aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
9,865 Commits
7 Branches
161 Tags
209 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '90ab0b0ec2'
${ noResults }
Commit Graph

48 Commits (90ab0b0ec2e8fe6f5746ee397bddf67e2bdac7a7)

Author SHA1 Message Date
Victor Julien 3c05379cbd detect: fix mix of pass and noalert 
Noalert rules did not apply pass logic to the flow.

Bug #1888.
 8 years ago
Victor Julien 971ab18b95 detect / stream: new 'raw' stream inspection 
Remove the 'StreamMsg' approach from the engine. In this approach the
stream engine would create a list of chunks for inspection by the
detection engine. There were several issues:

1. the messages had a fixed size, so blocks of data bigger than ~4k
   would be cut into multiple messages

2. it lead to lots of data copying and unnecessary memory use

3. the StreamMsgs used a central pool

The Stream engine switched over to the streaming buffer API, which
means that the reassembled data is always available. This made the
StreamMsg approach even clunkier.

The new approach exposes the streaming buffer data to the detection
engine. It has to pay attention to an important issue though: packet
loss. The data may have gaps. The streaming buffer API tracks the
blocks of continuous data.

To access the data for inspection a callback approach is used. The
'StreamReassembleRaw' function is called with a callback and data.
This way it runs the MPM and individual rule inspection code. At
the end of each detection run the stream engine is notified that it
can move forward it's 'progress'.
 8 years ago
Victor Julien 859cb89c7e detect alert/threshold/tag: sm_list -> sm_array 9 years ago
Victor Julien bfd4bc8233 detect: constify Signature/SigMatch use at runtime 9 years ago
Mats Klepsland d9b87e502d flow: set flag to indicate that a flow has alerts 
Set FLOW_HAS_ALERTS flag on the flow on alerts. Add FlowHasAlerts(..)
and FlowSetHasAlertsFlag(..) to check and set this flag.
 9 years ago
Victor Julien e072e70ea6 alert: fix rate_filter issues 
Fix rate_filter issues: if action was modified it wouldn't be logged
in EVE. To address this pass the PacketAlert structure to the threshold
code so it can flag the PacketAlert as modified. Use this in logging.

Update API to use const where possible. Fix a timout issue that this
uncovered.
 9 years ago
Victor Julien 408948815f detect: simplify flow locking 
To simplify locking, move all locking out of the individual detect
code. Instead at the start of detection lock the flow, and at the
end of detection unlock it.

The lua code can be called without a lock still (from the output
code paths), so still pass around a lock hint to take care of this.
 9 years ago
Victor Julien 06ee2bc87e detect: set flow noinspect on pass in applayer/stream 
If a pass rule matches in the reassembled stream and/or in the
app-layer state, it means the rest of the flow should not be
inspected.
 10 years ago
Victor Julien e9857200b3 detect: set action from utility function 
Set actions that are set directly from Signatures using the new
utility function DetectSignatureApplyActions. This will apply
the actions and also store info about the 'drop' that first made
the rule drop.
 11 years ago
Victor Julien c914f7bcdc detect: cleanup, remove unused order_id 
No longer used, so remove.
 11 years ago
Ken Steele 923a77e952 Change Match() function to take const SigMatchCtx* 
The Match functions don't need a pointer to the SigMatch object, just the
context pointer contained inside, so pass the Context to the Match function
rather than the SigMatch object. This allows for further optimization.

Change SigMatch->ctx to have type SigMatchCtx* rather than void* for better
type checking. This requires adding type casts when using or assigning it.

The SigMatch contex should not be changed by the Match() funciton, so pass it
as a const SigMatchCtx*.
 11 years ago
Ken Steele 8f1d75039a Enforce function coding standard 
Functions should be defined as:

int foo(void)
{
}

Rather than:
int food(void) {
}

All functions where changed by a script to match this standard.
 11 years ago
Victor Julien 7b687da726 profiling: add tracking of missing keywords 12 years ago
Victor Julien edeeb7ed44 Store TX id with alerts 
When generating an alert and storing it in the packet, store the tx_id
as well. This way the output modules can log the tx_id and access the
proper tx for logging.

Issue #904.
 12 years ago
Victor Julien 8ce38ac8fe Split Thresholds and Suppression 
Thresholds and suppression can be handled independently. Suppression
only suppresses output, and is not related to Threshold state tracking.

This simplifies mixing suppression and thresholding rules.

