Commit Graph

2133 Commits (364d2c077d529bb01b3ca5cc3f53b1b9beb5d712)

Author SHA1 Message Date
Philippe Antoine 867f5bfa21 detect/integers: generic detect_parse_uint_bitflags
Ticket: 6724

This will ease other keywords with bitflags, by having a generic
function + an association between flag string and bit value.
10 months ago
Philippe Antoine 3641b4eda1 detect/nfs: move nfs_procedure to rust
Make it able to use strings on the way

Ticket: 6723
10 months ago
Philippe Antoine 9869fb776b detect/snmp: pdu_type keyword now accepts strings
Ticket: 6723
10 months ago
Philippe Antoine 0553dfa814 detect/krb5: move krb5_msg_type to rust
Makes it a generic u32 on the way

Unit tests are covered by SV tests

Ticket: 6723
10 months ago
Philippe Antoine 24503b0ead rust: move file functions out of SuricataContext
Ticket: 7667
10 months ago
Philippe Antoine 1f084f8cb7 rust: move HttpRangeFreeBlock out of SuricataContext
Ticket: 7667
10 months ago
Philippe Antoine 828a6bdbf8 rust: bindgen SCLogMessage
Ticket: 7667
10 months ago
Philippe Antoine cc845dccdb rust: bindgen GenericVarFree
Ticket: 7667
10 months ago
Philippe Antoine b00788af8b rust: bindgen SCAppLayerParserTriggerRawStreamInspection
Ticket: 7667
10 months ago
Philippe Antoine c52121586a rust: move AppLayerEvents funcs out of RustContext
Ticket: 7667

just use it directly, with bindgen, and cfg not test
10 months ago
Philippe Antoine bf6b8510fe rust: move DetectEngineStateFree out of RustContext
Ticket: 7667

just use it directly, with bindgen, and cfg not test
10 months ago
Philippe Antoine 573dd2367e rust: bindgen SCFileFlowFlagsToFlags
Ticket: 7667
10 months ago
Philippe Antoine 6fa85d18f0 rust: reenable lint unused_doc_comment
With just local exceptions
10 months ago
Philippe Antoine b59086210f rust: bindgen flow ffi API
Ticket: 7667
10 months ago
Philippe Antoine bbf1424371 rust: bindgen MpmAddPatternCI
Ticket: 7667
10 months ago
Philippe Antoine c391451f19 rust: begin to bindgen app-layer-register.h
Ticket: 7667
10 months ago
Philippe Antoine 95483228d2 detect: list-keywords cli shows integers with bitflags
Ticket: 7875
10 months ago
Philippe Antoine 53d9569dfb detect: list-keywords cli shows integers with enums
Ticket: 7875
10 months ago
Philippe Antoine da486af881 detect: list-keywords cli shows integers
Ticket: 7875
10 months ago
Philippe Antoine 68017d3fe1 detect: grow SigTableElmt flags to u32
to be later able to store information about keywords being about
integers
10 months ago
Philippe Antoine b298bce0e7 detect: list-keywords cli shows multi-buffers
Ticket: 7571
10 months ago
Philippe Antoine cb9ab951b9 detect/integers: subslice for multi-integers 10 months ago
Philippe Antoine 82f0e725a2 detect/integers: index or_absent and or_oob
To match if array is empty, or index is out of bounds
10 months ago
Philippe Antoine 1480cf47ab detect/integers: nb index to match a specific number of times
For example
dns.rrtype: !A,nb>3
will match if we have more than 3 dns records which are not A
10 months ago
Philippe Antoine 6f848eeaaf detect/integers: all1 index to match only on non-empty arrays 10 months ago
Philippe Antoine dd81cfa733 detect/uint: wait for end of progress to match on all
As is done for absent keyword for instance
10 months ago
Philippe Antoine 5add185f22 http2/detect: http2.window can now use index
Ticket: 7480
10 months ago
Philippe Antoine 83868778b9 http2/detect: http2.priority can now use index
Ticket: 7480
10 months ago
Philippe Antoine 9fc407fd75 mqtt/detect: mqtt.type can now use index
Ticket: 7480
10 months ago
Philippe Antoine c0988252ba dns/detect: rrtype can now use index
Ticket: 7480
10 months ago
Philippe Antoine d8c1f8e7be rust/detect: generic detect_uint_match_at_index
and make ldap use it

Ticket: 7480

No behavior change, just code restyling
10 months ago
Philippe Antoine 7effcb7835 rust/ldap: use Vec instead of Vecdeque
as we do not pop

Ticket: 7480

May have a behavior change, but only in terms of performance
10 months ago
Philippe Antoine f555f02ed4 rust/detect: generic detect_parse_array_uint_enum
And make ldap use it

Ticket: 7480

No behavior change, just code restyling
10 months ago
Philippe Antoine c6d3857793 rust/detect: create generic DetectUintArrayData
And make ldap use them

Ticket: 7480

No behavior change, just code restyling
10 months ago
Philippe Antoine e01d19889e rust/detect: move DetectUintIndex definition to generic file
Ticket: 7480

