aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
10,572 Commits
7 Branches
161 Tags
169 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '07df1ce6af'
${ noResults }
Commit Graph

8999 Commits (07df1ce6afffb35c0acd25b3b787ce04643306b1)

Author SHA1 Message Date
Jeff Lucovsky b4070b6dcd ftp: Use rust parsers to parse dynamic ports 6 years ago
Philippe Antoine 9cbf9ef7a4 HTTP new parser warning for Ambiguous C-L 6 years ago
Shivani Bhardwaj d801c3e588 detect: Make keyword description consistent 
Closes redmine ticket #3137.
 6 years ago
Victor Julien d4bc460381 smtp: fix file_data inspection 
Continue tracking data if API is used with detect. Detection engine
then manages the tracking.

Bug #2395.
 6 years ago
Jason Ish afe065c7ac sip fixup: _Bool -> bool 6 years ago
Giuseppe Longo e06291922f detect/sip.response_line: add sticky buffer 
Matches on response line field in SIP.
 6 years ago
Giuseppe Longo 17de4a8023 detect/sip.request_line: add sticky buffer 
Matches on request line field in SIP.
 6 years ago
Giuseppe Longo 8939ece538 detect/sip.stat_msg: add sticky buffer 
Matches on status msg field in SIP.
 6 years ago
Giuseppe Longo bd2219cac6 detect/sip.stat_code: add sticky buffer 
Matches on status code field in SIP.
 6 years ago
Giuseppe Longo 8454122eb2 detect/sip.protocol: add sticky buffer 
Matches on protocol field in SIP.
 6 years ago
Giuseppe Longo 2661c5b298 detect/sip.uri: add sticky buffer 
Matches on uri field in SIP.
 6 years ago
Giuseppe Longo 424eead8c0 detect/sip.method: add sticky buffer 
Matches on uri field in SIP.
 6 years ago
Giuseppe Longo c88559dc72 output/json-alert: add sip metadata 
Put SIP information to alert event.
 6 years ago
Giuseppe Longo edc2a583a9 rust/sip: add SIP logger 6 years ago
Giuseppe Longo 2e975a0481 rust/sip: add parser for SIP protocol 6 years ago
Victor Julien a2356a89f7 detect/dns.opcode: improve error reporting 6 years ago
Jason Ish d79c23baa3 dns/detect: dns.opcode keyword 
Add a rule keyword, dns.opcode to match on the opcode flag
found in the DNS request and response headers.

Only exact matches are allowed with negation.

Examples:
  - dns.opcode:4;
  - dns.opcode:!1;
 6 years ago
Victor Julien c68fbfcfe6 htp: simplify depth check 6 years ago
Giuseppe Longo de904db830 app-layer-htp: use stream depth with filestore 
This permits to use stream-depth value set for file-store.

Currently if a file is being stored and hits a limit,
such as request or response body, it will be truncated
although file-store.stream-depth is enabled but the file should be
closed and not truncated.

Two unit tests have been added to verify that:
- a file is stored correctly
- chunk's length computation doesn’t cause an underflow
 6 years ago
Giuseppe Longo ed5a439b8e app-layer-parser: flag a tx to use stream depth 
This adds a new API that permit to set the stream-depth
file for file-storing when a rule with filestore keyword is matched.
 6 years ago
Shivani Bhardwaj b5b429c288 detect: Add missing keyword URLs and description 
Add missing keyword URLs and their description. Fix the ones that
were incorrect.

Partially closes redmine ticket #2974.
 6 years ago
Travis Green 08423282aa doc: add to sigmatch_table 6 years ago
Travis Green 4612d4b50a detect: syntax regex logic update 
Updated regex logic to include more spaces. Fixed spelling.
 6 years ago
Mats Klepsland e976d8cf74 output-lua: register app-layer parser logger for SSH 
Bug #3162
 6 years ago
Mats Klepsland 1e9f767deb output-lua: register app-layer parser logger for TLS 
Bug #3162
 6 years ago
Jason Ish 61a6eaf330 htp/lzma: set limit from configuration 
Also use a default defined in Suricata, not libhtp.
 6 years ago
Victor Julien c9c23d5cda htp: set lzma memlimit from config 6 years ago
Jeff Lucovsky 7808b946e3 detect/transform: add dotprefix keyword 6 years ago
Jeff Lucovsky 9df44afa30 logging/anomaly: Add warning code for anomaly log 6 years ago
Jeff Lucovsky aaacbf28c2 logging/anomaly: Support configuration filter types 6 years ago
Jason Ish 664605b5f1 rdp: disable rdp by default for 5.0 6 years ago
Jason Ish 0f10298990 rdp: address comments in pull request 
Pull request:
https://github.com/OISF/suricata/pull/4174

