aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,279 Commits
7 Branches
161 Tags
210 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6eb8f66f0a'
${ noResults }
Commit Graph

290 Commits (6eb8f66f0ae6bac3891c9716cb9380138eb6c793)

Author SHA1 Message Date
Anoop Saldanha f592c481dc Introduce a separate inspection engine for app events. 12 years ago
Anoop Saldanha 94e40907e2 feature #727 - Add support for app-layer-protocol:<protocol> keyword 12 years ago
Ken Steele 50f859e9f2 Move SIMD implementations out of detect.c 
Move SIMD the implementations of SigMatchSignaturesBuildMatchArray()
for SSE3 and Tile out of detect.c to reduce the size of the file.

Also moved SIMD unit tests to detect-simd.c
 12 years ago
Ken Steele eb4f0da97f Change one more atomic size in detect.h 
Change uint16_t to int for better tile atomic performance. Checked with
pahole that it doesn't increase the size of the structure.
 12 years ago
Ken Steele 784843b146 Use Tilera SIMD for Signature matching ala SSE3 
Makes use of 8-wide byte compare instructions in signature matching.

For allocating aligned memory, _mm_malloc() is SSE only, so added
check for __tile__ to use memalign() instead.

Shows a 13% speed up.
 12 years ago
Victor Julien 055b422c28 Remove obsolete code: flow alert sid storage 12 years ago
Eric Leblond 2f2916d9ec ccccinelle: add formatted comment for flag test 12 years ago
Victor Julien 7292998a58 Content: set up sticky buffers like file_data and dce_stub_data w/o flags, but with a list variable 12 years ago
Anoop Saldanha fba95e9125 Remove mpm ctxs in the wrong direction. 
A lot of http mpm ctxs have now been removed as a result of this.
 12 years ago
Victor Julien 6645620c03 Merge SIG_FLAG_MPM_HTTP and SIG_FLAG_MPM_DNS into SIG_FLAG_MPM_APPLAYER, do the same for the _NEG variant. 12 years ago
Victor Julien 43ba5a677e DNS: enable mpm/fast_pattern support for dns_query 12 years ago
Victor Julien f10dd603ff DNS: adding dns_request content modifier 12 years ago
Anoop Saldanha b787da5643 Remove all cuda related code in the engine except for the cuda api wrappers 12 years ago
Victor Julien 6e18ed0489 luajit flowvar support 
This patch adds flowvar support to luajit. It does so by exposing two special
C functions to the luajit scripts: ScFlowvarGet and ScFlowvarSet.
 12 years ago
Anoop Saldanha ab1f8afbc3 Removed Signature->order_id and replaced it with Signature->num. 12 years ago
Anoop Saldanha d4d18e3136 Transaction engine redesigned. 
Improved accuracy, improved performance.  Performance improvement
noticeable with http heavy traffic and ruleset.

A lot of other cosmetic changes carried out as well.  Wrappers introduced
for a lot of app layer functions.

Failing dce unittests disabled.  Will be reintroduced in the updated dce
engine.

Cross transaction matching taken care of.  FPs emanating from these
matches have now disappeared.  Double inspection of transactions taken
care of as well.
 12 years ago
Victor Julien 4cd736fcc9 flowvar: fix deadlock with http buffers 
Bug #802

Flowvars are set from pcre, and lock the flow when being set. However
when HTTP buffers were inspected, flow was already locked: deadlock.

This patch introduces a post-match list in the detection engine thread
ctx, where store candidates are kept. Then a post-match function is used
to finalize the storing if the rule matches.

Solves the deadlock and brings the handling of flowvars more in line
with flowbits and flowints.
 12 years ago
Victor Julien 9ea4d36f7a Minor reshuffling of Signature struct. 12 years ago
Victor Julien eb11280888 Use define instead of magic number for pmq's per detect thread 12 years ago
Anoop Saldanha 4c6efa2d40 Update content id assignment. 
All fp id assignment now happens in one go.
Also noticing a slight perf increase, probably emanating from improved cache
perf.
Removed irrelevant unittests as well.
 13 years ago
Anoop Saldanha c63317d02e Detect sm_list rearranged for performance reasons. 13 years ago
Anoop Saldanha 51dcf19817 turn dce_stub_data into a sticky buffer. 13 years ago
Anoop Saldanha 3511f91bba Add support for the new keyword - http_raw_host header. 
The corresponding pcre modifier would be 'Z'.
 13 years ago
Anoop Saldanha c4ce19a1be Add support for a new keyword to inspect http_host header. 
The corresponding content keyword would now be - http_host.
The corresponding pcre modifier would be W.
 13 years ago
Ignacio Sanchez d771e08156 Adds support for the geoip keyword 
Adds support for match-on conditions (src, dst, any, both)
Uses GEOIP_MEMORY_CACHE for performance reasons
Adds support for negation and multiple countries in the same rule

