aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
3,056 Commits
7 Branches
161 Tags
170 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '218b5d3ba0'
${ noResults }
Commit Graph

2871 Commits (218b5d3ba032f8b7e158ab2325d13b51e0007450)

Author SHA1 Message Date
Victor Julien a138b32533 flow manager: timing change 
Set default timeout for the flow manager to wake up to 1 second. The 0.4 sec
performed best on a Xeon, but in kvm vm's it was horrible:

32 bit vm: 60% cpu for flowmgr when idle.
64 bit vm: 30% cpu for flowmgr when idle.

With the 1 second timeout both are at 0.3% cpu.
 14 years ago
Victor Julien 786148319c Lower flow manager wake up timer to 0.4 seconds as that performs 2% better in my tests. 14 years ago
Anoop Saldanha 776bf633e3 flow manager code cleanup. Remove unused code + fix indentation. Remove unused vars 14 years ago
Anoop Saldanha 5133098bd6 Accomodate pcap-file mode to signal flow mgr to wakeup when it exceeds a certain time interval. This let's the flow mgr keep in sync with pcap timestamp changes 14 years ago
Anoop Saldanha 9917744707 separate timers for flow mgr thread for normal and emerg mode. Signal flow mgr thread when in emerg mode 14 years ago
Eric Leblond 5a63662766 Flow: use condition system instead of short sleep 
Short sleep can lead to some really annoying performance issue in
some environnement like virtual systems. This technic was used in
the flow manager. This patch uses an alternate approach based on
a timed condition which is triggered each time a new flow has to
be created. This avoid to run out of flow. A counter is also done
to be able not to run the cleaning code at each new flow.
 14 years ago
Victor Julien 34450b9b57 Don't parse layers / ext headers above ipv6 frag header. This is taken care of by defrag. 14 years ago
Victor Julien 938e9b3db0 Fix filestore related segv. 14 years ago
Victor Julien e6d8d0443c Unify output functions for alert-debug for IPv4 and IPv6. 14 years ago
Victor Julien 3c7f09d1ea Add debug output to engine event. 14 years ago
Victor Julien e6af837b25 Convert StreamTcpSetEvent function into macro. Eases debug. 14 years ago
Victor Julien 58011554b0 Don't consider payload len in ACK value validation check. 14 years ago
Victor Julien 9878eca086 file handling: expand filestore keyword 
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.

The filestore keyword now takes 2 optional options:

filestore:<direction>,<scope>;

By default the direction is "same as rule match", and scope is "currently
inspected file".

For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".

For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.

For the above case, where a suspious request should lead to a response file
download, this would work:

alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
 14 years ago
Victor Julien ddfa5c49c6 Stream engine: gap handling 
Set a stream event for stream gaps.
Add a (disabled by default) signature to the stream-event.rules.
 14 years ago
Victor Julien 45d86ff58a Stream reassembly / app layer: disable gap errors 
Gap errors on the app layer are now silently handled. No longer printed
to the screen.
 14 years ago
Victor Julien 425294f912 stream reassembly: account stream gaps 
Add counter to the stream reassembly engine to count stream gaps. Stream gaps
are the result of missing packets (usually due to packet loss). This missing
data stops the reassembly for the app layer.
 14 years ago
Victor Julien d8d8fdd9f5 Improve handling of packets when stream is in the fin_wait1 or fin_wait2 state. 14 years ago
Victor Julien b74c73309b file handling: improve filestore keyword handling 
In stateful detection only inspect the file portion of the rule after all
other conditions matched. This to prevent "filestore" from tagging files
for storage during a partial match.

Add a couple of unittests to test the behaviour change.
 14 years ago
Victor Julien 4cbe7519fa Add missing file util code. 14 years ago
Victor Julien 56b96363b8 Fix merge artefact. 14 years ago
Victor Julien 63c9a3ab85 Remove duplicate include. 14 years ago
Victor Julien 042fd850fc Make sure we check the sgh for no magic and no store once per flow direction. 14 years ago
Victor Julien f3fbc1a44c file handling: filemagic matching improvement 
Magic buffer is a null terminated string. Allow matching on the final
\0 using filemagic:"somevalue|00|"; so we can anchor to the end of the
buffer.
 14 years ago
Victor Julien 2ccd35c6e4 Fix code after rebase. 14 years ago
Victor Julien 33848124d1 Fix a multipart body parsing issue. 14 years ago
Victor Julien 96d20098b0 file inspect: stateful inspection split 
Split stateful detection of the files in a HTTP state between toserver
and toclient inspection.
 14 years ago
Victor Julien d59ca75e46 file extract: split toserver and toclient tracking 
Split toserver and toclient file tracking for the http state.
 14 years ago
Victor Julien 04ea70ccf7 file extract: pruning 
Add pruning of files in memory so we keep only memory what we really need.
Fix magic logic.
Reset file part of the de_state on receiving another file in the same tx.
 14 years ago
Victor Julien 1c934acc85 Don't store fd per file (too many fd's). Enable IPv6 storing. Close file on receiving stream end flag. 14 years ago
Victor Julien b402d97179 File carving -- enable reponse file extraction 
- Enable response body tracking
- Enable file extraction for responses
- File store meta file includes magic, close reason.
- Option to force magic lookup for all stored files.
- Fix libmagic calls thead safety.
 14 years ago
Victor Julien 66a3cd96a8 Prepare HTTP response body tracking. 14 years ago
Victor Julien 417495e542 file-extraction: remove no longer used files. 14 years ago
Victor Julien e1022ee5ae file-extraction: Disconnect file handling from flow and move into the app layer state. 14 years ago
Victor Julien 27645f64c6 Remove unused util-filetype.[ch] from Makefile.am. 14 years ago
Victor Julien 9b62ec65ab Make sure filemagic works properly regardless of filestore being in use for a flow. 14 years ago
Victor Julien 5945e652d6 Initial implementation of filemagic keyword. 14 years ago
Victor Julien f4a6f4b293 Add libmagic detection, linking and a basic API. 14 years ago
Victor Julien 23e01d23d3 Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored. 14 years ago
Victor Julien 3e7baa6810 Fix improper error handling in http body chunk function. 14 years ago
Victor Julien 403b2788d6 Add support for extracting PUT files. 14 years ago
Victor Julien 59cda9a358 Fix not using new htp callback when using the bundled htp. Add indication to --build-info. Fix valgrind warning in test and further improve test. 14 years ago
Victor Julien ef0536794c Adding comments, some cleanups. 14 years ago
Victor Julien 21acd72adf Cleanups to the Multipart parsing code. Fixes to negation in filename and fileext. 14 years ago
Victor Julien 70f0d3d2e7 Add negation to filename and fileext, use same syntax as with content. 14 years ago
Victor Julien 32fb9f375d log-file log-dir option added, meta file created, fixes. 14 years ago
Victor Julien a6b7a560f1 Fix a bug in the HTTP file closing. 14 years ago
Victor Julien 7e3d537338 Fix setting libhtp personality. 14 years ago
Victor Julien 1eef36b011 Initial checkin of a log-file module, that can write files extracted from flows to disk. 14 years ago
Victor Julien 3c1edf3763 Add a file descriptor to the flow file structure. 14 years ago
Victor Julien cd618e48df Allow for 0 (unlimited) HTTP request_body_limit, fix option parsing. 14 years ago
Victor Julien 4723f07254 Improve testing and fix some bugs. 14 years ago
Victor Julien 9d5d46c4bb Implement flow file storage API, create HTP wrappers for it, use it in HTTP parsing. 14 years ago
Victor Julien a0ee6ade3e Improve HTTP multipart parsing, add streaming parsing for files. 14 years ago
Victor Julien 4537f889ef Handle all strings as raw strings in HTTP content-type and content-disposition header parsing. 14 years ago
System Administrator 222bc6e935 Flow files 14 years ago
Pablo Rincon 6d60b3a747 filename and fileext keywords 14 years ago
Victor Julien 06b1d71032 Small optimizations to IPV4 and TCP header parsing. 14 years ago
Eric Leblond 0256ca2422 af-packet: fix compilation on new systems. 
Inclusion of if_packet.h was missing when the support of new options
related to packet fanout is present in the file.
 14 years ago
Anoop Saldanha bf24272c28 changes to accomodate master rebase 14 years ago
Anoop Saldanha 997eaf42a8 add thread local storage support for smtp + remove pmq that was init/freed as part of smtp_state alloc to use the thread local data passed by the app layer engine 14 years ago
Anoop Saldanha 9a6aef459e modify all relevant app layer API calls to accomodate passing parser local storage argument 14 years ago
Anoop Saldanha d3468d88b0 app layer udp cleanup + update dcerpc udp todo 14 years ago
Anoop Saldanha 01a35bb604 introduce app layer local storage api support 14 years ago
Anoop Saldanha 87599bc78d minor changes in smtp parser decoder wrt direction check loop + add missing ifdef unittests 14 years ago
Anoop Saldanha 3a856fed12 update detection engine to compare flow alproto with sig_alproto, rather than sm alproto. 14 years ago
Anoop Saldanha 4d38a571cc smtp reply code mpm phase support added 14 years ago
Anoop Saldanha 4a6908d3e9 fix smtp parser handling fragmented lines + add new unittests to check the same 14 years ago
Anoop Saldanha 2b356dadff Support for tos keyword added 14 years ago
deltay 211193b0af Get pidfile from config file if not available in command options 14 years ago
Victor Julien 262a7300d7 flow: shrink Flow datatype 
Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address
that doesn't have the family in it like the Address structure. Instead, the
family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6.