No behavior change, just code restyling
10 months ago
Philippe Antoine ef6ce7d701 detect: rename LdapIndex to something generic
to be able to use it outside of ldap

Ticket: 7480

No behavior change, just code restyling
10 months ago
Philippe Antoine 2ed7a85356 rust: rustfmt detect uint 10 months ago
Alice Akaki 8e0b0ef35f detect: add email.body_md5 keyword
email.body_md5 matches on md5 hash generated from email body
This keyword maps to the EVE field email.body_md5
It is a sticky buffer
Supports prefiltering

Ticket: #7587
10 months ago
Alice Akaki 6c88cc1e0c detect/mime: fix detect mime nits
Return 0 if .to_str() fails in functions
SCDetectMimeEmailGetData and SCDetectMimeEmailGetDataArray

Fixes:
431822c ("detect: add email.from")
96e461f ("detect: add email.received keyword")
10 months ago
Alice Akaki 4f1cc19f25 mime/smtp: Change md5_result type from GenericArray<u8, U16> to String 10 months ago
Victor Julien 96ae693b44 version: start work on 9.0.0 10 months ago
Shivani Bhardwaj 0d65d35c92 version: start development towards 8.0.2 10 months ago
Jason Ish 2444feed0d release: 8.0.1; update changelog 10 months ago
Jason Ish 6d74656bef rust: respect RUSTC and CARGO env vars like CC
To support alternative cargo and rustc programs (such as cargo-1.82),
respect CARGO and RUSTC environment variables during ./configure much
like CC.

RUSTFMT is also respected as that is required for the tests, and Cargo
can't figure this out like it can for rustc (perhaps a bug in the
packaging).

For cbindgen, we have also have to make sure the cargo environment
variable is set for each invocation.

To build with Ubuntu's Rust 1.82 packaging:

  CARGO=cargo-1.82 RUSTC=rustc-1.82 RUSTDOC=rustdoc-1.82 \
      ./configure

Note that setting RUSTDOC is only required for commands like "make
check" to pass.

Ticket: #7877
10 months ago
Jason Ish db945aec83 rust: bindgen requires rustfmt
Bindgen will use rustfmt after generating the bindings, but this will
fail if rustfmt is not installed. Only run bindgen if rustfmt is
installed.
10 months ago
Jason Ish 4d4198dccc rust: update tracing-subscriber
Address https://rustsec.org/advisories/RUSTSEC-2025-0055.
10 months ago
Jason Ish 3b9dfe620d rust: pin time crate to 0.3.41
0.3.42 introduces dependencies that require Rust 1.81.
10 months ago
Philippe Antoine be605ba2de htp: use transactions right get function
Not the VecDeque one

Ticket: 7803
11 months ago
Philippe Antoine d0a513df6a detect/integers: support kibibyte unit
Ticket: 7869
11 months ago
Philippe Antoine 2a17ab6d88 http: generate no anomaly for identity encoding
Ticket: 7843
11 months ago
Jeff Lucovsky 03d676531a detect/from_base64: Support keyword w/no opts
Issue: 7853

Support the use of `from_base64` with no optional values. In this case,
the default values for:
- mode RFC4648
- offset: 0
- bytes: buffer size
will be used.
11 months ago
Jason Ish b93a27722c rust: fix mismatched_lifetime_syntaxes warning
Fix new warning present in Rust 1.89.

warning: hiding a lifetime that's elided elsewhere is confusing
   --> src/ldap/types.rs:191:30
    = help: the same lifetime is referred to in inconsistent ways, making the signature confusing
    = note: `#[warn(mismatched_lifetime_syntaxes)]` on by default
help: use `'_` for type paths
11 months ago
Philippe Antoine fe9da8acd6 http2: do not log empty objects for request or response
Ticket: 7741
11 months ago
Philippe Antoine 11c549211e snmp: fix the possibility to disable the parser
Ticket: 7820

Do not register anything, not even ALPROTO_SNMP "snmp" string
if parser is disabled
11 months ago
Shivani Bhardwaj e4b3b75b23 version: start development towards 8.0.1 1 year ago
Shivani Bhardwaj 9956286fb8 release: 8.0.0; update changelog 1 year ago
Philippe Antoine fa8d3a4ccb http2: do not set file flags for global txs
Global txs means here txs with stream id 0, used for connection control
messages.
1 year ago
Philippe Antoine 349c21af2c http2: mark old txs as updated
As is done in the other case a few lines below
1 year ago
Philippe Antoine 1d6d331752 http2: forbid data on stream 0
Ticket: 7658

Suricata will not handle well if we open a file for this tx,
do not close it, but set the transaction state to completed.

RFC 9113 section 6.1 states:

If a DATA frame is received whose Stream Identifier field is 0x00,
the recipient MUST respond with a connection error (Section 5.4.1)
 of type PROTOCOL_ERROR.
1 year ago
Jason Ish c204ddb3e5 rust/Makefile: sort filenames
Misc cleanup as these lists are growing.
1 year ago
Jason Ish f68b06798f rust/htp: follow suricata versioning
Have htp follow Suricata versioning so we don't have to worry about
version updates as it changes.

