aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
11,966 Commits
8 Branches
163 Tags
182 MiB
main-8.0.x
main
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'abb3cc85d5'
${ noResults }
Commit Graph

200 Commits (abb3cc85d5e54fbc14e4c2783ddbc619b1e29443)

Author SHA1 Message Date
Philippe Antoine eb460cf78d ssl: reset state when breaking out of SSLV3_HANDSHAKE_PROTOCOL 
So that we cannot resumt it with corrupted values
 5 years ago
Jason Ish 90dcaff41d ssl: replace ComputeSHA1 with Rust SCSha1HashBuffer 
Removes the final use of internal ComputeSHA1 function.
 5 years ago
Jason Ish d5bf748c90 ja3: remove requirement on NSS 5 years ago
Jason Ish e50ee7eb62 filestore: remove requirement of nss for filestore 
Required including NSS header in places that depended on
util-file.h including it.

All filestore suricata-verify tests now pass without libnss.

Also enabled detect-file{md5,sha1,sha256} without NSS support.
 5 years ago
Victor Julien efc9a7a398 app-layer: remove callback for completion status 
Since the completion status was a constant for all parsers, remove the
callback logic and instead register the values themselves. This should
avoid a lot of unnecessary callback calls.

Update all parsers to take advantage of this.
 5 years ago
Philippe Antoine 4706b38866 ssl: do not reuse struct session_id_length 
As it can be confused between SSLv2 and TLSv13
In SSLv2, this variable is not used after the function scope, so
we can use a temporary variable.
 5 years ago
Philippe Antoine 2eacc6a9a8 ssl: adds safety checks 
Ensure the client version is valid by checking hello flags

Ensure no integer underflow occurs in SSLv3ParseHandshakeType
 5 years ago
Philippe Antoine 547d6c2d78 applayer: pass parameter to StateAlloc 
This parameter is NULL or the pointer to the previous state
for the previous protocol in the case of a protocol change,
for instance from HTTP1 to HTTP2

This way, the new protocol can use the old protocol context.
For instance, HTTP2 mimicks the HTTP1 request, to have a HTTP2
transaction with both request and response
 5 years ago
Victor Julien 4f73943df9 app-layer: split EOF flag per direction 5 years ago
Victor Julien fb780c7d92 ssl/tls: support AppLayerTxData 5 years ago
Victor Julien 3ed188e0bc ssl: support multi-frag certificate assembly 
Support reassembling multi-frag certificates. For this the cert queuing
code is changed to queue just the cert, not entire tls record.

Improve message tracking. Better track where a message starts and ends
before passing data around.

Add wrapper macros to check for 'impossible' conditions that are activate
in debug validation mode. This helps fuzzers find input that might trigger
these conditions, if they exist.
 6 years ago
Victor Julien 4f679fd843 ssl: add asserts for 'impossible' conditions 
Wrap in debug validation so that fuzzing can pick them up.
 6 years ago
Victor Julien 68d5a9dc2c tls/sni: parsing cleanup 
Set proper event on all invalid sni length values.
 6 years ago
Victor Julien 61b8c99236 ssl: improve error checking 6 years ago
Victor Julien bb06298102 ssl: unify main parsing routine 6 years ago
Victor Julien 40be9d2219 ssl: improve debug output 6 years ago
Victor Julien f1bf11f716 ssl: record parsing cleanup 6 years ago
Victor Julien ab44b5edac ssl: handshake parsing code cleanup 6 years ago
Victor Julien d1ada2e13c ssl: copy data using a safe memcpy wrapper 
To avoid future memcpy issues introduce a wrapper and check the
result of it.

When compiled with --enable-debug-validation the wrapper will abort if
the input is wrong.
 6 years ago
Victor Julien cffbdff024 ssl: don't say we consumed bytes if we didn't consume them 6 years ago
Victor Julien 9950ebffe6 ssl: code cleanups 6 years ago
Victor Julien 1578c84605 ssl: bump copyright year 6 years ago
Victor Julien 9a97821c43 ssl: improve 'first cert' check to avoid leaks 
In some error conditions, or potentially in case of multiple 'certificate'
records, the extracted subject, issuerdn and serial could be overwritten
without freeing the original memory.
 6 years ago
Victor Julien fa2a1385ea ssl: fix handshake cert buffer sizing 
'trec' buffer was not grown properly when it was checked as too small.
After this it wasn't checked again so that copying into the buffer could
overflow it.
 6 years ago
Pierre Chifflier 01aef49cbd rust/x509: map decoding errors to decoder events 6 years ago
Pierre Chifflier 333fcc43e7 ssl/tls: call rs_cstring_free for strings allocated in Rust 6 years ago
Pierre Chifflier 1d9f37a60e DER: remove the C parser for DER 6 years ago
Pierre Chifflier d92321d8b1 ssl/tls: use the rust decoder to decode X.509 certificates 6 years ago
Victor Julien 44d3f264bf app-layer: update API to return more details 
Add AppLayerResult struct as the Parser return type in
preparation of allowing returning 'Incomplete(size)' similar
to what nom in Rust allows.
 6 years ago
Victor Julien 3bcf948a75 app-layer: change return codes 
This patch simplifies the return codes app-layer parsers use,
in preparation of a patch set for overhauling the return type.

