7049 Commits (ee7e689b5423295d17f1560e2a3b1a1491cdf314)

Author	SHA1	Message	Date
Jason Ish	b0de5ad1a8	dns: increment tx id when allocated during response	9 years ago
Victor Julien	fe4e119278	common: improve BUG_ON ... When BUG_ON is a wrapper for assert(), we risk getting rid of certain code lines. Assert is a no-op when NDEBUG is defined. This patch defines an alternate path for BUG_ON that exits after printing an error. Bug #2003.	9 years ago
Andreas Herz	98e8b13bf0	decode-icmpv6: add missing types ... There have been some ICMPv6 types missing within the DecodeICMPV6 that are added by this commit and the code check is adjusted to always use the DEFINE.	9 years ago
Jason Ish	bcdbd12839	dns (tcp): register a to_client (response) probing parser ... Just a minimal parser to make sure the data contains at least a header.	9 years ago
Jason Ish	c35c18a797	app-layer: support to server and to client probing parsers ... When registering a probing parser allow to_server and to_client parsers to be registered. Previously the probing parser may be called for both directions which in some cases works OK, but in others can cause the to_client side to be detected as failed.	9 years ago
Victor Julien	586774203f	redis: support for all output types	9 years ago
Victor Julien	2820ed332e	redis: use 'binary' notation for output	9 years ago
Victor Julien	df28c1ac6e	common: add WARN_UNUSED macro	9 years ago
Victor Julien	8c65d45d55	detect: remove dead code	9 years ago
Eric Leblond	63a3b84127	util-magic: fix build when magic is not available ... If HAVE_MAGIC is not defined then we don't have the test functions so we can't register them.	9 years ago
Victor Julien	cb08f02140	xbits: clean up parsing and tests	9 years ago
Jason Ish	27ec811187	pcap-log: fix memory leak during initialization of ring buffer ... A free was missing when files are removed during initialization of the ring buffer. Redmine issue: https://redmine.openinfosecfoundation.org/issues/1985	9 years ago
Eric Leblond	9f6b58747b	smtp: commands and replies are not case sensitive ... RFC states that "Commands and replies are not case sensitive" and patterns were registered to be case sensitive. So this patch fixes a trivial evasion of SMTP signatures.	9 years ago
Mats Klepsland	ffcb4ad232	tls: fix tls_cert_subject prefilter bug ... If check in prefilter was checking that issuer was non-NULL, when it in fact should be checking subject.	9 years ago
Mats Klepsland	10c93221fa	tls: increase max number of tls records per packet ... Tls packets may contain several records. This increase the number of allowed records per packet from 30 to 255, and adds a new and more informative decoder event when this limit is reached.	9 years ago
Mats Klepsland	554065189c	tls: don't trigger decoder event on no extensions in CLIENT_HELLO ... No extensions are allowed in <TLSv.1.2, so don't trigger SURICATA TLS handshake invalid length decoder event when no extensions are specified in CLIENT HELLO.	9 years ago
Victor Julien	810e43f373	magic: make optional ... Make libmagic optional. If installed it will be enabled by default in configure. Use --disable-libmagic to disable.	9 years ago
Jason Ish	79a3c6c7b1	log-pcap: use a snaplen of 262144 instead of -1. ... Newer versions of libpcap will not open pcap files with a snaplen of -1, instead use the current maximum value of 262144. Issue: https://redmine.openinfosecfoundation.org/issues/1987	9 years ago
Victor Julien	a44b612a41	hostbits/xbits: free hostbit ... Fix memory leak. Hostbits were not actually freed. Bug #1975.	9 years ago
Victor Julien	579d6d3ff7	http: allow lower/mixed case in proto detect ... In HTTP detection registered patterns were upper case only. Since the detection is based on both sides this would still work for sessions where one of the talkers misbehaved. If both sides misbehave this would fail however, so this patch introduces case insensive matching.	9 years ago
Jason Ish	92885d6960	profiling: fix shadow error ... Local variable store was shadowing variable in function definition.	9 years ago
Victor Julien	abbc0f76eb	unix-socket: clean up path handling ... Create/check socket path in a single place. Don't use dynamic memory allocation.	9 years ago
Victor Julien	c5e550b10d	unix-socket: create socket directory if possible ... Create the socket directory in the default case. Since we're doing stat+mkdir indicate to Coverity not to worry about the toctou case.	9 years ago
Victor Julien	3f741e450b	unix-socket: be more specific about problems	9 years ago
