Commit Graph
Author SHA1 Message Date
Victor Julien 9da7be81f0 flow-worker: clean up thread init 9 years ago
Victor Julien c859d39f4f coverity: suppress CID 1400648 9 years ago
Victor Julien 955c227127 detect-ssh: cleanup duplicate code 9 years ago
Victor Julien 2f30adb08a detect-lua: setup cleanup, fixing a potential int issue 9 years ago
Victor Julien 511e804915 detect: fix missing unlock in error path 9 years ago
Victor Julien f74eff9eac threads: address sleep under lock issue 9 years ago
Victor Julien f380871057 threads: don't sleep under lock 9 years ago
Victor Julien cc4010343d detect: add and use util func for alproto sets 9 years ago
Victor Julien c477c4370e doc: update for unix socket hostbits 9 years ago
Victor Julien 4a49260897 flowvar: shrink flowvar type by using padded space 9 years ago
Victor Julien 99517cbd53 lua: support key/value flowvars in lua 9 years ago
Victor Julien f0af133c5f flowvar: remove unused DETECT_VAR_TYPE_ALWAYS 9 years ago
Victor Julien 71607c905a doc: update unix socket 9 years ago
Victor Julien 8fde6f967f suricatasc: add/list/remove hostbit commands
Syntax:
    add-hostbit <ip> <bit name> <expire>
Example:
    add-hostbit 1.2.3.4 blacklist 3600

Syntax:
    remove-hostbit <ip> <bit name>
Example:
    remove-hostbit 1.2.3.4 blacklist

Syntax:
    list-hostbit <ip>
Example:
    list-hostbit 1.2.3.4
9 years ago
Victor Julien 88888c3d8b unix-socket: add/list/remove hostbit commands
add-hostbit adds a named hostbit with an expire time in seconds.
remove-hostbit removes hostbit by name.

add-hostbit, remove-hostbit return success or failure.

list-hostbit returns a json array of hostbits with their name and
expire time:

    {
        "message": {
            "count": 1,
            "hostbits":
                [{
                    "expire": 3222,
                    "name": "firefox-users"
                }]
        },
        "return": "OK"
    }
9 years ago
Victor Julien b6e4276792 hostbits: add list API 9 years ago
Victor Julien 996112edf5 pktvars: same name pktvars, key-value vars 9 years ago
Victor Julien 5ca4a2e6fe outputs: vars log
EVE addition called 'vars' that logs pkt/flow vars for each packet/flow.
9 years ago
Victor Julien 1a2ad059a1 eve: log pktvars/flowvars/bits/ints
Optionally logs 'vars' into alerts
9 years ago
Victor Julien 1ba8c2fe3a pcre: new way of specifying var names
Until now the way to specify a var name in pcre substring capture
into pkt and flow vars was to use the pcre named substring support:
e.g. /(?P<pkt_somename>.*)/

This had 2 drawbacks:

1. limitations of the name. The name could be max 32 chars and could only
   contain alphanumeric characters and the underscore. This imposed
   limitations that are not present in flowbits/ints.

2. we didn't actually use the named substrings in pcre through the
   API. We parsed the names separately. So putting the names in pcre
   would actually be wasteful.

This patch introduces a new way of mapping captures with names:

  pcre:"/(.*)/, pkt:somename";
  pcre:"/([A-z]+) ([0-9]+)/, pkt:somename,flow:anothername";

The order of the captures and the order of the names are mapped 1 on 1.
This method is no longer limited by the pcre API's naming limits. The
'flow:' and 'pkt:' prefixes indicate what the type of variable is. It's
mandatory to specify one.

The old method is still supported as well.
9 years ago
Victor Julien 0f708d427b pkt-var: abuse flowvar postmatch logic for pktvars
Flowvars were already using a temporary store in the detect thread
ctx.

Use the same facility for pktvars. The reasons are:

1. packet is not always available, e.g. when running pcre on http
   buffers.

