aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
11,143 Commits
7 Branches
161 Tags
184 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd5bb41011c'
${ noResults }
Commit Graph

9450 Commits (d5bb41011c0afd0219f9e450e982e49bdd670ee8)

Author SHA1 Message Date
Jason Ish cc4f9d7f3d alert/eve: remove jansson specific feature (jsonbuilder prep) 
Remove the Jansson specific feature of being able to delete
an object from json_t, in prep for refactors to JsonBuilder.

Instead create a new header for each alert to be logged.
 5 years ago
Jason Ish f4f1fdbf86 alert/eve: move logging of rule text (jsonbuilder prep) 
Move the logging of the rule text to where the alert object
is being logged to remove the usage of json_object_get...

Getting previously logged objects will not be possible with
JsonBuilder.
 5 years ago
Victor Julien f8f2a2bbc0 detect/pcre: set app proto correctly when using modifiers 5 years ago
Victor Julien 9fd56e8430 detect/pcre: minor code cleanups 5 years ago
Victor Julien de6c9b9441 detect: clarify and slightly cleanup non-pf logic 5 years ago
Victor Julien 5acfdfcc76 flow/manager: fix management tasks not running 
Fix tasks not running on the first manager, even if there is just
a single manager.
 5 years ago
Eric Leblond ae5650d443 magic: get rid of global lock 
Global magic context was involving a lock that appear to be really
costly for some traffic.
 5 years ago
Victor Julien d8c82d4f39 af-packet: fix warnings by undefined sanitizer 5 years ago
Victor Julien 3957750731 capture: optimize checksum handling 
Don't use a flag in the livedev, but overwrite the config setting after
'auto' mode has determined checksums should be disabled.
 5 years ago
Victor Julien bbdc11842d windows: fix timestring timezone display 
Bug: #3690
 5 years ago
Jeff Lucovsky 12148bc53c detect/pcre: Use the keyword context for JIT stack 
When PCRE `jit` is available, store the JIT stack in the keyword context
instead of on a global id. This ensures proper cleanup and
re-initialization over a rule reload.
 5 years ago
Victor Julien d1e690ccb3 profiling: c11 atomics fixup 5 years ago
Jason Ish ca88e4d0e3 filestore v1: remove 
File store v1 has been deprecated and was scheduled for removal
by June 2020.

Log an error if a file-store configuration is loaded without
version set to 2.
 5 years ago
Philippe Antoine 69b4fffdae parse: move SSH parser from C to Rust 5 years ago
Shivani Bhardwaj 6457754fd6 dcerpc: Replace C function calls with Rust 
All the dead code in C after the Rust implementation is hereby removed.
Invalid/migrated tests have also been deleted.
All the function calls in C have been replaced with appropriate calls to
Rust functions. Same has been done for smb/detect.rs as a part of this
migration.
 5 years ago
Philippe Antoine 2fe82ce0d6 fuzz: do not reuse global variable named suricata 5 years ago
Philippe Antoine 304aedfa95 fuzz: improves sigpcap target 
So that it can cover alert generation
ie in function DetectRun, get past scratch.sgh == NULL condition
 5 years ago
Jeff Lucovsky 690bd14371 napatech: Fix parameters passed to thread-check 
This commit corrects an error introduced earlier: the call to
`TmThreadsCaptureHandleTimeout` is passing too many parameters.
 5 years ago
Jeff Lucovsky 9db8a917a2 dag: Fix parameters passed to thread-check 
This commit corrects an error introduced earlier: the call to
`TmThreadsCaptureHandleTimeout` is passing too many parameters.
 5 years ago
Victor Julien a0392c6027 fuzz/sigpcap: enable protocols, add more outputs 5 years ago
Victor Julien 032f31b7d3 htp: fix test after libhtp changes 5 years ago
Jeff Lucovsky beb45c564e detect/smtp: Refactor command check 
This commit refactors the code that matches reply with command.

Bug: #3677
 5 years ago
Jeff Lucovsky dc7a991bfb app-layer/smtp: Improve RSET handling 
This commit improves how the parser handles the `RSET` command.
Termination of the transaction occurs when the `RSET` ack is seen (reply
code 250).

