aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
suricata/rust/src/lib.rs

149 lines
3.4 KiB
Rust
Raw Permalink Normal View History Unescape Escape

quic: Add QUIC App Layer Parses quic and logs a CYU hash for gquic frames
5 years ago
/* Copyright (C) 2017-2021 Open Information Security Foundation
rust: wrapper around C logging, and "context" Where the context is a struct passed from C with pointers to all the functions that may be called. Instead of referencing C functions directly, wrap them in function pointers so pure Rust unit tests can still run.
8 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
rust/doc: add docstring to rust module files. Issue: #4584
2 years ago
//! Suricata is a network intrusion prevention and monitoring engine.
//!
//! Suricata is a hybrid C and Rust application. What is found here are
//! the components written in Rust.
rust: --enable-rust-strict to turn warnings into errors
8 years ago
#![cfg_attr(feature = "strict", deny(warnings))]
rust: don't allow fixed up clippy lints
3 years ago
// Allow these patterns as its a style we like.
#![allow(clippy::needless_return)]
#![allow(clippy::let_and_return)]
rust: allow uninlined_format_args Newer versions of Rust/clippy are getting picky about format strings. We should allow and use the new style, but also not prevent the old style.
3 years ago
#![allow(clippy::uninlined_format_args)]
rust: don't allow fixed up clippy lints
3 years ago
rust: allow clippy::items_after_test_module As clippy began to complain about jsonbuilder.rs
2 years ago
// We find this is beyond what the linter should flag.
#![allow(clippy::items_after_test_module)]
rust/clippy: comments on why we have specific allows
3 years ago
// We find this makes sense at time.
#![allow(clippy::module_inception)]
rust: allow some more clippy lints Allow these lints for now until some more investigation can be done, as --fix attempts to fix these.
3 years ago
rust/clippy: comments on why we have specific allows
3 years ago
// The match macro is not always more clear. But its use is
// recommended where it makes sense.
rust(lint): suppress clippy lints that we should fix Suppress all remaining clippy lints that we trip. This can be fixed on a per-lint basis.
4 years ago
#![allow(clippy::match_like_matches_macro)]
rust/clippy: comments on why we have specific allows
3 years ago
// Something we should be conscious of, but due to interfacing with C
// is unavoidable at this time.
#![allow(clippy::too_many_arguments)]
rust/clippy: allow derivable impls The latest Rust will automatically "fix" derivable default implementation, which is nice, but makes changes that don't meet our current MSRV, so allow derivable impls for now.
2 years ago
// This would be nice, but having this lint enables causes
// clippy --fix to make changes that don't meet our MSRV.
#![allow(clippy::derivable_impls)]
rust/clippy: comments on why we have specific allows
3 years ago
// TODO: All unsafe functions should have a safety doc, even if its
// just due to FFI.
#![allow(clippy::missing_safety_doc)]
rust: allow some clippy lints without warning Suppresses some clippy lints that have more to do with style than anything else, to reduce the amount of noise in the clippy output.
5 years ago
rust: compatibility with cbindgen 0.27 Ticket: 7206 Cbindgen 0.27 now handles extern blocks as extern "C" blocks. The way to differentiate them is to use a special comment before the block.
12 months ago
// Allow /// cbindgen:ignore comments on extern blocks
// cf https://github.com/mozilla/cbindgen/issues/709
#![allow(unused_doc_comments)]
rust: allow static_mut_refs for now But we should fix all these soon.
8 months ago
// Allow unknown lints, our MSRV doesn't know them all, for
// example static_mut_refs.
#![allow(unknown_lints)]
protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions
6 years ago
#[macro_use]
extern crate bitflags;
extern crate byteorder;
rust/nfs: add (file)handle to log as crc32
8 years ago
extern crate crc;
protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions
6 years ago
extern crate memchr;
smb: use lru for guid2name map; rename Use `lru` crate. Rename to reflect this. Add `app-layer.protocols.smb.max-guid-cache-size` to control the max size of the LRU cache. Ticket: #5672.
10 months ago
extern crate lru;
protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions
6 years ago
#[macro_use]
extern crate num_derive;
extern crate widestring;
rust/nfs: add (file)handle to log as crc32
8 years ago
rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)
8 years ago
extern crate der_parser;
auth/krb5: move kerberos5 wrapper to rust root Make it available outside of just the SMB parser.
