|
|
|
/* Copyright (C) 2007-2017 Open Information Security Foundation
|
|
|
|
*
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
* Software Foundation.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
|
|
* 02110-1301, USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* \file
|
|
|
|
*
|
|
|
|
* \author Victor Julien <victor@inliniac.net>
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "detect-smb-ntlmssp.h"
|
|
|
|
#include "suricata-common.h"
|
|
|
|
#include "suricata.h"
|
|
|
|
#include "detect.h"
|
|
|
|
#include "flow.h"
|
|
|
|
#include "flow-private.h"
|
|
|
|
#include "flow-bit.h"
|
|
|
|
|
|
|
|
#include "detect-parse.h"
|
|
|
|
#include "detect-engine.h"
|
|
|
|
#include "detect-engine-profile.h"
|
|
|
|
|
|
|
|
#include "detect-engine-alert.h"
|
|
|
|
#include "detect-engine-siggroup.h"
|
|
|
|
#include "detect-engine-address.h"
|
|
|
|
#include "detect-engine-proto.h"
|
|
|
|
#include "detect-engine-port.h"
|
|
|
|
#include "detect-engine-mpm.h"
|
|
|
|
#include "detect-engine-iponly.h"
|
|
|
|
#include "detect-engine-threshold.h"
|
|
|
|
#include "detect-engine-prefilter.h"
|
|
|
|
|
|
|
|
#include "detect-engine-payload.h"
|
|
|
|
#include "detect-engine-dcepayload.h"
|
|
|
|
#include "detect-dns-opcode.h"
|
|
|
|
#include "detect-dns-query.h"
|
|
|
|
#include "detect-tls-sni.h"
|
|
|
|
#include "detect-tls-certs.h"
|
|
|
|
#include "detect-tls-cert-fingerprint.h"
|
|
|
|
#include "detect-tls-cert-issuer.h"
|
|
|
|
#include "detect-tls-cert-subject.h"
|
|
|
|
#include "detect-tls-cert-serial.h"
|
|
|
|
#include "detect-tls-random.h"
|
|
|
|
#include "detect-tls-ja3-hash.h"
|
|
|
|
#include "detect-tls-ja3-string.h"
|
|
|
|
#include "detect-tls-ja3s-hash.h"
|
|
|
|
#include "detect-tls-ja3s-string.h"
|
|
|
|
#include "detect-engine-state.h"
|
|
|
|
#include "detect-engine-analyzer.h"
|
|
|
|
|
|
|
|
#include "detect-http-cookie.h"
|
|
|
|
#include "detect-http-method.h"
|
|
|
|
#include "detect-http-ua.h"
|
|
|
|
#include "detect-http-host.h"
|
|
|
|
|
|
|
|
#include "detect-mark.h"
|
|
|
|
#include "detect-nfs-procedure.h"
|
|
|
|
#include "detect-nfs-version.h"
|
|
|
|
|
|
|
|
#include "detect-engine-event.h"
|
|
|
|
#include "decode.h"
|
|
|
|
|
|
|
|
#include "detect-config.h"
|
|
|
|
|
|
|
|
#include "detect-smb-share.h"
|
|
|
|
|
|
|
|
#include "detect-base64-decode.h"
|
|
|
|
#include "detect-base64-data.h"
|
|
|
|
#include "detect-ipaddr.h"
|
|
|
|
#include "detect-ipopts.h"
|
|
|
|
#include "detect-tcp-flags.h"
|
|
|
|
#include "detect-fragbits.h"
|
|
|
|
#include "detect-fragoffset.h"
|
|
|
|
#include "detect-gid.h"
|
|
|
|
#include "detect-tcp-ack.h"
|
|
|
|
#include "detect-tcp-seq.h"
|
|
|
|
#include "detect-content.h"
|
|
|
|
#include "detect-uricontent.h"
|
|
|
|
#include "detect-pcre.h"
|
|
|
|
#include "detect-depth.h"
|
|
|
|
#include "detect-nocase.h"
|
|
|
|
#include "detect-rawbytes.h"
|
|
|
|
#include "detect-bytetest.h"
|
|
|
|
#include "detect-bytemath.h"
|
|
|
|
#include "detect-bytejump.h"
|
|
|
|
#include "detect-sameip.h"
|
|
|
|
#include "detect-l3proto.h"
|
|
|
|
#include "detect-ipproto.h"
|
|
|
|
#include "detect-within.h"
|
|
|
|
#include "detect-distance.h"
|
|
|
|
#include "detect-offset.h"
|
|
|
|
#include "detect-sid.h"
|
|
|
|
#include "detect-prefilter.h"
|
|
|
|
#include "detect-priority.h"
|
|
|
|
#include "detect-classtype.h"
|
|
|
|
#include "detect-reference.h"
|
|
|
|
#include "detect-tag.h"
|
|
|
|
#include "detect-threshold.h"
|
|
|
|
#include "detect-metadata.h"
|
|
|
|
#include "detect-msg.h"
|
|
|
|
#include "detect-rev.h"
|
|
|
|
#include "detect-flow.h"
|
|
|
|
#include "detect-flow-age.h"
|
|
|
|
#include "detect-tcp-window.h"
|
|
|
|
#include "detect-ftpbounce.h"
|
|
|
|
#include "detect-isdataat.h"
|
|
|
|
#include "detect-id.h"
|
|
|
|
#include "detect-rpc.h"
|
|
|
|
#include "detect-asn1.h"
