aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,286 Commits
7 Branches
161 Tags
178 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'bac37fc9ae'
${ noResults }
Commit Graph

6627 Commits (bac37fc9ae5e3469652fda2ef268de617de485dd)

Author SHA1 Message Date
Eric Leblond 51bfe4960a flow: discard packets belonging to bypassed flows 9 years ago
Eric Leblond 724069626d flow: downgrade to local bypass if we see packets 
If we see packets for a capture bypassed flow after some times, it
means that the capture method is not handling correctly the bypass
so it is better to switch to local bypass method.
 9 years ago
Eric Leblond 4cf887b4f7 flow: update lastts in FlowHandlePacketUpdate 
This allows to make it conditional to the state of packet and
then trigger modified behavior.
 9 years ago
Giuseppe Longo 5b71b5834f filestore: avoid conflict with bypass keyword 
If a packet triggers a rule which contains both
bypass and filestore keywords,
it won't be stored since it's not inspected.

To avoid that, when a rule containing filestore keyword
we make sure that also bypass keyword is present.
 9 years ago
Giuseppe Longo 07564c4e41 detect: add bypass keyword 
This adds a new keyword which permits to call the
bypass callback when a sig is matched.

The callback must be called when the match of the sig
is complete.
 9 years ago
Eric Leblond c19cd12620 flow: bypass encrypted and after stream depth flow 
This patch activates bypass for encrypted flow and for flow
that have reached stream depth on both side.

For encrypted flow , suricata is stopping the inspection so
we can just get it out via bypass. The same logic apply
for flow that have reached the stream depth.

For a basic test of feature, use the following ruleset:

```
table ip filter {
	chain output {
		type filter hook output priority 0; policy accept;
		ct mark 0x1 counter accept
		oif lo counter queue num 0
	}

	chain connmark_save {
		type filter hook output priority 1; policy accept;
		mark 0x1 ct mark set mark counter
		ct mark 0x1 counter
	}
}
```

And use bypass mark and mask of 1 in nfq configuration. Then you
can test the system by scp big file to 127.0.0.1. You can also
use iperf to measure the performance on localhost. It is recommended
to lower the MTU to 1500 to get something more realistic by increasing
the number of packets..
 9 years ago
Giuseppe Longo 177df305d4 stream-tcp: enable bypass setting 
This permits to enable/disable in suricata.yaml
and the bypass function will be called
when stream.depth is reached.
 9 years ago
Giuseppe Longo 97783f8142 nfq: introduce bypass function 9 years ago
Eric Leblond 285b4dd981 decode: implement bypass function 
Call the packet bypass callback if necessary and update the flow
state. In case of failure we switch to local bypassed state and set
capture bypassed state if the callback is successful.
 9 years ago
Eric Leblond 68d9677eea flow: force reassembly for bypassed flows 
As capture method like nfq will cut both side of the flow instantly
we will not get the hack for most data which have been received. So
it is better to force reassembly to be sure to get the timeout of
the entry.
 9 years ago
Eric Leblond 39c8786a8e flow: get bypass info in get used flow function 9 years ago
Eric Leblond 07ef451c2b flow: add pruned bypassed flow counter 9 years ago
Eric Leblond 745dad9809 flow: display info about bypass in log 9 years ago
Eric Leblond e88555caf9 flow: add bypassed states 
This patch adds two new states to the flow:
* local bypass: for suricata only bypass, packets belonging to
a flow in this state will be discard fast
* capture bypass: capture method is handling the bypass and suricata
will discard packets that are currently queued

