Commit Graph

165 Commits (c6e0ba2b8549adf3c8b82ebdc13a5cd9f8ae0370)

Author SHA1 Message Date
Philippe Antoine 4af3bd9c91 rust: bindgen SCDetectHelperKeywordSetCleanCString
Ticket: 7667
2 months ago
Philippe Antoine 41fcf3b356 detect: fix some -Wshorten-64-to-32 warnings
Ticket: #6186
3 months ago
Jeff Lucovsky 19fe098e88 detect/ftp: Add ftp.dynamic_port keyword
Issue: 7504

Add implementation of the ftp.dynamic_port rule keyword. The
implementation uses the U16 integer matching/parsing and thus supports
the comparison operations such as <, >, <=, >=, !, !=, and range (-).
3 months ago
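The operator set named in the commit above (<, >, <=, >=, !, !=, and a-b ranges) is the same one later generic-integer conversions on this page (snmp.pdu_type, rfb.secresult) adopt. The following is an added example, not Suricata's own code: an illustrative re-implementation of that syntax for a U16 keyword in Rust, the language this commit series moves the detect keywords into. The type and function names, the Result-based error handling, the rejection of empty ranges and the exclusive treatment of range bounds are all assumptions of this example; check the Suricata documentation for the engine's actual range semantics.

```rust
// Added example, not Suricata code: an illustrative re-implementation of the
// comparison syntax the ftp.dynamic_port commit describes for U16 keywords
// (<, >, <=, >=, !, !=, and a-b ranges). Names, the Result-based error
// handling and the exclusive treatment of range bounds are assumptions of this
// example; check the Suricata documentation for the engine's actual semantics.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum U16Match {
    Equal(u16),
    NotEqual(u16),
    Less(u16),
    LessEqual(u16),
    Greater(u16),
    GreaterEqual(u16),
    /// Range(lo, hi): matches values strictly between lo and hi (assumption).
    Range(u16, u16),
}

/// Parse a keyword argument such as ">=1024", "!21" or "1023-65535".
/// Values outside 0..=65535 are rejected by u16's FromStr, so a rule
/// author cannot silently wrap an out-of-range port into a valid one.
pub fn parse_u16_match(spec: &str) -> Result<U16Match, String> {
    let s = spec.trim();
    let num = |t: &str| -> Result<u16, String> {
        t.trim()
            .parse::<u16>()
            .map_err(|e| format!("invalid u16 {:?}: {}", t.trim(), e))
    };
    // Two-character operators must be tried before their one-character prefixes.
    if let Some(rest) = s.strip_prefix("<=") {
        return Ok(U16Match::LessEqual(num(rest)?));
    }
    if let Some(rest) = s.strip_prefix(">=") {
        return Ok(U16Match::GreaterEqual(num(rest)?));
    }
    if let Some(rest) = s.strip_prefix("!=") {
        return Ok(U16Match::NotEqual(num(rest)?));
    }
    if let Some(rest) = s.strip_prefix('!') {
        return Ok(U16Match::NotEqual(num(rest)?));
    }
    if let Some(rest) = s.strip_prefix('<') {
        return Ok(U16Match::Less(num(rest)?));
    }
    if let Some(rest) = s.strip_prefix('>') {
        return Ok(U16Match::Greater(num(rest)?));
    }
    if let Some((lo, hi)) = s.split_once('-') {
        let (lo, hi) = (num(lo)?, num(hi)?);
        // With exclusive bounds, lo+1 >= hi means no integer can ever match;
        // reject the rule at load time instead of shipping a dead signature.
        if lo.saturating_add(1) >= hi {
            return Err(format!("range {}-{} cannot match any value", lo, hi));
        }
        return Ok(U16Match::Range(lo, hi));
    }
    Ok(U16Match::Equal(num(s)?))
}

/// Evaluate a parsed match against a value extracted from the protocol.
pub fn u16_matches(m: U16Match, v: u16) -> bool {
    match m {
        U16Match::Equal(x) => v == x,
        U16Match::NotEqual(x) => v != x,
        U16Match::Less(x) => v < x,
        U16Match::LessEqual(x) => v <= x,
        U16Match::Greater(x) => v > x,
        U16Match::GreaterEqual(x) => v >= x,
        U16Match::Range(lo, hi) => v > lo && v < hi,
    }
}

fn main() {
    // Constructed sample values, not captured traffic.
    let seen = [20u16, 1024, 40000];
    let spec = parse_u16_match("1023-65535").expect("valid spec");
    for p in seen {
        println!("{:>5} matches {:?}: {}", p, spec, u16_matches(spec, p));
    }
}
```

The order of the `strip_prefix` checks matters: testing `<` before `<=` would parse "<=21" as "less than" with an argument of "=21" and fail, so the two-character forms go first. Rejecting unmatchable ranges at parse time is the check a rule author wants, since a silently dead signature is worse than a load error.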
Philippe Antoine aa7f926ff4 detect: rust helper to register sticky buffer 3 months ago
Philippe Antoine a7f4fd12d5 detect: remove never set SIGMATCH_NOT_BUILT 3 months ago
Philippe Antoine 9814b698c8 detect/dns: move keywords to rust
Ticket: 7529
Ticket: 3725

Adds url for dns.opcode on the way
3 months ago
Victor Julien f96e97205c firewall: detect: add feature flag for keywords supporting firewall 3 months ago
Victor Julien 88e96c9d49 detect/domain: move transform fully to rust 4 months ago
Jeff Lucovsky e0131f6098 detect/ftp: Add ftp.reply rule keyword
Issue: 7508

Add the rule detection keyword "ftp.reply". This is a multi-buffer
command.
4 months ago
Eric Leblond 0b031a33c6 domain: add new transformation
Ticket: #5639
4 months ago
Victor Julien 6f5fd77cb9 detect/app-layer-state: keyword for protocol state
Allow matching on the app-layer protocol state.
4 months ago
Victor Julien 67df6ad94e detect: introduce explicit hooks
Generic:
        <app_proto>:request_started and <app_proto>:response_started
        <app_proto>:request_complete and <app_proto>:response_complete

Per protocol, it uses the registered progress (state) values. E.g.

        tls:client_hello_done

A ruleset could be:

        pass tls:client_hello_done any any -> any any (tls.sni; content:"www.google.com"; sid:21; alert;)
        drop tls:client_hello_done any any -> any any (sid:22;)

The pass rule is evaluated when the client hello is parsed, and if it
doesn't match, the drop rule will be evaluated.

Registers each generic list as "<alproto>:<progress state>:generic"
(e.g. "tls:client_hello_done:generic").

Ticket: #7485.
4 months ago
Philippe Antoine 3b271b3f5b detect: rename with prefix SCSigTablePreRegister
to make it available to rust via bindgen
4 months ago
Philippe Antoine d24a3eb5f6 snmp: register protocol dynamically
Ticket: 4103
4 months ago
Jeff Lucovsky 559cdc358d detect/ftp: ftp.command_data keyword
Issue: 7503

Add the rule keyword ftp.command_data; a sticky buffer that matches on
the values sent with FTP commands, e.g., USER someuser
4 months ago
Victor Julien 4da69a52fe detect/sdp: minor style fixup 4 months ago
Giuseppe Longo 2f24f49dba sdp: add sdp.session_name sticky buffer
This adds a sticky buffer to match the "Session name" field in both
requests and responses.

Ticket #7291
4 months ago
Jeff Lucovsky fdc0ac590e detect/entropy: Add entropy keyword
This commit adds keyword/build support for the entropy keyword. The
entropy keyword compares an entropy value with a value calculated
according to the Shannon entropy on the available content.

Issue: 4162
4 months ago
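The commit above says the keyword compares its argument against the Shannon entropy of the available content. As an added example that is not Suricata's implementation, the Rust below computes that quantity over a byte buffer and wraps it in a threshold check of the kind a detection keyword performs. The function names, the bits-per-byte (log2) scale, the threshold and the sample inputs (a constant buffer, an English sentence, and a deterministic xorshift byte stream standing in for encrypted data) are assumptions and constructed data for this example.

```rust
// Added example, not Suricata's implementation: Shannon entropy over a byte
// buffer, the quantity the entropy keyword compares against its argument.
// Function names, the per-byte (log2) scale and the sample inputs below are
// assumptions / constructed data for this example.

/// Shannon entropy of `data` in bits per byte: 0.0 for a constant buffer,
/// 8.0 when all 256 byte values are equally frequent. An empty buffer yields 0.0.
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let mut counts = [0usize; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let n = data.len() as f64;
    counts
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Detection-style check: true when the buffer's entropy is at least
/// `threshold` bits per byte. High entropy in a field expected to hold plain
/// text (a hostname, a URI path, an FTP argument) is a common heuristic for
/// encrypted or encoded content.
pub fn entropy_at_least(data: &[u8], threshold: f64) -> bool {
    shannon_entropy(data) >= threshold
}

/// Deterministic xorshift32 stream used to construct a random-looking sample
/// without external crates (constructed test data, not captured traffic).
/// `state` must be non-zero.
pub fn xorshift_bytes(mut state: u32, len: usize) -> Vec<u8> {
    (0..len)
        .map(|_| {
            state ^= state << 13;
            state ^= state >> 17;
            state ^= state << 5;
            (state & 0xff) as u8
        })
        .collect()
}

fn main() {
    let samples: [(&str, Vec<u8>); 3] = [
        ("constant", vec![b'A'; 64]),
        ("english text", b"the quick brown fox jumps over the lazy dog".to_vec()),
        ("xorshift bytes", xorshift_bytes(0x2545_F491, 4096)),
    ];
    for (name, data) in &samples {
        println!(
            "{:<15} entropy = {:.3} bits/byte, >= 7.0: {}",
            name,
            shannon_entropy(data),
            entropy_at_least(data, 7.0)
        );
    }
}
```

Two edge cases matter for a detection keyword: an empty buffer must not divide by zero (it returns 0.0 here), and the result is only meaningful relative to the buffer length, since a very short buffer cannot reach high entropy even when its bytes are random. Thresholds should therefore be tuned per buffer, not copied between keywords.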
Alice Akaki 90aab0d62f detect: add email.from
email.from matches on MIME EMAIL FROM
This keyword maps to the EVE field email.from
It is a sticky buffer
Supports prefiltering

Ticket: #7592
4 months ago
Jason Ish 814e9ffb7a dns: add keywords for additionals and authorities rrnames
Add keywords dns.additionals.rrname and dns.authorities.rrname. Along
the way, consolidate dns.query.name and dns.answer.name into a single file
and register them altogether since there is a lot of common code.
5 months ago
Nathan Scrivens 07632fdf4e dns: add dns.response sticky buffer
Feature: 7012
Add dns.response sticky buffer to match on dns response fields.
Add rust functions to return dns response packet data.
Unit tests verifying signature matching.
5 months ago
Alice Akaki 7b350e9933 misc: fix name prefix in detect register functions 5 months ago
Jeff Lucovsky b662feb162 detect/ftp.command: Add sticky buffer
Issue: 7502

Add a sticky buffer for "ftp.command" for matching on FTP command names.
6 months ago
Philippe Antoine 3d3b1ade9d detect/smtp: smtp.helo keyword
Ticket: 7515

It is a sticky buffer mapping to the smtp.helo log field
6 months ago
Alice Akaki cdb043810f detect: add ldap.request.operation
ldap.request.operation matches on Lightweight Directory Access Protocol request operations
This keyword maps to the eve field ldap.request.operation
It is an unsigned 8-bit integer
Doesn't support prefiltering

Ticket: #7453
6 months ago
Jason Ish c5089ac5f4 dhcp: cleanup visibility and naming
- remove "rs_" prefix from functions that are not exported
- prefix exported functions with "SC"
- don't export functions that are only used by pointer

Ticket: 7498
6 months ago
Alice Akaki 078c6469a0 detect: add vlan.layers keyword
vlan.layers matches on the number of VLAN layers per packet
It is an unsigned 8-bit integer
Valid range = [0-3]
Supports prefiltering

Ticket: #1065
6 months ago
Alice Akaki b1c2643c87 detect: add vlan.id keyword
vlan.id matches on Virtual Local Area Network IDs
It is an unsigned 16-bit integer
Valid range = [0-4095]
Supports prefiltering

Ticket: #1065
6 months ago
Philippe Antoine eab212b0be plugins: app-layer plugins
Ticket: 5053
6 months ago
Shivani Bhardwaj aad313438c flow/pkts: make syntax cleaner and compact
Currently, the syntax includes direction as a part of the keyword, which
is against how keywords are usually done. By making direction a
mandatory argument, it is possible to make the syntax cleaner and the
implementation more compact and easily extendable.
Pros:
- Registration table sees fewer entries if newer options are added
- If the options have to be extended, it can be done trivially
- In accordance with existing keyword implementations

Note that this commit also retains the existing direction specific
keywords.
7 months ago
Jason Ish 8bcc844b6f sigtable: add function to test for a keyword
To be used by the requires keyword to check for keyword support.

Ticket: #7403
8 months ago
Jason Ish 2ac16ee1a6 detect: break apart sigtable setup and initialization
Allows initialization to be done early, so the table is ready for
dynamic registration by plugins which are loaded before signature
setup.
8 months ago
Philippe Antoine 63324b7368 transforms: move urldecode to rust
Ticket: 7229
9 months ago
Philippe Antoine 8984bc6801 transforms: move xor to rust
Ticket: 7229
9 months ago
Philippe Antoine 45e0acf772 transforms: move http headers transforms to rust
Ticket: 7229
9 months ago
Philippe Antoine f0414570d2 transforms: move casechange to rust
Ticket: 7229
9 months ago
Philippe Antoine 0e5b49d20f transforms: move hash transforms to rust
md5, sha1 and sha256

Ticket: 7229
9 months ago
Philippe Antoine 71da38e702 transforms: move dotprefix to rust
Ticket: 7229
9 months ago
Philippe Antoine 966f659201 transforms: move compress_whitespace to rust
Ticket: 7229
9 months ago
Philippe Antoine 4985ebc0e0 transforms: move strip_whitespace to rust
Ticket: 7229
9 months ago
Philippe Antoine 96c8470cdd template: move detect keywords to pure rust
Ticket: 3195

Also remove unused src/tests/detect-template-buffer.c

Completes commit 4a7567b3f0
to remove references to template-rust
10 months ago
Giuseppe Longo 969f4d131f sip: rustify sticky buffers
Ticket #7204
10 months ago
Philippe Antoine 62a186ceef detect/rfb: move keywords to rust
Ticket: 7178

On the way, convert rfb.secresult to a generic integer with enumeration
cf ticket 6723
12 months ago
Philippe Antoine 0a1062fad2 detect/mqtt: move keywords to rust
Ticket: 4863

On the way, convert some keywords to use the first-class integer
support.
And helpers for pure-rust support of multi-buffer.

Move the C unit tests about keyword mqtt.protocol_version
to unit tests for generic integer parsing, and test version 5
instead of testing version 3 twice.

Also iterate all tx's messages for reason code as is done for other
keywords.

And allow detection on empty topics.
1 year ago
Jeff Lucovsky f042e9034b detect/transform: Add from_base64 transform
Issue: 6487

Implement the from_base64 transform:
    [bytes value] [offset value] [mode strict|rfc4648|rfc2045]

    The value for bytes and offset may be a byte_ variable or an
    unsigned integer.
1 year ago
Victor Julien 3d059611c3 detect: add tls.alpn keyword
Ticket: #7108.
1 year ago
Philippe Antoine 4fe3f04fa3 detect/enip: move keywords to rust
Ticket: 4863
1 year ago
Philippe Antoine ce1eea4ad6 detect/websocket: move keywords to rust
Ticket: 4863
1 year ago
Philippe Antoine 16952d67e7 detect/dhcp: move keywords to rust
Ticket: 4863
1 year ago
Philippe Antoine ae72376ebe detect/snmp: move keywords to rust
Ticket: 4863

On the way, convert unit test DetectSNMPCommunityTest to a SV test.

And also, make snmp.pdu_type use a generic uint32 for detection,
allowing operators, instead of just equality.
1 year ago