aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
12,428 Commits
8 Branches
163 Tags
184 MiB
main-7.0.x
main-8.0.x
main
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd581fc82b1'
${ noResults }
Commit Graph

782 Commits (d581fc82b18219d9c5bef8f0e0c0c42545c7b054)

Author SHA1 Message Date
Philippe Antoine 7d0a39412b detect: use u32 for InspectionBufferMultipleForList 
So that we do not have an endless loop casting index to
u16 and having more than 65536 buffers in one transaction

Changes for all protocols, even ones where it is impossible
to have such a pattern, so as to avoid bad pattern copy/paste
in the future
 4 years ago
Philippe Antoine b3c1f2ab48 nfs: improve probing parser 
Checks credentials flavor is known
 4 years ago
Philippe Antoine 39575e2cc9 modbus: use ascii character classes while parsin rule 
As the rust regex crate is unicode aware, which was
not the case of the C version
 4 years ago
Philippe Antoine ef5755338f rust: SCLogDebug is real nop when built as release 
Before, even if there were no outputs, all the arguments
were evaluated, which could turn expensive

All variables which are used only in certain build configurations
are now prefixed by underscore to avoid warnings
 4 years ago
Victor Julien 20e8f90981 http2: set Debug on structs 4 years ago
Victor Julien 3587033d9e files: construct with default, free on drop 
Update protocols.
 4 years ago
Victor Julien d757545f03 files: implement default support 4 years ago
Philippe Antoine fdab22d924 rust: fix app-layer parser flags 
This especially allows for SSH bypass to work
 4 years ago
Jeff Lucovsky aa8871a5be rust/default: Enable Default usage 4 years ago
Jeff Lucovsky 6028ca7827 nfs: Rework constructs to use Self/Default 4 years ago
Jeff Lucovsky aafb0a60b7 dhcp: Rework constructs to use Self/Default 4 years ago
Jeff Lucovsky 1ef0bd580b dcerpc: Rework constructs to use Self/Default 4 years ago
Jeff Lucovsky 00167121dc dns: Rework constructs to use Self/Default 4 years ago
Jeff Lucovsky 02dccb1529 smb: Rework constructs to use Self/Default 
This commit modifies the constructors to use Self and/or
Default::default() when feasible
 4 years ago
Jeff Lucovsky f502f21f9e rust/default: Enable Default usage in SMB 4 years ago
Shivani Bhardwaj 581cb6223d dcerpc/udp: Add rust registration function 
Get rid of the C glue code and move registration completely to Rust.
 4 years ago
Shivani Bhardwaj d7007424bd dcerpc/udp: Change fn sign as per rust registration requirement 
Registering parsers in Rust requires signatures to be a certain way and
compatible with C. Change signatures of all the functions.
 4 years ago
Shivani Bhardwaj bac69af7e4 dcerpc: Add rust registration function 
Get rid of the C glue code and move registration completely to Rust.
 4 years ago
Shivani Bhardwaj a0a09a102b dcerpc: Change fn sign as per rust registration requirement 
Registering parsers in Rust requires signatures to be a certain way and
compatible with C. Change signatures of all the functions.
 4 years ago
Shivani Bhardwaj dee972b863 rust/core: Make AppProto type u16 4 years ago
Shivani Bhardwaj d66ad96f0d applayer/rust: add extern AppLayerProtoDetectPMRegisterPatternCSwPP 4 years ago
Victor Julien d7c3ecb6f9 http2: remove dead code 5 years ago
Philippe Antoine b3c502d572 http2: remove assertion which can be wrong 
Brotli decoder stops consuming input it it reaches the
end of its input
 5 years ago
Simon Dugas c2720fc2fb modbus: fix quantity and count calculation 
The [Modbus Spec S6.11](https://modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf)
clearly states that the `count = quantity / 8` and not the other way
around. This is fixed in sawp-0.5.0.
 5 years ago
Philippe Antoine 999327ba1f http2: http.cookie keyword now works for HTTP2 5 years ago
Philippe Antoine df039555bc http2: http.host.raw keyword now works for HTTP2 5 years ago
Philippe Antoine 1e82d0b3c8 http2: http.method keyword now works for HTTP2 5 years ago
Philippe Antoine 017e39d8fd http2: makes all HTTP1 header keywords work 5 years ago
Simon Dugas a8a51dc004 modbus: add eve logging 5 years ago
Simon Dugas 8342641477 modbus: move tests from c to rust 
Move tests in a seperate commit so that we can use the previous one for
regression testing. This also gets rid of the temporary glue that made
the C tests work with the rust implementation.
 5 years ago
Simon Dugas a458a94dca modbus: move from C to rust 
Adds a new rust modbus app layer parser and detection module.

