Commit Graph

10584 Commits (afb97d1dee271b95e51a5a9985165346ca36d4ed)

Author SHA1 Message Date
Victor Julien 27cd54dc0d frames: address coverity issue
Minor cleanups to assist coverity.

Bug: #5065.
4 years ago
Modupe Falodun 786cf41599 detect-bytetest: remove unittests
These tests are reimplemented as Suricata-Verify

Task: 4911
4 years ago
Victor Julien c96d22e8a1 frames: support UDP frames
UDP frames point to the UDP packet payloads.

The frames are removed after each packet.

Ticket: #4983.
4 years ago
Victor Julien 97ef60cd9b output/file: remove 'waldo' code
It was no longer used after "file-store v1" was removed.
4 years ago
Victor Julien f9c04992c3 file/store: warning grammar fixup 4 years ago
Victor Julien b06bd1a1fe htp: rearrange tx user data for more efficiency 4 years ago
Victor Julien 39b1f1aca6 output/lua: minor cleanups 4 years ago
Victor Julien e5fd0d4f76 output/streaming: use unique thread data name 4 years ago
Victor Julien b36683e04f output/stats: use unique thread data name 4 years ago
Victor Julien 008f4aee69 output/packet: use unique thread data name 4 years ago
Victor Julien dd1dc88c65 output/filedata: use unique thread data name 4 years ago
Victor Julien c7db9aa50d output/file: use unique thread data name 4 years ago
Victor Julien 45f13b3d01 output/tx: use unique thread data name 4 years ago
Victor Julien 0be99f3e35 output: minor header cleanups 4 years ago
Victor Julien 645a04c233 output: declare OutputLoggerThreadStore once 4 years ago
Victor Julien 0ccf5b9147 app-layer: fix error counter logic 4 years ago
Modupe Falodun cf5c58c075 detect-uricontent: convert unittests to FAIL/PASS APIs 4 years ago
Modupe Falodun dc8908b282 detect-uricontent: remove unittests
These tests are reimplemented as Suricata-verify

Task: 4911
4 years ago
Modupe Falodun 26c9e66586 detect-engine-enip: remove unittests
These tests are reimplemented in Suricata-Verify

Task: 4911
4 years ago
Victor Julien 609a7eaab2 app-layer: error counters
Per app-layer error counters for:
gap, parser, internal (AppLayerResult issues), alloc
4 years ago
Victor Julien ae0b8d92da flow/manager: remove dead code 4 years ago
Victor Julien 5618886aa9 stream: remove unused defines 4 years ago
Modupe Falodun d2dad66a2b detect-dce-opnum: remove unittests
These tests are reimplemented in Suricata-Verify

Task: 4911
4 years ago
Philippe Antoine 4247605d87 smtp: check if we have a current transaction
Ticket: 4948

This is not the perfect solution, but it prevents triggering
the assert, and keeps the assert.
A better solution would need to create a transaction from
the response parsing, in case a later command was buffered and
not answered. But this would not be enough as NoNewTx prevents
the creation of a new transaction for RSET...
4 years ago
Philippe Antoine 2ef4172437 ftp: limits the number of active transactions per flow
Ticket: 4530

As for HTTP2 and MQTT.
In the FTP case, transactions are pipelined, not identified by an id.
So, there are fewer chances of DoS by quadratic complexity.
4 years ago
Philippe Antoine b39554b11f fuzz: target for applayer cleans transactions
Ticket: 4530

Otherwise, we timeout because we kept too many of them
as Suricata would not
4 years ago
Aaron Bungay a5d3a1f92c src: use bool instead of int 4 years ago
Aaron Bungay 272786908c smtp/mime: configurable url scheme extraction
Parse extract-url-schemes from the mime config.
e.g. 'extract-urls-schemes: [http, https, ftp, mailto]'
Update MimeDecConfig struct to new url extraction fields.
Change app-layer-smtp.c & util-decode-mime.c to initialize new struct
fields for MimeDecConfig.
Sets the default value for extract-url-schemes if not found in the
config to 'extract-urls-schemes: [http]' for backwards compatibility.

