Commit Graph

176 Commits (7bb0c94ae9f20ce9f2b7a61986060e0814b6c062)

Author SHA1 Message Date
Juliana Fajardini f3aa0085a0 pgsql: rename copy in/out response field
We used `copy_column_count`, while just `columns` is more accurate with
what PostgreSQL describes, and what Wireshark shows.

Related to
Task #7644
Task #7645
1 year ago
Juliana Fajardini 2086f99d6b pgsql: add initial support to CopyIn mode/subproto
This sub-protocol inspects messages sent mainly from the frontend to
the backend after a 'COPY FROM STDIN' has been processed by the
backend.

Parses new messages:
- CopyInResponse -- initiates copy-in mode/sub-protocol
- CopyData (In) -- data transfer message, from frontend to backend
- CopyDone -- signals that no more CopyData messages will be seen from
  the frontend, for the current transaction
- CopyFail -- used by the frontend to signal some failure to proceed
  with sending CopyData messages

Task #7645
1 year ago
Juliana Fajardini d5c48259de schema/psgql: fix fields order 1 year ago
Juliana Fajardini 3febbcbf1c pgsql: document CopyOut messages
Related to
Task #7644
1 year ago
Jason Ish 4a655053e8 mdns: add mdns parser, logger and detection
The mDNS support is based heavily on the DNS support, reusing the
existing DNS parser where possible. This meant adding variations on
DNS, as mDNS is a little different. Mainly being that *all* mDNS
traffic is to_server, yet there is still the concept of request and
responses.

Keywords added are:
- mdns.queries.rrname
- mdns.answers.rrname
- mdns.additionals.rrname
- mdns.authorities.rrname
- mdns.response.rrname

They are mostly in-line with the DNS keywords, except
mdns.answers.rdata which is a better than that mdns.response.rrname,
as its actually looking at the rdata, and not rrnames.

mDNS has its own logger that differs from the DNS logger:

- No grouped logging

- In answers/additionals/authorities, the rdata is logged in a field
  that is named after the rdata type. For example, "txt" data is no
  longer logged in the "rdata" field, but instead a "txt" field. We
  currently already did this in DNS for fields that were not a single
  buffer, like SOA, SRV, etc. So this makes things more consistent. And
  gives query like semantics that the "grouped" object was trying to
  provide.

- Types are logged in lower case ("txt" instead of "TXT")

- Flags are logged as an array: "flags": ["aa", "z"]

Ticket: #3952
1 year ago
Jeff Lucovsky 9cb54f747d decode/sll2: Support PCAPs encoded with Linux SLL ver 2
Support Linux Cooked mode v2 -- DLT 276
1 year ago
Jason Ish 5a4eba2f57 etc/schema: sort properties in alphabetic order
Also:
- Place "additionalProperties" before "properties"
- Place "required" after "additionalProperties"
- Remove "additionalProperties where true, as that is the default

The order should help us spot duplicate keys, and make it easier to
add new keys in their proper place.
1 year ago
Richard McConnell d81b76d852 output/tls: Allow logging of sv-handshake params
Ticket: 6695

"server_handshake" which logs the following:
1. TLS version used during handshake
2. The chosen cipher suite, excluding GREASE
3. TLS extensions, excluding GREASE
1 year ago
Richard McConnell 94c8be22d4 output/tls: Allow logging of cl-handshake params
Ticket: 6695

Add new custom log fields:

"client_handshake" which logs the following:
1. TLS version used during handshake
2. TLS extensions, excluding GREASE, SNI and ALPN
3. All cipher suites, excluding GREASE
4. All signature algorithms, excluding GREASE

The use-case is for logging TLS handshake parameters in order to survey
them, and so that JA4 hashes can be computed offline (in the case that
they're not already computed for the purposes of rule matching).
1 year ago
Juliana Fajardini 62949b3815 pgsql: remove unused "password_message" code
``Password message`` is actually logged just as ``Password``.
Remove related dead code.
1 year ago
Juliana Fajardini 6f81caf8d4 pgsql: clearly indicate redacted password message
If a password message was seen while logging passwords was disabled
for pgsql, this would lead to an empty request being logged.
Instead of simply not logging anything when there is a password message
and this is disabled, however, log instead that said password is
redacted.