Moves the C module to rust but leaves the test cases in place to
regression test the new rust module.
 5 years ago
frank honza f83d51d0cb ike: set event for multiple server proposals 5 years ago
Philippe Antoine ca6e434e0b ftp: completely parses pasv and epsv responses 5 years ago
Philippe Antoine 6fe8bce3b0 http2: have filecontainer for both directions 5 years ago
Jason Ish c7f44447c9 dns: remove flood protection purging 
It doesn't look like flood protection is required with the
stateless parser anymore. It actually can get in the way of TCP
DNS when a large number of requests end-up in the same segment
where a TX can get purged before it has a chance to go through
the normal TX life-cycle.
 5 years ago
Shivani Bhardwaj c663ac6ddd dcerpc/tcp: improve detection 
Lately, some of the TLS data was misdetected as DCERPC/TCP because of
the pattern |05 00|. Add more checks in DCERPC probe function to ensure
that it is in fact DCERPC/TCP.
 5 years ago
Philippe Antoine d2d0e0adc9 rust: remove exported unused functions 5 years ago
Philippe Antoine 6da9a37285 rdp: correctly returns incomplete in parse_tc 
Adding the already consumed bytes
In case an incomplete tls handshake is handled with/after
a refular rdp t123_tpkt
 5 years ago
Philippe Antoine 3de0123ffb http2: adds check about dynamic headers table size 5 years ago
Philippe Antoine 1ca4f041bb http2: pass data through when decompression fails 
as is done for HTTP1
 5 years ago
Juliana Fajardini c6a35d09b7 templates: fix typos 
- *template*files[ch][rs]: fix typos
- scripts/setup-app-layer: fix typos
 5 years ago
Jason Ish 6853bf98fb dns: only register a single logger 
DNS no longer requires a logger to be registered for to-client and
to-server directions. This has not been required with the stateless
design of the Rust DNS parser.
 5 years ago
Philippe Antoine 0105d4f017 rust: bump bitflags dependency version 
So that lexical-core, needed by nom, and using bitflags
is used with version 0.7.5 instead of version 0.7.0
which fixed the fact that BITS is now a reserved keyword
in nightly version
 5 years ago
Philippe Antoine cb150e97d0 kerberos: fix probing parser tag condition 
according to the comment
 5 years ago
Sascha Steinbiss e2dbdd7fd5 ikev1: add ikev1 parser 5 years ago
frank honza ecdf9f6b0b ikev1: rename ikev2 to common ike 
Renaming was done with shell commands, git mv for moving the files and content like
find -iname '*.c' | xargs sed -i 's/ikev1/ike/g' respecting the different mixes of upper/lower case.
 5 years ago
frank honza ab6171c429 detect: added support for protocol-aliases 5 years ago
frank honza e9494ddd8f util: add function converting u8-array into a hex-String 5 years ago
Philippe Antoine 8307010255 smb: relax probing parser to handle first NBSS message 
cf dcerpc-udp S-V test :
First message is Message Type: Session request (0x81)
Second message is SMB
 5 years ago
Philippe Antoine 1b6e81cd72 smb: probing parser for start and midstream 
The probing parser is more strict at the start of the stream
 5 years ago
Philippe Antoine 9dc5258a21 smb: split probing function for code style 
Introduces rs_smb_probe_tcp_midstream
 5 years ago
Shivani Bhardwaj 0ac5c5376a dcerpc: trigger raw assembly on record completion 5 years ago
Shivani Bhardwaj c77c8e7005 rust/context: add AppLayerParserTriggerRawStreamReassembly 5 years ago
Philippe Antoine 2d14606224 smb: andx support 
Add AndX support for SMB1. Finishes #3475.

