aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,442 Commits
8 Branches
165 Tags
229 MiB
main
main-7.0.x
main-8.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '059b25b564'
${ noResults }
Commit Graph

6738 Commits (059b25b56474ffe3cc0f1811056a99ef321c75cb)

Author SHA1 Message Date
Victor Julien f867bb61e6 http: fix memory leak in error path 9 years ago
Victor Julien 40af9aad02 streaming: improve error handling 
When memory allocations happened in HTTP body and general file
tracking, malloc/realloc errors (most likely in the form of memcap
reached conditions) could lead to an endless loop in the buffer
grow logic.

This patch implements proper error handling for all Append/Insert
functions for the streaming API, and it explicitly enables compiler
warnings if the results are ignored.
 9 years ago
Victor Julien 879c3d8ad7 detect: fix scan-build 0-size alloc warnings 9 years ago
Jason Ish 09c3e1dd8a pcap-log: cleanup allocations at exit 
Particularly in multi-mode, allocations made for each thread were
not being cleaned.

ASAN reports no leaks now on exit.
 9 years ago
Victor Julien f80ce51ddf unix-socket: don't try to change permissions on BSD 
On BSD using fchmod on a socket is not supported and will result
in EINVAL.
 9 years ago
Victor Julien 96c28b2995 bug 1353: don't cut off last char of unix path 9 years ago
Victor Julien 4a190e07a6 pcre: disable JIT if RWX pages not supported 9 years ago
Victor Julien 46f5f4cff8 util: add facility to check for RWX page support 
Some code won't work well when the OS doesn't allow RWX pages. This
page introduces a check for runtime evaluation of the OS' policy on
this.

Thanks to Shawn Webb from HardenedBSD for suggesting this solution.
 9 years ago
Victor Julien a3a1757472 flow-mgr: fix bypass counter registration 9 years ago
Victor Julien 595c20ddf4 der: fix asan/valgrind errors in time parsing 9 years ago
Victor Julien 7e4df3a1d1 tls-validity: fix memory handling 9 years ago
Mats Klepsland 10d827639e detect-tls-cert-validity: clean up unit tests 
Remove locks, unnecessary function calls and conditional statements.
 9 years ago
Mats Klepsland 1fea52dd8a detect: add keyword tls_cert_valid 
Add keyword to check if TLS certificate is valid.
 9 years ago
Mats Klepsland f7e0083269 detect-cert-validity: fix typos 9 years ago
Mats Klepsland f22c9d9781 detect: add keyword tls_cert_expired 
Add keyword to check if TLS certificate is expired.
 9 years ago
Mats Klepsland 07d2312d96 detect-tls-validity: use flags for modes 
Use flags for modes to support using multiple modes at the same time.
 9 years ago
Giuseppe Longo 3f214b506a file-store: add depth setting 
When a rules match and fired filestore we may want
to increase the stream reassembly depth for this specific.

This add the 'depth' setting in file-store config,
which permits to specify how much data we want to reassemble
into a stream.
 9 years ago
Giuseppe Longo 4751677e24 app-layer: use StreamTcpSetReassemblyDepth 
This calls StreamTcpSetReassemblyDepth to set the stream depth
specified for the protocol.
 9 years ago
Giuseppe Longo 9ab1194f68 modbus: set stream depth 
Some protocol like modbus requires
a infinite stream depth because session
are kept open and we want to analyze everything.

Since we have a stream reassembly depth per stream,
we can also set a stream reassembly depth per proto.
 9 years ago
Giuseppe Longo b160c49e9e app-layer-parser: add stream depth 
This permits to set a stream depth value for each
app-layer.

By default, the stream depth specified for tcp is set,
then it's possible to specify a own value into the app-layer
module with a proper API.
 9 years ago
Eric Leblond a63c6b320e stream: per TcpStream reassembly depth 9 years ago
Victor Julien 960ebb2822 enip: fix scan-build warnings 
detect-cipservice.c:161:29: warning: Assigned value is garbage or undefined
    cipserviced->cipservice = input[0];
                            ^ ~~~~~~~~
detect-cipservice.c:162:27: warning: Assigned value is garbage or undefined
    cipserviced->cipclass = input[1];
                          ^ ~~~~~~~~
detect-cipservice.c:163:31: warning: Assigned value is garbage or undefined
    cipserviced->cipattribute = input[2];
                              ^ ~~~~~~~~
3 warnings generated.
 9 years ago
Victor Julien 80c3aedbfc enip: parsing and tests cleanup 9 years ago
Victor Julien 72b5da4313 enip/cip: improve output & style 
Remove printf, remove \n from SCLogDebug. Add SCLogError for
rule parsing issues.

