aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
15,721 Commits
7 Branches
155 Tags
195 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7274ad58aa'
${ noResults }
Commit Graph

1383 Commits (7274ad58aaeab5a65d49aa8d60839d7cf1f56e00)

Author SHA1 Message Date
Juliana Fajardini 8d3de85edd pgsql: fix u16 overflow in query data_row 
Found by oss-fuzz with quadfuzz.

Cf https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63113

According to PostgreSQL documentation the maximum number of rows can be
the maximum of tuples that can fit onto max u32 pages - 4,294,967,295 (cf
https://www.postgresql.org/docs/current/limits.html). Some rough
calculations for that indicate that this could go over max u32, so
updating the data_row data type to u64.

Bug #6389
 1 year ago
Philippe Antoine 673d13d445 rust: allow clippy::items_after_test_module 
As clippy began to complain about jsonbuilder.rs
 1 year ago
Jeff Lucovsky f12e026696 mqtt: Move conf code to rust 
Issue: 6387

This commit moves the configuration logic to Rust.
 1 year ago
Jason Ish 5d5b0509a5 requires: add requires keyword 
Add a new rule keyword "requires" that allows a rule to require specific
Suricata versions and/or Suricata features to be enabled.

Example:

  requires: feature geoip, version >= 7.0.0, version < 8;
  requires: version >= 7.0.3 < 8
  requires: version >= 7.0.3 < 8 | >= 8.0.3

Feature: #5972

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
 1 year ago
Jason Ish 15ed51f9b8 feature: provide a Rust binding to the feature API 
As the feature module is not available for Rust unit tests, a mock
version is also provided.
 1 year ago
Juliana Fajardini 1afb485dfa pgsql: remove unused msg field 
The `ConsolidatedDataRow` struct had a `length` field that wasn't truly
used.

Related to
Bug #6389
 1 year ago
Juliana Fajardini 30ac77ce65 pgsql: add cancel request message 
A CanceldRequest can occur after any query request, and is sent over a
new connection, leading to a new flow. It won't take any reply, but, if
processed by the backend, will lead to an ErrorResponse.

Task #6577
 1 year ago
Juliana Fajardini 7fa8bbfe43 pgsql: extract length validation into function 
This is called so many times that it seems to make sense that we use a
function for this.
 1 year ago
Victor Julien b8440a0917 jsonbuilder: add set_int for signed ints 
Bug: #6615
 1 year ago
Jason Ish f91122e0e8 dns: replace usage of rs_dns_tx_get_query_name with SCDnsTxGetQueryName 
SCDnsTxGetQueryName was introduced to allow for getting the query name
in responses as well as requests, so covers the functionality of
rs_dns_tx_get_query_name.
 1 year ago
Jason Ish 482325e28b dns: add dns.query.name sticky buffer 
This buffer is much like dns.query_name but allows for detection in both
directions.

Feature: #6497
 1 year ago
Jason Ish 5f99abb0cb dns: add dns.answer.name keyword 
This sticky buffer will allow content matching on the answer names.
While ansers typically only occur in DNS responses, we allow the buffer
to be used in request context as well as the request message format
allows it.

Feature: #6496
 1 year ago
Jason Ish 9464d0b14a dns: consolidate DNSRequest and DNSResponse to DNSMessage 
DNS request and response messages follow the same format so there is
no reason not to use the same data structure for each. While its
unlikely to see fields like answers in a request, the message format
does not disallow them, so it might be interesting data to have the
ability to log.
 1 year ago
Jason Ish e2d7a7f877 dns: rustfmt with latest stable 1 year ago
Jason Ish 4620776a30 rustfmt: replace deprecated fn_args_layout with fn_params_layout 1 year ago
Philippe Antoine 1b5e04bee3 http2: do not have leading space for response line 
Ticket: 6547
 1 year ago
Juliana Fajardini bdec2d8ea8 pgsql: don't log password msg if password disabled 
If the logging of the password is disabled, there isn't much point in
logging the password message itself.
 1 year ago
Juliana Fajardini 9aeeac532e pgsql: remove probe_ts function 
With the changes in the probing_ts function, this other one could become
obsolete. Remove it, and directly call `parser::parse_request` when
checking for gaps, instead.
 1 year ago
Juliana Fajardini 53d29f652a pgsql: remove unused error handling call 1 year ago
Juliana Fajardini afd6e4dc41 pgsql: don't log unknown message type 1 year ago
Juliana Fajardini 4f85d06192 pgsql: fix probing functions 
Some non-pgsql traffic seen by Suricata is mistankenly identified as
pgsql, as the probing function is too generic. Now, if the parser sees
an unknown message type, even if it looks like pgsql, it will fail.