[Updated by Victor Julien to split functions]
 5 years ago
Shivani Bhardwaj f967a49104 dcerpc/udp: improve detection 
Lately, Wireguard proto starting w pattern |04 00| is misdetected as
DCERPC/UDP which also starts with the same pattern, add more checks
to make sure that it is the best guess for packet to be dcerpc/udp.
 5 years ago
Shivani Bhardwaj 3641f1b522 dcerpc: add probe function 5 years ago
Shivani Bhardwaj d7a3523b12 rust/applayer: split EOF flag per direction 5 years ago
Shivani Bhardwaj 0ca8591994 dcerpc/udp: remove transmute 
The book defines transmute as "This is really, truly, the most horribly unsafe
thing you can do in Rust. The guardrails here are dental floss."
Transmute can result into mind boggling undefined behaviors. Get rid of
it wherever possible.
 5 years ago
Philippe Antoine c6aadf0dfa protodetect: rename direction to flags 
And use whole flags in AppLayerProtoDetectPPGetProto
 5 years ago
Philippe Antoine 5465e0b154 http2: http.stat_msg keyword now works for HTTP2 5 years ago
Philippe Antoine 47928babfc http2: http.user_agent keyword now works for HTTP2 5 years ago
Philippe Antoine a98d0fe6ed http2: http.uri keyword now works for HTTP2 
cf #4067
 5 years ago
Philippe Antoine 707f027231 protos: renaming ALPROTO_HTTP* constants 
Having now ALPROTO_HTTP1, ALPROTO_HTTP2 and ALPROTO_HTTP

Run with 3 sed commands
git grep ALPROTO_HTTP | cut -d: -f1 | uniq |
 xargs sed -i -e 's/ALPROTO_HTTP/ALPROTO_HTTP1/g'
git grep ALPROTO_HTTP12 | cut -d: -f1 | uniq |
 xargs sed -i -e 's/ALPROTO_HTTP12/ALPROTO_HTTP2/g'
git grep ALPROTO_HTTP1_ANY | cut -d: -f1 | uniq |
 xargs sed -i -e 's/ALPROTO_HTTP1_ANY/ALPROTO_HTTP/g'

and then running clang-format
 5 years ago
Jason Ish dbae17dbc0 install: makefile target to install libraries 
As we don't install the libraries by default, provide a make target,
"install-library" to install the libsuricata library files.

If shared library support exists, both the static and shared
libraries will be installed, otherwise only the static libraries
will be installed.
 5 years ago
Jason Ish a178ec6bef rust: rename lib to libsuricata_rust 
Previously it was libsuricata.a, but eventually we want to get
to a place where libsuricata.a is a combination of the Rust
and C code.
 5 years ago
Jason Ish 9f20297cb3 rust/Makefile: add Cargo.toml as make dependency 
This will force Cargo.toml to be recreated if Cargo.toml.in
is modified.
 5 years ago
Jason Ish 3ada5e1480 rust/ffi: provide AppLayerRegisterParser in context 
AppLayerRegisterParser was creating a link error when attempting
to use a convenience library for the Suricata C code, then linking
the library of C code with the library of Rust code into a final
Suricata executable, or use with fuzz targets.

By moving AppLayerRegisterParser to the context structure and
calling it like a callback the circular reference is removed
allowing the convenience libraries to work again.

