Commit Graph

9751 Commits (c41e64d637fc0ce7a95e68c2de08f4d4ea24f49f)

Author SHA1 Message Date
Philippe Antoine 0c92b8f7e4 dcerpc: adds invalid signature unit test 5 years ago
Philippe Antoine b8069365f5 dcerpc: check app proto for signature keywords 5 years ago
Victor Julien 6ab323d323 detect: hide RegisterTests behind ifdef UNITTESTS
Update all callers to more aggressively use UNITTESTS guards as well.
5 years ago
Xiaofan Wang 071f55dcd7 ftp: fix direction of expectation for STOR command
Fix direction in active mode.
5 years ago
Victor Julien 0d24066876 sip: minor cleanup 5 years ago
Victor Julien db3b637ada htp: minor UNITTESTS guarding cleanup 5 years ago
Victor Julien 7c364017da ftp: small code cleanup 5 years ago
Jeff Lucovsky 72e2f36f9b ftp: Restrict file name lengths
Restrict file name lengths to PATH_MAX - 1 to avoid over subscribing
memory to FTP file name tracking.
5 years ago
Shivani Bhardwaj c169cfe0a3 bytetest: use ByteExtractString instead of StringParse 5 years ago
Shivani Bhardwaj 6f84515dd9 util: fix trailing char check with ByteExtractString 5 years ago
Zach Kelly 22a2bee614 rdp/eve: convert to jsonbuilder 5 years ago
Joshua Lumb f7c4600482 threads/runmode: Changes to thread config behaviour 5 years ago
Shivani Bhardwaj 333a785efd sip: remove extra jsonbuilder close 5 years ago
Shivani Bhardwaj 9f9670ebdc logging: Add DCERPC logger 5 years ago
Shivani Bhardwaj bab497ab2c dcerpc: Add multi transaction support
DCERPC parser so far provided support for single transactions only.
Extend that to support multiple transactions.

In order for multiple transactions to work, there is always a
transaction identifier for any protocol in its header that lets a
response match the request. In DCERPC, for TCP, that param is call_id in
the header which is a 32 bit field. For UDP, however since it uses
different version of RPC (4.x), this is defined by serial number field
defined in the header. This field however is not contiguous and needs to
be assembled by the provided serial_low and serial_hi fields.
5 years ago
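The two correlators named in the commit above, call_id for the connection-oriented (TCP, rpc_vers 5) header and the serial number split across serial_hi and serial_lo in the connectionless (UDP, rpc_vers 4) header, as an added example in C. This is not Suricata's parser; it assumes the DCE 1.1 RPC header layouts (call_id at byte 12 of the 16-byte CO header, serial_hi at byte 7 and serial_lo at byte 79 of the 80-byte CL header, integer byte order chosen by bit 4 of the first drep byte), and it pairs a request with a response on ptype plus correlator only, as the commit describes. The sample headers are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not Suricata code. Offsets follow the DCE 1.1 RPC header
 * layouts; all sample headers below are constructed by hand. */
#define DCERPC_CO_HDR_LEN 16
#define DCERPC_CL_HDR_LEN 80
enum { DCERPC_REQUEST = 0, DCERPC_RESPONSE = 2 }; /* ptype, both families */

/* Bit 4 of the first data-representation byte selects little-endian ints. */
int drep_is_little_endian(uint8_t drep0) { return (drep0 & 0x10) != 0; }

uint32_t read_u32(const uint8_t *p, int le)
{
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* CO header: rpc_vers(1) minor(1) ptype(1) pfc_flags(1) drep(4)
 * frag_length(2) auth_length(2) call_id(4). Returns call_id, or -1. */
int64_t dcerpc_co_call_id(const uint8_t *buf, size_t len)
{
    if (len < DCERPC_CO_HDR_LEN || buf[0] != 5)
        return -1;
    return read_u32(buf + 12, drep_is_little_endian(buf[4]));
}

/* CL header: rpc_vers(1) ptype(1) flags1(1) flags2(1) drep(3) serial_hi(1)
 * object(16) if_id(16) act_id(16) server_boot(4) if_vers(4) seqnum(4)
 * opnum(2) ihint(2) ahint(2) len(2) fragnum(2) auth_proto(1) serial_lo(1).
 * The serial number is not contiguous: assemble it from bytes 7 and 79. */
int64_t dcerpc_cl_serial(const uint8_t *buf, size_t len)
{
    if (len < DCERPC_CL_HDR_LEN || buf[0] != 4)
        return -1;
    return (int64_t)(((uint16_t)buf[7] << 8) | buf[79]);
}

/* 1 if `resp` answers `req`: same header family, request/response ptypes,
 * equal correlator. */
int dcerpc_tx_match(const uint8_t *req, size_t rlen, const uint8_t *resp, size_t slen)
{
    if (rlen < 3 || slen < 3 || req[0] != resp[0])
        return 0;
    if (req[0] == 5) {
        if (req[2] != DCERPC_REQUEST || resp[2] != DCERPC_RESPONSE) return 0;
        int64_t a = dcerpc_co_call_id(req, rlen), b = dcerpc_co_call_id(resp, slen);
        return a >= 0 && a == b;
    }
    if (req[0] == 4) {
        if (req[1] != DCERPC_REQUEST || resp[1] != DCERPC_RESPONSE) return 0;
        int64_t a = dcerpc_cl_serial(req, rlen), b = dcerpc_cl_serial(resp, slen);
        return a >= 0 && a == b;
    }
    return 0;
}

/* Constructed CO headers: call_id 42, little-endian and big-endian drep. */
const uint8_t sample_co_req_le[DCERPC_CO_HDR_LEN] = {
    5, 0, DCERPC_REQUEST,  0x03, 0x10, 0, 0, 0, 0x10, 0, 0, 0, 0x2a, 0, 0, 0 };
const uint8_t sample_co_resp_le[DCERPC_CO_HDR_LEN] = {
    5, 0, DCERPC_RESPONSE, 0x03, 0x10, 0, 0, 0, 0x10, 0, 0, 0, 0x2a, 0, 0, 0 };
const uint8_t sample_co_req_be[DCERPC_CO_HDR_LEN] = {
    5, 0, DCERPC_REQUEST,  0x03, 0x00, 0, 0, 0, 0, 0x10, 0, 0, 0, 0, 0, 0x2a };

/* Constructed CL header: zero except version, ptype, drep and the serial. */
void make_cl_header(uint8_t *out, uint8_t ptype, uint16_t serial)
{
    memset(out, 0, DCERPC_CL_HDR_LEN);
    out[0] = 4;                          /* rpc_vers */
    out[1] = ptype;
    out[4] = 0x10;                       /* drep: little-endian integers */
    out[7] = (uint8_t)(serial >> 8);     /* serial_hi */
    out[79] = (uint8_t)(serial & 0xff);  /* serial_lo */
}

int64_t cl_sample_serial(void)
{
    uint8_t h[DCERPC_CL_HDR_LEN];
    make_cl_header(h, DCERPC_REQUEST, 300);
    return dcerpc_cl_serial(h, sizeof(h));
}

int cl_sample_match(void)
{
    uint8_t req[DCERPC_CL_HDR_LEN], resp[DCERPC_CL_HDR_LEN], other[DCERPC_CL_HDR_LEN];
    make_cl_header(req, DCERPC_REQUEST, 300);
    make_cl_header(resp, DCERPC_RESPONSE, 300);
    make_cl_header(other, DCERPC_RESPONSE, 301);
    return dcerpc_tx_match(req, sizeof(req), resp, sizeof(resp)) == 1
        && dcerpc_tx_match(req, sizeof(req), other, sizeof(other)) == 0;
}
```

The length checks before any offset is read are the part that matters for a parser fed by the wire: a truncated 79-byte CL PDU must return -1 rather than read serial_lo past the buffer.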
Victor Julien 9831839388 detect/mpm: fix hs check 5 years ago
Roland Fischer 9f1efa3c10 pcap: 32bit counters can wrap-around
Fixes issue 2845.

pcap_stats is based on 32bit counters and given a big enough throughput
will overflow them. This was reported by people using Myricom cards which
should only be a happenstance. The problem exists for all pcap-based
interfaces.

Let's use internal 64bit counters that drag along the pcap_stats and
handle pcap_stats wrap-around as we update the 64bit stats "often enough"
before the pcap_stats can wrap around twice.
5 years ago
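The wrap-around handling the commit above describes, as an added C example that is not Suricata's code: a 64-bit counter that is periodically fed the 32-bit value a pcap_stats()-style API reports. The struct and function names are made up, and the readings are constructed to cross the 32-bit boundary between two polls. It also shows the "often enough" condition as an explicit check.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not Suricata code: a 64-bit statistics counter driven by
 * the 32-bit values a pcap_stats()-style API reports. Names are made up. */
struct Counter64 {
    uint32_t last;   /* previous 32-bit reading */
    uint64_t total;  /* 64-bit running total */
};

/* Fold a new 32-bit reading into the 64-bit total. Unsigned subtraction
 * wraps modulo 2^32, so (cur - last) is the true increment provided the
 * 32-bit counter wrapped at most once since the previous reading. */
void counter64_update(struct Counter64 *c, uint32_t cur)
{
    uint32_t delta = cur - c->last;  /* well-defined unsigned wrap-around */
    c->total += delta;
    c->last = cur;
}

/* The "often enough" condition: with a worst-case rate of `rate_per_sec`
 * events, polling every `interval_sec` seconds is safe only if fewer than
 * 2^32 events can occur between two readings. A second wrap between polls
 * would be silently lost. */
int counter64_interval_is_safe(uint64_t rate_per_sec, uint64_t interval_sec)
{
    if (interval_sec == 0)
        return 1;
    return rate_per_sec < (((uint64_t)1 << 32) / interval_sec);
}

/* Constructed readings: the 32-bit counter passes UINT32_MAX between the
 * first and second poll (4294967000 -> 200 means 496 more events). */
uint64_t counter64_run_sample(void)
{
    const uint32_t readings[] = { 4294967000u, 200u, 1000u };
    struct Counter64 c = { 0, 0 };
    for (size_t i = 0; i < sizeof(readings) / sizeof(readings[0]); i++)
        counter64_update(&c, readings[i]);
    return c.total;  /* 4294967000 + 496 + 800 = 4294968296 */
}

/* What trusting the raw 32-bit value gives you after the same readings:
 * the counter appears to have gone backwards to 1000. */
uint64_t counter32_run_sample(void)
{
    const uint32_t readings[] = { 4294967000u, 200u, 1000u };
    return readings[2];
}
```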
Shivani Bhardwaj 67e7be633c krb: convert to jsonbuilder
Closes redmine ticket 3754.
5 years ago
Shivani Bhardwaj 72dab0a8b7 snmp: convert to jsonbuilder
Closes redmine ticket 3756.
5 years ago
Jason Ish 53aa967e0b applayer: add flags to parser registration struct
This will allow Rust parsers to register for gap handling from
Rust (some Rust parsers do handle gaps, but they set the flag
from C).
5 years ago
Jason Ish 7476399f43 template: add gap handling 5 years ago
Victor Julien 4726d7027c detect/mpm: 'mpm-algo' parsing cleanups 5 years ago
Victor Julien f2a3d6d834 flow: fix unlikely issue with int handling
Thanks for reporting this magenbluten PR 4575.
5 years ago
Victor Julien fa2b46cdc3 detect/stream_size: minor code cleanups 5 years ago
Victor Julien ac3cf6ff75 detect/config: set config for special cases
Allow app-layer to declare the txs are uni-directional and special
care is needed for applying config.
5 years ago
Victor Julien 2145cf99a3 detect/config: initial version 5 years ago
Victor Julien a2f249cc86 app-layer: handle AppLayerTxData being NULL
Http parser can have 'NULL' user data in case of memcap limit getting
reached.
5 years ago
Victor Julien 5dd4d948d9 app-layer: remove unused detect flags API 5 years ago
Victor Julien f88657206c app-layer: GetTxData callback is mandatory 5 years ago
Victor Julien 8fe9faecb2 app-layer: remove DetectFlags API. Replaced by AppLayerTxData 5 years ago
Victor Julien 9664f73f75 app-layer: remove logged API calls 5 years ago
Victor Julien 455eab370e template: support AppLayerTxData 5 years ago
Victor Julien e0debed0b4 tftp: support AppLayerTxData 5 years ago
Victor Julien a1e06247a6 dcerpc/udp: support AppLayerTxData 5 years ago
Victor Julien 3202d29325 dcerpc: support AppLayerTxData 5 years ago
Victor Julien 8cd55124a3 modbus: support AppLayerTxData 5 years ago
Victor Julien 7d663ed5cf enip: support AppLayerTxData 5 years ago
Victor Julien fb780c7d92 ssl/tls: support AppLayerTxData 5 years ago
Victor Julien bc11a1c23e smtp: support AppLayerTxData 5 years ago
Victor Julien c98f597831 ftp: support AppLayerTxData 5 years ago
Victor Julien 302cf49486 dnp3: support AppLayerTxData 5 years ago
Victor Julien 77a95eddd9 smb: support AppLayerTxData 5 years ago
Victor Julien 7a7805cde6 nfs: support AppLayerTxData 5 years ago
Victor Julien 910922cdc4 htp: support AppLayerTxData 5 years ago
Victor Julien 5665fc8301 app-layer: add ApplyTxConfig API
Optional callback a parser can register for applying configuration
to the 'transaction'. Most parsers have a bidirectional tx. For those
parsers that have different types of transaction handling, this new
callback can be used to properly apply the config.
5 years ago
Victor Julien df27205451 output/tx: implement filtering 5 years ago
Victor Julien e15995e2d2 detect: store detect flags in AppLayerTxData 5 years ago
Victor Julien c797c9f09c app-layer: add logger flags to AppLayerTxData 5 years ago
Victor Julien 411f428a38 app-layer: define AppLayerTxData and AppLayerTxConfig
AppLayerTxData is a structure each tx should include that will contain
the common fields the engine needs for tracking logging, detection and
possibly other things.

AppLayerTxConfig will be used by the detection engine to configure
the transaction.
5 years ago
Victor Julien 274a033d65 htp: alloc user data at tx start
This way the AppLayerTxData is set up from the start. Any type of
processing (logging, detection) will lead to setting up the user
data later on anyway.

Remove other places where it was added.
5 years ago
Victor Julien f7ff7dbaed config: common definitions 5 years ago
Victor Julien 6dcdf394d7 rules: add config action 5 years ago
Jason Ish 8c98fa452f dnp3/eve: update for regenerated dnp3 object logging code
Migration from Jansson to JsonBuilder.
5 years ago
Jason Ish bf8d8c573a dnp3/eve: regenerate object logging code 5 years ago
Jason Ish ccc057fdc9 dnp3/eve: convert to jsonbuilder (non generated code)
First step of converting DNP3 to JsonBuilder by first converting
the non-generated code.
5 years ago
Shivani Bhardwaj 6f7d8e50c8 src: use FatalError whenever possible
Replaces all patterns of SCLogError() followed by exit() with
FatalError(). Cocci script to do this:

@@
constant C;
constant char[] msg;
@@

- SCLogError(C,
+ FatalError(SC_ERR_FATAL,
  msg);
- exit(EXIT_FAILURE);

Closes redmine ticket 3188.
5 years ago
Jeff Lucovsky f6a399f154 general: Correct typos 5 years ago
Jeff Lucovsky fb409664d2 detect: byte_math support 5 years ago
Jeff Lucovsky 1a726731e4 detect: Use byte-math to byte var handling func 5 years ago
Jeff Lucovsky 0e4ba7b13e detect: Add byte_math detector 5 years ago
Jeff Lucovsky ac01adc260 detect: Add utility module for byte var handling 5 years ago
Victor Julien c1673908ac eve/alert: minor cleanups 5 years ago
Victor Julien d2c48d4faf eve/alert: move files logging into util func 5 years ago
Victor Julien 3dacbcddef eve/alert: move app-layer logic into a util func 5 years ago
Shivani Bhardwaj 537fb7a1c6 hyperscan: better error message if not compiled 5 years ago
Philippe Antoine abe3f6e6ef rfb: set app proto for signature keyword rfb.secresult 5 years ago
Jeff Lucovsky 2f32d7f831 filestore: Use proper string in error case
When make-open-files has an invalid value, the incorrect value was being
displayed improperly
5 years ago
Jeff Lucovsky 823f6b35d0 filestore: Validate stream-depth when non-zero
Make sure that configured non-zero values for stream-depth are
greater than stream_config.depth
5 years ago
Jeff Lucovsky 6bb89c37f1 output/json: Correct clang warning
This commit corrects the warning for mismatched type.
5 years ago
Jeff Lucovsky b2c1dab2da output/alert: Correct FORWARD_NULL Coverity issue.
This commit corrects the FORWARD_NULL issue in AlertJson by
null-checking p->flow
5 years ago
Jeff Lucovsky bd22e0d7a4 output/ftp: Correct Coverity DEADCODE issue
This commit corrects the deadcode (CID 1465224) issue in
EveFTPLogCommand.
5 years ago
Jeff Lucovsky ac70d925f5 filestore: Correct Coverity RESOURCE_LEAK issue
This commit corrects the RESOURCE_LEAK issue (CID 1465222) of the `FILE`
pointer.
5 years ago
Jeff Lucovsky 2d055ed1f7 detect: Correct Coverity REVERSE_INULL issue
This commit corrects the "Null pointer dereferences" issue (CID
1465221).
5 years ago
Shivani Bhardwaj d27b407bc3 pfring: fix StringParse* warnings
Closes redmine ticket 3808.
5 years ago
Shivani Bhardwaj 7cbb8c44c5 ttl: Make IPV4 TTL uint_8t 5 years ago
Shivani Bhardwaj 4ed72addf3 src: remove multiple uses of atoi
atoi() and related functions lack a mechanism for reporting errors for
invalid values. Replace them with calls to the appropriate
ByteExtractString* functions.

Partially closes redmine ticket 3053.
5 years ago
Emmanuel Thompson 88601b1993 detect/asn1: Update relative_offset keyword
- To be consistent with recent C version changes
- Add checks for over/underflows
5 years ago
Emmanuel Thompson 275f6ae96f detect/asn1: Remove asn1 C parser
- In favor of rust parser
5 years ago
Emmanuel Thompson 7af6cdb7ec detect/asn1: Update asn1 C files to use rust code
Mark rust extern "C" functions as pub in asn1 module to expose via cbindgen
Update detect-asn1.c/h to use rust functions
5 years ago
Jeff Lucovsky dfcc8a88f6 util/proto: Convert validation routine to bool
This commit changes the signature of the protocol validation code to
bool and simplifies the validation steps.
5 years ago
Jeff Lucovsky 1e8d4af29a output/json: Improve protocol output handling
Improve protocol label handling by eliminating an unneeded copy.

Additionally, unknown protocol values are no longer zero-padded.
5 years ago
Jeff Lucovsky a06a706078 output/flow: Improve protocol output handling
This commit improves handling of the protocol label by removing an
unnecessary copy.

Additionally, unknown protocol values are no longer zero-padded.
5 years ago
Jeff Lucovsky 5776a98f67 log/syslog: Improve protocol output handling
Move protocol handling outside of the packet alert loop.
5 years ago
Jeff Lucovsky 0a1c36759a log: Use updated SCProtoNameValid signature 5 years ago
Jeff Lucovsky a843b36c97 output/lua: Remove unused proto code
This commit removes unused protocol string handling logic.
5 years ago
Jason Ish 43b9bfaed4 applayer template (rust): convert to JsonBuilder 5 years ago
Jason Ish d71fc50212 applayer template (C): convert to JsonBuilder 5 years ago
Shivani Bhardwaj 0ebeaf4fe4 modbus: align comments properly 5 years ago
Shivani Bhardwaj d5a672fbcf modbus: make subfunction uint16_t 5 years ago
Shivani Bhardwaj dfd872c1a7 enip: remove unnecessary definition 5 years ago
Shivani Bhardwaj 0dac699197 src: remove multiple uses of atoi
atoi() and related functions lack a mechanism for reporting errors for
invalid values. Replace them with calls to the appropriate
ByteExtractString* functions.

Closes redmine ticket 3053.
5 years ago
Victor Julien a98a209732 fuzz/sigpcap: make sure hassh is enabled 5 years ago
Vadym Malakhatko 8a8212d0f6 lua: add functions to get hassh parameters 5 years ago
Vadym Malakhatko 126597144c eve: add Hassh fields to SSH JSON logger and add ssh log condition 5 years ago
Vadym Malakhatko 216a75c522 detect: add (mpm) hassh keywords
Match on Hassh using ssh.hassh, ssh.hassh.server, ssh.hassh.string, ssh.hassh.server.string keywords, e.g:

alert ssh any any -> any any (msg:"match SSH hash"; ssh.hassh; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; sid:1000010;)
alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; sid:1000020;)
alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"none,zlib@openssh.com,zlib"; sid:1000030;)
alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com,"; sid:1000040;)
5 years ago
Vadym Malakhatko 536cee3ba9 rust/ssh: add hassh generation
Add generation of hassh fingerprints based on fields in the kexinit record
5 years ago
Jeff Lucovsky f7a47a4477 detect/bsize: Use U16 bit macros
This commit changes the flag bit values to be expressed using the
BIT_U16 macro instead with hex values.
5 years ago
Jeff Lucovsky 39105917ce detect/bsize: Use SCLogDebug instead of printf
This commit updates debug "printf" message to use SCLogDebug
5 years ago
Jeff Lucovsky 620659b5f3 detect: Increase flag size for byte_jump 5 years ago
Jeff Lucovsky 23a65b5824 general: Fix typo in detect-bytejump.c 5 years ago
Jeff Lucovsky 0701d82890 detect/bytejump: Add "from_end" support
This commit adds support for the byte jump "from_end" keyword and
unittests.
5 years ago
Jeff Lucovsky d5bb41011c output/ikev2: Convert to JsonBuilder
Convert the IKEV2 Json logging to use JsonBuilder.
5 years ago
Philippe Antoine 1e8ac7dadb dnp3: adds unit test against previous bug 5 years ago
Philippe Antoine d465bb8686 dnp3: fix buffer over read in responses parsing 5 years ago
Philippe Antoine 629a16e373 dnp3: probing parser fixes direction based on dnp3 header 5 years ago
Philippe Antoine a90b1c1bcb fuzz: disable DNP3 checksums while fuzzing 5 years ago
Philippe Antoine 00509da286 fuzz: improves fuzz target applayerparserparse
Does not proceed with the final chunk if we got an error previously
Flips the direction for last chunk as usual
5 years ago
Victor Julien b440d0b13e flow: use stream state to string util func 5 years ago
Victor Julien 1b0319ea98 stream: add state to string funcs 5 years ago
Victor Julien 6608b9a5f3 app-layer: set EOF flag in case of unsupported GAP
If GAP is not supported set EOF flags in the parser.
5 years ago
Victor Julien 54d2f2c300 flow: improve 'under stress' behavior
When under stress, the packet threads ultimately fall back
to walking the hash table until they find a flow they can
safely evict and reuse. This could lead to all threads
fighting over the FlowBucket locks.

Fix by adding a limit to the number of hash rows that are
checked for a new flow. If the limit is reached, simply fail
to get a flow.
5 years ago
Victor Julien c50ef8cc21 flow: fix TCP closed default initialization
TCP closed state was initialized to 0 by default.

Clean up 'closed' value setting for other protocols and the common
default.
5 years ago
Victor Julien 3bba671273 flow: remove unused function declaration 5 years ago
Victor Julien cba8efff2a flow: remove unused sctp enum member
This caused some arrays to be larger than needed.
5 years ago
Victor Julien c2561b2655 flow: cleanup validation check 5 years ago
Jeff Lucovsky 8c5c949cfa output/tftp: Convert to JsonBuilder
This commit converts the TFTP logging mechanisms to JsonBuilder.
5 years ago
Philippe Antoine 5ac8e41a13 signature: fix linked list for bidirectional signatures
Bidirectional signatures are really two signatures with one id.
This needs to be handled with care when changing a linked list.
5 years ago
Philippe Antoine ac76ff9e47 detect: fail properly on invalid transform pcrexform 5 years ago
Antti Tönkyrä 57d0f4bb6f detect/flowbits: fix stack overflow in analyzer
Fix stack overflow in DetectFlowbitsAnalyze.

Use dynamically allocated array instead of stack and free
it after it is no longer needed.
5 years ago
Jason Ish c09235e327 netflow/eve: convert to JsonBuilder 5 years ago
Jeff Lucovsky 9c47b8c1bf general: Fix spelling error 5 years ago
Jeff Lucovsky 64912104b3 detect/content: Validate content byte array
This commit checks whether the content byte array is compatible with the
transforms, if any, for the rule.
5 years ago
Jeff Lucovsky 197a593078 detect: Add transform validation api
This commit extends the API with a function that validates arguments
against the transforms for the SM list (if any).
5 years ago
Jeff Lucovsky 0189ff998f detect/transform: Add validation function
This commit adds a function to pre-validate buffers. If a content
buffer contains whitespace, the validation fails.
5 years ago
Jeff Lucovsky a4132d8e0f detect/transform: Add transform "validate" function
This commit adds an (optional) entry for a validation function. The
validation function, if present, will be used during rule processing.

Its role is to determine if the arguments are compatible with the
transform. E.g., a content string of "this string has whitespace" is not
compatible with the `strip_whitespace` transform.
5 years ago
Jason Ish 114b7e5cd9 dhcp/eve: remove erroneous jsonbuilder close
The JsonBuilder was being closed too early.
5 years ago
Jeff Lucovsky 4127c5fcc8 output/fileinfo: Optimize filename output
This commit optimizes the JSON preparation of the file name by
eliminating the temporary copy before adding to the Json builder buffer.
5 years ago
Jeff Lucovsky 0d298d47a1 output/rdp: Include common output options
This commit will cause common metadata values and the community id to be
included in log output when configured.
5 years ago
Jeff Lucovsky ef3840e256 output/dhcp: Include common output options
This commit will cause common metadata values and the community id to be
included in log output when configured.
5 years ago
Jeff Lucovsky c6c4936a20 output/smb: Include common output options
This commit will cause common metadata values and the community id to be
included in log output when configured.
5 years ago
Jeff Lucovsky 414bb25c93 output/tftp: Include common options
This commit will cause common metadata values and the community id to be
included in log output when configured.
5 years ago
Angelo Mirabella 0cdc009da1 detect/http_raw_header: Correct type mismatch
This changeset fixes a bug on the computation of the buffer
length for raw http headers. The bug is due to a mismatch
on the data type of the length (uint8_t vs uint32_t) and it
was causing signature misses.
5 years ago
Victor Julien 37d228dae0 rule/parse: minor action parsing cleanup 5 years ago
Victor Julien 14e1a342ac reject: support single vlan layer
Support sending RST/ICMP errors for packet with a single VLAN header.
5 years ago
Victor Julien 9f3f07dd97 reject: get MTU for reject-dev and use it 5 years ago
Victor Julien 498ae0180b reject: minor optimization of reset entry code 5 years ago
Victor Julien 279865b145 reject: remove L3 from function names 5 years ago
Victor Julien c594d0c1ad reject: allow configuration of the reject interface
Using the '--reject-dev <dev>' commandline option. This is a global option
that applies to all 'reject' actions.

If the interface specified is using ethernet, libnet will use the faster
L2 (link) layer. Suricata sets up the ethernet header based on the packet.

When the interface is specified, cache libnet_t ctx for (much) better
performance.
5 years ago
Victor Julien 604aa65c80 reject: don't respond to tunnel packets 5 years ago
Victor Julien a6ed9b11d5 reject: check tcp header sooner to avoid potential leak 5 years ago
Victor Julien 1b042cf108 reject: optimize and simplify run test 5 years ago
Victor Julien 66257f37eb reject: never return error
Errors by thread modules are not handled.
5 years ago
Jason Ish b8d1677b9c file-hash-common: fix rule_file truncation
Loading file hash lists uses dirname(3) on the
de_ctx->rule_file which modifies the contents,
removing the last part of the path. So on subsequent
calls the rule_file no longer contains the rule_file,
but instead just the directory name.

Mostly noticed when using "-S" with rule files outside
of the default-rule-path which requires more hunting for
the rule file.
5 years ago
Jeff Lucovsky 648bd5afff output/ftp: Use "Eve" prefix with FTP helpers
This commit changes the prefix of the FTP helper routines from Json to
Eve.
5 years ago
Jeff Lucovsky 1f19ab1013 output/eve: Remove unused helper function
This commit removes an unused helper function no longer required/used
after conversion to JsonBuilder.
5 years ago
Jeff Lucovsky 03de315bc2 ftp/eve: Convert FTP logging to use JsonBuilder
This commit converts the FTP logging mechanisms to use JsonBuilder.
5 years ago
Shivani Bhardwaj a7535099b4 smb/eve: convert to jsonbuilder
Closes redmine ticket 3712.
5 years ago
Jeff Lucovsky d14a14fa13 output/anomaly: Use helpers for string output 5 years ago
Jeff Lucovsky 9097df3a3b output/flow: Use helpers for string output 5 years ago
Jeff Lucovsky ff92745851 output/json: Include fileinfo in alerts
This commit adds fileinfo to alerts when `metadata` is configured.
5 years ago
Jeff Lucovsky cc99f95ecd json: macro for setting formatted false value 5 years ago
Jeff Lucovsky ae50d1a225 output/json: Refactor file output helper
This commit creates a common file output helper function based on the
logic in output-file-info.c:BuildBuildFileInfoRecord

The refactored helper will be used to create "fileinfo" information
during the alert output path.
5 years ago
Shivani Bhardwaj f2dbee4787 util: check if parsed data is in range 5 years ago
Shivani Bhardwaj 2162c52b17 src: remove multiple uses of atoi
atoi() and related functions lack a mechanism for reporting errors for
invalid values. Replace them with calls to the appropriate
ByteExtractString* and StringParse* functions.

Partially closes redmine ticket #3053.
5 years ago
Shivani Bhardwaj 271e33fbaa affinity: Convert nb_threads to uint32_t 5 years ago
Shivani Bhardwaj a516435443 napatech: make stream_id uint8_t 5 years ago
Shivani Bhardwaj f4c9d33923 redis: Change port type to uint16_t 5 years ago
Victor Julien 79681bf655 app-layer: remove old MPMId API calls
Had been deprecated and non-functional since 2017.
5 years ago
Jason Ish 74053f43cb json: macros for setting formatted true and string values
JB_SET_TRUE(jb, key), and JB_SET_STRING(string, key, val) are C macros
around jb_set_formatted to set static string and true values as a
(micro) optimization.
5 years ago
Philippe Antoine e5d4332ede signature: adds file flag for file_data keyword
So that SigValidate can check if a protocol not supporting
files was set after this keyword
5 years ago
Philippe Antoine baf5f52f22 ssh/eve: convert to jsonbuilder 5 years ago
Jeff Lucovsky a0b81b3c9d detect: Register pcrexform
This commit registers the `pcrexform` transform.
5 years ago
Jeff Lucovsky 66d15710b8 transform/pcrexform: Add pcrexform source files 5 years ago
Jeff Lucovsky c1875d8532 detect/pcrexform: New transform: applies RE
This commit adds a new transform -- pcrexform -- that applies a regular
expression to the transformation buffer. If an expression was captured,
that is output to the transformation buffer. Otherwise, the
transformation buffer is unchanged.
5 years ago
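The transform semantics the commit above spells out (capture replaces the buffer, otherwise the buffer is left unchanged), as an added C example that is not Suricata's pcrexform. It is built on POSIX regex.h rather than PCRE, which is the main assumption: POSIX regexec needs a NUL-terminated string, so the input is copied and binary-safe matching is lost, whereas the real transform works on raw buffers. Function names and the sample inputs are made up.

```c
#include <regex.h>
#include <string.h>
#include <stddef.h>

/* Added example, not Suricata code. Apply `pattern` to `in`; if the first
 * capture group matches, write the capture to `out`, otherwise copy the
 * input unchanged. Returns the output length, or -1 if the expression does
 * not compile or the buffers are too small. */
long pcrexform_apply(const char *pattern, const char *in, size_t inlen,
                     char *out, size_t outcap)
{
    char tmp[1024];
    if (inlen >= sizeof(tmp) || outcap < inlen)
        return -1;
    memcpy(tmp, in, inlen);
    tmp[inlen] = '\0';                 /* regexec needs a C string */

    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;                     /* fail rule load, do not match blindly */
    size_t nsub = re.re_nsub;          /* read before regfree */
    regmatch_t m[2];
    int rc = regexec(&re, tmp, 2, m, 0);
    regfree(&re);

    if (rc == 0 && nsub >= 1 && m[1].rm_so != -1) {
        size_t n = (size_t)(m[1].rm_eo - m[1].rm_so);
        memcpy(out, tmp + m[1].rm_so, n);
        return (long)n;                /* buffer now holds only the capture */
    }
    memcpy(out, in, inlen);            /* no capture: buffer is unchanged */
    return (long)inlen;
}

/* Convenience for NUL-terminated inputs: 1 if the transformed buffer
 * equals `expected`, else 0 (also 0 when the transform fails). */
int pcrexform_equals(const char *pattern, const char *in, const char *expected)
{
    char out[1024];
    long n = pcrexform_apply(pattern, in, strlen(in), out, sizeof(out));
    return n >= 0 && (size_t)n == strlen(expected)
        && memcmp(out, expected, (size_t)n) == 0;
}
```

A pattern that matches but has no capture group leaves the buffer as it was, so any content match that follows still sees the original bytes; that is the case to test when a rule unexpectedly keeps alerting after adding the transform.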
Jeff Lucovsky c8eca52804 detect: Add constant for new transform
This commit adds the definition of the new `pcrexform` transform.
5 years ago
Jeff Lucovsky 5d10db88bc detect/transform: Support transform options
This commit adds support for transform-specific options. During Setup,
transforms have the signature string available for options detection.
When a transform detects an option, it should convert the option into an
internal format and supply a pointer to this format as the last argument
to DetectSignatureAddTransform.

Transforms that support options must provide a function in their
Sigmatch table entry. When the transform is freed, a pointer to the
internal format of the option is passed to this function.
5 years ago
Jeff Lucovsky b569670c33 general: Correct typos 5 years ago
Jeff Lucovsky 4407cf8979 general: Update copyright year 5 years ago
Emmanuel Thompson be3379f00e detect/asn1: Fix relative_offset keyword option
- Fix relative_offset keyword option to be relative in regards to the
last content match
- Change relative_offset to int32_t with bounds check to allow the full
range of the packet buffer size (uint16_t)
- Added checks for over/underflows
- Changed the offset type to uint16_t because the offset is applied to
the payload length, which is a uint16_t
- Adjusted test cases to work relative to the content match
- Added test case to verify bounds
5 years ago
Eric Leblond f5e2968f12 redis: ensure a dump per second
In sync mode, Suricata was waiting to have batch size alerts before
logging them. This was introducing delay in some configuration with
low traffic.
5 years ago
Eric Leblond ec8eba28a8 redis: fix reconnect in batch mode
In case of redis outage, the redis session was reset but the replies
were still fetched even if there are no replies in the new session.
5 years ago
Eric Leblond 025de61f43 redis: add support for unix socket
If there is a '/' in the redis server string then we consider that
the connection should be done over a unix socket.
5 years ago
Joshua Lumb 82fb72678f cmdline: --list-app-layer-protos respects -c arg 5 years ago
Victor Julien a4568a634d htp: enforce body limits more exact 5 years ago
Victor Julien 0db3ee26d0 eve/alert: convert decoder event logging to jsonbuilder 5 years ago
Victor Julien aa0286d925 eve/anomaly: don't add timestamp twice
Timestamp is added unconditionally by CreateEveHeader(), so no need
to have a local timestamp in case of non-IP packets.
5 years ago
Victor Julien bd3fdeb53f eve/alert: clean up decoder event logging 5 years ago
Victor Julien b3b5802c85 eve/nfs: switch output to jsonbuilder 5 years ago
Giuseppe Longo cb7e72e602 jsonbuilder: fix build error
Clang's build in travis-ci is actually failing because of this error:

output-json-alert.c:476:40: error: missing field 'state_index' initializer

      [-Werror,-Wmissing-field-initializers]

            JsonBuilderMark mark = { 0 };
5 years ago
Jason Ish e26718aea3 drop-log: remove drop log (deprecated)
Remove the old style line based drop log.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2381
5 years ago
Jason Ish 6ce9b2972b rdp: enable by default
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3255
5 years ago
Phil Young 3ccd44b144 Napatech: Fix network byte order when comparing addresses
This fixes an issue where the "endianness" was not properly accounted for
when comparing two IPv4 addresses to be sorted.
5 years ago
Phil Young d1d09ecfa8 Napatech: Change to use separate FlowStream handle for each thread
Previously a single handle to the FlowStream (which is used to program
flows to the card) was shared between the threads.  This resulted
in contention between the threads where sometimes programming the flow would
silently fail.
5 years ago
Victor Julien bd70e0e621 eve: print interface info for vxlan and other tunnel pkts 5 years ago
Jason Ish 36d687580a rfb/eve: convert to jsonbuilder 5 years ago
Jason Ish 49f7dc93bd smtp/eve: convert to jsonbuilder 5 years ago
Jason Ish 7803a9ac40 anomaly/eve: convert to jsonbuilder 5 years ago
Jason Ish 037c449b85 tls/eve: convert to jsonbuilder 5 years ago
Jason Ish be8fa5da43 http/eve: remove jansson version of metadata logger
With fileinfo converted over to JsonBuilder, these
Jansson versions are no longer needed.
5 years ago
Jason Ish fb7ee888bc fileinfo-filestore/eve: convert to jsonbuilder 5 years ago
Jason Ish 0ec7d2ff66 fileinfo: use addr info cache for address logging (jsonbuilder prep)
This is to prepare for JsonBuilder conversion where we can't
overwrite an already set value. Here we prepare the addresses
to be logged in a struct, overwrite with XFF if needed, then
log.
5 years ago
Jason Ish 6ba93d905f http/eve: convert to jsonbuilder 5 years ago
Jason Ish baf2723757 flow/eve: convert to jsonbuilder 5 years ago
Jason Ish 03cf3dcd6d dns/eve: convert to jsonbuilder 5 years ago
Jason Ish 6a70d6bb6e sip/eve: convert to jsonbuilder 5 years ago
Jason Ish e9a3415fc2 dhcp/eve: add common eve fields
Add the common eve fields like metadata and community id.
5 years ago
Jason Ish deed0541bb dhcp/eve: convert to jsonbuilder 5 years ago
Jason Ish 30cc373b7f alert/eve: convert to jsonbuilder
Convert alert Eve logging to JsonBuilder. Currently
makes heavy use of JsonBuilder being able to log Jansson's json_t
which is a temporary measure until all protocols loggers can be
converted to JsonBuilder.

New functions that replace Jansson versions with JsonBuilder
variations use "Eve" instead of "JSON".
5 years ago
Jason Ish 5e1b44ac71 alert/eve: use addr info struct for source/target (jsonbuilder prep)
Update the source/target logging to use the cached address info
instead of fetching it from the constructed json_t object.

This is required for migration to JsonBuilder which does not
have the ability to retrieve already set fields.
5 years ago
Jason Ish 5ab673aee2 flow/eve: separate flow and app_proto logging (jsonbuilder prep)
Currently the flow logger also logs app_proto information,
but not to the flow object, but instead to the root object
of the log record.

Refactor into 2 separate methods, one for the app_proto
and one for the flow, to make this more clear, as well
as make it easier to refactor for JsonBuilder as JsonBuilder
can only write to the currently open object.
5 years ago
Jason Ish 99f460aa5a eve/fivetuple: use intermediate address struct (jsonbuilder prep)
Currently alert logging relies on the ability to change existing
values in the json_t structure to overwrite addresses with xff
data. This feature is also used for the "target" logging.

As we can't do this with JsonBuilder, create a new struct to
hold the 5 tuple, with the values swapped as needed, and
overwritten with XFF data if needed. This struct will now
be used to write out the 5 tuple, as well as cache the information
for log fields to be written out later on in the log path.
5 years ago
Jason Ish cc4f9d7f3d alert/eve: remove jansson specific feature (jsonbuilder prep)
Remove the Jansson specific feature of being able to delete
an object from json_t, in prep for refactors to JsonBuilder.

Instead create a new header for each alert to be logged.
5 years ago
Jason Ish f4f1fdbf86 alert/eve: move logging of rule text (jsonbuilder prep)
Move the logging of the rule text to where the alert object
is being logged to remove the usage of json_object_get...

Getting previously logged objects will not be possible with
JsonBuilder.
5 years ago
Victor Julien f8f2a2bbc0 detect/pcre: set app proto correctly when using modifiers 5 years ago
Victor Julien 9fd56e8430 detect/pcre: minor code cleanups 5 years ago
Victor Julien de6c9b9441 detect: clarify and slightly cleanup non-pf logic 5 years ago
Victor Julien 5acfdfcc76 flow/manager: fix management tasks not running
Fix tasks not running on the first manager, even if there is just
a single manager.
5 years ago
Eric Leblond ae5650d443 magic: get rid of global lock
Global magic context was involving a lock that appeared to be really
costly for some traffic.
5 years ago
Victor Julien d8c82d4f39 af-packet: fix warnings by undefined sanitizer 5 years ago
Victor Julien 3957750731 capture: optimize checksum handling
Don't use a flag in the livedev, but overwrite the config setting after
'auto' mode has determined checksums should be disabled.
5 years ago
Victor Julien bbdc11842d windows: fix timestring timezone display
Bug: #3690
5 years ago
Jeff Lucovsky 12148bc53c detect/pcre: Use the keyword context for JIT stack
When PCRE `jit` is available, store the JIT stack in the keyword context
instead of on a global id. This ensures proper cleanup and
re-initialization over a rule reload.
5 years ago
Victor Julien d1e690ccb3 profiling: c11 atomics fixup 5 years ago
Jason Ish ca88e4d0e3 filestore v1: remove
File store v1 has been deprecated and was scheduled for removal
by June 2020.

Log an error if a file-store configuration is loaded without
version set to 2.
5 years ago
Philippe Antoine 69b4fffdae parse: move SSH parser from C to Rust 5 years ago
Shivani Bhardwaj 6457754fd6 dcerpc: Replace C function calls with Rust
All the dead code in C after the Rust implementation is hereby removed.
Invalid/migrated tests have also been deleted.
All the function calls in C have been replaced with appropriate calls to
Rust functions. Same has been done for smb/detect.rs as a part of this
migration.
5 years ago
Philippe Antoine 2fe82ce0d6 fuzz: do not reuse global variable named suricata 5 years ago
Philippe Antoine 304aedfa95 fuzz: improves sigpcap target
So that it can cover alert generation
i.e. in function DetectRun, get past scratch.sgh == NULL condition
5 years ago
Jeff Lucovsky 690bd14371 napatech: Fix parameters passed to thread-check
This commit corrects an error introduced earlier: the call to
`TmThreadsCaptureHandleTimeout` is passing too many parameters.
5 years ago
Jeff Lucovsky 9db8a917a2 dag: Fix parameters passed to thread-check
This commit corrects an error introduced earlier: the call to
`TmThreadsCaptureHandleTimeout` is passing too many parameters.
5 years ago
Victor Julien a0392c6027 fuzz/sigpcap: enable protocols, add more outputs 5 years ago
Victor Julien 032f31b7d3 htp: fix test after libhtp changes 5 years ago
Jeff Lucovsky beb45c564e detect/smtp: Refactor command check
This commit refactors the code that matches reply with command.

Bug: #3677
5 years ago
Jeff Lucovsky dc7a991bfb app-layer/smtp: Improve RSET handling
This commit improves how the parser handles the `RSET` command.
Termination of the transaction occurs when the `RSET` ack is seen (reply
code 250).

Bug: #3677
5 years ago
Philippe Antoine a15e503b7d enip: more precise probing parser
Bug: #3615
5 years ago
Victor Julien 049c5fe230 detect/port: limit recursion in port parsing
Bug: #3586
5 years ago
Victor Julien 476b5f21f3 detect/address: limit recursion during parsing
Allow a max depth of 64.

Bug: #3586
5 years ago
Victor Julien b6658e6269 detect/address: minor cleanups 5 years ago
Victor Julien 41d0dcae99 decode: cleanup packet properly on bad packets
In case of bad IPv4, TCP or UDP, the per packet ip4vars/tcpvars/udpvar
structures would not be cleaned up because the cleanup depends on the
'header' pointer being set, but the error handling would unset that.

This could mean these structures were already filled with values before
the error was detected. As packets were recycled, the next packet decoding
would use this unclean structure.

To make things worse these structures are part of unions. IPv4/IPv6 and
TCP/ICMPv4/ICMPv6 share the same memory location.

LibFuzzer+UBSAN found this both locally and in Oss-Fuzz:

decode-ipv6.c:654:9: runtime error: load of value 6, which is not a valid value for type 'bool'
    #0 0x6146f0 in DecodeIPV6 /src/suricata/src/decode-ipv6.c:654:9
    #1 0x617e96 in DecodeNull /src/suricata/src/decode-null.c:70:13
    #2 0x9dd8a4 in DecodePcapFile /src/suricata/src/source-pcap-file.c:412:9
    #3 0x4c8ed2 in LLVMFuzzerTestOneInput /src/suricata/src/tests/fuzz/fuzz_sigpcap.c:158:25
    #4 0x457e51 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #5 0x457575 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #6 0x459917 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #7 0x45a6a5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
    #8 0x448728 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
    #9 0x472552 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #10 0x7ff0d097b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x41bde8 in _start (/out/fuzz_sigpcap+0x41bde8)

Bug: #3496
5 years ago
Victor Julien 3ed188e0bc ssl: support multi-frag certificate assembly
Support reassembling multi-frag certificates. For this the cert queuing
code is changed to queue just the cert, not entire tls record.

Improve message tracking. Better track where a message starts and ends
before passing data around.

Add wrapper macros to check for 'impossible' conditions that are activated
in debug validation mode. This helps fuzzers find input that might trigger
these conditions, if they exist.
5 years ago
Victor Julien 4f679fd843 ssl: add asserts for 'impossible' conditions
Wrap in debug validation so that fuzzing can pick them up.
5 years ago
Victor Julien 68d5a9dc2c tls/sni: parsing cleanup
Set proper event on all invalid sni length values.
5 years ago
Victor Julien 61b8c99236 ssl: improve error checking 5 years ago
Victor Julien bb06298102 ssl: unify main parsing routine 5 years ago
Victor Julien 40be9d2219 ssl: improve debug output 5 years ago
Victor Julien f1bf11f716 ssl: record parsing cleanup 5 years ago
Victor Julien ab44b5edac ssl: handshake parsing code cleanup 5 years ago
Victor Julien d1ada2e13c ssl: copy data using a safe memcpy wrapper
To avoid future memcpy issues introduce a wrapper and check the
result of it.

When compiled with --enable-debug-validation the wrapper will abort if
the input is wrong.
5 years ago
Victor Julien cffbdff024 ssl: don't say we consumed bytes if we didn't consume them 5 years ago
Victor Julien 9950ebffe6 ssl: code cleanups 5 years ago
Victor Julien 1578c84605 ssl: bump copyright year 5 years ago
Victor Julien 9a97821c43 ssl: improve 'first cert' check to avoid leaks
In some error conditions, or potentially in case of multiple 'certificate'
records, the extracted subject, issuerdn and serial could be overwritten
without freeing the original memory.
5 years ago
Victor Julien fa2a1385ea ssl: fix handshake cert buffer sizing
'trec' buffer was not grown properly when it was checked as too small.
After this it wasn't checked again so that copying into the buffer could
overflow it.
5 years ago
Victor Julien 26bcc97515 detect/keywords: dynamic version part of doc URL 5 years ago
Victor Julien 8f2df0f938 logging: fix default log format for release mode 5 years ago
Victor Julien eef7760870 datasets: reputation value validation 5 years ago
Philippe Antoine ae102ca096 detect: refactoring parsing of ip range
To optimize first netmask
5 years ago
Philippe Antoine 8ca9c0e8f0 signature: minimizes ip CIDR for ip range
Example leading to over allocation is 41.232.107.2-43.252.37.6
5 years ago
Jeff Lucovsky fa082d04dc decode/erspan: Warn on ERSPAN Type I config
This commit checks whether pre-6.x settings for ERSPAN Type I are
present. ERSPAN Type I is no longer enabled/disabled through a
configuration setting -- it's always enabled.

When a setting exists to enable/disable ERSPAN Type I decoding, a
warning message is logged.

Enabling/disabling ERSPAN Type I decode has been deprecated in 6.x.
5 years ago
Jeff Lucovsky 82da71bbc4 decode/erspan: Add warning ERSPAN Type I config
This commit adds a warning value when ERSPAN Type I configuration
settings are detected; specifically, when ERSPAN Type I `enabled` is
specified.

Enabling/disabling ERSPAN Type I decode has been deprecated in 6.x.
5 years ago