Victor Julien [Thu, 25 Feb 2021 20:36:27 +0000 (21:36 +0100)]
detect/file.data: fix mixing transforms (http)
Fix handling of file progress tracking for regular file.data along
with transform combinations for the part of the implementation that
uses the HTTP inspection logic.
Fix handling of file progress tracking for regular file.data along
with transform combinations for the part of the implementation that
uses the File API.
Victor Julien [Thu, 25 Feb 2021 19:06:40 +0000 (20:06 +0100)]
detect: track base id for xform buffers
Buffers with transforms are based on the non-transformed "base"
buffer, with a new ID assigned and the transform callbacks added.
This patch stores the id of the original buffer in the new buffer
inspect and prefilter structures. This way the buffers with and
without transforms can share some of the logic are progression
of file and body inspection trackers.
Shivani Bhardwaj [Sat, 13 Feb 2021 12:27:42 +0000 (17:57 +0530)]
dcerpc/udp: improve detection
Lately, Wireguard proto starting w pattern |04 00| is misdetected as
DCERPC/UDP which also starts with the same pattern, add more checks
to make sure that it is the best guess for packet to be dcerpc/udp.
Shivani Bhardwaj [Sat, 20 Feb 2021 06:30:17 +0000 (12:00 +0530)]
dcerpc/udp: remove transmute
The book defines transmute as "This is really, truly, the most horribly unsafe
thing you can do in Rust. The guardrails here are dental floss."
Transmute can result into mind boggling undefined behaviors. Get rid of
it wherever possible.
Ilya Bakhtin [Mon, 15 Feb 2021 17:36:46 +0000 (18:36 +0100)]
protodetect: improve midstream handling
Set "done flag" only if parsers for both directions are not found in a
case of midstream parsers from other direction are tried if nothing is found
for the initial one. "done flag" must be set if nothing is found in both
directions. Otherwise processing of incomplete data is terminated at the very
first try.
Victor Julien [Sat, 13 Feb 2021 16:10:15 +0000 (17:10 +0100)]
host: improve compare logic
The old compare macro would compare all bytes of an address, even
when for IPv4 addresses the additional bytes were not in use. This
made the logic vulnerable to mistakes like in issue #4280.
Eric Leblond [Sun, 24 Jan 2021 21:40:02 +0000 (22:40 +0100)]
suricata: avoid at exit crash in nfq mode
When Suricata was build with ebpf support and when it was started
in NFQ mode, it was crashing at exit because it was trying to free
the device extension.
This patch fixes the issue by only trigger the eBPF related code
when Suricata is running in AFP_PACKET mode.
Victor Julien [Mon, 1 Feb 2021 21:23:47 +0000 (22:23 +0100)]
app-layer: fix transaction cleanup
Fix a 'skipped' transaction early in the list leading to all further
transactions getting skipped, even if they were fully processed and
ready to be cleaned up.
Victor Julien [Thu, 4 Feb 2021 13:48:11 +0000 (14:48 +0100)]
detect: fix heap overflow issue with buffer setup
In some cases, the InspectionBufferGet function would be followed by
a failure to set the buffer up, for example due to a HTTP body limit
not yet being reached. Yet each call to InspectionBufferGet would lead
to the matching list_id to be added to the
DetectEngineThreadCtx::inspect.to_clear_queue. This array is sized to
add each list only once, but in this case the same id could be added
multiple times, potentially overflowing the array.
Jason Ish [Fri, 18 Dec 2020 17:34:30 +0000 (11:34 -0600)]
filestore: fix global counter init in unix socket mode
Move initialization of filestore global counter to PreRunInit,
so they get registered during program initialization, or as
required in unix-socket mode, initialized for each file run.
Jeff Lucovsky [Tue, 12 Jan 2021 15:14:54 +0000 (10:14 -0500)]
lua: Use SC prefix for Lua functions
This commit adds additional Lua API interfaces to bring consistency to
functions such that the `SC` prefix is available consistently across
flow int and flow var functions.
Jason Ish [Wed, 30 Dec 2020 19:32:53 +0000 (13:32 -0600)]
mime: postpone md5 calculation to parse complete
Instead of calculating the MD5 at the end of every part, only
compute it when parsing is complete.
With libnss, the hash never updates after the first HASH_End, so
the md5 of only the first part of the body is logged, rather than
the md5 of all the parts.
Jason Ish [Thu, 10 Dec 2020 15:48:06 +0000 (09:48 -0600)]
github-ci: use a unique id for the commit check cargo cache
All builds have been using the same cache id for ~/.cargo which
could lead us to conflict situations which is what I think we are
seeing with the commit-check job.
Base64Encode function requires the maximum length of the output string
as its last parameter. Use the macro BASE64_BUFFER_SIZE to calculate it
correctly.
The size of encoded_data array and the maximum output length parameter
to Base64Encode function were incorrect leading to buffer overflow for
certain cases. The algorithm requires at least 5 bytes of space to even
convert a string of length 1.
Use BASE64_BUFFER_SIZE macro to correctly calculate this output length.
Set size of encoded_data array to the calculated output length.
Maximum length of a base64 encoded string can be 33% over the actual
length of the input string. The formula to best cover all the edge cases
is mathematically
(4 * (input_length + 2) / 3) + 1
Add a macro to calculate this for a given input length.
Philippe Antoine [Sat, 31 Oct 2020 16:12:19 +0000 (17:12 +0100)]
ssl: improves keyword ssl_version parsing
Removes the use of PCRE for performance
Forbids empty negations after a valid pattern
Forbids mixing negative and positive forms as it is irrelevant
Forbids useless repetition of a version
Philippe Antoine [Wed, 14 Oct 2020 19:25:40 +0000 (21:25 +0200)]
detect: null sanity checks for pkthdr
Even when the rules are only applied on traffic with the protocol
the structure for the protocol header can be set to NULL if there
was an error parsing the header
Jason Ish [Mon, 30 Nov 2020 21:11:57 +0000 (15:11 -0600)]
rust: handle windows naming change from .lib to .a
Prior to Rust 1.44, Cargo would name static libs with the .lib
extension. 1.44 changes this extension to .a when running under
a GNU environment on Windows like msys to make it more similar
to other unix environments.
Now assume static library name to be the same on Windows and
unix, but rename the .lib if found to still support older
versions of Rust on Windows.
Victor Julien [Mon, 30 Nov 2020 06:44:54 +0000 (07:44 +0100)]
detect: fix inspection order with stateful rules
When stateful detection rules, for which detection has already started
for a previous packet, are added to the candidates array, the array
is sorted to mantain the correct inspection order. However, due to a
trivial error in the sort helper the array was sorted in descending
instead of ascending order.
projects / thirdparty / suricata.git / log
