This patch implements reconnection handling for the redis output.
A reconnect limitation has been implemented with a limitation of
one connection per second.
This patch implements redis pipelining. This consist in contacting
the redis server every N events to minimize the number of TCP
exchange. This is optional and setup via the configuration file.
Introduce a function to realize the parsing and config file and
opening of connection to the database. Only used by output-json
for now it will be usable by other logging modules.
Introduce a function LogFileWrite that will handle the writing with
respect of the type defined in the configuration. This is used in
this patch to remove the write complexity from output-json.
When using redis output, we are loosing the host key (added by
logstash or logstash-forwarder) and we can't find anymore what
Suricata did cause the alert.
This patch is adding this key during message generation using the
'sensor-name' variable or the hostname is 'sensor-name' is not
defined.
This adds a counter indicating how many times
the flow max memcap has been reached
Since there is no always a reference to FlowManagerThreadData,
the counter is put in DecodeThreadVars.
Currently when there is no counter increase in one call of FlowGetNew
because we don't have tv or dtv at the time of the call.
The following is a snippet of the generated EVE entry:
"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7085248}
The code was not correct and coverity did detect a potential
overflow problem that should not happen because of the structure
of md5 string and of format.
Unlike other app-layer protocols which are enabled by default,
disable this one by default as it likely shouldn't be enabled
in production use of Suricata.
Two structure fields were uninitialized and used has a bit field.
Weird behavior were seen in list of logged fields due to that with
some build options.
Multiple events can be applied on a transaction so we may need to
log the same header twice.
The HDR_IS_LOGGED flag was making it impossible. And this system
is usless as email application layer is transaction based.
Add a boolean option named "payload" to the unified2-alert output type.
Such options makes suricata omit the payload in the resulting unified2
file. The default value is true in order to preserve the current behaviour.
- Some tests always passed due to the result value being
initialized to 1.
- Fix tests that now fail. Looks like just the test were wrong
and that the code does the right thing.
Remove the old tracker reset macro which is no longer being used.
Clear last_seen and remove flags on initialization.
Remove extra call to DefragTrackerInit as it was being called 2x
for each new tracker.
Now that DefragTrackerNew is just a wrapper for DefragTrackerAlloc,
remove it and just call DefragTrackerAlloc directly.
These trackers are likely for completed fragments, but have
not been cleaned up. If a packet on the same flow with an
already seen IP ID is seen, it could be reused prior to
being properly reinitialized.
Previous code was wrongly supposing the lines are ending with CRLF.
But this is not the case so we must propagate the length of end of
line delimiter to be able to compute the md5 of the mail body.
To be able to correlate between events, it is better to have the
tx_id information in the root object. This function adds a new
function to automate the addition of the field.
Eric Leblond
Giuseppe Longo
cardigliano
Jason Ish
Torgeir Natvig
Mats Klepsland
Alessandro Guido
Victor Julien
Alexander Gozman