aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
3,056 Commits
7 Branches
161 Tags
169 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '218b5d3ba0'
${ noResults }
Commit Graph

2871 Commits (218b5d3ba032f8b7e158ab2325d13b51e0007450)

Author SHA1 Message Date
Anoop Saldanha 1b434f5fff hhd unittests for response headers 14 years ago
Anoop Saldanha e5c3e2cdb1 carry out hhd mpm on both request/response headers 14 years ago
Anoop Saldanha 30247dce8c bug 389 - support http response header inspection + fix bug with stateful inspection for sigs that would have both request/response inpection 14 years ago
Victor Julien 64f717c880 Set 'livedev' in pcap acquisition module for older libpcap version as well. Fixes a segv. 14 years ago
Victor Julien 026a4efc57 Make sure that continued stateful detection only inspects sigs in the proper direction. 14 years ago
Victor Julien 21ee59e6f3 Add signature direction (flow:toserver/flow:toclient) as a signature flag. 14 years ago
Victor Julien d5402d33d4 Simplify detection loop. Inspect packet keywords before the state. 14 years ago
Victor Julien 7fa22e8453 Rename app_layer_events to app-layer-events. Misc fixes/changes. 14 years ago
Victor Julien ecd457db7b Allow flowint names to have dots in them. 14 years ago
Anoop Saldanha 5311cd4866 Support for smtp decoder events 14 years ago
Anoop Saldanha eea5ab4a7a Support for app layer decoder events added + app_layer_event keyword added 14 years ago
Victor Julien 4c1e417d49 Allow non-existing flowints to be incremented. A 'set' to 0 is implied in this case. 14 years ago
Victor Julien d24b3a0e50 Clean up csum detection output, misc fixes. 14 years ago
Eric Leblond 9a2a4802f4 pf-ring: add support for checksum verif mode 
This patch adds support for checksum verification mode.
Supported mode are yes, no, auto and rx-only.
 14 years ago
Eric Leblond 0399a06f4f pcap: fix typo 14 years ago
Eric Leblond db5ca0f3a4 pcap: add auto mode support 14 years ago
Eric Leblond a565148fb1 af-packet: fallback if 'kernel' mode is not supported 
This patch adds a fallback to full checksum validation if 'kernel'
mode is not supported by the running kernel.
 14 years ago
Eric Leblond 51eb96053c af-packet: auto mode support 14 years ago
Eric Leblond c3eaa6cc60 Add per-interface counter for invalid checksum. 
This patch adds a per-device counter for invalid checksum as
well as a simple packet counter.
 14 years ago
Eric Leblond 745b61171a Introduce LiveGetDevice function 14 years ago
Eric Leblond e893e860d4 Rename LiveGetDevice to LiveGetDeviceName 
The function LiveGetDevice is returning a point to
the name of the interface. This patch renames it to
LiveGetDeviceName which is more appropriate.
 14 years ago
Eric Leblond 1d1271fd38 pcap: add support for checksum verif mode 
This patch adds support for checksum verification mode.
Auto mode is not yet supported.
 14 years ago
Eric Leblond 6062e00c2b af-packet: add support for checksum verif mode 
This patch adds support for checksum verification mode.
Auto mode is not yet supported.
 14 years ago
Eric Leblond 551cb3e4c2 decode: introduce checksum mode enum. 14 years ago
Eric Leblond 623bb38d1c af-packet: Fix typo in error message. 14 years ago
Eric Leblond 8d635ddfc2 detect-csum: incomplete checksum is a valid checksum 
This patch modify checksum match to not alert on packet with
incomplete checksum. They will be checksummed later and thus
can be considered as valid one.
 14 years ago
Eric Leblond 67f791e891 af-packet: add variable to disable offloading detection 
This flag adds variable to disable offloading detection. The effect
of the flag is to avoid to transmit auxiliary data at each packet.
This could result in a potential performance gain.
 14 years ago
Eric Leblond f6ddaf3341 af-packet: parse message to find lack of checksum 
Emitted packet can have checksum offloading. This patch reads
af-packet message parameter to see if the kernel has sent a non
checksummed packet.
 14 years ago
Eric Leblond 5dc46ae7c7 pf-ring: Mark emitted traffic as non checksummed 
The traffic sent by an interface is potentially offloaded. This
patch adds detection of TX packets and set the corresponding flag.
 14 years ago
Eric Leblond 81bc6f5518 Treat incomplete checksum. 
Checksum of local traffic is often offloaded to the network device.
