aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
6,489 Commits
7 Branches
161 Tags
206 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2ce03fbabb'
${ noResults }
Commit Graph

6489 Commits (2ce03fbabb3468c72cf7d4c27fa64f557c97d10c)
 

Author SHA1 Message Date
Victor Julien 2ce03fbabb detect: split non-mpm list into syn/nosyn 
Since SYN inspecting rules are expensive, this patch splits the
'non-mpm' list (i.e. the rules that are always considered) into
a 'syn' and 'non-syn' list. The SYN list is only inspected if the
packet has the SYN flag set, otherwise the non-syn list is used.

The syn-list contains _all_ rules. The non-syn list contains all
minus the rules requiring the SYN bit in a packet.
 9 years ago
Victor Julien e48d745ed7 mpm: constify search func args 9 years ago
Victor Julien 26517b8b61 detect: mpm store frees mpm_ctx' it owns 9 years ago
Victor Julien 102a82fc7b detect: use mpm store for app layer mpms 
Rework app-layer mpm setup and registration to make this possible.
 9 years ago
Victor Julien fac2cc0560 detect: mpm deduplication 
Create hash for mpm's that we can reuse. Have packet/stream mpms
use this.
 9 years ago
Victor Julien f0ba00e51d detect: remove old unused code 9 years ago
Victor Julien 10b049304f detect: set new defaults for grouping 9 years ago
Victor Julien 2ee9bf2aef detect: rename groupings vars 9 years ago
Victor Julien 1f70ccfc23 detect: remove unused grouping settings 9 years ago
Victor Julien ae80ed5964 detect: make port grouping use config limits 9 years ago
Victor Julien df529b13ce detect: change port grouping 
Update port grouping logic. Previously it would create one consistent
list w/o overlap. It largely still does this, except for the 'catch
all' port group at the end of the list. This port group contains all
the sigs that didn't fit into the other groups.
 9 years ago
Victor Julien a392812302 detect: sort/group port sigs 9 years ago
Victor Julien e570b10abe detect: display unique sgh count 9 years ago
Victor Julien eda9552e95 detect: group proto sghs 9 years ago
Victor Julien d82df4eb8b detect-mpm: make sgh setup proto aware 
Allow multi-proto, multi-direction sgh's.
 9 years ago
Victor Julien 4223ce9aba detect: remove obsolete grouping code 9 years ago
Victor Julien 9ae4cb9e02 detect: debug output 9 years ago
Victor Julien fd5a06017d detect: per port and proto rule grouping 
Replace tree based approach for rule grouping with a per port (tcp/udp)
and per protocol approach.

Grouping now looks like:

               +----+
               |icmp+--->
               +----+
               |gre +--->
               +----+
               |esp +--->
               +----+
          other|... |
        +----->-----+
        |      |N   +--->
        |      +----+
        |
        | tcp  +----+   +----+
        +----->+ 80 +-->+ 139+-->
        |      +----+   +----+
        |
        | udp  +----+   +----+
    +---+----->+ 53 +-->+ 135+-->
    |          +----+   +----+
    |toserver
+--->
    |toclient
    |
    +--->

So the first 'split' in the rules is the direction: toserver or toclient.
Rules that don't have a direction, are in both branches.

Then the split is between tcp/udp and the other protocols. For tcp and
udp port lists are used. For the other protocols, grouping is simply per
protocol.

The ports used are the destination ports for toserver sigs and source
ports for toclient sigs.
 9 years ago
Victor Julien 27e63a1e11 detect: track direction and ipproto of sgh 
Each SGH has a unique ipproto and direction.
 9 years ago
Victor Julien e75a93b125 detect: pass ipproto to rule grouping funcs 9 years ago
Victor Julien c71c991669 detect: delay sgh cleanup 9 years ago
Victor Julien bb662a65f8 detect: delay sgh mpm setup 9 years ago
Victor Julien 18dd54dfa7 Start rule inspect with mask check 9 years ago
Victor Julien bfe49b60f7 rule analyzer: add no/both direction warning 9 years ago
Victor Julien b7d81fc3b0 detect: SYN flags 
Add funcs to see if a rule needs a SYN flag in the packet.
 9 years ago
Victor Julien f720dfd21e detect: validate http_method pattern 
Leading and trailing spaces and tabs are invalid as these are not part
of the buffer as returned by libhtp.
 9 years ago
Victor Julien 66b3dba676 detect: remove dead code 9 years ago
Victor Julien b3dcdb10be detect mpm: remove dead code 9 years ago
Victor Julien 14d9ce7b2e detect/mpm: remove unused max_id param from API 9 years ago
Victor Julien 0d3f671b55 detect: constify mpm/detect funcs 9 years ago
Victor Julien 4f8e1f59a6 mpm: remove obsolete mpm algos 
Remove: ac-gfbs, wumanber, b2g, b3g.
 9 years ago
Victor Julien 262abbb49f mpm: fix ac-ks compilation on cygwin 9 years ago
Victor Julien 58e533858b detect mpm: ac-tile/ac-ks default to single 
Use sgh-mpm-context single is it is set to 'auto' when ac-ks is used.
 9 years ago
Victor Julien 0987fd16dc ac-ks: 32bit fixes 9 years ago
Victor Julien 9c2e374a3d ac-ks: fix mem leaks 9 years ago
Victor Julien 887ddf1ed8 mpm: introduce ac-ks 
Introduce 'ac-ks' or the Kenneth Steele AC implementation. It's
actually 'ac-tile' written by Ken for the Tilera platform. This
patch adds support for it on other architectures as well.

