Commit Graph

8999 Commits (07df1ce6afffb35c0acd25b3b787ce04643306b1)

Author SHA1 Message Date
Jason Ish cb62c8dacf dcerpc: add tx detect flags 6 years ago
Jason Ish 21f014f5c3 modbus: add tx detect flags 6 years ago
Jason Ish 20bc08a722 app-layer: add tx detect functions to register struct 6 years ago
Jason Ish fdb587d2fc detect-engine: check for tx detect flag support
When registering a detection engine, check that the app-layer
protocol supports tx detect flags. Exit with a fatal
error if it does not as this is a code implementation
error that should be resolved during development.
6 years ago
Jason Ish b1beb76fd7 ftpdata: add tx detect flags 6 years ago
Jason Ish 62e4211f04 debug: add SCReturnBool function exit macro 6 years ago
Jason Ish 739df21e2d app-layer: method to see if parser supports tx detect flags
Add method to check if a parser for an app-layer protocol
supports tx detect flags.

This is a bit of a hack for now as where we need to run
this check from we do not have the IP protocol.
6 years ago
Jeff Lucovsky 218a5c4345 mpm: Fix typos and spelling errors 6 years ago
Jeff Lucovsky aef24bee96 detect: Fix spelling errors 6 years ago
Jeff Lucovsky f318a46d34 detect: Improve handling of variable values
When one of offset/depth/distance is from a variable, adjust the depth
by the offset as is done with scalar values at parse time.
6 years ago
Jeff Lucovsky db8527e7b3 detect/mpm: Improved handling of variable values
This commit removes the offset and depth if either of these values are
dependent upon a byte-extract operation.
6 years ago
Victor Julien 94982ae690 http: split request/response tx id handling
When HTTP pipelining was in use, the transaction id used for events
and files could be off. If the request side was several requests ahead
of the responses, it would use the HtpState::transaction_cnt for events
and files, even though that is only incremented on complete requests.

Split request and response tx id tracking. The response is still handled
by the HtpState::transaction_cnt, but the request side is now handled by
its own logic.
6 years ago
Victor Julien b82e71b95e files: remove FILE_USE_TRACKID flag
Once it was optional but as it no longer is it is no longer useful.

Remove it.
6 years ago
Victor Julien f9155aa121 files: simplify pruning logic
Since ebcc4db84a the flow worker runs
file pruning after parsing, detection and logging. This means we can
simplify the pruning logic. If a file is in state >= CLOSED, we can
prune it. Detection and outputs will have had a final chance to
process it.

Remove the calls to the pruning code from Rust. They are no longer
needed.
6 years ago
Victor Julien ab471c3054 app-layer: don't consider tx flags if not registered
If a protocol does not support TxDetectFlags, don't try to use them.

The consequence of trying to use them was that a TX would never be
considered done, and it would never be freed. This would lead to excessive
memory use and performance problems due to walking an ever increasing
list.
6 years ago
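The commit above describes a lifecycle bug: a transaction's "done" check waited on detect flags that a protocol without TxDetectFlags support would never set, so transactions were never freed and the per-flow list grew without bound. The following is an added example, not Suricata's code; it models that check with a hypothetical transaction list whose struct names, fields and flag values are this example's own, and lets the old and fixed behaviour be compared on the same input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of a per-flow transaction list; the struct names,
 * fields and flag values are this example's own, not Suricata's. */
#define TX_DONE_TS 0x01u           /* parser finished the to-server side */
#define TX_DONE_TC 0x02u           /* parser finished the to-client side */
#define TX_DONE    (TX_DONE_TS | TX_DONE_TC)
#define DETECT_INSPECTED 0x1ULL    /* set by detection once a direction is fully inspected */

struct tx {
    uint64_t id;
    unsigned parser_state;         /* TX_DONE_* bits */
    uint64_t detect_flags_ts;
    uint64_t detect_flags_tc;
    struct tx *next;
};

struct tx_list { struct tx *head; size_t count; };

struct proto { bool supports_detect_flags; };

/* A tx may be freed once the parser is done with both directions and, when
 * the protocol registered detect flags, detection has inspected both
 * directions. 'honor_registration' = true is the fixed behaviour; false
 * reproduces the old one, which waited for flags that nobody would ever set. */
static bool tx_is_done(const struct tx *tx, const struct proto *p, bool honor_registration)
{
    if ((tx->parser_state & TX_DONE) != TX_DONE)
        return false;
    if (honor_registration && !p->supports_detect_flags)
        return true;
    return (tx->detect_flags_ts & DETECT_INSPECTED) != 0 &&
           (tx->detect_flags_tc & DETECT_INSPECTED) != 0;
}

void tx_list_add(struct tx_list *l, uint64_t id, unsigned parser_state)
{
    struct tx *t = calloc(1, sizeof(*t));
    if (t == NULL)
        abort();
    t->id = id;
    t->parser_state = parser_state;
    t->next = l->head;
    l->head = t;
    l->count++;
}

/* Walk the list, free every done tx, return how many were freed. */
size_t tx_list_prune(struct tx_list *l, const struct proto *p, bool honor_registration)
{
    size_t freed = 0;
    struct tx **pp = &l->head;
    while (*pp != NULL) {
        struct tx *cur = *pp;
        if (tx_is_done(cur, p, honor_registration)) {
            *pp = cur->next;
            free(cur);
            l->count--;
            freed++;
        } else {
            pp = &cur->next;
        }
    }
    return freed;
}

void tx_list_free(struct tx_list *l)
{
    while (l->head != NULL) {
        struct tx *t = l->head;
        l->head = t->next;
        free(t);
    }
    l->count = 0;
}

/* Simulate 'n' parser-complete transactions on a protocol that never
 * registered detect flags, prune, and report how many are still held. */
size_t remaining_after_prune(size_t n, bool honor_registration)
{
    struct proto p = { .supports_detect_flags = false };
    struct tx_list l = { NULL, 0 };
    for (size_t i = 0; i < n; i++)
        tx_list_add(&l, i, TX_DONE);
    tx_list_prune(&l, &p, honor_registration);
    size_t left = l.count;
    tx_list_free(&l);           /* release what the old logic would have leaked */
    return left;
}
```

With `honor_registration` false, `remaining_after_prune(1000, false)` keeps all 1000 transactions, which is the unbounded growth the commit describes; with it true they are all released, while a protocol that did register flags still waits for detection to mark both directions inspected.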
Eric Leblond 54d3620662 source-pcap-file: honor bpf filter on command line
When a BPF filter is given on the command line when reading a
pcap file, the BPF filter is not honored.

The regression has been introduced in:

commit 3ab9120821
Author: Dana Helwig <dana.helwig@protectwise.com>
Date:   Thu Apr 27 11:17:16 2017 -0600

    source-pcap-file: Pcap Directory Mode (Feature #2222)

Reported-By: Tim Colin <tcolin@et.esiea.fr>
6 years ago
Eric Leblond 860f43753c source-pcap-file: fix memory leak on pcap filter 6 years ago
Philippe Antoine 20e06f45c0 util: removes warning about double conversion
From clang 10 :
implicit conversion from 'unsigned long' to 'double' changes value
from 18446744073709551615 to 18446744073709551616
6 years ago
Victor Julien 502a8b5fb3 detect: fix inspection buffer for packet engines
Fix buffers not being reset per inspection round for packet engines.

Bug #3341.
6 years ago
Victor Julien 58b9a2dc21 threading: add debug validation for stale packets 6 years ago
Victor Julien fe9aeed0f0 threading: fix shutdown race condition
A BUG_ON statement would seemingly randomly trigger during the threading
shutdown logic. After a packet thread reached the THV_RUNNING_DONE state,
it would sometimes still receive flow timeout packets which would then
remain unprocessed.

1 main:   TmThreadDisableReceiveThreads(); <- stop capturing packets
2 worker: -> TmThreadTimeoutLoop (THV_FLOW_LOOP) phase starts
3 main:   FlowForceReassembly();           <- inject packets from flow engine
4 main:   TmThreadDisablePacketThreads();  <- then disable packet threads
5 main:   -> checks if 'worker' is ready processing packets
6 main:   -> sends THV_KILL to worker
7 worker: breaks out of TmThreadTimeoutLoop and changes to THV_RUNNING_DONE.

Part of the problem was with (5) above. When checking if the worker was
already done with its work, TmThreadDisablePacketThreads would not consider
the injected flow timeout packets. The second part of the problem was with (7),
where the worker checked if it was ready with the TmThreadTimeoutLoop in a
thread unsafe way.

As a result TmThreadDisablePacketThreads would not wait long enough for the
worker(s) to finish its work and move the threads to the THV_RUNNING_DONE
phase by issuing the THV_KILL command.

When waiting for packet processing threads to process all in-flight packets,
also consider the 'stream_pq'. This will have received the flow timeout
packets.

Bug #1871.
6 years ago
Victor Julien 825173a2ba threading: fix flow timeout loop race 6 years ago
Victor Julien 56354afd41 threading: improve thread queues checking by dumping more info 6 years ago
Victor Julien 0a809bf577 packet: set unique pkt_src 'flush' packets
Set unique type for capture timeout and for detect reload flush
to assist in debugging.
6 years ago
Victor Julien 6bc7636826 stream: remove unused code
Remove now unused 'pkt_src' type as well.

Remove related unittests.
6 years ago
Victor Julien 1633744fcb nfq: remove unused queue handler type 6 years ago
Victor Julien ab01cbe345 log-pcap: remove stale comments 6 years ago
Victor Julien 6de025bb12 alert-syslog: remove stale comments 6 years ago
Jeff Lucovsky 90c2e3561c Add general purpose `ARRAY_SIZE` macro
This commit adds `ARRAY_SIZE` as a helper for determining the number of
elements in an initialized array. The calculation is the same but the
macro provides a convenient shortcut. The implementation was borrowed
from the kernel sources.
6 years ago
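An added example, not the project's own code, showing the `ARRAY_SIZE` idiom the commit refers to together with the pitfall it does not protect against on its own: an array passed as a function parameter decays to a pointer, and `sizeof(arr) / sizeof((arr)[0])` then silently yields a wrong count. The guard macro is modelled on the kernel's `__must_be_array` and assumes GCC/Clang builtins; whether Suricata's macro carries such a guard is not stated on the page. The port table is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>

/* The plain form, computing the element count of an initialized array. */
#define ARRAY_SIZE_PLAIN(arr) (sizeof(arr) / sizeof((arr)[0]))

/* Added guard (assumption: GCC/Clang builtins available). sizeof(char[-1])
 * is a compile-time error, so ARRAY_SIZE on a pointer fails to build
 * instead of silently returning sizeof(pointer)/sizeof(element). */
#define SAME_TYPE(a, b) __builtin_types_compatible_p(__typeof__(a), __typeof__(b))
#define MUST_BE_ARRAY(a) (sizeof(char[1 - 2 * !!SAME_TYPE((a), &(a)[0])]) - 1)
#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + MUST_BE_ARRAY(arr))

/* Constructed sample table: ports a hypothetical parser cares about. */
static const uint32_t known_ports[] = { 21, 22, 25, 53, 80, 443 };

/* At the definition site sizeof sees the whole array: 6 elements. */
size_t known_port_count(void)
{
    return ARRAY_SIZE(known_ports);
}

/* Typical use: bounds-safe iteration without a hand-maintained count. */
int port_is_known(uint32_t port)
{
    for (size_t i = 0; i < ARRAY_SIZE(known_ports); i++) {
        if (known_ports[i] == port)
            return 1;
    }
    return 0;
}

/* The pitfall: an array parameter is really a pointer, so the plain macro
 * yields sizeof(const uint32_t *) / sizeof(uint32_t) (2 on a 64-bit build),
 * not the 6 elements. ARRAY_SIZE(ports) here would refuse to compile. */
size_t decayed_count(const uint32_t ports[])
{
    return ARRAY_SIZE_PLAIN(ports);
}
```

Whenever a count derived this way feeds a loop bound or a `memcpy` length, compute it where the array is defined and pass the count along explicitly; the guarded macro turns the decayed-pointer mistake into a build failure rather than an out-of-bounds read.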
Jeff Lucovsky ae198add6d detect/analyzer: Refactor engine analysis code
This commit changes the analysis code to be table driven to better
identify the rule elements covered by the analysis.
6 years ago
Philippe Antoine 6e63c957ff signature: Fixes memory leak in parsing app layer event 6 years ago
Jason Ish fccbd36d37 dns: log addresses in flow direction, not packet
Ticket #3340.
https://redmine.openinfosecfoundation.org/issues/3340
6 years ago
Victor Julien 0824b04134 filestore: don't assume flow is TCP
Filestore can be used by UDP based protocols as well. NFSv2 is one
that Suricata supports.

Bug #3277.
6 years ago
Victor Julien 2a55afbd89 decode/pppoe: fix potential crash in debug statement 6 years ago
Victor Julien 2ab7fb4b41 version: automate and cleanup ver handling
Create a single function to return the version string, to avoid lots
of ifdefs in multiple places.

Make the version determine the 'release' status. If the version from
autoconf has '-dev' in the name, it is not a release. If it doesn't,
it is considered a release version.
6 years ago
Victor Julien 51ec980e80 dataset: fix string length handling in hash 6 years ago
Eric Leblond 1721da91ef dataset: fix hash computation 6 years ago
Victor Julien 64a789bbf6 nfq: clear memory of queue before using it
Avoids using uninitialized memory. This showed itself
in nonsense values in counters, and in nfq_handle_packet
errors that were likely the result of passing uninitialized
memory to the nfq API.

Bug 3263.
Bug 3120.

Fixes: b2a6c60dee ("source-nfq: increase maximum queues number to 65535")
6 years ago
Victor Julien 2fd1174a56 nfq: micro optimization 6 years ago
Victor Julien 9d6087f7d6 nfq: don't warn on 'handle_packet' error
NFQ can generate warnings/errors with a delay. After Suricata has
successfully passed a verdict to the kernel, there are still things
that can go wrong for that verdict. This is then passed to the
queue through a netlink error message, which leads to nfq_handle_packet
returning an error code.

Suppress the warning. Also remove the errno/strerror use as
nfq_handle_packet does not set the errno.

Thanks to Florian Westphal.

Bug 3120.
6 years ago
Victor Julien f8acad7fca nfq: code cleanups 6 years ago
Alexander Gozman f280e66f84 nfq: check for EAGAIN after recv() call in NFQRecvPkt() 6 years ago
Victor Julien 4cc90e9a4c nfq: minor code cleanups 6 years ago
Victor Julien 01cea2ec89 datasets: suppress noisy debug statement 6 years ago
Victor Julien 505b2dd256 log-pcap: don't print (null) for compression method 6 years ago
Victor Julien fb26268c6b tcp: don't set event on empty SACK opt
TCP_OPT_INVALID_LEN was set if the opt len was 2. While useless,
an empty SACK is not uncommon.

Seen on an iOS device talking to an Apple server.

Bug #3254.
6 years ago
Victor Julien aae76a84cd suricata: use version from autoconf 6 years ago
Eric Leblond 2d11e9394c detect-base64: fix url in list keywords commands 6 years ago
Jason Ish 6eada54fc8 eve/dns: don't log warning if dns log version not set
If the DNS log version is not set, we default to v2. This should
not be warning, but better logged at the config level.

A warning will still be logged if the value is set but is not
1 or 2.
6 years ago
Philippe Antoine 989a6461b0 signature: leak fix in DetectAddressParse2 6 years ago
Philippe Antoine c1e41632c1 config: use logging instead of stderr 6 years ago
Wesley van der Ree bf1b65558b mpls: Allow MPLS after vlan.
Fixes #2771
6 years ago
Victor Julien 7cca9005fb dns: minor cleanup 6 years ago
Victor Julien 4164c0bbd6 app-layer: make dns,smb,tls parsers less noisy w/o config 6 years ago
Victor Julien 0526878fee detect/tls: set alternatives for legacy tls keywords 6 years ago
Victor Julien 3019f10ac7 detect/tls: tls.cert_fingerprint is a sticky buffer
Not a content modifier.
6 years ago
Jeff Lucovsky 42452b327c mem: Use correct len with strlcpy 6 years ago
Victor Julien d19ded6c43 stream: fix progress for min_inspect_depth
Make sure progress doesn't exceed raw_progress.
6 years ago
Victor Julien 5f15e7c6a4 smtp: implement min_inspect_depth logic
Implement min_inspect_depth for SMTP so that file_data and
regular stream matches don't go out of sync on the stream start.

Added toserver bytes tracking.

Bug #3190.
6 years ago
Victor Julien 58e48bcb87 debug: make it easier to trace flush logic 6 years ago
Victor Julien 876f05aa28 eve/dhcp: remove leftover template comments 6 years ago
Victor Julien 9716c24ba1 eve/alert: clean up proto metadata
Use a switch statement to select the protocol specific function.
6 years ago
Victor Julien f66e12f7af dns: rename rust files and funcs 6 years ago
Victor Julien 842037d327 jansson: remove explicit <jansson.h> includes
Header is included from suricata-common.h
6 years ago
Victor Julien edd2cd626f jansson: remove HAVE_LIBJANSSON guards 6 years ago
Victor Julien b4318a11e3 rust: remove build system HAVE_RUST guards 6 years ago
Victor Julien 5e9714e384 rust: remove all HAVE_RUST guards 6 years ago
Jason Ish 8425259c88 help: better description for -v
-v: be more verbose (use multiple times to increase verbosity)
6 years ago
Jason Ish 71c53484ee logging: use fixed levels of verbosity for -v, -vv...
Change the meaning of the verbosity flag to change the log
level to fixed levels instead of being relative to what's
configured.

-v    => INFO
-vv   => PERF
-vvv  => CONFIG
-vvvv => DEBUG

But do not allow -v to decrease the verbosity.

Bug #1851
6 years ago
Jason Ish 89634b6508 logging: respect individual log levels
The log level of individual loggers (console, file, syslog) was
being capped by the default log level. For example, if the
default log level was notice, setting the file level to info
would still result in notice level logging.

Bug #3210
6 years ago
Konstantin Klinger 808ea0dba9 app-layer: remove obsolete msn protocol detection 6 years ago
Victor Julien 6d2bd6607e datasets: make clear the feature is experimental 6 years ago
Jeff Lucovsky d514a38913 log/anomaly: remove leading underscore from static var 6 years ago
Jeff Lucovsky 95879c0d5a logging/alert: Warn if metadata not selected
Warn when HTTP body logging has been selected but applayer/metadata
logging is not configured.
6 years ago
Jeff Lucovsky 354074bac6 ftp: Handle malformed RETR/STOR
Ensure that RETR (STOR) have a filename -- otherwise, treat the command
string as malformed.

Added unittests for each command and verified that SEGVs occur without
parser change and no longer occur with the parser change.
6 years ago
Victor Julien 7609adb05d Revert "runmode: consider test mode a user mode"
This reverts commit 6dca50a322.

The test mode should actually test in system mode by default as
that is what tools like Suricata-Update need before issuing a
reload command.
6 years ago
Victor Julien 0771eb1e0e detect/ja3: print error for one rule only
Use 'silent error' logic for any other rules using ja3 as well.
6 years ago
Victor Julien 4d44ca7739 detect/parse: allow signature parsing to fail silently
A sigmatch's 'Setup' function may indicate it intends to fail
silently after the first error. It will return -2 instead of -1
in this case.

This is tracked in the DetectEngineCtx object, so errors will
be shown again at rule reloads.
6 years ago
Victor Julien aa5a6ab5f1 detect/parser: minor cleanup 6 years ago
Victor Julien c582fd28d9 tls/ja3: allow 'auto' setting for ja3 6 years ago
Victor Julien ca5226f0c7 tls/ja3: try to enable ja3 if rule keywords need it 6 years ago
Victor Julien 29dcd98ed1 tls/ja3: add way to check active config 6 years ago
Victor Julien 4cd3b84606 tls/ja3: allow dynamic enabling of ja3 6 years ago
Victor Julien 09882ec4cb detect/reference: implement strict parsing option 6 years ago
Victor Julien 89a717d41c detect/classtype: implement strict parsing option 6 years ago
Victor Julien b5521b58bc detect/parse: add --strict-rule-keywords option
Add --strict-rule-keywords commandline option to enable strict rule
parsing.

It can be used without options or with a comma separated list:
--strict-rule-keywords
--strict-rule-keywords=all
--strict-rule-keywords=classtype,reference

Parsing implementations can use SigMatchStrictEnabled to check
if strict parsing is enabled for them and act accordingly.
6 years ago
Victor Julien 88e26ea914 detect: use named enum for keyword types 6 years ago
Victor Julien 0b40d4ae93 detect/reference: allow undefined references
References are currently not used in Suricata, so erroring out on
rules using an undefined reference is too harsh.

Just issue a warning once per unique missing reference.
6 years ago
Victor Julien 61185cc9ba reference: change scope of add func to global 6 years ago
Victor Julien d17a3b3c2b reference: use global defines for size limits 6 years ago
Victor Julien e278953455 detect/reference: code cleanups 6 years ago
Victor Julien 523e91b231 detect/classtype: check size of rule input 6 years ago
Victor Julien e5f6f38481 classtype: handle missing classification.config
Still initialize the classtype hash table so that the classtypes
that rules use can be added to it.

The file missing now reports a warning instead of error, as we
will continue to work.
6 years ago
Victor Julien 517834e327 classtype: use global defines for size limits 6 years ago
Victor Julien 99bdb54d9f detect/classtype: show file and line for unknown classtype 6 years ago
Victor Julien 43b5234055 detect/priority: use global define for default prio 6 years ago
Victor Julien 954c43daf4 detect/classtype: allow undefined classtypes
Effect of classification on Suricata's working is minimal. Impact
of adding undefined classtypes is large: rules will fail to load
completely. This also leads to multiple lines of log output per rule,
which in a large ruleset can lead to excessive output.

This patch changes the classtype keyword behavior. Instead of erroring
and invalidating a rule, we will merely warn.

The undefined classtype is then defined with a default priority,
so other rules using the classtype will not also warn. This way
there will be just a single warning per missing classtype.
6 years ago
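The classtype commits above (warn once per missing classtype, define it with a default priority, keep working when classification.config is missing, bound the size of rule input) describe a small piece of lookup logic. The following is an added example and not Suricata's implementation: it parses constructed `config classification: <name>,<description>,<priority>` lines, resolves the classtypes a constructed set of rules references, and on an unknown name warns once and adds it with a default priority so later rules find it silently. `DEFAULT_PRIORITY` (3) and the table size are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CLASSTYPES   64
#define DEFAULT_PRIORITY 3     /* assumed default for auto-defined classtypes */

struct classtype {
    char name[64];
    int priority;
    int defined_in_config;     /* 0 if auto-added for an undefined classtype */
};

struct classtype_table {
    struct classtype entries[MAX_CLASSTYPES];
    size_t count;
    size_t warnings;           /* one per unique undefined classtype */
};

static struct classtype *ct_find(struct classtype_table *t, const char *name)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->entries[i].name, name) == 0)
            return &t->entries[i];
    return NULL;
}

static struct classtype *ct_add(struct classtype_table *t, const char *name,
                                int prio, int from_config)
{
    if (t->count >= MAX_CLASSTYPES)
        return NULL;
    struct classtype *c = &t->entries[t->count++];
    snprintf(c->name, sizeof(c->name), "%s", name);
    c->priority = prio;
    c->defined_in_config = from_config;
    return c;
}

/* Parse one classification.config line of the form
 *   config classification: <name>,<description>,<priority>
 * Returns 1 if a classtype was added, 0 for comments, blanks or bad lines. */
int ct_parse_line(struct classtype_table *t, const char *line)
{
    const char *prefix = "config classification:";
    if (strncmp(line, prefix, strlen(prefix)) != 0)
        return 0;
    const char *p = line + strlen(prefix);
    while (*p == ' ' || *p == '\t')
        p++;
    const char *c1 = strchr(p, ',');
    if (c1 == NULL)
        return 0;
    const char *c2 = strrchr(c1 + 1, ',');
    if (c2 == NULL)
        return 0;
    char name[64];
    size_t nlen = (size_t)(c1 - p);
    if (nlen == 0 || nlen >= sizeof(name))   /* bound the size of config/rule input */
        return 0;
    memcpy(name, p, nlen);
    name[nlen] = '\0';
    int prio = atoi(c2 + 1);
    if (prio <= 0)
        return 0;
    return ct_add(t, name, prio, 1) != NULL ? 1 : 0;
}

/* Resolve the classtype a rule references and return its id (table index),
 * or -1 if the table is full. Unknown names are warned about once, then
 * defined with DEFAULT_PRIORITY so that later rules find them silently. */
int ct_resolve(struct classtype_table *t, const char *name, int *priority_out)
{
    struct classtype *c = ct_find(t, name);
    if (c == NULL) {
        fprintf(stderr, "warning: unknown classtype '%s', defining it with priority %d\n",
                name, DEFAULT_PRIORITY);
        t->warnings++;
        c = ct_add(t, name, DEFAULT_PRIORITY, 0);
        if (c == NULL)
            return -1;
    }
    if (priority_out != NULL)
        *priority_out = c->priority;
    return (int)(c - t->entries);
}

/* Constructed input: a short classification.config and five rule
 * classtypes, two of which are undefined (one of them referenced twice). */
size_t demo_warning_count(void)
{
    static const char *config_lines[] = {
        "# comment line, ignored",
        "config classification: trojan-activity,A Network Trojan was detected,1",
        "config classification: policy-violation,Potential Corporate Privacy Violation,1",
    };
    static const char *rule_classtypes[] = {
        "trojan-activity", "custom-thing", "policy-violation", "custom-thing", "other-thing",
    };
    struct classtype_table t = { 0 };
    for (size_t i = 0; i < sizeof(config_lines) / sizeof(config_lines[0]); i++)
        ct_parse_line(&t, config_lines[i]);
    for (size_t i = 0; i < sizeof(rule_classtypes) / sizeof(rule_classtypes[0]); i++)
        ct_resolve(&t, rule_classtypes[i], NULL);
    return t.warnings;   /* 2: custom-thing and other-thing, each warned once */
}
```

If classification.config is absent, the table simply starts empty and every classtype a ruleset uses is auto-defined with the default priority, which matches the behaviour the commits describe: rules keep loading, and each missing name costs exactly one warning line rather than one failed rule.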
Victor Julien 323a747f39 classtype: increase id size
Switch from u8 to u16 to allow for more classtypes.

Rename Signature::class to Signature::class_id to make it clear
it is an id.
6 years ago
Victor Julien ccf6c5a6ef classtype: small memory reduction
Reduce memory use by making sure SCClassConfClasstype
has a more optimal memory layout.
6 years ago
Victor Julien 26e2370f99 classtype: put UNITTESTS guards where appropriate 6 years ago