Websockets 2695 v7.1

doc/userguide/rules/index.rst

@@ -35,6 +35,7 @@ Suricata Rules
    quic-keywords
    nfs-keywords
    smtp-keywords
+   websocket-keywords
    app-layer
    xbits
    thresholding

doc/userguide/rules/intro.rst

@@ -110,6 +110,7 @@ you can pick from. These are:
 * snmp
 * tftp
 * sip
+* websocket
 
 The availability of these protocols depends on whether the protocol
 is enabled in the configuration file, suricata.yaml.

doc/userguide/rules/websocket-keywords.rst

@@ -0,0 +1,50 @@
+WebSocket Keywords
+==================
+
+websocket.payload
+-----------------
+
+A sticky buffer on the unmasked payload,
+limited by suricata.yaml config value ``websocket.max-payload-size``.
+
+Examples::
+
+  websocket.payload; pcre:"/^123[0-9]*/";
+  websocket.payload content:"swordfish";
+
+``websocket.payload`` is a 'sticky buffer' and can be used as ``fast_pattern``.
+
+websocket.fin
+-------------
+
+A boolean to tell if the payload is complete.
+
+Examples::
+
+  websocket.fin:true;
+  websocket.fin:false;
+
+websocket.mask
+--------------
+
+Matches on the websocket mask if any.
+It uses a 32-bit unsigned integer as value (big-endian).
+
+Examples::
+
+  websocket.mask:123456;
+  websocket.mask:>0;
+
+websocket.opcode
+----------------
+
+Matches on the websocket opcode.
+It uses a 8-bit unsigned integer as value.
+Only 16 values are relevant.
+It can also be specified by text from the enumeration
+
+Examples::
+
+  websocket.opcode:1;
+  websocket.opcode:>8;
+  websocket.opcode:ping;

etc/schema.json

@@ -3833,6 +3833,9 @@
                                 },
                                 "tls": {
                                     "$ref": "#/$defs/stats_applayer_error"
+                                },
+                                "websocket": {
+                                    "$ref": "#/$defs/stats_applayer_error"
                                 }
                             },
                             "additionalProperties": false
@@ -3950,6 +3953,9 @@
                                 },
                                 "tls": {
                                     "type": "integer"
+                                },
+                                "websocket": {
+                                    "type": "integer"
                                 }
                             },
                             "additionalProperties": false
@@ -4061,6 +4067,9 @@
                                 },
                                 "tls": {
                                     "type": "integer"
+                                },
+                                "websocket": {
+                                    "type": "integer"
                                 }
                             },
                             "additionalProperties": false
@@ -5498,6 +5507,21 @@
                 }
             },
             "additionalProperties": false
+        },
+        "websocket": {
+            "type": "object",
+            "properties": {
+                "fin": {
+                    "type": "boolean"
+                },
+                "mask": {
+                    "type": "integer"
+                },
+                "opcode": {
+                    "type": "string"
+                }
+            },
+            "additionalProperties": false
         }
     },
     "$defs": {

rules/Makefile.am

@@ -22,4 +22,5 @@ smb-events.rules \
 smtp-events.rules \
 ssh-events.rules \
 stream-events.rules \
-tls-events.rules
+tls-events.rules \
+websocket-events.rules

rules/websocket-events.rules

@@ -0,0 +1,8 @@
+# WebSocket app-layer event rules.
+#
+# These SIDs fall in the 2235000+ range. See:
+#    http://doc.emergingthreats.net/bin/view/Main/SidAllocation and
+#    https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+
+alert websocket any any -> any any (msg:"SURICATA Websocket skipped end of payload"; app-layer-event:websocket.skip_end_of_payload; classtype:protocol-command-decode; sid:2235000; rev:1;)
+alert websocket any any -> any any (msg:"SURICATA Websocket reassembly limit reached"; app-layer-event:websocket.reassembly_limit_reached; classtype:protocol-command-decode; sid:2235001; rev:1;)

rust/derive/src/lib.rs

@@ -23,6 +23,7 @@ use proc_macro::TokenStream;
 
 mod applayerevent;
 mod applayerframetype;
+mod stringenum;
 
