aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '688efe79f0'
${ noResults }
suricata/rust/src/rfb/rfb.rs

996 lines
42 KiB
Rust
Raw Normal View History Unescape Escape

rfb: add unittests to rfb.rs Task: #5741
3 years ago
/* Copyright (C) 2020-2023 Open Information Security Foundation
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
// Author: Frank Honza <frank.honza@dcso.de>
rfb: add myself as contributor
2 years ago
// Sascha Steinbiss <sascha.steinbiss@dcso.de>
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
rfb: rustfmt rfb.rs
2 years ago
use super::parser;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
use crate::applayer;
use crate::applayer::*;
rfb: rustfmt rfb.rs
2 years ago
use crate::core::{AppProto, Flow, ALPROTO_UNKNOWN, IPPROTO_TCP};
use crate::frames::*;
rust/rfb: convert parser to nom7 functions
4 years ago
use nom7::Err;
rfb: rustfmt rfb.rs
2 years ago
use std;
use std::ffi::CString;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
#[derive(FromPrimitive, Debug, AppLayerEvent)]
pub enum RFBEvent {
UnimplementedSecurityType,
UnknownSecurityResult,
MalformedMessage,
ConfusedState,
}
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
#[derive(AppLayerFrameType)]
pub enum RFBFrameType {
Pdu,
}
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
pub struct RFBTransaction {
tx_id: u64,
pub complete: bool,
pub chosen_security_type: Option<u32>,
pub tc_server_protocol_version: Option<parser::ProtocolVersion>,
pub ts_client_protocol_version: Option<parser::ProtocolVersion>,
pub tc_supported_security_types: Option<parser::SupportedSecurityTypes>,
pub ts_security_type_selection: Option<parser::SecurityTypeSelection>,
pub tc_server_security_type: Option<parser::ServerSecurityType>,
pub tc_vnc_challenge: Option<parser::VncAuth>,
pub ts_vnc_response: Option<parser::VncAuth>,
pub ts_client_init: Option<parser::ClientInit>,
pub tc_security_result: Option<parser::SecurityResult>,
pub tc_failure_reason: Option<parser::FailureReason>,
pub tc_server_init: Option<parser::ServerInit>,
rfb: support AppLayerTxData
5 years ago
tx_data: applayer::AppLayerTxData,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
rfb: use generic tx iterator
4 years ago
impl Transaction for RFBTransaction {
fn id(&self) -> u64 {
self.tx_id
}
}
rust/clippy: fix lint: new_without_default
3 years ago
impl Default for RFBTransaction {
fn default() -> Self {
Self::new()
}
}
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
impl RFBTransaction {
rust/clippy: fix lint: new_without_default
3 years ago
pub fn new() -> Self {
Self {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
tx_id: 0,
complete: false,
chosen_security_type: None,
tc_server_protocol_version: None,
ts_client_protocol_version: None,
tc_supported_security_types: None,
ts_security_type_selection: None,
tc_server_security_type: None,
tc_vnc_challenge: None,
ts_vnc_response: None,
ts_client_init: None,
tc_security_result: None,
tc_failure_reason: None,
tc_server_init: None,
rfb: support AppLayerTxData
5 years ago
tx_data: applayer::AppLayerTxData::new(),
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
fn set_event(&mut self, event: RFBEvent) {
self.tx_data.set_event(event as u8);
}
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
pub struct RFBState {
app-layer: introduce common AppLayerStateData API Add per state structure for storing flags and other variables.
