Commit Graph

9182 Commits (1d9f37a60e7fde720768f41e5680ee2e02b78ffc)

Author SHA1 Message Date
Victor Julien 77539e08fc stream: in IDS mode, call app-layer at EOF
On stream end call app-layer with empty message in IDS mode.
6 years ago
Victor Julien eceb7dcba4 eve: support pcap_filename for unix socket mode
Bug #3390.
6 years ago
Philippe Antoine 4a2918e6b5 yaml: clarify comment about dump-all-headers
Logs a warning if the value is unknown
Fixes #2810
6 years ago
Victor Julien 007a461d69 detect/parse: track negation during address parsing
Fix address negation detection not resolving variables when
looking for the negation.

This patch makes use of the actual parsing routines to relay this
information to the signature parser.

Bug #3389.

Fixes: 92f08d85aa ("detect/iponly: improve negation handling in parsing")
6 years ago
Victor Julien 34b7035a0d detect/iponly: debug output improvements 6 years ago
Victor Julien 618ad0d92f app-layer: optimize inspection id tracking
Increase the inspect id for a completely inspected tx in any case.
This avoids re-evaluating transactions.

Reported-by: Ilya Bakhtin
6 years ago
Victor Julien f302f3543f files: add call for setting inspect sizes
The inspect sizes are currently only used during file prune
house keeping for SMTP.
6 years ago
Victor Julien f9f958d66e smtp: fix and clean up new file handling
Set tx id on files that were just opened.

Move logic to a small util func.
6 years ago
Victor Julien 683b22d114 smtp: use FILE_USE_DETECT for raw-extract 6 years ago
Victor Julien 21760bfc76 files: change pruning behavior
If file prune is called inspect has already run. So if file is closed
we can just prune. No need to consider a window anymore.

When still in progress, fix the left_edge calculation.
6 years ago
Victor Julien 682014619f files: fix FILE_USE_DETECT with --disable-detection
Don't set FILE_USE_DETECT flag if detect is disabled.
6 years ago
Victor Julien 4ac9cd2c70 files: move smtp prune logic to main
Now that we call the file prune loop very regularly, we can move the
SMTP specific inspection pruning logic into this loop. Helps with
cases where we don't (often) update a file's inspection trackers.
6 years ago
Victor Julien 4b7599af90 http/file: modernize unittests
Part of ticket #2975.
6 years ago
Victor Julien 1cdb2182e4 fastlog: apply icmp type logic to icmpv6 too 6 years ago
Victor Julien 5ef05ffad1 http/multipart: small cleanup 6 years ago
Victor Julien aae00df4df http/multipart: use wider type for boundary lengths
Use uint32_t for a local type instead of uint8_t to avoid casts.

Length should always stay under this regardless.
6 years ago
Victor Julien 4d0db9cb4a http/multipart: optimize form end search
If we already know that the boundary exists, we can start looking
there. Otherwise, we can skip trying as the boundary is a subset
of the form end marker.
6 years ago
Victor Julien 54d93e1eb9 http/multipart: process incomplete file data
Start processing multipart data as soon as it is available to
allow inspection sooner.
6 years ago
Jeff Lucovsky fcfb679893 detect/analyzer: Suppress direction warnings
This commit ensures direction warnings for ICMP v4 and v6
are suppressed and corrects check so that both protocols
are checked (instead of the same protocol being checked twice).
6 years ago
Eric Leblond 1b9009ea0e suricata: fix computing of default packet size
Update the default packet size computation to use LiveDeviceName
instead of LiveDevice as the LiveDevice list is not built when
the default packet size is built.
6 years ago
Victor Julien c010f092e0 detect/replace: fix debug print issue
Don't print field that will likely not be 0 terminated.
6 years ago
Victor Julien c3ea5e71e5 detect/file.data: fix buffer reusing id 0 6 years ago
Victor Julien cd66c37711 http/multipart: use proper progress value to test eof 6 years ago
Philippe Antoine 08b84e060b fastlog: use icmp type and code instead of port
Fixes #3266
6 years ago
Philippe Antoine 75a7d9641c fastlog: move code to reduce variable scope 6 years ago
Philippe Antoine c2fdd7c969 transform: fixes comment about compress_whitespace 6 years ago
Philippe Antoine 9126fc25c1 transform: updates doc about compress_whitespace
And removes duplicate test from strip_whitespace
6 years ago
Eric Leblond 3ded7f1170 qa/coccinelle: fix false positive in setter getter
Coccinelle test was doing a false positive on the function
AppLayerParserStateSetFlag and AppLayerParserStateIssetFlag.
To address that, this patch adds a new coccinelle markup:

 /* coccinelle: AppLayerParserStateSetFlag():2,2:APP_LAYER_PARSER_ */

It indicates that AppLayerParserStateSetFlag is a setter and getter
and that the checks should be disabled inside the function.