Bug: #3677
 5 years ago
Philippe Antoine a15e503b7d enip: more precise probing parser 
Bug: #3615
 5 years ago
Victor Julien 049c5fe230 detect/port: limit recursion in port parsing 
Bug: #3586
 5 years ago
Victor Julien 476b5f21f3 detect/address: limit recursion during parsing 
Allow a max depth of 64.

Bug: #3586
 5 years ago
Victor Julien b6658e6269 detect/address: minor cleanups 5 years ago
Victor Julien 41d0dcae99 decode: cleanup packet properly on bad packets 
In case of bad IPv4, TCP or UDP, the per packet ip4vars/tcpvars/udpvar
structures would not be cleaned up because the cleanup depends on the
'header' pointer being set, but the error handling would unset that.

This could mean these structures were already filled with values before
the error was detected. As packets were recycled, the next packet decoding
would use this unclean structure.

To make things worse these structures are part of unions. IPv4/IPv6 and
TCP/ICMPv4/ICMPv6 share the same memory location.

LibFuzzer+UBSAN found this both locally and in Oss-Fuzz:

decode-ipv6.c:654:9: runtime error: load of value 6, which is not a valid value for type 'bool'
    #0 0x6146f0 in DecodeIPV6 /src/suricata/src/decode-ipv6.c:654:9
    #1 0x617e96 in DecodeNull /src/suricata/src/decode-null.c:70:13
    #2 0x9dd8a4 in DecodePcapFile /src/suricata/src/source-pcap-file.c:412:9
    #3 0x4c8ed2 in LLVMFuzzerTestOneInput /src/suricata/src/tests/fuzz/fuzz_sigpcap.c:158:25
    #4 0x457e51 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #5 0x457575 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #6 0x459917 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #7 0x45a6a5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
    #8 0x448728 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
    #9 0x472552 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #10 0x7ff0d097b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x41bde8 in _start (/out/fuzz_sigpcap+0x41bde8)

Bug: #3496
 5 years ago
Victor Julien 3ed188e0bc ssl: support multi-frag certificate assembly 
Support reassembling multi-frag certificates. For this the cert queuing
code is changed to queue just the cert, not entire tls record.

Improve message tracking. Better track where a message starts and ends
before passing data around.

Add wrapper macros to check for 'impossible' conditions that are activate
in debug validation mode. This helps fuzzers find input that might trigger
these conditions, if they exist.
 5 years ago
Victor Julien 4f679fd843 ssl: add asserts for 'impossible' conditions 
Wrap in debug validation so that fuzzing can pick them up.
 5 years ago
Victor Julien 68d5a9dc2c tls/sni: parsing cleanup 
Set proper event on all invalid sni length values.
 5 years ago
Victor Julien 61b8c99236 ssl: improve error checking 5 years ago
Victor Julien bb06298102 ssl: unify main parsing routine 5 years ago
Victor Julien 40be9d2219 ssl: improve debug output 5 years ago
Victor Julien f1bf11f716 ssl: record parsing cleanup 5 years ago
Victor Julien ab44b5edac ssl: handshake parsing code cleanup 5 years ago
Victor Julien d1ada2e13c ssl: copy data using a safe memcpy wrapper 
To avoid future memcpy issues introduce a wrapper and check the
result of it.

When compiled with --enable-debug-validation the wrapper will abort if
the input is wrong.
 5 years ago
Victor Julien cffbdff024 ssl: don't say we consumed bytes if we didn't consume them 5 years ago
Victor Julien 9950ebffe6 ssl: code cleanups 5 years ago
Victor Julien 1578c84605 ssl: bump copyright year 5 years ago
Victor Julien 9a97821c43 ssl: improve 'first cert' check to avoid leaks 
In some error conditions, or potentially in case of multiple 'certificate'
records, the extracted subject, issuerdn and serial could be overwritten
without freeing the original memory.
 5 years ago
Victor Julien fa2a1385ea ssl: fix handshake cert buffer sizing 
'trec' buffer was not grown properly when it was checked as too small.
After this it wasn't checked again so that copying into the buffer could
overflow it.
 5 years ago
Victor Julien 26bcc97515 detect/keywords: dynamic version part of doc URL 5 years ago
Victor Julien 8f2df0f938 logging: fix default log format for release mode 5 years ago
Victor Julien eef7760870 datasets: reputation value validation 5 years ago
Philippe Antoine ae102ca096 detect: refactoring parsing of ip range 
To optimize first netmask
 5 years ago
Philippe Antoine 8ca9c0e8f0 signature: minimizes ip CIDR for ip range 
Example leading to over allocation is 41.232.107.2-43.252.37.6
 5 years ago
Jeff Lucovsky fa082d04dc decode/erspan: Warn on ERSPAN Type I config 
This commit checks whether pre-6.x settings for ERSPAN Type I are
present. ERSPAN Type I is no longer enabled/disabled through a
configuration setting -- it's always enabled.