- fix commit: range -> set
- OUTPUT_BUFFER_SIZE -> JSON_OUTPUT_BUFFER_SIZE
- output: check for initdata first
 6 years ago
Zach Kelly caef8b5b38 protocol parser: rdp 
Initial implementation of feature 2314:
1. Add protocol parser for RDP
2. Add transactions for RDP negotiation
3. Add eve logging of transactions
 6 years ago
Shivani Bhardwaj 59da7ae302 counters: Add new default for decoder events 
Set the new default for decoder events to `decoder.event` instead of the
previously used `decoder`. Remove the corresponding warning for 5.0.
 6 years ago
Victor Julien 7cabb025ea ips: fix wrong thread for bridge ips modes 6 years ago
Phil Young 8aeff8f973 stream: fix bypass callback for stream.depth 
Fix bug with bypass callback when called with stream depth threshold.
bug report: https://redmine.openinfosecfoundation.org/issues/2986
 6 years ago
Jason Ish 52187d8548 ftp: removing uninitialized variable warning 
output-json-ftp.c: In function ‘JsonFTPLogger’:
output-json-ftp.c:129:9: warning: ‘js_respcode_list’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  129 |         json_object_set_new(cjs, "completion_code", js_respcode_list);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
output-json-ftp.c:74:13: note: ‘js_respcode_list’ was declared here
   74 |     json_t *js_respcode_list;
      |             ^~~~~~~~~~~~~~~~
output-json-ftp.c:128:9: warning: ‘js_resplist’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  128 |         json_object_set_new(cjs, "reply", js_resplist);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
output-json-ftp.c:73:13: note: ‘js_resplist’ was declared here
   73 |     json_t *js_resplist;
      |             ^~~~~~~~~~~
 6 years ago
Victor Julien a272e433a8 pd: don't reverse flow if TCP session not midstream 6 years ago
Jason Ish 5f1d21f247 dns: handle mid stream pickup on response packet 
Related Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2146
 6 years ago
Travis Green 9f8dcad287 doc: update of ssh-kewords documentation 
Modifies ssh-keywords.rst to fix syntax error in example rule as well as
update descriptions to indicate older keywords have been deprecated.
 6 years ago
Jeff Lucovsky 79d308db73 detect/analyzer: Add missing http_accept_enc handling 6 years ago
Victor Julien a3e5b91668 detect/dataset: fix 'state' path handling 6 years ago
Victor Julien 7ae86a0ae9 datarep: remove notice messages 6 years ago
Victor Julien 8045746bd1 datasets: remove notice messages and improve errors 6 years ago
Victor Julien 1d6a358d8a datasets: unix socket dataset-add command 6 years ago
Victor Julien 317376f59d datasets: match on lists of data 
Datasets are sets/lists of data that can be accessed or added from
the rule language.

This patch implements 3 data types:

1. string (or buffer)
2. md5
3. sha256

The patch also implements 2 new rule keywords:

1. dataset
2. datarep

The dataset keyword allows matching against a list of values to see if
it exists or not. It can also add the value to the set. The set can
optionally be stored to disk on exit.

The datarep support matching/lookups only. With each item in the set a
reputation value is stored and this value can be matched against. The
reputation value is unsigned 16 bit, so values can be between 0 and 65535.

Datasets can be registered in 2 ways:

1. through the yaml
2. through the rules

The goal of this rules based approach is that rule writers can start using
this without the need for config changes.

A dataset is implemented using a thash hash table. Each dataset is its own
separate thash.
 6 years ago
Victor Julien b286c14324 thash: generalize hash table as used in flow 
Thread safe hash table implementation based on the Flow hash, IP Pair
hash and others.

Hash is array of buckets with per bucket locking. Each bucket has a
list of elements which also individually use locking.
 6 years ago
Victor Julien 0b120bbe34 suricata: expose system as global 6 years ago
Victor Julien 5d5612f98e suricata: --data-dir option 6 years ago
Victor Julien dbbdfedb98 lzma: make mandatory 
Libhtp is starting to use it as well, so its safe to make it mandatory
here.

Remove guards for flash file decompression code.
 6 years ago
Philippe Antoine 8d4cbb3f7b http: fixes stream flags for http tests 6 years ago
Philippe Antoine 9665ab0409 http: wait for response line for filename 
See http evader case 481
 6 years ago
Victor Julien 579cc9f02b const: constify decoder, app-layer, detect funcs 6 years ago
Victor Julien 399ab35aa1 afl: fix compile warnings for decoder fuzz funcs 6 years ago
Philippe Antoine aa73d834b5 boyermoore: avoid one tolower call 
Fixes #1218
 6 years ago
Jeff Lucovsky 86deaefe66 ftp: Ensure non-zero command length with MPM init 6 years ago
Shivani Bhardwaj 85b56b633e detect: Improve rule keyword alproto registration 
1. Set WARN_UNUSED macro on DetectSignatureSetAppProto.
2. Replace all direct 'sets' of Signature::alproto from keyword registration.

