aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
6,032 Commits
8 Branches
165 Tags
219 MiB
main
main-8.0.x
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a4bce14770'
${ noResults }
Commit Graph

5560 Commits (a4bce14770beee46a537eda3c3f6e8e8565d5d0a)

Author SHA1 Message Date
Victor Julien 06ee2bc87e detect: set flow noinspect on pass in applayer/stream 
If a pass rule matches in the reassembled stream and/or in the
app-layer state, it means the rest of the flow should not be
inspected.
 10 years ago
Victor Julien bbc9874b81 http: destroy htp_tx_t even if incomplete 10 years ago
Victor Julien 814f0b4094 detect: make http prefilter use disrupt flags 10 years ago
Victor Julien b592f98727 detect: optimize http prefilter handing 10 years ago
Victor Julien 6946e0be55 detect: pass flags to inspect_id update logic 10 years ago
Victor Julien c087708fa9 output-tx: use disrupt flags 10 years ago
Victor Julien 00ef789ffc app-layer: pass full flags around in tx handling 10 years ago
Victor Julien ea571add73 app-layer: disruption flags 
Stream GAPs and stream reassembly depth are tracked per direction. In
many cases they will happen in one direction, but not in the other.

Example:
HTTP requests a generally smaller than responses. So on the response
side we may hit the depth limit, but not on the request side.

The asynchronious 'disruption' has a side effect in the transaction
engine. The 'progress' tracking would never mark such transactions
as complete, and thus some inspection and logging wouldn't happen
until the very last moment: when EOF's are passed around.

Especially in proxy environments with _very_ many transactions in a
single TCP connection, this could lead to serious resource issues. The
EOF handling would suddenly have to handle thousands or more
transactions. These transactions would have been stored for a long time.

This patch introduces the concept of disruption flags. Flags passed to
the tx progress logic that are and indication of disruptions in the
traffic or the traffic handling. The idea is that the progress is
marked as complete on disruption, even if a tx is not complete. This
allows the detection and logging engines to process the tx after which
it can be cleaned up.
 10 years ago
Victor Julien 8125e04b39 detect: clean up flag usage 10 years ago
Victor Julien 6e2c90a83b detect: constify some DetectMpmPrefilter args 10 years ago
Victor Julien c419f33f44 dns: fix state progress handling 10 years ago
Victor Julien b0f5f7ee97 app-layer: fix args to state progress calls 10 years ago
Victor Julien 62fa9f09d4 Sync alversion/appversion types 
The app layer state 'version' field is incremented with each update
to the state. It is used by the detection engine to see if the current
version of the state has already been inspected. Since app layer and
detect always run closely together there is no need for a big number
here. The detect code really only checks for equal/not-equal, so wrap
arounds are not an issue.
 10 years ago
Victor Julien 11d3f5f67a http: harden tx inspection code 10 years ago
Victor Julien be2849044b flow/stream: xfer noinspect flags to pseudo pkts 
Set noinspection flags for payloads and packets on flow and stream
pseudo packets. Without these, the pseudo packets could trigger
inspection even though this was disabled for a flow.
 10 years ago
Victor Julien a0899cbe85 detect: optimize Signature layout 10 years ago
Victor Julien baadcab1b8 detect: default to u32 for SigIntId 10 years ago
Eric Leblond 1cd97713c2 file-json: add file_id to message 
This will allow to get the filename and by consequence the file
after a parsing of the EVEV log file.
 10 years ago
Eric Leblond 8fde842f97 af-packet: implement rollover option 
This patch implements the rollover option in af_packet capture.
This should heavily minimize the packet drops as well as the
maximum bandwidth treated for a single flow.

The option has been deactivated by default but it is activated in
the af_packet default section. This ensure there is no change for
old users using an existing YAML. And new users will benefit from
the change.