When a setting exists to enable/disable ERSPAN Type I decoding, a
warning message is logged.

Enabling/disabling ERSPAN Type I decode has been deprecated in 6.x
 5 years ago
Jeff Lucovsky 82da71bbc4 decode/erspan: Add warning ERSPAN Type I config 
This commit adds a warning value when ERSPAN Type I configuration
settings are detected; specifically, when ERSPAN Type I `enabled` is
specified.

Enabling/disabling ERSPAN Type I decode has been deprecated in 6.x
 5 years ago
Victor Julien ad448da3f4 flowbits: fix hang in flowbits 'or' parsing 5 years ago
Victor Julien 07ed0dadae fuzz: suppress too noisy htp errors check 5 years ago
Jeff Lucovsky 2b93898771 napatech: Correct timestamp rounding issue 
This commit fixes the conversion of timestamps. Without the extra
parens, the resulting timestamp value for usecs will be 1 or 0 due to
the operator precedence order (+ takes precedence over ?:)
 5 years ago
Jeff Lucovsky f12adcc58c napatech: Check for out-of-band control operations 
This commit causes the packet source to check for out of band control
operations when there are no packets immediately available.
 5 years ago
Jeff Lucovsky 5b13468bfc dag: Check for out-of-band control operations 
This commit causes the packet source to check for out of band control
operations when there are no packets immediately available.
 5 years ago
Phil Young b48049c51c napatech: Restructure Packet/Hostbuffer release 
The end-of-processing has been restructured so that Packet and Hostbuffer
data structures are now released within the NapatechReleasePacket() callback
function.
 5 years ago
Shivani Bhardwaj e22b345bb6 af-packet: change type of cluster_id to uint16_t 5 years ago
Shivani Bhardwaj e7c0f0ad91 src: remove multiple uses of atoi 
atoi() and related functions lack a mechanism for reporting errors for
invalid values. Replace them with calls to the appropriate
ByteExtractString* functions.

Partially closes redmine ticket #3053.
 5 years ago
Shivani Bhardwaj 92bb52f430 Add wrappers for validating range checks 5 years ago
Victor Julien c2d36ed261 fastlog: copyright year bump and remove stale comments 5 years ago
Victor Julien 28837b203e fastlog: fix unlikely memleak 
Fix memleak is case of alloc error during startup.
 5 years ago
Victor Julien b763885d1b thash: suppress coverity fp's 5 years ago
Victor Julien b0c79c6996 datasets: suppress coverity fp's 5 years ago
Philippe Antoine 053c728871 http: adds debug check against too many warnings 5 years ago
Jeff Lucovsky aa3f784d32 detect/ftp: FTP memory accounting fixes 
This commit continues the work started by @vanlink and corrects the
accounting of FTP memory usage against the memcap limit.
 5 years ago
Victor Julien 7ca94ba0a2 app-layer: fix protocol detection bail conditions for TCP fastopen 5 years ago
Jeff Lucovsky e8ad67fa4f detect/lua: Unregister object during free 
This commit removes the registration for the object being freed.
 5 years ago
Jeff Lucovsky d3a65fe156 detect: Provide `de_ctx` to free functions 
This commit makes sure that the `DetectEngineCtx *` is available
to each detector's "free" function.
 5 years ago
Jeff Lucovsky d1151f3f8e detect: Provide function to clear per-thread ctx 
This commit provides an interface to free previously allocated
per-thread contextual information on the keyword lists.
 5 years ago
Shivani Bhardwaj cf4e4e4ac3 flowbits: Allow support for flowbit ORing 
This patch allows to OR multiple flowbits on isset and isnotset flowbit
actions.

