suricata

Commit Graph

Author	SHA1	Message	Date
Victor Julien	3521c37d4a	http: use body limit in inspection When inspecting HTTP bodies there are several limits involved. In this patch the reaching of the body limit will trigger body inspection. Without this, the body would only be inspected when inspection limits "request-body-minimal-inspect-size" or "response-body-minimal-inspect-size" were reached. If the body limit was smaller than this value, the body would only be inspected at the end of the tx or stream.	12 years ago
Anoop Saldanha	54847e396f	unittests for gzip, deflate http compression, multiple stacked compressions, cunning compression that's not what it says it is, etc. These unittests are tweaked to pass. When libhtp fixes these issues we will have to reenable them.	12 years ago
Anoop Saldanha	94e2527606	Introduce a saner way to validate the completion of request and response bodies. Also don't change app state for http from inside inspection.	12 years ago
Eric Leblond	cd3e32ce19	unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.	12 years ago
Anoop Saldanha	48cf0585fb	Suricata upgrade to libhtp 0.5.x. Remove the support for now unsupported personalities from libhtp - TOMCAT_6_0, APACHE and APACHE_2_2. We instead use the APACHE_2 personality.	12 years ago
Victor Julien	56c6dd9bb2	bytetest: add unittest showing missed detection Tests recursive and relative negative byte_test matching.	12 years ago
Anoop Saldanha	ab4b15c2e7	fix for #788 . Now depth is kept in mind when we inspect chunks in client/server body. This takes care of FPs originating from inspecting subsequent chunks that match with depth, but shouldn't.	12 years ago
Anoop Saldanha	d4d18e3136	Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.	12 years ago
Victor Julien	3156407746	http: fix client and server body sometimes being inspected in wrong order	13 years ago
Anoop Saldanha	2ab62920aa	fix segv in hcbd and hsbd buffering. Increase bufffers_list_len, only we open up a space for a new tx.	13 years ago
Victor Julien	2763a61213	http: allow configuration of request and response body inspection limits. Issue #560 .	13 years ago
Anoop Saldanha	b99f9fe890	New app inspection engine introduced. Moved existing inspecting engines to use it.	13 years ago
Anoop Saldanha	7b4eac3e8d	Change all inspect callbacks to accept TV and a tx_id param.	13 years ago
Anoop Saldanha	10a6e6a3eb	Engine cleanup. Remove all old engine inspection and mpm functions.	13 years ago
Anoop Saldanha	b0e20a486c	update client/server/http_header to use a different form of buffering/buffer_retrieval. Now it happens per tx, based on tx id. Also notice a perf improvement with this.	13 years ago
Anoop Saldanha	4e3b206f7b	fix http server/client body handling. Update body status based on tx state.	13 years ago
Victor Julien	43c7fd7585	file inspection: improve logging when stream.depth limit is reached. #493 .	13 years ago
Victor Julien	59ec493f7c	http body inspection: force body inspection on stream eof.	13 years ago
Victor Julien	108da566bc	http: make client and server body inspection more robust in cases where realloc fails	13 years ago
Victor Julien	d378b76c04	http: body inspection improvement Improve http_client_body and file_data performance when request and response body limits are set to high values.	13 years ago
Victor Julien	19a7e7f395	flow: create a flow lock macro API, implement it for mutex and rwlocks. Mutex remains the default.	14 years ago
Anoop Saldanha	603d4a719a	remove det_ctx->payload_offset and use det_ctx->buffer_offset. Update hscd and hsmd to use the new generic content inspection engine	14 years ago
Anoop Saldanha	d1d5507679	remove all old content inspection engines and references to them. We have cleaned the entire content inspection phase and improved alert accuracy	14 years ago
Anoop Saldanha	35f1f7e8d9	unify payload detection engines + fix other bugs in pcre init	14 years ago
Anoop Saldanha	09313cf9bd	Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S	14 years ago
Anoop Saldanha	419cdc8558	support splitting mpm ctxs based on direction v2	14 years ago
Victor Julien	416b463c51	file-data: add more unittests	14 years ago
Victor Julien	07e560b137	file-data: initial file_data support Support file_data for: content, pcre (relative), byte_test, byte_jump, byte_extract, isdataat. File_data support is handled at signature parsing time, all matches occurring after the file_data in the rule are converted to http_server_body matches. Content matches relative to the file_data are converted. Within to depth, distance to offset. Relative to the start of the body buffer.	14 years ago
Anoop Saldanha	420befb180	Changed my email address to anoopsaldanha at gmail dot com from my current one	14 years ago
Victor Julien	89f83e714c	Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.	14 years ago

30 Commits (2913a4a86084441a2e9504bcd32a373f15aa65a9)