rust/ldap: udp and frames support v2 #11535

glongo · 2024-07-19T17:01:54Z

Make sure these boxes are signed before submitting your Pull Request -- thank you.

I have read the contributing guide lines at
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
I have signed the Open Information Security Foundation contribution agreement at
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)
I have created a ticket at
https://redmine.openinfosecfoundation.org/projects/suricata/issues
(if applicable)

Link to ticket: https://redmine.openinfosecfoundation.org/issues/1199

Describe changes:

Enable parser and logger for LDAP traffic over UDP
Add PDU frames
Fix comments in rust/ldap: udp and frames support v1 #11522

SV_BRANCH=OISF/suricata-verify#1984

This permits to parse and log ldap over udp traffic.

This adds a pdu frame for both request and response, and removes invalid returns in SCLdapParseRequest and SCLdapParseResponse.

suricata-qa · 2024-07-20T07:15:03Z

ERROR:

ERROR: QA failed on ASAN_TLPR1_suri.

Pipeline 21667

victorjulien · 2024-07-20T08:33:12Z

suricata: app-layer-parser.c:1373: int AppLayerParserParse(ThreadVars *, AppLayerParserThreadCtx *, Flow *, AppProto, uint8_t, const uint8_t *, uint32_t): Assertion `!((f->proto != IPPROTO_TCP))' failed.
Error: suricata: stacktrace:sig 6:pthread_kill+0x0000012c;raise+0x00000016;abort+0x000000d3;__libc_freeres+0x000000d3;__assert_fail+0x00000046;AppLayerParserParse+0x000012e9;AppLayerHandleUdp+0x0000113c;FlowWorker+0x00000ff1;TmThreadsSlotVarRun+0x00000226;TmThreadsSlotVar+0x00000f56;pthread_condattr_setpshared+0x00000513;__xmknodat+0x00000230 [SignalHandlerUnexpected:suricata.c:327]

victorjulien · 2024-07-20T10:37:48Z

With a protocol like dns, yaml looks like this:

    dns:
      tcp:                                                                                
        enabled: yes             
        detection-ports:           
          dp: 53                                        
      udp:                                                                         
        enabled: yes                                                          
        detection-ports:                                         
          dp: 53

Why is this not similar for ldap here?

glongo · 2024-07-22T08:28:13Z

With a protocol like dns, yaml looks like this:

    dns:
      tcp:                                                                                
        enabled: yes             
        detection-ports:           
          dp: 53                                        
      udp:                                                                         
        enabled: yes                                                          
        detection-ports:                                         
          dp: 53

Why is this not similar for ldap here?

This configuration seems to be used only for DNS, whereas other protocols (such as SIP and KRB) are not.
How should this be handled?

glongo · 2024-07-22T08:29:37Z

suricata: app-layer-parser.c:1373: int AppLayerParserParse(ThreadVars *, AppLayerParserThreadCtx *, Flow *, AppProto, uint8_t, const uint8_t *, uint32_t): Assertion `!((f->proto != IPPROTO_TCP))' failed.
Error: suricata: stacktrace:sig 6:pthread_kill+0x0000012c;raise+0x00000016;abort+0x000000d3;__libc_freeres+0x000000d3;__assert_fail+0x00000046;AppLayerParserParse+0x000012e9;AppLayerHandleUdp+0x0000113c;FlowWorker+0x00000ff1;TmThreadsSlotVarRun+0x00000226;TmThreadsSlotVar+0x00000f56;pthread_condattr_setpshared+0x00000513;__xmknodat+0x00000230 [SignalHandlerUnexpected:suricata.c:327]

Is there a way to reproduce this issue?

victorjulien · 2024-07-26T12:32:29Z

suricata: app-layer-parser.c:1373: int AppLayerParserParse(ThreadVars *, AppLayerParserThreadCtx *, Flow *, AppProto, uint8_t, const uint8_t *, uint32_t): Assertion `!((f->proto != IPPROTO_TCP))' failed.
Error: suricata: stacktrace:sig 6:pthread_kill+0x0000012c;raise+0x00000016;abort+0x000000d3;__libc_freeres+0x000000d3;__assert_fail+0x00000046;AppLayerParserParse+0x000012e9;AppLayerHandleUdp+0x0000113c;FlowWorker+0x00000ff1;TmThreadsSlotVarRun+0x00000226;TmThreadsSlotVar+0x00000f56;pthread_condattr_setpshared+0x00000513;__xmknodat+0x00000230 [SignalHandlerUnexpected:suricata.c:327]

Is there a way to reproduce this issue?

I don't have a reproducer to share, sorry. Private data.

victorjulien · 2024-07-26T12:32:48Z

With a protocol like dns, yaml looks like this:

    dns:
      tcp:                                                                                
        enabled: yes             
        detection-ports:           
          dp: 53                                        
      udp:                                                                         
        enabled: yes                                                          
        detection-ports:                                         
          dp: 53

Why is this not similar for ldap here?

This configuration seems to be used only for DNS, whereas other protocols (such as SIP and KRB) are not. How should this be handled?

I think we need the dns approach.

glongo · 2024-07-26T12:33:58Z

With a protocol like dns, yaml looks like this:

    dns:
      tcp:                                                                                
        enabled: yes             
        detection-ports:           
          dp: 53                                        
      udp:                                                                         
        enabled: yes                                                          
        detection-ports:                                         
          dp: 53

Why is this not similar for ldap here?

This configuration seems to be used only for DNS, whereas other protocols (such as SIP and KRB) are not. How should this be handled?

I think we need the dns approach.

Yep, already implemented that approach. PR coming.

glongo · 2024-07-26T12:54:46Z

Replaced with #11558

glongo added 2 commits July 19, 2024 17:30

ldap: enable parser for udp

571a561

This permits to parse and log ldap over udp traffic.

rust/ldap: add pdu frames

881f52c

This adds a pdu frame for both request and response, and removes invalid returns in SCLdapParseRequest and SCLdapParseResponse.

glongo requested review from jasonish, victorjulien and a team as code owners July 19, 2024 17:01

victorjulien approved these changes Jul 20, 2024

View reviewed changes

victorjulien added this to the 8.0 milestone Jul 20, 2024

victorjulien added the waiting for qa label Jul 20, 2024

suricata-qa removed the waiting for qa label Jul 20, 2024

victorjulien removed this from the 8.0 milestone Jul 20, 2024

victorjulien self-requested a review July 20, 2024 10:37

glongo closed this Jul 26, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rust/ldap: udp and frames support v2 #11535

rust/ldap: udp and frames support v2 #11535

glongo commented Jul 19, 2024

suricata-qa commented Jul 20, 2024

victorjulien commented Jul 20, 2024

victorjulien commented Jul 20, 2024

glongo commented Jul 22, 2024

glongo commented Jul 22, 2024

victorjulien commented Jul 26, 2024

victorjulien commented Jul 26, 2024

glongo commented Jul 26, 2024

glongo commented Jul 26, 2024

rust/ldap: udp and frames support v2 #11535

rust/ldap: udp and frames support v2 #11535

Conversation

glongo commented Jul 19, 2024

suricata-qa commented Jul 20, 2024

victorjulien commented Jul 20, 2024

victorjulien commented Jul 20, 2024

glongo commented Jul 22, 2024

glongo commented Jul 22, 2024

victorjulien commented Jul 26, 2024

victorjulien commented Jul 26, 2024

glongo commented Jul 26, 2024

glongo commented Jul 26, 2024