Commit Graph

9751 Commits (c41e64d637fc0ce7a95e68c2de08f4d4ea24f49f)

Author SHA1 Message Date
Vadym Malakhatko 65455208a5 plugin: fix typo in long_opts struct 5 years ago
Jeff Lucovsky cc93638d33 napatech: Style -- remove extra space 5 years ago
Jeff Lucovsky 67529bd25a napatech: Use proper parser for type
This commit uses the proper parser call for the value being parsed.
5 years ago
Jeff Lucovsky 45b055aca5 napatech: Improve configuration range handling
This commit corrects issues parsing ranges from the Napatech section of
the configuration file.
5 years ago
Jeff Lucovsky c408b15c51 napatech: Fix compiler issues w/out bypass
This commit fixes compiler errors when Napatech bypass is not configured
5 years ago
Carl Smith 81d7a7aa82 threshold: Change rule parsing to use pcre_copy_substring
Fixes memory leak when parsing threshold rules.
All parsed strings are less than 16 characters except
for the IP address which could be up to 48 characters.
Remove redefinition of MAX_SUBSTRINGS
5 years ago
Jason Ish b8994cdaca plugins: track all loaded plugins in a list
Track the pointer returned from dlopen in a list to prevent a
resource leak by the pointer going out of scope.

Found by Coverity, CID 1465661.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3864
5 years ago
Jason Ish dbb5dcb1dd plugins: use closedir to close open directory (not free)
Found by Coverity, CID 1465665: ALLOC_FREE_MISMATCH.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3864
5 years ago
Jason Ish f2a1626b51 output-json: fix Coverity USE_AFTER_FREE
Return error if plugin open fails. Fixes Coverity CID 1465664
USE_AFTER_FREE error.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3864
5 years ago
Victor Julien ac491c6e8d fuzz/pcap: add missing flow queue 5 years ago
Victor Julien 107ad95c41 fuzz/pcap: enable http2 5 years ago
Victor Julien 928d4820f9 plugins: remove unused func, suppressing compile warning 5 years ago
Victor Julien 9902413745 plugins: add missing guards 5 years ago
Jeff Lucovsky abc8bd11b9 output/ssh: Use correct file context
This commit corrects an issue with the SSH output module that resulted
in a SEGV when SSH output is logged.
5 years ago
Jason Ish e10d107415 plugins: support for capture plugins
Allow a plugin to register itself as a capture source. This isn't that
much different than how current sources register, it just happens
a little later on during startup.

One "slot" is reserved for capture plugins, but multiple plugins
implementing a capture can be loaded.  The --capture-plugin command
line option must be used to tell Suricata which plugin
to use.

This is still very much a work in progress, but can load
PF_RING as a capture plugin.
5 years ago
Jason Ish 8fb35236e6 plugins: initial support for a filetype plugin
A filetype plugin is a plugin that implements an eve filetype. Most
of the current filetypes could likely be implemented as such a plugin.
Such a plugin must implement Open, Close and Write, where Write
is provided the formatted JSON to be logged.

This commit also includes the plumbing for plugin loading. Example
plugin to come.

Plugins are loaded by the "plugin" section in the configuration
file:

  plugins:
    - /path/to/directory/plugins
    - /path/to/plugin_file.so

This can also be done on the command line with:

  --set plugins.0=/path/plugin_file.so
5 years ago
Jason Ish f35c25cef2 util-error: define generic plugin error code 5 years ago
Jason Ish 900f1522b4 plugins: config.h: move into src and rename to autoconf.h
While fixing files that include config.h, just remove the
include if possible.
5 years ago
Jason Ish f26d6eaf98 http2: log as http to abstract http and http2 a little
This commit logs http2 as an http event. The idea is to somewhat
normalize http/http2 so common info can be version agnostic.

This puts the http2 specific fields in an "http2" object inside
the "http" object.

HTTP2 headers/values that are in common with HTTP1 are logged
under the "http" object to be compatible with HTTP1 logging.
5 years ago
Philippe Antoine 1422b18a99 http2: initial support 5 years ago
Philippe Antoine 0507d1e8f8 detect: generic structures for mpm with lists 5 years ago
Victor Julien ee41c0e293 flow/spare: implement pool shrinking
Remove at most one block per run, so it shrinks slowly.
5 years ago
Victor Julien b3599507f4 flow: redesign of flow timeout handling
Goals:
- reduce locking
- take advantage of 'hot' caches
- better locality

Locking reduction

New flow spare pool. The global pool is implemented as a list of blocks,
where each block has 100 spare flows. Worker threads fetch a block at
a time, storing the block in the local thread storage.