|
|
|
|
#include "detect-filename.h"
|
|
|
|
#include "detect-fileext.h"
|
|
|
|
#include "detect-filestore.h"
|
|
|
|
#include "detect-filemagic.h"
|
|
|
|
#include "detect-filemd5.h"
|
|
|
|
#include "detect-filesha1.h"
|
|
|
|
#include "detect-filesha256.h"
|
|
|
|
#include "detect-filesize.h"
|
|
|
|
#include "detect-dataset.h"
|
|
|
|
#include "detect-datarep.h"
|
|
|
|
#include "detect-dsize.h"
|
|
|
|
#include "detect-flowvar.h"
|
|
|
|
#include "detect-flowint.h"
|
|
|
|
#include "detect-pktvar.h"
|
|
|
|
#include "detect-noalert.h"
|
|
|
|
#include "detect-flowbits.h"
|
|
|
|
#include "detect-hostbits.h"
|
|
|
|
#include "detect-xbits.h"
|
|
|
|
#include "detect-csum.h"
|
|
|
|
#include "detect-stream_size.h"
|
|
|
|
#include "detect-engine-sigorder.h"
|
|
|
|
#include "detect-ttl.h"
|
|
|
|
#include "detect-fast-pattern.h"
|
|
|
|
#include "detect-itype.h"
|
|
|
|
#include "detect-icode.h"
|
|
|
|
#include "detect-icmp-id.h"
|
|
|
|
#include "detect-icmp-seq.h"
|
|
|
|
#include "detect-icmpv4hdr.h"
|
|
|
|
#include "detect-dce-iface.h"
|
|
|
|
#include "detect-dce-opnum.h"
|
|
|
|
#include "detect-dce-stub-data.h"
|
|
|
|
#include "detect-urilen.h"
|
|
|
|
#include "detect-bsize.h"
|
|
|
|
#include "detect-detection-filter.h"
|
|
|
|
#include "detect-http-client-body.h"
|
|
|
|
#include "detect-http-server-body.h"
|
|
|
|
#include "detect-http-header.h"
|
|
|
|
#include "detect-http-header-names.h"
|
|
|
|
#include "detect-http-headers.h"
|
|
|
|
#include "detect-http-raw-header.h"
|
|
|
|
#include "detect-http-uri.h"
|
|
|
|
#include "detect-http-protocol.h"
|
|
|
|
#include "detect-http-start.h"
|
|
|
|
#include "detect-http-stat-msg.h"
|
|
|
|
#include "detect-http-request-line.h"
|
|
|
|
#include "detect-http-response-line.h"
|
|
|
|
#include "detect-http2.h"
|
|
|
|
#include "detect-byte-extract.h"
|
|
|
|
#include "detect-file-data.h"
|
|
|
|
#include "detect-pkt-data.h"
|
|
|
|
#include "detect-replace.h"
|
|
|
|
#include "detect-tos.h"
|
|
|
|
#include "detect-app-layer-event.h"
|
|
|
|
#include "detect-lua.h"
|
|
|
|
#include "detect-iprep.h"
|
|
|
|
#include "detect-geoip.h"
|
|
|
|
#include "detect-app-layer-protocol.h"
|
|
|
|
#include "detect-template.h"
|
|
|
|
#include "detect-template2.h"
|
|
|
|
#include "detect-tcphdr.h"
|
|
|
|
#include "detect-tcpmss.h"
|
|
|
|
#include "detect-udphdr.h"
|
|
|
|
#include "detect-icmpv6hdr.h"
|
|
|
|
#include "detect-icmpv6-mtu.h"
|
|
|
|
#include "detect-ipv4hdr.h"
|
|
|
|
#include "detect-ipv6hdr.h"
|
|
|
|
#include "detect-krb5-cname.h"
|
|
|
|
#include "detect-krb5-errcode.h"
|
|
|
|
#include "detect-krb5-msgtype.h"
|
|
|
|
#include "detect-krb5-sname.h"
|
|
|
|
#include "detect-krb5-ticket-encryption.h"
|
|
|
|
#include "detect-sip-method.h"
|
|
|
|
#include "detect-sip-uri.h"
|
|
|
|
#include "detect-sip-protocol.h"
|
|
|
|
#include "detect-sip-stat-code.h"
|
|
|
|
#include "detect-sip-stat-msg.h"
|
|
|
|
#include "detect-sip-request-line.h"
|
|
|
|
#include "detect-sip-response-line.h"
|
|
|
|
#include "detect-rfb-secresult.h"
|
|
|
|
#include "detect-rfb-sectype.h"
|
|
|
|
#include "detect-rfb-name.h"
|
|
|
|
#include "detect-target.h"
|
|
|
|
#include "detect-template-rust-buffer.h"
|
|
|
|
#include "detect-dhcp-leasetime.h"
|
|
|
|
#include "detect-dhcp-rebinding-time.h"
|
|
|
|
#include "detect-dhcp-renewal-time.h"
|
|
|
|
#include "detect-snmp-usm.h"
|
|
|
|
#include "detect-snmp-version.h"
|
|
|
|
#include "detect-snmp-community.h"
|
|
|
|
#include "detect-snmp-pdu_type.h"
|
|
|
|
#include "detect-mqtt-type.h"
|
|
|
|
#include "detect-mqtt-flags.h"
|
|
|
|
#include "detect-mqtt-qos.h"
|
|
|
|
#include "detect-mqtt-protocol-version.h"
|
|
|
|
#include "detect-mqtt-reason-code.h"
|
|
|
|
#include "detect-mqtt-connect-flags.h"
|
|
|
|
#include "detect-mqtt-connect-clientid.h"
|
|
|
|
