	6 years ago
Pierre Chifflier	6fc7fc74cb	SNMP: add logger	6 years ago
Pierre Chifflier	2df840a8b8	Add SNMP (v1/v2c/v3) application layer	6 years ago
Pierre Chifflier	b65896c0de	Rust: expose function AppLayerParserRegisterGetTxIterator	6 years ago
Victor Julien	b1d4931842	rust: fix warnings about wrong type of comments "rustdoc does not generate documentation for macro expansions"	6 years ago
Victor Julien	bf1bd407dd	rust: fix libc deprecation warnings for int types	6 years ago
Victor Julien	723f1586ca	ikev2: remove excess new lines	6 years ago
Victor Julien	adcbac1c77	tftp: properly implement tx handling	6 years ago
Victor Julien	63ab296cca	nfs: fix integer underflow Fix int underflow that leads to Rust panic in NFS3 readdirplus parsing. Reported-by: Sirko Höer -- Code Intelligence for DCSO.	6 years ago
Jason Ish	8be4142aaf	dhcp: verify client id len before parsing data Verify that the client id length is at least 2 per the DHCP protocol rfc before parsing the data. Redmine issue: https://redmine.openinfosecfoundation.org/issues/2902	6 years ago
Jason Ish	9d75fdc6ea	rust/ftp: validate port components in passive reponse Make sure they are valid 8 bit integers before combining the two parts into a u16 to prevent an overflow of the u16 return value. Add unit tests to check parsing of invalid ports. Redmine issue: https://redmine.openinfosecfoundation.org/issues/2904	6 years ago
Victor Julien	f84667ceb7	nfs: small cleanups	6 years ago
Victor Julien	822a434036	nfs: implement midstream reverse flow support Register special midstream version of protocol detection that can indicate the flow is the wrong direction based on the record properties.	6 years ago
Victor Julien	0301ceab13	rust/mingw: fix missing IPPROTO_* declarations The libc crate doesn't provide these on MinGW, so define them in our 'core' instead. We only use IPPROTO_TCP and IPPROTO_UDP. Bug #2733	6 years ago
Victor Julien	422e4892cc	proto-detect: improve midstream support When Suricata picks up a flow it assumes the first packet is toserver. In a perfect world without packet loss and where all sessions neatly start after Suricata itself started, this would be true. However, in reality we have to account for packet loss and Suricata starting to get packets for flows already active be for Suricata is (re)started. The protocol records on the wire would often be able to tell us more though. For example in SMB1 and SMB2 records there is a flag that indicates whether the record is a request or a response. This patch is enabling the procotol detection engine to utilize this information to 'reverse' the flow. There are three ways in which this is supported in this patch: 1. patterns for detection are registered per direction. If the proto was not recognized in the traffic direction, and midstream is enabled, the pattern set for the opposing direction is also evaluated. If that matches, the flow is considered to be in the wrong direction and is reversed. 2. probing parsers now have a way to feed back their understanding of the flow direction. They are now passed the direction as Suricata sees the traffic when calling the probing parsers. The parser can then see if its own observation matches that, and pass back it's own view to the caller. 3. a new pattern + probing parser set up: probing parsers can now be registered with a pattern, so that when the pattern matches the probing parser is called as well. The probing parser can then provide the protocol detection engine with the direction of the traffic. The process of reversing takes a multi step approach as well: a. reverse the current packets direction b. reverse most of the flows direction sensitive flags c. tag the flow as 'reversed'. This is because the 5 tuple is not reversed, since it is immutable after the flows creation. Most of the currently registered parsers benefit already: - HTTP/SMTP/FTP/TLS patterns are registered per direction already so they will benefit from the pattern midstream logic in (1) above. - the Rust based SMB parser uses a mix of pattern + probing parser as described in (3) above. - the NFS detection is purely done by probing parser and is updated to consider the direction in that parser. Other protocols, such as DNS, are still to do. Ticket: #2572	6 years ago
Victor Julien	f7a41412d6	smb1: fix NT create andx records filename parsing Use file name parsing routines that take unicode into account and consider padding bytes as well.	6 years ago
Wesley van der Ree	cc50908f8d	smb: fix NT create filename parsing parse_smb_create_andx_request_record skipped 1 byte too much before the filename. Fixes: #2894	6 years ago
