next/56/20230703/v1 #9134

Closed
wants to merge 3 commits into from
11 changes: 7 additions & 4 deletions doc/userguide/configuration/exception-policies.rst
Expand Up @@ -45,10 +45,13 @@ also defined in the yaml file.
Auto
''''

**In IPS mode**, the default behavior for all exception policies is to drop
the flow, or the packet, when the flow action is not supported. It is possible
to disable this default, by setting the exception policies' "master switch" yaml
config option to ``ignore``.
**In IPS mode**, the default behavior for most of the exception policies is to
fail close. This means droping the flow, or the packet, when the flow action is
not supported. The default policy for the midstream exception will be ignore if
midstream flows are accepted.

It is possible to disable this default, by setting the exception policies'
"master switch" yaml config option to ``ignore``.

**In IDS mode**, setting ``auto`` mode actually means disabling the
``master-switch``, or ignoring the exception policies.
Expand Down
30 changes: 22 additions & 8 deletions rust/src/rfb/rfb.rs
Expand Up @@ -240,6 +240,15 @@ impl RFBState {
current = rem;

let chosen_security_type = request.security_type;

if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_security_type_selection = Some(request);
current_transaction.chosen_security_type =
Some(chosen_security_type as u32);
} else {
debug_validate_fail!("no transaction set at security type stage");
}

match chosen_security_type {
2 => self.state = parser::RFBGlobalState::TCVncChallenge,
1 => self.state = parser::RFBGlobalState::TSClientInit,
Expand All @@ -256,14 +265,6 @@ impl RFBState {
return AppLayerResult::ok();
}
}

if let Some(current_transaction) = self.get_current_tx() {
current_transaction.ts_security_type_selection = Some(request);
current_transaction.chosen_security_type =
Some(chosen_security_type as u32);
} else {
debug_validate_fail!("no transaction set at security type stage");
}
}
Err(Err::Incomplete(_)) => {
return AppLayerResult::incomplete(
Expand All @@ -274,6 +275,7 @@ impl RFBState {
Err(_) => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
current_transaction.complete = true;
}
// We failed to parse the security type.
// Continue the flow but stop trying to map the protocol.
Expand Down Expand Up @@ -312,6 +314,7 @@ impl RFBState {
Err(_) => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
current_transaction.complete = true;
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
Expand Down Expand Up @@ -348,6 +351,7 @@ impl RFBState {
Err(_) => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
current_transaction.complete = true;
}
// We failed to parse the client init.
// Continue the flow but stop trying to map the protocol.
Expand All @@ -371,6 +375,7 @@ impl RFBState {
SCLogDebug!("Invalid state for request: {}", self.state);
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::ConfusedState);
current_transaction.complete = true;
}
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
Expand Down Expand Up @@ -479,6 +484,7 @@ impl RFBState {
Err(_) => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
current_transaction.complete = true;
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
Expand Down Expand Up @@ -511,6 +517,7 @@ impl RFBState {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction
.set_event(RFBEvent::UnimplementedSecurityType);
current_transaction.complete = true;
} else {
debug_validate_fail!(
"no transaction set at security type stage"
Expand Down Expand Up @@ -542,6 +549,7 @@ impl RFBState {
Err(_) => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
current_transaction.complete = true;
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
Expand Down Expand Up @@ -579,6 +587,7 @@ impl RFBState {
Err(_) => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
current_transaction.complete = true;
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
Expand Down Expand Up @@ -614,6 +623,7 @@ impl RFBState {
} else {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::UnknownSecurityResult);
current_transaction.complete = true;
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
Expand All @@ -629,6 +639,7 @@ impl RFBState {
Err(_) => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
current_transaction.complete = true;
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
Expand All @@ -655,6 +666,7 @@ impl RFBState {
Err(_) => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
current_transaction.complete = true;
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
Expand Down Expand Up @@ -695,6 +707,7 @@ impl RFBState {
Err(_) => {
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::MalformedMessage);
current_transaction.complete = true;
}
// Continue the flow but stop trying to map the protocol.
self.state = parser::RFBGlobalState::Skip;
Expand All @@ -718,6 +731,7 @@ impl RFBState {
SCLogDebug!("Invalid state for response: {}", self.state);
if let Some(current_transaction) = self.get_current_tx() {
current_transaction.set_event(RFBEvent::ConfusedState);
current_transaction.complete = true;
}
self.state = parser::RFBGlobalState::Skip;
return AppLayerResult::ok();
Expand Down
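Review bot: The pair `current_transaction.set_event(...)` / `current_transaction.complete = true;` inside `if let Some(current_transaction) = self.get_current_tx()` is now repeated in thirteen error arms of this file, from the `Err(_)` arm of the `-274,6 +275,7` hunk through the `Invalid state for response` arm of the last hunk, and every future error path has to remember both lines; a small helper on `RFBState` that records the event and completes the transaction would state the intended contract ("a malformed or confused message ends the current transaction") in one place. The first hunk's move of the security-type bookkeeping ahead of the `match` reads correctly, since the transaction now records the chosen type even for arms that return early. The enclosing request/response parsing functions start and end outside these hunks, and `get_current_tx` appears to yield an `Option` of a mutable transaction reference judging by the field writes, so the helper's receiver and return types should be confirmed against the definition.
```rust
/// Record `event` on the current transaction and mark it complete so the
/// failed exchange is logged and the transaction can be freed.
/// No-op when no transaction exists (matches the existing `if let` arms).
fn fail_current_tx(&mut self, event: RFBEvent) {
    if let Some(tx) = self.get_current_tx() {
        tx.set_event(event);
        tx.complete = true;
    }
}
// … unchanged: each error arm then reduces to `self.fail_current_tx(RFBEvent::MalformedMessage);` …
```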
14 changes: 9 additions & 5 deletions src/util-exception-policy.c
Expand Up @@ -174,6 +174,7 @@ static enum ExceptionPolicy ExceptionPolicyConfigValueParse(
return policy;
}

/* Select an exception policy in case the configuration value was set to 'auto' */
static enum ExceptionPolicy ExceptionPolicyPickAuto(bool midstream_enabled, bool support_flow)
{
enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
Expand All @@ -190,10 +191,8 @@ static enum ExceptionPolicy ExceptionPolicyPickAuto(bool midstream_enabled, bool
static enum ExceptionPolicy ExceptionPolicyMasterParse(const char *value)
{
enum ExceptionPolicy policy = ExceptionPolicyConfigValueParse("exception-policy", value);
if (policy == EXCEPTION_POLICY_AUTO) {
policy = ExceptionPolicyPickAuto(false, true);
} else if (!EngineModeIsIPS() &&
(policy == EXCEPTION_POLICY_DROP_PACKET || policy == EXCEPTION_POLICY_DROP_FLOW)) {
if (!EngineModeIsIPS() &&
(policy == EXCEPTION_POLICY_DROP_PACKET || policy == EXCEPTION_POLICY_DROP_FLOW)) {
policy = EXCEPTION_POLICY_NOT_SET;
}
g_eps_have_exception_policy = true;
Expand All @@ -209,6 +208,11 @@ static enum ExceptionPolicy ExceptionPolicyGetDefault(
enum ExceptionPolicy p = EXCEPTION_POLICY_NOT_SET;
if (g_eps_have_exception_policy) {
p = GetMasterExceptionPolicy(option);

if (p == EXCEPTION_POLICY_AUTO) {
p = ExceptionPolicyPickAuto(midstream, support_flow);
}

if (!support_flow) {
p = PickPacketAction(option, p);
}
Expand Down Expand Up @@ -277,7 +281,7 @@ enum ExceptionPolicy ExceptionPolicyMidstreamParse(bool midstream_enabled)
}
}
} else {
policy = ExceptionPolicyPickAuto(midstream_enabled, true);
policy = ExceptionPolicyGetDefault("stream.midstream-policy", true, midstream_enabled);
}

if (policy == EXCEPTION_POLICY_PASS_PACKET || policy == EXCEPTION_POLICY_DROP_PACKET) {
Expand Down
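Review bot: With the last hunk the `auto` default for `stream.midstream-policy` is resolved through `ExceptionPolicyGetDefault(...)`, and the part of that function visible in the third hunk only consults the master policy (and therefore `ExceptionPolicyPickAuto`) when `g_eps_have_exception_policy` is set, whereas the removed call `ExceptionPolicyPickAuto(midstream_enabled, true)` ran regardless of whether a master switch was configured. If the elided tail of `ExceptionPolicyGetDefault` does not cover the unconfigured case, a configuration with no `exception-policy` key now yields `EXCEPTION_POLICY_NOT_SET` for midstream where it previously got the auto pick, and a comment at the call site would make the intent checkable either way, e.g. `/* 'auto' is derived from the master switch and midstream setting; see the userguide: ignore when midstream flows are accepted */`. Relatedly, `ExceptionPolicyMasterParse` no longer resolves `EXCEPTION_POLICY_AUTO` before its IDS check, and the check on the new lines compares only against the two drop values, so the IDS-mode behaviour described in the documentation hunk now rests on `ExceptionPolicyPickAuto` consulting the engine mode itself; its body is outside the hunk and should be confirmed. The enclosing functions `ExceptionPolicyGetDefault` and `ExceptionPolicyMidstreamParse` begin and end outside their hunks.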