Enables IPS functionality on Windows using the open-source
(LGPLv3/GPLv2) WinDivert driver and API.
From https://www.reqrypt.org/windivert-doc.html : "WinDivert is a
user-mode capture/sniffing/modification/blocking/re-injection package
for Windows Vista, Windows Server 2008, Windows 7, and Windows 8.
WinDivert can be used to implement user-mode packet filters, packet
sniffers, firewalls, NAT, VPNs, tunneling applications, etc., without
the need to write kernel-mode code."
- adds `--windivert [filter string]` and `--windivert-forward [filter
string]` command-line options to enable WinDivert IPS mode.
`--windivert[-forward] true` will open a filter for all traffic. See
https://www.reqrypt.org/windivert-doc.html#filter_language for more
information.
Limitation: currently limited to `autofp` runmode.
Additionally:
- `tmm_modules` now zeroed during `RegisterAllModules`
- fixed Windows Vista+ `inet_ntop` call in `PrintInet`
- fixed `GetRandom` bug (nonexistent keys) on fresh Windows installs
- fixed `RandomGetClock` building on Windows builds
- Added WMI queries for MTU
Victor Julien [Thu, 24 May 2018 12:56:30 +0000 (14:56 +0200)]
tls: new config for dealing with encrypted traffic
Much of encrypted traffic is uninteresting to Suricata. Once encrypted
communication starts, inspecting the packet payloads is generally
not interesting anymore. The default behavior is to disable the parts
of the detection engine and stream reassembly that relate to raw content
inspection.
The tls app-layer parser also had a crude option to affect this behavior:
set 'no-reassemble' to true went much further than the default behavior.
It disabled the TCP reassembly on the flow completely, disabled all
inspection on the flow and enabled bypass if available.
This patch adds a new option: full inspection. This continues to treat
a TLS session as any other, so without any limits to inspection.
The new option is implemented in a new config option 'encrypt-handling',
that replaces 'no-reassemble'. The new option has 3 values:
'default', 'full' and 'bypass'. Default is the current default behavior,
'bypass' is the current 'no-reassemble = true' behavior and 'full'
is the new full inspection mode.
Victor Julien [Wed, 23 May 2018 11:55:30 +0000 (13:55 +0200)]
detect/stream_size: apply rule to packets & stream
The use of stream_size in combination with raw content matches is an
indication that the rule needs to be evaluated per packet, not just
per reassembled stream chunk.
Jason Ish [Tue, 8 May 2018 23:49:52 +0000 (17:49 -0600)]
rust/dhcp: Rust based DHCP decoder and logger.
This is a DHCP decoder and logger written in Rust. Unlike most
parsers, this one is stateless so responses are not matched
up to requests by Suricata. However, the output does contain
enough fields to match them up in post-processing.
Rules are included to alert of malformed or truncated options.
Jason Ish [Wed, 13 Jun 2018 22:36:49 +0000 (16:36 -0600)]
eve: check if enabled before attempting to setup
Before setting up a sub eve-logger, check that it is enabled. This
allows us to set "enabled: no" for loggers that are not registered
with the system without generating an error. An example of this
is loggers that are only available with Rust.
Jason Ish [Thu, 31 May 2018 22:39:22 +0000 (16:39 -0600)]
rust/app-layer: macros to export de_state functions
These macros generate the extern "C" functions for transactions
structs that need provide functions for setting and getting
the de_state. The idea is to provide macros do avoid code
duplication and make it simpler to create an app-layer.
A trait would be the correct solution, but it doesn't look like
you can use traits to export extern "C" functions.
Eric Leblond [Wed, 23 May 2018 06:57:13 +0000 (08:57 +0200)]
util-random: workaround getrandom unavailability
getrandom syscall availability is detected at runtime. So it is
possible that the build is done on a box that supports it but
the run is done on a system with no availability. So a workaround
solution is needed to fix this case.
Also we have seen some issue in docker environment where the build
is detecting getrandom but where it does not work at runtime.
For both reasons, the code is updated to have a call to a fallback
function if ever the getrandom call returns that the syscall is
not available.
Jason Ish [Thu, 3 May 2018 17:35:18 +0000 (11:35 -0600)]
qa/coccinelle: allow to run from non git directory
For example, when I put the contents of a git worktree into
a Docker image for a test build .git will not be a directory
causing the run_check.sh script to fail.
Maurizio Abba [Mon, 15 Jan 2018 15:59:28 +0000 (15:59 +0000)]
xff: Use XFF configuration in eve and filestore
XFF configuration is already set in app-layer-htp-xff, and in
output-json-alert. Extending XFF configuration to files and HTTP allow
to get the same behavior as for alerts.
Extend the configuration of filestore json to let filestore metafile
dump be aware of xff. This is available only if write-fileinfo is set
to yes and file-store version is 2.
Elazar Broad [Wed, 2 May 2018 16:38:40 +0000 (12:38 -0400)]
Fix segfault when the protocol is anything other than HTTP
When a file is transferred over anything other than HTTP, the previously hard-coded HTTP protocol would trigger a non-existent index into htp_list_array_get(), causing a segfault. This patch mimics the logic in detect-lua-extensions.c.
Validate that the content that follows the 'tls_cert_serial' keyword
is on the correct form. If it's longer than two bytes it should be
separated by colons.
Max Fillinger [Mon, 15 Jan 2018 09:18:53 +0000 (10:18 +0100)]
Add an option for compressing pcap-log files
Introduces the option 'outputs.pcap-log.compression' which can be set
to 'none' or 'lz4', plus options to set the compression level and to
enable checksums. SCFmemopen is used to make pcap_dump() write to a
buffer which is then compressed using liblz4.
Eric Leblond [Thu, 19 Apr 2018 17:13:20 +0000 (19:13 +0200)]
af-packet: dump counters when timeout occurs
When traffic is becoming null (mainly seen in tests) we reach the
situation where there is timeouts in the poll on the socket and
only that. Existing code is then just looping on the poll and
the result is that the packet iface counters are not updated.
This patch calls the dump counter function to be sure to get
the counter right faster (and not only right at exit).
Jason Ish [Thu, 26 Apr 2018 13:15:39 +0000 (07:15 -0600)]
rules: install to $datadir/suricata/rules
Common /usr/share/suricata/rules or /usr/local/share/suricata/rules.
The rules provided by the distribution are installed here as part
of the Suricata install process so will always be installed, even
without the use of install-rules.
Eric Leblond [Fri, 20 Apr 2018 17:23:21 +0000 (19:23 +0200)]
stream-tcp: fix stream depth computation
The stream depth computation was partly done with the stream_config
depth instead of using the value in the TCP session. As a result,
some configuration were resulting in abnormal behavior.
In particular, when stream depth was 0 and the file store depth was
not 0, Suricata was stopping the streaming on the flow as soon as
the filestore was started.
There is a difference in the size of the buffer length as passed from
the content buffers (cfr HttpReassembledBody.buffer_len) and the buflen
variable passed to mpm primitives. This can cause a misdetection
whenever the bufferlen is multiple of 65536 (as uint16(X*65536) == 0).
Increasing the buflen variable type to uint32 solves the issue (this
does not cause any issue with primitives, they all accept uint32).
Victor Julien [Fri, 6 Apr 2018 10:57:24 +0000 (12:57 +0200)]
files: properly close files on flow timeout
If a file transfer stops on flow timeout, it won't be closed or
truncated. This patch makes sure that in such cases the files
are indeed truncated. This fixes the filestore-v2 output module,
as that requires a sha256 for storing the partial file correctly.
projects / thirdparty / suricata.git / log
