aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '96b642c32d'
${ noResults }
suricata/rust/src/rfb/rfb.rs

629 lines
24 KiB
Rust
Raw Normal View History Unescape Escape

add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
/* Copyright (C) 2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
// Author: Frank Honza <frank.honza@dcso.de>
use std;
use std::ffi::CString;
app-layer: include decoder events in app-layer tx data As most parsers use an events structure we can include it in the tx_data structure to reduce some boilerplate/housekeeping code in app-layer parsers.
4 years ago
use crate::core::{ALPROTO_UNKNOWN, AppProto, Flow, IPPROTO_TCP};
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
use crate::applayer;
use crate::applayer::*;
rust/rfb: convert parser to nom7 functions
4 years ago
use nom7::Err;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
use super::parser;
static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN;
pub struct RFBTransaction {
tx_id: u64,
pub complete: bool,
pub chosen_security_type: Option<u32>,
pub tc_server_protocol_version: Option<parser::ProtocolVersion>,
pub ts_client_protocol_version: Option<parser::ProtocolVersion>,
pub tc_supported_security_types: Option<parser::SupportedSecurityTypes>,
pub ts_security_type_selection: Option<parser::SecurityTypeSelection>,
pub tc_server_security_type: Option<parser::ServerSecurityType>,
pub tc_vnc_challenge: Option<parser::VncAuth>,
pub ts_vnc_response: Option<parser::VncAuth>,
pub ts_client_init: Option<parser::ClientInit>,
pub tc_security_result: Option<parser::SecurityResult>,
pub tc_failure_reason: Option<parser::FailureReason>,
pub tc_server_init: Option<parser::ServerInit>,
rfb: support AppLayerTxData
5 years ago
tx_data: applayer::AppLayerTxData,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
rfb: use generic tx iterator
4 years ago
impl Transaction for RFBTransaction {
fn id(&self) -> u64 {
self.tx_id
}
}
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
impl RFBTransaction {
pub fn new() -> RFBTransaction {
RFBTransaction {
tx_id: 0,
complete: false,
chosen_security_type: None,
tc_server_protocol_version: None,
ts_client_protocol_version: None,
tc_supported_security_types: None,
ts_security_type_selection: None,
tc_server_security_type: None,
tc_vnc_challenge: None,
ts_vnc_response: None,
ts_client_init: None,
tc_security_result: None,
tc_failure_reason: None,
tc_server_init: None,
rfb: support AppLayerTxData
5 years ago
tx_data: applayer::AppLayerTxData::new(),
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
}
pub struct RFBState {
tx_id: u64,
transactions: Vec<RFBTransaction>,
state: parser::RFBGlobalState
}
rfb: use generic tx iterator
4 years ago
impl State<RFBTransaction> for RFBState {
app-layer: more generic state trait Instead of a method that is required to return a slice of transactions, use 2 methods, one to return the number of transactions in the collection, and another to get a transaction by its index in the collection. This allows for the transaction collection to not be a contiguous array and instead can be a VecDeque, or possibly another collection type that supports retrieval by index. Ticket #5278
3 years ago
fn get_transaction_count(&self) -> usize {
self.transactions.len()
rfb: use generic tx iterator
4 years ago
}
app-layer: more generic state trait Instead of a method that is required to return a slice of transactions, use 2 methods, one to return the number of transactions in the collection, and another to get a transaction by its index in the collection. This allows for the transaction collection to not be a contiguous array and instead can be a VecDeque, or possibly another collection type that supports retrieval by index. Ticket #5278
3 years ago
fn get_transaction_by_index(&self, index: usize) -> Option<&RFBTransaction> {
self.transactions.get(index)
}
rfb: use generic tx iterator
4 years ago
}
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
impl RFBState {
pub fn new() -> Self {
Self {
tx_id: 0,
transactions: Vec::new(),
state: parser::RFBGlobalState::TCServerProtocolVersion
}
}
// Free a transaction by ID.