e.g.
Earlier in order to check if either fb1 or fb2 was set, it was required
to write two rules,
```
alert ip any any -> any any (msg:\"Flowbit fb1 isset\"; flowbits:isset,fb1; sid:1;)
alert ip any any -> any any (msg:\"Flowbit fb2 isset\"; flowbits:isset,fb2; sid:2;)
```

now, the same can be achieved with
```
alert ip any any -> any any (msg:\"Flowbit fb2 isset\"; flowbits:isset,fb1|fb2; sid:23;)
```

This operator can be used to check if one of the many flowbits is set
and also if one of the many flowbits is not set.
 5 years ago
Philippe Antoine fef124b92d ftp: use switch for ftp commands for style 5 years ago
Philippe Antoine 6f36403219 ftp: FTPGetAlstateProgress for done port commands 
For a done transaction with command PORT,
we expect FTP_STATE_FINISHED
and we got FTP_STATE_PORT_DONE instead
which prevented logging of these transactions

We change the order of the evaluations to get the right result
 5 years ago
Philippe Antoine 699d6682da ftp: indent FTPParseResponse again 5 years ago
Philippe Antoine a6294d6ec2 ftp: FTPParseResponse bufferizes lines 
Protects against evasion by TCP packet splitting

The problem arised if the FTP response is split on multiple packets

The fix is to bufferize the content, until we get a complete line
 5 years ago
Philippe Antoine cd26fc139e detect: fix insertion in linked list for fast pattern 
Make sure we do not add the same list_id twice
by checking at least all the lists with the current priority
 5 years ago
Victor Julien 0ce489bcc9 conf/datadir: fix possible out of bounds array access 5 years ago
Victor Julien 1d8d03184d datasets: remove useless variables 5 years ago
Victor Julien 7a6269798b datasets: add 'dataset-remove' unix command 5 years ago
Victor Julien af06883f65 datasets: add 'remove' support 5 years ago
Victor Julien 51726e0a0f thash: add 'remove' support 5 years ago
Victor Julien b80ab56d10 datasets: improve 'dataset-add' error checking 5 years ago
Victor Julien ff55a444d4 datasets: fix return values for 'add's 5 years ago
Victor Julien 381bc2dd64 datasets: fix ref cnt handling 
Each 'add' and 'lookup' would increment the use_cnt, without anything
bringing it back down.

Since there is no removal yet, nothing is actually affected by it yet.
 5 years ago
Victor Julien 03dc5d1d74 datasets: silence noisy 'dataset-add' log 5 years ago
Victor Julien f8159bd372 build: default to c11 standard 
Rearrange pcap includes to fix builds on MinGW
 5 years ago
Victor Julien 1893e40e79 build: don't limit C std to c99 (gnu99) 
Now that C11 atomics and thread local storage are supported, the
compiler can figure out what version to use.
 5 years ago
Victor Julien 7691fc4f9e configure: check for u_int and friends 5 years ago
Victor Julien cb4b5296da fuzz: include pcap headers through suricata-common.h 5 years ago
Victor Julien d4f86e3709 threads: remove u_long usage 5 years ago
Victor Julien 3ba4afd40b threads: make thread local storage manadatory 
Support either the __thread GNUism or the C11 _Thread_local.

Use 'thread_local' to point to the one that is used. Convert existing
__thread user to 'thread_local'.

Remove non-thread-local code from the packet pool code.
 5 years ago
Victor Julien 32cfd71f1a atomics: stdatomics.h version of SC_ATOMIC_* wrappers 5 years ago
Victor Julien 7553937a22 detect-engine/tags: avoid confusion over data type 5 years ago
Victor Julien 5b9d17b485 atomics: remove unused macros 5 years ago
Victor Julien c83a607b6a atomics: add SC_ATOMIC_INITPTR macro 
Until now both atomic ints and pointers were initialized by SC_ATOMIC_INIT
by setting them to 0. However, C11's atomic pointer type cannot be
initialized this way w/o causing compiler warnings.

