suricata

Commit Graph

Author	SHA1	Message	Date
Jason Ish	29a4a7fddc	rust: fix clippy lints for clippy::assign_op_pattern	2 years ago
Jason Ish	c4034dafa1	rust: fix clippy lints for clippy::derive_partial_eq_without_eq	2 years ago
Jason Ish	5a10fcd2d8	rust: suppress large enum variant lint at location And disable the global lint.	2 years ago
Jason Ish	74b7522b6a	rust/http2: box decompressor variants These variants, in particular the Brotli one can be large at over 2500 bytes which is allocated no matter which decompressor is being used. Gzip comes in at over 500 bytes. Box deflate for consistency.	2 years ago
Jason Ish	36f8ada305	rust: remove clippy lints that no longer warn	2 years ago
Jason Ish	e8c00dd980	rust: sort clippy allow statements	2 years ago
Haleema Khan	6c922e0b98	rust: fix lint warning for clippy::enum's name Ticket: #4597	2 years ago
Jason Ish	2a42386c28	rust: fix clippy lint for null comparison Use .is_null() instead of checking for equality against std::ptr::null().	2 years ago
Jason Ish	45dfea2497	rust/modbus: derive default instead of manual impl Cleans up a clippy lint for a trivial default impl that can be derived.	2 years ago
Jason Ish	9218da0eb8	rust/frames: cleanup clippy lint for unsafe Where possible mark the relevant functions unsafe. Otherwise suppress the warning for now as this pattern is supposed to be a safe API around an unsafe one. Might need some further investigation, but in general the "guarantee" here is provided from the C side.	2 years ago
Jason Ish	105d9a5f02	rust: fix clippy lint for unnecessary_unwrap Avoid check if not none followed by unwrap.	2 years ago
Jason Ish	85cfa7254b	rust: fix clippy lint for single_char_add_str Idiomatic cleanup and a fix automatically done by `cargo clippy --fix`.	2 years ago
Jason Ish	f3e4bcfe23	rust: fix clippy lint for bool_assert_comparison Checking for is_empty is faster than checking for equality.	2 years ago
Jason Ish	f60e1b30f6	rust: fix clippy lint for partialeq_to_none Use .is_some() and .is_none() instead of comparing against None. Comparing against None requires a value to impl PartialEq, is_none() and is_some() do not and are more idiomatic.	2 years ago
Jason Ish	7d623f0854	rust: fix clippy lint for explicit_auto_deref This adds unnecessary complexity to code.	2 years ago
Jason Ish	c503ca62e2	rust: fix clippy lint for needless_late_init	2 years ago
Jason Ish	94dd85baed	rust: fix clippy lint for borrow_deref_ref This type of borrow then reference has no effect.	2 years ago
Jason Ish	e9597f3d0c	rust: fix clippy lint for redundant_closure Removes a closure where the function can be directly provided.	2 years ago
Jason Ish	c5b26e2043	rust: fix clippy ling for needless borrows Cleanup needless borrows found by clippy. This fix done automatically by `cargo clippy --fix`.	2 years ago
Jason Ish	63b3d73ccc	rust: allow some more clippy lints Allow these lints for now until some more investigation can be done, as --fix attempts to fix these.	2 years ago
Eric Leblond	a9519778de	rust/smb: avoid allocation in smb status function Avoid an allocation by returning a static string.	2 years ago
Eric Leblond	9cb06d4376	detect/smb: add smb.ntlmssp_domain keyword Feature #5411.	2 years ago
Eric Leblond	5debb86cd5	rust/smb1: add a missing command	2 years ago
Eric Leblond	69ef1bc194	detect/smb: add smb.ntlmssp_user keyword Feature #5411.	2 years ago
Eric Leblond	f46f895e8d	rust/smb: import NT status code for Microsoft doc This patch updates the NT status code definition to use the status definition used on Microsoft documentation website. A first python script is building JSON object with code definition. ``` import json from bs4 import BeautifulSoup import requests ntstatus = requests.get('https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55') ntstatus_parsed = BeautifulSoup(ntstatus.text, 'html.parser') ntstatus_parsed = ntstatus_parsed.find('tbody') ntstatus_dict = {} for item in ntstatus_parsed.find_all('tr'): cell = item.find_all('td') if len(cell) == 0: continue code = cell[0].find_all('p') description_ps = cell[1].find_all('p') description_list = [] if len(description_ps): for desc in description_ps: if not desc.string is None: description_list.append(desc.string.replace('\n ', '')) else: description_list = ['Description not available'] if not code[0].string.lower() in ntstatus_dict: ntstatus_dict[code[0].string.lower()] = {"text": code[1].string, "desc": ' '.join(description_list)} print(json.dumps(ntstatus_dict)) ``` The second one is generating the code that is ready to be inserted into the source file: ``` import json ntstatus_file = open('ntstatus.json', 'r') ntstatus = json.loads(ntstatus_file.read()) declaration_format = 'pub const SMB_NT%s:%su32 = %s;\n' resolution_format = ' SMB_NT%s%s=> "%s",\n' declaration = "" resolution = "" text_max = len(max([ntstatus[x]['text'] for x in ntstatus.keys()], key=len)) for code in ntstatus.keys(): text = ntstatus[code]['text'] text_spaces = ' ' * (4 + text_max - len(text)) declaration += declaration_format % (text, text_spaces, code) resolution += resolution_format % (text, text_spaces, text) print(declaration) print('\n') print(''' pub fn smb_ntstatus_string(c: u32) -> String { match c { ''') print(resolution) print(''' _ => { return (c).to_string(); }, }.to_string() } ''') ``` Bug #5412.	2 years ago
Victor Julien	db0f9ddc69	files/tx: inspection, logging and loop optimizations Introduce AppLayerTxData::file_tx as direction(s) indicator for transactions. When set to 0, its not a file tx and it will not be considered for file inspection, logging and housekeeping tasks. Various tx loop optimizations in housekeeping and output. Update the "file capable" app-layers to set the fields based on their directional file support as well as on the traffic.	2 years ago
Victor Julien	79499e4769	app-layer: move files into transactions Update APIs to store files in transactions instead of the per flow state. Goal is to avoid the overhead of matching up files and transactions in cases where there are many of both. Update all protocol implementations to support this. Update file logging logic to account for having files in transactions. Instead of it acting separately on file containers, it is now tied into the transaction logging. Update the filestore keyword to consider a match if filestore output not enabled.	2 years ago
Victor Julien	01e64d80da	app-layer: trunc parser per direction	2 years ago
Victor Julien	ff9d1807f9	app-layer: parser flags to u16	2 years ago
Victor Julien	c27df6304d	app-layer: introduce common AppLayerStateData API Add per state structure for storing flags and other variables.	2 years ago
Victor Julien	879a46f085	rust: lock to time 0.3.13 to avoid MSRV bump to 1.59 Indirect dependency through x509-parser.	2 years ago
Pierre Chifflier	16db04c1a7	rust: remove nom 5 dependency	2 years ago
Pierre Chifflier	0acf75bff7	rust/applayertemplate: convert to nom7	2 years ago
Pierre Chifflier	378e915846	rust/asn1: convert parsers to nom7	2 years ago
Pierre Chifflier	0ba0572c4a	rust/x509: finish transition to nom7	2 years ago
Pierre Chifflier	3ef5121ab0	rust/telnet: convert parsers to nom7	2 years ago
Pierre Chifflier	d98b386f36	rust/conf: convert parser to nom7	2 years ago
Pierre Chifflier	db9a1e17b6	rust/ssh: finish transition to nom7	2 years ago
Pierre Chifflier	b31c72c06a	rust/rdp: convert parsers to nom7	2 years ago
