aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
14,644 Commits
7 Branches
161 Tags
169 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f6f2c22574'
${ noResults }
Commit Graph

74 Commits (f6f2c225740e4fd1b6a02296eb9701d94daefea8)

Author SHA1 Message Date
Philippe Antoine d47dba27bf all: remove unused literals 2 years ago
Jason Ish 6344501dba tls: fix date logging for dates before 1970 
The Rust time crate used by the x509-parser crate represents dates
before 1970 as negative numbers which do not survive the conversion to
SCTime_t and formatting with the current time formatting functions.

Instead of fixing our formatting functions to handle such dates,
create a Rust function for logging TLS dates directly to JSON using
the time crate that handles such dates properly.

Also add a FFI function for formatting to a provided C buffer for the
legacy tls-log.

Issue: 5817
 3 years ago
Victor Julien c27df6304d app-layer: introduce common AppLayerStateData API 
Add per state structure for storing flags and other variables.
 3 years ago
Victor Julien 599791fa33 tls: make version and size checks stricter 
This way bad records won't buffer lots of stream data.
 3 years ago
Victor Julien c73d812026 tls: store cert data in heap buffer 
Cert chain is a list of pointers into this buffer, so can't use a
stream slice approach.
 3 years ago
Victor Julien e817a8f968 tls: parse client certificates 
Parse client cerificates and store them in the state similar to how
this is done for server certificates.

Update "progress" handling to not consider the TLS handshake complete
if the server indicated a client cert was needed.
 3 years ago
Victor Julien 82e03bd8fc tls: set event if record size exceeds limit 3 years ago
Victor Julien 4bab6e24e5 tls: support handshake fragmentation 
Implement TLS record defrag for handshake messages.

Ticket: #5183.
 3 years ago
Victor Julien bcaf0f6f7d tls: remove certificate buffering code 
TCP Buffering is now done in the app-layer using the incomplete API, on
the SSL/TLS record level. TLS level fragmentation will be implemented
separately.
 3 years ago
Victor Julien dbf3d1e977 tls: make SSLSetEvent a macro to help debugging 3 years ago
Shivani Bhardwaj 42c3f418c6 tls: add tls.random* keywords 
Add tls.random keyword that matches on the 32 bytes of the TLS
random field for client as well as server.
Add tls.random_time keyword that matches on the first 4 bytes of the TLS
random field for client as well as server.
Add tls.random_bytes keyword that matches on the last 28 bytes of the TLS
random field for client as well as server.

All these are sticky buffers.

Feature 5190
 3 years ago
Philippe Antoine 02f2602dde src: rework includes as per cppclean 3 years ago
Victor Julien af797b5926 ssl: implement frames for SSLv3 and TLS 4 years ago
Philippe Antoine c56b1c99d5 ssl: fix int warnings 
especially increasing padding_len size
 4 years ago
Jason Ish 7732efbec2 app-layer: include decoder events in app-layer tx data 
As most parsers use an events structure we can include it in the
tx_data structure to reduce some boilerplate/housekeeping code
in app-layer parsers.
 4 years ago
Jason Ish 9c67c634c1 app-layer: include DetectEngineState in AppLayerTxData 
Every transaction has an existing mandatory field, tx_data. As
DetectEngineState is also mandatory, include it in tx_data.

This allows us to remove the boilerplate every app-layer has
for managing detect engine state.
 4 years ago
Philippe Antoine 48f0c612e3 ssl: upgarde to uint32 for bytes_processed 
as it can overflow, and is compared with uint32 such as
message_length and message_start and
 5 years ago
Victor Julien fb780c7d92 ssl/tls: support AppLayerTxData 5 years ago
Pierre Chifflier 01aef49cbd rust/x509: map decoding errors to decoder events 5 years ago
Victor Julien 29dcd98ed1 tls/ja3: add way to check active config 6 years ago
Victor Julien 4cd3b84606 tls/ja3: allow dynamic enabling of ja3 6 years ago
Mats Klepsland a4471987ba app-layer-ssl: generate JA3S fingerprints 
Generate JA3S fingerprints based on fields in the ServerHello record.
 6 years ago
Mats Klepsland 033e756905 app-layer-ssl: add Facebook TLSv1.3 draft versions 
Add draft versions for Facebooks custom TLSv1.3 implementation "fizz"
to SSLVersionToString().
 7 years ago
Mats Klepsland 23993c18cd app-layer-ssl: decode early data extension in ClientHello record 
Decode early data extension used by 0-RTT that is used to indicate that
application data will be sent right after the ClientHello record.
 7 years ago
Mats Klepsland 97cc3475bf app-layer-ssl: add function to get string from version 
Add 'SSLVersionToString' to get string from version.
 7 years ago
Mats Klepsland 831ddb62d2 app-layer-ssl: add support for TLSv1.3 from draft 22 
Add support for draft 22 to draft 28 and for the final
version (RFC8446) of TLSv1.3.
 7 years ago
Mats Klepsland e0ef578c46 app-layer-ssl: add support for session tickets 
Add support for logging a session as 'resumed' when using a non-empty
session ticket extension in the client hello record.
 7 years ago
Mats Klepsland 21897a4d7a app-layer-ssl: add better session id support 
Verify that the session id from both the client hello record and the
server hello record matches before marking the session as 'resumed'.
 7 years ago
Mats Klepsland 7f0cfc0717 app-layer-ssl: use BIT_U32 for flags 7 years ago
Mats Klepsland d9ddae4592 tls: replace variable in header file with TAILQ_EMPTY() 
Use TAILQ_EMPTY to check if a certificate exists instead of
setting two variables in the app-layer-ssl header file for
that purpose only.
 7 years ago
Mats Klepsland 0c16cd0120 app-layer-ssl: generate JA3 fingerprints 
Decode additional fields from the client hello packet and generate
JA3 fingerprints.
 8 years ago
Victor Julien d0f19891b4 ssl/tls: use DetectFlags API 8 years ago
Victor Julien a0fad6bb7f mpm: run engines as few times as possible 
In various scenarios buffers would be checked my MPM more than
once. This was because the buffers would be inspected for a
certain progress value or higher.