fn free_tx(&mut self, tx_id: u64) {
let len = self.transactions.len();
let mut found = false;
let mut index = 0;
for i in 0..len {
let tx = &self.transactions[i];
if tx.tx_id == tx_id + 1 {
found = true;
index = i;
break;
}
}
if found {
self.transactions.remove(index);
}
}
pub fn get_tx(&mut self, tx_id: u64) -> Option<&RFBTransaction> {
for tx in &mut self.transactions {
if tx.tx_id == tx_id + 1 {
return Some(tx);
}
}
return None;
}
fn new_tx(&mut self) -> RFBTransaction {
let mut tx = RFBTransaction::new();
self.tx_id += 1;
tx.tx_id = self.tx_id;
return tx;
}
fn get_current_tx(&mut self) -> Option<&mut RFBTransaction> {
for tx in &mut self.transactions {
if tx.tx_id == self.tx_id {
return Some(tx);
}
}
return None;
}
fn parse_request(&mut self, input: &[u8]) -> AppLayerResult {
// We're not interested in empty requests.
if input.len() == 0 {
return AppLayerResult::ok();
}
let mut current = input;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
let mut consumed = 0;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
SCLogDebug!("request_state {}, input_len {}", self.state, input.len());
loop {
if current.len() == 0 {
return AppLayerResult::ok();
}
match self.state {
parser::RFBGlobalState::TSClientProtocolVersion => {
match parser::parse_protocol_version(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
if request.major == "003" && request.minor == "003" {
// in version 3.3 the server decided security type
self.state = parser::RFBGlobalState::TCServerSecurityType;
} else {
self.state = parser::RFBGlobalState::TCSupportedSecurityTypes;
}
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_client_protocol_version = Some(request);
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TSSecurityTypeSelection => {
match parser::parse_security_type_selection(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
let chosen_security_type = request.security_type;
match chosen_security_type {
2 => self.state = parser::RFBGlobalState::TCVncChallenge,
1 => self.state = parser::RFBGlobalState::TSClientInit,
_ => return AppLayerResult::err(),
}
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_security_type_selection = Some(request);
current_transaction.chosen_security_type = Some(chosen_security_type as u32);
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TSVncResponse => {
match parser::parse_vnc_auth(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
self.state = parser::RFBGlobalState::TCSecurityResult;
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_vnc_response = Some(request);
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TSClientInit => {
match parser::parse_client_init(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
self.state = parser::RFBGlobalState::TCServerInit;
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_client_init = Some(request);
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::Message => {
//todo implement RFB messages, for now we stop here
return AppLayerResult::err();
}
parser::RFBGlobalState::TCServerProtocolVersion => {
SCLogDebug!("Reversed traffic, expected response.");
return AppLayerResult::err();
}
_ => {
SCLogDebug!("Invalid state for request {}", self.state);
current = b"";
}
}
}
}
fn parse_response(&mut self, input: &[u8]) -> AppLayerResult {
// We're not interested in empty responses.
if input.len() == 0 {
return AppLayerResult::ok();
}
let mut current = input;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
let mut consumed = 0;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
SCLogDebug!("response_state {}, response_len {}", self.state, input.len());
loop {
if current.len() == 0 {
return AppLayerResult::ok();
}
match self.state {
parser::RFBGlobalState::TCServerProtocolVersion => {
match parser::parse_protocol_version(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
self.state = parser::RFBGlobalState::TSClientProtocolVersion;
let tx = self.new_tx();
self.transactions.push(tx);
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_server_protocol_version = Some(request);
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TCSupportedSecurityTypes => {
match parser::parse_supported_security_types(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
SCLogDebug!(
"supported_security_types: {}, types: {}", request.number_of_types,
request.types.iter().map(ToString::to_string).map(|v| v + " ").collect::<String>()
);
self.state = parser::RFBGlobalState::TSSecurityTypeSelection;
if request.number_of_types == 0 {
self.state = parser::RFBGlobalState::TCFailureReason;
}
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_supported_security_types = Some(request);
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TCServerSecurityType => {
// In RFB 3.3, the server decides the authentication type
match parser::parse_server_security_type(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