Pierre Chifflier	49520b2143	rust/rdp: upgrade dependency on tls-parser	2 years ago
Pierre Chifflier	beadd090b8	rust: upgrade versions of BER/DER, Kerberos and SNMP parsers	2 years ago
Jason Ish	baab1de735	rust: update x509-parser to 0.14.0 Resolves RustSec issues in time and chrono: - https://rustsec.org/advisories/RUSTSEC-2020-0071 - https://rustsec.org/advisories/RUSTSEC-2020-0159 Ticket: #5259. Ammended by Victor Julien to bump to 0.14 instead of 0.13.	2 years ago
Pierre Chifflier	3aace49649	rust/x509: update dependency on x509-parser	2 years ago
Jeff Lucovsky	ab4d0f7f4a	detect/stream_size: Rename detect.rs to stream_size.rs This commit renames detect.rs to stream_size.rs to reflect its content.	2 years ago
Jeff Lucovsky	2386f2614f	detect/iprep: Move iprep logic into a separate module	2 years ago
Jeff Lucovsky	c957882d1c	detect/uri: Move uri logic into a separate module	2 years ago
Jeff Lucovsky	484c34bc60	detect/uint: Move uint logic into a separate module This commit moves the uint logic into its own module.	2 years ago
Jeff Lucovsky	8bfe427a74	rust/detect: Create detect module for rule parsing This commit creates a module named "detect" for rule parsing logic. As part of this commit, detect.rs is moved from its toplevel position into the new module. Thus, use crate::detect::detect to refer to items within detect.rs (instead of create::detect). Ticket: 5077	2 years ago
Jeff Lucovsky	ccd1063e43	detect/bytemath: convert parser to Rust Issue: 5077 This commit - Converts the PCRE based parser to Rust. - Adds unit tests to the new Rust modules - Removes the PCRE parser from detect-bytemath.c - Adjusts the C source modules to refer to the Rust definitions - Includes the multiply operator (missing from the C parser)	2 years ago
Philippe Antoine	af40873127	pgsql: config limit maximum number of live transactions As is done for other protocols Ticket: #5527	2 years ago
Philippe Antoine	e160917bcf	mqtt: remove quadratic time complexity When having many transactions in a single parsing call... Fix has overhead of having one more field in the mqtt state. Completes commit `a8079dc978` Ticket: #5399	2 years ago
Philippe Antoine	5ef259722b	dhcp: adds renewal-time keyword Ticket: #5507	3 years ago
Philippe Antoine	6faf6299e0	dhcp: adds rebinding-time keyword Ticket: #5506	3 years ago
Philippe Antoine	95f0424423	nfs4: fix write record handling Ticket: #5280	3 years ago
Philippe Antoine	bf43011a43	dcerpc: convert transaction list to vecdeque for UDP As was done for TCP in `dfe76bb90` and `d745d28d4` Ticket: #5518	3 years ago
Eric Leblond	2cc9152fc9	rust/smb: log uuid of interface in dcerpc When doing a DCERPC request, we can use the context id to log the interface that is used. Doing that we can see in one single event what is the DCERPC interface and opnum that are used. This allows to have all the information needed to resolve the request to a function call. Feature #5413.	3 years ago
Eric Leblond	b6f1cf255c	rust/smb/dcerpc: parse context id As context id is used to know to which variant of the endpoint the request is done, it is interesting to parse it. Feature #5413.	3 years ago
Philippe Antoine	11f849c3ee	protocol-change: sets event in case of failure Protocol change can fail if one protocol change is already occuring. Ticket: #5509	3 years ago
Philippe Antoine	e94920b49f	smb: do not use tree id to match create request and response As an SMB2 async response does not have a tree id, even if the request has it. Per spec, MessageId should be enough to identifiy a message request and response uniquely across all messages that are sent on the same SMB2 Protocol transport connection. So, the tree id is redundant anyways. Ticket: #5508	3 years ago
Philippe Antoine	461725a9bf	dhcp: adds leasetime keyword As it is logged Ticket: #5435	3 years ago
Philippe Antoine	9b4a133777	http2: remove to_vec for comparisons Ticket: #5454	3 years ago
Philippe Antoine	d011b468da	http2: fix clippy warning about &Vec<u8> Using &[u8] instead in function prototype	3 years ago
Philippe Antoine	3de735ae70	ike: log ikev1 tx fields instead of state ones As state fields can grow abitrarily, and this can lead to DOS by quadratic complexity (CPU time and disk space) Adds a direction field to retain all the information in the transaction. Also checks array vendor_ids had at least one element before logging it. Ticket: #5455	3 years ago
Philippe Antoine	d0171d7418	ike: rustfmt	3 years ago
Philippe Antoine	5c7b5c5fb5	krb: detection for ticket encryption As is done for logging. Ticket: #5442	3 years ago
Philippe Antoine	64b2385c64	krb: log for ticket encryption Also logs if the ticket encryption is weak. It is different from the encryption used for the rest of the packet, and this allows to detect kerberoasting attack. Ticket: #5442	3 years ago
Philippe Antoine	7fcc6696cb	krb: rustfmt kerberos.rs	3 years ago
Philippe Antoine	675de33405	krb: bump up crate version kerberos parser crate is also used by other procotols : nfs and smb. These protocols use an older der_parser crate version. Upgrading der_parser will simplify the code further.	3 years ago
Philippe Antoine	783dff2c38	krb: rustfmt detect.rs	3 years ago
Jason Ish	c862e84c01	rust/frames: cleanups - Implement the Display trait on Direction to print "toserver" or "toclient" which used in a format string. - Use Direction struct inside Frame instead of a u32. Requires a helper method as there are two representation in C for direction, and the C methods for frames don't use the internal representation of the Direction enum (some sweeping changes could help here)	3 years ago
Jason Ish	f92708b8ca	rust/frames: derive direction from StreamSlice On the Rust side, a Frame requires a StreamSlice to be created. We can derive the direction from the StreamSlice removing the need for callers to provide the direction when operating on the frame.	3 years ago
Jason Ish	b39d7f46e7	dns/tests: fix StreamSlice to satisfy debug validation	3 years ago
Philippe Antoine	f3b6fd3329	quic: update to nom7	3 years ago
Philippe Antoine	95125811b8	quic: reassemble crypto frames and parse it	3 years ago
Philippe Antoine	f242fb7f22	quic: events and rules on them	3 years ago
Philippe Antoine	b9c1d9e86b	quic: parse gquic version Q039 Ticket: #5166	3 years ago
Philippe Antoine	018fef5ef8	quic: ja3 computation and logging and detection Logging as is done in TLS. Detection using the generic generic ja3.string keyword Ticket: #5143	3 years ago
Philippe Antoine	c6cf61a39b	quic: complete parsing of initial for non gquic The format of initial packet for quic ietf, ie quic v1, is described in rfc 9000, section 17.2.2 Parse more frames and logs interesting extensions from crypto frame Do not try to parse encrypted data, ie after we have seen a crypto frame in each direction. Use sni from crypto frame with tls for detection already implemented Ticket: #4967	3 years ago
Philippe Antoine	7044131c39	quic: rustfmt	3 years ago
Philippe Antoine	0c346af4a9	rust: bump up digest crates so that we can use hkdf crate for quic	3 years ago
Philippe Antoine	2294e9cdbc	rdp: bump up tls-parser crate version so that we can use new functions in quic parser	3 years ago
Philippe Antoine	11e0eb9c89	quic: do not log empty cyu array Ticket: #5167	3 years ago
Philippe Antoine	632581ac95	ike: do not log empty notify array Ticket: #5167	3 years ago
Philippe Antoine	262a93ce18	mqtt: do not log reason_codes if there is none Ticket: #5167	3 years ago
