Commit Graph

3870 Commits (7d706563ef87a3f99cd8598263ac8e5f77b16754)

Author SHA1 Message Date
Victor Julien 13e60c0040 stream: detect keep-alive packets so we don't consider those invalid 12 years ago
Victor Julien 9094eb4783 stream: ignore ack value if ack flag is not set. Add stream.pkt_broken_ack event for when ack value is not 0 and ack flag not set. 12 years ago
Victor Julien a5d9442c2d stream: handle retransmission of lost data packet on TIME_WAIT state 12 years ago
Victor Julien 037d67cc66 stream: go from FIN_WAIT_1 to CLOSING on simultaneous close. 12 years ago
Victor Julien 6544475670 stream: don't reject RST as response to SYN because of ACK 12 years ago
Victor Julien 6f76ac176d stream: add option to match on overlapping data
Set event on overlapping data segments that have different data.

Add stream-events option stream-event:reassembly_overlap_different_data and
add an example rule.

Issue 603.
12 years ago
Victor Julien 0b68da0b31 libhtp: don't use internal iterator
It violates thread safety. #601.

Suricata assures thread safety on the flow level for HTTP tracking. Part of the flow is (in case of HTTP) libhtp's htp_connp_t state. At startup the libhtp glue layer, app-layer-htp, initializes as many htp_cfg_t instances as there are libhtp server configurations in the yaml. At HTTP session start, we look up the proper htp_cfg_t based on the server ip and pass it to htp_connp_create. A ptr to the relevant htp_cfg_t is part of the htp_connp_t. The htp_cfg_t contains "hooks". They are registered based on yaml config at init time.

The hooks have lists of type list_t. The list is run with a built-in iterator. The iterator is reset at the start of each "hook_run_all". Since multiple flows share the same htp_cfg_t, flow A can reset the iterator while flow B is using it. The flow lock has no effect as flows share the htp_cfg_t.

This has been observed in real traffic. hook_response_body_data was run on the same data multiple times, leading to corrupt extracted files.
12 years ago
Victor Julien d68fd54a76 Fix/suppress a couple of harmless compiler warnings. 12 years ago
Anoop Saldanha 870a98b528 Remove dead comment about flow reference api duplicate 12 years ago
Anoop Saldanha f08497d1e4 Move Flow Reference/Dereference api from flow-util.h to flow.h.
Remove duplicate FlowDeReference from decode.h
12 years ago
Anoop Saldanha 67981d1c5c Update suricata to use FlowReference/FlowDeReference for the ones left out
from last update.
12 years ago
Victor Julien bb14cf899b yaml: default to cluster_flow type for AF_PACKET and PF_RING 12 years ago
Victor Julien 72782e5a6a profiling: fix rule profiling output sometimes missing sid,rev,gid. Bug #576. 12 years ago
Victor Julien 10a11b750d Add dsize check to prefilter stage
Many sigs with dsize have a weak fast_pattern. Those patterns
are likely to match. By filtering on dsize early, we save a lot
of cycles later.
12 years ago
Victor Julien 45cbef0735 For signatures with the dsize option set depth on any content match in that sig. 12 years ago
Victor Julien d774d6e226 Update changelog to reflect 1.4beta2 changes 12 years ago
Victor Julien 63c64ed2cc Clean up and update bundled docs 12 years ago
Victor Julien 4464657ca2 remove reference to non-existing file from Makefile.am 12 years ago
Victor Julien a01130d2ed packet src: move pkt_src field up in the structure to fit in an existing hole (found with pahole -C Packet_ src/.libs/suricata). 12 years ago
Anoop Saldanha b33986c887 Add a packet src for every packet generated inside suricata. 12 years ago
Eric Leblond 58bf4ea4a4 nfq: fix detection of type nfq_get_payload function. 12 years ago
Eric Leblond 19756488ab nfq: close the queue when leaving acquisition.
This patch adds a call to close the queue when the acquisition
loop is ending. This way the incoming packets will be accepted
during the whole shutdown phase (if the queue-bypass option of
NFQUEUE is used). At the same time the currently processed packets
will be dropped, but the time scales are different: suricata will
drop 20 ms of packets and the shutdown can take 0.5 seconds.

