Commit Graph

344 Commits (9716c24ba1508925e7403c7203126313ceab3379)

Author SHA1 Message Date
Jason Ish 58933bafc1 rust app layer template: functions to get buffers
Example functions for getting the request and response buffers.
Useful for running detection on the decoded buffers.
7 years ago
Jason Ish 01f7dcf5fd rust template parser: sample pcap 7 years ago
Jason Ish c3f1a35e28 rust: app-layer template parser and logger
The protocol is a simple request/reply based protocol that can
be hand driven with netcat.

Request  -> 12:Hello World!
Response -> 3:Byte

It's of the format <length>:<message> where length is the length
of the message, not including the length or the delimiter.
7 years ago
Jason Ish 7682b1ba74 rustfmt.toml: set to 80 char line width
The rustfmt default is 100, set to 80 to be more in line with
the Suricata C code.
7 years ago
Jason Ish 9636b9de32 rust: expose AppLayerParserStateIssetFlag to Rust. 7 years ago
Jason Ish 90dfcf4907 rust/gen-c-headers: don't attempt to split empty lines 7 years ago
Jason Ish 1c6bc5754c dhcp: check length of option before accessing
Prevent Rust index out of bounds panic.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2571
7 years ago
Jason Ish 7bc2469eb1 dhcp: remove println!() that got committed 7 years ago
Victor Julien a337908c78 rust/dhcp: free events and destate at tx end 7 years ago
Victor Julien edd0c2246c smb1: add SMB1_COMMAND_QUERY_INFO_DISK command mapping 7 years ago
Maurizio Abba bf4398b15d output-json: ensure string is json-encodable
Substitute json_string with SCJsonString custom function.
SCJsonString will ensure string passed is json-encodable (utf-8).
If it's not, the string will be converted in such a way that any
non-printable character will be encoded in its hex form.
The resulting json object will be returned.

rust modification will encode any non-printable character during its
conversion in to_cstring.
7 years ago
Victor Julien 177966970a smb: probing parser improvement 7 years ago
Victor Julien fd38989113 proto/detect: remove probing parser offset argument
Remove offset argument as it was unused.
7 years ago
Victor Julien c6e79f4410 nfs4: create tx for CREATE procedure 7 years ago
Victor Julien 90e0e3da27 nfs: fix applying nfs3 logging logic to nfs4 7 years ago
Victor Julien cb3abba1e0 nfs4: log remove procedure + add multi-proc support
Add TX creation for NFS4 transactions. Start with the 'REMOVE' procedure.

Start on logging all procs. In NFS4 COMPOUND records there are multiple
procedures. One of them can be considered the 'main' procedure, with others
as supporting utility. This patch adds the first step toward tracking
those in the TX for logging and inspection.
7 years ago
Victor Julien ff518e5c64 nfs4: for putrootfh set 'mount root' as name 7 years ago
Victor Julien 22e0fc97f8 nfs: rename generic functions from nfs3 to nfs 7 years ago
Victor Julien d22c170c38 nfs: move v2 parsing into own file 7 years ago
Victor Julien 9b42073e54 nfs3: move nfs3 specific handling into own file 7 years ago
Victor Julien 4c09766b33 nfs: request parser cleanup 7 years ago
Victor Julien f570905f8c nfs: get rid of reachable panic statements 7 years ago
Victor Julien 8a1af5c367 nfs4: remove panic calls, set events instead 7 years ago
Victor Julien f2382356b1 nfs4: support 4.1 SEQUENCE procedure 7 years ago
Victor Julien 2b581cd6db smb: log trans2 that enable delete on close 7 years ago
Victor Julien eefac0ef95 smb1: add support for trans2 set_path_info rename 7 years ago
Victor Julien 1b86d4e1a2 smb: improve dcerpc logic
Detect whether a pipe is a dcerpc channel based on the name of the
pipe.
7 years ago
Victor Julien 7c8a078a2c smb1: improve NT Create response record parsing 7 years ago
Victor Julien 2e6014b15c rust/smb: search for record on midstream start
Calls with both START and MIDSTREAM mean the record might be cut and the
start of it could be missing. For this case, enable the same logic as is
used when catching up after a GAP. Search for the start of the record
instead of assuming it sits exactly at the start of the input data.
7 years ago
Victor Julien 905d9a1dd8 rust: define all STREAM_* types 7 years ago
Victor Julien 7bc3c3ac6e app-layer: pass STREAM_* flags to parser
Pass the STREAM_* flags to the app-layer parser functions so that
the parser can know more about how it is called.
7 years ago
Victor Julien b5bc509857 dhcp: suppress notice message at startup 7 years ago
Jason Ish d83707bef9 rust/dns - remove extra parentheses
Removes rust compiler warning.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2521
7 years ago
Jason Ish 9210d8743b rust/dhcp: Rust based DHCP decoder and logger.
This is a DHCP decoder and logger written in Rust. Unlike most
parsers, this one is stateless so responses are not matched
up to requests by Suricata. However, the output does contain
enough fields to match them up in post-processing.

