aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rfb: trigger raw stream inspection

Browse Source 
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

RFB has several different types of requests and responses. Appropriate calls
to trigger raw stream inspection have been added on completion of each type of
request and response.

Task 7026
Bug 7004
pull/13292/head
Shivani Bhardwaj 2 months ago committed by Victor Julien
parent 44e098b7b3
commit b7629c1b90
1 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File

15
rust/src/rfb/rfb.rs
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2020-2023 Open Information Security Foundation
/* Copyright (C) 2020-2025 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -21,7 +21,7 @@
use super::parser;
use crate::applayer;
use crate::applayer::*;
use crate::core::{ALPROTO_UNKNOWN, IPPROTO_TCP};
use crate::core::{ALPROTO_UNKNOWN, IPPROTO_TCP, sc_app_layer_parser_trigger_raw_stream_inspection};
use crate::direction::Direction;
use crate::flow::Flow;
use crate::frames::*;
@ -218,6 +218,7 @@ impl RFBState {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_client_protocol_version = Some(request);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToServer as i32);
} else {
debug_validate_fail!(
"no transaction set at protocol selection stage"
@ -257,6 +258,7 @@ impl RFBState {
current_transaction.ts_security_type_selection = Some(request);
current_transaction.chosen_security_type =
Some(chosen_security_type as u32);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToServer as i32);
} else {
debug_validate_fail!("no transaction set at security type stage");
}
@ -314,6 +316,7 @@ impl RFBState {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_vnc_response = Some(request);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToServer as i32);
} else {
debug_validate_fail!("no transaction set at security result stage");
}
@ -352,6 +355,7 @@ impl RFBState {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_client_init = Some(request);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToServer as i32);
} else {
debug_validate_fail!("no transaction set at client init stage");
}
@ -438,6 +442,7 @@ impl RFBState {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_server_protocol_version = Some(request);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToClient as i32);
} else {
debug_validate_fail!("no transaction set but we just set one");
}
@ -487,6 +492,7 @@ impl RFBState {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_supported_security_types = Some(request);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToClient as i32);
} else {
debug_validate_fail!("no transaction set at security type stage");
}
@ -553,6 +559,7 @@ impl RFBState {
current_transaction.tc_server_security_type = Some(request);
current_transaction.chosen_security_type =
Some(chosen_security_type);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToClient as i32);
} else {
debug_validate_fail!("no transaction set at security type stage");
}
@ -592,6 +599,7 @@ impl RFBState {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_vnc_challenge = Some(request);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToClient as i32);
} else {
debug_validate_fail!("no transaction set at auth stage");
}
@ -632,6 +640,7 @@ impl RFBState {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_security_result = Some(request);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToClient as i32);
} else {
debug_validate_fail!(
"no transaction set at security result stage"
@ -671,6 +680,7 @@ impl RFBState {
Ok((_rem, request)) => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_failure_reason = Some(request);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToClient as i32);
} else {
debug_validate_fail!("no transaction set at failure reason stage");
}
@ -712,6 +722,7 @@ impl RFBState {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.tc_server_init = Some(request);
sc_app_layer_parser_trigger_raw_stream_inspection(flow, Direction::ToClient as i32);
// connection initialization is complete and parsed
current_transaction.complete = true;
} else {

Write Preview
Loading…
Cancel
Save