Add macro's to check the family, copy the address, etc.

Update many unittests to reflect these changes. Introduce unittest helper
functions for creating and initializing a flow and freeing it again.

On 64 bit this shrinks the flow with 8 bytes.
 14 years ago
Victor Julien 06904c9024 App Layer cleanup 
Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate.
Various cleanups and dead code removal from the app layer API.
Should safe 100+ bytes memory per flow on 64 bit.
Updated lots of unittests to reflect these changes.
 14 years ago
Victor Julien a0b532dc45 stream reassembly: simplify base_seq tracking for protocol detection. Shrinks TcpStream structure. 14 years ago
Victor Julien 7e3c15e54a stream: improve TCP ssn reuse cleanup. 14 years ago
Victor Julien 9769510ba3 flow: support requeue of flows from closed to new list for TCP ssn reuse. 14 years ago
Anoop Saldanha 4130c5e2b8 if flow has disabled app layer inspection, disable buffering the segments unnecessarily in inline reassembly 14 years ago
Anoop Saldanha 43cbed8c92 enable toclient alproto detection for inline reassembly 14 years ago
Anoop Saldanha f684b60127 if flow has disabled app layer inspection, disable buffering the segments unnecessarily 14 years ago
Anoop Saldanha 08bd8ec4e2 on failed alproto detection on both sides, only disable app layer inspection. No reassembly disabling for any direction 14 years ago
Victor Julien c9960473bb Fix stream reassembly engine rejecting valid packet for reassembly. 14 years ago
Anoop Saldanha 55ed6c2a55 disable session reassembly for either/both the directions, only when we have established failed proto detection in both the directions 14 years ago
Anoop Saldanha 4650bf7170 minor code cleanup. remove commented out code 14 years ago
Anoop Saldanha de9ad02b59 Remove leftover imap and msn toclient alproto PM contents 14 years ago
Anoop Saldanha caf26c2618 More updates to FFR code. Handle cases where we actually need to force stream reassembly and just have smsgs to be processsed by detection engine separately 14 years ago
Anoop Saldanha bc216a3396 fix/updates to app layer proto detection 14 years ago
Anoop Saldanha 78e6a7f713 enable toclient alproto detection. Detection all current alproto toclient PMP patterns 14 years ago
Anoop Saldanha 9c8d404db1 FFR update-fix. Fix check where we decide whether we need to send pseudo pkt or not 14 years ago
Anoop Saldanha b08b390bcd fix for bug 375 - update radix test that wrongly uses memset and sizeof 14 years ago
Victor Julien 3d845b6c77 Consider Windows new line chars as well when parsing rule files. Bug #374. 14 years ago
Eileen Donlon a92d15ed37 Fixed duplicate signature check 14 years ago
Anoop Saldanha 99baf18c8d updates to ac-gfbs search. Remove unnecessary casting of pointers 14 years ago
Anoop Saldanha 11e7dda59a updates to ac-gfbs search. Introduce handling cases where state_count is < 32k 14 years ago
Anoop Saldanha 708c4ad055 updates to ac-gfbs search. Combine output presence with mod goto table 14 years ago
Anoop Saldanha a4ea7e6197 updates to ac-gfbs search. Combine failure table along with mod goto table for better cache perf 14 years ago
Anoop Saldanha b69ac9514f updates to ac-gfbs search. Disable handling < 65k states separately. Now any state count would be given same treatment 14 years ago
Anoop Saldanha efb4c27b1f updates to ac-gfbs search. Add new unittests + fix cases where we have 2 patterns that are same but one is CS and other CI + Use SCMemcmp for state < 65k instead of custom memcmp 14 years ago
Anoop Saldanha 0920296aaa updates to ac-gfbs search. Remove unnecessary casting of pointers 14 years ago
Anoop Saldanha d149a5e806 updates to ac-gfbs search. Use SCMemcmp instead of the custom pattern searching used 14 years ago
Anoop Saldanha 47f2d6e07b updates to ac-gfbs search. Optimize pointer de-referencing for pid_pat_list 14 years ago
Anoop Saldanha 991f6d2d83 updates to ac-gfbs search. Optimize pointer de-referencing for frequently used pointers 14 years ago
Anoop Saldanha ffb925e3b3 indentation fixes for ac-gfbs 14 years ago
Anoop Saldanha e9eb0e502c updates to ac-gfbs search. Handle cases where we have a single entry for a state goto transition, just like how we handle for no entry for a particular state 14 years ago
Eric Leblond 9b75de3339 pfring: fix compilation when pfring is desactivated. 14 years ago
Eric Leblond 0ac1cabf2a autotools: fix problem of pfring configuration. 14 years ago
deltay d5e254d504 Add pfring bpf filter, require pfring >= 5.1 14 years ago
Eric Leblond 9f73503daa capability: rework capability assignement 
THis patch rework the capability code to use a switch
instead of a if. It also "reduces" PF_RING and NFQ capabilities.
 14 years ago
Anoop Saldanha d034b10180 remove debug prints added to ac code 14 years ago
Anoop Saldanha 781e7c776f fix indentation in ac code 14 years ago
Anoop Saldanha 5c56053a33 Reintroduced optimized support for < 32k states for ac 14 years ago
Victor Julien fb76561b09 Set version to 1.2dev to reflect we're in the 1.2 branch. 14 years ago
Victor Julien 8cc82c7241 Add -S commandline option that loads a rule file exclusively. Issue #338. 14 years ago
Victor Julien c484b7a59e Bump version to 1.1 (final) 14 years ago
Eric Leblond 62e63e3fe9 af-packet: fix reconnection on netdown error. 
AFPRead can fail following a NETDOWN error. This patch treat errors
of AFPRead by forcing a reconnection (instead of exiting thread
with error).
 14 years ago
Eric Leblond 361bf22121 af-packet: suppress annoying debug message. 
This message was firing multiple per second when a monitored
interface disappear.
 14 years ago
Victor Julien 0fadd93011 Fix an invalid free in bpf code. 14 years ago
Victor Julien ea53f72f7d Fix CUDA build. 14 years ago
Eric Leblond 9f7ee03deb log: read output filter from config file. 
The output filter was not read from configuration file and thus
not used in this case.
 14 years ago
Eric Leblond 866d681ff2 pfring: fix stupid enum usage. 
pfring code is not using standard notation for the cluster_type enum
and this leads to a horrific code in pfring acquisition code.
 14 years ago
Eric Leblond a6a0d4eae6 pfring: use deinit function. 
This fixes #368.
 14 years ago
Eric Leblond a54afe7052 Fix printing of sizeof. 14 years ago
Victor Julien 2d16abcf8b Minor code cleanups fixing all GCC 4.6 compiler warnings for default, debug and unittests mode. 14 years ago
Eric Leblond 2387c6b0e8 pcap: Fix setting of buffer size from command line. 14 years ago
Victor Julien 1be65e7b68 Fixes for building in Cygwin. 14 years ago
Victor Julien 85033f5afe Fix windows adapter id being truncated for pcap mode. 14 years ago
Eric Leblond 2bc0be6e65 af-packet: fix compilation problem on windows. 14 years ago
Victor Julien 404868c28b Get rid of strcasestr call as win32 doesn't have it. 14 years ago
Victor Julien 561630d864 Fix SMTP unittest. 14 years ago
Victor Julien 47abd0ef19 Fix compiler warning. 14 years ago
Anoop Saldanha 0acfcc206c fix unittests. fix replace unittests that allow alproto keywords with replace 14 years ago
Anoop Saldanha a0eec3d846 fix detection code that handles cases when we use recursion(from recursive keyword) 14 years ago
Anoop Saldanha 7433d92dd2 undo this commit - 
commit eff08f93d8
Author: Anoop Saldanha <poonaatsoc@gmail.com>
Date:   Thu Nov 3 14:31:24 2011 +0530