Uses the schemes defined in the mime config value for
extract-urls-schemes to search for URLs starting with those scheme
names followed by "://".
Logs the URLs with the scheme + '://' at the start if
log-url-scheme is set in the mime config, otherwise the old behaviour
is reverted to and the URLs are logged with the schemes stripped.

Removed unused constant URL_STR now that URLs are being searched for
using extract-urls-schemes mime config values instead of just URLs
starting with 'http://'.

Added commented out new options for extract-urls-schemes and
log-url-scheme to suricata.yaml.in.

Update FindUrlStrings comments.
Remove old outdated comments/commented code from FindUrlStrings.
Update test case for mime which now needs schemes list to be set.
Add Test Cases for FindUrlStrings() method.

Feature: #2054
4 years ago
Modupe Falodun b77d1d7d2e detect-flowbits: remove unittests
These tests are reimplemented in Suricata-Verify

Task: 4911
4 years ago
Philippe Antoine 1e1a4ab1c4 detect: logs an error if a protocol is disabled
So that the user knows that the rule cannot match
4 years ago
Philippe Antoine bf30eb344a detect: checking validity of rules with http protocol
We want to check that a rule beginning with alert http
can be valid, that is if either HTTP1 or HTTP2 is enabled.
So, AppLayerProtoDetectGetProtoName will do a more complex
check for this ALPROTO_HTTP (any).
4 years ago
Jeff Lucovsky b53fced452 general: Fix typo 4 years ago
Jeff Lucovsky be2155b4ed config/ref: Raise errors for ref.config parsing
This commit raises an error in configuration test mode if there was an
error parsing reference.config.

Issue: 4659
4 years ago
Modupe Falodun 8d615842f9 detect/bypass: remove unittest
This test is reimplemented in Suricata-Verify

Task: 4911
4 years ago
Victor Julien 738e756eaf eve/pgsql: log txs in flow direction 4 years ago
Angelo Mirabella 41a139b590 stream-tcp-reassemble: fix reassembly direction for FIN packets
Suricata invokes the stream reassembly logic only for the current packet
direction if the packet contains a FIN flag. However, this does not
handle the case in which the packet ACKs data from the opposing direction.
This patch forces the invocation of the stream reassembly logic
on both directions when Suricata sees a FIN packet.
4 years ago
Jason Ish 9e096dda4e windows: exit early if live capture requested without npcap 4 years ago
Modupe Falodun 154e4eb395 http-response-line: remove unittest
This test is reimplemented in Suricata-Verify

Task: 4911
4 years ago
Modupe Falodun 926c02a141 detect/modbus: remove unittests
These tests are reimplemented in Suricata-Verify

Task: 4911
4 years ago
Modupe Falodun 0984528ddb detect-http-request-line: remove unittests
These tests are reimplemented as Suricata-Verify

Task: 4911
4 years ago
Modupe Falodun dff7e7d34e detect/hostbits: remove unittests
These tests are reimplemented as Suricata-Verify tests

Task: 4911
4 years ago
Modupe Falodun 47f70bf1f4 detect/proto: remove unittests
This test is reimplemented in Suricata-Verify

Task: 4911
4 years ago
Philippe Antoine 749b9c7635 fuzz: cleans all flow after one run
Completes commit e2370d6861
for all the fuzz targets processing pcaps
using a generic function.

FlowShutdown is not used because it uses the loop to destroy
mutexes, which we want to reuse for fuzzing
4 years ago
Victor Julien 40c315aa35 detect/frames: fix coverity warning
Harmless warning, but it was correct in that the code made no sense:
1497420 Dereference before null check
4 years ago
Victor Julien e902aaf838 detect/frames: fix crash when parsing bad rule
Indexing of Signature::init_data::smlists would fail for a rule that
used a frame w/o content, as the array would only be expanded when
adding a content. Adding a check to see if the list id is in bounds
is an implicit check for the "no content" case.

Bug #5011.
4 years ago
Victor Julien c6be6d2c6f detect/frames: fix error messages 4 years ago
Juliana Fajardini 0bf1227f0f pgsql: fix defect found by coverity
Pgsql was using bitwise operations to assign password output config to
its context flags, but mixing that with logic negation of the default
value, resulting in the expressions having a constant value as result.

