Commit Graph

14208 Commits (76225bf9ac87ed4312d44b83d9499794cc760207)

Author SHA1 Message Date
Victor Julien 76225bf9ac stream: fix next_seq updates after temporary gap
On every accepted packet in established state, update next_seq if
packet seq+len is larger than existing next_seq. This allows it to
catch up after large gaps that are filled again a bit later.

Bug: #5877.
2 years ago
Victor Julien 83a16a7a89 eve/stream: per packet stream engine logging
Debug facility to get a per packet view into the stream engine's state.

Logs after a packet has been processed in the stream engine, so the view
into the state includes the updates based on the current packet.

Marked as experimental so it can be changed w/o notice.

Bug: #5876.
2 years ago
Victor Julien 3948b160c7 stream: implement config option for SYN queue
Default to allowing 10 SYNs to not trigger an event on a connection
attempt that times out.
2 years ago
Victor Julien d03773840b stream: track packet flags in packet
These flags can then later be used by stream logging.
2 years ago
Victor Julien 551fb80150 stream: improve first FIN next_seq update
For accepted FIN packets, always update next_seq. This helps track the
FIN sequence.

Bug: #5877.
2 years ago
Victor Julien 80a012a787 stream: improve FIN next_seq handling
Update next_seq to SEQ + payload_len + 1, so retransmission checks
work better.

Bug: #5877.
2 years ago
Victor Julien 20df715e64 stream: set next_seq before last_ack
next_seq sometimes depends on last_ack in cases of packet loss
catch up, so first update it.

Bug: #5877.
2 years ago
Victor Julien 67af94f2e0 stream/tcp: fix wrong ACK trigger FIN1 to FIN2
An ACK that ACK'd older data while still being in-window could
lead to FIN_WAIT1 to FIN_WAIT2 state transition. Detect this
case and generally harden the check.

Bug: #5877.
2 years ago
Victor Julien 7bfee147ef stream: SYN queue support
Support case where there are multiple SYN retransmits, where
each has a new timestamp.

Before this patch, Suricata would only accept a SYN/ACK that
matches the last timestamp. However, observed behavior is that
the server may choose to only respond to the first. In IPS mode
this could lead to a connection timing out as Suricata drops
the SYN/ACK it considers wrong, and the server continues to
retransmit it.

This patch reuses the SYN/ACK queuing logic to keep a list
of SYN packets and their window, timestamp, wscale and sackok
settings. Then when the SYN/ACK arrives, it is first evaluated
against the normal session state. But if it fails due to a
timestamp mismatch, it will look for queued SYN's and see if
any of them match the timestamp. If one does, the ssn is updated
to use that SYN and the SYN/ACK is accepted.

Bug: #5856.
2 years ago
Victor Julien 449ed75547 stream: fix direction macro to be used in conditions 2 years ago
Victor Julien 3bbed8c1d4 stream: minor code cleanup 2 years ago
Victor Julien 9a34997d71 flow: fix comment typo 2 years ago
Victor Julien 65f28b075f stream: turn session bool into flag 2 years ago
Victor Julien aa7d58b0c7 stream: turn session flags into u32
Due to gaps/padding the size of the struct won't change.
2 years ago
Victor Julien dd8e8fd7c3 stream/config: optimize stream config structure layout 2 years ago
Victor Julien 23dd34dd8a stream/config: turn async_oneside into bool 2 years ago
Victor Julien 0a831b5ea2 stream: minor code cleanups in ACK validation 2 years ago
Victor Julien 15637ecce4 stream: remove unused macros 2 years ago
Victor Julien 58c1f14f17 stream: remove unused thread pseudo packet queue 2 years ago
Victor Julien 435ca5bbf0 stream: remove unused packetqueue argument 2 years ago
Haleema Khan 6b55e53ff5 rfb: add unittests to rfb.rs
Task: #5741
2 years ago
Philippe Antoine 3365ef72c3 tcp: pick up a midstream session even with FIN flag
Ticket: #5437
2 years ago
Haleema Khan 609df1776e userguide: update tls keywords information
Ticket #5544
2 years ago
Philippe Antoine 233ab11148 smb: handles records with trailing nbss data
If a file (read/write) SMB record has padding/trailing data
after the buffer being read or written, and Suricata falls
into one of the cases where it skips the data, it should skip until
the very end of the NBSS record, meaning it should also skip the
padding/trailing data.