For example, for each packet in a file upload, the engine would
not just rerun the 'http client body' MPM on the new data, it
would also rerun the method, uri, headers, cookie, etc MPMs.

This was obviously inefficent, so this patch changes the logic.

The patch only runs the MPM engines when the progress is exactly
the intended progress. If the progress is beyond the desired
value, it is run once. A tracker is added to the app layer API,
where the completed MPMs are tracked.

Implemented for HTTP, TLS and SSH.
 8 years ago
Ray Ruvinskiy 7539973109 tls: logging for session resumption 
We assume session resumption has occurred if the Client Hello message
included a session id, we have not seen the server certificate, but
we have seen a Change Cipher Spec message from the server.

Previously, these transactions were not logged at all because the
server cert was never seen.

Ticket: https://redmine.openinfosecfoundation.org/issues/1969
 8 years ago
Mats Klepsland 2c1a36dd6e app-layer-tls: decode certificate serial number 9 years ago
Victor Julien 473dae75b5 tls: introduce 'cert ready' state 9 years ago
Mats Klepsland 10c93221fa tls: increase max number of tls records per packet 
Tls packets may contain several records. This increase the number
of allowed records per packet from 30 to 255, and adds a new and
more informative decoder event when this limit is reached.
 9 years ago
Mats Klepsland bfd16dc74e app-layer-ssl: add validity dates from certificate 
Parsing of certificate validity dates to get notBefore and notAfter
fields.
 9 years ago
Mats Klepsland c36595eb35 tls: set event if input buffer overflows 
Set HANDSHAKE_INVALID_LENGTH event if input buffer overflows while
decoding client_hello/server_hello.
 9 years ago
Jason Ish afc796a099 ssl: store current state separately from cumulative state 
The ssl_state keyword needs the current state, not the cumulative state
in order be compatible with Snort's implementation.
 9 years ago
Mats Klepsland ed33f5f148 tlsstore: use TxLogger 9 years ago
Mats Klepsland 47a4daeeb8 output: allow more than one TLS logger 9 years ago
Mats Klepsland 88bf866381 output-lua: use LuaTxLogger for TLS 9 years ago
Mats Klepsland 1f98915ebe tls: register logger functions 9 years ago
Mats Klepsland e4f03b18ba tls: make TX aware 9 years ago
Mats Klepsland 7602f650b1 app-layer-ssl: fix memleak 
Avoid that the SNI extension code is executed twice sometimes, causing
memory leaks.
 10 years ago
Mats Klepsland 3ac1a3d9fe app-layer-ssl: get server name from SNI extension 
Decode client hello handshake to get server name from SNI extension.
 10 years ago
Mats Klepsland e634fcee60 lua: TLS lua output support 
Support TLS in lua output scripts (Feature #1568).

function init (args)
    local needs = {}
    needs["protocol"] = "tls"
    return needs
end

function setup (args)
    filename = SCLogPath() .. "/" .. "lua_tls.log"
    file = assert(io.open(filename, "a"))
end

function log (args)
    ts = SCPacketTimeString()
    ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()

    version, subject, issuer, fingerprint = TlsGetCertInfo();
    if version == nil then
        return 0
    end

    file:write(ts .. " " .. srcip .. ":" .. sp .. " -> " .. dstip  ..
               ":" .. dp .. "  TLS: " .. "Subject='" .. subject ..
               "' " .. "Issuerdn='" .. issuer .. "\n")
    file:flush()
end

function deinit (args)
    file:close(file)
end
 10 years ago
Eric Leblond 4db0a35f25 tls-store: now a separate module 
An design error was made when doing the TLS storage module which
has been made dependant of the TLS logging. At the time there was
only one TLS logging module but there is now two different ones.

By putting the TLS store module in a separate module, we can now
use EVE output and TLS store at the same time.
 10 years ago
Victor Julien db563ed4b0 tls: check SSL3/TLS version per record 
Set event if SSL3/TLS record isn't within the acceptable range.
 11 years ago