Closes redmine ticket #3006.
 6 years ago
Nick Price d0a85b7550 ja3: Mention LibNSS dependency for JA3 6 years ago
Fabrice Fontaine 9b05db7db0 fix build on m68k with uclibc 
uclibc on m68k defines _POSIX_SPIN_LOCKS but does not define
pthread_spin_unlock so check for this function before using
pthread_spin_xxx functions

Fixes:
 - http://autobuild.buildroot.org/results/ed923bcc1454ce90444b8dac7c064b5f4ea4a0a5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 6 years ago
Jeff Lucovsky 86fabef093 ftp: address review comments 6 years ago
Jeff Lucovsky f79316d71a ftp: remove RUST guards 6 years ago
Jeff Lucovsky cc5e9ca179 eve/ftp: Modifications for MPM-enabled command descriptor table 6 years ago
Jeff Lucovsky bc68ef4657 app-layer: Invoke FTP parser cleanup function 6 years ago
Jeff Lucovsky 09ab032a8d ftp: Use MPM for command lookup 6 years ago
Jeff Lucovsky 4f2a485c55 ftp: Remove LIBJANSSON guards 6 years ago
Jeff Lucovsky 3df2b3437c eve/ftp: Move "get next line" into app-layer-ftp.c 6 years ago
Victor Julien f43584661c stream: support debug notice message in tfo 6 years ago
Eric Leblond 5366f80941 bypass: fix build on Windows 
For the sake of unittests, we need to build capture bypass so we
end up with a Windows build of flow bypass.
 6 years ago
Eric Leblond 53a62953e9 bypass: introduce CAPTURE_OFFLOAD 
This define is used to remove reference to capture bypass in case
no capture method implementing this is active.

This patch also introduces CAPTURE_OFFLOAD_MANAGER that is defined
if we need the flow bypass manager code.
 6 years ago
Eric Leblond 094d28d40e flow-hash: generalize function 
THis patch generalizes the function to get a flow by its flowkey
by removing the call setting it to capture bypassed state.
 6 years ago
Victor Julien 7384744c3e detect: fix FP on ICMP unreachable errors 
ICMP unreachable errors are linked to the flow they send an error for.
This would lead to the detection engine calling the TX inspection
engines on them.

The stream inspect engine would default to a match for non-UDP
and non-TCP as for ICMP we're not expected to use a TX inspect engine
for stream data.

This all would lead to a false positive match.

This patch fixes this by making sure the TX engines are not called if
the packet protocol and flow protocol are not the same.

Bug #2769.
 6 years ago
Jeff Lucovsky 240520a3cc main: fix typo in output 6 years ago
Jeff Lucovsky ef327ab194 stream/tcp: correct spelling typos 6 years ago
Victor Julien bc2267f131 stream/tcp: support TCP fast open 6 years ago
Victor Julien 8f8581beda decode/tcp: TCP fast open option decoding 
Support both regular TFO and TFO as part of the experimental
options support.
 6 years ago
Philippe Antoine c775a4af43 signature: fixes leak with duplicate signatures 6 years ago
Philippe Antoine 63deb8862f boyermoore: optimization with one alloc less 
Fixes #1220
 6 years ago
Philippe Antoine 5ff50773bd detectproto: adding missing probing parsers 
In direction TO_CLIENT for symetric protocols
 6 years ago
Eric Leblond cf98b0223e detect-geoip: add info for list keywords 6 years ago
Shivani Bhardwaj 9d6f1d318a unix/socket: Add rev date to version info 6 years ago
Jeff Lucovsky be22b23d2e cleanup: eliminate warnings/errors with debug build on macos 6 years ago
Shivani Bhardwaj 26bc0d6e1d src/detect: check DetectBufferSetActiveList return code 
Make sure to always check the return codes of DetectBufferSetActiveList.
Also, force this warning on function prototype.

Closes redmine ticket #3005.
 6 years ago
Philippe Antoine 15783fb322 signature: avoids overflow from VariableNameHash 6 years ago
Jeff Lucovsky 140bfd7b0c detect/analyzer: remove HAVE_LIBJANSSON cpp guards 6 years ago
Jeff Lucovsky 87bfce025d spelling: correct spelling typo 6 years ago
Jeff Lucovsky dcf5e247ca detect/analyzer: add support for http_content_type 6 years ago
jason taylor da2c4d7382 applayer: fix typo in debug output 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 6 years ago
Andreas Herz 6ebb1b2cc4 rule-reload: enable rule-reload for -s and -S run as well 6 years ago
Victor Julien 3a912446ad pcap: fix breakloop error handling 
Ticket #3004
 6 years ago
Victor Julien 06d3e1d3d8 netmap: suppress format truncation warning 
CC       source-netmap.o
source-netmap.c: In function ‘NetmapOpen’:
source-netmap.c:327:56: error: ‘%s’ directive output may be truncated writing up to 15 bytes into a region of size between 10 and 57 [-Werror=format-truncation=]
         snprintf(devname, sizeof(devname), "netmap:%s%s%s",
                                                        ^~
                 ns->iface, strlen(optstr) ? "/" : "", optstr);
                                                       ~~~~~~
source-netmap.c:327:9: note: ‘snprintf’ output 8 or more bytes (assuming 70) into a destination of size 64
         snprintf(devname, sizeof(devname), "netmap:%s%s%s",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                 ns->iface, strlen(optstr) ? "/" : "", optstr);
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
source-netmap.c:330:59: error: ‘%s’ directive output may be truncated writing up to 15 bytes into a region of size between 8 and 55 [-Werror=format-truncation=]
         snprintf(devname, sizeof(devname), "netmap:%s-%d%s%s",
                                                           ^~
                 ns->iface, ring, strlen(optstr) ? "/" : "", optstr);
                                                             ~~~~~~
source-netmap.c:330:9: note: ‘snprintf’ output 10 or more bytes (assuming 72) into a destination of size 64
         snprintf(devname, sizeof(devname), "netmap:%s-%d%s%s",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                 ns->iface, ring, strlen(optstr) ? "/" : "", optstr);
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
source-netmap.c:316:54: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
         snprintf(devname, sizeof(devname), "%s}%d%s%s",
                                                      ^
source-netmap.c:316:9: note: ‘snprintf’ output 3 or more bytes (assuming 65) into a destination of size 64
         snprintf(devname, sizeof(devname), "%s}%d%s%s",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                 ns->iface, ring, strlen(optstr) ? "/" : "", optstr);
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