Philippe Antoine	1621f5e453	detect/nfs: use inclusive ranges	3 years ago
Philippe Antoine	ed6955ee98	detect: use generic integer functions for iprep Ticket: #4112	3 years ago
Philippe Antoine	cfb60d0fce	detect: use generic integer functions for urilen Ticket: #4112	3 years ago
Philippe Antoine	c57052181c	snmp: rustfmt detect.rs	3 years ago
Philippe Antoine	c7214be99b	snmp: adds usm keyword as is logged Ticker: #5416	3 years ago
Philippe Antoine	eb1c2a6083	smb: use default stream-depth 0 by default As broken by commit `e5c948df87` Ticket: #5390	3 years ago
Philippe Antoine	c585be338c	nfs: fix arbitrary allocation Bug introduced by https://github.com/OISF/suricata/pull/7111 Nom's count begins by allocating a Vector, which leads to arbitrary allocation due to flavors_cnt coming from network, and not even being checked against i.len() Ticket: #5237	3 years ago
Philippe Antoine	26dc70648c	dns: remove unused events field from state found overflowing by oss-fuzz	3 years ago
Philippe Antoine	d1a4dae36b	detect: use generic integer functions for streamsize By the way, adds the prefilter feature Ticket: #2697 Ticket: #4112	3 years ago
Philippe Antoine	35b6dcec7e	detect: use generic integer functions for filesize Ticket: #4112	3 years ago
Philippe Antoine	f29b43defd	detect: rust generic functions for integers Move it away from http2 to generic core crate. And use it for DCERPC (and SMB) And remove the C version. Main change in API is the free function is not free itself, but a rust wrapper around unbox. Ticket: #4112	3 years ago
Philippe Antoine	c4d9cb02ec	util: better hex print function Without dangerous snprintf pattern identified by CodeQL even if this pattern is not a problem in those precise cases, it may easily get copy pasted in a dangerous place, so better get rid of it and make CodeQL happy	3 years ago
Philippe Antoine	6058792bee	rust: make suricata context const So that it is read only and its pointers do not get modified	3 years ago
Philippe Antoine	6224e283fa	modbus: bump up rust crate version So that probing parser is more strict and does not accept unknown function code as valid modbus. Ticket: #5377	3 years ago
Philippe Antoine	2d761810db	rust: cbindgen first verifies existing bindings So as not to recompile every C file inclusing rust.h	3 years ago
Juliana Fajardini	6ccc01a79c	rust: fix doc comments that trigger rust warnings Rust generates warnings that are treated as errors for documentation blocks before `extern` blocks.	3 years ago
Philippe Antoine	d745d28d4a	dcerpc: use vecdeque tx iterator Ticket: #5321	3 years ago
Jason Ish	dfe76bb905	dcerpc: convert transaction list to vecdeque Allows for more efficient removal from front of the list. Ticket: #5271	3 years ago
Jason Ish	8790968281	mqtt, rdp: fix copyright dates	3 years ago
Philippe Antoine	c78722a671	rust: RustParser same fields as AppLayerParser So that there is no problem when crossing FFI	3 years ago
Sam Muhammed	323fe1c1ac	nfs3/records: Fix typo Fix response_lookup unittest name	3 years ago
Jason Ish	b8b6a17a5b	dns: add pdu frame Adds a PDU frame to the DNS parser. For UDP this is the DNS payload portion of the DNS packet, for TCP this is the payload minus the leading legth field. Ticket: 4984	3 years ago
Jason Ish	8d1840f595	frames(rust): don't call into C if running Rust unit tests Wrap the calls behind frames to C code if a `cfg!(not(test))` so they don't get compiled when running Rust unit tests. Linkage to C functions is not yet available for Rust unit tests, and this will keep the check out of individual parsers. Ticket: 4984	3 years ago
Jason Ish	c74ea3840d	frames (rust): method to create StreamSlice from slice Useful in unit test for function that require a StreamSlice.	3 years ago
Jason Ish	d712a8b29d	eve/dns: remove dns v1 logging Removal of DNS v1 logging was scheduled to be removed in May 2022. Ticket: #4157	3 years ago
Jason Ish	e319d31c14	template(rust): convert transaction list to vecdeque Allows for more efficient removal from front of the list. Ticket: #5298	3 years ago
Jason Ish	9b0b2beac1	pgsql: convert transaction list to vecdeque Allows for more efficient removal from front of the list. Ticket: #5297	3 years ago
Jason Ish	2db84726ad	http2: convert transaction list to vecdeque Allows for more efficient removal from front of the list. Ticket: #5296	3 years ago
Jason Ish	4e0ad5e0bd	rdp: convert transaction list to vecdeque Allows for more efficient removal from front of the list. Ticket: #5295	3 years ago
Jason Ish	3b422e25f3	mqtt: convert transaction list to vecdeque Allows for more efficient removal from front. Ticket: #5294	3 years ago
Jason Ish	3189414788	dns: convert transaction list to vecdeque Allows for more efficient removal from front of the list. Ticket: #5277	3 years ago
Jason Ish	7b11b4d3a1	app-layer: more generic state trait Instead of a method that is required to return a slice of transactions, use 2 methods, one to return the number of transactions in the collection, and another to get a transaction by its index in the collection. This allows for the transaction collection to not be a contiguous array and instead can be a VecDeque, or possibly another collection type that supports retrieval by index. Ticket #5278	3 years ago
Juliana Fajardini	bbd9a2ff1a	pgsql: apply clippy fixes	3 years ago
Juliana Fajardini	0fc9ade7a9	pgsql: fix uint overflow and optimizations Fuzzers found a possible integer overflow bug when parsing response messages. To fix that, removed the case where we incremented the parsed field length and created a new message type for situations where Suri parsers an Unknown message. This is good because there may happen that an unknown message to Suri is valid, and in this case, we would still be able to log it. Philippe Antoine found the bug while fuzzing with rust debug assertions. Bug #5016	3 years ago
Juliana Fajardini	8daa79513a	pgsql: fix clippy is_null usage warning	3 years ago
Philippe Antoine	d2f00ac824	dcerpc: use wrappingadd for padding parsing As we compute a modulo, we can safely wrap around even if there is an overflow Ticket: #5301	3 years ago
Philippe Antoine	464ff80c6a	smb: protocol detection on pattern without midstream To recognize a protocol, Suricata first looks for patterns, which can be confirmed by a probing parser. If this does not work, Suricata can try to run some probing parsers on some ports. This is the case for SMB. This commit makes handling the confirming and the probing paser differently even if they share much code. The confirmation parser knows that a pattern has been found. So, it must not do the midstream case of looking for this pattern in the whole buffer, but only check it at the beginning. But it must reverse direction if needed.	3 years ago
Victor Julien	dc57460427	smb: fix event types for limit exceeded rules	3 years ago
Jason Ish	0623ada24d	dns: better error handling when parsing names The DNS name parser will error out with an error even if the error is incomplete. Instead of manually generating errors, use '?' to let the nom error ripple up the error handling chain. The reason this wasn't done in the first place is this code predates the ? operator, or we were not aware of it at the time. This prevents the case where probing fails when there is enough data to parse the header, but not enough to complete name parser. In such a case a parse error is returned (instead of incomplete) resulting in the payload not being detected as DNS. Ticket #5034	3 years ago
