Suricata current master has undergone some major rewrite on its app layer code. This includes app layer protocol detection and the app layer parsing phase. While doing this, it has also introduced a new keyword - "app-layer-protocol". There are certain other changes on how we can now specify an app layer protocol in a rule and how it interacts with an "ipproto(both rule specified or through ipproto keyword)".
App layer rewite
Let me start by introducing the app layer rewrite. The old app layer code had the protocol detection and parsing phase all jumbled up. There was no proper separation between the two. Also the internal app layer protocol registration didn't have a hierarchy based on ip protocol, which meant one couldn't register anything against an app layer protocol without modifying the protocol name by appending the ipproto to it.
For example, to specify a signature to match on the udp and tcp variant of
dns protocol respectively, one would have to write -
alert dnsudp ...... /* to match on dns udp */
alert dnstcp ..... /* to match on dns tcp */
This is now replaced by the cleaner -
alert dns (ipproto:udp; ); OR
alert udp (app-layer-protocol:dns;) OR
alert ip (app-layer-protocol:dns; ipproto:udp;)
New keyword: "app-layer-protocol"
This feature came up with the need to match on negated protocols(feature #727). An an example we want to match on the string "foo" on all app layer streams which are not http -
alert tcp any any -> any any (app-layer-protocol:!"http"; content:"foo"; sid:1;)
Interaction between app-layer-protocol, ipproto and the protocol specified using alert <protocol>
Let's work with some examples.
- Match on dns protocol against all ip-protocols.
alert ip (app-layer-protocol:dns;)
alert dns ()
- Match on udp version of dns protocol.
alert udp (app-layer-protocol:dns;)
alert dns (ipproto:udp;)
alert ip (app-layer-protocol:dns; ipproto:udp;)
- Match on tcp and udp version of dns protocol.
alert udp (app-layer-protocol:dns; ipproto:tcp; ) /* XXX Nooooooo...... */
The above is not allowed. ipproto keyword can be used only with alert ip.
alert dns (ipproto:tcp; ipproto:udp;)
alert ip (app-layer-protocol:dns; ipproto:udp; ipproto:tcp;)
What do all these changes mean for the engine
- We have a neater app layer phase. There's a clear separation between the app layer protocol module and app layer parser module.
- Ipproto based hierarchy in any registration related to an app layer protocol.
From a rule_write/user perspective, this removes the need to tag an ipproto
along with the app_protocol name. For example, we no longer have dnstcp and dnsudp.
- Introduction of the new "app-layer-protocol" keyword allows for richer specification when used along with other keywords like "ipproto".
- Conf yaml changes
Previously,
dnstcp:
enabled: yes
detection-ports:
tcp:
toserver: 53
dnsudp:
enabled: yes
detection-ports:
udp:
toserver: 53
Now,
dns:
tcp:
enabled: yes
detection-ports:
toserver: 53
udp:
enabled: yes
detection-ports:
toserver: 53
No comments:
Post a Comment