Gcc 8 with -Wformat-truncation=1
 6 years ago
Victor Julien bdd74d413b detect/mpm: put transform into 'profile name' 
So that profiling gives more info about cost of the mpm
engines when they use transforms.
 6 years ago
Victor Julien 5c735f340f detect/dns: register correct profile name 6 years ago
Victor Julien 8a59ad6096 string: making shortening function global 6 years ago
Victor Julien 26c5249574 device: break string shortening out of device shortening 6 years ago
Victor Julien 7eff6ec500 device: remove duplicate length check 
Shorten code handles all cases correctly.
 6 years ago
Victor Julien 2a136c917f detect: move includes/declarations closer to use 6 years ago
Victor Julien bc866ff2a0 detect: fix inaccurate comments 6 years ago
Max Fillinger 4f3bb48f83 pfring: Fix kernel version in comment 6 years ago
Eric Leblond b37554e0bc af-packet: fix build on recent Linux kernels 6 years ago
Philippe Antoine 477328f79b ssl: register probing for port 443 if no config 6 years ago
Shivani Bhardwaj 8c2c78f0b6 configure: Add date with rev information 
Date makes it even clearer that when was the last commit for the build
that one is running. Add this info alongwith rev. Change inspired by
rustc.

Before
```
$ suricata -V
This is Suricata version 5.0.0-dev (rev 2d217e666)
```

After
```
This is Suricata version 5.0.0-dev (2d217e666 2019-07-12)
```

Closes redmine ticket #3092
 6 years ago
Jeff Lucovsky 3d5eccf084 output/json: Refactor output buffer size macro 6 years ago
Jeff Lucovsky 66c565e9e7 eve/json: Break multiline FTP responses into array 
This changeset breaks multi-line FTP responses into separate array
entries. Multi-line responses are those with "text-1\r\ntext-2[...]".
Each of \r\n delimited text segments is reported in the `reply` array;
each text segment _may_ include a completion code; completion codes are
reported in the `completion_code` array.
 6 years ago
Jeff Lucovsky 9cf4e2e432 eve/ftp: Refactor and reduce logging functions 6 years ago
Jeff Lucovsky 911d423a6b ftp: Generalize prelim positive reply 
Extend special case for reply code 150 to handle all preliminary
positive reply -- reply codes with `1xy`.
 6 years ago
Victor Julien 343ba45916 ftp: reply code 150 doesn't end tx 6 years ago
Victor Julien b595da6c51 ftp: fix reply without request 
Permit picking up any reply w/o a request. Observed unsolicited server
messages before connection termination.

Previously the code assumed that this could only happen on connection
start when there was no previously recorded command.
 6 years ago
Victor Julien dc80d520af ftp: implement progress tracking 
Make sure FTP_STATE_FINISHED is returned for transactions that
are marked 'done'.

This is necessary for timely logging and inspection.
 6 years ago
Victor Julien 8ae691155d ftp: be more strict with tx type 6 years ago
Jeff Lucovsky fb019213e7 eve/ftp: minor cleanups and fixes 6 years ago
Zach Kelly 1588cd8735 eve/ftp: Bug fix and banner capture 
1. Correct off-by-one error in server response whitespace removal
2. Include banner response (before first command entered)
 6 years ago
Jeff Lucovsky a04b1c1664 eve/ftp: Log initial responses 
This changeset ensures that unknown commands are logged.
Unknown commands are either
- Banner responses when connecting to the FTP port
- Commands not includes in the FtpCommands descriptor table
 6 years ago
Jeff Lucovsky 2149807bd6 eve/ftp: Transaction support for unmatched requests 
Modified transaction logic to create a new transaction with each
request; replies location transactions by using the oldest "open"
(unmatched) transaction or the last transaction if none are open.
 6 years ago
Jeff Lucovsky 1930b1f504 eve/ftp: Log FTP transactions 
This changeset includes changes that
1. Add transaction support to the FTP parser
2. Support eve json logging of FTP transactions
 6 years ago
Philippe Antoine 2d217e6661 http: fixes overflow in range parsing 6 years ago
Victor Julien 5ddfc42b87 stream: fix midstream reverse flow handling 
When a TCP session is picked up from the response the flow is
reversed by the protocol detection code.

This would lead to duplicate logging of the response. The reason this
happened was that the per stream app progress tracker was not handled
correctly by the direction reversing code. While the streams were
swapped the stream engine would continue to use a now outdated pointer
to what had become the wrong direction.

This patches fixes this by making the stream a ptr to ptr that can be
updated by the protocol detection as well.