#include "detect-mqtt-connect-username.h"
|
|
|
|
#include "detect-mqtt-connect-password.h"
|
|
|
|
#include "detect-mqtt-connect-willtopic.h"
|
|
|
|
#include "detect-mqtt-connect-willmessage.h"
|
|
|
|
#include "detect-mqtt-connack-sessionpresent.h"
|
|
|
|
#include "detect-mqtt-publish-topic.h"
|
|
|
|
#include "detect-mqtt-publish-message.h"
|
|
|
|
#include "detect-mqtt-subscribe-topic.h"
|
|
|
|
#include "detect-mqtt-unsubscribe-topic.h"
|
|
|
|
#include "detect-quic-sni.h"
|
|
|
|
#include "detect-quic-ua.h"
|
|
|
|
#include "detect-quic-version.h"
|
|
|
|
#include "detect-quic-cyu-hash.h"
|
|
|
|
#include "detect-quic-cyu-string.h"
|
|
|
|
|
|
|
|
#include "detect-bypass.h"
|
|
|
|
#include "detect-ftpdata.h"
|
|
|
|
#include "detect-engine-content-inspection.h"
|
|
|
|
|
|
|
|
#include "detect-transform-compress-whitespace.h"
|
|
|
|
#include "detect-transform-strip-whitespace.h"
|
|
|
|
#include "detect-transform-md5.h"
|
|
|
|
#include "detect-transform-sha1.h"
|
|
|
|
#include "detect-transform-sha256.h"
|
|
|
|
#include "detect-transform-dotprefix.h"
|
|
|
|
#include "detect-transform-pcrexform.h"
|
|
|
|
#include "detect-transform-urldecode.h"
|
|
|
|
#include "detect-transform-xor.h"
|
|
|
|
|
|
|
|
#include "util-rule-vars.h"
|
|
|
|
|
|
|
|
#include "app-layer.h"
|
|
|
|
#include "app-layer-protos.h"
|
|
|
|
#include "app-layer-htp.h"
|
|
|
|
#include "app-layer-smtp.h"
|
|
|
|
#include "detect-frame.h"
|
|
|
|
#include "detect-tls.h"
|
|
|
|
#include "detect-tls-cert-validity.h"
|
|
|
|
#include "detect-tls-version.h"
|
|
|
|
#include "detect-ssh-proto.h"
|
|
|
|
#include "detect-ssh-proto-version.h"
|
|
|
|
#include "detect-ssh-software.h"
|
|
|
|
#include "detect-ssh-software-version.h"
|
|
|
|
#include "detect-ssh-hassh.h"
|
|
|
|
#include "detect-ssh-hassh-server.h"
|
|
|
|
#include "detect-ssh-hassh-string.h"
|
|
|
|
#include "detect-ssh-hassh-server-string.h"
|
|
|
|
#include "detect-http-stat-code.h"
|
|
|
|
#include "detect-ssl-version.h"
|
|
|
|
#include "detect-ssl-state.h"
|
|
|
|
#include "detect-modbus.h"
|
|
|
|
#include "detect-cipservice.h"
|
|
|
|
#include "detect-dnp3.h"
|
|
|
|
#include "detect-ike-exch-type.h"
|
|
|
|
#include "detect-ike-spi.h"
|
|
|
|
#include "detect-ike-vendor.h"
|
|
|
|
#include "detect-ike-chosen-sa.h"
|
|
|
|
#include "detect-ike-key-exchange-payload-length.h"
|
|
|
|
#include "detect-ike-nonce-payload-length.h"
|
|
|
|
#include "detect-ike-nonce-payload.h"
|
|
|
|
#include "detect-ike-key-exchange-payload.h"
|
|
|
|
|
|
|
|
#include "action-globals.h"
|
|
|
|
#include "tm-threads.h"
|
|
|
|
|
|
|
|
#include "pkt-var.h"
|
|
|
|
|
|
|
|
#include "conf.h"
|
|
|
|
#include "conf-yaml-loader.h"
|
|
|
|
|
|
|
|
#include "stream-tcp.h"
|
|
|
|
#include "stream-tcp-inline.h"
|
|
|
|
|
|
|
|
#include "util-lua.h"
|
|
|
|
#include "util-var-name.h"
|
|
|
|
#include "util-classification-config.h"
|
|
|
|
#include "util-threshold-config.h"
|
|
|
|
#include "util-print.h"
|
|
|
|
#include "util-unittest.h"
|
|
|
|
#include "util-unittest-helper.h"
|
|
|
|
#include "util-debug.h"
|
|
|
|
#include "util-hashlist.h"
|
|
|
|
#include "util-privs.h"
|
|
|
|
#include "util-profiling.h"
|
|
|
|
#include "util-validate.h"
|
|
|
|
#include "util-optimize.h"
|
|
|
|
#include "util-path.h"
|
|
|
|
#include "util-mpm-ac.h"
|
|
|
|
#include "runmodes.h"
|
|
|
|
|
|
|
|
/**
 * \brief Emit one feature label, preceded by the separator unless it is the
 *        first label of the list.
 *
 * \param label   feature name to print
 * \param sep     separator character placed between labels
 * \param printed in/out: count of labels already printed for this entry
 */
static void PrintFeatureLabel(const char *label, char sep, int *printed)
{
    if (*printed > 0) {
        printf("%c", sep);
    }
    printf("%s", label);
    (*printed)++;
}

