Eric Leblond [Fri, 28 May 2021 09:38:18 +0000 (11:38 +0200)]
stream/tcp: avoid evasion linked to ACK handling
Actual code will completely discard TCP analysis of a packet that
don't have the ACK bit set but have a ACK value set. This will be
for example the case of all SYN packets that have a ACK value.
Problem is that these type of packets are legit for the operating
systems and for the RFC. The consequence is that an attacker
sending a SYN packet with a non null ACK value will open succesfully
a TCP session to its target and this session will have no protocol
discovery, no TCP streaming and no application layer analysis.
Result is a quasi full evasion of the TCP stream that will only
appear in the flow log if this log is enable or alert on tcp-pkt
signature that are uncommon.
The patch is updating the code to only discard packets that do not
have the SYN flag set. This prevents the evasion and complies with the
RFC that states that the ACK bit should always be set once the
TCP session is established.
Victor Julien [Thu, 25 Feb 2021 19:06:40 +0000 (20:06 +0100)]
detect: track base id for xform buffers
Buffers with transforms are based on the non-transformed "base"
buffer, with a new ID assigned and the transform callbacks added.
This patch stores the id of the original buffer in the new buffer
inspect and prefilter structures. This way the buffers with and
without transforms can share some of the logic are progression
of file and body inspection trackers.
Fix handling of file progress tracking for regular file.data along
with transform combinations for the part of the implementation that
uses the File API.
Victor Julien [Thu, 13 May 2021 06:06:11 +0000 (08:06 +0200)]
detect: set event if max inspect buffers exceeded
If a parser exceeds 1024 buffers we stop processing them and
set a detect event instead. This is to avoid parser bugs as well as
crafted bad traffic leading to resources starvation due to excessive
loops.
Jason Ish [Thu, 25 Feb 2021 17:16:28 +0000 (11:16 -0600)]
unix-socket: reset to ready state on startup
As part of commit ea15282f47c6ff781533e3a063f9c903dd6f1afb,
some initialization was moved to happen even in unix socket mode,
however, this initialization does setup some loggers that can only have
one instance enabled (anomaly, drop, file-store).
This will cause these loggers to error out on the first pcap, but work
on subsequent runs of the pcap as some deinitialization is done after
each pcap.
This fix just runs the post pcap-file deinitialization routine to
reset some of the initialization done on startup, like is done after
running each pcap in unix socket mode.
Luke Coughlan [Mon, 26 Apr 2021 12:05:15 +0000 (13:05 +0100)]
flow/bypass: Properly set the ICMP emergency-bypassed value
Currently the ICMP emergency-bypassed value defined in suricata.conf is
overwriting the UDP value rather than correctly setting it for ICMP.
This commit corrects this bug so that the ICMP value can be set as
expected.
Victor Julien [Mon, 1 Feb 2021 21:23:47 +0000 (22:23 +0100)]
app-layer: fix transaction cleanup
Fix a 'skipped' transaction early in the list leading to all further
transactions getting skipped, even if they were fully processed and
ready to be cleaned up.
Jason Ish [Fri, 18 Dec 2020 17:34:30 +0000 (11:34 -0600)]
filestore: fix global counter init in unix socket mode
Move initialization of filestore global counter to PreRunInit,
so they get registered during program initialization, or as
required in unix-socket mode, initialized for each file run.
Ilya Bakhtin [Mon, 15 Feb 2021 17:36:46 +0000 (18:36 +0100)]
protodetect: improve midstream handling
Set "done flag" only if parsers for both directions are not found in a
case of midstream parsers from other direction are tried if nothing is found
for the initial one. "done flag" must be set if nothing is found in both
directions. Otherwise processing of incomplete data is terminated at the very
first try.
Victor Julien [Sat, 13 Feb 2021 16:10:15 +0000 (17:10 +0100)]
host: improve compare logic
The old compare macro would compare all bytes of an address, even
when for IPv4 addresses the additional bytes were not in use. This
made the logic vulnerable to mistakes like in issue #4280.
