aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
14,649 Commits
7 Branches
155 Tags
192 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f8620d0ed2'
${ noResults }
Commit Graph

1263 Commits (f8620d0ed228766db4b5fd6bd43a216120713dcf)

Author SHA1 Message Date
Philippe Antoine c1b7befb18 smb: checks against nbss records length 
When Suricata handles files over SMB, it does not wait for the
NBSS record to be complete, and can stream the payload to the
file... But it did not check the consistency of the SMB record
length being read or written against the NBSS record length.

This could lead to an evasion where an attacker crafts a SMB
write with a too big Length field, and then sends its evil
payload, even if the server returned an error for the write request.

Ticket: #5770
 2 years ago
Jason Ish f15f092a69 rfb: remove duplicate logging of depth 
The "depth" field in the "pixel_format" object was being logged twice.

Issue: 5813
 2 years ago
Jason Ish 717e2b0248 smb: fix duplicate interface logging 
An array of interfaces was being logged without creating an array,
resulting in duplicate "interface" objects being logged. Instead put
these interfaces into an array like already done elsewhere.

Issue: 5814
 2 years ago
Jason Ish 67baab573b smb: remove duplicate tree_id logging 
Remove the second occurrence of tree_id logging which appears to
always be a duplicate of the first tree_id logged, even though they
come from different data structures.

Issue: 5811
 2 years ago
Jason Ish e21ae88e05 rust: utility function to copy Rust strings to C strings 
As there are a few places where a Rust string is copied into a provided
C string buffer, create a utility function to take care of these
details.
 2 years ago
Jason Ish 6344501dba tls: fix date logging for dates before 1970 
The Rust time crate used by the x509-parser crate represents dates
before 1970 as negative numbers which do not survive the conversion to
SCTime_t and formatting with the current time formatting functions.

Instead of fixing our formatting functions to handle such dates,
create a Rust function for logging TLS dates directly to JSON using
the time crate that handles such dates properly.

Also add a FFI function for formatting to a provided C buffer for the
legacy tls-log.

Issue: 5817
 2 years ago
Jason Ish 64cb687a65 rust: suppress specific manual_flatten list 
In this case of debug code, the explicit iterator seems to make more
sense.
 2 years ago
Jason Ish 7080ecbb76 rust: remove explicit lifetimes where not needed 2 years ago
Jason Ish e7f5bd047d rust: fix needless borrows of references 
Fixed automatically by cargo clippy --fix.
 2 years ago
Jason Ish 29f345af1a rust: allow uninlined_format_args 
Newer versions of Rust/clippy are getting picky about format strings.
We should allow and use the new style, but also not prevent the old
style.
 2 years ago
Jason Ish 3f4dad8676 ftp: add events for command too long 
Issue: 5235
 2 years ago
Jason Ish 48920bd784 rust/derive: allow event name to be set as attribute 
When deriving AppLayerEvent, allow the event name to be set with the
"name" attribute in cases where the transformed name is not suitable.

This allows us to use enum variant names like
"FtpEventRequestCommandTooLong" for direct use in C, but is also a
name that doesn't transform well to an event name in rules, where we
want to see "request_command_too_long".
 2 years ago
Philippe Antoine b52293b609 dcerpc: config limit maximum number of live transactions 
As is done for other protocols

Ticket: #5779
 2 years ago
Philippe Antoine ba99241957 http2: fix leak with range files 
Ticket: #5808

May have been introduced by a24d7dc45c

Function http2_range_open expects to be called only when
tx.file_range is nil. One condition to ensure this is to check
that we are beginning the files contents. The filetracker field
file_open is not fit for this, as it may be reset to false.
 2 years ago
Victor Julien 37f13a4fc7 smb: set defaults for file transfer limits 
Ticket: #5782.
 2 years ago
Jason Ish fab3f36b8c dns: never return error on UDP DNS 
UDP parsers should never return error as it should indicate to Suricata
that an unrecoverable error has occurred.  UDP being record based for
the most part is almost always recoverable, at least for protocols like
DNS.
 2 years ago
Jason Ish d720ead470 dns: split header and body parsing 
As part of extra header validation, split out DNS body parsing to
avoid the overhead of parsing the header twice.
 2 years ago
Jason Ish 595700ab7e dns: validate header on every incoming message 
As UDP streams getting probed, a stream that does not appear to be DNS
at first, may have a single packet that does look close enough to DNS
to be picked up as DNS causing every subsequent packet to result in a
parser error.

