Commit Graph

19346 Commits (main)
 

Author SHA1 Message Date
Victor Julien 8455efd9ac app-layer: add substate support to list hooks
Add substates to the --list-app-layer-hooks option.
20 hours ago
Victor Julien 8a5e8c63b2 detect: strict validation of buffers
Make sure that every buffer in a signature is actually used in the
setup of the engines. Reject sigs that are locked to a certain substate
and use buffers that require another.
20 hours ago
Victor Julien 89baff01c9 output/tx: allow registering logging at substate
Register HTTP/2 and DOH2 this way.
20 hours ago
Victor Julien a824d97d71 detect: use sub state to select inspect engines
When building the per signature app_inspect list, only add engines
that match the sub state specified in the hook.
20 hours ago
Victor Julien c5d4a250b5 detect/firewall: avoid passing state match for policy 20 hours ago
Victor Julien 9a294bf73b app-layer: check if protocol is enabled for sub state callbacks 20 hours ago
Victor Julien f545f06cf2 doh2: do not enable parser if http2 is disabled
DOH2 depends on HTTP/2, so it makes no sense to enable it separately.

It would also put the sub state handling in a weird state, as the DOH2
side reuses the registered HTTP/2 callbacks.
20 hours ago
Victor Julien cf216b6309 http2: rename state *start to *started
This is to make the hook use names consistent with the default
hooks and other protocols.
20 hours ago
Victor Julien f8f28c6f6f detect: sync prefilter and app inspect alproto logic
In firewall mode the alproto logic when building prefilter and rule
engines is strict, but was out of sync between prefilter and rule app
inspect engines.

For SIGNATURE_HOOK_TYPE_APP rules the logic is strict, with an exception
for HTTP/2 and DOH2. DOH2 is not a full protocol implementation, but
rather HTTP/2 with a different alproto.

Fixes: d64954a873 ("detect: don't register unrelated inspect engines")
20 hours ago
Victor Julien 56d9670af7 eve/alert: log sub state progress values 20 hours ago
Victor Julien f02a427059 eve/alert: clean up state logging 20 hours ago
Victor Julien 110e74642e detect/firewall: harden policy lookup logic 20 hours ago
Victor Julien cfc98aeeaf detect: add debug validation checks to assert assumptions 20 hours ago
Victor Julien 7517ba9f98 detect: give clear errors for http2 w/o substate
http2 states were not yet supported even if the built-in states could
already work. Clearly error out on a hook w/o substate.
20 hours ago
Victor Julien e4176d2b9a detect/firewall: support substate in analyzer 20 hours ago
Victor Julien 2511070a58 detect/firewall: support lte mode for substate 20 hours ago
Victor Julien e1e24d6cb4 eve/alert: add sub state output 20 hours ago
Victor Julien 7e60c3205e detect/alert: store sub-state in PacketAlert
In preparation of being able to log it.
20 hours ago
Victor Julien 17a3e0d44f app-layer: use macro for progress ceiling 20 hours ago
Victor Julien 2e1003a026 detect: add debug validation checks
Check that sub state handling is correct.
20 hours ago
Victor Julien af1c72c37e detect/mpm: don't register engines for disabled protocols 20 hours ago
Victor Julien 3b6b381f90 detect/firewall: add default alert signature to policy object
Now that there is a policy hash, make the alert signature object a
member of that to avoid another hash table lookup.
20 hours ago
Victor Julien bffea309db detect/firewall: implement app policy as hash table
With substate support the fixed table approach for policies was no
longer a good fit, so convert to a hash table. The policies are stored
per alproto, sub_state, progress and direction.
20 hours ago
Victor Julien eb87137471 detect/parse: allow bigger protocol/hook specifications 20 hours ago
Victor Julien 6a3f9bc0b0 app-layer: for sub state API treat DOH2 as HTTP/2
Otherwise we'd have to re-register the relevant callbacks.
20 hours ago
Victor Julien 956030452f detect/parse: don't setup sub states if protocol doesn't support it 20 hours ago
Victor Julien bb41ef9caf http2: update push promise to account for stream id 0 filtering 20 hours ago
Victor Julien c17ab6a65e http2: set event on frame types not allowed on stream id 20 hours ago
Victor Julien 3ef0d2ce16 detect/parse: parse sub state hooks
Register a generic list for each sub state / progress combo.
20 hours ago
Victor Julien 116a060092 detect/firewall: policy for substates
For the most part hard coded for HTTP/2 for now.
20 hours ago
Victor Julien 63b8143577 http2: register names for states per sub-state 20 hours ago
Victor Julien 14100d795c http2: mark HTTP2TxProgress and HTTP2TxGlobalProgress as AppLayerState 20 hours ago
Victor Julien cedb836d01 output/dns: update for DOH2 change 20 hours ago
Victor Julien 5735b87c3a detect: change how DOH2 inspection works
DNS/HTTP2 no longer automatically registers all keywords also for DOH2.