As a preparation to supporting C11's atomics, this patch introduces a
new macro to initialize atomic pointers and updates the relevant callers
to use it.
 5 years ago
Victor Julien 531ff3ddec atomics: change SC_ATOMIC_ADD to 'fetch_add' 
Until this point the SC_ATOMIC_ADD macro pointed to a 'add_fetch'
intrinsic. This patch changes it to a 'fetch_add'.

There are 2 reasons for this:

1. C11 stdatomics.h has only 'atomic_fetch_add' and no 'add_fetch'
   So this patch prepares for adding support for C11 atomics.

2. It was not consistent with SC_ATOMIC_SUB, which did use 'fetch_sub'
   and not 'sub_fetch'.

Most callers are not using the return value, so these are unaffected.
The callers that do use the return value are updated.
 5 years ago
Victor Julien 109b2ae551 atomics: avoid unnecessary (direct) CAS use 5 years ago
Victor Julien c660757153 atomics: remove useless SC_ATOMIC_DESTROY 5 years ago
Victor Julien 1cb7eec52d atomics: remove spinlocked fallback 5 years ago
Victor Julien 967340e901 fuzz: fix applayer eof check segv 5 years ago
Philippe Antoine 4fda7ed4bd fuzz: stop app layer target as Suricata 
Before being overwhelmed by successive errors
 5 years ago
Philippe Antoine fe1d36ec7e conf: returns instead of exiting in ConfYamlParse 
So that we can keep on fuzzing even on too much recursion
 5 years ago
Victor Julien dfdf2eb050 fuzz: add missing debug validation to configure 5 years ago
Victor Julien c76f98073e fuzz: add configure wrapper for oss-fuzz 5 years ago
Victor Julien 5e13816380 includes: don't include sys/types.h twice 5 years ago
Victor Julien df79613fb5 privs: include headers in suricata-common.h 5 years ago
Victor Julien 61c9e01f87 conf/yaml: include yaml.h after suricata-common.h 5 years ago
Victor Julien f6bf86f136 fuzz/sigpcap: enable all of eve 5 years ago
Victor Julien 4d50eb1647 detect/iponly: fix parsing of '0' valued netmask 5 years ago
Victor Julien d4613e5c70 util/mem: reduce scope of win32 specific include 5 years ago
Victor Julien 415c992909 util/mem: cleanup by moving atomic from mem hdr 5 years ago
Victor Julien 3b877929e3 util/mem: move most logic to functions 
Reduce macro use and simplify code. Also reduces compiled code
size.
 5 years ago
Victor Julien 48bb26abe7 util/mem: remove old debug code for counting allocs 5 years ago
Victor Julien 481a1923b4 logging: turn SCLog and SCLogErr into funcs 
Reduces compiled code size.
 5 years ago
Victor Julien 64e307936e common: add ATTR_FMT_PRINTF wrapper 
Wraps around __attribute__((format(printf, (x), (y))))
 5 years ago
Victor Julien a8c8e2d5c9 common: use suricata-common.h in more places 5 years ago
Victor Julien b856caad94 common: use WARN_UNUSED macro 5 years ago
Victor Julien f903766849 detect/mpm: don't process empty store 5 years ago
Victor Julien a95fa3c156 dns/tests: comment typo fixes 5 years ago
Victor Julien d5712efc91 decode: return bool network layer 
So that the caller can set the correct event type on error.
 5 years ago
Victor Julien 328a94206e decode/hdlc: initial support 5 years ago
Victor Julien 136d351e40 decode: single network layer entrypoint 
This way new layers can be added in a single place.
 5 years ago
Victor Julien 88bccfb80e decode: create linklayer entry point 
Make AF_PACKET and PCAP mode use it.
 5 years ago
Victor Julien 685d490d07 decode/ieee8021ah: fix possible packet truncation 5 years ago
Victor Julien 5404dc7f6d fuzz/siginit: cleanup detect engine every 1024 runs 5 years ago
Andreas Herz aaa604b4c6 app-layer-template: fix log typo 5 years ago
Jason Ish 4dc80a6e6f conf/yaml: limit recursion depth while paring YAML 
A deeply nested YAML file can cause a stack-overflow while
reading in the configuration to do the recursive parser. Limit
the recursion level to something sane (128) to prevent this
from happening.

