aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,493 Commits
7 Branches
155 Tags
192 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a67c31d4e1'
${ noResults }
Commit Graph

7493 Commits (a67c31d4e164b04c1ec5766b692bf984790cdad5)
 

Author SHA1 Message Date
Victor Julien 51bb1f0d77 multi-tenants: fix minor memleak 8 years ago
Victor Julien 059b25b564 detect: suppress debug message for reloads 8 years ago
Victor Julien 321fb6463e vars: small cleanups 8 years ago
Victor Julien e4b2729399 nfq: support bypass for rebuilt fragment packets 8 years ago
Victor Julien 629fa30345 nfq_set_mask: set mark on root pkt for tunnels 8 years ago
Eric Leblond d8acf3542d source-nfq: document bypass function 8 years ago
Eric Leblond e0000eb58d source-nfq: fix tunnel mark callback algorithm 
In case of a tunnel packet, adding a mark to the root packet will have
for consequence to bypass all the flows that are hosted in this tunnel.
This is not the attended behavior and as initial fix let's simply warn
suricata that bypass for NFQ is not possible for this kind of packets.

This patch also fixes a segfault. The root packet was accessed even if it is
NULL causing a NULL dereference:

ASAN:SIGSEGV
=================================================================
==24408==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x00000076f948 bp 0x7f435c000240 sp 0x7f435c000220 T5)
ASAN:SIGSEGV
==24408==AddressSanitizer: while reporting a bug found another one. Ignoring.
    #0 0x76f947 in NFQBypassCallback /home/victor/dev/suricata/src/source-nfq.c:510
    #1 0x4d0f02 in PacketBypassCallback /home/victor/dev/suricata/src/decode.c:395
    #2 0x7b8a95 in StreamTcpPacket /home/victor/dev/suricata/src/stream-tcp.c:4661
    #3 0x7b9ddd in StreamTcp /home/victor/dev/suricata/src/stream-tcp.c:4913
    #4 0x68fa50 in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:194
    #5 0x7f0abd in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:128
    #6 0x7f2958 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:585
    #7 0x7f436368e6f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
    #8 0x7f4362802b5c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/victor/dev/suricata/src/source-nfq.c:510 NFQBypassCallback
Thread T5 (W#04) created by T0 (Suricata-Main) here:
    #0 0x7f4364ff2253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x7f9c48 in TmThreadSpawn /home/victor/dev/suricata/src/tm-threads.c:1843
    #2 0x8da7c0 in RunModeSetIPSAutoFp /home/victor/dev/suricata/src/util-runmodes.c:519
    #3 0x73e3ff in RunModeIpsNFQAutoFp /home/victor/dev/suricata/src/runmode-nfq.c:74
    #4 0x7503fa in RunModeDispatch /home/victor/dev/suricata/src/runmodes.c:382
    #5 0x7e5cb3 in main /home/victor/dev/suricata/src/suricata.c:2547
    #6 0x7f436271c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
 8 years ago
Victor Julien 0d4b93cafd tls-rules: install on 'make install-full' 8 years ago
Victor Julien 397c541c09 detect: fix multi-tenant loaders 8 years ago
Victor Julien 7e54ee7d0e flow-timeout: fix memory errors on flow bypass 
For flow bypass, the flow timeout handling is triggered which may
create up to 3 pseudo packets that hold a reference to the flow.
However, in the bypass case the code signaled to the timeout logic
that the flow can be freed unconditionally by returning 1. This
lead to packets going through the engine with a pointer to a now
freed/recycled flow.

This patch fixes the logic by removing the special bypass case,
which seemed redundant anyway. Effectively reverts 68d9677.

Bug #1928.
 8 years ago
Victor Julien d1d618a668 flow-manager: cleanups and comment improvements 8 years ago
Victor Julien 368d5d931c flow-timeout: don't leak flow reference in error path 8 years ago
Victor Julien 1aa70fb39e doc: add rate_filter 8 years ago
Victor Julien e072e70ea6 alert: fix rate_filter issues 
Fix rate_filter issues: if action was modified it wouldn't be logged
in EVE. To address this pass the PacketAlert structure to the threshold
code so it can flag the PacketAlert as modified. Use this in logging.

Update API to use const where possible. Fix a timout issue that this
uncovered.
 8 years ago
Jason Ish dcdf160ab2 conf: cleanup compiler warning (unintialized vars) 8 years ago
Jason Ish 1a724ba851 doc: flow: update and add new keywords 8 years ago
Jason Ish 8f56c23468 detect-flow: no_frag and only_frag keyword support 
Support flow:no_frag and flow:only_frag keywords from Snort.
 8 years ago
Jason Ish f81619a13e defrag: set flag on packets reassembled from fragments 
Set the PKT_REBUILT_FRAGMENT on packets that are re-assembled
from fragments.
 8 years ago
Jason Ish 571f56cfcf detect-flow: support flow:not_established 8 years ago
Jason Ish dc762cd44d detect-flow: use new unit test macros 8 years ago
Duarte Silva 6948b2332a file-hashing: Fixed line parsing code 8 years ago
Victor Julien 56ffba9fd8 doc: initial app-layer keywords 
Document app-layer-protocol and make a start with app-layer-event.
 9 years ago
Victor Julien 449c93e062 detect-app-layer-protocol: improve rule validation 
Also add tests for PD-only conditions
 9 years ago
Victor Julien 0ed119068d detect-app-layer-protocol: implement prefilter 
Introduce 'Protocol detection'-only rules. These rules will only be
fully evaluated when the protocol detection completed. To allow
mixing of the app-layer-protocol keyword with other types of matches
the keyword can also inspect the flow's app-protos per packet.