Victor Julien	9368013645	unix-socket: don't error out on unix socket failure ... If --init-errors-fatal is specified do error out. Bug https://redmine.openinfosecfoundation.org/issues/1973	9 years ago
Jason Ish	2ce95babd6	dnp3: use _ in keyword names instead of "." ... dnp3.ind -> dnp3_ind dnp3.func -> dnp3_func dnp3.obj -> dnp3_obj The variations with a "." are now aliases.	9 years ago
Victor Julien	ab8faefd37	af-packet: fix fanout support on Debian Jessie ... Debian Jessie with kernel 3.16 would not accept the 'id' of 99 used in the test. Id 1 does work.	9 years ago
Alexander Gozman	e492f0dc89	Fix port parsing in config file, added one more corresponding test. ... Some examples from wiki caused parsing errors. For example, "[1:80,![2,4]]" was treated as a mistake. Also fixed loop detection in variables declaration. For example, 'A: "HOME_NET, !$HOME_NET"' resulted in parsing error.	9 years ago
Jason Ish	ba6a1aa73e	unittest-helper: fix format string compiler warnings	9 years ago
Jason Ish	4aceaf9fcd	detect-stream_size: fix format string compiler warnings	9 years ago
Jason Ish	c0377a9870	stream-tcp: fix format string compiler warnings	9 years ago
Jason Ish	5c80a3edf7	modbus: fix format string compiler warnings	9 years ago
Jason Ish	53a8c75385	dnp3: rename "index" variables to "point_index" ... Gcc 4.6 will warning with -Wshadow for a local variable named "index" as <strings.h> has a function named "index". Newer versions of gcc handle this case.	9 years ago
Victor Julien	b4ac048b41	proto detect: fix -Wshadow warning	9 years ago
Victor Julien	07e1e3e02a	dcerpc: fix -Wshadow warnings	9 years ago
Victor Julien	783d2991e5	commandline: fix -Wshadow warnings	9 years ago
Victor Julien	66c213f30c	detect-address: fix -Wshadow warnings	9 years ago
Victor Julien	9a20335b6d	asn1: fix -Wshadow warnings	9 years ago
Victor Julien	dab51144af	asn1: modernize test	9 years ago
Victor Julien	613174e9ce	yaml: fix tests for -Wshadow	9 years ago
Victor Julien	968813b655	dnp3: fix test for -Wshadow	9 years ago
Victor Julien	bb2d8a7133	runmodes: fix -Wshadow warnings	9 years ago
Victor Julien	8c1d157cd2	mpm ac-bs: fix -Wshadow warnings	9 years ago
Victor Julien	0d6d8e01c8	threads: fix -Wshadow warnings	9 years ago
Victor Julien	cd04da673b	commandline: fix -Wshadow warnings	9 years ago
Victor Julien	69ee2f0eb9	nfq: fix -Wshadow warnings ... Rename globals to make sure it's clear they are globals.	9 years ago
Victor Julien	65d2443ccd	reputation: fix -Wshadow warnings	9 years ago
Victor Julien	d893bc55e0	eve-flow: fix -Wshadow warning	9 years ago
Victor Julien	9477fd4628	eve-file: fix -Wshadow warnings	9 years ago
Victor Julien	ed0918bc35	ippair: fix -Wshadow warning	9 years ago
Victor Julien	5f786b5cd7	host: fix -Wshadow warning	9 years ago
Victor Julien	0c3b89356e	flow: fix -Wshadow warning	9 years ago
Victor Julien	70452f67a4	within: fix -Wshadow warning	9 years ago
Victor Julien	47c4a8cd28	prefilter: fix -Wshadow warnings	9 years ago
Victor Julien	f2f0f84cca	detect: fix -Wshadow warning	9 years ago
Victor Julien	070a6caaf3	app engines: fix -Wshadow warning	9 years ago
Victor Julien	691fae6520	address: fix -Wshadow warning	9 years ago
Victor Julien	34b030b45f	distance: fix -Wshadow warning	9 years ago
Victor Julien	d50b4b8471	content: fix -Wshadow warning	9 years ago
Victor Julien	02df79f67b	mem: fix SCStrdup -Wshadow warning	9 years ago
Victor Julien	f97e857c02	dns: fix -Wshadow warnings	9 years ago
Victor Julien	6a971a5a02	app-layer-proto-detect: fix -Wshadow warning	9 years ago
Victor Julien	287fd83796	dnp3: fix coverity CID 1374300	9 years ago
Victor Julien	8915f2de38	flow: suppress coverity CID 400600	9 years ago
Victor Julien	edcc8e7ec9	stat: suppress CID 1293508 and 1312013	9 years ago
Victor Julien	7021959689	nfq: suppress CID 1374302 and 1374303	9 years ago
Victor Julien	da6bf0c1b6	host-info: coverity 1298890	9 years ago
Victor Julien	9904b3f348	ttl: coverity 400560 + minor cleanups	9 years ago
Victor Julien	d30f7f6b48	tos: coverity 400559	9 years ago
Victor Julien	ad8f9f9334	ssl-state: coverity 400558	9 years ago
Jason Ish	c91974e24a	issue 1961: depth: fail if numeric value has trailing text ... Catches the case where the depth is not terminated with a semicolon (eg: "depth:17 classtype:trojan-activity") which is usually a sign the rule has a missing semi-colon.	9 years ago
Jason Ish	a1eca40611	log-pcap.c: cleanup scan-build warning ... Don't initialize value to a value that is never used.	9 years ago