This option is available since Linux 3.10. An analysis of af_packet
kernel code shows that setting the flag in all cases should not
cause any trouble for older kernel.
 10 years ago
Eric Leblond dc306f3bad af-packet: implement new load balancing modes 
This patch implements the fanout load balancing modes available
in kernel 4.0. The more interesting is cluster_qm that does the
load balancing based on the RSS queues. So if the network card
is doing a flow based load balancing then a given socket will
receive all packets of a flow indepently of the CPU affinity.
 10 years ago
Eric Leblond 851fcef962 af-packet: sync header with latest features 
Sync the replacement define with the latest Linux code.
This patch also updates the detection part in configure.ac
to do a declaration of all fields if the newest features are
not present.
 10 years ago
Aleksey Katargin caa2438b98 netmap: support SW rings 
Netmap uses SW rings to send and receive packets from OS.
 10 years ago
Aleksey Katargin 823167bde2 netmap: strict check for zero copy mode 
Netmap does not guarantees that mmap'ed regions for different interfaces would be the same.
 10 years ago
Aleksey Katargin 5104b02f32 netmap: fixed autofp mode. 
Previous implementation does not work with this mode.
 10 years ago
Aleksey Katargin 491fca468d netmap: support non-equal count of Rx and Tx rings on interface. 
Netmap does not guarantees that NIC will have equal number of transmit and receive rings.
 10 years ago
Schnaffon 6484299701 Use unlikely for error treatment in alert-prelude.c 
When handling error cases on creation of a new idmef field, we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc.
 10 years ago
Victor Julien 334e8656bf introduce fatal error macro's 
Add 'FatalError' and 'FatalErrorConditonal' that will take the same
args as SCLogError.

FatalError logs the error using SCLogError and then exits with return
code EXIT_FAILURE.

FatalErrorOnInit does the same only during init and with
--init-errors-fatal enabled, otherwise it just calls SCLogWarning. So
then the macro returns to the caller.

Implement this for output setup.
 10 years ago
Victor Julien 4dd53c8f03 lua: dns support 10 years ago
Victor Julien 433e511b63 dns: generic inspect engines for DNS 10 years ago
Victor Julien 110e23964e detect: add AppLayerTxMatch call 10 years ago
Victor Julien e6129f7b47 dns: generic request/response detect lists 10 years ago
Victor Julien 2c8e8c2516 dns: rename type so it's purpose is more clear 10 years ago
Victor Julien a1e50b3138 lua: dns extensions 
Add DNS lua calls for getting queries, answers, authorities. Also
rcode and recusion desired flags.
 10 years ago
Victor Julien c46d472921 lua: initial DNS logging support 10 years ago
Eric Leblond 159a6d1cb4 tls-store: avoid log flooding 
In case we can't write in the certs directory, this is possible
we flood the log for each TLS session or even worse each TLS
packet.  So this patch puts a limit in the number of logged
messages related to file creation.
 10 years ago
Eric Leblond cbf5d88447 filestore: use SCFree instead of free 10 years ago
Eric Leblond b77cd22b98 tls-store: backward compatibility 
This patch implements backward compatibility in suricata.yaml
file. In case the new 'tls-store' output is not present in the
YAML we have to use the value defined in 'tls-log'.
 10 years ago
Eric Leblond 4db0a35f25 tls-store: now a separate module 
An design error was made when doing the TLS storage module which
has been made dependant of the TLS logging. At the time there was
only one TLS logging module but there is now two different ones.

By putting the TLS store module in a separate module, we can now
use EVE output and TLS store at the same time.
 10 years ago
Jeff Barber 893fc9660d Support for reconnecting unix domain socket log files 
Issue #1423
 10 years ago
Jason Ish b512580bbe logging: integrate rotation into SCConfLogOpenGeneric. 
Addresses issue 1492, and will make it harder to omit
rotation on new outputs.
 10 years ago
Jason Ish 14981cb2a8 rule vars: strip leading white space before looking up var. 10 years ago
sfd e58cfb6a05 Fix compile bad dereferences 
The src/source-erf-dag.c code was not compiling. It looks like some stats counters were added but not tested as the dereferences are incorrect.
 11 years ago
Zopieux cd038419fd stream_size operator comparison (fix issue #1488) 
`DetectStreamSizeParse` was first checking if mode[0] is '<', which is true for both '<' and '<=', thus '<=' (and resp. '>=') is never matched. This patch does the `strcmp` to '<=' (resp. '>=') within the if block of '<' (resp. '>') to fix #1488.
 11 years ago
Victor Julien 45fc619f79 logging: json output 
Make JSON output optional.