Flow Recycler now returns flows to the pool in blocks as well.

Flow Recycler fetches all flows to be processed in one step instead of
one at a time.

Cache 'hot'ness

Worker threads now check the timeout of flows they evaluate during lookup.
The worker will have to read the flow into cache anyway, so the added
overhead of checking the timeout value is minimal. When a flow is considered
timed out, one of 2 things happens:

- if the flow is 'owned' by the thread it is handled locally. Handling means
  checking if the flow needs 'timeout' work.

- otherwise, the flow is added to a special 'evicted' list in the flow
  bucket where it will be picked up by the flow manager.

Flow Manager timing

By default the flow manager now tries to do passes of the flow hash in
smaller steps, where the goal is to do a full pass in 8 x the lowest timeout
value it has to enforce. So if the lowest timeout value is 30s, a full pass
will take 4 minutes. The goal here is to reduce locking overhead and not
get in the way of the workers.

In emergency mode each pass is full, and lower timeouts are used.

Timing of the flow manager is also no longer relying on pthread condition
variables, as these generally cause waking up much quicker than the desired
timeout. Instead a simple (u)sleep loop is used.

Both changes reduce the number of hash passes a lot.

Emergency behavior

In emergency mode there are a number of changes to the workers. In this scenario
the flow memcap is fully used up and it is unavoidable that some flows won't
be tracked.

1. flow spare pool fetches are reduced to once a second. This avoids locking
   overhead, while the chance of success was very low.

2. getting an active flow directly from the hash skips flows that had very
   recent activity to avoid the scenario where all flows get only into the
   NEW state before getting reused. Rather allow some to have a chance of
   completing.

3. TCP packets that are not SYN packets will not get a used flow, unless
   stream.midstream is enabled. The goal here is again to avoid evicting
   active flows unnecessarily.

Better Locality

Flow Manager injects flows into the worker threads now, instead of one or
two packets. Advantage of this is that the worker threads can get packets
from their local packet pools, avoiding constant overhead of packets returning
to 'foreign' pools.

Counters

A lot of flow counters have been added and some have been renamed.

Overall the worker threads increment 'flow.wrk.*' counters, while the flow
manager increments 'flow.mgr.*'.

Additionally, none of the counters are snapshots anymore, they all increment
over time. The flow.memuse and flow.spare counters are exceptions.

Misc

FlowQueue has been split into a FlowQueuePrivate (unlocked) and FlowQueue.
Flow no longer has 'prev' pointers and uses a unified 'next' pointer for
both hash and queue use.
5 years ago
Victor Julien e0aa7c1dbc unittests: check for flow memuse 5 years ago
Victor Julien f50c7b6d11 flow-manager: call other timeouts max once a second
Call Defrag and others only once per second. Flow Manager may wake
up (much) more often when flow engine is under resource pressure.
As this does not affect Defrag and others, it only unnecessarily
adds load.
5 years ago
Victor Julien 6814f08e93 flow-manager: only update FlowBucket::next_ts if it changed 5 years ago
Victor Julien 1d6d7f0858 flow: unref flow at end of flow worker 5 years ago
Victor Julien 2fd7c87f22 flow: do timeout checks before tuple compare 5 years ago
Victor Julien 48605f4867 flow: don't reorder list on lookup
Reduces cache misses.
5 years ago
Victor Julien 2a872ccb86 flow: timeout check on flow lookup 5 years ago
Victor Julien 7583a6c37c flow: simplify hash lookup logic
Remove double compare paths in favor of a single unified path.
5 years ago
Victor Julien 8b016cff4b flow: only move lastts forward
Pcaps with timestamps jumping around could confuse flow timeout
handling otherwise.
5 years ago
Victor Julien afd4a8012e flow/worker: check pkt src using DEBUG_VALIDATE_BUG_ON 5 years ago
Jason Ish fd5d8b78d0 alert/eve: add snmp metadata for rdp alerts
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3441
5 years ago
Jason Ish ef0ebc9550 alert/eve: add snmp metadata for snmp alerts
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3441
5 years ago
Shivani Bhardwaj 4c7f55e636 dcerpc: handle gap for TCP streams 5 years ago
James Dutrisac db5b73d9d6 pcap: read directories recursively
Describe Changes
- Added ability to recursively read pcap directories
- src/suricata.c: addition of new command line parameter
    --pcap-file-recursive
- src/source-pcap-file.c: parsing of the command line argument
- src/source-pcap-file-directory-helper.h: two thread vars tracking
    directory depth and should recurse
- src/util-error.c / src/util-error.h:
   Added new warning code "SC_WARN_PATH_READ_ERROR"
- Redmine ticket: https://redmine.openinfosecfoundation.org/issues/2363