The default Suricata configuration has a recursion level of 128
so there is still lots of room to grow (not that we should).

Redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3630
 5 years ago
Victor Julien fc6ada8541 detect/parse: properly free bidir sigs in error path 5 years ago
Victor Julien 5abead9325 detect/parse: fix minor memory leak in error path 
Only reachable on SCMalloc so should be unlikely to be reached.
 5 years ago
Victor Julien 27186778b8 fuzz: allow uninitialized stats api 5 years ago
Victor Julien 794d9eeb83 fuzz: remove UNITTEST dependency 
Expose UTH flow builder to new 'FUZZ' define as well. Move UTHbufferToFile
as well and rename it to a more generic 'TestHelperBufferToFile'.

This way UNITTESTS can be disabled. This leads to smaller code size
and more realistic testing as in some parts of the code things
behave slightly differently when UNITTESTS are enabled.
 5 years ago
Jason Ish 4639dd7932 source/erf: validate record length before read 
Check the ERF record length before attempting to read it as
a record length less than the size of the record header
is invalid.

Redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3593
 5 years ago
Victor Julien 960c52d7ff fuzz/sigpcap: initialize empty packet pool 
Fixes runs with --enable-debug-validation. The target did not init a
packet pool, so for a tunnel packet would try to get a packet from
an uninitialized pool. In non-debug mode, this silently works by
falling back to a packet from alloc.

    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff35a6801 in __GI_abort () at abort.c:79
    #2  0x00007ffff359639a in __assert_fail_base (fmt=0x7ffff371d7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x555557fe7260 "!(pool->initialized == 0)",
        file=file@entry=0x555557fe7220 "tmqh-packetpool.c", line=line@entry=253, function=function@entry=0x555557fe7500 <__PRETTY_FUNCTION__.21181> "PacketPoolGetPacket") at assert.c:92
    #3  0x00007ffff3596412 in __GI___assert_fail (assertion=0x555557fe7260 "!(pool->initialized == 0)", file=0x555557fe7220 "tmqh-packetpool.c", line=253,
        function=0x555557fe7500 <__PRETTY_FUNCTION__.21181> "PacketPoolGetPacket") at assert.c:101
    #4  0x00005555577e24be in PacketPoolGetPacket () at tmqh-packetpool.c:253
    #5  0x0000555556914ecd in PacketGetFromQueueOrAlloc () at decode.c:183
    #6  0x00005555569161e1 in PacketTunnelPktSetup (tv=0x555559863980 <tv>, dtv=0x614000068e40, parent=0x61e0000fc080, pkt=0x61e0000fc470 "LL", len=72, proto=DECODE_TUNNEL_IPV4) at decode.c:286
    #7  0x00005555569de694 in DecodeIPv4inIPv6 (tv=0x555559863980 <tv>, dtv=0x614000068e40, p=0x61e0000fc080, pkt=0x61e0000fc470 "LL", plen=72) at decode-ipv6.c:59
    #8  0x00005555569e60b5 in DecodeIPV6ExtHdrs (tv=0x555559863980 <tv>, dtv=0x614000068e40, p=0x61e0000fc080, pkt=0x61e0000fc470 "LL", len=112) at decode-ipv6.c:522
    #9  0x00005555569e846f in DecodeIPV6 (tv=0x555559863980 <tv>, dtv=0x614000068e40, p=0x61e0000fc080, pkt=0x61e0000fc420 "cLL", len=255) at decode-ipv6.c:641
    #10 0x0000555556a032f9 in DecodeRaw (tv=0x555559863980 <tv>, dtv=0x614000068e40, p=0x61e0000fc080, pkt=0x61e0000fc420 "cLL", len=255) at decode-raw.c:70
    #11 0x0000555557659ba8 in DecodePcapFile (tv=0x555559863980 <tv>, p=0x61e0000fc080, data=0x614000068e40) at source-pcap-file.c:412
    #12 0x0000555556573401 in LLVMFuzzerTestOneInput (data=0x613000000047 "\241\262\315\064", size=339) at tests/fuzz/fuzz_sigpcap.c:158
    #13 0x0000555557a4dc66 in main (argc=2, argv=0x7fffffffdfa8) at tests/fuzz/onefile.c:51

