Commit Graph

12932 Commits (c587e90ebccfe8883ea951e723be461dc58dcc06)

Author SHA1 Message Date
Jason Ish e5ac439226 output-flow.h: include flow.h and decode.h
A library/plugin user wanting to register a custom flow logger must
include "output-flow.h", however that depends on some other includes.
One train of thought with respect to include files in libraries is
that they should include all their dependencies on behalf of the
user. To make a custom flow logger just a little easier, include
"flow.h" and "decode.h".

Ticket: #7227
12 months ago
Jason Ish 0d16ce2af4 output-flow: remove ThreadExitPrintStats callback
The callback, ThreadExitPrintStats is not used in the flow loggers.

Ticket: #7227
12 months ago
Jason Ish 0506043dea output-flow: use void * instead of OutputCtx * for initdata
The use of OutputCtx as the data type for initdata was leaking Eve
submodule logic into the low level flow logger. Instead use void *, as
the flow logging module is not concerned with the type of data here.

Also document this initdata parameter.

Ticket: #7227
12 months ago
Jason Ish bd81f9f4d3 output-flow: document the name field as for debugging only
Ticket: #7227
12 months ago
Jason Ish afcf591719 output-flow: remove unused initdata argument
The initdata argument to OutputFlowThreadInit was always NULL, remove
it. Internally the ThreadInit functions still get initdata, but this
is the data provided when that logging instance was registered.

Ticket: #7227
12 months ago
Jason Ish 15fe844ae7 syslog: deprecate
The standalone syslog output is now deprecated for Suricata 8. Display
a warning on use and add notes to the userguide.

Ticket: #6544
12 months ago
Jason Ish 5853fb922d tls-log: deprecate
tls-log is now deprecated and will be removed in Suricata 9.0. Display
a deprecation notice on use, and add notes to the user guide.

Ticket: #6542
12 months ago
Jason Ish ab26323a96 http-log: deprecate
http-log is now deprecated and will be removed in Suricata
9.0. Display a deprecation notice on use, and add notes to the
userguide.

Issue: #6543
12 months ago
Jason Ish d7e33a51bc arp: profiling logger id must come before LOGGER_SIZE
Also added a comment to make this more clear.
12 months ago
Eric Leblond 4668c95513 datasets: fix parsing of ip4 in ip6
The lookup function was not taking into account that we can have
an IPv4 or an IPv6 address as parameters and that these addresses
need to be converted to Suricata internal storage.
By using the already defined dedicated parsing function, we are
fixing the issue.

Issue: #6969
12 months ago
Lukas Sismis a32b68985f profiling: use correct conditional on packet profiling data dump
Ticket: #7218
12 months ago
Victor Julien cff82f16b3 pcap-file: limit setvbuf to linux
As it fails to work correctly on FreeBSD and OpenBSD.

On FreeBSD, these are the errors:

Info: pcap: Pcap-file will use 4096 buffer size [PcapFileGlobalInit:source-pcap-file.c:159]
Error: pcap: failed to get first packet timestamp. pcap_next_ex(): -2 [PeekFirstPacketTimestamp:source-pcap-file-helper.c:186]
Warning: pcap: Failed to init pcap file input.pcap, skipping [ReceivePcapFileThreadInit:source-pcap-file.c:299]
Error: pcap: pcap file reader thread failed to initialize [ReceivePcapFileLoop:source-pcap-file.c:185]
12 months ago
Victor Julien 688bd538cf pcap: implement pcap-file-buffer-size option
Allows easy specification of buffer size on the commandline.

Ticket: #7155.
12 months ago
Victor Julien 7b730c2e68 pcap-file: improve setvbuf implementation
Make optional through `pcap-file.buffer-size` config option.

Make sure to check through configure.

Ticket: #7155.
12 months ago
Jason Ish 5f2aef7777 pcap-file: use larger buffer for reading pcap files
Inspired by a recent Zeek blog post, this could speed up PCAP
processing by a few percent.

Ticket: #7155.
12 months ago
Victor Julien 96a0ffadde packetpool: allow larger max-pending-packets
Original limit was due to a specific data structure.
12 months ago
Giuseppe Longo edf70276d6 rust/ldap: enable parser for udp
This introduces a new parser registration function for LDAP/UDP, and updates
the ldap configuration in order to be able to enable/disable a single parser
independently (such as dns).
Also, GAPs are accepted only for the TCP parser and not for UDP.

Ticket #7203
1 year ago
Philippe Antoine ede77bc4db rfb: move app-layer registration code to rust
Ticket: 7178
1 year ago
Philippe Antoine 62a186ceef detect/rfb: move keywords to rust
Ticket: 7178

On the way, convert rfb.secresult to a generic integer with enumeration
cf ticket 6723
1 year ago
Philippe Antoine 61cb14d272 detect: make events prefilterable
Ticket: 6728
1 year ago
Philippe Antoine bd23185f7d detect: minor optimization for tx
do not bother to clean the buffers, if we did not run detection
for this transaction.
1 year ago
Philippe Antoine 3ad15f5c37 detect/tx: avoid a call to memset
just initialize the small struct to zero
1 year ago
Philippe Antoine 3f8251bd47 fuzz: make confyaml.c an explicit source
Ticket: 7181

