Suricata Rules
==============

.. toctree::

   intro
   meta
   header-keywords
   payload-keywords
   integer-keywords
   transforms
   prefilter-keywords
   flow-keywords
   bypass-keyword
   http-keywords
   file-keywords
   dns-keywords

mdns: add mdns parser, logger and detection
The mDNS support is based heavily on the DNS support, reusing the
existing DNS parser where possible. This meant adding variations on
DNS, as mDNS is a little different. Mainly being that *all* mDNS
traffic is to_server, yet there is still the concept of request and
responses.
Keywords added are:
- mdns.queries.rrname
- mdns.answers.rrname
- mdns.additionals.rrname
- mdns.authorities.rrname
- mdns.response.rrname
They are mostly in line with the DNS keywords, except
mdns.answers.rdata, which is better than mdns.response.rrname,
as it is actually looking at the rdata, and not rrnames.
mDNS has its own logger that differs from the DNS logger:
- No grouped logging
- In answers/additionals/authorities, the rdata is logged in a field
that is named after the rdata type. For example, "txt" data is no
longer logged in the "rdata" field, but instead in a "txt" field. We
already did this in DNS for fields that were not a single
buffer, like SOA, SRV, etc. So this makes things more consistent. And
gives query like semantics that the "grouped" object was trying to
provide.
- Types are logged in lower case ("txt" instead of "TXT")
- Flags are logged as an array: "flags": ["aa", "z"]
Ticket: #3952
1 month ago

   mdns-keywords
   tls-keywords
   ssh-keywords
   ja-keywords
   modbus-keyword
   dcerpc-keywords
   dhcp-keywords
   dnp3-keywords
   enip-keyword
   ftp-keywords
   kerberos-keywords

rust/smb: import NT status code from Microsoft doc
This patch updates the NT status code definition to use the status
definitions used on the Microsoft documentation website. A first Python
script builds a JSON object with the code definitions.
```python
import json
from bs4 import BeautifulSoup
import requests

# Fetch the MS-ERREF NTSTATUS table and keep only its first <tbody>.
ntstatus = requests.get('https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55')
ntstatus_parsed = BeautifulSoup(ntstatus.text, 'html.parser')
ntstatus_parsed = ntstatus_parsed.find('tbody')
ntstatus_dict = {}
for item in ntstatus_parsed.find_all('tr'):
    cell = item.find_all('td')
    if len(cell) == 0:
        continue
    # First cell: numeric code and symbolic name; second cell: description paragraphs.
    code = cell[0].find_all('p')
    description_ps = cell[1].find_all('p')
    description_list = []
    if len(description_ps):
        for desc in description_ps:
            if desc.string is not None:
                description_list.append(desc.string.replace('\n ', ''))
    else:
        description_list = ['Description not available']
    # Keep the first definition seen for a given numeric code.
    if code[0].string.lower() not in ntstatus_dict:
        ntstatus_dict[code[0].string.lower()] = {"text": code[1].string, "desc": ' '.join(description_list)}
print(json.dumps(ntstatus_dict))
```
The second one is generating the code that is ready to be inserted into the
source file:
```python
import json

with open('ntstatus.json', 'r') as ntstatus_file:
    ntstatus = json.loads(ntstatus_file.read())

declaration_format = 'pub const SMB_NT%s:%su32 = %s;\n'
resolution_format = '        SMB_NT%s%s=> "%s",\n'
declaration = ""
resolution = ""
# Width of the longest symbolic name, used to align the generated columns.
text_max = len(max([ntstatus[x]['text'] for x in ntstatus.keys()], key=len))
for code in ntstatus.keys():
    text = ntstatus[code]['text']
    text_spaces = ' ' * (4 + text_max - len(text))
    declaration += declaration_format % (text, text_spaces, code)
    resolution += resolution_format % (text, text_spaces, text)
print(declaration)
print('\n')
print('''
pub fn smb_ntstatus_string(c: u32) -> String {
    match c {
''')
print(resolution)
print('''
        _ => { return (c).to_string(); },
    }.to_string()
}
''')
```
Bug #5412.
4 years ago

   smb-keywords
   snmp-keywords
   base64-keywords
   sip-keywords
   sdp-keywords

add RFB parser
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:
- rfb.name: Session name as sticky buffer
- rfb.sectype: Security type, e.g. VNC-style challenge-response
- rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...
The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.
We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
5 years ago

   rfb-keywords
   mqtt-keywords
   ike-keywords
   http2-keywords
   quic-keywords
   nfs-keywords
   smtp-keywords
   websocket-keywords
   app-layer
   decode-layer
   xbits
   noalert
   thresholding
   ip-reputation-rules
   ipaddr
   config
   datasets
   lua-detection
   differences-from-snort
   multi-buffer-matching
   tag
   vlan-keywords
   ldap-keywords
   pgsql-keywords
   rule-types
   email-keywords