In addition, the progress tracking was cleaned up and the GAP error
handling in this case was improved as well.
 6 years ago
Philippe Antoine 94a976d47e ftp: removes one use of atoi 
Fixes only one small part of #3053
 6 years ago
Victor Julien 66d6196e9b pcap: code reformatting and minor cleanups 6 years ago
Victor Julien 255ab1528b flow: minor formatting updates 6 years ago
Max Fillinger bcc03f172a af-packet: Always fill in vlan_id 
The vlan tag will be filled in either from the extended header (for
kernel version >= 3.0) or from the packet itself.

Related to https://redmine.openinfosecfoundation.org/issues/3076
 6 years ago
Max Fillinger 09c54471e5 pfring: Always fill in vlan_id 
Previously, source-pfring.c would copy the vlan_id from the extended
header only if vlan.use-for-tracking was enabled. This commit removes
that check.

Related to https://redmine.openinfosecfoundation.org/issues/3076
 6 years ago
Max Fillinger 44bea80d3c decode erspan: Always fill in vlan_id 
Fill in the vlan_id fields unconditionally. We can now remove the check
for the vlan.use-for-tracking setting in decode.c. The debug log message
is moved to suricata.c.
 6 years ago
Max Fillinger 8d3b04b0e3 decode vlan: Always fill in vlan_id 
Since the vlan.use-for-tracking setting is now handled in flow-hash.c,
we can fill in the vlan_id fields unconditionally. This makes the vlanh
fields unnecessary.

Related to https://redmine.openinfosecfoundation.org/issues/3076
 6 years ago
Max Fillinger cef9961f59 flow hash: Mask vlan_id if not used for tracking 
If vlan.use-for-tracking is disabled, set the vlan_id fields to 0 when
hashing or comparing flows. This is done using a bitmask as suggested by
Victor Julien in IRC, in order to avoid adding more branches to this
code.

Currently, suricata does not fill in vlan_id fields if
vlan.use-for-tracking is disabled and instead leaves them at the default
0 value, so this commit makes no functional change. This change is in
preparation for future commits where the vlan_ids will be always filled
in.

Related to https://redmine.openinfosecfoundation.org/issues/3076
 6 years ago
Max Fillinger 38731d30da flow hash: Make CMP_FLOW macro an inline function 6 years ago
Victor Julien 7ccf14bc60 runmodes: remove unused prototypes 6 years ago
Victor Julien c12252617c afl: fix afl-ftp causing FPE due to missing ippair 6 years ago
Victor Julien 9e70716d5a runmodes: remove no-Rust logic 6 years ago
Victor Julien 8c6251ea6c runmodes: simply default runmode logic 6 years ago
Victor Julien 3282fb4967 runmodes: code cleanups 6 years ago
Philippe Antoine feda5e7392 leak: Fixes leak in AppLayerProtoDetectPMRegisterPattern 
Fixes #3070
 6 years ago
Philippe Antoine 66c500eaac leak: Fixes leak in DetectAppLayerEventPrepare 6 years ago
Philippe Antoine 684f101710 log: use SCLogError instead of fprintf 6 years ago
Philippe Antoine 19ab85f17e leak: fixes leak in DetectAddressParse2 6 years ago
Victor Julien 8b87801b80 geoip: fix unittests w/o db present 6 years ago
Victor Julien a7d65668ae mem: avoid potential shadow vars with 'len' name 6 years ago
Bill Meeks d1525c6fb8 mem: add SCStrndup() function to wrap strndup(). 6 years ago
Bill Meeks a291209e47 detect/geoip: migrate to GeoIP2 database format 
Issue #2765
 6 years ago
Victor Julien d6323ae33d detect/mpm: improve stats reporting 6 years ago
Victor Julien 24f0092b72 detect: add ipv6.hdr sticky buffer 
Inspects IPv6 header and extension headers.
 6 years ago
Victor Julien 3c9a557810 decode/ipv6: track length of ext hdrs 6 years ago
Victor Julien 9252400f68 decoder/ipv6: minor cleanups 
Remove unused field and macros.

Minor code style cleanups.
 6 years ago
Victor Julien 4ac327f5b5 detect/ipv4: add ipv4.hdr sticky buffer 6 years ago
Victor Julien 367e3e1895 detect/tcp/udp: minor cleanups 6 years ago
Victor Julien 4dff903b35 detect: introduce pkt mpm engines 
Instead of the hardcode L4 matching in MPM that was recently introduced,
add an API similar to the AppLayer MPM and inspect engines.

Share part of the registration code with the AppLayer.

Implement for the tcp.hdr and udp.hdr keywords.
 6 years ago
Victor Julien 14896365ef detect: remove Threadvars argument from API calls 
Remove it as it's (almost) never used. If it is really needed it can
be accessed through DetectEngineThreadCtx::tv as well.
 6 years ago
Victor Julien c1dd4534d9 detect/bsize: support transforms in case w/o content 6 years ago
Victor Julien 82de6e0659 decoder/vxlan: improvements and cleanups 
Implement port config handling. Also check both src port and dest
port for tunnels that only set the destination port to the VXLAN
port. At the point of the check we don't know the packet direction
yet.

Implement as Suricata tunnel similar to Teredo.