Jason Ish	553f7ec290	log-pcap.c: fix resource leak found by coverity ... Goto the failure label instead of returning which will allow the open directory to get cleaned up. Fixes: *** CID 1394675: Resource leaks (RESOURCE_LEAK) /src/log-pcap.c: 615 in PcapLogInitRingBuffer() 609 * failure as the file might just not be a pcap log file. */ 610 continue; 611 } 612 613 PcapFileName *pf = SCCalloc(sizeof(*pf), 1); 614 if (unlikely(pf == NULL)) { >>> CID 1394675: Resource leaks (RESOURCE_LEAK) >>> Variable "dir" going out of scope leaks the storage it points to. 615 return TM_ECODE_FAILED; 616 } 617 char path[PATH_MAX]; 618 snprintf(path, PATH_MAX - 1, "%s/%s", pattern, entry->d_name); 619 if ((pf->filename = SCStrdup(path)) == NULL) { 620 goto fail; This also means that pf can be NULL which should clear up CID 1394676 (REVERSE_INULL).	9 years ago
Jason Ish	bbb93e487e	pcap-log: seed ring buffer on start up ... On start, look for existing pcap log files and add them to the ring buffer. This makes pcap-log self maintaining over restarts removing the need for external tools to clear orphaned files.	9 years ago
Eric Leblond	a2e2f50fb9	documentation: fix list keywords URLs ... Update URLs in keyword definition to point to sphinx documentation.	9 years ago
Jason Ish	fffdc6e3fd	logging: hook the application log file into rotation	9 years ago
Jason Ish	73a1d04779	logging: open application log file in append mode ... It was being open in read/write mode, which was likely a mistake with append mode being the intention.	9 years ago
Jason Ish	666fecc579	dns: accept a data length of 0 without marking as malformed ... Addresses issue: https://redmine.openinfosecfoundation.org/issues/1924	9 years ago
Jason Ish	d5eca41a71	ipfw: disable more code to suppress compiler warnings ... Disabled code lead to unused variable warnings, so disable the variable code as well.	9 years ago
Jason Ish	2b874abada	compiler warnings: fix compiler warnings in format strings	9 years ago
Victor Julien	3f8ee2afd3	detect-lua: unify on using 'lua' name vs 'luajit'	9 years ago
Victor Julien	0366d47608	luajit: remove unused instance counter	9 years ago
Victor Julien	3da7dad514	lua: luajit improvements ... Luajit has a strange memory requirement, it's 'states' need to be in the first 2G of the process' memory. This patch improves the pool approach by moving it to the front of the start up. A new config option 'luajit.states' is added to control how many states are preallocated. It defaults to 128. Add a warning when more states are used then preallocated. This may fail if flow/stream/detect engines use a lot of memory. Add hint at exit that gives the max states in use if it's higher than the default.	9 years ago
Victor Julien	064c070db7	pcap-file: minor cleanup	9 years ago
Victor Julien	238163bc8d	ENIP: disable parser if no config found	9 years ago
Victor Julien	080a2f0cfb	DNP3: disable in case of no dnp3 config	9 years ago
Jason Ish	65bf06975c	dnp3: fix coverity checks; return value not checked	9 years ago
Victor Julien	1f670837ac	detect: add missing break (CID 1374301)	9 years ago
Victor Julien	c0f25bddaf	eve: make payload printing in alerts more robust	9 years ago
Victor Julien	39a23d8d1b	flowint: allow / in name	9 years ago
Victor Julien	56ff853e73	hostbits: test fixes	9 years ago
Victor Julien	8831e5b375	pkt-var: const name	9 years ago
Victor Julien	5dc9c1b874	DNP3: minor cleanup	9 years ago
Victor Julien	7cf231c7ec	DNP3: don't leak memory on dnp3_obj parsing	9 years ago
Jason Ish	f0de1d04a9	DNP3: Use directional logging. ... Instead of waiting for a transaction complete, log the request as soon as it is completes which will give it a more accurate timestamp.	9 years ago
Jason Ish	f70badeb0e	DNP3: --afl-dnp3 entry point	9 years ago
Jason Ish	a59f31a99f	DNP3: Lua detect support. ... Adds support for access the DNP3 transaction in Lua rules.	9 years ago
Jason Ish	44a69f6355	DNP3: Log DNP3 info with DNP3 alert.	9 years ago
Jason Ish	1c3f373543	DNP3: Log DNP3 transactions.	9 years ago
Jason Ish	1a31bded4a	DNP3: dnp3_data, dnp3_func, dnp3_ind, dnp3_obj rule keywords	9 years ago
Jason Ish	bbaa79b80e	DNP3: Application layer decoder. ... Decodes TCP DNP3 and raises some DNP3 decoder alerts.	9 years ago
Jason Ish	da40714cb1	common: define json_boolean when not defined ... Older versions of jansson in current use don't have this macro defined.	9 years ago
fooinha	f6c0abaae7	eve: check redis reply in non pipeline mode ... We may lose the reply if disconnection happens. Reconnection is needed.	9 years ago
Victor Julien	2758f82515	flowvar: cleanups	9 years ago