Bug: #5007
4 years ago
Jason Ish 59ac1fe277 logging: change ownership of application log if needed
When running with privilege dropping, the application log file
is opened before privileges are dropped resulting in Suricata
failing to re-open the file for file rotation.

If needed, chown the application to the run-as user/group after
opening.

Ticket #4523
4 years ago
Jason Ish 08518df373 startup: initialize run as user info sooner
Initialize the run-as user info after loading the config, but
before setting up logging (previously it was done while initializing
signal handlers). This will allow the log file to be given the
correct permissions if Suricata is configured to run as a non-root
user.
4 years ago
Lukas Sismis f668524731 dpdk: adjust setting of MTU to the new DPDK API (21.11) 4 years ago
Philippe Antoine e8060990d1 detect: fix possible leak found by coverity
Conditions to create the leak are likely not reachable,
but this is still a bad pattern.
4 years ago
Juliana Fajardini 579d7dcc01 pgsql: add initial support
- add nom parsers for decoding most messages from StartupPhase and
SimpleQuery subprotocols
- add unittests
- tests/fuzz: add pgsql to confyaml

Feature: #4241
4 years ago
Shivani Bhardwaj 8918f53f6b smtp: use AppLayerResult instead of buffering
Also, remove tests that check for the removed buffers and any middle
states while parsing and buffering.

Ticket 4907
4 years ago
Victor Julien e02b52c895 quic: add quic.ua for matching user agent 4 years ago
Victor Julien da8b024b99 detect/quic: add quic.sni sticky buffer 4 years ago
Victor Julien 24a21af4ab quic: redo quic.version; parser cleanups
Reimplement quic.version as sticky buffer.

Removed unused parts of the parser.

Set unidirectional tx flag to fix double matching.
4 years ago
Emmanuel Thompson 7e51987263 quic: Add QUIC App Layer
Parses quic and logs a CYU hash for gquic frames
4 years ago
Philippe Antoine 23fb139e00 detect: do not upgrade base64 decode when fuzzing
As fuzzing will put a very big value, and then
ThreadCtxDoInit will try to allocate it,
ending in out of memory
4 years ago
Victor Julien ca29d33c69 proto-detect: set flags in packet direction for UDP 4 years ago
Victor Julien 449cc82943 proto-detect: fix UDP not setting alproto_ts/tc
This would lead to the `app-layer-protocol` keyword not matching correctly.
4 years ago
Philippe Antoine 0cfdec1266 detect: xor transform
Ticket: 3285

The xor transform applies xor decoding to a buffer, with a key
specified as an option in hexadecimal. Arbitrary key sizes are
accepted.
4 years ago
Philippe Antoine 1d4fe38ccb detect: adds test with invalid uint mode << 4 years ago
Philippe Antoine 2012b14470 detect: use generic functions for icode parsing 4 years ago
Philippe Antoine e2370d6861 fuzz: cleans all flow after one run
Makes the fuzz target more stateless

And manages to find bugs on the FlowFree path
4 years ago
Philippe Antoine add1a0f561 fuzz: use parsed rules in sigpcap target
Ticket: 4125

As commit d21a252238
But for sigpcap target as well
4 years ago
Philippe Antoine 529678d501 dns: wrap with HAVE_LUA
This is just code style, to minimize the compiled code.
4 years ago
Philippe Antoine 6885b66883 fuzz: enable template protocols
Ticket: 4125
4 years ago
Philippe Antoine ed11e32076 enip: fix too restrictive check in probing parser
As is shown later in the code, enip_len can be
ENIP_LEN_REGISTER_SESSION which is 4, which is
smaller than sizeof(ENIPEncapHdr) which is 24
4 years ago
Philippe Antoine 09c84d0c26 fuzz: use fuzzing confyaml for protodetect target
As is done for other targets,
so that all app-layer protocols are enabled,
even the ones disabled by default such as enip

And resets protocol detection every time we try
so that probing_parser_toserver_alproto_masks are fresh.
4 years ago
Victor Julien 44c9241b6a telnet: initial support with frames
Bootstrapped using setup script. Basic option parsing for purpose
of tagging frames.
4 years ago
Victor Julien fc4279de85 htp: improve request/response size accuracy 4 years ago
Victor Julien 52ad906d31 htp: implement basic request/response frames 4 years ago
Victor Julien af797b5926 ssl: implement frames for SSLv3 and TLS 4 years ago
Victor Julien a492d94826 detect/frames: implement 'frame' keyword
Implement a special sticky buffer to select frames for inspection.