A bypassed state to flow that will be set on flow when a bypass
decision is taken. In the case of capture bypass this will allow
to remove faster the flow entry from the flow table instead of
waiting for the "established" timeout.
 9 years ago
Giuseppe Longo 616782aa98 packet: add API for bypass 9 years ago
Jason Ish 1f4725fcab detect-tls: make check on fingerprint directional 9 years ago
Jason Ish 44c846f2f8 tls-json: make tls events direction sensitive 
Previously the src/dest ips in TLS events would differ between
IDS and IPS modes. Make the header creation direction sensitive
so they are identical in both modes.
 9 years ago
Mats Klepsland c0f93503b7 util-decode-der-get: fix coverity warning 
*** CID 1373380:  Control flow issues  (DEADCODE)
/src/util-decode-der-get.c: 126 in UtctimeToTime()
120         year = strtol(yy, NULL, 10);
121         if (year >= 50)
122             snprintf(buf, sizeof(buf), "%i%s", 19, utctime);
123         else if (year < 50)
124             snprintf(buf, sizeof(buf), "%i%s", 20, utctime);
125         else
>>>     CID 1373380:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "goto error;".
126             goto error;
127
128         time = GentimeToTime(buf);
129         if (time == -1)
130             goto error;
131
 9 years ago
Victor Julien d6f051cdf9 http: removed unused flags 9 years ago
Eric Leblond a194dfbd5b app-layer: tx counter implementation 
This patch adds a transaction counter for application layers
supporting it. Analysis is done after the parsing by the
different application layers.

This result in new data in the stats output, that looks like:
```
    "app-layer": {
      "tx": {
        "dns_udp": 21433,
        "http": 12766,
        "smtp": 0,
        "dns_tcp": 0
      }
    },
```
 9 years ago
Giuseppe Longo 675fa56497 app-layer: add ThreadVars to AppLayerParserParse 
To be able to add a transaction counter we will need a ThreadVars
in the AppLayerParserParse function.
This function is massively used in unittests
and this result in an long commit.
 9 years ago
Giuseppe Longo 5908dd0804 app-layer: add flow counters 
This adds per flow counters for all
supported protocols.

This results in new data in stats output that looks like:
```
    "app-layer": {
      "flow": {
        "http": 9310,
        "ftp": 0,
        "smtp": 0,
        "tls": 71,
        "ssh": 0,
        "imap": 0,
        "msn": 0,
        "smb": 170,
        "dcerpc_udp": 0,
        "dns_udp": 870,
        "dcerpc_tcp": 2,
        "dns_tcp": 0
      },
    },
```
 9 years ago
Eric Leblond 398489e6df stream: fix depth reached detection 
When a segment only partially fit in streaming depth, the stream
depth reached flag was not set resulting in a continuous
inspection of the rest of the session.

By setting the stream depth reached flag when the segment partially
fit we avoid to reenter the code and we don't take anymore a code
path resulting in the flag not to be set.
 9 years ago
Mats Klepsland dc8e0b3cf2 detect: add detect engine for tls validity keywords 
Add detect engine for tls validity keywords (tls_cert_notbefore and
tls_cert_notafter).
 9 years ago
Mats Klepsland d91664d67a detect-dns: move DetectEngineInspectGenericList to detect-engine.c 
Move DetectEngineInspectGenericList from detect-engine-dns.c to
detect-engine.c to enable it to be used other places as well.
 9 years ago
Mats Klepsland cad638697d lua: add lua functions for certificate validity dates 
Add functions TlsGetCertNotBefore and TLSGetCertNotAfter to get notBefore
and notAfter fields from TLS certificate in lua scripts.
 9 years ago
Mats Klepsland 67ea821521 util-lua: add (wrapper) function to push integer to lua scripts 9 years ago
Mats Klepsland ee24949065 log-tls: add notBefore and notAfter fields to extended output 
Add notBefore and NotAfter fields from TLS certificate to extended tls
log output.
 9 years ago
Mats Klepsland 5b230bbce5 output-json-tls: add notBefore and notAfter fields to extended output 
Add notBefore and notAfter fields from TLS certificate to extended JSON
output.
 9 years ago
Mats Klepsland ac4e308140 util-time: add function to create a UTC time string 
Add function CreateUtcIsoTimeString to create a UTC time string.
 9 years ago
Mats Klepsland ea5696812f detect: add tls_cert_notbefore and tls_cert_notafter keywords 
Detection plugin for TLS certificate fields notBefore and notAfter.