4 years ago
state_data: AppLayerStateData,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
tx_id: u64,
transactions: Vec<RFBTransaction>,
rfb: rustfmt rfb.rs
2 years ago
state: parser::RFBGlobalState,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
rfb: use generic tx iterator
4 years ago
impl State<RFBTransaction> for RFBState {
app-layer: more generic state trait Instead of a method that is required to return a slice of transactions, use 2 methods, one to return the number of transactions in the collection, and another to get a transaction by its index in the collection. This allows for the transaction collection to not be a contiguous array and instead can be a VecDeque, or possibly another collection type that supports retrieval by index. Ticket #5278
3 years ago
fn get_transaction_count(&self) -> usize {
self.transactions.len()
rfb: use generic tx iterator
4 years ago
}
app-layer: more generic state trait Instead of a method that is required to return a slice of transactions, use 2 methods, one to return the number of transactions in the collection, and another to get a transaction by its index in the collection. This allows for the transaction collection to not be a contiguous array and instead can be a VecDeque, or possibly another collection type that supports retrieval by index. Ticket #5278
3 years ago
fn get_transaction_by_index(&self, index: usize) -> Option<&RFBTransaction> {
self.transactions.get(index)
}
rfb: use generic tx iterator
4 years ago
}
rust/clippy: fix lint: new_without_default
3 years ago
impl Default for RFBState {
fn default() -> Self {
Self::new()
}
}
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
impl RFBState {
pub fn new() -> Self {
Self {
app-layer: introduce common AppLayerStateData API Add per state structure for storing flags and other variables.
4 years ago
state_data: AppLayerStateData::new(),
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
tx_id: 0,
transactions: Vec::new(),
rfb: rustfmt rfb.rs
2 years ago
state: parser::RFBGlobalState::TCServerProtocolVersion,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
// Free a transaction by ID.
fn free_tx(&mut self, tx_id: u64) {
let len = self.transactions.len();
let mut found = false;
let mut index = 0;
for i in 0..len {
let tx = &self.transactions[i];
if tx.tx_id == tx_id + 1 {
found = true;
index = i;
break;
}
}
if found {
self.transactions.remove(index);
}
}
pub fn get_tx(&mut self, tx_id: u64) -> Option<&RFBTransaction> {
rust/clippy: fix lint: manual_find These get_tx methods look like ideal candidates for generic and/or derived methods.
3 years ago
self.transactions.iter().find(|tx| tx.tx_id == tx_id + 1)
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
fn new_tx(&mut self) -> RFBTransaction {
let mut tx = RFBTransaction::new();
self.tx_id += 1;
tx.tx_id = self.tx_id;
return tx;
}
fn get_current_tx(&mut self) -> Option<&mut RFBTransaction> {
rust/clippy: fix lint: manual_find These get_tx methods look like ideal candidates for generic and/or derived methods.
3 years ago
let tx_id = self.tx_id;
self.transactions.iter_mut().find(|tx| tx.tx_id == tx_id)
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
fn parse_request(&mut self, flow: *const Flow, stream_slice: StreamSlice) -> AppLayerResult {
rfb: rustfmt rfb.rs
2 years ago
let input = stream_slice.as_slice();
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
// We're not interested in empty requests.
rust: fix clippy lints for clippy::len_zero
3 years ago
if input.is_empty() {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
return AppLayerResult::ok();
}
let mut current = input;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
let mut consumed = 0;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
SCLogDebug!("request_state {}, input_len {}", self.state, input.len());
loop {
rust: fix clippy lints for clippy::len_zero
3 years ago
if current.is_empty() {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
return AppLayerResult::ok();
}
match self.state {
parser::RFBGlobalState::TSClientProtocolVersion => {
match parser::parse_protocol_version(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
rfb: rustfmt rfb.rs
2 years ago
let _pdu = Frame::new(
flow,
&stream_slice,
current,
consumed as i64,
RFBFrameType::Pdu as u8,
);
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
if request.major == "003" && request.minor == "003" {
// in version 3.3 the server decided security type
self.state = parser::RFBGlobalState::TCServerSecurityType;
} else {
self.state = parser::RFBGlobalState::TCSupportedSecurityTypes;
}
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_client_protocol_version = Some(request);
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
debug_validate_fail!(
"no transaction set at protocol selection stage"
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: rustfmt rfb.rs
2 years ago
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
// We even failed to parse the protocol version.
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TSSecurityTypeSelection => {
match parser::parse_security_type_selection(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
rfb: rustfmt rfb.rs
2 years ago
let _pdu = Frame::new(
flow,
&stream_slice,
current,
consumed as i64,
RFBFrameType::Pdu as u8,
);
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
let chosen_security_type = request.security_type;
rfb: also set unimplemented auth types
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_security_type_selection = Some(request);
current_transaction.chosen_security_type =
Some(chosen_security_type as u32);
} else {
debug_validate_fail!("no transaction set at security type stage");
}
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
match chosen_security_type {
2 => self.state = parser::RFBGlobalState::TCVncChallenge,
1 => self.state = parser::RFBGlobalState::TSClientInit,
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
_ => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction
.set_event(RFBEvent::UnimplementedSecurityType);
}
// We have just have seen a security type we don't know about.
