Commit Graph

234 Commits (f08cc1f3db1cae44274c15855d1e4fce6141ff31)

Author SHA1 Message Date
Giuseppe Longo 26ba647d58 filedata: read inspected tracker settings from suricata.yaml 11 years ago
Eric Leblond bd0041470f rules: add app layer events rules
Some application layer events are defined but the corresponding
rules were not available in the rules directory.
11 years ago
Eric Leblond 9fb82390ab suricata.yaml: add missing mpm-algo 11 years ago
Victor Julien 0704ece4d7 detect-reload: enable unconditionally
Reloading is available unconditionally now.
11 years ago
Victor Julien 2e754ca6fa drop json: make alerts logging optional
Make logging out alerts that caused the drop optional.
11 years ago
Eric Leblond 881f32cc02 json-alert: add SSH fields in alert logging 11 years ago
Eric Leblond 180faece7c json-alert: log tls info in alert
This patch adds the capabilities to log the TLS information the
same way it is currently possible to do with HTTP. As it is
quite hard to read ASN.1 directly in the stream, this will help
people to understand why suricata is firing on alert relative
to TLS.
11 years ago
gureedo 10104066e1 netmap support 11 years ago
Victor Julien 9327b08ab1 tcp: add stream.reassembly.zero-copy-size option
The option sets in bytes the value at which segment data is passed to
the app layer API directly. Data sizes equal to and higher than the
value set are passed on directly.

Default is 128.
11 years ago
Ken Steele 5008d0a58b Remove the b2gm and b2gc MPMs
These MPMs have code that looks like it won't work and updating them to
for the new MPM optimization wasn't working.
11 years ago
Duarte Silva 496200dd08 Prepared everything for the proxy deployment configuration
- Added the suricata.yaml configurations and updated the comments
- Renamed the field in the configuration structure to something generic
- Added two new constants and the warning codes
11 years ago
Duarte Silva 4e04cd2d1b Adding XFF support to EVE alert output
- Created app-layer-htp-xff.c and app-layer-htp-xff.h
- Added entries in the Makefile.am
- Added the necessary configuration options to EVE alert section
- Updated Unified2 XFF configuration comments and removed unnecessary whitespace
- Created a generic function to parse the configuration
- Release the flow locks sooner and remove debug logging
- Added XFF support to EVE alert output
11 years ago
DIALLO David bacbe113d0 Add a warning in Modbus section of YAML file to remind user to modify stream depth (unlimited) 11 years ago
Victor Julien c174c9d779 af-packet: threads: auto, default to workers
Add a new default value for the 'threads:' setting in af-packet: "auto".
This will create as many capture threads as there are cores.

Default runmode of af-packet to workers.
11 years ago
Victor Julien a95c95f74c stats: introduce global config
As the stats api calls the loggers at a global interval, the global
interval should be configured globally.

 # global stats configuration
 stats:
   enabled: yes
   # The interval field (in seconds) controls at what interval
   # the loggers are invoked.
   interval: 8

If this config isn't found, the old config will be supported.
11 years ago
DIALLO David 5a0409959f App-layer: Add Modbus protocol parser
Decode Modbus request and response messages, and extracts
MODBUS Application Protocol header and the code function.

In case of read/write function, extracts message contents
(read/write address, quantity, count, data to write).

Links request and response messages in a transaction according to
Transaction Identifier (transaction management based on DNS source code).

MODBUS Messaging on TCP/IP Implementation Guide V1.0b
(http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf)
MODBUS Application Protocol Specification V1.1b3
(http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf)

Based on DNS source code.

Signed-off-by: David DIALLO <diallo@et.esia.fr>
11 years ago
Tom DeCanio e5c36952d6 app-layer-smtp: move old smtp-mime section in suricata.yaml into
app-layer-protocols.smtp.mine section and update code to accomodate.
11 years ago
Tom DeCanio f1c160ed22 smtp: turn on smtp mime decoding and enable smtp eve logging. 11 years ago
David Abarbanel c2dc686742 SMTP MIME Email Message decoder 11 years ago
Giuseppe Longo 07fffa6a7d Fixes comments for pfring section in suricata.yaml
Bug #1301
11 years ago
Victor Julien d44cb3f6fe pcap-log: add option to honor pass rules
Add option (disabled by default) to honor pass rules. This means that
when a pass rule matches in a flow, it's packets are no longer stored
by the pcap-log module.
11 years ago
Jason Ish 5b9c6d4774 Comment out in the action-order section, as its not needed if
the default configuration is used.
11 years ago
Victor Julien 936db9c02a output-lua: add config to yaml
Disabled by default.
11 years ago
Victor Julien 47cd497447 yaml: add eve flow and netflow entries
Added, commented out by default.