Allows confyaml.c to be in the release archive
1 year ago
Philippe Antoine f96994fb3b source: fix -Wshorten-64-to-32 warnings
Ticket: #6186
1 year ago
Philippe Antoine 4ae5799720 log: fix -Wshorten-64-to-32 warnings
Ticket: #6186
1 year ago
Philippe Antoine 87eb4b5077 output/tx: use dynamic number of app-layer protos
Ticket: 5053
1 year ago
Philippe Antoine 323610c1e8 output: use dynamic number of app-layer protos
Ticket: 5053
1 year ago
Philippe Antoine dacb965fb8 runmodes: use dynamic number of app-layer protos
Ticket: 5053
1 year ago
Philippe Antoine 6ae294c770 detect: run frames on pseudo flush packets
for SSH packets that mark the end of plaintext
1 year ago
Philippe Antoine 7f6c963ac4 doh2: log like dns v3 1 year ago
Philippe Antoine bd5ad0d74a util/profiling: remove assertion
Now a flow alproto can be changed by a call to AppLayerParserParse
when HTTP2 forces the flow to turn into DOH2.
1 year ago
Philippe Antoine 0ccad8fd88 doh: make dns and http keywords for doh2
Ticket: 5773
1 year ago
Philippe Antoine 1e82e20c65 doh: implement dns over http2 app-proto
Ticket: 5773
1 year ago
Philippe Antoine 10ef4e832f runmodes: fix -Wshorten-64-to-32 warnings
Ticket: #6186
1 year ago
Philippe Antoine ce2c087e92 defrag: fix -Wshorten-64-to-32 warnings
Ticket: #6186
1 year ago
Philippe Antoine bb9a45cfd0 datasets: fix -Wshorten-64-to-32 warnings
Ticket: #6186
1 year ago
Giuseppe Longo 910a5b226c rust/ldap: implement logger 1 year ago
Giuseppe Longo 93da339975 rust/ldap: implement app-layer 1 year ago
Philippe Antoine b8c12090f7 smtp: add port 465 for probing 1 year ago
Philippe Antoine eac9cd959f smtp: do not return error on NULL buffer for end of stream 1 year ago
Philippe Antoine e2d1d05878 smtp: recognize more reply codes
Ticket: 6821
1 year ago
Philippe Antoine 694b2797cd ftp: adds server side detection 1 year ago
Philippe Antoine cc3dde8ada smtp: adds server side detection
Ticket: #1125
1 year ago
mmaatuq 64d18e3cc2 imap: extend detection patterns
Ticket: #2886

Signed-off-by: mmaatuq <mahmoudmatook.mm@gmail.com>
1 year ago
Philippe Antoine bce8f4b853 detect/ssh: remove deprecated keywords
Ticket: 2377
1 year ago
Philippe Antoine 0a1062fad2 detect/mqtt: move keywords to rust
Ticket: 4863

On the way, convert some keywords to use the first-class integer
support.
And helpers for pure rust support for multi-buffer.

Move the C unit tests about keyword mqtt.protocol_version
to unit tests for generic integer parsing, and test version 5
instead of testing twice version 3.

Also iterate all tx's messages for reason code as is done for other
keywords.

And allow detection on empty topics.
1 year ago
Philippe Antoine f4e7d1e217 detect: helper function for multibuffer registration
So that rust does not need to know about SIG_FLAG_TOCLIENT value
1 year ago
Philippe Antoine 4e074b8f38 output/alert: remove now unused include
Including the mqtt one, now that it is almost rust only
1 year ago
Philippe Antoine daad7f2d41 detect/integers: harmonize parser return handling
Ticket: 7172

When parsing an integer for a rule keyword fails, we return error
straight away, without bothering to try to free the NULL pointer.

On the way, remove some one-line wrapper around DetectUxParse
1 year ago
Jason Ish fcc1b1067b eve/dns: make version required
The "eve.version" field is not always logged. Update the schema to
enforce that it is, and fix it for records that don't log it.

Ticket: #7167
1 year ago
Jason Ish b318e78b3a pf-ring: bring back command line arguments
Bring back the pf-ring command line arguments, but instead of
initializing the pfring runmode, initialize the capture plugin runmode
with a plugin named "pfring".

Ticket: #7162
1 year ago
Jason Ish c3092b6e5a pf-ring: remove, to make room for plugin
Ticket: #7162
1 year ago
Victor Julien 342aec8f1c parse/size: support IEEE 1541 size units
Introduce KiB, MiB and GiB. They are case sensitive as a lower case 'b'
means bits in the IEEE 1541 scheme.

KiB = 1024
MiB = 1048576
GiB = 1073741824

Ticket: #1457.
1 year ago
Victor Julien 0e03691fdb parse/size: fix unit test checks 1 year ago
Victor Julien 855cc89636 profiling: allow absolute paths
Ticket #6490.
1 year ago
Victor Julien a404fd26af tcp: fix 'broken ack' on flow timeout
Don't set an ACK value if ACK flag is no longer set. This avoids a bogus
`pkt_broken_ack` event set.

Fixes: ebf465a11b ("tcp: do not assign TCP flags to pseudopackets")

Ticket: #7158.
1 year ago
Shivani Bhardwaj f2de3e01cb src: remove truncate fn and glue code
truncate fn is only active and used by dcerpc and smb parsers. In case
stream depth is reached for any side, truncate fn is supposed to set the
tx entity (request/response) in the same direction as complete so the
other side is not forever waiting for data.

However, whether the stream depth is reached is already checked by
AppLayerParserGetStateProgress fn which is called by:
- DetectTx
- DetectEngineInspectBufferGeneric
- AppLayerParserSetTransactionInspectId
- OutputTxLog
- AppLayerParserTransactionsCleanup

and, in such a case, StateGetProgressCompletionStatus is returned for
the respective direction. This fn following efc9a7a, always returns 1
as long as the direction is valid meaning that the progress for the
current direction is marked complete. So, there is no need for the additional
callback to mark the entities as done in case of depth or a gap.
Remove all such glue code and callbacks for truncate fns.

Bug 7044
1 year ago
Shivani Bhardwaj 80159eb519 applayer: remove truncation logic
as its functionality is already covered by the generic code.
This removes the APP_LAYER_PARSER_TRUNC_TC and APP_LAYER_PARSER_TRUNC_TS
flags, as FlowGetDisruptionFlags sets the STREAM_DEPTH flag in case
the respective stream depth was reached. This flag tells whether
all the open files should be truncated or not.

