Commit Graph

5086 Commits (2646edc129c7e6a6f9c820c9ecc01ce450e09a58)
 

Author SHA1 Message Date
Victor Julien 8252416c10 proto-detect: update port logic
If a flow matches both an 'sp' based PP registration and a 'dp' based,
until now we would only check the 'dp' one. This patch changes that. It
will inspect both.
12 years ago
Victor Julien eae5b1ba35 app-layer: proto detection update
Instead of the notion of toserver and toclient protocol detection, use
destination port and source port.

Independent of the data direction, the flow's port settings will be used
to find the correct probing parser, where we first try the dest port,
and if that fails the source port.

Update the configuration file format, where toserver is replaced by 'dp'
and toclient by 'sp'. Toserver is intrepreted as 'dp' and toclient as
'sp' for backwards compatibility.

Example for dns:

    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53

Like before, progress of protocol detection is tracked per flow direction.

Bug #1142.
12 years ago
Victor Julien 7b0f1e9512 stream: improve retransmission handling
When connection are closing, don't reject retransmissions of data
packets.

Bug #1180.
12 years ago
Victor Julien 96adcf6829 refactor IDS/IPS engine mode logic
Instead of error phrone externs with macro's, use functions with a local
static enum var instead.

- EngineModeIsIPS(): in IPS mode
- EngineModeIsIDS(): in IDS mode

To set the modes:

- EngineModeSetIDS(): IDS mode (default)
- EngineModeSetIPS(): IPS mode

Bug #1177.
12 years ago
Ken Steele 354a24e2ef Fix unaligned load in AC-TILE MPM.
The SLOAD define using __insn_ld2s_L2 is used to provide a compiler
hint that the load will come from the L2 cache instead of the L1. It
also specifies that it is a 2 byte signed load. For the Tiny MPM, that
needs to be a 1-byte load, which is what is specified in util-ac-mpm-tile.c,
but the #undef was removing that definition.
12 years ago
Victor Julien fc559ce227 detect: fix alstate handling
Previously, the alstate use in the main detect loop was unsafe. The
alstate pointer would be set duing a lock, but it would again be used
after one or more lock/unlock cycles. If the data pointed to would
disappear, a dangling pointer would be the result.

Due to they way flows are cleaned up using reference counting and
such, changes of this happening were very small. However, at least
one path can lead to this situation. So it had to be fixed.
12 years ago
Victor Julien b6e2a6f525 detect: locking update continued
Make DeStateDetectContinueDetection get it's own alstate pointer instead
of using the one that was passed to it. We now get and use it only
inside a flow lock.
12 years ago
Victor Julien cf31e2cc74 detect: locking update
Make DeStateDetectStartDetection get it's own alstate pointer instead
of using the one that was passed to it. We now get and use it only
inside a flow lock.
12 years ago
Victor Julien 5e1bc99e5b detect: cleanup
Remove unused alstate and app layer flags arguments from
DetectEngineInspectPacketPayload()
12 years ago
Victor Julien 6e0112d737 detect: modify AMATCH locking
This is an intrusive change. This patch modifies the way AMATCH
inspection uses locking.

So far, each keyword did it's own locking. This lead to a situation
where a 'alstate' pointer was passed around that was not always
protected by a lock.

This patch moves the locking to the Stateful detection functions.
12 years ago
Eric Leblond 43b6cbd4bc af-packet: fix error handling
Only exit from synchronization loop on poll error and not in case
of a timeout.
12 years ago
Eric Leblond 6e77c4d1b4 util-ioctl: only get MTU when iface name is set
This patch fixes a warning message when suricata is started without
giving an interface name on the command line. The code was trying
to get the MTU even if pcap_dev was not set.
12 years ago
Victor Julien 79c924af8c Fix 2 compiler warnings
FreeBSD 10 32-bit with clang 3.3:

log-tlslog.c:172:14: error: format specifies type 'long' but the argument has type 'time_t' (aka 'int') [-Werror,-Wformat]
             p->ts.tv_sec,
             ^~~~~~~~~~~~
1 error generated.

detect-engine-payload.c:508:27: warning: format specifies type 'long' but the argument has type 'time_t' (aka 'int') [-Wformat]
    printf("%ld.%06ld\n", tv_diff.tv_sec, (long int)tv_diff.tv_usec);
            ~~~           ^~~~~~~~~~~~~~
            %d
1 warning generated.
12 years ago
Victor Julien 26778b8703 output-api: cleanup handling
Add output 'free list' that contains all the output ctx' that need
cleanup at shutdown. It differs from the runmode output list in that
it will also contain a 'parent' for the submodules that share the
context of it's parent.
12 years ago
Victor Julien c27304451e output api: complete shutdown functions
Add missing function for Filedata API. Clean up list in all functions.
12 years ago
Victor Julien b2d29a85e9 tls-json: add cleanup function
Properly clean up output context when shutting down.
12 years ago
Victor Julien 34069054ce drop-json: fix cleanup
Use proper function for sub-module cleanup. LogFileCtx is not managed
by the sub-module, so don't clean it.
12 years ago
Victor Julien bc1c06b9e4 eve-log: fix mem leak at shutdown
Make sure we free all memory in the shutdown function.
12 years ago
Victor Julien 90c4834709 ssh-json: add clean up functions
Add clean up functions for the SSH json logger.
12 years ago
Victor Julien 3a6be9772f http-json: add missing cleanup functions
Add cleanup functions.
12 years ago
Victor Julien 7ffd227133 file-json: cleanup at shutdown
Fix a memory leak at shutdown. Module didn't have a cleanup function.
12 years ago
Victor Julien 7ee3b456a3 dns-json: fix cleanup
Use specialized cleanup function for sub-module case. Freeing the
LogFileCtx is not the responsibility of a sub-module.
12 years ago
Victor Julien 1f2310bb34 alert-json: fix cleanup
Call specialized clean up function when running as a sub-module.
12 years ago
Victor Julien f62185c207 log-tls: run Disable at shutdown
Call OutputTlsLoggerDisable at cleanup.
12 years ago
Victor Julien f96a54535c drop loggers: call disable func
Call OutputDropLoggerDisable() on cleanup.
12 years ago
Victor Julien 9df045d086 output: add Disable funcs to mirror Enable
For the loggers that we allow only one instance for: tls, ssh, drop, we
track active loggers through Output*Enable functions. Add Disable
functions to mirror this. They are to be called from the shutdown funcs
those loggers use.
12 years ago
Victor Julien 4a104ae315 unified2: fix memory leak at shutdown
Module didn't properly free output context at shutdown. Led to a leak
in Unix Socket mode.
12 years ago
Eric Leblond 9961520316 output: clean file desc at exit.
This is a beginning of implementation for bug #1660:
 https://redmine.openinfosecfoundation.org/issues/1160

