Commit Graph

594 Commits (bc41dcc854e24487d3786ce578a8a86a8350ab20)

Author SHA1 Message Date
Philippe Antoine 03ba8a71d8 mqtt: bounds number of messages per tx
Ticket: 8525
2 weeks ago
Giuseppe Longo 8a4eea44d8 suricata.yaml.in: enable app-layer.sip by default 1 month ago
Juliana Fajardini f8945e7a1a yaml/firewall: expand firewall options explanation 2 months ago
Giuseppe Longo 8f205bb34f llmnr: implement logger
This adds an LLMNR protocol logger that reuses existing DNS functions,
following the same approach as the mDNS logger:

- No grouped logging
- Rdata is logged in a field that is named after the rdata type
- Types are logged in lower case
- Flags are logged as an array

Ticket #8366
2 months ago
Giuseppe Longo 13df0f7a06 llmnr: implement parser
This adds a parser for LLMNR protocol over both UDP and TCP.

The parser reuses the existing DNS functions since LLMNR shares
the same wire format as DNS, but implements its own protocol-specific
validation:

- LLMNR-specific flag checks (C, TC, T bits)
- Opcode validation (only standard query opcode 0 is valid)
- An Event is set if Z-flag is set, since it's must be zero per RFC4795

LLMNR transactions inherit DNS behavior where each packet creates a new state
with one transaction.

Ticket #8366
2 months ago
Philippe Antoine 7bf48b02be http2: protection against decompression bombs
Ticket: 8513

During decompression, fail early if we have a big decompression
ratio, and enough data.
Track this data also during a tx lifetime, and even a flow/state
lifetime, so that we set event and fail also if the compression
bomb is split over multiple packets
2 months ago
Philippe Antoine e98d419d96 ldap: bound the number of responses
Ticket: 8405
2 months ago
Victor Julien 7134592fea detect/firewall: configurable default policies
Allow configurable policies, including accept. For app-layer this
requires looping all available hooks to apply the policies.

Support configurable policies for packet-filter, pre-stream, pre-flow.

If there are no rules there is also no rule group (sgh). Make sure
the app hooks policies are correctly handled in this case by allowing
a NULL sgh to be handled as well.

For tx rule match actually apply drop directly. Previously this was
always handled by the default drop:flow policy.

Ticket: #7701.
2 months ago
Victor Julien 943fa5f453 respond/reject: use livedev in bridge mode
Clean up host mode tracking, which is used by reject to control how
rejects are sent. Before this patch there were 2 modes: sniffer only
and router. This patch introduces a bridge mode that is automatically
set by the bridge modes. In bridge mode the `Packet::livedev` is used.

Ticket: #8390.
2 months ago
alinse-pltzr 86fe20dd48 conf: add comment for ftp.max-tx
Add missing FTP configuration value to suricata.yaml.in showing the
default value.

Issue: 8489
2 months ago
Jason Ish 31b967b089 ntp: add transaction logging
Adds basic NTP transaction logging for the current supported message
types.

Includes small cleanups around reference ID.

Ticket: #8425
3 months ago
Jeff Lucovsky e7dc0d885b doc/config: Update flushing description
Update output flushing description to reflect EVE based approach in
documentation and config template.

Issue: 8286
4 months ago
Philippe Antoine 784e173278 http2: bound number of http2 frames per tx
Ticket: 8289

If stream.reassembly.depth is unlimited,
an attacker controlling the 2 sides of a communication going through Suricata
can send a transition with an infinite number of headers, until suricata OOMs

Solution is to offer a configuration option to bound the number
of HTTP2 frames we store in a HTTP2 transaction, and produce an
anomaly if this bound is crossed
4 months ago
Giuseppe Longo a072ca02be suricata.yaml: add missing modbus logger
Ticket #8347
4 months ago
Jeff Lucovsky 4af77975e3 output/log: ipv6-compress member to file context
Issue: 7399

Add compress ipv6 setting to file context.
5 months ago
Shivani Bhardwaj 0e345c93ca app-layer: check ipproto enabled setting first
If the key `app-layer.protocols.PROTO.enabled` is present, the protocol
is enabled for all carrier protocols. This is not ideal.
Only if the key `app-layer.protocols.PROTO.enabled` is missing, an
attempt is made to look for a setting specific to the ipproto passed
at the time of registration e.g.
`app-layer.protocols.PROTO.udp.enabled`.