Rules are included to alert on malformed or truncated options.
7 years ago
Jason Ish 1b0b74dc16 rust: a Rust ConfNode wrapper.
A Rust wrapper around the C ConfNode object. Currently only exposes
ConfGetChildValueBool and ConfGetChildValue.
7 years ago
Jason Ish 2ec3381600 rust/app-layer: macros to export de_state functions
These macros generate the extern "C" functions for transaction
structs that need to provide functions for setting and getting
the de_state. The idea is to provide macros to avoid code
duplication and make it simpler to create an app-layer.

A trait would be the correct solution, but it doesn't look like
you can use traits to export extern "C" functions.
7 years ago
Jason Ish da4912dfe7 rust: add get_tx_iterator to parser registration 7 years ago
Pierre Chifflier e9ae62ed05 Kerberos 5: properly handle TCP buffering 7 years ago
Pierre Chifflier 1076c7cd47 Add krb5_err_code detection keyword 7 years ago
Pierre Chifflier d6b9c0294a Add krb5_cname and krb5_sname detection keywords 7 years ago
Pierre Chifflier 0bd81ff838 Add krb5_msg_type detection keyword 7 years ago
Pierre Chifflier 5037051161 Kerberos 5: rename weak crypto to weak encryption, and log it 7 years ago
Pierre Chifflier 6ae53a1869 Add event rules for Kerberos 5 7 years ago
Pierre Chifflier 3a017f61b0 Kerberos 5: pretty-print error code when logging 7 years ago
Pierre Chifflier 52f5c7914f Log Kerberos 5 errors 7 years ago
Pierre Chifflier 1e5f5d405f Kerberos 5: add support for TCP as well 7 years ago
Pierre Chifflier 645ba17509 Kerberos: check version in probing function 7 years ago
Pierre Chifflier fd175f2bfb Add logger for Kerberos 5 metadata 7 years ago
Pierre Chifflier 77f0c11c9e Add Kerberos 5 application layer 7 years ago
Jason Ish d73b5ee276 rust: cargo fixes for out of tree build 7 years ago
Pierre Chifflier 2d1c4420de Update ntp-parser to 0.2.0 7 years ago
Victor Julien 73d94fff73 nfs4: support records wrapped in GSSAPI integrity 7 years ago
Victor Julien 53fa2af07c nfs4: fix attr parsing corner case 7 years ago
Victor Julien 39489bc5fd nfs4: implement COMMIT parsing and handling 7 years ago
Victor Julien c7cb01b636 nfs4: parse GSSAPI init 7 years ago
Victor Julien bfa60753f9 nfs4: create link support 7 years ago
Victor Julien 06f6c15954 nfs4: initial implementation
Implements record parsing and file extraction for READs and WRITEs.