Bug #6080
 1 year ago
Juliana Fajardini 1ac5d97259 pgsql: add unknonwn frontend message type 
We had unkonwn message type for the backend, but not the frontend
messages. It's important to better identify those to improve pgsql
probing functions.

Related to
Bug #6080
 1 year ago
Victor Julien d3ccff5822 detect/asn1: handle in PMATCH 
Since the asn1 keyword is processing payload data, move the handling of
the keyword into the PMATCH with content inspection.

Use u32 as buffer length in the Rust FFI
 1 year ago
Victor Julien 132fe57ac6 rust: add copyright header to common.rs 1 year ago
Philippe Antoine e38b9de6a2 output/krb5: have krb5 properties in alerts 
Ticket: 5977
 1 year ago
Philippe Antoine 8a09bff0aa output/tftp: have tftp properties in alerts 
Ticket: 6501
 1 year ago
Philippe Antoine 0b6b015e26 output/alert: rewrite code for app-layer properties 
Especially fix setup-app-layer script to not forget this part

This allows, for simple loggers, to have a unique definition
of the actual logging function with the jsonbuilder.
This way, alerts, files, and app-layer event can share the code
to output the same data.

Ticket: #3827
 1 year ago
Philippe Antoine 90c17652a3 rust: remove unused 
Ticket: #4083
 1 year ago
Sascha Steinbiss 0c55fe3515 detect: add mqtt.connect.protocolstring 
Ticket:  OISF#6396
 1 year ago
Philippe Antoine e3cd0d073f http2: app-layer event for userinfo in uri 
Ticket: #6426

as per RFC 9113
":authority" MUST NOT include the deprecated userinfo subcomponent
for "http" or "https" schemed URIs.
 1 year ago
Philippe Antoine 6249722589 http2: normalize host when there is user info 
Ticket: 6479
 1 year ago
Philippe Antoine b6cd66f41d http2: update brotli crate 
Fixes debug assertion found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63144
 1 year ago
Philippe Antoine 46a46e5b1f http2: event on mismatch between authority and host 
Ticket: #6425
 1 year ago
Philippe Antoine ae72ce77fa detect: parse units for integers 
Ticket: #6423

Especially for filesize, instead of just a number, a signature
can use a number and a unit such as kb, mb or Gb
 1 year ago
Daniel Olatunji 54de0450f4 rust: remove cbindgen:ignore on frames module 
This directive is no longer required, and does
mess up the rustdoc description of the module.
 1 year ago
Daniel Olatunji 5c0af0b203 rust/doc: add docstring to rust module files. 
Issue: #4584
 1 year ago
Philippe Antoine 14a4c6c696 rust: update brotli decompressor crate 
cf https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59687
 1 year ago
Philippe Antoine 9157070907 quic: v2 support per rfc 9369 
Ticket: #4968
 1 year ago
Yatin Kanetkar b67ff4badf dhcp: Log Vendor Client Identifier (dhcp option 60) 
* Log vendor client identifier (dhcp option 60) if extended dhcp
logging is turned on. This required the `vendor_client_identifier` to
be added to the json schema. Validation done using an SV Test
* Added `requested_ip` to the json schema as well, since it was
missed. My SV test failed without it.

Feature #4587
 2 years ago
Philippe Antoine 5bdbc1a313 rdp: do not use zero-bit bitflag 
cf https://docs.rs/bitflags/latest/bitflags/#zero-bit-flags

As warned by clippy 1.72.0
 2 years ago
Philippe Antoine b235e85c68 rust: fix clippy warnings for version 1.72.0 
Includes using the right prototype for C SRepCatGetByShortname
 2 years ago
Victor Julien 89f1837625 rust: update cargo.lock 2 years ago
Shivani Bhardwaj 8770431986 dcerpc: accept ALTER_CONTEXT as a valid request 
So far, if only the starting request was a DCERPC request, it would be
considered DCERPC traffic. Since ALTER_CONTEXT is a valid request type,
it should be accepted too.

Reported and patch proposed in the following Redmine ticket by
InterNALXz.