By default, check for carrier proto specific setting. If it is not
found, then fall back to the generic setting.
Issue a warning in case an inconsistent combination of global and
ipproto specific setting is found.

Bug 8205
5 months ago
Philippe Antoine d378610e93 stream: non infinite default value for reassembly.depth
So that empty config have a safer default.

Ticket: 8290
5 months ago
Ofer Dagan e1f9d8a067 pcap: refactor delete-when-done to support non-alerts
Refactor pcap file deletion to use a single delete-when-done option
with three values instead of separate boolean options:
- false (default): No deletion
- true: Always delete files
- "non-alerts": Delete only files with no alerts

Also account for alerts produced by pseudo packets (flow timeout / shutdown flush):
- Introduce small capture hooks and invoke on pseudo-packet creation so the
  capture layer can retain references and observe alerts emitted after the last
  live packet
- Call the hook from both TmThreadDisableReceiveThreads and TmThreadDrainPacketThreads

Key changes:
- Replace should_delete/delete_non_alerts_only bools with enum
- Move alert counter from global to per-file PcapFileFileVars
- Relocate alert counting from PacketAlertFinalize to pcap module
- Ensure thread safety for both single and continuous pcap modes
- Add unit tests for configuration parsing and pseudo-packet alert path

The --pcap-file-delete command line option overrides YAML config
and forces "always delete" mode for backward compatibility.

Documentation updated to reflect the new three-value configuration.

Fixes OISF#7786
5 months ago
Fupeng Zhao f7ec1c8813 redis: Add authentication support
Add authentication support to the Redis logging output.
It introduces `username` and `password` configuration options for Redis,
allowing Suricata to authenticate with Redis servers that require it.

Ticket: 7062
6 months ago
Philippe Antoine 54cc752cf9 ssh: hassh can be truly disabled
Rules will not re-enable it

Ticket: 8223
6 months ago
Lukas Sismis 15c83be61a hs: prune stale MPM cache files
Hyperscan MPM can cache the compiled contexts to files.
This however grows as rulesets change and leads to bloating
the system. This addition prunes the stale cache files based
on their modified file timestamp.

Part of this work incorporates new model for MPM cache stats
to split it out from the cache save function and aggregate
cache-related stats in one place (newly added pruning).

Ticket: 7830
6 months ago
Philippe Antoine 7422c97bf2 quic: encryption-handling config parameters
Ticket: 8116
6 months ago
Shivani Bhardwaj e412215af9 dcerpc: add upper limit on stub data
DCERPC parsers had no upper bounds when it came to extending the stub
data buffer. Traffic can be crafted to bypass some internal parser
conditions to create an indefinite buffering in the stub_data array that
can make Suricata crash.

Add a default limit of 1MiB and make it configurable for the user.

Security 8182

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
6 months ago
Jason Ish 2c95f1ff44 dnp3: bound the maximum number of objects per tx
Default to 2048, but provide a user configuration value.

Ticket: #8181
6 months ago
Jason Ish 3a32bb5743 dnp3: set a bound on the number of points per message
16384 is used as the max, but a configuration parameter has been
provided. The reason for setting an upper bound is that bit flags can
create a memory amplification as we parse them into individual data
structures.

Ticket: #8181
6 months ago
Jason Ish a16f087b93 dnp3: reduce flood threshold to 32 and make configurable
Lower the number of unreplied requests from 500 to 32 to consider a
flood. At the very least this is an anomaly given the DNP3 spec mentions
that DNP3 should only have one outstanding request at a time, with an
exception for unsolicited responses, so in practice no more than 2
should be seen.

Additionally make this value configurable by introducing the max-tx
parameter.

Ticket: #8181
6 months ago
Jason Ish b3d45e5507 profiling: log rule profiling as json by default
We've been forcing JSON logging in our default configuration for some
time now, just make it the actual default.
7 months ago
Jason Ish 6eda4b9f59 configure: remove @e_enable_evelog@
Jansson/JSON has been mandatory for a long time now, so this value has
evaluated to yes for many years now.
7 months ago
Jason Ish e895cbbf58 profiling: don't enable rule profiling by default
Update the suricata.yaml rule profiling section to not turn on rule
profiling by default, as its not on by default when commented out.