7 years ago
extern crate kerberos_parser;
protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions
6 years ago
extern crate tls_parser;
extern crate x509_parser;
rust/ldap: implement types and filters This implementation adds types and filters specified in the LDAP RFC to work with the ldap_parser. Although using the parser directly would be best, strange behavior has been observed during transaction logging. It appears that C pointers are being overwritten, leading to incorrect output when LDAP fields are logged.
1 year ago
extern crate ldap_parser;
rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)
8 years ago
dns: use derive macro for DNSEvent
6 years ago
#[macro_use]
extern crate suricata_derive;
rust: dns: add log filtering on rrtype While the filtering is still configured in C, the filtering flags are passed into Rust so it can determine if a record should be logged or not.
8 years ago
#[macro_use]
rust: wrapper around C logging, and "context" Where the context is a struct passed from C with pointers to all the functions that may be called. Instead of referencing C functions directly, wrap them in function pointers so pure Rust unit tests can still run.
8 years ago
pub mod core;
rust: dns: add log filtering on rrtype While the filtering is still configured in C, the filtering flags are passed into Rust so it can determine if a record should be logged or not.
8 years ago
rust: add take_until_and_consume replacement function
6 years ago
#[macro_use]
rust/logging: fix logging from plugins Commit 2bcc66da5826fa0e6e074a756754b295e5ac4da2 broke logging from plugins: - debug visibility was reduced making it unusable from an external crate - the plugins view of the log level was broken To fix: - make debug pub - minor change to initialization of the log LEVEL as seen by the plugin so its seen by the plugin. I'm not really sure why the previous version wasn't working though, but this one does
6 months ago
pub mod debug;
rust/log: move rust log and debug utils to debug module Move Rust logging, and debug_validation to a debug module to mirrow the C side.
6 months ago
rust: add take_until_and_consume replacement function
6 years ago
pub mod common;
rust: stub out configuration access functions
8 years ago
pub mod conf;
jsonbuilder: new module for generating json JsonBuilder is a Rust module for creating JSON output. Unlike Jansson, the final JSON string is built up as items are added, instead of building up an object tree and rendering it when done. The idea is to create a more efficient JSON serializer instead of a flexible one.
6 years ago
pub mod jsonbuilder;
rust/app-layer: macros to export de_state functions These macros generate the extern "C" functions for transactions structs that need provide functions for setting and getting the de_state. The idea is to provide macros do avoid code duplication and make it simpler to create an app-layer. A trait would be the correct solution, but it doesn't look like you can use traits to export extern "C" functions.
7 years ago
#[macro_use]
rust: use LoggerFlags type to track logged state
8 years ago
pub mod applayer;
app/frames: implement rust API
4 years ago
pub mod frames;
rust: filecontainer API Wrapper around Suricata's File and FileContainer API. Built around assumption that a rust owned structure will have a 'SuricataFileContainer' member that is managed by the C-side of things.
8 years ago
pub mod filecontainer;
rust: filetracker API Initial version of a filetracker API that depends on the filecontainer and wraps around the Suricata File API in C. The API expects chunk based transfers where chunks can be out of order.
8 years ago
pub mod filetracker;
auth/krb5: move kerberos5 wrapper to rust root Make it available outside of just the SMB parser.
7 years ago
pub mod kerberos;
detect: rust generic functions for integers Move it away from http2 to generic core crate. And use it for DCERPC (and SMB) And remove the C version. Main change in API is the free function is not free itself, but a rust wrapper around unbox. Ticket: #4112
3 years ago
pub mod detect;
rust/base64: add decoder Add a pure rust base64 decoder. This supports 3 modes of operation just like the C decoder as follows. 1. RFC 2045 2. RFC 4648 3. Strict One notable change is that "strict" mode is carried out by the rust base64 crate instead of native Rust. This crate was already used for encoding in a few places like datasets of string type. As a part of this mode, now, only the strings that can be reliably converted back are decoded. The decoder fn is available to C via FFI. Bug 6280 Ticket 7065 Ticket 7058
1 year ago
pub mod utils;
rust: lua wrapper Rust wrapper for working with lua state.