// This is not bad per se, it might just mean this is a
// proprietary one not in the spec.
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
}
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: rustfmt rfb.rs
2 years ago
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
// We failed to parse the security type.
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
}
rfb: rustfmt rfb.rs
2 years ago
parser::RFBGlobalState::TSVncResponse => match parser::parse_vnc_auth(current) {
Ok((rem, request)) => {
consumed += current.len() - rem.len();
let _pdu = Frame::new(
flow,
&stream_slice,
current,
consumed as i64,
RFBFrameType::Pdu as u8,
);
current = rem;
self.state = parser::RFBGlobalState::TCSecurityResult;
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_vnc_response = Some(request);
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
debug_validate_fail!("no transaction set at security result stage");
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rfb: rustfmt rfb.rs
2 years ago
Err(Err::Incomplete(_)) => {
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
rfb: rustfmt rfb.rs
2 years ago
}
},
parser::RFBGlobalState::TSClientInit => match parser::parse_client_init(current) {
Ok((rem, request)) => {
consumed += current.len() - rem.len();
let _pdu = Frame::new(
flow,
&stream_slice,
current,
consumed as i64,
RFBFrameType::Pdu as u8,
);
current = rem;
self.state = parser::RFBGlobalState::TCServerInit;
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_client_init = Some(request);
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
debug_validate_fail!("no transaction set at client init stage");
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rfb: rustfmt rfb.rs
2 years ago
Err(Err::Incomplete(_)) => {
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
// We failed to parse the client init.
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
rfb: rustfmt rfb.rs
2 years ago
}
},
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
parser::RFBGlobalState::Skip => {
// End of parseable handshake reached, skip rest of traffic
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
_ => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
// We have gotten out of sync with the expected state flow.
// This could happen since we use a global state (i.e. that
// is used for both directions), but if traffic can not be
// parsed as expected elsewhere, we might not have advanced
// a state for one direction but received data in the
// "unexpected" direction, causing the parser to end up
// here. Let's stop trying to parse the traffic but still
// accept it.
SCLogDebug!("Invalid state for request: {}", self.state);
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::ConfusedState);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
}
}
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
fn parse_response(&mut self, flow: *const Flow, stream_slice: StreamSlice) -> AppLayerResult {
let input = stream_slice.as_slice();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
// We're not interested in empty responses.
rust: fix clippy lints for clippy::len_zero
3 years ago
if input.is_empty() {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
return AppLayerResult::ok();
}
let mut current = input;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
let mut consumed = 0;
rfb: rustfmt rfb.rs
2 years ago
SCLogDebug!(
"response_state {}, response_len {}",
self.state,
input.len()
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
loop {
rust: fix clippy lints for clippy::len_zero
3 years ago
if current.is_empty() {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
return AppLayerResult::ok();
}
match self.state {
parser::RFBGlobalState::TCServerProtocolVersion => {
match parser::parse_protocol_version(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
rfb: rustfmt rfb.rs
2 years ago
let _pdu = Frame::new(
flow,
&stream_slice,
current,
consumed as i64,
RFBFrameType::Pdu as u8,
);
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
self.state = parser::RFBGlobalState::TSClientProtocolVersion;
let tx = self.new_tx();
self.transactions.push(tx);
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_server_protocol_version = Some(request);
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
debug_validate_fail!("no transaction set but we just set one");
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: rustfmt rfb.rs
2 years ago
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
// We even failed to parse the protocol version.