Also update the comments.
7 months ago
Victor Julien 365ed2a2ff af-packet: disable hwtimestamp by default
Add enable-hwtimestamp option to replace disable-hwtimestamp.

Ticket: #7585.
7 months ago
Victor Julien 08d625bb10 mpm: remove remaining ac-bs references 8 months ago
Victor Julien 18a6a079da af-packet: add disable-hwtimestamp option
HW timestamping is not always reliable, so add an option to disable it.

Bug: #1954.
8 months ago
Fupeng Zhao 4f68cb026f decoder/vxlan: add configurable reserved bits validation for VXLAN
Add support for two VXLAN reserved bits check modes:
- strict: validate all reserved bits for standard VXLAN format
- permissive: skip all reserved bits validation (allows extensions)

Configuration added to suricata.yaml.in with 'strict' as default.
Includes comprehensive unit tests and documentation updates.

Ticket: 7753
10 months ago
Alice Akaki 8e0b0ef35f detect: add email.body_md5 keyword
email.body_md5 matches on md5 hash generated from email body
This keyword maps to the EVE field email.body_md5
It is a sticky buffer
Supports prefiltering

Ticket: #7587
10 months ago
Victor Julien 08925eac18 firewall: add --firewall and firewall.enabled
Allows for enabling firewall mode
1 year ago
Victor Julien 0e18048ef0 firewall: move config into yaml object
To make it easier to group settings or include them.
1 year ago
Lukas Sismis 8817a959e8 threading: support thread autopinning and interface-specific affinity
Using the new configuration format, it is now possible to set CPU affinity
settings per interface.

The threading.autopin option has been added to automatically use CPUs from the
same NUMA node as the interface. The autopin option requires
hwloc-devel / hwloc-dev to be installed and --enable-hwloc flag in configure
script.

Ticket: 7036
1 year ago
Lukas Sismis 733cf34ad7 threading: transform *-cpu-set nodes from list items to nodes
Part of Ticket 2321 work to remove unnecessary lists from
the config file.

Ticket: 2321
1 year ago
Lukas Sismis 390baad7dc util-affinity: move properties of *-cpu-set node one layer up in YAML 1 year ago
Jason Ish 4a655053e8 mdns: add mdns parser, logger and detection
The mDNS support is based heavily on the DNS support, reusing the
existing DNS parser where possible. This meant adding variations on
DNS, as mDNS is a little different. Mainly being that *all* mDNS
traffic is to_server, yet there is still the concept of request and
responses.

Keywords added are:
- mdns.queries.rrname
- mdns.answers.rrname
- mdns.additionals.rrname
- mdns.authorities.rrname
- mdns.response.rrname

They are mostly in-line with the DNS keywords, except
mdns.answers.rdata which is a better than that mdns.response.rrname,
as its actually looking at the rdata, and not rrnames.

mDNS has its own logger that differs from the DNS logger:

- No grouped logging

- In answers/additionals/authorities, the rdata is logged in a field
  that is named after the rdata type. For example, "txt" data is no
  longer logged in the "rdata" field, but instead a "txt" field. We
  currently already did this in DNS for fields that were not a single
  buffer, like SOA, SRV, etc. So this makes things more consistent. And
  gives query like semantics that the "grouped" object was trying to
  provide.

- Types are logged in lower case ("txt" instead of "TXT")

- Flags are logged as an array: "flags": ["aa", "z"]

Ticket: #3952
1 year ago
Lukas Sismis eb52e337da pcap-file: document capture method options 1 year ago
Richard McConnell d81b76d852 output/tls: Allow logging of sv-handshake params
Ticket: 6695

"server_handshake" which logs the following:
1. TLS version used during handshake
2. The chosen cipher suite, excluding GREASE
3. TLS extensions, excluding GREASE
1 year ago
Richard McConnell 94c8be22d4 output/tls: Allow logging of cl-handshake params
Ticket: 6695

Add new custom log fields:

