aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,787 Commits
7 Branches
155 Tags
194 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5037ea93f3'
${ noResults }
Commit Graph

5787 Commits (5037ea93f3727a8689acb0df4d067f9a6d9aab1d)
 

Author SHA1 Message Date
Victor Julien a80cc696d7 detect: allow det_ctx->de_ctx to be NULL 
When freeing det_ctx, allow de_ctx to be NULL.
 10 years ago
Victor Julien c9a8262ccf detect: reload thread init cleanup 
Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap
to DetectEngineThreadCtxInitForReload and change it's logic to take the
new detection engine as argument and let it return the
DetectEngineThreadCtx or NULL on error.

The old approach used the thread init API format, but it wasn't used in
that way.
 10 years ago
Victor Julien 55e7370fc5 detect reload: allow master update during reload 
Add DetectEngineReference, which takes a reference to a detect engine,
and make DetectEngineThreadCtxInitForLiveRuleSwap use it. This way
reload will not depend on master staying the same. This allows master
to be updated in between w/o affecting the reload that is in progress.
 10 years ago
Victor Julien b1c54a8673 detect: remove old live reload implementation 
Remove code that ran the reload in it's own thread. Simplify the
signal handling.
 10 years ago
Victor Julien 0c263105cd detect: move reload into main loop 
Use new DetectEngineReload() function. It's called from the main loop
instead of it being spawned into it's own temporary thread. This greatly
simplifies the signal handling.

An added advantage is that this seems to improve the memory usage.

Related to bug #1358
 10 years ago
Victor Julien e7882da178 detect: introduce 'minimal' detect engine 
The minimal detect engine has only the minimal memory use and setup
time. It's to be used for 'delayed' detect where the first detection
engine is essentially empty.

The threads setup are also minimal.
 10 years ago
Victor Julien f4617d5357 threading: remove 'dummy' slot logic 
Now that delayed detect is not using it anymore, the dummy logic
can be removed.
 10 years ago
Victor Julien b0cb4c17ec detect: unify delayed detect and reload 
Instead of threading logic with dummy slots and all, use the regular
reload logic for delayed detect.

This means we pass a empty detect engine to the threads and then
reload (live swap) it as soon as the engine is running.
 10 years ago
Victor Julien 38b349af1e runmodes: remove DetectEngineCtx passing from API 
No longer pass a pointer to the current detection engine to the
runmode API calls.

Note: breaks delayed detect. Will be fixed in a future commit.
 10 years ago
Victor Julien b038b6a2f8 unittests: add exception to detect engine setup 
Add code to allow for unittests not following the complete api.

Update replace tests as they don't use the unittests runmode that
powers the workaround based on RunmodeIsUnittests().
 10 years ago
Victor Julien d66fa1add1 detect: update detect engine management 
Update detect engine management to make it easier to reload the detect
engine.

Core of the new approach is a 'master' ctx, that keeps a list of one or
more detect engines. The detect engines will not be passed to any thread
directly, but instead will only be accessed through the detect engine
thread contexts. As we can replace those atomically, replacing a detect
engine becomes easier.

Each thread keeps a reference to its detect context. When a detect engine
is replaced or removed, it's added to a free list. Once its reference
count reaches 0, it is freed.
 10 years ago
Victor Julien 664100c074 suricatasc: allow for much longer response times 10 years ago
Victor Julien 092ddc1853 detect: no exit on reference/classification errors 
Don't exit on errors during classification and reference parsing.

Add some suppression of error messages when in unittest mode.
 10 years ago
Victor Julien 49bad2cfba detect: consolidate more setup into DetectEngineCtxInit 
Loading of classifications, references and action order was done
unconditionally, so can be done in one place.
 10 years ago
Victor Julien 69f99245c5 unix-command: fix duplicate registration error msg 10 years ago
Victor Julien 60a49657df Bug 1401: on midstream pickup, fix packet direction 
On midstream SYN/ACK pickups, we would flip the direction of packets
after the first. This meant the first (pickup) packet's direction
was wrong.

This patch fixes that.
 10 years ago
Jason Ish ee7e813256 Bug 1417 - Record sequence nodes as sequences. 
Nodes that are sequences weren't being recorded as such, causing
rules to fail to load.

Change sequence test name to reflect better what it tests, and
test that the sequence node is detected as a sequence.
 10 years ago
Victor Julien e250040b72 detect-state: implement tx state reset for reload 
In case of Detect Reload, we need to reset active tx' state.
 10 years ago
Victor Julien da3e8ad8f6 detect-state: split flow and tx state 
Use separate data structures for storing TX and FLOW (AMATCH) detect
state.