let chosen_security_type = request.security_type;
SCLogDebug!("chosen_security_type: {}", chosen_security_type);
match chosen_security_type {
0 => self.state = parser::RFBGlobalState::TCFailureReason,
1 => self.state = parser::RFBGlobalState::TSClientInit,
2 => self.state = parser::RFBGlobalState::TCVncChallenge,
_ => {
// TODO Event unknown security type
return AppLayerResult::err();
}
}
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_server_security_type = Some(request);
current_transaction.chosen_security_type = Some(chosen_security_type);
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TCVncChallenge => {
match parser::parse_vnc_auth(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
self.state = parser::RFBGlobalState::TSVncResponse;
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_vnc_challenge = Some(request);
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TCSecurityResult => {
match parser::parse_security_result(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
if request.status == 0 {
self.state = parser::RFBGlobalState::TSClientInit;
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_security_result = Some(request);
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
} else if request.status == 1 {
self.state = parser::RFBGlobalState::TCFailureReason;
} else {
// TODO: Event: unknown security result value
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TCFailureReason => {
match parser::parse_failure_reason(current) {
Ok((_rem, request)) => {
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_failure_reason = Some(request);
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
return AppLayerResult::err();
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::TCServerInit => {
match parser::parse_server_init(current) {
Ok((rem, request)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
consumed += current.len() - rem.len();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
current = rem;
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
self.state = parser::RFBGlobalState::Message;
rfb: use more idiomatic Rust code Using 'if let Some()...' makes the code in these many checks more concise and readable.
5 years ago
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_server_init = Some(request);
// connection initialization is complete and parsed
current_transaction.complete = true;
} else {
return AppLayerResult::err();
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
}
rust/rfb: convert parser to nom7 functions
4 years ago
Err(Err::Incomplete(_)) => {
rfb: Update incomplete handling in parser. This commit adds an updated incomplete handling for the RFB-Parser. If incomplete data is processed, the successfully consumed position and length of remainder + 1 is returned. If the next packet is not empty suricata will call the parser again. This commit is a result of discussion on https://github.com/OISF/suricata/pull/4792.
5 years ago
return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
Err(_) => {
return AppLayerResult::err();
}
}
}
parser::RFBGlobalState::Message => {
//todo implement RFB messages, for now we stop here
return AppLayerResult::err();
}
_ => {
SCLogDebug!("Invalid state for response");
return AppLayerResult::err();
}
}
}
}
}
// C exports.
#[no_mangle]
applayer: pass parameter to StateAlloc This parameter is NULL or the pointer to the previous state for the previous protocol in the case of a protocol change, for instance from HTTP1 to HTTP2 This way, the new protocol can use the old protocol context. For instance, HTTP2 mimicks the HTTP1 request, to have a HTTP2 transaction with both request and response
5 years ago
pub extern "C" fn rs_rfb_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto) -> *mut std::os::raw::c_void {
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
let state = RFBState::new();
let boxed = Box::new(state);
rust: remove all usage of transmute All cases of our transmute can be replaced with more idiomatic solutions and do no require the power of transmute. When returning an object to C for life-time management, use Box::into_raw to convert the boxed object to pointer and use Box::from_raw to convert back. For cases where we're just returning a pointer to Rust managed data, use a cast.
4 years ago
return Box::into_raw(boxed) as *mut _;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
#[no_mangle]
pub extern "C" fn rs_rfb_state_free(state: *mut std::os::raw::c_void) {
// Just unbox...
rust: remove all usage of transmute All cases of our transmute can be replaced with more idiomatic solutions and do no require the power of transmute. When returning an object to C for life-time management, use Box::into_raw to convert the boxed object to pointer and use Box::from_raw to convert back. For cases where we're just returning a pointer to Rust managed data, use a cast.