This keyword takes an argument to specify the per protocol frame type:

    alert <app proto name> ... frame:<specific frame name>

Or it can specify both in the keyword:

    alert tcp ... frame:<app proto name>.<specific frame name>

The latter is useful in some cases like http, where "http" applies to
both HTTP and HTTP/2.

    alert http ... frame:http1.request;
    alert http1 ... frame:request;

Examples:

    tls.pdu
    smb.smb2.hdr
    smb.smb3.data

Consider a rule like:

    alert tcp ... flow:to_server; content:"|ff|SMB"; content:"some smb 1 issue";

this will scan all toserver TCP traffic, where it will only be limited by a port,
depending on how rules are grouped.

With this work we'll be able to do:

    alert smb ... flow:to_server; frame:smb1.data; content:"some smb 1 issue";

This rule will only inspect the data portion of SMB1 frames. It will not affect
any other protocol, and it won't need special patterns to "search" for the
SMB1 frame in the raw stream.
4 years ago
Victor Julien 02f98796a7 detect/frames: limit mixing frames and other detection
Don't allow mixing of payload/stream/tx and frame keywords. Initial
support is only for 'pure' frame inspection.
4 years ago
Victor Julien 3cbe33de57 detect/analyzer: add frame support 4 years ago
Victor Julien f6f124f283 detect/engine: support frames
Implement the low level detect engine support for inspecting frames,
including MPM, transforms and inspect API's.
4 years ago
Victor Julien c0ec3984fa eve/alert: add support for logging frame
If detection was done in a frame, the frame will be added to the
eve.alert output.
4 years ago
Victor Julien 60bfade351 eve: implement frame logging
This is mostly to assist development and QA. It produces too much data
for practical use.
4 years ago
Victor Julien a27ee49c73 app-layer: move app_progress forward on errors as well
In case of APP_LAYER_ERROR still move the app_progress forward.
This helps validation of frame offsets and should be harmless
otherwise.
4 years ago
Victor Julien 1556e86c7d app/frames: initial support
The idea of stream frames is that the applayer parsers can tag PDUs and
other arbitrary frames in the stream while parsing. These frames can then
be inspected from the rule language. This will allow rules that are more
precise and less costly.

The frames are stored per direction in the `AppLayerParserState` and will only
be initialized when actual frames are in use. The per direction storage has a
fixed size static portion and dynamic support for a larger number. This is done
for efficiency.

When the Stream Buffer slides, frames are updated as they use offsets relative
to the stream. A negative offset is used for frames that started before the
current window.

Frames have events to inspect/log parser errors that don't fit the TX model.

Frame id starts at 1. So implementations can keep track of frame ids where 0
is not set.

Frames affect TCP window sliding. The frames keep a "left edge" which
signifies how much data to keep for frames that are still in progress.
4 years ago
Victor Julien e6f49e5a05 app/frames: implement name to id API for frames 4 years ago
Victor Julien eeee740e84 stream: add util function to get 'usable' data 4 years ago
Lukas Sismis 52d8d35453 dpdk: fix received/error counters 4 years ago
Victor Julien 3cbbe66ea2 tests/pppoe: clean up more tests to use PASS/FAIL macros 4 years ago
Steven Ottenhoff 6bf2117056 pppoe: fix protocol field length variation
Detect when protocol field is not a 16 bit field.
Added tests to prove logic

Ticket: 4810
4 years ago
Steven Ottenhoff 260bc03603 test/pppoe: refactor to use FAIL/PASS macros 4 years ago
Modupe Falodun 3dbf74ff10 detect-file-data: remove SMTP unittests
These tests are reimplemented as Suricata-verify tests

Task: 4938
4 years ago
Eric Leblond 264eddb81f output/alert: don't call basic logging twice
Issue: 4106
4 years ago
Victor Julien a7e77dd22d stream: suppress noisy debug message 4 years ago
Victor Julien 78f5e082f5 stream: fix stream pruning being too aggressive
Pruning of StreamBufferBlocks could remove blocks that fell entirely
after the target offset due to a logic error. This could lead to data
being evicted that was still meant to be processed in the app-layer
parsers.