    update failing unittest to reflect the mpm design update

Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
 14 years ago
Anoop Saldanha 1b1332fff0 fix mpm bug on running stream mpm for packets not added to stream mpm 14 years ago
Victor Julien 9f0e3f7c85 Bump version to 1.1rc1. 14 years ago
Victor Julien 55da9787a4 Win32 compile fixes. 14 years ago
Victor Julien d070869c48 Reinstate replace validation check. 14 years ago
Anoop Saldanha eff08f93d8 update failing unittest to reflect the mpm design update 14 years ago
Victor Julien af51493da2 Mpm update: Toss out signatures that mix pkt and stream/state. Update profiling code to track new mpm. 14 years ago
Anoop Saldanha 539ce13695 fix broken unittests 14 years ago
Anoop Saldanha 17f3f36d38 packet keywords only added for packet mpm. Rest in stream mpm. Update detection engine to handle the same 14 years ago
Anoop Saldanha e0c36f7aff fix dsize sigs handling. We can't use more than 2 dsizes in the same sig 14 years ago
Anoop Saldanha c7b9d3fecb Remove broken dsize_sm in SigMatch used by dsize in detection engine 14 years ago
Anoop Saldanha d3ca65de03 support bdat smtp keyword - bug #347 14 years ago
Victor Julien 91957d70a8 Fix unittest compiler warning. 14 years ago
Victor Julien b5e17ec1d8 Rewrite SetupLogging to not leak the fd. Thanks to Steve Grubb for advice on this. 14 years ago
Eric Leblond ba9fb53461 threshold: fix handling of multiple threshold. 
This patch fixes the unittest and may fix the real work.
 14 years ago
Eric Leblond 142fe6e4b6 threshold: fix recently introduced function. 14 years ago
Victor Julien e0d7f64a14 Fix thresholding code suppressing an alert if no threshold/suppress rules needed to be checked. 14 years ago
Eric Leblond 86f9759427 threshold: fix thresholding on signature with multiple threshold. 
This patch uses the newly introduced SigGetThresholdTypeIter
function to try all threshold for a signature. This should fix
issue #366.
 14 years ago
Eric Leblond e5b638e5e8 threshold: introduce SigGetThresholdTypeIter function 
This patch introduces a function called SigGetThresholdTypeIter
which iterate on all Threshold for a given signature returning
the next DetectThresholdData.
 14 years ago
Victor Julien ab28a6253f Fix broken fix. Shame on me for committing without testing. 14 years ago
Victor Julien 8528333035 Fix broken tests. 14 years ago
Victor Julien 8186565240 Fix a number of potential issues found by CLANG and cppcheck. 14 years ago
Victor Julien 362c25ec8a Fix potential suppression parsing issue found by CLANG. 14 years ago
Victor Julien 0fd71c45c5 Improve asn1 keyword handling of a malformed asn1 state. 14 years ago
Victor Julien 9b437caaea Fix stream unittests. 14 years ago
Victor Julien b39acddf28 Add flow counters: memuse, pruning stats, emergency mode. Bug #348. 14 years ago
Victor Julien b8659daef7 Add stream engine counters 
Added stream counters:
- tcp.reassembly_memuse -- current memory use by reassembly in bytes
- tcp.memuse -- current memory use by stream tracking in bytes
- tcp.reused_ssn -- ssn reused by new session with identical tuple
- tcp.no_flow -- TCP packets with no flow - indicating flow engine memory at its limits
 14 years ago
Victor Julien 5395071c11 Make http logging code more robust against cases where the htp state is incomplete (out of memory conditions). 14 years ago
Eric Leblond 7bf1de022c Add AF_PACKET to capability system. 
This patch adds the necessary code to have AF_PACKET using
the same capability dropping mechanism as pcap. This should
fix #361.
 14 years ago
Victor Julien 7eb83314b4 Fix compiler warning and fix using GET_IPV4_DST_ADDR_PTR macro to access IPv6 header. 14 years ago
Eric Leblond 1df183ac38 http log: factorize logging function. 
With the introduction of the PrintInet function there was almost
no difference between IPv4 and IPv6 HTTP logging functions. This
patch adds a wrapper that factorizes the code.
 14 years ago
Eric Leblond 2a8ffe07ea http log: factorize extended logging 
Extended logging is not dependant on IP protocol version.
 14 years ago
Eric Leblond a5b1de4f0d http log: Add extended option 
This patch adds a extended option to log extended HTTP information
when activated.
 14 years ago
Chris Wakelin 8b81063fc2 http log: Add extended information 14 years ago
Eileen Donlon 1adf4b868c set layer4 protocol when no ipv6 extension headers 14 years ago
Eric Leblond 9549faae95 af-packet: add kernel statistics to exit stats. 
This patch should fix #325.
 14 years ago
Eric Leblond acf10525f6 doc: add decode group and related documentation. 14 years ago
Eric Leblond 6220134a48 doc: describe some features and structures. 14 years ago
Eric Leblond eefdbfb55b doc: add mainpage. 14 years ago
Eric Leblond 60a99915c1 doc: create http support group 
This patch create an httplayer group and adds related files to
it. It also fixes some typo in documentation string and format.
 14 years ago
Eric Leblond b5a3e737c9 doc: comment link between Flow and application layer. 14 years ago
Eric Leblond b055a21d63 doc: create doxygen group for state detection. 14 years ago
Eric Leblond 0468dbd575 doc: doxygenise some comments. 14 years ago
Eric Leblond a64eea9628 Fix minor error message. 14 years ago
Eric Leblond 92d74fd480 doc: Add missing params in func description. 14 years ago
Eric Leblond fdfa85de37 Add comment to describe file content. 
The name of the file is not really explicit. This patch adds doxygen
to have an easy to use description in the generated documentation.
 14 years ago
Eric Leblond 830ca7c2c8 source-nfq: suppress insecable space. 
This patch supresses an insecable space and fixes an
indentation.
 14 years ago
Eric Leblond 01beefc1c9 pfring: improve error handling 
Treat TmThreadsSlotProcessPkt return.
 14 years ago
Eric Leblond 0d7f25580d pcap: improve error handling. 
Treat TmThreadsSlotProcessPkt return.
 14 years ago
Eric Leblond c469824bed af-packet: improve error handling 
The return of TmThreadsSlotProcessPkt function was not handled.
 14 years ago
Victor Julien 9ac51900f6 Fix broken macro call. 14 years ago
Eric Leblond 4071d3cf57 PACKET_INITIALIZE is enough for packet init. 14 years ago
Eric Leblond d296223ffe cuda: Suppress sprintf usage. 14 years ago
Eric Leblond 6bf15bac31 Fix various packet access. 
The coccinelle based tests have detected invalid uses of access to
Packet data. This patch fixes the detected problems.
 14 years ago
Eric Leblond eef3e28b17 invalid use of strncat. 
sltrlcat must be used instead.
 14 years ago
Eric Leblond 2be09b0c86 Fix Defrag unit test. 
This patch fixes the unittest for IPV4 defrag. The direct usage
of the pkt pointer in the Packet structure is not allowed. This
is fixed by using PacketCopyData function.
This modification was requiring some other fixes, like using
memcmp to compare data instead of an iteration on pkt pointer.
 14 years ago
Eric Leblond 324986694a decode: improve and fix comments. 14 years ago
Eric Leblond 24f15fa321 Don't warn about non enable non existing output module 
This patch modifies output module loading to only trigger alert
message for non existing modules when they are loaded. It also
warn about unified1 removal.
 14 years ago
Eric Leblond 3944357058 Remove unified related enum. 
This patch removes the enum related to unified1 output.
 14 years ago
Eric Leblond 391d813c82 Remove unified1 output module. 14 years ago
Victor Julien 047fcd6ade Add missing case sensitive to insensitive conversions for http_header, http_raw_header, http_method, http_cookie and http_raw_uri with 'nocase' set. 14 years ago
Victor Julien bde55578d6 Override HTP IDS personality normalizing the query string to lowercase. Bug #362. 14 years ago
Victor Julien 7ef34b7bcc Exlcude DSIZE LT case from setting the 'need payload' mask bit as it can include 0, which means no payload. 14 years ago
Victor Julien 09b5dca343 Consider signatures with the flags keyword to be packet inspecting only, not stream. 14 years ago
