[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-3.2.1-343-gf6e3755

OISF Git noreply at openinfosecfoundation.org
Mon May 8 12:32:51 UTC 2017

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".

The branch, master has been updated
       via  f6e3755b5c43c81e65a5b79e924ec28872be494e (commit)
       via  9c071d1724797466853da1d8f27481e9dd42a2c4 (commit)
       via  88177694fdf74cd577710f90ac687be8289b1230 (commit)
       via  d9908216d8d5a9c8795dc27225d2e1749f36fecc (commit)
       via  6f42ae91c7f3a92788801e024362d061a90ecaeb (commit)
       via  72c757433aab3bab836eb41bc8dc5a2cb3d04116 (commit)
       via  11b9e6fdab8a273d262d4cf68f5b85528feb20d9 (commit)
       via  8125f78f5f40a5969c681a55f84bf1ee09a9ea65 (commit)
       via  74aa65073b01d72e027e6abe696b3298c3f7ac2b (commit)
       via  e8800b1893b440b2fe56736f45e0d5222ea4f60b (commit)
       via  b6c2b7052b189a9076ab4d119201a6cff39b5091 (commit)
       via  893f868b4282e8eaeda35d81b8e0f40ec2f374e5 (commit)
       via  b8d13f354b0b17fbd6fff5db5b1b81d3e10c4dea (commit)
       via  9b1f74409bcb88e3801aa26bb1520bb728d49d0c (commit)
      from  3ff5dc3653fef0d0aac0b312c53e47766819dc55 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f6e3755b5c43c81e65a5b79e924ec28872be494e
Author: Victor Julien <victor at inliniac.net>
Date:   Fri May 5 11:22:44 2017 +0200

    lua: extend SCFlowAppLayerProto

    Change SCFlowAppLayerProto to return 5 values:
    <alproto> <alproto_ts> <alproto_tc> <alproto_orig> <alproto_expect>:
    alproto: detected protocol
    alproto_ts: detected protocol in toserver direction
    alproto_tc: detected protocol in toclient direction
    alproto_orig: pre-change/upgrade protocol
    alproto_expected: expected protocol in change/upgrade
    Orig and expect are used when changing and upgrading protocols. In an
    SMTP STARTTLS case, orig would normally be set to "smtp" and expect
    to "tls".

commit 9c071d1724797466853da1d8f27481e9dd42a2c4
Author: Victor Julien <victor at inliniac.net>
Date:   Fri May 5 10:54:06 2017 +0200

    eve.flow: log original and expected app_protocols

    Log protocols if they are available.

commit 88177694fdf74cd577710f90ac687be8289b1230
Author: Victor Julien <victor at inliniac.net>
Date:   Mon May 8 13:26:13 2017 +0200

    nfq: don't try to verdict detect/log flush pkts

commit d9908216d8d5a9c8795dc27225d2e1749f36fecc
Author: Victor Julien <victor at inliniac.net>
Date:   Fri Feb 17 11:44:27 2017 +0100

    connect/starttls: handle detection corner cases

    When switching protocol from http to tls the following corner case
    was observed:
     pkt 6, TC "200 connection established"
     pkt 7, TS acks pkt 6 + adds "client hello"
     pkt 8 TC, acks pkt 7
     pkt 8 is where normally the detect on the 200 connection established
           would run however before detection runs the app-layer is called
           and it resets the state
    So the issue is missed detection on the last data in the original
    protocol before the switch.
    Another case was:
    TS ->    STARTTLS
    TC ->    Ack "STARTTLS data"
    TS ->    Ack "220 data"
             Client Hello
    In IDS mode, this made a rule that wanted to look at content:"STARTTLS"
    in combination with the protocol SMTP 'alert smtp ... content:"STARTTLS";'
    impossible. By the time the content would match, the protocol was already
    This patch fixes this case by creating a 'Detect/Log Flush' packet in
    both directions. This will force final inspection and logging of the
    pre-upgrade protocol (SMTP in this example) before doing the final

commit 6f42ae91c7f3a92788801e024362d061a90ecaeb
Author: Victor Julien <victor at inliniac.net>
Date:   Fri Feb 17 11:41:02 2017 +0100

    app-layer: protocol change API

    Add API calls to upgrade to TLS or to request a protocol change
    without a specific protocol expectation.
    If the HTTP CONNECT session includes a port on the url, use that to
    look up the probing parser during protocol detection. Solves a
    missed detection of an SSLv2 session that upgrades to TLSv1. SSLv2
    relies on the probing parser which is limited to certain ports.
    In case of STARTTLS in SMTP and FTP, the port is hardcoded to 443.
    A new event APPLAYER_UNEXPECTED_PROTOCOL is set if there was a

commit 72c757433aab3bab836eb41bc8dc5a2cb3d04116
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date:   Wed Feb 15 07:06:15 2017 +0100

    app-layer: add decoder event for missing TLS after STARTTLS

commit 11b9e6fdab8a273d262d4cf68f5b85528feb20d9
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date:   Wed Feb 1 12:56:39 2017 +0100

    app-layer-ftp: add STARTTLS support

commit 8125f78f5f40a5969c681a55f84bf1ee09a9ea65
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date:   Wed Feb 1 10:24:52 2017 +0100

    app-layer-ftp: detect FTP alproto when using AUTH TLS

    Try to detect FTP using the patterns '220 (' and 'FEAT', since 'USER '
    and 'PASS ' are not sent in cleartext when using AUTH TLS.

commit 74aa65073b01d72e027e6abe696b3298c3f7ac2b
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date:   Tue Jan 31 15:02:21 2017 +0100

    output-json-tls: log 'from_proto' field

    Log the original application level protocol when the protocol has been
    changed because of STARTTLS, HTTP CONNECT or similar.

commit e8800b1893b440b2fe56736f45e0d5222ea4f60b
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date:   Tue Jan 31 14:58:20 2017 +0100

    app-layer-smtp: add STARTTLS support

commit b6c2b7052b189a9076ab4d119201a6cff39b5091
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date:   Tue Jan 31 14:45:25 2017 +0100

    app-layer-htp: add HTTP CONNECT support

commit 893f868b4282e8eaeda35d81b8e0f40ec2f374e5
Author: Victor Julien <victor at inliniac.net>
Date:   Fri Feb 17 11:43:02 2017 +0100

    proto-detect: add debug output

commit b8d13f354b0b17fbd6fff5db5b1b81d3e10c4dea
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date:   Tue Jan 31 14:34:30 2017 +0100

    app-layer: support changing flow alproto

    Support changing the application level protocol for a flow. This is
    needed by STARTTLS and HTTP CONNECT to switch from the original
    alproto to tls.
    This commit allows a flag to be set 'FLOW_CHANGE_PROTO', which
    triggers a new protocol detection on the next packet for a flow.

commit 9b1f74409bcb88e3801aa26bb1520bb728d49d0c
Author: Victor Julien <victor at inliniac.net>
Date:   Sat May 6 10:49:43 2017 +0200

    magic: fix compile warnings

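An added example, not part of this push or of the Suricata code base: it walks eve.json records of the kind the eve.flow and output-json-tls commits above produce, and sorts flows into completed upgrades, flows where the expected post-STARTTLS/CONNECT protocol never appeared (the APPLAYER_UNEXPECTED_PROTOCOL situation), and TLS sessions that carry a from_proto. The sample lines are constructed, and the flow field names app_proto_orig / app_proto_expected are assumptions about how the logged values are named.

```python
import json

# Constructed eve.json lines for illustration, not real capture output.
# The flow field names app_proto_orig / app_proto_expected are assumed
# from the "log original and expected app_protocols" commit; tls.from_proto
# is the field named in the output-json-tls commit.
SAMPLE_EVE = """\
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.25","dest_port":25,"app_proto":"tls","app_proto_orig":"smtp","app_proto_expected":"tls"}
{"event_type":"flow","src_ip":"10.0.0.6","dest_ip":"10.0.0.25","dest_port":25,"app_proto":"smtp"}
{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.80","dest_port":8080,"app_proto":"failed","app_proto_orig":"http","app_proto_expected":"tls"}
{"event_type":"flow","src_ip":"10.0.0.8","dest_ip":"10.0.0.21","dest_port":21,"app_proto":"tls","app_proto_orig":"ftp","app_proto_expected":"tls"}
{"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"10.0.0.25","dest_port":25,"tls":{"subject":"CN=mail.example.test","from_proto":"smtp"}}
"""


def classify_flow(rec):
    """'upgraded'   : change requested and flow ended in the expected protocol
       'unexpected' : change requested but the expected protocol never showed
       None         : no protocol change recorded on this flow"""
    orig = rec.get("app_proto_orig")
    expected = rec.get("app_proto_expected")
    if orig is None and expected is None:
        return None
    if expected is not None and rec.get("app_proto") != expected:
        return "unexpected"
    return "upgraded"


def summarize(eve_text):
    """Return per-category lists of (src, dst, port, original, final)."""
    out = {"upgraded": [], "unexpected": [], "tls_from_proto": []}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        tup = (rec["src_ip"], rec["dest_ip"], rec["dest_port"])
        if rec.get("event_type") == "flow":
            verdict = classify_flow(rec)
            if verdict:
                out[verdict].append(tup + (rec.get("app_proto_orig"), rec.get("app_proto")))
        elif rec.get("event_type") == "tls" and "from_proto" in rec.get("tls", {}):
            # TLS session that started as another protocol (STARTTLS / CONNECT)
            out["tls_from_proto"].append(tup + (rec["tls"]["from_proto"], "tls"))
    return out
```

The "unexpected" bucket is the one worth alerting on: a flow that announced STARTTLS or CONNECT but never produced a TLS handshake afterwards.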

Summary of changes:
 doc/userguide/output/lua-output.rst |  8 +++-
 rules/app-layer-events.rules        |  6 ++-
 src/app-layer-detect-proto.c        | 83 +++++++++++++++++++++++++++++-------
 src/app-layer-detect-proto.h        |  8 ++++
 src/app-layer-events.c              |  4 ++
 src/app-layer-events.h              |  2 +
 src/app-layer-ftp.c                 | 32 ++++++++++----
 src/app-layer-ftp.h                 |  1 +
 src/app-layer-htp.c                 | 19 +++++++++
 src/app-layer-smtp.c                | 10 ++---
 src/app-layer.c                     | 25 +++++++++++
 src/decode.c                        |  3 ++
 src/decode.h                        |  6 ++-
 src/detect-filemagic.c              |  2 +-
 src/flow-util.h                     |  6 +++
 src/flow-worker.c                   |  4 ++
 src/flow.c                          | 32 ++++++++++++++
 src/flow.h                          | 16 +++++++
 src/output-json-flow.c              |  8 ++++
 src/output-json-tls.c               |  7 +++
 src/source-nfq.c                    |  4 +-
 src/stream-tcp.c                    | 85 +++++++++++++++++++++++++++++++++++++
 src/stream-tcp.h                    |  1 +
 src/util-lua-common.c               | 12 ++++--
 src/util-magic.c                    |  2 +-
 25 files changed, 344 insertions(+), 42 deletions(-)
