Commit Graph

543 Commits (06db2e2698253f267e91d0c7d115ce7dc5680fa0)

Author SHA1 Message Date
Shivani Bhardwaj 06db2e2698 detect/flowbits: add max usage per signature limit
Add a limit on the maximum number of times flowbits keyword that can be used in a
signature.

Task 8596
2 days ago
Victor Julien 7fe8f63a89 detect/parse: tighten hook parsing
Don't allow trailing :
2 weeks ago
Philippe Antoine 89dbce1b46 detect: convert tx_progress to uint8_t 2 weeks ago
Victor Julien d64954a873 detect: don't register unrelated inspect engines
For rules that specify an explicit app-layer hook,
e.g. http1:request_headers, don't register inspect engines for
other protocols like HTTP/2. These have their own progress tracking,
so should be excluded from these rules.
1 month ago
Denis Balashov 4d4c6227e1 detect/parse: assert HashListTableLookup results in duplicate sig check
Add DEBUG_VALIDATE_BUG_ON() at four sites in DetectEngineSignatureIsDuplicate()
where HashListTableLookup() is assumed to return non-NULL. Documents the
invariant that every Signature in sig_list has a dup_sig_hash_table entry
and catches violations in debug builds.

Flagged by Svace static analyzer.

Ticket: 8635
1 month ago
Juliana Fajardini 6e71ff3013 detect/parse: allow banning keywords with fw mode
Related to
Ticket #8551
1 month ago
Juliana Fajardini 04a7674512 detect/parse: allow banning keywords from fw rules
Related to
Ticket #8551
1 month ago
Victor Julien 57b16c964e detect/firewall: drop in fw mode does not include alert
In TD mode the drop action also includes alert.

In firewall mode it should not to stay in line with accept.

Ticket: #8601.
1 month ago
Victor Julien dc4c22e906 detect/firewall: support alert in packet default policy
Support `alert` as a secondary action in packet firewall policies.

To implement this a Signature object is created per policy that uses
alert, and this is stored in a array table. When the policy is applied
the signature is looked up and used in the PacketAlert.

Ticket: #8566.
1 month ago
Victor Julien 2d4f1968b8 detect/firewall: support alert in default app policy
Support `alert` as a secondary action in app-layer firewall policies.

To implement this a Signature object is created per policy that uses
alert, and this is stored in a hash table. When the policy is applied
the signature is looked up and used in the PacketAlert.

Ticket: #8566.
1 month ago
Victor Julien 71a6a9a746 detect/firewall: limit auto accept notation
Limit to accept:flow, accept:tx and accept:hook.
1 month ago
Victor Julien 651afba883 detect/firewall: implement initial state range support
Allow a single rule to accept a hook and the hooks prior to it.

Example:

        accept:flow tls:<client_hello_done ... \
                tls.sni; content:"suricata.io"; endswith;

This will evaluate the SNI at the client_hello_done hook, but will
act as if there is a `accept:hook tls:client_in_progress ...` as well.

Implementation is currently specific to this `<` operator. During
parsing the sig gets flagged for this case. During setup this has 3 main
effects:

1. prefilter is disabled as we need to eval this right at the first
   state (0)
2. for state 0 a non-PF "prefilter" engine is setup to make sure the
   rule is flagged for evaluation
3. In the Signature::app_inspect list a dummy inspect engine is
   registered per state before Signature::app_progress_hook

The matching logic is building on the stateful rule handling. The
stateful rule handling can now tell the inspection loop that a partial
match occured. For this rule type the partial match will act as a match
with action accept:hook.

Next app updates will then use the continue detection logic to continue
the stateful match. When that fully matches, the final actions are
applied, like accept:flow or accept:tx.

Ticket: #8472.
1 month ago
Juliana Fajardini 6933602050 detect/parse: convert Notice Log into Debug 1 month ago
Victor Julien 7134592fea detect/firewall: configurable default policies
Allow configurable policies, including accept. For app-layer this
requires looping all available hooks to apply the policies.

Support configurable policies for packet-filter, pre-stream, pre-flow.

If there are no rules there is also no rule group (sgh). Make sure
the app hooks policies are correctly handled in this case by allowing
a NULL sgh to be handled as well.

For tx rule match actually apply drop directly. Previously this was
always handled by the default drop:flow policy.

Ticket: #7701.
2 months ago
Victor Julien e76728a536 firewall: support multi-action statements in rules
For firewall rules, allow multiple actions to be specified in a list

        accept:flow,pass:flow,alert
        accept:flow,alert
        accept:flow,pass:flow

It is mandatory to make the first action the primary firewall policy
action: accept, drop, reject.

Ticket: #8480.
2 months ago
Victor Julien 33b3793372 firewall: limit action scope packet for app-hooks
For non-UDP (so TCP), don't allow `accept:packet` or `drop:packet` as
this makes the evaluation of other rule hooks unpredictable.

Ticket: #8497.
2 months ago
Victor Julien 6fbd7483d6 detect/parse: limit pkthdr proto to decoder event rules
`alert pkthdr` was initially just an alias for `alert ip`, as that was
really just a way of stating that "any" should be matched. However with
the Ethernet matching in place, it no long makes sense to treat `alert
ip` as "any". Since `pkthdr` is used to match on decoder events, also
for packets that completely failed to parse, it should no longer be
treated as `alert ip` but rather as it's own distinct logic.
3 months ago
Victor Julien 232276ac19 detect: ethernet/arp matching
Support `alert ether` for matching all ethernet packets.

Add `alert arp` for matching ARP packets.