Bug #1257.
11 years ago
Victor Julien cd78705e3a streaming-loggers: add configuration
Add a (disabled by default) config to the yaml
11 years ago
Giuseppe Longo b188d93630 json-alert: include HTTP info on the alerts
Extends the JSON alert output to include the HTTP data
at the time of the alert.
11 years ago
Victor Julien 2bcd48bc12 pcap-log: yaml comment update 11 years ago
Victor Julien 0ac94ef777 flow-recycler: support multiple instances
Use new management API to run the flow recycler.

Make number of threads configurable:

flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  managers: 2
  recyclers: 2

This sets up 2 flow recyclers.
11 years ago
Victor Julien e0841218f0 flow-manager: support multiple instances
Use new management API to run the flow manager.

Support multiple flow managers, where each of them works with it's
own part of the flow hash.

Make number of threads configurable:

flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  managers: 2

This sets up 2 flow managers.

Handle misc tasks only in instance 1: Handle defrag hash timeout
handing, host hash timeout handling and flow spare queue updating
only from the first instance.
11 years ago
Victor Julien fdd407751e Fix eve 'filetype' parsing
Now that we use 'filetype' instead of 'type', we should also
use 'regular' instead of 'file'.

Added fallback to make sure we stay compatible to old configs.
11 years ago
Alexander Gozman 54193e89d5 Fixed variables names in suricata.yaml.in Changed logging logic - now it's possible to enable different payload dumping modes separately Fixed bug in dumping packet without stream segments Fixed indents 11 years ago
Alexander Gozman 2a4c7ee5dc Add ability to encode payload in Base64 11 years ago
Ken Steele 0dd16461cf Update max-pending-packet comments to show it is now per-thread.
Updated suricata.yaml and comments in the code.
11 years ago
Eric Leblond de6dac0043 Remove pcapinfo output
EVE logging is a really good substitute for pcapinfo. Suriwire is
now supporting EVE output so it is not anymore necessary to have
pcapinfo in Suricata.
11 years ago
Victor Julien 9ec23bd593 pcap log: document multi option
Add yaml documentation for new 'multi' option.
11 years ago
Victor Julien adde58d2cb log-pcap: improve profiling
Add profiling to a logfile. Default is $log_dir/pcaplog_stats.log

The counters for open, close, rotate, write and handles are written
to it, as well as:
- total bytes written
- cost per MiB
- cost per GiB

Option is disabled by default.
11 years ago
Giuseppe Longo 62aaae24fd Adds a configuration example for nflog support in suricata.yaml 12 years ago
Tom DeCanio 4838b9bf4f json: add custom output capability to http eve log 12 years ago
Victor Julien eae5b1ba35 app-layer: proto detection update
Instead of the notion of toserver and toclient protocol detection, use
destination port and source port.

Independent of the data direction, the flow's port settings will be used
to find the correct probing parser, where we first try the dest port,
and if that fails the source port.

Update the configuration file format, where toserver is replaced by 'dp'
and toclient by 'sp'. Toserver is intrepreted as 'dp' and toclient as
'sp' for backwards compatibility.

Example for dns:

    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53

Like before, progress of protocol detection is tracked per flow direction.

Bug #1142.
12 years ago
Victor Julien c07427c643 yaml: remove rbn, add tls
Remove rbn rule files from default rule list. The files are empty
causing a warning.

Add tls-event.rules to the default list.
12 years ago
Victor Julien 4436526a05 yaml: comment out example config
Comment out htp settings that should only serve as an example.
12 years ago
Victor Julien 3fa4712ab6 yaml: increase default memcaps
Increase default flow and stream reassembly memcaps.
12 years ago
Victor Julien 60a79c8220 eve-log: enable in default config
In the default config, eve-log is now enabled by default. All loggers
except 'drop' are enabled.
12 years ago
Victor Julien 1e21b9f5a9 Disable emerging-icmp in default config
The file has no active rules by default.
12 years ago
Victor Julien d2a6b61d76 yaml: add and comment missing dns settings
DNS memcap settings "global-memcap" and "state-memcap" were missing.