4 years ago
std::mem::drop(unsafe { Box::from_raw(state as *mut RFBState) });
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
#[no_mangle]
rust: functions that reference raw pointers are unsafe Based on the Rust clippy lint that recommends that any public function that dereferences a raw pointer, mark all FFI functions that reference raw pointers with build_slice and cast_pointer as unsafe. This commits starts by removing the unsafe wrapper inside the build_slice and cast_pointer macros then marks all functions that use these macros as unsafe. Then fix all not_unsafe_ptr_arg_deref warnings from clippy. Fixes clippy lint: https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref
4 years ago
pub unsafe extern "C" fn rs_rfb_state_tx_free(
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
state: *mut std::os::raw::c_void,
tx_id: u64,
) {
let state = cast_pointer!(state, RFBState);
state.free_tx(tx_id);
}
#[no_mangle]
rust: functions that reference raw pointers are unsafe Based on the Rust clippy lint that recommends that any public function that dereferences a raw pointer, mark all FFI functions that reference raw pointers with build_slice and cast_pointer as unsafe. This commits starts by removing the unsafe wrapper inside the build_slice and cast_pointer macros then marks all functions that use these macros as unsafe. Then fix all not_unsafe_ptr_arg_deref warnings from clippy. Fixes clippy lint: https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref
4 years ago
pub unsafe extern "C" fn rs_rfb_parse_request(
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
_flow: *const Flow,
state: *mut std::os::raw::c_void,
_pstate: *mut std::os::raw::c_void,
app-layer: use StreamSlice as input to parsers Remove input, input_len and flags in favor of stream slice.
4 years ago
stream_slice: StreamSlice,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
_data: *const std::os::raw::c_void,
) -> AppLayerResult {
let state = cast_pointer!(state, RFBState);
app-layer: use StreamSlice as input to parsers Remove input, input_len and flags in favor of stream slice.
4 years ago
return state.parse_request(stream_slice.as_slice());
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
#[no_mangle]
rust: functions that reference raw pointers are unsafe Based on the Rust clippy lint that recommends that any public function that dereferences a raw pointer, mark all FFI functions that reference raw pointers with build_slice and cast_pointer as unsafe. This commits starts by removing the unsafe wrapper inside the build_slice and cast_pointer macros then marks all functions that use these macros as unsafe. Then fix all not_unsafe_ptr_arg_deref warnings from clippy. Fixes clippy lint: https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref
4 years ago
pub unsafe extern "C" fn rs_rfb_parse_response(
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
_flow: *const Flow,
state: *mut std::os::raw::c_void,
_pstate: *mut std::os::raw::c_void,
app-layer: use StreamSlice as input to parsers Remove input, input_len and flags in favor of stream slice.
4 years ago
stream_slice: StreamSlice,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
_data: *const std::os::raw::c_void,
) -> AppLayerResult {
let state = cast_pointer!(state, RFBState);
app-layer: use StreamSlice as input to parsers Remove input, input_len and flags in favor of stream slice.
4 years ago
return state.parse_response(stream_slice.as_slice());
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
#[no_mangle]
rust: functions that reference raw pointers are unsafe Based on the Rust clippy lint that recommends that any public function that dereferences a raw pointer, mark all FFI functions that reference raw pointers with build_slice and cast_pointer as unsafe. This commits starts by removing the unsafe wrapper inside the build_slice and cast_pointer macros then marks all functions that use these macros as unsafe. Then fix all not_unsafe_ptr_arg_deref warnings from clippy. Fixes clippy lint: https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref
4 years ago
pub unsafe extern "C" fn rs_rfb_state_get_tx(
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
state: *mut std::os::raw::c_void,
tx_id: u64,
) -> *mut std::os::raw::c_void {
let state = cast_pointer!(state, RFBState);
match state.get_tx(tx_id) {
Some(tx) => {
rust: remove all usage of transmute All cases of our transmute can be replaced with more idiomatic solutions and do no require the power of transmute. When returning an object to C for life-time management, use Box::into_raw to convert the boxed object to pointer and use Box::from_raw to convert back. For cases where we're just returning a pointer to Rust managed data, use a cast.