Ticket: #2363
5 years ago
James Dutrisac 5a92d0a704 path: introduce path handling util funcs
This commit provides changes to util-path.c and util-path.h
to support the recursive reading of directories. It adds
4 functions.
- SCIsRegularFile to provide OS independent file info.
- SCIsRegularDirectory to provide OS independent directory info.
- SCRealPath is an OS independent wrapper for realpath.
- PathJoin to manage path resolution logic.
5 years ago
Philippe Antoine 3cfc1fcb07 stream/app-layer: break loop on proto change 5 years ago
Shivani Bhardwaj c9a637d854 datasets: fix null pointer deref 5 years ago
Shivani Bhardwaj a8f147d17a datasets: Init even in socket mode
Closes redmine ticket 3476.
5 years ago
Sascha Steinbiss 93eef1da84 detect-mqtt: unify error handling in rule parsing
This is meant to provide a single path to the error case.
This might help make things more clear for static
checkers.
5 years ago
Sascha Steinbiss 5dc21b0e09 detect-engine: initialize struct fields 5 years ago
Philippe Antoine 9a954e944d http: merge duplicated code
HtpRequestBodyHandlePUT and HtpRequestBodyHandlePOST
5 years ago
Philippe Antoine fe6950de08 http: use more precise parameter in HtpRequestBodySetupMultipart
So that we can see that it does not have to handle gaps
5 years ago
Philippe Antoine e13b319beb http: remove unused code
HtpRequestBodySetupPUT function
So that we can see that we do not use data=NULL in there
5 years ago
Philippe Antoine 28050c967f file: handles gaps natively
ie data=NULL and len>0 parameters
5 years ago
Philippe Antoine f0159b2fd2 util: PrintRawDataFp handles null
for gaps which are data=NULL and len>0
5 years ago
Philippe Antoine 6343920dfc applayer: allow rust parsers to have only one probe 5 years ago
Sascha Steinbiss 4e1a41a17d output-json: add MAC address output
This commit adds MAC address output to the EVE-JSON format. We follow the
remarks made in Redmine ticket #962: for packets, log MAC src/dst as a
scalar field in EVE; for flows, log MAC src/dst as lists in EVE. Field names
are different between flow and packet context to avoid type confusion
(src_mac vs. src_macs). Configuration approach and JSON representation is
taken from previous GitHub PR #2700.
5 years ago
Jeff Lucovsky c42574169e output/anomaly: Restrict anomaly logger count
This commit restricts the anomaly logger count. The restriction is
necessary due to state maintenance in the logger that doesn't scale
beyond a single logger.

Until that issue's solved, when multiple anomaly loggers are configured,
an error message will be emitted to highlight the restriction.
5 years ago
Philippe Antoine 61c327dd80 signature: checks for integer overflow in limits propagation 5 years ago
Victor Julien 1c748f394b fuzz/pcap: enable MQTT parser 5 years ago
Shivani Bhardwaj e9fe5ada7f datasets: reload static sets 5 years ago
Sascha Steinbiss c31360070b rust/mqtt: add MQTT parser 5 years ago
Philippe Antoine a5572890a9 detect: adds engine for u8 keywords 5 years ago
Jeff Lucovsky 30ae98f658 output/json: Multi-threaded EVE logging support
This commit modifies the JSON loggers with changes necessary to support
multi-threaded EVE output.