Additionally, add request-flood setting.
12 years ago
Victor Julien 8a735a9b90 profiling: add sample-rate yaml option
Add option "profiling.sample-rate":

  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000

This allows for configuration of the sample rate.
12 years ago
Victor Julien 0032ad34d4 stream: yaml addition for recent config options 12 years ago
Tom DeCanio 0c067646a8 Add "united" JSON files output 12 years ago
Tom DeCanio 07d3b38d3b Add support for JSON output to syslog/unix_stream/unix_dgram 12 years ago
Tom DeCanio 1dd6d7a104 Add "united" log to suricata.yaml.in 12 years ago
Tom DeCanio 5498654114 Add JSON formatted alert output 12 years ago
Eric Leblond ced01da822 htp layer: use memcap for HTTP related allocations
This patch introduces wrapper functions around allocation functions
to be able to have a global HTP memcap. A simple subsitution of
function was not enough because allocated size needed to be known
during freeing and reallocation.

The value of the memcap can be set in the YAML and is left by default
to unlimited (0) to avoid any surprise to users.
12 years ago
Anoop Saldanha 429c6388f6 App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].

Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
  parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
  "dnsudp" in the rules.  A user who previously wrote a rule like this -

  "alert dnstcp....." or
  "alert dnsudp....."

  would now have to use,

  alert dns (ipproto:tcp;) or
  alert udp (app-layer-protocol:dns;) or
  alert ip (ipproto:udp; app-layer-protocol:dns;)

  The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
  callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
  STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
  functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0.  This is
  needed by unittests, which would try to clean the flow, and that would
  call the api, AppLayerParserCleanupParserState(), which would try to
  clean the app state, but the app layer now needs an ipproto to figure
  out which api to internally call to clean the state, and if the ipproto
  is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
  they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
Ken Steele 300b739b1f Add more suricata.yaml configuration options for mPIPE.
Add two new mPIPE load-balancing configuration options in suricata.yaml.
1) "sticky" which keep sending flows to one CPU, but if that queue is full,
don't drop the packet, move the flow to the least loaded queue.
2) Round-robin, which always picks the least full input queue for each
packet.

Allow configuring the number of packets in the input queue (iqueue) in
suricata.yaml.

For the mPipe.buckets configuration, which must be a power of 2, round
up to the next power of two, rather than report an error.

Added mpipe.min-buckets, which defaults to 256, so if the requested number
of buckets can't be allocated, Suricata will keep dividing by 2 until either
it succeeds in allocating buckets, or reaches the minimum number of buckets
and fails.
12 years ago
Eric Leblond 105182f582 yaml: remove no more present files
emerging-virus.rules is not present anymore in ET ruleset downloaded
by 'make install-rules'. This patch removes it from the list to avoid
an error message.
12 years ago
Eric Leblond ff784075a2 htp: randomization of htp inspection sizes
This is an implementation of #940. It randomize libhtp request
and response size if the same way this has been done for stream
inspection.
12 years ago
Giuseppe Longo ae9393987e Adds a defrag configuration example in suricata.yaml 12 years ago
Eric Leblond 8b5be26f49 pcap-file: add checksum-checks configuration variable
This patch adds support for checksum-checks in the pcap-file running
mode. This is the same functionnality as the one already existing for
live interface.

It can be setup in the YAML:
  pcap-file:
    checksum-checks: auto

A message is displayed for small pcap to warn that invalid checksum
rate is big on the pcap file and that checksum-check could
be set to no.
12 years ago
Jason Ish 8625c9eba8 Support for configuration include files. 12 years ago
Victor Julien fb4967912c http: add meta-field-limit option
The meta-field-option allows for setting the hard limit of request
and response fields in HTTP. In requests this applies to the request
line and headers, not the body. In responses, this applies to the
response line and headers, not the body.

Libhtp uses a default limit of 18k. If this is reached an event is
raised.

Ticket 986.
12 years ago
Victor Julien a8b971c710 http: strip 'proxy' part of http_uri
Strip the 'proxy' parts from the normalized uri as inspected by http_uri,
urilen, pcre /U and others.