Bug 6191
 2 years ago
Victor Julien 389f166d78 file: remove FILE_USE_DETECT flag 
All implementations were converted to use the logic, so the flag itself
can be removed.
 2 years ago
Shivani Bhardwaj d4e674b390 rust: fix clippy warnings 2 years ago
Victor Julien 0068b81269 rust: update cargo.lock 2 years ago
Philippe Antoine 60db5e981c http2: do not append data after closing file 
Ticket: #6211

Completes commit 02dece5db5

Once a http2 stream has end of stream flag, we close the file.
If we see new data frames with this stream id, the new_chunk
function should ignore them as the file was already closed.
 2 years ago
Jeff Lucovsky 690b65ae88 detect/byte_math: Permit var name for bytes value 
Issue: 6145

Modifications to permit a variable name to be used for the byte_math
bytes value.
 2 years ago
Philippe Antoine 02dece5db5 http2: file tracker is initialized when file is closed 
Ticket: #6130

This avoids quadratic complexity by having http2_range_key_get
looking in a growing number of frames
 2 years ago
Sascha Steinbiss 1521b77edd rfb: also set unimplemented auth types 2 years ago
Sascha Steinbiss 1606aca881 rfb: ensure logging of incompletely parsed txs 2 years ago
Sascha Steinbiss 1f8a5874fb rfb: never return error on unknown traffic 
We only try to parse a small subset of what is possible in
RFB. Currently we only understand some standard auth schemes
and stop parsing when the server-client handshake is complete.
Since in IPS mode returning an error from the parser causes
drops that are likely uncalled for, we do not want to return
errors when we simply do not understand what happens in the
traffic. This addresses Redmine #5912.

Bug: #5912.
 2 years ago
Sascha Steinbiss 836fff3679 rfb: add myself as contributor 2 years ago
Sascha Steinbiss bd1fbf392e rfb: be more strict parsing the version 2 years ago
Philippe Antoine d40dca5e55 dcerpc: maximum number of live transactions also for UDP 
Ticket: #6129

Avoids that quadratic complexity gets too bad
 2 years ago
Jason Ish 68d0d6ca24 rust: fix unit test link error on Rust 1.70 
Rust 1.70 appears to now link code on both branches of `if cfg!(test)`
now causing Rust unit tests to fail as that pattern was used to
disable functions only available when linked with the Suricata C code.

To work-around this issue, provide two versions of the `new` function,
one for unit tests and one when running as an application.
 2 years ago
Philippe Antoine 7256ec8a6e detect/http2: do not escape ':' in header name or value 
for keywords http.request_header and http.response_header

Ticket: #5780
 2 years ago
Philippe Antoine 4c466ec5f4 rust/pgsql: remove unused/unconstructed enum variants 2 years ago
Philippe Antoine f2a18e91c4 rust: define AppLayerEventType only in rust 
And detect.h does no longer depend on app-layer-events.h
 2 years ago
Philippe Antoine 668501c225 rust: remove unused 2 years ago
Philippe Antoine 7ca43e7e1f output/snmp: log version from tx 
and not the one from state

If a SNMP flow starts with a V2 version transaction,
then there is a V3i version transaction,
we will now log V3 for the second transaction
 2 years ago
Philippe Antoine 0ec0d8de67 output/rfb: remove unused function parameters 2 years ago
Philippe Antoine 24c2702a05 output/mqtt: remove unused function parameters 2 years ago
Philippe Antoine 09d364b32f output/krb5: remove unused function parameters 2 years ago
Lancer Cheng abc76e27de smb: fix data padding logic in writeAndX parser 
Bug: #6008
 2 years ago
Lancer Cheng 000eb91078 smb: fix wrong data offset when wct = 12 
Bug: #6008
 2 years ago
Philippe Antoine 6350736882 http2: avoid quadratic complexity in headers 
When adding an element to the dynamic headers table, the oldest
ones may get evicted. When multiple elements get evicted, they
should get evicted all at once with drain, instead of one by one
as there will be a massive move each time.

Ticket: #6103
 2 years ago
Philippe Antoine 7d3aa91bf4 mqtt: fix quadratic complexity 
get_tx_by_pkt_id loops only over the last transactions
in case there is a transaction flood

Ticket: #6100
 2 years ago
Haleema Khan 8e19906afa mqtt: rustfmt mqtt.rs 2 years ago
Haleema Khan e474858e25 mqtt: add mqtt frames 
Adds PDU, Header and Data frame to the MQTT parser.
Ticket: 5731
 2 years ago
Jason Ish 33827beae5 jsonbuilder: check buffer growth 
Use try_reserve before growing the internal buffer, and the internal
state vector. This allows allocation errors to be caught and an error
returned instead of just aborting the process.

