git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <vjulien@oisf.net>
	Fri, 3 Dec 2021 07:14:34 +0000 (08:14 +0100)
committer	Victor Julien <vjulien@oisf.net>
	Tue, 18 Jan 2022 11:21:52 +0000 (12:21 +0100)
commit	a492d94826f4078d1b9299cea4f21ba3d87e3f1f
tree	f67cb30f5f1cf347aee301e7a5e36c1523545518	tree \| snapshot
parent	02f98796a76cc7750ca9c30829cc26b90ac256b2	commit \| diff

detect/frames: implement 'frame' keyword

Implement a special sticky buffer to select frames for inspection.

This keyword takes an argument to specify the per protocol frame type:

    alert <app proto name> ... frame:<specific frame name>

Or it can specify both in the keyword:

    alert tcp ... frame:<app proto name>.<specific frame name>

The latter is useful in some cases like http, where "http" applies to
both HTTP and HTTP/2.

    alert http ... frame:http1.request;
    alert http1 ... frame:request;

Examples:

    tls.pdu
    smb.smb2.hdr
    smb.smb3.data

Consider a rule like:

    alert tcp ... flow:to_server; content:"|ff|SMB"; content:"some smb 1 issue";

this will scan all toserver TCP traffic, where it will only be limited by a port,
depending on how rules are grouped.

With this work we'll be able to do:

    alert smb ... flow:to_server; frame:smb1.data; content:"some smb 1 issue";

This rule will only inspect the data portion of SMB1 frames. It will not affect
any other protocol, and it won't need special patterns to "search" for the
SMB1 frame in the raw stream.

src/Makefile.am		diff \| blob \| blame \| history
src/detect-engine-register.c		diff \| blob \| blame \| history
src/detect-engine-register.h		diff \| blob \| blame \| history
src/detect-frame.c	[new file with mode: 0644]	blob
src/detect-frame.h	[new file with mode: 0644]	blob