Cleanups.
 11 years ago
Victor Julien 126ecb3ebf logging: fix per output log formats 11 years ago
Victor Julien b51c4e608f logging: optional colors output 
Construct message per output method.
 11 years ago
Victor Julien b13de5bf08 logging: change newline handling 11 years ago
Victor Julien 1927b3000c output: cleanup 11 years ago
Victor Julien b30bdc21b5 logging: cleanup output API 
Make SCLogMessage master of the logging. Reduces complexity
of the SCLog macro's.
 11 years ago
Victor Julien d6fc6e874f log: reorganize SCLogOPIfaceCtx to make it more efficient 11 years ago
Victor Julien c2f4031a8c detect: fix settings override for reloads 11 years ago
Alexander Gozman cd9cc2559e Issue 1491: fix capabilities for pf_ring mode when running under non-root account 11 years ago
Alexander Gozman d36eba4e5e Fix issues #1493 and #1494 11 years ago
Giuseppe Longo d592d57039 file_data: check for signature alproto and flow 
Currently the following rule can't be loaded:
alert tcp any any -> any 25 (msg:"SMTP file_data test"; flow:to_server,established; file_data; content:"abc";sid:1;)
and produces the error output:
"Can't use file_data with flow:to_server or from_client with http or smtp."

This checks if the alproto is not http in a signature,
so permits to use flow keyword also.

Issue reported by rmkml.
 11 years ago
Victor Julien e583de0582 Minor unittest cleanups 11 years ago
Victor Julien f4f53924bb app-layer: fix coverity warnings 11 years ago
Victor Julien 6c792cb4cc erspan: respect vlan.use-for-tracking setting 11 years ago
Victor Julien b8211e8c04 htp: hide BUG_ON's behind DEBUG_VALIDATION 11 years ago
Victor Julien bd73553027 smtp json: fix potential crash on malloc failure 
** CID 1298888:    (FORWARD_NULL)
/src/output-json-email-common.c: 117 in JsonEmailLogJson()
/src/output-json-email-common.c: 140 in JsonEmailLogJson()
 11 years ago
Victor Julien 1ed8d7b538 detect analizer: fix minor coverity warning 
** CID 1298889:  Integer handling issues  (NEGATIVE_RETURNS)
/src/detect-engine-analyzer.c: 102 in EngineAnalysisFP()
 11 years ago
Victor Julien dd2afd51f7 file_data smtp: fix minor coverity warning 
CID 1298891:  Null pointer dereferences  (REVERSE_INULL)
Null-checking "curr_file" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
 11 years ago
Victor Julien bcff35fd9f smb: fix coverity warning 
** CID 1298892:  Incorrect expression  (UNUSED_VALUE)
/src/app-layer-smb.c: 1486 in SMBProbingParser()
 11 years ago
Victor Julien aa095864d3 pfring runmode: remove set that is never read 11 years ago
Victor Julien 21db5ee691 counters: reduce global usage 11 years ago
Victor Julien a5168d5977 dce_opnum: improve memory handling on parsing error 11 years ago
Victor Julien b3b7625be5 htp: fix test 11 years ago
Victor Julien c0807c3df5 fast log: clean up tests 11 years ago
Victor Julien 29fbcce50d detect hsbd: simplify resize logic 11 years ago
Victor Julien 4e7cb7b863 app-layer: update all protocols to accept NULL+EOF 
Update all non-HTTP protocol parsers to accept a NULL+EOF input.
 11 years ago
Victor Julien cf9ff6adbd app-layer: improve EOF handling 
On receiving TCP end of stream packets (e.g. RST, but also sometimes FIN
packets), in some cases the AppLayer parser would not be notified. This
could happen in IDS mode, but would especially be an issue in IPS mode.

This patch changes the logic of the AppLayer API to handle this. When no
new data is available, and the stream ends, the AppLayer API now gets
called with a NULL/0 input, but with the EOF flag set.

This allows the AppLayer parser to call it's final routines still in the
context of a real packet.
 11 years ago
Victor Julien df79c1019f print: make PrintRawDataFp take a const arg 11 years ago
Victor Julien 7451d33396 stream: update StreamMsg to don't have fixed size 
StreamMsg would have a fixed size buffer. This patch replaces the buffer
by a dynamically allocated buffer.

Preparation of allowing bigger and customizable buffer sizes.
 11 years ago
Victor Julien 3ffa01d150 stream: remove STREAMTCP_STREAM_FLAG_CLOSE_INITIATED logic 11 years ago
Giuseppe Longo 32563d51d1 http: rework UT 
This reworks UT based on
commit 3203555708
 11 years ago
Victor Julien 573d082219 http: memcap HTTP server inspect body code 11 years ago
Victor Julien 3163a57577 smtp file_data: fix wrong free 11 years ago
Victor Julien 9f52bdd1e5 flow timeout: prevent dead locks 
The flow timeout mechanism called both from the flow manager at run time
and at shutdown creates pseudo packets. For this it has it's own packet
pool, which can be depleted if the timeout logic is faster than the packet
processing threads. In this case the flow timeout would enter a wait loop.
The problem however, is that this wait loop would happen while keeping a
flow locked. This could lead to a race condition when the packet thread(s)
are waiting for the lock that the flow manager has.