Instead, the DNS keywords and HTTP/2 stream keywords are registered for
DOH2 explicitly as well.

- flow alproto DOH2 + engine DOH2  -> inspect inner DNS
- flow alproto DOH2 + engine HTTP2 -> inspect outer HTTP/2
- flow alproto DOH2 + engine UNKNOWN -> inspect outer HTTP/2
20 hours ago
Victor Julien 17953d2355 detect/http: register keywords for HTTP/2
Now that HTTP keywords are no longer automatically registered for
HTTP/2, register them manually.
20 hours ago
Victor Julien b36ec146aa detect/dns: register keywords for DOH2 as well
Now that DNS keywords are no longer registered for DOH2, the keywords
need to manually registered for DOH2.
20 hours ago
Victor Julien 1bb843d83f detect/http2: don't double register engines
Each keyword supporting DOH2 must register explicitly
20 hours ago
Victor Julien 416b9c12ae detect/file: register http/2 with sub-state 20 hours ago
Victor Julien c943de4fac detect/parse: initial http2 substate support
Hard coded for now.
20 hours ago
Victor Julien 7ebc699df0 http2: split transaction state machines
Split into 2 sub-states:
- stream, which has the "HTTP" requests and responses, including DOH2
- global, which has the settings and other global or control handling

Introduce a simpler progress tracking for the global sub state:
- HTTP2ProgGlobalStart and HTTP2ProgGlobalComplete.

The stream sub state uses the same state machine as before.

Ticket: #8386.
20 hours ago
Victor Julien 2f41e0ef2d output/tx: support substate completion flags 20 hours ago
Victor Julien 67e2cb538a detect/app-layer-event: support sub-state progress handling 20 hours ago
Victor Julien 59e2c5a40c detect/parse: initial substate support 20 hours ago
Victor Julien 95365ce05b detect: support per tx sub states
Support for per transaction sub states: different state machines per
transaction type.

Skip engines not belonging to our substate.

Store tx_type in DetectTransaction.

Each protocol supporting sub states will register states from 1 and up.

To support:

Ticket: #8386.
20 hours ago
Victor Julien b6bc025789 app-layer: start of substate API support
Allow registration of per substate progress name mappings.

Implement logic for getting sub-state names, id's.

Add transaction type and end of progress values to AppLayerTxData.

Introduce helpers to keep logic clean.
20 hours ago
Shivani Bhardwaj 06db2e2698 detect/flowbits: add max usage per signature limit
Add a limit on the maximum number of times flowbits keyword that can be used in a
signature.

Task 8596
20 hours ago
Shivani Bhardwaj 3462b126a3 detect: add max_flowbits option
Also move field around to pack holes and align the struct better.

Task 8596
20 hours ago
Jason Ish 842b14ee1f smtp: don't create transaction for trailing quit
Also ensures that a quit or rset without a helo still creates a tx.

Ticket: #8728
1 day ago
Jason Ish e2a62dd1c0 smtp: handle pipelined replies on owning tx
Track the transaction id for each queued SMTP command so replies can update the
transaction that created the command instead of always using the current
transaction.

Ticket: #8393
1 day ago
Jason Ish 7b31f41878 smtp: complete transactions by progress state
Add directionality to completion states, and replace tx->done by checking for
both directions being complete.

This means that the transaction is now not complete until the server responds
to the clients of data marker, previously the tx was completed when the client
send end of data without waiting for the server response.

This keeps smtp:response_complete from being exposed before the server response
is parsed.

Ticket: #8393
1 day ago