Supports equal to, less than, greater than, and range operations
for both keywords. Dates can be represented as either ISO 8601 or
epoch (Unix time).

Examples:
alert tls [...] tls_cert_notafter:1445852105; [...]
alert tls [...] tls_cert_notbefore:<2015-10-22T23:59:59; [...]
alert tls [...] tls_cert_notbefore:>2015-10-22; [...]
alert tls [...] tls_cert_notafter:2000-10-22<>2020-05-15; [...]
 9 years ago
Mats Klepsland c49cb05399 util-time: add function to parse a date string based on patterns 
Add function SCStringPatternToTime to parse a date string based on an
array of pattern strings.
 9 years ago
Mats Klepsland bfd16dc74e app-layer-ssl: add validity dates from certificate 
Parsing of certificate validity dates to get notBefore and notAfter
fields.
 9 years ago
Mats Klepsland 6c1c53b5a1 util-time: add function to convert tm to time_t 
Add function SCMkTimeUtc to convert broken-down time to Unix epoch in UTC.
 9 years ago
Mats Klepsland 03cda74b95 util-decode-der: decode GeneralizedTime 
Decode ASN.1 element type GeneralizedTime in DER-encoded
structures.
 9 years ago
Mats Klepsland b914861692 app-layer-ssl: use new unit test macros 9 years ago
Mats Klepsland 12356d1fca detect-ssl-version: use new unit test macros 9 years ago
Mats Klepsland 1503ac97a6 detect-tls-version: use new unit test macros 9 years ago
Mats Klepsland d9e2cde585 detect-tls-sni: use new unit test macros 9 years ago
Mats Klepsland 8e77d0c312 detect: fix faulty tls_sni unittests 9 years ago
Mats Klepsland 9d23ad9d25 tls: fix faulty unittests 9 years ago
Mats Klepsland b74f3fd978 coverty: fix CID 1361873 9 years ago
Mats Klepsland c36595eb35 tls: set event if input buffer overflows 
Set HANDSHAKE_INVALID_LENGTH event if input buffer overflows while
decoding client_hello/server_hello.
 9 years ago
Mats Klepsland 1f7b813080 app-layer-tls: add name to authors 9 years ago
Mats Klepsland 12da0e8681 tls: add function for decoding client_hello 
Add function TLSDecodeHandshakeHello() to enable using the same code
for decoding both client_hello and server_hello.
 9 years ago
Jason Ish 04da43d65d rule parsing: check for balanced double quotes 
If a rule option value starts with a double quote, ensure it
ends with a double quote, exclusive of white space which gets
trimmed anyways.

Catches errors like 'filemagic:"picture" sid:5555555;' reporting
that a missing semicolon may be the error.
 9 years ago
Victor Julien 48b3cb0492 unittests: fix tests 9 years ago
Victor Julien 6530c3d0d8 unittests: replace SCMutex* calls by FLOWLOCK_* 9 years ago
Victor Julien 682459d640 file: remove dead code 9 years ago
Victor Julien 70c16f50e7 flow-manager: optimize hash walking 
Until now the flow manager would walk the entire flow hash table on an
interval. It would thus touch all flows, leading to a lot of memory
and cache pressure. In scenario's where the number of tracked flows run
into the hundreds on thousands, and the memory used can run into many
hundreds of megabytes or even gigabytes, this would lead to serious
performance degradation.

This patch introduces a new approach. A timestamp per flow bucket
(hash row) is maintained by the flow manager. It holds the timestamp
of the earliest possible timeout of a flow in the list. The hash walk
skips rows with timestamps beyond the current time.

As the timestamp depends on the flows in the hash row's list, and on
the 'state' of each flow in the list, any addition of a flow or
changing of a flow's state invalidates the timestamp. The flow manager
then has to walk the list again to set a new timestamp.

A utility function FlowUpdateState is introduced to change Flow states,
taking care of the bucket timestamp invalidation while at it.