- move state storing into util funcs
- remove de_state_m
- simplify reset state logic on reload
 10 years ago
Victor Julien 840efe17fe modbus: tx de_state 10 years ago
Victor Julien e984a57203 smtp: tx de_state 10 years ago
Victor Julien 2a23627a82 dns: implement tx de_state 10 years ago
Victor Julien 774bb90351 http: clean up tx destate at tx destroy 10 years ago
Victor Julien 6279da0fbd http: support per TX destate storage 10 years ago
Victor Julien 1cf02560c8 app-layer: per tx destate 
Add API calls for storing detection state in the TX.
 10 years ago
Victor Julien 866d9684ea detect-state: fix profiling 10 years ago
Victor Julien 7e75279977 detect-state: various cleanups 10 years ago
Victor Julien eec22ce19b detect-state: rip per sig detect out of ContinueDetect 10 years ago
Victor Julien bf818b8fb2 detect-state: remove DeStateResetFileInspection 
It was effectively unused.
 10 years ago
Victor Julien 206f9d4010 detect-state: remove redundant code 10 years ago
Victor Julien e390e24a7c detect-state: add helper to test state 
Add little helper function StateIsValid() to test if the state
can be inspected safely.

Cleans up stateful detection loops.
 10 years ago
Victor Julien 072ae12771 detect-state: add helper to indicate last tx 
Add little helper to indicate current tx is that last we have.
 10 years ago
Victor Julien b710f2dd59 detect-state: cleanup ContinueDetection 
Only lock f->de_state->m when we start to access it. So after
declaration and initialization of local vars.
 10 years ago
Victor Julien 54cb2b6877 detect-state: cleanup retvals 
Use DETECT_ENGINE_INSPECT_SIG_* instead of 0, 1, 2 and 3.
 10 years ago
Victor Julien 97cab030d7 modbus: shrink data structure 10 years ago
Victor Julien 9f1b417660 file: don't 'close' file if we need to track it 10 years ago
Victor Julien 6723d03c7e http: add inspection engine for http request line 
No MPM though.
 10 years ago
Victor Julien c0f265fd82 http: fix stat_msg and stat_code state tracking 10 years ago
Victor Julien 5b8c94db30 Remove spinning PacketPoolWait 
PacketPoolWait in autofp can wait for considerable time. Until now
it was essentially spinning, keeping the CPU 100% busy.

This patch introduces a condition to wait in such cases.

Atomically flag pool that consumer is waiting, so that we can sync
the pending pool right away instead of waiting for the
MAX_PENDING_RETURN_PACKETS limit.
 10 years ago
Victor Julien 2d7f79a62b drop json log: log out 'drop' signature 
If no normal sig was logged as the 'drop' reason, try the stored
drop signature instead, this will also log out 'noalert' sigs.
 10 years ago
Victor Julien 2e754ca6fa drop json: make alerts logging optional 
Make logging out alerts that caused the drop optional.
 10 years ago
Victor Julien 6b172bb010 drop json: add sids (if applicable) 
If a drop is caused by a SID match, add it to the drop record.
 10 years ago
Victor Julien 8a97bb0d04 alert json: move alert info into function 
Move adding the alert info (sid,rev,gid,etc) into it's own function,
so it can be called from other outputs as well.
 10 years ago
Victor Julien e9857200b3 detect: set action from utility function 
Set actions that are set directly from Signatures using the new
utility function DetectSignatureApplyActions. This will apply
the actions and also store info about the 'drop' that first made
the rule drop.
 10 years ago
Victor Julien c914f7bcdc detect: cleanup, remove unused order_id 
No longer used, so remove.
 10 years ago
Eric Leblond b8e7d3a259 flow-timeout: fix init of pseudo packet 
The code was not checking if we had enough room in the direct
data. In case default_packet_size was set really small, this was
resulting in data being written over the data and causing a crash.

The patch fixes the issue by forcing an allocation if the direct
data size in the Packet is to small.
 10 years ago
Eric Leblond e138a2ac1e decode: introduce PacketCallocExtPkt function 
In flow timeout handling we need a function that allocate and blank
a place that will be used to put constructed packet data. This new
function has no other goal.
 10 years ago
Jason Ish ab1d69fc4e When re-opening a log file on HUP, always append. 
This will prevent log files that have not been rotated by some
external tool from being deleted, but log files that were
rotated (moved out of the way) will be re-opened.

This is a better default behaviour, especially when not all
log files are rotated at the same time.

Thanks to iro on IRC.
 10 years ago
Jason Ish 6ed246c041 Don't attempt to load the rule files if the rule-files configuration 
node is not a sequence.  Instead log a warning as this is usually
a configuration error.
 10 years ago
Jason Ish a243a42bdf New function to test if a configuration node is a sequence or not. 10 years ago