aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
9,227 Commits
7 Branches
155 Tags
192 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8c3f1aa7a5'
${ noResults }
Commit Graph

9227 Commits (8c3f1aa7a5735bd92d410c19ff7898aa05502079)
 

Author SHA1 Message Date
Mats Klepsland 8c3f1aa7a5 tlslog: don't log as "resumed" without ServerHello 
Don't log a session as "resumed" if a ServerHello record has not been
seen. This makes sure that incomplete TLS sessions where the ClientHello
contains a session ticket, is not logged as a session resumption.
 7 years ago
Mats Klepsland 814e1624c2 output-json-tls: don't log as "resumed" without ServerHello 
Don't log a session as "resumed" if a ServerHello record has not been
seen. This makes sure that incomplete TLS sessions where the ClientHello
contains a session ticket, is not logged as a session resumption.
 7 years ago
Mats Klepsland 4470b05ae4 app-layer-ssl: remove unnecessary length check 
We already check that empty extensions are not decoded, so this length
check is not needed.
 7 years ago
Victor Julien 0b5a2ab49b setup-app-layer: support tests in tests/ 7 years ago
Jason Ish 7ec7d85ecc setup-app-layer.py: integrate detect buffer setup 
Add --detect to setup a detect buffer.

Obsoletes setup-app-layer-detect.sh.
 7 years ago
Jason Ish 35fd10bc2e rust: app-layer detect template for rust parsers 7 years ago
Jason Ish 15922dcd8c setup-app-layer.py: attempt to cd into correct directory 
- If in src, cd to ..
- Error out early if the current directory does not look like a
  Suricata source directory.
 7 years ago
Jason Ish 58933bafc1 rust app layer template: functions to get buffers 
Example functions for getting the request and response buffers.
Useful for running detection on the decoded buffers.
 7 years ago
Jason Ish 01f7dcf5fd rust template parser: sample pcap 7 years ago
Jason Ish c3f1a35e28 rust: app-layer template parser and logger 
The protocol is a simple request/reply based protocol that can
be hand driven with netcat.

Request  -> 12:Hello World!
Response -> 3:Byte

Its of the format <length>:<message> where length is the length
of the message, not including the length or the delimiter.
 7 years ago
Jason Ish 7682b1ba74 rustfmt.toml: set to 80 char line width 
The rustfmt default is 100, set to 80 to be more inline with
the Suricata C code.
 7 years ago
Jason Ish 9636b9de32 rust: expose AppLayerParserStateIssetFlag to Rust. 7 years ago
Jason Ish 90dfcf4907 rust/gen-c-headers: don't attempt to split empty lines 7 years ago
Jason Ish ee3aba9008 templates: C stub output for Rust logger 7 years ago
Jason Ish 96dc20abb1 templates: C stub template for Rust parser 7 years ago
Victor Julien 789b1474ed detect/template2: setup script 7 years ago
Victor Julien 486054595a detect/template2: template with prefilter (copy of ttl) 7 years ago
Victor Julien 4d0fc67560 decode/template: minor updates 7 years ago
Victor Julien 5ed7e4fb5f setup-app-layer-detect: update for tests/ dir 7 years ago
Victor Julien 452355bb63 setup-simple-detect: update for new tests location 7 years ago
Jason Ish 9da00bebf0 scripts/setup: remove 'ed' based setup scripts 
Removes:
- setup-app-layer.sh
- setup-app-layer-logger.sh

These have been replaced by setup-app-layer.py.
 7 years ago
Jason Ish e232fcc415 setup-app-layer: rewrite script in Python 
The idea being that it is easier to read and maintain than
wrapping ed commands.

This script also merges the parser and logger setup into a single
script, but still allows just the parser, or just the logger
to be generated with flags, --logger and --parser.
 7 years ago
Victor Julien a013cece69 app-layer/template: code cleanups 7 years ago
Victor Julien 33914c2f2f detect/template: clean up packet keyword 7 years ago
Victor Julien d3e5c15995 detect/template: move test to own file in src/tests/ 7 years ago
Victor Julien 1bb8fcecec detect/template: switch to v2 API, add MPM 7 years ago
Victor Julien 234d113838 detect/template: clean up unittest 7 years ago
Jacob Masen-Smith b1b45a54c5 detect/analyzer: disable automatic json output 
EngineAnalysisRules2 was in a strange location where it did not respect
the --engine-analysis flag. It has been moved to the same call location
as EngineAnalysisRules.
 7 years ago
Victor Julien 64d75496b8 detect/analyzer: add notes (and warnings) 7 years ago
Victor Julien e02b74dee7 http: implement min size stream logic 
Update HTTP parser to set the min inspect depth per transaction. This
allows for signatures to have their fast_pattern in the HTTP body,
while still being able to inspect the raw stream reliably with it.