/**
 * \brief Print the feature list of a keyword table entry, or "none".
 *
 * Labels are emitted in a fixed order (option-less, IP-only compatible,
 * decoder-event-only compatible, content modifier, sticky buffer,
 * transform, prefilter), separated by 'sep'. Nothing is printed after the
 * last label: no trailing separator and no newline.
 *
 * \param e   keyword table entry to describe
 * \param sep separator character placed between labels
 */
static void PrintFeatureList(const SigTableElmt *e, char sep)
{
    const uint16_t flags = e->flags;
    int printed = 0;

    if (flags & SIGMATCH_NOOPT) {
        PrintFeatureLabel("No option", sep, &printed);
    }
    if (flags & SIGMATCH_IPONLY_COMPAT) {
        PrintFeatureLabel("compatible with IP only rule", sep, &printed);
    }
    if (flags & SIGMATCH_DEONLY_COMPAT) {
        PrintFeatureLabel("compatible with decoder event only rule", sep, &printed);
    }
    if (flags & SIGMATCH_INFO_CONTENT_MODIFIER) {
        PrintFeatureLabel("content modifier", sep, &printed);
    }
    if (flags & SIGMATCH_INFO_STICKY_BUFFER) {
        PrintFeatureLabel("sticky buffer", sep, &printed);
    }
    /* the last two capabilities are callbacks on the entry, not flag bits */
    if (e->Transform) {
        PrintFeatureLabel("transform", sep, &printed);
    }
    if (e->SupportsPrefilter) {
        PrintFeatureLabel("prefilter", sep, &printed);
    }