For example, between 8.0.0-beta1 and 8.0.0-rc1 there were changes to
the htp, however the version stayed at 2.0.0 making it impossible to
publish these changes to crates.io.
1 year ago
Philippe Antoine 1940454a69 http: do not yield after failed connect if already pipelined
Ticket: 7791
1 year ago
Philippe Antoine 10150e95ad rust: allow collapsible_else_if for debug logs
see https://github.com/rust-lang/rust-clippy/issues/15158
1 year ago
Philippe Antoine a22b2f06fe rust/htp: fix clippy uninlined_format_args
--> htp/src/decompressors.rs:703:64
    |
703 |                 std::io::Error::new(std::io::ErrorKind::Other, format!("{}", e))
    |                                                                ^^^^^^^^^^^^^^^^
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#uninlined_format_args
1 year ago
Jeff Lucovsky 7e713cb45a detect/analyzer: Support u8 types
Issue: 6359

Support JSON output of u8 types
1 year ago
Philippe Antoine bca6cbfb04 rust: fix prototype for AppLayerParserTriggerRawStreamInspection
Ticket: 7762

As it modifies the flow indeed
1 year ago
Philippe Antoine f8168493f6 rust: remove unnecessary cbindgen exclusions 1 year ago
Philippe Antoine 59a5b53809 util/mpm: constify arg
and make rust version use the correct integer type

Ticket: 7762
1 year ago
Shivani Bhardwaj 6a6104304d version: start development towards 8.0.0 1 year ago
Shivani Bhardwaj cdfebcdc9c release: 8.0.0-rc1; update changelog 1 year ago
Jason Ish 25b8cd9761 lua: update to lua 5.4.8002
This updated crates remove tmpnam from being linked in, removing the
warning.
1 year ago
Eric Leblond dd94dc6cc6 datajson: introduce feature
This patch introduces new option to dataset keyword.
Where regular dataset allows match from sets, dataset with json
format allows the same but also adds JSON data to the alert
event. This data is coming from the set definition it self.
For example, an ipv4 set will look like:

  [{"ip": "10.16.1.11", "test": "success","context":3}]

The syntax is a JSON array but it can also be a JSON object
with an array inside. The idea is to directly used data coming
from the API of a threat intel management software.

The syntax of the keyword is the following:

  dataset:isset,src_ip,type ip,load src.lst,format json, \
       enrichment_key src_ip, value_key ip;

Compare to dataset, it just have a supplementary option key
that is used to indicate in which subobject the JSON value
should be added.

The information is added in the even under the alert.extra
subobject:

  "alert": {
    "extra": {
      "src_ip": {
        "ip": "10.6.1.11",
        "test": "success",
        "context": 3
      },

The main interest of the feature is to be able to contextualize
a match. For example, if you have an IOC source, you can do

 [
   {"buffer": "value1", "actor":"APT28","Country":"FR"},
   {"buffer": "value2", "actor":"APT32","Country":"NL"}
 ]

This way, a single dataset is able to produce context to the
event where it was not possible before and multiple signatures
had to be used.

The format introduced in datajson is an evolution of the
historical datarep format. This has some limitations. For example,
if a user fetch IOCs from a threat intel server there is a large
change that the format will be JSON or XML. Suricata has no support
for the second but can support the first one.

Keeping the key value may seem redundant but it is useful to have it
directly accessible in the extra data to be able to query it
independantly of the signature (where it can be multiple metadata
or even be a transformed metadata).

In some case, when interacting with data (mostly coming from
threat intel servers), the JSON array containing the data
to use is not at the root of the object and it is ncessary
to access a subobject.

This patch implements this with support of key in level1.level2.
This is done via the `array_key` option that contains the path
to the data.

Ticket: #7372
1 year ago
Pierre Chifflier adcee8d7b5 ldap: avoid unneeded renaming of variables 1 year ago
Pierre Chifflier ebc1678c5c ldap: fix clippy warnings (unneded conversions) 1 year ago
Pierre Chifflier bda22c1f4a ldap: factorize code and remove duplicated structs, use ldap_parser where relevant 1 year ago
Pierre Chifflier c152c5c7e0 ldap: update ldap-parser to 0.5.0 1 year ago
Philippe Antoine 6dbc421825 rust: bindgen AppLayerParserConfParserEnabled
Ticket: 7667
1 year ago
Philippe Antoine 49b2a2be5d rust: bindgen SCAppLayerParserRegisterLogger
Ticket: 7667
1 year ago
Philippe Antoine 7bfef2e1e8 rust: bindgen AppLayerParserRegisterParserAcceptableDataDirection
Ticket: 7667
1 year ago
Philippe Antoine 1ff4dbfc24 rust: bindgen AppLayerParserSetStreamDepth
Ticket: 7667
1 year ago
Philippe Antoine b29d46d81f rust: bindgen SCAppLayerParserStateIssetFlag
Ticket: 7667
1 year ago
Philippe Antoine 6d56beffef rust: bindgen AppLayerParserStateSetFlag
Ticket: 7667
1 year ago
Jason Ish 1aaf5cb7d2 rust: allow some lints in suricatactl and suricatasc
These are lints we allow in the Suricata Rust source code for style
reasons.
1 year ago
Jason Ish 89ba53272c suricatasc: reconnect on loss of connection
If the connection is lost (for example, Suricata is restarted), try to
re-open the connect and re-execute the command.