Victor Julien 30d84ab20d Unlock flow in StreamTcpSegmentForEach if there is no TCP session. 14 years ago
Eric Leblond 9aeadd5696 prelude: suppress unused variable. 14 years ago
Eric Leblond db17f3de6c prelude: add stream segment dump 
This patch should fix #355.
 14 years ago
Eric Leblond 2073b9db0c debuglog: uses state selection system. 14 years ago
Eric Leblond 1596241687 debuglog: fix segment logging. 
StreamSegmentForEach returns the number of segments or < 0 in case
of error. This patch synchronizes debuglog output module with this
behaviour.
 14 years ago
Victor Julien 3644e90a2c Don't set higher transaction id's in HTTP sessions than we have. 14 years ago
Victor Julien 67cea09911 Handle failing thread modules that are called by the Pcap file callback. 14 years ago
Victor Julien bfff14aa78 Improve error detection in the port and address parsing in signatures. Bug #295. 14 years ago
Anoop Saldanha ba6bada155 change rev field in Signature to u32 and use strotoul to extract the value. Cleanup some dead code/comments 14 years ago
Anoop Saldanha ed3b44b3b5 fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords 14 years ago
Victor Julien 18da4a8b73 Add missing cuda header file causing 'make distcheck' to fail. 14 years ago
Victor Julien c0bc83458c Bump version to 1.1beta3. 14 years ago
Eric Leblond 89c38b0ced prelude: fix compilation 
PrintInet was used without inclusion of 'util-print.h'. This was
causing a compilation failure.
 14 years ago
Victor Julien 39edb23ac4 Support stream.inline mode in unified2 tcp segments logging. 14 years ago
Victor Julien 2e2e80b812 Add packet alert flag to indicate a match happened (partly) in the app layer state. Make unified2 use this flag. 14 years ago
Eric Leblond 128261cb97 unified2: Fix event_id computation 
This patch fixes event_id computation which was not incremented
for each alert.
 14 years ago
Eric Leblond b3023643ec unified2: fix multiple alerts case 14 years ago
Eric Leblond 7fd1e9cacc unified2: synchronize IPv4 and IPv6 code 
IPv6 code was missing some points.
 14 years ago
Eric Leblond 839b0d9bfe unified2: switch to event->packet->packet mode. 
Attach multiple packets to an event instead of using one
event data per packet. This is currrently unsupported by
reporting frontend but at least we don't have multiple
alerts.
 14 years ago
Eric Leblond 316f2d7289 unified2: segment callback log raw packet. 
As we don't have any trustable information about the ethernet
header, we can simply log RAW packet to avoid to confuse the
analyst.
 14 years ago
Eric Leblond a03a402b83 unified2: set datalink to correct value. 
The value of datalink could have been modified if the logging
of segment was attempted. This patch restore it to a correct value.
 14 years ago
Eric Leblond 50ddd2df43 Restore old barnyard2 support. 
Some old version of barnyard2 were needing a workaround in the
packet header building. THis patch introduces a enable-old-barnyard2
configure flag which can be used to restore this behaviour.
 14 years ago
Eric Leblond 2f24987f15 unified2: improve packet logging logic. 
This patch improves packet logging logic and fix some place
regarding alert generation (event_id, ethernet header).
 14 years ago
Eric Leblond 628bfcc1b9 stream: Change return of StreamSegmentForEach 
The function now returns the number of segment where the callback
has ben runned successfully.
 14 years ago
Victor Julien c672bdd863 Improve atomic operation support detection. Fixes #342. 14 years ago
Anoop Saldanha 0edf053f31 if app layer inspection is disabled, immediately set the eof flag 14 years ago
Anoop Saldanha fe11e02f58 fix inspect id update bug. This should prevent unnecessary FPs for pipelined requests 14 years ago
Anoop Saldanha 4e44073c79 http logging module should log all txs in the list and not just the last complete tx available on EOF 14 years ago
Anoop Saldanha c13ad8c28a Provide a function to set the app layer tx eof flag. Use this in FFR code instead of diretly setting the flag. This cleans up the API as well 14 years ago
Anoop Saldanha b406af451b updates to http tx id vars. FFR now flags the app layer session for EOF when creating a pseudo packet for a flow 14 years ago
Anoop Saldanha 67be07bf15 fix threading issue in debug log. locked mutex isn't freed before returning. fixed 14 years ago
Anoop Saldanha d23e775ae2 fix threading bug. Main thread's restart TV code waiting on a failed TV. Now main thread sets the de_init flag before waiting on the failed thread. Thanks to Eric Leblond for reporting it 14 years ago
Anoop Saldanha 737122663c IPProto now doesn't accept sigs, which has both < and >, with < value being less than > value. Update affected unittests to reflect the change 14 years ago
Anoop Saldanha dae099893b more unittests for ipproto with multiple nots + some fixes 14 years ago
Anoop Saldanha 9887084370 support multiple ipprotos in the same sig + unittest 14 years ago
Anoop Saldanha a781fb9884 rewrite all ipproto keyword tests 14 years ago
Anoop Saldanha 8033a262a7 cleanup ipproto code 14 years ago
Anoop Saldanha caf450d325 fix ipproto keyword negation case - bug #340 14 years ago
Eric Leblond 79c329f81b alert-unified2: logging of stream segments. 
This patch adds the logging of stream segments. Among other
modifications, it uses a wrapper to fwrite to permit to update
file statistics in an automated manner. Some memcpy have also
been avoided by using pointer to the data.
 14 years ago
Eric Leblond 2fa837bcec alert-debuglog: Add logging of stream segments. 
This patch introduces logging of the stream segments in case of
a signature match on application layer.
 14 years ago
Eric Leblond 4f0cdf28a3 Introduce StreamSegmentForEach function 
This patch introduces a function called StreamMsgForEach which
can be used to run a callback on all segments of a stream. This
is currently only supported for TCP as this is the only streaming
aware protocol.
 14 years ago
Anoop Saldanha d68775d47d introduce bitmasks instead of alproto_masks for use by the probing parser. Remove all alproto_masks we had previouslys for PP 14 years ago
Victor Julien f5ef842752 Implement a counter for TCP packets with invalid checksums: tcp.invalid_checksum. Bug #311. 14 years ago
Anoop Saldanha d3989e7cee probing parser updated to always accept u32 buflens. Update all probing parser functions to accomodate this change 14 years ago
Anoop Saldanha 80d80000bb fix probing parser flag usage during protocol detection 14 years ago
Anoop Saldanha 432c3317d2 app layer probing parser updates 14 years ago
Anoop Saldanha d68f182ebd introduce SCPerfSyncCounters/SCPerfSyncCounters macro to synchronize counters 14 years ago
Anoop Saldanha f7b1972263 update broken stats.log. Use pktacqloop funcs in pcap-file, pfring, pcap-live, af-pkt to sync counters - bug #343 14 years ago
Victor Julien a1f68bf411 Fix detection engine informational message misrepresenting decoder only signatures. 14 years ago
Eric Leblond abddbe1c91 unitest helper: Fix copy of packet data. 
The copy of packet data was causing a memory corruption causing
weird crash.
 14 years ago
Victor Julien 7beb5cdf58 Add util-optimize.h to suricata-common.h so all code can use it. 14 years ago
Eric Leblond db42981a3d Fix suricata start when no interface is given. 
When no interface was specified on command line, the workers and
single mode where not able to start due to the fact there was no
registered interfaces.
 14 years ago
Eric Leblond 9aabf94c9f Suppress useless parameter in function 
ConfigParser is called in the parent function and it is thus not
necessary to send it to the per device function.
 14 years ago
Eric Leblond 58d7cb20eb pcap-info: fix compilation warning. 14 years ago
Eric Leblond 27f1d88374 Add pcap-info alert format. 
This patch adds a new alert format called pcap-info. It aims at
providing an easy to parse one-line per-alert format containing
the packet id in the parsed pcap for each alert. This permit to
add information inside the pcap parser.