Bug fixes

Changed to take flow direction from rule, if present

Comments addressed. Unit tests added.
 13 years ago
Eric Leblond 40891223e9 list-keyword: detect non built keyword 
This patch update the glafs list to be able to indicate that a
flag is not supported. This information is used by list-keyword to
display information to the user.
 13 years ago
Eric Leblond 6842545331 Add documentation url in list-keyword output. 
The output of the list-keyword is modified to include the url to
the keyword documentation when this is available. All documented
keywords should have their link set.

list-keyword can be used with an optional value:
 no option or short: display list of keywords
 csv: display a csv output on info an all keywords
 all: display a human readable output of keywords info
 $KWD: display the info about one keyword.
 13 years ago
Eric Leblond 5e4552fdcd suricata: update list-keyword command 
This patch update the list-keyword command. Without any option,
the previous behavior is conserved. If 'all' is used as option,
suricata print a csv formatted output of keyword information:
	name;features;description
If a keyword name is used as argument, suricata print a readable
message:
tls.subject
Features: state inspecting
Description: Match TLS/SSL certificate Subject field
 13 years ago
Victor Julien e30b1bfe64 Simple IP reputation implementation 13 years ago
Xavier Lange 234922f3c6 Keyword pkt_data 13 years ago
Victor Julien 70bc9e2494 filestore: fix logic flag in continued stateful detection 13 years ago
Victor Julien fd6df00684 Bug 585: use per detect thread libmagic ctx 13 years ago
Anoop Saldanha b0e20a486c update client/server/http_header to use a different form of 
buffering/buffer_retrieval.

Now it happens per tx, based on tx id.  Also notice a perf improvement with
this.
 13 years ago
Victor Julien 10a11b750d Add dsize check to prefilter stage 
Many sigs with dsize have a weak fast_pattern. Those patterns
are likely to match. By filtering on dsize early, we safe a lot
of cycles later.
 13 years ago
Victor Julien 45cbef0735 For signatures with the dsize option set depth on any content match in that sig. 13 years ago
Victor Julien 98484ffdcc luajit: prealloc lua states to increases chances of alloc success. Luajit requires them to be in memory <2GB. 13 years ago
Victor Julien 575c87aeba engine events: prefilter sigs that need a event 13 years ago
Victor Julien c91c359692 profiling: fix build on older systems 13 years ago
Victor Julien ec7e79c748 Rule profiling update 
- Remove usage of counters api.
- Store stats in detect engine thread ctx to remove locking
- Support rule reloads
 13 years ago
Victor Julien ba3260ed38 Thread local ctx for detection keywords 
Some detection keywords need thread local ctx storage. Example is the
filemagic keyword that has a ctx that is modified with each call. That
is not thread safe. This functionality allows registration of thread
local ctxs so that each detect thread works on it's own copy.
 13 years ago
Victor Julien f58e828c5e luajit: stub detection keyword 13 years ago
Eric Leblond 71b4257bc2 sig: add l3_proto keyword 
This patch adds a l3_proto keyword to the signature language. It
can be used to specify if the signature has to match on IPv4, IPv6
or both. For example, one can write:
  alert http any any -> any 22 (msg: "HTTP v6"; l3_proto:ip6; sid:14;)

This should close #494.
 13 years ago
Victor Julien 8f71333e12 file: implement filesize keyword. #489. 13 years ago
Victor Julien 3849588c61 Create separate detect API call (FileMatch) for file detection keywords. #531. 13 years ago
Eric Leblond 7e09cdc265 Delay Detect threads initialization 
This patch modifies the init of Detect threads. They are now started
with a dummy function and their initialisation is done after the
signatures are loaded. Just after this, the dummy function is switched
to normal one.

In IPS mode, this permit to route packets without waiting for the
signature to start and should fix #488.

Offline mode such as pcap file don't use this mode to be sure to
analyse all packets in the file.

The patch introduces a "delayed-detect" configuration variable
under detect-engine. It can be used to activate the feature
(set to "yes" to have signature loaded after capture is started).
 13 years ago
Jean-Paul Roliers c4df7a45ae tls: adding store option for TLS 
This patch adds a TLS store option to save certificate in PEM format.
Each time the store action is met, a file and a metafile are created.

Reworked-by: Eric Leblond <eric@regit.org>
 13 years ago
Jean-Paul Roliers 00d4357362 tls: adding support for fingerprint rule matching. 
Add the support for tls.fingerprint keyword in rules.
 13 years ago
Victor Julien c9e93ec52c filemd5: add support code for md5 handling for signatures. 13 years ago
Anoop Saldanha 0c24bbab0c code cleanup for live swap 13 years ago
Anoop Saldanha ecad4a24fa live rule support added 
To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
 13 years ago