This causes some problems on parsing of this traffic. This patch
introduces a PKT_INCOMPLETE_CHECKSUM flag which can be used to
indicate that the checksum is not computed/correct for good reason.
 14 years ago
Victor Julien 9324ed7b90 Fix icmpv6 ip-only rule not firing. #363. 14 years ago
Anoop Saldanha 517040c4af indentation fix 14 years ago
Anoop Saldanha 37b223645a fix detection engine for alert stability. Fix cases where we have multiple rules having same pattern. We should see good perf increase(~5%) with this change, now that we avoid unnecessary inspection" 14 years ago
Anoop Saldanha 42bc22cfa5 indendation fix 14 years ago
Anoop Saldanha ecc7a769a7 reclaim mpm contexts if no patterns are added to it, even in non-full mode 14 years ago
Anoop Saldanha 1389cf6913 update cuda mpm to support per proto mpm contexts. Fix faulty stream mpm usage of cuda 14 years ago
Anoop Saldanha 92643f6110 introduce separate mpm ctxs for tcp/udp/other_protos 14 years ago
Anoop Saldanha a5dec3cb2e refactor all http mpm engine code 14 years ago
Anoop Saldanha 34cf557abf fix indentation 14 years ago
Anoop Saldanha 5b91cec4ae remove unnecessary if/else checks 14 years ago
Victor Julien ada4066238 Add counters for SYN, SYN/ACK and RST TCP packets. Issue #251. 14 years ago
Victor Julien 298289f43f Let flow:only_stream and flow:no_stream set the require packet and require stream flags. Toss out sigs with conflicting settings. Rename flow:stream_only to flow:only_stream. Fixes #261. 14 years ago
Victor Julien c04f45ccb9 Add tcp-pkt and tcp-stream 'protocols' to force a signature to inspect only packet or stream data. 14 years ago
Victor Julien 2c62b50ed5 Fix 2 compiler warnings. 14 years ago
Mike Pomraning cfced01641 Use strlcpy 14 years ago
Mike Pomraning 914b10a8e6 Touch up Makefile for SCConfLogOpenGeneric. 14 years ago
Mike Pomraning dfec9c0f6a Switch 'fast', 'http-log', 'drop' and 'alert-debug' to SCConfLogOpenGeneric. 14 years ago
Mike Pomraning dec34afa40 SCConfLogOpenGeneric() abstraction for regular and AF_UNIX logs. 
util-logopenfile.[ch] implements the abstraction; util-error.[ch]
modified to include a socket-specific error code; output.h adds a
default filetype for logs ("regular").
 14 years ago
Victor Julien a1cb769205 Switch log-file module to use new absolute path detection code. 14 years ago
Victor Julien 4cbaeb408c Add functions to determine whether a path is absolute or relative. 14 years ago
Victor Julien a397599fbb file extraction: add waldo option to file log module. This will store the last used file_id so extracted files won't get overwritten is Suricata is restarted. 14 years ago
Victor Julien effe01ae7b Add Init and DeInit calls to the thread module API. 14 years ago
Eric Leblond 7fb78a0ff6 Fix compilation warning. 14 years ago
Victor Julien 08f3ef7685 Reshuffle version printing so -V prints it only once. 14 years ago
Eric Leblond 1bebb9831d logging: don't display debug message before setting params. 14 years ago
Eric Leblond 05f562fdc3 logging: use SCLogDebug instead of printf 
This patch uses SCLogDebug instead of printf to enable filtering
of the log message by the log filtering option.
 14 years ago
Eric Leblond 9545a56426 ipfw: suppress poll before sendto 
Calling poll before using sendto seems a bit overkill.
 14 years ago
Eric Leblond 6f1b40dd4b ipfw: don't use socket lock in 'worker' mode 
This patch is the IPFW version of NFQ latest patch.
 14 years ago
Eric Leblond 58855494c1 nfq: do not use mutex in 'worker' mode 
Using a mutex on the queue handle is not necessary in 'worker' mode
as there is no concurrent access to it.
 14 years ago
Eric Leblond ef3951d914 runmode: export running mode 
This will permit to put some optimisation in different components.
This is done via the RunmodeGetActive() function.
 14 years ago
Victor Julien c908574545 Use strtoul instead of strtol for sid parsing. Fixes parsing of really large sid numbers. Fixes #393. 14 years ago
Victor Julien c1a40447c1 IP Only cleanup: make most functions static. Add error message on address parsing issues. 14 years ago
Victor Julien e0cf2ccb91 Fix invalid direction error message. 14 years ago
Eric Leblond db19680794 pcap: fix auto runmode 
This patch fixes initialization of a pointer. The lack of it was
causing an invalid interface value to be given to suricata (in
the case no interface was given on the command line).