This is also a stepping block to proving a Suricata library
as a single .a or .so file.
 5 years ago
Philippe Antoine 32b604e8c7 template: use response_gap in rust parser 5 years ago
Victor Julien 3f807f3bf6 rust: update dependencies 5 years ago
Victor Julien ebde15f0e2 rust: lock all major crate versions 
To avoid surprises with dependencies bumping MSRV.
 5 years ago
Victor Julien 4b5af36061 rust: relax nom version to any >=5.1.1 5 years ago
Philippe Antoine d861228214 http2: decompression for files 
gzip and brotli decompression for files
 5 years ago
Philippe Antoine 2e46b5d100 rust: BIT_U16 macro utility 5 years ago
Philippe Antoine aee8e60149 rust: better panic message for missing file config 5 years ago
Philippe Antoine 8ac363c34d rust: fix warning about unused values in smb tests 5 years ago
Jason Ish 0a3b9e0220 rust/hashing: add function to finalize md5 to hex string 
New function, SCMd5FinalizeToHex to finalize an md5 hash
to a hex string.
 5 years ago
Jason Ish 26c1321668 rust/hashing: function to md5 hash buffer to hex 
Add function SCMd5HashBufferToHex to hash a single buffer to an
md5 hex string.
 5 years ago
Jason Ish 0f714be9f3 rust/hashing: method to SHA256 and finalize in one call 
Add SCSha256HashBuffer to hash a single buffer returning the
result.
 5 years ago
Jason Ish eb5cfd9b82 rust/hashing: new function to SHA1 hash a single buffer 
SCSha1HashBuffer will has a single buffer and compute the digest
in one call.
 5 years ago
Jason Ish ff37526c6b rust: remove md5 crate, unalias md-5 
Remove the md5 crate as a dependency as it is no longer removed.
We now use md-5 from RustCrypto.
 5 years ago
Jason Ish 0a2d8509c9 rust/ssh: use md-5 crate instead of md5 
The "md-5" crate is part of the RustCrypto project that also
uses the sha1 and sha256 crates we are using. These all implement
the Digest trait for a common API.
 5 years ago
Jason Ish 1022b217ed rust/hashing: a method to md5 hash a single buffer 
Add SCMd5HashBuffer as a replacement for NSS HASH_HashBuf as
used in ja3 to hash a single buffer.
 5 years ago
Jason Ish 46ceb13c08 rust: add ffi module for sha256, sha1 and md5 
Add a Rust module that exposes Rust implementations of
sha256, sha1 and md5 from the RustCrypto project.

This is an experiment in replacing the libnss hash functions with
pure Rust versions that will allow us to remove nss as a compile
time option.

Initial tests are good, even with a 10% or so performance
improvement when being called from C.

Also trying a module naming scheme where modules under the ffi
modules are purely for exports to C, as it doesn't make any
sense to use this new hashing module directly from Rust.
 5 years ago
Jeff Lucovsky 8ce2078a38 tftp: Add test cases 
This commit adds test cases for the TFTP parser.
 5 years ago
Jeff Lucovsky e900b6d265 tftp: Improve parser 
This commit improves TFTP parsing by ensuring the mode and opcode are
valid.
 5 years ago
Jason Ish f77fd0c0cb rust: include file cleanup 
The cbindgen generated header should not include rust.h as
rust.h already includes the generated binding.

Fixup C source code that only pulled the generated include, it
should instead pull in "rust.h" which includes the generated
binding plus other misc. stuff.
 5 years ago
Juliana Fajardini e33bbee9b7 nbss: add parser tests 
Add tests to parse_nbss_record and parse_nbss_record_partial
 5 years ago
Juliana Fajardini 5226ba1c15 Rust: generic files definition 
Issue: Optimization 3825
- filecontainer: add Files structure, to replace/unify SMBFiles,
NFSFiles and HTTP2Files
- smb/files: delete SMBFiles implementation
- smb/smb: replace SMBFiles with Files
- nfs/nfs: delete NFSFiles implementation, replace its former
 declarations with Files' ones
- http2/http2: replace HTTP2Files with Files
- http2/mod: Delete reference to file files.rs
- http2/files: Delete
 5 years ago
Sascha Steinbiss a4556c9427 dns: use rest() for NULL parsing 5 years ago
Sascha Steinbiss 81b206a5f4 dns: add test for SRV 5 years ago
Sascha Steinbiss 08a6f1441a dns: parse SRV records 5 years ago
Antti Tönkyrä f3ad7f14fa dns: add rdata logging for NS rrtype 5 years ago
Simon Dugas 4336a0e739 dns: log rdata for NULL record type 
Logs the rdata for a NULL record type as a printable string.
 5 years ago
Victor Julien efc9a7a398 app-layer: remove callback for completion status 
Since the completion status was a constant for all parsers, remove the
callback logic and instead register the values themselves. This should
avoid a lot of unnecessary callback calls.

