aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
12,947 Commits
7 Branches
161 Tags
205 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'afb97d1dee'
${ noResults }
Commit Graph

10584 Commits (afb97d1dee271b95e51a5a9985165346ca36d4ed)

Author SHA1 Message Date
Victor Julien afb97d1dee stream: add offset to raw stream callback 
This gives the called function to understand where it is in the
stream.
 3 years ago
Victor Julien 205bc1e288 app-layer: disable stream app tracking on no parser 
If protocol has no parser enabled or implemented, disable the app
progress tracking in the stream engine to reduce the workload in
the stream engine.
 3 years ago
Philippe Antoine 8ecf7e403e source: pcap timestamp microsecond consistency 
That is it should be less than 1 000 000.
Have the same for fuzz targets where the bug came from.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44177
 3 years ago
Philippe Antoine dccf2e4c30 detect: config checks alstate before getting tx 
Ticket: 4972

As is done in detect-lua-extensions.
We can have a flow with alproto unknown, no state, and therefore
cannot run AppLayerParserGetTx which could try to run a NULL
function
 3 years ago
Philippe Antoine 45d1a9ae77 detect: faster linked list copy 
In DetectAppLayerInspectEngineCopyListToDetectCtx
Avoid quadratic complexity by remembering last element
of the linked list we are inserting into
 3 years ago
Philippe Antoine 2a22b4ca1f flow: fix integer warnings 
Ticket: 4516
 3 years ago
Philippe Antoine 1cc9762b6a host/ippair: fix integer warnings 
Ticket: 4516
 3 years ago
Philippe Antoine b1eaa1e8cd util: using size_t len for byte utils 
Ticket: 4516

Like ByteExtractStringUint64, because most of their inputs come
from strlen which returns a size_t
 3 years ago
Philippe Antoine f30975fb16 app-layer: fix integer warnings 
Ticket: 4516
 3 years ago
Victor Julien 1c8559b3ab debug: support %m output format again 
Use thread local storage to avoid the previous dead lock issues.
 3 years ago
Victor Julien ce4e543719 threading: simplify thread name logic 3 years ago
Victor Julien 013fb2dde3 frames: remove dead condition in eof check 3 years ago
Victor Julien 86e8611f5e app-layer: don't switch dir if proto already known 3 years ago
Victor Julien 7b55f8b2e3 fuzz/sigpcap_aware: set pkt_src to wire 
Avoids an assert if DEBUG is compiled in:

fuzz_sigpcap_aware: source-pcap-file.c:420: TmEcode DecodePcapFile(ThreadVars *, Packet *, void *): Assertion `!(p->pkt_src != PKT_SRC_WIRE && p->pkt_src != PKT_SRC_FFR)' failed.
 3 years ago
Victor Julien 61df4120da detect/frame: improve assert accuracy 
Handle frames of unknown size correctly.

Bug: #5226.
 3 years ago
Victor Julien c824804e2b eve: allow /dev/null in threaded mode 
Avoids creation of actual files called /dev/null.N which take
up space in /dev/ which lives in memory.
 3 years ago
Victor Julien 5deb479f4c flow: cleanup locking debug leftovers 3 years ago
Victor Julien 57533d3e47 flow: fix and simplify locking 
Since:

9551cd0535 ("threading: don't pass locked flow between threads")

`MoveToWorkQueue()` unconditionally unlocks the flow. This allows simpler
locking handling, including of tcp reuse flows.

The simpler logic also fixes a scenario where TCP reuse flows got "unlocked"
twice, once in `FlowGetFlowFromHash()` and once in `MoveToWorkQueue()`.

Bug: #5248.
Coverity: 1494354.
 3 years ago
Philippe Antoine e3180e3248 output: fix integer warnings 
Ticket: 4516
 3 years ago
Philippe Antoine 0cba561fec detect: not an iponly signature if it needs app-layer 
Ticket: 4972

This may happen with `config` keyword which is postmatch,
but may require a transaction
 3 years ago
Juliana Fajardini a6bda3596b unittests: alloc Packet with PacketGetFromAlloc 
Some unittests used SCMalloc for allocating new Packet the unittests.
While this is valid, it leads to segmentation faults when we move to
dynamic allocation of the maximum alerts allowed to be triggered by a
single packet.

This massive patch uses PacketGetFromAlloc, which initializes a Packet
in such a way that any dynamic allocated structures within will also be
initialized.

Related to
Task #4207
 3 years ago
Shivani Bhardwaj 6d2a2a0731 detect/dataset: fix space condition in rule lang 
If there is a space following a keyword that does not expect a value,
the rule fails to load due to improper value evaluation.
e.g. Space after "set" command
alert http any any -> any any (http.user_agent; dataset:set  ,ua-seen,type string,save datasets.csv; sid:1;)

gives error
[ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - dataset action "" is not supported.