Reported-by: Delta Yeh <delta.yeh@gmail.com>
 14 years ago
Victor Julien 5a769c02ee Stream engine: handling packets with ACK|CWR. 14 years ago
Anoop Saldanha 999c34111e bug #341 - support for urilen check on both norm and raw buffers 14 years ago
Victor Julien 158d72e7f3 file-inspection: inspect new files in same tx but opposite direction as well. 14 years ago
Victor Julien a6e75aff21 file-extraction: improve handling of complex multipart bodies. 14 years ago
Victor Julien 4eda31df4d file inspection: unset new file available flag when appropriate, prevents duplicate alerts. 14 years ago
Anoop Saldanha 6e2c921037 indentation fixes for ac-gfbs 14 years ago
Anoop Saldanha 2eb3aff0af Further improve compression for ac-gfbs. Character codes shifted to 8 bits from 16/32 bits 14 years ago
Victor Julien 0712300a1c Remove stream BUG_ON's that could fire on TCP session reuse. 14 years ago
Anoop Saldanha 0cde8072f4 fix ffr shutdown segv. We need to supply stream TV the the stream engine 14 years ago
Anoop Saldanha 5620844f7d ac-gfbs fix output presence combination with mod table 14 years ago
Anoop Saldanha 153f2ad3eb ac-gfbs update. Minor improvement of compression for state 0. Improves performance 14 years ago
Anoop Saldanha c6cd59bda4 Update ac-gfbs with some rearrangement. Increased performance from 4-10% 14 years ago
Anoop Saldanha e18cf72c13 fix bug in size parsing API. Pass the string returned by pcre_get_substring and not the passed arg. Also use strtod. Solves usage issues on windows 14 years ago
Victor Julien 842b01cc9c Remove duplicate sys/prctl.h configure check. Wrap another include in HAVE_SYS_PRCTL_H. 14 years ago
Eileen Donlon aaa5a78dfe Moved prctl.h check to configure 14 years ago
deltay 37dc83d411 ignore signal SIGPIPE and SIGSYS 14 years ago
Victor Julien c2c539942b Rework the way the http parser can tell the de_state to reset it's file section on arrival of new files in the same tx. Fixes a dead lock in the auto runmode. 14 years ago
Victor Julien 679b8ec1ba Fix filestore match code not expecting NULL file ptr. 14 years ago
Victor Julien 18d79c4215 file store: respect flowbits and other keywords 
The filestore keyword until now flagged a file, tx or ssn for storage as soon
as the keyword was inspected. This happens before flowbits and some other
keywords, so files were stored that weren't supposed to.

This patch makes the filestore keyword fill an array in the detect engine
thread ctx. Then if the full signature matches, a post-match filestore
function makes the store final.
 14 years ago
Victor Julien 7173256754 Fix compiler warnings in a couple of unittests. 14 years ago
Victor Julien 6d8aa6829d Remove unused variable. 14 years ago
Anoop Saldanha b164247fb8 Changed my email address to anoopsaldanha@gmail.com from my current one - Should have been an amend over my previous commit, but that commit's pushed out 14 years ago
Anoop Saldanha f514b141ce fix ipv6 header setup in pseudo pkt creation 14 years ago
Victor Julien 416b463c51 file-data: add more unittests 14 years ago
Victor Julien 296ce8b5f9 file-data: make bytejump, bytetest, byteextract and isdataat work better with file_data. 14 years ago
Victor Julien 077970051e file-data: implement relative pcre support. 14 years ago
Victor Julien 07e560b137 file-data: initial file_data support 
Support file_data for: content, pcre (relative), byte_test, byte_jump,
byte_extract, isdataat.

File_data support is handled at signature parsing time, all matches
occurring after the file_data in the rule are converted to http_server_body
matches.