This format is made to be used with suriwire which is a plugin for
wireshark. Its target is to enable the display of suricata results
inside wireshark.

This format doesn't use append mode per default because a clean file
is needed to operate with wireshark.

The format is a list of values separated by ':':
  Packet number:GID of matching signature:SID of signature:REV of signature:Flow:To Server:To Client:0:0:Message of signature
The two zero are not yet used values. Candidate for usage is the
part of the packet that matched the signature.
 14 years ago
Eric Leblond 1d1e7667ae util-runmode: rename mod_threads_conf to ModThreadsCount. 14 years ago
Eric Leblond 625a1e070f runmode: suppress printf 
This patch replaces printf by called to SCLogErroc.
 14 years ago
Eric Leblond 2596d3bcdd runmode: treat SCStrdup error. 14 years ago
Eric Leblond beaa909eb8 Add "workers" runmode. 
Previous commits have considerabily empowered the "single" mode which
could contain multiple threads. This behaviour was not a target for
this runmode and the following patch remedies to the situation by
introducing the "workers" mode where each thread do all the tasks
from acquisition to logging. This runmode is currently implemented
for af-packet and pf-ring.
 14 years ago
Eric Leblond 788fa1e5a1 pfring: Fix typo in help. 14 years ago
Eric Leblond 730a86e6b8 pfring: fix warning 
When PF_RING is disable this function is unused and thus trigger a
warning at compilation.
 14 years ago
Eric Leblond 3f75b10f79 Suppress useless code. 
This code was making a warning for some time now. This patch kills
it.
 14 years ago
Eric Leblond 45d5c3ca59 runmode: introduce configuration dereferencing. 
A devide configuration can be used by multiple threads. It is thus
necessary to wait that all threads stop using the configuration before
freeing it. This patch introduces an atomic counter and a free function
which has to be called by each thread when it will not use anymore
the structure. If the configuration is not used anymore, it is freed
by the free function.
 14 years ago
Eric Leblond 3261b814db Make SC_ATOMIC_[SUB|ADD] return result value 
This patch modifies the SC_ATOMIC_[SUB|ADD] to have them return
the value of the result. This permit to write test based on return
of the macro.
 14 years ago
Eric Leblond d3d99ffa13 Fix coding style and use SC* function. 
This patch fixes the coding style and uses Suricata function instead
of plain lic version.
 14 years ago
Eric Leblond f998fda4dd pfring: factorize iface and parser initialisation. 14 years ago
Eric Leblond cc7b80437a pfring: should not call free 14 years ago
Eric Leblond 93cf2b1690 pfring: add single mode. 14 years ago
Eric Leblond 77869a2df8 single runmode: add support for multiple capture threads 14 years ago
Eric Leblond c75fffe92d Improve help message 
Usage of command line has evolved with the introduction of long option.
This patch updates the description of the related options.
 14 years ago
Eric Leblond dc075a74a2 pcap: add --pcap option 
This patch adds a --pcap option which can be used to select or
an interface if an argument is provided or the interfaces defined
in the configuration file.
 14 years ago
Eric Leblond b2c281920f af-packet: should not call free 14 years ago
Eric Leblond 1aab2470db af-packet: factorise single mode. 14 years ago
Eric Leblond 63d614162c pcap: should not call free 14 years ago
Eric Leblond 491686c33e pcap: factorise single mode. 14 years ago
Eric Leblond abe99ee5f6 runmode: add factorisation function for single mode. 14 years ago
Eric Leblond c3ba992652 pfring: restore precedence of command line options. 14 years ago
Eric Leblond b2598f97e7 pcap: restore backward compatibility 14 years ago
Eric Leblond 21663acd3b pcap: use good var name for live-interface 14 years ago
Eric Leblond d3d8beb337 pcap: factorize runmode 
This patch factorizes auto and autofp runmodes for pcap.
 14 years ago
Eric Leblond d9d8286671 pfring: restore compatibility with v1.0 config 
Compatibility of pfring module with previous version was broken. This
patch restores backward compatibility.
 14 years ago
Eric Leblond a64dcfeba2 pfring: use factorisation function 
This patch convert pfring to pktacqloop and use the new factorisation
function. This also fixes commmand line parsing of pfring which is now
able to work like af-packet:
 - 'suricata -c s.yaml --pfring' start suricata with all interfaces in
 conf
 - 'suricata -c s.yaml --pfring=eth2' start suricata on eth2
 14 years ago
Eric Leblond cbb36b5182 af-packet: remove unused function 14 years ago
Eric Leblond 75c875b1ac af-packet: use factorisation function for Auto mode. 14 years ago
Eric Leblond 8bf0897b3c Add factorisation function for runmode. 
This patch adds a function which will be used to factorise the
Auto runmode between the different IDS mode.
 14 years ago
Eric Leblond d4d62f3099 http-uri: Remove useless function declaration. 14 years ago
Victor Julien 3401defbbb tag: fixes and cleanups 
Major fixes for the tag subsystem:

- Removed TimeGet call from tag packet runtime to safe a gettimeofday
- Removed unused lock from data type
- Fixed broken first packet skip logic
- Fix broken reference counter logic
- Fix memory leak on tag expiration
- Cleaned up code
 14 years ago
Anoop Saldanha b7b58074de fix ac unittest 14 years ago
Anoop Saldanha d6f9e06bbb update ac to behave the same way irrespective of the state count. Should improve performance. Also fix unittests to accomodate these changes 14 years ago
Anoop Saldanha dcaef183e8 fix compiler warning for printf format 14 years ago
Victor Julien bc5c9f4a52 Fix too many SMTP commands causing an integer overflow in the cmds_cnt variable, in turn causing an out of bounds memory write. 14 years ago
Victor Julien 9baa16af63 Convert flow memcap to u64. Bug #332. 14 years ago
Victor Julien 8208eacd79 Convert stream memcaps to u64. Bug #332. 14 years ago
Victor Julien 4c641f0deb Fix compilation with profiling enabled. 14 years ago
Anoop Saldanha 3ec7b75194 fix timestamps for pseudo packets created during FFR - bug 337 14 years ago
Anoop Saldanha 9d94bb38d5 refactor flow timeout code. fix ipv6 address assignment for pseudo pkt. 14 years ago
Anoop Saldanha 246a4e9fff for shutdown reassembly properly init the reassembly packet using PACKET_RECYCLE 14 years ago
Victor Julien 1a5931e878 pcap-log: fall back to sguil_base_dir option if 'dir' isn't set. Minor cleanups. 14 years ago
William Metcalf 3b3f5816bf You spin me right round baby, right round like a rotating packet capture right round. Oh, also log file size counters are now uint64_t 14 years ago
Victor Julien 6bad2dbd79 Don't match on IP only rules that use ports if packet is not (proper) TCP, UDP or SCTP. Rules out frags matching as well. 14 years ago
Anoop Saldanha 63ed36a892 Replace all reallocs with SCReallocs 14 years ago
Anoop Saldanha 4307ea2348 Replace all frees with SCFrees 14 years ago
Anoop Saldanha 797b1a44c7 Replace all strdup with SCStrdup 14 years ago
Anoop Saldanha 13ea299ee0 Replace all mallocs with SCMallocs 14 years ago
Eric Leblond de59c9f4b1 Add and use utility functions for checksum computing. 14 years ago
Eric Leblond a85dc9b0e2 Add support for replace keyword. 
This patch adds support for the replace keyword. It is used with
content to change selected part of the payload. The major point
with this patch is that having a replace keyword made necessary
to avoid all stream level check because we need to access to the
could-be-modified packet payload.

One of the main difficulty is to handle complex signature. If there is
other content check, we must do the substitution when we're sure all
match are valid. The patch adds an attribute to the thread context
variable to be able to deal with recursivity of the match function.

Replace is only activated in IPS mode and apply only to raw match.
 14 years ago
Eric Leblond 0c34a1c5e7 rewrite constants and add flag for replace 
This patch make use of bit shift to rewrite some of the mask constants.