Each "thread-init" function sets up the per-thread log file context for
subsequent calls to the JSON output to buffer function.
5 years ago
Jeff Lucovsky aa20770277 log: Support multi-threaded eve output. 5 years ago
Jeff Lucovsky 15b4554ab3 output: Check for fwrite_unlocked
This commit creates a macro for fwrite_unlocked which is probed during
configuration time.
5 years ago
Jeff Lucovsky 3d0f353ee5 output: Correct typos 5 years ago
Jeff Lucovsky 1b791f34a5 output: Remove unused variables/define 5 years ago
Jeff Lucovsky 92e2e2ec8d log: remove unused include files 5 years ago
Jeff Lucovsky 60658cbe01 output/flow: Eliminate unnecessary parameter
This commit removes a parameter to an internal-only function call.
Removing the parameter allows a JSON builder optimization to be used.
5 years ago
Jeff Lucovsky 4aa7c988e8 output/netflow: Eliminate unneeded parameter
This commit changes an internal-only function to remove a parameter
that's invariant in all use cases. This allows a JSON builder
optimization to be used.
5 years ago
Philippe Antoine 1569f3e349 transform: adds url_decode keyword
Fixes https://redmine.openinfosecfoundation.org/issues/2689

Adds a new source file to handle this keyword.
And modifies documentation, Makefile, and registration accordingly.

url_decode decodes url-encoded data, ie replacing '+' with space
and '%HH' with its value.
5 years ago
Victor Julien 4c8af9cb96 stream: fix endless loop in traffic with gaps 5 years ago
Victor Julien 9b13c1b804 flow: avoid double state update on reuse
Avoids an unnecessary atomic operation.
5 years ago
Victor Julien fd2dff8542 flow: minor cleanups 5 years ago
Victor Julien 7bf000731c flow: validate emergency timeout settings
Make sure they are below the regular values.
5 years ago
Victor Julien 611c991f27 flow: improve performance in emergency mode
When the flow engine enters emergency mode, 3 things happen:

1. a different set of (lower) timeout values are applied
2. the flow manager runs more often
3. worker threads go get a flow directly from the hash table

Testing showed that performance went down significantly due to concurrency
issues:

1. worker threads would fight each other over the hash access
2. flow manager would get in the way of workers

This patch changes the behavior in 2 ways:

1. it makes the flow manager slightly less aggressive. It will still
   try to run ~3 times per second, but no longer 10 times.

   This should be reducing the contention. At the same time flows
   won't time out faster if they are checked many times per second.

2. The 'get a used flow' logic optimizes the use of atomics by only
   doing an atomic operation once, and while doing so reserving
   a slice of the hash per worker.

   The worker will also give up much quicker, to avoid the overhead
   of hash walking and taking and releasing locks.

These combined changes show much better 'under stress' behavior, esp
on multi-NUMA systems.
5 years ago
Philippe Antoine 0da4dc0dea enip: use status for probing parser 5 years ago
Philippe Antoine a99ad4c1e4 signature: checks for integer overflow in limits propagation 5 years ago
Philippe Antoine 5c31383d1c detect: fix read overflow in DetectGetLastSMByListId 5 years ago
Victor Julien b99ffd9ece eve: remove unused jansson code 5 years ago
Victor Julien a8e2399ea9 eve/metadata: create preformatted json string at start up
Avoid runtime overhead of assembling metadata json string by
pre-creating it at rule parsing time.
5 years ago
Victor Julien 1a18081a59 detect/profile: convert match dumps to jsonbuilder
Remove unused code and do minor misc cleanups as well.
5 years ago
Victor Julien 1639dfa36e pfring: fix compile warning 5 years ago
Victor Julien 38fe11f3b2 eve: remove unused json_t common functions
These are no longer used as all callers have switched to
the JsonBuilder equivalents.
5 years ago
Victor Julien 7ccfa177de eve/tls: minor cleanups 5 years ago
Victor Julien 04dad483c1 eve/metadata: convert to jsonbuilder 5 years ago
Victor Julien 556bee2adc stream: call parser with 0 data on EOF
This way both sides can call the EOF logic.
5 years ago
Victor Julien 616d7f256b app-layer/tcp: don't use un-ACK'd data
Still use un-ACK'd data in unclean shutdown. This means any state
before TCP_CLOSED, or TCP_CLOSED that was caused by a RST.
5 years ago
Victor Julien 42205006d1 flow/timeout: flag last pseudo packet
Flag the last flow timeout pseudo packet so that we can force
TX logging w/o setting both app-layer flags.

Case this fixes:

1. flow times out when only TS TCP data received, but none of it is ACK'd.
   So there is no app-layer proto yet, or app state or Flow::alparser. So
   EOF flags can't be set.

