Commit Graph

107 Commits (10150e95ad0c6aa9e5af6f39f709e87b3b3b0ba9)

Author SHA1 Message Date
Jeff Lucovsky 9cb54f747d decode/sll2: Support PCAPs encoded with Linux SLL ver 2
Support Linux Cooked mode v2 -- DLT 276
2 months ago
Jason Ish d78f2c9a4e af-packet: add event for packets truncated by af-packet
Ticket: #7458
4 months ago
Jeff Lucovsky 123b36b9f5 decode/ethertype: Event on unknown ethertype
Issue: 7129

Create a decode/engine event if unknown ethertypes are observed.
6 months ago
Victor Julien 6882bcb3e5 stream: add TCP urgent handling options
TCP urgent handling is a complex topic due to conflicting RFCs and
implementations.

Until now the URG flag and urgent pointer values were simply ignored,
leading to an effective "inline" processing of urgent data. Many
implementations however, do not default to this behavior.

Many actual implementations use the urgent mechanism to send 1 byte of
data out of band to the application.

Complicating the matter is that the way the urgent logic is handled is
generally configurable both of the OS and the app level. So from the
network it is impossible to know with confidence what the settings are.

This patch adds the following policies:

`stream.reassembly.urgent.policy`:

- drop: drop URG packets before they affect the stream engine

- inline: ignore the urgent pointer and process all data inline

- oob (out of band): treat the last byte as out of band

- gap: skip the last byte, but do no adjust sequence offsets, leading to
       gaps in the data

For the `oob` option, tracking of a sequence number offset is required,
as the OOB data does "consume" sequence number space. This is limited to
64k. For this reason, there is a second policy:

`stream.reassembly.urgent.oob-limit-policy`:

- drop: drop URG packets before they affect the stream engine

- inline: ignore the urgent pointer and process all data inline

- gap: skip the last byte, but do no adjust sequence offsets, leading to
       gaps in the data

Bug: #7411.
8 months ago
Giuseppe Longo 5219a5da5f decode/arp: implement decoder
This adds a decoder for ARP.

Ticket #6827
1 year ago
Jason Ish 44388f1b69 src: make include guards more library friendly
Include guards for libraries should use a prefix that is meaningful for
the library to avoid conflicts with other user code. For Suricata, use
SURICATA.

Additionally, remove the pattern of leading and trailing underscores as
these are reserved for the language implementation per the C and C++
standards.
1 year ago
Victor Julien 9ba55b8a28 stream: add stream.rst_with_data event for RST with data 2 years ago
Victor Julien db1cb2a032 stream: update insert error checking 2 years ago
Victor Julien 30a716a4ab stream: accept and flag ack of ZWP data
Tcp Zero Window Probes try to send a single byte payload to "probe" if
the window has reopened. This single byte is, if accepted, not retransmitted.
2 years ago
Victor Julien 7ef57cc7cb stream: support SYN/ACK with TFO only ack'ing ISN
Not ack'ing the data.
2 years ago
Victor Julien 7bfee147ef stream: SYN queue support
Support case where there are multiple SYN retransmits, where
each has a new timestamp.

Before this patch, Suricata would only accept a SYN/ACK that
matches the last timestamp. However, observed behavior is that
the server may choose to only respond to the first. In IPS mode
this could lead to a connection timing out as Suricata drops
the SYN/ACK it considers wrong, and the server continues to
retransmit it.

This patch reuses the SYN/ACK queuing logic to keep a list
of SYN packets and their window, timestamp, wscale and sackok
settings. Then when the SYN/ACK arrives, it is first evaluated
against the normal session state. But if it fails due to a
timestamp mismatch, it will look for queued SYN's and see if
any of them match the timestamp. If one does, the ssn is updated
to use that SYN and the SYN/ACK is accepted.

Bug: #5856.
2 years ago
Shivani Bhardwaj eebdfe9a3e decode/events: add event type UDP_LEN_INVALID 3 years ago
Jeff Lucovsky 1d8cc7791d general: Typo fixup 3 years ago
Jeff Lucovsky 6a039ab316 stream/event: New reassembly depth event
Issue: 3512

This commit adds a stream event triggered when the stream assembly depth
is reached.
3 years ago
Victor Julien cc4e8f0936 stream: detect spurious retransmissions early 3 years ago
Philippe Antoine 6cb6225b28 tcp: rejects FIN+SYN packets as invalid
Ticket: #4569

If a FIN+SYN packet is sent, the destination may keep the
connection alive instead of starting to close it.
In this case, a later SYN packet will be ignored by the
destination.

Previously, Suricata considered this a session reuse, and thus
used the sequence number of the last SYN packet, instead of
using the one of the live connection, leading to evasion.

