Commit Graph

12913 Commits (a6bda3596bdd1a0ac04afe5553609c6f7cba0023)
 

Author SHA1 Message Date
Philippe Antoine ed11e32076 enip: fix too restrictive check in probing parser
As is shown later in the code, enip_len can be
ENIP_LEN_REGISTER_SESSION which is 4, which is
smaller than sizeof(ENIPEncapHdr) which is 24
4 years ago
Philippe Antoine 09c84d0c26 fuzz: use fuzzing confyaml for protodetect target
As is done for other targets,
so that all app-layer protocols are enabled,
even the ones disabled by default such as enip

And resets protocol detection every time we try
so that probing_parser_toserver_alproto_masks are fresh.
4 years ago
Jason Ish cda11b8d97 doc/update: mention change of default rule path 4 years ago
Jason Ish 8071d8239e doc: update rule section to current default
Update the rule section to better describe whats seen in a default
install of Suricata including a link to the rule management section.
4 years ago
Jason Ish 9d7a497cc1 rule-path: always use $localstatedir/lib/suricata/rules
Always use the same path for default-rule-path whether or not
Suricata-Update will be installed as part of the Suricata install or
not.

This provides consistency, and maps better to our recommendation that
Suricata-Update be used to manage rules.

Probably should have been done as part of
55852d0de3.

Ticket #4912.
4 years ago
Victor Julien 44c9241b6a telnet: initial support with frames
Bootstrapped using setup script. Basic option parsing for purpose
of tagging frames.
4 years ago
Victor Julien fc4279de85 htp: improve request/response size accuracy 4 years ago
Victor Julien 52ad906d31 htp: implement basic request/response frames 4 years ago
Victor Julien af797b5926 ssl: implement frames for SSLv3 and TLS 4 years ago
Jason Ish 3cdefd5f8b smb: use derive AppLayerFrameType 4 years ago
Victor Julien 0c9fdf8f4f smb: implement frames
SMB1 record parsing code simplification.

Frames:

    nbss.pdu
    nbss.hdr
    nbss.data

    smb1.pdu
    smb1.hdr
    smb1.data

    smb2.pdu
    smb2.hdr
    smb2.data

    smb3.pdu
    smb3.hdr
    smb3.data

The smb* frames are created for valid SMB records.
4 years ago
Victor Julien a492d94826 detect/frames: implement 'frame' keyword
Implement a special sticky buffer to select frames for inspection.

This keyword takes an argument to specify the per protocol frame type:

    alert <app proto name> ... frame:<specific frame name>

Or it can specify both in the keyword:

    alert tcp ... frame:<app proto name>.<specific frame name>

The latter is useful in some cases like http, where "http" applies to
both HTTP and HTTP/2.

    alert http ... frame:http1.request;
    alert http1 ... frame:request;

Examples:

    tls.pdu
    smb.smb2.hdr
    smb.smb3.data

Consider a rule like:

    alert tcp ... flow:to_server; content:"|ff|SMB"; content:"some smb 1 issue";

this will scan all toserver TCP traffic, where it will only be limited by a port,
depending on how rules are grouped.

With this work we'll be able to do:

    alert smb ... flow:to_server; frame:smb1.data; content:"some smb 1 issue";

This rule will only inspect the data portion of SMB1 frames. It will not affect
any other protocol, and it won't need special patterns to "search" for the
SMB1 frame in the raw stream.
4 years ago
Victor Julien 02f98796a7 detect/frames: limit mixing frames and other detection
Don't allow mixing of payload/stream/tx and frame keywords. Initial
support is only for 'pure' frame inspection.
4 years ago
Victor Julien 3cbe33de57 detect/analyzer: add frame support 4 years ago
Victor Julien f6f124f283 detect/engine: support frames
Implement the low level detect engine support for inspecting frames,
including MPM, transforms and inspect API's.
4 years ago
Victor Julien c0ec3984fa eve/alert: add support for logging frame
If detection was done in a frame, the frame will be added to the
eve.alert output.
4 years ago
Victor Julien 60bfade351 eve: implement frame logging
This is mostly to assist development and QA. It produces too much data
for practical use.
4 years ago
Jason Ish 8a40b7b42e cbindgen: ignore frames module 4 years ago
Jason Ish de870e2fbf rust: derive macro for app-layer frame type 4 years ago
Jason Ish 0ece208074 rust/applayer: create trait for app-layer frame types 4 years ago
Jason Ish cb7f7a7e08 app/frames: implement rust API 4 years ago
Victor Julien a27ee49c73 app-layer: move app_progress forward on errors as well
In case of APP_LAYER_ERROR still move the app_progress forward.
This helps validation of frame offsets and should be harmless
otherwise.
4 years ago
Victor Julien 1556e86c7d app/frames: initial support
The idea of stream frames is that the applayer parsers can tag PDUs and
other arbitrary frames in the stream while parsing. These frames can then
be inspected from the rule language. This will allow rules that are more
precise and less costly.