8 years ago
ja4: implement for TLS and QUIC Ticket: OISF#6379
1 year ago
pub mod ja4;
tls: Move tls-versions to rust This commit is designed in preparation of enabling the handshake object to log it's own contents rather than being done on the C side. Moving the tls versions functionality to rust has a couple of uses: 1. Allows both rust and C side to use these fields 2. Moves more of the tls related logic to rust 3. C side can still use these values because of cbindgen
2 months ago
pub mod tls_version;
tls: Introduce HandshakeParams object for tracking Ticket: 6695 This introduction splits the use of the handshake parameters into their own object, HandshakeParams, which is populated by the TLS decoder. The JA4 object is now very simple. It's a simple String object (the JA4 Hash) which is generated during new(). This introduction is part of a larger idea, which is to enable outputting these raw parameters without JA3/JA4. These handshake parameters are the components used to generate the JA4 hash, thus it makes sense for it to be a user of HandshakeParams.
3 months ago
pub mod handshake;
ja4: implement for TLS and QUIC Ticket: OISF#6379
1 year ago
rust: lua wrapper Rust wrapper for working with lua state.
8 years ago
pub mod lua;
rust: dns: nom DNS parsers
8 years ago
pub mod dns;
mdns: add mdns parser, logger and detection The mDNS support is based heavily on the DNS support, reusing the existing DNS parser where possible. This meant adding variations on DNS, as mDNS is a little different. Mainly being that *all* mDNS traffic is to_server, yet there is still the concept of request and responses. Keywords added are: - mdns.queries.rrname - mdns.answers.rrname - mdns.additionals.rrname - mdns.authorities.rrname - mdns.response.rrname They are mostly in-line with the DNS keywords, except mdns.answers.rdata which is a better than that mdns.response.rrname, as its actually looking at the rdata, and not rrnames. mDNS has its own logger that differs from the DNS logger: - No grouped logging - In answers/additionals/authorities, the rdata is logged in a field that is named after the rdata type. For example, "txt" data is no longer logged in the "rdata" field, but instead a "txt" field. We currently already did this in DNS for fields that were not a single buffer, like SOA, SRV, etc. So this makes things more consistent. And gives query like semantics that the "grouped" object was trying to provide. - Types are logged in lower case ("txt" instead of "TXT") - Flags are logged as an array: "flags": ["aa", "z"] Ticket: #3952
2 months ago
pub mod mdns;
rust/nfs: NFSv3 parser, logger and detection
8 years ago
pub mod nfs;
app-layer-ftp: add ftp-data support Use expectation to be able to identify connections that are ftp data. It parses the PASV response, STOR message and the RETR message to provide extraction of files. Implementation in Rust of FTP messages parsing is available. Also this patch changes some var name prefixed by ssh to ftp.
8 years ago
pub mod ftp;
rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)
8 years ago
pub mod smb;
Add Kerberos 5 application layer
7 years ago
pub mod krb;
dcerpc: Replace C function calls with Rust All the dead code in C after the Rust implementation is hereby removed. Invalid/migrated tests have also been deleted. All the function calls in C have been replaced with appropriate calls to Rust functions. Same has been done for smb/detect.rs as a part of this migration.
5 years ago
pub mod dcerpc;
modbus: move from C to rust Adds a new rust modbus app layer parser and detection module. Moves the C module to rust but leaves the test cases in place to regression test the new rust module.
5 years ago
pub mod modbus;
Add NTP parser (rust-experimental)
8 years ago
ikev1: rename ikev2 to common ike Renaming was done with shell commands, git mv for moving the files and content like find -iname '*.c' | xargs sed -i 's/ikev1/ike/g' respecting the different mixes of upper/lower case.
5 years ago
pub mod ike;
Add SNMP (v1/v2c/v3) application layer
7 years ago
pub mod snmp;
Add new parser: IKEv2 Add a new parser for Internet Key Exchange version (IKEv2), defined in RFC 7296. The IKEv2 parser itself is external. The embedded code includes the parser state and associated variables, the state machine, and the detection code. The parser looks the first two messages of a connection, and analyzes the client and server proposals to check the cryptographic parameters.