This was the behavior of the Python implementation.

Ticket: #7746
1 year ago
Shivani Bhardwaj 16eb56aa73 sip: fix inspection direction 1 year ago
Jason Ish f0411c079d rust: fix compiler warning for confusing lifetimes
For example:

error: lifetime flowing from input to output with different syntax can be confusing
   --> htp/src/headers.rs:475:16
    |
475 | fn null(input: &[u8]) -> IResult<&[u8], ParsedBytes> {
    |                ^^^^^             -----  ----------- the lifetimes get resolved as `'_`
    |                |                 |
    |                |                 the lifetimes get resolved as `'_`
    |                this lifetime flows to the output
    |
note: the lint level is defined here
   --> htp/src/lib.rs:3:9

This currently only happens when using the Rust nightly compiler, which
we use for our fuzz builds.
1 year ago
Jason Ish b83c2dacd4 lua: update to Lua 5.4.8
Also uses a proper Lua tagged version that is not a pre-release.

Ticket: #7632
1 year ago
Jason Ish e7366e43b5 rust: update deps
Update all deps with cargo update. Additionally, apply the updated
versions to the Cargo.toml, which while not stricly required, does
make it more clear what the version in use is.
1 year ago
Jason Ish 332bc6a05b rust: fix new clippy issues with MSRV update 1 year ago
Jason Ish 7de03a5ef3 rust: update clap and rustyline
With a MSRV of 1.75.0 we can now use current Clap. Rustlyline is
updated, but still needs to be held back from the most current
release.
1 year ago
Jason Ish 55a0d403cb rust: unpin once_cell from old version
We can now update to the current version of once_cell with Rust 1.75.
1 year ago
Jason Ish f0eaebe3a6 rust: set MSRV to 1.75.0
This is the Rust version found on Ubuntu LTS releases as of today, and
is the oldest we need to support.

Ticket: #6573
1 year ago
Jeff Lucovsky a292670443 detect/entropy: Add calculated entropy value to flowvars
When the entropy keyword is used, record the calculated entropy value to
a flow variable for logging use.
1 year ago
Philippe Antoine 79544d0f1e rust: remove some unneeded cbindgen:ignore
Ticket: 7667
1 year ago
Philippe Antoine 7bb0c94ae9 rust: bindgen app-layer-detect-proto.h
Ticket: 7667
1 year ago
Juliana Fajardini 765041dcdd pgsql: fix clippy warnings 1 year ago
Juliana Fajardini be47de4f6d pgsql: fix typo in comment that changed meaning 1 year ago
Juliana Fajardini 88fdfb9d5a pgsql: debug validation on duplicated request msgs
There shouldn't be duplicated messages in the requests Vec. And thus
the parser shouldn't log duplicated keys nor messages. Add debug
validations to ensure this.

With PGSQL's current state machine, most frontend/ client messages will
lead to the creation of a new transaction - which would prevent
duplicated messages being pushed to the requests array and reaching the
logger.

The current exceptions for that are:

- CopyDataIn
- CopyDone
- CopyFail

Thus, debug statements were added for those cases.

CopyDone and CopyFail, per the documentation, shouldn't be seen
duplicated on the wire for the same transaction. CopyDataIn -- yes, but
we consolidate those, so the expectation is that they won't be
duplicated in the requests array or when reaching the logger either.

Related to
Task #7645
1 year ago
Juliana Fajardini f4439c520c pgsql: separate request completion and state type
Since some of state types could indicate a request completion, don't
process them in if/else statements.

Related to
Task #7645
1 year ago
Juliana Fajardini 68acc0cfcb pgsql: be more strict with pub usage
Review pub visibility to:
Make it pub crate-only wherever possible.
Remove pub altogether where not-needed.
1 year ago
Juliana Fajardini 57f7f93a03 pgsql: reorganize pgsql states for CopyData msgs
To set apart states that are both for frontend and backend.
1 year ago
Juliana Fajardini f3aa0085a0 pgsql: rename copy in/out response field
We used `copy_column_count`, while just `columns` is more accurate with
what PostgreSQL describes, and what Wireshark shows.

Related to
Task #7644
Task #7645
1 year ago
Juliana Fajardini e5a47d7616 pgsql: rename 'dummy' response variables
While this could be considered minor, they were not just bad, but
misleading names, as the variables weren't really `dummy` responses,
but consolidating several messages.
1 year ago
Juliana Fajardini 2086f99d6b pgsql: add initial support to CopyIn mode/subproto
This sub-protocol inspects messages sent mainly from the frontend to
the backend after a 'COPY FROM STDIN' has been processed by the
backend.

Parses new messages:
- CopyInResponse -- initiates copy-in mode/sub-protocol
- CopyData (In) -- data transfer message, from frontend to backend
- CopyDone -- signals that no more CopyData messages will be seen from
  the frontend, for the current transaction
- CopyFail -- used by the frontend to signal some failure to proceed
  with sending CopyData messages

Task #7645
1 year ago
Juliana Fajardini decbb0ba5f pgsql: allow multi-request transactions
Important for CopyIn mode/ subprotocol, where the frontend is the one
sending 0 or more messages to the backend as part of a transaction.

