Implement common code to easily add more per HTTP header detection
keywords.
Implement http_accept sticky buffer. It operates on the HTTP Accept
header.
We assume session resumption has occurred if the Client Hello message
included a session id, we have not seen the server certificate, but
we have seen a Change Cipher Spec message from the server.
Previously, these transactions were not logged at all because the
server cert was never seen.
Ticket: https://redmine.openinfosecfoundation.org/issues/1969
eve: detects libevent for async redis at configure
eve: moves redis output code to new file - util-log-redis.{c,h}
eve: redis ECHO and QUIT commands for async mode
eve: redis output defaults if conf is missing
If running against a pcap there is no reason to drop events,
a blocking socket is fine here. So only do non-blocking writes
when running off a live device.
Writing to a unix socket can cause Suricata to block in the
packet path. This could happen if the read-endpoint of the
unix socket stays connected, but stops reading, or simply
can't read fast enough as part of its event processing.
To choose packets over events, do non-blocking socket
writes and drop the event if the write would block and
update a dropped counter.
Recursively create new log directories when needed. This makes it
possible to use date modifiers in the file path to create
directories based on date, e.g.:
/var/log/suricata/2017/02/14/
Rotate log file based on time. Support both rotating based on a timer (XXs,
XXm, XXd, XXw) and rotating based on a absolute time, like each minute,
hour or day.
If a subsequent fragment has a lower offset than a previous
one and overlaps, trim off the beginning of the previous
fragment.
Based on an issue reported privately.
Migrate to the new Travis container build system. This build system does
not allow use of sudo, so required packages must be done declaratively
which required reworking how we install packages that are conditional
based on the build being done.
Mac builds are still done with sudo=true.
UnixManagerThreadInit needs to return a failure code if the socket
fails to initialize to avoid entering the UnixManager loop which
will continuously fail on the call to bind, as no listening
socket was setup.
This can occur when the socket fails to initialize due to a
permissions error and fatal init errors is not on.
app-layer-modbus.c:1226:39: warning: taking address of packed member 'transactionId' of class or structure 'ModbusHeader_' may result in an unaligned pointer value [-Waddress-of-packed-member]
if (ModbusExtractUint16(modbus, &(header->transactionId), input, input_len, &offset) ||
^~~~~~~~~~~~~~~~~~~~~
app-layer-modbus.c:1228:39: warning: taking address of packed member 'protocolId' of class or structure 'ModbusHeader_' may result in an unaligned pointer value [-Waddress-of-packed-member]
ModbusExtractUint16(modbus, &(header->protocolId), input, input_len, &offset) ||
^~~~~~~~~~~~~~~~~~
app-layer-modbus.c:1230:39: warning: taking address of packed member 'length' of class or structure 'ModbusHeader_' may result in an unaligned pointer value [-Waddress-of-packed-member]
ModbusExtractUint16(modbus, &(header->length), input, input_len, &offset) ||
^~~~~~~~~~~~~~
3 warnings generated.
Bug #2088
clang-4.0 reported:
util-pool.c:242:13: warning: logical not is only applied to the left hand side of this bitwise operator [-Wlogical-not-parentheses]
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^ ~
util-pool.c:242:13: note: add parentheses after the '!' to evaluate the bitwise operator first
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^
( )
util-pool.c:242:13: note: add parentheses around left hand side expression to silence this warning
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^
( )
util-pool.c:261:13: warning: logical not is only applied to the left hand side of this bitwise operator [-Wlogical-not-parentheses]
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^ ~
util-pool.c:261:13: note: add parentheses after the '!' to evaluate the bitwise operator first
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^
( )
util-pool.c:261:13: note: add parentheses around left hand side expression to silence this warning
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^
( )
2 warnings generated.
In some cases, observed with inspect limits 0, the body tracking could
get confused. When all chunks were already freed, a new chunk would
be considered to be the start of the body. This would overwrite the
bodies 'content_len_so_far' tracker, instead of adding to it. This in
turn could lead to a assertion abort in the inspection code.
This patch redoes the append code to always add the current lenght. It
cleans up the code to remove redundant logic.
Issue: https://redmine.openinfosecfoundation.org/issues/2078
Reported-By: Jørgen Bøhnsdalen
"p" was being used in the macro but was not an argument to
the macro, but it worked due to the context of the macro.
Use the actual macro argument, d2, instead of p.
Results in no change to generated code.
Add SCFlowTimestamps() to return startts and lastts as seconds and
microseconds from flow.
Examples:
startts, lastts = SCFlowTimestamps()
startts_s, lastts_s, startts_us, lastts_us = SCFlowTimestamps()
Victor Julien
Ray Ruvinskiy
fooinha
psanders240
Jason Ish
Mats Klepsland