git.ipfire.org Git - thirdparty/suricata.git/log
7 years ago  rust/dhcp: free events and destate at tx end 3446/head
Victor Julien [Mon, 6 Aug 2018 10:08:20 +0000 (12:08 +0200)] 
rust/dhcp: free events and destate at tx end

7 years ago  decode: set pktlen of decode handler to uint32
Maurizio Abba [Tue, 16 Jan 2018 16:53:51 +0000 (16:53 +0000)] 
decode: set pktlen of decode handler to uint32

Change the decode handler signature to increase the size of its decode
handler, from uint16 to uint32. This is necessary to let suricata use
interfaces with mtu > 65535 (ex: lo interface has default size 65536).

It's necessary to change several primitives for Packet manipulation, to
unify the parameter "packet length" whenever we are before IP decoding.

Add tests before calling DecodeIPVX function to avoid a possible
integer overflow over the len parameter.

7 years ago  detect: free rule group init memory at the end of startup
Victor Julien [Sat, 4 Aug 2018 08:10:58 +0000 (10:10 +0200)] 
detect: free rule group init memory at the end of startup

7 years ago  detect: fix fileext and filename negated match
Maurizio Abba [Tue, 31 Jul 2018 06:08:10 +0000 (07:08 +0100)] 
detect: fix fileext and filename negated match

fix bug in fileext and filename preventing negated match from working
correctly. Previously, negated fileext (such as !"php") would cause a
match anyway on files that have extension php, as the last if would not
be accessed.

Using the same workflow as detect-filemagic we remove the final
isolated if and set it as a branch of the previous if.

7 years ago  eve/smb: use flow direction for tuple 3440/head
Victor Julien [Thu, 2 Aug 2018 13:10:15 +0000 (15:10 +0200)] 
eve/smb: use flow direction for tuple

7 years ago  smb1: add SMB1_COMMAND_QUERY_INFO_DISK command mapping
Victor Julien [Thu, 2 Aug 2018 13:09:52 +0000 (15:09 +0200)] 
smb1: add SMB1_COMMAND_QUERY_INFO_DISK command mapping

7 years ago  smb: add smb-events.rules to dist
Victor Julien [Thu, 2 Aug 2018 11:49:26 +0000 (13:49 +0200)] 
smb: add smb-events.rules to dist

7 years ago  output-json: ensure string is json-encodable
Maurizio Abba [Thu, 26 Jul 2018 12:54:58 +0000 (13:54 +0100)] 
output-json: ensure string is json-encodable

Substitute json_string with SCJsonString custom function.
SCJsonString will ensure string passed is json-encodable (utf-8).
If it's not, the string will be converted in such a way that any
non-printable character will be encoded in its hex form.
The resulting json object will be returned.

rust modification will encode any non-printable character during its
conversion in to_cstring.
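
The conversion the commit above describes, as an added example written for this page rather than Suricata's SCJsonString or its Rust to_cstring change: bytes that form valid, printable UTF-8 are copied through, and every other byte (control characters, invalid or truncated UTF-8 sequences) is replaced by a hex escape so the result is always encodable and nothing is silently dropped. The `\xNN` escape form and the definition of "printable" (0x20..0x7e plus well-formed non-ASCII UTF-8) are choices made for this example.

```rust
/// Turn raw bytes (a filename, an SMB share name, an HTTP header) into a
/// String that a JSON encoder will accept. Valid printable UTF-8 passes
/// through; anything else becomes `\xNN`. The escape form and the
/// printable range are assumptions for this example, not Suricata's.
pub fn json_safe_string(input: &[u8]) -> String {
    let mut out = String::with_capacity(input.len());
    let mut i = 0;
    while i < input.len() {
        let b = input[i];
        if b.is_ascii() {
            if (0x20..0x7f).contains(&b) {
                out.push(b as char);
            } else {
                // control byte, DEL, NUL ...
                out.push_str(&format!("\\x{:02x}", b));
            }
            i += 1;
            continue;
        }
        // Non-ASCII lead byte: decode exactly one scalar if the bytes form
        // a valid sequence, otherwise escape just this byte and move on.
        match utf8_width(b) {
            Some(w) if i + w <= input.len() => match std::str::from_utf8(&input[i..i + w]) {
                Ok(s) => {
                    out.push_str(s);
                    i += w;
                }
                Err(_) => {
                    out.push_str(&format!("\\x{:02x}", b));
                    i += 1;
                }
            },
            _ => {
                // continuation byte without a lead, invalid lead, or the
                // sequence is cut off by the end of the input
                out.push_str(&format!("\\x{:02x}", b));
                i += 1;
            }
        }
    }
    out
}

/// Expected sequence length for a UTF-8 lead byte; None for bytes that
/// can never start a sequence.
fn utf8_width(lead: u8) -> Option<usize> {
    match lead {
        0xc2..=0xdf => Some(2),
        0xe0..=0xef => Some(3),
        0xf0..=0xf4 => Some(4),
        _ => None,
    }
}

fn main() {
    // Constructed samples: a plain name, a Latin-1 name that is not UTF-8,
    // and valid UTF-8 followed by a NUL.
    let samples: [&[u8]; 3] = [
        b"index.html",
        b"\xe9t\xe9",
        "caf\u{e9}\x00".as_bytes(),
    ];
    for s in samples.iter() {
        println!("{:?} -> {}", s, json_safe_string(s));
    }
}
```

Escaping per byte rather than per sequence keeps a truncated multi-byte character from swallowing the bytes after it, which matters when the input was cut by a reassembly gap.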

7 years ago  devices: clean up device init code
Victor Julien [Thu, 2 Aug 2018 11:21:51 +0000 (13:21 +0200)] 
devices: clean up device init code

7 years ago  suricata: fix init process for layer 2 IPS
Eric Leblond [Tue, 24 Jul 2018 15:28:47 +0000 (17:28 +0200)] 
suricata: fix init process for layer 2 IPS

4474889667d664a66c1c123f4f7d2756e8a7fbb9 did break the logic of IPS
mode detection for layer 2 IPS mode like Netmap and AF_PACKET. This
patch fixes the issue by calling the IPS detection mode after
complete registration of the interfaces.

Reported-by: Alexander Gozman <a.gozman@securitycode.ru>

7 years ago  output/tls: don't pass NULL fingerprint to json logging
Victor Julien [Thu, 2 Aug 2018 10:31:40 +0000 (12:31 +0200)] 
output/tls: don't pass NULL fingerprint to json logging

7 years ago  ssl: fix uninitialized variable warning
Victor Julien [Thu, 2 Aug 2018 06:12:48 +0000 (08:12 +0200)] 
ssl: fix uninitialized variable warning

7 years ago  detect/analyzer: log mask flags and more engine details
Victor Julien [Wed, 1 Aug 2018 21:42:29 +0000 (23:42 +0200)] 
detect/analyzer: log mask flags and more engine details

7 years ago  dcerpc: fix dce_iface not matching
Victor Julien [Wed, 1 Aug 2018 19:52:16 +0000 (21:52 +0200)] 
dcerpc: fix dce_iface not matching

7 years ago  detect/dce: fix false positives in detection
Victor Julien [Wed, 1 Aug 2018 15:32:34 +0000 (17:32 +0200)] 
detect/dce: fix false positives in detection

If a signature didn't explicitly specify 'dcerpc' or 'smb' as the
app proto, false positives on other traffic could happen. This was
caused by the sig not having an app_proto set. This isn't set as the
rule is supposed to match against either ALPROTO_DCERPC or ALPROTO_SMB.

To avoid adding runtime costs for checking for both protocols, this
patch adds a new flag for DCERPC in the 'mask' logic. The flag is set
on the sig if dce_* keywords are present and set on the packet if the
flow's app proto is either ALPROTO_DCERPC or ALPROTO_SMB.

Bug #2559

Reported-by: Jason Taylor
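
The 'mask' check the commit above describes, as an added example written for this page and not Suricata's SignatureMask code: each rule records at load time which properties a packet must have for the rule to be worth evaluating, each packet computes the same bits once, and a single AND decides whether the rule is a candidate. The flag names, bit layout and struct fields are illustrative; the `with_dce_flag` switch exists only to show the before and after of the fix on the same input.

```rust
/// Bits a signature can demand of a packet before the full rule runs.
/// Names and layout are chosen for this example, not Suricata's.
pub const MASK_FLOW: u8 = 1 << 0;    // packet belongs to a tracked flow
pub const MASK_PAYLOAD: u8 = 1 << 1; // packet carries payload
pub const MASK_DCERPC: u8 = 1 << 2;  // flow app proto is DCERPC or SMB

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AppProto {
    Unknown,
    Http,
    Smb,
    Dcerpc,
}

pub struct Signature {
    pub name: &'static str,
    pub app_proto: Option<AppProto>, // set by "alert dcerpc ..." / "alert smb ..."
    pub uses_dce_keywords: bool,     // dce_iface, dce_opnum, dce_stub_data
    pub needs_payload: bool,
}

pub struct Packet {
    pub has_payload: bool,
    pub flow_app_proto: AppProto,
}

/// Computed once per signature when rules are loaded.
pub fn signature_mask(sig: &Signature, with_dce_flag: bool) -> u8 {
    let mut m = MASK_FLOW;
    if sig.needs_payload {
        m |= MASK_PAYLOAD;
    }
    // The fix: dce_* keywords set the DCERPC bit even when the rule names
    // no app proto, because such a rule may match either SMB or DCERPC.
    if sig.uses_dce_keywords && with_dce_flag {
        m |= MASK_DCERPC;
    }
    m
}

/// Computed once per packet, then compared against every candidate rule.
pub fn packet_mask(p: &Packet) -> u8 {
    let mut m = MASK_FLOW;
    if p.has_payload {
        m |= MASK_PAYLOAD;
    }
    if matches!(p.flow_app_proto, AppProto::Dcerpc | AppProto::Smb) {
        m |= MASK_DCERPC;
    }
    m
}

/// True if the rule must still be evaluated in full for this packet.
pub fn is_candidate(sig: &Signature, p: &Packet, with_dce_flag: bool) -> bool {
    // Rules with an explicit app proto were already filtered here; the bug
    // only affected rules that leave it unset.
    if let Some(proto) = sig.app_proto {
        if proto != p.flow_app_proto {
            return false;
        }
    }
    let need = signature_mask(sig, with_dce_flag);
    (need & packet_mask(p)) == need
}

fn main() {
    let rule = Signature {
        name: "dce_iface rule without app proto",
        app_proto: None,
        uses_dce_keywords: true,
        needs_payload: true,
    };
    let http = Packet { has_payload: true, flow_app_proto: AppProto::Http };
    let smb = Packet { has_payload: true, flow_app_proto: AppProto::Smb };
    for (label, p) in [("http", &http), ("smb", &smb)].iter() {
        println!(
            "{} on {}: candidate before fix={} after fix={}",
            rule.name,
            label,
            is_candidate(&rule, p, false),
            is_candidate(&rule, p, true)
        );
    }
}
```

With the flag in place the HTTP packet is rejected by one AND instead of reaching the dce_iface matcher, which is the "no runtime cost for checking both protocols" the commit refers to.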

7 years ago  detect: minor code cleanups
Victor Julien [Wed, 1 Aug 2018 15:12:17 +0000 (17:12 +0200)] 
detect: minor code cleanups

7 years ago  detect/dce: keyword cleanups
Victor Julien [Wed, 1 Aug 2018 15:06:26 +0000 (17:06 +0200)] 
detect/dce: keyword cleanups

7 years ago  smb: probing parser improvement
Victor Julien [Tue, 31 Jul 2018 17:20:15 +0000 (19:20 +0200)] 
smb: probing parser improvement

7 years ago  proto/detect: remove probing parser offset argument
Victor Julien [Tue, 31 Jul 2018 07:34:29 +0000 (09:34 +0200)] 
proto/detect: remove probing parser offset argument

Remove offset argument as it was unused.

7 years ago  detect/flow: minor code cleanups
Victor Julien [Mon, 30 Jul 2018 17:27:09 +0000 (19:27 +0200)] 
detect/flow: minor code cleanups

7 years ago  detect: avoid potential use-after-free in error path
Victor Julien [Mon, 30 Jul 2018 15:04:57 +0000 (17:04 +0200)] 
detect: avoid potential use-after-free in error path

7 years ago  proto/detect: minor cleanup
Victor Julien [Sun, 29 Jul 2018 11:12:21 +0000 (13:12 +0200)] 
proto/detect: minor cleanup

7 years ago  detect: clean up counter registration
Victor Julien [Sat, 28 Jul 2018 12:23:01 +0000 (14:23 +0200)] 
detect: clean up counter registration

7 years ago  flow: fix comment typos
Victor Julien [Thu, 26 Jul 2018 08:47:52 +0000 (10:47 +0200)] 
flow: fix comment typos

7 years ago  nfs4: create tx for CREATE procedure 3432/head
Victor Julien [Mon, 23 Jul 2018 09:47:39 +0000 (11:47 +0200)] 
nfs4: create tx for CREATE procedure

7 years ago  nfs: fix applying nfs3 logging logic to nfs4
Victor Julien [Mon, 23 Jul 2018 09:47:05 +0000 (11:47 +0200)] 
nfs: fix applying nfs3 logging logic to nfs4

7 years ago  nfs4: log remove procedure + add multi-proc support
Victor Julien [Sat, 21 Jul 2018 16:13:32 +0000 (18:13 +0200)] 
nfs4: log remove procedure + add multi-proc support

Add TX creation for NFS4 transactions. Start with the 'REMOVE' procedure.

Start on logging all procs. In NFS4 COMPOUND records there are multiple
procedures. One of them can be considered the 'main' procedure, with others
as supporting utility. This patch adds the first step towards tracking
those in the TX for logging and inspection.

7 years ago  nfs4: for putrootfh set 'mount root' as name
Victor Julien [Sat, 21 Jul 2018 14:59:26 +0000 (16:59 +0200)] 
nfs4: for putrootfh set 'mount root' as name

7 years ago  nfs: rename generic functions from nfs3 to nfs
Victor Julien [Sat, 21 Jul 2018 08:12:41 +0000 (10:12 +0200)] 
nfs: rename generic functions from nfs3 to nfs

7 years ago  nfs: move v2 parsing into own file
Victor Julien [Sat, 21 Jul 2018 08:06:18 +0000 (10:06 +0200)] 
nfs: move v2 parsing into own file

7 years ago  nfs3: move nfs3 specific handling into own file
Victor Julien [Sat, 21 Jul 2018 07:54:36 +0000 (09:54 +0200)] 
nfs3: move nfs3 specific handling into own file

7 years ago  nfs: request parser cleanup
Victor Julien [Sat, 21 Jul 2018 07:46:42 +0000 (09:46 +0200)] 
nfs: request parser cleanup

7 years ago  changelog: update to 4.1rc1 suricata-4.1.0-rc1
Victor Julien [Fri, 20 Jul 2018 08:20:17 +0000 (10:20 +0200)] 
changelog: update to 4.1rc1

7 years ago  changelog: add missing 4.1beta1 tickets
Victor Julien [Fri, 20 Jul 2018 08:07:29 +0000 (10:07 +0200)] 
changelog: add missing 4.1beta1 tickets

7 years ago  nfs: get rid of reachable panic statements
Victor Julien [Thu, 19 Jul 2018 17:13:22 +0000 (19:13 +0200)] 
nfs: get rid of reachable panic statements

7 years ago  nfs4: remove panic calls, set events instead
Victor Julien [Thu, 19 Jul 2018 13:45:08 +0000 (15:45 +0200)] 
nfs4: remove panic calls, set events instead

7 years ago  nfs4: support 4.1 SEQUENCE procedure
Victor Julien [Thu, 19 Jul 2018 13:28:12 +0000 (15:28 +0200)] 
nfs4: support 4.1 SEQUENCE procedure

7 years ago  config: better default rule file configuration 3428/head
Jason Ish [Fri, 13 Jul 2018 14:55:12 +0000 (08:55 -0600)] 
config: better default rule file configuration

Move the rule file configuration down near the bottom of the
configuration file under advanced settings. With the bundling
of Suricata-Update, any rule file configuration within
suricata.yaml could be considered advanced.

Add extra comments to the yaml to make it more clear which was
enabled at installation time.

7 years ago  detect-parse: fix missing space in error message (2541)
Danny Browning [Tue, 17 Jul 2018 18:17:19 +0000 (12:17 -0600)] 
detect-parse: fix missing space in error message (2541)

Fix missing space in error message.

7 years ago  enip: harden byte parsing code
Victor Julien [Thu, 19 Apr 2018 12:55:01 +0000 (14:55 +0200)] 
enip: harden byte parsing code

Make sure we never read more than we have.

Reported-by: Henning Perl

7 years ago  ssh: fix out of bounds read in banner parsing
Victor Julien [Thu, 19 Apr 2018 09:27:43 +0000 (11:27 +0200)] 
ssh: fix out of bounds read in banner parsing

Reported-by: Henning Perl

7 years ago  stream: support RST getting lost/ignored
Victor Julien [Thu, 10 May 2018 15:23:05 +0000 (17:23 +0200)] 
stream: support RST getting lost/ignored

In case of a valid RST on a SYN, the state is switched to 'TCP_CLOSED'.
However, the target of the RST may not have received it, or may not
have accepted it. Also, the RST may have been injected, so the supposed
sender may not actually be aware of the RST that was sent in its name.

In this case the previous behavior was to switch the state to CLOSED and
accept no further TCP updates or stream reassembly.

This patch changes this. It still switches the state to CLOSED, as this
is by far the most likely to be correct. However, it will reconsider
the state if the receiver continues to talk.

To do this on each state change the previous state will be recorded in
TcpSession::pstate. If a non-RST packet is received after a RST, this
TcpSession::pstate is used to try to continue the conversation.

If the (supposed) sender of the RST is also continuing the conversation
as normal, it's highly likely it didn't send the RST. In this case
a stream event is generated.

Ticket: #2501

Reported-By: Kirill Shipulin

7 years ago  stream-events: fix mapping
Victor Julien [Mon, 21 May 2018 14:15:39 +0000 (16:15 +0200)] 
stream-events: fix mapping

7 years ago  smb: log trans2 that enable delete on close 3421/head
Victor Julien [Tue, 10 Jul 2018 15:22:53 +0000 (17:22 +0200)] 
smb: log trans2 that enable delete on close

7 years ago  smb1: add support for trans2 set_path_info rename
Victor Julien [Mon, 9 Jul 2018 13:43:02 +0000 (15:43 +0200)] 
smb1: add support for trans2 set_path_info rename

7 years ago  smb: improve dcerpc logic
Victor Julien [Sat, 7 Jul 2018 09:47:55 +0000 (11:47 +0200)] 
smb: improve dcerpc logic

Detect whether a pipe is a dcerpc channel based on the name of the
pipe.

7 years ago  smb1: improve NT Create response record parsing
Victor Julien [Sat, 7 Jul 2018 08:37:59 +0000 (10:37 +0200)] 
smb1: improve NT Create response record parsing

7 years ago  http: fix setting event on the last tx
Victor Julien [Thu, 5 Jul 2018 09:43:41 +0000 (11:43 +0200)] 
http: fix setting event on the last tx

7 years ago  pcap-file: fix segv on bad pcap format
Victor Julien [Thu, 5 Jul 2018 08:13:52 +0000 (10:13 +0200)] 
pcap-file: fix segv on bad pcap format

7 years ago  http: set events for too many layers of compression
Victor Julien [Thu, 5 Jul 2018 08:01:47 +0000 (10:01 +0200)] 
http: set events for too many layers of compression

libhtp would already issue warnings, but these were not mapped
to events yet.

7 years ago  source-pcap-file: delete when done (2417)
Danny Browning [Tue, 16 Jan 2018 16:24:16 +0000 (09:24 -0700)] 
source-pcap-file: delete when done (2417)

https://redmine.openinfosecfoundation.org/issues/2417

Add option to have pcap files deleted after they have been processed.
This option combines well with pcap file continuous and streaming
files to a directory being processed.

7 years ago  detect: fix memory leak in app-layer-event keyword
Victor Julien [Wed, 4 Jul 2018 13:10:34 +0000 (15:10 +0200)] 
detect: fix memory leak in app-layer-event keyword

Bug #2515.

7 years ago  app-layer/tcp: set STREAM_MIDSTREAM flag
Victor Julien [Thu, 21 Jun 2018 13:22:26 +0000 (15:22 +0200)] 
app-layer/tcp: set STREAM_MIDSTREAM flag

7 years ago  rust/smb: search for record on midstream start
Victor Julien [Thu, 21 Jun 2018 12:31:14 +0000 (14:31 +0200)] 
rust/smb: search for record on midstream start

Calls with both START and MIDSTREAM mean the record might be cut and the
start of it could be missing. For this case, enable the same logic as is
used when catching up after a GAP. Search for the start of the record
instead of assuming it sits exactly at the start of the input data.

7 years ago  rust: define all STREAM_* types
Victor Julien [Thu, 21 Jun 2018 12:18:02 +0000 (14:18 +0200)] 
rust: define all STREAM_* types

7 years ago  app-layer: pass STREAM_* flags to parser
Victor Julien [Thu, 21 Jun 2018 09:23:27 +0000 (11:23 +0200)] 
app-layer: pass STREAM_* flags to parser

Pass the STREAM_* flags to the app-layer parser functions so that
the parser can know more about how it is called.

7 years ago  detect: fix delayed detect
Victor Julien [Sat, 30 Jun 2018 12:13:19 +0000 (14:13 +0200)] 
detect: fix delayed detect

Last multi-detect changes broke delayed-detect by refusing to reload
a 'stub' detect engine. This patch distinguishes between a stub for
multi-tenancy and for delayed detect.

7 years ago  add note about eve-alert metadata
jason taylor [Thu, 28 Jun 2018 18:08:43 +0000 (14:08 -0400)] 
add note about eve-alert metadata

Signed-off-by: jason taylor <jtfas90@gmail.com>

7 years ago  doc: alphabetize EXTRA_DIST
Jason Ish [Thu, 28 Jun 2018 16:07:52 +0000 (10:07 -0600)] 
doc: alphabetize EXTRA_DIST

7 years ago  doc: add window ips inline doc to extra_dist
Jason Ish [Thu, 28 Jun 2018 16:05:05 +0000 (10:05 -0600)] 
doc: add window ips inline doc to extra_dist

7 years ago  doc: make warnings errors when building man page
Jason Ish [Thu, 28 Jun 2018 15:24:46 +0000 (09:24 -0600)] 
doc: make warnings errors when building man page

7 years ago  doc: link in windows ips setup page
Jason Ish [Thu, 28 Jun 2018 15:07:55 +0000 (09:07 -0600)] 
doc: link in windows ips setup page

7 years ago  detect: reload-rules shouldn't reload a stub
Victor Julien [Thu, 28 Jun 2018 14:31:40 +0000 (16:31 +0200)] 
detect: reload-rules shouldn't reload a stub

7 years ago  detect/debug: suppress noisy info messages 3409/head
Victor Julien [Thu, 28 Jun 2018 08:43:25 +0000 (10:43 +0200)] 
detect/debug: suppress noisy info messages

7 years ago  detect/multi-tenant: fix mix of default detect engine and tenants
Victor Julien [Wed, 27 Jun 2018 20:17:34 +0000 (22:17 +0200)] 
detect/multi-tenant: fix mix of default detect engine and tenants

7 years ago  detect: make detect engine types explicit
Victor Julien [Wed, 27 Jun 2018 11:44:06 +0000 (13:44 +0200)] 
detect: make detect engine types explicit

There are 3 types of detect engine objects:
    1. normal
       The normal detection engine if no multi-tenancy is in use

    2. tenant
       A per tenant detection engine

    3. stub
       A stub (or minimal as it was called before) detect engine
       that is needed to have something in place when there are
       only tenants.

       A stub is also used in case of 'delayed detect', where we
       need a minimal detect engine to start up which is replaced
       by a full (normal type) detect engine after startup.

This patch adds a new field 'type' to the DetectEngineCtx object
to distinguish between the types. This replaces the boolean 'minimal'.

7 years ago  dhcp: suppress notice message at startup
Victor Julien [Mon, 25 Jun 2018 09:17:29 +0000 (11:17 +0200)] 
dhcp: suppress notice message at startup

7 years ago  rust/dns - remove extra parentheses
Jason Ish [Mon, 25 Jun 2018 14:40:54 +0000 (08:40 -0600)] 
rust/dns - remove extra parentheses

Removes rust compiler warning.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2521

7 years ago  yaml-loader: fix memory leak on fail include
Jason Ish [Mon, 25 Jun 2018 13:08:38 +0000 (07:08 -0600)] 
yaml-loader: fix memory leak on fail include

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/1929

If an include failed to load, either by the file not existing or
a parse error, the file pointer and yaml parser instance were
leaked.

7 years ago  output-json-alert: log correct dns and dnp3 tx
Eric Leblond [Thu, 21 Jun 2018 19:05:16 +0000 (21:05 +0200)] 
output-json-alert: log correct dns and dnp3 tx

Using the transaction log entry is not correct to log the transaction
that did cause the alert. The tx_id in the PacketAlert is correct
so let's use that.

7 years ago  detect/multi-tenant: fix removing of tenant id 0
Victor Julien [Tue, 26 Jun 2018 11:27:09 +0000 (13:27 +0200)] 
detect/multi-tenant: fix removing of tenant id 0

7 years ago  unix/multi-tenant: improve (log) messages
Victor Julien [Mon, 25 Jun 2018 11:57:16 +0000 (13:57 +0200)] 
unix/multi-tenant: improve (log) messages

7 years ago  detect/tenants: fix crash when adding mapping
Victor Julien [Mon, 25 Jun 2018 09:15:16 +0000 (11:15 +0200)] 
detect/tenants: fix crash when adding mapping

When no tenants and mappings are defined in 'live' mode, adding a
mapping resulted in a crash.

7 years ago  detect: remove lock from global keyword logic
Victor Julien [Sun, 24 Jun 2018 09:06:24 +0000 (11:06 +0200)] 
detect: remove lock from global keyword logic

The global keyword registration and per thread init handling used
the lock from the DetectEngineMasterCtx. This led to a deadlock
situation at multi-tenancy tenant reloads.

The lock was unnecessary however, as the only time the registration
list is updated is at engine initialization. At that time Suricata
is still running in a single thread. After this, the data structure
doesn't change anymore.

Bug #2516.

7 years ago  Adds WinDivert support to Windows builds 3402/head
Jacob Masen-Smith [Wed, 20 Jun 2018 20:44:26 +0000 (13:44 -0700)] 
Adds WinDivert support to Windows builds

Enables IPS functionality on Windows using the open-source
(LGPLv3/GPLv2) WinDivert driver and API.

From https://www.reqrypt.org/windivert-doc.html : "WinDivert is a
user-mode capture/sniffing/modification/blocking/re-injection package
for Windows Vista, Windows Server 2008, Windows 7, and Windows 8.
WinDivert can be used to implement user-mode packet filters, packet
sniffers, firewalls, NAT, VPNs, tunneling applications, etc., without
the need to write kernel-mode code."

- adds `--windivert [filter string]` and `--windivert-forward [filter
    string]` command-line options to enable WinDivert IPS mode.
    `--windivert[-forward] true` will open a filter for all traffic. See
    https://www.reqrypt.org/windivert-doc.html#filter_language for more
    information.

Limitation: currently limited to `autofp` runmode.

Additionally:
- `tmm_modules` now zeroed during `RegisterAllModules`
- fixed Windows Vista+ `inet_ntop` call in `PrintInet`
- fixed `GetRandom` bug (nonexistent keys) on fresh Windows installs
- fixed `RandomGetClock` building on Windows builds
- Added WMI queries for MTU

7 years ago  travis: use gcc-7 on cocci build 3401/head
Jason Ish [Tue, 19 Jun 2018 17:03:04 +0000 (11:03 -0600)] 
travis: use gcc-7 on cocci build

Catches more errors, like switch statement fall-throughs
that are caught in private QA.

7 years ago  doc: fix minor typo 3399/head
Chris Speidel [Sun, 17 Jun 2018 22:25:23 +0000 (18:25 -0400)] 
doc: fix minor typo

7 years ago  filestore: fix truncation warnings
Jason Ish [Sat, 16 Jun 2018 13:37:28 +0000 (07:37 -0600)] 
filestore: fix truncation warnings

7 years ago  packet: gre over ip link type
fooinha [Fri, 1 Jun 2018 11:45:10 +0000 (12:45 +0100)] 
packet: gre over ip link type

7 years ago  tls: document encrypt-handling option
Victor Julien [Tue, 29 May 2018 19:37:21 +0000 (21:37 +0200)] 
tls: document encrypt-handling option

Document in sample yaml and user guide.

7 years ago  tls: new config for dealing with encrypted traffic
Victor Julien [Thu, 24 May 2018 12:56:30 +0000 (14:56 +0200)] 
tls: new config for dealing with encrypted traffic

Much of encrypted traffic is uninteresting to Suricata. Once encrypted
communication starts, inspecting the packet payloads is generally
not interesting anymore. The default behavior is to disable the parts
of the detection engine and stream reassembly that relate to raw content
inspection.

The tls app-layer parser also had a crude option to affect this behavior:
setting 'no-reassemble' to true went much further than the default behavior.
It disabled the TCP reassembly on the flow completely, disabled all
inspection on the flow and enabled bypass if available.

This patch adds a new option: full inspection. This continues to treat
a TLS session as any other, so without any limits to inspection.

The new option is implemented in a new config option 'encrypt-handling',
that replaces 'no-reassemble'. The new option has 3 values:
'default', 'full' and 'bypass'. Default is the current default behavior,
'bypass' is the current 'no-reassemble = true' behavior and 'full'
is the new full inspection mode.
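
A suricata.yaml fragment showing the three settings side by side, added for this page and not copied from the project's sample configuration: the key path under app-layer.protocols.tls, the key name and the three values are taken from the commit message above; the surrounding enabled/detection-ports keys are only context, and the comments paraphrase the behaviour the message describes. Released Suricata versions spell this key `encryption-handling`; use the spelling your version's suricata.yaml.in documents.

```yaml
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      # Replaces the old boolean 'no-reassemble'. What to do once the
      # handshake is over and the payload is encrypted:
      #   default - keep tracking the TLS session and the tls_* keywords,
      #             but stop raw content inspection and the stream
      #             reassembly that only serves it (cheapest safe choice).
      #   bypass  - the old 'no-reassemble: true': no further reassembly
      #             or inspection on the flow at all; hand the flow to
      #             bypass if the capture method offers it.
      #   full    - treat the session like any other flow, with no limit
      #             on inspection; needed only if rules must see the
      #             encrypted bytes themselves, and the most expensive.
      encrypt-handling: default
```

Pick `bypass` only where the encrypted payload will never be inspected anyway (for example when TLS is terminated and re-inspected elsewhere); `full` keeps raw `content` matches running on ciphertext, which rarely matches anything and costs reassembly memory on every long-lived TLS flow.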

7 years ago  detect/stream_size: code cleanups
Victor Julien [Thu, 24 May 2018 12:56:03 +0000 (14:56 +0200)] 
detect/stream_size: code cleanups

7 years ago  detect/stream_size: apply rule to packets & stream
Victor Julien [Wed, 23 May 2018 11:55:30 +0000 (13:55 +0200)] 
detect/stream_size: apply rule to packets & stream

The use of stream_size in combination with raw content matches is an
indication that the rule needs to be evaluated per packet, not just
per reassembled stream chunk.

7 years ago  kerberos: minor doc updates, add author 3398/head
Victor Julien [Mon, 18 Jun 2018 08:53:14 +0000 (10:53 +0200)] 
kerberos: minor doc updates, add author

7 years ago  dhcp: add author
Victor Julien [Mon, 18 Jun 2018 08:52:59 +0000 (10:52 +0200)] 
dhcp: add author

7 years ago  dhcp: update user guide 3395/head
Jason Ish [Fri, 8 Jun 2018 19:18:03 +0000 (13:18 -0600)] 
dhcp: update user guide

7 years ago  dhcp: add dhcp app-layer rules file
Jason Ish [Thu, 31 May 2018 23:05:52 +0000 (17:05 -0600)] 
dhcp: add dhcp app-layer rules file

7 years ago  rust/dhcp: Rust based DHCP decoder and logger.
Jason Ish [Tue, 8 May 2018 23:49:52 +0000 (17:49 -0600)] 
rust/dhcp: Rust based DHCP decoder and logger.

This is a DHCP decoder and logger written in Rust. Unlike most
parsers, this one is stateless so responses are not matched
up to requests by Suricata. However, the output does contain
enough fields to match them up in post-processing.

Rules are included to alert on malformed or truncated options.
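
A stateless DHCP decoder of the kind the two dhcp commits above describe (the decoder itself, and the rules file that alerts on its events), as an added example written for this page and not Suricata's rust/dhcp code. It reads the fixed BOOTP header and the option list without ever indexing past the input, surfaces truncated or malformed options as events a rule could alert on, and returns the xid and client MAC that let a request and its reply be paired in post-processing. The event names, the struct layout and the sample messages are constructed for the example.

```rust
/// Events the decoder can raise; a rules file would alert on each of
/// these. Names are chosen for this example.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DhcpEvent {
    TruncatedHeader,  // fewer than 236 header bytes plus the 4 magic bytes
    BadMagic,         // options area does not start with 0x63825363
    TruncatedOptions, // an option's length byte or value runs past the end
    MalformedOptions, // a fixed-size option (here: 53) has the wrong length
}

#[derive(Debug, Default)]
pub struct DhcpMessage {
    pub op: u8,                      // 1 = BOOTREQUEST, 2 = BOOTREPLY
    pub xid: u32,                    // transaction id shared by request and reply
    pub client_mac: [u8; 6],         // chaddr; with xid, enough to pair messages
    pub msg_type: Option<u8>,        // option 53: 1 = DISCOVER, 2 = OFFER, ...
    pub options: Vec<(u8, Vec<u8>)>, // every option seen, in order
    pub events: Vec<DhcpEvent>,
}

pub const DHCP_HEADER_LEN: usize = 236;
pub const DHCP_MAGIC: [u8; 4] = [0x63, 0x82, 0x53, 0x63];

/// Decode one DHCP message. Each short read becomes an event, not a panic.
pub fn parse_dhcp(input: &[u8]) -> DhcpMessage {
    let mut msg = DhcpMessage::default();
    if input.len() < DHCP_HEADER_LEN + DHCP_MAGIC.len() {
        msg.events.push(DhcpEvent::TruncatedHeader);
        return msg;
    }
    msg.op = input[0];
    msg.xid = u32::from_be_bytes([input[4], input[5], input[6], input[7]]);
    msg.client_mac.copy_from_slice(&input[28..34]);
    if input[DHCP_HEADER_LEN..DHCP_HEADER_LEN + 4] != DHCP_MAGIC[..] {
        msg.events.push(DhcpEvent::BadMagic);
        return msg;
    }
    let mut rest = &input[DHCP_HEADER_LEN + 4..];
    while let Some(&code) = rest.first() {
        match code {
            0 => rest = &rest[1..], // PAD: one byte, no length field
            255 => break,           // END
            _ => {
                let len = match rest.get(1) {
                    Some(&l) => l as usize,
                    None => {
                        msg.events.push(DhcpEvent::TruncatedOptions);
                        break;
                    }
                };
                let value = match rest.get(2..2 + len) {
                    Some(v) => v,
                    None => {
                        msg.events.push(DhcpEvent::TruncatedOptions);
                        break;
                    }
                };
                if code == 53 {
                    if len == 1 {
                        msg.msg_type = Some(value[0]);
                    } else {
                        msg.events.push(DhcpEvent::MalformedOptions);
                    }
                }
                msg.options.push((code, value.to_vec()));
                rest = &rest[2 + len..];
            }
        }
    }
    msg
}

/// Build a request for the example (constructed, not a real capture).
pub fn build_sample(options: &[u8]) -> Vec<u8> {
    let mut pkt = vec![0u8; DHCP_HEADER_LEN];
    pkt[0] = 1; // BOOTREQUEST
    pkt[1] = 1; // htype: Ethernet
    pkt[2] = 6; // hlen
    pkt[4..8].copy_from_slice(&0xdead_beefu32.to_be_bytes());
    pkt[28..34].copy_from_slice(&[0x00, 0x11, 0x22, 0x33, 0x44, 0x55]);
    pkt.extend_from_slice(&DHCP_MAGIC);
    pkt.extend_from_slice(options);
    pkt
}

fn main() {
    // DISCOVER with a client-identifier, the same message cut inside option 61,
    // and a datagram too short to hold the header.
    let good = build_sample(&[53, 1, 1, 61, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 255]);
    let truncated = build_sample(&[53, 1, 1, 61, 7, 1, 0x00, 0x11]);
    for pkt in [&good[..], &truncated[..], &good[..100]].iter() {
        let m = parse_dhcp(pkt);
        println!("xid={:#x} type={:?} options={} events={:?}",
                 m.xid, m.msg_type, m.options.len(), m.events);
    }
}
```

The parser keeps whatever it decoded before the first problem, so a truncated message still yields its xid and message type for the log while the event carries the anomaly to the detection engine.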

7 years ago  rust: a Rust ConfNode wrapper.
Jason Ish [Wed, 13 Jun 2018 22:03:33 +0000 (16:03 -0600)] 
rust: a Rust ConfNode wrapper.

A Rust wrapper around the C ConfNode object. Currently only exposes
ConfGetChildValueBool and ConfGetChildValue.

7 years ago  eve: check if enabled before attempting to setup
Jason Ish [Wed, 13 Jun 2018 22:36:49 +0000 (16:36 -0600)] 
eve: check if enabled before attempting to setup

Before setting up a sub eve-logger, check that it is enabled. This
allows us to set "enabled: no" for loggers that are not registered
with the system without generating an error. An example of this
is loggers that are only available with Rust.

7 years ago  rust/app-layer: macros to export de_state functions
Jason Ish [Thu, 31 May 2018 22:39:22 +0000 (16:39 -0600)] 
rust/app-layer: macros to export de_state functions

These macros generate the extern "C" functions for transaction
structs that need to provide functions for setting and getting
the de_state. The idea is to provide macros to avoid code
duplication and make it simpler to create an app-layer.

A trait would be the correct solution, but it doesn't look like
you can use traits to export extern "C" functions.

7 years ago  rust: add get_tx_iterator to parser registration
Jason Ish [Thu, 31 May 2018 22:38:53 +0000 (16:38 -0600)] 
rust: add get_tx_iterator to parser registration

7 years ago  app-layer-register: add GetTxIterator
Jason Ish [Thu, 31 May 2018 22:34:23 +0000 (16:34 -0600)] 
app-layer-register: add GetTxIterator

Add a field to set the GetTxIterator function to the AppLayerParser
registration struct.

7 years ago  app-layer-detect-proto: remove unnecessary gotos
Jason Ish [Mon, 28 May 2018 22:00:18 +0000 (16:00 -0600)] 
app-layer-detect-proto: remove unnecessary gotos

7 years ago  Kerberos 5: properly handle TCP buffering 3391/head
Pierre Chifflier [Thu, 24 May 2018 07:27:25 +0000 (09:27 +0200)] 
Kerberos 5: properly handle TCP buffering

7 years ago  Document Kerberos 5 parsing events
Pierre Chifflier [Tue, 15 May 2018 14:54:31 +0000 (16:54 +0200)] 
Document Kerberos 5 parsing events

7 years ago  Add krb5_err_code detection keyword
Pierre Chifflier [Mon, 7 May 2018 06:16:53 +0000 (08:16 +0200)] 
Add krb5_err_code detection keyword

7 years ago  Add krb5_cname and krb5_sname detection keywords
Pierre Chifflier [Sat, 5 May 2018 14:10:51 +0000 (16:10 +0200)] 
Add krb5_cname and krb5_sname detection keywords

7 years ago  Add krb5_msg_type detection keyword
Pierre Chifflier [Sat, 5 May 2018 14:06:54 +0000 (16:06 +0200)] 
Add krb5_msg_type detection keyword

7 years ago  Kerberos 5: rename weak crypto to weak encryption, and log it
Pierre Chifflier [Thu, 19 Apr 2018 21:15:42 +0000 (23:15 +0200)] 
Kerberos 5: rename weak crypto to weak encryption, and log it