Feat/sslproxy/v15 #13960
Draft
Feat/sslproxy/v15 #13960
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
victorjulien
force-pushed
the
feat/sslproxy/v15
branch
2 times, most recently
from
8bd3b11 to
2b95481
Compare
|
WARNING: ERROR: QA failed on IPS_AFP_drop_chk.
Pipeline = 27854 |
|
WARNING: ERROR: QA failed on IPS_AFP_drop_chk.
Pipeline = 27855 |
For SSLproxy that gives no hint about the decrypted protocol.
Allow a parser to return OK with only consuming partial data and then immediately processing the rest of the data, giving it a change to rerun protocol detection on the remaining data. For this a new AppLayerResult::ok_partial_continue has been added, which only indicates the number of bytes consumed. Meant for SSLproxy, where the data will include the special header as well as the first line of the decrypted protocol. The SSLproxy parser will then be able to return after the special header and have the data for it consumed.
Allow tagging of a flow as decrypted. This also allows the caller to set a new flow tuple that will be used to translate new packets to the new tuple. This is developed for the SSLproxy usecase, where the packets on the wire do not reflect the real tuple, but instead a connection between the proxy and a helper tool. The SSLproxy header at the start of the connection holds the original tuple, so that can then be applied to the packets.
Implement support for SSLproxy as a minimalistic app-layer parser. It will: - be detected as a SSLproxy connection - parse the special header containing the original tuple - mark the flow as decrypted and set the original tuple as the translation tuple - trigger a protocol detection on the data post SSLproxy header Flow records will then have `app_proto_orig` set to `sslproxy`. Ticket: OISF#7979.
Improve detection after TLS decrypt.
Improve multiline commands and SASL auth. Work around missing support in crate for empty server challenge and SASL base64 data. Ticket: OISF#7709.
victorjulien
force-pushed
the
feat/sslproxy/v15
branch
from
2b95481 to
5d68f89
Compare
|
WARNING: ERROR: QA failed on IPS_AFP_drop_chk.
Pipeline = 27856 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements initial SSLproxy decrypted traffic parsing.
https://redmine.openinfosecfoundation.org/issues/7979
Improves on pop3 parser so it doesn't error out on trivial traffic.
https://redmine.openinfosecfoundation.org/issues/7709
Misc other improvements.
SV_BRANCH=OISF/suricata-verify#2675