Implement prefilter for the 'PD-only' rules.
 9 years ago
Victor Julien 8094b2b12e detect-app-layer-protocol: convert to pkt match 9 years ago
Victor Julien c28d9d0538 eve: print app_proto_ts/app_proto_tc 9 years ago
Victor Julien dbb3a12b32 logging: return string for ALPROTO_FAILED 9 years ago
Victor Julien 93298e91c7 app-layer counters: count failed protocol detect 9 years ago
Victor Julien 3b98feef01 proto-detect: clean up UDP handling 
Set FAILED instead of using a flow flag. Flag packets in both
sides when detection is done. Detection is only done in one
direction.
 9 years ago
Victor Julien 90bf2b5a32 proto detect: improve error case handling 
Improve flags logic, update tests.
 9 years ago
Victor Julien e955cf3366 detect-app-layer-protocol: improve error handling 
Redo tests.
 9 years ago
Victor Julien 9560e8b5b2 proto-detect: update mismatch handling 
Improve protocol mismatch handling. Preserve both protos. Use otherdir
if already sent to parser, use toclient otherwise.
 9 years ago
Victor Julien 7d7ec78cc3 app-layer-protocol: improve detection 
Add negated matches to match list instead of amatch.

Allow matching on 'failed'.

Introduce per packet flags for proto detection. Flags are used to
only inspect once per direction. Flag packet on PD-failure too.
 9 years ago
Victor Julien ac2cf526f1 proto detect: remove flow data tracking 
The Flow::data_al_so_far was used for tracking data already
parsed when protocol for the current direction wasn't known yet. As
this behaviour has changed the tracking can be removed.
 9 years ago
Victor Julien d7c828bcb0 proto detect: update behavior on partial detection 
When the current direction doesn't get a protocol detection, but the
opposing direction did, previously we would send the current data to
the parser. Then when we'd be invoked again (until the protocol
detection finally failed) we'd get the same data + the new data. To
make sure we'd not send the same data to the parser again, the flow
kept track of how much was already sent to the app-layer using
data_al_so_far.

This patch changes the behaviour. Instead of sending the data for
the current direction right away, we only do this when protocol
detection is complete. This way we won't have to track anything.
 9 years ago
Victor Julien 6022fa44a5 proto detect: TCP cleanup 
Split function into multiple smaller ones.
 9 years ago
Victor Julien 8347aa01fa app-layer: clean up counters registration 9 years ago
Victor Julien c6134e007e doc: app-layer tls including no-reassemble 9 years ago
Victor Julien b789d2ae3d tls: change 'no-reassemble' option to default off 
This option was broken so there should be no visible change to
actual deployments.
 9 years ago
Thomas Andrejak c17402fdcb prelude: add IPv6 support 9 years ago
Thomas Andrejak dcce225102 prelude: add missing TCP header to additional data 9 years ago
Thomas ANDREJAK 671320aab8 prelude: update URL 9 years ago
Thomas Andrejak e33060cee0 prelude: coding style, it's better to use macro 9 years ago
Thomas Andrejak b1c1699699 prelude: Add other actions than just ACTION_DROP when packet drop 9 years ago
Thomas Andrejak 4d4a3d0b8f prelude: Add log when failed to create assessment or impact object 9 years ago
Thomas Andrejak 18c9312380 Add macro for TCP and UDP header access 9 years ago
Eric Leblond 4eca40ac34 app-layer-tls: stop detection if no reassembly 
It no-reassembly is asked in TLS conf then we can stop inspection
after handshake and cause bypass to be triggered on the flow.
 9 years ago
Eric Leblond 69e1ff7ba7 stream-tcp: bypass encrypted when both side ready 
Suricata should not completely bypass a flow before both end of it
have reached the stream depth or have reached a certain state.
Justification is that suricata need the ACK to treat the other side
so we can't really decide to cut only one side.
 9 years ago
Nicolas Thill 3750c15632 doc: add SCPacketTimestamp Lua function 
Signed-off-by: Nicolas Thill <ntl@p1sec.com>
 9 years ago
Nicolas Thill e95e6ccded lua: add an SCPacketTimestamp function 
The SCPacketTimestamp function returns packet timestamps as 2 real
numbers (seconds & microseconds).

Example:

  local sec, usec = SCPacketTimestamp()

Signed-off-by: Nicolas Thill <ntl@p1sec.com>
 9 years ago