Introduce two macros:

APP_LAYER_OK (value 0)
APP_LAYER_ERROR (value -1)

Update all parsers to use this.
 6 years ago
Victor Julien 4164c0bbd6 app-layer: make dns,smb,tls parsers less noisy w/o config 6 years ago
Victor Julien c582fd28d9 tls/ja3: allow 'auto' setting for ja3 6 years ago
Victor Julien 29dcd98ed1 tls/ja3: add way to check active config 6 years ago
Victor Julien 4cd3b84606 tls/ja3: allow dynamic enabling of ja3 6 years ago
Victor Julien 922f4f7d78 ssl: fix bounds checking in version decoding 
Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3169.
 6 years ago
Victor Julien 229eccdd04 ssl: minor cleanups 6 years ago
Victor Julien 579cc9f02b const: constify decoder, app-layer, detect funcs 6 years ago
Nick Price d0a85b7550 ja3: Mention LibNSS dependency for JA3 6 years ago
Philippe Antoine 477328f79b ssl: register probing for port 443 if no config 6 years ago
Jeff Lucovsky d568e7fadd eve/logging: 2991 Optimize logging by TX 
This changeset makes changes to the TX logging path. Since the txn
is passed to the TX logger, the TX can be used directly instead of
through the TX id.
 6 years ago
Jeff Lucovsky f7b934f83f app-layer/logging: protocol parser updates 6 years ago
Mats Klepsland a4471987ba app-layer-ssl: generate JA3S fingerprints 
Generate JA3S fingerprints based on fields in the ServerHello record.
 7 years ago
Philippe Antoine 316a411b6b ssl : SSLProbingParser overflow fix 
Found by fuzzing
Fixes ssl detection evasion by packet splitting
 7 years ago
Victor Julien 422e4892cc proto-detect: improve midstream support 
When Suricata picks up a flow it assumes the first packet is
toserver. In a perfect world without packet loss and where all
sessions neatly start after Suricata itself started, this would be
true. However, in reality we have to account for packet loss and
Suricata starting to get packets for flows already active be for
Suricata is (re)started.

The protocol records on the wire would often be able to tell us more
though. For example in SMB1 and SMB2 records there is a flag that
indicates whether the record is a request or a response. This patch
is enabling the procotol detection engine to utilize this information
to 'reverse' the flow.

There are three ways in which this is supported in this patch:

1. patterns for detection are registered per direction. If the proto
   was not recognized in the traffic direction, and midstream is
   enabled, the pattern set for the opposing direction is also
   evaluated. If that matches, the flow is considered to be in the
   wrong direction and is reversed.

2. probing parsers now have a way to feed back their understanding
   of the flow direction. They are now passed the direction as
   Suricata sees the traffic when calling the probing parsers. The
   parser can then see if its own observation matches that, and
   pass back it's own view to the caller.

3. a new pattern + probing parser set up: probing parsers can now
   be registered with a pattern, so that when the pattern matches
   the probing parser is called as well. The probing parser can
   then provide the protocol detection engine with the direction
   of the traffic.

The process of reversing takes a multi step approach as well:

a. reverse the current packets direction
b. reverse most of the flows direction sensitive flags
c. tag the flow as 'reversed'. This is because the 5 tuple is
   *not* reversed, since it is immutable after the flows creation.

Most of the currently registered parsers benefit already:

- HTTP/SMTP/FTP/TLS patterns are registered per direction already
  so they will benefit from the pattern midstream logic in (1)
  above.

- the Rust based SMB parser uses a mix of pattern + probing parser
  as described in (3) above.

- the NFS detection is purely done by probing parser and is updated
  to consider the direction in that parser.

Other protocols, such as DNS, are still to do.

Ticket: #2572
 7 years ago
Mats Klepsland d62d33cdff app-layer-ssl: check that cipher suites length is divisible by two 
Cipher suites length should always be divisible by two. If it is a
odd number, which should not happen with normal traffic, it ends up
reading one byte too much.
 7 years ago
Mats Klepsland b5dfc9ed41 app-layer-ssl: fix coverty error (RESOURCE_LEAK) 
Bug #2677
 7 years ago
Mats Klepsland 033e756905 app-layer-ssl: add Facebook TLSv1.3 draft versions 
Add draft versions for Facebooks custom TLSv1.3 implementation "fizz"
to SSLVersionToString().
 7 years ago
Mats Klepsland dd5374c20d app-layer-ssl: change how TLSv1.3 drafts are logged 
Change from logging TLSv1.3 drafts as "TLS 1.3 (draft 28)" to
"TLS 1.3 draft-28" instead.
 7 years ago
Mats Klepsland a8347e1bc2 app-layer-ssl: fix flow and inspection bypass for TLSv1.3 7 years ago
Mats Klepsland 3b73b7d542 app-layer-ssl: add 0-RTT support for TLSv1.3 7 years ago