Fix this by handling values correctly for such cases.
 3 years ago
Shivani Bhardwaj 7366396011 detect/dataset: cleanup dead code 3 years ago
Victor Julien 2b5eeab7d4 detect/urilen: don't pass null pointer to pcre2 free 
Bug #5228.
 3 years ago
Victor Julien 087151ddc3 detect/mpm: initialization micro optimization 3 years ago
Victor Julien 54a6dd09dd detect: pattern id assignment through hash table 
Only consider active part of the pattern for mpm (so consider chop).

Move data structure to hash list table over the custom array logic.
 3 years ago
Victor Julien a14854bce9 detect: keyword list to hash to improve perf 
Since the switch to pcre2 this was much more heavily used, which
would lead to measurable time spent in list handling.
 3 years ago
Victor Julien 9e6370ae2e detect: optimize mpm-engine setup 
Instead of a loop over the rules in a group *per engine* do a single
loop in which all the engines are prepared in parallel.
 3 years ago
Victor Julien 3352c0bee4 detect: initialization optimization 
A lot of time was spent in `SigMatchListSMBelongsTo` for the `mpm_sm`.

Optimize this by keeping the value at hand during Signature parsing and
detection engine setup.
 3 years ago
Victor Julien b804a84c93 hash: constify data input 3 years ago
Victor Julien 4b0e3d79bb detect/analyzer: support frames in pattern dump 3 years ago
Victor Julien 47629b7aeb detect/filemagic: don't pass unused pointer 3 years ago
Arne Welzel 8ef066318d flow-manager: fix off-by-one in flow_hash row allocation 
The current code doesn't cover all rows when more than one flow manager is
used. It leaves a single row between ftd->max and ftd->min of the next
manager orphaned. As an example:

    hash_size=1000
    flowmgr_number=3
    range=333

    instance  ftd->min  ftd->max
    0         0         333
    1         334       666
    2         667       1000

    Rows not covered: 333, 666
 3 years ago
Victor Julien 9537d119b9 http: fix reassembled range file accounting 3 years ago
Victor Julien 6d30f4442c http2: fix file accounting for ranged files 
Increment files_opened for tx that 'gets' reassembled ranged file
 3 years ago
Victor Julien 54d34c96f5 files: open/log debug validation bugon 
Meant to find more cases where there is a mismatch.
 3 years ago
Philippe Antoine cfcade58ad http: move xff logging to alert object 
Ticket: 4860

instead of root field
 3 years ago
Philippe Antoine 862e84877f ssl: first pass limit when allocating buffer for certificates 
With this check, on the first packet of a certificate presenting
a length of 16Mbytes, we only allocate up to 65Kb

When we get to the point where need more than 65Kb, we realloc
to the true size.

With this check, it makes it more expensive for an attacket to use
this allocation as a way to trigger ressource exhaustion...
 3 years ago
Philippe Antoine 99b3443369 smtp: check if there is a transaction to close 
Ticket: 4948

When parsing the response for starttls
 3 years ago
Philippe Antoine 68fa080069 tmqh: fix possible null dereference 
Coverity ID: 1502953

As we check just on the next line my_pool against NULL, we should
not dereference it, even for debug validation
 3 years ago
Philippe Antoine 568ab841d8 detect: remove dead code about xbits keyword 3 years ago
Philippe Antoine 4640b15d8c log: prevents use of uninitialized variable 
Even if the code seems unreachable for now
 3 years ago
Jason Ish 8d1e4a1d0b detect-content: error on single char hex pairs 
Fix parsing of content like "|aa b cc|" which was parsed as "|aa bc|"
without error or warning. This will now fail out, requiring all hex
values to be 2 chars.

Ticket #5201
 3 years ago
Victor Julien 6e90bf4739 streaming: remove unused 'auto slide' support 
Add debug validation checks for "impossible" conditions.
 3 years ago
Philippe Antoine 00da0d3420 detect: makes config keyword really require a flow 
Ticket: 4972

Completes commit c3a220647

DETECT_CONFIG is added as DETECT_SM_LIST_POSTMATCH and not
as DETECT_SM_LIST_MATCH as other keywords handled in SignatureCreateMask
 3 years ago
Modupe Falodun 54bc43d3ed detect-pcre: remove unittests 
These tests are reimplemented in Suricata-Verify

Task: 4911
 3 years ago
Philippe Antoine df83f7899d fuzz: fix integer warnings 
Ticket: 4516
 3 years ago
Philippe Antoine 5790280c95 utils: fix integer warnings in r files 
Ticket: 4516
 3 years ago
Philippe Antoine dca76a45a8 stream-tcp: fix integer warnings 
Ticket: 4516
 3 years ago
Philippe Antoine 068fb700df util: fix int warnings in tm threads 
Ticket: 4516
 3 years ago