Empty flow buckets use a special value so that we don't have to take
the flow bucket lock to find out the bucket is empty.

This patch also adds more performance counters:

flow_mgr.flows_checked         | Total    | 929
flow_mgr.flows_notimeout       | Total    | 391
flow_mgr.flows_timeout         | Total    | 538
flow_mgr.flows_removed         | Total    | 277
flow_mgr.flows_timeout_inuse   | Total    | 261
flow_mgr.rows_checked          | Total    | 1000000
flow_mgr.rows_skipped          | Total    | 998835
flow_mgr.rows_empty            | Total    | 290
flow_mgr.rows_maxlen           | Total    | 2

flow_mgr.flows_checked: number of flows checked for timeout in the
                        last pass
flow_mgr.flows_notimeout: number of flows out of flow_mgr.flows_checked
                        that didn't time out
flow_mgr.flows_timeout: number of out of flow_mgr.flows_checked that
                        did reach the time out
flow_mgr.flows_removed: number of flows out of flow_mgr.flows_timeout
                        that were really removed
flow_mgr.flows_timeout_inuse: number of flows out of flow_mgr.flows_timeout
                        that were still in use or needed work

flow_mgr.rows_checked: hash table rows checked
flow_mgr.rows_skipped: hash table rows skipped because non of the flows
                        would time out anyway

The counters below are only relating to rows that were not skipped.

flow_mgr.rows_empty:   empty hash rows
flow_mgr.rows_maxlen:  max number of flows per hash row. Best to keep low,
                        so increase hash-size if needed.
flow_mgr.rows_busy:    row skipped because it was locked by another thread
 9 years ago
Victor Julien aee1f0bb99 flow: simplify timeout logic 
Instead of a single big FlowProto array containing timeouts separately
for normal and emergency cases, plus the 'Free' pointer for the
protoctx, split up these arrays.

An array made of FlowProtoTimeout for just the normal timeouts and an
mirror of that for emergency timeouts are used through a pointer that
will be set at init and by swapped by the emergency logic. It's swapped
back when the emergency is over.

The free funcs are moved to their own array.

This simplifies the timeout lookup code and shrinks the data that is
commonly used.
 9 years ago
Victor Julien 96427cf371 flow: remove dead code 9 years ago
Victor Julien da8f3c987b offloading: make disabling offloading configurable 
Add a generic 'capture' section to the YAML:

  # general settings affecting packet capture
  capture:
    # disable NIC offloading. It's restored when Suricata exists.
    # Enabled by default
    #disable-offloading: false
    #
    # disable checksum validation. Same as setting '-k none' on the
    # commandline
    #checksum-validation: none
 9 years ago
Victor Julien 5e3b61cc65 offloading: reduce verbosity to 'perf' 9 years ago
Victor Julien 2b2984dae9 offloading: implement restoring settings for BSD 9 years ago
Victor Julien 499e27de14 offloading: restore settings on exit 9 years ago
Victor Julien 9d48720f9a af-packet: optionally disable offloading 9 years ago
Victor Julien 98092f63b5 offloading: Linux ethtool offloading support 9 years ago
Victor Julien bc370606fc pcap: optionally disable offloading 9 years ago
Victor Julien 723a14c0fe netmap: optionally disable offloading 9 years ago
Victor Julien 2780fba1d1 device: add global flag for disabling offloading 
Add global flag to disable offloading or just warn on it.
 9 years ago
Victor Julien 7004987670 offloading: preparation for disabling offload on BSD 
Add functions for setting IFCAP flags.
 9 years ago
Jason Ish 30c853a304 detect-ssl-state: use new unit test macros 9 years ago
Jason Ish 487cdda93d ssl: issue 1231 - support ssl state negation 
Snort compatible SSL state negation. Adds "," as a state
separator, but keeps "|" for compatibility with existing
Suricata rules.
 9 years ago
Jason Ish afc796a099 ssl: store current state separately from cumulative state 
The ssl_state keyword needs the current state, not the cumulative state
in order be compatible with Snort's implementation.
 9 years ago
Jason Ish 7ce196e3bf detect-pcre: use new unit test macros 9 years ago
Jason Ish 4cdcada397 pcre: fix missing quote in pcre unit test 9 years ago
Victor Julien f7481c4078 file-hashing: restore 'force-md5' 
We don't want to break existing setups.