This patch introduces a new packet pool call 'PacketPoolWaitForN', meant
to make sure that the thread's packet pool has at least N available
packets. The flow timeout paths use this to make sure enough packets are
available *before* grabbing the flow lock. If there aren't enough packets
available yet, the wait happens before the lock as well.

This still means the wait can happen while the flow hash row is locked, so
we do make sure some more packets are available when entering that. But
perhaps in the future we need a more precise logic there as well.
 11 years ago
Victor Julien 423d5fd0de http: improve inline body tracking 
Rewrite the sliding window handling for IPS mode for the server body.

The buffer used will have the following properties:
    left edge: inspected data - window_size
    right edge: the most recent data

Due to handling of compressed bodies, the data can be much bigger than
the configured window size.
 11 years ago
Victor Julien 79d34f4575 http: body pruning update 
Take inspect limits into account. Consider per direction inspect settings.
 11 years ago
Giuseppe Longo 8f1998e35f hsbd: inspect buffer depending on the engine mode 
Currently, data is buffered up to response-body-minimal size
and response-body-inspect-window before being inspected.
With this, in IPS mode, inspect data as it comes in up.

The sliding window concept is used here,
some data chunks are copied into the window (buffer)
then it's inspected.
 11 years ago
Giuseppe Longo a459376d2e app-layer-htp: add http_body_inline setting 11 years ago
Victor Julien 80615f7d43 ips: move counters in common struct and funcs 11 years ago
Victor Julien 813930f027 nfq: add ips stats 11 years ago
Victor Julien 14466a803d decode: create util function for basic counter updates 11 years ago
Jason Ish e3ce29f694 json-stats: log deltas 
If "deltas" is yes, log delta values as the name of the value
suffixed with _delta.
 11 years ago
Victor Julien 3e14aa729a detect-state: remove/hide BUG_ON statements 11 years ago
Victor Julien b7f1e9e370 file extract: add app_proto to logging 11 years ago
Victor Julien 925aac854e alproto: improve AppProtoToString 
Make AppProtoToString compilation fail on missing 'case's.
 11 years ago
Eric Leblond 0bafc71689 app-layer: add modbus to AppProtoToString 
It was missing causing protocol identified as modbus not to be
displayed in netflow events.
 11 years ago
Victor Julien ebb42f831c suppress: add track by_either mode 
So far suppress rules would apply to src or dst addresses of a packet.
This meant that if a ip would need to suppressed both as src and as dst,
2 suppress rules would be needed.

This patch introduces track by_either, which means that the ip(s) in the
suppress rule are tested against both the packets source and dest ip's.
If either of them is on the suppress list, the alert is suppressed.
 11 years ago
Victor Julien e85a44c383 suppress: support ip-lists 
Ticket: 1137

Support supplying a list of IP's to the suppress keyword. Variables from
the address-groups and negation is supported. The same logic (and code) is
used that is also used in parting the IP portions of regular detection
rules.
 11 years ago
Jason Ish 26fc5682ad hostbits: ignore leading and trailing white space 
Ignore leading and trailing space around the name and
direction tokens.
 11 years ago
Jason Ish 7c40c73482 json-stats: reorg threads and totals 
Totals are now placed at the top level instead of under a "Total"
object.

Threads are placed under a "threads" object.
 11 years ago
Jason Ish 1f2caf78c3 json-stats: log uptime in seconds, instead of a string 11 years ago
Jason Ish 0f1dd0d7ea flowbits: strip leading and trailing spaces in name 
Redmine bug 1481. Strip leading and trailing white space. Factor
out parsing from setup while in here.
 11 years ago
Zachary Rasmor 0edf28a4f8 Add Feature #1454. Generic eve-log prefix support. 11 years ago
Victor Julien a083513c49 decode: optimize DecodeThreadVars layout 
Put common counters on the first cache line. Please the flow output
pointer last as it's use depends on the flow logging being enabled
and even then it's only called very rarely.
 11 years ago
Victor Julien fe5a85aea0 decode: add erspan counter 11 years ago
Victor Julien 928957f0a3 decode: add ERSPANv1 decoder 
Only allow v1 to be parsed as thats what is tested.

Take vlan_id from the ERSPAN layer.
 11 years ago
Victor Julien aa6b24f814 decode: clean up tunnel decode logic 
Don't use mix of existing and custom types to indicate the next
layer.
 11 years ago