    if (printed == 0) {
        printf("none");
    }
}
|
|
|
|
|
|
|
|
/**
 * \brief Print the multi-line details of one keyword table entry.
 *
 * Prints the description (when set), the feature list, the documentation
 * URL (when set, prefixed with GetDocURL()) and the replacement keyword
 * (when the entry names an alternative), each line starting with 'prefix',
 * and ends with a newline.
 *
 * \param i      index into sigmatch_table
 * \param prefix string printed at the start of every line
 */
static void SigMultilinePrint(int i, const char *prefix)
{
    const SigTableElmt *entry = &sigmatch_table[i];

    if (entry->desc != NULL) {
        printf("%sDescription: %s\n", prefix, entry->desc);
    }

    printf("%sFeatures: ", prefix);
    PrintFeatureList(entry, ',');

    if (entry->url != NULL) {
        printf("\n%sDocumentation: %s%s", prefix, GetDocURL(), entry->url);
    }

    if (entry->alternative) {
        /* 'alternative' is itself an index into sigmatch_table */
        const char *replacement = sigmatch_table[entry->alternative].name;
        printf("\n%sReplaced by: %s", prefix, replacement);
    }

    printf("\n");
}
|
|
|
|
|
|
|
|
/**
 * \brief Decide whether a keyword table slot appears in the listings.
 *
 * Empty slots (NULL or empty name), internal keywords (name starting with
 * '_') and the "template" example keyword are hidden from the list, csv
 * and all outputs.
 *
 * \param name entry name, may be NULL
 * \retval 1 listable, 0 hidden
 */
static int SigTableEntryIsListable(const char *name)
{
    if (name == NULL || name[0] == '\0') {
        return 0;
    }
    if (name[0] == '_') {
        return 0;
    }
    return strcmp(name, "template") != 0;
}

/**
 * \brief List the registered rule keywords on stdout.
 *
 * \param keyword NULL for a plain list of names; "csv" for a semicolon
 *                separated table (built-in keywords only); "all" for the
 *                multi-line details of every listable keyword; any other
 *                string is looked up as a single keyword name.
 *
 * \retval TM_ECODE_DONE   listing printed
 * \retval TM_ECODE_FAILED single keyword not found, or found but not built in
 */
int SigTableList(const char *keyword)
{
    const size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt);

    if (keyword == NULL) {
        printf("=====Supported keywords=====\n");
        for (size_t i = 0; i < size; i++) {
            const SigTableElmt *e = &sigmatch_table[i];
            if (!SigTableEntryIsListable(e->name)) {
                continue;
            }
            const char *suffix = (e->flags & SIGMATCH_NOT_BUILT) ? " (not built-in)" : "";
            printf("- %s%s\n", e->name, suffix);
        }
        return TM_ECODE_DONE;
    }