Do issue a warning that a new option is available.
 9 years ago
Victor Julien 4426f3ff55 file: introduce common flags handling function 9 years ago
Victor Julien 2f5663dfe9 common: introduce BIT_U16 9 years ago
Duarte Silva 53ebe4c538 file-hashing: added configuration options and common parsing code 9 years ago
Duarte Silva 89eb935f73 file-hashing: added support for SHA-256 file hashing 9 years ago
Duarte Silva a6d928e269 file-hashing: added support for SHA-1 file hashing 9 years ago
Duarte Silva 188b382c46 file-hashing: common code added 
Moved and adapted code from detect-filemd5 to util-detect-file-hash,
generalised code to work with SHA-1 and SHA-256 and added necessary
flags and other constants.
 9 years ago
Mats Klepsland f1b550d973 tls: add unit tests for tls_cert_issuer 9 years ago
Mats Klepsland 20b41567d9 tls: add unit tests for tls_cert_subject 9 years ago
Mats Klepsland 4172c4c8ac tls: add (mpm) keyword tls_cert_subject 
This keyword is a replacement for tls.subject.
 9 years ago
Mats Klepsland 9b2717799c tls: add (mpm) keyword tls_cert_issuer 
This keyword is a replacement for tls.issuerdn.
 9 years ago
Victor Julien f1117ba2dc iponly: fix unittests 9 years ago
Victor Julien 215d0d54c7 detect: optimize rule address parsing 
Many rules have the same address vars, so instead of parsing them
each time use a hash to store the string and the parsed result.

Rules now reference the stored result in the hash table.
 9 years ago
Tom DeCanio 04faf1a93a util-decode-mime: remove quote from boundary= string. 
remove quote from the end of the boundary= string.  This was throwing off
the mime parser so that it wouldn't always catch mime boundaries causing
things like missed attachments.
 9 years ago
Eric Leblond f2d1e93e65 unix-socket: add auto mode 
When running in live mode, the new default 'auto' value of
unix-command.enabled causes unix-command to be activated. This
will allow users of live capture to benefit from the feature and
result in no side effect for user running in offline capture.
 9 years ago
Eric Leblond f6c3845397 util-time: new function to know if live or offline 9 years ago
Andreas Herz 7d54d8c590 rule-reload: remember pending USR2 signals 
We did ignore additional USR2 signals while a rule-reload was running.
This changes the counter to be incremented with every additional USR2
signal so we don't ignore them anymore but it's still limited to prevent
huge overload or even overflow.
 9 years ago
Jason Ish b454aa46c6 defrag: use frag_pkt_too_large instead of frag_too_large 
The rules were using the wrong decoder event type, which was
only set in the unlikely event of a complete overlap, which
really had nothing to do with being too large.

Remove FRAG_TOO_LARGE as its no longer being used, an overlap
event is already set in the case where this event would be set.
 9 years ago
Victor Julien 00313b2140 decoder-event: BUG_ON on table mismatches 
Abort when the event enum and the name<>event table are not matching.
 9 years ago
Jason Ish 108d37a52d logging: proper failure on memory allocation error 
unwinds all previous logger allocations
 9 years ago
Jason Ish a1de7e6dae flow-vars: remove flow locks 
Code is now entered under flow lock.
 9 years ago
Jason Ish 5a783e6854 flow-bits: remove flow locks 
Code is now entered under flow lock.
 9 years ago
Jason Ish 8865009fca lua: remove flow locking from the lua layer 9 years ago
Jason Ish 688e8dbe7f stream: remove lock from StreamTcpSegmentForEach 
This is only entered from logging functions which are already
called with a locked flow.
 9 years ago
Jason Ish 55f2704a25 logging: remove the packetqueue's from the logging path 
They are not referenced by any loggers, and they probably
shouldn't be either.
 9 years ago
Jason Ish 00b6e628d1 logging: hook into flow worker thread 9 years ago
Jason Ish f8c2c3653b output-streaming: free thread store on deinit 9 years ago
Jason Ish 1b4ba4496c logging: rename registration functions to not have tmm 
As the logging modules are no longer threading modules, rename
them so they don't look like they are being registered as
threading modules.

