Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protodetect enip dns 4388 v7 #6185

Closed
wants to merge 3 commits into from
Closed

Protodetect enip dns 4388 v7 #6185

wants to merge 3 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4388

Describe changes:

  • Improves probing parsers for nfs, enip and dns

so as to avoid protocol detection confusion with TCP splitting

Modifies #6182 with

  • more precision for dns : the sum of the number of records cannot exceed the message length
  • more precision for enip for LIST_INTERFACES
    (found by fuzzing the fixing branch)

@catenacyber catenacyber mentioned this pull request Jun 7, 2021
Closed
@catenacyber
enip: improve probing parser
c393401 
Strict length for register sessions
NOP command must have options=0
@catenacyber
dns: improve probing parser
344a6c3 
Checks opcode is valid
Checks additional_rr do not exceed message length
Better logic for incomplete cases
@catenacyber
nfs: improve probing parser
f355941 
Checks credentials flavor is known
@catenacyber catenacyber force-pushed the protodetect-enip-dns-4388-v7 branch from 27e2809 to f355941 Compare June 7, 2021 18:40
jasonish
jasonish reviewed Jun 7, 2021
View reviewed changes
rust/src/dns/dns.rs
Comment on lines +668 to +676
if header.additional_rr as usize
+ header.answer_rr as usize
+ header.authority_rr as usize
+ header.questions as usize
> rlen
{
//not enough data for additional records
return (false, false, false);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As these are counts not sizes, its not accurate, but also won't false positive. Should the size of the header be calculated in as well? If sizeof(header) + addtional_rr +answer_rr > rlen... Might be a bit more accurate. I think we could also assume a minumum of 2 bytes per expected record being the CLASS is a u16.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, these are counts, not sizes.
And I do not count the header size.
But as each of these has at least one byte, we can do this test to exclude some cases

So, should I include the header size in this sum ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think so. Just to confirm, rlen is the size of the record. In TCP this would be the first 2 bytes, in UDP its the payload size.

So a test to make sure its greater than or equal to:

sizeof(header) + (additional_rr * 2) + (answer_rr * 2) + (authority_rr * 2) + (questions * 2)

should be safe and accurate, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think so. Just to confirm, rlen is the size of the record. In TCP this would be the first 2 bytes, in UDP its the payload size.

Exactly, you can check the callers do it right

So a test to make sure its greater than or equal to:

sizeof(header) + (additional_rr * 2) + (answer_rr * 2) + (authority_rr * 2) + (questions * 2)

should be safe and accurate, right?

Ok, will do this

@catenacyber
Copy link
Contributor Author

Replaced by #6195

catenacyber added a commit to catenacyber/suricata that referenced this pull request Jun 29, 2023
@catenacyber
mime: compute full body md5
abb2afc 
Previously, the problem was that nested headers/boundaries were not
used to compute the hash

Solution is to move up the call to the hash computation from
ProcessMimeBody to its caller ProcessMimeEntity, and add a set of
conditions to ensure that we are not in the principal headers.

Ticket: OISF#6185
victorjulien pushed a commit to victorjulien/suricata that referenced this pull request Jun 29, 2023
@catenacyber @victorjulien
mime: compute full body md5
42a9377 
Previously, the problem was that nested headers/boundaries were not
used to compute the hash

Solution is to move up the call to the hash computation from
ProcessMimeBody to its caller ProcessMimeEntity, and add a set of
conditions to ensure that we are not in the principal headers.

Ticket: OISF#6185
victorjulien pushed a commit to victorjulien/suricata that referenced this pull request Jun 29, 2023
@catenacyber @victorjulien
mime: compute full body md5
fc009b9 
Previously, the problem was that nested headers/boundaries were not
used to compute the hash

Solution is to move up the call to the hash computation from
ProcessMimeBody to its caller ProcessMimeEntity, and add a set of
conditions to ensure that we are not in the principal headers.

Ticket: OISF#6185
victorjulien pushed a commit to victorjulien/suricata that referenced this pull request Jun 29, 2023
@catenacyber @victorjulien
mime: compute full body md5
a7cfa82 
Previously, the problem was that nested headers/boundaries were not
used to compute the hash

Solution is to move up the call to the hash computation from
ProcessMimeBody to its caller ProcessMimeEntity, and add a set of
conditions to ensure that we are not in the principal headers.

Ticket: OISF#6185
victorjulien pushed a commit to victorjulien/suricata that referenced this pull request Jun 30, 2023
@catenacyber @victorjulien
mime: compute full body md5
3c1f1bd 
Previously, the problem was that nested headers/boundaries were not
used to compute the hash

Solution is to move up the call to the hash computation from
ProcessMimeBody to its caller ProcessMimeEntity, and add a set of
conditions to ensure that we are not in the principal headers.

Ticket: OISF#6185
victorjulien pushed a commit to victorjulien/suricata that referenced this pull request Jun 30, 2023
@catenacyber @victorjulien
mime: compute full body md5
a3168fd 
Previously, the problem was that nested headers/boundaries were not
used to compute the hash

Solution is to move up the call to the hash computation from
ProcessMimeBody to its caller ProcessMimeEntity, and add a set of
conditions to ensure that we are not in the principal headers.

Ticket: OISF#6185
victorjulien pushed a commit to victorjulien/suricata that referenced this pull request Jun 30, 2023
@catenacyber @victorjulien
mime: compute full body md5
86ed6cd 
Previously, the problem was that nested headers/boundaries were not
used to compute the hash

Solution is to move up the call to the hash computation from
ProcessMimeBody to its caller ProcessMimeEntity, and add a set of
conditions to ensure that we are not in the principal headers.

Ticket: OISF#6185
(cherry picked from commit a3168fd)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish jasonish left review comments

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@catenacyber @jasonish @victorjulien