Commit Graph

18929 Commits (e98d419d96b6df4ba4cd51325923e76a80f93f9e)
 

Author SHA1 Message Date
Philippe Antoine e98d419d96 ldap: bound the number of responses
Ticket: 8405
2 months ago
Jason Ish 078c08d84b dnp3: bound response reassembly
Ticket: 8460
2 months ago
Philippe Antoine 38d41e6fa6 dnp3: fix off-by-one in array sizes
So that we can write a final zero without overflowing the array
and relying on padding to avoid further problems

Ticket: 8448
2 months ago
Philippe Antoine c25ccd299e dnp3: explicit application layer length is bounded in uint16_t
Ticket: 8460
2 months ago
Philippe Antoine 658684a252 dnp3: bounds reassembly
Ticket: 8460
2 months ago
Philippe Antoine c977b2f31b frames: make sure we use a lowercase buffer name
Ticket: 8526

As some C protocols accepted case-insensitive frame names,
a rule using the same frame twice with different cases,
ended up using 2 different buffers,
which ended up in triggering a buffer overflow
2 months ago
Victor Julien 6ebd0c3cc2 http2: check for HTTP1 protocol during upgrade path
Ticket: 8492
2 months ago
Jason Ish 2d6c3213ae lua: enforce allocation limit on first alloc
Instead of just on re-alloc.

Ticket: #8507
2 months ago
Philippe Antoine 24527d662a defrag: check tracker/packet family in compare
Ticket: 8510

Without this check, in case of a hash collision, and the other
fields are equal, we could end up consider adding an IPv6 packet
to a IPv4 tracker (or vice versa).

Doing so, we end up interpreting an IPv6 packet as an IPv4 one,
and we do not benefit from the bounds checks from ipv4/ipv6 decoder.
2 months ago
Jason Ish 74eb82a8a5 datasets: fix path setup when load and save used with different paths
If load and save were used in the same rule with different paths, proper path
setup was skipped.

Ticket: #8546
2 months ago
Philippe Antoine 10bde66586 nfs: bound file_additional_procs to 1
Ticket: 8418

As we only need to know we saw at least one NFSPROC3_COMMIT
2 months ago
Philippe Antoine aea7ee21b8 nfs: bound namemap by using lru
Ticket: 8418
2 months ago
Philippe Antoine a50f494ef6 nfs: bound requestmap and use lru
Ticket: 8418
2 months ago
Victor Julien 367ca7f430 detect/tx: minor debug additions and fixes 2 months ago
Victor Julien b29226c7ea firewall/analyzer: include all hooks
For protocols using default 0-1 states, add support.

For others, print 'unknown' if no name is yet supported.

Ticket: #8514.
2 months ago
Victor Julien f7c44c4c23 detect/analyzer: log actual policy for app firewall 2 months ago
Victor Julien 7134592fea detect/firewall: configurable default policies
Allow configurable policies, including accept. For app-layer this
requires looping all available hooks to apply the policies.

Support configurable policies for packet-filter, pre-stream, pre-flow.

If there are no rules there is also no rule group (sgh). Make sure
the app hooks policies are correctly handled in this case by allowing
a NULL sgh to be handled as well.

For tx rule match actually apply drop directly. Previously this was
always handled by the default drop:flow policy.

Ticket: #7701.
2 months ago
Victor Julien eaacb41aaf firewall: accept:flow no longer implies pass:flow
Previously a `accept:flow` action would act as both a firewall "accept" and
a threat detection "pass" for the rest of the flow.

This patch changes that. The `accept:flow` action now only accepts the
rest of the packets for the firewall ruleset, but does still continue
threat detection rule evaluation.

Ticket: #8444.
2 months ago
Victor Julien 0093bd6123 detect/firewall: rename flow control variable
For improved readability.
2 months ago
Victor Julien e76728a536 firewall: support multi-action statements in rules
For firewall rules, allow multiple actions to be specified in a list

        accept:flow,pass:flow,alert
        accept:flow,alert
        accept:flow,pass:flow

It is mandatory to make the first action the primary firewall policy
action: accept, drop, reject.

Ticket: #8480.
2 months ago
Victor Julien b7a625d368 detect: suppress noisy debug messages
Fixes: 232276ac19 ("detect: ethernet/arp matching")
2 months ago
Victor Julien b695100491 detect/firewall: apply default policy in no rules case
When there are no rules after prefilter the default policy needs to be invoked.
2 months ago
Victor Julien 33b3793372 firewall: limit action scope packet for app-hooks
For non-UDP (so TCP), don't allow `accept:packet` or `drop:packet` as
this makes the evaluation of other rule hooks unpredictable.