Jason Ish	9d271e9a71	fast-pattern: fix tls_sni ... Use all 38 arguments in call to SigMatchGetLastSMFromLists Was preventing fast_pattern from being applied to tls_sni: https://redmine.openinfosecfoundation.org/issues/1936	9 years ago
Jason Ish	7d734edca8	dns: use new unittest macros	9 years ago
Jason Ish	a8f6fb0f78	dns: support back to back requests without a response ... Address the issue where a DNS response would not be logged when the traffic is like: - Request 1 - Request 2 - Response 1 - Response 2 which can happen on dual stack machines where the request for A and AAAA are sent out at the same time on the same UDP "session". A "window" is used to set the maximum number of outstanding responses before considering the olders lost.	9 years ago
Jason Ish	64cc91a569	tcp dns: unit test for multi-request buffer	9 years ago
Jason Ish	2d4df19401	tcp dns: fix advancement to next request in buffer ... The advancement through the buffer was not taking into account the size of the length field resulting in the second request being detected as bad data.	9 years ago
Victor Julien	db1c47cb6e	multi-tenant: make less verbose	9 years ago
Victor Julien	51bb1f0d77	multi-tenants: fix minor memleak	9 years ago
Victor Julien	059b25b564	detect: suppress debug message for reloads	9 years ago
Victor Julien	321fb6463e	vars: small cleanups	9 years ago
Victor Julien	e4b2729399	nfq: support bypass for rebuilt fragment packets	9 years ago
Victor Julien	629fa30345	nfq_set_mask: set mark on root pkt for tunnels	9 years ago
Eric Leblond	d8acf3542d	source-nfq: document bypass function	9 years ago
Eric Leblond	e0000eb58d	source-nfq: fix tunnel mark callback algorithm ... In case of a tunnel packet, adding a mark to the root packet will have for consequence to bypass all the flows that are hosted in this tunnel. This is not the attended behavior and as initial fix let's simply warn suricata that bypass for NFQ is not possible for this kind of packets. This patch also fixes a segfault. The root packet was accessed even if it is NULL causing a NULL dereference: ASAN:SIGSEGV ================================================================= ==24408==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x00000076f948 bp 0x7f435c000240 sp 0x7f435c000220 T5) ASAN:SIGSEGV ==24408==AddressSanitizer: while reporting a bug found another one. Ignoring. #0 0x76f947 in NFQBypassCallback /home/victor/dev/suricata/src/source-nfq.c:510 #1 0x4d0f02 in PacketBypassCallback /home/victor/dev/suricata/src/decode.c:395 #2 0x7b8a95 in StreamTcpPacket /home/victor/dev/suricata/src/stream-tcp.c:4661 #3 0x7b9ddd in StreamTcp /home/victor/dev/suricata/src/stream-tcp.c:4913 #4 0x68fa50 in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:194 #5 0x7f0abd in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:128 #6 0x7f2958 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:585 #7 0x7f436368e6f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9) #8 0x7f4362802b5c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/victor/dev/suricata/src/source-nfq.c:510 NFQBypassCallback Thread T5 (W#04) created by T0 (Suricata-Main) here: #0 0x7f4364ff2253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253) #1 0x7f9c48 in TmThreadSpawn /home/victor/dev/suricata/src/tm-threads.c:1843 #2 0x8da7c0 in RunModeSetIPSAutoFp /home/victor/dev/suricata/src/util-runmodes.c:519 #3 0x73e3ff in RunModeIpsNFQAutoFp /home/victor/dev/suricata/src/runmode-nfq.c:74 #4 0x7503fa in RunModeDispatch /home/victor/dev/suricata/src/runmodes.c:382 #5 0x7e5cb3 in main /home/victor/dev/suricata/src/suricata.c:2547 #6 0x7f436271c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)	9 years ago
Victor Julien	397c541c09	detect: fix multi-tenant loaders	9 years ago
Victor Julien	7e54ee7d0e	flow-timeout: fix memory errors on flow bypass ... For flow bypass, the flow timeout handling is triggered which may create up to 3 pseudo packets that hold a reference to the flow. However, in the bypass case the code signaled to the timeout logic that the flow can be freed unconditionally by returning 1. This lead to packets going through the engine with a pointer to a now freed/recycled flow. This patch fixes the logic by removing the special bypass case, which seemed redundant anyway. Effectively reverts 68d9677. Bug #1928.	9 years ago
Victor Julien	d1d618a668	flow-manager: cleanups and comment improvements	9 years ago
Victor Julien	368d5d931c	flow-timeout: don't leak flow reference in error path	9 years ago