Jason Ish	27679a12aa	dns: don't parse a full request during probe if not enough data If there is more data than a header, but not enough for a complete DNS message, the hostname parser could return an error causing the probe to fail on valid DNS messages. So only parse the complete message if we have enough input data. This is reliable for TCP as DNS messages are prefixed, but for UDP its just going to be the size of the input buffer presented to the parser, so incomplete could still happen. Ticket #5034	3 years ago
Victor Julien	fc9b65d8d3	smb2: validate negotiate read/write max sizes Raise event if they exceed the configured limit.	3 years ago
Victor Julien	4be8334c9e	smb2: allow limiting in-flight data size/cnt Allow limiting in-flight out or order data chunks per size or count. Implemented for read and writes separately: app-layer.protocols.smb.max-write-queue-size app-layer.protocols.smb.max-write-queue-cnt app-layer.protocols.smb.max-read-queue-size app-layer.protocols.smb.max-read-queue-cnt	3 years ago
Victor Julien	2c5ad8858e	filetracker: track total queued data (in_flight) As well as expose number of chunks.	3 years ago
Victor Julien	90d4b8e438	smb: log max read/write sizes	3 years ago
Victor Julien	5bcc4162f7	smb2: add options for max read/write size Add options for the max read/write size accepted by the parser.	3 years ago
Victor Julien	f28888513a	smb2: track max read/write size and enforce its values	3 years ago
Victor Julien	594acec5dc	smb: minor function cleanup Remove used argument from `filetracker_newchunk()`. We're not using fill_bytes with smb.	3 years ago
Victor Julien	c7a474c725	filetracker: make FileChunk private	3 years ago
Philippe Antoine	3b13008c1b	mqtt: fix consumed bytes computation for truncated msg Ticket: 5268	3 years ago
Philippe Antoine	704bc878ea	dcerpc: store consumed_bytes as i32 As it can grow bigger than u16	3 years ago
Philippe Antoine	dfd17e9acc	ike: fix integer underflow in parse_proposal By not restricting a usize to i16	3 years ago
Victor Julien	93d5bce0aa	rust: update regex & memchr dependencies Bug: #5260.	3 years ago
Victor Julien	053a9d2e68	smb/ntlmssp: add stricter len/offset validation	3 years ago
Philippe Antoine	3e48881b78	smb: prevents integer underflow Ticket: 5246 If msg_id is 0, we cannot find the previous request	3 years ago
Philippe Antoine	e72036f12f	smb: ntlmssp domain_blob_offset underflow check Ticket: 5246	3 years ago
Philippe Antoine	817a5001a5	smb: check on param parsing Ticket: 5246 so as not to overflow u16	3 years ago
Sascha Steinbiss	7eb279ac53	mqtt: remove redundant "where" keyword	3 years ago
Sascha Steinbiss	d63e5b8c51	mqtt: make some functions non-public	3 years ago
Sascha Steinbiss	2a3ed9a6ae	mqtt: rustfmt	3 years ago
Sascha Steinbiss	1ba62993d5	mqtt: raise event on parse error	3 years ago
Sascha Steinbiss	5618273ef4	mqtt: ensure we do not request extra data after buffering This addresses Redmine bug #5018 by ensuring that the parser never requests additional data via the Incomplete error, but to raise an actual parse error, since it is supposed to have all the data as specified by the message length in the header already.	3 years ago
Victor Julien	6d30f4442c	http2: fix file accounting for ranged files Increment files_opened for tx that 'gets' reassembled ranged file	3 years ago
Victor Julien	b336882008	smb1: apply close to direction Instead of closing files in both direction when receiving a close request, close only toserver files for the request and close toclient on receiving a response.	3 years ago
Victor Julien	b9cd502249	smb: convert 'close' parser to function	3 years ago
Sam Muhammed	3a490fb16c	nfs: Implement frames Feature #4872 Frames: - RPC Frames: Generic over TCP/UDP - rpc.pdu - rpc.hdr - rpc.data - rpc.creds -- for rpc calls - NFSv2, NFSv3 - nfs.pdu - nfs.status -- for nfs responses - NFSv4 Only Frames - nfs4.pdu - nfs4.hdr - nfs4.ops -- for compound request/response operations - nfs4.status -- for nfs4 responses RPC tcp/udp frames created with separate registeration functions e.g: add_rpc_tcp_tc_frames() add_rpc_udp_tc_frames()	3 years ago
Sam Muhammed	d090dcbce9	rpc: Improve rpc_record struct Add creds_len field to rpc_record needed for rpc.creds frame length calculation	3 years ago
Sam Muhammed	8064a5348d	rust/nfs4: Add NFSPROC4_DESTROY_CLIENTID op parsers	3 years ago
Sam Muhammed	9d1fad28a7	rust/nfs4: Add NFSPROC4_DESTROY_SESSION op parsers Also add respective request unittest test_nfs4_request_destroy_session()	3 years ago
Sam Muhammed	ff81cad4f1	rust/nfs4: Add NFSPROC4_LAYOUTRETURN op parsers Also add respective request unittest test_nfs4_request_layoutreturn()	3 years ago
Sam Muhammed	073244a0b8	rust/nfs4: Add NFSPROC4_GETDEVINFO op parsers Also add respective response/request unittests test_nfs4_response_getdevinfo() test_nfs4_request_getdevinfo()	3 years ago
Sam Muhammed	ff54a6d9d5	rust/nfs4: Add NFSPROC4_LAYOUTGET op parsers Also add respective response/request unittests test_nfs4_response_layoutget() test_nfs4_request_layoutget()	3 years ago
Sam Muhammed	3d542fcc67	rust/nfs4: Add NFSPROC4_SECINFO_NO_NAME op parsers	3 years ago
Sam Muhammed	b35d635ac7	rust/nfs4: Add NFSPROC4_RECLAIM_COMPLETE op parsers	3 years ago
Sam Muhammed	2a41b46eca	rust/nfs4: Add NFSPROC4_CREATE_SESSION op parsers Also add respective response/request unittests test_nfs4_request_create_session() test_nfs4_response_create_session()	3 years ago
Sam Muhammed	0a69c66153	rust/nfs4: Add NFSPROC4_EXCHANGEID response parser Also add test_nfs4_response_exchangeid() unittest	3 years ago
Sam Muhammed	fe7a49b737	rust/nfs4: improve NFSPROC4_OPEN op parser Improve nfs4_res_open() parser to reflect other file-delegation types Reflect the changes on test_nfs4_response_open() unittest	3 years ago
Jason Ish	2341f47755	smb: handle records in the wrong direction If an SMB record is seen in the wrong direction, set an event on the PDU frame and don't process the record in the state. No error is returned, so the next record will be processed.	3 years ago
Jason Ish	09e2d3b216	smb: expose smb1 request/reply flags with a method Adds `.is_request()` and `.is_reply()` to check if a SMB record flags say the message is a request or a reply.	3 years ago
Jason Ish	7b659489c8	smb: fix smb2 header flag parsing The bits were being parsed in the order they're displayed in Wireshark, rather than the order they were being seen on the wire, resulting in direction and async being 0 more often than they should be. Instead of bits, take the 4 bytes as an le_u32 and just use bit masks to extract what we need into a struct, I think its easier to reason about this way when comparing to the Microsoft documentation.	3 years ago
Philippe Antoine	bfcd6cb46a	range: validity check when end is bigger than size Ticket: 5132 Down the line, HttpRangeOpenFileAux assumes the range has a valid value when doing buflen = end - start + 1;	3 years ago
Victor Julien	07b1100713	nfs: clean up partial record handling There should be no remaining data after parsing the partial RPC record, so don't handle it but instead add a debug validation bug on. Successful processing for NFSv3 read/write records returns AppLayerResult::ok() directly as all data is consumed.	3 years ago
Victor Julien	d85b77cad0	nfs3: improve read validation; fix partial handling	3 years ago