Related to
Task #7645
1 year ago
Juliana Fajardini b3b0bbd1c3 pgsql: make CopyData struct generic
We have a data structure that can be used both for backend and frontend
messages, but was named as backend only.

Related to
Task #7645
1 year ago
Philippe Antoine d8a99e1fdd transforms: move base64 to rust
Ticket: 7733
1 year ago
Philippe Antoine 55a5a278f8 base64: use more precise and compact type for mode 1 year ago
Philippe Antoine 8b0d256e6b transform: move rust base64 to dedicated subdirectory 1 year ago
Philippe Antoine 97591230a9 rust: update brotli crate to latest version
Ticket: 7735

New version has a fix for an integer underflow
1 year ago
Philippe Antoine 16fee33368 http1: use a blocking cursor for decompression
Kind of as is done by HTTP2 which limits input data instead of
output data

Ticket: 7732
1 year ago
Philippe Antoine 7c88d37570 ci: check cargo fmt for htp 1 year ago
Philippe Antoine 261d2ad63b dcerpc: use wrapping to prevent u16 overflow
Otherwise, rust with debug assertion may trigger a panic
1 year ago
Philippe Antoine f4a5b741ce transform: fix identity function for base64 xfrom
As SCDetectTransformFromBase64Data is not a flat structure,
because it has pointers to other buffers, we cannot use it simply
for TransformId

We need to compute a serialization of the data hold by
SCDetectTransformFromBase64Data and own it.
1 year ago
Jason Ish 4a655053e8 mdns: add mdns parser, logger and detection
The mDNS support is based heavily on the DNS support, reusing the
existing DNS parser where possible. This meant adding variations on
DNS, as mDNS is a little different. Mainly being that *all* mDNS
traffic is to_server, yet there is still the concept of request and
responses.

Keywords added are:
- mdns.queries.rrname
- mdns.answers.rrname
- mdns.additionals.rrname
- mdns.authorities.rrname
- mdns.response.rrname

They are mostly in-line with the DNS keywords, except
mdns.answers.rdata which is a better than that mdns.response.rrname,
as its actually looking at the rdata, and not rrnames.

mDNS has its own logger that differs from the DNS logger:

- No grouped logging

- In answers/additionals/authorities, the rdata is logged in a field
  that is named after the rdata type. For example, "txt" data is no
  longer logged in the "rdata" field, but instead a "txt" field. We
  currently already did this in DNS for fields that were not a single
  buffer, like SOA, SRV, etc. So this makes things more consistent. And
  gives query like semantics that the "grouped" object was trying to
  provide.

- Types are logged in lower case ("txt" instead of "TXT")

- Flags are logged as an array: "flags": ["aa", "z"]

Ticket: #3952
1 year ago
Jason Ish de88d8ec48 dns: parse multiple txt segments into an array
A DNS TXT answer record can actually be made of up multiple TXT
entries in a single record. Suricata currently expands these into
multiple TXT records, however that is not very representative of the
actualy DNS message.

Instead, if a TXT record contains multiple labels, parse them into an
array.

We still expand multiple TXT segements into multiple TXT records at
logging time for compatibility, but this will allow something like
MDNS to log more accurately to the protocol.
1 year ago
Juliana Fajardini 404bb53ce9 pgsql: add query keyword
Add the `pgsql.query` rule keyword to match on PGSQL's query
request message contents. This currently matches on the EVE field:

pgsql.request.simple_query

`pgsql.query` is a sticky buffer and can be used as a fast_pattern.

Task #6259
1 year ago
Jason Ish 5a5b48179a github-ci: enable asan for suricata-lua-sys in fuzz build 1 year ago
Jason Ish 005cec693f rust: pass CC to to cargo
This is required for crates that use a C compiler to use the same one as
used by Suricata. Important for cross compiling.

Also pass AR and RANLIB which are often used for cross compiling.
1 year ago
Jason Ish 9781f207f7 lua: update to suricata-lua-sys 0.1.0-alpha.9
This version supports picking up CFLAGS either passed with CFLAGS or
SURICATA_LUA_SYS_CFLAGS.
1 year ago
Philippe Antoine f2e7309bbb rust: use bindgened Flow definition
Ticket: 7667
1 year ago
Philippe Antoine 6bc86230a5 rust: bindgen part of util-debug.h
Ticket: 7667

Especially SCLogLevel whose enum redef is removed in rust
1 year ago
Philippe Antoine 54a3a18a9e snmp: probing parser returns unknown if not enough data
Ticket: 7019
1 year ago
Shivani Bhardwaj bb7009f2f4 websocket: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

Websocket parser creates a new PDU per transaction in each direction. Appropriate
calls to trigger raw stream inspection have been added on succesful parsing of
each PDU.

Task 7026
Bug 7004
1 year ago
Shivani Bhardwaj efa1e3d72e ssh: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

SSH parser creates a new record per request or response. Appropriate calls
to trigger raw stream inspection have been added on succesful parsing of
each request and response.

