aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
12,947 Commits
7 Branches
155 Tags
204 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'afb97d1dee'
${ noResults }
Commit Graph

59 Commits (afb97d1dee271b95e51a5a9985165346ca36d4ed)

Author SHA1 Message Date
Jeff Lucovsky 1eeb96696b general: Cleanup bool usage 4 years ago
Vadym Malakhatko 126597144c eve: add Hassh fields to SSH JSON logger and add ssh log condition 5 years ago
Vadym Malakhatko 536cee3ba9 rust/ssh: add hassh generation 
Add generation of hassh fingerprints based on fields in the kexinit record
 5 years ago
Philippe Antoine 69b4fffdae parse: move SSH parser from C to Rust 5 years ago
Victor Julien 44d3f264bf app-layer: update API to return more details 
Add AppLayerResult struct as the Parser return type in
preparation of allowing returning 'Incomplete(size)' similar
to what nom in Rust allows.
 5 years ago
Victor Julien 3bcf948a75 app-layer: change return codes 
This patch simplifies the return codes app-layer parsers use,
in preparation of a patch set for overhauling the return type.

Introduce two macros:

APP_LAYER_OK (value 0)
APP_LAYER_ERROR (value -1)

Update all parsers to use this.
 5 years ago
Victor Julien 579cc9f02b const: constify decoder, app-layer, detect funcs 6 years ago
Victor Julien 3526569b25 ssh: test cleanup 
Remove explicit locks. Set ALPROTO_SSH in all tests.
 6 years ago
Victor Julien 76cc03010a ssh: fix banner overflow issue 
Reported-by: Sirko Höer - Code Intelligence
 6 years ago
Philippe Antoine ff52bb14b7 ssh : code style consistency 
Adds SSH_FLAG_VERSION_PARSED to flags before each return
This way, we are sure SSHParseBanner does not get called again
And proto_version does not get leaked
 6 years ago
Victor Julien 9ba89a31ef ssh: fix out of bounds read in banner parsing 
Reported-by: Henning Perl
 7 years ago
Victor Julien 7bc3c3ac6e app-layer: pass STREAM_* flags to parser 
Pass the STREAM_* flags to the app-layer parser functions so that
the parser can know more about how it is called.
 7 years ago
Victor Julien 7548944b49 app-layer: remove unused HasTxDetectState call 
Also remove the now useless 'state' argument from the SetTxDetectState
calls. For those app-layer parsers that use a state == tx approach,
the state pointer is passed as tx.

Update app-layer parsers to remove the unused call and update the
modified call.
 7 years ago
Victor Julien 1bed6e9cae ssh: implement DetectFlags API 7 years ago
Victor Julien bca0cd71ae app-layer: use logger bits to avoid looping 
Avoid looping in transaction output.

Update app-layer API to store the bits in one step
and retrieve the bits in a single step as well.

Update users of the API.
 7 years ago
Eric Leblond 2979a0a2e1 app-layer-ssh: trigger bypass when done 
Trigger bypass when application layer will not inspect anymore.
 8 years ago
Victor Julien ab1200fbd7 compiler: more strict compiler warnings 
Set flags by default:

    -Wmissing-prototypes
    -Wmissing-declarations
    -Wstrict-prototypes
    -Wwrite-strings
    -Wcast-align
    -Wbad-function-cast
    -Wformat-security
    -Wno-format-nonliteral
    -Wmissing-format-attribute
    -funsigned-char

Fix minor compiler warnings for these new flags on gcc and clang.
 8 years ago
Victor Julien a0fad6bb7f mpm: run engines as few times as possible 
In various scenarios buffers would be checked my MPM more than
once. This was because the buffers would be inspected for a
certain progress value or higher.

For example, for each packet in a file upload, the engine would
not just rerun the 'http client body' MPM on the new data, it
would also rerun the method, uri, headers, cookie, etc MPMs.

This was obviously inefficent, so this patch changes the logic.

The patch only runs the MPM engines when the progress is exactly
the intended progress. If the progress is beyond the desired
value, it is run once. A tracker is added to the app layer API,
where the completed MPMs are tracked.

Implemented for HTTP, TLS and SSH.
 8 years ago
Victor Julien a744d00f45 ssh: fix banner state setting 8 years ago
Victor Julien 3ee4989ba7 ssh: convert app-layer parser to be tx aware 
Like with SSL, there is only a single 'tx'.
 8 years ago
Giuseppe Longo 675fa56497 app-layer: add ThreadVars to AppLayerParserParse 
To be able to add a transaction counter we will need a ThreadVars
in the AppLayerParserParse function.
This function is massively used in unittests
and this result in an long commit.
 9 years ago
Victor Julien 48b3cb0492 unittests: fix tests 9 years ago
Victor Julien 6530c3d0d8 unittests: replace SCMutex* calls by FLOWLOCK_* 9 years ago
Victor Julien 48771c1acf debug: fix compiler warnings 9 years ago
Jason Ish 796dd5223b tests: no longer necessary to provide successful return code 
1 pass, 0 is fail.
 9 years ago
Victor Julien 5f39728509 ssh: fix string handling in unittest 9 years ago
Victor Julien f4f53924bb app-layer: fix coverity warnings 10 years ago
Victor Julien 4e7cb7b863 app-layer: update all protocols to accept NULL+EOF 
Update all non-HTTP protocol parsers to accept a NULL+EOF input.
 10 years ago
Victor Julien 04afcf2717 ssh: convert error message to debug statement 
Don't print errors based on traffic issues.
 11 years ago
Eric Leblond 0f61264d68 app-layer-ssh: fix banner parser 
Carefully crafted SSH banner could result in parser error.