This commit errors on FIN+SYN so that they do not get
processed as regular FIN packets.
4 years ago
Philippe Antoine ca760e305c ipv6: decoder event on invalid length
From RFC 2460, section 4.5,
each fragment, except the last one, must have a length
which is a multiple of 8
4 years ago
Jeff Lucovsky 1ddad0a0d6 decode/events: VNTAG decoder events 4 years ago
Philippe Antoine 7500c29300 decode: limits the number of decoded layers
so as to avoid overrecursion leading to stack exhaustion
4 years ago
Emmanuel Thompson f12daa710f decode/flow/esp: Add ESP decoder & flow
- Adds an ESP (Encapsulating Security Payload) header decoder
- Tracks ESP flows via the SPI field
5 years ago
Carl Smith 660b68a083 nsh: Parsing of Network Services Header and payload
Support for EtherType 0x894F and basic header
5 years ago
Ali Jad Khalil 66452dd38a decode/vxlan: Modified/refactored VXLAN logic
This is just a slight refactor to make analagous decoding/encapsulation
schemes - Geneve, Teredo, and VXLAN - be implemented as similarly as
possible.
5 years ago
Ali Jad Khalil 5d955c1836 decode/geneve: Add Geneve decoding functionality
These changes are in response to feature request 3063. Geneve is
very similar to VXLAN, but uses a slightly different encapsulation
scheme.
5 years ago
Victor Julien 77bafe13a3 decode: reformat event table 5 years ago
Victor Julien 328a94206e decode/hdlc: initial support 5 years ago
Jason Ish b8ce7f2885 mpls: check buffer length before peeking at next header
Check that we have enough bytes before peaking into the MPLS
packet payload.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2884
6 years ago
Victor Julien 631ee383bb flow/stream: 'wrong thread' as stream event & counter
Set event at most once per flow, for the first 'wrong' packet.

Add 'tcp.pkt_on_wrong_thread' counter. This is incremented for each
'wrong' packet. Note that the first packet for a flow determines
what thread is 'correct'.
7 years ago
Victor Julien 4f84672d7c stats: decoder/stream events as stats 7 years ago
Victor Julien 6c97909a92 stream/events: log as stats 7 years ago
Victor Julien 843d0b7a10 stream: support RST getting lost/ignored
In case of a valid RST on a SYN, the state is switched to 'TCP_CLOSED'.
However, the target of the RST may not have received it, or may not
have accepted it. Also, the RST may have been injected, so the supposed
sender may not actually be aware of the RST that was sent in it's name.

In this case the previous behavior was to switch the state to CLOSED and
accept no further TCP updates or stream reassembly.

This patch changes this. It still switches the state to CLOSED, as this
is by far the most likely to be correct. However, it will reconsider
the state if the receiver continues to talk.

To do this on each state change the previous state will be recorded in
TcpSession::pstate. If a non-RST packet is received after a RST, this
TcpSession::pstate is used to try to continue the conversation.

If the (supposed) sender of the RST is also continueing the conversation
as normal, it's highly likely it didn't send the RST. In this case
a stream event is generated.

Ticket: #2501

Reported-By: Kirill Shipulin
7 years ago
Victor Julien ca67408e79 stream: set event for suspected data injection during 3whs
This rule will match on the STREAM_3WHS_ACK_DATA_INJECT, that is
set if we're:
- in IPS mode
- get a data packet from the server
- that matches the exact SEQ/ACK expectations for the 3whs

The action of the rule is set to drop as the stream engine will drop.
So the rule action is actually not needed, but for consistency it
is drop.
8 years ago
Victor Julien d5f7acd860 decoder: implement IEEE802.1AH 8 years ago
Victor Julien ab1200fbd7 compiler: more strict compiler warnings
Set flags by default:

    -Wmissing-prototypes
    -Wmissing-declarations
    -Wstrict-prototypes
    -Wwrite-strings
    -Wcast-align
    -Wbad-function-cast
    -Wformat-security
    -Wno-format-nonliteral
    -Wmissing-format-attribute
    -funsigned-char

Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
Jason Ish b454aa46c6 defrag: use frag_pkt_too_large instead of frag_too_large
The rules were using the wrong decoder event type, which was
only set in the unlikely event of a complete overlap, which
really had nothing to do with being too large.

Remove FRAG_TOO_LARGE as its no longer being used, an overlap
event is already set in the case where this event would be set.
9 years ago
Jason Ish 95015a3f6d decode: support Cisco Fabric Path / DCE
Cisco Fabric Path is ethernet wrapped in an ethernet like header
with 2 extra bytes.  The ethernet type is in the same location
so the ethernet decoder can be used with some validation
for the extra length.
9 years ago
Maurizio Abba 44a7c12ad0 decode-events: counters for decode events errors
We want to add counters in order to track the number of times we hit a
decode event. A decode event is related to an error in the protocol
decoding over a certain packet.