Pierre Chifflier	f90733fe3f	rust/ikev2: fix events not being raised in first message The `set_event` function requires that the transaction is already inserted, or the event set is silently lost. When parsing first IKEv2 message, first insert transaction, prepare values, and borrow back inserted transaction to update it.	6 years ago
Victor Julien	25112ee7e3	rust/smb: fix and optimize record search Get rid of struct with just a slice reference as well.	6 years ago
Pierre Chifflier	9e7f261a88	rust: fix cargo tests	7 years ago
Pierre Chifflier	f22695130b	rust: nom4 requires to add complete!() when using many! combinators	7 years ago
Pierre Chifflier	8c0cde36c6	rust: fix warnings for unused variables (add _)	7 years ago
Pierre Chifflier	13b7399790	rust: upgrade all parsers to nom4	7 years ago
Pierre Chifflier	2f08b3eabd	rust/nom4: error_code is superseded by error_position	7 years ago
Victor Julien	8b570c0293	smb: improve request/response mapping Only use ssn_id and msg_id for mapping a response to a request. By not using the tree_id it can always be included in the tx.hdr which means it can be logged properly in case of IOCTL and DCERPC.	7 years ago
Pierre Chifflier	3eade88bd8	Krb5: make TCP probing function less strict, messages can be fragmented	7 years ago
Jason Ish	b7083bc3a8	rust/dns/v2 - log rrtype in response Redmine issue: https://redmine.openinfosecfoundation.org/issues/2723	7 years ago
Jason Ish	b7a58680db	dns/rust - if let Some over options instead of loop. Except in one case where the loop makes more sense for easy break out. Also remove one line of non-conforming debug logging.	7 years ago
Jason Ish	4163d5c360	rust/dns/lua - fix call convention to match C. Also, when requesting the query, if the request doesn't exist, return the query from the response. This makes it behave more like C implementation. Redmine issue: https://redmine.openinfosecfoundation.org/issues/2730	7 years ago
Jason Ish	87250da0fc	rust/dns: add v1 dns logging Redmine issue: https://redmine.openinfosecfoundation.org/issues/2704	7 years ago
Victor Julien	0e40231189	app-layer: improve transaction cleanup handling The app layers with a custom iterator would skip a tx if during the ..Cleanup() pass a transaction was removed. Address this by storing the current index instead of the next index. Also pass in the next "min_tx_id" to be incremented from the last TX. Update loops to do this increment. Also make sure that the min_id is properly updated if the last TX is removed when out of order. Finally add a SMB unittest to test this. Reported by: Ilya Bakhtin	7 years ago
Victor Julien	eedf08be29	rust/filetracker: remove reachable panic Remove reachable panic condition when an existing file chunk is not completed. Instead trunc the file and reset. Related to bug #2717	7 years ago
Victor Julien	1b1e136c4f	nfs: improve file tracking under packet loss In case of packet loss during an in-progress chunk the file tracker could loose track of a file because it couldn't map the XID to a file handle. The file tracker would then panic if a new file was opened, as it noticed the last chunk wasn't yet complete. This patch tracks the file handle for a in-progress chunk in the state, just like the tracking of the size that is left. Bug #2717	7 years ago
Victor Julien	27f87567ca	rust/nfs: improve debug output	7 years ago
Victor Julien	c62273f4fd	rust/smb: silence noisy debug messages	7 years ago
Victor Julien	083908f3be	rust/ike2: free destate on tx free Bug #2604	7 years ago
Victor Julien	4d5024255f	smb/dcerpc: remove now unused ssn2maxsize_map	7 years ago
Victor Julien	4d044483cf	smb/dcerpc: clean up and unify DCERPC probe logic	7 years ago
Victor Julien	ac4e888597	smb2/dcerpc: probe if response data is dcerpc If we missed the tree connect we can't know for sure if we're reading from a (DCERPC) PIPE or not. In this case probe the data to see if it looks like DCERPC. If the detection succeeds, use a special 'suricata::dcerpc' service in the TX. Simplify handling of DCERPC records that cross records Update logging for the response only TXs.	7 years ago
Victor Julien	9dd7c38113	smb2: skip rest of READ response if status is not success	7 years ago
Victor Julien	ae10a92bc6	rust/applayer: use correct return type for Parser The mismatch between the types would randomly lead to the return code of the Rust parser to be not correctly handled over the C/Rust boundary. This would lead to the API considering a parser to be in error state when it was not.	7 years ago
Jason Ish	58933bafc1	rust app layer template: functions to get buffers Example functions for getting the request and response buffers. Useful for running detection on the decoded buffers.	7 years ago
Jason Ish	01f7dcf5fd	rust template parser: sample pcap	7 years ago
Jason Ish	c3f1a35e28	rust: app-layer template parser and logger The protocol is a simple request/reply based protocol that can be hand driven with netcat. Request -> 12:Hello World! Response -> 3:Byte Its of the format <length>:<message> where length is the length of the message, not including the length or the delimiter.	7 years ago