This patch adds a cleaning function for each logger of new type
(packet, tx and file). These functions are called in RunModeShutDown().

The state of this patch is that it is crashing suricata when sending
pcap to analyse:
 - At first pcap if tx and file cleaning function are called
 - At second pcap if only packet cleaning function is called

The cause in first case is unknown. In second case this is due to
the necessity of cleaning the list of logger registered to a logging
type.
12 years ago
Pierre Chifflier d476c654ee TLS: add detection for malicious heartbeats (AKA heartbleed)
The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not
check the payload length correctly, resulting in a copy of at most 64k
of memory from the server (ref: CVE-2014-0160).
This patch adds support for decoding heartbeat messages (if not
encrypted), and checking several parts (type, length and padding).
When an anomaly is detected, a TLS event is raised.
12 years ago
Victor Julien ab503873ca erf-file: clean up decode thread local storage
Clean up the thread local data the decode portion of ERF users.

Bug #978
12 years ago
Victor Julien 6da8652a77 endace-dag: clean up decode thread local storage
Clean up the thread local data the decode portion of DAG uses.

Bug #978
12 years ago
Victor Julien 09ebbe08df mpipe: clean up decode thread local storage
Clean up the thread local data the decode portion of mpipe uses.

Bug #978
12 years ago
Victor Julien 8c16fede08 ipfw: clean up decode thread local storage
Clean up the thread local data the decode portion of ipfw uses.

Bug #978
12 years ago
Victor Julien 10c791c937 napatech: clean up decode thread local storage
Clean up the thread local data the decode portion of napatech uses.

Bug #978
12 years ago
Victor Julien c3e193e786 pcap: clean up decode thread local storage
Clean up the thread local data the decode portion of pcap uses.

Bug #978
12 years ago
Victor Julien 900fc6fdc7 pfring: clean up decode thread local storage
Clean up the thread local data the decode portion of pfring uses.

Bug #978
12 years ago
Victor Julien a8b1af3369 nfq: clean up decode thread local storage
Clean up the thread local data the decode portion of nfq uses.

Bug #978
12 years ago
Victor Julien 2864f9eef9 af-packet: clean up decode thread local storage
Clean up the thread local data of the decode part of afpacket.

Bug #978
12 years ago
Victor Julien c8d2a1e417 drmemory: remove bug 978 suppression
Bug is fixed, so suppression is no longer needed.

Bug #978.
12 years ago
Victor Julien bb2e9af40f pcap-file: clean up decode thread local storage
Clean up the thread local data the decode portion of pcap-file use.

Bug #978.
12 years ago
Victor Julien d26ceb2356 decode: introduce DecodeThreadVarsFree
As a mirror of DecodeThreadVarsAlloc, DecodeThreadVarsFree is used
to free the memory that DecodeThreadVarsAlloc alloc'd, including
AppLayer storage.
12 years ago
Victor Julien 552558894c app-layer: cleanups
Clean up AppLayerParserThreadCtxAlloc and AppLayerParserThreadCtxFree.
Both used confusing variables in loops, with the wrong types.
12 years ago
Jason Ish 7e268bd4d4 Force pidfile creation of --pidfile.
A pidfile can be useful when not in daemon mode, for example
when running under a process supervisor.
12 years ago
Tom DeCanio 4085f08602 json: somewhere along the way IP/port pairs had gotten swapped in
http and ssh eve logs
12 years ago
Ken Steele 0011e01e05 Change configure to allow statically linking libpcre.
Statically linking libpcre requires using -lpthread, which is added
when building Suricata, but not while checking for libpcre in configure.
12 years ago
Victor Julien b9227ad20c tls: no event on 'new session ticket' in handshake
Don't set an event on encountering a 'new session ticket' (4) record
in the TLS handshake.
12 years ago
Victor Julien 1195f882b9 ipv6: add support for PAD1
Support PAD1 in IPv6 HOP options header and DST options header.
12 years ago
Victor Julien 7539372db7 icmpv6: add multicast types
Only add them to check if the code is 0 and to make sure the default
case doesn't set an 'unknown type' event.
12 years ago
Victor Julien eb3a9d3076 TLS: register patterns for tls-alerts
Register patterns for when server has an alert as the first message.
12 years ago
Victor Julien a96446d39e detect state: fix indent
AMATCH block was indented too far.
12 years ago