Victor Julien [Fri, 30 Oct 2020 12:40:17 +0000 (13:40 +0100)]
app-layer: remove callback for completion status
Since the completion status was a constant for all parsers, remove the
callback logic and instead register the values themselves. This should
avoid a lot of unnecessary callback calls.
Base64Encode function requires the maximum length of the output string
as its last parameter. Use the macro BASE64_BUFFER_SIZE to calculate it
correctly.
The size of encoded_data array and the maximum output length parameter
to Base64Encode function were incorrect leading to buffer overflow for
certain cases. The algorithm requires at least 5 bytes of space to even
convert a string of length 1.
Use BASE64_BUFFER_SIZE macro to correctly calculate this output length.
Set size of encoded_data array to the calculated output length.
Maximum length of a base64 encoded string can be 33% over the actual
length of the input string. The formula to best cover all the edge cases
is mathematically
(4 * (input_length + 2) / 3) + 1
Add a macro to calculate this for a given input length.
Philippe Antoine [Sat, 31 Oct 2020 16:12:19 +0000 (17:12 +0100)]
ssl: improves keyword ssl_version parsing
Removes the use of PCRE for performance
Forbids empty negations after a valid pattern
Forbids mixing negative and positive forms as it is irrelevant
Forbids useless repetition of a version
Philippe Antoine [Wed, 14 Oct 2020 19:25:40 +0000 (21:25 +0200)]
detect: null sanity checks for pkthdr
Even when the rules are only applied on traffic with the protocol
the structure for the protocol header can be set to NULL if there
was an error parsing the header
Jason Ish [Mon, 30 Nov 2020 21:11:57 +0000 (15:11 -0600)]
rust: handle windows naming change from .lib to .a
Prior to Rust 1.44, Cargo would name static libs with the .lib
extension. 1.44 changes this extension to .a when running under
a GNU environment on Windows like msys to make it more similar
to other unix environments.
Now assume static library name to be the same on Windows and
unix, but rename the .lib if found to still support older
versions of Rust on Windows.
Victor Julien [Mon, 30 Nov 2020 06:44:54 +0000 (07:44 +0100)]
detect: fix inspection order with stateful rules
When stateful detection rules, for which detection has already started
for a previous packet, are added to the candidates array, the array
is sorted to mantain the correct inspection order. However, due to a
trivial error in the sort helper the array was sorted in descending
instead of ascending order.
Philippe Antoine [Thu, 19 Nov 2020 14:50:54 +0000 (15:50 +0100)]
rust: fix warnings found by nightly compiler
warning: getting the inner pointer of a temporary `CString`
this `CString` is deallocated at the end of the statement,
bind it to a variable to extend its lifetime
Jason Ish [Mon, 23 Nov 2020 18:11:42 +0000 (12:11 -0600)]
dnp3: set byte order when logging dnp3 src and dst
DNP3 uses little endian on the wire, for the most part this
is handled as the messages are deserialize. However, the link
header is a cast over raw data, so swap these bytes as they
are being logged.
Jason Ish [Mon, 16 Nov 2020 17:36:39 +0000 (11:36 -0600)]
rust/log: expand macros after checking log level
Expand macros in the do_log macro after checking the log level
instead of each log macro (ie: SCLogDebug) expanding the macros
then passing off to do_log to have the log level check.
Will eliminate any expense of expanding macros if this log level
does not permit the given message to be logged.
Shivani Bhardwaj [Thu, 12 Nov 2020 11:06:39 +0000 (16:36 +0530)]
dcerpc/log: Log fields particular to an RPC version
Log fields that only are meant to be in a PDU for a particular RPC
version. Since DCERPC/UDP works on RPC version 4 and DCERPC/TCP works on
RPC version 5, there are certain fields that are particular to each
version.
Remove call_id from the logger for UDP.
Add activityuuid and seqnum fields to the logger for UDP.
call_id and (activityuuid + seqnum) fields are used to uniquely pair a
request with response for RPC versions 5 and 4 respectively.
Ilya Bakhtin [Tue, 10 Nov 2020 10:05:18 +0000 (15:35 +0530)]
dcerpc/udp: Fix pairing of request response
So far, request and response were paired with serial number fields in
the header. This is incorrect. According to
https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm,
"Together, the activity UUID and the sequence number uniquely identify
a remote procedure call."
Hence, add activity uuid and sequence number to the transaction and pair
the request accordingly. Remove incorrect handling of this and fix
tests.
app-layer: lower limit for protocol detection on protocol change
So that protocol detection does not run for too long because
TCPProtoDetectCheckBailConditions somehow relies on its TCP stream
to start from zero, which is not the case on protocol change
Adds also debug validation checks, such as
both sides are known on protocol change