Cleanups.
 6 years ago
Henrik Lund Kramshoej 3519b011b7 decoder/vxlan: initial implementation of decoder 6 years ago
Victor Julien 35b88991c3 mem: fix shadow declaration warning 
Avoid clash by adding a leading underscore to the declaration in the
macro. These temporary vars should never clash with valid variables
from the code where they are called from.
 6 years ago
Philippe Antoine e30a77c5a1 warnings : Fixes integer sizes in format strings 6 years ago
Victor Julien ba5679de0f profiling: fix undefined profiling code use 6 years ago
Victor Julien ac694b089a detect: add udp.hdr sticky buffer 6 years ago
Victor Julien bdf53f449c detect/tcp: rename tcp keyword files 6 years ago
Victor Julien 47919fd0e4 detect/tcp: add tcp.<field> notation variants 6 years ago
Victor Julien 0cecb1c3b2 detect/prefilter: minor error handling cleanup 6 years ago
Victor Julien 35be8385eb detect: tcp.hdr sticky buffer 
Sticky buffer to inspect the TCP header.
 6 years ago
Victor Julien 47ef8f5822 detect/mpm: add l4-header support 
Prepare MPM part of the detection engine for a new type of per
packet matching, where the L4 header will be inspected.

Preparation for TCP header inspection keyword.
 6 years ago
Victor Julien 0965afd661 detect: pkt inspect engines 
Instead of hard coded calls to the inspection logic for
payload inspection and 'MATCH'-list inspection use a callback
approach. This will register a callback per 'sm_list' much like
how app-layer inspect engines are registered.

This will allow for adding more types later without adding
runtime overhead.

Implement the callback for the PMATCH and MATCH logic.
 6 years ago
Victor Julien 2a778e439a detect/build: minor code cleanups 6 years ago
Victor Julien 66648df099 detect: add tcp.mss keyword 
Allows matching on TCP option MSS.

Syntax:

    tcp.mss:<value>;
    tcp.mss:<value1>-<value2>;
    tcp.mss:<op><value>;

Operator can be: >, <.
 6 years ago
Jeff Lucovsky d2fdbc7d6f output/json: Avoid use of uninitialized value 
In JsonPacket, a Base64Decode error could cause an uninitialized
variable to be used because its return value is ignored.
 6 years ago
Jeff Lucovsky a5d9d37c34 rust/parser: Extend Rust parser for event-by-id 
Extend the Rust parsing infrastructure with the "get event info by id"
calls. This changeset extends the parser structure, the C-based
registration handlers and the template parser.
 6 years ago
Jeff Lucovsky 294d0e8cba snmp: Fix type 6 years ago
Jeff Lucovsky 9ccc28baeb rust/smb: Implement get event by id 6 years ago
Victor Julien 28ed0d3a18 nfs: implement get_event_info_by_id callback 6 years ago
Victor Julien 429ca858dc rust/gen: turn *mut*const T into const T ** 6 years ago
Jeff Lucovsky d568e7fadd eve/logging: 2991 Optimize logging by TX 
This changeset makes changes to the TX logging path. Since the txn
is passed to the TX logger, the TX can be used directly instead of
through the TX id.
 6 years ago
Jeff Lucovsky 488446cf37 logging/anomaly: Track event log progress 
This changeset adds a mechanism to track when individual events
are logged. Transactions can be provided more than once; track
events to prevent event re-logging.
 6 years ago
Jeff Lucovsky 4a39d7a1ee app-layer: Extend event container with progress 6 years ago
Jeff Lucovsky 07c05f7dd8 logging/anomaly: TX based logging addition 6 years ago
Jeff Lucovsky 36644907f5 app-layer/logging Add TX packet logging support 
Add transactional logging support for packet based loggers, like
the anomaly logger.
 6 years ago
Jeff Lucovsky f7b934f83f app-layer/logging: protocol parser updates 6 years ago
Jeff Lucovsky 49438569a2 logging: anomaly log updates 6 years ago
Jeff Lucovsky 50e23ba93a app-layer: Initial app layer logging 6 years ago
Victor Julien 4e8d38348f flow: no bypass manager for Windows 6 years ago
Victor Julien 287b87b81b bypass: switch to gettimeofday 6 years ago
Victor Julien d8614a15c6 mingw: fix compile error 
Declare _POSIX_C_SOURCE before sys/time.h to avoid:

util-time.c: In function 'SCUtcTime':
util-time.c:222:12: error: implicit declaration of function 'gmtime_r'; did you mean 'gmtime_s'? [-Werror=implicit-function-declaration]
  222 |     return gmtime_r(&timep, result);
      |            ^~~~~~~~
      |            gmtime_s
util-time.c:222:12: warning: returning 'int' from a function with return type 'struct tm *' makes pointer from integer without a cast [-Wint-conversion]
  222 |     return gmtime_r(&timep, result);
      |            ^~~~~~~~~~~~~~~~~~~~~~~~
util-time.c: In function 'SCLocalTime':
util-time.c:305:9: error: implicit declaration of function 'localtime_r'; did you mean 'localtime_s'? [-Werror=implicit-function-declaration]
  305 |         localtime_r(&timep, &cached_local_tm[lru]);
      |         ^~~~~~~~~~~
      |         localtime_s
util-time.c:321:56: warning: comparison between pointer and integer
  321 |         if (localtime_r(&timep, &cached_local_tm[lru]) == NULL)
      |                                                        ^~
cc1.exe: some warnings being treated as errors