It also delete an unused flag value and suppress the associated dead code.
The numeric value of the flag is now used by the flag needed for replace
code.
 14 years ago
Victor Julien 77b7089f79 Fix stream-events not working. Stream events won't fit our 'detection only' schema. Fixes #321. 14 years ago
pilcrow f5017e0d1a Always try PCRE_NO_AUTO_CAPTURE first for signature regexes. 
Many, many pcre: signatures specify (...) when the more efficient
(?:...) is all that is needed.  This change attempts to force
PCRE_NO_AUTO_CAPTURE on all unnamed capture groups, reverting to
capturing when necessary, e.g., when \1 is referenced.
 14 years ago
Victor Julien 60887131be Fix minor address parsing compiler warning. 14 years ago
Anoop Saldanha 8028392e9a fix mpm segv. Use sgh flags to check if the sgh has packet or stream mpm set or not 14 years ago
Anoop Saldanha 41d71a6d70 fix http http transaction id update. Update transactions as soon as we receive a callback on new request 14 years ago
pilcrow ed69eeab14 Safer macro parenthesization and do/while use 14 years ago
Eric Leblond bbd04fde30 NFQ: fix race condition at exit. 
A race condition was observed when leaving NFQ. This was caused by
the queue handle being accessed after been nullified. This patch
uses the handle mutex to protect the destruction and adds tests
on nullity to avoid crashed.
 14 years ago
Victor Julien 1ab6443e44 Fix compilation when profiling is enabled. 14 years ago
Anoop Saldanha b6ba944e6d Rearrange flow manager functions into flow-manager.[ch]. Some other minor changes/updates 14 years ago
Anoop Saldanha 7c729d2d53 some more code cleanup + comments added 14 years ago
Anoop Saldanha d14fdb1156 Remove the unnecessary unittest runmode check to get the test working. Modify tests to get it working around this 14 years ago
Anoop Saldanha 16884a0dea refix failing unittest 14 years ago
Anoop Saldanha 552e72e35e fix failing unittest 14 years ago
Anoop Saldanha 0957c0f8a4 shutdown timeout reassembly shouldn't check timeout flag set or not on flow 14 years ago
Anoop Saldanha 3f1c4efceb Add new flags var to tm module. TMs can now set flags to identify special properties. Also use these to identify receive TMs 14 years ago
Anoop Saldanha 54f6e4ff4d Merge thread kill functions. Merge slot's tm_id with the one used by packet profiling. Remove some junk unused code from ms sync pts. Timeout setup cleanup as well. packet q dbg_maxlen now u32 var. 14 years ago
Anoop Saldanha e335bdbfbc Code cleanup. All code to kill flow manager thread under one function now. 14 years ago
Anoop Saldanha 99a496e852 Indentation fixes 14 years ago
Anoop Saldanha e68ca2f32f Rewrite forced reassembly v2 using while loop instead of goto 14 years ago
Anoop Saldanha 6cc179fad8 flow mgr code doesn't have to bother on immediately exiting on seeing a suricata_ctl flag set 14 years ago
Anoop Saldanha b09c9751aa Now flow hash section can force reassemble flows as well 14 years ago
Anoop Saldanha 42493ee6b7 rename pseudo packet creation function. Shift the check for forced reassembly necessity on a session/direction to an inline function in the stream api 14 years ago
Anoop Saldanha 6c95526423 Introduce a new wrapper macro that wait loops till the flag(s) in question have been set 14 years ago
Anoop Saldanha a7acf9ea8f Remove all code introduced earlier concerned with ms sync points 14 years ago
Anoop Saldanha b0a588beeb Introduce another solution to solve stream timeout shutdown issue using thread flags. No more MSSyncPts 14 years ago
Anoop Saldanha aef957c6eb cleanup flow code and pseudo packet creation function 14 years ago
Anoop Saldanha f2bcf9ea2c modify post_pq packet handling. 
- Lock the q just once, once we have detected the presence of packet(s)
  in the queue.  Unlock it when we consume all packets from the q.
 14 years ago
Anoop Saldanha b4887943fb packet queue len member is now 32 bit unsigned from the previous 16 bit unsigned. Should take care of the overflow for now 14 years ago
Anoop Saldanha 9256c7bf0a always keep queue locked till we exit flowprune. Should prevent potential threading issues 14 years ago
Anoop Saldanha d4ba869a35 fix - we need to set direction flags for reassembly pseudo packet. Also reset local flags for every flow that is force reassembled in ForQ 14 years ago
Anoop Saldanha 4ef3679b13 Remove the macro for pktacqloop which is now replaced by an inline function 14 years ago
Anoop Saldanha edebdee1e5 update flow pruning - v6 14 years ago
Anoop Saldanha 99207c718d Avoid possiblity of potential engine idling from consumption of all packetpool packets - v1 
- Now forced reassembly uses only malloced packets.
 14 years ago
Anoop Saldanha 7d3e501f57 shutdown stream reassembly now avoids looking at flows that have already been processed by flow mgr reassembly 14 years ago
Anoop Saldanha a559bfc165 signal the post pq if possible, whenever pseudo packets are injected into engine flow. Also carry out post pq processing irrespective of packet retrieval from the flow. 14 years ago
Anoop Saldanha fd9bacb02d fix usage of htons to htonl in creation of pseudo packet 14 years ago
Anoop Saldanha 56fba8e275 move flow incr cnt while we actually create the pseudo packet in forced reassembly 14 years ago
Anoop Saldanha 51d2b64902 update flow pruning - v5 14 years ago
Anoop Saldanha c30dbff63d update flow pruning - v4 14 years ago
Anoop Saldanha 3b0142fa46 update flow pruning - v3 14 years ago
Anoop Saldanha 6dcb68abb0 update flow pruning - v2 14 years ago
Anoop Saldanha f197b32a55 update flow pruning - v1 14 years ago
Anoop Saldanha 272c2433ec Cleanup flow.c before further changes 14 years ago
Anoop Saldanha 8363533a02 support for forced stream reassembly for to be pruned flows 14 years ago
Anoop Saldanha 727a950e39 Move time elapsed right after we finish all packet processing 14 years ago
Anoop Saldanha 762ac0fe31 update conditional in shutdown forced reassembly to check for flows that required flow reassemly 14 years ago
Anoop Saldanha 15359dc47e Slot structure now holds the TV it belongs to 14 years ago
Anoop Saldanha 9552e6f696 Shutdown flow timeout reassembly now supports ipv6 14 years ago
Anoop Saldanha 54f8d56f48 Packet inspection keywords modified to not inspect pseudo packet 14 years ago
Anoop Saldanha c365bafbf6 We now inspect timed out streams + streams not processed as yet, at engine shutdown 14 years ago
Anoop Saldanha 56432cee16 Single thread kill also checks if inq is cleared before shutting down 14 years ago
Anoop Saldanha 8fa923c5ac - All threads also check to see if their inq is cleared before they shutdown. 14 years ago
Anoop Saldanha a844eecb0e - Updated all runmodes to use synchronization points, right before each thread(slot function) tries to de-init the thread. - Main thread now first disables receive thread(s) before it kills receive and rest of the threads. 14 years ago
Anoop Saldanha e567c2d002 Introduce master-slave synchronization support for ThreadVars 14 years ago
Anoop Saldanha 94c5ecb069 introduce inline function version of TmThreadsSlotProcessPkt macro. Retain the macro as well 14 years ago
Anoop Saldanha fd6faac196 update TmThreadsSlotProcessPkt with better error handling + post pq processing 14 years ago
Anoop Saldanha 3fb65f5ec2 fix local var usage for slot in tm-threads.c 14 years ago
Anoop Saldanha acbcee69ff support post pq packet processing in var slot 14 years ago
Victor Julien cc4e89fbe1 Profiling: convert all packet profile counters/variables to u64. Improve output for larger numbers. 14 years ago
Eileen Donlon e8c51e09e8 fixed bug 291 corrected reference to reference-config-file 14 years ago
Eileen Donlon 89599d3b9b fixed bug 288; corrected config boolean parsing problems 14 years ago
Eric Leblond de1d002ea6 Return OK when leaving cleanly. 14 years ago
Eric Leblond 2631e5f14f pcap: get rid of old API. 14 years ago
Eric Leblond 6f975d3248 pcap: add "autofp" runmode 
This patch adds "autofp" runmode. This runmode supports multiple
devices and uses the new CPU affinity system.
 14 years ago
Eric Leblond effa295489 pcap: add "single" runmode 
This patch adds support for the "single" mode to the pcap live
mode.
 14 years ago
Victor Julien e13181496c ip-only: added support for matching on ports. 14 years ago
Victor Julien 3d396e8b1e Update PCRE JIT code to support official JIT implementation in pcre-8.20-RC1. 14 years ago
Victor Julien 751a77a9be Make sure stream/engine-event signatures are recognized as such. 14 years ago
Victor Julien c590bba4a4 Undo tunnel reference counting using atomic operations. Revert to mutex based code. 14 years ago
Victor Julien 63f834d9a7 Add profiling to various HTTP buffer MPM calls. 14 years ago
Victor Julien 2675879ff1 Engine and stream events only rules can are deonly compat as well. 14 years ago
Eric Leblond bd7ac3eaa6 PrintInet: fix compilation on FreeBSD 14 years ago
Anoop Saldanha 3801e00426 fix compliation warnings from runmode-af-packet.c 14 years ago
Victor Julien baddfcaa1a Extend packet profiling to other thread 'slot' functions. 14 years ago
Victor Julien 3693a7a9ee Profiling: add accounting for several detection phases. 14 years ago
Victor Julien e8e392fb1f Profiling: add per packet accounting of how much ticks are spend in protocol detection. 14 years ago
Eric Leblond 7425bf5ca6 Rename some decode event structure and macro. 
This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some
other structures to ENGINE equivalent to take into account the fact
the event list is now related to all engines and not only to decoder.
 14 years ago
Eric Leblond de65b11c42 decode signature optimisation requires different treatment 
Decode signature are using the fact that no proto is set on packet
to increase the matching speed. This is not the case of stream and
other engine events. Thus a difference needs to be made.
 14 years ago
Eric Leblond 3f153fb0da Add 'stream-event' keyword. 
This patch adds an alias to the 'engine-event' keyword. It is now
possible to access to the stream events via the 'stream-event'
keyword. A simple transformation is done:
    stream-event:reassembly_segment_before_base_seq
is a shortcut for:
    engine-event:stream.reassembly_segment_before_base_seq
 14 years ago
Eric Leblond eb0d4e4d8b Add stream events support to 'engine-event' keyword 
This patch adds the list of stream events (with associated
keywords) to the list of events that can be treated by 'engine-event'.
 14 years ago
Eric Leblond e3a6d8955e Introduce engine-event keyword 
This patch renames the 'decode-event' keyword to 'engine-event' and
keep it for backword compatibility of rulesets. All *DecodeEvent*
references in the code are replaced by EngineEvent version.
 14 years ago
Eric Leblond 2ac8755382 Rename detect-decode-event to detect-engine-event 
This patch does a simple renaming of detect-decode-event file to
the more global detect-engine-event name.
 14 years ago
Victor Julien 21f387d2c7 profiling: fix stream ticks miscalculation on stream end pseudo packets. 14 years ago
Eric Leblond ff6365dd33 af-packet: switch to pcktacqloop API. 
This patch gets rid of the old API and brings some optimisation
by reordering structure and optimisinf an error test.
 14 years ago
Eric Leblond 834c91eece af-packet: add AFP to per packet performance system. 14 years ago
Eric Leblond fb4be6199f af-packet: change option name 
This patch changes the option name. af-packet long option is
now used instead of -a to mimic pfring behaviour.