Currently this markup is only used for that but following patch will
add some checks on option value.
6 years ago
Jeff Lucovsky 8f4f1cb633 detect/analyzer: Improved fast pattern display
When transforms are part of a rule, improve information displayed with
fast patterns to include the original buffer name and whether any
transform(s) are applied.
6 years ago
Jeff Lucovsky c88c1f1e14 detect/analyzer: Suppress direction warnings
This commit suppresses direction warnings by the rules analyzer for ICMP
and ICMPV6 since it's not actionable.
6 years ago
Victor Julien 83bbe287e7 stats: fix stats not always syncing in flow timeout 6 years ago
Jason Ish ba3a2c31bf app-layer: validate TX detect flag callbacks
Check that both are set or unset.
6 years ago
Jason Ish 706558d4d5 enip: add tx detect flags 6 years ago
Jason Ish cb62c8dacf dcerpc: add tx detect flags 6 years ago
Jason Ish 21f014f5c3 modbus: add tx detect flags 6 years ago
Jason Ish 20bc08a722 app-layer: add tx detect functions to register struct 6 years ago
Jason Ish fdb587d2fc detect-engine: check for tx detect flag support
When registering a detection engine, check that the app-layer
protocol supports tx detect flags. Exit with a fatal
error if it does not as this is a code implementation
error that should be resolved during development.
6 years ago
Jason Ish b1beb76fd7 ftpdata: add tx detect flags 6 years ago
Jason Ish 62e4211f04 debug: add SCReturnBool function exit macro 6 years ago
Jason Ish 739df21e2d app-layer: method to see if parser supports tx detect flags
Add method to check if a parser for an app-layer protocol
supports tx detect flags.

This is a bit of a hack for now as where we need to run
this check from we do not have the IP protocol.
6 years ago
Jeff Lucovsky 218a5c4345 mpm: Fix typos and spelling errors 6 years ago
Jeff Lucovsky aef24bee96 detect: Fix spelling errors 6 years ago
Jeff Lucovsky f318a46d34 detect: Improve handling of variable values
When one of offset/depth/distance is from a variable, adjust the depth
by the offset as is done with scalar values at parse time.
6 years ago
Jeff Lucovsky db8527e7b3 detect/mpm: Improved handling of variable values
This commit removes the offset and depth if either of these values are
dependent upon a byte-extract operation.
6 years ago
Victor Julien 94982ae690 http: split request/response tx id handling
When HTTP pipelining was in use, the transaction id used for events
and files could be off. If the request side was several requests ahead
of the responses, it would use the HtpState::transaction_cnt for events
and files, even though that is only incremented on complete requests.

Split request and response tx id tracking. The response is still handled
by the HtpState::transaction_cnt, but the request side is now handled by
its own logic.
6 years ago
Victor Julien b82e71b95e files: remove FILE_USE_TRACKID flag
Once it was optional but as it no longer is it is no longer useful.

Remove it.
6 years ago
Victor Julien f9155aa121 files: simplify pruning logic
Since ebcc4db84a the flow worker runs
file pruning after parsing, detection and logging. This means we can
simplify the pruning logic. If a file is in state >= CLOSED, we can
prune it. Detection and outputs will have had a final chance to
process it.

Remove the calls to the pruning code from Rust. They are no longer
needed.
6 years ago
Victor Julien ab471c3054 app-layer: don't consider tx flags if not registered
If a protocol does not support TxDetectFlags, don't try to use them.

The consequence of trying to use them was that a TX would never be
considered done, and it would never be freed. This would lead to excessive
memory use and performance problems due to walking an ever increasing
list.
6 years ago
Eric Leblond 54d3620662 source-pcap-file: honor bpf filter on command line
When a BPF filter is given on the command line when reading a
pcap file, the BPF filter is not honored.

The regression has been introduced in:

commit 3ab9120821
Author: Dana Helwig <dana.helwig@protectwise.com>
Date:   Thu Apr 27 11:17:16 2017 -0600

    source-pcap-file: Pcap Directory Mode (Feature #2222)

Reported-By: Tim Colin <tcolin@et.esiea.fr>
6 years ago
Eric Leblond 860f43753c source-pcap-file: fix memory leak on pcap filter 6 years ago
Philippe Antoine 20e06f45c0 util: removes warning about double conversion
From clang 10 :
implicit conversion from 'unsigned long' to 'double' changes value
from 18446744073709551615 to 18446744073709551616
6 years ago
Victor Julien 502a8b5fb3 detect: fix inspection buffer for packet engines
Fix buffers not being reset per inspection round for packet engines.

Bug #3341.
6 years ago
Victor Julien 58b9a2dc21 threading: add debug validation for stale packets 6 years ago
Victor Julien fe9aeed0f0 threading: fix shutdown race condition
A BUG_ON statement would seemingly randomly trigger during the threading
shutdown logic. After a packet thread reached the THV_RUNNING_DONE state,
it would sometimes still receive flow timeout packets which would then
remain unprocessed.

1 main:   TmThreadDisableReceiveThreads(); <- stop capturing packets
2 worker: -> TmThreadTimeoutLoop (THV_FLOW_LOOP) phase starts
3 main:   FlowForceReassembly();           <- inject packets from flow engine
4 main:   TmThreadDisablePacketThreads();  <- then disable packet threads
5 main:   -> checks if 'worker' is ready processing packets
6 main:   -> sends THV_KILL to worker
7 worker: breaks out of TmThreadTimeoutLoop and changes to THV_RUNNING_DONE.

Part of the problem was with (5) above. When checking if the worker was
already done with its work, TmThreadDisablePacketThreads would not consider
the injected flow timeout packets. The second part of the problem was with (7),
where the worker checked if it was ready with the TmThreadTimeoutLoop in a
thread unsafe way.

As a result TmThreadDisablePacketThreads would not wait long enough for the
worker(s) to finish its work and move the threads to the THV_RUNNING_DONE
phase by issuing the THV_KILL command.