Bug 7044
1 year ago
Philippe Antoine 090079cdd8 decode: fix -Wshorten-64-to-32 warnings
Ticket: #6186
1 year ago
Philippe Antoine eeb290384a flow: fix -Wshorten-64-to-32 warnings
Ticket: #6186
1 year ago
Philippe Antoine 9c0875b2a4 features: fix -Wshorten-64-to-32 warnings
Ticket: #6186
1 year ago
Philippe Antoine b5140c43ca counters: fix -Wshorten-64-to-32 warnings
Ticket: #6186
1 year ago
Philippe Antoine d28c646662 output/dcerpc: call jb_get_mark just before jb_open_object 1 year ago
Jason Ish b32f6bf381 eve/dns: allow version to be set with environment variable
There is no sane way to override the DNS eve version in Suricata
tests without using a copy of the configuration file, and many of the
tests by design use the configuration file of the Suricata under test,
so making a copy would break this assumption.

To get around this, respect the SURICATA_EVE_DNS_VERSION environment
variable as a way to set the version if not explicitly set in the
configuration file.
1 year ago
Jason Ish 575e5b471f dns: add v3 dns logging
DNS v3 logging fixes the discrepancies between request and response
logging with the main difference being queries always being placed in an
array.

Bug: #6281
1 year ago
Jason Ish df656324ba dns: new v3 style logging for alerts
V3 style DNS logging fixes the discrepancies between request and
response logging, and between dns records and alert records.

The main change is that queries and answers are always logged as
arrays, and header fields are not logged in array items.

For alerts this means that answers are now logged as arrays, queries
already were.

DNS records will get this new format as well, but with a configuration
parameter.

Bug: #6281
1 year ago
Sascha Steinbiss ad02040860 mqtt: enable limiting of logged message length
Ticket: #6984
1 year ago
Jeff Lucovsky 70bdc37f96 detect/byte_extract: Move keyword parser to Rust
Implement the keyword parser in Rust.

Issue: 6873
1 year ago
Jeff Lucovsky 73dfc58772 detect/byte: Refactor endian, base
Issue: 6873

Refactor the enums for endian and base handling for broader use.
1 year ago
Philippe Antoine eeec609ac8 util/thash: decrease memuse if array was allocated
THashInitConfig may not allocate array and increase memuse.
Such a failure leads to THashShutdown which should not decrease
the memuse.

Ticket: 7135
1 year ago
Lukas Sismis 35dffc6b32 dpdk: replace TSC clock with GetTime (gettimeofday) function
Getting clock through Time Stamp Counter (TSC) can be precise and fast,
however only for a short duration of time.
The implementation across CPUs seems to vary. The original idea is to
increment the counter with every tick. Then dividing the delta of CPU ticks
by the CPU frequency can return the time that passed.
However, the CPU clock/frequency can change over time, resulting in uneven
incrementation of TSC. On some CPUs this is handled by extra logic.
As a result, obtaining time through this method might drift from the real
time.

This commit therefore substitutes TSC time retrieval by the standard system
call wrapped in the GetTime function - on Linux it is gettimeofday.

Ticket: 7115
1 year ago
Shivani Bhardwaj a7af371843 applayer/htp-range: fix off by one in expiry check 1 year ago
Shivani Bhardwaj f1b44ca8c7 datasets: fix memuse to include string len
So far, when the data size was passed to the THash API, it was sent as
a sizeof(Struct) which works fine for the other data types as they have
a fixed length but not for the StringType.
However, because of the sizeof construct, the length of a string type
dataset was always taken to be 16 Bytes which is only the size of the struct
itself. It did not accommodate the actual size of the string that the
StringType holds. Fix this so that the memuse that is used to determine
whether memcap was reached also takes into consideration the size of the
actual string.

Bug 3910
1 year ago
Shivani Bhardwaj 00f7038beb util/thash: add a length getter fn
In order to have access to the length of datatypes with variable lengths
to correctly update memuse to calculate memcaps.

Bug 3910
1 year ago
Philippe Antoine df5dcfef5f bypass: really bypass udp flow from first packet
Ticket: 7053

As flow state would be overwritten by established...
1 year ago
Philippe Antoine 6b56d5971a output/tx: use dynamic number of app-layer protos
OutputTxLoggerThreadData gets allocated after the number of app-layer
protos is definite
1 year ago
Philippe Antoine 6a942f589c detect/profiling: use dynamic number of app-layer protos 1 year ago
Philippe Antoine f74997f5c7 app-layer: use already defined constant
FLOW_PROTO_APPLAYER_MAX
1 year ago
Philippe Antoine deb4a5a8cc detect/file-data: use dynamic number of app-layer protos 1 year ago
Philippe Antoine 647e878f7c detect: helper function for multibuffer 1 year ago
Victor Julien 12130df21c detect/threshold: implement backoff type
Implement new `type backoff` for thresholding. This allows alerts to be
limited.

A count of 1 with a multiplier of 10 would generate alerts for matching packets:
1, 10, 100, 1000, 10000, 100000, etc.

A count of 1 with a multiplier of 2 would generate alerts for matching packets:
1, 2, 4, 8, 16, 32, etc.

Like with other thresholds, rule actions like drop and setting of
flowbits will still be performed for each matching packet.

Current implementation is only for the by_flow tracker and for per rule
threshold statements.

Tracking is done using uint32_t. When it reaches this value, the rest of
the packets in the tracker will use the silent match.

