Victor Julien
64f717c880
Set 'livedev' in pcap acquisition module for older libpcap version as well. Fixes a segv.
14 years ago
Victor Julien
026a4efc57
Make sure that continued stateful detection only inspects sigs in the proper direction.
14 years ago
Victor Julien
21ee59e6f3
Add signature direction (flow:toserver/flow:toclient) as a signature flag.
14 years ago
Victor Julien
d5402d33d4
Simplify detection loop. Inspect packet keywords before the state.
14 years ago
Victor Julien
7fa22e8453
Rename app_layer_events to app-layer-events. Misc fixes/changes.
14 years ago
Victor Julien
ecd457db7b
Allow flowint names to have dots in them.
14 years ago
Anoop Saldanha
5311cd4866
Support for smtp decoder events
14 years ago
Anoop Saldanha
eea5ab4a7a
Support for app layer decoder events added + app_layer_event keyword added
14 years ago
Victor Julien
4c1e417d49
Allow non-existing flowints to be incremented. A 'set' to 0 is implied in this case.
14 years ago
Victor Julien
d24b3a0e50
Clean up csum detection output, misc fixes.
14 years ago
Eric Leblond
9a2a4802f4
pf-ring: add support for checksum verif mode
...
This patch adds support for checksum verification mode.
Supported modes are yes, no, auto and rx-only.
14 years ago
Eric Leblond
0399a06f4f
pcap: fix typo
14 years ago
Eric Leblond
db5ca0f3a4
pcap: add auto mode support
14 years ago
Eric Leblond
a565148fb1
af-packet: fallback if 'kernel' mode is not supported
...
This patch adds a fallback to full checksum validation if 'kernel'
mode is not supported by the running kernel.
14 years ago
Eric Leblond
51eb96053c
af-packet: auto mode support
14 years ago
Eric Leblond
c3eaa6cc60
Add per-interface counter for invalid checksum.
...
This patch adds a per-device counter for invalid checksum as
well as a simple packet counter.
14 years ago
Eric Leblond
745b61171a
Introduce LiveGetDevice function
14 years ago
Eric Leblond
e893e860d4
Rename LiveGetDevice to LiveGetDeviceName
...
The function LiveGetDevice is returning a pointer to
the name of the interface. This patch renames it to
LiveGetDeviceName which is more appropriate.
14 years ago
Eric Leblond
1d1271fd38
pcap: add support for checksum verif mode
...
This patch adds support for checksum verification mode.
Auto mode is not yet supported.
14 years ago
Eric Leblond
6062e00c2b
af-packet: add support for checksum verif mode
...
This patch adds support for checksum verification mode.
Auto mode is not yet supported.
14 years ago
Eric Leblond
551cb3e4c2
decode: introduce checksum mode enum.
14 years ago
Eric Leblond
623bb38d1c
af-packet: Fix typo in error message.
14 years ago
Eric Leblond
8d635ddfc2
detect-csum: incomplete checksum is a valid checksum
...
This patch modifies the checksum match to not alert on packets with
an incomplete checksum. They will be checksummed later and thus
can be considered valid.
14 years ago
Eric Leblond
67f791e891
af-packet: add variable to disable offloading detection
...
This patch adds a variable to disable offloading detection. The effect
of the flag is to avoid transmitting auxiliary data with each packet.
This could result in a potential performance gain.
14 years ago
Eric Leblond
f6ddaf3341
af-packet: parse message to find lack of checksum
...
Emitted packets can have checksum offloading. This patch reads the
af-packet message parameter to see if the kernel has sent a non
checksummed packet.
14 years ago
Eric Leblond
5dc46ae7c7
pf-ring: Mark emitted traffic as non checksummed
...
The traffic sent by an interface is potentially offloaded. This
patch adds detection of TX packets and sets the corresponding flag.
14 years ago
Eric Leblond
81bc6f5518
Treat incomplete checksum.
...
Checksum of local traffic is often offloaded to the network device.
This causes some problems on parsing of this traffic. This patch
introduces a PKT_INCOMPLETE_CHECKSUM flag which can be used to
indicate that the checksum is not computed/correct for good reason.
14 years ago
Victor Julien
9324ed7b90
Fix icmpv6 ip-only rule not firing. #363 .
14 years ago
Anoop Saldanha
517040c4af
indentation fix
14 years ago
Anoop Saldanha
37b223645a
fix detection engine for alert stability. Fix cases where we have multiple rules having the same pattern. We should see a good perf increase (~5%) with this change, now that we avoid unnecessary inspection
14 years ago
Anoop Saldanha
42bc22cfa5
indentation fix
14 years ago
Anoop Saldanha
ecc7a769a7
reclaim mpm contexts if no patterns are added to it, even in non-full mode
14 years ago
Anoop Saldanha
1389cf6913
update cuda mpm to support per proto mpm contexts. Fix faulty stream mpm usage of cuda
14 years ago
Anoop Saldanha
92643f6110
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
Anoop Saldanha
a5dec3cb2e
refactor all http mpm engine code
14 years ago
Anoop Saldanha
34cf557abf
fix indentation
14 years ago
Anoop Saldanha
5b91cec4ae
remove unnecessary if/else checks
14 years ago
Victor Julien
ada4066238
Add counters for SYN, SYN/ACK and RST TCP packets. Issue #251 .
14 years ago
Victor Julien
298289f43f
Let flow:only_stream and flow:no_stream set the require packet and require stream flags. Toss out sigs with conflicting settings. Rename flow:stream_only to flow:only_stream. Fixes #261 .
14 years ago
Victor Julien
c04f45ccb9
Add tcp-pkt and tcp-stream 'protocols' to force a signature to inspect only packet or stream data.
14 years ago
Victor Julien
2c62b50ed5
Fix 2 compiler warnings.
14 years ago
Mike Pomraning
cfced01641
Use strlcpy
14 years ago
Mike Pomraning
914b10a8e6
Touch up Makefile for SCConfLogOpenGeneric.
14 years ago
Mike Pomraning
dfec9c0f6a
Switch 'fast', 'http-log', 'drop' and 'alert-debug' to SCConfLogOpenGeneric.
14 years ago
Mike Pomraning
dec34afa40
SCConfLogOpenGeneric() abstraction for regular and AF_UNIX logs.
...
util-logopenfile.[ch] implements the abstraction; util-error.[ch]
modified to include a socket-specific error code; output.h adds a
default filetype for logs ("regular").
14 years ago
Victor Julien
a1cb769205
Switch log-file module to use new absolute path detection code.
14 years ago
Victor Julien
4cbaeb408c
Add functions to determine whether a path is absolute or relative.
14 years ago
Victor Julien
a397599fbb
file extraction: add waldo option to file log module. This will store the last used file_id so extracted files won't get overwritten if Suricata is restarted.
14 years ago
Victor Julien
effe01ae7b
Add Init and DeInit calls to the thread module API.
14 years ago
Eric Leblond
7fb78a0ff6
Fix compilation warning.
14 years ago
Victor Julien
08f3ef7685
Reshuffle version printing so -V prints it only once.
14 years ago
Eric Leblond
1bebb9831d
logging: don't display debug message before setting params.
14 years ago
Eric Leblond
05f562fdc3
logging: use SCLogDebug instead of printf
...
This patch uses SCLogDebug instead of printf to enable filtering
of the log message by the log filtering option.
14 years ago
Eric Leblond
9545a56426
ipfw: suppress poll before sendto
...
Calling poll before using sendto seems a bit overkill.
14 years ago
Eric Leblond
6f1b40dd4b
ipfw: don't use socket lock in 'worker' mode
...
This patch is the IPFW version of NFQ latest patch.
14 years ago
Eric Leblond
58855494c1
nfq: do not use mutex in 'worker' mode
...
Using a mutex on the queue handle is not necessary in 'worker' mode
as there is no concurrent access to it.
14 years ago
Eric Leblond
ef3951d914
runmode: export running mode
...
This will permit putting some optimisations in different components.
This is done via the RunmodeGetActive() function.
14 years ago
Victor Julien
c908574545
Use strtoul instead of strtol for sid parsing. Fixes parsing of really large sid numbers. Fixes #393 .
14 years ago
Victor Julien
c1a40447c1
IP Only cleanup: make most functions static. Add error message on address parsing issues.
14 years ago
Victor Julien
e0cf2ccb91
Fix invalid direction error message.
14 years ago
Eric Leblond
db19680794
pcap: fix auto runmode
...
This patch fixes initialization of a pointer. The lack of it was
causing an invalid interface value to be given to suricata (in
the case no interface was given on the command line).
Reported-by: Delta Yeh <delta.yeh@gmail.com>
14 years ago
Victor Julien
5a769c02ee
Stream engine: handling packets with ACK|CWR.
14 years ago
Anoop Saldanha
999c34111e
bug #341 - support for urilen check on both norm and raw buffers
14 years ago
Victor Julien
158d72e7f3
file-inspection: inspect new files in same tx but opposite direction as well.
14 years ago
Victor Julien
a6e75aff21
file-extraction: improve handling of complex multipart bodies.
14 years ago
Victor Julien
4eda31df4d
file inspection: unset new file available flag when appropriate, prevents duplicate alerts.
14 years ago
Anoop Saldanha
6e2c921037
indentation fixes for ac-gfbs
14 years ago
Anoop Saldanha
2eb3aff0af
Further improve compression for ac-gfbs. Character codes shifted to 8 bits from 16/32 bits
14 years ago
Victor Julien
0712300a1c
Remove stream BUG_ON's that could fire on TCP session reuse.
14 years ago
Anoop Saldanha
0cde8072f4
fix ffr shutdown segv. We need to supply the stream TV to the stream engine
14 years ago
Anoop Saldanha
5620844f7d
ac-gfbs fix output presence combination with mod table
14 years ago
Anoop Saldanha
153f2ad3eb
ac-gfbs update. Minor improvement of compression for state 0. Improves performance
14 years ago
Anoop Saldanha
c6cd59bda4
Update ac-gfbs with some rearrangement. Increased performance from 4-10%
14 years ago
Anoop Saldanha
e18cf72c13
fix bug in size parsing API. Pass the string returned by pcre_get_substring and not the passed arg. Also use strtod. Solves usage issues on windows
14 years ago
Victor Julien
842b01cc9c
Remove duplicate sys/prctl.h configure check. Wrap another include in HAVE_SYS_PRCTL_H.
14 years ago
Eileen Donlon
aaa5a78dfe
Moved prctl.h check to configure
14 years ago
deltay
37dc83d411
ignore signal SIGPIPE and SIGSYS
14 years ago
Victor Julien
c2c539942b
Rework the way the http parser can tell the de_state to reset its file section on arrival of new files in the same tx. Fixes a deadlock in the auto runmode.
14 years ago
Victor Julien
679b8ec1ba
Fix filestore match code not expecting NULL file ptr.
14 years ago
Victor Julien
18d79c4215
file store: respect flowbits and other keywords
...
The filestore keyword until now flagged a file, tx or ssn for storage as soon
as the keyword was inspected. This happens before flowbits and some other
keywords, so files were stored that weren't supposed to.
This patch makes the filestore keyword fill an array in the detect engine
thread ctx. Then if the full signature matches, a post-match filestore
function makes the store final.
14 years ago
Victor Julien
7173256754
Fix compiler warnings in a couple of unittests.
14 years ago
Victor Julien
6d8aa6829d
Remove unused variable.
14 years ago
Anoop Saldanha
b164247fb8
Changed my email address to anoopsaldanha@gmail.com from my current one - Should have been an amend over my previous commit, but that commit's pushed out
14 years ago
Anoop Saldanha
f514b141ce
fix ipv6 header setup in pseudo pkt creation
14 years ago
Victor Julien
416b463c51
file-data: add more unittests
14 years ago
Victor Julien
296ce8b5f9
file-data: make bytejump, bytetest, byteextract and isdataat work better with file_data.
14 years ago
Victor Julien
077970051e
file-data: implement relative pcre support.
14 years ago
Victor Julien
07e560b137
file-data: initial file_data support
...
Support file_data for: content, pcre (relative), byte_test, byte_jump,
byte_extract, isdataat.
File_data support is handled at signature parsing time, all matches
occurring after the file_data in the rule are converted to http_server_body
matches.
Content matches relative to the file_data are converted. Within to depth,
distance to offset. Relative to the start of the body buffer.
14 years ago
Victor Julien
7adac3048d
file-data: create initial keyword registration.
14 years ago
Anoop Saldanha
420befb180
Changed my email address to anoopsaldanha at gmail dot com from my current one
14 years ago
Victor Julien
fa0152fa80
Shrink signature flags field to 32 bits.
14 years ago
Victor Julien
dd9da1a56f
Merge all http mpm related signature flags into a single set: SIG_FLAG_MPM_HTTP and SIG_FLAG_MPM_HTTP_NEG.
14 years ago
Victor Julien
d5ed28b065
Remove SIG_FLAG_MPM flag.
14 years ago
Victor Julien
fe48920514
Remove per sgh mpm_streamcontent_maxlen variable. It was checked but never set.
14 years ago
Victor Julien
4992f7c417
Remove SIG_FLAG_MPM_URI flag. It was checked but never set.
14 years ago
Victor Julien
2650551192
Rename signature init flags to indicate they are init flags.
14 years ago
Victor Julien
6ebd71545b
Fix signature flag definitions on 32 bit.
14 years ago
Victor Julien
291ddd95f2
Detection engine -- mpm
...
Each signature is in one mpm ctx at max, but there were 3 separate
id's in use: packet, stream, http. Merged them all into one.
Could shrink the SignatureHeader structure with 8 bytes because of this,
should lead to better caching performance.
14 years ago
Victor Julien
7db72bce75
Optimize detection engine prefiltering logic.
14 years ago
Victor Julien
89f83e714c
Introduce http_server_body keyword.
...
The http_server_body content modifier modifies the previous content to inspect
the normalized (dechunked, unzipped) http_server_body. The workings are similar
to http_client_body. Additionally, a new pcre flag was introduced "/S".
To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
Eric Leblond
6e7a8f38bf
ipfw: Add support for autofp and worker runmode
...
This patch converts the ipfw code to the PcktAcqLoop API and
reworks the running mode to use the running mode wrapper
already used by NFQ.
14 years ago
Eric Leblond
c1ad64b333
ips: update copyright date and author list.
14 years ago
Eric Leblond
d4cbc7c38c
ipfw: funnier to manage capability in running code.
14 years ago
Eric Leblond
f1cb4da442
ipfw: fix indentation of the file.
...
I will have to work a lot on this one. It will be easier with a
correct indentation.
14 years ago
Eric Leblond
acc9634106
nfq: add some comments about possible evolution
14 years ago
Eric Leblond
9ca7257279
nfq: suppress unused functions.
14 years ago
Eric Leblond
58b20359a7
nfq: add worker runmode support.
14 years ago
Eric Leblond
aee2e3ddd6
nfq: Add autofp mode support
14 years ago
Eric Leblond
115c3499d2
nfq: factorize auto mode
14 years ago
Eric Leblond
70c574fb63
runmode: Add support for IPS running mode
...
This patch adds the 'auto', 'autofp' and 'worker' runmode for
IPS. It provides a set of ready-to-use functions that can be
used by NFQ and IPFW to implement this running mode.
14 years ago
Eric Leblond
5cfdd7594f
util-device: Modify function name.
...
This patch modifies the LiveBuildQueueList name to LiveBuildDeviceList
to have consistent naming across functions. It also adds a
doxygen comment to add author and description of the util-device.c
file.
14 years ago
Eric Leblond
7096e11ab5
af-packet: simplify code.
14 years ago
Eric Leblond
5cec22ac37
threads: Add sanity check.
14 years ago
Eileen Donlon
327fd048a0
Fixed coredump windows compile issue
14 years ago
Eric Leblond
6c55af847b
'auto' running mode does not support 'threads' var.
...
This patch modifies the RunModeSetLiveCaptureAuto() prototype to
be able to detect that a 'threads' variable (telling how many
threads must listen to one socket in IDS mode) has been used
in the configuration file. It then prints a warning message
if this is the case.
14 years ago
Victor Julien
6f0ca120d1
Make sure existing log-pcap and unified2-alert 'limit' settings don't break.
14 years ago
Victor Julien
678213c9f4
Fix ParseSizeString return code and a compiler warning.
14 years ago
Anoop Saldanha
4b8ebb5c53
set default response body limit for specific http server conf
14 years ago
Anoop Saldanha
6240131a4e
updates to accommodate master rebase
14 years ago
Anoop Saldanha
7c9d1b80fd
Update size parsing API with new calls for returning u8, u16, u32 and u64 values. Make updates in the codebase to use these new calls
14 years ago
Anoop Saldanha
e0c13434ef
bug 333 - support new Size Parsing API. Update various conf params inside the engine to use this API to parse sizes in the format xxx <-just the no represents bytes, xxxkb <- kilobytes, xxxmb <- megabytes, xxxgb <- gigabytes, where xxx is a \d+
14 years ago
Eileen Donlon
79e0299643
Fixed coredump compile problems on bsd, windows
14 years ago
Anoop Saldanha
b970273163
fix broken unittest
14 years ago
Anoop Saldanha
651f91e4de
fix setting pseudo packet from this commit:
...
commit 259e022f721a7c3a70c26447b1cf730bb8a1f6cd
Author: Anoop Saldanha <poonaatsoc@gmail.com>
Date: Sun Dec 4 13:20:43 2011 +0530
fix setting ipv4 header in pseudo packet
14 years ago
Anoop Saldanha
d40fb5b933
Remove unnecessary flow NULL check
14 years ago
Anoop Saldanha
8533cd2cdf
fix mapping of tcp states to flow_established and flow_closed. Improves accuracy
14 years ago
Anoop Saldanha
cc7db6315c
Move setting packet iponly flags from decode section to stream section
14 years ago
Anoop Saldanha
eaf15911e7
fix setting ipv4 header in pseudo packet
14 years ago
Victor Julien
322779fb23
flow engine: release flow lock earlier in flow kill/prune process. Minor cleanups.
14 years ago
Victor Julien
5401764697
flow engine: minor cleanup.
14 years ago
Victor Julien
bfa872b9b7
flow engine: no longer allow FlowRequeue to be called with the same src and dst queue.
14 years ago
Victor Julien
84c7480c06
flow engine: convert flow hash code FlowRequeue call to FlowEnqueue.
14 years ago
Victor Julien
ad4e016288
flow engine: make FlowEnqueue lock the queue. Adapt callers.
14 years ago
Victor Julien
fbbdbb251f
flow engine: remove unneeded 'need_srclock' argument for FlowRequeue
14 years ago
Victor Julien
0331da9773
flow engine: introduce FlowRequeueMoveToSpare
...
As part of a clean up of how FlowRequeue is used, introduce
FlowRequeueMoveToSpare for moving a flow from a locked queue to the
spare queue.
14 years ago
Victor Julien
7fa3df33f2
flow engine: introduce FlowRequeueMoveToBot
...
As part of a clean up of how FlowRequeue is used, introduce
FlowRequeueMoveToBot for moving a flow to the bottom of its queue.
14 years ago
Victor Julien
ae1e4c1d7d
Add missing hash row unlock.
14 years ago
Victor Julien
f47f601f09
Fix unified2 setting the wrong eth_type.
14 years ago
Eric Leblond
9422a36851
unified2: avoid to log RAW packet
...
If the packet datalink is ethernet, we add a fake ethernet
header to stream logging to avoid barnyard2 creating
different files.
14 years ago
Eric Leblond
fc56abfcd0
unified2: log an ethernet header for stream alert.
...
If the packet is of type ethernet, we log the alert reconstructed
payload as an ethernet packet and not a raw packet. This avoids
confusing barnyard2 pcap output.
14 years ago
Victor Julien
49d6885ec7
Improve debug validation code for packet, add new macro for flow.
14 years ago
Victor Julien
3009429e3c
HTTP transaction handling improvement
...
In some cases AppLayerTransactionGetInspectId can return -1, which is
now handled by all its callers.
Improve logic of selecting which transactions are inspected by the various
HTTP keywords.
14 years ago
Eileen Donlon
dbdf2d888f
Enable/disable core dump in config (feature 319)
14 years ago
Victor Julien
7b0f261fdc
Add some debug statements for debugging a smtp issue.
14 years ago
Victor Julien
004b5dde88
Support libhtp's different handling of CONNECT requests.
14 years ago
Victor Julien
117d51c965
Fix a compile warning when debug is enabled.
14 years ago
Victor Julien
1df3304655
Clean up for unittests code: only compile unittest api code when unittests are enabled. Fix unittest code that wasn't wrapped in the proper UNITTESTS ifdefs.
14 years ago
Victor Julien
a138b32533
flow manager: timing change
...
Set default timeout for the flow manager to wake up to 1 second. The 0.4 sec
performed best on a Xeon, but in kvm vm's it was horrible:
32 bit vm: 60% cpu for flowmgr when idle.
64 bit vm: 30% cpu for flowmgr when idle.
With the 1 second timeout both are at 0.3% cpu.
14 years ago
Victor Julien
786148319c
Lower flow manager wake up timer to 0.4 seconds as that performs 2% better in my tests.
14 years ago
Anoop Saldanha
776bf633e3
flow manager code cleanup. Remove unused code + fix indentation. Remove unused vars
14 years ago
Anoop Saldanha
5133098bd6
Accommodate pcap-file mode to signal flow mgr to wake up when it exceeds a certain time interval. This lets the flow mgr keep in sync with pcap timestamp changes
14 years ago
Anoop Saldanha
9917744707
separate timers for flow mgr thread for normal and emerg mode. Signal flow mgr thread when in emerg mode
14 years ago
Eric Leblond
5a63662766
Flow: use condition system instead of short sleep
...
Short sleep can lead to some really annoying performance issues in
some environments like virtual systems. This technique was used in
the flow manager. This patch uses an alternate approach based on
a timed condition which is triggered each time a new flow has to
be created. This avoids running out of flows. A counter is also added
to be able not to run the cleaning code at each new flow.
14 years ago
Victor Julien
34450b9b57
Don't parse layers / ext headers above ipv6 frag header. This is taken care of by defrag.
14 years ago
Victor Julien
938e9b3db0
Fix filestore related segv.
14 years ago
Victor Julien
e6d8d0443c
Unify output functions for alert-debug for IPv4 and IPv6.
14 years ago
Victor Julien
3c7f09d1ea
Add debug output to engine event.
14 years ago
Victor Julien
e6af837b25
Convert StreamTcpSetEvent function into macro. Eases debug.
14 years ago
Victor Julien
58011554b0
Don't consider payload len in ACK value validation check.
14 years ago
Victor Julien
9878eca086
file handling: expand filestore keyword
...
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transaction, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspicious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
Victor Julien
ddfa5c49c6
Stream engine: gap handling
...
Set a stream event for stream gaps.
Add a (disabled by default) signature to the stream-event.rules.
14 years ago
Victor Julien
45d86ff58a
Stream reassembly / app layer: disable gap errors
...
Gap errors on the app layer are now silently handled. No longer printed
to the screen.
14 years ago
Victor Julien
425294f912
stream reassembly: account stream gaps
...
Add counter to the stream reassembly engine to count stream gaps. Stream gaps
are the result of missing packets (usually due to packet loss). This missing
data stops the reassembly for the app layer.
14 years ago
Victor Julien
d8d8fdd9f5
Improve handling of packets when stream is in the fin_wait1 or fin_wait2 state.
14 years ago
Victor Julien
b74c73309b
file handling: improve filestore keyword handling
...
In stateful detection only inspect the file portion of the rule after all
other conditions matched. This to prevent "filestore" from tagging files
for storage during a partial match.
Add a couple of unittests to test the behaviour change.
14 years ago
Victor Julien
4cbe7519fa
Add missing file util code.
14 years ago
Victor Julien
56b96363b8
Fix merge artefact.
14 years ago
Victor Julien
63c9a3ab85
Remove duplicate include.
14 years ago
Victor Julien
042fd850fc
Make sure we check the sgh for no magic and no store once per flow direction.
14 years ago
Victor Julien
f3fbc1a44c
file handling: filemagic matching improvement
...
Magic buffer is a null terminated string. Allow matching on the final
\0 using filemagic:"somevalue|00|"; so we can anchor to the end of the
buffer.
14 years ago
Victor Julien
2ccd35c6e4
Fix code after rebase.
14 years ago
Victor Julien
33848124d1
Fix a multipart body parsing issue.
14 years ago
Victor Julien
96d20098b0
file inspect: stateful inspection split
...
Split stateful detection of the files in a HTTP state between toserver
and toclient inspection.
14 years ago
Victor Julien
d59ca75e46
file extract: split toserver and toclient tracking
...
Split toserver and toclient file tracking for the http state.
14 years ago
Victor Julien
04ea70ccf7
file extract: pruning
...
Add pruning of files in memory so we keep only memory what we really need.
Fix magic logic.
Reset file part of the de_state on receiving another file in the same tx.
14 years ago
Victor Julien
1c934acc85
Don't store fd per file (too many fd's). Enable IPv6 storing. Close file on receiving stream end flag.
14 years ago
Victor Julien
b402d97179
File carving -- enable response file extraction
...
- Enable response body tracking
- Enable file extraction for responses
- File store meta file includes magic, close reason.
- Option to force magic lookup for all stored files.
- Fix libmagic calls thread safety.
14 years ago
Victor Julien
66a3cd96a8
Prepare HTTP response body tracking.
14 years ago
Victor Julien
417495e542
file-extraction: remove no longer used files.
14 years ago
Victor Julien
e1022ee5ae
file-extraction: Disconnect file handling from flow and move into the app layer state.
14 years ago
Victor Julien
27645f64c6
Remove unused util-filetype.[ch] from Makefile.am.
14 years ago
Victor Julien
9b62ec65ab
Make sure filemagic works properly regardless of filestore being in use for a flow.
14 years ago
Victor Julien
5945e652d6
Initial implementation of filemagic keyword.
14 years ago
Victor Julien
f4a6f4b293
Add libmagic detection, linking and a basic API.
14 years ago
Victor Julien
23e01d23d3
Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored.
14 years ago
Victor Julien
3e7baa6810
Fix improper error handling in http body chunk function.
14 years ago
Victor Julien
403b2788d6
Add support for extracting PUT files.
14 years ago
Victor Julien
59cda9a358
Fix not using new htp callback when using the bundled htp. Add indication to --build-info. Fix valgrind warning in test and further improve test.
14 years ago
Victor Julien
ef0536794c
Adding comments, some cleanups.
14 years ago
Victor Julien
21acd72adf
Cleanups to the Multipart parsing code. Fixes to negation in filename and fileext.
14 years ago
Victor Julien
70f0d3d2e7
Add negation to filename and fileext, use same syntax as with content.
14 years ago
Victor Julien
32fb9f375d
log-file log-dir option added, meta file created, fixes.
14 years ago
Victor Julien
a6b7a560f1
Fix a bug in the HTTP file closing.
14 years ago
Victor Julien
7e3d537338
Fix setting libhtp personality.
14 years ago
Victor Julien
1eef36b011
Initial checkin of a log-file module, that can write files extracted from flows to disk.
14 years ago
Victor Julien
3c1edf3763
Add a file descriptor to the flow file structure.
14 years ago
Victor Julien
cd618e48df
Allow for 0 (unlimited) HTTP request_body_limit, fix option parsing.
14 years ago
Victor Julien
4723f07254
Improve testing and fix some bugs.
14 years ago
Victor Julien
9d5d46c4bb
Implement flow file storage API, create HTP wrappers for it, use it in HTTP parsing.
14 years ago
Victor Julien
a0ee6ade3e
Improve HTTP multipart parsing, add streaming parsing for files.
14 years ago
Victor Julien
4537f889ef
Handle all strings as raw strings in HTTP content-type and content-disposition header parsing.
14 years ago
System Administrator
222bc6e935
Flow files
14 years ago
Pablo Rincon
6d60b3a747
filename and fileext keywords
14 years ago
Victor Julien
06b1d71032
Small optimizations to IPV4 and TCP header parsing.
14 years ago
Eric Leblond
0256ca2422
af-packet: fix compilation on new systems.
...
Inclusion of if_packet.h was missing when the support of new options
related to packet fanout is present in the file.
14 years ago
Anoop Saldanha
bf24272c28
changes to accommodate master rebase
14 years ago
Anoop Saldanha
997eaf42a8
add thread local storage support for smtp + remove pmq that was init/freed as part of smtp_state alloc to use the thread local data passed by the app layer engine
14 years ago
Anoop Saldanha
9a6aef459e
modify all relevant app layer API calls to accommodate passing parser local storage argument
14 years ago
Anoop Saldanha
d3468d88b0
app layer udp cleanup + update dcerpc udp todo
14 years ago
Anoop Saldanha
01a35bb604
introduce app layer local storage api support
14 years ago
Anoop Saldanha
87599bc78d
minor changes in smtp parser decoder wrt direction check loop + add missing ifdef unittests
14 years ago
Anoop Saldanha
3a856fed12
update detection engine to compare flow alproto with sig_alproto, rather than sm alproto.
14 years ago
Anoop Saldanha
4d38a571cc
smtp reply code mpm phase support added
14 years ago
Anoop Saldanha
4a6908d3e9
fix smtp parser handling fragmented lines + add new unittests to check the same
14 years ago
Anoop Saldanha
2b356dadff
Support for tos keyword added
14 years ago
deltay
211193b0af
Get pidfile from config file if not available in command options
14 years ago
Victor Julien
262a7300d7
flow: shrink Flow datatype
...
Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address
that doesn't have the family in it like the Address structure. Instead, the
family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6.
Add macro's to check the family, copy the address, etc.
Update many unittests to reflect these changes. Introduce unittest helper
functions for creating and initializing a flow and freeing it again.
On 64 bit this shrinks the flow with 8 bytes.
14 years ago
Victor Julien
06904c9024
App Layer cleanup
...
Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate.
Various cleanups and dead code removal from the app layer API.
Should save 100+ bytes memory per flow on 64 bit.
Updated lots of unittests to reflect these changes.
14 years ago
Victor Julien
a0b532dc45
stream reassembly: simplify base_seq tracking for protocol detection. Shrinks TcpStream structure.
14 years ago
Victor Julien
7e3c15e54a
stream: improve TCP ssn reuse cleanup.
14 years ago
Victor Julien
9769510ba3
flow: support requeue of flows from closed to new list for TCP ssn reuse.
14 years ago
Anoop Saldanha
4130c5e2b8
if flow has disabled app layer inspection, disable buffering the segments unnecessarily in inline reassembly
14 years ago
Anoop Saldanha
43cbed8c92
enable toclient alproto detection for inline reassembly
14 years ago
Anoop Saldanha
f684b60127
if flow has disabled app layer inspection, disable buffering the segments unnecessarily
14 years ago
Anoop Saldanha
08bd8ec4e2
on failed alproto detection on both sides, only disable app layer inspection. No reassembly disabling for any direction
14 years ago
Victor Julien
c9960473bb
Fix stream reassembly engine rejecting valid packet for reassembly.
14 years ago
Anoop Saldanha
55ed6c2a55
disable session reassembly for either/both the directions, only when we have established failed proto detection in both the directions
14 years ago
Anoop Saldanha
4650bf7170
minor code cleanup. remove commented out code
14 years ago
Anoop Saldanha
de9ad02b59
Remove leftover imap and msn toclient alproto PM contents
14 years ago
Anoop Saldanha
caf26c2618
More updates to FFR code. Handle cases where we actually need to force stream reassembly and just have smsgs to be processed by detection engine separately
14 years ago
Anoop Saldanha
bc216a3396
fix/updates to app layer proto detection
14 years ago
Anoop Saldanha
78e6a7f713
enable toclient alproto detection. Detection of all current alproto toclient PMP patterns
14 years ago
Anoop Saldanha
9c8d404db1
FFR update-fix. Fix check where we decide whether we need to send pseudo pkt or not
14 years ago
Anoop Saldanha
b08b390bcd
fix for bug 375 - update radix test that wrongly uses memset and sizeof
14 years ago
Victor Julien
3d845b6c77
Consider Windows new line chars as well when parsing rule files. Bug #374 .
14 years ago
Eileen Donlon
a92d15ed37
Fixed duplicate signature check
14 years ago
Anoop Saldanha
99baf18c8d
updates to ac-gfbs search. Remove unnecessary casting of pointers
14 years ago
Anoop Saldanha
11e7dda59a
updates to ac-gfbs search. Introduce handling cases where state_count is < 32k
14 years ago
Anoop Saldanha
708c4ad055
updates to ac-gfbs search. Combine output presence with mod goto table
14 years ago
Anoop Saldanha
a4ea7e6197
updates to ac-gfbs search. Combine failure table along with mod goto table for better cache perf
14 years ago
Anoop Saldanha
b69ac9514f
updates to ac-gfbs search. Disable handling < 65k states separately. Now any state count would be given same treatment
14 years ago
Anoop Saldanha
efb4c27b1f
updates to ac-gfbs search. Add new unittests + fix cases where we have 2 patterns that are same but one is CS and other CI + Use SCMemcmp for state < 65k instead of custom memcmp
14 years ago
Anoop Saldanha
0920296aaa
updates to ac-gfbs search. Remove unnecessary casting of pointers
14 years ago
Anoop Saldanha
d149a5e806
updates to ac-gfbs search. Use SCMemcmp instead of the custom pattern searching used
14 years ago
Anoop Saldanha
47f2d6e07b
updates to ac-gfbs search. Optimize pointer de-referencing for pid_pat_list
14 years ago
Anoop Saldanha
991f6d2d83
updates to ac-gfbs search. Optimize pointer de-referencing for frequently used pointers
14 years ago
Anoop Saldanha
ffb925e3b3
indentation fixes for ac-gfbs
14 years ago
Anoop Saldanha
e9eb0e502c
updates to ac-gfbs search. Handle cases where we have a single entry for a state goto transition, just like how we handle for no entry for a particular state
14 years ago
Eric Leblond
9b75de3339
pfring: fix compilation when pfring is deactivated.
14 years ago
Eric Leblond
0ac1cabf2a
autotools: fix problem of pfring configuration.
14 years ago
deltay
d5e254d504
Add pfring bpf filter, require pfring >= 5.1
14 years ago
Eric Leblond
9f73503daa
capability: rework capability assignement
...
This patch reworks the capability code to use a switch
instead of an if. It also "reduces" PF_RING and NFQ capabilities.
14 years ago
Anoop Saldanha
d034b10180
remove debug prints added to ac code
14 years ago
Anoop Saldanha
781e7c776f
fix indentation in ac code
14 years ago
Anoop Saldanha
5c56053a33
Reintroduced optimized support for < 32k states for ac
14 years ago
Victor Julien
fb76561b09
Set version to 1.2dev to reflect we're in the 1.2 branch.
14 years ago
Victor Julien
8cc82c7241
Add -S commandline option that loads a rule file exclusively. Issue #338 .
14 years ago
Victor Julien
c484b7a59e
Bump version to 1.1 (final)
14 years ago
Eric Leblond
62e63e3fe9
af-packet: fix reconnection on netdown error.
...
AFPRead can fail following a NETDOWN error. This patch treats errors
of AFPRead by forcing a reconnection (instead of exiting the thread
with an error).
14 years ago
Eric Leblond
361bf22121
af-packet: suppress annoying debug message.
...
This message was firing multiple times per second when a monitored
interface disappears.
14 years ago
Victor Julien
0fadd93011
Fix an invalid free in bpf code.
14 years ago
Victor Julien
ea53f72f7d
Fix CUDA build.
14 years ago
Eric Leblond
9f7ee03deb
log: read output filter from config file.
...
The output filter was not read from configuration file and thus
not used in this case.
14 years ago
Eric Leblond
866d681ff2
pfring: fix stupid enum usage.
...
pfring code is not using standard notation for the cluster_type enum
and this leads to horrific code in pfring acquisition code.
14 years ago
Eric Leblond
a6a0d4eae6
pfring: use deinit function.
...
This fixes #368 .
14 years ago
Eric Leblond
a54afe7052
Fix printing of sizeof.
14 years ago
Victor Julien
2d16abcf8b
Minor code cleanups fixing all GCC 4.6 compiler warnings for default, debug and unittests mode.
14 years ago
Eric Leblond
2387c6b0e8
pcap: Fix setting of buffer size from command line.
14 years ago
Victor Julien
1be65e7b68
Fixes for building in Cygwin.
14 years ago
Victor Julien
85033f5afe
Fix windows adapter id being truncated for pcap mode.
14 years ago
Eric Leblond
2bc0be6e65
af-packet: fix compilation problem on windows.
14 years ago
Victor Julien
404868c28b
Get rid of strcasestr call as win32 doesn't have it.
14 years ago
Victor Julien
561630d864
Fix SMTP unittest.
14 years ago
Victor Julien
47abd0ef19
Fix compiler warning.
14 years ago
Anoop Saldanha
0acfcc206c
fix unittests. fix replace unittests that allow alproto keywords with replace
14 years ago
Anoop Saldanha
a0eec3d846
fix detection code that handles cases when we use recursion(from recursive keyword)
14 years ago
Anoop Saldanha
7433d92dd2
undo this commit -
...
commit eff08f93d8
Author: Anoop Saldanha <poonaatsoc@gmail.com>
Date: Thu Nov 3 14:31:24 2011 +0530
update failing unittest to reflect the mpm design update
Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
Anoop Saldanha
1b1332fff0
fix mpm bug on running stream mpm for packets not added to stream mpm
14 years ago
Victor Julien
9f0e3f7c85
Bump version to 1.1rc1.
14 years ago
Victor Julien
55da9787a4
Win32 compile fixes.
14 years ago
Victor Julien
d070869c48
Reinstate replace validation check.
14 years ago
Anoop Saldanha
eff08f93d8
update failing unittest to reflect the mpm design update
14 years ago
Victor Julien
af51493da2
Mpm update: Toss out signatures that mix pkt and stream/state. Update profiling code to track new mpm.
14 years ago
Anoop Saldanha
539ce13695
fix broken unittests
14 years ago
Anoop Saldanha
17f3f36d38
packet keywords only added for packet mpm. Rest in stream mpm. Update detection engine to handle the same
14 years ago
Anoop Saldanha
e0c36f7aff
fix dsize sigs handling. We can't use more than 2 dsizes in the same sig
14 years ago
Anoop Saldanha
c7b9d3fecb
Remove broken dsize_sm in SigMatch used by dsize in detection engine
14 years ago
Anoop Saldanha
d3ca65de03
support bdat smtp keyword - bug #347
14 years ago
Victor Julien
91957d70a8
Fix unittest compiler warning.
14 years ago
Victor Julien
b5e17ec1d8
Rewrite SetupLogging to not leak the fd. Thanks to Steve Grubb for advice on this.
14 years ago
Eric Leblond
ba9fb53461
threshold: fix handling of multiple threshold.
...
This patch fixes the unittest and may fix the real work.
14 years ago
Eric Leblond
142fe6e4b6
threshold: fix recently introduced function.
14 years ago
Victor Julien
e0d7f64a14
Fix thresholding code suppressing an alert if no threshold/suppress rules needed to be checked.
14 years ago
Eric Leblond
86f9759427
threshold: fix thresholding on signature with multiple threshold.
...
This patch uses the newly introduced SigGetThresholdTypeIter
function to try all thresholds for a signature. This should fix
issue #366 .
14 years ago
Eric Leblond
e5b638e5e8
threshold: introduce SigGetThresholdTypeIter function
...
This patch introduces a function called SigGetThresholdTypeIter
which iterates over all Thresholds for a given signature returning
the next DetectThresholdData.
14 years ago
Victor Julien
ab28a6253f
Fix broken fix. Shame on me for committing without testing.
14 years ago
Victor Julien
8528333035
Fix broken tests.
14 years ago
Victor Julien
8186565240
Fix a number of potential issues found by CLANG and cppcheck.
14 years ago
Victor Julien
362c25ec8a
Fix potential suppression parsing issue found by CLANG.
14 years ago
Victor Julien
0fd71c45c5
Improve asn1 keyword handling of a malformed asn1 state.
14 years ago
Victor Julien
9b437caaea
Fix stream unittests.
14 years ago
Victor Julien
b39acddf28
Add flow counters: memuse, pruning stats, emergency mode. Bug #348 .
14 years ago
Victor Julien
b8659daef7
Add stream engine counters
...
Added stream counters:
- tcp.reassembly_memuse -- current memory use by reassembly in bytes
- tcp.memuse -- current memory use by stream tracking in bytes
- tcp.reused_ssn -- ssn reused by new session with identical tuple
- tcp.no_flow -- TCP packets with no flow - indicating flow engine memory at its limits
14 years ago
Victor Julien
5395071c11
Make http logging code more robust against cases where the htp state is incomplete (out of memory conditions).
14 years ago
Eric Leblond
7bf1de022c
Add AF_PACKET to capability system.
...
This patch adds the necessary code to have AF_PACKET using
the same capability dropping mechanism as pcap. This should
fix #361 .
14 years ago
Victor Julien
7eb83314b4
Fix compiler warning and fix using GET_IPV4_DST_ADDR_PTR macro to access IPv6 header.
14 years ago
Eric Leblond
1df183ac38
http log: factorize logging function.
...
With the introduction of the PrintInet function there was almost
no difference between IPv4 and IPv6 HTTP logging functions. This
patch adds a wrapper that factorizes the code.
14 years ago
Eric Leblond
2a8ffe07ea
http log: factorize extended logging
...
Extended logging is not dependent on IP protocol version.
14 years ago
Eric Leblond
a5b1de4f0d
http log: Add extended option
...
This patch adds an extended option to log extended HTTP information
when activated.
14 years ago
Chris Wakelin
8b81063fc2
http log: Add extended information
14 years ago
Eileen Donlon
1adf4b868c
set layer4 protocol when no ipv6 extension headers
14 years ago
Eric Leblond
9549faae95
af-packet: add kernel statistics to exit stats.
...
This patch should fix #325 .
14 years ago
Eric Leblond
acf10525f6
doc: add decode group and related documentation.
14 years ago
Eric Leblond
6220134a48
doc: describe some features and structures.
14 years ago
Eric Leblond
eefdbfb55b
doc: add mainpage.
14 years ago
Eric Leblond
60a99915c1
doc: create http support group
...
This patch creates an httplayer group and adds related files to
it. It also fixes some typos in documentation strings and format.
14 years ago
Eric Leblond
b5a3e737c9
doc: comment link between Flow and application layer.
14 years ago
Eric Leblond
b055a21d63
doc: create doxygen group for state detection.
14 years ago
Eric Leblond
0468dbd575
doc: doxygenise some comments.
14 years ago
Eric Leblond
a64eea9628
Fix minor error message.
14 years ago
Eric Leblond
92d74fd480
doc: Add missing params in func description.
14 years ago
Eric Leblond
fdfa85de37
Add comment to describe file content.
...
The name of the file is not really explicit. This patch adds doxygen
to have an easy to use description in the generated documentation.
14 years ago
Eric Leblond
830ca7c2c8
source-nfq: suppress non-breaking space.
...
This patch suppresses a non-breaking space and fixes an
indentation.
14 years ago
Eric Leblond
01beefc1c9
pfring: improve error handling
...
Handle the return value of TmThreadsSlotProcessPkt.
14 years ago
Eric Leblond
0d7f25580d
pcap: improve error handling.
...
Handle the return value of TmThreadsSlotProcessPkt.
14 years ago
Eric Leblond
c469824bed
af-packet: improve error handling
...
The return of TmThreadsSlotProcessPkt function was not handled.
14 years ago
Victor Julien
9ac51900f6
Fix broken macro call.
14 years ago
Eric Leblond
4071d3cf57
PACKET_INITIALIZE is enough for packet init.
14 years ago
Eric Leblond
d296223ffe
cuda: Suppress sprintf usage.
14 years ago
Eric Leblond
6bf15bac31
Fix various packet access.
...
The coccinelle based tests have detected invalid uses of access to
Packet data. This patch fixes the detected problems.
14 years ago
Eric Leblond
eef3e28b17
invalid use of strncat.
...
strlcat must be used instead.
14 years ago
Eric Leblond
2be09b0c86
Fix Defrag unit test.
...
This patch fixes the unittest for IPV4 defrag. The direct usage
of the pkt pointer in the Packet structure is not allowed. This
is fixed by using PacketCopyData function.
This modification required some other fixes, like using
memcmp to compare data instead of an iteration on the pkt pointer.
14 years ago
Eric Leblond
324986694a
decode: improve and fix comments.
14 years ago
Eric Leblond
24f15fa321
Don't warn about non-enabled non-existing output modules
...
This patch modifies output module loading to only trigger an alert
message for non-existing modules when they are loaded. It also
warns about unified1 removal.
14 years ago
Eric Leblond
3944357058
Remove unified related enum.
...
This patch removes the enum related to unified1 output.
14 years ago
Eric Leblond
391d813c82
Remove unified1 output module.
14 years ago
Victor Julien
047fcd6ade
Add missing case sensitive to insensitive conversions for http_header, http_raw_header, http_method, http_cookie and http_raw_uri with 'nocase' set.
14 years ago
Victor Julien
bde55578d6
Override HTP IDS personality normalizing the query string to lowercase. Bug #362 .
14 years ago
Victor Julien
7ef34b7bcc
Exclude DSIZE LT case from setting the 'need payload' mask bit as it can include 0, which means no payload.
14 years ago
Victor Julien
09b5dca343
Consider signatures with the flags keyword to be packet inspecting only, not stream.
14 years ago
Victor Julien
30d84ab20d
Unlock flow in StreamTcpSegmentForEach if there is no TCP session.
14 years ago
Eric Leblond
9aeadd5696
prelude: suppress unused variable.
14 years ago
Eric Leblond
db17f3de6c
prelude: add stream segment dump
...
This patch should fix #355 .
14 years ago
Eric Leblond
2073b9db0c
debuglog: uses state selection system.
14 years ago
Eric Leblond
1596241687
debuglog: fix segment logging.
...
StreamSegmentForEach returns the number of segments or < 0 in case
of error. This patch synchronizes debuglog output module with this
behaviour.
14 years ago
Victor Julien
3644e90a2c
Don't set higher transaction id's in HTTP sessions than we have.
14 years ago
Victor Julien
67cea09911
Handle failing thread modules that are called by the Pcap file callback.
14 years ago
Victor Julien
bfff14aa78
Improve error detection in the port and address parsing in signatures. Bug #295 .
14 years ago
Anoop Saldanha
ba6bada155
change rev field in Signature to u32 and use strotoul to extract the value. Cleanup some dead code/comments
14 years ago
Anoop Saldanha
ed3b44b3b5
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
Victor Julien
18da4a8b73
Add missing cuda header file causing 'make distcheck' to fail.
14 years ago
Victor Julien
c0bc83458c
Bump version to 1.1beta3.
14 years ago
Eric Leblond
89c38b0ced
prelude: fix compilation
...
PrintInet was used without inclusion of 'util-print.h'. This was
causing a compilation failure.
14 years ago
Victor Julien
39edb23ac4
Support stream.inline mode in unified2 tcp segments logging.
14 years ago
Victor Julien
2e2e80b812
Add packet alert flag to indicate a match happened (partly) in the app layer state. Make unified2 use this flag.
14 years ago
Eric Leblond
128261cb97
unified2: Fix event_id computation
...
This patch fixes event_id computation which was not incremented
for each alert.
14 years ago
Eric Leblond
b3023643ec
unified2: fix multiple alerts case
14 years ago
Eric Leblond
7fd1e9cacc
unified2: synchronize IPv4 and IPv6 code
...
IPv6 code was missing some points.
14 years ago
Eric Leblond
839b0d9bfe
unified2: switch to event->packet->packet mode.
...
Attach multiple packets to an event instead of using one
event data per packet. This is currently unsupported by
reporting frontend but at least we don't have multiple
alerts.
14 years ago
Eric Leblond
316f2d7289
unified2: segment callback log raw packet.
...
As we don't have any trustworthy information about the ethernet
header, we can simply log the RAW packet to avoid confusing the
analyst.
14 years ago
Eric Leblond
a03a402b83
unified2: set datalink to correct value.
...
The value of datalink could have been modified if the logging
of a segment was attempted. This patch restores it to a correct value.
14 years ago
Eric Leblond
50ddd2df43
Restore old barnyard2 support.
...
Some old versions of barnyard2 needed a workaround in the
packet header building. This patch introduces an enable-old-barnyard2
configure flag which can be used to restore this behaviour.
14 years ago
Eric Leblond
2f24987f15
unified2: improve packet logging logic.
...
This patch improves packet logging logic and fixes some places
regarding alert generation (event_id, ethernet header).
14 years ago
Eric Leblond
628bfcc1b9
stream: Change return of StreamSegmentForEach
...
The function now returns the number of segments on which the callback
has been run successfully.
14 years ago
Victor Julien
c672bdd863
Improve atomic operation support detection. Fixes #342 .
14 years ago
Anoop Saldanha
0edf053f31
if app layer inspection is disabled, immediately set the eof flag
14 years ago
Anoop Saldanha
fe11e02f58
fix inspect id update bug. This should prevent unnecessary FPs for pipelined requests
14 years ago
Anoop Saldanha
4e44073c79
http logging module should log all txs in the list and not just the last complete tx available on EOF
14 years ago
Anoop Saldanha
c13ad8c28a
Provide a function to set the app layer tx eof flag. Use this in FFR code instead of directly setting the flag. This cleans up the API as well
14 years ago
Anoop Saldanha
b406af451b
updates to http tx id vars. FFR now flags the app layer session for EOF when creating a pseudo packet for a flow
14 years ago
Anoop Saldanha
67be07bf15
fix threading issue in debug log. locked mutex isn't freed before returning. fixed
14 years ago
Anoop Saldanha
d23e775ae2
fix threading bug. Main thread's restart TV code waiting on a failed TV. Now main thread sets the de_init flag before waiting on the failed thread. Thanks to Eric Leblond for reporting it
14 years ago
Anoop Saldanha
737122663c
IPProto now doesn't accept sigs, which has both < and >, with < value being less than > value. Update affected unittests to reflect the change
14 years ago
Anoop Saldanha
dae099893b
more unittests for ipproto with multiple nots + some fixes
14 years ago
Anoop Saldanha
9887084370
support multiple ipprotos in the same sig + unittest
14 years ago
Anoop Saldanha
a781fb9884
rewrite all ipproto keyword tests
14 years ago
Anoop Saldanha
8033a262a7
cleanup ipproto code
14 years ago
Anoop Saldanha
caf450d325
fix ipproto keyword negation case - bug #340
14 years ago
Eric Leblond
79c329f81b
alert-unified2: logging of stream segments.
...
This patch adds the logging of stream segments. Among other
modifications, it uses a wrapper around fwrite to permit updating
file statistics in an automated manner. Some memcpy calls have also
been avoided by using pointers to the data.
14 years ago
Eric Leblond
2fa837bcec
alert-debuglog: Add logging of stream segments.
...
This patch introduces logging of the stream segments in case of
a signature match on application layer.
14 years ago
Eric Leblond
4f0cdf28a3
Introduce StreamSegmentForEach function
...
This patch introduces a function called StreamMsgForEach which
can be used to run a callback on all segments of a stream. This
is currently only supported for TCP as this is the only streaming
aware protocol.
14 years ago
Anoop Saldanha
d68775d47d
introduce bitmasks instead of alproto_masks for use by the probing parser. Remove all alproto_masks we had previously for PP
14 years ago
Victor Julien
f5ef842752
Implement a counter for TCP packets with invalid checksums: tcp.invalid_checksum. Bug #311 .
14 years ago
Anoop Saldanha
d3989e7cee
probing parser updated to always accept u32 buflens. Update all probing parser functions to accommodate this change
14 years ago
Anoop Saldanha
80d80000bb
fix probing parser flag usage during protocol detection
14 years ago
Anoop Saldanha
432c3317d2
app layer probing parser updates
14 years ago
Anoop Saldanha
d68f182ebd
introduce SCPerfSyncCounters/SCPerfSyncCounters macro to synchronize counters
14 years ago
Anoop Saldanha
f7b1972263
update broken stats.log. Use pktacqloop funcs in pcap-file, pfring, pcap-live, af-pkt to sync counters - bug #343
14 years ago
Victor Julien
a1f68bf411
Fix detection engine informational message misrepresenting decoder only signatures.
14 years ago
Eric Leblond
abddbe1c91
unittest helper: Fix copy of packet data.
...
The copy of packet data was causing memory corruption, which caused
weird crashes.
14 years ago
Victor Julien
7beb5cdf58
Add util-optimize.h to suricata-common.h so all code can use it.
14 years ago
Eric Leblond
db42981a3d
Fix suricata start when no interface is given.
...
When no interface was specified on the command line, the workers and
single modes were not able to start due to the fact that there were no
registered interfaces.
14 years ago
Eric Leblond
9aabf94c9f
Suppress useless parameter in function
...
ConfigParser is called in the parent function and it is thus not
necessary to send it to the per device function.
14 years ago
Eric Leblond
58d7cb20eb
pcap-info: fix compilation warning.
14 years ago
Eric Leblond
27f1d88374
Add pcap-info alert format.
...
This patch adds a new alert format called pcap-info. It aims at
providing an easy to parse one-line per-alert format containing
the packet id in the parsed pcap for each alert. This permits adding
information inside the pcap parser.
This format is made to be used with suriwire which is a plugin for
wireshark. Its target is to enable the display of suricata results
inside wireshark.
This format doesn't use append mode by default because a clean file
is needed to operate with wireshark.
The format is a list of values separated by ':':
Packet number:GID of matching signature:SID of signature:REV of signature:Flow:To Server:To Client:0:0:Message of signature
The two zeros are not yet used values. A candidate for usage is the
part of the packet that matched the signature.
14 years ago
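A parser for the pcap-info line format described in the commit message above, as an added example; it is not Suricata or suriwire code. It assumes the first nine fields are integers and that only the trailing signature message may itself contain ':' characters, so a line is split on at most nine separators to keep the message whole. The sample log is constructed for the example.

```python
"""
Parser for the pcap-info one-line-per-alert format. Added example, not
Suricata or suriwire code. Assumptions: the first nine fields are integers
and only the final message field may contain ':' (hence the split limit).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Field order as listed in the commit message. The two zero fields are
# reserved values that are not yet used.
FIELD_COUNT = 10

# Constructed sample input (not real Suricata output); the second line has a
# colon inside the signature message to exercise the split limit.
SAMPLE_LOG = """\
7:1:2000001:3:1:1:0:0:0:Constructed test rule A
12:1:2000002:5:1:0:1:0:0:Constructed test rule B: message with colon
12:1:2000003:1:0:0:0:0:0:Constructed test rule C

"""


@dataclass(frozen=True)
class PcapInfoAlert:
    packet_number: int
    gid: int
    sid: int
    rev: int
    flow: int
    to_server: int
    to_client: int
    reserved1: int
    reserved2: int
    msg: str


def parse_pcap_info_line(line: str) -> PcapInfoAlert:
    """Parse one alert line; raise ValueError on a malformed line.

    Splitting on at most FIELD_COUNT - 1 separators keeps the message
    field whole even when it contains ':' characters.
    """
    line = line.rstrip("\r\n")
    parts = line.split(":", FIELD_COUNT - 1)
    if len(parts) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(parts)}: {line!r}")
    try:
        numbers = [int(p) for p in parts[:-1]]
    except ValueError as exc:
        raise ValueError(f"non-integer field in {line!r}") from exc
    if numbers[0] < 1:
        # pcap packet ids are 1-based; anything else cannot be matched
        # against a frame in the capture file.
        raise ValueError(f"invalid packet number in {line!r}")
    return PcapInfoAlert(*numbers, parts[-1])


def parse_pcap_info(lines: Iterable[str]) -> List[PcapInfoAlert]:
    """Parse all non-empty lines of a pcap-info file."""
    return [parse_pcap_info_line(line) for line in lines if line.strip()]


def alerts_by_packet(alerts: Iterable[PcapInfoAlert]) -> Dict[int, List[PcapInfoAlert]]:
    """Group alerts by pcap packet number, the key a dissector plugin would
    use to annotate a frame with the signatures that matched on it."""
    grouped: Dict[int, List[PcapInfoAlert]] = defaultdict(list)
    for alert in alerts:
        grouped[alert.packet_number].append(alert)
    return dict(grouped)


if __name__ == "__main__":
    parsed = parse_pcap_info(SAMPLE_LOG.splitlines())
    for pkt, hits in sorted(alerts_by_packet(parsed).items()):
        print(pkt, [(a.gid, a.sid, a.rev, a.msg) for a in hits])
```

Rejecting short or non-integer lines outright, rather than skipping them, matters when the file is consumed by a dissector: a silently dropped alert is indistinguishable from a packet that matched nothing.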
Eric Leblond
1d1e7667ae
util-runmode: rename mod_threads_conf to ModThreadsCount.
14 years ago
Eric Leblond
625a1e070f
runmode: suppress printf
...
This patch replaces printf with calls to SCLogError.
14 years ago
Eric Leblond
2596d3bcdd
runmode: treat SCStrdup error.
14 years ago
Eric Leblond
beaa909eb8
Add "workers" runmode.
...
Previous commits have considerably empowered the "single" mode which
could contain multiple threads. This behaviour was not a target for
this runmode and the following patch remedies the situation by
introducing the "workers" mode where each thread does all the tasks
from acquisition to logging. This runmode is currently implemented
for af-packet and pf-ring.
14 years ago
Eric Leblond
788fa1e5a1
pfring: Fix typo in help.
14 years ago
Eric Leblond
730a86e6b8
pfring: fix warning
...
When PF_RING is disabled this function is unused and thus triggers a
warning at compilation.
14 years ago
Eric Leblond
3f75b10f79
Suppress useless code.
...
This code was making a warning for some time now. This patch kills
it.
14 years ago
Eric Leblond
45d5c3ca59
runmode: introduce configuration dereferencing.
...
A device configuration can be used by multiple threads. It is thus
necessary to wait until all threads stop using the configuration before
freeing it. This patch introduces an atomic counter and a free function
which has to be called by each thread when it will no longer use
the structure. If the configuration is not used anymore, it is freed
by the free function.
14 years ago
Eric Leblond
3261b814db
Make SC_ATOMIC_[SUB|ADD] return result value
...
This patch modifies the SC_ATOMIC_[SUB|ADD] to have them return
the value of the result. This permits writing tests based on the return
value of the macro.
14 years ago
Eric Leblond
d3d99ffa13
Fix coding style and use SC* function.
...
This patch fixes the coding style and uses the Suricata functions instead
of the plain libc versions.
14 years ago
Eric Leblond
f998fda4dd
pfring: factorize iface and parser initialisation.
14 years ago
Eric Leblond
cc7b80437a
pfring: should not call free
14 years ago
Eric Leblond
93cf2b1690
pfring: add single mode.
14 years ago
Eric Leblond
77869a2df8
single runmode: add support for multiple capture threads
14 years ago
Eric Leblond
c75fffe92d
Improve help message
...
Usage of the command line has evolved with the introduction of long options.
This patch updates the description of the related options.
14 years ago
Eric Leblond
dc075a74a2
pcap: add --pcap option
...
This patch adds a --pcap option which can be used to select either
an interface, if an argument is provided, or the interfaces defined
in the configuration file.
14 years ago
Eric Leblond
b2c281920f
af-packet: should not call free
14 years ago
Eric Leblond
1aab2470db
af-packet: factorise single mode.
14 years ago
Eric Leblond
63d614162c
pcap: should not call free
14 years ago
Eric Leblond
491686c33e
pcap: factorise single mode.
14 years ago
Eric Leblond
abe99ee5f6
runmode: add factorisation function for single mode.
14 years ago
Eric Leblond
c3ba992652
pfring: restore precedence of command line options.
14 years ago
Eric Leblond
b2598f97e7
pcap: restore backward compatibility
14 years ago
Eric Leblond
21663acd3b
pcap: use good var name for live-interface
14 years ago
Eric Leblond
d3d8beb337
pcap: factorize runmode
...
This patch factorizes auto and autofp runmodes for pcap.
14 years ago
Eric Leblond
d9d8286671
pfring: restore compatibility with v1.0 config
...
Compatibility of pfring module with previous version was broken. This
patch restores backward compatibility.
14 years ago
Eric Leblond
a64dcfeba2
pfring: use factorisation function
...
This patch converts pfring to pktacqloop and uses the new factorisation
function. This also fixes command line parsing of pfring which is now
able to work like af-packet:
- 'suricata -c s.yaml --pfring' starts suricata with all interfaces in
conf
- 'suricata -c s.yaml --pfring=eth2' starts suricata on eth2
14 years ago
Eric Leblond
cbb36b5182
af-packet: remove unused function
14 years ago
Eric Leblond
75c875b1ac
af-packet: use factorisation function for Auto mode.
14 years ago
Eric Leblond
8bf0897b3c
Add factorisation function for runmode.
...
This patch adds a function which will be used to factorise the
Auto runmode between the different IDS mode.
14 years ago
Eric Leblond
d4d62f3099
http-uri: Remove useless function declaration.
14 years ago
Victor Julien
3401defbbb
tag: fixes and cleanups
...
Major fixes for the tag subsystem:
- Removed TimeGet call from tag packet runtime to save a gettimeofday
- Removed unused lock from data type
- Fixed broken first packet skip logic
- Fix broken reference counter logic
- Fix memory leak on tag expiration
- Cleaned up code
14 years ago
Anoop Saldanha
b7b58074de
fix ac unittest
14 years ago
Anoop Saldanha
d6f9e06bbb
update ac to behave the same way irrespective of the state count. Should improve performance. Also fix unittests to accommodate these changes
14 years ago
Anoop Saldanha
dcaef183e8
fix compiler warning for printf format
14 years ago
Victor Julien
bc5c9f4a52
Fix too many SMTP commands causing an integer overflow in the cmds_cnt variable, in turn causing an out of bounds memory write.
14 years ago
Victor Julien
9baa16af63
Convert flow memcap to u64. Bug #332 .
14 years ago
Victor Julien
8208eacd79
Convert stream memcaps to u64. Bug #332 .
14 years ago
Victor Julien
4c641f0deb
Fix compilation with profiling enabled.
14 years ago
Anoop Saldanha
3ec7b75194
fix timestamps for pseudo packets created during FFR - bug 337
14 years ago
Anoop Saldanha
9d94bb38d5
refactor flow timeout code. fix ipv6 address assignment for pseudo pkt.
14 years ago
Anoop Saldanha
246a4e9fff
for shutdown reassembly properly init the reassembly packet using PACKET_RECYCLE
14 years ago
Victor Julien
1a5931e878
pcap-log: fall back to sguil_base_dir option if 'dir' isn't set. Minor cleanups.
14 years ago
William Metcalf
3b3f5816bf
You spin me right round baby, right round like a rotating packet capture right round. Oh, also log file size counters are now uint64_t
14 years ago
Victor Julien
6bad2dbd79
Don't match on IP only rules that use ports if packet is not (proper) TCP, UDP or SCTP. Rules out frags matching as well.
14 years ago
Anoop Saldanha
63ed36a892
Replace all reallocs with SCReallocs
14 years ago
Anoop Saldanha
4307ea2348
Replace all frees with SCFrees
14 years ago
Anoop Saldanha
797b1a44c7
Replace all strdup with SCStrdup
14 years ago
Anoop Saldanha
13ea299ee0
Replace all mallocs with SCMallocs
14 years ago
Eric Leblond
de59c9f4b1
Add and use utility functions for checksum computing.
14 years ago
Eric Leblond
a85dc9b0e2
Add support for replace keyword.
...
This patch adds support for the replace keyword. It is used with
content to change a selected part of the payload. The major point
with this patch is that having a replace keyword made it necessary
to avoid all stream-level checks because we need access to the
could-be-modified packet payload.
One of the main difficulties is to handle complex signatures. If there are
other content checks, we must do the substitution when we're sure all
matches are valid. The patch adds an attribute to the thread context
variable to be able to deal with recursion of the match function.
Replace is only activated in IPS mode and applies only to raw matches.
14 years ago
Eric Leblond
0c34a1c5e7
rewrite constants and add flag for replace
...
This patch makes use of bit shifts to rewrite some of the mask constants.
It also deletes an unused flag value and suppresses the associated dead code.
The numeric value of the flag is now used by the flag needed for replace
code.
14 years ago
Victor Julien
77b7089f79
Fix stream-events not working. Stream events won't fit our 'detection only' schema. Fixes #321 .
14 years ago
pilcrow
f5017e0d1a
Always try PCRE_NO_AUTO_CAPTURE first for signature regexes.
...
Many, many pcre: signatures specify (...) when the more efficient
(?:...) is all that is needed. This change attempts to force
PCRE_NO_AUTO_CAPTURE on all unnamed capture groups, reverting to
capturing when necessary, e.g., when \1 is referenced.
14 years ago
Victor Julien
60887131be
Fix minor address parsing compiler warning.
14 years ago
Anoop Saldanha
8028392e9a
fix mpm segv. Use sgh flags to check if the sgh has packet or stream mpm set or not
14 years ago
Anoop Saldanha
41d71a6d70
fix http http transaction id update. Update transactions as soon as we receive a callback on new request
14 years ago
pilcrow
ed69eeab14
Safer macro parenthesization and do/while use
14 years ago
Eric Leblond
bbd04fde30
NFQ: fix race condition at exit.
...
A race condition was observed when leaving NFQ. This was caused by
the queue handle being accessed after being nullified. This patch
uses the handle mutex to protect the destruction and adds NULL checks
to avoid crashes.
14 years ago
Victor Julien
1ab6443e44
Fix compilation when profiling is enabled.
14 years ago
Anoop Saldanha
b6ba944e6d
Rearrange flow manager functions into flow-manager.[ch]. Some other minor changes/updates
14 years ago
Anoop Saldanha
7c729d2d53
some more code cleanup + comments added
14 years ago
Anoop Saldanha
d14fdb1156
Remove the unnecessary unittest runmode check to get the test working. Modify tests to get it working around this
14 years ago
Anoop Saldanha
16884a0dea
refix failing unittest
14 years ago
Anoop Saldanha
552e72e35e
fix failing unittest
14 years ago
Anoop Saldanha
0957c0f8a4
shutdown timeout reassembly shouldn't check timeout flag set or not on flow
14 years ago
Anoop Saldanha
3f1c4efceb
Add new flags var to tm module. TMs can now set flags to identify special properties. Also use these to identify receive TMs
14 years ago
Anoop Saldanha
54f6e4ff4d
Merge thread kill functions. Merge slot's tm_id with the one used by packet profiling. Remove some junk unused code from ms sync pts. Timeout setup cleanup as well. packet q dbg_maxlen now u32 var.
14 years ago
Anoop Saldanha
e335bdbfbc
Code cleanup. All code to kill flow manager thread under one function now.
14 years ago
Anoop Saldanha
99a496e852
Indentation fixes
14 years ago
Anoop Saldanha
e68ca2f32f
Rewrite forced reassembly v2 using while loop instead of goto
14 years ago
Anoop Saldanha
6cc179fad8
flow mgr code doesn't have to bother with immediately exiting on seeing a suricata_ctl flag set
14 years ago
Anoop Saldanha
b09c9751aa
Now flow hash section can force reassemble flows as well
14 years ago
Anoop Saldanha
42493ee6b7
rename pseudo packet creation function. Shift the check for forced reassembly necessity on a session/direction to an inline function in the stream api
14 years ago
Anoop Saldanha
6c95526423
Introduce a new wrapper macro that waits in a loop until the flag(s) in question have been set
14 years ago
Anoop Saldanha
a7acf9ea8f
Remove all code introduced earlier concerned with ms sync points
14 years ago
Anoop Saldanha
b0a588beeb
Introduce another solution to solve stream timeout shutdown issue using thread flags. No more MSSyncPts
14 years ago
Anoop Saldanha
aef957c6eb
cleanup flow code and pseudo packet creation function
14 years ago
Anoop Saldanha
f2bcf9ea2c
modify post_pq packet handling.
...
- Lock the q just once, once we have detected the presence of packet(s)
in the queue. Unlock it when we consume all packets from the q.
14 years ago
Anoop Saldanha
b4887943fb
packet queue len member is now 32 bit unsigned from the previous 16 bit unsigned. Should take care of the overflow for now
14 years ago
Anoop Saldanha
9256c7bf0a
always keep queue locked till we exit flowprune. Should prevent potential threading issues
14 years ago
Anoop Saldanha
d4ba869a35
fix - we need to set direction flags for reassembly pseudo packet. Also reset local flags for every flow that is force reassembled in ForQ
14 years ago
Anoop Saldanha
4ef3679b13
Remove the macro for pktacqloop which is now replaced by an inline function
14 years ago
Anoop Saldanha
edebdee1e5
update flow pruning - v6
14 years ago
Anoop Saldanha
99207c718d
Avoid possibility of potential engine idling from consumption of all packetpool packets - v1
...
- Now forced reassembly uses only malloced packets.
14 years ago
Anoop Saldanha
7d3e501f57
shutdown stream reassembly now avoids looking at flows that have already been processed by flow mgr reassembly
14 years ago
Anoop Saldanha
a559bfc165
signal the post pq if possible, whenever pseudo packets are injected into engine flow. Also carry out post pq processing irrespective of packet retrieval from the flow.
14 years ago
Anoop Saldanha
fd9bacb02d
fix usage of htons to htonl in creation of pseudo packet
14 years ago
Anoop Saldanha
56fba8e275
move flow incr cnt while we actually create the pseudo packet in forced reassembly
14 years ago
Anoop Saldanha
51d2b64902
update flow pruning - v5
14 years ago
Anoop Saldanha
c30dbff63d
update flow pruning - v4
14 years ago
Anoop Saldanha
3b0142fa46
update flow pruning - v3
14 years ago
Anoop Saldanha
6dcb68abb0
update flow pruning - v2
14 years ago
Anoop Saldanha
f197b32a55
update flow pruning - v1
14 years ago
Anoop Saldanha
272c2433ec
Cleanup flow.c before further changes
14 years ago
Anoop Saldanha
8363533a02
support for forced stream reassembly for to-be-pruned flows
14 years ago
Anoop Saldanha
727a950e39
Move time elapsed right after we finish all packet processing
14 years ago
Anoop Saldanha
762ac0fe31
update conditional in shutdown forced reassembly to check for flows that required flow reassembly
14 years ago
Anoop Saldanha
15359dc47e
Slot structure now holds the TV it belongs to
14 years ago
Anoop Saldanha
9552e6f696
Shutdown flow timeout reassembly now supports ipv6
14 years ago
Anoop Saldanha
54f8d56f48
Packet inspection keywords modified to not inspect pseudo packet
14 years ago
Anoop Saldanha
c365bafbf6
We now inspect timed out streams + streams not processed as yet, at engine shutdown
14 years ago
Anoop Saldanha
56432cee16
Single thread kill also checks if inq is cleared before shutting down
14 years ago
Anoop Saldanha
8fa923c5ac
- All threads also check to see if their inq is cleared before they shutdown.
14 years ago
Anoop Saldanha
a844eecb0e
- Updated all runmodes to use synchronization points, right before each thread (slot function) tries to de-init the thread.
- Main thread now first disables receive thread(s) before it kills receive and rest of the threads.
14 years ago
Anoop Saldanha
e567c2d002
Introduce master-slave synchronization support for ThreadVars
14 years ago
Anoop Saldanha
94c5ecb069
introduce inline function version of TmThreadsSlotProcessPkt macro. Retain the macro as well
14 years ago
Anoop Saldanha
fd6faac196
update TmThreadsSlotProcessPkt with better error handling + post pq processing
14 years ago
Anoop Saldanha
3fb65f5ec2
fix local var usage for slot in tm-threads.c
14 years ago
Anoop Saldanha
acbcee69ff
support post pq packet processing in var slot
14 years ago
Victor Julien
cc4e89fbe1
Profiling: convert all packet profile counters/variables to u64. Improve output for larger numbers.
14 years ago
Eileen Donlon
e8c51e09e8
fixed bug 291 corrected reference to reference-config-file
14 years ago
Eileen Donlon
89599d3b9b
fixed bug 288; corrected config boolean parsing problems
14 years ago
Eric Leblond
de1d002ea6
Return OK when leaving cleanly.
14 years ago
Eric Leblond
2631e5f14f
pcap: get rid of old API.
14 years ago
Eric Leblond
6f975d3248
pcap: add "autofp" runmode
...
This patch adds "autofp" runmode. This runmode supports multiple
devices and uses the new CPU affinity system.
14 years ago
Eric Leblond
effa295489
pcap: add "single" runmode
...
This patch adds support for the "single" mode to the pcap live
mode.
14 years ago
Victor Julien
e13181496c
ip-only: added support for matching on ports.
14 years ago
Victor Julien
3d396e8b1e
Update PCRE JIT code to support official JIT implementation in pcre-8.20-RC1.
14 years ago
Victor Julien
751a77a9be
Make sure stream/engine-event signatures are recognized as such.
14 years ago
Victor Julien
c590bba4a4
Undo tunnel reference counting using atomic operations. Revert to mutex based code.
14 years ago
Victor Julien
63f834d9a7
Add profiling to various HTTP buffer MPM calls.
14 years ago
Victor Julien
2675879ff1
Engine and stream events only rules are deonly compat as well.
14 years ago
Eric Leblond
bd7ac3eaa6
PrintInet: fix compilation on FreeBSD
14 years ago
Anoop Saldanha
3801e00426
fix compilation warnings from runmode-af-packet.c
14 years ago
Victor Julien
baddfcaa1a
Extend packet profiling to other thread 'slot' functions.
14 years ago
Victor Julien
3693a7a9ee
Profiling: add accounting for several detection phases.
14 years ago
Victor Julien
e8e392fb1f
Profiling: add per packet accounting of how many ticks are spent in protocol detection.
14 years ago
Eric Leblond
7425bf5ca6
Rename some decode event structures and macros.
...
This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some
other structures to ENGINE equivalent to take into account the fact
the event list is now related to all engines and not only to decoder.
14 years ago
Eric Leblond
de65b11c42
decode signature optimisation requires different treatment
...
Decode signatures are using the fact that no proto is set on the packet
to increase the matching speed. This is not the case for stream and
other engine events. Thus a difference needs to be made.
14 years ago
Eric Leblond
3f153fb0da
Add 'stream-event' keyword.
...
This patch adds an alias to the 'engine-event' keyword. It is now
possible to access the stream events via the 'stream-event'
keyword. A simple transformation is done:
stream-event:reassembly_segment_before_base_seq
is a shortcut for:
engine-event:stream.reassembly_segment_before_base_seq
14 years ago
Eric Leblond
eb0d4e4d8b
Add stream events support to 'engine-event' keyword
...
This patch adds the list of stream events (with associated
keywords) to the list of events that can be treated by 'engine-event'.
14 years ago
Eric Leblond
e3a6d8955e
Introduce engine-event keyword
...
This patch renames the 'decode-event' keyword to 'engine-event' and
keeps it for backward compatibility of rulesets. All *DecodeEvent*
references in the code are replaced by the EngineEvent version.
14 years ago
Eric Leblond
2ac8755382
Rename detect-decode-event to detect-engine-event
...
This patch does a simple renaming of detect-decode-event file to
the more global detect-engine-event name.
14 years ago
Victor Julien
21f387d2c7
profiling: fix stream ticks miscalculation on stream end pseudo packets.
14 years ago
Eric Leblond
ff6365dd33
af-packet: switch to pcktacqloop API.
...
This patch gets rid of the old API and brings some optimisation
by reordering a structure and optimising an error test.
14 years ago
Eric Leblond
834c91eece
af-packet: add AFP to per packet performance system.
14 years ago
Eric Leblond
fb4be6199f
af-packet: change option name
...
This patch changes the option name. af-packet long option is
now used instead of -a to mimic pfring behaviour.
This patch improves the standard parsing of the command line.
Running
suricata -c suricata.yaml --af-packet
will start a suricata running in AF_PACKET mode listening on all
interfaces defined in the suricata.yaml configuration file. The
traditional syntax:
suricata -c suricata.yaml --af-packet=ppp0
will start a suricata listening on ppp0 only.
14 years ago
Eric Leblond
e253da092c
device: Add function to build interface list from config
...
This patch adds a new function which builds the list of interfaces to
use by parsing the configuration file. This is using the new format
and thus only af-packet can benefit from this feature.
14 years ago
Eric Leblond
df7dbe36b6
af-packet: Add option to disable promiscuous mode
...
This patch adds an option to suricata.yaml to be able to disable
the switch of the interface into promiscuous mode.
14 years ago
Eric Leblond
fbca1a4e6b
af-packet: multi interface support
...
This patch adds multi interface support to AF_PACKET. A structure
is used at thread creation to give all needed information to the
input module. Parsing of the options is done in runmode preparation
through a dedicated function which returns the configuration in a
structure usable by thread creation.
14 years ago
Eric Leblond
dc667af1a1
conf: Introduce new function to input configuration.
...
The input modules need a per interface configuration. This
implies some new operations to be able to parse the configuration easily.
The syntax of the configuration file is for example:
af-packet:
  - interface: eth0
    threads: 2
  - interface: eth1
    threads: 3
We need a way to get a configuration variable for interface[eth0].
This is done by using ConfNodeLookupKeyValue() to get the matching node. And
after that the value can be fetched by using the ConfGetChildValue*() functions.
14 years ago
Eric Leblond
e80b30c082
af-packet: finalize code
...
This patch handles the end of AF_PACKET socket support work. It
provides conditional compilation, autofp and single runmode.
It also adds a 'defrag' option which is used to activate defrag
support in kernel to avoid rx_hash computation in flow mode to fail
due to fragmentation.
This patch contains some fixes by Anoop Saldanha, and incorporates
changes following review by Anoop Saldanha and Victor Julien.
AF_PACKET support is only built if the --enable-af-packet flag is
given to the configure command line. Detection of code availability
is also done: a check of the existence of AF_PACKET in the standard
header is done. It seems this variable is Linux specific and it
should be enough to avoid compilation of AF_PACKET support on other
OSes.
Compilation does not depend on up-to-date headers on the system. If
none are present, we make our own declaration of FANOUT variables. This
will permit compilation of the feature for systems where only the kernel
has been updated to a version superior to 3.1.
14 years ago
Eric Leblond
871b21892a
factorize pcap live device function
...
They are not specific to pcap and could thus be used in other modules.
14 years ago
Eric Leblond
c45d898572
af-packet: basic support for AF_PACKET socket
...
This patch provides basic support for AF_PACKET socket. It is
completed by subsequent patches providing extended features
and bugfixes.
14 years ago
Anoop Saldanha
58b595cc21
fastlog print updates for ipv6. combine the io write
14 years ago
Anoop Saldanha
e8f9557664
fastlog print updates. combine the io write
14 years ago
Victor Julien
fca541f40e
Add per app layer parser profiling
...
Per packet per app layer parser profiling. Example summary output:
Per App layer parser stats:
App Layer            IP ver Proto cnt    min    max        avg
-------------------- ------ ----- ------ ------ ---------- -------
ALPROTO_HTTP         IPv4   6     163394 126    38560320   42814
ALPROTO_FTP          IPv4   6     644    117    26100      2566
ALPROTO_TLS          IPv4   6     670    117    7137       799
ALPROTO_SMB          IPv4   6     114794 126    225270     957
ALPROTO_DCERPC       IPv4   6     5207   126    25596      1266
Also added to the csv out.
In the csv out there is a new column "stream (no app)" that removes the
app layer parsers from the stream tracking. So raw stream engine performance
becomes visible.
14 years ago
Victor Julien
0cc9f39200
Move TlsConfig structure out of app-layer-protos.h and rename it to SslConfig.
14 years ago
Victor Julien
820b0ded82
Add per packet profiling.
...
Per packet profiling uses tick based accounting. It has 2 outputs, a summary
and a csv file that contains per packet stats.
Stats per packet include:
1) total ticks spent
2) ticks spent per individual thread module
3) "threading overhead" which is simply calculated by subtracting (2) from (1).
A number of changes were made to integrate the new code in a clean way:
a number of generic enums are now placed in tm-threads-common.h so we can
include them from any part of the engine.
Code depends on --enable-profiling just like the rule profiling code.
New yaml parameters:
profiling:
  # packet profiling
  packets:
    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: packet_stats.log
    append: yes
    # per packet csv output
    csv:
      # Output can be disabled here, but it will still have a
      # performance impact if compiled in.
      enabled: no
      filename: packet_stats.csv
Example output of summary stats:
IP ver Proto cnt    min    max        avg
------ ----- ------ ------ ---------- -------
IPv4   6     19436  11448  5404365    32993
IPv4   256   4      11511  49968      30575
Per Thread module stats:
Thread Module            IP ver Proto cnt    min    max        avg
------------------------ ------ ----- ------ ------ ---------- -------
TMM_DECODEPCAPFILE       IPv4   6     19434  1242   47889      1770
TMM_DETECT               IPv4   6     19436  1107   137241     1504
TMM_ALERTFASTLOG         IPv4   6     19436  90     1323       155
TMM_ALERTUNIFIED2ALERT   IPv4   6     19436  108    1359       138
TMM_ALERTDEBUGLOG        IPv4   6     19436  90     1134       154
TMM_LOGHTTPLOG           IPv4   6     19436  414    5392089    7944
TMM_STREAMTCP            IPv4   6     19434  828    1299159    19438
The proto 256 is a counter for handling of pseudo/tunnel packets.
Example output of csv:
pcap_cnt,ipver,ipproto,total,TMM_DECODENFQ,TMM_VERDICTNFQ,TMM_RECEIVENFQ,TMM_RECEIVEPCAP,TMM_RECEIVEPCAPFILE,TMM_DECODEPCAP,TMM_DECODEPCAPFILE,TMM_RECEIVEPFRING,TMM_DECODEPFRING,TMM_DETECT,TMM_ALERTFASTLOG,TMM_ALERTFASTLOG4,TMM_ALERTFASTLOG6,TMM_ALERTUNIFIEDLOG,TMM_ALERTUNIFIEDALERT,TMM_ALERTUNIFIED2ALERT,TMM_ALERTPRELUDE,TMM_ALERTDEBUGLOG,TMM_ALERTSYSLOG,TMM_LOGDROPLOG,TMM_ALERTSYSLOG4,TMM_ALERTSYSLOG6,TMM_RESPONDREJECT,TMM_LOGHTTPLOG,TMM_LOGHTTPLOG4,TMM_LOGHTTPLOG6,TMM_PCAPLOG,TMM_STREAMTCP,TMM_DECODEIPFW,TMM_VERDICTIPFW,TMM_RECEIVEIPFW,TMM_RECEIVEERFFILE,TMM_DECODEERFFILE,TMM_RECEIVEERFDAG,TMM_DECODEERFDAG,threading
1,4,6,172008,0,0,0,0,0,0,47889,0,0,48582,1323,0,0,0,0,1359,0,1134,0,0,0,0,0,8028,0,0,0,49356,0,0,0,0,0,0,0,14337
First line of the file contains labels.
2 example gnuplot scripts added to plot the data.
14 years ago
Victor Julien
1bd1a62526
Rename profile macro's and variables to reflect that they are for rule profiling.
14 years ago
Eric Leblond
88559901d4
pcap-file: Allocated packet must be freed if there's an error
14 years ago
Eric Leblond
f6628f140d
detect: fix regular expression used for check.
14 years ago
Eric Leblond
a354034cfc
nfq: Fix deinit phase
...
If the receive thread is failing, we need to restart it but the code was
not restarting the queue (this was done in the verdict thread).
14 years ago
Eric Leblond
eddcedba0a
nfq: make thread abort if NFQ verdict fail
14 years ago
Eric Leblond
2ffcef0a8e
nfq: Add iterator on nfq_set_verdict
...
This patch adds retry to nfq_set_verdict in case of error.
14 years ago
Eric Leblond
a8b21066df
tm-thread: fix documentation string
14 years ago
Eric Leblond
a8ae1c42c3
Fix macro about default packet size
...
Being pessimistic about the default packet size has side effects in
some modules. Falling back to the sane correct value.
14 years ago
Eric Leblond
685e0e1a63
Rename rule_type_t to ThresholdRuleType.
14 years ago
Eric Leblond
8787e6f6d0
suppress: use DetectAddress instead of DetectAddressHead
14 years ago
Eric Leblond
8ff8ec4f82
Export some DetectAddress related function.
14 years ago
Eric Leblond
7938344e1b
threshold: refactoring of parsing code
...
This patch factorizes the regular expression to ease the parsing
process. It also adds a missing free and factorizes the exit code.
14 years ago
Eric Leblond
03c185a3ad
threshold: add suppress keyword
...
This patch adds the suppress keyword to the threshold.config file.
The alerts are suppressed but the other elements like flowbits are
maintained.
14 years ago
Eric Leblond
85e8d8e200
Add sanity check to DetectAddressParse.
...
The function is only used at parsing time, so it is not costly to add
a simple sanity check.
14 years ago
Eric Leblond
7168e0aafc
threshold: fix trivial typo in parsing.
14 years ago
Eric Leblond
a56f8dd6b2
doc: introduce doxygen group "threshold"
...
This patch introduces a doxygen group to put together the documentation
relative to threshold. Groups appear on a separate page and they can have
their own documentation. This is useful when a feature is split into
different files.
14 years ago
Victor Julien
dc218388e5
Fix flowint keyword pcre_get_substring issue.
14 years ago
Victor Julien
1740c3a7c7
Fix urilen keyword pcre_get_substring issue.
14 years ago
Victor Julien
f52b54f63e
Fix ssl keyword pcre_get_substring issue.
14 years ago
Eric Leblond
6b9d1012ff
Transform inet_ntop call into PrintInet one.
14 years ago
Eric Leblond
2fa07780c2
Introduce PrintInet function
...
This function has the same signature as inet_ntop() and it
will be used as a substitution in the code. For IPv4 this is a simple
wrapper. For IPv6, it displays addresses with fixed length.
14 years ago
Victor Julien
7e1d911215
Small optimizations to pkt acq loop code.
14 years ago
Victor Julien
b753ecce50
Implement a pkt acq loop infra with support for pcap-file.
14 years ago
Anoop Saldanha
975ebf2e4f
Minor changes to move function calls that kill threads + free resources to the clean up phase right at the end of the main thread
14 years ago
Anoop Saldanha
ff7284e7b7
Fix code that allows the engine to restart threads that have exited on failure
14 years ago
Anoop Saldanha
524af82b1a
code cleanup in tm-threads.c
14 years ago
Anoop Saldanha
4f7df1029d
Unify the use of slots to a single struct for threading API. Remove separate slot append functions for 1slot and varslot
14 years ago
William
6730c3ace1
Actually limit recursion and backtracking and stack usage by PCRE. Logic was broken, no example was provided in suricata.yaml even though it could be set from there.
14 years ago
William
61fe05b220
Fix for silly pcap counters mistake made by me. ps_recv includes dropped packets.
14 years ago
William
b3f7e6a2fc
Only set PF_RING cluster if we have more than one receive thread. Gives us accurate drop stats.
15 years ago
Anoop Saldanha
d3bc3f0fe5
coverity fix for counters api
15 years ago
Anoop Saldanha
be3996ac02
coverity fix - 1.1beta branch - add some comments to indicate false positives by coverity for future reference - mainly comments for switch statement fall through
15 years ago
Victor Julien
df3ca322a4
Fixes for out of bounds pcre_get_substring calls no longer silently accepted by modern pcre.
15 years ago
William
1099093e0f
Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required.
15 years ago
Eric Leblond
a0b4068041
autotools: fix duplicate check command in Makefile.
...
It seems that the check target can not be used in Makefile.am. Using
check-am fixes a make failure.
15 years ago
Eric Leblond
586aae0ff3
Indentation fix on source-pcap.
15 years ago
Anoop Saldanha
c8701cf8d1
fix var name parsing in byte_extract
15 years ago
Anoop Saldanha
7e5c52c80b
add flowbits:set; only sigs to be treated as ip only
15 years ago
William
bca8fbc79e
Add Num, Rev, and Gid columns to rule perf output
15 years ago
Victor Julien
0625d54267
Improve HTPParserTest07 test to be more helpful if it fails.
15 years ago
Victor Julien
862b708a70
Fix stream unittest.
15 years ago
Anoop Saldanha
88115902b0
Have separate parser vars in smtp to hold dynamic buffers for parsing fragmented lines
15 years ago
Anoop Saldanha
576ec7da66
smtp parser support
15 years ago
Victor Julien
add02a4ef3
Fix handling of FIN/ACK packet on TCP state TCP_FIN_WAIT2.
15 years ago
Victor Julien
16b41a5eff
Use p->proto in detect to determine TCP/UDP/SCTP.
15 years ago
Victor Julien
ebe99a2597
Fix unified2 packet length not being set properly for reassembled stream packets.
15 years ago
Victor Julien
047b19d271
Fix a reassembly bug that in some cases could lead to a crash.
15 years ago
Victor Julien
22a97af226
Only compile byte_extract unittests if --enable-unittests is enabled.
15 years ago
Eric Leblond
5727fac988
cpu affinity: detect a missed invalid case
...
This patch improves the error handling in the definition of cpu
set. It detects when the max value is too big and displays the name
of the invalid cpu set in the error message.
15 years ago
Eric Leblond
d34e85c203
Fix #290 : avoid looping when affinity is invalid
...
This patch adds a loop counter to detect when the cpu_set does
not intersect the set of available CPUs.
15 years ago
Victor Julien
e5cc68a91f
Attempt to work around missing __WORDSIZE define on FreeBSD.
15 years ago
Victor Julien
4025567a5a
Fix a number of unittests not properly initializing a packet causing issues on some archs.
15 years ago
Victor Julien
43b2e63c1e
Fix minor compiler comments in CUDA code.
15 years ago
Martin Beyer
2f1262b446
fixed cuda build: portability issues and nvcc version check
15 years ago
Martin Beyer
736f09c4bc
fixed ptxdump for python3
15 years ago