Bug: #4953.
4 years ago
Victor Julien 544ff0fb52 stream: debug code for showing segment list state 4 years ago
Jeff Lucovsky f30d8ece80 detect: Avoid recomputing ntohl() in addr match
This commit makes a small optimization when comparing IPv4 and IPv6
addresses by making the host order value invariant and calculating the
value once, before entering the loop.
4 years ago
Philippe Antoine 86ea7f2474 file: define own variable instead of PATH_MAX
to be used for maximum size of file names,
and not depend on the OS
4 years ago
Philippe Antoine c56b1c99d5 ssl: fix int warnings
especially increasing padding_len size
4 years ago
Philippe Antoine 078e1cdacc smtp: fix int warnings
and explicitly truncating filename's length
4 years ago
Philippe Antoine 23f242dfc2 app: fix int warnings in generic app files 4 years ago
Philippe Antoine 334b1382e0 http: fix int warnings
Explicitly truncate file names to UINT16_MAX

Before, they got implicitly truncated, meaning a UINT16_MAX + 1
file name went to a 0 file name (because of modulo 65536)
4 years ago
Philippe Antoine defce022b4 ftp: fix int warnings
Explicitly truncate a file name if it is longer
than UINT16_MAX
4 years ago
Jeff Lucovsky 22e89ec4a3 log: Coverity REVERSE_INULL warnings
This commit addresses Coverity reported "REVERSE_INULL" warnings.

Issue: 4699
4 years ago
Philippe Antoine e1c0725e05 doc: fix typo lenght/length 4 years ago
Jason Ish 6392216f6b base64: use the Rust base64 encode implementation
Replace our internal base64 implementation with a ffi wrapper
around the Rust implementation provided by an external crate.
4 years ago
Jason Ish 6d3dcf27a6 eve: use JsonBuilder for encoding base64
Replaces all usages of Base64Encode just before writing to a
JsonBuilder with jb_set_base64 and jb_append_base64.
4 years ago
Victor Julien c073d5cfbf app-layer: use StreamSlice as input to parsers
Remove input, input_len and flags in favor of stream slice.
4 years ago
Victor Julien 6466296b32 app-layer: add StreamSlice to pass data to parsers
Since object to contain relevant pointer, length, offset, flags to make
it easy to pass these to the parsers.
4 years ago
Jeff Lucovsky 7f0f463b64 logging/diag: Enable stacktrace diagnostic if config'd
This commit adds a signal handler for SIGSEGV when configured. The
signal handler emits a one line stack trace using SCLogError. The intent
is to provide diagnostic information in deployments where core files are
not possible.

The diagnostic message is from the offending thread and includes the
stack trace; each frame includes the symbol + offset.
4 years ago
Jeff Lucovsky 501c870a2c error: Add error code for sig-related diagnostics
This commit adds an error code for the diagnostic code used for
diagnostic messages following unexpected termination due to signals.
4 years ago
Philippe Antoine bf9bbdd612 detect: fix app-layer-protocol keyword for HTTP
Ticket: 4920

Completes commit c8dbe24fb6
which introduced AppProtoEquals to have a generic
check for http in signature can mean http1 or http2 in
traffic.

This commit missed this case, as I only looked for
git grep "alproto ==" and here we deal with
alproto_tc and alproto_ts, but not alproto by itself.
4 years ago
Jason Ish fcbdc30426 dns: create transaction even if z-bit was set
It appears that DNS servers will still process a DNS request even if the
z-bit is set; our parser will fail the transaction. So create the
transaction, but still set the event.