  In a request line like:
    GET http://suricata-ids.org/blah/ HTTP/1.1
  the normalized URI will now be:
    /blah/

This doesn't affect http_raw_uri. So matching the hostname, etc is still
possible through this keyword.

Additionally, a new per HTTP 'personality' option was added to change
this behavior: "uri-include-all":

  uri-include-all: <true|false>
    Include all parts of the URI. By default the
    'scheme', username/password, hostname and port
    are excluded. Setting this option to true adds
    all of them to the normalized uri as inspected
    by http_uri, urilen, pcre with /U and the other
    keywords that inspect the normalized uri.
    Note that this does not affect http_raw_uri.

So adding uri-include-all:true to all personalities in the yaml will
restore the old default behavior.

Ticket 1008.
12 years ago
Victor Julien 97bfcac444 profiling: introduce per keyword profiling
Initial version of per keyword profiling. Prints stats about
how ofter a keyword was checked and what the costs were.
12 years ago
Jason Ish 2953b3f640 Feature #901 - VLAN defrag support.
Take VLAN IDs into account when re-assembling fragments.

Prevents fragments that would otherwise match, but on different
VLANs from being reassembled with each other.
12 years ago
Eric Leblond 7bcacc712a log: change default log level to notice
This patch updates the log level of meaningful start messages to
notice. It also sets the default log level to notice.
12 years ago
Eric Leblond efc12b24ae reject: use host-mode to set interface
This patch update reject code to send the packet on the interface
it comes from when 'host-mode' is set to 'sniffer-only'. When
'host-mode' is set to 'router', the reject packet is sent via
the routing interface.

This should fix #957.
12 years ago
Eric Leblond 6cf7da30e2 Introduce host-mode.
This variable can be used to indicate to suricata that the host
running is running as a router or is in sniffing only mode.
This will used at least to determine which interfaces are used to
send reject message.
12 years ago
Anoop Saldanha 6f8cfd999f Allow detection ports for alproto to be specified via the conf file.
To understand the option have a look at the option

app-layer.protocols.tls.detection-ports
12 years ago
Anoop Saldanha ddde572fba Introduce new options into the conf file to enable/disable -
1. Proto detection
2. Parsers

For app layer protocols.

libhtp has now been moved to the section under app-layer.protocols.http,
but we still provide backward compatibility with older conf files.
12 years ago
Duarte Silva a28ec79912 Modified suricata configuration
- Added the settings for XFF support
 - Removed non printable characters
12 years ago
Ken Steele 316190c6b9 Add TILE-Gx mPIPE packet processing support.
The TILE-Gx processor includes a packet processing engine, called
mPIPE, that can deliver packets directly into user space memory. It
handles buffer allocation and load balancing (either static 5-tuple
hashing, or dynamic flow affinity hashing are used here). The new
packet source code is in source-mpipe.c and source-mpipe.h

A new Tile runmode is added that configures the Suricata pipelines in
worker mode, where each thread does the entire packet processing
pipeline.  It scales across all the Gx chips sizes of 9, 16, 36 or 72
cores. The new runmode is in runmode-tile.c and runmode-tile.h

The configure script detects the TILE-Gx architecture and defines
HAVE_MPIPE, which is then used to conditionally enable the code to
support mPIPE packet processing. Suricata runs on TILE-Gx even without
mPIPE support enabled.

The Suricata Packet structures are allocated by the mPIPE hardware by
allocating the Suricata Packet structure immediatley before the mPIPE
packet buffer and then pushing the mPIPE packet buffer pointer onto
the mPIPE buffer stack.  This way, mPIPE writes the packet data into
the buffer, returns the mPIPE packet buffer pointer, which is then
converted into a Suricata Packet pointer for processing inside
Suricata. When the Packet is freed, the buffer is returned to mPIPE's
buffer stack, by setting ReleasePacket to an mPIPE release specific
function.

The code checks for the largest Huge page available in Linux when
Suricata is started. TILE-Gx supports Huge pages sizes of 16MB, 64MB,
256MB, 1GB and 4GB. Suricata then divides one of those page into
packet buffers for mPIPE.

The code is not yet optimized for high performance. Performance
improvements will follow shortly.

The code was originally written by Tom Decanio and then further
modified by Tilera.