Ticket: #8313.
3 months ago
Victor Julien d4f005933a detect/proto: reduce size for common sigs
Make `Signature::proto` an optional member, meaning that if it is
NULL we can skip the check. This can be done for `alert ip`, as no check
is needed, and for `alert tcp` and `alert udp` as having a rule in a sgh
for those means that the protocol matches.

Some exceptions are rules that require:
- ipv4/ipv6 specific matching
- frames, due to sharing prefilter between tcp and udp
- ip-only rules, due to those not being per sgh
3 months ago
Jeff Lucovsky 022a79fdd5 misc/cleanup: Simplify <cond> ? true : false
Simplify statements where there's a conditional statement followed by
return true or return false.

Instead of
    if (conditional)
        return true;
    else
        return false;

Use:
        return conditional
4 months ago
Victor Julien 9cecd29fd4 detect/parse: convert test to fail/pass 4 months ago
Philippe Antoine 4849d34325 detect/parse: debug validation before stack allocation
A rule size has a global bound

Ticket: 8001
4 months ago
Victor Julien a4aa056884 detect/parse: convert test to fail/pass 4 months ago
Victor Julien edc19a15ad detect/parse: convert unittest to fail/pass API 5 months ago
Philippe Antoine df495d7e22 rust: bindgen SCDetectGetLastSMFromLists
to use it from rust keywords
5 months ago
Philippe Antoine 83360cfce0 detect/ssh: move ssh.hassh string to rust
bindgen needed SCSigMatchSilentErrorEnabled on the way
5 months ago
Philippe Antoine df812b7a90 detect: do not exit on allocation failure during rule (re)load
Ticket: 6187
6 months ago
Lukas Sismis b596073a79 src: doc: remove double-space typos 6 months ago
Philippe Antoine 1329786f84 detect: new command line option : list-rule-protos
To list the protocols we can use a in a rule header

Ticket: 635
7 months ago
Victor Julien 3f4af00fdd counters: remove ThreadVars from API 7 months ago
Victor Julien 70096873ce counters: threadvar init func
Add initializion.

Also fixes DetectDsizeIcmpv6Test01 using two different ThreadVar
structs.
7 months ago
Philippe Antoine ca16b4ebf7 detect/parse: debug validation about stack allocation
Ticket: 8001
8 months ago
Victor Julien 5b11241a46 unittests: clean up memory for classtype tests 9 months ago
Victor Julien 5ab8b8cd49 unittests: clean up memory for signature tests 9 months ago
Philippe Antoine c99e159341 detect/files: support protocols only over udp
Ticket: 7973

Files were supported on both TCP and UDP. But file detection keywords
such as file.data made signatures loading fail if the signature
was using an app-layer protocol that enabled on udp only, even
if the signatures could run smoothly.
9 months ago
Victor Julien f1fdc1801e detect: set detect table for non-firewall mode as well
This also exposed a difference between the handling of TD alerts in
firewall vs non-firewall mode. In firewall mode the table/hook is also
part of the alert ordering to make sure actions from packet:td are
applied before app:td. Handle that explicitly for now.
1 year ago
Victor Julien 7896148798 detect/config: allow setting a scope for action config 1 year ago
Victor Julien 0de19d61aa detect: clean up signature validate logic
`SigValidate` was doing more than just validation. Break out the
function into validation steps and consolidation steps.
1 year ago
Victor Julien 12f2f3f9f1 detect: tables support per keyword
Allow keywords to specify in which detect table they can function.

E.g. the pre_flow table will not support flow keywords, as no flow is
availble at this time.
1 year ago
Victor Julien df7fe5b0ce detect: add pre_flow hook
Allows dropping of packets before a flow is created/updated.
Directionless as direction is inferred from the flow.

Ticket: #7714.
1 year ago
Victor Julien 8f2b925e09 detect: add pre_stream hook
Meant to be used from the detection engine, to allow rules to drop
traffic before it modifies the stream state.

Ticket: #7712.
1 year ago
Philippe Antoine a2b5225612 rust: bindgen SCSigMatchAppendSMToList
Ticket: 7667
1 year ago
Philippe Antoine 78034b218d rust: bindgen SCDetectSignatureSetAppProto
Ticket: 7667
1 year ago
Philippe Antoine b1ef498a81 rust: bindgen detect-parse.h
Ticket: 7667

Currently no functions are exported.

DetectFile* struct are moved to detect-file-data.h where
they make more sense.

ifndef SURICATA_BINDGEN_H is used for bindgen to exclude
pcre2 related code
1 year ago
Shivani Bhardwaj 623229728d signature: rename num to iid
to signify that it refers to the internal ID of the signature and
distinguish it from the "id" param that signifies the "sid" specified in
a rule.
1 year ago
Philippe Antoine df0dc2e8ea rust: bindgen SCDetectSignatureAddTransform
by moving it to detect-engine-buffer.h and prefixing it

Ticket: 7667
1 year ago
Philippe Antoine 8545ef2e56 detect: factorize code for DetectSetupDirection
Ticket: 7665

Instead of each keyword calling DetectSetupDirection, use a
new flag SIGMATCH_SUPPORT_DIR so that DetectSetupDirection gets
called, before parsing the rest of the keyword.

Allows to support filesize keyword in transactional signatures
1 year ago
Jason Ish bf427c69cd rust: remaining rs_ to SC conversions 1 year ago
Victor Julien f96e97205c firewall: detect: add feature flag for keywords supporting firewall 1 year ago
Victor Julien e6bd69b419 firewall: detect: set per rule table
For firewall mode, set the pseudo table in the rule and use this
in alert queue ordering, so that rule actions are applied in the
expected order:

        packet:filter -> packet:td -> app:filter -> app:td

This makes sure that a packet:td drop is applied before a app:filter
accept.
1 year ago