When waiting for packet processing threads to process all in-flight packets,
also consider the 'stream_pq'. This will have received the flow timeout
packets.

Bug #1871.
6 years ago
Victor Julien 825173a2ba threading: fix flow timeout loop race 6 years ago
Victor Julien 56354afd41 threading: improve thread queues checking by dumping more info 6 years ago
Victor Julien 0a809bf577 packet: set unique pkt_src 'flush' packets
Set unique type for capture timeout and for detect reload flush
to assist in debugging.
6 years ago
Victor Julien 6bc7636826 stream: remove unused code
Remove now unused 'pkt_src' type as well.

Remove related unittests.
6 years ago
Victor Julien 1633744fcb nfq: remove unused queue handler type 6 years ago
Victor Julien ab01cbe345 log-pcap: remove stale comments 6 years ago
Victor Julien 6de025bb12 alert-syslog: remove stale comments 6 years ago
Jeff Lucovsky 90c2e3561c Add general purpose `ARRAY_SIZE` macro
This commit adds `ARRAY_SIZE` as a helper for determining the number of
elements in an initialized array. The calculation is the same but the
macro provides a convenient shortcut. The implementation was borrowed
from the kernel sources.
6 years ago
Jeff Lucovsky ae198add6d detect/analyzer: Refactor engine analysis code
This commit changes the analysis code to be table driven to better
identify the rule elements covered by the analysis.
6 years ago
Philippe Antoine 6e63c957ff signature: Fixes memory leak in parsing app layer event 6 years ago
Jason Ish fccbd36d37 dns: log addresses in flow direction, not packet
Ticket #3340.
https://redmine.openinfosecfoundation.org/issues/3340
6 years ago
Victor Julien 0824b04134 filestore: don't assume flow is TCP
Filestore can be used by UDP based protocols as well. NFSv2 is one
that Suricata supports.

Bug #3277.
6 years ago
Victor Julien 2a55afbd89 decode/pppoe: fix potential crash in debug statement 6 years ago
Victor Julien 2ab7fb4b41 version: automate and cleanup ver handling
Create a single function to return the version string, to avoid lots
of ifdefs in multiple places.

Make the version determine the 'release' status. If the version from
autoconf has '-dev' in the name, it is not a release. If it hasn't
it is considered a release version.
6 years ago
Victor Julien 51ec980e80 dataset: fix string length handling in hash 6 years ago
Eric Leblond 1721da91ef dataset: fix hash computation 6 years ago
Victor Julien 64a789bbf6 nfq: clear memory of queue before using it
Avoids using uninitialized memory. This showed itself
in nonsense values in counters, and in nfq_handle_packet
errors that were likely the result of passing uninitialized
memory to the nfq API.

Bug 3263.
Bug 3120.

Fixes: b2a6c60dee ("source-nfq: increase maximum queues number to 65535")
6 years ago
Victor Julien 2fd1174a56 nfq: micro optimization 6 years ago
Victor Julien 9d6087f7d6 nfq: don't warn on 'handle_packet' error
NFQ can generate warnings/errors with a delay. After Suricata has
successfully passed a verdict to the kernel, there are still things
that can go wrong for that verdict. This is then passed to the
queue through a netlink error message, which leads to nfq_handle_packet
returning an error code.

Suppress the warning. Also remove the errno/strerror use as
nfq_handle_packet does not set the errno.

Thanks to Florian Westphal.

Bug 3120.
6 years ago
Victor Julien f8acad7fca nfq: code cleanups 6 years ago
Alexander Gozman f280e66f84 nfq: check for EAGAIN after recv() call in NFQRecvPkt() 6 years ago
Victor Julien 4cc90e9a4c nfq: minor code cleanups 6 years ago
Victor Julien 01cea2ec89 datasets: suppress noisy debug statement 6 years ago
Victor Julien 505b2dd256 log-pcap: don't print (null) for compression method 6 years ago
Victor Julien fb26268c6b tcp: don't set event on empty SACK opt
TCP_OPT_INVALID_LEN was set if the opt len was 2. While useless,
an empty SACK is not uncommon.

Seen on an iOS device talking to an Apple server.

Bug #3254.
6 years ago
Victor Julien aae76a84cd suricata: use version from autoconf 6 years ago
Eric Leblond 2d11e9394c detect-base64: fix url in list keywords commands 6 years ago
Jason Ish 6eada54fc8 eve/dns: don't log warning if dns log version not set
If the DNS log version is not set, we default to v2. This should
not be a warning, but better logged at the config level.

A warning will still be logged if the value is set but is not
1 or 2.
6 years ago
Philippe Antoine 989a6461b0 signature: leak fix in DetectAddressParse2 6 years ago
Philippe Antoine c1e41632c1 config: use logging instead of stderr 6 years ago
Wesley van der Ree bf1b65558b mpls: Allow MPLS after vlan.
Fixes #2771
6 years ago
Victor Julien 7cca9005fb dns: minor cleanup 6 years ago
Victor Julien 4164c0bbd6 app-layer: make dns,smb,tls parsers less noisy w/o config 6 years ago
Victor Julien 0526878fee detect/tls: set alternatives for legacy tls keywords 6 years ago
Victor Julien 3019f10ac7 detect/tls: tls.cert_fingerprint is a sticky buffer
Not a content modifier.
6 years ago
Jeff Lucovsky 42452b327c mem: Use correct len with strlcpy 6 years ago
Victor Julien d19ded6c43 stream: fix progress for min_inspect_depth
Make sure progress doesn't exceed raw_progress.
6 years ago
Victor Julien 5f15e7c6a4 smtp: implement min_inspect_depth logic
Implement min_inspect_depth for SMTP so that file_data and
regular stream matches don't go out of sync on the stream start.