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TCSupportedSecurityTypes => {
match parser::parse_supported_security_types(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
rfb: rustfmt rfb.rs
2 years ago
let _pdu = Frame::new(
flow,
&stream_slice,
current,
consumed as i64,
RFBFrameType::Pdu as u8,
);
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
SCLogDebug!(
rfb: rustfmt rfb.rs
2 years ago
"supported_security_types: {}, types: {}",
request.number_of_types,
request
.types
.iter()
.map(ToString::to_string)
.map(|v| v + " ")
.collect::<String>()
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
);
self.state = parser::RFBGlobalState::TSSecurityTypeSelection;
if request.number_of_types == 0 {
self.state = parser::RFBGlobalState::TCFailureReason;
}
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_supported_security_types = Some(request);
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
debug_validate_fail!("no transaction set at security type stage");
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: rustfmt rfb.rs
2 years ago
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
}
parser::RFBGlobalState::TCServerSecurityType => {
// In RFB 3.3, the server decides the authentication type
match parser::parse_server_security_type(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
rfb: rustfmt rfb.rs
2 years ago
let _pdu = Frame::new(
flow,
&stream_slice,
current,
consumed as i64,
RFBFrameType::Pdu as u8,
);
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
let chosen_security_type = request.security_type;
SCLogDebug!("chosen_security_type: {}", chosen_security_type);
match chosen_security_type {
0 => self.state = parser::RFBGlobalState::TCFailureReason,
1 => self.state = parser::RFBGlobalState::TSClientInit,
2 => self.state = parser::RFBGlobalState::TCVncChallenge,
_ => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction
.set_event(RFBEvent::UnimplementedSecurityType);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
} else {
debug_validate_fail!(
"no transaction set at security type stage"
);
}
// We have just have seen a security type we don't know about.
// This is not bad per se, it might just mean this is a
// proprietary one not in the spec.
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_server_security_type = Some(request);
rfb: rustfmt rfb.rs
2 years ago
current_transaction.chosen_security_type =
Some(chosen_security_type);
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
debug_validate_fail!("no transaction set at security type stage");
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: rustfmt rfb.rs
2 years ago
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
}
rfb: rustfmt rfb.rs
2 years ago
parser::RFBGlobalState::TCVncChallenge => match parser::parse_vnc_auth(current) {
Ok((rem, request)) => {
consumed += current.len() - rem.len();
let _pdu = Frame::new(
flow,
&stream_slice,
current,
consumed as i64,
RFBFrameType::Pdu as u8,
);
current = rem;
self.state = parser::RFBGlobalState::TSVncResponse;
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_vnc_challenge = Some(request);
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
debug_validate_fail!("no transaction set at auth stage");
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rfb: rustfmt rfb.rs
2 years ago
Err(Err::Incomplete(_)) => {
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
rfb: rustfmt rfb.rs
2 years ago
}
},
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
parser::RFBGlobalState::TCSecurityResult => {
match parser::parse_security_result(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
rfb: rustfmt rfb.rs
2 years ago
let _pdu = Frame::new(
flow,
&stream_slice,
current,
consumed as i64,
RFBFrameType::Pdu as u8,
);
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
if request.status == 0 {
self.state = parser::RFBGlobalState::TSClientInit;
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_security_result = Some(request);
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
debug_validate_fail!(
"no transaction set at security result stage"
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
} else if request.status == 1 {
self.state = parser::RFBGlobalState::TCFailureReason;
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::UnknownSecurityResult);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: rustfmt rfb.rs
2 years ago
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
}
parser::RFBGlobalState::TCFailureReason => {
match parser::parse_failure_reason(current) {
Ok((_rem, request)) => {
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_failure_reason = Some(request);
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
debug_validate_fail!("no transaction set at failure reason stage");
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: rustfmt rfb.rs
2 years ago
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
}
parser::RFBGlobalState::TCServerInit => {
match parser::parse_server_init(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
rfb: rustfmt rfb.rs
2 years ago
let _pdu = Frame::new(
flow,
&stream_slice,
current,
consumed as i64,
RFBFrameType::Pdu as u8,
);
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
self.state = parser::RFBGlobalState::Skip;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_server_init = Some(request);
// connection initialization is complete and parsed
current_transaction.complete = true;
} else {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
debug_validate_fail!("no transaction set at server init stage");
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: rustfmt rfb.rs
2 years ago
return AppLayerResult::incomplete(
consumed as u32,
(current.len() + 1) as u32,
);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
}
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
parser::RFBGlobalState::Skip => {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
//todo implement RFB messages, for now we stop here
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
_ => {
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
// We have gotten out of sync with the expected state flow.