    if (strcmp("csv", keyword) == 0) {
        printf("name;description;app layer;features;documentation\n");
        for (size_t i = 0; i < size; i++) {
            const SigTableElmt *e = &sigmatch_table[i];
            if (!SigTableEntryIsListable(e->name)) {
                continue;
            }
            /* unlike the plain list, csv drops keywords that are not built in */
            if (e->flags & SIGMATCH_NOT_BUILT) {
                continue;
            }

            printf("%s;", e->name);
            if (e->desc) {
                printf("%s", e->desc);
            }
            /* the "app layer" column is kept for compatibility; it used to
             * carry the alproto and is now always "Unset" */
            printf(";Unset;");
            PrintFeatureList(e, ':');
            printf(";");
            if (e->url) {
                printf("%s%s", GetDocURL(), e->url);
            }
            printf(";\n");
        }
        return TM_ECODE_DONE;
    }

    if (strcmp("all", keyword) == 0) {
        for (size_t i = 0; i < size; i++) {
            const SigTableElmt *e = &sigmatch_table[i];
            if (!SigTableEntryIsListable(e->name)) {
                continue;
            }
            printf("%s:\n", e->name);
            SigMultilinePrint((int)i, "\t");
        }
        return TM_ECODE_DONE;
    }

    /* single keyword lookup: only the NULL name check applies here, so
     * internal ('_'-prefixed) keywords can be looked up by exact name */
    for (size_t i = 0; i < size; i++) {
        const SigTableElmt *e = &sigmatch_table[i];
        if (e->name == NULL || strcmp(e->name, keyword) != 0) {
            continue;
        }
        printf("= %s =\n", e->name);
        if (e->flags & SIGMATCH_NOT_BUILT) {
            printf("Not built-in\n");
            return TM_ECODE_FAILED;
        }
        SigMultilinePrint((int)i, "");
        return TM_ECODE_DONE;
    }
    printf("Non existing keyword\n");
    return TM_ECODE_FAILED;
}
|
|
|
|
|
|
|
|
/**
 * \brief Populate the global keyword table sigmatch_table.
 *
 * Zeroes the table, then calls the registration function of every
 * keyword, and finally calls DetectBufferTypeCloseRegistration().
 * The first group of registrations is order dependent (see the NOTE
 * below); the rest are listed in no particular order.
 */
void SigTableSetup(void)
{
    /* start from an all-zero table so that a slot no keyword claims keeps a
     * NULL name, which the listing code (SigTableList) uses to skip it */
    memset(sigmatch_table, 0, sizeof(sigmatch_table));

    DetectSidRegister();
    DetectPriorityRegister();
    DetectPrefilterRegister();
    DetectRevRegister();
    DetectClasstypeRegister();
    DetectReferenceRegister();
    DetectTagRegister();
    DetectThresholdRegister();
    DetectMetadataRegister();
    DetectMsgRegister();
    DetectAckRegister();
    DetectSeqRegister();
    DetectContentRegister();
    DetectUricontentRegister();

    /* NOTE: the order of these currently affects inspect
     * engine registration order and ultimately the order
     * of inspect engines in the rule. Which in turn affects
     * state keeping */
    DetectHttpUriRegister();
    DetectHttpRequestLineRegister();
    DetectHttpClientBodyRegister();
    DetectHttpResponseLineRegister();
    DetectHttpServerBodyRegister();
    DetectHttpHeaderRegister();
    DetectHttpHeaderNamesRegister();
    DetectHttpHeadersRegister();
    DetectHttpProtocolRegister();
    DetectHttpStartRegister();
    DetectHttpRawHeaderRegister();
    DetectHttpMethodRegister();
    DetectHttpCookieRegister();

    DetectFilenameRegister();
    DetectFileextRegister();
    DetectFilestoreRegister();
    DetectFilemagicRegister();
    DetectFileMd5Register();
    DetectFileSha1Register();
    DetectFileSha256Register();
    DetectFilesizeRegister();

    DetectHttpUARegister();
    DetectHttpHHRegister();

