This patch is a result of applying the following coccinelle
transformation to suricata sources:
@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc|SCMallocAligned|SCRealloc)";
@@
x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
Provide support for icmvp4 and icmpv6 as well. You can now use
alert icmpv4 and
alert icmpv6 as well, apart from the existing
alert icmp, which created a rule that applied to both icmpv4 and icmpv6.
cppcheck:
[detect-fast-pattern.c:1183] -> [detect-fast-pattern.c:1183]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1217] -> [detect-fast-pattern.c:1217]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1449] -> [detect-fast-pattern.c:1449]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1479] -> [detect-fast-pattern.c:1479]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1509] -> [detect-fast-pattern.c:1509]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1539] -> [detect-fast-pattern.c:1539]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1570] -> [detect-fast-pattern.c:1570]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1686] -> [detect-fast-pattern.c:1686]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1716] -> [detect-fast-pattern.c:1716]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1746] -> [detect-fast-pattern.c:1746]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1776] -> [detect-fast-pattern.c:1776]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1806] -> [detect-fast-pattern.c:1806]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1836] -> [detect-fast-pattern.c:1836]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1866] -> [detect-fast-pattern.c:1866]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1896] -> [detect-fast-pattern.c:1896]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:1926] -> [detect-fast-pattern.c:1926]: (style) Same expression on both sides of '&'.
[detect-fast-pattern.c:2022] -> [detect-fast-pattern.c:2022]: (style) Same expression on both sides of '&'.
cppcheck said:
[decode-pppoe.c:58] -> [decode-pppoe.c:60]: (performance, inconclusive) Variable 'pppoedh' is reassigned a value before the old one has been used if variable is no semaphore variable.
Take VLAN IDs into account when re-assembling fragments.
Prevents fragments that would otherwise match, but on different
VLANs from being reassembled with each other.
Fix bug #995. Tag time setting was initialized using "usec" field
instead of "sec" field. This led to immediate timing out of tag.
Added proper matching unittests for all tagging types.
Bug #995.
We don't support jabber protocol detection atm. Disable the code check
inside suricata to check if jabber protocol detection is enabled in the
yaml file.
Also updated an error log message for app layer.
In case of recursive call to protocol detection from within protocol
detection, and the recursively invoked stream still hasn't been ack'ed
yet, protocol detection doesn't take place. In such cases we will end up
still calling the app layer with the wrong direction data. Introduce a
check to not call app layer with wrong direction data.
When sockets are re-used reset all relevant vars correctly.
This commit fixes a bug where we were not reseting app proto detection
vars.
While fixing #989, we discovered some other bugs which have also been
fixed, or rather some features which are now updated. One of the feature
update being if we recieve wrong direction data first, we don't reset the
protocol values for the flow. We let the flow retain the detected
values.
Unittests have been modified to accomodate the above change.
Use the tx id stored for each alert to find the correct XFF address
to add to the extra-data field.
In overwrite mode we still only grab the first available XFF addr,
as this address is set in the header preceeding the individual alerts.
Issue #904.
When generating an alert and storing it in the packet, store the tx_id
as well. This way the output modules can log the tx_id and access the
proper tx for logging.
Issue #904.
Some events we retrieved from error messages are flag now, so check
those. Not all can be converted though. These are no longer set:
HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE
HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT
Part of Bug #982.
We have follow TCP RFC (http://tools.ietf.org/html/rfc793#section-3.4).
There is two cases depending on wether the original packet contains a
ACK.
If packet has no ACK, the RST seq number is 0 and the ACK is built the
standard way.
If packet has a ACK, the seq of the RST packet is equal to the ACK of
incoming packet and the ACK is build using packet sequence number and
size of the data.
Regarding standard Ack number, it is computed using seq number of captured
packet added to packet length. Finally 1 is added so we respect the
RFC:
If the ACK control bit is set this field contains the value of the
next sequence number the sender of the segment is expecting to
receive. Once a connection is established this is always sent.
With this patch we have some correct results. With the following rule:
reject ssh any any -> 192.168.56.3 any (msg:"no SSH way"; sid:3; rev:1;)
ssh connection to 192.168.56.3 is correctly resetted on client side.
But this is not perfect. If we have the following rule:
reject tcp any any -> 192.168.56.3 22 (msg:"no way"; sid:2; rev:1;)
then the connection is not resetted on a standard ethernet network. But
if we introduce 20ms delay on packets, then it is correctly resetted.
This is explained when looking at the network trace. The reset is sent
as answer to the SYN packet and it is emitted after the SYN ACK from
server because the exchange is really fast. So this is discarded by the
client OS which has already seen a ACK for the same sequence number.
This should fix#895.
This patch update reject code to send the packet on the interface
it comes from when 'host-mode' is set to 'sniffer-only'. When
'host-mode' is set to 'router', the reject packet is sent via
the routing interface.
This should fix#957.
This variable can be used to indicate to suricata that the host
running is running as a router or is in sniffing only mode.
This will used at least to determine which interfaces are used to
send reject message.
Split threads.h into several files, where each of these files defines
all lock types and macro's.
threads.h defines the normal case
threads-debug.h defines the debug variants
threads-profile.h defines the lock profiling variants
Finally, threads-arch-tile.h moves the Tilera specifics out
Thresholds and suppression can be handled independently. Suppression
only suppresses output, and is not related to Threshold state tracking.
This simplifies mixing suppression and thresholding rules.
Part of the Bug #425 effort.
On Tile, replace pthread_mutex_locks with queued spin locks (ticket
locks) for dataplane processing code. This is safe when running on
dataplane cores with one thread per core. The condition variables are
no-ops when the thread is spinning anyway.
For control plane threads, unix-manager, stats-logs, thread startup,
use pthread_mutex_locks. For these locks replaced SCMutex with SCCtrlMutex
and SCCond with SCCtrlCond.
app-layer-parser.c: In function ‘AppLayerPPTestData’:
app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable]
int dir = 0;
^
Changed the signature sorting code to use a a single merge sort instead
of the multiple pass sorting that was being used. This reduces startup
time on Tile by a factor of 3.
Also replace the user array of pointers to ints with a simpler array of
ints.
Removed a flag parameter introuced earlier to indicate the data
that is first acceptable by the parser. We now use a differently
named parameter to carry out the same activity.
The logic we use currently is if we have already sent some data to
a parser before we figure out we have a proto mismatch, we use the
proto from the first direction from which we have already sent the
data to the parser, else we stick to the the to client direction.
Now we can specify alproto, ip_proto combinations this way
alert dns (ip_proto:[tcp/udp];)
alert ip (app-layer-protocol:dns;)
alert ip (app-layer-protocol:dns; ip_proto:tcp;)
alert tcp (app-layer-protocol:dns:)
so on. Neater than using dnstcp/dnsudp.
This is related to feature #424.
Victor Julien
Eric Leblond
Anoop Saldanha
Ken Steele
Nelson Escobar
Jason Ish