This patch fist modifies the decode-event list, reordering it in order
to separate single packet events from stream-related events and adding
the prefix "decoder" to decode events.
The counters are created during the decode setup and the relative event
counter is increased every time a packet with the flag PKT_IS_INVALID is
finalized in the decode phase
10 years ago
Eric Leblond ab3aed7d25 decode: update icmpv6 message handling
This patch adds two new events relative to icmpv6. One for packets
using unassigned icmpv6 type. The second one for packets using
private experimentation type.

Icmpv6 type table taken from http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2
10 years ago
Victor Julien 928957f0a3 decode: add ERSPANv1 decoder
Only allow v1 to be parsed as thats what is tested.

Take vlan_id from the ERSPAN layer.
10 years ago
Victor Julien 04ccfda639 pcap: implement LINKTYPE_NULL
Implement LINKTYPE_NULL for pcap live and pcap file.

From: http://www.tcpdump.org/linktypes.html

"BSD loopback encapsulation; the link layer header is a 4-byte field,
 in host byte order, containing a PF_ value from socket.h for the
 network-layer protocol of the packet.

 Note that ``host byte order'' is the byte order of the machine on
 which the packets are captured, and the PF_ values are for the OS
 of the machine on which the packets are captured; if a live capture
 is being done, ``host byte order'' is the byte order of the machine
 capturing the packets, and the PF_ values are those of the OS of
 the machine capturing the packets, but if a ``savefile'' is being
 read, the byte order and PF_ values are not necessarily those of
 the machine reading the capture file."

Feature ticket #1445
10 years ago
Victor Julien 0bb2b15491 ipv6: check for MLD messages with HL not 1
MLD messages should have a hop limit of 1 only. All others are invalid.

Written at MLD talk of Enno Rey, Antonios Atlasis & Jayson Salazar during
Deepsec 2014.
11 years ago
Jason Ish 2d12209194 Use ENGINE_SET_INVALID_EVENT when the packet is too small for an
MPLS header, and when the payload type can not be determined.
11 years ago
Jason Ish 65f40cbeaa Don't default to ethernet, ethernet should be preceded by a pseudowire.
If the payload type can't be determined, raise an alert.
11 years ago
Jason Ish 348b0e0e9f Set decoder events for labels that shouldn't be seen on the wire.
Add unit tests to test for mpls decoder events.
11 years ago
Victor Julien 6b0ff0193d stream: detect and filter out bad window updates
Reported in bug 1238 is an issue where stream reassembly can be
disrupted.

A packet that was in-window, but otherwise unexpected set the
window to a really low value, causing the next *expected* packet
to be considered out of window. This lead to missing data in the
stream reassembly.

The packet was unexpected in various ways:
- it would ack unseen traffic
- it's sequence number would not match the expected next_seq
- set a really low window, while not being a proper window update

Detection however, it greatly hampered by the fact that in case of
packet loss, quite similar packets come in. Alerting in this case
is unwanted. Ignoring/skipping packets in this case as well.

The logic used in this patch is as follows. If:

- the packet is not a window update AND
- packet seq > next_seq AND
- packet acq > next_seq (packet acks unseen data) AND
- packet shrinks window more than it's own data size
THEN set event and skip the packet in the stream engine.

So in case of a segment with no data, any window shrinking is rejected.

Bug #1238.
11 years ago
Victor Julien 7c05685421 ipv6: set event on unsupported nh
If a next header / protocol is encountered that we can't handle (yet)
set an event. Disabled the rule by default.

    decode-event:ipv6.unknown_next_header;
11 years ago
Victor Julien bbcdb657da ipv6: more robust ipv6 exthdr handling
Skip past Shim6, HIP and Mobility header.

Detect data after 'none' header.
    decode-event:ipv6.data_after_none_header;
11 years ago
Victor Julien 938602c55e ipv6: detect frag header reserved field non-zero
Frag Header length field is reserved, and should be set to 0.

    decode-event:ipv6.fh_non_zero_reserved_field;
11 years ago
Victor Julien 8c19e5ff63 ipv6: make exthdr parsing more robust
Improve data length checks. Detect PadN option with 0 length.
11 years ago
Victor Julien abee95ca4f ipv6: set flag on type 0 routing header
Type 0 Routing headers are deprecated per RFC 5095.

This patch sets an decode event flag that can be matched on through:
    decode-event:ipv6.rh_type_0;
11 years ago
Victor Julien fdca557e01 ipv4 decoder: set 'invalid' event on icmpv6
ICMPv6 on IPv4 is invalid, so if we encounter this we set an event
and flag the packet as invalid.

Ticket #1105.
12 years ago