2. Flow timeout sees no reason to create pseudo packet in TC direction.

3. TS pseudo packet finds HTTP, creates HTTP state, flag EOF TS.

4. TX logging skips HTTP logging because:
   - TC progress not reached
   - EOF TC flag not set.

The solution has been to flag the very last packet for the flow as such
and use it as a master-EOF flag.
5 years ago
Victor Julien c825f83633 stream/tcp: track if ssn has been closed with RST 5 years ago
Victor Julien 1b3582325b app-layer: set EOFs on app-layer disable 5 years ago
Victor Julien 1cbbc82647 flow/worker: set EOF flags on change proto 5 years ago
Victor Julien a9f2540203 flow-timeout: set app-layer EOF flag 5 years ago
Victor Julien ecd7862c36 app-layer: add debug 5 years ago
Victor Julien d8d59ac9b5 stream: minor debug fixup 5 years ago
Victor Julien 5fd9386665 app-layer/pd: improve size check in bail conditions 5 years ago
Victor Julien 4f73943df9 app-layer: split EOF flag per direction 5 years ago
Victor Julien 57b75f89da stream: app update from loop
When the stream engine has data ready for the app-layer it will call
this API from a loop instead of just once. The loop is to ensure that
if we have a very lossy stream where between 'app_progress' and
'last_ack' there are multiple chunks of data and multiple gaps we
process all the chunks.
5 years ago
Victor Julien e822b30cc2 stream: improve gap handling with 'incomplete'
Make sure stream requiring more data because of 'incomplete' records
properly move ahead if there is a GAP in the window of required data.
5 years ago
Victor Julien c7d59a61ea stream: fix IDS mode using un-ACK'd data 5 years ago
Victor Julien 49eba6ac23 stream: code cleanup 5 years ago
Victor Julien f65bf4c7ea flow/tcp: consider pkts established based on 3whs 5 years ago
Victor Julien 7309c97eda detect/flow: test cleanup 5 years ago
Jeff Lucovsky 52cb1b8167 detect/dns-query: Splice UT to rust 5 years ago
Victor Julien 0025467f90 sources: hide RegisterTests behind ifdef UNITTESTS
Update callers.
5 years ago
Victor Julien 085eb9fc8e eve/ssh: minor cleanup 5 years ago
Philippe Antoine 0c92b8f7e4 dcerpc: adds invalid signature unit test 5 years ago
Philippe Antoine b8069365f5 dcerpc: check app proto for signature keywords 5 years ago
Victor Julien 6ab323d323 detect: hide RegisterTests behind ifdef UNITTESTS
Update all callers to more aggressively use UNITTESTS guards as well.
5 years ago
Xiaofan Wang 071f55dcd7 ftp: fix direction of expectation for STOR command
Fix direction in active mode.
5 years ago
Victor Julien 0d24066876 sip: minor cleanup 5 years ago
Victor Julien db3b637ada htp: minor UNITTESTS guarding cleanup 5 years ago
Victor Julien 7c364017da ftp: small code cleanup 5 years ago
Jeff Lucovsky 72e2f36f9b ftp: Restrict file name lengths
Restrict file name lengths to PATH_MAX - 1 to avoid over subscribing
memory to FTP file name tracking.
5 years ago
Shivani Bhardwaj c169cfe0a3 bytetest: use ByteExtractString instead of StringParse 5 years ago
Shivani Bhardwaj 6f84515dd9 util: fix trailing char check with ByteExtractString 5 years ago
Zach Kelly 22a2bee614 rdp/eve: convert to jsonbuilder 5 years ago
Joshua Lumb f7c4600482 threads/runmode: Changes to thread config behaviour 5 years ago
Shivani Bhardwaj 333a785efd sip: remove extra jsonbuilder close 5 years ago
Shivani Bhardwaj 9f9670ebdc logging: Add DCERPC logger 5 years ago
Shivani Bhardwaj bab497ab2c dcerpc: Add multi transaction support
DCERPC parser so far provided support for single transactions only.
Extend that to support multiple transactions.

In order for multiple transactions to work, there is always a
transaction identifier for any protocol in its header that lets a
response match the request. In DCERPC, for TCP, that param is call_id in
the header which is a 32 bit field. For UDP, however, since it uses
a different version of RPC (4.x), this is defined by the serial number field
defined in the header. This field however is not contiguous and needs to
be assembled by the provided serial_low and serial_hi fields.
5 years ago
Victor Julien 9831839388 detect/mpm: fix hs check 5 years ago
Roland Fischer 9f1efa3c10 pcap: 32bit counters can wrap-around
Fixes issue 2845.

pcap_stats is based on 32bit counters and given a big enough throughput
will overflow them. This was reported by people using Myricom cards which
should only be a happenstance. The problem exists for all pcap-based
interfaces.