Content matches relative to the file_data are converted. Within to depth,
distance to offset. Relative to the start of the body buffer.
 14 years ago
Victor Julien 7adac3048d file-data: create initial keyword registration. 14 years ago
Anoop Saldanha 420befb180 Changed my email address to anoopsaldanha at gmail dot com from my current one 14 years ago
Victor Julien fa0152fa80 Shrink signature flags field to 32 bits. 14 years ago
Victor Julien dd9da1a56f Merge all http mpm related signature flags into a single set: SIG_FLAG_MPM_HTTP and SIG_FLAG_MPM_HTTP_NEG. 14 years ago
Victor Julien d5ed28b065 Remove SIG_FLAG_MPM flag. 14 years ago
Victor Julien fe48920514 Remove per sgh mpm_streamcontent_maxlen variable. It was checked but never set. 14 years ago
Victor Julien 4992f7c417 Remove SIG_FLAG_MPM_URI flag. It was checked but never set. 14 years ago
Victor Julien 2650551192 Rename signature init flags to indicate they are init flags. 14 years ago
Victor Julien 6ebd71545b Fix signature flag definitions on 32 bit. 14 years ago
Victor Julien 291ddd95f2 Detection engine -- mpm 
Each signature is in one mpm ctx at max, but there were 3 separate
id's in use: packet, stream, http. Merged them all into one.

Could shrink the SignatureHeader structure with 8 bytes because of this,
should lead to better caching performance.
 14 years ago
Victor Julien 7db72bce75 Optimize detection engine prefiltering logic. 14 years ago
Victor Julien 89f83e714c Introduce http_server_body keyword. 
The http_server_body content modifier modifies the previous content to inspect
the normalized (dechunked, unzipped) http_server_body. The workings are similar
to http_client_body. Additionally, a new pcre flag was introduced "/S".

To facilitate this change the signature flags field was changed to be 64 bit.
 14 years ago
Eric Leblond 6e7a8f38bf ipfw: Add support for autofp and worker runmode 
This patch convert ipfw code to the PcktAcqLoop API and
rework the running mode to use the running mode wrapper
already used by NFQ.
 14 years ago
Eric Leblond c1ad64b333 ips: update copyright date and author list. 14 years ago
Eric Leblond d4cbc7c38c ipfw: funnier to manage capability in running code. 14 years ago
Eric Leblond f1cb4da442 ipfw: fix indentation of the file. 
I will have to work a lot on this one. It will be easier with a
correct indentation.
 14 years ago
Eric Leblond acc9634106 nfq: add some comments about possible evolution 14 years ago
Eric Leblond 9ca7257279 nfq: suppress unused functions. 14 years ago
Eric Leblond 58b20359a7 nfq: add worker runmode support. 14 years ago
Eric Leblond aee2e3ddd6 nfq: Add autofp mode support 14 years ago
Eric Leblond 115c3499d2 nfq: factorize auto mode 14 years ago
Eric Leblond 70c574fb63 runmode: Add support for IPS running mode 
This patch adds the 'auto', 'autofp' and 'worker' runmode for
IPS. It provides a set of ready-to-use functions that can be
used by NFQ and IPFW to implement this running mode.
 14 years ago
Eric Leblond 5cfdd7594f util-device: Modify function name. 
This patch modifies LiveBuildQueueList name to LiveBuildDeviceList
to have a consistent naming accross function. It also adds a
doxygen comment to add author and description of util-device.c
file.
 14 years ago
Eric Leblond 7096e11ab5 af-packet: simplify code. 14 years ago
Eric Leblond 5cec22ac37 threads: Add sanity check. 14 years ago
Eileen Donlon 327fd048a0 Fixed coredump windows compile issue 14 years ago
Eric Leblond 6c55af847b 'auto' running mode does not support 'threads' var. 
This patch modifies the RunModeSetLiveCaptureAuto() prototype to
be able to detect that a 'threads' variable (telling how much
threads must listen to one socket in IDS mode) has been used
in the configuration file. It then print a warning message
if this is the case.
 14 years ago
Victor Julien 6f0ca120d1 Make sure existing log-pcap and unified2-alert 'limit' settings don't break. 14 years ago
Victor Julien 678213c9f4 Fix ParseSizeString return code and a compiler warning. 14 years ago
Anoop Saldanha 4b8ebb5c53 set default response body limit for specific http server conf 14 years ago
Anoop Saldanha 6240131a4e updates to accomodate master rebase 14 years ago
Anoop Saldanha 7c9d1b80fd Update size parsing API with new calls for returing u8, u16, u32 and u64 values. Make updates in the codebase to use these new calls 14 years ago
Anoop Saldanha e0c13434ef bug 333 - support new Size Parsing API. Update various conf params inside the engine to use this API to parse sizes in the format xxx <-just the no represents bytes, xxxkb <- kilobytes, xxxmb <- megabytes, xxxgb <- gigabytes, where xxx is a \d+ 14 years ago
Eileen Donlon 79e0299643 Fixed coredump compile problems on bsd, windows 14 years ago
Anoop Saldanha b970273163 fix broken unittest 14 years ago
Anoop Saldanha 651f91e4de fix setting pseudo packet from this commit: 
commit 259e022f721a7c3a70c26447b1cf730bb8a1f6cd
Author: Anoop Saldanha <poonaatsoc@gmail.com>
Date:   Sun Dec 4 13:20:43 2011 +0530