Eric Leblond [Sun, 24 Jan 2021 21:40:02 +0000 (22:40 +0100)]
suricata: avoid at exit crash in nfq mode
When Suricata was build with ebpf support and when it was started
in NFQ mode, it was crashing at exit because it was trying to free
the device extension.
This patch fixes the issue by only trigger the eBPF related code
when Suricata is running in AFP_PACKET mode.
Jeff Lucovsky [Sat, 16 Jan 2021 14:34:20 +0000 (09:34 -0500)]
rust/json: Rework scope for short-lived vars
This commit corrects scope issues identified during CI with
FC32/strict-rust:
"this `CString` is deallocated at the end of the statement, bind it to a variable to extend its lifetime
"
Jason Ish [Wed, 30 Dec 2020 19:32:53 +0000 (13:32 -0600)]
mime: postpone md5 calculation to parse complete
Instead of calculating the MD5 at the end of every part, only
compute it when parsing is complete.
With libnss, the hash never updates after the first HASH_End, so
the md5 of only the first part of the body is logged, rather than
the md5 of all the parts.
Jason Ish [Thu, 10 Dec 2020 15:48:06 +0000 (09:48 -0600)]
github-ci: use a unique id for the commit check cargo cache
All builds have been using the same cache id for ~/.cargo which
could lead us to conflict situations which is what I think we are
seeing with the commit-check job.
Uses "cargo doc --no-deps" to build the documentation just for
our Suricata package. Without --no-deps, documentation will be
build for all our dependencies as well.
The generated documentation will end up in target/doc as HTML.
Jason Ish [Fri, 10 Jul 2020 19:19:35 +0000 (13:19 -0600)]
script/dnp3-gen: update generator to reflect in tree changes
Some changes were made to the generated files instead of the
generator script. Update the script to generate what is
in the current state of the in-tree generated files.
Philippe Antoine [Wed, 14 Oct 2020 19:25:40 +0000 (21:25 +0200)]
detect: null sanity checks for pkthdr
Even when the rules are only applied on traffic with the protocol
the structure for the protocol header can be set to NULL if there
was an error parsing the header
Victor Julien [Mon, 30 Nov 2020 06:44:54 +0000 (07:44 +0100)]
detect: fix inspection order with stateful rules
When stateful detection rules, for which detection has already started
for a previous packet, are added to the candidates array, the array
is sorted to mantain the correct inspection order. However, due to a
trivial error in the sort helper the array was sorted in descending
instead of ascending order.
Philippe Antoine [Thu, 19 Nov 2020 14:50:54 +0000 (15:50 +0100)]
rust: fix warnings found by nightly compiler
warning: getting the inner pointer of a temporary `CString`
this `CString` is deallocated at the end of the statement,
bind it to a variable to extend its lifetime
Jason Ish [Mon, 23 Nov 2020 18:11:42 +0000 (12:11 -0600)]
dnp3: set byte order when logging dnp3 src and dst
DNP3 uses little endian on the wire, for the most part this
is handled as the messages are deserialize. However, the link
header is a cast over raw data, so swap these bytes as they
are being logged.
Angelo Mirabella [Wed, 11 Mar 2020 15:11:19 +0000 (15:11 +0000)]
unix-socket: fix alert metadata logging
This changeset fixes a bug that was preventing suricata to dump
alert metadata info when running in unix-socket mode.
When running in unix-socket mode, suricata was skipping the
initialization of the output modules and, as a consequence,
the metadata output module was never invoked.
Jason Ish [Mon, 30 Nov 2020 21:11:57 +0000 (15:11 -0600)]
rust: handle windows naming change from .lib to .a
Prior to Rust 1.44, Cargo would name static libs with the .lib
extension. 1.44 changes this extension to .a when running under
a GNU environment on Windows like msys to make it more similar
to other unix environments.
Now assume static library name to be the same on Windows and
unix, but rename the .lib if found to still support older
versions of Rust on Windows.
projects / thirdparty / suricata.git / log