Patch based on an idea of Victor Julien.
12 years ago
Victor Julien 75cddabd8a fast_pattern: don't consider http_method, http_stat_code and http_stat_msg when automatically giving preference to a HTTP pattern over a stream pattern. 12 years ago
Eric Leblond 928ade1d04 pf-ring: suppress unused variable. 12 years ago
Eric Leblond c3b9a5e97f pf-ring: add missing header. 12 years ago
Eric Leblond 7731cef782 pf-ring: protect definition of (un)likely
This patch makes (un)likely declared if and only if they are not
declared before.
12 years ago
Anoop Saldanha fd977601b6 fix for bug #574.
More of a temporary solution to prevent any possible FPs.  Disable content
inspection bypass for mpm patterns.
12 years ago
Anoop Saldanha 51c9955c79 fix for bug #577.
If a pattern has matched on mpm, don't re-inspect it later, subject to certain
conditions met by the pattern - namely, not negated, right chop, no replace
attached to it.
12 years ago
Victor Julien 6e0f8a3cb5 htp: update version numbers of bundled htp 12 years ago
Victor Julien aa4ae98d37 http: fix multipart parsing leading to missing chunks of files in file extraction. 12 years ago
Anoop Saldanha 028c6c1782 Make available custom features of libhtp.
The power of libhtp customisation is now available to users.

Options available -

path-backslash-separators: yes
path-compress-separators: yes
path-control-char-handling: none
path-convert-utf8: yes
path-decode-separators: yes
path-decode-u-encoding: yes
path-invalid-encoding-handling: preserve_percent
path-invalid-utf8-handling: none
path-nul-encoded-handling: none
path-nul-raw-handling: none
set-path-replacement-char: ?
set-path-unicode-mapping: bestfit

You can use this for your libhtp customisation.  Options explained in our
wiki.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Advanced_libhtp_customization
12 years ago
Anoop Saldanha 340542c44e refactor htpconfigure() 12 years ago
Victor Julien 33b0b07107 bug #572: make sure we use profiling fallback for all architectures except x86_64 and i386. 12 years ago
Victor Julien 50da0e80d5 Fix flow keyword compilation failure. 12 years ago
Anoop Saldanha 3d74fa964a Update all flow referencing to use the new FlowReference and FlowDeReference
macros.
12 years ago
Anoop Saldanha 6c68f86b8c fix for bug #557.
In FFRv2, dereference flow from a packet using the new reference/dereference
util macros.  This allows the decr of use_cnt for the flow and resetting the flow
pointer to NULL for the pseudo pkt to happen simultaneously, in case we
fail to retrieve a pseudo_packet and have to return the already obtained
pseudo packets back to the packetpool.
12 years ago
Anoop Saldanha 88e89d6302 Introduce utility flow macros to help referencing/dereferencing flows. 12 years ago
Anoop Saldanha 4d501778e9 fix for bug #557.
Reset hhd buffers list len if we exit before allocating the buffer.
12 years ago
Anoop Saldanha 855726f372 fix for bug #575.
If sig has no_stream set, don't mask it as requiring flow.  Should get rid of
any FNs.
12 years ago
Victor Julien 1598425a40 detect: properly store a stateful match if it happens at the start of inspection 12 years ago
Victor Julien c3f4f8d46a Dead code cleanup. Coverity 728047, 728048, 728049. 12 years ago
Victor Julien ee5d6fdb6f profiling: fix some profiling info missing from output 12 years ago
Eric Leblond ffbbff9d6c tm-thread: detect thread death
When a thread is dead at init the THV_INIT_DONE flag is not set
and the spawn function can freeze (see bug #553 for an example).
In this case THV_RUNNING_DONE is set and we can also check on this
state for leaving the function. This should fix bug #553.
12 years ago
Victor Julien af7f4b347d threshold: improve comments of shipped threshold.config, add links to wiki. 12 years ago
Anoop Saldanha 4e3b206f7b fix http server/client body handling. Update body status based on tx state. 12 years ago
Victor Julien 82fc61770b threshold: allow threshold.config to override rule
Allow threshold.conf to override rule thresholds in the following
cases:

- threshold.config rule uses threshold or event_filter AND
- threshold.config rule applies to a single signature (so no
  gid 0 or sid 0)

Confirmed to work with both threshold and detection_filter rule
keywords.

Part of bug #425.
12 years ago
Victor Julien a0c43a8a1c Minor parsing cleanups in detect-engine options. 12 years ago
Victor Julien b6f573d9cb yaml: add addr and port vars commonly used by ET/ETpro 12 years ago
Eric Leblond 28ca36acf7 coccinelle: add test on malloc error check.
This patch adds a coccinelle code check on SCMalloc, SCCalloc and
SCStrdup and other memory handling functions. It verifies that the
error checking is made.
12 years ago
Eric Leblond 9f13572843 Fix indentation of win32 files. 12 years ago