Tickets: #2994 #3051
 6 years ago
Eric Leblond 6126f105ea util-ebpf: fix creation of flow from pinned maps 6 years ago
Eric Leblond 7df3007066 af-packet: xdp pinned maps need to be read 6 years ago
Eric Leblond 4ba02830b6 flow-bypass: registration of non periodic check 
This patch adds the capability to register a set of functions
without providing a periodic check function. This permit to
run a task only at init.
 6 years ago
Eric Leblond 3e8fd26ee3 flow-hash: real hash computation for FlowKey 6 years ago
Eric Leblond 0963fea390 util-ebpf: log bypassed flow maps count 6 years ago
Eric Leblond 7e5439bc15 bypass: add counter for local captured bypass 
Packets from captured bypassed flows that are received by Suricata
before the capture method start to bypass them can represent an
important part due to various buffer and insertion delay.

This patch adds a two counters to know the number of packets and
bytes in this case.
 6 years ago
Eric Leblond de52e78e65 bypass: flow bypass is not ebpf only 6 years ago
Eric Leblond c938dbde27 util-ebpf: early exit if no map 6 years ago
Eric Leblond e5d325a6ca util-ebpf: reindex 6 years ago
Eric Leblond aa989a7445 af-packet: some conditional fields 6 years ago
Eric Leblond abbb066a96 bypass: bytes and pkts counters for local bypass 6 years ago
Eric Leblond 9206b30fe1 af-packet: better accounting and error handling 
This patch improves the bypass error handling add adds more counters
to the interface so it is possible to get a view on success and
failure of insertion in the eBPF maps via the `iface-bypassed-stat`
command.
 6 years ago
Eric Leblond aeb2bd3aa1 util-ebpf: optimization on flow storage queries 6 years ago
Eric Leblond 288f335aa5 util-ebpf: simplify free function 
First key can't be null.
 6 years ago
Eric Leblond f4abe2f9c0 util-ebpf: set livedev in flow 
This will fix the accounting for pinned maps as the livedev field
of Flow is used to do the accounting of bypass flows.
 6 years ago
Eric Leblond 98e7d9d1c0 util-device: introduce bypassed stats sub function 6 years ago
Eric Leblond f29a4b8bee flow-manager: move bypass timeout to a inline func 6 years ago
Eric Leblond 89e8cb50ed util-ebpf: case is not possible so remove warning 6 years ago
Eric Leblond 8c97998cb9 bypass: implement iface-bypassed-stat for callback 6 years ago
Eric Leblond 51ab06256a bypass: account callback method in stats 6 years ago
Eric Leblond f78e5ba1e1 bypass: restore interface counter 6 years ago
Eric Leblond d119845d98 bypass: compress flow keys structure 6 years ago
Eric Leblond 69d2c8eb75 ebpf: get rid of hash in map value 6 years ago
Eric Leblond b07bda7a7b bypass: new callback stragegy 
This patch introduces and uses a new bypass strategy
based on a callback. EBPF bypass implementation is
updated to use this new strategy.

Once the flow manager detect that a flow should be timeouted,
it asks the capture method if it has seen packets in the interval.
If it is the case the lastts of the flow is updated and the timeout
is postponed.
 6 years ago
Eric Leblond fcae1c18de af-packet: improve error handling for some hw 
Some cards seems to return EAGAIN when there is no more place in
the hash table.
 6 years ago
Eric Leblond 0bfbb4a889 bypass: fix accounting 
The flow bypass stats is computed at every pass so the accounting
needs to be done at each pass. This patch fixes the accounting
in the flow_bypassed counters.
 6 years ago
Eric Leblond 44566e5a24 ebpf: only display that file is loaded if we do it 6 years ago
Eric Leblond 5e62ae6d28 af-packet: avoid error flooding when bypass fails 6 years ago
Eric Leblond af6daceeda util-ebpf: more useful error message 
At the time of the writing, libbpf output useful error message
on strdout only and errno is not really interesting. So let's
tell user to look at stdout.
 6 years ago
Eric Leblond 0f64c25b73 util-ebpf: improve code readability 
As pointed by Victor Julien, the pkts_cnt usage was quite confusing
so functions are now returning a bool.
 6 years ago
Eric Leblond a8f35cc30e util-ebpf: discard flow if no Flow storage 6 years ago
Eric Leblond efb648aa24 util-ebpf: fix ebpf bypass 
Fix endian order in eBPF bypass. It has to be updated after the
bypassed flows handling change.
 6 years ago
Eric Leblond f8aa9ee986 bypass: fix wait time at exit 
The loop on bypassed flow maps can take a few seconds on heavily
loaded system causing Suricata to not honor a stop before a few
seconds.

This patch adds the code needed to detect the need to exit from
the check loop.
 6 years ago
Eric Leblond a277f2eb0c af-packet: fix use after free on config 
ASAN did find that afp config was used after free. This was in
fact done in the Flow bypass manager hence this patch.
 6 years ago
Eric Leblond fc2f2fa7d3 bypass: allow bypass for packet without flow 
For capture method that have their own flow structure (not maintained
by Suricata), it can make sense to bypass a packet even if there is
no Flow in Suricata.