Victor Julien	4418fc1b02	nfs3: fix partial write record handling	3 years ago
Victor Julien	5baf94e40d	nfs3: enforce more values Enforce values of a number of u32's that are used as bools or for really low values.	3 years ago
Victor Julien	1c57e3c18d	rpc: enforce various field values Minimal frag_len. Correct msgtype and others.	3 years ago
Victor Julien	64d8a1e16e	nfs/rpc: update full record parsers to be more exact Instead of 'take'ing all data for the RPC prog_data and then letting the higher level parsers figure out which part to use take the exact amount.	3 years ago
Victor Julien	bfb5ae867e	nfs: break out partial record handling	3 years ago
Victor Julien	fe76ab1803	nfs/rpc: enforce length field limits Limits based on the Linux kernel limits. Then multiplied a few times to allow for other implementations to have higher limits.	3 years ago
Victor Julien	5ecb626e50	nfs4: verify bool fields	3 years ago
Jason Ish	b1c09369af	rust/derive: pin proc-macro-crate to v1.1.0. The just released proc-macro-crate v1.1.2 requires at least Rust 1.53. Pin to the previous release for now.	3 years ago
Pierre Chifflier	b8f767d84c	rust/mime: convert parser to nom7	3 years ago
Juliana Fajardini	5a7645fac1	rust: add comment tags to support documentation With these, the portion of code within the tags should be included in the related code-snippets (for frame support documentation) w/o errors, even if the code within changes. The tags can also work as a reminder that the existing code is being shown elsewhere, so folks know documentation might need updates, in case of major changes.	3 years ago
Juliana Fajardini	e0dd1820c2	sip: apply rustfmt to a few functions Our current rust code isn't always documentation friendly when it comes to using code snippets. Used rustfmt to apply rust default formatting on functions that we wanted to show in our documentation for Frame support	3 years ago
Juliana Fajardini	71cbd2bf0e	telnet: apply rustfmt to parse_request When we want to share our code in our documentation pages, the current rust formatting isn't so nice to read. Formatted just the portion of the code that will be shown, for now.	3 years ago
Philippe Antoine	8adf172ab8	nfs: limits the number of active transactions per flow Ticket: 4530	3 years ago
Philippe Antoine	0e85dea3ff	nfs: remove unused events variable	3 years ago
Philippe Antoine	e4f2f8f78d	nfs: derive AppLayerEvent for NFSEvent	3 years ago
Jason Ish	2ebb525f7e	build: remove configure check for cargo vendor cargo vendor has been part of the core cargo command since Rust 1.37, and are minimum Rust version is not 1.41, so remove the check. Its always available now.	3 years ago
Jason Ish	62cc813f88	rust/make: fix maintainer-clean-local target Was using the wrong name, so vendored Rust crates were not being cleaned up on make maintainer-clean.	3 years ago
Pierre Chifflier	8dc3431d86	rust/dcerpc: convert parser to nom7 functions	3 years ago
Pierre Chifflier	b5166bdb93	rust/ntp: upgrade dependency on ntp-parser	3 years ago
Pierre Chifflier	fa63945bdc	rust/ike: convert parser to nom7 functions and upgrade dependency	3 years ago
Pierre Chifflier	3493537ec3	rust/rfb: convert parser to nom7 functions	3 years ago
Victor Julien	474e0e3644	sip: enable for 5061/udp	3 years ago
Victor Julien	1203750388	sip: add frames support Frames: - sip.pdu - sip.request_line - sip.response_line - sip.request_headers - sip.response_headers - sip.request_body - sip.response_body The `sip.pdu` frame is always created, the rest only if the record parser succeeded. Ticket: #5036.	3 years ago
Philippe Antoine	e42094f238	mqtt: make max transactions configurable Allows users to find balance between completeness of decoding and increases resource consumption, which can DOS suricata.	3 years ago
Philippe Antoine	4f90d4254e	http2: makes some settings configurable max-streams and max-table-size Allows users to find balance between completeness of decoding and increases resource consumption, which can DOS suricata.	3 years ago
Philippe Antoine	a8079dc978	mqtt: limits the number of active transactions per flow Ticket: 4530 So, that we do not get DOS by quadratic complexity, while looking for a new pkt_id over the ever growing list of active transactions	3 years ago
Philippe Antoine	5475212f21	http2: limits the number of active transactions per flow Ticket: 4530 So, that we do not get DOS by quadratic complexity, while looking for a new stream id over the ever growing list of active streams	3 years ago
Philippe Antoine	f0e869b26b	mqtt: parse properties with the right buffer's length	3 years ago
Philippe Antoine	df2cbd6517	http2: event for variable-length integer overflow http2_parse_var_uint can overflow the variable-length integer it is decoding. In this case, it now returns an error of kind LengthValue. The new function http2_parse_headers_blocks, which factorizes the code loop for headers, push promise, and continuation, will check for this specific error, and instead of erroring itself, will return the list of so far parsed headers, plus another one with HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIntegerOverflow This status is then checked by process_headers to create an app-layer event.	3 years ago
Philippe Antoine	b86beb9b68	http2: check overflow before it happens instead of checking afterwards if value got smaller	3 years ago
Eloy Pérez González	bff0774767	smb/dce_iface: avoid deleting current ifaces from state The smb dce_iface keyword must match for all those dcerpc requests and responses sent in the context of the given interface. They are not matching as the current bind interfaces are deleted by any non bind message. Ticket: 4767	3 years ago
Eloy Pérez González	1ae22fd5de	smb/dce_iface: use DCERPC_TYPE_REQUEST The smb dce_iface keyword must match for all those dcerpc requests and responses sent in the context of the given interface. They are not matching because in rs_smb_tx_get_dce_iface, x.req_cmd is erroneously compared with 1. Fix this by comparing with DCERPC_TYPE_REQUEST instead. Ticket: 4767	3 years ago
Eloy Pérez González	333db3b385	smb/dce_opnum: move range if to outer context The smb dce_opnum matches all the opnums that are higher that the indicated opnum. This is due the range comparison if was put in the exact comparison context, and in case the opnum doesn't match exactly, then the range comparison is triggered (the upper limit is always true). Move the erroneus if to the outer context, as else option of the block checks if comparison should be exact or range. Ticket: 4767	3 years ago
Eloy Pérez González	8dca3d0416	smb/dce_opnum: use DCERPC_TYPE_REQUEST The smb dce_opnum keyword doesn't match the dcerpc requests/responses. This occurs because in the rs_smb_tx_match_dce_opnum function, the x.req_cmd is matched against the erroneous code 1. Fix this by using DCERPC_TYPE_REQUEST for the comparison instead. Ticket: 4767	3 years ago
Eloy Pérez González	15f493f516	dcerpc: remove prev_tx_call_id and clear_bind_cache from DCERPCState remove those fields since are not used because of the removal of handle_bind_cache.	3 years ago