Bug #7647
1 year ago
Shivani Bhardwaj c1b932747c schema: add rule keyword mapping for flow 1 year ago
Juliana Fajardini 3286ae2cc9 eve: add ip version field
Adds the field `ip_v` (integer) to the common fields of EVE.
To facilitate searches based on IP version, for instance.

Task #7047
1 year ago
Eric Leblond 0044b5f682 eve/schema: remove duplicate fields 1 year ago
Eric Leblond 5cf6459f3f eve/flow: log tx_cnt
This patch adds a `tx_cnt` field to `netflow` events to give some
context about the underlying protocol activity.

Ticket: #7635
1 year ago
Eric Leblond 668c6d646e eve/netflow: add tx_cnt
This patch adds a `tx_cnt` field to `netflow` events to give some
context about the underlying protocol activity.

Ticket: #7635
1 year ago
Alex Savage 778053876b pop3: app-layer parser using sawp-pop3
This module uses the sawp-pop3 crate to parse POP3 requests and responses
Features:
- eve logging
- events for parsable but non-RFC-compliant messages

Ticket: 3243
1 year ago
Victor Julien 31d048ed4b firewall: start of firewall rules support
Config:

Firewall rules are like normal rule, with some key differences.

They are loaded separate, and first, from:

```yaml
firewall-rule-path: /etc/suricata/firewall/
firewall-rule-files:
  - fw.rules
```

Can also be loaded with --firewall-rules-exclusive: Mostly for QA purposes.

Allow -S with --firewall-rules-exclusive, so that firewall and threat detection
rules can be tested together.

Rules:

Differences with regular "threat detection" rules:

1. these rules are evaluated before threat detection rules

2. these rules are evaluated in the order as they appear in the rule file

3. currently only rules specifying an explicit hook at supported

   a. as a consequence, no rules will be treated as (like) IP-only, PD-only or
      DE-only

Require explicit action scope for firewall rules. Default policy is
drop for the firewall tables.

Actions:

New action "accept" is added to allow traffic in the filter tables.

New scope "accept:tx" is added to allow accepting a transaction.

Tables:

Rulesets are per table.

Table processing order: `packet:filter` -> `packet:td` -> `app:*:*` -> `app:td`.

Each of the tables has some unique properties:

`packet:filter`:
- default policy is `drop:packet`
- rules are process in order
- action scopes are explicit
- `drop` or `accept` is immediate
- `accept:hook` continues to `packet:td`

`packet:td`:
- default policy is `accept:hook`
- rules are ordered by IDS/IPS ordering logic
- action scopes are implicit
- actions are queued
- continues to `app:*:*` or `alert/action finalize`

`app:*:*`:
- default policy is `drop:flow`
- rules are process in order
- action scopes are explicit
- `drop` is immediate
- `accept` is conditional on possible `drop` from `packet:td`
- `accept:hook` continues to `app:td`, `accept:packet` or `accept:flow`
  continues to `alert/action finalize`

`app:td`:
- default policy is `accept:hook`
- rules are ordered by IDS/IPS ordering logic
- action scopes are implicit
- actions are queued
- continues to `alert/action finalize`

Implementation:

During sigorder, split into packet:filter, app:*:* and general td.

Allow fw rules to work when in pass:flow mode. When firewall mode is enabled,
`pass:flow` will not skip the detection engine anymore, but instead
process the firewall rules and then apply the pass before inspecting threat
detect rules.
1 year ago
Victor Julien 7c8a55de54 eve/alert: log ts_progress/tc_progress
This is mostly to help with debugging firewall rules, but
can be useful in other places.
1 year ago
Philippe Antoine 706a0bd99b output: option to add suricata version in eve logs
Ticket: 4853
1 year ago
Jason Ish fdc17b2125 pcap-log: add stats for written and filtered
Filtered is the number of packets not written as they were filtered out.
1 year ago
Juliana Fajardini e75fcffa29 pgsql: add initial support to copy-out subproto
This sub-protocol inspects messages exchanged between postgresql backend
and frontend after a 'COPY TO STDOUT' has been processed.