Also, move the registration to the output.c which will handle
registration of the loggers.
 9 years ago
Jason Ish 04a44a077d logging: convert pcap log to non-thread module 9 years ago
Jason Ish a093580527 logging: just return if no tx loggers 9 years ago
Jason Ish fc35a78ba1 logging: use a single entry point for all loggers 
Introduces a new thread module, TMM_LOGGER, which is the
root most logger.

Only handles loggers in the packet path, stats and flow
logging are not included.

The loggers are made up of a hierarchy of loggers. At the top we
have the root logger which is the main entry point to
logging. Under the root there exists parent loggers that are the
entry point for specific types of loggers such as packet logger,
transaction loggers, etc. Each parent logger may have 0 or more
loggers that actual handle the job of producing output to something
like a file.
 9 years ago
Jason Ish d2c17ce9a0 logging: remove output priorities: not used 9 years ago
Jason Ish 9489d5b9e3 logging: remove dead code from output-json 
The "parent" json logger was setup like a real logger, but
some of that code was never being called.
 9 years ago
Jason Ish 8b38b9d728 output.[ch]: consistent style 
- Clean up function declaration.
- Consistenly use typedefs for function points.

No functional changes.
 9 years ago
Jason Ish fa27a76462 logging: add profiling back for non-tmm loggers 
The loggers moved away from a TMM required a new
profiling support.
 9 years ago
Jason Ish 42b8f30272 logging: convert lua output to non-thread module 9 years ago
Jason Ish 7a0737b9a9 logging: convert tls log to non-thread module 9 years ago
Jason Ish 7cb16bc90d logging: convert alert debug log to non-thread module 9 years ago
Jason Ish 7a8e8343e5 logging: convert tcp data logging to non-thread module 9 years ago
Jason Ish 4d8b8ca046 logging: convert tls store logging to non-thread module 9 years ago
Jason Ish 60b6ccc3c4 logging: convert file data logging to non-thread module 9 years ago
Jason Ish f9bb9029c5 logging: convert file logging to non-thread module 9 years ago
Jason Ish 669827ae16 logging: convert unified2 to non-thread module 9 years ago
Jason Ish b580016c80 logging: convert stats loggers to non-thread module 9 years ago
Jason Ish 9475c83713 logging: convert http log to non-thread module 9 years ago
Jason Ish e00dcd52a0 logging: convert alert syslog to non-thread module 9 years ago
Jason Ish 869d2eb701 logging: convert drop output to non-thread module 9 years ago
Jason Ish 5bbb4fd134 logging: convert json template output to non-thread module 9 years ago
Jason Ish b605984f34 tests: setup unit test framework earlier 
Allows tests to be registered early, in support of moving
outputs away from thread modules.
 9 years ago
Jason Ish bac65f09e8 logging: convert json drop output to non-thread module 9 years ago
Jason Ish 38354479b7 logging: convert json smtp output to non-thread module 9 years ago
Jason Ish 3fea12d7b3 logging: convert json ssh output to non-thread module 9 years ago
Jason Ish 01cc508257 logging: convert json netflow output to non-thread module 9 years ago
Jason Ish 983a619ff0 logging: convert json flow output to non-thread module 9 years ago
Jason Ish ad15ac8297 logging: convert json alert output to non-thread module 9 years ago
Jason Ish aaa65f3d16 logging: convert json tls output to non-thread module 9 years ago
Jason Ish 31663f1627 logging: convert prelude output to non-thread module 9 years ago
Jason Ish dedda33f01 logging: convert eve http to non-thread module 9 years ago
Jason Ish 687602c0ca logging: convert eve dns logging to non-thread module 9 years ago
Jason Ish b1200dba54 logging: convert fast log to a non-thread module 9 years ago
Jason Ish 637aa34610 logging: convert dns log to a non-thread module 9 years ago
Victor Julien 99dce740ef detect: mark alproto in keyword reg deprecated 
No existing code uses it, and it had been useless for some time.
 9 years ago
Victor Julien 9030e89c94 detect: don't set alproto while registering keyword 
The field is not used except for some printing, and is wrong for
many keywords.
 9 years ago
Victor Julien c957c62824 detect file: enable HTTP inspection from validate func 9 years ago
Victor Julien 621860f5b2 detect file: enforce protocol in single place 
Instead of trying to enforce the app layer protocol in each file
function, enforce it in the generic validation function.
 9 years ago
Victor Julien bcfa484bce app-layer: add function to check if app-layer supports files 9 years ago
Victor Julien 85db260eed threads: remove EngineKill & SURICATA_KILL 
EngineStop and EngineKill were effectively doing the same, so
removed the kill variant.
 9 years ago
Victor Julien 045c10db43 threads: failed thread is a fatal error now 9 years ago
Victor Julien fb655d5f15 threading: remove thread restart logic 
Thread restarts never worked well and the rest of the engine was
never really expecting errors to lead to thread restarts. Either
and error is recoverable in the thread, or not at all.