Ticket: #7120.
1 year ago
Victor Julien a0d515bfdd detect/threshold: regex cleanup 1 year ago
Victor Julien 2abe0df136 detect/threshold: format file 1 year ago
Victor Julien 7d4fcc311c detect/threshold: make hash size and memcap configurable 1 year ago
Victor Julien 10eaf550b7 detect/threshold: includes cleanup 1 year ago
Victor Julien 7bcf364095 detect/threshold: expand cache support for rule tracking
Use the same hash key as for the regular threshold storage,
so include gid, rev, tenant id.
1 year ago
Victor Julien 1e9fdc4005 detect/threshold: consider tenant id in tracking
Ticket: #6967.
1 year ago
Victor Julien 2be998fbcd detect/threshold: include rev in threshold tracking 1 year ago
Victor Julien 3471c0f6ad detect/threshold: improve hash function 1 year ago
Victor Julien b8028bf386 thresholds: use dedicated storage
Instead of a Host and IPPair table thresholding layer, use a dedicated
THash to store both. This allows hashing on host+sid+tracker or
ippair+sid+tracker, to create more unique hash keys.

This allows for fewer hash collisions.

The per rule tracking also uses this, so that the single big lock is no
longer a single point of contention.

Reimplement storage for flow thresholds to reuse as much logic as
possible from the host/ippair/rule thresholds.

Ticket: #426.
1 year ago
Victor Julien ac400af8f4 range: use thash expiry API for timeout 1 year ago
Victor Julien 00e1e89449 thash: add expiration logic
Add a callback and helper function to handle data expiration.

Update datasets to explicitly not use expiration.
1 year ago
Victor Julien 114fc37294 detect/address: constify ipv6 cmp funcs 1 year ago
Victor Julien 3a7247b1ed detect/threshold: minor rate filter cleanup 1 year ago
Victor Julien ab5e04525f detect/threshold: minor code cleanup
Packet pointer is not used during allocation.
1 year ago
Victor Julien 6622dc7444 detect/threshold: minor cleanup 1 year ago
Victor Julien c08c81cacf detect/threshold: implement per thread cache
Thresholding often has 2 stages:

1. recording matches
2. applying an action, like suppress

E.g. with something like:
threshold:type limit, count 10, seconds 3600, track by_src;
the recording state is about counting 10 first hits for an IP,
then followed by the "suppress" state that might last an hour.

By_src/by_dst are expensive, as they do a host table lookup and lock
the host. If many threads require this access, lock contention becomes
a serious problem.

This patch adds a thread local cache to avoid the synchronization
overhead. When the threshold for a host enters the "apply" stage,
a thread local hash entry is added. This entry knows the expiry
time and the action to apply. This way the action can be applied
w/o the synchronization overhead.

A rbtree is used to handle expiration.

Implemented for IPv4.
1 year ago
Victor Julien c963158443 detect: add ticket id to var related todos 1 year ago
Victor Julien 405491c3fc detect/detection_filter: add support for track by_flow 1 year ago
Victor Julien f028648750 detect/content: fix wrong value for depth check
Limits propagation checked for DETECT_DEPTH as a content flag,
which appears to have worked by chance. After reshuffling the
keyword id's it no longer worked. This patch uses the proper
flag DETECT_CONTENT_DEPTH.
1 year ago
Victor Julien d0f3f2d462 detect: group content inspect keyword id's 1 year ago
Victor Julien 022173d7ab detect: group types used in traffic variables
Traffic variables (flowvars, flowbits, xbits, etc) use a smaller int for
their type than detection types. As a workaround make sure the values fit
in a uint8_t.
1 year ago
Victor Julien cfd55ead74 threshold: add by_flow support for global thresholds
Allow rate_filter and thresholds from the global config to specify
tracking "by_flow".
1 year ago
Victor Julien 1552f0953a detect/threshold: implement tracking 'by_flow'
Add support for 'by_flow' track option. This allows using the various
threshold options in the context of a single flow.

Example:

    alert tcp ... stream-event:pkt_broken_ack; \
        threshold:type limit, track by_flow, count 1, seconds 3600;

The example would limit the number of alerts to once per hour for
packets triggering the 'pkt_broken_ack' stream event.

Implemented as a special "flowvar" holding the threshold entries. This
means no synchronization is required, making this a cheaper option
compared to the other trackers.

Ticket: #6822.
1 year ago
Victor Julien a81b23254c util/var: add comments explaining types 1 year ago
Victor Julien 1fa13e4b81 util/var: remove printf; add assert 1 year ago
Victor Julien ce727cf4b1 detect: remove unnecessary detect thread flags stores 1 year ago
Philippe Antoine b34d4b1314 detect/nfs: do not free a null pointer
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69840
1 year ago
Jeff Lucovsky 5b97f4040c detect/base64: Use Rust defined modes everywhere
Issue: 6487

To avoid ambiguity, a single definition for base 64 decoding modes will
be used. The Rust base64 transform contains the definitions for the
existing mode types: Strict, RFC2045, RFC4648
1 year ago
Jeff Lucovsky f042e9034b detect/transform: Add from_base64 transform
Issue: 6487

Implement the from_base64 transform:
    [bytes value] [offset value] [mode strict|rfc4648|rfc2045]

    The value for bytes and offset may be a byte_ variable or an
    unsigned integer.
1 year ago
Shivani Bhardwaj 903283d76e flow: declare and use constants where possible 1 year ago
Shivani Bhardwaj 00a644c5c2 flow/manager: make fn calls only when necessary 1 year ago
Shivani Bhardwaj eb95d2bf66 flow/timeout: cleanup fn names and comments 1 year ago
Shivani Bhardwaj 8818b9cbe0 flow: remove unneeded args to fn 1 year ago
Shivani Bhardwaj f97b4ec1e8 flow/manager: add fn docs 1 year ago
Shivani Bhardwaj 14cd594d3c flow: add defensive check 1 year ago
Shivani Bhardwaj a87c8eb46f packetpool: use DEBUG_VALIDATE statement 1 year ago
Shivani Bhardwaj 87fa7f10ef flow: use bool wherever possible 1 year ago
Philippe Antoine 8b831e6751 detect/icmp: require real packet in signature
Fixes: 956c8bebd1 ("detect/prefilter: use sig mask to exclude pkt engines")
1 year ago
Philippe Antoine 0a953fe1ce detect: add to signature mask for decode events
Ticket: 6291
1 year ago
Philippe Antoine 4e584ed201 detect: fix check for app_layer events
Ticket: 7106
1 year ago
Jeff Lucovsky 834cd6fbdb af-packet: Remove unused preprocessor define
Remove unused preprocessor value; exposed by compilation warning
1 year ago
Philippe Antoine c9ce43b31e output: configurable payload_length field for alerts
Ticket: 7098
1 year ago
Philippe Antoine a21232828e dcerpc: add app-layer metadata in alerts
Ticket: 6090
1 year ago
Philippe Antoine 5f35035928 filestore: do not try to store a file set to nostore
Ticket: 6390