4 years ago
return tx as *const _ as *mut _;
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
}
None => {
return std::ptr::null_mut();
}
}
}
#[no_mangle]
rust: functions that reference raw pointers are unsafe Based on the Rust clippy lint that recommends that any public function that dereferences a raw pointer, mark all FFI functions that reference raw pointers with build_slice and cast_pointer as unsafe. This commits starts by removing the unsafe wrapper inside the build_slice and cast_pointer macros then marks all functions that use these macros as unsafe. Then fix all not_unsafe_ptr_arg_deref warnings from clippy. Fixes clippy lint: https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref
4 years ago
pub unsafe extern "C" fn rs_rfb_state_get_tx_count(
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
state: *mut std::os::raw::c_void,
) -> u64 {
let state = cast_pointer!(state, RFBState);
return state.tx_id;
}
#[no_mangle]
rust: functions that reference raw pointers are unsafe Based on the Rust clippy lint that recommends that any public function that dereferences a raw pointer, mark all FFI functions that reference raw pointers with build_slice and cast_pointer as unsafe. This commits starts by removing the unsafe wrapper inside the build_slice and cast_pointer macros then marks all functions that use these macros as unsafe. Then fix all not_unsafe_ptr_arg_deref warnings from clippy. Fixes clippy lint: https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref
4 years ago
pub unsafe extern "C" fn rs_rfb_tx_get_alstate_progress(
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
tx: *mut std::os::raw::c_void,
_direction: u8,
) -> std::os::raw::c_int {
let tx = cast_pointer!(tx, RFBTransaction);
if tx.complete {
return 1;
}
return 0;
}
// Parser name as a C style string.
const PARSER_NAME: &'static [u8] = b"rfb\0";
rfb: support AppLayerTxData
5 years ago
export_tx_data_get!(rs_rfb_get_tx_data, RFBTransaction);
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
#[no_mangle]
pub unsafe extern "C" fn rs_rfb_register_parser() {
let parser = RustParser {
name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
rfb: remove futile default port setting
4 years ago
default_port: std::ptr::null(),
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
ipproto: IPPROTO_TCP,
probe_ts: None,
probe_tc: None,
min_depth: 0,
max_depth: 16,
state_new: rs_rfb_state_new,
state_free: rs_rfb_state_free,
tx_free: rs_rfb_state_tx_free,
parse_ts: rs_rfb_parse_request,
parse_tc: rs_rfb_parse_response,
get_tx_count: rs_rfb_state_get_tx_count,
get_tx: rs_rfb_state_get_tx,
app-layer: remove callback for completion status Since the completion status was a constant for all parsers, remove the callback logic and instead register the values themselves. This should avoid a lot of unnecessary callback calls. Update all parsers to take advantage of this.
5 years ago
tx_comp_st_ts: 1,
tx_comp_st_tc: 1,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
tx_get_progress: rs_rfb_tx_get_alstate_progress,
rfb: register None for get_event_info/get_event_info_by_id Implementations are not required if they're just going to return -1. We allow None to be registered for that.
5 years ago
get_eventinfo: None,
get_eventinfo_byid: None,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
localstorage_new: None,
localstorage_free: None,
get_files: None,
rfb: use generic tx iterator
4 years ago
get_tx_iterator: Some(applayer::state_get_tx_iterator::<RFBState, RFBTransaction>),
app-layer/rust: don't use option for GetTxDataFn anymore
5 years ago
get_tx_data: rs_rfb_get_tx_data,
app-layer: add ApplyTxConfig API Optional callback a parser can register for applying configuration to the 'transaction'. Most parsers have a bidirectional tx. For those parsers that have different types of transaction handling, this new callback can be used to properly apply the config.
5 years ago
apply_tx_config: None,
applayer: add flags to parser registration struct This will allow Rust parsers to register for gap handing from Rust (some Rust parsers do handle gaps, but they set the flag from C).
5 years ago
flags: 0,
applayer/rust: expose truncate callback
5 years ago
truncate: None,
app/frames: implement name to id API for frames
4 years ago
get_frame_id_by_name: None,
get_frame_name_by_id: None,
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation.
6 years ago
};
let ip_proto_str = CString::new("tcp").unwrap();
if AppLayerProtoDetectConfProtoDetectionEnabled(
ip_proto_str.as_ptr(),
parser.name,
) != 0
{
let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
ALPROTO_RFB = alproto;
if AppLayerParserConfParserEnabled(
ip_proto_str.as_ptr(),
parser.name,
) != 0
{
let _ = AppLayerRegisterParser(&parser, alproto);
}
SCLogDebug!("Rust rfb parser registered.");
} else {
SCLogDebug!("Protocol detector and parser disabled for RFB.");
}
}