Added toserver bytes tracking.

Bug #3190.
6 years ago
Victor Julien 58e48bcb87 debug: make it easier to trace flush logic 6 years ago
Victor Julien 876f05aa28 eve/dhcp: remove leftover template comments 6 years ago
Victor Julien 9716c24ba1 eve/alert: clean up proto metadata
Use a switch statement to select the protocol specific function.
6 years ago
Victor Julien f66e12f7af dns: rename rust files and funcs 6 years ago
Victor Julien 842037d327 jansson: remove explicit <jansson.h> includes
Header is included from suricata-common.h
6 years ago
Victor Julien edd2cd626f jansson: remove HAVE_LIBJANSSON guards 6 years ago
Victor Julien b4318a11e3 rust: remove build system HAVE_RUST guards 6 years ago
Victor Julien 5e9714e384 rust: remove all HAVE_RUST guards 6 years ago
Jason Ish 8425259c88 help: better description for -v
-v: be more verbose (use multiple times to increase verbosity)
6 years ago
Jason Ish 71c53484ee logging: used fixed levels of verbosity for -v, -vv...
Change the meaning of the verbosity flag to change the log
level to fixed levels instead of being relative to what's
configured.

-v    => INFO
-vv   => PERF
-vvv  => CONFIG
-vvvv => DEBUG

But do now allow -v to decrease the verbosity.

Bug #1851
6 years ago
Jason Ish 89634b6508 logging: respect individual log levels
The log level of individual loggers (console, file, syslog) was
being capped by the default log level. For example, if the
default log level was notice, setting the file level to info
would still result in notice level logging.

Bug #3210
6 years ago
Konstantin Klinger 808ea0dba9 app-layer: remove obsolete msn protocol detection 6 years ago
Victor Julien 6d2bd6607e datasets: make clear the feature is experimental 6 years ago
Jeff Lucovsky d514a38913 log/anomaly: remove leading underscore from static var 6 years ago
Jeff Lucovsky 95879c0d5a logging/alert: Warn if metadata not selected
Warn when HTTP body logging has been selected but applayer/metadata
logging is not configured.
6 years ago
Jeff Lucovsky 354074bac6 ftp: Handle malformed RETR/STOR
Ensure that RETR (STOR) have a filename -- otherwise, treat the command
string as malformed.

Added unittests for each command and verified that SEGVs occur without
parser change and no longer occur with the parser change.
6 years ago
Victor Julien 7609adb05d Revert "runmode: consider test mode a user mode"
This reverts commit 6dca50a322.

The test mode should actually test in system mode by default as
that is what tools like Suricata-Update need before issuing a
reload command.
6 years ago
Victor Julien 0771eb1e0e detect/ja3: print error for one rule only
Use 'silent error' logic for any other rules using ja3 as well.
6 years ago
Victor Julien 4d44ca7739 detect/parse: allow signature parsing to fail silently
A sigmatches 'Setup' function may indicate it intends to fail
silently after the first error. It will return -2 instead of -1
in this case.

This is tracked in the DetectEngineCtx object, so errors will
be shown again at rule reloads.
6 years ago
Victor Julien aa5a6ab5f1 detect/parser: minor cleanup 6 years ago
Victor Julien c582fd28d9 tls/ja3: allow 'auto' setting for ja3 6 years ago
Victor Julien ca5226f0c7 tls/ja3: try to enable ja3 if rule keywords need it 6 years ago
Victor Julien 29dcd98ed1 tls/ja3: add way to check active config 6 years ago
Victor Julien 4cd3b84606 tls/ja3: allow dynamic enabling of ja3 6 years ago
Victor Julien 09882ec4cb detect/reference: implement strict parsing option 6 years ago
Victor Julien 89a717d41c detect/classtype: implement strict parsing option 6 years ago
Victor Julien b5521b58bc detect/parse: add --strict-rule-keywords option
Add --strict-rule-keywords commandline option to enable strict rule
parsing.

It can be used without options or with a comma separated list:
--strict-rule-keywords
--strict-rule-keywords=all
--strict-rule-keywords=classtype,reference

Parsing implementations can use SigMatchStrictEnabled to check
if strict parsing is enabled for them and act accordingly.
6 years ago
Victor Julien 88e26ea914 detect: use named enum for keyword types 6 years ago
Victor Julien 0b40d4ae93 detect/reference: allow undefined references
References are currently not used in Suricata, so erroring out on
rules using an undefined reference is too harsh.

Just issue a warning once per unique missing reference.
6 years ago
Victor Julien 61185cc9ba reference: change scope of add func to global 6 years ago
Victor Julien d17a3b3c2b reference: use global defines for size limits 6 years ago
Victor Julien e278953455 detect/reference: code cleanups 6 years ago
Victor Julien 523e91b231 detect/classtype: check size of rule input 6 years ago
Victor Julien e5f6f38481 classtype: handle missing classification.config
Still initialize the classtype hash table so that the classtypes
rules use can be added to it.