Ticket #4924
4 years ago
Lukas Sismis de53e07559 dpdk/ice: setup RSS for Intel ICE PMD
Set RSS hash function according to Intel ICE PMD available hash functions

Set hash functions according to the support by the ICE PMD, so that no warning
regarding RSS setting is issued.
4 years ago
Lukas Sismis 3f7a50eeb7 dpdk/ixgbe: setup RSS for Intel IXGBE PMD
Set RSS hash function according to Intel IXGBE PMD available hash functions.

During configuration, a warning appeared stating that RSS hash function
has been changed from one value to the other. This has meant that
the supported hash functions did not cover all required hash functions
by the configuration. This commit solves the warning.
4 years ago
Lukas Sismis 639aa04c5f dpdk/i40e: support RSS on Intel i40e PMD driver
Due to peculiar behavior of i40e PMD driver, the RSS is required to be set
via rte_flow rules or a hash filter as compared to other NICs where RSS is
configured through port configuration structure.
RTE_FLOW rules are created on 5-tuples (as opposed to 3-tuple configured
on the other NICs). Fragmented traffic has been tested with this setup
and it has been proven that fragmented packets of the same flow are
received on the same queue. At the same time, setting 3-tuple on rte_flow
rules has not yielded the expected results.

Notes from the experiments:

- Configuration of 5-tuple (as is in the commit):
    fragmented and nonfragmented packets are received by the same workers
    even when I applied seed to alter them via tcpreplay-edit (option --seed)

- Setting only ETH_RSS_FRAG_IPV4 and ETH_RSS_IPV4 (i.e. setting 3-tuple):
    when setting ETH_RSS_IPV4, the PMD driver says that pctype is not
    supported (generally this means that the "type" of traffic is not
    a valid configuration for the i40e)

- Setting only ETH_RSS_FRAG_IPV4 and ETH_RSS_NONFRAG_IPV4_OTHER:
    this doesn't work well, packets of the same flow are received on
    different workers (my explanation is that the fragmented packets are
    matched with ETH_RSS_FRAG_IPV4 but the other UDP packets are not matched
    with the ETH_RSS_NONFRAG_IPV4_OTHER rte_flow rule (they would be matched with
    ETH_RSS_NONFRAG_IPV4_UDP).
4 years ago
Victor Julien f98df5c3fd dpdk: add RSS flags that are set in the NIC 4 years ago
Victor Julien 56dfec48b9 dpdk: add specific error counters 4 years ago
Lukas Sismis a7faed1245 dpdk: initial support with workers runmode
Register a new runmode - DPDK. This enables a new flag on Suricata start
(--dpdk).

With the flag given, DPDK runmode is enabled.

Runmode loads the configuration and then initializes EAL.

If successful, it configures the physical NICs according to the configuration
file. After that, worker threads are initialized and then are in continuous
receive loop.
4 years ago
Jason Ish 92eb14c5ad datasets: initialize after dropping privileges
Move initialization of datasets to a point after privileges
have been dropped.

Ticket 4239
4 years ago
Philippe Antoine dd32238667 ftp: do not set alproto if one was already found
Ticket: 4857

If a pattern such as GET is seen in the beginning of the
file transferred over ftp-data, this flow will get recognized
as HTTP, and an HTTP state will be created during parsing.

Thus, we cannot directly override alproto's values

This solves the segfault, but not the logical bug that the flow
should be classified as FTP-DATA instead of HTTP
4 years ago
Victor Julien a02f263e56 app-layer/htp: cleanup test 4 years ago
Victor Julien 0a1c3267e6 htp: rename callbacks to make purpose clearer 4 years ago
Victor Julien 258415b23f stream: unify ack'd right edge handling
Use util function in all code needing the ack'd data.
4 years ago
Victor Julien ac11502629 detect/engine: store buffer name in local array
Instead of storing a name and description as a pointer in DetectBufferType
store them in fixed size arrays. This is in preparation of runtime registration
of buffer types, where a constant name/desc is not available.
4 years ago
Victor Julien 6ee818cb3e stream/reassembly: ignore min_inspect_depth on TCP state CLOSED 4 years ago
Victor Julien 55202f826a detect/http: don't set min-inspect-depth higher than setting 4 years ago
Philippe Antoine 27dd0c6b3d eve/ftp-data: log alert metadata in ftp-data object
Ticket: 4860