Task 7026
Bug 7004
1 year ago
Shivani Bhardwaj 2da5bc8039 applayer: add bool status check fns 1 year ago
Shivani Bhardwaj a5583075f5 sip: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

SIP parser creates a new transaction per request or response. Appropriate calls
to trigger raw stream inspection have been added on creation of each request and
response.

Task 7026
Bug 7004
1 year ago
Shivani Bhardwaj b7629c1b90 rfb: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

RFB has several different types of requests and responses. Appropriate calls
to trigger raw stream inspection have been added on completion of each type of
request and response.

Task 7026
Bug 7004
1 year ago
Shivani Bhardwaj 44e098b7b3 rdp: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

RDP parser creates a transaction per request or response. Appropriate calls
to trigger raw stream inspection have been added on completion of each request
and response.

Task 7026
Bug 7004
1 year ago
Shivani Bhardwaj f709631cf7 pop3: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

POP3 has a classic request response model where a request is mapped to
a response although not by any ID. Appropriate calls to trigger raw stream
inspection have been added on completion of each request and response.

Task 7026
Bug 7004
1 year ago
Shivani Bhardwaj c0aa60c573 nfs: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

NFS has a classic request response model where each request is mapped to
a corresponding response. Additionally, there's also file tracking and
handling done as a part of these transactions. Appropriate calls to
trigger raw stream inspection have been added on completion of each
request and response.

Task 7026
Bug 7004
1 year ago
Shivani Bhardwaj 35cef72b44 stream: rename TriggerRawStreamReassembly
The functions around TriggerRawStreamReassembly are misnomers in the
current layout of the code. The functions were named appropriately when
they were created as per the structural and logical layout of the code
at the time.

These functions in today's code are being used to track, update and
trigger progress of inspection in the raw stream only. Hence, rename them
to TriggerRawStreamInspection.
1 year ago
Philippe Antoine a2b5225612 rust: bindgen SCSigMatchAppendSMToList
Ticket: 7667
1 year ago
Philippe Antoine 78034b218d rust: bindgen SCDetectSignatureSetAppProto
Ticket: 7667
1 year ago
Jeff Lucovsky f8575dab50 detect/ftp: Add ftp.completion_code keyword
Issue: 7507

Implement the ftp.completion_code sticky buffer. Multi-buffer as an FTP
command can produce multiple responses.

E.g., with the FTP command RETR
    RETR temp.txt
    150 Opening BINARY mode data connection for temp.txt (1164 bytes).
    226 Transfer complete.
1 year ago
Shivani Bhardwaj 31a395c734 pop3: fix incorrect direction matching
sawp crate has its own Direction enum as follows.

pub enum Direction {
    ToClient = 0,
    ToServer = 1,
    Unknown = 2,
}

While it is correct to send this Direction enum as argument to the
sawp_pop3 parser as it expects, it is not correct to use it where the
direction param is obtained from the internal API of Suricata.
The reason is that Suricata's definition of its Direction enum is as
follows.

pub enum Direction {
    ToServer = 0x04,
    ToClient = 0x08,
}

This can lead to issues like incorrect progress tracking of a transaction in
a direction which could cause inspection on incorrect data and buggy behavior.
1 year ago
Jeff Lucovsky 263d56fd11 detect/ftp: Add ftp.received_reply
Issue: 7506

Add a (non-sticky buffer) keyword for ftp.reply_received. This is not a
sticky buffer as the keyword relates to protocol state and not bytes
from the actual protocol exchange.

ftp.reply_received: yes|on|no|off
1 year ago
Philippe Antoine dc20129195 rust: bindgen SCDetectHelperBufferMpmRegister
Ticket: 7667
1 year ago
Philippe Antoine e2603fa820 detect/single-buf: new simple wrapper
Introduce DetectGetSingleData which does the generic wrapping,
including the transforms, using a new callback prototype
DetectTxGetBufferPtr

The goal is to replace most InspectionBufferGetDataPtr.
For this commit, we do not change every callback to keep the
change relatively small.

Focus here is to remove DetectHelperGetData as its functionality is
provided more directly by the new DetectTxGetBufferPtr.
1 year ago
Philippe Antoine 6bf2b3c47e rust/derive: fix clippy collapsible_match warning
And now deny warnings
1 year ago
Richard McConnell d81b76d852 output/tls: Allow logging of sv-handshake params
Ticket: 6695

"server_handshake" which logs the following:
1. TLS version used during handshake
2. The chosen cipher suite, excluding GREASE
3. TLS extensions, excluding GREASE
1 year ago
Richard McConnell 94c8be22d4 output/tls: Allow logging of cl-handshake params
Ticket: 6695

Add new custom log fields:

"client_handshake" which logs the following:
1. TLS version used during handshake
2. TLS extensions, excluding GREASE, SNI and ALPN
3. All cipher suites, excluding GREASE
4. All signature algorithms, excluding GREASE

The use-case is for logging TLS handshake parameters in order to survey
them, and so that JA4 hashes can be computed offline (in the case that
they're not already computed for the purposes of rule matching).
1 year ago
Richard McConnell 912030cbf4 tls: Move tls-versions to rust
This commit is designed in preparation of enabling the handshake object
to log it's own contents rather than being done on the C side.
Moving the tls versions functionality to rust has a couple of uses:
1. Allows both rust and C side to use these fields
2. Moves more of the tls related logic to rust
3. C side can still use these values because of cbindgen
1 year ago
Richard McConnell 6c1238b7bd tls: Integrate ALPNs into HandshakeParams object
Ticket: 6695

With the introduction of the HandshakeParams object we're able to
utilise the theory further by using it as the object to track the ALPNs.