Eloy Pérez González	1aca2676a6	dcerpc: avoid delete the rpc state interface context The bug: The dcerpc dce_iface keyword just match the packet following the bind. Only the next request after the rpc is sent will match. However the expected behaviour it that all the rpc requests/responses sent under the context of the given interface would match. In the Open Group c706 the following is indicated: In 2.2.1 Binding-related Operations, indicates that one category of binding operations are those that "operations that establish internal call routing information for the server." (The other are to establish the protocol which is not relevant here). And the following statement can be found: Operations in the second category establish a set of mappings that the server can use to route calls internally to the appropriate manager routine. This routing is based on the interface and version, operation and any object requested by the call. It indicates that server routes (to call methods) are based on the operation, interface and object. - Operation: To indicate the method to call, and operation number is specified as indicated in the second step of 2.3.3.2 (Client Binding Steps). - Interface: An interface is a set of remotely callable operations offered by a server and invokable by clients. (2.1.1.1) - Object: Is the manager that implements the interface, as stated in section Interface and Manager Selection of 2.3.3.3. It is not mandatory, can be nil. To call a method, a client must send a request message as defined in 2.6.4.9, that contains these identifiers: - opnum: The opnum field identifies the operation being invoked within the interface. - p_cont_id (Context ID in Wireshark): The p_cont_id field holds a presentation context identifier that identifies the data representation and interface, as defined in 12.6.3.4 (Context Identifiers). - object: The object field is contained if the PFC_OBJECT_UUID is set. (Could be interesting to create a keyword dce_object for matching this UUID) Therefore, to get the correct method to invoke, the server must map the context to the correct interface. This is negotiated by the bind request Interfaces are first negotiated using the bind message (12.6.4.3), contained in the p_context_elem array. Then they are accepted or rejected using the bind_ack message (12.6.4.4). Once these contexts are established, both client and server can use the context id, which is the index of the p_context_elem array, to refer the interface they are using. Moreover, in the middle of the connection, the context can be changed with the alter_context message. This is way suricata shouldn't delete the bindack attribute, that contains the contexts, used by match_backuuid. This is the only way to know the interface a request message is referring to. ticket: 4769 https://redmine.openinfosecfoundation.org/issues/4769	3 years ago
Juliana Fajardini	0bf1227f0f	pgsql: fix defect found by coverity Pgsql was using bitwise operations to assign password output config to its context flags, but mixing that with logic negation of the default value, resulting in the expressions having a constant value as result. Bug: #5007	3 years ago
Pierre Chifflier	ce9efc34c7	rust/pgsql: convert parsers to nom7 functions	3 years ago
Juliana Fajardini	579d7dcc01	pgsql: add initial support - add nom parsers for decoding most messages from StartupPhase and SimpleQuery subprotocols - add unittests - tests/fuzz: add pgsql to confyaml Feature: #4241	3 years ago
Juliana Fajardini	4c743b809c	rust/applayer: add function for upgrading to TLS	3 years ago
Victor Julien	e02b52c895	quic: add quic.ua for matching user agent	3 years ago
Victor Julien	4c13b73c4d	quic: log user agent when available	3 years ago
Victor Julien	da8b024b99	detect/quic: add quic.sni sticky buffer	3 years ago
Victor Julien	7b836af1b2	quic: log sni; reduce number of transactions Only create transactions for long headers. Store SNI in tx, log it.	3 years ago
Victor Julien	ccab28aad3	quic: log version as string Log as Q043, Q044, Q045, Q046. If the version is not supported/recognized, log the 4 bytes as hex. Only log for txs based on long headers.	3 years ago
Victor Julien	24a21af4ab	quic: redo quic.version; parser cleanups Reimplement quic.version as sticky buffer. Removed unused parts of the parser. Set unidirectional tx flag to fix double matching.	3 years ago
Emmanuel Thompson	7e51987263	quic: Add QUIC App Layer Parses quic and logs a CYU hash for gquic frames	3 years ago
Sam Muhammed	c4bd3cd70e	nfs4_records: add unittests Add unittests for setclientid, readdir records Task #4866	3 years ago
Pierre Chifflier	c61cbd9b35	rust: simplify bits parser annotations	3 years ago
Pierre Chifflier	1b25bcbb13	rust/smb: simplify bits parser annotations	3 years ago
Pierre Chifflier	4d6aa6d532	rust: add 'bits' combinator to simplify nom bits parsers Add a specialized version of the 'bits' nom combinator so adding bits-level parsers does not require type annotations.	3 years ago
Victor Julien	44c9241b6a	telnet: initial support with frames Bootstrapped using setup script. Basic option parsing for purpose of tagging frames.	3 years ago
Jason Ish	3cdefd5f8b	smb: use derive AppLayerFrameType	3 years ago
Victor Julien	0c9fdf8f4f	smb: implement frames SMB1 record parsing code simplification. Frames: nbss.pdu nbss.hdr nbss.data smb1.pdu smb1.hdr smb1.data smb2.pdu smb2.hdr smb2.data smb3.pdu smb3.hdr smb3.data The smb* frames are created for valid SMB records.	3 years ago
Jason Ish	8a40b7b42e	cbindgen: ignore frames module	3 years ago
Jason Ish	de870e2fbf	rust: derive macro for app-layer frame type	3 years ago
Jason Ish	0ece208074	rust/applayer: create trait for app-layer frame types	3 years ago
Jason Ish	cb7f7a7e08	app/frames: implement rust API	3 years ago
Victor Julien	e6f49e5a05	app/frames: implement name to id API for frames	3 years ago
Pierre Chifflier	3e19ccdc0c	rust/http2: convert parser to nom7 functions (HTTP2 ranges)	3 years ago
Pierre Chifflier	f8647b0ffb	rust/http2: convert parser to nom7 functions (HTTP2 core functions)	3 years ago
Philippe Antoine	e1c0725e05	doc: fix typo lenght/length	3 years ago
Sam Muhammed	9bea850d53	nfs4_records: add unittests for nom7 parsers Task #4866	3 years ago
Sam Muhammed	463fbdc36d	nfs4_records: add missing field to res_sequence_ok() Missing _seqid in sequence op struct left a trailing four zeros that are parsed by nfs4_res_compound_command() as a cmd causing a Switch Error Code	3 years ago
Sam Muhammed	4e2edd44aa	nfs3-records: add unittests to nom7 parsers Task #4866	3 years ago
Sam Muhammed	03906010a2	nfs3-records: add missing fields and update parsers Add missing fields to some record structures and update their respective parsers	3 years ago
Sam Muhammed	86c273dadc	nfs2-records: add unittests for nom7 parsers Task #4866	3 years ago
Victor Julien	ddf14e51dc	nfs2: improve READ parsing Take fill_bytes into account.	3 years ago
Jason Ish	2011a5579c	rust/app-layer: expose AppLayerEvent derive macro Export the AppLayerEvent derive macro so plugin (or library code) can use it as expected, for example: use suricata::applayer::AppLayerEvent; enum MyEvent { EventOne, EventTwo, }	3 years ago
Jason Ish	ba310440a6	rust/derive: make usable from a plugin or lib user The macro was generating code that references names use the "crate" prefix which will fail if the macro is used by a library user or plugin. Dynamically check where we are running an use the correct import paths as needed.	3 years ago
Jason Ish	bbd5e6402b	rust: rename to suricata (from suricata_rust) Rename the Rust lib to simply "suricata" instead of "suricata_rust". This allows Rust plugin/library code to use it under the name "suricata" which is what should be expected. The name was only "suricata_rust" to prevent on-disk conflict with the C code, so just rename the file on disk, which doesn't affect how the code is interacted with from an API layer.	3 years ago