To mitigate this, probe every incoming DNS message header for validity
before continuing onto the body.  If the header doesn't validate as
DNS, just ignore the packet so no parse error is registered.
 2 years ago
Jason Ish c98c49d4ba dns: parse and alert on invalid opcodes 
Accept DNS messages with an invalid opcode that are otherwise
valid. Such DNS message will create a parser event.

This is a change of behavior, previously an invalid opcode would cause
the DNS message to not be detected or parsed as DNS.

Issue: #5444
 2 years ago
Jason Ish 7afc2e3aed dns: rustfmt 2 years ago
Jason Ish 39d2524bf6 dns: mark test buffers with rustfmt::skip 2 years ago
Victor Julien 6cc9811edd files: move FileContainer into FileTransferTracker 
Update SMB, NFS, HTTP2.
 2 years ago
Victor Julien e3e55406a7 files: update API and callers to take stream config 
This is to allow not storing the stream buffer config in each file.
 2 years ago
Victor Julien 71bc9e75f5 app-layer: get sbconfg with files 2 years ago
Victor Julien a1a221066f files: remove filecontainer drop trait 
In preparation of it becoming impossible to use due to the free
function getting an cfg argument.
 2 years ago
Victor Julien 0320c03f8c http2: explicity free files 
In preparation of adding an argument to the free functions which
means the drop trait can't be used anymore.
 2 years ago
Victor Julien 4b1e9f7c21 smb: explicity free files 
In preparation of adding an argument to the free functions which
means the drop trait can't be used anymore.
 2 years ago
Victor Julien 3a24cce289 nfs: explicity free files 
In preparation of adding an argument to the free functions which
means the drop trait can't be used anymore.
 2 years ago
Victor Julien 4bfeac6591 nfs: file handling cleanups 2 years ago
Victor Julien 33f6a16290 smb: file handling cleanups 2 years ago
Victor Julien d57510a10f files: remove unused Rust binding for file pruning 2 years ago
Victor Julien a24d7dc45c smb: fix post-trunc chunk behavior 
After a gap in a file transaction, the file tracker is truncated. However
this did not clear any stored out of order chunks from memory or stop more
chunks to be stored, leading to accumulation of a large number of chunks.

This patches fixes this be clearing the stored chunks on trunc. It also
makes sure no more chunks are stored in the tracker after the trunc.

Bug: #5781.
 2 years ago
Philippe Antoine 55c4834e4e smb: configurable max number of transactions per flow 
Ticket: #5753
 2 years ago
Philippe Antoine 1d9183638f smb: convert transaction list to vecdeque 
Allows for more efficient removal from front of the list.

Ticket: #5753
 2 years ago
Philippe Antoine cb89192ec3 smb: fix typo in comment 2 years ago
Haleema Khan cfcb7df9dc mqtt: rustfmt parser.rs 2 years ago
Haleema Khan 23acb89653 mqtt: add unittests for nom7 parsers 
Ticket: #5742
 2 years ago
Haleema Khan cdc5ccd7f7 rfb: rustfmt parser.rs 2 years ago
Haleema Khan b95d7efbd0 rfb: add unittests for nom7 parsers 
Task: #5741
 2 years ago
Philippe Antoine 3979acb5ed smb: set event for ntlmssp unusual order 2 years ago
Philippe Antoine e41c01a483 smb: rustfmt ntlmssp_records.rs 2 years ago
Philippe Antoine 1db8685848 smb/ntlmssp: parse fields independently of order 
Instead of relying on the usual ordering...

Ticket: #5258
 2 years ago
Jason Ish ae192ebae7 rust: sync log levels with C 2 years ago
Jeff Lucovsky f8474344cd log: Add module and subsystem identifiers to log 
Issue: 2497

This changeset provides subsystem and module identifiers in the log when
the log format string contains "%S". By convention, the log format
surrounds "%S" with brackets.