The frames are stored per direction in the `AppLayerParserState` and will only
be initialized when actual frames are in use. The per direction storage has a
fixed size static portion and dynamic support for a larger number. This is done
for effeciency.

When the Stream Buffer slides, frames are updated as they use offsets relative
to the stream. A negative offset is used for frames that started before the
current window.

Frames have events to inspect/log parser errors that don't fit the TX model.

Frame id starts at 1. So implementations can keep track of frame ids where 0
is not set.

Frames affect TCP window sliding. The frames keep a "left edge" which
signifies how much data to keep for frames that are still in progress.
4 years ago
Victor Julien e6f49e5a05 app/frames: implement name to id API for frames 4 years ago
Victor Julien eeee740e84 stream: add util function to get 'usable' data 4 years ago
Philippe Antoine a6cb539054 ci: do not use ppa for cocci
As this version segfaults
4 years ago
Pierre Chifflier 3e19ccdc0c rust/http2: convert parser to nom7 functions (HTTP2 ranges) 4 years ago
Pierre Chifflier f8647b0ffb rust/http2: convert parser to nom7 functions (HTTP2 core functions) 4 years ago
Lukas Sismis 52d8d35453 dpdk: fix received/error counters 4 years ago
Victor Julien 3cbbe66ea2 tests/pppoe: clean up more tests to use PASS/FAIL macros 4 years ago
Steven Ottenhoff 6bf2117056 pppoe: fix protocol field length variation
Detect when protocol field is not a 16 bit field.
Added tests to prove logic

Ticket: 4810
4 years ago
Steven Ottenhoff 260bc03603 test/pppoe: refactor to use FAIL/PASS macros 4 years ago
Modupe Falodun 3dbf74ff10 detect-file-data: remove SMTP unittests
These tests are reimplemented as Suricata-verify tests

Task: 4938
4 years ago
Eric Leblond 264eddb81f output/alert: don't call basic logging twice
Issue: 4106
4 years ago
Victor Julien a7e77dd22d stream: suppress noisy debug message 4 years ago
Victor Julien 78f5e082f5 stream: fix stream pruning being too aggressive
Pruning of StreamBufferBlocks could remove blocks that fell entirely
after the target offset due to a logic error. This could lead to data
being evicted that was still meant to be processed in theapp-layer
parsers.

Bug: #4953.
4 years ago
Victor Julien 544ff0fb52 stream: debug code for showing segment list state 4 years ago
Jeff Lucovsky f30d8ece80 detect: Avoid recomputing ntohl() in addr match
This commit makes a small optimization when comparing IPv4 and IPv6
addresses by making the host order value invariant and calculating the
value once, before entering the loop.
4 years ago
Philippe Antoine 86ea7f2474 file: define own variable instead of PATH_MAX
to be used for maximum size of file names,
and not depend on the OS
4 years ago
Philippe Antoine c56b1c99d5 ssl: fix int warnings
especially increasing padding_len size
4 years ago
Philippe Antoine 078e1cdacc smtp: fix int warnings
and explicitly truncating filename's length
4 years ago
Philippe Antoine 23f242dfc2 app: fix int warnings in generic app files 4 years ago
Philippe Antoine 334b1382e0 http: : fix int warnings
Explicitly truncate file names to UINT16_MAX

Before, they got implicitly truncated, meaning a UINT16_MAX + 1
file name, went to 0 file name (because of modulo 65536)
4 years ago
Philippe Antoine defce022b4 ftp: fix int warnings
Explicitly truncate a file name if it is longer
than UINT16_MAX
4 years ago
Jeff Lucovsky 22e89ec4a3 log: Coverity REVERSE_INULL warnings
This commit addresses Coverity reported "REVERSE_INULL" warnings.

Issue: 4699
4 years ago
Philippe Antoine e1c0725e05 doc: fix typo lenght/length 4 years ago
Sam Muhammed 9bea850d53 nfs4_records: add unittests for nom7 parsers
Task #4866
4 years ago
Sam Muhammed 463fbdc36d nfs4_records: add missing field to res_sequence_ok()
Missing _seqid in sequence op struct left a trailing four zeros
that are parsed by nfs4_res_compound_command() as a cmd
causing a Switch Error Code
4 years ago
Sam Muhammed 4e2edd44aa nfs3-records: add unittests to nom7 parsers
Task #4866
4 years ago
Sam Muhammed 03906010a2 nfs3-records: add missing fields and update parsers
Add missing fields to some record structures and
update their respective parsers
4 years ago