Jason Ish	2ffe88c1f0	rust: remove feature function-macro The function macro existed so it would only be enabled on Rust versions that supported. Now that our MSRV is 1.41, which is greater than 1.38 we can assume we always have support for this macro.	3 years ago
Jason Ish	50fdcd098c	rust/http2: use base64 crate for base64 decode	3 years ago
Jason Ish	6392216f6b	base64: use the Rust base64 encode implementation Replace our internal base64 implementation with a ffi wrapper around the Rust implementation provided by an external crate.	3 years ago
Jason Ish	8181030f72	jsonbuilder: add methods to encode values as base64 Add new methods to set a value as a base64 encoded string of a byte array. This uses the Rust base64 crate and encodes directly into the JsonBuilder buffer with no intermediate buffer required. jb_set_base64: set a field on an object jb_append_base64: append a value to an array	3 years ago
Victor Julien	c073d5cfbf	app-layer: use StreamSlice as input to parsers Remove input, input_len and flags in favor of stream slice.	3 years ago
Victor Julien	6466296b32	app-layer: add StreamSlice to pass data to parsers Since object to contain relevant pointer, length, offset, flags to make it easy to pass these to the parsers.	3 years ago
Jason Ish	0861b66e15	dns: add dns flag to dns request logging Ticket #4515	3 years ago
Odin Jenseg	dfb6f105e8	dns: Logging of Z-bit [Edit by Jason Ish: fix flag bit value] Ticket #4515	3 years ago
Jason Ish	fcbdc30426	dns: create transaction even if z-bit was set It appears that DNS servers will still process a DNS request even if the z-bit is set, our parser will fail the transaction. So create the transaction, but still set the event. Ticket #4924	3 years ago
Pierre Chifflier	d67f8f9196	rust/smb: convert parser to nom7 functions (SMB1)	3 years ago
Pierre Chifflier	895a54cea4	rust/smb: convert parser to nom7 functions (DCERPC records)	3 years ago
Pierre Chifflier	8d77ce1ffc	rust/smb: convert parser to nom7 functions (SMB2)	3 years ago
Pierre Chifflier	5cadb878ff	rust/smb: convert parser to nom7 functions (SMB3)	3 years ago
Pierre Chifflier	4c97dfa851	rust/smb: convert parser to nom7 functions (NTLM/SSP records)	3 years ago
Pierre Chifflier	3da816eb23	rust/smb: convert parser to nom7 functions (NBSS records)	3 years ago
Pierre Chifflier	90f9450971	rust: add nom7 combinator take_until_and_consume	3 years ago
Philippe Antoine	87d9c44ec5	rust: export constants via cbindgen so that constants are not defined twice in Rust anc C So that we are sure they have the same value	3 years ago
Philippe Antoine	784558df2e	mime: handles multiple sections for a parameter Ticket: 4386 as per RFC2231. For instance filename can be split between filename0, filename1, etc...	3 years ago
Philippe Antoine	8feb9c35ae	mime: move FindMimeHeaderTokenRestrict to rust Also fixes the case where the token name is present in a value	3 years ago
Philippe Antoine	1b10848d84	mqtt: fix transaction completion Ticket: 4862 A transaction to client is always considered complete in the direction to server and vice versa. Otherwise, transactions are never complete for AppLayerParserTransactionsCleanup	3 years ago
Jason Ish	7732efbec2	app-layer: include decoder events in app-layer tx data As most parsers use an events structure we can include it in the tx_data structure to reduce some boilerplate/housekeeping code in app-layer parsers.	3 years ago
Philippe Antoine	0caaf6bd23	range: prevents memory leak of file from HTTP2 Ticket: 4811 Completes commit `c023116857` state.free should also close files with ranges as state.free_tx did already And file_range field should be reset so that there is no use after free.	3 years ago
Jeff Lucovsky	23faeaea5c	ftp: Remove diagnostic print This commit removes a diagnostic message displayed during extraction of the EPSV port.	3 years ago
Philippe Antoine	c023116857	range: prevents memory leak of file from HTTP2 If a HTTP2 transaction gets freed before the end of the range request, we need to have the files container which is in the state, to transfer owernship of this file to the files container. Ticket: 4811	3 years ago
Pierre Chifflier	acb3ec6db1	rust/nfs: convert parser to nom7 functions (NFS v2 records)	3 years ago
Pierre Chifflier	ea1d03f8e3	rust/nfs: add a maximum number of operations per compound The `count` combinator preallocates a number of bytes. Since the value is untrusted, this can result in an Out Of Memory allocation. Use a maximum value, large enough to cover all current implementations.	3 years ago
Pierre Chifflier	0ffe123330	rust/nfs: convert parser to nom7 functions (NFS v3 and v4 records)	3 years ago
Jason Ish	eb6cc62937	dhcp: fix url in comment rustdoc was complaining about the format of the URL in a comment while trying to generate documentation. Convert the comment to a non-rustdoc comment for now to satisfy rustdoc.	3 years ago
Jason Ish	b57280ff48	rdp: fix transaction id By our convention the transaction ID is incremented then applied to the new transaction. And the generic transaction iterator requires this behaviour.	3 years ago
Jason Ish	9c67c634c1	app-layer: include DetectEngineState in AppLayerTxData Every transaction has an existing mandatory field, tx_data. As DetectEngineState is also mandatory, include it in tx_data. This allows us to remove the boilerplate every app-layer has for managing detect engine state.	3 years ago
Jason Ish	f4b4d531b0	rdp: add tx iterator	3 years ago
Jason Ish	238ec953b7	krb5: use tx iterator	3 years ago
Jason Ish	ef0c351953	ntp: add tx iterator	3 years ago
Jason Ish	871fb035b4	sip: add tx iterator	3 years ago
Jason Ish	d6b2d7e16a	ike: add tx iterator For IKE the manual iterator functions were there, but never registered. So this commit does add a tx iterator to ike.	3 years ago
Jason Ish	3f2d2bc12b	snmp: use generic tx iterator	3 years ago
Jason Ish	ac4c5ada2f	dhcp: use generic tx iterator	3 years ago
Jason Ish	54e62ddf71	http2: use generic tx iterator	3 years ago
Jason Ish	6cffecfe3e	template: use generic tx iterator	3 years ago
Jason Ish	a936755731	nfs: use generic tx iterator	3 years ago
Jason Ish	0188a01daf	rfb: use generic tx iterator	3 years ago
Jason Ish	b335409690	mqtt: use generic tx iterator	3 years ago
Jason Ish	d71bcd82d9	modbus: use generic tx iterator	3 years ago
Jason Ish	fcfc9876ce	smb: use generic tx iterator	3 years ago
Jason Ish	049d43212e	rust/app-layer: provide generic implementation of iterator Create traits for app-layer State and Transaction that allow a generic implementation of a transaction iterator that parser can use when the follow the common pattern for iterating transactions. Also convert DNS to use the generic for testing purposes.	3 years ago
Shivani Bhardwaj	26c7d3cc35	http2: remove needless borrows	3 years ago
Shivani Bhardwaj	f3a1e3b92e	core: Remove unneeded consts	3 years ago
Shivani Bhardwaj	b5a123adb1	ssh: use Direction enum	3 years ago
Shivani Bhardwaj	baf30cfc05	snmp: use Direction enum	3 years ago
Shivani Bhardwaj	89cb337930	smb: use Direction enum	3 years ago
Shivani Bhardwaj	8f9f78c2d0	sip: use Direction enum	3 years ago
Shivani Bhardwaj	11c438a07d	nfs: use Direction enum	3 years ago
Shivani Bhardwaj	a7ac79bed7	mqtt: use Direction enum	3 years ago