    DetectHttpStatMsgRegister();
    DetectHttpStatCodeRegister();
    DetectHttp2Register();

    DetectDnsQueryRegister();
    DetectDnsOpcodeRegister();
    DetectModbusRegister();
    DetectCipServiceRegister();
    DetectEnipCommandRegister();
    DetectDNP3Register();

    DetectIkeExchTypeRegister();
    DetectIkeSpiRegister();
    DetectIkeVendorRegister();
    DetectIkeChosenSaRegister();
    DetectIkeKeyExchangePayloadLengthRegister();
    DetectIkeNoncePayloadLengthRegister();
    DetectIkeNonceRegister();
    DetectIkeKeyExchangeRegister();

    DetectTlsSniRegister();
    DetectTlsIssuerRegister();
    DetectTlsSubjectRegister();
    DetectTlsSerialRegister();
    DetectTlsFingerprintRegister();
    DetectTlsCertsRegister();
    DetectTlsCertChainLenRegister();
    DetectTlsRandomRegister();

    DetectTlsJa3HashRegister();
    DetectTlsJa3StringRegister();
    DetectTlsJa3SHashRegister();
    DetectTlsJa3SStringRegister();

    DetectAppLayerEventRegister();
    /* end of order dependent regs */

    DetectFrameRegister();

    DetectPcreRegister();
    DetectDepthRegister();
    DetectNocaseRegister();
    DetectRawbytesRegister();
    DetectBytetestRegister();
    DetectBytejumpRegister();
    DetectBytemathRegister();
    DetectSameipRegister();
    DetectGeoipRegister();
    DetectL3ProtoRegister();
    DetectIPProtoRegister();
    DetectWithinRegister();
    DetectDistanceRegister();
    DetectOffsetRegister();
    DetectReplaceRegister();
    DetectFlowRegister();
    DetectFlowAgeRegister();
    DetectWindowRegister();
    DetectRpcRegister();
    DetectFtpbounceRegister();
    DetectFtpdataRegister();
    DetectIsdataatRegister();
    DetectIdRegister();
    DetectDsizeRegister();
    DetectDatasetRegister();
    DetectDatarepRegister();
    DetectFlowvarRegister();
    DetectFlowintRegister();
    DetectPktvarRegister();
    DetectNoalertRegister();
    DetectFlowbitsRegister();
    DetectHostbitsRegister();
    DetectXbitsRegister();
    DetectEngineEventRegister();
    DetectIpOptsRegister();
    DetectFlagsRegister();
    DetectFragBitsRegister();
    DetectFragOffsetRegister();
    DetectGidRegister();
    DetectMarkRegister();
    DetectCsumRegister();
    DetectStreamSizeRegister();
    DetectTtlRegister();
    DetectTosRegister();
    DetectFastPatternRegister();
    DetectITypeRegister();
    DetectICodeRegister();
    DetectIcmpIdRegister();
    DetectIcmpSeqRegister();
    DetectIcmpv4HdrRegister();
    DetectDceIfaceRegister();
    DetectDceOpnumRegister();
    DetectDceStubDataRegister();
    DetectSmbNamedPipeRegister();
    DetectSmbShareRegister();
    DetectSmbNtlmsspUserRegister();
    DetectSmbNtlmsspDomainRegister();
    DetectTlsRegister();
    DetectTlsValidityRegister();
    DetectTlsVersionRegister();
    DetectNfsProcedureRegister();
    DetectNfsVersionRegister();
    DetectUrilenRegister();
    DetectBsizeRegister();
    DetectDetectionFilterRegister();
    DetectAsn1Register();
    DetectSshProtocolRegister();
    DetectSshVersionRegister();
    DetectSshSoftwareRegister();
    DetectSshSoftwareVersionRegister();
    DetectSshHasshRegister();
    DetectSshHasshServerRegister();
    DetectSshHasshStringRegister();
    DetectSshHasshServerStringRegister();
    DetectSslStateRegister();
    DetectSslVersionRegister();
    DetectByteExtractRegister();
    DetectFiledataRegister();
    DetectPktDataRegister();
    DetectLuaRegister();
    DetectIPRepRegister();
    DetectAppLayerProtocolRegister();
    DetectBase64DecodeRegister();
    DetectBase64DataRegister();
    DetectTemplateRegister();
    DetectTemplate2Register();
    DetectTcphdrRegister();
    DetectUdphdrRegister();
    DetectTcpmssRegister();
    DetectICMPv6hdrRegister();
    DetectICMPv6mtuRegister();
    DetectIPAddrBufferRegister();
    DetectIpv4hdrRegister();
    DetectIpv6hdrRegister();
    DetectKrb5CNameRegister();
    DetectKrb5ErrCodeRegister();
    DetectKrb5MsgTypeRegister();
    DetectKrb5SNameRegister();
    DetectKrb5TicketEncryptionRegister();
    DetectSipMethodRegister();
    DetectSipUriRegister();
    DetectSipProtocolRegister();
    DetectSipStatCodeRegister();
    DetectSipStatMsgRegister();
    DetectSipRequestLineRegister();
    DetectSipResponseLineRegister();
    DetectRfbSecresultRegister();
    DetectRfbSectypeRegister();
    DetectRfbNameRegister();
    DetectTargetRegister();
    DetectTemplateRustBufferRegister();
    DetectDHCPLeaseTimeRegister();
    DetectDHCPRebindingTimeRegister();
    DetectDHCPRenewalTimeRegister();
    DetectSNMPUsmRegister();
    DetectSNMPVersionRegister();
    DetectSNMPCommunityRegister();
    DetectSNMPPduTypeRegister();
    DetectMQTTTypeRegister();
    DetectMQTTFlagsRegister();
    DetectMQTTQosRegister();
    DetectMQTTProtocolVersionRegister();
    DetectMQTTReasonCodeRegister();
    DetectMQTTConnectFlagsRegister();
    DetectMQTTConnectClientIDRegister();
    DetectMQTTConnectUsernameRegister();
    DetectMQTTConnectPasswordRegister();
    DetectMQTTConnectWillTopicRegister();
    DetectMQTTConnectWillMessageRegister();
    DetectMQTTConnackSessionPresentRegister();
    DetectMQTTPublishTopicRegister();
    DetectMQTTPublishMessageRegister();
    DetectMQTTSubscribeTopicRegister();
    DetectMQTTUnsubscribeTopicRegister();
    DetectQuicSniRegister();
    DetectQuicUaRegister();
    DetectQuicVersionRegister();
    DetectQuicCyuHashRegister();
    DetectQuicCyuStringRegister();