Update all parsers to take advantage of this.
 5 years ago
Philippe Antoine f574663352 http2: files inspection API fixes 
uses right transaction id for file tracker
uses FILE_USE_DETECT for good matches with keyword startswith
 5 years ago
Philippe Antoine a63ee5adbd http2: allow multiple size updates in one headers batch 
cf RFC 7541 section 4.2
 5 years ago
Philippe Antoine 6181459086 smb: do not rely on one valid NBSS byte for probing 
Need to have the SMB header so as to validate
 5 years ago
Jason Ish f3c59ef8a6 rust: handle windows naming change from .lib to .a 
Prior to Rust 1.44, Cargo would name static libs with the .lib
extension. 1.44 changes this extension to .a when running under
a GNU environment on Windows like msys to make it more similar
to other unix environments.

Now assume static library name to be the same on Windows and
unix, but rename the .lib if found to still support older
versions of Rust on Windows.
 5 years ago
Victor Julien ba781265a4 dcerpc/udp: fix transaction handling and logging 
Implement missing transaction handling.

Fix logging wrongly casting 'state' to DCERPCState instead of
DCERPCUDPState leading to crashes and malformed output.

Remove unused fields from DCERPCUDPState.
 5 years ago
Philippe Antoine 8db78208f9 rust: fix warnings found by nightly compiler 
warning: getting the inner pointer of a temporary `CString`
this `CString` is deallocated at the end of the statement,
bind it to a variable to extend its lifetime
 5 years ago
Jason Ish 2f81f3fbe9 rust/log: clarify comment in non-debug mode SCLogDebug 5 years ago
Jason Ish a453d28bc6 rust/log: order log macros in descending order 
Readability cleanup.
- error, notice, ... debug
 5 years ago
Jason Ish 411a5d41c1 rust/log: expand macros after checking log level 
Expand macros in the do_log macro after checking the log level
instead of each log macro (ie: SCLogDebug) expanding the macros
then passing off to do_log to have the log level check.

Will eliminate any expense of expanding macros if this log level
does not permit the given message to be logged.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4114
 5 years ago
Shivani Bhardwaj 269324e84d dcerpc/log: Log fields particular to an RPC version 
Log fields that only are meant to be in a PDU for a particular RPC
version. Since DCERPC/UDP works on RPC version 4 and DCERPC/TCP works on
RPC version 5, there are certain fields that are particular to each
version.
Remove call_id from the logger for UDP.
Add activityuuid and seqnum fields to the logger for UDP.
call_id and (activityuuid + seqnum) fields are used to uniquely pair a
request with response for RPC versions 5 and 4 respectively.
 5 years ago
Ilya Bakhtin 2033f386f9 rust/dcerpc: Remove redundant fields 5 years ago
Ilya Bakhtin 2840a2e064 rust/dcerpc: Make tx_id u64 5 years ago
Ilya Bakhtin 6916b63f09 dcerpc/udp: Fix pairing of request response 
So far, request and response were paired with serial number fields in
the header. This is incorrect. According to
https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm,
"Together, the activity UUID and the sequence number uniquely identify
a remote procedure call."