Fix various style issues
 9 years ago
Victor Julien 6b1c21b115 enip/cip: register inspect engines 9 years ago
kwong a3ffebd835 Adding SCADA EtherNet/IP and CIP protocol support 
Add support for the ENIP/CIP Industrial protocol

This is an app layer implementation which uses the "enip" protocol
and "cip_service" and "enip_command" keywords

Implements AFL entry points
 9 years ago
Victor Julien d9811e58b6 http_header: don't separately inspect trailer yet 
Currently the regular 'Header' inspection code will run each time
after the HTTP progress moved beyond 'headers'. This will include
the trailers if there are any.

Leave the code in place as this model will change in the not too
distant future.
 9 years ago
Victor Julien 358eacf14f http_header: only run trailer mpm if we have trailers 9 years ago
Victor Julien 44022743f2 http: track if request/response have trailers 9 years ago
Victor Julien 798ba010ca prefilter: use array of engines per sgh 
Instead of the linked list of engines setup an array
with the engines. This should provide better locality.

Also shrink the engine structure so that we can fit
2 on a cacheline.

Remove the FreeFunc from the runtime engines. Engines
now have a 'gid' (global id) that can be used to look
up the registered Free function.
 9 years ago
Victor Julien 8321f04ef3 prefilter: clean up setup code 9 years ago
Victor Julien d36c0c15ea detect: reshuffle keyword registration order 
The order of keyword registration currently affects inspect engine
registration order and ultimately the order of inspect engines per
rule. Which in turn affects state keeping.

This patch makes sure the ordering is the same as with older
releases.
 9 years ago
Victor Julien 58ac4027ef detect: clean up inspect engine registration 9 years ago
Victor Julien a24870f29f detect app-layer-event: clean up registration 
Move engine and registration into the keyword file.

Register as 'ALPROTO_UNKNOWN' instead of per alproto. The
registration will only apply it to those rules that have
events set.
 9 years ago
Victor Julien 9e35fa7f41 detect: remove empty app registration table 9 years ago
Victor Julien 8a0bea872c template_buffer: register inspect engine from keyword 9 years ago
Victor Julien 6f253e1ea7 file detect: register inspect engines from keyword 9 years ago
Victor Julien 08d0fe0916 modbus detect: register inspect engine from keyword 9 years ago
Victor Julien 2db094ab7a dns detect: register inspect engine from keyword 9 years ago
Victor Julien c9bb762f64 tls_cert_issuer: register inspect engine from keyword 9 years ago
Victor Julien e28e98bcaa tls_cert_subject: register inspect engine from keyword 9 years ago
Victor Julien a87c196b60 tls_sni: register inspect engine from keyword 9 years ago
Victor Julien 200a4c1593 http_stat_code: register inspect engine from keyword 9 years ago
Victor Julien cd705752db http_stat_msg: register inspect engine from keyword 9 years ago
Victor Julien 20e93ba419 file_data: register inspect engine from keyword 9 years ago
Victor Julien 0496b3f6a5 http_raw_host: register inspect engine from keyword 9 years ago
Victor Julien a00629ab55 http_host: register inspect engine from keyword 9 years ago
Victor Julien edb2936998 http_user_agent: register inspect engine from keyword 9 years ago
Victor Julien fc857c5455 http_raw_uri: register inspect engine from keyword 9 years ago
Victor Julien b1adea6eee http_cookie: register inspect engine from keyword 9 years ago
Victor Julien cd8b1b0b4c http_method: register inspect engine from keyword 9 years ago
Victor Julien b314829614 http_raw_header: register inspect engine from keyword 9 years ago
Victor Julien eb19eb3fe4 http_header: register inspect engine from keyword 9 years ago
Victor Julien 4096f76b1b http_client_body: register inspect engine from keyword 9 years ago
Victor Julien b96c2c5db5 http_uri: register inspect engine from keyword 9 years ago
Victor Julien cc96fedb90 http_response_line: register inspect engine from keyword 9 years ago
Victor Julien 0feeb8d538 http_request_line: register inspect engine from keyword 9 years ago
Victor Julien 5bde86b0e8 detect-engine: new registration call 
Make it more in line with MPM registration.
 9 years ago
Victor Julien 9a0bbd6239 detect mpm: small optimization 9 years ago
Victor Julien ad3c97f470 detect-mpm: cleanup 9 years ago
Victor Julien 5f994756e6 detect-engine: improved inspect engines 
Inspect engines are called per signature per sigmatch list. Most
wrap around DetectEngineContentInspection, but it's more generic.

Until now, the inspect engines were setup in a large per ipproto,
per alproto, per direction table. For stateful inspection each
engine needed a global flag.

This approach had a number of issues:
1. inefficient: each inspection round walked the table and then
   checked if the inspect engine was even needed for the current
   rule.
2. clumsy registration with global flag registration.
3. global flag space was approaching the need for 64 bits
4. duplicate registration for alprotos supporting both TCP and
   TCP (DNS).