// This could happen since we use a global state (i.e. that
// is used for both directions), but if traffic can not be
// parsed as expected elsewhere, we might not have advanced
// a state for one direction but received data in the
// "unexpected" direction, causing the parser to end up
// here. Let's stop trying to parse the traffic but still
// accept it.
SCLogDebug!("Invalid state for response: {}", self.state);
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::ConfusedState);
rfb: ensure logging of incompletely parsed txs
2 years ago
current_transaction.complete = true;
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
}
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
}
}
}
// C exports.
#[no_mangle]
rfb: rustfmt rfb.rs
2 years ago
pub extern "C" fn rs_rfb_state_new(
_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto,
) -> *mut std::os::raw::c_void {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
let state = RFBState::new();
let boxed = Box::new(state);
rust: remove all usage of transmute All cases of our transmute can be replaced with more idiomatic solutions and do no require the power of transmute. When returning an object to C for life-time management, use Box::into_raw to convert the boxed object to pointer and use Box::from_raw to convert back. For cases where we're just returning a pointer to Rust managed data, use a cast.
4 years ago
return Box::into_raw(boxed) as *mut _;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
#[no_mangle]
pub extern "C" fn rs_rfb_state_free(state: *mut std::os::raw::c_void) {
// Just unbox...
rust: remove all usage of transmute All cases of our transmute can be replaced with more idiomatic solutions and do no require the power of transmute. When returning an object to C for life-time management, use Box::into_raw to convert the boxed object to pointer and use Box::from_raw to convert back. For cases where we're just returning a pointer to Rust managed data, use a cast.
4 years ago
std::mem::drop(unsafe { Box::from_raw(state as *mut RFBState) });
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
#[no_mangle]
rfb: rustfmt rfb.rs
2 years ago
pub unsafe extern "C" fn rs_rfb_state_tx_free(state: *mut std::os::raw::c_void, tx_id: u64) {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
let state = cast_pointer!(state, RFBState);
state.free_tx(tx_id);
}
#[no_mangle]
rust: functions that reference raw pointers are unsafe Based on the Rust clippy lint that recommends that any public function that dereferences a raw pointer, mark all FFI functions that reference raw pointers with build_slice and cast_pointer as unsafe. This commits starts by removing the unsafe wrapper inside the build_slice and cast_pointer macros then marks all functions that use these macros as unsafe. Then fix all not_unsafe_ptr_arg_deref warnings from clippy. Fixes clippy lint: https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref
4 years ago
pub unsafe extern "C" fn rs_rfb_parse_request(
rfb: rustfmt rfb.rs
2 years ago
flow: *const Flow, state: *mut std::os::raw::c_void, _pstate: *mut std::os::raw::c_void,
stream_slice: StreamSlice, _data: *const std::os::raw::c_void,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
) -> AppLayerResult {
let state = cast_pointer!(state, RFBState);
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
return state.parse_request(flow, stream_slice);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
#[no_mangle]
rust: functions that reference raw pointers are unsafe Based on the Rust clippy lint that recommends that any public function that dereferences a raw pointer, mark all FFI functions that reference raw pointers with build_slice and cast_pointer as unsafe. This commits starts by removing the unsafe wrapper inside the build_slice and cast_pointer macros then marks all functions that use these macros as unsafe. Then fix all not_unsafe_ptr_arg_deref warnings from clippy. Fixes clippy lint: https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref
4 years ago
pub unsafe extern "C" fn rs_rfb_parse_response(
rfb: rustfmt rfb.rs
2 years ago
flow: *const Flow, state: *mut std::os::raw::c_void, _pstate: *mut std::os::raw::c_void,
stream_slice: StreamSlice, _data: *const std::os::raw::c_void,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
) -> AppLayerResult {
let state = cast_pointer!(state, RFBState);
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
return state.parse_response(flow, stream_slice);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
#[no_mangle]
rust: functions that reference raw pointers are unsafe Based on the Rust clippy lint that recommends that any public function that dereferences a raw pointer, mark all FFI functions that reference raw pointers with build_slice and cast_pointer as unsafe. This commits starts by removing the unsafe wrapper inside the build_slice and cast_pointer macros then marks all functions that use these macros as unsafe. Then fix all not_unsafe_ptr_arg_deref warnings from clippy. Fixes clippy lint: https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref
4 years ago
pub unsafe extern "C" fn rs_rfb_state_get_tx(
rfb: rustfmt rfb.rs
2 years ago
state: *mut std::os::raw::c_void, tx_id: u64,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
) -> *mut std::os::raw::c_void {
let state = cast_pointer!(state, RFBState);
match state.get_tx(tx_id) {
Some(tx) => {
rust: remove all usage of transmute All cases of our transmute can be replaced with more idiomatic solutions and do no require the power of transmute. When returning an object to C for life-time management, use Box::into_raw to convert the boxed object to pointer and use Box::from_raw to convert back. For cases where we're just returning a pointer to Rust managed data, use a cast.