"client_handshake" which logs the following:
1. TLS version used during handshake
2. TLS extensions, excluding GREASE, SNI and ALPN
3. All cipher suites, excluding GREASE
4. All signature algorithms, excluding GREASE

The use-case is for logging TLS handshake parameters in order to survey
them, and so that JA4 hashes can be computed offline (in the case that
they're not already computed for the purposes of rule matching).
1 year ago
Juliana Fajardini 6f81caf8d4 pgsql: clearly indicate redacted password message
If a password message was seen while logging passwords was disabled
for pgsql, this would lead to an empty request being logged.
Instead of simply not logging anything when there is a password message
and this is disabled, however, log instead that said password is
redacted.

Bug #7647
1 year ago
Philippe Antoine 16f74c68aa websocket: use max window bits of 15
Ticket: 7285

As this is the default for websocket, which is bigger than the
defaut for zlib usage

Also limit the decompressed content to the max-payload-size
configuration parameter also used for non-compressed content.

And also use a stateful decoder to store/remember the compression
state to be able to decompress later messages.
1 year ago
Victor Julien 57c73880db lua: enable lua rules by default
Now that sandboxing is in place, lua rule support is enabled by default.
1 year ago
Alex Savage 778053876b pop3: app-layer parser using sawp-pop3
This module uses the sawp-pop3 crate to parse POP3 requests and responses
Features:
- eve logging
- events for parsable but non-RFC-compliant messages

Ticket: 3243
1 year ago
Victor Julien 31d048ed4b firewall: start of firewall rules support
Config:

Firewall rules are like normal rule, with some key differences.

They are loaded separate, and first, from:

```yaml
firewall-rule-path: /etc/suricata/firewall/
firewall-rule-files:
  - fw.rules
```

Can also be loaded with --firewall-rules-exclusive: Mostly for QA purposes.

Allow -S with --firewall-rules-exclusive, so that firewall and threat detection
rules can be tested together.

Rules:

Differences with regular "threat detection" rules:

1. these rules are evaluated before threat detection rules

2. these rules are evaluated in the order as they appear in the rule file

3. currently only rules specifying an explicit hook at supported

   a. as a consequence, no rules will be treated as (like) IP-only, PD-only or
      DE-only

Require explicit action scope for firewall rules. Default policy is
drop for the firewall tables.

Actions:

New action "accept" is added to allow traffic in the filter tables.

New scope "accept:tx" is added to allow accepting a transaction.

Tables:

Rulesets are per table.

Table processing order: `packet:filter` -> `packet:td` -> `app:*:*` -> `app:td`.

Each of the tables has some unique properties:

`packet:filter`:
- default policy is `drop:packet`
- rules are process in order
- action scopes are explicit
- `drop` or `accept` is immediate
- `accept:hook` continues to `packet:td`

`packet:td`:
- default policy is `accept:hook`
- rules are ordered by IDS/IPS ordering logic
- action scopes are implicit
- actions are queued
- continues to `app:*:*` or `alert/action finalize`

`app:*:*`:
- default policy is `drop:flow`
- rules are process in order
- action scopes are explicit
- `drop` is immediate
- `accept` is conditional on possible `drop` from `packet:td`
- `accept:hook` continues to `app:td`, `accept:packet` or `accept:flow`
  continues to `alert/action finalize`

`app:td`:
- default policy is `accept:hook`
- rules are ordered by IDS/IPS ordering logic
- action scopes are implicit
- actions are queued
- continues to `alert/action finalize`

Implementation:

During sigorder, split into packet:filter, app:*:* and general td.

Allow fw rules to work when in pass:flow mode. When firewall mode is enabled,
`pass:flow` will not skip the detection engine anymore, but instead
process the firewall rules and then apply the pass before inspecting threat
detect rules.
1 year ago
Philippe Antoine 706a0bd99b output: option to add suricata version in eve logs
Ticket: 4853
1 year ago
Jason Ish 2fce106aec pcap-log: add bpf filter for packets that are logged
Add an optional bpf filter to pcap-log. If set, packets must match the
filter to be logged, otherwise they will be ignored.

This allows a user to limit what is logged to disk if they have pcap-log
enabled, but still inspect all data captured.

Ticket: #6832
1 year ago