Commit Graph

8360 Commits (11990c71173f24f9c20f568b71f3c80592fe912b)
 

Author SHA1 Message Date
Ralph Broenink 11990c7117 doc: Move the definition of modifier keywords to the introduction 7 years ago
Ralph Broenink dfae19247d doc: Completely rewrite the rules introduction for more clarity 7 years ago
Ralph Broenink 274c36eb2f doc: Meta-settings -> Meta Keywords plus some textual changes
Most importantly, conventions are now placed in tip boxes
7 years ago
Ralph Broenink 3413793768 doc: Use lowercased keyword names as section titles 7 years ago
Ralph Broenink a52aacb4ea doc: Replace images of tables and rules with text in rules docs
In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis.

Additionally, some tables embedded into images were also replaced by reST tables.
7 years ago
Ralph Broenink 44926e2369 doc: Add suricata.css to allow for some custom styling 7 years ago
Victor Julien 5335d8b877 detect/uri: apply urilen contents as depth 7 years ago
Victor Julien 606eab937c detect/http_uri: remove broken tests 7 years ago
Wolfgang Hotwagner c16509a8b6 conf: stack-based buffer-overflow in ParseFilename
There is a stack-based buffer-overflow in ParseFilename. Since the length of "outputs.pcap-log.filename" is not checked and the destination buffer "str" has a fixed length of 512 bytes, a buffer overflow happens with long filenames. An attacker could exploit this for code execution if the configuration-file is not protected properly. This commit fixes ticket #2335

This is what the asan-output looks like:

~/suricata-1/src# suricata -T -c ./suricata.yaml
[27871] 3/12/2017 -- 20:48:13 - (suricata.c:1876) <Info> (ParseCommandLine) -- Running suricata under test mode
[27871] 3/12/2017 -- 20:48:13 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev f3fea60b)
=================================================================
==27871==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffbe9d75e0 at pc 0x55897b5f935f bp 0x7fffbe9d72b0 sp 0x7fffbe9d72a8
WRITE of size 1 at 0x7fffbe9d75e0 thread T0 (Suricata-Main)
    0 0x55897b5f935e in ParseFilename /root/suricata-1/src/log-pcap.c:895
    1 0x55897b5fb173 in PcapLogInitCtx /root/suricata-1/src/log-pcap.c:985
    2 0x55897b6af103 in RunModeInitializeOutputs /root/suricata-1/src/runmodes.c:752
    3 0x55897b72c6b5 in PreRunPostPrivsDropInit /root/suricata-1/src/suricata.c:2263
    4 0x55897b730416 in main /root/suricata-1/src/suricata.c:2898
    5 0x7f947f6db2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    6 0x55897b2d4c19 in _start (/usr/local/bin/suricata+0xc4c19)

Address 0x7fffbe9d75e0 is located in stack of thread T0 (Suricata-Main) at offset 672 in frame
    0 0x55897b5f7fcc in ParseFilename /root/suricata-1/src/log-pcap.c:836

  This frame has 3 object(s):
    [32, 104) 'toks'
    [160, 672) 'str' <== Memory access at offset 672 overflows this variable
    [704, 2752) '_sc_log_msg'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/suricata-1/src/log-pcap.c:895 in ParseFilename
Shadow bytes around the buggy address:
  0x100077d32e60: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x100077d32e70: 00 00 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00
  0x100077d32e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077d32e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077d32ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100077d32eb0: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2
  0x100077d32ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077d32ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077d32ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077d32ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077d32f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27871==ABORTING
7 years ago
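The bug class in the commit above, as an added illustration that is not Suricata's log-pcap.c: an unbounded copy of a configuration string into a fixed 512-byte stack buffer, beside a length-checked version that rejects the value instead of overflowing. The 512-byte size is taken from the `str` object in the ASan frame; the function names, the `demo_*` wrappers and the 600-byte input are assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer; 512 matches the 'str' object in the ASan
 * frame above. Function names and inputs below are constructed for this
 * illustration and are not Suricata's code. */
#define PCAP_FILENAME_MAX 512

/* Vulnerable pattern: every byte of the configured value is copied into a
 * 512-byte stack array with no check against the array size, so a value of
 * 512 or more bytes writes past 'str' (the WRITE of size 1 ASan reported). */
static void parse_filename_vulnerable(const char *filename)
{
    char str[PCAP_FILENAME_MAX];
    size_t i = 0;
    while (filename[i] != '\0') {   /* i is never compared with sizeof(str) */
        str[i] = filename[i];
        i++;
    }
    str[i] = '\0';
    printf("vulnerable copy stored %zu bytes\n", i);
}

/* Hardened form: measure first, reject a value that cannot fit together
 * with its terminator, and copy with an explicit bound. The caller passes
 * the buffer size, so the limit cannot silently drift from the array. */
static bool parse_filename_checked(const char *filename, char *out, size_t out_len)
{
    size_t n = strlen(filename);
    if (out_len == 0 || n >= out_len) {
        fprintf(stderr, "pcap-log.filename is %zu bytes, limit is %zu\n",
                n, out_len ? out_len - 1 : 0);
        return false;
    }
    memcpy(out, filename, n + 1);   /* includes the NUL */
    return true;
}

/* Constructed 600-byte value: longer than the buffer, must be rejected. */
bool demo_reject_long_filename(void)
{
    char long_name[601];
    char str[PCAP_FILENAME_MAX];
    memset(long_name, 'A', 600);
    long_name[600] = '\0';
    return parse_filename_checked(long_name, str, sizeof(str));
}

/* A normal value: accepted and copied intact. */
bool demo_accept_short_filename(void)
{
    char str[PCAP_FILENAME_MAX];
    return parse_filename_checked("log.pcap", str, sizeof(str))
        && strcmp(str, "log.pcap") == 0;
}

/* Exactly 511 bytes fits; 512 does not (no room for the NUL). */
bool demo_boundary(void)
{
    char name[513];
    char str[PCAP_FILENAME_MAX];
    memset(name, 'B', 512);
    name[511] = '\0';
    bool fits = parse_filename_checked(name, str, sizeof(str));
    name[511] = 'B';
    name[512] = '\0';
    bool rejected = !parse_filename_checked(name, str, sizeof(str));
    return fits && rejected;
}

int main(void)
{
    parse_filename_vulnerable("log.pcap"); /* safe input; a 600-byte value here would smash the stack */
    printf("short accepted: %d\n", demo_accept_short_filename());
    printf("long rejected: %d\n", !demo_reject_long_filename());
    printf("boundary ok: %d\n", demo_boundary());
    return 0;
}
```

The vulnerable function is only ever called with a short value here; compile with `-fsanitize=address` and pass it a 600-byte string to reproduce a report of the same shape as the one in the commit message.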
Ruslan Usmanov 1090ee9d8d rate_filter by_both through IPPair storage
Ticket https://redmine.openinfosecfoundation.org/issues/2127
7 years ago
Danny Browning 84b66b7aaa enum: don't printf on util-enum errors
When util-enum encounters an error around enum value it should log the error
rather than losing it to console with printf.

Bug #2268
7 years ago
Victor Julien 999b50476b detect/http_host: add sid to nocase warning 7 years ago
Victor Julien f68067be94 hosts: release packet references to hosts 7 years ago
Gaurav Singh 637a7c8e55 Adds options to mark when a file is final.
This takes the form of an option to add the pid of the process to file
names. Additionally, it adds a suffix to the file name to indicate it is
not finalized.

Adding the pid to the file name reduces the likelihood that a file is
overwritten when suricata is unexpectedly killed. The number in the
waldo file is only written out during a clean shutdown. In the event
of an improper shutdown, extracted files will be written using the old
number and existing files with the same name will be overwritten.

Writes extracted files and their metadata to a temporary file suffixed
with '.tmp'. Renames the files when they are completely done being
written. As-is there is no way to know that a file on disk is still
being written to by suricata.
7 years ago
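The temporary-file-then-rename scheme this commit describes, as an added example that is not Suricata's file-extraction code: the final name carries the pid as `<base>.<pid>`, the in-progress file is `<base>.<pid>.tmp`, and the rename happens only after the data has been flushed. The function names, the `demo_roundtrip` wrapper and the payload are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PATH_BUF 4096
#define TMP_SUFFIX ".tmp"

/* Build "<dir>/<base>.<pid>" and its in-progress twin "<dir>/<base>.<pid>.tmp".
 * Both buffers must be PATH_BUF bytes. Names are assumptions for this example. */
static int build_paths(const char *dir, const char *base, char *final_path, char *tmp_path)
{
    int n = snprintf(final_path, PATH_BUF, "%s/%s.%ld", dir, base, (long)getpid());
    if (n < 0 || n >= PATH_BUF) return -1;
    n = snprintf(tmp_path, PATH_BUF, "%s%s", final_path, TMP_SUFFIX);
    if (n < 0 || n >= PATH_BUF) return -1;
    return 0;
}

/* Write 'size' bytes to the .tmp path, flush to disk, then rename into place.
 * Readers treat anything ending in .tmp as not yet final; an unclean exit
 * before rename() leaves only the .tmp file, never a truncated final file. */
int write_finalized(const char *dir, const char *base, const void *data, size_t size, char *final_path)
{
    char tmp_path[PATH_BUF];
    if (build_paths(dir, base, final_path, tmp_path) < 0) return -1;

    /* O_EXCL: refuse to clobber a .tmp left behind by another writer. */
    int fd = open(tmp_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;

    const unsigned char *p = data;
    while (size > 0) {
        ssize_t w = write(fd, p, size);
        if (w < 0) {
            if (errno == EINTR) continue;
            close(fd); unlink(tmp_path); return -1;
        }
        p += w; size -= (size_t)w;
    }
    int rc = fsync(fd);
    if (close(fd) < 0) rc = -1;
    if (rc < 0 || rename(tmp_path, final_path) < 0) { unlink(tmp_path); return -1; }
    return 0;
}

/* A consumer's check: is this on-disk name finished, or still being written? */
bool is_final(const char *path)
{
    size_t n = strlen(path), s = strlen(TMP_SUFFIX);
    return n < s || strcmp(path + n - s, TMP_SUFFIX) != 0;
}

/* Write a constructed payload, confirm the final name exists with the right
 * content and no .tmp remains, then clean up. */
bool demo_roundtrip(const char *dir)
{
    static const char payload[] = "constructed extracted-file bytes";
    char final_path[PATH_BUF], tmp_path[PATH_BUF], buf[sizeof payload];
    if (write_finalized(dir, "extracted.bin", payload, sizeof payload - 1, final_path) < 0) return false;
    bool ok = is_final(final_path);
    if (build_paths(dir, "extracted.bin", final_path, tmp_path) == 0 && access(tmp_path, F_OK) == 0) ok = false;
    FILE *f = fopen(final_path, "rb");
    ok = ok && f != NULL && fread(buf, 1, sizeof payload - 1, f) == sizeof payload - 1
         && memcmp(buf, payload, sizeof payload - 1) == 0;
    if (f) fclose(f);
    unlink(final_path);
    return ok;
}

int main(void)
{
    char path[PATH_BUF];
    if (write_finalized(".", "extracted.bin", "demo", 4, path) == 0) {
        printf("wrote %s (final: %s)\n", path, is_final(path) ? "yes" : "no");
        unlink(path);
    } else {
        perror("write_finalized");
    }
    return 0;
}
```

The rename is what makes the final name trustworthy: on the same filesystem it is atomic, so a reader never observes a half-written file under the final name, and the pid in the name keeps a restarted process from reusing a name an earlier, uncleanly stopped instance already wrote.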
Victor Julien a1f8cf40e2 detect/http_start: check if 'line' is valid
In certain conditions like low memory the line can be NULL.

Bug #2307.
7 years ago
Victor Julien 9abac08cc7 detect/flowint: harden code
Make sure packet has a flow.

Related to bug #2288.
7 years ago
Victor Julien 40a819d5a6 detect/flowint: only check if packet has flow
Fixed bug #2288.
7 years ago
Victor Julien db24fee16e detect/flowint: improve unittests
In preparation of fixing bug #2288, make sure the unittests setup
the flow in the packet properly.
7 years ago
Victor Julien 7394ee17ec unittest/helpers: add helper to assign flow to packet 7 years ago
Victor Julien 83f220a6b0 detect/depth: reject rules with depth smaller than content 7 years ago
Jason Ish d0846cc561 detect-parse: string copy not required
Without using pcre, copies of the strings are no longer
required.
7 years ago
Jason Ish 73d1e4bc84 detect-parse: don't use pcre for rule parsing
Don't use pcre for the high level rule parsing, instead
using a tokenizing parser for breaking out the rule
into keywords and options.

Much faster, especially on older CPUs. Should also allow
us to provide better context where a rule parse error
occurs.
7 years ago
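A tokenizing rule parser of the kind this commit describes, as an added example that is not Suricata's detect-parse.c: the text before `(` is the header, each option runs to the next `;` outside double quotes, and the first unquoted `:` separates keyword from value. It also shows the better error context a tokenizer can give, returning the column at which parsing failed. The types, function names and the two sample rules are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPTS 32
#define MAX_TOK 256

typedef struct {
    char key[MAX_TOK];
    char val[MAX_TOK];   /* empty for bare keywords such as "nocase" */
} RuleOpt;

typedef struct {
    char header[MAX_TOK];  /* action/proto/addresses/ports before the '(' */
    RuleOpt opts[MAX_OPTS];
    int nopts;
} ParsedRule;

/* Copy [start, end) into dst with surrounding whitespace removed. */
static void trim_copy(char *dst, size_t dst_len, const char *start, const char *end)
{
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    size_t n = (size_t)(end - start);
    if (n >= dst_len) n = dst_len - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Split a rule into header and keyword/value options without regexes.
 * Returns the option count, or -1 with *err_col set to the offending column. */
int tokenize_rule(const char *rule, ParsedRule *out, int *err_col)
{
    memset(out, 0, sizeof(*out));
    const char *open = strchr(rule, '(');
    if (open == NULL) { *err_col = (int)strlen(rule); return -1; }
    trim_copy(out->header, sizeof(out->header), rule, open);

    const char *p = open + 1;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == ')') {
            for (p++; isspace((unsigned char)*p); p++) ;
            if (*p != '\0') { *err_col = (int)(p - rule); return -1; } /* trailing junk */
            return out->nopts;
        }
        if (*p == '\0' || out->nopts == MAX_OPTS) { *err_col = (int)(p - rule); return -1; }

        /* Scan to the ';' that ends this option. A ';' or ':' inside double
         * quotes is content, and a backslash escapes the next character. */
        const char *start = p, *colon = NULL;
        bool quoted = false;
        for (; *p != '\0'; p++) {
            if (quoted) {
                if (*p == '\\' && p[1] != '\0') p++;
                else if (*p == '"') quoted = false;
            } else if (*p == '"') quoted = true;
            else if (*p == ':' && colon == NULL) colon = p;
            else if (*p == ';') break;
        }
        if (*p != ';') { *err_col = (int)(p - rule); return -1; } /* unterminated option or quote */

        RuleOpt *o = &out->opts[out->nopts++];
        if (colon != NULL) {
            trim_copy(o->key, sizeof(o->key), start, colon);
            trim_copy(o->val, sizeof(o->val), colon + 1, p);
        } else {
            trim_copy(o->key, sizeof(o->key), start, p);
        }
        p++; /* step past ';' */
    }
}

/* Constructed sample rules for the stand-alone run and the checks. */
static const char *GOOD_RULE =
    "alert http any any -> any any (msg:\"semi; colon: inside\"; "
    "content:\"abc\"; nocase; sid:1000001; rev:1;)";
static const char *BAD_RULE =
    "alert tcp any any -> any any (msg:\"unterminated; sid:1000002;)";

int demo_good_rule(ParsedRule *r) { int col; return tokenize_rule(GOOD_RULE, r, &col); }
int demo_bad_rule_column(void)   { ParsedRule r; int col = -1; tokenize_rule(BAD_RULE, &r, &col); return col; }

int main(void)
{
    ParsedRule r;
    int n = demo_good_rule(&r);
    printf("header: %s\n", r.header);
    for (int i = 0; i < n; i++)
        printf("  %s = %s\n", r.opts[i].key, r.opts[i].val);
    printf("bad rule fails at column %d\n", demo_bad_rule_column());
    return 0;
}
```

Values keep their surrounding quotes here, as the individual keyword parsers are the ones that know whether a value is a quoted string, a number or a modifier; the tokenizer's job is only to cut the rule at the right places, which is what makes it cheap compared with a regex over the whole line.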
Victor Julien 93b120e70d runmodes: config test is offline 7 years ago
Victor Julien 71c3141ec6 afl: enable afl dumps by envvar
If SC_AFL_DUMP_FILES is set the inputs are stored to disk.
7 years ago
Victor Julien f1da18ec1a http: allow shrinking in HTPRealloc 7 years ago
Pierre Chifflier 5748df3eed Add support for PCAP LINKTYPE_IPV4 7 years ago
Victor Julien 223a38aeee mingw: service init compile warning fix 7 years ago
Victor Julien 81408df0cf output: clean up log API unittests
Disable for MinGW as the setenv/getenv implementations seem to
be non-deterministic.
7 years ago
Victor Julien 7ed1debc96 flow: optimize Flow structure layout
Shrink structure with 8 bytes by moving new ttl fields into an
existing 'gap'.

Also fixes a strange ASAN issue in GCC 5.4.0 in unittests.
7 years ago
Victor Julien 17c4623975 thresholds: simplify config parsing 7 years ago
Victor Julien 2a237bdfca detect: make glob.h optional
glob.h is not available on MinGW.

Simply use the input on the rule list as a literal pattern.
7 years ago
Victor Julien e1d1a7f2ac detect: fix flow bypass flag handling 7 years ago
Victor Julien ddd3c0b1df detect/analyzer: formatting fixup 7 years ago
Victor Julien e86c3f0a40 detect: constify rule group lookup 7 years ago
Victor Julien a9ee041984 detect: minor profiling cleanup 7 years ago
Victor Julien 26abf5337c detect/mpm: minor cleanup: remove unused function arg 7 years ago
Victor Julien 03274051cf detect-state: minor cleanups 7 years ago
Victor Julien c79b9cb317 detect: constify address match functions 7 years ago
Victor Julien 63291d0f01 detect: style cleanup 7 years ago
Victor Julien 64aec6aaea app-layer: minor cleanup 7 years ago
Victor Julien 66530c6179 app-layer: cleanup: use true bool type for 'logger' 7 years ago
Victor Julien 3fc875955e app-layer: minor cleanups and optimizations
Use flow protomap instead of dynamically converting the ip proto in
each call.

Use const for vars where possible.
7 years ago
Victor Julien 6bea6edec1 stream: minor debug addition 7 years ago
Victor Julien ecfdd57ef8 detect: minor cleanups 7 years ago
Victor Julien 1b08615a1e detect: minor comment cleanup 7 years ago
Victor Julien ac57bd8149 detect: run buffer setup callback before validate 7 years ago
Victor Julien bb65a48edd rust: require at least libc 0.2.33
Required to be higher than 0.2.24 for IPPROTO_UDP. Upgraded to latest
version.
7 years ago
Pierre Chifflier 83808bbdad rust/ntp: convert parser to new registration method
Converting the NTP parser to the new registration method is a simple,
3-step process:
- change the extern functions to use generic input parameters (functions
  in all parsers must share common types to be generic) and cast them
- declare the Parser structure
- remove the C code and call the registration function
7 years ago
Pierre Chifflier 0b07bdf5d9 rust: generate declaration for extern unsafe funcs 7 years ago
Pierre Chifflier e7c0a53cbf rust/applayer: add registration iface for parsers
Add Rust support for the common interface to declare and register all
parsers.

Add a common structure definition to contain all required elements
required for registering a parser, similar to the C interface.
This also reduces the risk of incorrectly registering a parser: the
compiler prevents omitting required functions from the structure, and
functions (even if external) are type-checked. Optional functions are
explicitly marked.
7 years ago