4 years ago
return tx as *const _ as *mut _;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
None => {
return std::ptr::null_mut();
}
}
}
#[no_mangle]
rfb: rustfmt rfb.rs
2 years ago
pub unsafe extern "C" fn rs_rfb_state_get_tx_count(state: *mut std::os::raw::c_void) -> u64 {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
let state = cast_pointer!(state, RFBState);
return state.tx_id;
}
#[no_mangle]
rust: functions that reference raw pointers are unsafe Based on the Rust clippy lint that recommends that any public function that dereferences a raw pointer, mark all FFI functions that reference raw pointers with build_slice and cast_pointer as unsafe. This commits starts by removing the unsafe wrapper inside the build_slice and cast_pointer macros then marks all functions that use these macros as unsafe. Then fix all not_unsafe_ptr_arg_deref warnings from clippy. Fixes clippy lint: https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref
4 years ago
pub unsafe extern "C" fn rs_rfb_tx_get_alstate_progress(
rfb: rustfmt rfb.rs
2 years ago
tx: *mut std::os::raw::c_void, _direction: u8,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
) -> std::os::raw::c_int {
let tx = cast_pointer!(tx, RFBTransaction);
if tx.complete {
return 1;
}
return 0;
}
// Parser name as a C style string.
rust: fix clippy lints for clippy::redundant_static_lifetimes
3 years ago
const PARSER_NAME: &[u8] = b"rfb\0";
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
rfb: support AppLayerTxData
5 years ago
export_tx_data_get!(rs_rfb_get_tx_data, RFBTransaction);
app-layer: introduce common AppLayerStateData API Add per state structure for storing flags and other variables.
4 years ago
export_state_data_get!(rs_rfb_get_state_data, RFBState);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
#[no_mangle]
pub unsafe extern "C" fn rs_rfb_register_parser() {
let parser = RustParser {
name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
rfb: remove futile default port setting
4 years ago
default_port: std::ptr::null(),
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
ipproto: IPPROTO_TCP,
probe_ts: None,
probe_tc: None,
min_depth: 0,
max_depth: 16,
state_new: rs_rfb_state_new,
state_free: rs_rfb_state_free,
tx_free: rs_rfb_state_tx_free,
parse_ts: rs_rfb_parse_request,
parse_tc: rs_rfb_parse_response,
get_tx_count: rs_rfb_state_get_tx_count,
get_tx: rs_rfb_state_get_tx,
app-layer: remove callback for completion status Since the completion status was a constant for all parsers, remove the callback logic and instead register the values themselves. This should avoid a lot of unnecessary callback calls. Update all parsers to take advantage of this.
5 years ago
tx_comp_st_ts: 1,
tx_comp_st_tc: 1,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
tx_get_progress: rs_rfb_tx_get_alstate_progress,
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
get_eventinfo: Some(RFBEvent::get_event_info),
get_eventinfo_byid: Some(RFBEvent::get_event_info_by_id),
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
localstorage_new: None,
localstorage_free: None,
app-layer: move files into transactions Update APIs to store files in transactions instead of the per flow state. Goal is to avoid the overhead of matching up files and transactions in cases where there are many of both. Update all protocol implementations to support this. Update file logging logic to account for having files in transactions. Instead of it acting separately on file containers, it is now tied into the transaction logging. Update the filestore keyword to consider a match if filestore output not enabled.