8 years ago
Add NTP parser (rust-experimental)
8 years ago
pub mod ntp;
rust/tftp: add tftp parsing and logging TFTP parsing and logging written in Rust. Log on eve.json the type of request (read or write), the name of the file and the mode. Example of output: "tftp":{"packet":"read","file":"rfc1350.txt","mode":"octet"}
8 years ago
pub mod tftp;
rust/dhcp: Rust based DHCP decoder and logger. This is a DHCP decoder and logger written in Rust. Unlike most parsers, this one is stateless so responses are not matched up to requests by Suricata. However, the output does contain enough fields to match them up in post-processing. Rules are included to alert of malformed or truncated options.
7 years ago
pub mod dhcp;
rust/sip: add parser for SIP protocol
7 years ago
pub mod sip;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
pub mod rfb;
rust/mqtt: add MQTT parser
5 years ago
pub mod mqtt;
pgsql: add initial support - add nom parsers for decoding most messages from StartupPhase and SimpleQuery subprotocols - add unittests - tests/fuzz: add pgsql to confyaml Feature: #4241
4 years ago
pub mod pgsql;
telnet: initial support with frames Bootstrapped using setup script. Basic option parsing for purpose of tagging frames.
4 years ago
pub mod telnet;
app-layer: websockets protocol support Ticket: 2695
2 years ago
pub mod websocket;
enip: convert to rust Ticket: 3958 - transactions are now bidirectional - there is a logger - gap support is improved with probing for resync - frames support - app-layer events - enip_command keyword accepts now string enumeration as values. - add enip.status keyword - add keywords : enip.product_name, enip.protocol_version, enip.revision, enip.identity_status, enip.state, enip.serial, enip.product_code, enip.device_type, enip.vendor_id, enip.capabilities, enip.cip_attribute, enip.cip_class, enip.cip_instance, enip.cip_status, enip.cip_extendedstatus
2 years ago
pub mod enip;
pop3: app-layer parser using sawp-pop3 This module uses the sawp-pop3 crate to parse POP3 requests and responses Features: - eve logging - events for parsable but non-RFC-compliant messages Ticket: 3243
4 months ago
pub mod pop3;
rust: app-layer template parser and logger The protocol is a simple request/reply based protocol that can be hand driven with netcat. Request -> 12:Hello World! Response -> 3:Byte Its of the format <length>:<message> where length is the length of the message, not including the length or the delimiter.
7 years ago
pub mod applayertemplate;
protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions
6 years ago
pub mod rdp;
ssl/tls: use the rust decoder to decode X.509 certificates
5 years ago
pub mod x509;
rust/asn1: Introduce ASN1 rust module This module uses the `der-parser` crate to parse ASN1 objects in order to replace src/util-decode-asn1.c It also handles the parsing of the asn1 keyword rules and detection checks performed in src/detect-asn1.c
5 years ago
pub mod asn1;
mime: move FindMimeHeaderTokenRestrict to rust Also fixes the case where the token name is present in a value
4 years ago
pub mod mime;
parse: move SSH parser from C to Rust
5 years ago
pub mod ssh;
http2: initial support
5 years ago
pub mod http2;
quic: Add QUIC App Layer Parses quic and logs a CYU hash for gquic frames
5 years ago
pub mod quic;
bittorrent-dht: add bittorrent-dht app layer Parses and logs the bittorrent-dht protocol. Note: Includes some compilation fixups after rebase by Jason Ish. Feature: #3086
5 years ago
pub mod bittorrent_dht;
rust/util: expose function to test strings for valid UTF-8 rs_check_utf8 will check that the provided string is valid UTF-8 by converting it to a Rust string and returning true or false.
5 years ago
pub mod plugin;
file/swf: Use lzma-rs decompression instead of libhtp. Use the lzma-rs crate for decompressing swf/lzma files instead of the lzma decompressor in libhtp. This decouples suricata from libhtp except for actual http parsing, and means libhtp no longer has to export a lzma decompression interface. Ticket: #5638
3 years ago
pub mod lzma;
rust/util: expose function to test strings for valid UTF-8 rs_check_utf8 will check that the provided string is valid UTF-8 by converting it to a Rust string and returning true or false.