Parses new messages:
- CopyOutResponse -- initiates copy-out mode/sub-protocol
- CopyData -- data transfer messages
- CopyDone -- signals that no more CopyData messages will be seen from
  the sender for the current transaction

Task #4854
1 year ago
Shivani Bhardwaj 0aea826776 util: add initial flow rate tracking implementation
In order to track flow rate and thus determine a course of action or
categorize it as elephant flow, track a flow's byte count per direction
in a ring buffer for a given time interval.

The implementation is simple and keeps overwriting the buffer and
updating the final sum. The sum of all the elements in the ring buffer
at any point in time should reflect the number of bytes for the
respective flow in the last of a given configured interval.
e.g. if the definition says that the flows must be tracked by a rate of
100k bytes in 10 seconds, the ring buffer at any point in time should
carry the total number of bytes seen by the respective flow in the last
10 seconds.

So far, the implementation only supports reading the flow rate
definition from suricata.yaml and using it to track the flows.

This solution adds up a space complexity to the existing Flow struct.
However, the added space complexity should only take effect if the
feature is in use. Since this buffer extends the Flow struct, it does
not impact the usual business logic or complexity of the code.

This implementation is currently limited to defining the time interval
of flow rate in seconds only. However, the number of seconds defined are
directly proportional to the aforementioned added space complexity as
that's the size of the ring buffer.

Feature 5647
1 year ago
Giuseppe Longo a7b38ccae3 sdp: parse time and repeat_time multiple times
As defined in RFC4566, the time and repeat_time fields can be present
multiple times but they are currently parsed only once.

Ticket #7325
1 year ago
Giuseppe Longo 891da0fa4a sdp: log media's encryption key
The encryption key subfield of the media description field is not
logged when it should be.

Ticket #7305
1 year ago
Juliana Fajardini 78b16a9b76 exceptions: move midstream stats to common counter
Part of making the exception policy stats counters more search
friendly.

Task #7185
1 year ago
Juliana Fajardini 9a3b1553cc exceptions: move reassembly memcap stats to common counter
Part of making the exception policy stats counters more search
friendly.

Task #7185
1 year ago
Juliana Fajardini 3e83ae9a5f exceptions: move ssn memcap stats to common counter
Part of making the exception policy stats counters more search
friendly.

Task #7185
1 year ago
Juliana Fajardini 0f81190d2a exceptions: move flow memcap stats to common counter
Part of making the exception policy stats counters more search
friendly.

Task #7185
1 year ago
Juliana Fajardini b4c216a4ba exceptions: move defrag stats to common counter
Part of making the exception policy stats counters more search
friendly.

Task #7185
1 year ago
Juliana Fajardini 6c484064d8 exceptions: move app_layer stats to common counter
Part of making the exception policy stats counters more search
friendly.

Task #7185
1 year ago
Jeff Lucovsky a8b9965f69 output: Add linktype name
Issue: 6954

This commit adds the linktype name to the output stream. The name is
determined from the pcap utility function pcap_datalink_val_to_name
1 year ago
Jason Ish 9c522a0ac9 eve/schema: add top level ndpi object
The format is left free-form, as its controled by a plugin.
1 year ago
Juliana Fajardini 08e928988f flow/output: log triggered exception policies
To accompany the Exception Policy stats, also add information about any
Exception Policy triggered and for which target to the flow log event.