4 years ago
get_tx_files: None,
rfb: use generic tx iterator
4 years ago
get_tx_iterator: Some(applayer::state_get_tx_iterator::<RFBState, RFBTransaction>),
app-layer/rust: don't use option for GetTxDataFn anymore
5 years ago
get_tx_data: rs_rfb_get_tx_data,
app-layer: introduce common AppLayerStateData API Add per state structure for storing flags and other variables.
4 years ago
get_state_data: rs_rfb_get_state_data,
app-layer: add ApplyTxConfig API Optional callback a parser can register for applying configuration to the 'transaction'. Most parsers have a bidirectional tx. For those parsers that have different types of transaction handling, this new callback can be used to properly apply the config.
5 years ago
apply_tx_config: None,
applayer: add flags to parser registration struct This will allow Rust parsers to register for gap handing from Rust (some Rust parsers do handle gaps, but they set the flag from C).
5 years ago
flags: 0,
applayer/rust: expose truncate callback
5 years ago
truncate: None,
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
get_frame_id_by_name: Some(RFBFrameType::ffi_id_from_name),
get_frame_name_by_id: Some(RFBFrameType::ffi_name_from_id),
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
};
let ip_proto_str = CString::new("tcp").unwrap();
rfb: rustfmt rfb.rs
2 years ago
if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
ALPROTO_RFB = alproto;
rfb: rustfmt rfb.rs
2 years ago
if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
let _ = AppLayerRegisterParser(&parser, alproto);
}
SCLogDebug!("Rust rfb parser registered.");
} else {
SCLogDebug!("Protocol detector and parser disabled for RFB.");
}
}
rfb: add unittests to rfb.rs Task: #5741
3 years ago
#[cfg(test)]
mod test {
use super::*;
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
use crate::core::STREAM_START;
rfb: add unittests to rfb.rs Task: #5741
3 years ago
#[test]
fn test_error_state() {
let mut state = RFBState::new();
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
let buf: &[u8] = &[
rfb: add unittests to rfb.rs Task: #5741
3 years ago
0x05, 0x00, 0x03, 0x20, 0x20, 0x18, 0x00, 0x01, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff,
0x10, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x61, 0x6e, 0x65, 0x61,
0x67, 0x6c, 0x65, 0x73, 0x40, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74,
0x2e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
];
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
let r = state.parse_response(
rfb: add rfb frames, update tests Adds a PDU frame to the RFB parser. Update function signature in tests to reflect frames Ticket: 5717
2 years ago
std::ptr::null(),
StreamSlice::from_slice(buf, STREAM_START, 0),
);
rfb: add unittests to rfb.rs Task: #5741
3 years ago
assert_eq!(
r,
AppLayerResult {
status: -1,
consumed: 0,
needed: 0
}
);
}
// Test the state machine for RFB protocol
// Passes an initial buffer with initial RFBState = TCServerProtocolVersion
// Tests various client and server RFBStates as the buffer is parsed using parse_request and parse_response functions
#[test]
fn test_rfb_state_machine() {
let mut init_state = RFBState::new();
let buf: &[u8] = &[
0x52, 0x46, 0x42, 0x20, 0x30, 0x30, 0x33, 0x2e, 0x30, 0x30, 0x38, 0x0a,
0x01, /* Number of security types: 1 */
0x02, /* Security type: VNC (2) */
0x02, /* Security type selected: VNC (2) */
0x54, 0x7b, 0x7a, 0x6f, 0x36, 0xa1, 0x54, 0xdb, 0x03, 0xa2, 0x57, 0x5c, 0x6f, 0x2a,
0x4e,
0xc5, /* 16 byte Authentication challenge: 547b7a6f36a154db03a2575c6f2a4ec5 */
0x00, 0x00, 0x00, 0x00, /* Authentication result: OK */
