aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
3,229 Commits
10 Branches
154 Tags
165 MiB
dependabot/github_actions/actions/checkout-4.2.1
dependabot/github_actions/github/codeql-action-3.26.12
dependabot/github_actions/actions/upload-artifact-4.4.3
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f08fc8d7c5'
${ noResults }
Commit Graph

3229 Commits (f08fc8d7c57cf8248dbd4842601ac2f1dfee1c10)
 

Author SHA1 Message Date
Victor Julien fbbdbb251f flow engine: remove unneeded 'need_srclock' argument for FlowRequeue 13 years ago
Victor Julien 0331da9773 flow engine: introduce FlowRequeueMoveToSpare 
As part of a clean up of how FlowRequeue is used, introduce
FlowRequeueMoveToSpare for moving a flow from a locked queue to the
spare queue.
 13 years ago
Victor Julien 7fa3df33f2 flow engine: introduce FlowRequeueMoveToBot 
As part of a clean up of how FlowRequeue is used, introduce
FlowRequeueMoveToBot for moving a flow to the bottom of it's queue.
 13 years ago
Victor Julien ae1e4c1d7d Add missing hash row unlock. 13 years ago
Victor Julien f47f601f09 Fix unified2 setting the wrong eth_type. 13 years ago
Eric Leblond 9422a36851 unified2: avoid to log RAW packet 
If the packet datalink is ethernet, we add a fake ethernet
header to stream logging to avoid that barnyard2 create
different files.
 13 years ago
Eric Leblond fc56abfcd0 unified2: log an ethernet header for stream alert. 
If packet is a of type ethernet, we log the alert reconstructed
payload as an ethernet packet and not a raw packet. This will avoid
to confuse barnyard2 pcap output.
 13 years ago
Victor Julien 49d6885ec7 Improve debug validation code for packet, add new macro for flow. 13 years ago
Victor Julien 3009429e3c HTTP transaction handling improvement 
In some cases AppLayerTransactionGetInspectId can return -1, which is
now handled by all it's callers.

Improve logic of selecting which transactions are inspected by the various
HTTP keywords.
 13 years ago
Eileen Donlon dbdf2d888f Enable/disable core dump in config (feature 319) 13 years ago
Victor Julien 7b0f261fdc Add some debug statements for debugging a smtp issue. 13 years ago
Victor Julien 004b5dde88 Support libhtp's different handling of CONNECT requests. 13 years ago
Victor Julien 117d51c965 Fix a compile warning when debug is enabled. 13 years ago
Victor Julien 1df3304655 Clean up for unittests code: only compile unittest api code when unittests are enabled. Fix unittest code that wasn't wrapped in the proper UNITTESTS ifdefs. 13 years ago
Victor Julien a138b32533 flow manager: timing change 
Set default timeout for the flow manager to wake up to 1 second. The 0.4 sec
performed best on a Xeon, but in kvm vm's it was horrible:

32 bit vm: 60% cpu for flowmgr when idle.
64 bit vm: 30% cpu for flowmgr when idle.

With the 1 second timeout both are at 0.3% cpu.
 13 years ago
Victor Julien 786148319c Lower flow manager wake up timer to 0.4 seconds as that performs 2% better in my tests. 13 years ago
Anoop Saldanha 776bf633e3 flow manager code cleanup. Remove unused code + fix indentation. Remove unused vars 13 years ago
Anoop Saldanha 5133098bd6 Accomodate pcap-file mode to signal flow mgr to wakeup when it exceeds a certain time interval. This let's the flow mgr keep in sync with pcap timestamp changes 13 years ago
Anoop Saldanha 9917744707 separate timers for flow mgr thread for normal and emerg mode. Signal flow mgr thread when in emerg mode 13 years ago
Eric Leblond 5a63662766 Flow: use condition system instead of short sleep 
Short sleep can lead to some really annoying performance issue in
some environnement like virtual systems. This technic was used in
the flow manager. This patch uses an alternate approach based on
a timed condition which is triggered each time a new flow has to
be created. This avoid to run out of flow. A counter is also done
to be able not to run the cleaning code at each new flow.
 13 years ago
Victor Julien 34450b9b57 Don't parse layers / ext headers above ipv6 frag header. This is taken care of by defrag. 13 years ago
Victor Julien 938e9b3db0 Fix filestore related segv. 13 years ago
Victor Julien e6d8d0443c Unify output functions for alert-debug for IPv4 and IPv6. 13 years ago
Victor Julien 3c7f09d1ea Add debug output to engine event. 13 years ago
Victor Julien fd4e1460cf Add checksum validation rules to decoder events rules. 13 years ago
Victor Julien e6af837b25 Convert StreamTcpSetEvent function into macro. Eases debug. 13 years ago
Victor Julien 58011554b0 Don't consider payload len in ACK value validation check. 13 years ago
Victor Julien 9878eca086 file handling: expand filestore keyword 
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.