Shivani Bhardwaj	209e2f17fa	krb: use Direction enum	3 years ago
Shivani Bhardwaj	243960a511	ike: use Direction enum	3 years ago
Shivani Bhardwaj	ee5b300ccf	http2: use Direction enum	3 years ago
Shivani Bhardwaj	0c6e9ac931	files: use Direction enum	3 years ago
Shivani Bhardwaj	a19d2b4e1e	dns: use Direction enum	3 years ago
Shivani Bhardwaj	a866499bca	dcerpc: use Direction enum	3 years ago
Shivani Bhardwaj	9512bfd729	core: add Direction enum Ticket: 3832	3 years ago
Philippe Antoine	3212fa7d2b	ntp: fixes leak of de_state Bug: #4752.	3 years ago
Philippe Antoine	28a3181a2d	snmp: fixes leak of de_state Bug: #4752.	3 years ago
Philippe Antoine	f37240a3e2	smb: midstream probing checks for netbios message type If it is available Bug: #4620.	3 years ago
Philippe Antoine	8f8823b6f2	rust: right condition for both uint to be zero Theay can overflow leading to their addition to be zero If a NFS read reply indicates a count of 0xFFFFFFFF Bug: #4680.	3 years ago
Pierre Chifflier	ce652511bd	rust/tftp: convert parser to nom7 functions	3 years ago
Pierre Chifflier	c525a1337c	rust/dns: convert parser to nom7 functions	3 years ago
Pierre Chifflier	74be8b94ec	rust/ssh: convert parser to nom7 functions	3 years ago
Pierre Chifflier	8a584c211e	rust/mqtt: convert parser to nom7 functions	3 years ago
Pierre Chifflier	d27125d77a	rust/sip: convert parser to nom7 functions	3 years ago
Pierre Chifflier	1046a7d1a3	rust/ftp: convert parser to nom7 functions	3 years ago
Pierre Chifflier	ebd5883da8	rust/dhcp: convert parser to nom7 functions	3 years ago
Pierre Chifflier	17170c41aa	rust: add nom7 dependency	3 years ago
Modupe Falodun	a87c7e5c08	rust: remove unnecessary nested match Bug: #4605	3 years ago
Modupe Falodun	74c39500c3	rust: fix inherent to string Bug: OISF#4618	3 years ago
Sam Muhammed	922a453da5	rust(lint): use is_null() instead of ptr::null_mut() Bug: #4594	3 years ago
Sam Muhammed	23768c7181	rust(lint): use is_null() instead of ptr::null() Bug: #4594	3 years ago
Sam Muhammed	da0a976e23	rust(lint): use let for binding single value `match` is better used with binding to multiple variables, for binding to a single value, `let` statement is recommended. Bug: #4616	3 years ago
Philippe Antoine	5bd065cb3c	range: checks that end is after start for HTTP2 As was done only for HTTP1 in previous commit The verification part stays separated from the parsing part, as we want to keep on logging invalid ranges values.	3 years ago
Philippe Antoine	accdad7881	ike: do not keep server transforms in state Fixes #4534 Now, only the tx with the transforms will match with ike.chosen_sa_attribute	3 years ago
Philippe Antoine	83887510a8	modbus: tx iterator When there are a lot of open transactions, as is possible with modbus, the default tx_iterator will loop for the whole transacations vector to find each transaction, that means quadratic complexity. Reusing the tx_iterator from the template, and keeping as a state the last index where to start looking avoids this quadratic complexity.	3 years ago
Philippe Antoine	ea4a509a54	app-layer: disable by default if not in configuration DNP3, ENIP, HTTP2 and Modbus are supposed to be disabled by default. That means the default configuration does it, but that also means that, if they are not in suricata.yaml, the protocol should stay disabled.	3 years ago
Philippe Antoine	8e8899c90c	http2: range: check return value when opening HttpRangeContainerOpenFile can return NULL so, http2_range_open can set file_range to NULL And we should check this before calling http2_range_close	3 years ago
Philippe Antoine	cb30772372	style: remove latest warnings about unused variables	3 years ago
Philippe Antoine	98f84d5a9b	http2: follow range requests Move the content-range parsing code to rust	3 years ago
Philippe Antoine	56fae072b2	http2: better rust lifetimes so that borrow check gets happy	3 years ago
Philippe Antoine	a1f9e0c97a	rust: rename to StreamingBufferConfig as in C	3 years ago
Shivani Bhardwaj	42da0fb5c5	smb: fix broken stream depth setting The stream depth setting was broken since it was moved to Rust because of a missing parser for memory values in configuration. Use get_memval fn from conf.rs to calculate and fetch the correct values.	3 years ago
Shivani Bhardwaj	0cfe512ef0	rust/conf: add getter for memval Add a parser for memory values like 50kb, 20mb, etc on the Rust side.	3 years ago
Shivani Bhardwaj	f3fcc39738	ssh: remove futile default port setting	4 years ago
Shivani Bhardwaj	1f48714e75	smb: remove futile default port setting	4 years ago
Shivani Bhardwaj	13741540ce	rfb: remove futile default port setting	4 years ago
Shivani Bhardwaj	7c9d573800	nfs: remove futile default port setting	4 years ago
Shivani Bhardwaj	f4f6387a00	dcerpc: use null for default ports	4 years ago
Philippe Antoine	596a4a9d6e	http2: better rust style	4 years ago
Philippe Antoine	48ed874dda	http2: concatenate one headers multiple values For detection, as is done with HTTP1	4 years ago
Philippe Antoine	e3ff0e7731	http2: generic http2_header_blocks so as not to forget continuation and push promise when iterating over headers	4 years ago
Philippe Antoine	0b0649d98e	http2: http.header keyword now works for HTTP2 As well as http.header.raw	4 years ago
Philippe Antoine	9b9f909d7d	http2: http.header_names keyword now works for HTTP2	4 years ago
Philippe Antoine	547e9f4ab4	http2: http.host normalized keyword now works for HTTP2	4 years ago
Philippe Antoine	75f75e1eb0	http2: turn Host header into authority during upgrade HTTP1 uses Host, but HTTP2 uses rather :authority cf HPACK	4 years ago
Philippe Antoine	bb98a18b3d	http2: better file tracking If an HTTP2 file was within only ont DATA frame, the filetracker would open it and close it in the same call, preventing the firther call to incr_files_opened Also includes rustfmt again for all HTTP2 files	4 years ago
Philippe Antoine	1378b2f451	http2: support deflate decompression cf #4556	4 years ago
Victor Julien	c9cee7af49	smb: add debug validation on file counts	4 years ago
Victor Julien	114d3ba730	smb: count files in tx	4 years ago
Victor Julien	c1dfb619c4	http2: support per-tx file accounting	4 years ago
Victor Julien	1b3c3225cd	nfs: add debug validation on file counts	4 years ago
Victor Julien	1d48601c25	nfs: support per-tx file accounting	4 years ago
Victor Julien	67759795c6	nfs: don't reuse file transactions After a file has been closed (CLOSE, COMMIT command or EOF/SYNC part of READ/WRITE data block) mark it as such so that new file commands on that file do not reuse the transaction. When a file transfer is completed it will be flagged as such and not be found anymore by the NFSState::get_file_tx_by_handle() method. This forces a new transaction to be created.	4 years ago
Victor Julien	56d3e28a3a	filestore: track files getting stored per tx Avoid evicting a tx before the filedata logger has decided it is done.	4 years ago
Victor Julien	c78f5ac316	app-layer/transactions: track files opens and logs To make sure a transaction is not evicted before all file logging is complete.	4 years ago
Philippe Antoine	9b8be5a650	smb: get file name in case of chained commands	4 years ago
Philippe Antoine	3e5f59e2cb	smb: fix parsing of file deletion over SMB1	4 years ago
Philippe Antoine	fde753d9d2	smb: recognizes file deletion over SMB2 using set_info_level == SMB2_FILE_DISPOSITION_INFO	4 years ago

... 5 6 7 8 9 ...

1383 Commits (d3354555afdf1bdd0e442a42d002c96b66f80115)