The file missing now reports a warning instead of error, as we
will continue to work.
6 years ago
Victor Julien 517834e327 classtype: use global defines for size limits 6 years ago
Victor Julien 99bdb54d9f detect/classtype: show file and line for unknown classtype 6 years ago
Victor Julien 43b5234055 detect/priority: use global define for default prio 6 years ago
Victor Julien 954c43daf4 detect/classtype: allow undefined classtypes
Effect of classification on Suricata's working is minimal. Impact
of adding undefined classtypes is large: rules will fail to load
completely. This also leads to multiple lines of log output per rule,
which in a large ruleset can lead to excessive output.

This patch changes the classtype keyword behavior. Instead of erroring
and invalidating a rule, we will merely warn.

The undefined classtype is then defined with a default priority,
so other rules using the classtype will not also warn. This way
there will be just a single warning per missing classtype.
6 years ago
Victor Julien 323a747f39 classtype: increase id size
Switch from u8 to u16 to allow for more classtypes.

Rename Signature::class to Signature::class_id to make it clear
it is an id.
6 years ago
Victor Julien ccf6c5a6ef classtype: small memory reduction
Reduce memory use by making sure SCClassConfClasstype
has a more optimal memory layout.
6 years ago
Victor Julien 26e2370f99 classtype: put UNITTESTS guards where appropriate 6 years ago
Victor Julien e104c3d913 classtype: reduce scope of functions 6 years ago
Victor Julien a37e09cbe0 detect/classtype: change duplicate classtype behavior
Detect duplicate instances and use the one with the highest
priority.

Use new priority flag to make the logic around explicit priority
sets easier to follow.

Minor code cleanups. Also clean up unittests.
6 years ago
Victor Julien c471d81f04 detect/priority: change duplicate priority behavior
Introduce Signature init_flag to indicate priority has been set.
This will be needed in a follow-up classtype update.

Detect duplicate priority instances in a keyword, and use the
highest priority in the rule. Do issue a warning in this case.
6 years ago
Victor Julien 828d2572f8 detect: use BIT_U32 macros for INIT flags 6 years ago
Victor Julien 3fd4e7bd05 detect/priority: minor cleanups 6 years ago
Victor Julien bfee28db5e detect/classtype: clean up error handling 6 years ago
Victor Julien 5e5761a29c detect/classtype: warn on duplicate classtype
Issue warning instead of erroring and invalidating the rule.

It's not a very serious issue, so don't error out.
6 years ago
Victor Julien 282e1c2520 detect/classtype: fix parsing error checking 6 years ago
Jason Ish 2d0b3d7320 detect/test: update test for file prune changes
As the file prune is now moved to the flow worker, the file
prune is run later, meaning the first file has not yet
been pruned from the file container list.

Adjust test to look for a second file, and check the
flags on that file.

For commit addressing bug 2490.
6 years ago
Jason Ish ebcc4db84a file extraction: always prune files after detect
If a keyword like filemd5 was being used without a filestore,
or a file output enabled, it would be pruned before detection
had a chance to match.

Consolidate file pruning to the end of the flow worker so files
are available for detection even when a file output is not
enabled.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2490
6 years ago
Victor Julien c7e4433fe9 afl/decode: fix stats related memleak reports 6 years ago
Shivani Bhardwaj 8940a9d326 afp: nicer error message in case of fanout failure
Use clearer message in case fanout is not supported or cluster_id is
already in use.

Closes redmine ticket #1940.
6 years ago
Shivani Bhardwaj ac55b21184 suricata: Check if default log dir is writable
At the startup, if the default log dir provided either by command line
options or suricata.yaml is not writable, the error comes quite late.
This patch makes suricata exit if there is such an error in the
beginning itself.

Closes redmine ticket #2386.
6 years ago
Victor Julien 6dca50a322 runmode: consider test mode a user mode 6 years ago
Victor Julien 914c5b7975 datasets: fix error handling 6 years ago
Victor Julien 1021465f23 datasets: improve and doc return codes 6 years ago
Jason Ish a2fcc304e7 dataset: fix return value check on isnotset
The dataset api returns -1 for not found.
6 years ago
Victor Julien c6cda99bcd thash: fix prealloc config setting 6 years ago
Victor Julien e264a0cee8 datasets: fix hash table config
Example:

datasets:
  ua-seen:
    type: string
    state: ua-seen.lst
    hash:
      hash-size: 100000
      prealloc: 1000
      memcap: 256mb
6 years ago
Victor Julien 9b64b6794b datasets: change config to map
Example:

datasets:
  ua-seen:
    type: string
    state: ua-seen.lst
  dns-sha256-seen:
    type: sha256
    state: dns-sha256-seen.lst
6 years ago
Jason Ish 342fa8ee26 magic/test: remove NULL as format string
Remove passing NULL as a format string parameter
in test. Convert to FAIL_IF_NULL.
6 years ago
Jason Ish 0b02539ea9 drop.log: log deprecation warning if used 6 years ago
Jason Ish bfacedfad1 unified2: log deprecation warning when used 6 years ago
Jason Ish 57b4259640 filestore(v1): deprecation log warning when enabled
Notify the user with a warning log that this feature is
deprecated and will be removed in v6 of Suricata.
6 years ago
Jeff Lucovsky 04ee27bcd2 log/anomaly: Remove event_no from alert 6 years ago
Victor Julien 9340769ad2 enip: fix compile warnings in gcc-8
In file included from suricata-common.h:471,
                 from app-layer-enip-common.c:27:
app-layer-enip-common.c: In function ‘DecodeCIPRequestPathPDU’:
util-debug.h:222:31: warning: ‘req_path_class8’ may be used uninitialized in this function [-Wmaybe-uninitialized]
             int _sc_log_ret = snprintf(_sc_log_msg, SC_LOG_MAX_LOG_MSG_LEN, __VA_ARGS__);   \
                               ^~~~~~~~
app-layer-enip-common.c:589:13: note: ‘req_path_class8’ was declared here
     uint8_t req_path_class8;
             ^~~~~~~~~~~~~~~
app-layer-enip-common.c:607:9: warning: ‘segment’ may be used uninitialized in this function [-Wmaybe-uninitialized]
         switch (segment)
         ^~~~~~
app-layer-enip-common.c: In function ‘DecodeCIPResponsePDU’:
app-layer-enip-common.c:773:13: warning: ‘service’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     service &= 0x7f; //strip off top bit to get service code.  Responses have first bit as 1
             ^~
app-layer-enip-common.c: In function ‘DecodeCIPRequestPDU’:
app-layer-enip-common.c:503:25: warning: ‘path_size’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     offset += path_size * sizeof(uint16_t); //move offset past pathsize
               ~~~~~~~~~~^~~~~~~~~~~~~~~~~~
app-layer-enip-common.c:506:5: warning: ‘service’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     switch (service)
     ^~~~~~

Bug #3139.
6 years ago
Victor Julien c769909dad eve/stats: update warning for new default behavior 6 years ago
Victor Julien 76e1836aed counters: improve handling missing global config
Improve warnings when eve.stats can't work because of the global config
missing or disabled.

Issue warning if global config is missing but stats are still enabled due
to the legacy stats.log.

Issue clearer warning when stats are disabled and unix socket dump-counters
command is issued.

Warnings include links to docs.

Bug #2465.
6 years ago
Victor Julien 2d381f93f3 stats: add global way to check if API is enabled 6 years ago
Victor Julien 5bfedf78fc posix: replace bzero with memset
bzero(3): The bzero() function is deprecated (marked as LEGACY in
POSIX.1-2001); use memset(3) in new programs.  POSIX.1-2008 removes
the specification of bzero().

Use memset instead.
6 years ago
Victor Julien 2da90a1cd8 posix: remove deprecated index/rindex calls
Replace index by strchr and rindex by strrchr.

index(3) states "POSIX.1-2008 removes the specifications of index() and
rindex(), recommending strchr(3) and strrchr(3) instead."

Add index/rindex to banned function check so they don't get reintroduced.

Bug #1443.
6 years ago
Victor Julien b82a0e2cad detect/port: more cleanups
Remove unused funcs. Minor style updates.
6 years ago
Victor Julien 8b0b301a15 detect/port: remove function only used in tests 6 years ago
Victor Julien ada0708e51 detect/port: unittest cleanups 6 years ago
Victor Julien 7864e8e7cc der/asn1: reduce max depth limit to 32
OpenSSL uses 30, so this seems a reasonable limit.

Set a smaller limit than before to reduce the resources spent on
specially crafted input designed to be maximally expensive.
6 years ago
Victor Julien 335ad2d8cc der/asn1: don't pass on more data than is specified
Set and Sequence parsers would pass on max available data instead
of the size of their object.

Malformed data could trigger massive recursion this way, leading
to spending much more resources than necessary.

Found using AFL.

Bug #3185.
6 years ago
Victor Julien 4ca83ca489 decode/ipv4: fix ts opt flags decoding
Field is at data+1 offset, not +3. Also makes sure we always stay
within checked data bounds.

Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3176.
6 years ago
Victor Julien 7bb3dfcfc8 decode/ipv4: unittest to show parsing issue 6 years ago
Victor Julien 922f4f7d78 ssl: fix bounds checking in version decoding
Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3169.
6 years ago
Jason Ish c8b49aee56 defrag: check minimum size of reassembled packet
Before re-assembling, check that the first fragment is large
enough to contain the IPv4 or IPv6 header to prevent
an out of bounds read (IPv4) or write (IPv6).

Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3171.
6 years ago
Victor Julien 229eccdd04 ssl: minor cleanups 6 years ago
Mats Klepsland 05f6f5481a tls-log: restructure code for writing to buffer
Restructure code to make it clearer that either 'basic', 'extended'
or 'custom' is being printed, by creating one function for each of
the possibilities.
6 years ago
Mats Klepsland 03c8b82bfe tls-log: quick code cleanup 6 years ago
Mats Klepsland a151fe2225 tls-log: remove a wrongful comment
The app-layer parser for TLS has been TX aware for quite some time.
Remove a comment that is stating that it is not.
6 years ago
Mats Klepsland 85536e8918 tls-log: fix so buffer is reset on custom logging
Move MemBufferReset() so it also works when using custom tls
logging. This avoids duplicate tls log entries.