Jason Ish	9636b9de32	rust: expose AppLayerParserStateIssetFlag to Rust.	7 years ago
Jason Ish	1c6bc5754c	dhcp: check length of option before accessing Prevent Rust index out of bounds panic. Redmine issue: https://redmine.openinfosecfoundation.org/issues/2571	7 years ago
Jason Ish	7bc2469eb1	dhcp: remove println!() that got committed	7 years ago
Victor Julien	a337908c78	rust/dhcp: free events and destate at tx end	7 years ago
Victor Julien	edd0c2246c	smb1: add SMB1_COMMAND_QUERY_INFO_DISK command mapping	7 years ago
Maurizio Abba	bf4398b15d	output-json: ensure string is json-encodable Substitute json_string with SCJsonString custom function. SCJsonString will ensure string passed is json-encodable (utf-8). If it's not, the string will be converted in such a way that any non-printable character will be encoded in its hex form. The resulting json object will be returned. rust modification will encode any non-printable character during its conversion in to_cstring.	7 years ago
Victor Julien	177966970a	smb: probing parser improvement	7 years ago
Victor Julien	fd38989113	proto/detect: remove probing parser offset argument Remove offset argument as it was unused.	7 years ago
Victor Julien	c6e79f4410	nfs4: create tx for CREATE procedure	7 years ago
Victor Julien	90e0e3da27	nfs: fix applying nfs3 logging logic to nfs4	7 years ago
Victor Julien	cb3abba1e0	nfs4: log remove procedure + add multi-proc support Add TX creation for NFS4 transactions. Start with the 'REMOVE' procedure. Start on logging all procs. In NFS4 COMPOUND records there are multiple procedures. One of them can be considered the 'main' procedure, with others as supporting utility. This patch adds the first step in supporting to track those in the TX for logging and inspection.	7 years ago
Victor Julien	ff518e5c64	nfs4: for putrootfh set 'mount root' as name	7 years ago
Victor Julien	22e0fc97f8	nfs: rename generic functions from nfs3 to nfs	7 years ago
Victor Julien	d22c170c38	nfs: move v2 parsing into own file	7 years ago
Victor Julien	9b42073e54	nfs3: move nfs3 specific handling into own file	7 years ago
Victor Julien	4c09766b33	nfs: request parser cleanup	7 years ago
Victor Julien	f570905f8c	nfs: get rid of reachable panic statements	7 years ago
Victor Julien	8a1af5c367	nfs4: remove panic calls, set events instead	7 years ago
Victor Julien	f2382356b1	nfs4: support 4.1 SEQUENCE procedure	7 years ago
Victor Julien	2b581cd6db	smb: log trans2 that enable delete on close	7 years ago
Victor Julien	eefac0ef95	smb1: add support for trans2 set_path_info rename	7 years ago
Victor Julien	1b86d4e1a2	smb: improve dcerpc logic Detect whether a pipe is a dcerpc channel based on the name of the pipe.	7 years ago
Victor Julien	7c8a078a2c	smb1: improve NT Create response record parsing	7 years ago
Victor Julien	2e6014b15c	rust/smb: search for record on midstream start Calls with both START and MIDSTREAM mean the record might be cut and the start of it could be missing. For this case, enable the same logic as is used when catching up after a GAP. Search for the start of the record instead of assuming it sits exactly at the start of the input data.	7 years ago
Victor Julien	905d9a1dd8	rust: define all STREAM_* types	7 years ago
Victor Julien	7bc3c3ac6e	app-layer: pass STREAM_* flags to parser Pass the STREAM_* flags to the app-layer parser functions so that the parser can know more about how it is called.	7 years ago
Victor Julien	b5bc509857	dhcp: suppress notice message at startup	7 years ago
Jason Ish	d83707bef9	rust/dns - remove extra parantheses Removes rust compiler warning. Redmine issue: https://redmine.openinfosecfoundation.org/issues/2521	7 years ago
Jason Ish	9210d8743b	rust/dhcp: Rust based DHCP decoder and logger. This is a DHCP decoder and logger written in Rust. Unlike most parsers, this one is stateless so responses are not matched up to requests by Suricata. However, the output does contain enough fields to match them up in post-processing. Rules are included to alert of malformed or truncated options.	7 years ago
Jason Ish	1b0b74dc16	rust: a Rust ConfNode wrapper. A Rust wrapper around the C ConfNode object. Currenlty only exposes ConfGetChildValueBool and ConfGetChildValue.	7 years ago
Jason Ish	2ec3381600	rust/app-layer: macros to export de_state functions These macros generate the extern "C" functions for transactions structs that need provide functions for setting and getting the de_state. The idea is to provide macros do avoid code duplication and make it simpler to create an app-layer. A trait would be the correct solution, but it doesn't look like you can use traits to export extern "C" functions.	7 years ago
