suricata

Commit Graph

Author	SHA1	Message	Date
Pierre Chifflier	13b7399790	rust: upgrade all parsers to nom4	7 years ago
Victor Julien	8b570c0293	smb: improve request/response mapping Only use ssn_id and msg_id for mapping a response to a request. By not using the tree_id it can always be included in the tx.hdr which means it can be logged properly in case of IOCTL and DCERPC.	7 years ago
Victor Julien	0e40231189	app-layer: improve transaction cleanup handling The app layers with a custom iterator would skip a tx if during the ..Cleanup() pass a transaction was removed. Address this by storing the current index instead of the next index. Also pass in the next "min_tx_id" to be incremented from the last TX. Update loops to do this increment. Also make sure that the min_id is properly updated if the last TX is removed when out of order. Finally add a SMB unittest to test this. Reported by: Ilya Bakhtin	7 years ago
Victor Julien	4d5024255f	smb/dcerpc: remove now unused ssn2maxsize_map	7 years ago
Victor Julien	ac4e888597	smb2/dcerpc: probe if response data is dcerpc If we missed the tree connect we can't know for sure if we're reading from a (DCERPC) PIPE or not. In this case probe the data to see if it looks like DCERPC. If the detection succeeds, use a special 'suricata::dcerpc' service in the TX. Simplify handling of DCERPC records that cross records Update logging for the response only TXs.	7 years ago
Victor Julien	177966970a	smb: probing parser improvement	7 years ago
Victor Julien	2b581cd6db	smb: log trans2 that enable delete on close	7 years ago
Victor Julien	1b86d4e1a2	smb: improve dcerpc logic Detect whether a pipe is a dcerpc channel based on the name of the pipe.	7 years ago
Victor Julien	2e6014b15c	rust/smb: search for record on midstream start Calls with both START and MIDSTREAM mean the record might be cut and the start of it could be missing. For this case, enable the same logic as is used when catching up after a GAP. Search for the start of the record instead of assuming it sits exactly at the start of the input data.	7 years ago
Victor Julien	f40fc0293b	smb: minor optimizations	7 years ago
Victor Julien	4d58aaae90	smb: clean up partial read/write record handling	7 years ago
Victor Julien	aa8d64c2b8	smb: improve skip handling When skipping records the skip tracker could underflow if the record parsing had more data than expected. Enforce the calculation by moving it into a method and make the actual fields private.	7 years ago
Victor Julien	ea1e13cb00	smb: suppress notice messages	7 years ago
Victor Julien	7b61f2c589	smb2: log renames	7 years ago
Victor Julien	fb986abe81	smb: log file FID/GUID as fuid	7 years ago
Victor Julien	816bd022a6	smb1: improve non nt-status handling Support SRV error, with a couple of codes. Rename statux field to status_code.	7 years ago
Victor Julien	7ab071a58d	rust/smb: implement minimal record parsing in probing	7 years ago
Victor Julien	283be3cade	smb2: break out ioctl handling	7 years ago
Victor Julien	5c26020714	smb2: add ioctl transactions to log the funcs	7 years ago
Victor Julien	6d56edc3de	smb2: log client and server guid from negotiate	7 years ago
Victor Julien	c56f5e11ca	smb2: log share type	7 years ago
Victor Julien	fcbeab70a4	smb1: log create 'service' fields	7 years ago
Victor Julien	0e05ef7369	smb2: parse and log timestamps in CREATE	7 years ago
Victor Julien	28f16e38ac	smb1: disable 'generic tx's for common commands Don't create a generic TX for each READ, WRITE, TRANS, TRANS2, except if they cause events to trigger.	7 years ago
Victor Julien	be615c9fbc	smb: small cleanups, fixes and optimizations	7 years ago
Victor Julien	0d69e7b8c2	smb: remove unused dialects from state	7 years ago
Victor Julien	a44504a1bf	smb: redo gap catch up handling	7 years ago
Victor Julien	b34392051d	smb3: parse transform records	7 years ago
Victor Julien	7ceb67138f	smb: add status	7 years ago
Victor Julien	7dff9b9969	smb/nbss: work around bad traffic	7 years ago
Victor Julien	8bef120898	smb: session setup improvements Improve ntlmssp version extraction and logging, make its data structures optional. Extract native os/lm from smb1 ssn setup. Move session setup handling into their own files. Only log auth data for the session setup tx.	7 years ago
Victor Julien	75d7c9d64a	rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)	7 years ago

32 Commits (9e7f261a883d8221fae18f3b7900fdf9d8c9f126)