 /// The `AppLayerEvent` derive macro generates a `AppLayerEvent` trait
 /// implementation for enums that define AppLayerEvents.
@@ -50,3 +51,8 @@ pub fn derive_app_layer_event(input: TokenStream) -> TokenStream {
 pub fn derive_app_layer_frame_type(input: TokenStream) -> TokenStream {
     applayerframetype::derive_app_layer_frame_type(input)
 }
+
+#[proc_macro_derive(EnumStringU8, attributes(name))]
+pub fn derive_enum_string_u8(input: TokenStream) -> TokenStream {
+    stringenum::derive_enum_string::<u8>(input, "u8")
+}

rust/derive/src/stringenum.rs

@@ -0,0 +1,127 @@
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+extern crate proc_macro;
+use super::applayerevent::transform_name;
+use proc_macro::TokenStream;
+use quote::quote;
+use syn::{self, parse_macro_input, DeriveInput};
+use std::str::FromStr;
+
+pub fn derive_enum_string<T: std::str::FromStr + quote::ToTokens>(input: TokenStream, ustr: &str) -> TokenStream where <T as FromStr>::Err: std::fmt::Display {
+    let input = parse_macro_input!(input as DeriveInput);
+    let name = input.ident;
+    let mut values = Vec::new();
+    let mut names = Vec::new();
+    let mut fields = Vec::new();
+
+    if let syn::Data::Enum(ref data) = input.data {
+        let mut default_seen = false;
+        for (_, v) in (&data.variants).into_iter().enumerate() {
+            if let Some((_, val)) = &v.discriminant {
+                let fname = transform_name(&v.ident.to_string());
+                names.push(fname);
+                fields.push(v.ident.clone());
+                if let syn::Expr::Lit(l) = val {
+                    if let syn::Lit::Int(li) = &l.lit {
+                        if let Ok(value) = li.base10_parse::<T>() {
+                            values.push(value);
+                        } else {
+                            panic!("EnumString requires explicit {}", ustr);
+                        }
+                    } else {
+                        panic!("EnumString requires explicit literal integer");
+                    }
+                } else {
+                    panic!("EnumString requires explicit literal");
+                }
+            } else {
+                if let syn::Fields::Unnamed(f) = &v.fields {
+                    if default_seen || f.unnamed.len() != 1 {
+                        panic!("EnumString requires explicit values or one Unknown({})", ustr);
+                    }
+                    if v.ident.to_string() != "Unknown" {
+                        panic!("EnumString default case must be Unknown({})", ustr);
+                    }
+                    if let syn::Type::Path(p) = &f.unnamed[0].ty {
+                        if p.path.segments.len() != 1 {
+                            panic!("EnumString requires explicit values or one Unknown({})", ustr);
+                        }
+                        if p.path.segments[0].ident.to_string() != ustr {
+                            panic!("EnumString default case must be Unknown({})", ustr);
+                        }
+                    } else {
+                        panic!("EnumString requires explicit values or one Unknown({})", ustr);
+                    }
+                    default_seen = true;
+                } else {
+                    panic!("EnumString requires explicit values or one Unknown({})", ustr);
+                }
+            }
+        }
+    } else {
+        panic!("EnumString can only be derived for enums");
+    }
+
+    let utype_str = syn::Ident::new(&ustr, proc_macro2::Span::call_site());
+
+    let expanded = quote! {
+        impl #name {
+            pub(crate) fn from_u(v: #utype_str) -> Self {
+                match v {
+                    #( #values => #name::#fields ,)*
+                    _ => #name::Unknown(v),
+                }
+            }
+            pub(crate) fn into_u(&self) -> #utype_str {
+                match *self {
+                    #( #name::#fields => #values ,)*
+                    #name::Unknown(v) => v,
+                }
+            }
+            pub(crate) fn to_string(&self) -> String {
+                match *self {
+                    #( #name::#fields => #names.to_string() ,)*
+                    #name::Unknown(v) => format!("unknown-{}", v),
+                }
+            }
+            pub(crate) fn from_str(s: &str) -> Option<#name> {
+                match s {
+                    #( #names => Some(#name::#fields) ,)*
+                    _ => None
+                }
+            }
+            pub(crate) fn to_detect_ctx(s: &str) -> Option<DetectUintData<#utype_str>> {
+                if let Ok((_, ctx)) = detect_parse_uint::<#utype_str>(s) {
+                    return Some(ctx);
+                }
+                if let Some(arg1) = #name::from_str(s) {
+                    let arg1 = #name::into_u(&arg1);
+                    let ctx = DetectUintData::<#utype_str> {
+                        arg1,
+                        arg2: 0,
+                        mode: DetectUintMode::DetectUintModeEqual,
+                    };
+                    return Some(ctx);
+                }
+                return None;
+            }
+        }
+    };
+
+    proc_macro::TokenStream::from(expanded)
+}