    DetectBypassRegister();
    DetectConfigRegister();

    DetectTransformCompressWhitespaceRegister();
    DetectTransformStripWhitespaceRegister();
    DetectTransformMd5Register();
    DetectTransformSha1Register();
    DetectTransformSha256Register();
    DetectTransformDotPrefixRegister();
    DetectTransformPcrexformRegister();
    DetectTransformUrlDecodeRegister();
    DetectTransformXorRegister();

    /* close keyword registration */
    /* NOTE(review): must stay the last call here — presumably no buffer
     * type can be registered once this has run; confirm in detect-engine */
    DetectBufferTypeCloseRegistration();
}
|
|
|
|
|
|
|
|
#ifdef UNITTESTS
|
|
|
|
/**
 * \brief Register the unittests of every keyword table slot.
 *
 * Every slot in sigmatch_table counts towards g_ut_modules; a slot that
 * provides a RegisterTests callback has it called and also counts towards
 * g_ut_covered. Slots without a callback are logged at debug level, and
 * additionally as a warning when coverage_unittests is set.
 */
void SigTableRegisterTests(void)
{
    for (int i = 0; i < DETECT_TBLSIZE; i++) {
        const SigTableElmt *e = &sigmatch_table[i];
        g_ut_modules++;

        if (e->RegisterTests == NULL) {
            SCLogDebug("detection plugin %s has no unittest registration function.", e->name);
            if (coverage_unittests) {
                SCLogWarning(
                        "detection plugin %s has no unittest registration function.", e->name);
            }
            continue;
        }

        e->RegisterTests();
        g_ut_covered++;
    }
}
|
|
|
|
#endif
|