Commit Graph

2133 Commits (364d2c077d529bb01b3ca5cc3f53b1b9beb5d712)

Author SHA1 Message Date
Philippe Antoine 364d2c077d rust: bindgen SCAppLayerRegisterParser
Ticket: 7662
5 months ago
Philippe Antoine 8401417a84 app-layer: remove some obsolete forward declarations
and reorder definitions
5 months ago
Philippe Antoine 8857b78f6a rust: move AppLayerTxData definition to C
and bindgen it to rust

Will make easier the bindgen of RustParser structure which uses
a callback which uses AppLayerTxData

Move also the free function to C SCAppLayerTxDataCleanup
As suricata-sys crate defines AppLayerTxData for rust,
It must itself implement the Drop trait, and thus,
We need to define a feature surest
5 months ago
Philippe Antoine 8eaced3c1e rust: move AppLayerResult definition to C
and bindgen it to rust

Will make easier the bindgen of RustParser structure which uses
a callback which uses AppLayerResult

Keep From<> impl in sys crate that defines it
5 months ago
Philippe Antoine 06f78b2a22 rust: move StreamSlice definition to C
and bindgen it to rust

Will make easier the bindgen of RustParser structure which uses
a callback which uses StreamSlice
5 months ago
Philippe Antoine 41f543ca35 rust: move AppLayerGetTxIterTuple definition to C
and bindgen it to rust

Will make easier the bindgen of RustParser structure which uses
a callback which uses AppLayerGetTxIterTuple
5 months ago
Philippe Antoine 64d29fcd1c rust: move AppLayerStateData definition to C
and bindgen it to rust, and use default trait instead of new

Will make easier the bindgen of RustParser structure which uses
a callback which uses AppLayerStateData
5 months ago
Philippe Antoine 76efb8af4d rust: move AppLayerGetFileState definition to C
and bindgen it to rust.

Will make easier the bindgen of RustParser structure which uses
a callback which uses AppLayerGetFileState
5 months ago
Philippe Antoine fc23e54c6d rust: bindgen with derive eq
As will be needed such as AppLayerTxData
5 months ago
Shivani Bhardwaj d4008a6508 dcerpc: remove bad tests
Unittests test_parse_bind_pdu_infinite_loop and
test_parse_bindack_pdu_infinite_loop seem to have artificially made up
header which does not hold up to the strict calculations enforced by the
parser now. Their headers mark the fraglens as 64 and 72 respectively
which are not enough to hold the kind of bind(ack) items that are expected.
It worked so far as the parser passed the entire input slice around but
with the bugfix for issue 7546, the input passed around is strictly
restricted to the fraglen parsed in the header.

Bug 7546
5 months ago
Shivani Bhardwaj ed1bd8624e dcerpc: use fraglen from header
So far, the fraglen defined in the header was used inconsistently in
certain places to define bounds on input length. Make it consistent by
making sure that only a slice up until fraglen is passed around as that
is the maximum length the fragment should have.
With the help of Applayer::incomplete API, the case when the
stream_slice passed to the parser is smaller than the header defined
fraglen is already handled.

Bug 7546
5 months ago
Shivani Bhardwaj fc9da1c7a1 dcerpc: fix consumed bytes post gap handling
The parser could receive an input that consists of arbitrary data post
gap. This is handled in the beginning of the fn handle_input_data.
However, the rest of the calculation does not take into account the
bytes that were consumed at this stage. Fix the indices and calculations
to consider a new DCERPC fragment beginning post these consumed bytes.
5 months ago
Philippe Antoine 9a52bbcbe9 detect/quic: move quic.cyu.hash to rust
Ticket: 8255
5 months ago
Philippe Antoine 01610aabe7 detect/quic: move quic.cyu.string to rust
Ticket: 8255
5 months ago
Philippe Antoine ee4d4a14d5 detect/quic: move quic.ua to rust
Ticket: 8255
5 months ago
Philippe Antoine 9ba9fdcb87 detect/quic: move quic.sni to rust
Ticket: 8255
5 months ago
Philippe Antoine 907e71a984 detect/quic: move quic.version to rust
Ticket: 8255
5 months ago
Philippe Antoine 7dbe033ae0 app-layer: function to register ci pattern + probe
Ticket: 6591
5 months ago
Philippe Antoine 2cf9a327d5 detect/ssh: move ssh.hassh to rust
Introduces helper SCDetectRegisterBufferLowerMd5Callbacks
5 months ago
Philippe Antoine 83360cfce0 detect/ssh: move ssh.hassh string to rust
bindgen needed SCSigMatchSilentErrorEnabled on the way
5 months ago
Philippe Antoine 02cb0f2ac2 rust: fix unnecessary_unwrap warnings
warning: called `unwrap` on `rd.pipe` after checking its variant with `is_some`
   --> src/smb/smb1.rs:858:28
    |
857 |             if rd.pipe.is_some() {
    |             -------------------- help: try: `if let Some(<item>) = rd.pipe`
858 |                 let pipe = rd.pipe.unwrap();
    |                            ^^^^^^^^^^^^^^^^
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.93.0/index.html#unnecessary_unwrap
    = note: `#[warn(clippy::unnecessary_unwrap)]` on by default
6 months ago
Philippe Antoine cafc398355 dcerpc: consume bytes after gap resync
Ticket: 7567

Re-applies commit 8c3bd3e8a0
which was reverted in f64aec9d11
6 months ago
Philippe Antoine 54cc752cf9 ssh: hassh can be truly disabled
Rules will not re-enable it

Ticket: 8223
6 months ago
Philippe Antoine 458211dcf2 detect/ssh: move ssh.proto to rust 6 months ago
Philippe Antoine 9cfc1cc557 detect/ssh: move obsolete keywords to rust 6 months ago
Philippe Antoine ea8ac2a02a detect/ssh: move ssh.software to rust
Adds helper function SCDetectHelperBufferProgressMpmRegister on the way
6 months ago
Philippe Antoine c0d6747e82 app-layer: GetTxIteratorFn uses a AppLayerGetTxIterState
Even if every current rust parser uses the u64 variant of the C union
6 months ago
Philippe Antoine 4b541b39f2 rust: move AppLayerEventType definition to C
and bindgen it to rust.