Otherwise, an attacker may smuggle some NBSS/SMB record in this
trailing data, that will be interpreted by Suricata, but not
by the SMB client/server, leading to evasions.

Ticket: #5786
2 years ago
Philippe Antoine c1b7befb18 smb: checks against nbss records length
When Suricata handles files over SMB, it does not wait for the
NBSS record to be complete, and can stream the payload to the
file... But it did not check the consistency of the SMB record
length being read or written against the NBSS record length.

This could lead to an evasion where an attacker crafts an SMB
write with a too big Length field, and then sends its evil
payload, even if the server returned an error for the write request.

Ticket: #5770
2 years ago
jason taylor 8e5b1fe8e6 userguide: add DHCP EVE log information
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Victor Julien 4ad5e040af stream: minor cleanups 2 years ago
Victor Julien b31617c060 stream: reduce scope of inline drop check 2 years ago
Victor Julien 288086af3f stream: move state queue code into util func 2 years ago
Victor Julien fc376f8145 stream: set event on bad timestamp on syn_sent state 2 years ago
Victor Julien c3ecf63b1e stream: remove unnecessary ssn checks
Add debug validation to catch any change.
2 years ago
Victor Julien 89f3346c3c eve/flow: optimize tcp gap checks 2 years ago
Victor Julien 67634c561c time: don't log debug messages from debug logging
Bug: #5835.

Fixes: 31793aface ("time: Replace struct timeval with scalar value")
2 years ago
Philippe Antoine 96b48d7104 github: avoid bash escaping
so as to allow ' in github discussion and get CI green
2 years ago
Victor Julien 977c5ea719 detect: initialize empty buffers 2 years ago
Victor Julien abf1ac8e01 stream/regions: improve region shrinking
Handle failure on shrink.

Keep size multiple of configured buf_size setting.
2 years ago
Victor Julien d6b4c90225 streaming/sbb: propagate allocation errors 2 years ago
Victor Julien cdab91df8a streaming: remove unused function 2 years ago
Victor Julien 93c9594dd8 stream/tcp: allow tcp session reuse on null sessions
When a "stream starter" packet finds an existing TCP flow, the flow will be
evaluated for reuse.

The following scenario wasn't handled well:

1. Suricata starts after a tool has just stopped using lots of connections
   (e.g. ab stress testing a webserver)
2. even though the client is closed already, the server is still doing
   connection cleanup sending many FINs and later RSTs
3. Suricata creates flows for these packets, but no TCP sessions
4. client resumes testing, creating flows that have the same 5 tuple as the
   flows created for the FIN/RST packets
5. Suricata refuses to "reuse" the flows as the condition "tcp flow w/o session"
   is not considered valid for session reuse
6. new TCP connection is not properly tracked and evaluated in parsing and
   detection

There may be other vectors into this, like a flow w/o session because of
memcap issues.

Bug: #5843.
2 years ago
Victor Julien e8ce5f3430 streaming/regions: fix consolidation cornercases
Incorrect "end" region for consolidation was selected if the "dst"
would be expanded to overlap with it.

Fix list handling when the first region to consider (src_start) was
not the list start.

Bug: #5833.
Bug: #5834.
2 years ago
Victor Julien d5409a0b29 streaming: grow more conservatively
Don't grow to next multiple of cfg->buf_size if size is already
a multiple of buf_size.
2 years ago
Victor Julien 63ceb0567d streaming: minor debug logging improvement 2 years ago
Victor Julien 935dedf1e8 version: start development towards 7.0.0-rc2 2 years ago
Shivani Bhardwaj d9e6301af2 release: 7.0.0-rc1; update changelog 2 years ago
Jason Ish 79dfbcb788 requirements: use suricata-update 1.3.0rc1 2 years ago
Victor Julien f4fa51986e doc: warn IPS users on new exception policy default 2 years ago
Victor Julien 5e5da81cca exception/policy: add more info on defaults
Be more informative about where an exception value came from: defaults,
master switch or an explicit setting.
2 years ago
Victor Julien a5547564b6 stream/midstream: add bug number to policy warning 2 years ago
Victor Julien 3fcc19e78c exception/policy: 'auto' sets IPS to 'drop-flow'
In IPS mode set all exception policies to drop-flow by default, both
in the default yaml and if no `exception-policy` is defined.
2 years ago
Victor Julien 0863544d83 exception/policy: fix formatting issues 2 years ago