Ticket: #8497.
2 months ago
Victor Julien d561f6184a detect/firewall: add single call for applying app default policy 2 months ago
Victor Julien 171b14786b detect: clean up firewall rule match handling 2 months ago
Victor Julien b922142865 detect: clean up of last_tx check 2 months ago
Victor Julien 4fd5bbed35 detect: minor code cleanup 2 months ago
Victor Julien 900ae89ed8 firewall: fix hooks getting skipped in some rulesets
If a ruleset would use `dns:request_complete` but not have a rule for
`dns:request_started`, the `request_started` hook default policy would
not get invoked.

Add a check to make sure it is invoked.

Ticket: #8495.
2 months ago
Victor Julien 6d3599e1c2 detect/firewall: clean up flow control
Use an enum for the firewall related flow control, to improve
readability of the firewall inspection logic.
2 months ago
Victor Julien c33c8674d4 reject/respond: use dst livedev for rejectdst
Update ctx caching to take direction into account.
2 months ago
Victor Julien 564b2d47bb packet: track outgoing livedev id 2 months ago
Victor Julien a6ec0e617b af-packet: shrink AFPPeer struct by better layout 2 months ago
Victor Julien 32afba47dd packet: store livedev by id 2 months ago
Victor Julien 293662fc2e flow: store livedev by id
In prep for storing both directions for IPS.
2 months ago
Victor Julien 10367750f1 device: add get id func
Most code uses an opague type for LiveDevice, so add an id getter.
2 months ago
Victor Julien 4a7ded0eea device: start id space at 1
So a value of 0 means no device.
2 months ago
Victor Julien a7ee12c921 device: add O(1) lookup by id 2 months ago
Victor Julien 943fa5f453 respond/reject: use livedev in bridge mode
Clean up host mode tracking, which is used by reject to control how
rejects are sent. Before this patch there were 2 modes: sniffer only
and router. This patch introduces a bridge mode that is automatically
set by the bridge modes. In bridge mode the `Packet::livedev` is used.

Ticket: #8390.
2 months ago
Juliana Fajardini 3c46e36930 detect/tcp: opt-in tcp.flags for firewall mode
The firewall enabling flag for tcp.flags was being overwritten by
another line of code.

Related to
Ticket #8387
2 months ago
Juliana Fajardini d442c3544c detect: opt-in keywords for firewall mode
- tls.cert_chain_len
- datarep
- dataset
- dns.opcode

Part of
Ticket #8387
2 months ago
Lukas Sismis 7b0afb3bbd github-ci: add FreeBSD build test
Expand the Github-CI build coverage by adding another OS that
Suricata targets.

Ticket: 8487
2 months ago
Urval Kheni 121d736560 decode/tcp: avoid unaligned 16-bit option reads
Use a byte-wise helper for 16-bit TCP option parsing instead of
casting option data to uint16_t *.

Ticket: 8543
2 months ago
Philippe Antoine cb62d6d73d frames: do not free on log+flush packet
As we expect a second log+flush packet in the other direction

Ticket: 8336
2 months ago
Philippe Antoine cefd134461 stream: log flush packets in the other order
Ticket: 8336

At the end of a TLS handshake, in IDS mode, the client acks,
and we parse the server hello and use tls.encryption-handling
to know what to do next (for example bypass)

Everything is parsed, but we have not run detection yet on neither
side.

So, in IDS mode, we need to first flush the client side, as the
comment on the function already stated.
2 months ago
Philippe Antoine 1ba411458c detect: do not wait for more in log_flush
Ticket: 8336

When a packet has flag PKT_PSEUDO_DETECTLOG_FLUSH, we do not
expect to rerun detection on the same tx and direction again

So, do not set mpm_in_progress whose purpose is to not store
the state as we will run again.

Allows transactional bidirectional signatures to work on
thse log+flush pair of packets
2 months ago
Sergey Pinaev bb4e79c4f7 reputation: deduplicate skipping empty lines/comments 2 months ago
Sergey Pinaev 2e22ba65e7 reputation: remove unused code
Remove useless while() that led to buffer underflow

Ticket: #8500
2 months ago
Jason Ish 029fd1be59 eve: add rule generation source to alert record
When an alert is generated from firewall context, add an engine value of
"fw", otherwise "td" (for threat detect).

The engine field is only added when firewall mode is enabled.

Ticket: #8456
2 months ago
Philippe Antoine f0e246de34 detect/mqtt: reason_code keyword is now a multi-integer
Ticket: 7929

Builds a vector of the reason code in a tx to do so,
except if we use the default "any", where we do not append
to the vector, but just run detection while iterating
2 months ago
Juliana Fajardini 376eddbe98 security: minor formatting and re-structuring
For readability.
2 months ago