Task #6215
1 year ago
Jason Ish d78f2c9a4e af-packet: add event for packets truncated by af-packet
Ticket: #7458
1 year ago
Victor Julien b8ed01e23e eve/schema: map tls fields to keywords 1 year ago
Shivani Bhardwaj fc1dbf6eb4 schema: add rule keyword mapping for dcerpc 1 year ago
Jason Ish 744f301df4 eve-parity: handle arrays of scalars
And add an example with "client_alpns".
1 year ago
Jason Ish 771d9d9d8b schema: mark dns.version and dns.grouped as having no keywords 1 year ago
Jason Ish 00a571a25c schema: mark "stats" and "drop" as having no keywords 1 year ago
Jason Ish 115d7d3c6d schema: add an object for mapping fields to keywords
To some EVE fields and a "suricata" object that contains an array of
keywords. These are the keywords that map directly to this field, or
somehow cover this field.

This is an attempt at tooling to help with EVE and keyword parity.

Related to tickets: #5642, #6463, #4772
1 year ago
Jeff Lucovsky cbda276aeb output: Log ethernet type
Issue 7129

When configured with the existing "ethernet" switch, include the ether
type in the output.

This is most useful with anomaly records indicating unknown ethertypes.
1 year ago
Jeff Lucovsky 123b36b9f5 decode/ethertype: Event on unknown ethertype
Issue: 7129

Create a decode/engine event if unknown ethertypes are observed.
1 year ago
Philippe Antoine b967fcaf8f stats: remove unused pseudo_failed stat 2 years ago
Philippe Antoine b0282f49af http2: complete json schema
git grep js.set_string rust/src/http2/logger.rs | grep '"' |
cut -d'"' -f2 | sort | uniq | while read i;
do echo -n $i; git grep $i etc/schema.json | wc -l; done

shows only has_multiple was missing
2 years ago
Victor Julien 779f9d8ba3 eve/flow: add per flow TCP oob urg data counter
If TCP urgent handling is set to the OOB processing, the number of OOB
bytes is tracked for SEQ offset calculations. If this offset is
non-zero, add the field to the flow record.

Ticket: #7411.
2 years ago
Victor Julien 6882bcb3e5 stream: add TCP urgent handling options
TCP urgent handling is a complex topic due to conflicting RFCs and
implementations.

Until now the URG flag and urgent pointer values were simply ignored,
leading to an effective "inline" processing of urgent data. Many
implementations however, do not default to this behavior.

Many actual implementations use the urgent mechanism to send 1 byte of
data out of band to the application.

Complicating the matter is that the way the urgent logic is handled is
generally configurable both of the OS and the app level. So from the
network it is impossible to know with confidence what the settings are.

This patch adds the following policies:

`stream.reassembly.urgent.policy`:

- drop: drop URG packets before they affect the stream engine

- inline: ignore the urgent pointer and process all data inline

- oob (out of band): treat the last byte as out of band

- gap: skip the last byte, but do no adjust sequence offsets, leading to
       gaps in the data

For the `oob` option, tracking of a sequence number offset is required,
as the OOB data does "consume" sequence number space. This is limited to
64k. For this reason, there is a second policy:

`stream.reassembly.urgent.oob-limit-policy`:

- drop: drop URG packets before they affect the stream engine

- inline: ignore the urgent pointer and process all data inline

- gap: skip the last byte, but do no adjust sequence offsets, leading to
       gaps in the data

Bug: #7411.
2 years ago
Victor Julien ac02a71479 decode/tcp: count urg flag 2 years ago
Jason Ish 37f4c52b22 eve/dns: add truncation flags for fields that are truncated
If rrname, rdata or mname are truncated, set a flag field like
'rrname_truncated: true' to indicate that the name is truncated.

Ticket: #7280
2 years ago
Philippe Antoine f2c3776314 detect: log app-layer metadata in alert with single tx
Ticket: 7199

Uses a config parameter detect.guess-applayer-tx to enable
this behavior (off by default)

This feature is requested for use cases with signatures not
using app-layer keywords but still targetting application
layer transactions, such as pass/drop rule combination,
or lua usage.

This overrides the previous behavior of checking if the signature
has a content match, by checking if there is only one live
transaction, in addition to the config parameter being set.
2 years ago