This can happen with keyword filestore:both,flow
If one direction does not have a signature group with a filestore,
the file is set to nostore on opening, until a signature in
the other direction tries to set it to store.
Subsequent files will be stored in both directions as flow flags
are now set.
1 year ago
Philippe Antoine 0d4efe0c0f app-layer: fix -Wshorten-64-to-32 warnings
Ticket: #6186

Warnings about downcast from 64 to 32 bits
1 year ago
Philippe Antoine 1790aa49a4 util: fix -Wshorten-64-to-32 warnings
Ticket: 6186

Warnings about downcast from 64 to 32 bits

Generic fixes required to get app-layer clean
1 year ago
Philippe Antoine dc043d0297 detect: remove unused field
content_inspect_window is used in app-layer-smtp, but
not directly in detect-file-data
1 year ago
Victor Julien 3d059611c3 detect: add tls.alpn keyword
Ticket: #7108.
1 year ago
Victor Julien c79a382e42 eve/tls: log ALPN for client and server
Part of the extended logging.

Logs `client_alpns` and `server_alpns` arrays in the tls object.

Ticket: #7055.
1 year ago
Victor Julien 0b37654578 tls: store all ALPN records in the state
For later logging and detection.
1 year ago
Victor Julien e3e917d967 detect/icmp-id: remove prefilter pseudo check
This is now handled at registration with SIG_MASK_REQUIRE_REAL_PKT.
1 year ago
Victor Julien 8df53d6411 detect/dsize: remove prefilter pseudo check
This is now handled at registration with SIG_MASK_REQUIRE_REAL_PKT.
1 year ago
Victor Julien 44d2e1aad7 detect/stream_size: allow match on pseudo packets
Often used with stream content, which can be inspected with pseudo packets.
1 year ago
Victor Julien 6958efa2dc detect/csum: remove pseudo packet checks 1 year ago
Victor Julien 64f5865efc detect/csum: general code cleanups 1 year ago
Victor Julien 956c8bebd1 detect/prefilter: use sig mask to exclude pkt engines
Add an argument to the packet prefilter registration function to include
`SignatureMask` flags. This will be used at runtime to only call these
prefilter engines when the mask check passes.
1 year ago
Victor Julien 4c2960169c detect/prefilter: minor function ptr cleanup
Use a typedef'd function pointer for packet Prefilter callbacks to make
the code consistent with the other callbacks.
1 year ago
Victor Julien 2d1ccb76b1 detect: remove pseudo checks from packet keywords
Keep as debug validation check.
1 year ago
Victor Julien d03660a646 detect: skip pseudo packets if sig needs real pkt
If a signature uses a condition that requires a real packet, filter
out pseudo packets as early as possible. To do this, the SignatureMask
logic is used.

This allows for the removal of checks for pseudo packets in individual
keywords `Match` functions, which will be done in a follow up commit.

Update analyzer to output the new flag.

Ticket: #7002.
1 year ago
Philippe Antoine e3034a6f54 tests: move detect http.uri tests to suricata-verify
Ticket: 3725
1 year ago
Philippe Antoine d59c60410f fuzz: adapt target to number of keywords being dynamic
Ticket: 4683
1 year ago
Philippe Antoine 4fe3f04fa3 detect/enip: move keywords to rust
Ticket: 4863
1 year ago
Philippe Antoine ce1eea4ad6 detect/websocket: move keywords to rust
Ticket: 4863
1 year ago
Philippe Antoine 16952d67e7 detect/dhcp: move keywords to rust
Ticket: 4863
1 year ago
Philippe Antoine ae72376ebe detect/snmp: move keywords to rust
Ticket: 4863

On the way, convert unit test DetectSNMPCommunityTest to a SV test.

And also, make snmp.pdu_type use a generic uint32 for detection,
allowing operators, instead of just equality.
1 year ago
Philippe Antoine 4bbe7d92dc detect: helper to have pure rust keywords
detect: make number of keywords dynamic

Ticket: 4683
1 year ago
Eric Leblond b128a75973 profiling: check packet flag first
This fixes the state handling and simplifies the logic.
1 year ago
Eric Leblond eecb3440e2 profiling: add option to activate rules profiling at start
When replaying a pcap file, it is not possible to get rules
profiling because it has to be activated from the unix socket.
This patch adds a new option to be able to activate profiling
collection at start so a pcap run can get rules profiling
information.
1 year ago
Victor Julien 37be66eef9 detect/iprep: update function naming
Bring in line with new Rust code naming for FFI functions.
1 year ago
Victor Julien 83976a4cd4 detect/iprep: implement isset and isnotset
Implement special "isset" and "isnotset" modes.

"isset" matches if an IP address is part of an iprep category with any
value.

It is internally implemented as ">=,0", which should always be true if
there is a value to evaluate, as valid reputation values are 0-127.

"isnotset" matches if an IP address is not part of an iprep category.

Internally it is implemented outside the uint support.