instead of directly in root
4 years ago
Philippe Antoine 87d9c44ec5 rust: export constants via cbindgen
so that constants are not defined twice in Rust and C
So that we are sure they have the same value
4 years ago
Philippe Antoine 8feb9c35ae mime: move FindMimeHeaderTokenRestrict to rust
Also fixes the case where the token name is present
in a value
4 years ago
Modupe Falodun 76131c8cff detect-ipopts: convert unittests to FAIL/PASS APIs
Bug: 4047
4 years ago
Victor Julien ecce116117 detect/fast_pattern: allow for rule time registration
In preparation of more dynamic logic in rule loading also doing
some registration, allow for buffers to be registered as fast_patterns
during rule parsing.

Leaves the register time registrations mostly as-is, but copies the
resulting list into the DetectEngineCtx and works with that onwards.
This list can then be extended.
4 years ago
Victor Julien db27244379 detect: add buffer helper functions 4 years ago
Victor Julien 707b75ccda detect: split register time and detect load time buffer funcs 4 years ago
Victor Julien 5bcaae0a01 detect: use hashes for all buffer to id
Instead of a map that is constantly realloc'd, use 2 hash tables for
DetectBufferType entries: one by name (+transforms), the other by
id. Use these everywhere.
4 years ago
Victor Julien 51dcf3d76a detect: increase SigMatch type from u8 to u16 4 years ago
Victor Julien bb3d49d5bf detect: use bool for uint16_t used as bool 4 years ago
Victor Julien 6d7c1519ed common: fix missing ; in header 4 years ago
Philippe Antoine c9d222a483 detect: allows <> syntax for uint ranges 4 years ago
Philippe Antoine 5af4ef4532 detect: use prefilter values for modes 4 years ago
Philippe Antoine 3f15b2492c detect: errors for rule with impossible conditions
Such as >255 for an uint8 field
4 years ago
Philippe Antoine f4449d3fb3 fuzz: restrict flags passed to AppLayerProtoDetectGetProto
Completes commit 05f9b3ffc6
4 years ago
Jason Ish 7732efbec2 app-layer: include decoder events in app-layer tx data
As most parsers use an events structure we can include it in the
tx_data structure to reduce some boilerplate/housekeeping code
in app-layer parsers.
4 years ago
Philippe Antoine 86f5d33f75 enip: fix int warnings
This seems to fix a real bug when an ENIP connection
has more than 65k transactions
4 years ago
Philippe Antoine 86b5c81ea2 dnp3: fix int warnings
There is a hack to know the type of an integer
and do an explicit cast in the python script
generating the C file

Also extends some bounds checks against negative values
4 years ago
Philippe Antoine 53fc70a9a7 protodetect: fix int warnings
There is actually a real evasion with AppLayerProtoDetectPMGetProto
using u16 instead of u32 for buflen
4 years ago
Philippe Antoine 46981ccd98 warning: explicit casts to double 4 years ago
Philippe Antoine b88f015bfb source/pcap: remove unused code 4 years ago
Philippe Antoine 05f9b3ffc6 fuzz: restrict flags passed to AppLayerProtoDetectGetProto
So that rust does not panic with an unhandled value
4 years ago
Victor Julien 39bf623fdd af-packet: add send error counter 4 years ago
Victor Julien 373278438d packetpool: ReleasePacket callback check on getter
Any packet coming from the pool should have `PacketPoolReturnPacket`
as its callback. Check that this is the case.
4 years ago
Victor Julien 8a5b945c7b af-packet: only ref mpeer if needed in tpacket v2
We only use it in autofp mode, for reference counting purposes.

Removes 2 atomic operations per packet in the more common workers
runmode.
4 years ago
Victor Julien d272075da0 af-packet: minor output updates 4 years ago
Victor Julien e9c6ad19b3 af-packet: optimize packet setup
Don't set fields we don't use in V3.
4 years ago