For AF_PACKET it does not make sense as the eBPF map entry will
be destroyed as soon as it will be checked by the flow bypass
manager. Thus we shortcut the bypass function if ever no Flow is
attached to the packet.

This path also removes reference to Flow in the bypass functions
for AF_PACKET. It was not necessary and we possibly could benefit
of it if ever we change the bypass algorithm.
 6 years ago
Eric Leblond 6ab1cbcb8e bypass: use flow storage for bypass counter 
There is a synchronization issue occuring when a flow is
added to the eBPF bypass maps. The flow can have packets
in the ring buffer that have already passed the eBPF stage.
By consequences, they are not accounted in the eBPF counter
but are accounted by Suricata flow engine.

This was causing counters to be completely wrong. This code
fixes the issue by avoiding the counter change in invalid
case.

To avoid adding 4 64bits integers to the Flow structure for the
bypass accounting, we use instead a FlowStorage. This limits the
memory usage to the size of a pointer.
 6 years ago
Eric Leblond 4e6add7faa bypass: generalize iface bypass stats 
Introduce functions in util-device.c to be able to manage the
flow bypassed count stats.
 6 years ago
Eric Leblond 258e90be76 util-ebpf: change flow accounting logic 
Update the flow counters during the life of a bypassed flow
instead of just accounting at the end of it.
 6 years ago
Eric Leblond 3026e9a80d util-ebpf: better error handling 6 years ago
Eric Leblond 2ffd3ad2b7 util-ebpf: better error handling of map unlink 6 years ago
Eric Leblond b952b32a26 util-ebpf: rename field 'unlink' to avoid confusion 6 years ago
Eric Leblond edf2db4e30 af-packet: improve warning message 6 years ago
Eric Leblond 567b5ee1bc af-packet: rename option 'no-percpu-hash' 6 years ago
Eric Leblond 0f6b1297a9 af-packet: warn when XDP is not supported 6 years ago
Eric Leblond b1c9b39435 af-packet: remove question from code 6 years ago
Eric Leblond 1992093c88 flow-bypass: rename variables 6 years ago
Eric Leblond d239e0f2d5 flow-hash: doc and code cleaning 6 years ago
Eric Leblond b736344975 flow-bypass: clock_gettime error handling 
Only reason clock_gettime could fail is a permission so let's
error and leave the flow bypass manager if it is the case.

Also let's suppress the error message if ever the error appear in
the middle of a run (which is unlikely).
 6 years ago
Eric Leblond 4129938c21 util-ebpf: log level fixes and code cleaning 6 years ago
Eric Leblond 140269a6be util-ebpf: init code optimization 6 years ago
Eric Leblond c5e2af0545 util-ebpf: fix error reported by coccinelle check 
Some allocation errors were not checked during init phase.
 6 years ago
Eric Leblond c1fd0da550 af-packet: add vlan_id in bypass key 
Bypassing on vlan was not supported due to the missing key.
 6 years ago
Eric Leblond 651a27e4fb ebpf: fix percpu hash handling 
An alignement issue was preventing the code to work properly.
We introduce macros taken from Linux source code sample to get
something that should work on the long term.
 6 years ago
Eric Leblond 142c69e1ef flow-bypass: increase bypass timeout 
This is needed as we did switch from counter maintained in kernel
to internal polling so we need a bigger value.
 6 years ago
Eric Leblond b8e184ceb5 flow-bypass: fix timeout of maps bypassed flows 
The time is taken from the parameter and is checked against real
flow entries so we need a standard time.
 6 years ago
Eric Leblond 07d0bd3a0f util-ebpf: fix IPv6 deletion loop 6 years ago
Eric Leblond b481f290e2 af-packet: fix bypass for IPv6 6 years ago
Eric Leblond 3bd8ba5d00 util-ebpf: add message if key deletion fails 6 years ago
Eric Leblond 269f601f8a util-ebpf: can't delete in place so update algo 6 years ago
Eric Leblond 5b056c15bf af-packet: fix default in pinned maps name 6 years ago
Eric Leblond eff56acca5 af-packet: be sure to nullify option if not set 6 years ago
Eric Leblond 36c6a62954 util-ebpf: simplify function declarations 6 years ago
Eric Leblond 69630d7a17 util-ebpf: micro optimization 6 years ago
Eric Leblond d21c3a6555 util-ebpf: create flow from bypassed flows 6 years ago
Eric Leblond 04c65a309e flow-hash: new function to get flow from flowkey 6 years ago
Eric Leblond 885fc992de ebpf: make table iterator generic 
Also adds a basic skeleton for flow creation loop.
 6 years ago
Eric Leblond 880c42f11c af-packet: bypass with init function 6 years ago
Eric Leblond 522e98d830 util-ebpf: fix iteration in flow timeout 
We were not setting the key using the correct item in map. Result
was deletion of wrong flow.
 6 years ago
Eric Leblond 0c3e1e8579 af-packet: correctly set up hardware offload 6 years ago
Eric Leblond bd28f77a1e af-packet: fix loading of ebpf filter 6 years ago
Eric Leblond 6fdcb127e9 af-packet: fix the start when XDP is pinned 6 years ago
Eric Leblond 7e0ef4cec8 util-ebpf: change return of pinned maps loading 
The calling function needs to be able to see when this is a success
and XDP do not need to be reloaded.
 6 years ago