This code has been tested with Tilera's Multicore Developement
Environment (MDE) version 4.1.5. The TILEncore-Gx36 (PCIe card) and
TILEmpower-Gx (1U Rack mount).
12 years ago
Victor Julien 16c3487444 Add yaml option to disable vlan ids hashing
In some cases using the vlan id(s) in flow hashing is problematic. Cases
of broken routers have been reported. So this option allows for disabling
the use of vlan id(s) while calculating the flow hash, and in the future
other hashes.

Vlan tracking for flow is enabled by default.
12 years ago
Anoop Saldanha 48cf0585fb Suricata upgrade to libhtp 0.5.x.
Remove the support for now unsupported personalities from libhtp -
TOMCAT_6_0, APACHE and APACHE_2_2.  We instead use the APACHE_2
personality.
12 years ago
Victor Julien 2b5d586dbc TLS: add missing options to shipped yaml. Bug #709. 12 years ago
Victor Julien 6229bfab5e DNS: rename dns.rules to dns-events.rules, include it in yaml 12 years ago
Victor Julien aa449d51ca Stream: use per thread ssn pool
Use per thread pools to store and retrieve SSN's from. Uses PoolThread
API.

Remove max-sessions setting. Pools are set to unlimited, but TCP memcap
limits the amount of sessions.

The prealloc_session settings now applies to each thread, so lowered the
default from 32k to 2k.
13 years ago
Victor Julien 16edbfd4ea DNS: disable logging by default 13 years ago
Victor Julien 8e01cba85d DNS TCP and UDP parser and DNS response logger 13 years ago
Anoop Saldanha 602c91ed41 Minor cosmetic changes to the cuda code.
Moved a couple of functions to more cuda relevant files;
Re-structured some data types.
13 years ago
Anoop Saldanha 17c763f855 Version 1 of AC Cuda. 13 years ago
Florian Westphal 8da02115c9 nfq: add support for batch verdicts
Normally, there is one verdict per packet, i.e., we receive a packet,
process it, and then tell the kernel what to do with that packet (eg.
DROP or ACCEPT).

recv(), packet id x
send verdict v, packet id x
recv(), packet id x+1
send verdict v, packet id x+1
[..]
recv(), packet id x+n
send verdict v, packet id x+n

An alternative is to process several packets from the queue, and then send
a batch-verdict.

recv(), packet id x
recv(), packet id x+1
[..]
recv(), packet id x+n
send batch verdict v, packet id x+n

A batch verdict affects all previous packets (packet_id <= x+n),
we thus only need to remember the last packet_id seen.

Caveats:
- can't modify payload
- verdict is applied to all packets
- nfmark (if set) will be set for all packets
- increases latency (packets remain queued by the kernel
  until batch verdict is sent).

To solve this, we only defer verdict for up to 20 packets and
send pending batch-verdict immediately if:
- no packets are currently queue
- current packet should be dropped
- current packet has different nfmark
- payload of packet was modified

This patch adds a configurable batch verdict support for workers runmode.
The batch verdicts are turned off by default.

Problem is that batch verdicts only work with kernels >= 3.1, i.e.
using newer libnetfilter_queue with an old kernel means non-working
suricata. So the functionnality has to be disabled by default.
13 years ago
Eric Leblond 9b235b3d9e streaming: randomize chunk size
By randomizing chunk size around the choosen value, it is possible
to escape some evasion technics that are using the fact they know
chunk size to split the attack at the correct place.
This patch activates randomization by default and set the random
interval to chunk size value +- 10%.
13 years ago
Victor Julien 4c6463f378 stream: handle extra different SYN/ACK
Until now, when processing the TCP 3 way handshake (3whs), retransmissions
of SYN/ACKs are silently accepted, unless they are different somehow. If
the SEQ or ACK values are different they are considered wrong and events
are set. The stream events rules will match on this.

In some cases, this is wrong. If the client missed the SYN/ACK, the server
may send a different one with a different SEQ. This commit deals with this.