rust/src/http2/parser.rs

@@ -695,6 +695,8 @@ pub enum HTTP2SettingsId {
     InitialWindowSize = 4,
     MaxFrameSize = 5,
     MaxHeaderListSize = 6,
+    EnableConnectProtocol = 8, // rfc8441
+    NoRfc7540Priorities = 9, // rfc9218
 }
 
 impl fmt::Display for HTTP2SettingsId {
@@ -716,6 +718,8 @@ impl std::str::FromStr for HTTP2SettingsId {
             "SETTINGS_INITIAL_WINDOW_SIZE" => Ok(HTTP2SettingsId::InitialWindowSize),
             "SETTINGS_MAX_FRAME_SIZE" => Ok(HTTP2SettingsId::MaxFrameSize),
             "SETTINGS_MAX_HEADER_LIST_SIZE" => Ok(HTTP2SettingsId::MaxHeaderListSize),
+            "SETTINGS_ENABLE_CONNECT_PROTOCOL" => Ok(HTTP2SettingsId::EnableConnectProtocol),
+            "SETTINGS_NO_RFC7540_PRIORITIES" => Ok(HTTP2SettingsId::NoRfc7540Priorities),
             _ => Err(format!("'{}' is not a valid value for HTTP2SettingsId", s)),
         }
     }

rust/src/lib.rs

@@ -103,6 +103,7 @@ pub mod rfb;
 pub mod mqtt;
 pub mod pgsql;
 pub mod telnet;
+pub mod websocket;
 pub mod applayertemplate;
 pub mod rdp;
 pub mod x509;

rust/src/websocket/detect.rs

@@ -0,0 +1,65 @@
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+use super::websocket::WebSocketTransaction;
+use crate::detect::uint::DetectUintData;
+use crate::websocket::parser::WebSocketOpcode;
+use std::ffi::CStr;
+
+#[no_mangle]
+pub unsafe extern "C" fn SCWebSocketGetOpcode(tx: &mut WebSocketTransaction) -> u8 {
+    return WebSocketOpcode::into_u(&tx.pdu.opcode);
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn SCWebSocketGetFin(tx: &mut WebSocketTransaction) -> bool {
+    return tx.pdu.fin;
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn SCWebSocketGetPayload(
+    tx: &WebSocketTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
+) -> bool {
+    *buffer = tx.pdu.payload.as_ptr();
+    *buffer_len = tx.pdu.payload.len() as u32;
+    return true;
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn SCWebSocketGetMask(
+    tx: &mut WebSocketTransaction, value: *mut u32,
+) -> bool {
+    if let Some(xorkey) = tx.pdu.mask {
+        *value = xorkey;
+        return true;
+    }
+    return false;
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn SCWebSocketParseOpcode(
+    ustr: *const std::os::raw::c_char,
+) -> *mut DetectUintData<u8> {
+    let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
+    if let Ok(s) = ft_name.to_str() {
+        if let Some(ctx) = WebSocketOpcode::to_detect_ctx(s) {
+            let boxed = Box::new(ctx);
+            return Box::into_raw(boxed) as *mut _;
+        }
+    }
+    return std::ptr::null_mut();
+}