Jason Ish	da4912dfe7	rust: add get_tx_iterator to parser registration	7 years ago
Pierre Chifflier	e9ae62ed05	Kerberos 5: properly handle TCP buffering	7 years ago
Pierre Chifflier	1076c7cd47	Add krb5_err_code detection keyword	7 years ago
Pierre Chifflier	d6b9c0294a	Add krb5_cname and krb5_sname detection keywords	7 years ago
Pierre Chifflier	0bd81ff838	Add krb5_msg_type detection keyword	7 years ago
Pierre Chifflier	5037051161	Kerberos 5: rename weak crypto to weak encryption, and log it	7 years ago
Pierre Chifflier	6ae53a1869	Add event rules for Kerberos 5	7 years ago
Pierre Chifflier	3a017f61b0	Kerberos 5: pretty-print error code when logging	7 years ago
Pierre Chifflier	52f5c7914f	Log Kerberos 5 errors	7 years ago
Pierre Chifflier	1e5f5d405f	Kerberos 5: add support for TCP as well	7 years ago
Pierre Chifflier	645ba17509	Kerberos: check version in probing function	7 years ago
Pierre Chifflier	fd175f2bfb	Add logger for Kerberos 5 metadata	7 years ago
Pierre Chifflier	77f0c11c9e	Add Kerberos 5 application layer	7 years ago
Pierre Chifflier	2d1c4420de	Update ntp-parser to 0.2.0	7 years ago
Victor Julien	73d94fff73	nfs4: support records wrapped in GSSAPI integrity	7 years ago
Victor Julien	53fa2af07c	nfs4: fix attr parsing corner case	7 years ago
Victor Julien	39489bc5fd	nfs4: implement COMMIT parsing and handling	7 years ago
Victor Julien	c7cb01b636	nfs4: parse GSSAPI init	7 years ago
Victor Julien	bfa60753f9	nfs4: create link support	7 years ago
Victor Julien	06f6c15954	nfs4: initial implementation Implements record parsing and file extraction for READs and WRITEs. Defines all types from RFC 7530.	7 years ago
Victor Julien	75c5722b7e	nfs/rpc: add parser for GSSAPI Integrity records	7 years ago
Victor Julien	f40fc0293b	smb: minor optimizations	7 years ago
Victor Julien	f201a3761f	rust: remove multi level 'experimental' Don't treat 'external' parsers as more experimental. All parsers depend on crates to some extend, and all have C glue code. So the distinction doesn't really make sense.	7 years ago
Pierre Chifflier	d222b9ae6c	IKEv2: Use JSON arrays instead of comma-separated values	7 years ago
Pierre Chifflier	bf66948ad7	IKEv2: suppress some debug output	7 years ago
Pierre Chifflier	3fbfb22204	IKEv2: remove events counter	7 years ago
Pierre Chifflier	4e4cf00c07	Remove the 'experimental' mark for IKEv2	7 years ago
Pierre Chifflier	f65fafa34b	IKEv2 logger: use Debug trait for IkePayloadType	7 years ago
Pierre Chifflier	d94346282c	Add logger for IKEv2	7 years ago
Pierre Chifflier	c99b9462d7	Add new parser: IKEv2 Add a new parser for Internet Key Exchange version (IKEv2), defined in RFC 7296. The IKEv2 parser itself is external. The embedded code includes the parser state and associated variables, the state machine, and the detection code. The parser looks the first two messages of a connection, and analyzes the client and server proposals to check the cryptographic parameters.	7 years ago
Pierre Chifflier	b810275b16	Rust: fix prototype of parsing function (make pstate mutable)	7 years ago
Pierre Chifflier	8e8f0db192	Rust: expose function AppLayerParserStateSetFlag	7 years ago
Victor Julien	91307dafd9	nfs/rpc: fix reponse parsing	7 years ago
Victor Julien	b1e2783788	auth/krb5: move kerberos5 wrapper to rust root Make it available outside of just the SMB parser.	7 years ago
Victor Julien	4d58aaae90	smb: clean up partial read/write record handling	7 years ago
Victor Julien	aa8d64c2b8	smb: improve skip handling When skipping records the skip tracker could underflow if the record parsing had more data than expected. Enforce the calculation by moving it into a method and make the actual fields private.	7 years ago
Victor Julien	eac7a92200	smb2: improve read/write record parsing parse_smb2_response_read()/parse_smb2_response_write() can be called on incomplete data, so they didn't use the read/write length field to grab the data field. Instead it just used rest(). However in some cases SMB2 records have trailing data, which would be included in the READ/WRITE data. This patch addresses this by using the length field if enough data is available.	7 years ago
Victor Julien	53f63f7498	nfs/rpc: improve RPCv2 parser, add GssApi Improve RPCv2 credentials parsing. Add GssApi and turn creds into an enum. Minor cleanups and optimizations.	7 years ago
Victor Julien	47ebef3af8	nfs: minor cleanup	7 years ago
Victor Julien	ea1e13cb00	smb: suppress notice messages	7 years ago
Pierre Chifflier	576b8ef722	SMB: simplify code	7 years ago
Pierre Chifflier	cf5de0c58e	SMB: use String::from_utf8_lossy in logging functions	7 years ago
Pierre Chifflier	b5529e4ffb	SMB: use kerberos-parser to extract Real and PrincipalName	7 years ago
Victor Julien	0dfb3f0e7f	smb1: extract rename info from TRANS2 Exclude TRANS2 from generic TX lookup bypass.	7 years ago