The HandshakeParams object is now responsible for holding all ALPNS. The
user of this HandshakeParams object i.e. JA4, can use whichever fields
are needed. So only when we generate a JA4 hash do we use the first ALPN
and require to format it. Other users of HandshakeParams may opt to use
all ALPN's i.e. during TlsAlpnGetData().
1 year ago
Richard McConnell 468a037daa tls: Introduce HandshakeParams object for tracking
Ticket: 6695

This introduction splits the use of the handshake parameters into their
own object, HandshakeParams, which is populated by the TLS decoder. The
JA4 object is now very simple. It's a simple String object (the JA4
Hash) which is generated during new().

This introduction is part of a larger idea, which is to enable
outputting these raw parameters without JA3/JA4. These handshake
parameters are the components used to generate the JA4 hash, thus it
makes sense for it to be a user of HandshakeParams.
1 year ago
Jason Ish 259a304f3e rust/applayer: collapse nested if let to remove clippy warning
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match
   = note: `#[warn(clippy::collapsible_match)]` on by default
1 year ago
Jason Ish 90297788f6 rust/htp: suppress io_other_error lint
The fix for this lint requires Rust 1.74.
1 year ago
Shivani Bhardwaj 91353fdb61 mqtt: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

MQTT creates a transaction per message per direction, so, a call to
trigger raw stream reassembly has been made on completion of each
transaction in the respective direction.

Optimization 7026
Bug 7004
1 year ago
Shivani Bhardwaj 42978ca9a7 modbus: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

Modbus has a classic request response model, so, a call to trigger raw
stream reassembly is added on completion of each request and response.

Optimization 7026
Bug 7004
1 year ago
Shivani Bhardwaj ca7e9f8daf ldap: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

LDAP can have multiple responses corresponding to a request. The call to
trigger raw stream reassembly has been added on common call sites that
see the completion of a request or any of the responses.

Optimization 7026
Bug 7004
1 year ago
Shivani Bhardwaj fd683ed151 krb: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

KRB5 creates a transaction based on how each input is parsed. It could
be parsed as a request or response but that is the concern of the
parser. The call to trigger raw stream reassembly has been added after
successful parsing of the respective request/response.

Optimization 7026
Bug 7004
1 year ago
Shivani Bhardwaj d0655ed30e http2: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

HTTP2 has a classic request response model, so, a call to trigger raw
stream reassembly is added on completion of each request and response.
HTTP2 parser has its own maximum reassembly setting. The call has been
added irrespective of this setting as it is prudent to make all data so
far available for inspection if maximum was reached until the maximum.

Optimization 7026
Bug 7004
1 year ago
Shivani Bhardwaj eca13b8dd8 enip: trigger raw stream reassembly
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.

Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.

Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream reassembly which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.

Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.

ENIP has a classic request response model, so, a call to trigger raw
stream reassembly is added on completion of each request and response.

Optimization 7026
Bug 7004
1 year ago
Philippe Antoine 622476c47d http1: use a tx iterator
Better performance than the defaut iterator as we do not need to
read all first elements every time
1 year ago
Philippe Antoine c2756dec75 htp: move transactions list from BTree to VecDeque
As it is more efficient in our case of pipelining requests
1 year ago
Philippe Antoine 756f28d086 http: simplify tx removal interface 1 year ago
Philippe Antoine ba186f5d25 htp: remove unused code 1 year ago
Jeff Lucovsky 07205ab057 detect/xform: Support transform identity data
Transforms that support optional strings, like from_base64 and
pcrexform, should also support identity-strings to treat transforms with
like transform options as the same.

This commit adds transform identity data handling:
- When computing a hash, include identity data from the transform
- When comparing, include the identity data from the transforms
- Omitting the "options" ptr from the transform hash/compare
- Modify xor, pcrexform and from_base64 to supply identification data for
  disambiguation in the compare/hash logic.
1 year ago
Jeff Lucovsky c6e0ba2b85 detect/ftp: Add parser for ftp.mode keyword
Issue: 7505