Defines all types from RFC 7530.
7 years ago
Victor Julien 75c5722b7e nfs/rpc: add parser for GSSAPI Integrity records 7 years ago
Victor Julien f40fc0293b smb: minor optimizations 7 years ago
Victor Julien f201a3761f rust: remove multi level 'experimental'
Don't treat 'external' parsers as more experimental. All parsers
depend on crates to some extent, and all have C glue code. So the
distinction doesn't really make sense.
7 years ago
Pierre Chifflier d222b9ae6c IKEv2: Use JSON arrays instead of comma-separated values 7 years ago
Pierre Chifflier bf66948ad7 IKEv2: suppress some debug output 7 years ago
Pierre Chifflier 3fbfb22204 IKEv2: remove events counter 7 years ago
Pierre Chifflier 4e4cf00c07 Remove the 'experimental' mark for IKEv2 7 years ago
Pierre Chifflier f65fafa34b IKEv2 logger: use Debug trait for IkePayloadType 7 years ago
Pierre Chifflier d94346282c Add logger for IKEv2 7 years ago
Pierre Chifflier c99b9462d7 Add new parser: IKEv2
Add a new parser for Internet Key Exchange version 2 (IKEv2), defined in
RFC 7296.
The IKEv2 parser itself is external. The embedded code includes the
parser state and associated variables, the state machine, and the
detection code.

The parser looks at the first two messages of a connection, and analyzes
the client and server proposals to check the cryptographic parameters.
7 years ago
Pierre Chifflier b810275b16 Rust: fix prototype of parsing function (make pstate mutable) 7 years ago
Pierre Chifflier 8e8f0db192 Rust: expose function AppLayerParserStateSetFlag 7 years ago
Victor Julien 91307dafd9 nfs/rpc: fix response parsing 7 years ago
Victor Julien b1e2783788 auth/krb5: move kerberos5 wrapper to rust root
Make it available outside of just the SMB parser.
7 years ago
Victor Julien 4d58aaae90 smb: clean up partial read/write record handling 7 years ago
Victor Julien aa8d64c2b8 smb: improve skip handling
When skipping records the skip tracker could underflow if the record
parsing had more data than expected.

Enforce the calculation by moving it into a method and make the actual
fields private.
7 years ago
Victor Julien eac7a92200 smb2: improve read/write record parsing
parse_smb2_response_read()/parse_smb2_response_write() can be called on
incomplete data, so they didn't use the read/write length field to grab
the data field. Instead they just used rest(). However, in some cases
SMB2 records have trailing data, which would be included in the
READ/WRITE data.

This patch addresses this by using the length field if enough data is
available.
7 years ago
Victor Julien 53f63f7498 nfs/rpc: improve RPCv2 parser, add GssApi
Improve RPCv2 credentials parsing. Add GssApi and turn creds into
an enum.