Victor Julien	8eeda113c8	smb1: add parsing for RENAME command	7 years ago
Victor Julien	7b61f2c589	smb2: log renames	7 years ago
Victor Julien	15978d4e85	smb: if filename is missing, use '<unknown>'	7 years ago
Jason Ish	27fd521420	eve/dns/v2: support eve/dns v2 in rust	7 years ago
Jason Ish	57d9574839	rust/json: expose more of jansson to rust	7 years ago
Victor Julien	71742ed52b	smb: share can't be <share_root>	7 years ago
Victor Julien	bc193242ad	smb1: add OPEN_ANDX command name for logging	7 years ago
Victor Julien	32b19fac99	smb2: don't log/track each READ/WRITE/etc	7 years ago
Victor Julien	fb986abe81	smb: log file FID/GUID as fuid	7 years ago
Victor Julien	816bd022a6	smb1: improve non nt-status handling Support SRV error, with a couple of codes. Rename statux field to status_code.	7 years ago
Victor Julien	0519807639	smb1: ignore tree_id in session setup	7 years ago
Victor Julien	286c054472	smb: improve nbss/smb record detection	7 years ago
Victor Julien	7ab071a58d	rust/smb: implement minimal record parsing in probing	7 years ago
Victor Julien	283be3cade	smb2: break out ioctl handling	7 years ago
Victor Julien	bf08285602	smb2: parse async records	7 years ago
Victor Julien	5c26020714	smb2: add ioctl transactions to log the funcs	7 years ago
Victor Julien	75265ec376	smb2: map ioctl funcs to names List is based on Wireshark's list.	7 years ago
Victor Julien	7cd66516f0	smb: use formal MS names for disposition	7 years ago
Victor Julien	f7ed749d4f	smb: disable debug output	7 years ago
Victor Julien	eed492547c	smb1: extract server guid from negotiate	7 years ago
Victor Julien	6d56edc3de	smb2: log client and server guid from negotiate	7 years ago
Victor Julien	c56f5e11ca	smb2: log share type	7 years ago
Victor Julien	d75ebdb981	smb: log create empty filename as '<share_root>' like Bro does	7 years ago
Victor Julien	fcbeab70a4	smb1: log create 'service' fields	7 years ago
Victor Julien	90e2abaac4	smb1: use generic string parsing for trans	7 years ago
Victor Julien	76917a8732	smb1: generic smb string parse func	7 years ago
Victor Julien	668c747aee	smb1: more exact tree connect record parsing	7 years ago
Victor Julien	0ed00cf104	smb: move common parsing funcs into own file	7 years ago
Victor Julien	1c701dc50e	smb: make string parsing functions public	7 years ago
Victor Julien	1d4aac1d4d	smb1: set event on empty/malformed dialect	7 years ago
Victor Julien	c91242e71c	smb: rename file to filename in output	7 years ago
Victor Julien	caf29e92b3	smb1: parse and log timestamps in CREATE	7 years ago
Victor Julien	0e05ef7369	smb2: parse and log timestamps in CREATE	7 years ago
Victor Julien	28f16e38ac	smb1: disable 'generic tx's for common commands Don't create a generic TX for each READ, WRITE, TRANS, TRANS2, except if they cause events to trigger.	7 years ago
Victor Julien	78cd92a933	smb: generic event per trans/read/write for tx events	7 years ago
Victor Julien	05992f1772	smb: fix event handling when no tx is available	7 years ago
Victor Julien	be615c9fbc	smb: small cleanups, fixes and optimizations	7 years ago
Victor Julien	dab055d8c8	smb: update to der-parser 0.5.1	7 years ago
Victor Julien	0d69e7b8c2	smb: remove unused dialects from state	7 years ago
Victor Julien	ad1bc7f473	smb1: minor debug improvment	7 years ago
Victor Julien	a44504a1bf	smb: redo gap catch up handling	7 years ago
Victor Julien	7114d5d25b	smb1: parser cleanups	7 years ago
Victor Julien	d9e43d3e63	smb: cleaner server component parsing	7 years ago
Victor Julien	ecbf10da70	smb2: improve write error handling	7 years ago
Victor Julien	b34392051d	smb3: parse transform records	7 years ago
Victor Julien	894a73ee06	smb2: add missing commands and improve ioctl err handling	7 years ago
Victor Julien	170edf7c44	smb1: improve error handling	7 years ago
Victor Julien	7ceb67138f	smb: add status	7 years ago
Victor Julien	98b926bf72	smb1: implement WRITE_AND_CLOSE	7 years ago
Victor Julien	595557eb8d	smb1: locking andx may have no response	7 years ago
Victor Julien	7dff9b9969	smb/nbss: work around bad traffic	7 years ago
Victor Julien	8bef120898	smb: session setup improvements Improve ntlmssp version extraction and logging, make its data structures optional. Extract native os/lm from smb1 ssn setup. Move session setup handling into their own files. Only log auth data for the session setup tx.	7 years ago
Victor Julien	75d7c9d64a	rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)	7 years ago
Pierre Chifflier	b69acaadf5	Rust: add 'debug' feature The 'debug' feature is enabled if suricata was configured with the --enabled-debug' flag. If enabled, the SCLogDebug format and calls the logging function as usual. Otherwise, this macro is a no-op (similarly to the C code).	7 years ago