This patch introduces a new approach.

First, it does away with the per ipproto engines. This wasn't used.

Second, it adds a per signature list of inspect engine containing
only those engines that actually apply to the rule.

Third, it gets rid of the global flags and replaces it with flags
assigned per rule per engine.
 9 years ago
Victor Julien bac37fc9ae detect state: reorganize flags 
List the common non-buffer specific flags on top.
 9 years ago
Victor Julien f1e3840516 http_response_body: implement keyword with mpm 
Implemented as 'stickybuffer'.
 9 years ago
Victor Julien 4c98b6cef3 http_request_line: implement keyword and mpm 
Implemented as 'stickybuffer'.

Move all logic into the keyword file and remove bad tests that tested
URI instead of request line.
 9 years ago
Victor Julien 960461f4db fast_pattern: register app layer mpms automatically 
Allow for duplicate registrations for the same list. After the first
registration new calls will be ignored.
 9 years ago
Victor Julien 6dd4dff7b2 mpm: remove empty app_mpms table 9 years ago
Victor Julien e68b2214e5 tls: register mpm from keywords 9 years ago
Victor Julien 57ae3c43e5 dns_query: register mpm from keyword 9 years ago
Victor Julien a1a2187a0c http_cookie: register mpm from keyword 9 years ago
Victor Julien 74661449e0 http_raw_host: register mpm from keyword 9 years ago
Victor Julien b5cd4889ae http_host: register mpm from keyword 9 years ago
Victor Julien 91695c81aa http_client_body: register mpm from keyword 9 years ago
Victor Julien 644d4dc61b http_stat_code: register mpm from keyword 9 years ago
Victor Julien cf96db095a http_stat_msg: register mpm from keyword 9 years ago
Victor Julien 43b281a510 file_data: register mpm from keyword 9 years ago
Victor Julien 6d0632a9c6 http_method: register mpm from keyword 9 years ago
Victor Julien e4ea38a8de http_raw_header: register mpm from keyword 9 years ago
Victor Julien 7813a834d0 http_user_agent: register mpm from keyword 9 years ago
Victor Julien 7b98c0073f http_header: register mpm from keyword 9 years ago
Victor Julien 38e018e2d3 http_raw_uri: register mpm from keyword 9 years ago
Victor Julien 7289d12f1b http_uri: register mpm from keyword 9 years ago
Victor Julien 5b2e36a1b0 mpm: add App Layer MPM registery 
Register keywords globally at start up.

Create a map of the registery per detection engine. This we need because
the sgh_mpm_context value is set per detect engine.

Remove APP_MPMS_MAX.
 9 years ago
Victor Julien ae5846b4de detect: simplify content inspection types 
Instead of a type per buffer type, pass just 3 possible types:
packet, stream, state.

The individual types weren't used. State is just there to be
not packet and not stream.
 9 years ago
Victor Julien e1eb481647 prefilter: cleanup and optimization 9 years ago
Victor Julien dba14b676c profiling: more prefilter profiling 9 years ago
Victor Julien 125603871b detect: config opt to enable keyword prefilters 9 years ago
Victor Julien 36f713c8d4 prefilter: in profiling print totals 9 years ago
Victor Julien 2e878c2024 prefilter: alloc CLS aligned memory 9 years ago
Victor Julien 732921922a detect mpm: consider sgh direction when adding rules 9 years ago
Victor Julien 9bb12ccb27 prefilter: move payload engines into separate list 9 years ago
Victor Julien e3b98d5bbf detect-ack: extra match support 9 years ago
Victor Julien a41bf2ae14 detect-seq: extra match support 9 years ago
Victor Julien a1accbbaf0 detect-ttl: extra match support 9 years ago
Victor Julien a270dfa008 detect-id: extra match support 9 years ago
Victor Julien fbb0490c31 detect-dsize: extra match support 9 years ago
Victor Julien 34e3484dad detect-flags: prefilter extra match support 9 years ago
Victor Julien ace8f9f5df detect-flow: prefilter extra match support 9 years ago
Victor Julien e2eb9f8ede prefilter: add 'extra match' logic to packet engines 
Many of the packet engines are very generic. Rules are generally more
limited.

A rule like 'alert tcp any any -> any 888 (flags:S; sid:1;)' would still
be inspected against every SYN packet in most cases (it depends a bit on
rule grouping though).

This extra match logic adds an additional check to these packet engines.
It can add a check based on alproto, source port and dest port. It uses
only one of these 3. Priority order is src port > alproto > dst port.

For the ports only 'single' ports are used at this time.
 9 years ago
Victor Julien 9187c20782 detect mpm: negated setup fix 9 years ago
Victor Julien 5537e25f38 detect-icmp-id: prefilter 9 years ago