The subsystem name is generally the same as the thread name. The module
name is derived from the source code module name and usually consists of
the first one or 2 segments of the name using the dash character as the
segment delimiter.
 2 years ago
Victor Julien b31ffde6f4 output: remove error codes from output 2 years ago
Jason Ish bd9adac3ac rust/clippy: comments on why we have specific allows 2 years ago
Jason Ish dfd7abe185 rust/clippy: fix lint: type_complexity 
Convert a DNS sub-parser to use a return type rather than a large
tuple. For mqtt, allow the lint for now, but remove the global allow.
 2 years ago
Jason Ish e49ce49471 rust/clippy: allow result_unit_err in http2 only 
Its the only module making use of this pattern, but we shouldn't let
new modules use this pattern.
 2 years ago
Jason Ish 7ba2dadc7f rust/clippy: fix lint: upper_case_acronyms 2 years ago
Jason Ish 029ac650d7 rust/clippy: fix lint: manual_find 
These get_tx methods look like ideal candidates for generic and/or
derived methods.
 2 years ago
Jason Ish 4940dfb3bd rust/clippy: fix lint: len_without_is_empty 2 years ago
Jason Ish e1cffd348f rust/clippy: fix lint: field_reassign_with_default 2 years ago
Jason Ish 9df7c326b9 rust/clippy: remove allow: collapsible_else_if 2 years ago
Jason Ish 30ee5fc835 rust/clippy: remove allow: collapsible_if 
Already clean.
 2 years ago
Jason Ish da12b77f18 rust/clippy: fix lint: new_without_default 2 years ago
Jason Ish c4cf062a6f rust/clippy: fix lint: redundant_pattern_matching 2 years ago
Jason Ish 7c293ff68f rust/clippy: fix lint: never_loop 2 years ago
Jason Ish e8823644ec rust/clippy: fix lint: nonminimal_bool 2 years ago
Jason Ish 53ae0c8a06 rust/clippy: fix lint: derive_partial_eq_without_eq 2 years ago
Jason Ish 5d62995e26 rust/clippy: fix lint: explicit_counter_loop 2 years ago
Jason Ish f250b92180 rust/clippy: fix lint: extra_unused_lifetimes 2 years ago
Jason Ish 3044565cf4 rust/clippy: fix lint: needless_range_loop 2 years ago
Jason Ish 2ac52d0610 rust/clippy: remove lint: for_loops_over_fallibles 
Already clean.
 2 years ago
Jason Ish c026d8531b rust/clippy: fix lint: match_ref_pats 2 years ago
Jason Ish 359d5fcb7e rust/clippy: fix lint: needless_lifetimes 2 years ago
Jason Ish 4e001688de rust/clippy: remove lint: bool_comparison 
Already clean.
 2 years ago
Jason Ish f15ffbc869 rust/clippy: fix lint: single_match 
Allow this lint in some cases where a match statement adds clarity.
 2 years ago
Jason Ish 925bc74c1f rust/clippy: fix lint: while_let_loop 2 years ago
Jason Ish cf20fa1e67 template: import c_void, c_char, c_int 
These are ffi types that are commonly used, import them so they can be
used by their short names instead of a fully qualified name.
 2 years ago
Jason Ish 4220f18258 template: remove no_mangle and pub where not needed 
Extern functions that are only used as a function pointer do not
require "pub" or "no_mangle".
 2 years ago
Jason Ish 4a7567b3f0 template: rename template-rust to template 
Remove the distinction between the C template protocol "template" and
the Rust template protocol "template-rust" and make the Rust parser
simply template now that we no longer have support to generate a C
protocol template.
 2 years ago
Jason Ish 38321a213f rust/app-layer-template: rustfmt 2 years ago
Jason Ish 50a787a9a3 app-layer-template-rust: remove C app-layer stub 
Remove the app-layer-PROTO stub for Rust based parsers.  It is no longer
needed as Rust parsers now contain the registration function in Rust.

Ticket: 4939
 2 years ago
Jason Ish baa7021ee6 rust/conf: add fn conf_get_node 
A wrapper around ConfGetNode to get a configuration node by name.
 2 years ago
Victor Julien 64c0459d2d rust/lzma: clippy fixup 2 years ago
Jason Ish 35f99d1af7 rust/http2: fix clippy lint for is_empty() 
This snuck through as "cargo clippy" check wasn't finding lints that
were fixed by the previous test for fixable lints.
 2 years ago
Todd Mortimer 7d1a8cc335 file/swf: Use lzma-rs decompression instead of libhtp. 
Use the lzma-rs crate for decompressing swf/lzma files instead of
the lzma decompressor in libhtp. This decouples suricata from libhtp
except for actual http parsing, and means libhtp no longer has to
export a lzma decompression interface.