Victor Julien	053022931c	rust/json: add array_append_string	7 years ago
Victor Julien	73fac478a2	rust/dns: fix nom verbose error mode	7 years ago
Jason Ish	c411519605	app-layer: remove has events callback - not used	8 years ago
Pierre Chifflier	92b537d028	rust: update 'external' api for app layer changes Remove unused HasTxDetectState function and remove state argument from SetTxDetectState. Update NTP code.	8 years ago
Victor Julien	f815027cdf	rust/dns: simplify tx freeing Now that we no longer need the state when freeing a TX, we can simply do cleanup from the Drop trait.	8 years ago
Victor Julien	7548944b49	app-layer: remove unused HasTxDetectState call Also remove the now useless 'state' argument from the SetTxDetectState calls. For those app-layer parsers that use a state == tx approach, the state pointer is passed as tx. Update app-layer parsers to remove the unused call and update the modified call.	8 years ago
Victor Julien	1c270cae13	nfs: remove old test code	8 years ago
Victor Julien	e96d9c1159	app-layer: add tx iterator API Until now, the transaction space is assumed to be terse. Transactions are handled sequentially so the difference between the lowest and highest active tx id's is small. For this reason the logic of walking every id between the 'minimum' and max id made sense. The space might look like: [..........TTTT] Here the looping starts at the first T and loops 4 times. This assumption isn't a great fit though. A protocol like NFS has 2 types of transactions. Long running file transfer transactions and short lived request/reply pairs are causing the id space to be sparse. This leads to a lot of unnecessary looping in various parts of the engine, but most prominently: detection, tx house keeping and tx logging. [.T..T...TTTT.T] Here the looping starts at the first T and loops for every spot, even those where no tx exists anymore. Cases have been observed where the lowest tx id was 2 and the highest was 50k. This lead to a lot of unnecessary looping. This patch add an alternative approach. It allows a protocol to register an iterator function, that simply returns the next transaction until all transactions are returned. To do this it uses a bit of state the caller must keep. The registration is optional. If no iterator is registered the old behaviour will be used.	8 years ago
Pascal Delalande	80f2fbac6e	rust/tftp: eve logging with rust	8 years ago
Clement Galland	b9cf49e933	rust/tftp: add tftp parsing and logging TFTP parsing and logging written in Rust. Log on eve.json the type of request (read or write), the name of the file and the mode. Example of output: "tftp":{"packet":"read","file":"rfc1350.txt","mode":"octet"}	8 years ago
Victor Julien	e8939335ea	rust/nfs: explicitly handle GAPs from C It seems that Rust optimizes this code in such a way that it passes the null ptr along as real data. if buf.as_ptr().is_null() && input_len > 0 {	8 years ago
Victor Julien	2c3c8f8b85	rust/filetracker: if file API return error, trunc file	8 years ago
Victor Julien	d27ed5957f	rust/nfs: fix read reply handling READ replies with large data chunks are processed partially to avoid queuing too much data. When the final chunk was received however, the start of the chunk would already tag the transaction as 'done'. The more aggressive tx freeing that was recently merged would cause this tx to be freed before the rest of the in-progress chunk was done. This patch delays the tagging of the tx until the final data has been received.	8 years ago
Victor Julien	3a2e4614d0	rust/file: handle file open errors	8 years ago
Victor Julien	45c5030ff0	rust/file: change return type for FileOpenFileWithId Make it int so we can easily check it in Rust. No consumer used the File pointer that was returned before anyway.	8 years ago
Victor Julien	288ddc95ac	rust/core: comment cleanup	8 years ago
Victor Julien	8cda2a4351	rust/nfs: add support for detect_flags API	8 years ago
Victor Julien	98eca55241	rust/dns: implement detect_flags API	8 years ago
Pierre Chifflier	4b6555588f	NTP: ensure parser name is not freed after registration	8 years ago
Pierre Chifflier	ec62eedc87	Rust: remove deprecated functions LoggerFlags::get_logged/set_logged	8 years ago
Pierre Chifflier	5c6868b327	NTP: update logger to use new API	8 years ago
Victor Julien	bca0cd71ae	app-layer: use logger bits to avoid looping Avoid looping in transaction output. Update app-layer API to store the bits in one step and retrieve the bits in a single step as well. Update users of the API.	8 years ago
Victor Julien	e1e9ada9df	rust/nfs: improve file close handling	8 years ago
Nick Price	350b5d99ce	rust/nfs: don't panic on malformed NFS traffic Instead set events.	8 years ago
Pierre Chifflier	f5b27ae767	Rust: fix probing function prototype: change sign and add Flow	8 years ago