0x00, /* Share desktop flag: False */
0x05, 0x00, 0x03, 0x20, 0x20, 0x18, 0x00, 0x01, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff,
0x10, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x61, 0x6e, 0x65, 0x61,
0x67, 0x6c, 0x65, 0x73, 0x40, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74,
0x2e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x64, 0x6f, 0x6d, 0x61, 0x69,
0x6e, /* Server framebuffer parameters */
];
//The buffer values correspond to Server Protocol version: 003.008
// Same buffer is used for both functions due to similar values in request and response
rfb: rustfmt rfb.rs
2 years ago
init_state.parse_response(
std::ptr::null(),
StreamSlice::from_slice(&buf[0..12], STREAM_START, 0),
);
rfb: add unittests to rfb.rs Task: #5741
3 years ago
let mut ok_state = parser::RFBGlobalState::TSClientProtocolVersion;
assert_eq!(init_state.state, ok_state);
//The buffer values correspond to Client Protocol version: 003.008
rfb: rustfmt rfb.rs
2 years ago
init_state.parse_request(
std::ptr::null(),
StreamSlice::from_slice(&buf[0..12], STREAM_START, 0),
);
rfb: add unittests to rfb.rs Task: #5741
3 years ago
ok_state = parser::RFBGlobalState::TCSupportedSecurityTypes;
assert_eq!(init_state.state, ok_state);
rfb: rustfmt rfb.rs
2 years ago
init_state.parse_response(
std::ptr::null(),
StreamSlice::from_slice(&buf[12..14], STREAM_START, 0),
);
rfb: add unittests to rfb.rs Task: #5741
3 years ago
ok_state = parser::RFBGlobalState::TSSecurityTypeSelection;
assert_eq!(init_state.state, ok_state);
rfb: rustfmt rfb.rs
2 years ago
init_state.parse_request(
std::ptr::null(),
StreamSlice::from_slice(&buf[14..15], STREAM_START, 0),
);
rfb: add unittests to rfb.rs Task: #5741
3 years ago
ok_state = parser::RFBGlobalState::TCVncChallenge;
assert_eq!(init_state.state, ok_state);
//The buffer values correspond to Server Authentication challenge: 547b7a6f36a154db03a2575c6f2a4ec5
// Same buffer is used for both functions due to similar values in request and response
rfb: rustfmt rfb.rs
2 years ago
init_state.parse_response(
std::ptr::null(),
StreamSlice::from_slice(&buf[15..31], STREAM_START, 0),
);
rfb: add unittests to rfb.rs Task: #5741
3 years ago
ok_state = parser::RFBGlobalState::TSVncResponse;
assert_eq!(init_state.state, ok_state);
//The buffer values correspond to Client Authentication response: 547b7a6f36a154db03a2575c6f2a4ec5
rfb: rustfmt rfb.rs
2 years ago
init_state.parse_request(
std::ptr::null(),
StreamSlice::from_slice(&buf[15..31], STREAM_START, 0),
);
rfb: add unittests to rfb.rs Task: #5741
3 years ago
ok_state = parser::RFBGlobalState::TCSecurityResult;
assert_eq!(init_state.state, ok_state);
rfb: rustfmt rfb.rs
2 years ago
init_state.parse_response(
std::ptr::null(),
StreamSlice::from_slice(&buf[31..35], STREAM_START, 0),
);
rfb: add unittests to rfb.rs Task: #5741
3 years ago
ok_state = parser::RFBGlobalState::TSClientInit;
assert_eq!(init_state.state, ok_state);
rfb: rustfmt rfb.rs
2 years ago
init_state.parse_request(
std::ptr::null(),
StreamSlice::from_slice(&buf[35..36], STREAM_START, 0),
);
rfb: add unittests to rfb.rs Task: #5741
3 years ago
ok_state = parser::RFBGlobalState::TCServerInit;
assert_eq!(init_state.state, ok_state);
rfb: rustfmt rfb.rs
2 years ago
init_state.parse_response(
std::ptr::null(),
StreamSlice::from_slice(&buf[36..90], STREAM_START, 0),
);
rfb: never return error on unknown traffic We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine #5912. Bug: #5912.
2 years ago
ok_state = parser::RFBGlobalState::Skip;
rfb: add unittests to rfb.rs Task: #5741
3 years ago
assert_eq!(init_state.state, ok_state);
}
}