aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,514 Commits
7 Branches
161 Tags
204 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'afb48cfcb5'
${ noResults }
Commit Graph

4514 Commits (afb48cfcb58829e6f2df527520d2c77c73e9616c)
 

Author SHA1 Message Date
Victor Julien a84c502e50 Add SSE support to --build-info 12 years ago
Victor Julien 49a54713da memcmp: don't use SSE intrinsics if less that 16 bytes are available in SSE_4_2 version. 12 years ago
Victor Julien 8ffa30dd88 profiling: don't init rule profiling ctx if rule profiling is disabled 12 years ago
Victor Julien 660636c5bc profiling: when config is missing, keyword profiling is disabled 12 years ago
Victor Julien 2982408155 pcap: register counters for old pcap versions as well 12 years ago
Victor Julien 9a42f621f5 Fix pcre_study error check 
pcre_study returning NULL is not necessarily an error, from the man page
pcre_study(3):

  "If the function returns NULL, either it could not find any additional
   information, or there was an error. You can tell the difference by
   looking at the error value. It is NULL in first case."

Older libpcre versions would return NULL, causing errors.
 12 years ago
Ken Steele c6a8d0ab6b Share Packet checksum values for TCP, UDP, IPv6. ICMPv4 and ICMPv6 
Keep a separate checksum for IPV4, since a packet can have both an IPV4
checksum and a TCPV4 checksum, or IPV4 and UDPV4 checksum.

This will allow future sharing of more values.

Use PACKET_RESET_CHECKSUMS() in Unit Tests in place of setting the
individual checksum values.
 12 years ago
Ken Steele 27caa8aea7 Add missing case for DNS_CONFIG 
Found compiling with -Werror
 12 years ago
Victor Julien 36bc8d5cd0 http & tls: fix transaction handling 
When http and/or tls logging is disabled, the app layer would still
be flagged as logging. This caused transactions not to be freed until
the end of the flow as the logged tx id would never increment.

This fix postpones the setting of the app layer parser "logger"
flag to the point where we know the logger is enabled.
 12 years ago
Victor Julien bee5ff172b dns: fix transaction handling 
When logging is disabled, the app layer would still be flagged
as logging. This caused transactions not to be freed until the
end of the flow as the logged tx id would never increment.

This fix postpones the setting of the app layer parser "logger"
flag to the point where we know the logger is enabled.
 12 years ago
Victor Julien 6730f3d5cc DNS: trigger logging for toserver dir when previous reply is lost. 12 years ago
Victor Julien 61cdd9be6b dns: detect case of request flooding 
In the case where DNS requests are sent over the same flow w/o a
reply being received, we now set an event in the flow and refuse
to add more transactions to the state. This protects the DNS
handling from getting overloaded slowing down everything.

A new option to configure this behaviour was added:

app-layer:
  protocols:
    dnsudp:
       enabled: yes
       detection-ports:
         udp:
           toserver: 53
       request-flood: 750

The request-flood parameter can be 0 (disabling this feature) or a
positive integer. It defaults to 500.

This means that if 500 unreplied requests are seen in a row an event
is set. Rule 2240007 was added to dns-events.rules to match on this.
 12 years ago
Ken Steele c1b9f0e1f4 Formatting and comment updates in flow files 
Some reformatting to meet coding standards.

Added a few comments to make it more clear where p->flow gets set.
 12 years ago
Victor Julien 72a147b6f1 detect: only inspect smsg for valid tcp packets 
Packets that are rejected by the stream engine are not considered
part of an established tcp session. By allowing them to inspect
an smsg, some smsgs would not be properly inspected.
 12 years ago
Ken Steele dfc2117e80 Add Unit test to check TCPv4 and IPV4 checksums together. 
Copied SigTest26TCPV4Keyword and added check for invalid IPV4 checksums.
Created new SigTest26TCPV4AndIPV4Keyword test with a new packet with valid
IPV4 checksums.
 12 years ago
Victor Julien 0c12ad6bd0 stream: fix sequence number on smsg 
When multiple segments were put into a smsg, the seq would be updated
each time a segment was added. Because of this, the seq wasn't pointing
to the start of the data.

This caused some false negatives when the fast_pattern was in the raw
stream, but another part of the inspection was in the state. Because of
the wrong seq, the inspection of the smsg could be delayed. This in turn,
could make the inspection engine consider a TX inspected, even if it wasn't
fully yet.
 12 years ago
Ken Steele 86c6861b40 Give Suricata priority to receive packets over Linux with mPIPE. 
When installing the rules to tell mPIPE to send packet to Suricata,
give it a higher priority than the default used by Linux. This way if
Linux also tells mPIPE to send it packets, Suricata will get them
instead, as long as Suricata is running.
 12 years ago
Victor Julien 9a7353e148 http: don't decode + to space by default 
Libhtp decodes the + character in the query string to a space by default.
Suricata rules (e.g. etpro sid 2806767) are expecting to see the space in
the http_uri buffer.