2. setting of vars should be done post match. Until now it was also
   possible that it is done on a partial match.
9 years ago
Victor Julien 5e39486399 pkt-var: use id instead of name pointer 9 years ago
Victor Julien a0bd15a1c4 pcre: support multiple captures
Support up to 8 substring captures into pkt or flow vars.
9 years ago
Victor Julien 017b16d421 detect-pcre: small cleanups 9 years ago
Victor Julien ac42a44280 alert-debug: print flowvar/int names 9 years ago
Victor Julien e95a0c1344 alert-debug: print flowbit names from VarNameStore 9 years ago
Victor Julien 22f3205664 var-names: expose outside of detect engine
Until now variable names, such as flowbit names, were local to a detect
engine. This made sense as they were only ever used in that context.

For the purpose of logging these names, this needs a different approach.
The loggers live outside of the detect engine. Also, in the case of
reloads and multi-tenancy, there are even multiple detect engines, so
it would be even more tricky to access them from the outside.

This patch brings a new approach. At any time, there is a single active
hash table mapping the variable names and their ids. For multiple
tenants the table is shared between tenants.

The table is set up in a 'staging' area, where locking makes sure that
multiple loading threads don't mess things up. Then when the preparing
of a detection engine is ready, but before the detect threads are made
aware of the new detect engine, the active varname hash is swapped with
the staging instance.

For this to work, all the mappings from the 'current' or active mapping
are added to the staging table.

After the threads have reloaded and the new detection engine is active,
the old table can be freed.

For multi tenancy things are similar. The staging area is used for
setting up until the new detection engines / tenants are applied to
the system.

This patch also changes the variable 'id'/'idx' field to uint32_t. Due
to data structure padding and alignment, this should have no practical
drawback while allowing for a lot more vars.
9 years ago
Victor Julien 43cc06eabe detect: use engine version instead of id
Use engine version based on global detect engine master. This is
incremented between reloads.
9 years ago
Victor Julien 920709fe6f detect: ssh_software sticky buffer 9 years ago
Victor Julien f1ab6a6153 detect: ssh_proto stickybuffer 9 years ago
Victor Julien dfac5276b8 detect: remove unused SIGMATCH_PAYLOAD flag 9 years ago
Victor Julien 14ced15e36 detect: remove unused state file flag 9 years ago
Victor Julien fa1ef158b2 detect: small API cleanup 9 years ago
Victor Julien 073fcbeb7f detect: move file hash common code 9 years ago
Victor Julien 5bafc64c08 detect: unify FileMatch API with other calls 9 years ago
Victor Julien fe415ae518 detect: remove DMATCH list 9 years ago
Victor Julien 1c02cf4542 flow: remove unused Flow::de_state 9 years ago
Victor Julien ad238121e3 detect: remove the AMATCH list 9 years ago
Victor Julien 775e182531 detect: remove AppLayerMatch API call 9 years ago
Victor Julien f018ae94b0 dce: dynamic lists 9 years ago
Victor Julien 84ba9cf9df smb/dcerpc: use tx api 9 years ago
Victor Julien d318bfc934 dcerpc: simplify common detect code 9 years ago
Victor Julien 402eb645a0 ftp: parser and ftpbounce update
Convert parser to TX API.

Convert ftpbounce keyword to use that.
9 years ago
Victor Julien d9a300cd8c detect: move lua smtp support to dynamic list 9 years ago
Victor Julien 96b8100a51 lua: convert lua output to be tx aware 9 years ago
Victor Julien a10b2fdecf detect: make ssh detection use dynamic list 9 years ago
Victor Julien c412352474 ssh: remove single logger limit 9 years ago
Victor Julien 3ee4989ba7 ssh: convert app-layer parser to be tx aware
Like with SSL, there is only a single 'tx'.
9 years ago
Victor Julien 4ae4fd0802 lua: use tls_generic list for ssl/tls 9 years ago
Victor Julien a8975c68e0 detect ssl/tls: use dynamic lists 9 years ago