Signed-off-by: Eric Leblond <eric@regit.org>
 11 years ago
Ken Steele 8f1d75039a Enforce function coding standard 
Functions should be defined as:

int foo(void)
{
}

Rather than:
int food(void) {
}

All functions where changed by a script to match this standard.
 11 years ago
Victor Julien f6bb867df8 ssh: fix scan-build warnings 
app-layer-ssh.c:165:5: warning: Value stored to 'input_len' is never read
    input_len -= 1;
    ^            ~
1 warning generated.

app-layer-ssh.c:160:5: warning: Value stored to 'input_len' is never read
    input_len -= 4;
    ^            ~
1 warning generated.
 11 years ago
Victor Julien 0967f0777c ssh: improve banner checking 
Don't use input_len as banner length. Instead, look for banner end
to calculate banner length.

Add test for banner buffering corner case.
 11 years ago
Victor Julien 669b351dad ssh: fixes for minor scan-build warnings 
/usr/share/clang/scan-build/ccc-analyzer -DHAVE_CONFIG_H -I. -I..   -I./../libhtp/  -I/usr/include/nspr   -I/usr/include/nss -I/usr/include/nspr   -DLOCAL_STATE_DIR=\"/usr/local/var\" -g -O2 -Wall -Wno-unused-parameter -std=gnu99 -DHAVE_LIBNET11 -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DHAVE_LIBNET_ICMPV6_UNREACH  -I/usr/include -DLIBPCAP_VERSION_MAJOR=1 -DHAVE_PCAP_SET_BUFF -DHAVE_LIBCAP_NG -DREVISION="51e0dee" -MT app-layer-ssh.o -MD -MP -MF .deps/app-layer-ssh.Tpo -c -o app-layer-ssh.o app-layer-ssh.c
app-layer-ssh.c:164:5: warning: Value stored to 'input' is never read
    input += 1;
    ^        ~
app-layer-ssh.c:165:5: warning: Value stored to 'input_len' is never read
    input_len -= 1;
    ^            ~
app-layer-ssh.c:212:13: warning: Value stored to 'ret' is never read
            ret = 0;
            ^     ~
3 warnings generated.
 11 years ago
Victor Julien 65b228ccfd ssh: improve large and fragmented banner handling 
Including tests.
 11 years ago
Victor Julien b4aeb43af1 ssh: disable inspection in encrypted phase 
When both sides of the session have completed the encryption setup,
flag the stream to disable detection.
 11 years ago
Victor Julien 294ff49f6d ssh: allow for space characters in the software version 
Previously the software version would only contain up to the first
space.

E.g. in SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu3

It would contain "OpenSSH_4.7p1".

This patch changes the behavior to:

"OpenSSH_4.7p1 Debian-8ubuntu3"
 11 years ago
Victor Julien b792234dd0 ssh: clean up flags 11 years ago
Victor Julien 884cecd9af ssh: handle fragmented banner 
Cleanups.
 11 years ago
Victor Julien 32fcdfe6eb ssh: server support, cleanups 11 years ago
Victor Julien 3648adb533 ssh: record parser 11 years ago
Victor Julien a3c9832b90 ssh: reenable parser as stub 
Reenable the SSH parser. It now compiles, however the actual parsing
code is still disabled (commented out).
 11 years ago
Anoop Saldanha abded4200a Disabling the ssh parser temporarily, since we are moving away from some 
of the archaic features we use in the app layer. We will reintroduce this
parser shortly. Also do note that keywords that rely on the ssh parser
would now be disabled.
 11 years ago
Anoop Saldanha 0d7159b525 App layer protocol detection updated and improved. We now use 
confirmation from both directions and set events if there's a mismatch
between the 2 directions.

FPs from corrupt flows have disappeared with this.
 12 years ago
Anoop Saldanha ddde572fba Introduce new options into the conf file to enable/disable - 
1. Proto detection
2. Parsers

For app layer protocols.

libhtp has now been moved to the section under app-layer.protocols.http,
but we still provide backward compatibility with older conf files.
 12 years ago
Eric Leblond cd3e32ce19 unittests: some functions needs a flow lock. 
In debug validation mode, it is required to call application layer
parsing and other functions with a lock on flow. This patch updates
the code to do so.
 12 years ago
Victor Julien 9faa4b740d Add --unittests-coverage option to list how many code modules have tests 12 years ago
Victor Julien e2444f0ed5 Coverity 1038092 & 1038093: remove dead code 12 years ago
Eric Leblond e176be6fcc Use unlikely for error treatment. 
When handling error case on SCMallog, SCCalloc or SCStrdup
we are in an unlikely case. This patch adds the unlikely()
expression to indicate this to gcc.

This patch has been obtained via coccinelle. The transformation
is the following:

@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)";
@@

x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
 13 years ago
Anoop Saldanha 109662450d Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs 13 years ago