Victor Julien	e072e70ea6	alert: fix rate_filter issues ... Fix rate_filter issues: if action was modified it wouldn't be logged in EVE. To address this pass the PacketAlert structure to the threshold code so it can flag the PacketAlert as modified. Use this in logging. Update API to use const where possible. Fix a timout issue that this uncovered.	9 years ago
Jason Ish	dcdf160ab2	conf: cleanup compiler warning (unintialized vars)	9 years ago
Jason Ish	8f56c23468	detect-flow: no_frag and only_frag keyword support ... Support flow:no_frag and flow:only_frag keywords from Snort.	9 years ago
Jason Ish	f81619a13e	defrag: set flag on packets reassembled from fragments ... Set the PKT_REBUILT_FRAGMENT on packets that are re-assembled from fragments.	9 years ago
Jason Ish	571f56cfcf	detect-flow: support flow:not_established	9 years ago
Jason Ish	dc762cd44d	detect-flow: use new unit test macros	9 years ago
Duarte Silva	6948b2332a	file-hashing: Fixed line parsing code	9 years ago
Victor Julien	449c93e062	detect-app-layer-protocol: improve rule validation ... Also add tests for PD-only conditions	9 years ago
Victor Julien	0ed119068d	detect-app-layer-protocol: implement prefilter ... Introduce 'Protocol detection'-only rules. These rules will only be fully evaluated when the protocol detection completed. To allow mixing of the app-layer-protocol keyword with other types of matches the keyword can also inspect the flow's app-protos per packet. Implement prefilter for the 'PD-only' rules.	9 years ago
Victor Julien	8094b2b12e	detect-app-layer-protocol: convert to pkt match	9 years ago
Victor Julien	c28d9d0538	eve: print app_proto_ts/app_proto_tc	9 years ago
Victor Julien	dbb3a12b32	logging: return string for ALPROTO_FAILED	9 years ago
Victor Julien	93298e91c7	app-layer counters: count failed protocol detect	9 years ago
Victor Julien	3b98feef01	proto-detect: clean up UDP handling ... Set FAILED instead of using a flow flag. Flag packets in both sides when detection is done. Detection is only done in one direction.	9 years ago
Victor Julien	90bf2b5a32	proto detect: improve error case handling ... Improve flags logic, update tests.	9 years ago
Victor Julien	e955cf3366	detect-app-layer-protocol: improve error handling ... Redo tests.	9 years ago
Victor Julien	9560e8b5b2	proto-detect: update mismatch handling ... Improve protocol mismatch handling. Preserve both protos. Use otherdir if already sent to parser, use toclient otherwise.	9 years ago
Victor Julien	7d7ec78cc3	app-layer-protocol: improve detection ... Add negated matches to match list instead of amatch. Allow matching on 'failed'. Introduce per packet flags for proto detection. Flags are used to only inspect once per direction. Flag packet on PD-failure too.	9 years ago
Victor Julien	ac2cf526f1	proto detect: remove flow data tracking ... The Flow::data_al_so_far was used for tracking data already parsed when protocol for the current direction wasn't known yet. As this behaviour has changed the tracking can be removed.	9 years ago
Victor Julien	d7c828bcb0	proto detect: update behavior on partial detection ... When the current direction doesn't get a protocol detection, but the opposing direction did, previously we would send the current data to the parser. Then when we'd be invoked again (until the protocol detection finally failed) we'd get the same data + the new data. To make sure we'd not send the same data to the parser again, the flow kept track of how much was already sent to the app-layer using data_al_so_far. This patch changes the behaviour. Instead of sending the data for the current direction right away, we only do this when protocol detection is complete. This way we won't have to track anything.	9 years ago
Victor Julien	6022fa44a5	proto detect: TCP cleanup ... Split function into multiple smaller ones.	9 years ago
Victor Julien	8347aa01fa	app-layer: clean up counters registration	9 years ago
Victor Julien	b789d2ae3d	tls: change 'no-reassemble' option to default off ... This option was broken so there should be no visible change to actual deployments.	9 years ago
Thomas Andrejak	c17402fdcb	prelude: add IPv6 support	9 years ago
Thomas Andrejak	dcce225102	prelude: add missing TCP header to additional data	9 years ago
Thomas Andrejak	e33060cee0	prelude: coding style, it's better to use macro	9 years ago
Thomas Andrejak	b1c1699699	prelude: Add other actions than just ACTION_DROP when packet drop	9 years ago
Thomas Andrejak	4d4a3d0b8f	prelude: Add log when failed to create assessment or impact object	9 years ago