Ticket: #6057
 2 years ago
Jason Ish 95cfc2b34f jsonbuilder: rustfmt 
Some very minor changes to formatting.
 2 years ago
Jason Ish 039c27789b rust: use 2021 edition 
With the MSRV being bumped to 1.62 for 7.0, we can move the edition up
to 2021.
 2 years ago
Jason Ish c30fff8bcb rust/doc: restore comment with code example, but ignore 
Use backticks for proper markdown processing. As Rust code in
backticks is compiled, and this is a non-complete example, tag the
code sample to be ignored.
 2 years ago
Philippe Antoine 5391f0a8a0 detect: http_response_line for HTTP2 
Ticket: #4067

Synthetized as HTTP/2 <STAT>\r\n
 2 years ago
Philippe Antoine 0dca8cc796 detect: http_request_line support for HTTP2 
Ticket: #4067

Synthetized as <METHOD> <URI> HTTP/2\r\n
 2 years ago
Jason Ish 13fe957b7e rust/doc: wrap some code examples in backticks 2 years ago
Victor Julien d4c60924f1 rust/doc: fix doc compile issues 2 years ago
Eloy Pérez González ed91d689f2 krb5: use req_type instead of msg_type to get request type 2 years ago
Eloy Pérez González a9b7241417 krb5: set msg_type for KRB-ERROR messages to MessageType::KRB_ERROR 2 years ago
Eloy Pérez González 511dbfe171 krb5: add AS-REQ and TGS-REQ transactions 
Fix bug in ticket #4529
 2 years ago
Victor Julien f9276fdf00 rust: spelling fixes 
Thanks to Josh Soref.
 2 years ago
Victor Julien cdd3251982 snmp: fix spelling 
Thanks to Josh Soref.
 2 years ago
Victor Julien ee7ed99b6f rust: spelling 2 years ago
Victor Julien d630f0fa34 rust: rustfmt files with recent new tests 2 years ago
Victor Julien 77f1658c2a rust: fix new clippy warnings 2 years ago
Lancer Cheng 0cf742a9ca smb: add unit tests 
Issue: 4865
 2 years ago
tianjinshan 2c0c6cb0a5 smb/ntlmssp: fix parsing of negotiate flags 
Ticket: #5783
 2 years ago
Jason Ish 0e55307c1d app-layer: remove APP_LAYER_PARSER_OPT_UNIDIR_TXS 
This flag is no longer needed as a parser can now create a transaction
as unidirectional.

Setting this flag also doesn't make sense on parsers that may have
request/reply and some unidirectional messaging.
 2 years ago
Jason Ish f8ec993401 rust/time: add note why this needs to be pinned 2 years ago
Jason Ish 5925b63d82 rust: update x509-parser to 0.15.0 2 years ago
William Correia e378aa8d15 modbus: bump crate version 
sawp 0.12 is available and addresses future compilation failures in
dependent crates.
Updated modbus test case to expect 12 bytes needed instead of 15. This
aligns with expectations as the test case slices 3 bytes off the end of
a 12 byte message so needing 12 bytes is correct.

Ticket #5989
 2 years ago
Jason Ish b4f0d3c741 rust: update der-parser to 8.2.0 
Minimal modifications required on the Suricata side, mainly for fields
becoming private and needing an accessor instead.

Note: As the kerberos parser still depends on der-parser 6.0, we still
have to depend on that so it is depended on, but renamed to
der-parser6. There is not an udpated kerberos-parser yet that uses
der-parser 8.2.0.

Ticket: #5991
 2 years ago
Jason Ish 3d9fc3bf1d rust: update snmp-parser to 0.9.0 
Updating snmp-parser required directly depending on the asn1-rs crate
for the Oid type, as snmp-parser does not re-export this type anymore.

Ticket: #5992
 2 years ago
Jason Ish 0d6628c64e rust: update cargo.lock 
Update Cargo.lock, most importantly the Nom 5.1.3 update which will
prevent future breakage by Rustc.
 2 years ago
Jason Ish d2fb958e28 rust: fix clippy lint for assert 
Fix done automatically by clippy --fix
 2 years ago
Haleema Khan 3531a4abaa rfb: rustfmt rfb.rs 2 years ago
Haleema Khan 3eee311350 rfb: add rfb frames, update tests 
Adds a PDU frame to the RFB parser.
Update function signature in tests to reflect frames

Ticket: 5717
 2 years ago
Victor Julien 0bbc411743 nfs: fix newline in debug messages 2 years ago
Philippe Antoine 9adb59bcdb http2: faster when reducing dynamic headers size 
avoid quadratic complexity from removing the first element
and copying all the contents a big number fo times.

Ticket: #5909
 2 years ago