Ticket: #6857.
1 year ago
Victor Julien 3e46c51651 reputation: minor cleanup
No need to init ptrs to NULL after SCCalloc.
1 year ago
Jason Ish f0dbfe863d misc: prefix functions with SC not Sc 1 year ago
Victor Julien d02054fa31 detect/noalert: point noalert/alert to new doc 1 year ago
Victor Julien d5fb8204b6 detect: implement 'alert' keyword as a companion to 'noalert'
This can be used to implement alert then pass logic.

Add support for alert-then-pass to alert handling routines.

Ticket: #5466.
1 year ago
Victor Julien 92581dbc06 detect: set ACTION_ALERT for rules that should alert
Replaces default "alert" logic and removes SIG_FLAG_NOALERT.

Instead, "noalert" unsets ACTION_ALERT. Same for flowbits:noalert and
friends.

In signature ordering rules w/o action are sorted as if they have 'alert',
which is the same behavior as before, but now implemented explicitly.

Ticket: #5466.
1 year ago
Victor Julien 8f72a04973 detect/alert: minor loop cleanup 1 year ago
Victor Julien 44e7fdc3ca detect/noalert: minor cleanup 1 year ago
Philippe Antoine 82c03f72c3 enip: convert to rust
Ticket: 3958

- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- frames support
- app-layer events
- enip_command keyword now accepts string enumeration as values.
- add enip.status keyword
- add keywords :
    enip.product_name, enip.protocol_version, enip.revision,
    enip.identity_status, enip.state, enip.serial, enip.product_code,
    enip.device_type, enip.vendor_id, enip.capabilities,
    enip.cip_attribute, enip.cip_class, enip.cip_instance,
    enip.cip_status, enip.cip_extendedstatus
1 year ago
Philippe Antoine 0d267e29a5 files: remove the need for state in callbacks
As files now belong to transactions
1 year ago
Philippe Antoine e8438fdb58 app-layer: remove unused parameters 1 year ago
Philippe Antoine 441813aa47 fuzz: build with dependencies on rust and c lib
So that there is no need to remove the final binary to recompile
it if there have been changes in the code.
1 year ago
Philippe Antoine 358bc05fa1 ci: fix and test with Wunused-macros
Ticket: 6937

Completes ce9bfba76a
1 year ago
Juliana Fajardini 69e26de197 pgsql/logger: open json object from logger function
Before, the JsonBuilder object for the pgsql event was being created
from the C-side function that actually called the Rust logger.

This meant that if another module - such as the Json Alert - called the
PGSQL logger, we wouldn't have the `pgsql` key present in the log output
- only its inner fields.

Bug #6983
1 year ago
Victor Julien 306fd795c3 smtp/frames: initial frame support
Adds the following frames:

  command_line
  data
  response_line

The *_line frames are per line, so in multi-line responses each line
will have its own frame.

Ticket: #4905.
1 year ago
Victor Julien 2cebc8368c flow-worker: debug output about updates 1 year ago
Victor Julien c17df004ed stream: process ASYNC in packet dir
There will generally not be an opposing direction to handle
the app update.
1 year ago
Victor Julien a9dd1572d4 detect/frames: inspect frames only in correct direction
Inspect frames in the correct direction after they have been created.
1 year ago
Victor Julien 866c128c43 app-layer: flag flow for next packet in other dir
Add new flags to trigger FLOW_TS_APP_UPDATED/FLOW_TC_APP_UPDATED flags
to be set for the next packet in the relevant direction.

This allows for app relevant work to be done in the next packet in our
direction.
1 year ago
Victor Julien 683363b42d detect/frames: avoid IPS rescanning
Make sure to only scan the data when the app layer has been updated
as well.

Ticket: #6718.
1 year ago
Victor Julien 2e5e3498a6 app-layer/frames: add by type getter
AppLayerFrameGetLastOpenByType: Returns the most recent frame with a type
with unknown length (-1).

Check if type is globally enabled first.
1 year ago
Victor Julien 803e8dd32e frames: add FrameGetLastOpenByType
Getter for the most recent frame with unknown length (-1).
1 year ago
Victor Julien c7402d2d01 frames: fix bounds check 1 year ago
Victor Julien 243587805d stream: minor code clarification
'dir' was too generic, so indicate it's about the app-layer update direction.
1 year ago
Victor Julien e6c1b9d846 app-layer: minor code clarification
'dir' was too generic, so indicate it's about the app-layer update direction.
1 year ago
Philippe Antoine a10c1f1dde smtp: use rust for mime parsing
Ticket: #3487
1 year ago
Philippe Antoine 5f75b9a6e3 http: use rust for mime parsing
Ticket: #3487
1 year ago
Philippe Antoine ddb3a0c9de http: multipart unused code removal 1 year ago
Victor Julien 1190e426f9 defrag: remove trackers on lookup
When looking up a tracker, remove any timed out / completed trackers.
1 year ago
Victor Julien 75b78d7643 defrag: add defrag.memuse counter
Gives a current snapshot of the memory in use by the defrag engine.
1 year ago
Victor Julien becc91c306 defrag: timeout check on look up; tag for removal 1 year ago
Victor Julien 83dc703d1f defrag: add various counters 1 year ago
Victor Julien dcaeed7b95 defrag: remove tracker on frag pool issues
If a frag wasn't inserted due to pool empty or alloc failure, clear and
invalidate the tracker.
1 year ago
Victor Julien fc05d253d2 defrag: add defrag.mgr.tracker_timeout counter
Updated by flow manager.
1 year ago
Victor Julien 39876bf566 defrag: update exception policy counter: ptr can't be NULL 1 year ago
Victor Julien 383892463c defrag: fix test passing NULL pointers 1 year ago
Victor Julien fc93a3875e defrag: turn queue into stack
Only used by the spare tracker logic, which works better as a stack.
1 year ago
Victor Julien 475c40f9c2 defrag: minor cleanups; dead code removal 1 year ago
Victor Julien 8b57545540 defrag: turn hash row into single linked list 1 year ago
Victor Julien 26a73503aa defrag: timeout/reuse start of list 1 year ago
Victor Julien 97705c94e4 defrag: simplify lookup/create loops
Turn into a simpler do { } while loop like in the flow code.
1 year ago
Victor Julien 3b1fecbab1 output/streaming: suppress noisy start up message 1 year ago
Victor Julien 621fe38dbf output/lua: handle registration error
Use error message instead of info message.
1 year ago
Eric Leblond 21916b9743 eve: revert ethernet addresses when needed
EVE logging has a direction parameter that can cause the logging
of an application layer to be done in a direction that is not linked
to the packet. As a result the source IP address could be assigned the
MAC address of the destination IP and the reverse.