5 years ago
pub mod util;
rust: add ffi module for sha256, sha1 and md5 Add a Rust module that exposes Rust implementations of sha256, sha1 and md5 from the RustCrypto project. This is an experiment in replacing the libnss hash functions with pure Rust versions that will allow us to remove nss as a compile time option. Initial tests are good, even with a 10% or so performance improvement when being called from C. Also trying a module naming scheme where modules under the ffi modules are purely for exports to C, as it doesn't make any sense to use this new hashing module directly from Rust.
5 years ago
pub mod ffi;
feature: provide a Rust binding to the feature API As the feature module is not available for Rust unit tests, a mock version is also provided.
2 years ago
pub mod feature;
rust/sdp: implement protocol parser This implements a parser for the SDP protocol. Given that SDP is encapsulated within other protocols (such as SIP), enabling it separately is not necessary. Ticket #6627.
1 year ago
pub mod sdp;
rust/ldap: implement types and filters This implementation adds types and filters specified in the LDAP RFC to work with the ldap_parser. Although using the parser directly would be best, strange behavior has been observed during transaction logging. It appears that C pointers are being overwritten, leading to incorrect output when LDAP fields are logged.
1 year ago
pub mod ldap;
rust/flow: move flow support to its own file (cleanup) Move the Rust Flow support from core.rs to flow.rs.
6 months ago
pub mod flow;
rust/direction: move direction to own file (cleanup) Move the implementation of Direction to its own file, direction.rs.
6 months ago
pub mod direction;
lua: use rust crate to vendor (bundle) lua Remove lua-dev(el) from all CI tests.
1 year ago
#[allow(unused_imports)]
pub use suricata_lua_sys;
http: Use libhtp-rs. Ticket: #2696 There are a lot of changes here, which are described below. In general these changes are renaming constants to conform to the libhtp-rs versions (which are generated by cbindgen); making all htp types opaque and changing struct->member references to htp_struct_member() function calls; and a handful of changes to offload functionality onto libhtp-rs from suricata, such as URI normalization and transaction cleanup. Functions introduced to handle opaque htp_tx_t: - tx->parsed_uri => htp_tx_parsed_uri(tx) - tx->parsed_uri->path => htp_uri_path(htp_tx_parsed_uri(tx) - tx->parsed_uri->hostname => htp_uri_hostname(htp_tx_parsed_uri(tx)) - htp_tx_get_user_data() => htp_tx_user_data(tx) - htp_tx_is_http_2_upgrade(tx) convenience function introduced to detect response status 101 and “Upgrade: h2c" header. Functions introduced to handle opaque htp_tx_data_t: - d->len => htp_tx_data_len() - d->data => htp_tx_data_data() - htp_tx_data_tx(data) function to get the htp_tx_t from the htp_tx_data_t - htp_tx_data_is_empty(data) convenience function introduced to test if the data is empty. Other changes: Build libhtp-rs as a crate inside rust. Update autoconf to no longer use libhtp as an external dependency. Remove HAVE_HTP feature defines since they are no longer needed. Make function arguments and return values const where possible htp_tx_destroy(tx) will now free an incomplete transaction htp_time_t replaced with standard struct timeval Callbacks from libhtp now provide the htp_connp_t and the htp_tx_data_t as separate arguments. This means the connection parser is no longer fetched from the transaction inside callbacks. SCHTPGenerateNormalizedUri() functionality moved inside libhtp-rs, which now provides normalized URI values. The normalized