Minor cleanups and optimizations.
7 years ago
Victor Julien 47ebef3af8 nfs: minor cleanup 7 years ago
Victor Julien ea1e13cb00 smb: suppress notice messages 7 years ago
Pierre Chifflier 576b8ef722 SMB: simplify code 7 years ago
Pierre Chifflier cf5de0c58e SMB: use String::from_utf8_lossy in logging functions 7 years ago
Pierre Chifflier b5529e4ffb SMB: use kerberos-parser to extract Realm and PrincipalName 7 years ago
Victor Julien 0dfb3f0e7f smb1: extract rename info from TRANS2
Exclude TRANS2 from generic TX lookup bypass.
7 years ago
Victor Julien 8eeda113c8 smb1: add parsing for RENAME command 7 years ago
Victor Julien 7b61f2c589 smb2: log renames 7 years ago
Victor Julien 15978d4e85 smb: if filename is missing, use '<unknown>' 7 years ago
Jason Ish 27fd521420 eve/dns/v2: support eve/dns v2 in rust 7 years ago
Jason Ish 57d9574839 rust/json: expose more of jansson to rust 7 years ago
Victor Julien 71742ed52b smb: share can't be <share_root> 7 years ago
Victor Julien bc193242ad smb1: add OPEN_ANDX command name for logging 7 years ago
Victor Julien 32b19fac99 smb2: don't log/track each READ/WRITE/etc 7 years ago
Victor Julien fb986abe81 smb: log file FID/GUID as fuid 7 years ago
Victor Julien 816bd022a6 smb1: improve non nt-status handling
Support SRV error, with a couple of codes.
Rename statux field to status_code.
7 years ago
Victor Julien 0519807639 smb1: ignore tree_id in session setup 7 years ago
Victor Julien 286c054472 smb: improve nbss/smb record detection 7 years ago
Victor Julien 7ab071a58d rust/smb: implement minimal record parsing in probing 7 years ago
Victor Julien 283be3cade smb2: break out ioctl handling 7 years ago
Victor Julien bf08285602 smb2: parse async records 7 years ago
Victor Julien 5c26020714 smb2: add ioctl transactions to log the funcs 7 years ago
Victor Julien 75265ec376 smb2: map ioctl funcs to names
List is based on Wireshark's list.
7 years ago
Victor Julien 7cd66516f0 smb: use formal MS names for disposition 7 years ago
Victor Julien f7ed749d4f smb: disable debug output 7 years ago
Victor Julien eed492547c smb1: extract server guid from negotiate 7 years ago
Victor Julien 6d56edc3de smb2: log client and server guid from negotiate 7 years ago
Victor Julien c56f5e11ca smb2: log share type 7 years ago
Victor Julien d75ebdb981 smb: log create empty filename as '<share_root>' like Bro does 7 years ago
Victor Julien fcbeab70a4 smb1: log create 'service' fields 7 years ago
Victor Julien 90e2abaac4 smb1: use generic string parsing for trans 7 years ago
Victor Julien 76917a8732 smb1: generic smb string parse func 7 years ago
Victor Julien 668c747aee smb1: more exact tree connect record parsing 7 years ago
Victor Julien 0ed00cf104 smb: move common parsing funcs into own file 7 years ago
Victor Julien 1c701dc50e smb: make string parsing functions public 7 years ago
Victor Julien 1d4aac1d4d smb1: set event on empty/malformed dialect 7 years ago
Victor Julien c91242e71c smb: rename file to filename in output 7 years ago
Victor Julien caf29e92b3 smb1: parse and log timestamps in CREATE 7 years ago
Victor Julien 0e05ef7369 smb2: parse and log timestamps in CREATE 7 years ago
Victor Julien 28f16e38ac smb1: disable 'generic tx's for common commands
Don't create a generic TX for each READ, WRITE, TRANS, TRANS2,
except if they cause events to trigger.
7 years ago
Victor Julien 78cd92a933 smb: generic event per trans/read/write for tx events 7 years ago
Victor Julien 05992f1772 smb: fix event handling when no tx is available 7 years ago
Victor Julien be615c9fbc smb: small cleanups, fixes and optimizations 7 years ago
Victor Julien dab055d8c8 smb: update to der-parser 0.5.1 7 years ago
Victor Julien 0d69e7b8c2 smb: remove unused dialects from state 7 years ago
Victor Julien ad1bc7f473 smb1: minor debug improvement 7 years ago
Victor Julien a44504a1bf smb: redo gap catch up handling 7 years ago
Victor Julien 7114d5d25b smb1: parser cleanups 7 years ago
Victor Julien d9e43d3e63 smb: cleaner server component parsing 7 years ago
Victor Julien ecbf10da70 smb2: improve write error handling 7 years ago
Victor Julien b34392051d smb3: parse transform records 7 years ago
Victor Julien 894a73ee06 smb2: add missing commands and improve ioctl err handling 7 years ago
Victor Julien 170edf7c44 smb1: improve error handling 7 years ago
Victor Julien 7ceb67138f smb: add status 7 years ago
Victor Julien 98b926bf72 smb1: implement WRITE_AND_CLOSE 7 years ago
Victor Julien 595557eb8d smb1: locking andx may have no response 7 years ago
Victor Julien 7dff9b9969 smb/nbss: work around bad traffic 7 years ago
Victor Julien 8bef120898 smb: session setup improvements
Improve ntlmssp version extraction and logging, make its data structures
optional. Extract native os/lm from smb1 ssn setup.

Move session setup handling into their own files.