As it is impossible to predict which one the client will accept, each is
added to a list. Then on receiving the final ACK from the 3whs, the list
is checked and the state is updated according to the queued SYN/ACK.
13 years ago
Anoop Saldanha 4e7adec750 Update comment in yaml to indicate size limit for the following vars -
stream.reassembly.toserver-chunk-size and stream.reassembly.toclient-chunk-size
13 years ago
Anoop Saldanha 45ff67a2e0 Enable a conf option to enable/disable legacy keywords.
Currently, uricontent is declared a legacy keyword, and is enabled by default.
13 years ago
Matt Keeler ebccb9ffcd Added host buffer allowance and stream configuration for Napatech 3GD
Added a napatech section in the yaml configuration.
	hba - host buffer allowance
	use-all-streams - whether all streams should be used
	streams - list of stream numbers to use when use-all-streams is no

The source-napatech.* files were modified to support the host buffer allowance configuration.
The runmode-napatech.c file was modified to support both the host buffer allowance configuration and stream configuration

Signed-off-by: Matt Keeler <mk@npulsetech.com>
13 years ago
Eric Leblond 2f0927fe9b pcap: add snaplen YAML variable
This patch introduces 'snaplen' a new YAML variable in the pcap section.
It can be set per-interface to force pcap capture snaplen. If not set
it defaults to interface MTU if MTU can be known via a ioctl call and to
full capture if not.
13 years ago
Eric Leblond e8aa66a44c pcap: add 'promisc' YAML configuration variable
This patch adds a promisc variable to pcap configuration. It is
used to decided if interface is switched to promiscuous mode.
13 years ago
Eric Leblond 1aaa828b63 pcap: set snaplen to MTU if available.
Main objective of this patch is to use a dynamic snaplen to avoid
to truncate packet at the currently fixed snaplen.

It set snaplen to MTU length if the MTU can be retrieved. If not, it
does not set the snaplen which results in using a 65535 snaplen.

libpcap is trying to use mmaped capture and setup the ring by using buffer_size
as the total memory. It also use "rounded" snaplen as frame size. So if we set
snaplen to MTU when available we are optimal regarding the building of the ring.
13 years ago
Jake Gionet bf0ebcbef7 Adding comment in suricata.yaml.in to indicate sensor-id option. 13 years ago
Eric Leblond f59c63c457 pcap: add support for 'default' interface 13 years ago
Eric Leblond feabe6e9a2 pfring: add support for 'default' interface 13 years ago
Eric Leblond 4ae27756b0 af-packet: add support for 'default' interface
This patch adds support for 'default' interface which is used to get
parameter values when per-interface is not defined.
13 years ago
Eric Leblond 20a8b9dbe5 unix-manager: add unix command socket and associated script
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
 * Client connects to the socket
 * It sends a version message: { "version": "$VERSION_ID" }
 * Server answers with { "return": "OK|NOK" }
If server returns OK, the client is now allowed to send command.

The format of command is the following:
 {
   "command": "pcap-file",
   "arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
 }
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer by server is the following:
 {
   "return": "OK|NOK",
   "message": JSON_OBJECT or information string
 }

A simple script is provided and is available under scripts/suricatasc. It
is not intended to be enterprise-grade tool but it is more a proof of
concept/example code.  The first command line argument of suricatasc is
used to specify the socket to connect to.

Configuration of the feature is made in the YAML under the 'unix-command'
section:
  unix-command:
    enabled: yes
    filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.

A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
start a 'pcap-file' running mode which does not really leave at
the end of file but simply exit. The manager is then able to start
a new running mode with a new file.

To start this mode, Suricata must be started with the --unix-socket
 option which has an optional argument which fix the file name of the
socket. The path is not absolute and is relative to the state directory.

THe 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be use for the pcap file treatment.

This requires modification in suricata.c file where initialisation code
is now conditional to the fact 'unix-socket' mode is not used.

Two other commands exists to get info on the remaining tasks:
 * pcap-file-number: return the number of files in the waiting queue
 * pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
 {
  'count': 2,
  'files': ['file1.pcap', 'file2.pcap']
 }
13 years ago
Eric Leblond a9ffd82116 yaml: fix typo 13 years ago
Victor Julien e30b1bfe64 Simple IP reputation implementation 13 years ago
Eric Leblond a1d1abfc05 suricata: add daemon-directory config variable
It is now possible to use the 'daemon-directory' configuration
variable to specify the working directory of suricata in daemon
mode. This will permit to specify the place for core and other
related files.
13 years ago
Eric Leblond fc9e0df33b suricata: add run-as.user and run-as.group yaml var
This patch update the YAML to be able to specify the user or the
group to run Suricata as:
 run-as:
   user: suri
   group: suri
13 years ago
Eric Leblond e744760613 yaml: document the threads setting in pcap section. 13 years ago
Eric Leblond b12967534a stream.inline: add 'auto' mode
stream.inline YAML configuration variable now support the 'auto' value.
In this case, inline mode is activated for IPS running mode (NFQ and
IPFW) and is deactivated for IDS mode. This patch should fix bug #592.
13 years ago
Victor Julien 2763a61213 http: allow configuration of request and response body inspection limits. Issue #560. 13 years ago
Victor Julien bb14cf899b yaml: default to cluster_flow type for AF_PACKET and PF_RING 13 years ago
Victor Julien b6f573d9cb yaml: add addr and port vars commonly used by ET/ETpro 13 years ago
Victor Julien 7a044a99ee Defrag engine
Big rewrite of defrag engine to make it more scalable and fix some
locking logic flaws.