Added an option per htp config to reenable this default behavior:

    query-plusspace-decode: yes

Bug #1035.
 12 years ago
Victor Julien 25636597af Fix live rule reload confusing delayed detect 
Fixes bug 1023 and the previous attempt to fix it.
 12 years ago
Victor Julien 5906eeb8c8 detect: don't do rule reload during delayed detect 
When both rule reloads and delayed detect are enabled, make sure we don't
trigger a reload during delayed detect initialization.

Bug #1023.
 12 years ago
Victor Julien 7b687da726 profiling: add tracking of missing keywords 12 years ago
Victor Julien 5686c673ec profiling: per buffer profiling 12 years ago
Victor Julien 9419b9cbb6 detect: add tostring function for DETECT_SM_LIST_ enum. 12 years ago
Victor Julien 97bfcac444 profiling: introduce per keyword profiling 
Initial version of per keyword profiling. Prints stats about
how ofter a keyword was checked and what the costs were.
 12 years ago
Victor Julien 210eede033 content inspection: introduce no_match label 12 years ago
Victor Julien e416b2cdfb stream: fix IPv6 pseudo packet setup 
Bug #1022: IPv6 pseudo packet setup using reverse logic of IPv4.
 12 years ago
Victor Julien ef17b7b9f4 stream: reduce scope of StreamTcpPseudoPacketSetupHeader 12 years ago
Victor Julien ce4d262c7d IPv4 decoder compile warning fix 12 years ago
Victor Julien 07c97412f3 DNS: fix response name length logic 
In some cases where the length would be calculated as 0 we'd loop until
we'd hit our loop limit.

Update name logic everywhere.
 12 years ago
Anoop Saldanha 95ed53c590 Fix for #1003. 
Now that we call stream reassembly directly from proto detection, we will
need to check if reassembly has been disabled inside the stream reassembly
callback.

This prevents any calls to bypass and re-enter proto detection, despite
having reassembly disabled.
 12 years ago
Victor Julien 7ebd1e6433 Counters: fix delayed-detect counter registration 
Make sure we register the detect.alerts counter before packet runtime starts
even in delayed detect mode. The registration of new counters at packet
runtime is not supported by the counters api and might lead to crashes as there
is no proper locking to allow for this operation.

This changes how delayed detect works a bit. Now we call the ThreadInit
callback twice. The first call will only register the counter. The 2nd call
will do all the other setup. This way the counter is registered before the
counters api starts operating in the packet runtime.

Fixes the segv reported in ticket #1018.
 12 years ago
Victor Julien 9e88c51e24 Counters: move perf critical var to the top of the SCPerfContext struct 12 years ago
Victor Julien ed03196a20 Counter: fix accidental logic change 12 years ago
Victor Julien 45dfecafd4 Counters: remove unused updated field 12 years ago
Victor Julien 49087f21e4 Optimizations to reduce branch misses 12 years ago
Victor Julien 64f5129f12 Counters: remove unused tm_name comparison loops 12 years ago
Victor Julien 76c305c128 Counters: fix unix socket 12 years ago
Victor Julien 25aeeebdf7 Counters: merge SCPerfCounterName into SCPerfCounter as there was a 1 on 1 mapping 12 years ago
Victor Julien 3445d17ae5 Counters: remove SCPerfCounterValue struct as we no longer support multiple data types 12 years ago
Victor Julien 677cd03e52 Counters: more unused code removal 12 years ago
Victor Julien 8d4a61a789 Counters: remove unused code 12 years ago
Victor Julien 698ff4e4aa Counters: remove all unused parts of the API 12 years ago
Eric Leblond 79fcf1378a Use unlikely in malloc failure test. 
This patch is a result of applying the following coccinelle
transformation to suricata sources:

  @istested@
  identifier x;
  statement S1;
  identifier func =~ "(SCMalloc|SCStrdup|SCCalloc|SCMallocAligned|SCRealloc)";
  @@

  x = func(...)
  ... when != x
  - if (x == NULL) S1
  + if (unlikely(x == NULL)) S1
 12 years ago
Eric Leblond c8b3f4418a af-packet: init correctly the config structure 
This fix a crash when interface is not defined in YAML.
 12 years ago
Eric Leblond eea760de3c decode: fix typo in comment 12 years ago
Anoop Saldanha 167597cfb0 Update ftp parser protocol detection to use lowercase patterns. 12 years ago
Anoop Saldanha 36bd444406 Introduce new API to allow case insensitive protocol detection patterns. 12 years ago
Anoop Saldanha 90827ea990 Remove the obsolete DetectFtpBounceMatch() function. 12 years ago
Ken Steele 9fce4da84d Spell fixes in threads-arch-tile.h 12 years ago
Anoop Saldanha e8cd15c823 Support for feature #983. 
Provide support for icmvp4 and icmpv6 as well.  You can now use

alert icmpv4 and
alert icmpv6 as well, apart from the existing

alert icmp, which created a rule that applied to both icmpv4 and icmpv6.
 12 years ago