Thomas Andrejak	18c9312380	Add macro for TCP and UDP header access	9 years ago
Eric Leblond	4eca40ac34	app-layer-tls: stop detection if no reassembly ... It no-reassembly is asked in TLS conf then we can stop inspection after handshake and cause bypass to be triggered on the flow.	9 years ago
Eric Leblond	69e1ff7ba7	stream-tcp: bypass encrypted when both side ready ... Suricata should not completely bypass a flow before both end of it have reached the stream depth or have reached a certain state. Justification is that suricata need the ACK to treat the other side so we can't really decide to cut only one side.	9 years ago
Nicolas Thill	e95e6ccded	lua: add an SCPacketTimestamp function ... The SCPacketTimestamp function returns packet timestamps as 2 real numbers (seconds & microseconds). Example: local sec, usec = SCPacketTimestamp() Signed-off-by: Nicolas Thill <ntl@p1sec.com>	9 years ago
Victor Julien	f4b165de94	file: register filedata loggers before file ... This fixes the issue that 'stored' remained false even if the file was stored. Reported-by: Chris Wakelin	9 years ago
Victor Julien	43aed70976	detect: during detection sgh is read only so turn into const	9 years ago
Victor Julien	0e31124609	detect: add util func for post-inspect tasks on first sgh	9 years ago
Victor Julien	d3fb4de1b5	detect: move file flags update into it's own function	9 years ago
Victor Julien	664f9aa906	flow: use BIT_U32 for flags	9 years ago
Victor Julien	c81aaeda7b	flow: move file flags into their own variable ... Move FLOW_FILE_* flags into Flow::file_flags. Rename them to FLOWFILE_* so non updated code will break.	9 years ago
Jason Ish	3fab684f97	logging: don't log that json is disabled in each logger ... A warning log is already emitted if eve-log is enabled in the configuration but json support is not built so the logger registration functions can be silent.	9 years ago
Jason Ish	0bce4b5534	macOS: thread return value affects newer macOS as well ... ALl OS X/macOS versions since 10.10 return EDEADLK here instead of EBUSY. Assume they will moving forward as well.	9 years ago
Victor Julien	f867bb61e6	http: fix memory leak in error path	9 years ago
Victor Julien	40af9aad02	streaming: improve error handling ... When memory allocations happened in HTTP body and general file tracking, malloc/realloc errors (most likely in the form of memcap reached conditions) could lead to an endless loop in the buffer grow logic. This patch implements proper error handling for all Append/Insert functions for the streaming API, and it explicitly enables compiler warnings if the results are ignored.	9 years ago
Victor Julien	879c3d8ad7	detect: fix scan-build 0-size alloc warnings	9 years ago
Jason Ish	09c3e1dd8a	pcap-log: cleanup allocations at exit ... Particularly in multi-mode, allocations made for each thread were not being cleaned. ASAN reports no leaks now on exit.	9 years ago
Victor Julien	f80ce51ddf	unix-socket: don't try to change permissions on BSD ... On BSD using fchmod on a socket is not supported and will result in EINVAL.	9 years ago
Victor Julien	96c28b2995	bug 1353: don't cut off last char of unix path	9 years ago
Victor Julien	4a190e07a6	pcre: disable JIT if RWX pages not supported	9 years ago
Victor Julien	46f5f4cff8	util: add facility to check for RWX page support ... Some code won't work well when the OS doesn't allow RWX pages. This page introduces a check for runtime evaluation of the OS' policy on this. Thanks to Shawn Webb from HardenedBSD for suggesting this solution.	9 years ago
Victor Julien	a3a1757472	flow-mgr: fix bypass counter registration	9 years ago
Victor Julien	595c20ddf4	der: fix asan/valgrind errors in time parsing	9 years ago
Victor Julien	7e4df3a1d1	tls-validity: fix memory handling	9 years ago
Mats Klepsland	10d827639e	detect-tls-cert-validity: clean up unit tests ... Remove locks, unnecessary function calls and conditional statements.	9 years ago
Mats Klepsland	1fea52dd8a	detect: add keyword tls_cert_valid ... Add keyword to check if TLS certificate is valid.	9 years ago
Mats Klepsland	f7e0083269	detect-cert-validity: fix typos	9 years ago
Mats Klepsland	f22c9d9781	detect: add keyword tls_cert_expired ... Add keyword to check if TLS certificate is expired.	9 years ago
Mats Klepsland	07d2312d96	detect-tls-validity: use flags for modes ... Use flags for modes to support using multiple modes at the same time.	9 years ago
