Commit Graph

8999 Commits (07df1ce6afffb35c0acd25b3b787ce04643306b1)

Author SHA1 Message Date
Victor Julien e104c3d913 classtype: reduce scope of functions 6 years ago
Victor Julien a37e09cbe0 detect/classtype: change duplicate classtype behavior
Detect duplicate instances and use the one with the highest
priority.

Use new priority flag to make the logic around explicit priority
sets easier to follow.

Minor code cleanups. Also clean up unittests.
6 years ago
Victor Julien c471d81f04 detect/priority: change duplicate priority behavior
Introduce Signature init_flag to indicate priority has been set.
This will be needed in a follow-up classtype update.

Detect duplicate priority instances in a keyword, and use the
highest priority in the rule. Do issue a warning in this case.
6 years ago
Victor Julien 828d2572f8 detect: use BIT_U32 macros for INIT flags 6 years ago
Victor Julien 3fd4e7bd05 detect/priority: minor cleanups 6 years ago
Victor Julien bfee28db5e detect/classtype: clean up error handling 6 years ago
Victor Julien 5e5761a29c detect/classtype: warn on duplicate classtype
Issue warning instead of erroring and invalidating the rule.

It's not a very serious issue, so don't error out.
6 years ago
Victor Julien 282e1c2520 detect/classtype: fix parsing error checking 6 years ago
Jason Ish 2d0b3d7320 detect/test: update test for file prune changes
As the file prune is now moved to the flow worker, the file
prune is run later, meaning the first file has not yet
been pruned from the file container list.

Adjust test to look for a second file, and check the
flags on that file.

For commit addressing bug 2490.
6 years ago
Jason Ish ebcc4db84a file extraction: always prune files after detect
If a keyword like filemd5 was being used without a filestore,
or a file output enabled, it would be pruned before detection
had a chance to match.

Consolidate file pruning to the end of the flow worker so files
are available for detection even when a file output is not
enabled.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2490
6 years ago
Victor Julien c7e4433fe9 afl/decode: fix stats related memleak reports 6 years ago
Shivani Bhardwaj 8940a9d326 afp: nicer error message in case of fanout failure
Use clearer message in case fanout is not supported or cluster_id is
already in use.

Closes redmine ticket #1940.
6 years ago
Shivani Bhardwaj ac55b21184 suricata: Check if default log dir is writable
At startup, if the default log dir provided either by command line
options or suricata.yaml is not writable, the error comes quite late.
This patch makes suricata exit if there is such an error right at the
beginning.

Closes redmine ticket #2386.
6 years ago
Victor Julien 6dca50a322 runmode: consider test mode a user mode 6 years ago
Victor Julien 914c5b7975 datasets: fix error handling 6 years ago
Victor Julien 1021465f23 datasets: improve and doc return codes 6 years ago
Jason Ish a2fcc304e7 dataset: fix return value check on isnotset
The dataset api returns -1 for not found.
6 years ago
Victor Julien c6cda99bcd thash: fix prealloc config setting 6 years ago
Victor Julien e264a0cee8 datasets: fix hash table config
Example:

datasets:
  ua-seen:
    type: string
    state: ua-seen.lst
    hash:
      hash-size: 100000
      prealloc: 1000
      memcap: 256mb
6 years ago
Victor Julien 9b64b6794b datasets: change config to map
Example:

datasets:
  ua-seen:
    type: string
    state: ua-seen.lst
  dns-sha256-seen:
    type: sha256
    state: dns-sha256-seen.lst
6 years ago
Jason Ish 342fa8ee26 magic/test: remove NULL as format string
Remove passing NULL as a format string parameter
in test. Convert to FAIL_IF_NULL.
6 years ago
Jason Ish 0b02539ea9 drop.log: log deprecation warning if used 6 years ago
Jason Ish bfacedfad1 unified2: log deprecation warning when used 6 years ago
Jason Ish 57b4259640 filestore(v1): deprecation log warning when enabled
Notify the user with a warning log that this feature is
deprecated and will be remove in v6 of Suricata.
6 years ago
Jeff Lucovsky 04ee27bcd2 log/anomaly: Remove event_no from alert 6 years ago
Victor Julien 9340769ad2 enip: fix compile warnings in gcc-8
In file included from suricata-common.h:471,
                 from app-layer-enip-common.c:27:
app-layer-enip-common.c: In function ‘DecodeCIPRequestPathPDU’:
util-debug.h:222:31: warning: ‘req_path_class8’ may be used uninitialized in this function [-Wmaybe-uninitialized]
             int _sc_log_ret = snprintf(_sc_log_msg, SC_LOG_MAX_LOG_MSG_LEN, __VA_ARGS__);   \
                               ^~~~~~~~
app-layer-enip-common.c:589:13: note: ‘req_path_class8’ was declared here
     uint8_t req_path_class8;
             ^~~~~~~~~~~~~~~
app-layer-enip-common.c:607:9: warning: ‘segment’ may be used uninitialized in this function [-Wmaybe-uninitialized]
         switch (segment)
         ^~~~~~
app-layer-enip-common.c: In function ‘DecodeCIPResponsePDU’:
app-layer-enip-common.c:773:13: warning: ‘service’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     service &= 0x7f; //strip off top bit to get service code.  Responses have first bit as 1
             ^~
app-layer-enip-common.c: In function ‘DecodeCIPRequestPDU’:
app-layer-enip-common.c:503:25: warning: ‘path_size’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     offset += path_size * sizeof(uint16_t); //move offset past pathsize
               ~~~~~~~~~~^~~~~~~~~~~~~~~~~~
app-layer-enip-common.c:506:5: warning: ‘service’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     switch (service)
     ^~~~~~

Bug #3139.
6 years ago
Victor Julien c769909dad eve/stats: update warning for new default behavior 6 years ago
Victor Julien 76e1836aed counters: improve handling missing global config
Improve warnings when eve.stats can't work because of the global config
missing or disabled.

Issue warning if global config is missing but stats are still enabled due
to the legacy stats.log.

Issue clearer warning when stats are disabled and unix socket dump-counters
command is issued.

Warnings include links to docs.

Bug #2465.
6 years ago
Victor Julien 2d381f93f3 stats: add global way to check if API is enabled 6 years ago
Victor Julien 5bfedf78fc posix: replace bzero with memset
bzero(3): The bzero() function is deprecated (marked as LEGACY in
POSIX.1-2001); use memset(3) in new programs.  POSIX.1-2008 removes
the specification of bzero().

Use memset instead.
6 years ago
Victor Julien 2da90a1cd8 posix: remove deprecated index/rindex calls
Replace index by strchr and rindex by strrchr.

index(3) states "POSIX.1-2008 removes the specifications of index() and
rindex(), recommending strchr(3) and strrchr(3) instead."

Add index/rindex to banned function check so they don't get reintroduced.

Bug #1443.
6 years ago
Victor Julien b82a0e2cad detect/port: more cleanups
Remove unused funcs. Minor style updates.
6 years ago
Victor Julien 8b0b301a15 detect/port: remove function only used in tests 6 years ago
Victor Julien ada0708e51 detect/port: unittest cleanups 6 years ago
Victor Julien 7864e8e7cc der/asn1: reduce max depth limit to 32
OpenSSL uses 30, so this seems a reasonable limit.

Set a smaller limit than before to reduce the resources spent on
specially crafted input designed to be maximally expensive.
6 years ago
Victor Julien 335ad2d8cc der/asn1: don't pass on more data than is specified
Set and Sequence parsers would pass on max available data instead
of the size of their object.

Malformed data could trigger massive recursion this way, leading
to spending much more resources than necessary.

Found using AFL.

Bug #3185.
6 years ago
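The two der/asn1 commits above (7864e8e7cc and 335ad2d8cc) describe a parser hardening pattern that is easy to get wrong: a constructed element must hand its child parser only its own declared content, and nesting must stop at a fixed depth. The following Python walker is an added example written for this page, not Suricata's DER code; MAX_DEPTH, parse() and the bound_children switch are names chosen here. The bound_children=False path reproduces the pre-fix behaviour of passing all remaining data to the child parser, so the cost of a crafted input can be compared directly with the fixed path.

```python
"""Minimal DER TLV walker with a recursion depth limit.

Added illustration, not Suricata's DER code. It shows the two points from
the commits above: a constructed element (SET/SEQUENCE) must hand its child
parser exactly its own declared length, and nesting stops at a fixed depth.
MAX_DEPTH, parse() and the bound_children switch are names chosen here.
"""

MAX_DEPTH = 32  # limit from the commit message (OpenSSL uses 30)


class DerError(ValueError):
    pass


def _read_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise DerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                    # short form
        return first, pos
    n = first & 0x7F                    # long form: n length bytes follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise DerError("unsupported or truncated long-form length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _walk(buf, depth, bound_children, stats):
    if depth > MAX_DEPTH:
        raise DerError("nesting deeper than %d" % MAX_DEPTH)
    stats["max_depth"] = max(stats["max_depth"], depth)
    nodes = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        length, pos = _read_length(buf, pos)
        if pos + length > len(buf):
            raise DerError("element runs past end of buffer")
        stats["nodes"] += 1
        children = []
        if tag & 0x20:                  # constructed: SET, SEQUENCE, ...
            # Fixed behaviour: the child sees only this element's content.
            # Pre-fix behaviour: the child sees everything that is left, so
            # the following siblings are parsed again at every level.
            child = buf[pos:pos + length] if bound_children else buf[pos:]
            children = _walk(child, depth + 1, bound_children, stats)
        nodes.append((tag, length, children))
        pos += length
    return nodes


def parse(buf, bound_children=True):
    """Return (tree, stats); stats counts elements visited and deepest level."""
    stats = {"nodes": 0, "max_depth": 0}
    return _walk(bytes(buf), 0, bound_children, stats), stats


def rejects(buf, bound_children=True):
    """True when parse() refuses the input."""
    try:
        parse(buf, bound_children)
    except DerError:
        return True
    return False


def cost_of(n, bound_children):
    """Elements visited for n adjacent empty SEQUENCEs (b"\\x30\\x00" * n),
    or None when the depth limit stops the parse."""
    try:
        return parse(b"\x30\x00" * n, bound_children)[1]["nodes"]
    except DerError:
        return None


def nested_sequences(n):
    """n SEQUENCEs nested inside each other, innermost empty (constructed)."""
    data = b""
    for _ in range(n):
        data = bytes([0x30, len(data)]) + data
    return data


if __name__ == "__main__":
    # 12 flat empty SEQUENCEs: 12 elements if bounded, 2**12 - 1 if not.
    print(cost_of(12, True), cost_of(12, False))
    print(cost_of(40, False))           # None: depth limit cuts it off
```

With unbounded children, twelve adjacent empty SEQUENCEs cost 4095 element visits instead of 12, and the work doubles with every extra element; the depth limit is what stops the forty-element version before it gets expensive.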
Victor Julien 4ca83ca489 decode/ipv4: fix ts opt flags decoding
Field is at data+1 offset, not +3. Also makes sure we always stay
within checked data bounds.

Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3176.
6 years ago
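The decode/ipv4 fix above (4ca83ca489) is about one byte offset inside the Timestamp option and about staying inside checked bounds. The following Python options walker is an added example written for this page, not Suricata's decoder; the names and the sample header are constructed. It validates the IHL before touching the options area, bounds every option by its own length byte, and reads the overflow/flags byte at offset 1 of the option data, where RFC 791 places it.

```python
"""Bounds-checked IPv4 options walker with a Timestamp (type 68) decoder.

Added illustration, not Suricata's decoder. It shows the layout point from
the commit above: within the Timestamp option the byte carrying the
overflow count and flags immediately follows the pointer byte, so it sits at
offset 1 of the option data (the bytes after type and length), not at
offset 3. Every read is bounded by the IHL-derived options area and by the
option's own length byte. Names and the sample header are constructed.
"""

IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_TS = 68        # RFC 791 Internet Timestamp


class OptionError(ValueError):
    pass


def ipv4_options_area(pkt):
    """Return the options bytes of an IPv4 header, validating IHL first."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise OptionError("not a complete IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise OptionError("IHL %d out of bounds" % ihl)
    return bytes(pkt[20:ihl])


def parse_timestamp(data):
    """Decode Timestamp option data: pointer(1) | overflow:4 flags:4 | slots."""
    if len(data) < 2:                       # option length must be >= 4
        raise OptionError("timestamp option too short")
    pointer = data[0]
    overflow = data[1] >> 4                 # at data+1, not data+3: +3 would
    flags = data[1] & 0x0F                  # land inside the first slot
    if flags not in (0, 1, 3):              # 0 ts only, 1 addr+ts, 3 prespecified
        raise OptionError("invalid timestamp flag %d" % flags)
    if pointer < 5:                         # first slot starts at byte 5
        raise OptionError("timestamp pointer %d too small" % pointer)
    return {"pointer": pointer, "overflow": overflow, "flags": flags}


def parse_ipv4_options(opts):
    """Walk the options area; return one dict per option."""
    out = []
    pos = 0
    while pos < len(opts):
        kind = opts[pos]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            out.append({"type": kind, "len": 1})
            pos += 1
            continue
        if pos + 2 > len(opts):
            raise OptionError("option header truncated")
        olen = opts[pos + 1]
        if olen < 2 or pos + olen > len(opts):
            raise OptionError("option length %d out of bounds" % olen)
        entry = {"type": kind, "len": olen}
        if kind == IPOPT_TS:
            entry.update(parse_timestamp(opts[pos + 2:pos + olen]))
        out.append(entry)
        pos += olen
    return out


def rejects(pkt_or_opts, whole_header=False):
    """True when the input is refused."""
    try:
        if whole_header:
            parse_ipv4_options(ipv4_options_area(pkt_or_opts))
        else:
            parse_ipv4_options(pkt_or_opts)
    except OptionError:
        return True
    return False


# Constructed 36-byte header (IHL 9): NOP, a 12-byte Timestamp option with
# pointer 5, overflow 0, flags 1 (address + timestamp) and one filled slot,
# then three EOL bytes of padding. Addresses and checksum are arbitrary.
SAMPLE_HEADER = (
    b"\x49\x00\x00\x24"                     # ver 4, IHL 9; TOS; total length 36
    + b"\x00\x00\x40\x00\x40\x01\x00\x00"   # id, DF, TTL, proto ICMP, checksum
    + b"\x0a\x00\x00\x01\x0a\x00\x00\x02"   # 10.0.0.1 -> 10.0.0.2
    + b"\x01"                               # NOP
    + b"\x44\x0c\x05\x01"                   # TS, len 12, pointer 5, oflw 0 / flags 1
    + b"\x0a\x00\x00\x01\x00\x00\x00\x2a"   # slot: address 10.0.0.1, timestamp 42
    + b"\x00\x00\x00"                       # EOL padding
)

if __name__ == "__main__":
    print(parse_ipv4_options(ipv4_options_area(SAMPLE_HEADER)))
```

Reading the flags at data+3 on this sample would silently return the second byte of the address slot; the point of bounding each read by the option length is that a short option raises instead of reading into whatever follows the header.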
Victor Julien 7bb3dfcfc8 decode/ipv4: unittest to show parsing issue 6 years ago
Victor Julien 922f4f7d78 ssl: fix bounds checking in version decoding
Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3169.
6 years ago
Jason Ish c8b49aee56 defrag: check minimum size of reassembled packet
Before re-assembling, check that the first fragment is large
enough to contain the IPv4 or IPv6 header to prevent
an out of bounds read (IPv4) or write (IPv6).

Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3171.
6 years ago
Victor Julien 229eccdd04 ssl: minor cleanups 6 years ago
Mats Klepsland 05f6f5481a tls-log: restructure code for writing to buffer
Restructure code to make it clearer that either 'basic', 'extended'
or 'custom' is being printed, by creating one function for each of
the possibilities.
6 years ago
Mats Klepsland 03c8b82bfe tls-log: quick code cleanup 6 years ago
Mats Klepsland a151fe2225 tls-log: remove a wrongful comment
The app-layer parser for TLS has been TX aware for quite some time.
Remove a comment that is stating that it is not.
6 years ago
Mats Klepsland 85536e8918 tls-log: fix so buffer is reset on custom logging
Move MemBufferReset() so it also works when using custom tls
logging. This avoids duplicate tls log entries.

Bug #3177
6 years ago
Philippe Antoine af4f816204 http: sets compression bomb limit 6 years ago
Philippe Antoine c09ad01836 http: disable lzma decompression from configuration 6 years ago
Philippe Antoine 94aa36df1b lzma: replaces liblzma with own sdk for swf decompression
so as to avoid memory exhaustion
6 years ago
Yujie Zhao a121c7b460 Avoid shutting down NSS if it is not initialized 6 years ago
Jason Ish 178d420f36 main: enable coredumps after privileges are dropped
On Linux, by default, coredumps are disabled after
privileges are dropped. This re-enables coredumps
after privileges are dropped.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/1271

Credit to Elazar Broad for the pull request:
https://github.com/OISF/suricata/pull/3362
6 years ago
Jeff Lucovsky b4070b6dcd ftp: Use rust parsers to parse dynamic ports 6 years ago
Philippe Antoine 9cbf9ef7a4 HTTP new parser warning for Ambiguous C-L 6 years ago
Shivani Bhardwaj d801c3e588 detect: Make keyword description consistent
Closes redmine ticket #3137.
6 years ago
Victor Julien d4bc460381 smtp: fix file_data inspection
Continue tracking data if API is used with detect. Detection engine
then manages the tracking.

Bug #2395.
6 years ago
Jason Ish afe065c7ac sip fixup: _Bool -> bool 6 years ago
Giuseppe Longo e06291922f detect/sip.response_line: add sticky buffer
Matches on response line field in SIP.
6 years ago
Giuseppe Longo 17de4a8023 detect/sip.request_line: add sticky buffer
Matches on request line field in SIP.
6 years ago
Giuseppe Longo 8939ece538 detect/sip.stat_msg: add sticky buffer
Matches on status msg field in SIP.
6 years ago
Giuseppe Longo bd2219cac6 detect/sip.stat_code: add sticky buffer
Matches on status code field in SIP.
6 years ago
Giuseppe Longo 8454122eb2 detect/sip.protocol: add sticky buffer
Matches on protocol field in SIP.
6 years ago
Giuseppe Longo 2661c5b298 detect/sip.uri: add sticky buffer
Matches on uri field in SIP.
6 years ago
Giuseppe Longo 424eead8c0 detect/sip.method: add sticky buffer
Matches on uri field in SIP.
6 years ago
Giuseppe Longo c88559dc72 output/json-alert: add sip metadata
Put SIP information into the alert event.
6 years ago
Giuseppe Longo edc2a583a9 rust/sip: add SIP logger 6 years ago
Giuseppe Longo 2e975a0481 rust/sip: add parser for SIP protocol 6 years ago
Victor Julien a2356a89f7 detect/dns.opcode: improve error reporting 6 years ago
Jason Ish d79c23baa3 dns/detect: dns.opcode keyword
Add a rule keyword, dns.opcode to match on the opcode flag
found in the DNS request and response headers.

Only exact matches are allowed with negation.

Examples:
  - dns.opcode:4;
  - dns.opcode:!1;
6 years ago
Victor Julien c68fbfcfe6 htp: simplify depth check 6 years ago
Giuseppe Longo de904db830 app-layer-htp: use stream depth with filestore
This permits using the stream-depth value set for file-store.

Currently, if a file is being stored and hits a limit,
such as the request or response body limit, it is truncated
even though file-store.stream-depth is enabled, whereas the file should be
closed and not truncated.

Two unit tests have been added to verify that:
- a file is stored correctly
- chunk's length computation doesn’t cause an underflow
6 years ago
Giuseppe Longo ed5a439b8e app-layer-parser: flag a tx to use stream depth
This adds a new API that permits setting the stream-depth
file for file-storing when a rule with the filestore keyword is matched.
6 years ago
Shivani Bhardwaj b5b429c288 detect: Add missing keyword URLs and description
Add missing keyword URLs and their description. Fix the ones that
were incorrect.

Partially closes redmine ticket #2974.
6 years ago
Travis Green 08423282aa doc: add to sigmatch_table 6 years ago
Travis Green 4612d4b50a detect: syntax regex logic update
Updated regex logic to include more spaces. Fixed spelling.
6 years ago
Mats Klepsland e976d8cf74 output-lua: register app-layer parser logger for SSH
Bug #3162
6 years ago
Mats Klepsland 1e9f767deb output-lua: register app-layer parser logger for TLS
Bug #3162
6 years ago
Jason Ish 61a6eaf330 htp/lzma: set limit from configuration
Also use a default defined in Suricata, not libhtp.
6 years ago
Victor Julien c9c23d5cda htp: set lzma memlimit from config 6 years ago
Jeff Lucovsky 7808b946e3 detect/transform: add dotprefix keyword 6 years ago
Jeff Lucovsky 9df44afa30 logging/anomaly: Add warning code for anomaly log 6 years ago
Jeff Lucovsky aaacbf28c2 logging/anomaly: Support configuration filter types 6 years ago
Jason Ish 664605b5f1 rdp: disable rdp by default for 5.0 6 years ago
Jason Ish 0f10298990 rdp: address comments in pull request
Pull request:
https://github.com/OISF/suricata/pull/4174

- fix commit: range -> set
- OUTPUT_BUFFER_SIZE -> JSON_OUTPUT_BUFFER_SIZE
- output: check for initdata first
6 years ago
Zach Kelly caef8b5b38 protocol parser: rdp
Initial implementation of feature 2314:
1. Add protocol parser for RDP
2. Add transactions for RDP negotiation
3. Add eve logging of transactions
6 years ago
Shivani Bhardwaj 59da7ae302 counters: Add new default for decoder events
Set the new default for decoder events to `decoder.event` instead of the
previously used `decoder`. Remove the corresponding warning for 5.0.
6 years ago
Victor Julien 7cabb025ea ips: fix wrong thread for bridge ips modes 6 years ago
Phil Young 8aeff8f973 stream: fix bypass callback for stream.depth
Fix bug with bypass callback when called with stream depth threshold.
bug report: https://redmine.openinfosecfoundation.org/issues/2986
6 years ago
Jason Ish 52187d8548 ftp: removing uninitialized variable warning
output-json-ftp.c: In function ‘JsonFTPLogger’:
output-json-ftp.c:129:9: warning: ‘js_respcode_list’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  129 |         json_object_set_new(cjs, "completion_code", js_respcode_list);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
output-json-ftp.c:74:13: note: ‘js_respcode_list’ was declared here
   74 |     json_t *js_respcode_list;
      |             ^~~~~~~~~~~~~~~~
output-json-ftp.c:128:9: warning: ‘js_resplist’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  128 |         json_object_set_new(cjs, "reply", js_resplist);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
output-json-ftp.c:73:13: note: ‘js_resplist’ was declared here
   73 |     json_t *js_resplist;
      |             ^~~~~~~~~~~
6 years ago
Victor Julien a272e433a8 pd: don't reverse flow if TCP session not midstream 6 years ago
Jason Ish 5f1d21f247 dns: handle mid stream pickup on response packet
Related Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2146
6 years ago
Travis Green 9f8dcad287 doc: update of ssh-keywords documentation
Modifies ssh-keywords.rst to fix syntax error in example rule as well as
update descriptions to indicate older keywords have been deprecated.
6 years ago
Jeff Lucovsky 79d308db73 detect/analyzer: Add missing http_accept_enc handling 6 years ago
Victor Julien a3e5b91668 detect/dataset: fix 'state' path handling 6 years ago
Victor Julien 7ae86a0ae9 datarep: remove notice messages 6 years ago
Victor Julien 8045746bd1 datasets: remove notice messages and improve errors 6 years ago
Victor Julien 1d6a358d8a datasets: unix socket dataset-add command 6 years ago
Victor Julien 317376f59d datasets: match on lists of data
Datasets are sets/lists of data that can be accessed or added from
the rule language.

This patch implements 3 data types:

1. string (or buffer)
2. md5
3. sha256

The patch also implements 2 new rule keywords:

1. dataset
2. datarep

The dataset keyword allows matching against a list of values to see if
it exists or not. It can also add the value to the set. The set can
optionally be stored to disk on exit.

The datarep support matching/lookups only. With each item in the set a
reputation value is stored and this value can be matched against. The
reputation value is unsigned 16 bit, so values can be between 0 and 65535.

Datasets can be registered in 2 ways:

1. through the yaml
2. through the rules

The goal of this rules based approach is that rule writers can start using
this without the need for config changes.

A dataset is implemented using a thash hash table. Each dataset is its own
separate thash.
6 years ago
Victor Julien b286c14324 thash: generalize hash table as used in flow
Thread safe hash table implementation based on the Flow hash, IP Pair
hash and others.

Hash is array of buckets with per bucket locking. Each bucket has a
list of elements which also individually use locking.
6 years ago
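The datasets commit (317376f59d) and the thash commit (b286c14324) above describe the feature from both ends: a typed set (string, md5, sha256) that rules can look up and add to, optionally carrying a 16-bit reputation, stored per dataset in a hash table with per-bucket locking. The following Python model is an added example written for this page, not Suricata's dataset or thash code; the on-disk line format it uses (base64 for strings, hex for hashes, a ",<rep>" suffix for reputation) and all names are assumptions made for the example.

```python
"""Typed datasets with optional reputation on a bucket-locked hash table.

Added illustration, not Suricata's dataset or thash code. It follows the
design in the two commits above: each dataset is its own hash table whose
buckets carry individual locks, values are string, md5 or sha256, and a
datarep entry stores an unsigned 16-bit reputation. The on-disk line format
used here (base64 for strings, hex for hashes, a ",<rep>" suffix for
reputation) and every name are assumptions made for this example.
"""
import base64
import hashlib
import threading

HASH_LEN = {"md5": 16, "sha256": 32}   # raw digest sizes; "string" is free-form
REP_MAX = 0xFFFF                        # reputation is unsigned 16 bit


class BucketLockedTable:
    """Array of buckets, each guarded by its own lock (the thash layout)."""

    def __init__(self, nbuckets):
        self._buckets = [dict() for _ in range(nbuckets)]
        self._locks = [threading.Lock() for _ in range(nbuckets)]

    def _slot(self, key):
        # Keyed hash so bucket choice is stable across processes.
        digest = hashlib.blake2b(key, digest_size=4).digest()
        return int.from_bytes(digest, "big") % len(self._buckets)

    def lookup(self, key):
        i = self._slot(key)
        with self._locks[i]:
            return self._buckets[i].get(key)

    def insert(self, key, value):
        """Insert if absent; True when a new entry was created."""
        i = self._slot(key)
        with self._locks[i]:
            if key in self._buckets[i]:
                return False
            self._buckets[i][key] = value
            return True

    def items(self):
        for i, bucket in enumerate(self._buckets):
            with self._locks[i]:
                snapshot = list(bucket.items())
            yield from snapshot


class Dataset:
    def __init__(self, name, dtype, datarep=False, nbuckets=1024):
        if dtype not in ("string", "md5", "sha256"):
            raise ValueError("unknown dataset type %r" % dtype)
        self.name, self.dtype, self.datarep = name, dtype, datarep
        self._table = BucketLockedTable(nbuckets)

    def _key(self, value):
        want = HASH_LEN.get(self.dtype)
        if want is not None and len(value) != want:
            raise ValueError("%s value must be %d raw bytes" % (self.dtype, want))
        return bytes(value)

    def isset(self, value):
        return self._table.lookup(self._key(value)) is not None

    def isnotset(self, value):
        return not self.isset(value)

    def add(self, value, rep=0):
        """Add value (with reputation for datarep); True if it was new."""
        if not 0 <= rep <= REP_MAX:
            raise ValueError("reputation %d does not fit in 16 bits" % rep)
        return self._table.insert(self._key(value), rep)

    def rep(self, value):
        """Reputation of value, or None when it is not in the set."""
        return self._table.lookup(self._key(value))

    def save_lines(self):
        """Serialise the set, e.g. to write the 'state' file on exit."""
        lines = []
        for key, rep in sorted(self._table.items()):
            body = base64.b64encode(key).decode() if self.dtype == "string" else key.hex()
            lines.append("%s,%d" % (body, rep) if self.datarep else body)
        return lines

    def load_lines(self, lines):
        for line in lines:
            body, _, rep = line.strip().partition(",")
            if not body:
                continue
            raw = base64.b64decode(body) if self.dtype == "string" else bytes.fromhex(body)
            self.add(raw, int(rep) if rep else 0)


def digest(dtype, data):
    """Raw md5/sha256 digest of data, the form hash-typed datasets store."""
    return hashlib.new(dtype, data).digest()


def rejects(fn, *args):
    """True when fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The per-bucket lock means two threads adding different values rarely contend, while `insert` stays atomic for a single value; type checking at `_key` is what keeps a 16-byte md5 from ending up in a sha256 set.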
Victor Julien 0b120bbe34 suricata: expose system as global 6 years ago
Victor Julien 5d5612f98e suricata: --data-dir option 6 years ago
Victor Julien dbbdfedb98 lzma: make mandatory
Libhtp is starting to use it as well, so it's safe to make it mandatory
here.

Remove guards for flash file decompression code.
6 years ago
Philippe Antoine 8d4cbb3f7b http: fixes stream flags for http tests 6 years ago
Philippe Antoine 9665ab0409 http: wait for response line for filename
See http evader case 481
6 years ago
Victor Julien 579cc9f02b const: constify decoder, app-layer, detect funcs 6 years ago
Victor Julien 399ab35aa1 afl: fix compile warnings for decoder fuzz funcs 6 years ago
Philippe Antoine aa73d834b5 boyermoore: avoid one tolower call
Fixes #1218
6 years ago
Jeff Lucovsky 86deaefe66 ftp: Ensure non-zero command length with MPM init 6 years ago
Shivani Bhardwaj 85b56b633e detect: Improve rule keyword alproto registration
1. Set WARN_UNUSED macro on DetectSignatureSetAppProto.
2. Replace all direct 'sets' of Signature::alproto from keyword registration.

Closes redmine ticket #3006.
6 years ago
Nick Price d0a85b7550 ja3: Mention LibNSS dependency for JA3 6 years ago
Fabrice Fontaine 9b05db7db0 fix build on m68k with uclibc
uclibc on m68k defines _POSIX_SPIN_LOCKS but does not define
pthread_spin_unlock so check for this function before using
pthread_spin_xxx functions

Fixes:
 - http://autobuild.buildroot.org/results/ed923bcc1454ce90444b8dac7c064b5f4ea4a0a5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
6 years ago
Jeff Lucovsky 86fabef093 ftp: address review comments 6 years ago
Jeff Lucovsky f79316d71a ftp: remove RUST guards 6 years ago
Jeff Lucovsky cc5e9ca179 eve/ftp: Modifications for MPM-enabled command descriptor table 6 years ago
Jeff Lucovsky bc68ef4657 app-layer: Invoke FTP parser cleanup function 6 years ago
Jeff Lucovsky 09ab032a8d ftp: Use MPM for command lookup 6 years ago
Jeff Lucovsky 4f2a485c55 ftp: Remove LIBJANSSON guards 6 years ago
Jeff Lucovsky 3df2b3437c eve/ftp: Move "get next line" into app-layer-ftp.c 6 years ago
Victor Julien f43584661c stream: support debug notice message in tfo 6 years ago
Eric Leblond 5366f80941 bypass: fix build on Windows
For the sake of unittests, we need to build capture bypass so we
end up with a Windows build of flow bypass.
6 years ago
Eric Leblond 53a62953e9 bypass: introduce CAPTURE_OFFLOAD
This define is used to remove reference to capture bypass in case
no capture method implementing this is active.

This patch also introduces CAPTURE_OFFLOAD_MANAGER that is defined
if we need the flow bypass manager code.
6 years ago
Eric Leblond 094d28d40e flow-hash: generalize function
This patch generalizes the function to get a flow by its flowkey
by removing the call setting it to capture bypassed state.
6 years ago
Victor Julien 7384744c3e detect: fix FP on ICMP unreachable errors
ICMP unreachable errors are linked to the flow they send an error for.
This would lead to the detection engine calling the TX inspection
engines on them.

The stream inspect engine would default to a match for non-UDP
and non-TCP as for ICMP we're not expected to use a TX inspect engine
for stream data.

This all would lead to a false positive match.

This patch fixes this by making sure the TX engines are not called if
the packet protocol and flow protocol are not the same.

Bug #2769.
6 years ago
Jeff Lucovsky 240520a3cc main: fix typo in output 6 years ago
Jeff Lucovsky ef327ab194 stream/tcp: correct spelling typos 6 years ago
Victor Julien bc2267f131 stream/tcp: support TCP fast open 6 years ago
Victor Julien 8f8581beda decode/tcp: TCP fast open option decoding
Support both regular TFO and TFO as part of the experimental
options support.
6 years ago
Philippe Antoine c775a4af43 signature: fixes leak with duplicate signatures 6 years ago
Philippe Antoine 63deb8862f boyermoore: optimization with one alloc less
Fixes #1220
6 years ago
Philippe Antoine 5ff50773bd detectproto: adding missing probing parsers
In direction TO_CLIENT for symmetric protocols
6 years ago
Eric Leblond cf98b0223e detect-geoip: add info for list keywords 6 years ago
Shivani Bhardwaj 9d6f1d318a unix/socket: Add rev date to version info 6 years ago
Jeff Lucovsky be22b23d2e cleanup: eliminate warnings/errors with debug build on macos 6 years ago
Shivani Bhardwaj 26bc0d6e1d src/detect: check DetectBufferSetActiveList return code
Make sure to always check the return codes of DetectBufferSetActiveList.
Also, force this warning on function prototype.

Closes redmine ticket #3005.
6 years ago
Philippe Antoine 15783fb322 signature: avoids overflow from VariableNameHash 6 years ago
Jeff Lucovsky 140bfd7b0c detect/analyzer: remove HAVE_LIBJANSSON cpp guards 6 years ago
Jeff Lucovsky 87bfce025d spelling: correct spelling typo 6 years ago
Jeff Lucovsky dcf5e247ca detect/analyzer: add support for http_content_type 6 years ago
jason taylor da2c4d7382 applayer: fix typo in debug output
Signed-off-by: jason taylor <jtfas90@gmail.com>
6 years ago
Andreas Herz 6ebb1b2cc4 rule-reload: enable rule-reload for -s and -S run as well 6 years ago
Victor Julien 3a912446ad pcap: fix breakloop error handling
Ticket #3004
6 years ago
Victor Julien 06d3e1d3d8 netmap: suppress format truncation warning
CC       source-netmap.o
source-netmap.c: In function ‘NetmapOpen’:
source-netmap.c:327:56: error: ‘%s’ directive output may be truncated writing up to 15 bytes into a region of size between 10 and 57 [-Werror=format-truncation=]
         snprintf(devname, sizeof(devname), "netmap:%s%s%s",
                                                        ^~
                 ns->iface, strlen(optstr) ? "/" : "", optstr);
                                                       ~~~~~~
source-netmap.c:327:9: note: ‘snprintf’ output 8 or more bytes (assuming 70) into a destination of size 64
         snprintf(devname, sizeof(devname), "netmap:%s%s%s",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                 ns->iface, strlen(optstr) ? "/" : "", optstr);
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
source-netmap.c:330:59: error: ‘%s’ directive output may be truncated writing up to 15 bytes into a region of size between 8 and 55 [-Werror=format-truncation=]
         snprintf(devname, sizeof(devname), "netmap:%s-%d%s%s",
                                                           ^~
                 ns->iface, ring, strlen(optstr) ? "/" : "", optstr);
                                                             ~~~~~~
source-netmap.c:330:9: note: ‘snprintf’ output 10 or more bytes (assuming 72) into a destination of size 64
         snprintf(devname, sizeof(devname), "netmap:%s-%d%s%s",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                 ns->iface, ring, strlen(optstr) ? "/" : "", optstr);
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
source-netmap.c:316:54: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
         snprintf(devname, sizeof(devname), "%s}%d%s%s",
                                                      ^
source-netmap.c:316:9: note: ‘snprintf’ output 3 or more bytes (assuming 65) into a destination of size 64
         snprintf(devname, sizeof(devname), "%s}%d%s%s",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                 ns->iface, ring, strlen(optstr) ? "/" : "", optstr);
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

Gcc 8 with -Wformat-truncation=1
6 years ago
Victor Julien bdd74d413b detect/mpm: put transform into 'profile name'
So that profiling gives more info about cost of the mpm
engines when they use transforms.
6 years ago
Victor Julien 5c735f340f detect/dns: register correct profile name 6 years ago
Victor Julien 8a59ad6096 string: making shortening function global 6 years ago
Victor Julien 26c5249574 device: break string shortening out of device shortening 6 years ago
Victor Julien 7eff6ec500 device: remove duplicate length check
Shorten code handles all cases correctly.
6 years ago
Victor Julien 2a136c917f detect: move includes/declarations closer to use 6 years ago
Victor Julien bc866ff2a0 detect: fix inaccurate comments 6 years ago
Max Fillinger 4f3bb48f83 pfring: Fix kernel version in comment 6 years ago
Eric Leblond b37554e0bc af-packet: fix build on recent Linux kernels 6 years ago
Philippe Antoine 477328f79b ssl: register probing for port 443 if no config 6 years ago
Shivani Bhardwaj 8c2c78f0b6 configure: Add date with rev information
The date makes it even clearer when the last commit for the build
one is running was made. Add this info along with the rev. Change inspired by
rustc.

Before
```
$ suricata -V
This is Suricata version 5.0.0-dev (rev 2d217e666)
```

After
```
This is Suricata version 5.0.0-dev (2d217e666 2019-07-12)
```

Closes redmine ticket #3092
6 years ago
Jeff Lucovsky 3d5eccf084 output/json: Refactor output buffer size macro 6 years ago
Jeff Lucovsky 66c565e9e7 eve/json: Break multiline FTP responses into array
This changeset breaks multi-line FTP responses into separate array
entries. Multi-line responses are those with "text-1\r\ntext-2[...]".
Each of \r\n delimited text segments is reported in the `reply` array;
each text segment _may_ include a completion code; completion codes are
reported in the `completion_code` array.
6 years ago
Jeff Lucovsky 9cf4e2e432 eve/ftp: Refactor and reduce logging functions 6 years ago
Jeff Lucovsky 911d423a6b ftp: Generalize prelim positive reply
Extend special case for reply code 150 to handle all preliminary
positive reply -- reply codes with `1xy`.
6 years ago
Victor Julien 343ba45916 ftp: reply code 150 doesn't end tx 6 years ago
Victor Julien b595da6c51 ftp: fix reply without request
Permit picking up any reply w/o a request. Observed unsolicited server
messages before connection termination.

Previously the code assumed that this could only happen on connection
start when there was no previously recorded command.
6 years ago
Victor Julien dc80d520af ftp: implement progress tracking
Make sure FTP_STATE_FINISHED is returned for transactions that
are marked 'done'.

This is necessary for timely logging and inspection.
6 years ago
Victor Julien 8ae691155d ftp: be more strict with tx type 6 years ago
Jeff Lucovsky fb019213e7 eve/ftp: minor cleanups and fixes 6 years ago
Zach Kelly 1588cd8735 eve/ftp: Bug fix and banner capture
1. Correct off-by-one error in server response whitespace removal
2. Include banner response (before first command entered)
6 years ago
Jeff Lucovsky a04b1c1664 eve/ftp: Log initial responses
This changeset ensures that unknown commands are logged.
Unknown commands are either
- Banner responses when connecting to the FTP port
- Commands not included in the FtpCommands descriptor table
6 years ago
Jeff Lucovsky 2149807bd6 eve/ftp: Transaction support for unmatched requests
Modified transaction logic to create a new transaction with each
request; replies locate transactions by using the oldest "open"
(unmatched) transaction or the last transaction if none are open.
6 years ago
Jeff Lucovsky 1930b1f504 eve/ftp: Log FTP transactions
This changeset includes changes that
1. Add transaction support to the FTP parser
2. Support eve json logging of FTP transactions
6 years ago
Philippe Antoine 2d217e6661 http: fixes overflow in range parsing 6 years ago
Victor Julien 5ddfc42b87 stream: fix midstream reverse flow handling
When a TCP session is picked up from the response the flow is
reversed by the protocol detection code.

This would lead to duplicate logging of the response. The reason this
happened was that the per stream app progress tracker was not handled
correctly by the direction reversing code. While the streams were
swapped the stream engine would continue to use a now outdated pointer
to what had become the wrong direction.

This patches fixes this by making the stream a ptr to ptr that can be
updated by the protocol detection as well.

In addition, the progress tracking was cleaned up and the GAP error
handling in this case was improved as well.
6 years ago
Philippe Antoine 94a976d47e ftp: removes one use of atoi
Fixes only one small part of #3053
6 years ago
Victor Julien 66d6196e9b pcap: code reformatting and minor cleanups 6 years ago
Victor Julien 255ab1528b flow: minor formatting updates 6 years ago
Max Fillinger bcc03f172a af-packet: Always fill in vlan_id
The vlan tag will be filled in either from the extended header (for
kernel version >= 3.0) or from the packet itself.

Related to https://redmine.openinfosecfoundation.org/issues/3076
6 years ago
Max Fillinger 09c54471e5 pfring: Always fill in vlan_id
Previously, source-pfring.c would copy the vlan_id from the extended
header only if vlan.use-for-tracking was enabled. This commit removes
that check.

Related to https://redmine.openinfosecfoundation.org/issues/3076
6 years ago
Max Fillinger 44bea80d3c decode erspan: Always fill in vlan_id
Fill in the vlan_id fields unconditionally. We can now remove the check
for the vlan.use-for-tracking setting in decode.c. The debug log message
is moved to suricata.c.
6 years ago
Max Fillinger 8d3b04b0e3 decode vlan: Always fill in vlan_id
Since the vlan.use-for-tracking setting is now handled in flow-hash.c,
we can fill in the vlan_id fields unconditionally. This makes the vlanh
fields unnecessary.

Related to https://redmine.openinfosecfoundation.org/issues/3076
6 years ago
Max Fillinger cef9961f59 flow hash: Mask vlan_id if not used for tracking
If vlan.use-for-tracking is disabled, set the vlan_id fields to 0 when
hashing or comparing flows. This is done using a bitmask as suggested by
Victor Julien in IRC, in order to avoid adding more branches to this
code.

Currently, suricata does not fill in vlan_id fields if
vlan.use-for-tracking is disabled and instead leaves them at the default
0 value, so this commit makes no functional change. This change is in
preparation for future commits where the vlan_ids will be always filled
in.

Related to https://redmine.openinfosecfoundation.org/issues/3076
6 years ago
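The vlan commits above (cef9961f59 through 8d3b04b0e3) move the vlan.use-for-tracking decision out of the decoders and into the flow hash: decoders always record the VLAN ids, and the hash and compare paths apply a mask that is computed once from the config, so the hot path gains no branch. The following Python flow table is an added example written for this page, not Suricata's flow hash; the key layout, names and packets are constructed.

```python
"""Flow lookup with VLAN ids masked out when they are not used for tracking.

Added illustration, not Suricata's flow hash. As in the commits above, the
decoder side always records the VLAN ids, and whether they take part in
flow lookup is decided once through a mask applied in the hash and compare
paths, rather than a branch per packet. The key layout, names and packets
are constructed for this example.
"""
import hashlib
import struct
from dataclasses import dataclass

VLAN_ID_BITS = 0x0FFF         # 12-bit 802.1Q VLAN identifier


@dataclass(frozen=True)
class FlowKey:
    src: bytes
    dst: bytes
    sport: int
    dport: int
    proto: int
    vlan_id0: int = 0         # outer tag, 0 when untagged
    vlan_id1: int = 0         # inner tag (QinQ), 0 when absent


def vlan_mask(use_vlan_for_tracking):
    """Computed once from config; 0 turns the VLAN ids into a no-op."""
    return VLAN_ID_BITS if use_vlan_for_tracking else 0


def _endpoints(key):
    # Sort so both directions of a flow produce the same material.
    return sorted([(key.src, key.sport), (key.dst, key.dport)])


def flow_hash(key, mask, nbuckets):
    (a, ap), (b, bp) = _endpoints(key)
    material = struct.pack("!4sH4sHBHH", a, ap, b, bp, key.proto,
                           key.vlan_id0 & mask, key.vlan_id1 & mask)
    digest = hashlib.blake2b(material, digest_size=4).digest()
    return int.from_bytes(digest, "big") % nbuckets


def flow_equal(x, y, mask):
    return (x.proto == y.proto
            and (x.vlan_id0 & mask) == (y.vlan_id0 & mask)
            and (x.vlan_id1 & mask) == (y.vlan_id1 & mask)
            and _endpoints(x) == _endpoints(y))


class FlowTable:
    def __init__(self, use_vlan_for_tracking, nbuckets=1024):
        self.mask = vlan_mask(use_vlan_for_tracking)
        self.buckets = [[] for _ in range(nbuckets)]

    def get_or_create(self, key):
        bucket = self.buckets[flow_hash(key, self.mask, len(self.buckets))]
        for flow in bucket:
            if flow_equal(flow["key"], key, self.mask):
                flow["packets"] += 1
                return flow
        flow = {"key": key, "packets": 1}
        bucket.append(flow)
        return flow

    def flow_count(self):
        return sum(len(b) for b in self.buckets)


# Constructed packets: the same TCP 5-tuple seen on VLAN 10, on VLAN 20, and
# the VLAN 10 reply direction.
PKT_VLAN10 = FlowKey(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 40000, 443, 6, vlan_id0=10)
PKT_VLAN20 = FlowKey(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 40000, 443, 6, vlan_id0=20)
PKT_VLAN10_REPLY = FlowKey(b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01", 443, 40000, 6, vlan_id0=10)


def flows_seen(use_vlan_for_tracking):
    """Number of distinct flows the three packets produce under a setting."""
    table = FlowTable(use_vlan_for_tracking)
    for pkt in (PKT_VLAN10, PKT_VLAN20, PKT_VLAN10_REPLY):
        table.get_or_create(pkt)
    return table.flow_count()


if __name__ == "__main__":
    print("tracking on:", flows_seen(True), "flows; off:", flows_seen(False))
```

Because the ids are always present in the key, the mask is the only thing that changes between the two settings; the same two VLAN-10 packets land in one flow either way, and only the VLAN-20 copy of the tuple is separated when tracking is on.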
Max Fillinger 38731d30da flow hash: Make CMP_FLOW macro an inline function 6 years ago
Victor Julien 7ccf14bc60 runmodes: remove unused prototypes 6 years ago
Victor Julien c12252617c afl: fix afl-ftp causing FPE due to missing ippair 6 years ago
Victor Julien 9e70716d5a runmodes: remove no-Rust logic 6 years ago
Victor Julien 8c6251ea6c runmodes: simplify default runmode logic 6 years ago
Victor Julien 3282fb4967 runmodes: code cleanups 6 years ago
Philippe Antoine feda5e7392 leak: Fixes leak in AppLayerProtoDetectPMRegisterPattern
Fixes #3070
6 years ago
Philippe Antoine 66c500eaac leak: Fixes leak in DetectAppLayerEventPrepare 6 years ago
Philippe Antoine 684f101710 log: use SCLogError instead of fprintf 6 years ago
Philippe Antoine 19ab85f17e leak: fixes leak in DetectAddressParse2 6 years ago
Victor Julien 8b87801b80 geoip: fix unittests w/o db present 6 years ago
Victor Julien a7d65668ae mem: avoid potential shadow vars with 'len' name 6 years ago
Bill Meeks d1525c6fb8 mem: add SCStrndup() function to wrap strndup(). 6 years ago
Bill Meeks a291209e47 detect/geoip: migrate to GeoIP2 database format
Issue #2765
6 years ago
Victor Julien d6323ae33d detect/mpm: improve stats reporting 6 years ago
Victor Julien 24f0092b72 detect: add ipv6.hdr sticky buffer
Inspects IPv6 header and extension headers.
6 years ago
Victor Julien 3c9a557810 decode/ipv6: track length of ext hdrs 6 years ago
Victor Julien 9252400f68 decoder/ipv6: minor cleanups
Remove unused field and macros.

Minor code style cleanups.
6 years ago
Victor Julien 4ac327f5b5 detect/ipv4: add ipv4.hdr sticky buffer 6 years ago
Victor Julien 367e3e1895 detect/tcp/udp: minor cleanups 6 years ago
Victor Julien 4dff903b35 detect: introduce pkt mpm engines
Instead of the hardcode L4 matching in MPM that was recently introduced,
add an API similar to the AppLayer MPM and inspect engines.

Share part of the registration code with the AppLayer.

Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
Victor Julien 14896365ef detect: remove Threadvars argument from API calls
Remove it as it's (almost) never used. If it is really needed it can
be accessed through DetectEngineThreadCtx::tv as well.
6 years ago
Victor Julien c1dd4534d9 detect/bsize: support transforms in case w/o content 6 years ago
Victor Julien 82de6e0659 decoder/vxlan: improvements and cleanups
Implement port config handling. Also check both src port and dest
port for tunnels that only set the destination port to the VXLAN
port. At the point of the check we don't know the packet direction
yet.

Implement as Suricata tunnel similar to Teredo.

Cleanups.
6 years ago
Henrik Lund Kramshoej 3519b011b7 decoder/vxlan: initial implementation of decoder 6 years ago
Victor Julien 35b88991c3 mem: fix shadow declaration warning
Avoid clash by adding a leading underscore to the declaration in the
macro. These temporary vars should never clash with valid variables
from the code where they are called from.
6 years ago