So this patch removes the functionality completely.
 9 years ago
Victor Julien 54503ef310 Open Suricata 3.2 development branch 9 years ago
Victor Julien 471b61a0e1 magic: fix broken tests after CentOS6 update 9 years ago
Victor Julien 82282a9e68 mpls: add missing event type + rule 9 years ago
Victor Julien 71c8d1f46c bpf: fix file parsing memory handling 
Fix improper fread string handling. Improve error handling.

Skip trailing spaces for slightly more pretty printing.

Coverity CID 400763.

Thanks to Steve Grubb for helping address this issue.
 9 years ago
Victor Julien 519b2970ec detect: don't print (null) in --list-keywords=all 9 years ago
Eric Leblond ed90a16e89 detect: fix setup for some keywords 
Fix problems found by siginit.cocci.
 9 years ago
Jason Ish 17e70483c5 detect-flowbits: more unittest macro usage 
Also cleanup some tests by removing extra code after a test was
determined to fail.
 9 years ago
Jason Ish 3c5d8e65d4 hostbits: use new unittest macros 9 years ago
Jason Ish c4945607e3 hostbits: fail parse on unexpected trailing data 
Address issue https://redmine.openinfosecfoundation.org/issues/1889
for hostbits. This involves updating the regular expresssion
to capture any trailing data as the regex already keeps
spaces out of the name.

A unit test was converted to new macros to find out which
line it was failing at after updating regex.
 9 years ago
Jason Ish 24f2387b23 flowbits: validate that there are no spaces in the name 
Fixes issue: https://redmine.openinfosecfoundation.org/issues/1889

To catch the issue where the ';' is missing we have to expand the
regex to capture the whole name string, not just the leading
valid stuff. Then verify that there are no spaces in the name
(Snort has the same restriction) and fail if there is.
 9 years ago
Eric Leblond 1cdd062dc6 unix-manager: fix output of version command 
Make it consistent with the output of version command line flag.
 9 years ago
Andreas Herz 65fd09a399 rule-parsing: reject unescaped double quote within content section 9 years ago
Victor Julien 2997d086be eve-drop: allow logging all drops 
- drop:
    alerts: yes      # log alerts that caused drops
    flows: all       # start or all: 'start' logs only a single drop
                     # per flow direction. All logs each dropped pkt.
 9 years ago
Victor Julien 1cc5f9825d dns: use nonnull attr for log functions 9 years ago