Giuseppe Longo	3f214b506a	file-store: add depth setting ... When a rules match and fired filestore we may want to increase the stream reassembly depth for this specific. This add the 'depth' setting in file-store config, which permits to specify how much data we want to reassemble into a stream.	9 years ago
Giuseppe Longo	4751677e24	app-layer: use StreamTcpSetReassemblyDepth ... This calls StreamTcpSetReassemblyDepth to set the stream depth specified for the protocol.	9 years ago
Giuseppe Longo	9ab1194f68	modbus: set stream depth ... Some protocol like modbus requires a infinite stream depth because session are kept open and we want to analyze everything. Since we have a stream reassembly depth per stream, we can also set a stream reassembly depth per proto.	9 years ago
Giuseppe Longo	b160c49e9e	app-layer-parser: add stream depth ... This permits to set a stream depth value for each app-layer. By default, the stream depth specified for tcp is set, then it's possible to specify a own value into the app-layer module with a proper API.	9 years ago
Eric Leblond	a63c6b320e	stream: per TcpStream reassembly depth	9 years ago
Victor Julien	960ebb2822	enip: fix scan-build warnings ... detect-cipservice.c:161:29: warning: Assigned value is garbage or undefined cipserviced->cipservice = input[0]; ^ ~~~~~~~~ detect-cipservice.c:162:27: warning: Assigned value is garbage or undefined cipserviced->cipclass = input[1]; ^ ~~~~~~~~ detect-cipservice.c:163:31: warning: Assigned value is garbage or undefined cipserviced->cipattribute = input[2]; ^ ~~~~~~~~ 3 warnings generated.	9 years ago
Victor Julien	80c3aedbfc	enip: parsing and tests cleanup	9 years ago
Victor Julien	72b5da4313	enip/cip: improve output & style ... Remove printf, remove \n from SCLogDebug. Add SCLogError for rule parsing issues. Fix various style issues	9 years ago
Victor Julien	6b1c21b115	enip/cip: register inspect engines	9 years ago
kwong	a3ffebd835	Adding SCADA EtherNet/IP and CIP protocol support ... Add support for the ENIP/CIP Industrial protocol This is an app layer implementation which uses the "enip" protocol and "cip_service" and "enip_command" keywords Implements AFL entry points	9 years ago
Victor Julien	d9811e58b6	http_header: don't separately inspect trailer yet ... Currently the regular 'Header' inspection code will run each time after the HTTP progress moved beyond 'headers'. This will include the trailers if there are any. Leave the code in place as this model will change in the not too distant future.	9 years ago
Victor Julien	358eacf14f	http_header: only run trailer mpm if we have trailers	9 years ago
Victor Julien	44022743f2	http: track if request/response have trailers	9 years ago
Victor Julien	798ba010ca	prefilter: use array of engines per sgh ... Instead of the linked list of engines setup an array with the engines. This should provide better locality. Also shrink the engine structure so that we can fit 2 on a cacheline. Remove the FreeFunc from the runtime engines. Engines now have a 'gid' (global id) that can be used to look up the registered Free function.	9 years ago
Victor Julien	8321f04ef3	prefilter: clean up setup code	9 years ago
Victor Julien	d36c0c15ea	detect: reshuffle keyword registration order ... The order of keyword registration currently affects inspect engine registration order and ultimately the order of inspect engines per rule. Which in turn affects state keeping. This patch makes sure the ordering is the same as with older releases.	9 years ago
Victor Julien	58ac4027ef	detect: clean up inspect engine registration	9 years ago
Victor Julien	a24870f29f	detect app-layer-event: clean up registration ... Move engine and registration into the keyword file. Register as 'ALPROTO_UNKNOWN' instead of per alproto. The registration will only apply it to those rules that have events set.	9 years ago
Victor Julien	9e35fa7f41	detect: remove empty app registration table	9 years ago
Victor Julien	8a0bea872c	template_buffer: register inspect engine from keyword	9 years ago
Victor Julien	6f253e1ea7	file detect: register inspect engines from keyword	9 years ago
Victor Julien	08d0fe0916	modbus detect: register inspect engine from keyword	9 years ago
Victor Julien	2db094ab7a	dns detect: register inspect engine from keyword	9 years ago
Victor Julien	c9bb762f64	tls_cert_issuer: register inspect engine from keyword	9 years ago
Victor Julien	e28e98bcaa	tls_cert_subject: register inspect engine from keyword	9 years ago
Victor Julien	a87c196b60	tls_sni: register inspect engine from keyword	9 years ago
Victor Julien	200a4c1593	http_stat_code: register inspect engine from keyword	9 years ago