Now uses a hash of trackers similar to Flow and Host hashes.
13 years ago
Eric Leblond 27b5136bf2 af-packet: add optional emergency mode
Flush all waiting packets to be in sync with kernel when drop
occurs. This mode can be activated by setting use-emergency-flush
to yes in the interface configuration.
13 years ago
Eric Leblond 662dccd8a5 af-packet: IPS and TAP feature
This patch adds a new feature to AF_PACKET capture mode. It is now
possible to use AF_PACKET in IPS and TAP mode: all traffic received
on a interface will be forwarded (at the Ethernet level) to an other
interface. To do so, Suricata create a raw socket and sends the receive
packets to a interface designed in the configuration file.

This patch adds two variables to the configuration of af-packet
interface:
 copy-mode: ips or tap
 copy-iface: eth1 #the interface where packet are copied
If copy-mode is set to ips then the packet wth action DROP are not
copied to the destination interface. If copy-mode is set to tap,
all packets are copied to the destination interface.
Any other value of copy-mode results in the feature to be unused.
There is no default interface for copy-iface and the variable has
to be set for the ids or tap mode to work.

For now, this feature depends of the release data system. This
implies you need to activate the ring mode and zero copy. Basically
use-mmap has to be set to yes.

This patch adds a peering of AF_PACKET sockets from the thread on
one interface to the threads on another interface. Peering is
necessary as if we use an other socket the capture socket receives
all emitted packets. This is made using a new AFPPeer structure to
avoid direct interaction between AFPTreadVars.

There is currently a bug in Linux kernel (prior to 3.6) and it is
not possible to use multiple threads.

You need to setup two interfaces with equality on the threads
variable. copy-mode variable must be set on the two interfaces
and use-mmap must be set to activated.

A valid configuration for an IPS using eth0 and vboxnet1 interfaces
will look like:

af-packet:
  - interface: eth0
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: vboxnet1
    buffer-size: 64535
    use-mmap: yes
  - interface: vboxnet1
    threads: 1
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
13 years ago
Eric Leblond 8879df8004 af-packet: improve mmaped running mode.
The mmaped mode was using a too small ring buffer size which was
not able to handle burst of packets coming from the network. This
may explain the important packet loss rate observed by Edward
Fjellskål.
This patch increases the default value and adds a ring-size
variable which can be used to manually tune the value.
13 years ago
pi-rho 0df4c5838d spelling corrections documented in redmine bug#533 13 years ago
Eric Leblond 7e09cdc265 Delay Detect threads initialization
This patch modifies the init of Detect threads. They are now started
with a dummy function and their initialisation is done after the
signatures are loaded. Just after this, the dummy function is switched
to normal one.

In IPS mode, this permit to route packets without waiting for the
signature to start and should fix #488.

Offline mode such as pcap file don't use this mode to be sure to
analyse all packets in the file.

The patch introduces a "delayed-detect" configuration variable
under detect-engine. It can be used to activate the feature
(set to "yes" to have signature loaded after capture is started).
13 years ago
Jean-Paul Roliers c4df7a45ae tls: adding store option for TLS
This patch adds a TLS store option to save certificate in PEM format.
Each time the store action is met, a file and a metafile are created.

Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
Jean-Paul Roliers bf386a396d tls: adding fingerprint to TLS Log information.
Improve TLS logging by adding the certificate fingerprint to TLS Log file.
Add the extending option to the tls-log entry in suricata.yaml.
13 years ago
Jean-Paul Roliers efdf96ccba tls: adding TLS Log support
Creation of the log-tlslog file in order to log tls message.
Need to add some information into suricata.yaml to work.