This patch addresses this by propagating the direction to the ethernet
logging function and using it there to define the correct mapping.

Issue #6405
1 year ago
Alexey Simakov a8217d288a util/radix-tree: fix potential dereference of nullptr
Fix potential dereference of nullptr in case of
unsuccessful allocation of memory leak for tree nodes.

Bug: #7049
1 year ago
Jason Ish 10a367b116 lua: use quoted include style to avoid system includes
Use quoted include style for Lua includes ("lua.h" instead of <lua.h>)
as this could result in system includes being picked up instead of the
includes from our vendor directory.
1 year ago
Philippe Antoine 20423fdd38 style: remove some useless return
and remove empty line before end of function
1 year ago
Philippe Antoine a262e203f9 src: remove some unused parameters 1 year ago
Victor Julien 41b9836b11 threads: give threads more time to get ready
In certain conditions, it can take a long time for threads to start up.
For example in af-packet, setting up the socket, rings, etc has been
observed to take close to half a second per thread, and since the
threads go one by one in a preset order, this means the start up can
take a lot of time if there are many threads. The old logic would just
allow a hard coded 60s. This was not always enough when the number of
threads was high.

This patch makes the wait time take the number of threads into account.
It adds a second of time budget to the base 60s for each thread.

So as an example, if a system has 112 af-packet threads, it would wait
172 seconds (60 + 112) for the threads to get ready.

Ticket: #7048.
1 year ago
Victor Julien 85fd4b2ec7 threads: optimize start up check
When starting a large amount of threads, the loop was inefficient. It
would loop over the threads and if one wasn't yet ready it would sleep a
bit and then reevaluate all the threads. This reevaluation of threads
already checked was inefficient, and could lead to the time budget
running out.

This patch splits the check, and keeps track of the threads that have
already passed. This avoids the rescanning of already checked threads.
1 year ago
Victor Julien 121955d5c1 tls-store: support client logging
Adds a `client-` prefix to the logged certs and meta files.

Ticket: #7045.
1 year ago
Victor Julien 6fe5b739b4 tlsstore: remove stale FIXME 1 year ago
Victor Julien 032bc04a1e detect/tls.store: fix direction check
STREAM_* flags are invalid for `Flow::flags`.

Fixes: dfcb429524 ("detect/cert: Use client side certs")
1 year ago
Jason Ish 10e6028175 lua: track memory limit exceeded errors
Update the Lua allocator to set a code on memory allocation limit
exceeded errors so an appropriate error message can be logged and a
stat incremented.

Fixes the tracking of the allocated size by using the difference
between the original size and the new size, and tosses in some debug
validations.
1 year ago
Jason Ish 011f0ba994 lua: remove sandbox lib for now
Not sure if I see a use for it; some extra debug logging might be just
as useful for those writing Lua scripts.
1 year ago
Jason Ish 5a1cba72f0 lua: add logging and counter for instruction limit being exceeded 1 year ago
Jason Ish c8fa454cb2 lua: add blocked functions as a special log type plus stat
Distinguish between a generic Lua script error and an error created by a
function being blocked, so each is logged once respective of each other.

Also add a stat that is incremented when a script fails due to a
blocked function.

NOTE: This does not catch calls to functions that are blocked by not
having the library loaded, such as "io.open", as they are blocked by
not even loading the "io" library.
1 year ago
Jason Ish 86f9e43068 lua: use a function allow list instead of a deny list
The Lua library surface area is small enough to manage an allow list,
which is generally better than a deny list, as we'll explicitly need
to opt-in to new functions provided by the Lua runtime.
1 year ago
Jason Ish 2e440169d6 lua: remove lua as a compile time feature
It's always built-in. However, it can be disabled at runtime.
1 year ago
Jason Ish bc011f2205 lua: use rust crate to vendor (bundle) lua
Remove lua-dev(el) from all CI tests.
1 year ago
Jason Ish afb705d278 lua: reset instruction counter before calling script 1 year ago
Jason Ish 1f05a17fb9 lua: misc cleanups in sandbox implementation
Including:
- rename guards
- SCMalloc to SCCalloc
- remove unused enum
- rename public functions to our naming standard
1 year ago
Jo Johnson 04adb0c0f6 lua: Add config to allow sandbox bypass 1 year ago
Jo Johnson e946b20e0f lua: Add config override for lua sandbox limits 1 year ago
Jo Johnson 8428b0b9d7 lua: Add lua sandbox for detection rules 1 year ago
Jo Johnson 01c8af766c lua: remove internal references to luajit 1 year ago
Jo Johnson d5c6c3a21c lua: build lua by default
Ticket: #4776

[Edits by Jason Ish]
- Add Lua in CI where needed
- Disable Lua for builds that don't have Lua 5.4
1 year ago
Jo Johnson 712496bb3f lua: Remove luajit support
lua 5.4 support is not available in luajit

Ticket: #4776
1 year ago
Jason Ish 6e2a1ec5d6 misc: move prototypes to correct header
Move prototypes for functions that exist in util-port-interval-tree.c
from detect-engine-port.h to util-port-interval-tree.h.