Hence, add activity uuid and sequence number to the transaction and pair
the request accordingly. Remove incorrect handling of this and fix
tests.
 5 years ago
Ilya Bakhtin e9b21553cc rust/dcerpc: Add UDP flag definitions 5 years ago
Victor Julien 51f4e4d0b7 dcerpc/udp: add missing tx free logic 5 years ago
Victor Julien 9f9c29a14a dcerpc: fix stream flag handling 
Only hardcoded direction flags were passed to the parser, not the
full range.

Handle receiving an EOF flag w/o data.

Bug: #3856
 5 years ago
Victor Julien f31372ad1d dcerpc/tcp: fix compile warning 
warning: variable does not need to be mutable
    --> src/dcerpc/dcerpc.rs:1036:42
     |
1036 |                     let tx = if let Some(mut tx) = self.get_tx_by_call_id(current_call_id, core::STREAM_TOCLIENT) {
     |                                          ----^^
     |                                          |
     |                                          help: remove this `mut`
     |
     = note: `#[warn(unused_mut)]` on by default

warning: variable does not need to be mutable
    --> src/dcerpc/dcerpc.rs:1061:30
     |
1061 |                         Some(mut tx) => {
     |                              ----^^
     |                              |
     |                              help: remove this `mut`
 5 years ago
Victor Julien 67b5295bbc dcerpc/tcp: add missing detect state cleanup 5 years ago
Philippe Antoine 1fd6f5bc61 http2: asymetric sizes for headers tables 
The headers table from client to server
and the one from server to client
may have different maximum sizes
(even if both endpoints have to keep both tables)
 5 years ago
Philippe Antoine aaa69fe3c5 smb: resistance against padding evasions 
Scenario is use of dummy padding in write AndX request
or other similar commands using a data offset.

Parsing skips now these dummy bytes, and generates one event
 5 years ago
Philippe Antoine caa7946888 smb: adds file overlap event against evasions 
Evasion scenario is
- a first dummy write of one byte at offset 0 is done
- the second full write of EICAR at offset 0 is then done
and does not trigger detection

The last write had the final value, and as we cannot "cancel"
the previous write, we set an event which is then transformed into
an app-layer decoder alert
 5 years ago
Philippe Antoine 3e96f96153 rdp: fix incomplete result 
Aggregating the consumed bytes
 5 years ago
Jason Ish 0529a00ffd dhcp: set unidirection transaction flag 5 years ago
Jason Ish 3036ec4db0 ikev2: set unidirection transaction flag 5 years ago
Jason Ish ff674d0cd0 mqtt: set unidirection transaction flag 5 years ago
Jason Ish 54d5f336d4 sip: set unidirection transaction flag 5 years ago
Jason Ish 1d40d0c5f9 rdp: set unidirection transaction flag 5 years ago
Jason Ish f7dee602e9 krb5: set unidirection transaction flag 5 years ago
Jason Ish 984d3c7f20 ntp: set unidirection transaction flag 5 years ago
Jason Ish fc7d59d92f snmp: set unidirectional transaction flag 5 years ago
Philippe Antoine 64fcba228b http2: complete parsing of priority frames 5 years ago
Philippe Antoine c300a859a0 http2: keep track of dynamic headers table size 
And evict entries accordingly to maximum size
 5 years ago
Philippe Antoine 1a21eea0e9 http2: variable size integers decoded everywhere 5 years ago
Philippe Antoine b21acfbf21 http2: StreamIdReuse frame types exceptions 
Also handles better the state so as not to revert from
HTTP2StateHalfClosedClient to HTTP2StateDataServer and not
go to final HTTP2StateClosed
 5 years ago
Philippe Antoine 89573060d9 http2: use variable integer for headers lengths 5 years ago
Shivani Bhardwaj 97c67cd5ce dcerpc: fix gap handling 
This patch addresses issues discovered by redmine ticket 3896. With the
approach of finding latest record, there was a chance that no record was
found at all and consumed + needed became input length.

e.g.
input_len = 1000
input = 01 05 00 02 00 03 a5 56 00 00 .....