    fix setting ipv4 header in pseudo packet
 14 years ago
Anoop Saldanha d40fb5b933 Remove unnecessary flow NULL check 14 years ago
Anoop Saldanha 8533cd2cdf fix mapping of tcp states to flow_established and flow_closed. Improves accuracy 14 years ago
Anoop Saldanha cc7db6315c Move setting packet iponly flags from decode section to stream section 14 years ago
Anoop Saldanha eaf15911e7 fix setting ipv4 header in pseudo packet 14 years ago
Victor Julien 322779fb23 flow engine: release flow lock earlier in flow kill/prune process. Minor cleanups. 14 years ago
Victor Julien 5401764697 flow engine: minor cleanup. 14 years ago
Victor Julien bfa872b9b7 flow engine: no longer allow FlowRequeue to be called with the same src and dst queue. 14 years ago
Victor Julien 84c7480c06 flow engine: convert flow hash code FlowRequeue call to FlowEnqueue. 14 years ago
Victor Julien ad4e016288 flow engine: make FlowEnqueue lock the queue. Adapt callers. 14 years ago
Victor Julien fbbdbb251f flow engine: remove unneeded 'need_srclock' argument for FlowRequeue 14 years ago
Victor Julien 0331da9773 flow engine: introduce FlowRequeueMoveToSpare 
As part of a clean up of how FlowRequeue is used, introduce
FlowRequeueMoveToSpare for moving a flow from a locked queue to the
spare queue.
 14 years ago
Victor Julien 7fa3df33f2 flow engine: introduce FlowRequeueMoveToBot 
As part of a clean up of how FlowRequeue is used, introduce
FlowRequeueMoveToBot for moving a flow to the bottom of it's queue.
 14 years ago
Victor Julien ae1e4c1d7d Add missing hash row unlock. 14 years ago
Victor Julien f47f601f09 Fix unified2 setting the wrong eth_type. 14 years ago
Eric Leblond 9422a36851 unified2: avoid to log RAW packet 
If the packet datalink is ethernet, we add a fake ethernet
header to stream logging to avoid that barnyard2 create
different files.
 14 years ago
Eric Leblond fc56abfcd0 unified2: log an ethernet header for stream alert. 
If packet is a of type ethernet, we log the alert reconstructed
payload as an ethernet packet and not a raw packet. This will avoid
to confuse barnyard2 pcap output.
 14 years ago
Victor Julien 49d6885ec7 Improve debug validation code for packet, add new macro for flow. 14 years ago
Victor Julien 3009429e3c HTTP transaction handling improvement 
In some cases AppLayerTransactionGetInspectId can return -1, which is
now handled by all it's callers.

Improve logic of selecting which transactions are inspected by the various
HTTP keywords.
 14 years ago
Eileen Donlon dbdf2d888f Enable/disable core dump in config (feature 319) 14 years ago
Victor Julien 7b0f261fdc Add some debug statements for debugging a smtp issue. 14 years ago
Victor Julien 004b5dde88 Support libhtp's different handling of CONNECT requests. 14 years ago
Victor Julien 117d51c965 Fix a compile warning when debug is enabled. 14 years ago
Victor Julien 1df3304655 Clean up for unittests code: only compile unittest api code when unittests are enabled. Fix unittest code that wasn't wrapped in the proper UNITTESTS ifdefs. 14 years ago
Victor Julien a138b32533 flow manager: timing change 
Set default timeout for the flow manager to wake up to 1 second. The 0.4 sec
performed best on a Xeon, but in kvm vm's it was horrible:

32 bit vm: 60% cpu for flowmgr when idle.
64 bit vm: 30% cpu for flowmgr when idle.