Victor Julien	cd705752db	http_stat_msg: register inspect engine from keyword	9 years ago
Victor Julien	20e93ba419	file_data: register inspect engine from keyword	9 years ago
Victor Julien	0496b3f6a5	http_raw_host: register inspect engine from keyword	9 years ago
Victor Julien	a00629ab55	http_host: register inspect engine from keyword	9 years ago
Victor Julien	edb2936998	http_user_agent: register inspect engine from keyword	9 years ago
Victor Julien	fc857c5455	http_raw_uri: register inspect engine from keyword	9 years ago
Victor Julien	b1adea6eee	http_cookie: register inspect engine from keyword	9 years ago
Victor Julien	cd8b1b0b4c	http_method: register inspect engine from keyword	9 years ago
Victor Julien	b314829614	http_raw_header: register inspect engine from keyword	9 years ago
Victor Julien	eb19eb3fe4	http_header: register inspect engine from keyword	9 years ago
Victor Julien	4096f76b1b	http_client_body: register inspect engine from keyword	9 years ago
Victor Julien	b96c2c5db5	http_uri: register inspect engine from keyword	9 years ago
Victor Julien	cc96fedb90	http_response_line: register inspect engine from keyword	9 years ago
Victor Julien	0feeb8d538	http_request_line: register inspect engine from keyword	9 years ago
Victor Julien	5bde86b0e8	detect-engine: new registration call ... Make it more in line with MPM registration.	9 years ago
Victor Julien	9a0bbd6239	detect mpm: small optimization	9 years ago
Victor Julien	ad3c97f470	detect-mpm: cleanup	9 years ago
Victor Julien	5f994756e6	detect-engine: improved inspect engines ... Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.	9 years ago
Victor Julien	bac37fc9ae	detect state: reorganize flags ... List the common non-buffer specific flags on top.	9 years ago
Victor Julien	f1e3840516	http_response_body: implement keyword with mpm ... Implemented as 'stickybuffer'.	9 years ago
Victor Julien	4c98b6cef3	http_request_line: implement keyword and mpm ... Implemented as 'stickybuffer'. Move all logic into the keyword file and remove bad tests that tested URI instead of request line.	9 years ago
Victor Julien	960461f4db	fast_pattern: register app layer mpms automatically ... Allow for duplicate registrations for the same list. After the first registration new calls will be ignored.	9 years ago
Victor Julien	6dd4dff7b2	mpm: remove empty app_mpms table	9 years ago
Victor Julien	e68b2214e5	tls: register mpm from keywords	9 years ago
Victor Julien	57ae3c43e5	dns_query: register mpm from keyword	9 years ago
Victor Julien	a1a2187a0c	http_cookie: register mpm from keyword	9 years ago
Victor Julien	74661449e0	http_raw_host: register mpm from keyword	9 years ago
Victor Julien	b5cd4889ae	http_host: register mpm from keyword	9 years ago
Victor Julien	91695c81aa	http_client_body: register mpm from keyword	9 years ago
Victor Julien	644d4dc61b	http_stat_code: register mpm from keyword	9 years ago
Victor Julien	cf96db095a	http_stat_msg: register mpm from keyword	9 years ago
Victor Julien	43b281a510	file_data: register mpm from keyword	9 years ago
Victor Julien	6d0632a9c6	http_method: register mpm from keyword	9 years ago
Victor Julien	e4ea38a8de	http_raw_header: register mpm from keyword	9 years ago
Victor Julien	7813a834d0	http_user_agent: register mpm from keyword	9 years ago
Victor Julien	7b98c0073f	http_header: register mpm from keyword	9 years ago
Victor Julien	38e018e2d3	http_raw_uri: register mpm from keyword	9 years ago
Victor Julien	7289d12f1b	http_uri: register mpm from keyword	9 years ago
Victor Julien	5b2e36a1b0	mpm: add App Layer MPM registery ... Register keywords globally at start up. Create a map of the registery per detection engine. This we need because the sgh_mpm_context value is set per detect engine. Remove APP_MPMS_MAX.	9 years ago
Victor Julien	ae5846b4de	detect: simplify content inspection types ... Instead of a type per buffer type, pass just 3 possible types: packet, stream, state. The individual types weren't used. State is just there to be not packet and not stream.	9 years ago
Victor Julien	e1eb481647	prefilter: cleanup and optimization	9 years ago
Victor Julien	dba14b676c	profiling: more prefilter profiling	9 years ago
Victor Julien	125603871b	detect: config opt to enable keyword prefilters	9 years ago
Victor Julien	36f713c8d4	prefilter: in profiling print totals	9 years ago
Victor Julien	2e878c2024	prefilter: alloc CLS aligned memory	9 years ago
Victor Julien	732921922a	detect mpm: consider sgh direction when adding rules	9 years ago