That line:

    BUG_ON(pool->initialized == 0);
 5 years ago
Todd Mortimer 944209592f detect/threshold: Add tests for thresholding by_rule and by_both. 5 years ago
Todd Mortimer 50e5b80463 detect/threshold: Add a common function to (re)allocate the by_rule threshold table. 
Ensure that the by_rule threshold table is initialized if a rule
is thresholded by_rule. Replace manual table reallocaton with calls
to the common function.
 5 years ago
Todd Mortimer 82dc61f4c3 detect/threshold: Refactor threshold calculation to handle by_rule and by_both. 
The only difference between threshold calculations for by_src/by_dst,
by_rule or by_both is which table stores the DetectThresholdEntry.
Refactor the ThresholdHandlePacket* functions to do table lookup and
storage individually, but calculate thresholds in a common function.
 5 years ago
Todd Mortimer 9fafc1031c time: Add TIMEVAL_EARLIER and TIMEVAL_DIFF_SEC macros. 
Make it easy to compare 'struct timeval's and get their difference.
 5 years ago
Todd Mortimer e945dea244 detect/threshold: Parse by_rule and by_both in rules. 
Also add tests for parsing them.
 5 years ago
Victor Julien ed8f48b053 app-layer/proto-detect: minor cleanup 
Make sure the mask calculation is u32.
 5 years ago
Victor Julien aba4e19548 detect/pktvar: fix memory leaks 5 years ago
Philippe Antoine 240df05af5 fuzz: limit input size for protocol detection consistency check 5 years ago
Jeff Lucovsky 6bffe0bd35 detect/ssl: Fix memory leak in version parsing 
This commit fixes a memory leak in the SSL version handling that
manifests when the version identifier is incomplete or incorrect.
 5 years ago
Philippe Antoine 91b2930891 fuzz: build compatibility with oss-fuzz flags 
ie C define FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 5 years ago
Victor Julien 09a21545ce flow: cleanup expectations first 
Make sure to cleanup expectations for a flow as the first step, before
parts of the flow itself are getting cleaned/freed.

Also indicate use unlikely as flows with expectations should be relatively
rare.
 6 years ago
Eric Leblond fcfeeeb694 app-layer-expectation: update copyright date 6 years ago
Eric Leblond 1ddd77fae0 app-layer-expectation: clean expectation at flow end 
When a flow timeout, we can have still existing expectations that
are linked to this flow. Given that there is a delay between the
real ending of the flow and its destruction by Suricata, the
expectation should be already honored so we can assume the risk
to clean the expectations that have been triggered by the
to-be-deleted flow.
 6 years ago
Eric Leblond 6c9d1c0861 app-layer-expectation: limit number of expectations 
This patch introduces a limitation in term of number of
expectations attached to one IPPair. This is done using
a circle list so we have a FIFO approach on expectation
handling.

Circleq list code is copied from BSD code like was pre existing code
in queue.h.
 6 years ago
Eric Leblond 03e4bfeb02 app-layer-expectation: remove unused parameter 6 years ago
Jeff Lucovsky 0ae6b0b250 tests/bsize: Fuzzing test case added 
This commit adds a test case to validate the issue found during fuzz
testing.
 6 years ago
Jeff Lucovsky 5b38bc9894 detect/bsize: Ensure numeric values fit 
This commit ensures that the numeric values will not exceed the size of
the containers used to hold them.
 6 years ago
Victor Julien 095981cb2a detect/parse: fix crash on 'internal' keyword use 
When keyword __flowvar__postmatch__, an internal keyword, is used
in a rule the 'Setup' func ptr will be NULL. This caused a crash.
 6 years ago
Victor Julien 1e71eecf47 fuzz/siginit: fix leak in case of bidir sig 6 years ago