There exists no |05 00| identifier in the rest of the record. After
having parsed |05 00|, there was a search for another record with the
leftover data. Current data length at this point would be 997. Since the
identifier was not found in the data, we calculate the consumed bytes at
this point i.e. consumed = current_data.len() - 1 which would be 996.
Needed bytes still stay at a constant of 2. So, consumed + needed = 996
+ 2 = 998 which is lesser than initial input length of 1000 and hence
the assertion fails.

There could be two fixes to this problem.
1. Finding the latest record but making use of the last found record in
   case no new record was found.
2. Always use the earliest record.

This patch takes the approach (2). It also makes sure that the gap and
current direction are the same.
 5 years ago
Philippe Antoine 4f963717f8 fuzz: better configure checks for MSAN building 
More compatible check for rust nightly
Checks for CARGO_BUILD_TARGET
Builds release or debug mode independently
 5 years ago
Victor Julien 5d985c4271 dcerpc: implement tx free function 5 years ago
Victor Julien 8b2886635f dcerpc/tcp: implement trunc logic 
When one side of the connection reaches the STREAM_DEPTH condition the
parser should be aware of this. Otherwise transactions will forever be
waiting for data in that direction.
 5 years ago
Victor Julien 4da0d9bdea applayer/rust: expose truncate callback 5 years ago
Shivani Bhardwaj 301454e9e4 dcerpc: fix datatypes while handling stub data 5 years ago
Shivani Bhardwaj 3fd9a3d420 dcerpc: fix datatype for stub data len 5 years ago
Philippe Antoine 222b386102 rust: rebuilds std when building fuzzers 
so as to have MSAN working
 5 years ago
Philippe Antoine 15447cc672 dceprc: signature rust check with is_char_boundary 
before calling split_at which would panic
 5 years ago
Philippe Antoine 6694737fcf http2: settings from http1 upgrade 5 years ago
Philippe Antoine 7011bddf84 http2: mimic HTTP1 request from upgrade 5 years ago
Philippe Antoine 9d1b030ff0 http2: first connection upgrade from http1 5 years ago
Philippe Antoine 547d6c2d78 applayer: pass parameter to StateAlloc 
This parameter is NULL or the pointer to the previous state
for the previous protocol in the case of a protocol change,
for instance from HTTP1 to HTTP2

This way, the new protocol can use the old protocol context.
For instance, HTTP2 mimicks the HTTP1 request, to have a HTTP2
transaction with both request and response
 5 years ago
Sascha Steinbiss ed9fed4958 mqtt: add some extra tests for varint parsing 5 years ago
Philippe Antoine 1a88df7e88 http2: handles incomplete frames after banner 
To signal incomplete data, we must return the number of
consumed bytes. When we get a banner and some records, we have
to take into account the number of bytes already consumed by
the banner parsing before reaching an incomplete record.
 5 years ago
Philippe Antoine 7ab9a01db2 mqtt: limit size of variable integer 5 years ago
Philippe Antoine e3b28bcf2a http2: returns error in case of index 0 
As is documented in RFC 7541, section 6.1
The index value of 0 is not used.  It MUST be treated as a decoding
error if found in an indexed header field representation.
 5 years ago
Jason Ish e9fec043b5 rust/util: expose function to test strings for valid UTF-8 
rs_check_utf8 will check that the provided string is valid
UTF-8 by converting it to a Rust string and returning true
or false.
 5 years ago
Simon Dugas 7f26246ce1 dns: parse and log fields for SOA record type 
Added `dns_parse_rdata_soa` to parse SOA fields into an `DNSRDataSOA`
struct.

Added logging for answer and authority SOA records in both version
1 & 2, as well as grouped formats.
 5 years ago
Simon Dugas af498fd840 dns: use nom's rest to take all remaining rdata 
Using nom's `rest` combinator eliminates the need to call the do_parse
macro for parsing a single element.
 5 years ago
Simon Dugas 8005f50647 dns: refactor to handle more rdata formats 
Represent rdata as `DNSRData` enum variants instead of `Vec<u8>`.
This will allow parsing/logging of more complex formats like SOA.
 5 years ago