With the 1 second timeout both are at 0.3% cpu.
 14 years ago
Victor Julien 786148319c Lower flow manager wake up timer to 0.4 seconds as that performs 2% better in my tests. 14 years ago
Anoop Saldanha 776bf633e3 flow manager code cleanup. Remove unused code + fix indentation. Remove unused vars 14 years ago
Anoop Saldanha 5133098bd6 Accomodate pcap-file mode to signal flow mgr to wakeup when it exceeds a certain time interval. This let's the flow mgr keep in sync with pcap timestamp changes 14 years ago
Anoop Saldanha 9917744707 separate timers for flow mgr thread for normal and emerg mode. Signal flow mgr thread when in emerg mode 14 years ago
Eric Leblond 5a63662766 Flow: use condition system instead of short sleep 
Short sleep can lead to some really annoying performance issue in
some environnement like virtual systems. This technic was used in
the flow manager. This patch uses an alternate approach based on
a timed condition which is triggered each time a new flow has to
be created. This avoid to run out of flow. A counter is also done
to be able not to run the cleaning code at each new flow.
 14 years ago
Victor Julien 34450b9b57 Don't parse layers / ext headers above ipv6 frag header. This is taken care of by defrag. 14 years ago
Victor Julien 938e9b3db0 Fix filestore related segv. 14 years ago
Victor Julien e6d8d0443c Unify output functions for alert-debug for IPv4 and IPv6. 14 years ago
Victor Julien 3c7f09d1ea Add debug output to engine event. 14 years ago
Victor Julien e6af837b25 Convert StreamTcpSetEvent function into macro. Eases debug. 14 years ago
Victor Julien 58011554b0 Don't consider payload len in ACK value validation check. 14 years ago
Victor Julien 9878eca086 file handling: expand filestore keyword 
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.

The filestore keyword now takes 2 optional options:

filestore:<direction>,<scope>;

By default the direction is "same as rule match", and scope is "currently
inspected file".

For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".

For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.

For the above case, where a suspious request should lead to a response file
download, this would work:

alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
 14 years ago
Victor Julien ddfa5c49c6 Stream engine: gap handling 
Set a stream event for stream gaps.
Add a (disabled by default) signature to the stream-event.rules.
 14 years ago
Victor Julien 45d86ff58a Stream reassembly / app layer: disable gap errors 
Gap errors on the app layer are now silently handled. No longer printed
to the screen.
 14 years ago
Victor Julien 425294f912 stream reassembly: account stream gaps 
Add counter to the stream reassembly engine to count stream gaps. Stream gaps
are the result of missing packets (usually due to packet loss). This missing
data stops the reassembly for the app layer.
 14 years ago
Victor Julien d8d8fdd9f5 Improve handling of packets when stream is in the fin_wait1 or fin_wait2 state. 14 years ago
Victor Julien b74c73309b file handling: improve filestore keyword handling 
In stateful detection only inspect the file portion of the rule after all
other conditions matched. This to prevent "filestore" from tagging files
for storage during a partial match.