Ticket: #5638
 2 years ago
Victor Julien 45eb038e63 smb: fix file reopening issue 
Fuzzing highlighted an issue where a command sequence on the same file
id triggered a logging issue:

file data for id N
close id N
file data for id N

If this happened in a single blob of data passed to the parser, the
existing file tx would be reused, the file "reopened", confusing the
file logging logic. This would trigger a debug assert.

This patch makes sure a new file tx is created for the file data
coming in after the first file tx is closed.

Bug: #5567.
 2 years ago
Philippe Antoine 29f40c9e07 dcerpc: fix integer underflow 
as input.len() can be 65536, it cannot be directly cast to u16

Ticket: #5557
 2 years ago
Jason Ish 91617f479a rust: sha-1 is now sha1 
This is the same crate, but renamed to be more consistent with the
RustCrypto project naming. Some recent discussion is available here:

    https://github.com/RustCrypto/hashes/issues/438
 2 years ago
Philippe Antoine af44504550 smb: do not use tree id to match request and response 
Completes commit e94920b49f

This must be true for access to state ssn2vecoffset_map

Ticket: #5161
 2 years ago
Victor Julien cade6046c5 rust/files: open file without trackid as pointer 2 years ago
Victor Julien ad869e1c52 rust/filecontainer: remove unused declaration 2 years ago
Philippe Antoine 086b28da3d http2: fix decompression buffering 
It was not enough to set Cursor position to 0,
also its inner Vec should be cleared.

This way, a new input gets written at the beginning of the
Cursor and its inner Vec...

Ticket: #5691
 2 years ago
Philippe Antoine c6349d3cfc http2: support padded data frames 
Ticket: #5691
 2 years ago
Philippe Antoine e1ee401a12 quic: use VecDeque 
Ticket: #5637
 2 years ago
Philippe Antoine 286bd2a7ed rust: fix cargo clippy --all-features 2 years ago
Philippe Antoine bc287018e5 rust: cargo clippy --all-features --fix --allow-no-vcs 2 years ago
Philippe Antoine cd4bf518f3 rust: fix warnings on rustc 1.67.0-nightly 
warning: for loop over an `Option`. This is more readably written
as an `if let` statement
 2 years ago
Juliana Fajardini a654ef50de pgsql: add test for parameter status parser 
Since we've done some changes to how the parameters are parsed, add one
more test case to check that.

Bug #5579
 2 years ago
Juliana Fajardini c4fbd78770 pgsql: move database into opt parameters list 
For StartupMessages, the database parameter is optional. This moves the
parameter into the optional_parameters list.

Bug #5579
 2 years ago
Philippe Antoine cc68898532 pgsql: support empty parameter values 
Bug #5579
 2 years ago
Philippe Antoine 1e0190bc6b pgsql: support out of order parameters for startup message 
As user can be not the first parameter

Bug #5579
 2 years ago
Jason Ish 1f056f9974 bittorrent-dht: parse and log node6 lists 
Node6 lists are just like node lists, but for IPv6 addresses.
 2 years ago
Jason Ish 86d5ab8644 bittorrent-dht: remove tests that are no longer valid 2 years ago
Jason Ish 2f9eb5d1dd bittorrent-dht: fix values decoding, as a list of peers 
The "values" field is not a string, but instead peer information in
compact format. Decode this properly and then properly format in the
log.
 2 years ago
Jason Ish 4a0859beeb jsonbuilder: add append_hex - add hex to array 
New method, append_hex to add a byte array to a JSON array in hex
encoding.
 2 years ago
Jason Ish 4bc9cf3986 bittorrent-dht: parse token and target as byte values 2 years ago
Jason Ish 5a30ee77a1 bittorrent-dht: only attempt to parse dht messages 
The bittorrent flow is shared with transport messages as well as dht
messages. Only attempt to parse dht message as dht, ignore the rest.
 2 years ago
Jason Ish 98a9391210 bittorrent-dht: decode node data structures 
Instead of decoding the nodes field into a blog of bytes, decode it into
an array of node info objects, each with a node id, IP address and port.
 2 years ago