aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
12,905 Commits
7 Branches
161 Tags
169 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3352c0bee4'
${ noResults }
Commit Graph

449 Commits (3352c0bee419818f138be5837729f63a9b31bb03)

Author SHA1 Message Date
Victor Julien 3352c0bee4 detect: initialization optimization 
A lot of time was spent in `SigMatchListSMBelongsTo` for the `mpm_sm`.

Optimize this by keeping the value at hand during Signature parsing and
detection engine setup.
 3 years ago
Victor Julien ec01a94a5f detect: minor debug fixup 4 years ago
Jeff Lucovsky be2155b4ed config/ref: Raise errors for ref.config parsing 
This commit raises an error in configuration test mode if there was an
error parsing reference.config.

Issue: 4659
 4 years ago
Victor Julien 40c315aa35 detect/frames: fix coverity warning 
Harmless warning, but it was correct in that the code made no sense:
1497420 Dereference before null check
 4 years ago
Victor Julien f6f124f283 detect/engine: support frames 
Implement the low level detect engine support for inspecting frames,
including MPM, transforms and inspect API's.
 4 years ago
Victor Julien ac11502629 detect/engine: store buffer name in local array 
Instead of storing a name and description as a pointer in DetectBufferType
store them in fixed size arrays. This is in preparation of runtime registration
of buffer types, where a constant name/desc is not available.
 4 years ago
Victor Julien ecce116117 detect/fast_pattern: allow for rule time registration 
In preparation of more dynamic logic in rule loading also doing
some registration, allow for buffers to be registered as fast_patterns
during rule parsing.

Leaves the register time registrations mostly as-is, but copies the
resulting list into the DetectEngineCtx and works with that onwards.
This list can then be extended.
 4 years ago
Victor Julien db27244379 detect: add buffer helper functions 4 years ago
Victor Julien 707b75ccda detect: split register time and detect load time buffer funcs 4 years ago
Victor Julien 5bcaae0a01 detect: use hashes for all buffer to id 
Instead of a map that is constantly realloc'd, use 2 hash tables for
DetectBufferType entries: one by name (+transforms), the other by
id. Use these everywhere.
 4 years ago
Philippe Antoine 689ac97d72 inspect: debug validation to ensure correct argument 4 years ago
Sam Muhammed 42d4eb6943 detect-engine: convert unittests to FAIL/PASS APIs 4 years ago
Philippe Antoine d21a252238 fuzz: target must use the rules it parsed 
DetectEngineReloadThreads does not work for the fuzz targets
as there is no_of_detect_tvs = 0 as we did not register
real threads and slots.

So, we force the flow worker module to use the newly detect engine
conetxt with all it needs
 4 years ago
Victor Julien 13a6eb3522 detect: suppress scan-build warning 4 years ago
Victor Julien ed87784907 detect: enforce max app-layer progress 
Allow progress values in the range 0-47 so we have 48 bits to track
prefilter engines.

Mark bits 48-62 as reserved explicitly.

Add debug validation checks to make sure the reserved space isn't used.
 4 years ago
Victor Julien aa93984b7e detect: unify alert handling; fix bugs 
Unify handling of signature matches between various rule types and
between noalert and regular rules.

"noalert" sigs are added to the alert queue initially, but removed
from it after handling their actions. This way all actions are applied
from a single place.

Make sure flow drop and pass are mutually exclusive.

The above addresses issue with pass and drops not getting applied
correctly in various cases.

Bug: #4663
Bug: #4670
 4 years ago
Victor Julien e611adf3dc detect: set event if max inspect buffers exceeded 
If a parser exceeds 1024 buffers we stop processing them and
set a detect event instead. This is to avoid parser bugs as well as
crafted bad traffic leading to resources starvation due to excessive
loops.
 4 years ago
Victor Julien 3dc50322db detect: fix multi inspect buffer issue; clean up 
Fix multi inspect buffer API causing cleanup logic in the single
inspect buffer paths. This could lead to a buffer overrun in the
"to clear" logic.

Multi buffers now use InspectionBufferSetupMulti instead of
InspectionBuffer. This is enforced by a check in debug validation.

Simplify the multi inspect buffer setup code and update the callers.
 4 years ago
Victor Julien 23d7beb458 detect: reformat events table 4 years ago
Jeff Lucovsky 1eeb96696b general: Cleanup bool usage 4 years ago
Victor Julien c3075cba42 detect/analyzer: fix mpm display on payload only rules 5 years ago
Victor Julien 975062cf40 detect: track base id for xform buffers 
Buffers with transforms are based on the non-transformed "base"
buffer, with a new ID assigned and the transform callbacks added.

This patch stores the id of the original buffer in the new buffer
inspect and prefilter structures. This way the buffers with and
without transforms can share some of the logic are progression
of file and body inspection trackers.