Add a couple of unittests to test the behaviour change.
 14 years ago
Victor Julien 4cbe7519fa Add missing file util code. 14 years ago
Victor Julien 56b96363b8 Fix merge artefact. 14 years ago
Victor Julien 63c9a3ab85 Remove duplicate include. 14 years ago
Victor Julien 042fd850fc Make sure we check the sgh for no magic and no store once per flow direction. 14 years ago
Victor Julien f3fbc1a44c file handling: filemagic matching improvement 
Magic buffer is a null terminated string. Allow matching on the final
\0 using filemagic:"somevalue|00|"; so we can anchor to the end of the
buffer.
 14 years ago
Victor Julien 2ccd35c6e4 Fix code after rebase. 14 years ago
Victor Julien 33848124d1 Fix a multipart body parsing issue. 14 years ago
Victor Julien 96d20098b0 file inspect: stateful inspection split 
Split stateful detection of the files in a HTTP state between toserver
and toclient inspection.
 14 years ago
Victor Julien d59ca75e46 file extract: split toserver and toclient tracking 
Split toserver and toclient file tracking for the http state.
 14 years ago
Victor Julien 04ea70ccf7 file extract: pruning 
Add pruning of files in memory so we keep only memory what we really need.
Fix magic logic.
Reset file part of the de_state on receiving another file in the same tx.
 14 years ago
Victor Julien 1c934acc85 Don't store fd per file (too many fd's). Enable IPv6 storing. Close file on receiving stream end flag. 14 years ago
Victor Julien b402d97179 File carving -- enable reponse file extraction 
- Enable response body tracking
- Enable file extraction for responses
- File store meta file includes magic, close reason.
- Option to force magic lookup for all stored files.
- Fix libmagic calls thead safety.
 14 years ago
Victor Julien 66a3cd96a8 Prepare HTTP response body tracking. 14 years ago
Victor Julien 417495e542 file-extraction: remove no longer used files. 14 years ago
Victor Julien e1022ee5ae file-extraction: Disconnect file handling from flow and move into the app layer state. 14 years ago
Victor Julien 27645f64c6 Remove unused util-filetype.[ch] from Makefile.am. 14 years ago
Victor Julien 9b62ec65ab Make sure filemagic works properly regardless of filestore being in use for a flow. 14 years ago
Victor Julien 5945e652d6 Initial implementation of filemagic keyword. 14 years ago
Victor Julien f4a6f4b293 Add libmagic detection, linking and a basic API. 14 years ago
Victor Julien 23e01d23d3 Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored. 14 years ago
Victor Julien 3e7baa6810 Fix improper error handling in http body chunk function. 14 years ago
Victor Julien 403b2788d6 Add support for extracting PUT files. 14 years ago
Victor Julien 59cda9a358 Fix not using new htp callback when using the bundled htp. Add indication to --build-info. Fix valgrind warning in test and further improve test. 14 years ago
Victor Julien ef0536794c Adding comments, some cleanups. 14 years ago
Victor Julien 21acd72adf Cleanups to the Multipart parsing code. Fixes to negation in filename and fileext. 14 years ago
Victor Julien 70f0d3d2e7 Add negation to filename and fileext, use same syntax as with content. 14 years ago
Victor Julien 32fb9f375d log-file log-dir option added, meta file created, fixes. 14 years ago
Victor Julien a6b7a560f1 Fix a bug in the HTTP file closing. 14 years ago
Victor Julien 7e3d537338 Fix setting libhtp personality. 14 years ago
Victor Julien 1eef36b011 Initial checkin of a log-file module, that can write files extracted from flows to disk. 14 years ago
Victor Julien 3c1edf3763 Add a file descriptor to the flow file structure. 14 years ago
Victor Julien cd618e48df Allow for 0 (unlimited) HTTP request_body_limit, fix option parsing. 14 years ago
Victor Julien 4723f07254 Improve testing and fix some bugs. 14 years ago
Victor Julien 9d5d46c4bb Implement flow file storage API, create HTP wrappers for it, use it in HTTP parsing. 14 years ago
Victor Julien a0ee6ade3e Improve HTTP multipart parsing, add streaming parsing for files. 14 years ago
Victor Julien 4537f889ef Handle all strings as raw strings in HTTP content-type and content-disposition header parsing. 14 years ago
System Administrator 222bc6e935 Flow files 14 years ago
Pablo Rincon 6d60b3a747 filename and fileext keywords 14 years ago
Victor Julien 06b1d71032 Small optimizations to IPV4 and TCP header parsing. 14 years ago
Eric Leblond 0256ca2422 af-packet: fix compilation on new systems. 
Inclusion of if_packet.h was missing when the support of new options
related to packet fanout is present in the file.
 14 years ago
Anoop Saldanha bf24272c28 changes to accomodate master rebase 14 years ago
Anoop Saldanha 997eaf42a8 add thread local storage support for smtp + remove pmq that was init/freed as part of smtp_state alloc to use the thread local data passed by the app layer engine 14 years ago
Anoop Saldanha 9a6aef459e modify all relevant app layer API calls to accomodate passing parser local storage argument 14 years ago
Anoop Saldanha d3468d88b0 app layer udp cleanup + update dcerpc udp todo 14 years ago
Anoop Saldanha 01a35bb604 introduce app layer local storage api support 14 years ago
Anoop Saldanha 87599bc78d minor changes in smtp parser decoder wrt direction check loop + add missing ifdef unittests 14 years ago
Anoop Saldanha 3a856fed12 update detection engine to compare flow alproto with sig_alproto, rather than sm alproto. 14 years ago
Anoop Saldanha 4d38a571cc smtp reply code mpm phase support added 14 years ago
Anoop Saldanha 4a6908d3e9 fix smtp parser handling fragmented lines + add new unittests to check the same 14 years ago
Anoop Saldanha 2b356dadff Support for tos keyword added 14 years ago
deltay 211193b0af Get pidfile from config file if not available in command options 14 years ago
Victor Julien 262a7300d7 flow: shrink Flow datatype 
Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address
that doesn't have the family in it like the Address structure. Instead, the
family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6.