Bug #3177
6 years ago
Philippe Antoine af4f816204 http: sets compression bomb limit 6 years ago
Philippe Antoine c09ad01836 http: disable lzma decompression from configuration 6 years ago
Philippe Antoine 94aa36df1b lzma: replaces liblzma with own sdk for swf decompression
so as to avoid memory exhaustion
6 years ago
Yujie Zhao a121c7b460 Avoid to shutdown NSS if it is not initialized 6 years ago
Jason Ish 178d420f36 main: enable coredumps after privileges are dropped
On Linux, by default, coredumps are disabled after
privileges are dropped. This re-enables coredumps
after privileges are dropped.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/1271

Credit to Elazar Broad for the pull request:
https://github.com/OISF/suricata/pull/3362
6 years ago
Jeff Lucovsky b4070b6dcd ftp: Use rust parsers to parse dynamic ports 6 years ago
Philippe Antoine 9cbf9ef7a4 HTTP new parser warning for Ambiguous C-L 6 years ago
Shivani Bhardwaj d801c3e588 detect: Make keyword description consistent
Closes redmine ticket #3137.
6 years ago
Victor Julien d4bc460381 smtp: fix file_data inspection
Continue tracking data if API is used with detect. Detection engine
then manages the tracking.

Bug #2395.
6 years ago
Jason Ish afe065c7ac sip fixup: _Bool -> bool 6 years ago
Giuseppe Longo e06291922f detect/sip.response_line: add sticky buffer
Matches on response line field in SIP.
6 years ago
Giuseppe Longo 17de4a8023 detect/sip.request_line: add sticky buffer
Matches on request line field in SIP.
6 years ago
Giuseppe Longo 8939ece538 detect/sip.stat_msg: add sticky buffer
Matches on status msg field in SIP.
6 years ago
Giuseppe Longo bd2219cac6 detect/sip.stat_code: add sticky buffer
Matches on status code field in SIP.
6 years ago
Giuseppe Longo 8454122eb2 detect/sip.protocol: add sticky buffer
Matches on protocol field in SIP.
6 years ago
Giuseppe Longo 2661c5b298 detect/sip.uri: add sticky buffer
Matches on uri field in SIP.
6 years ago
Giuseppe Longo 424eead8c0 detect/sip.method: add sticky buffer
Matches on uri field in SIP.
6 years ago
Giuseppe Longo c88559dc72 output/json-alert: add sip metadata
Put SIP information to alert event.
6 years ago
Giuseppe Longo edc2a583a9 rust/sip: add SIP logger 6 years ago
Giuseppe Longo 2e975a0481 rust/sip: add parser for SIP protocol 6 years ago
Victor Julien a2356a89f7 detect/dns.opcode: improve error reporting 6 years ago
Jason Ish d79c23baa3 dns/detect: dns.opcode keyword
Add a rule keyword, dns.opcode to match on the opcode flag
found in the DNS request and response headers.

Only exact matches are allowed with negation.

Examples:
  - dns.opcode:4;
  - dns.opcode:!1;
6 years ago
Victor Julien c68fbfcfe6 htp: simplify depth check 6 years ago
Giuseppe Longo de904db830 app-layer-htp: use stream depth with filestore
This permits using the stream-depth value set for file-store.

Currently, if a file is being stored and hits a limit, such as the
request or response body limit, it is truncated even though
file-store.stream-depth is enabled; the file should instead be
closed and not truncated.

Two unit tests have been added to verify that:
- a file is stored correctly
- chunk's length computation doesn’t cause an underflow
6 years ago
Giuseppe Longo ed5a439b8e app-layer-parser: flag a tx to use stream depth
This adds a new API that permits setting the stream-depth
file for file-storing when a rule with the filestore keyword is matched.
6 years ago
Shivani Bhardwaj b5b429c288 detect: Add missing keyword URLs and description
Add missing keyword URLs and their description. Fix the ones that
were incorrect.

Partially closes redmine ticket #2974.
6 years ago
Travis Green 08423282aa doc: add to sigmatch_table 6 years ago
Travis Green 4612d4b50a detect: syntax regex logic update
Updated regex logic to include more spaces. Fixed spelling.
6 years ago
Mats Klepsland e976d8cf74 output-lua: register app-layer parser logger for SSH
Bug #3162
6 years ago
Mats Klepsland 1e9f767deb output-lua: register app-layer parser logger for TLS
Bug #3162
6 years ago
Jason Ish 61a6eaf330 htp/lzma: set limit from configuration
Also use a default defined in Suricata, not libhtp.
6 years ago
Victor Julien c9c23d5cda htp: set lzma memlimit from config 6 years ago
Jeff Lucovsky 7808b946e3 detect/transform: add dotprefix keyword 6 years ago
Jeff Lucovsky 9df44afa30 logging/anomaly: Add warning code for anomaly log 6 years ago
Jeff Lucovsky aaacbf28c2 logging/anomaly: Support configuration filter types 6 years ago
Jason Ish 664605b5f1 rdp: disable rdp by default for 5.0 6 years ago
Jason Ish 0f10298990 rdp: address comments in pull request
Pull request:
https://github.com/OISF/suricata/pull/4174