  - tls-log:
      enabled: yes	# Log TLS connections.
      filename: tls.log # File to store TLS logs.
13 years ago
Ignacio Sanchez b057a20f10 Custom logging feature for log-httplog 13 years ago
Eric Leblond 6475f99bea defrag: Fix description of params
The max-frags params is not what it is.
13 years ago
Eric Leblond b1b4cd2729 defrag: really use 'max-frags' variable.
The 'max-frags' variable was not used and the 'trackers' variable was
not documented. This patch fixes the two issues.
13 years ago
Eric Leblond 2c57275921 nfq: implement "fail-open" support.
On linux >= 3.6, you can use the fail-open option on a NFQ queue
to have the kernel accept the packet if userspace is not able to keep
pace.

Please note that the kernel will not trigger an error if the feature is activated
in userspace libraries but not available in kernel.

This patch implements the option for suricata by adding a nfq.fail-open
configuration variable which is desactivated by default.
13 years ago
Eric Leblond 9e54819121 yaml: suppress old variable in pfring section. 13 years ago
Victor Julien e839cea9e5 Http: don't double decode URI path and query by default. Instead add per server options to enable double decoding for both cases. #464 #504. 13 years ago
Victor Julien a5587fec2e flow: remove unused prune-flows option 13 years ago
Victor Julien 9f3e079bcf Make live reloads optional and disabled by default. 14 years ago
Eric Leblond f2a6fb8a5a af-packet: add support for BPF filter.
This patch adds support for BPF in AF_PACKET running
mode. The command line syntax is the same as the one
used of PF_RING.
The method is the same too: The pcap_compile__nopcap()
function is used to build the BPF filter. It is then
injected into the kernel with a setsockopt() call. If
the adding of the BPF fail, suricata exit.
14 years ago
Victor Julien 4d4671c470 default config: add engine-analysis.rules directive. 14 years ago
Victor Julien ba4613aef1 Add host section to stock yaml. 14 years ago
Victor Julien 8d1fe9f2fa Make 'autofp' the default runmode. Increase default max-pending-packets to 1024. Move some advanced and uncommonly changed settings down in the stock suricata.yaml. Closes #433. 14 years ago
Victor Julien 40ed10ab38 Minor flowq updates. 14 years ago
Anoop Saldanha 7115fa3e72 Introduce the address hash based flow q handler 14 years ago
Anoop Saldanha 5ffb050ada Adapt flow tmqh counters to be atomic vars. Remove support for active flows q handler. Introduce SC_ATOMIC_SET 14 years ago
Anoop Saldanha 4e417b72b5 support flow q handler schedulers active_flows and active_packets. Support new yaml option autofp_scheduler. Support for printing q handler stats as well 14 years ago
Victor Julien d908e707d7 profiling: add per lock location profiling
Add profiling per lock location in the code. Accounts how often a
lock is requested, how often it was contended, the max number of
ticks spent waiting for it, avg number of ticks waiting for it and
the total ticks for that location.

Added a new configure flag --enable-profiling-locks to enable this
feature.
14 years ago
Nikolay Denev 0fc878b391 Consistently use dashes instead of underscores in the sample config file. 14 years ago
Nikolay Denev a67d78eda6 Consistently use dashes instead of underscores in the sample config file. 14 years ago
Victor Julien 2197f1a625 file-inspection: split 'file' output module into file-store and file-log. Store stores files. Log logs json records. 14 years ago
Eric Leblond 49b7b00fcf af-packet: mmap support
This patch adds mmap support for af-packet. Suricata now makes
use of the ring buffer feature of AF_PACKET if 'use-mmap' variable
is set to yes on an interface.
14 years ago
Eric Leblond 4c3f0b258e del rules file deleted 14 years ago
Eric Leblond 25804f5aa8 Add install-conf command to build system.
This patch adds support for customisation of suricata.yaml and
automatic download of emerging threat GPL rules. By running
'make install-full' after 'make install', files necessary to run
suricata are copied in the configuration directory and the latest
ruleset is downloaded and installed. Suricata can then be run
without files edition.
This patch has a special treatment for the windows build which
requires some different paths.
suricata.yaml is also updated to load all rules files provided by
emergingthreat ruleset.
14 years ago