Eric Leblond	b0a6934431	app-layer-ftp: add ftp-data support Use expectation to be able to identify connections that are ftp data. It parses the PASV response, STOR message and the RETR message to provide extraction of files. Implementation in Rust of FTP messages parsing is available. Also this patch changes some var name prefixed by ssh to ftp.	8 years ago
Jason Ish	5a8537fe4a	rust/dns - convert more type values to text Issue: https://redmine.openinfosecfoundation.org/issues/2364 Convert more record type and errr code values to text. Remove duplicate type declarations.	8 years ago
Clément Galland	3396747cd6	Dns logger display flags information	8 years ago
Pierre Chifflier	83808bbdad	rust/ntp: convert parser to new registration method Converting the NTP parser to the new registration method is a simple, 3-steps process: - change the extern functions to use generic input parameters (functions in all parsers must share common types to be generic) and cast them - declare the Parser structure - remove the C code and call the registration function	8 years ago
Pierre Chifflier	e7c0a53cbf	rust/applayer: add registration iface for parsers Add Rust support for the common interface to declare and register all parsers. Add a common structure definition to contain all required elements required for registering a parser, similar to the C interface. This also reduces the risk of incorrectly registering a parser: the compiler prevents omitting required functions from the structure, and functions (even if external) are type-checked. Optional functions are explicitly marked.	8 years ago
Victor Julien	d9e5dfa1f0	rust/file: improve truncation handling	8 years ago
Victor Julien	e023ce9aad	rust/dns: fix new warning in rustc 1.21	8 years ago
Victor Julien	fd38e5e82b	rust/nfs: fix new warnings in rustc 1.21	8 years ago
Pierre Chifflier	e4129c1568	Rust/Lua: cast value to arch-dependant type (fix build on x86, #2197 )	8 years ago
Jason Ish	6a4cefb7c5	rust: --enable-rust-strict to turn warnings into errors	8 years ago
Jason Ish	3063851d85	rust/dns/tcp - probe even if payload is short As the DNS probe just uses the query portion of a response, don't require there to be as many bytes as specified in the TCP DNS header. This can occur in large responses where probe is called without all the data. Fixes the cases where the app proto is recorded as failed. Fixes issue: https://redmine.openinfosecfoundation.org/issues/2169	8 years ago
Victor Julien	a306ccfd34	rust/nfs: implement events Remove lots of panic statements in favor of setting non-fatal events. Bug #2175.	8 years ago
Victor Julien	82bd732f4e	rust/nfs: improve proto detect	8 years ago
Victor Julien	6b4a04510a	rust/nfs: remove debug rec_size check Records larger than 40k are perfectly valid. Bug #2162.	8 years ago
Jason Ish	40991cab82	rust/dns: handle multiple txt strings Fix handling of TXT records when there are multiple strings in a single TXT record. For now, conform to the C implementation where an answer record is created for each string in a single txt record. Also removes the data_len field from the answer entry. In Rust, the length is available from actual data, which after decoding may actually be different than the encoded data length, so just use the length from the actual data.	8 years ago
Pierre Chifflier	8a0549c42e	NTP: change parse function to return the number of parsed messages	8 years ago
Pierre Chifflier	efe11dc37e	Add NTP parser (rust-experimental)	8 years ago
Jason Ish	f5a90e26a9	rust: for sclog*, strip nul bytes before logging	8 years ago
Jason Ish	717b826d25	rust: safe string handling in logging In logging (SCLog*), safely convert strings to cstrings instead of blindly unwrapping them. Also implement a simple rust logger if the Suricata C context is not available.	8 years ago
Victor Julien	7c119cc595	nfs: log number of chunks that xfer'd a file	8 years ago
Victor Julien	e8dae2e093	nfs: add to fileinfo events	8 years ago
Victor Julien	db2d928151	rust/nfs: add (file)handle to log as crc32	8 years ago
Jason Ish	829155b9d5	rust/dns: pass byte arrays directly to rust/json Using the json.set_string_from_bytes which will safely convert the bytes printable ascii string before logging.	8 years ago
Jason Ish	96cc503026	rust/lua: use lua_pushlstring for strings Lua strings can contain NULLs, and Rust strings are UTF8 which can also contain NULLs. Use pushlstring so a NULL containing string can be pushed.	8 years ago
Jason Ish	6dbc5be4be	rust/json: only output printable characters Rust strings are UTF8 and we cannot yet rely on jansson having json_stringn on all supported OS distributions yet so sanitize strings to ascii before printing. Also add set_string_from_bytes which is like set_string, but accepts a byte array as input.	8 years ago
Victor Julien	becf1a2dfe	rust/nfs: fix style warning	8 years ago