Will make easier the bindgen of RustParser structure which uses
a callback which uses AppLayerEventType
6 months ago
Philippe Antoine c960b7d7c1 app-layer: AppLayerParserFPtr uses a mut pointer to local storage
So, fix the fn prototype in rust ParseFn
6 months ago
Philippe Antoine f470ee448b quic: use standard tx iterator code
Will make bindgen life easier

As the fn prototype should not have istate: &mut u64
but a *mut AppLayerGetTxIterState which is an union with a u64
6 months ago
Philippe Antoine 076fcd61cd bittorrent: use standard tx iterator code
Will make bindgen life easier

As the fn prototype should not have istate: &mut u64
but a *mut AppLayerGetTxIterState which is an union with a u64
6 months ago
Philippe Antoine 1a546936c7 rust: AppLayerTxConfig uses Default impl 6 months ago
Philippe Antoine 4e64de3b3b rust: remove wrapper LoggerFlags struct definition
just use an u32 out of the box.
Will make bindgen like easier
6 months ago
Philippe Antoine f663be5983 rust: define every RustParser fn pointer unsafe
That is what bindgen will do
6 months ago
Lukas Sismis 3e4fdb2118 misc: time unit parsing function 6 months ago
Philippe Antoine 5bb9a0c3af dcerpc/tcp: fix fragmentation handling
Really count the fragments, and set it done when last was received
6 months ago
Philippe Antoine f64aec9d11 dcerpc: use different header for different directions
Header handling is wrong in the case
packet A to server is fragmented (return AppLayerResult::incomplete)
packet B is to client, but uses the header of the to_server packet

Bug 7547
6 months ago
Philippe Antoine 1832b50506 nfs: log read/write/rename whatever the nfs version
These were previously logged correctly only for nfs v3

Now, the correct opcodes are used for v2 and v4 as well

Ticket: 8222
6 months ago
Philippe Antoine b0850efd67 rust: from_str implementation for EncryptionHandling
To move non-specific quic code to the right place
6 months ago
Philippe Antoine 89b6ab6730 rust: rename EncryptionHandling
as it is no longer specific to SSH
6 months ago
Philippe Antoine 7acfea57a9 rust: move EncryptionHandling definition to its own file
as it is not specific to ssh anymore
6 months ago
Philippe Antoine 7422c97bf2 quic: encryption-handling config parameters
Ticket: 8116
6 months ago
Victor Julien ff3def130c rust/htp: formatting fixup 6 months ago
Victor Julien b1fe6a4ceb rust: update lru to 0.16.3; update lock
RUSTSEC-2026-0002

Ticket: #8210.
6 months ago
Philippe Antoine a48200b9e5 dcerpc: use saturating_add to count fragments
And do not overflow if we have traffic with more than 65K fragments
6 months ago
Shivani Bhardwaj e412215af9 dcerpc: add upper limit on stub data
DCERPC parsers had no upper bounds when it came to extending the stub
data buffer. Traffic can be crafted to bypass some internal parser
conditions to create an indefinite buffering in the stub_data array that
can make Suricata crash.

Add a default limit of 1MiB and make it configurable for the user.

Security 8182

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
6 months ago
Philippe Antoine fa5a4a994a http: limit the number of folded lines per header
Ticket: 8201

Limits the quadratic complexity if each packet, restarting the
header parsing, just adds a new folded line.
This was previously bounded by the configurable max header length
6 months ago
Philippe Antoine f2a45c4216 http: do not use recursion in decompression
just loop and iterate

Ticket: 8185
6 months ago
Shivani Bhardwaj 1d7b0d9b7a tls/subjectaltname: use byte arr instead of string
TLS parsers use x509-parser crate which parses X.509 certificates that
use ASN.1 DER encoding that can allow arbitrary byte sequences. An
attacker could inject null byte in a certificate anywhere to stump the
common language parsers terminating the string at a null byte leading to
a bypass of a possibly malicious certificate.

So far, the rust TLS parser for "subjectaltname" used a pattern that involved:
-> Get ASN.1 DER encoded raw data from the x509-parser crate
-> Convert this raw data to a decoded string (Rust)
-> Convert the Rust string to CString
-- The problem lies here. CString only accepts proper strings/byte
buffers and converts it into an owned C-compatible, null-terminated
string. However, if any null byte occurs in the string passed to the
CString then it panics.
In the rust TLS parser, this panic is handled by returning NULL.

This means that the parser will error out during the decoding of the
certificate. However, Suricata must be able to detect the null byte
injection attack being an IDS/IPS.

Hence, replace all such string patterns w.r.t. TLS SAN with a byte
array.

Bug 7887
6 months ago
Shivani Bhardwaj 24f5b7dab2 tls/serial: use byte array instead of string
Bug 7887
6 months ago