Let's use internal 64bit counters that drag along the pcap_stats and
handle pcap_stats wrap-around as we update the 64bit stats "often enough"
before the pcap_stats can wrap around twice.
5 years ago
Shivani Bhardwaj 67e7be633c krb: convert to jsonbuilder
Closes redmine ticket 3754.
5 years ago
Shivani Bhardwaj 72dab0a8b7 snmp: convert to jsonbuilder
Closes redmine ticket 3756.
5 years ago
Jason Ish 53aa967e0b applayer: add flags to parser registration struct
This will allow Rust parsers to register for gap handling from
Rust (some Rust parsers do handle gaps, but they set the flag
from C).
5 years ago
Jason Ish 7476399f43 template: add gap handling 5 years ago
Victor Julien 4726d7027c detect/mpm: 'mpm-algo' parsing cleanups 5 years ago
Victor Julien f2a3d6d834 flow: fix unlikely issue with int handling
Thanks for reporting this magenbluten PR 4575.
5 years ago
Victor Julien fa2b46cdc3 detect/stream_size: minor code cleanups 5 years ago
Victor Julien ac3cf6ff75 detect/config: set config for special cases
Allow app-layer to declare the txs are uni-directional and special
care is needed for applying config.
5 years ago
Victor Julien 2145cf99a3 detect/config: initial version 5 years ago
Victor Julien a2f249cc86 app-layer: handle AppLayerTxData being NULL
Http parser can have 'NULL' user data in case of memcap limit getting
reached.
5 years ago
Victor Julien 5dd4d948d9 app-layer: remove unused detect flags API 5 years ago
Victor Julien f88657206c app-layer: GetTxData callback is mandatory 5 years ago
Victor Julien 8fe9faecb2 app-layer: remove DetectFlags API. Replaced by AppLayerTxData 5 years ago
Victor Julien 9664f73f75 app-layer: remove logged API calls 5 years ago
Victor Julien 455eab370e template: support AppLayerTxData 5 years ago
Victor Julien e0debed0b4 tftp: support AppLayerTxData 5 years ago
Victor Julien a1e06247a6 dcerpc/udp: support AppLayerTxData 5 years ago
Victor Julien 3202d29325 dcerpc: support AppLayerTxData 5 years ago
Victor Julien 8cd55124a3 modbus: support AppLayerTxData 5 years ago
Victor Julien 7d663ed5cf enip: support AppLayerTxData 5 years ago
Victor Julien fb780c7d92 ssl/tls: support AppLayerTxData 5 years ago
Victor Julien bc11a1c23e smtp: support AppLayerTxData 5 years ago
Victor Julien c98f597831 ftp: support AppLayerTxData 5 years ago
Victor Julien 302cf49486 dnp3: support AppLayerTxData 5 years ago
Victor Julien 77a95eddd9 smb: support AppLayerTxData 5 years ago
Victor Julien 7a7805cde6 nfs: support AppLayerTxData 5 years ago
Victor Julien 910922cdc4 htp: support AppLayerTxData 5 years ago
Victor Julien 5665fc8301 app-layer: add ApplyTxConfig API
Optional callback a parser can register for applying configuration
to the 'transaction'. Most parsers have a bidirectional tx. For those
parsers that have different types of transaction handling, this new
callback can be used to properly apply the config.
5 years ago
Victor Julien df27205451 output/tx: implement filtering 5 years ago
Victor Julien e15995e2d2 detect: store detect flags in AppLayerTxData 5 years ago
Victor Julien c797c9f09c app-layer: add logger flags to AppLayerTxData 5 years ago
Victor Julien 411f428a38 app-layer: define AppLayerTxData and AppLayerTxConfig
AppLayerTxData is a structure each tx should include that will contain
the common fields the engine needs for tracking logging, detection and
possibly other things.

AppLayerTxConfig will be used by the detection engine to configure
the transaction.
5 years ago
Victor Julien 274a033d65 htp: alloc user data at tx start
This way the AppLayerTxData is set up from the start. Any type of
processing (logging, detection) will lead to setting up the user
data later on anyway.

Remove other places where it was added.
5 years ago