- fix commit: range -> set
- OUTPUT_BUFFER_SIZE -> JSON_OUTPUT_BUFFER_SIZE
- output: check for initdata first
6 years ago
Zach Kelly caef8b5b38 protocol parser: rdp
Initial implementation of feature 2314:
1. Add protocol parser for RDP
2. Add transactions for RDP negotiation
3. Add eve logging of transactions
6 years ago
Shivani Bhardwaj 59da7ae302 counters: Add new default for decoder events
Set the new default for decoder events to `decoder.event` instead of the
previously used `decoder`. Remove the corresponding warning for 5.0.
6 years ago
Victor Julien 7cabb025ea ips: fix wrong thread for bridge ips modes 6 years ago
Phil Young 8aeff8f973 stream: fix bypass callback for stream.depth
Fix bug with bypass callback when called with stream depth threshold.
bug report: https://redmine.openinfosecfoundation.org/issues/2986
6 years ago
Jason Ish 52187d8548 ftp: removing uninitialized variable warning
output-json-ftp.c: In function ‘JsonFTPLogger’:
output-json-ftp.c:129:9: warning: ‘js_respcode_list’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  129 |         json_object_set_new(cjs, "completion_code", js_respcode_list);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
output-json-ftp.c:74:13: note: ‘js_respcode_list’ was declared here
   74 |     json_t *js_respcode_list;
      |             ^~~~~~~~~~~~~~~~
output-json-ftp.c:128:9: warning: ‘js_resplist’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  128 |         json_object_set_new(cjs, "reply", js_resplist);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
output-json-ftp.c:73:13: note: ‘js_resplist’ was declared here
   73 |     json_t *js_resplist;
      |             ^~~~~~~~~~~
6 years ago
Victor Julien a272e433a8 pd: don't reverse flow if TCP session not midstream 6 years ago
Jason Ish 5f1d21f247 dns: handle mid stream pickup on response packet
Related Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2146
6 years ago
Travis Green 9f8dcad287 doc: update of ssh-keywords documentation
Modifies ssh-keywords.rst to fix syntax error in example rule as well as
update descriptions to indicate older keywords have been deprecated.
6 years ago
Jeff Lucovsky 79d308db73 detect/analyzer: Add missing http_accept_enc handling 6 years ago
Victor Julien a3e5b91668 detect/dataset: fix 'state' path handling 6 years ago
Victor Julien 7ae86a0ae9 datarep: remove notice messages 6 years ago
Victor Julien 8045746bd1 datasets: remove notice messages and improve errors 6 years ago
Victor Julien 1d6a358d8a datasets: unix socket dataset-add command 6 years ago
Victor Julien 317376f59d datasets: match on lists of data
Datasets are sets/lists of data that can be accessed or added from
the rule language.

This patch implements 3 data types:

1. string (or buffer)
2. md5
3. sha256

The patch also implements 2 new rule keywords:

1. dataset
2. datarep

The dataset keyword allows matching against a list of values to see if
it exists or not. It can also add the value to the set. The set can
optionally be stored to disk on exit.

The datarep keyword supports matching/lookups only. With each item in the set a
reputation value is stored and this value can be matched against. The
reputation value is unsigned 16 bit, so values can be between 0 and 65535.

Datasets can be registered in 2 ways:

1. through the yaml
2. through the rules

The goal of this rules based approach is that rule writers can start using
this without the need for config changes.

A dataset is implemented using a thash hash table. Each dataset is its own
separate thash.
6 years ago
Victor Julien b286c14324 thash: generalize hash table as used in flow
Thread safe hash table implementation based on the Flow hash, IP Pair
hash and others.

The hash is an array of buckets with per-bucket locking. Each bucket has a
list of elements which also individually use locking.
6 years ago
Victor Julien 0b120bbe34 suricata: expose system as global 6 years ago
Victor Julien 5d5612f98e suricata: --data-dir option 6 years ago
Victor Julien dbbdfedb98 lzma: make mandatory
Libhtp is starting to use it as well, so it's safe to make it mandatory
here.

Remove guards for flash file decompression code.
6 years ago
Philippe Antoine 8d4cbb3f7b http: fixes stream flags for http tests 6 years ago
Philippe Antoine 9665ab0409 http: wait for response line for filename
See http evader case 481
6 years ago
Victor Julien 579cc9f02b const: constify decoder, app-layer, detect funcs 6 years ago
Victor Julien 399ab35aa1 afl: fix compile warnings for decoder fuzz funcs 6 years ago
Philippe Antoine aa73d834b5 boyermoore: avoid one tolower call
Fixes #1218
6 years ago
Jeff Lucovsky 86deaefe66 ftp: Ensure non-zero command length with MPM init 6 years ago
Shivani Bhardwaj 85b56b633e detect: Improve rule keyword alproto registration
1. Set WARN_UNUSED macro on DetectSignatureSetAppProto.
2. Replace all direct 'sets' of Signature::alproto from keyword registration.

Closes redmine ticket #3006.
6 years ago
Nick Price d0a85b7550 ja3: Mention LibNSS dependency for JA3 6 years ago
Fabrice Fontaine 9b05db7db0 fix build on m68k with uclibc
uclibc on m68k defines _POSIX_SPIN_LOCKS but does not define
pthread_spin_unlock, so check for this function before using the
pthread_spin_xxx functions.

Fixes:
 - http://autobuild.buildroot.org/results/ed923bcc1454ce90444b8dac7c064b5f4ea4a0a5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
6 years ago
Jeff Lucovsky 86fabef093 ftp: address review comments 6 years ago
Jeff Lucovsky f79316d71a ftp: remove RUST guards 6 years ago
Jeff Lucovsky cc5e9ca179 eve/ftp: Modifications for MPM-enabled command descriptor table 6 years ago
Jeff Lucovsky bc68ef4657 app-layer: Invoke FTP parser cleanup function 6 years ago
Jeff Lucovsky 09ab032a8d ftp: Use MPM for command lookup 6 years ago
Jeff Lucovsky 4f2a485c55 ftp: Remove LIBJANSSON guards 6 years ago
Jeff Lucovsky 3df2b3437c eve/ftp: Move "get next line" into app-layer-ftp.c 6 years ago
Victor Julien f43584661c stream: support debug notice message in tfo 6 years ago