protocol-change: sets event in case of failure #7296

catenacyber · 2022-04-25T06:42:10Z

Link to redmine ticket:
None

Describe changes:

Sets an event if protocol change fails (ie if there is already protocol change going on)

Another way to do this would be to set a packet's app-layer event, but AppLayerRequestProtocolChange does not have access to the current Packet and its caller FTPParseResponse does not have it neither...
So, this PR implements different events for the different app-layer protocols.
FTP and PGSQL do not have events yet, and are not part of this...

Protocol change can fail if one protocol change is already occuring.

codecov · 2022-04-25T06:59:31Z

Codecov Report

Merging #7296 (8ec51d8) into master (ddf9c9d) will decrease coverage by 0.04%.
The diff coverage is 58.33%.

@@            Coverage Diff             @@
##           master    #7296      +/-   ##
==========================================
- Coverage   75.82%   75.77%   -0.05%     
==========================================
  Files         656      656              
  Lines      190051   190057       +6     
==========================================
- Hits       144102   144020      -82     
- Misses      45949    46037      +88

Flag	Coverage Δ
fuzzcorpus	`60.30% <58.33%> (-0.12%)`	⬇️
suricata-verify	`51.50% <63.63%> (-0.03%)`	⬇️
unittests	`61.01% <45.45%> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

catenacyber · 2022-04-27T12:45:22Z

Victor, you requested this event, so assigning this draft to you ;-)

suricata-qa · 2022-05-03T06:35:04Z

Information:

ERROR: QA failed on tlpw1_files_sha256.

field	test	baseline	%
	tlpr1_stats_chk
.flow.memuse	530312768	498197568	106.45%

Pipeline 7251

victorjulien · 2022-05-03T07:42:48Z

rules/http-events.rules

@@ -87,4 +87,6 @@ alert http any any -> any any (msg:"SURICATA HTTP invalid Range header value"; f

 alert http any any -> any any (msg:"SURICATA HTTP file name too long"; flow:established; app-layer-event:http.file_name_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221052; rev:1;)

-# next sid 2221053
+alert http any any -> any any (msg:"SURICATA HTTP failed protocol change"; flow:established; app-layer-event:http.failed_protocol_change; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221053; rev:1;)


is there any case where this isn't about a HTTPS upgrade?

HTTP1->HTTP2

victorjulien · 2022-05-03T07:43:04Z

rules/smtp-events.rules

@@ -30,4 +30,5 @@ alert smtp any any -> any any (msg:"SURICATA SMTP Mime boundary length exceeded"
 alert smtp any any -> any any (msg:"SURICATA SMTP duplicate fields"; flow:established,to_server; app-layer-event:smtp.duplicate_fields; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220018; rev:1;)
 alert smtp any any -> any any (msg:"SURICATA SMTP unparsable content"; flow:established,to_server; app-layer-event:smtp.unparsable_content; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220019; rev:1;)
 alert smtp any any -> any any (msg:"SURICATA SMTP filename truncated"; flow:established,to_server; app-layer-event:smtp.mime_long_filename; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220020; rev:1;)
-# next sid 2220021
+alert smtp any any -> any any (msg:"SURICATA SMTP failed protocol change"; flow:established; app-layer-event:smtp.failed_protocol_change; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220021; rev:1;)


this is always about STARTTLS, right?

victorjulien · 2022-05-03T07:44:18Z

Are there pcaps to test this scenario? If not can you craft them?

catenacyber · 2022-08-22T15:57:01Z

Replaced by #7745 with S-V test linked ;-)

So as to avoid undefined behavior with a 0-sized variable length array Ticket: OISF#7296

protocol-change: sets event in case of failure

8ec51d8

Protocol change can fail if one protocol change is already occuring.

suricata-qa added the needs ticket Needs (link to) redmine ticket label Apr 25, 2022

catenacyber assigned victorjulien Apr 27, 2022

victorjulien reviewed May 3, 2022

View reviewed changes

catenacyber closed this Aug 22, 2022

catenacyber added a commit to catenacyber/suricata that referenced this pull request Oct 3, 2024

transform/base64: check for 0-sized buffer

d1d82ff

So as to avoid undefined behavior with a 0-sized variable length array Ticket: OISF#7296

catenacyber added a commit to catenacyber/suricata that referenced this pull request Oct 3, 2024

transform/base64: check for 0-sized buffer

85d566c

So as to avoid undefined behavior with a 0-sized variable length array Ticket: OISF#7296

victorjulien pushed a commit to victorjulien/suricata that referenced this pull request Oct 8, 2024

transform/base64: check for 0-sized buffer

40e9742

So as to avoid undefined behavior with a 0-sized variable length array Ticket: OISF#7296

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

protocol-change: sets event in case of failure #7296

protocol-change: sets event in case of failure #7296

catenacyber commented Apr 25, 2022

codecov bot commented Apr 25, 2022

catenacyber commented Apr 27, 2022

suricata-qa commented May 3, 2022

victorjulien May 3, 2022

catenacyber May 4, 2022

victorjulien May 3, 2022

catenacyber May 4, 2022

victorjulien commented May 3, 2022

catenacyber commented Aug 22, 2022

protocol-change: sets event in case of failure #7296

protocol-change: sets event in case of failure #7296

Conversation

catenacyber commented Apr 25, 2022

codecov bot commented Apr 25, 2022

Codecov Report

catenacyber commented Apr 27, 2022

suricata-qa commented May 3, 2022

victorjulien May 3, 2022

Choose a reason for hiding this comment

catenacyber May 4, 2022

Choose a reason for hiding this comment

victorjulien May 3, 2022

Choose a reason for hiding this comment

catenacyber May 4, 2022

Choose a reason for hiding this comment

victorjulien commented May 3, 2022

catenacyber commented Aug 22, 2022