Only log auth data for the session setup tx.
7 years ago
Victor Julien 75d7c9d64a rust/smb: initial support
Implement SMB app-layer parser for SMB1/2/3. Features:
- file extraction
- eve logging
- existing dce keyword support
- smb_share/smb_named_pipe keyword support (stickybuffers)
- auth meta data extraction (ntlmssp, kerberos5)
7 years ago
Pierre Chifflier b69acaadf5 Rust: add 'debug' feature
The 'debug' feature is enabled if suricata was configured with the
'--enable-debug' flag.
If enabled, the SCLogDebug macro formats and calls the logging function as
usual. Otherwise, this macro is a no-op (similarly to the C code).
7 years ago
Victor Julien 053022931c rust/json: add array_append_string 7 years ago
Victor Julien 73fac478a2 rust/dns: fix nom verbose error mode 7 years ago
Jason Ish c411519605 app-layer: remove has events callback - not used 7 years ago
Pierre Chifflier 92b537d028 rust: update 'external' api for app layer changes
Remove unused HasTxDetectState function and remove state argument
from SetTxDetectState.

Update NTP code.
7 years ago
Victor Julien f815027cdf rust/dns: simplify tx freeing
Now that we no longer need the state when freeing a TX, we can simply
do cleanup from the Drop trait.
7 years ago
Victor Julien 7548944b49 app-layer: remove unused HasTxDetectState call
Also remove the now useless 'state' argument from the SetTxDetectState
calls. For those app-layer parsers that use a state == tx approach,
the state pointer is passed as tx.

Update app-layer parsers to remove the unused call and update the
modified call.
7 years ago
Victor Julien 1c270cae13 nfs: remove old test code 7 years ago
Victor Julien e96d9c1159 app-layer: add tx iterator API
Until now, the transaction space is assumed to be terse. Transactions
are handled sequentially so the difference between the lowest and highest
active tx id's is small. For this reason the logic of walking every id
between the 'minimum' and max id made sense. The space might look like:

    [..........TTTT]

Here the looping starts at the first T and loops 4 times.

This assumption isn't a great fit though. A protocol like NFS has 2 types
of transactions. Long running file transfer transactions and short lived
request/reply pairs are causing the id space to be sparse. This leads to
a lot of unnecessary looping in various parts of the engine, but most
prominently: detection, tx house keeping and tx logging.

    [.T..T...TTTT.T]

Here the looping starts at the first T and loops for every spot, even
those where no tx exists anymore.

Cases have been observed where the lowest tx id was 2 and the highest
was 50k. This led to a lot of unnecessary looping.

This patch adds an alternative approach. It allows a protocol to register
an iterator function, that simply returns the next transaction until
all transactions are returned. To do this it uses a bit of state the
caller must keep.

The registration is optional. If no iterator is registered the old
behaviour will be used.
7 years ago
Victor Julien 6e82df274d rust: update dependencies 7 years ago
Victor Julien dfae3297a5 rust: don't gen C headers if Rust isn't enabled 7 years ago
Pascal Delalande 80f2fbac6e rust/tftp: eve logging with rust 7 years ago
Clement Galland b9cf49e933 rust/tftp: add tftp parsing and logging
TFTP parsing and logging written in Rust.
Log on eve.json the type of request (read or write), the name of the file and
the mode.

Example of output:
    "tftp":{"packet":"read","file":"rfc1350.txt","mode":"octet"}
7 years ago
Victor Julien e8939335ea rust/nfs: explicitly handle GAPs from C
It seems that Rust optimizes this code in such a way that it
passes the null ptr along as real data.

    if buf.as_ptr().is_null() && input_len > 0 {
7 years ago
Victor Julien 2c3c8f8b85 rust/filetracker: if file API return error, trunc file 7 years ago
Victor Julien d27ed5957f rust/nfs: fix read reply handling
READ replies with large data chunks are processed partially to avoid
queuing too much data. When the final chunk was received however, the
start of the chunk would already tag the transaction as 'done'. The
more aggressive tx freeing that was recently merged would cause this
tx to be freed before the rest of the in-progress chunk was done.

This patch delays the tagging of the tx until the final data has been
received.
7 years ago