Add a parser for the ftp.mode command that returns the state struct. Add
a function to free the object it allocates.
1 year ago
Philippe Antoine 4af3bd9c91 rust: bindgen SCDetectHelperKeywordSetCleanCString
Ticket: 7667
1 year ago
Philippe Antoine 13449344e8 rust: bindgen SCDetectHelperKeywordRegister
Ticket: 7667
1 year ago
Philippe Antoine f909bbba68 rust: bindgen SCDetectHelperKeywordAliasRegister
Ticket: 7667
1 year ago
Philippe Antoine a7448a0c16 rust: bindgen SCDetectHelperBufferRegister
Ticket: 7667
1 year ago
Philippe Antoine 0d82e905bc rust: bindgen DetectHelperMultiBufferMpmRegister
Ticket: 7667
1 year ago
Philippe Antoine dfa4df9f54 rust: bindgen SCDetectHelperMultiBufferProgressMpmRegister
Ticket: 7667
1 year ago
Juliana Fajardini 62949b3815 pgsql: remove unused "password_message" code
``Password message`` is actually logged just as ``Password``.
Remove related dead code.
1 year ago
Juliana Fajardini 6f81caf8d4 pgsql: clearly indicate redacted password message
If a password message was seen while logging passwords was disabled
for pgsql, this would lead to an empty request being logged.
Instead of simply not logging anything when there is a password message
and this is disabled, however, log instead that said password is
redacted.

Bug #7647
1 year ago
Philippe Antoine fd7bd9c200 src: new file detect-engine-inspect-buffer.h
For InspectionBuffer structure and related functions

Bindgen it for rust, especially transforms

Ticket: 7667
1 year ago
Philippe Antoine df0dc2e8ea rust: bindgen SCDetectSignatureAddTransform
by moving it to detect-engine-buffer.h and prefixing it

Ticket: 7667
1 year ago
Philippe Antoine 1f871cdd64 rust: reuse/reexport suricata_sys DetectEngineThreadCtx
Use the bindgen'd version instead of our own recoded one
1 year ago
Philippe Antoine cf336396c3 rust: bindgen detect-engine-helper.h
Ticket: 7667

Begin by focusing on transforms
1 year ago
Jason Ish 97eaeef7d8 lua: convert SMTP functions to lib: suricata.smtp
Ticket: #7606
1 year ago
Philippe Antoine 06ad72e83e quic: ja3 getter function uses direction
so that future lua code can specify a direction
1 year ago
Jason Ish bf427c69cd rust: remaining rs_ to SC conversions 1 year ago
Jason Ish d16c014641 rust/x509: replace rs_ naming with SC 1 year ago
Jason Ish afce53c8b7 rust/websocket: replace rs_ naming with SC 1 year ago
Jason Ish 7321d7c7db rust/applayertemplate: replace rs_ naming with SC 1 year ago
Jason Ish 2c98ee73ce rust/rfb: replace rs_ naming with SC 1 year ago
Jason Ish e74b4177ac rust/nfs: rust format 1 year ago
Jason Ish 8c1bd60ab1 rust/nfs: replace rs_ naming with SC 1 year ago
Jason Ish 01ce0f92e8 rust/modbus: replace rs_ naming to SC
This was missed in the previous round.
1 year ago
Jason Ish 4e2f1de308 rust/quic: replace rs_ naming with SC 1 year ago
Jason Ish bfa0acf278 rust/ike: replace rs_ naming with SC 1 year ago
Jason Ish 717e06e351 rust/http2: replace rs_ naming with SC 1 year ago
Jason Ish af15986d41 rust/modbus: replace rs_ naming with SC 1 year ago
Jason Ish c994cfb615 rust/sip: replace rs_ naming with SC 1 year ago
Jason Ish 9b830c92dc rust/tftp: replace rs_ naming with SC 1 year ago
Jason Ish aa24276999 rust/telnet: replace rs_ naming with SC 1 year ago
Jason Ish 1c580f9001 rust/detect: replace rs_ naming with SC 1 year ago
Jason Ish 713034d0dd rust/asn1: replace rs_ naming with SC naming 1 year ago
Jason Ish 90116827fe rust/krb: rust format 1 year ago
Jason Ish 8ba0a5c8ec rust/krb: remove rs_ prefix; visibility fixes
- remove pub/no_mangle where not needed
- replace rs_ naming with SC naming
1 year ago
Jason Ish 1f30746e07 rust/dns: rs_ prefix name cleanup 1 year ago
Victor Julien 3c5ce91cbb ftp: per direction tx progress
For request side, having a tx means the request is done.

For response, wait for tx to be marked complete.

Remove unused states.
1 year ago
Philippe Antoine 033e0480cf detect/single-buf: helper with more explicit direction 1 year ago
Philippe Antoine dadf9012fc rust: bindgen detect-engine-buffer.h
Ticket: 7667

And prefix SCDetectBufferSetActiveList to be exported

Allows less use of suricata crate in plugin as we get the functions
prototypes from suricata_sys and they are more correct.
1 year ago
Philippe Antoine 31e30d4aa1 sdp: use rust join
It is much faster as it does not do an allocation for each element
1 year ago
Philippe Antoine 6436a5cebe websocket: limit allocation for small sizes
Fixes: 16f74c68aa ("websocket: use max window bits of 15")

We do not need to allocate 8kbytes for a small message
1 year ago
Philippe Antoine 1f2cb21786 ssh: rustfmt 1 year ago
Philippe Antoine fcac063cfe ssh: make hooks available
Allows signature like `alert ssh:request_banner_done`
1 year ago