The filestore keyword now takes 2 optional options:

filestore:<direction>,<scope>;

By default the direction is "same as rule match", and scope is "currently
inspected file".

For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".

For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.

For the above case, where a suspious request should lead to a response file
download, this would work:

alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
 13 years ago
Victor Julien ddfa5c49c6 Stream engine: gap handling 
Set a stream event for stream gaps.
Add a (disabled by default) signature to the stream-event.rules.
 13 years ago
Victor Julien 45d86ff58a Stream reassembly / app layer: disable gap errors 
Gap errors on the app layer are now silently handled. No longer printed
to the screen.
 13 years ago
Victor Julien 425294f912 stream reassembly: account stream gaps 
Add counter to the stream reassembly engine to count stream gaps. Stream gaps
are the result of missing packets (usually due to packet loss). This missing
data stops the reassembly for the app layer.
 13 years ago
Victor Julien d8d8fdd9f5 Improve handling of packets when stream is in the fin_wait1 or fin_wait2 state. 13 years ago
Victor Julien b74c73309b file handling: improve filestore keyword handling 
In stateful detection only inspect the file portion of the rule after all
other conditions matched. This to prevent "filestore" from tagging files
for storage during a partial match.

Add a couple of unittests to test the behaviour change.
 13 years ago
Victor Julien 4cbe7519fa Add missing file util code. 13 years ago
Victor Julien a556338936 Add magic-file example to suricta.yaml. 13 years ago
Victor Julien 56b96363b8 Fix merge artefact. 13 years ago
Victor Julien 63c9a3ab85 Remove duplicate include. 13 years ago
Victor Julien b3e1679321 file handling: add example files.rules file 
Adding a rule file with various examples for using the fileext, filename,
filemagic and filestore keywords.
 13 years ago
Victor Julien 53df3982a1 Update suricata.yaml for file extraction. 13 years ago
Victor Julien 042fd850fc Make sure we check the sgh for no magic and no store once per flow direction. 13 years ago
Victor Julien f3fbc1a44c file handling: filemagic matching improvement 
Magic buffer is a null terminated string. Allow matching on the final
\0 using filemagic:"somevalue|00|"; so we can anchor to the end of the
buffer.
 13 years ago
Victor Julien 2ccd35c6e4 Fix code after rebase. 13 years ago
Victor Julien 33848124d1 Fix a multipart body parsing issue. 13 years ago
Victor Julien 96d20098b0 file inspect: stateful inspection split 
Split stateful detection of the files in a HTTP state between toserver
and toclient inspection.
 13 years ago
Victor Julien d59ca75e46 file extract: split toserver and toclient tracking 
Split toserver and toclient file tracking for the http state.
 13 years ago
Victor Julien 04ea70ccf7 file extract: pruning 
Add pruning of files in memory so we keep only memory what we really need.
Fix magic logic.
Reset file part of the de_state on receiving another file in the same tx.
 13 years ago
Victor Julien 1c934acc85 Don't store fd per file (too many fd's). Enable IPv6 storing. Close file on receiving stream end flag. 13 years ago
Victor Julien b402d97179 File carving -- enable reponse file extraction 
- Enable response body tracking
- Enable file extraction for responses
- File store meta file includes magic, close reason.
- Option to force magic lookup for all stored files.
- Fix libmagic calls thead safety.
 13 years ago
Victor Julien 66a3cd96a8 Prepare HTTP response body tracking. 13 years ago
Victor Julien 417495e542 file-extraction: remove no longer used files. 13 years ago