Part of the Bug #425 effort.
 12 years ago
Victor Julien d12761233c Don't set tag on pseudo packets 12 years ago
Eric Leblond 3f107fa130 decode: Packet action start with PACKET 
Rename all Packet action macro to have them prefixed by PACKET.
 12 years ago
Eric Leblond a35c367942 action handling: use macro for test. 
Use test macro instead of direct access to action field.

This patch has been obtained by using the following
spatch file:

  @@
  Packet *p;
  expression E;
  @@

  - p->action & E
  + TEST_PACKET_ACTION(p, E)
 12 years ago
Eric Leblond efaa9a7302 action handling: define and use macros 
The action field in Packet structure should not be accessed
directly as the tunneled packet needs to update the root packet
and not the initial packet.

This patch is fixing issue #819 where suricata was not able to
drop fragmented packets in AF_PACKET IPS mode. It also fixes
drop capability for tunneled packets.
 12 years ago
Anoop Saldanha ab1f8afbc3 Removed Signature->order_id and replaced it with Signature->num. 12 years ago
Victor Julien 37c80ea508 If an IP-only pass rule matches, set the no inspect flag for that flow. Bug #718. 13 years ago
Last G 8ae11f73b2 Added parentheses to fix Eclipse static code analysis 
Fixed bug in action priority (REJECT_DST had lowest prio)
 13 years ago
Victor Julien 80d62b59ec Fix drop (and other actions) not being applied to thresholded packets. Bug #613. 13 years ago
Victor Julien ea0d172693 No longer pass StreamMsg to output for alert logging, instead use the same callback code as is used for state alerts. 13 years ago
Anoop Saldanha c34713321a fix rate filter alert suppression. Log error if rate filter has count of 0. Other minor fixes as well 13 years ago
Victor Julien 19a7e7f395 flow: create a flow lock macro API, implement it for mutex and rwlocks. Mutex remains the default. 14 years ago
Eric Leblond ba9fb53461 threshold: fix handling of multiple threshold. 
This patch fixes the unittest and may fix the real work.
 14 years ago
Victor Julien e0d7f64a14 Fix thresholding code suppressing an alert if no threshold/suppress rules needed to be checked. 14 years ago
Eric Leblond 86f9759427 threshold: fix thresholding on signature with multiple threshold. 
This patch uses the newly introduced SigGetThresholdTypeIter
function to try all threshold for a signature. This should fix
issue #366.
 14 years ago
Eric Leblond 60a99915c1 doc: create http support group 
This patch create an httplayer group and adds related files to
it. It also fixes some typo in documentation string and format.
 14 years ago
Victor Julien 75439863ed Shrink PacketAlerts structure so that Packet structure is a lot smaller. Reduce max events per packet from 256 to 15. 14 years ago
Victor Julien 6cb9bbd1e3 Make sure TAG alerts don't work with an uninitialized alert_msg pointer. 15 years ago
Victor Julien 864c8718e1 Store matching stream msg (ptr) in packets alert structure so it's available to the output plugins. 15 years ago
Victor Julien cac95010f3 Minor unified1-log changes to work around a clang issue, but also to clean up the logic slightly. 15 years ago
Anoop Saldanha ede7be34b5 replace all Signature->tmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_TMATCH] 15 years ago
Victor Julien 8d0bc27fc4 Fix a case where alerting in inline mode would lead dropping on alert sigs. 15 years ago
Pablo Rincon 5c43db85ce Drop streams on inline mode when a drop rule match from a reassembled stream and/or app layer inspection 15 years ago
Pablo Rincon 868d4614b9 Tag engine improvements. Output tags only on unified format. Added atomic counter for tagged hosts/sessions 15 years ago
Victor Julien a4cb7fced0 Fix thresholding code for packets that are neither (valid) ipv4 and ipv6. 15 years ago
Pablo Rincon eed0ef6e69 Adding tag keyword support 15 years ago
Pablo Rincon 1ae36b9a6a Adding rate_filter support for threshold.config, multiline support and unittests 15 years ago
Victor Julien cdc9570f0e Have the detect.alerts counter count actual alerts. 15 years ago
Victor Julien 2fd31a1a11 Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory. 15 years ago
Victor Julien 7a6d4b57f0 Add support for class id in classification code. Submitted by firnsy@securixlive.com, thanks. 15 years ago
Victor Julien 42eeb84c9a Properly lock flow before setting IP only action flags. Small alert api cleanups. 15 years ago
Pablo Rincon 9bae6a8628 Moving alert logic to detect-engine-alert.c 15 years ago
Victor Julien a372c1d14e Fix/workaround a strange detection issue. 15 years ago
Pablo Rincon e18e2ec998 Changing threshold logic 15 years ago