Enable ac-tile for other archs as 'ac-ks'.

Fix a bunch of OOB reads in the loops that triggered ASAN.
 9 years ago
Victor Julien 3781b00dbc Open Suricata 3.1 development branch 9 years ago
Victor Julien 71a3c4caac Update Changelog for 3.0.1 9 years ago
Mats Klepsland f9ac42b36f util-decode-der: fix NULL dereference bug 
Make sure that the length is not longer than the size of the buffer
provided.
 9 years ago
Mats Klepsland c0dd911591 util-decode-der: fix heap-buffer-overflow 9 years ago
Mats Klepsland d07c495ed1 app-layer-tls-handshake: fix heap-buffer overflow 
Fix heap-buffer overflow that occurs when we are given repeatedly
certificates with the length of zero.
 9 years ago
Victor Julien ba035e601e hyperscan: fix minor coverity warning 1358023 
*** CID 1358023:  Null pointer dereferences  (REVERSE_INULL)
/src/util-mpm-hs.c: 860 in SCHSDestroyThreadCtx()
854         if (thr_ctx->scratch != NULL) {
855             hs_free_scratch(thr_ctx->scratch);
856             mpm_thread_ctx->memory_cnt--;
857             mpm_thread_ctx->memory_size -= thr_ctx->scratch_size;
858         }
859
>>>     CID 1358023:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "mpm_thread_ctx->ctx" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
860         if (mpm_thread_ctx->ctx != NULL) {
861             SCFree(mpm_thread_ctx->ctx);
862             mpm_thread_ctx->ctx = NULL;
863             mpm_thread_ctx->memory_cnt--;
864             mpm_thread_ctx->memory_size -= sizeof(SCHSThreadCtx);
865         }
 9 years ago
Victor Julien 2ccf028eac hyperscan: fix minor coverity warning 1358024 
*** CID 1358024:  Null pointer dereferences  (REVERSE_INULL)
/src/util-mpm-hs.c: 1043 in SCHSPrintInfo()
1037         printf("  SCHSPattern    %" PRIuMAX "\n", (uintmax_t)sizeof(SCHSPattern));
1038         printf("Unique Patterns: %" PRIu32 "\n", mpm_ctx->pattern_cnt);
1039         printf("Smallest:        %" PRIu32 "\n", mpm_ctx->minlen);
1040         printf("Largest:         %" PRIu32 "\n", mpm_ctx->maxlen);
1041         printf("\n");
1042
>>>     CID 1358024:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "ctx" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1043         if (ctx) {
1044             char *db_info = NULL;
1045             if (hs_database_info(pd->hs_db, &db_info) == HS_SUCCESS) {
1046                 printf("HS Database Info: %s\n", db_info);
1047                 SCFree(db_info);
1048             }
 9 years ago
browner87 070a35fd3b source-pcap-file: fix stats not being reset 
Fix for redmine #1737. Clears stats between each scanned PCAP instead of just 
on load in Unix socket mode.
 9 years ago
browner87 d05883af9b Fix for redmine bug 1737 
PCAP stats not reset between files in Unix socket mode. Added a memset to the Global Init function to clear these stats.
 9 years ago
Jason Ish 06dcaec335 byte-extract: for string, default to base "dec" if not provided 
For Snort compatibility, as Snort defaults to "dec" if not provided.

Fixed issue 1697:
https://redmine.openinfosecfoundation.org/issues/1697
 9 years ago
Victor Julien ffb5498228 detect: fix potential deadlock during reload 
If interrupted during the BreakLoop stage during reload, a deadlock
could happen.
 9 years ago
Victor Julien f836256e20 detect: fix small mem leak on duplicate sigs 
Direct leak of 80 byte(s) in 5 object(s) allocated from:
    #0 0x4c673b in __interceptor_malloc (/home/victor/dev/suricata/src/suricata+0x4c673b)
    #1 0xb7a425 in DetectEngineSignatureIsDuplicate /home/victor/dev/suricata/src/detect-parse.c:1715:10
    #2 0xb79390 in DetectEngineAppendSig /home/victor/dev/suricata/src/detect-parse.c:1836:19
    #3 0x86fe56 in DetectLoadSigFile /home/victor/dev/suricata/src/detect.c:357:15
    #4 0x815fee in ProcessSigFiles /home/victor/dev/suricata/src/detect.c:419:13
    #5 0x8139a8 in SigLoadSignatures /home/victor/dev/suricata/src/detect.c:499:15
    #6 0xfe435d in LoadSignatures /home/victor/dev/suricata/src/suricata.c:1979:9
    #7 0xfcd87e in main /home/victor/dev/suricata/src/suricata.c:2345:17
    #8 0x7fb66bf7cec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
 9 years ago
Victor Julien 31ed7042b5 hyperscan: add DrMemory suppressions 9 years ago
Justin Viiret 13b87f5aff mpm: add Hyperscan integration 
This adds an MPM implementation that uses the Hyperscan regex engine
library from Intel, accessible as the "hs" mpm-algo.
 9 years ago