The inspect depth is set per transaction as it:
- depends on the per personality config for min inspect size
- is set to the size of the actual body if it is smaller

After the initial inspection is done, it is set to 0 which disables
the feature for the rest of the transaction.

This removes the rescanning flush logic in commit
7e004f52c6 and provides an alternative
fix for bug #2522. The old approach caused too much rescanning of
HTTP body data leading to a performance degradation.

Bug #2522
 7 years ago
Victor Julien 7186ce7b99 stream: introduce min inspect depth logic 
Some rules need to inspect both raw stream data and higher level
buffers together. When this higher level buffer is a streaming
buffer itself, the risk of mismatch exists.

This patch allows an app-layer parser to set a 'min inspect depth'.
The value is used by the stream engine to keep at least this
depth worth of data, so that the detection engine can request
all of it for inspection.

For rules that have the SIG_FLAG_FLUSH flag set, data is inspected
not from offset raw_progress, but from raw_progress minus
min_inspect_depth.

At this time this is only used for sigs that have their fast_pattern
in a HTTP body and have raw stream match as well.
 7 years ago
Jason Ish 9b86c7c5c0 defrag: break out of loop in linux profile when able to 7 years ago
Jason Ish aa98678662 defrag: remove fragments that have complete overlap 
Instead of just marking fragments that have been completely
overlapped and won't be part of the assembled packet, remove
them from the fragment tree when detected.
 7 years ago
Jason Ish fe6e96a8c1 defrag: use rb tree to store fragments 7 years ago
Victor Julien 023a2fe9ab unittests: fix format-truncation warning 7 years ago
Victor Julien 269313a53e stream/segments: change packing to reduce size 
Change the way fields are ordered to reduce TcpSegment structure
with 8 bytes.
 7 years ago
Victor Julien b6b9b56e45 stream/segments: keep track of tree right edge 
Use this in places where we need to use the outer right
edge of our sequence space.

This way we can avoid walking the tree to find this, which
is a potentially expensive operation.
 7 years ago
Victor Julien ea771c69af streaming/sbb: convert RB_MIN to 'head' 7 years ago
Victor Julien bbf1f78ffe streaming: keep track of tree 'head' 7 years ago
Victor Julien 450500e667 streaming: use rbtree for stream blocks 
Switch StreamBufferBlocks implementation to use RBTREE instead of
a list. This makes inserts/removals and lookups a lot cheaper if
the number of data gaps is large.

Use separate compare functions for inserts and regular lookups.
Inserts care about the offset, while lookups care about the blocks
right edge as well.
 7 years ago
Victor Julien 9bda558c59 stream/sack: optimize SACK size handling 
Optimize by keeping count during insert/remove instead of
walking the tree per check.
 7 years ago
Victor Julien 7ec7d234cc stream/sack: turn SACK record list into rbtree 
Convert to rbtree from linked list. These ranges, of which there can
be multiple per packet, are fully controlled by an attacked. The
attacker could craft a stream of packet in such a way that the list
would grow very large. This would make inserts/removals very expensive,
as well as the list walk that is done and size calculation and pruning
operations.

The RBTREE makes inserts/removals much cheaper, at a slight overhead
for 'normal' operations and slightly higher per record memory use.
 7 years ago
Victor Julien 51ce03e76a stream/segments: speed up inserts 
Don't try to do a 'fast path' by checking RB_MAX. RB_MAX walks the
tree which means it can be quite expensive. This cost would be paid
for virtually every data segment. The actual insert that follows would
walk the tree again.

Instead, simply insert it. There is a slight cost of the unnecessary
overlap check, but this is much less than the tree walk in a full
tree.
 7 years ago
Victor Julien f4ff33969e stream/segments: remove RB_MIN/RB_MAX 7 years ago
Victor Julien 00e65e3cfa stream/segments: optimize overlap tree operations 
Now that with the RBTREE we have a properly sorted Segment tree,
where with exact SEQ matches the tree is sorted by payload_len
smallest to largest, we can avoid walking backwards when checking
for overlaps. Our direct RB_PREV either overlaps or not and that
is a reliable verdict for the rest of the tree.
 7 years ago
Victor Julien 26b5e1ed13 stream/segments: turn linked list into rbtree 
To improve worst case performance turn the segments list into a rbtree.
This greatly improves inserts, lookups and removals if the number of
segments gets very large.

The tree is sorted by the segment sequence number as its primary key.
If 2 segments have the same seq, the payload_len (segment length) is
used. Then the larger segment will be places after the smaller segment.
Exact matches are not added to the tree.
 7 years ago
Victor Julien 6a0cf0dd74 tree: add scan-build assertions to suppress FPs 7 years ago
Victor Julien 555fb15ab4 tree: add 2-clause BSD licensed tree.h 7 years ago
Victor Julien 9266334430 stream: expand GAP detection 7 years ago
Victor Julien 3a0eca9fde detect/mpm: minor code cleanup 7 years ago