Fix header guard names while there.
1 year ago
Philippe Antoine b91e7fe2ae detect/http-server-body: clean up tests
Ticket: 4083
1 year ago
Philippe Antoine ce16a56a1f detect: unify functions for multi-buffer
Ticket: 6575

Multi buffers keywords now use a single registration function
DetectAppLayerMultiRegister with a GetBuffer argument.

This GetBuffer function pointer is similar to the ones used by
single-buffer keywords, except that it takes an additional
parameter which is the index of the buffer to get.
Under the hood, an anonymous union between these 2 function
pointer types is used.

In the end, this deduplicates code, especially the calls to
DetectEngineContentInspection.
1 year ago
Philippe Antoine 55bc5f2290 detect/template: make template use DetectEngineInspectBufferGeneric 1 year ago
Philippe Antoine ce9bfba76a ci: fix and test with Wunused-macros
Ticket: 6937
1 year ago
Philippe Antoine b3eb1c4f81 clean: remove unused struct definitions
Found with
git grep "typedef struct" src/ | awk '{print $3}' | sort |
uniq | sed 's/_$//' | while read i; do
echo -n $i; git grep $i | wc -l; done | awk '$2 < 3'

Ticket: 4083
1 year ago
Richard McConnell fc2e49f84a app-layer: Set sc_errno upon error return
Bug: https://redmine.openinfosecfoundation.org/issues/6782

Callers to these allocators often use ``sc_errno`` to provide context of
the error. And in the case of the above bug, they return ``sc_errno``,
but as it has not been set ``sc_errno = 0; == SC_OK``.

This patch simply sets this variable to ensure there is context provided
upon error.
1 year ago
Victor Julien 52a008e358 detect/http-host: clean up tests 1 year ago
Victor Julien 6c937a9243 pcap-log: use correct pkthdr size for limit enforcement
The on-disk pcap pkthdr is 16 bytes. This was calculated using
`sizeof(struct pcap_pkthdr)`, which is 24 bytes on 64 bit Linux. On
macOS, it's even worse, as a comment field grows the struct to 280
bytes.

Address this by hardcoding the value of 16.

Bug: #7037.
1 year ago
Victor Julien 9b980b18a8 pcap-log: minor cleanups 1 year ago
Victor Julien ea8c283dc7 pcap-log: minor cleanup
Use same pointer to one location consistently.
1 year ago
Victor Julien 8c4b96129f pcap-log: always pass 'comp' to PcapWrite
The variable is always available.
1 year ago
Victor Julien 5aa00aae0a pcap-log: rename connp to comp
Matches other variable names for the compression settings.
1 year ago
Victor Julien 3eb74c9992 pcap-log: don't check variable that is never set
`rotate` was never modified.
1 year ago
Victor Julien 5455799795 time: only consider packet threads
In offline mode, a timestamp is kept per thread, and the lowest
timestamp of the active threads is used. This was also considering the
non-packet threads, which could lead to the used timestamp being further
behind than needed. This would happen at the start of the program, as
the non-packet threads were set up the same way as the packet threads.

This patch both no longer sets up the timestamp for non-packet threads
as well as not considering non-packet threads during timestamp
retrieval.

Fixes: 6f560144c1 ("time: improve offline time handling")

Bug: #7034.
1 year ago
Shivani Bhardwaj 0aaec69303 flow: use debug validate macro 1 year ago
Shivani Bhardwaj d6b63b38ca flow: add defensive check on memuse 1 year ago
Shivani Bhardwaj 7144b9421d tcp: use bool wherever possible 1 year ago
Shivani Bhardwaj f4b8f706fa flow: use bool wherever possible 1 year ago
Shivani Bhardwaj 2c751dba73 flow: remove unneeded else 1 year ago
Shivani Bhardwaj 7bd9f88ecd flow: minor loop cleanups 1 year ago
Philippe Antoine fd262df457 http: fix nul deref on memcap reached
HttpRangeOpenFileAux may return NULL in different cases, including
when memcap is reached.
But its only caller did not check it before calling HttpRangeAppendData,
which would dereference the NULL value.

Ticket: 7029
1 year ago
Shivani Bhardwaj 232c44eb4a output/json: log tls subjectaltname
Feature 5234
1 year ago
Shivani Bhardwaj 83af42cc03 detect/tls-subjectaltname: add sticky buffer
Add TLS SubjectAltName sticky buffer. It is implemented as multi-buffer.

Feature 5234
1 year ago
Shivani Bhardwaj 3a1c12414a tls: store list of subject alternative names
So far, the SANs were available as a part of IssuerDN via the x509_parser
crate, but SANs were not available to the SSLState* to be directly used
to set up and match against a sticky buffer.
Expose it to SSLStateConnp.

Feature 5234
1 year ago
Jason Ish 6d2d8c26d3 detect-lua: small cleanups
- remove unused headers
- cleanup/rename flags
1 year ago
Jason Ish 224f55ba21 detect/lua: don't treat a crashed script as no match
If a rule script crashed, the return value was treated as a no
match. This would make a negation of the rule match and alert.

Instead cleanup and exit early if the rule script crashed and don't
run negation logic.

A stat, detect.lua.errors has been added to count how many times a
script crashes.

Also consolidates the running of the Lua script and return value
handling to a common function.

Bug: #6940
1 year ago
Philippe Antoine f2c39fc87b ftp: protocol detection avoiding FP on POP3 1 year ago
Philippe Antoine 2c305ba37e pop3: protocol detection
Ticket: #6366
1 year ago
Philippe Antoine ed895c04ff smtp: exit data mode if data command was rejected
And the server was advertising pipelining.

Ticket: 6906
1 year ago
Philippe Antoine dfdf2e2d1a detect: checks for space in http.protocol keyword 1 year ago
Philippe Antoine 7582b18a9f http: configures libhtp to allow spaces in uri
Ticket: #2881
1 year ago