Victor Julien	e0c6565e68	nfs: nfs_version keyword Store nfs version in tx and add keyword to match on it.	8 years ago
Victor Julien	aff576b524	eve/nfs: log nfs version	8 years ago
Victor Julien	0d79181d78	nfs: rename nfs3 to nfs Since the parser now also does nfs2, the name nfs3 became confusing. As it's still in beta, we can rename so this patch renames all 'nfs3' logic to simply 'nfs'.	8 years ago
Victor Julien	28cdf7b628	nfs3: create file tx for read on request This is done so that we can add creds to it.	8 years ago
Victor Julien	7e0d9619ac	nfs3: add readdirplus path	8 years ago
Victor Julien	41376da03c	nfs: log more rpc	8 years ago
Victor Julien	9edbb6f235	nfs: split record parsers into different files	8 years ago
Victor Julien	25edac7666	nfs3: fill bytes corner case	8 years ago
Victor Julien	5153271b87	nfs2: basic record parsing and tracking	8 years ago
Victor Julien	c7e10c73f9	nfs3: support NFS over UDP	8 years ago
Victor Julien	d9f87cec3d	nfs3: probing parsers in both directions	8 years ago
Victor Julien	8fe32f943b	nfs3: search for next record if needed after GAP	8 years ago
Victor Julien	58af39131f	rust/nfs: handle GAPs In normal records it will try to continue parsing. GAP 'data' will be passed to file api as '0's. New call is used so that the file API does know it is dealing with a GAP. Such files are flagged as truncated at the end of the file and no checksums are calculated.	8 years ago
Victor Julien	a116c16019	nfs3: parse mkdir and rmdir request records	8 years ago
Jason Ish	c473c56eed	rust/dns: fix panic on rrnames with bad chars Check for erros in the UTF-8 conversion, on error, print the the printable chars as chars, and print non printable chars as \xHEX. Redmine issue: https://redmine.openinfosecfoundation.org/issues/2148	8 years ago
Jason Ish	ecc63481c6	rust/dns: fix tcp message length verification And add Rust unit tests to check length validation. Redmine issue 2144: https://redmine.openinfosecfoundation.org/issues/2144	8 years ago
Jason Ish	70808a4f1d	rust/dns: support gaps in TCP DNS	8 years ago
Jason Ish	4bdb722371	rust/dns: fix unit tests on Rust 1.7.0	8 years ago
Jason Ish	2aebfbce94	rust/dns: support txt records	8 years ago
Jason Ish	33e09a0002	rust dns: fixup for nom 3.0	8 years ago
Victor Julien	098aced714	rust/nfs/files: no longer Option/Box	8 years ago
Victor Julien	75a6a13790	rust/nfs: move files into tx type data	8 years ago
Victor Julien	de7e0614fa	rust/nfs: add more record types	8 years ago
Victor Julien	d6592211d0	rust/nfs: NFSv3 parser, logger and detection	8 years ago
Victor Julien	71ddc43d49	rust/core: add file tx API call	8 years ago
Victor Julien	9a1fa5f1f4	rust: filetracker API Initial version of a filetracker API that depends on the filecontainer and wraps around the Suricata File API in C. The API expects chunk based transfers where chunks can be out of order.	8 years ago
Victor Julien	a809f090d3	rust: filecontainer API Wrapper around Suricata's File and FileContainer API. Built around assumption that a rust owned structure will have a 'SuricataFileContainer' member that is managed by the C-side of things.	8 years ago
Victor Julien	f47fd2c243	rust/json: expose json_boolean	8 years ago
Jason Ish	ba1a67e2cb	rust: dns: add log filtering on rrtype While the filtering is still configured in C, the filtering flags are passed into Rust so it can determine if a record should be logged or not.	8 years ago
Jason Ish	c54fc7f98f	rust: use LoggerFlags type to track logged state	8 years ago
Jason Ish	b588b49779	rust: lua support for DNS based Rust Uses Rust wrappers around Lua to populate Lua data structures.	8 years ago
Jason Ish	9d687025e2	rust: lua wrapper Rust wrapper for working with lua state.	8 years ago
Jason Ish	73388042b2	rust: DNS app-layer. A DNS application layer in Rust. This is different than the C based one, as it is partially stateless by not matching up responses to replies.	8 years ago
Jason Ish	9449739dd5	rust: dns: nom DNS parsers	8 years ago
Jason Ish	94032d3ada	rust: wrapper around C logging, and "context" Where the context is a struct passed from C with pointers to all the functions that may be called. Instead of referencing C functions directly, wrap them in function pointers so pure Rust unit tests can still run.	8 years ago
Jason Ish	e739fa1477	rust: add libjansson wrapper for rust	8 years ago
Jason Ish	f6f126d53d	rust: example of how an app-layer may be initialized Also shows basic usage of the configuration API from Rust.	8 years ago
Jason Ish	949b358b80	rust: stub out configuration access functions	8 years ago
Jason Ish	de5bb1f953	rust: stub out logging from rust	8 years ago
Jason Ish	cf0b9dd45f	rust: add rust skeleton tree	8 years ago

... 8 9 10 11 12 ...

903 Commits (9b275d3878643fa27ac4f54d74ba66b51e115459)