URI is available with accessor function: htp_tx_normalized_uri() Configuration settings added to control the behaviour of the URI normalization: - htp_config_set_normalized_uri_include_all() - htp_config_set_plusspace_decode() - htp_config_set_convert_lowercase() - htp_config_set_double_decode_normalized_query() - htp_config_set_double_decode_normalized_path() - htp_config_set_backslash_convert_slashes() - htp_config_set_bestfit_replacement_byte() - htp_config_set_convert_lowercase() - htp_config_set_nul_encoded_terminates() - htp_config_set_nul_raw_terminates() - htp_config_set_path_separators_compress() - htp_config_set_path_separators_decode() - htp_config_set_u_encoding_decode() - htp_config_set_url_encoding_invalid_handling() - htp_config_set_utf8_convert_bestfit() - htp_config_set_normalized_uri_include_all() - htp_config_set_plusspace_decode() Constants related to configuring uri normalization: - HTP_URL_DECODE_PRESERVE_PERCENT => HTP_URL_ENCODING_HANDLING_PRESERVE_PERCENT - HTP_URL_DECODE_REMOVE_PERCENT => HTP_URL_ENCODING_HANDLING_REMOVE_PERCENT - HTP_URL_DECODE_PROCESS_INVALID => HTP_URL_ENCODING_HANDLING_PROCESS_INVALID htp_config_set_field_limits(soft_limit, hard_limit) changed to htp_config_set_field_limit(limit) because libhtp didn't implement soft limits. libhtp logging API updated to provide HTP_LOG_CODE constants along with the message. This eliminates the need to perform string matching on message text to map log messages to HTTP_DECODER_EVENT values, and the HTP_LOG_CODE values can be used directly. In support of this, HTP_DECODER_EVENT values are mapped to their corresponding HTP_LOG_CODE values. New log events to describe additional anomalies: HTP_LOG_CODE_REQUEST_TOO_MANY_LZMA_LAYERS HTP_LOG_CODE_RESPONSE_TOO_MANY_LZMA_LAYERS HTP_LOG_CODE_PROTOCOL_CONTAINS_EXTRA_DATA HTP_LOG_CODE_CONTENT_LENGTH_EXTRA_DATA_START HTP_LOG_CODE_CONTENT_LENGTH_EXTRA_DATA_END HTP_LOG_CODE_SWITCHING_PROTO_WITH_CONTENT_LENGTH HTP_LOG_CODE_DEFORMED_EOL HTP_LOG_CODE_PARSER_STATE_ERROR HTP_LOG_CODE_MISSING_OUTBOUND_TRANSACTION_DATA HTP_LOG_CODE_MISSING_INBOUND_TRANSACTION_DATA HTP_LOG_CODE_ZERO_LENGTH_DATA_CHUNKS HTP_LOG_CODE_REQUEST_LINE_UNKNOWN_METHOD HTP_LOG_CODE_REQUEST_LINE_UNKNOWN_METHOD_NO_PROTOCOL HTP_LOG_CODE_REQUEST_LINE_UNKNOWN_METHOD_INVALID_PROTOCOL HTP_LOG_CODE_REQUEST_LINE_NO_PROTOCOL HTP_LOG_CODE_RESPONSE_LINE_INVALID_PROTOCOL HTP_LOG_CODE_RESPONSE_LINE_INVALID_RESPONSE_STATUS HTP_LOG_CODE_RESPONSE_BODY_INTERNAL_ERROR HTP_LOG_CODE_REQUEST_BODY_DATA_CALLBACK_ERROR HTP_LOG_CODE_RESPONSE_INVALID_EMPTY_NAME HTP_LOG_CODE_REQUEST_INVALID_EMPTY_NAME HTP_LOG_CODE_RESPONSE_INVALID_LWS_AFTER_NAME HTP_LOG_CODE_RESPONSE_HEADER_NAME_NOT_TOKEN HTP_LOG_CODE_REQUEST_INVALID_LWS_AFTER_NAME HTP_LOG_CODE_LZMA_DECOMPRESSION_DISABLED HTP_LOG_CODE_CONNECTION_ALREADY_OPEN HTP_LOG_CODE_COMPRESSION_BOMB_DOUBLE_LZMA HTP_LOG_CODE_INVALID_CONTENT_ENCODING HTP_LOG_CODE_INVALID_GAP HTP_LOG_CODE_ERROR The new htp_log API supports consuming log messages more easily than walking a list and tracking the current offset. Internally, libhtp-rs now provides log messages as a queue of htp_log_t, which means the application can simply call htp_conn_next_log() to fetch the next log message until the queue is empty. Once the application is done with a log message, they can call htp_log_free() to dispose of it. Functions supporting htp_log_t: htp_conn_next_log(conn) - Get the next log message htp_log_message(log) - To get the text of the message htp_log_code(log) - To get the HTP_LOG_CODE value htp_log_free(log) - To free the htp_log_t
2 years ago
//Re-export htp symbols
pub use htp::c_api::*;