Add macro's to check the family, copy the address, etc.

Update many unittests to reflect these changes. Introduce unittest helper
functions for creating and initializing a flow and freeing it again.

On 64 bit this shrinks the flow with 8 bytes.
 14 years ago
Victor Julien 06904c9024 App Layer cleanup 
Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate.
Various cleanups and dead code removal from the app layer API.
Should safe 100+ bytes memory per flow on 64 bit.
Updated lots of unittests to reflect these changes.
 14 years ago
Victor Julien a0b532dc45 stream reassembly: simplify base_seq tracking for protocol detection. Shrinks TcpStream structure. 14 years ago
Victor Julien 7e3c15e54a stream: improve TCP ssn reuse cleanup. 14 years ago
Victor Julien 9769510ba3 flow: support requeue of flows from closed to new list for TCP ssn reuse. 14 years ago
Anoop Saldanha 4130c5e2b8 if flow has disabled app layer inspection, disable buffering the segments unnecessarily in inline reassembly 14 years ago
Anoop Saldanha 43cbed8c92 enable toclient alproto detection for inline reassembly 14 years ago
Anoop Saldanha f684b60127 if flow has disabled app layer inspection, disable buffering the segments unnecessarily 14 years ago
Anoop Saldanha 08bd8ec4e2 on failed alproto detection on both sides, only disable app layer inspection. No reassembly disabling for any direction 14 years ago
Victor Julien c9960473bb Fix stream reassembly engine rejecting valid packet for reassembly. 14 years ago
Anoop Saldanha 55ed6c2a55 disable session reassembly for either/both the directions, only when we have established failed proto detection in both the directions 14 years ago
Anoop Saldanha 4650bf7170 minor code cleanup. remove commented out code 14 years ago
Anoop Saldanha de9ad02b59 Remove leftover imap and msn toclient alproto PM contents 14 years ago
Anoop Saldanha caf26c2618 More updates to FFR code. Handle cases where we actually need to force stream reassembly and just have smsgs to be processsed by detection engine separately 14 years ago
Anoop Saldanha bc216a3396 fix/updates to app layer proto detection 14 years ago
Anoop Saldanha 78e6a7f713 enable toclient alproto detection. Detection all current alproto toclient PMP patterns 14 years ago
Anoop Saldanha 9c8d404db1 FFR update-fix. Fix check where we decide whether we need to send pseudo pkt or not 14 years ago
Anoop Saldanha b08b390bcd fix for bug 375 - update radix test that wrongly uses memset and sizeof 14 years ago
Victor Julien 3d845b6c77 Consider Windows new line chars as well when parsing rule files. Bug #374. 14 years ago
Eileen Donlon a92d15ed37 Fixed duplicate signature check 14 years ago
Anoop Saldanha 99baf18c8d updates to ac-gfbs search. Remove unnecessary casting of pointers 14 years ago
Anoop Saldanha 11e7dda59a updates to ac-gfbs search. Introduce handling cases where state_count is < 32k 14 years ago
Anoop Saldanha 708c4ad055 updates to ac-gfbs search. Combine output presence with mod goto table 14 years ago
Anoop Saldanha a4ea7e6197 updates to ac-gfbs search. Combine failure table along with mod goto table for better cache perf 14 years ago
Anoop Saldanha b69ac9514f updates to ac-gfbs search. Disable handling < 65k states separately. Now any state count would be given same treatment 14 years ago
Anoop Saldanha efb4c27b1f updates to ac-gfbs search. Add new unittests + fix cases where we have 2 patterns that are same but one is CS and other CI + Use SCMemcmp for state < 65k instead of custom memcmp 14 years ago
Anoop Saldanha 0920296aaa updates to ac-gfbs search. Remove unnecessary casting of pointers 14 years ago
Anoop Saldanha d149a5e806 updates to ac-gfbs search. Use SCMemcmp instead of the custom pattern searching used 14 years ago
Anoop Saldanha 47f2d6e07b updates to ac-gfbs search. Optimize pointer de-referencing for pid_pat_list 14 years ago
Anoop Saldanha 991f6d2d83 updates to ac-gfbs search. Optimize pointer de-referencing for frequently used pointers 14 years ago
Anoop Saldanha ffb925e3b3 indentation fixes for ac-gfbs 14 years ago