This patch improves the standard parsing of the command line.
Running
 suricata -c suricata.yaml --af-packet
will start a suricata running in AF_PACKET mode listening on all
interfaces defined in the suricata.yaml configuration file. The
traditionnal syntax:
 suricata -c suricata.yaml --af-packet=ppp0
will start a suricata listening on ppp0 only.
 14 years ago
Eric Leblond e253da092c device: Add function to build interface list from config 
This patch adds a new function which build the list of interfaces to
use by parsing the configuration file. This is using the new format
and thus only af-packet can benefit of this feature.
 14 years ago
Eric Leblond df7dbe36b6 af-packet: Add option to disable promiscuous mode 
This patch adds an option to suricata.yaml to be able to disable
the switch of the interface into promiscuous mode.
 14 years ago
Eric Leblond fbca1a4e6b af-packet: multi interface support 
This patch adds multi interface support to AF_PACKET. A structure
is used at thread creation to give all needed information to the
input module. Parsing of the options is done in runmode preparation
through a dedicated function which return the configuration in a
structure usable by thread creation.
 14 years ago
Eric Leblond dc667af1a1 conf: Introduce new function to input configuration. 
The input modules are needing a per interface configuration. This
implies some new operations to be able to parse easily te configuration.

The syntax of the configuration file is for example:
af-packet:
  - interface: eth0
    threads: 2
  - interface: eth1
    threads: 3
We need a way to express get a configuration variable for interface[eth0].
This is by using ConfNodeLookupKeyValue() to get the matching node. And
after that value can be fetch by using ConfGetChildValue*() functions.
 14 years ago
Eric Leblond e80b30c082 af-packet: finalize code 
This patch handles the end of AF_PACKET socket support work. It
provides conditional compilation, autofp and single runmode.

It also adds a 'defrag' option which is used to activate defrag
support in kernel to avoid rx_hash computation in flow mode to fail
due to fragmentation.

This patch contains some fixes by Anoop Saldanha, and incorporate
change following review by Anoop Saldanha and Victor Julien.

AF_PACKET support is only build if the --enable-af-packet flag is
given to the configure command line. Detection of code availability
is also done: a check of the existence of AF_PACKET in standard
header is done. It seems this variable is Linux specific and it
should be enough to avoid compilation of AF_PACKET support on other
OSes.
Compilation does not depend on up-to-date headers on the system. If
none are present, wemake our own declaration of FANOUT variables. This
will permit compilation of the feature for system where only the kernel
has been updated to a version superior to 3.1.
 14 years ago
Eric Leblond 871b21892a factorize pcap live device function 
They are not specific to pcap and could thus be used in other module.
 14 years ago
Eric Leblond c45d898572 af-packet: basic support for AF_PACKET socket 
This patch provides basic support for AF_PACKET socket. It is
completed by a subsequent patches prodiding extended features
and bugfixes.
 14 years ago
Anoop Saldanha 58b595cc21 fastlog print updates for ipv6. combine the io write 14 years ago
Anoop Saldanha e8f9557664 fastlog print updates. combine the io write 14 years ago
Victor Julien fca541f40e Add per app layer parser profiling 
Per packet per app layer parser profiling. Example summary output:

Per App layer parser stats:

App Layer              IP ver   Proto   cnt        min      max          avg
--------------------   ------   -----   ------     ------   ----------   -------
ALPROTO_HTTP            IPv4       6    163394        126     38560320     42814
ALPROTO_FTP             IPv4       6       644        117        26100      2566
ALPROTO_TLS             IPv4       6       670        117         7137       799
ALPROTO_SMB             IPv4       6    114794        126       225270       957
ALPROTO_DCERPC          IPv4       6      5207        126        25596      1266

Also added to the csv out.

In the csv out there is a new column "stream (no app)" that removes the
app layer parsers from the stream tracking. So raw stream engine performance
becomes visible.
 14 years ago
Victor Julien 0cc9f39200 Move TlsConfig structure out of app-layer-protos.h and rename it to SslConfig. 14 years ago
Victor Julien 820b0ded82 Add per packet profiling. 
Per packet profiling uses tick based accounting. It has 2 outputs, a summary
and a csv file that contains per packet stats.

Stats per packet include:
 1) total ticks spent
 2) ticks spent per individual thread module
 3) "threading overhead" which is simply calculated by subtracting (2) of (1).

A number of changes were made to integrate the new code in a clean way:
a number of generic enums are now placed in tm-threads-common.h so we can
include them from any part of the engine.

Code depends on --enable-profiling just like the rule profiling code.

New yaml parameters:

profiling:
  # packet profiling
  packets:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: packet_stats.log
    append: yes

    # per packet csv output
    csv:

      # Output can be disabled here, but it will still have a
      # performance impact if compiled in.
      enabled: no
      filename: packet_stats.csv

Example output of summary stats:

IP ver   Proto   cnt        min      max          avg
------   -----   ------     ------   ----------   -------
 IPv4       6     19436      11448      5404365     32993
 IPv4     256         4      11511        49968     30575

Per Thread module stats:

Thread Module              IP ver   Proto   cnt        min      max          avg
------------------------   ------   -----   ------     ------   ----------   -------
TMM_DECODEPCAPFILE          IPv4       6     19434       1242        47889      1770
TMM_DETECT                  IPv4       6     19436       1107       137241      1504
TMM_ALERTFASTLOG            IPv4       6     19436         90         1323       155
TMM_ALERTUNIFIED2ALERT      IPv4       6     19436        108         1359       138
TMM_ALERTDEBUGLOG           IPv4       6     19436         90         1134       154
TMM_LOGHTTPLOG              IPv4       6     19436        414      5392089      7944
TMM_STREAMTCP               IPv4       6     19434        828      1299159     19438

The proto 256 is a counter for handling of pseudo/tunnel packets.

Example output of csv:

pcap_cnt,ipver,ipproto,total,TMM_DECODENFQ,TMM_VERDICTNFQ,TMM_RECEIVENFQ,TMM_RECEIVEPCAP,TMM_RECEIVEPCAPFILE,TMM_DECODEPCAP,TMM_DECODEPCAPFILE,TMM_RECEIVEPFRING,TMM_DECODEPFRING,TMM_DETECT,TMM_ALERTFASTLOG,TMM_ALERTFASTLOG4,TMM_ALERTFASTLOG6,TMM_ALERTUNIFIEDLOG,TMM_ALERTUNIFIEDALERT,TMM_ALERTUNIFIED2ALERT,TMM_ALERTPRELUDE,TMM_ALERTDEBUGLOG,TMM_ALERTSYSLOG,TMM_LOGDROPLOG,TMM_ALERTSYSLOG4,TMM_ALERTSYSLOG6,TMM_RESPONDREJECT,TMM_LOGHTTPLOG,TMM_LOGHTTPLOG4,TMM_LOGHTTPLOG6,TMM_PCAPLOG,TMM_STREAMTCP,TMM_DECODEIPFW,TMM_VERDICTIPFW,TMM_RECEIVEIPFW,TMM_RECEIVEERFFILE,TMM_DECODEERFFILE,TMM_RECEIVEERFDAG,TMM_DECODEERFDAG,threading
1,4,6,172008,0,0,0,0,0,0,47889,0,0,48582,1323,0,0,0,0,1359,0,1134,0,0,0,0,0,8028,0,0,0,49356,0,0,0,0,0,0,0,14337

First line of the file contains labels.

2 example gnuplot scripts added to plot the data.
 14 years ago
Victor Julien 1bd1a62526 Rename profile macro's and variables to reflect that they are for rule profiling. 14 years ago
Eric Leblond 88559901d4 pcap-file: Allocated packet must be free if there's error 14 years ago