Related tickets: #4361 #4199 #3616
 5 years ago
Victor Julien 52692da7cf detect/analyzer: fix pkt engine display 5 years ago
Philippe Antoine c8dbe24fb6 proto: introduce signature protocol, as extension to flow protocol 
AppProtoEquals function allows to check if a flow protocol
matches a signature protocol
 5 years ago
Victor Julien 13cebb1857 detect: fix heap overflow issue with buffer setup 
In some cases, the InspectionBufferGet function would be followed by
a failure to set the buffer up, for example due to a HTTP body limit
not yet being reached. Yet each call to InspectionBufferGet would lead
to the matching list_id to be added to the
DetectEngineThreadCtx::inspect.to_clear_queue. This array is sized to
add each list only once, but in this case the same id could be added
multiple times, potentially overflowing the array.
 5 years ago
Victor Julien 84385549fe detect: remove unused arg from generic list inspect 5 years ago
Victor Julien d694dac5a8 detect: remove inspect v1 API 5 years ago
Victor Julien c6c93d1d12 detect/stream: convert to inspect API v2 5 years ago
Victor Julien ee15bd8076 detect/mpm: rename variable to ease code review 5 years ago
Shivani Bhardwaj e9fe5ada7f datasets: reload static sets 5 years ago
Jeff Lucovsky fb409664d2 detect: byte_math support 5 years ago
Jeff Lucovsky 2d055ed1f7 detect: Correct Coverity REVERSE_INULL issue 
This commit corrects the "Null pointer dereferences" issue (CID
1465221).
 5 years ago
Jeff Lucovsky 197a593078 detect: Add transform validation api 
This commit extends the API with a function that validates arguments
against the transforms for the SM list (if any).
 5 years ago
Jeff Lucovsky 5d10db88bc detect/transform: Support transform options 
This commit adds support for transform-specific options. During Setup,
transforms have the signature string available for options detection.
When a transform detects an option, it should convert the option into an
internal format and supply a pointer to this format as the last argument
to DetectSignatureAddTransform.

Transforms that support options must provide a function in their
Sigmatch table entry. When the transform is freed, a pointer to the
internal format of the option is passed to this function.
 5 years ago
Shivani Bhardwaj e7c0f0ad91 src: remove multiple uses of atoi 
atoi() and related functions lack a mechanism for reporting errors for
invalid values. Replace them with calls to the appropriate
ByteExtractString* functions.

Partially closes redmine ticket #3053.
 5 years ago
Jeff Lucovsky d3a65fe156 detect: Provide `de_ctx` to free functions 
This commit makes sure that the `DetectEngineCtx *` is available
to each detector's "free" function.
 5 years ago
Jeff Lucovsky d1151f3f8e detect: Provide function to clear per-thread ctx 
This commit provides an interface to free previously allocated
per-thread contextual information on the keyword lists.
 5 years ago
Victor Julien 7f19da1cc0 detect: more robust against transform issues 
In case of transform issues (transform not consumed before pkt_data
for example), the code would hit an ugly BUG_ON.

Address this by a more graceful error message, that will still
invalidate the sig but not crash the engine.
 5 years ago
Shivani Bhardwaj 0e4f261224 Use StringParse* for all parsers and configurations 5 years ago
Jeff Lucovsky be4c6b85de general: Convert _Bool to bool 
This commit addresses task 3167 and changes usages of '_Bool` to `bool`.
The latter is included from `suricata-common.h`
 6 years ago
Jeff Lucovsky 1cddbc085b detect: Fix typos/spelling errors. 6 years ago
Victor Julien d369e54f1d app-layer: all protocols are tx aware now 
So remove the runtime check for it.
 6 years ago
Victor Julien 550cfdd98d threading: hide 'trans_q' from queue handlers 6 years ago
Victor Julien d7cb0774dd detect: cleanup reload thread handling 6 years ago
Victor Julien 1a8562b3c6 detect: clean up threads handling 
Clean up reload and break loop thread handling.
 6 years ago
Victor Julien e5010d7704 detect: inject packet cleanup 6 years ago
Jason Ish fdb587d2fc detect-engine: check for tx detect flag support 
When registing a detection engine, check that the app-layer
protocol supports tx detect flags. Exit with a fatal
error if it does not as this is a code implementation
error that should be resolved during development.
 6 years ago
Victor Julien 0a809bf577 packet: set unique pkt_src 'flush' packets 
Set unique type for capture timeout and for detect reload flush
to assist in debugging.
 6 years ago
Victor Julien 58e48bcb87 debug: make it easier to trace flush logic 6 years ago
Victor Julien 4dff903b35 detect: introduce pkt mpm engines 
Instead of the hardcode L4 matching in MPM that was recently introduced,
add an API similar to the AppLayer MPM and inspect engines.

Share part of the registration code with the AppLayer.

Implement for the tcp.hdr and udp.hdr keywords.
 6 years ago