Commit Graph

4017 Commits (2953b3f6403e94874c0c7b19faf52706cff66138)

Author SHA1 Message Date
Victor Julien 2f4e11b1ca Fix compiler warning
app-layer-parser.c: In function ‘AppLayerPPTestData’:
app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable]
     int dir = 0;
         ^
12 years ago
Ken Steele 85a51638c9 Improve Signature sorting speed
Changed the signature sorting code to use a single merge sort instead
of the multiple pass sorting that was being used. This reduces startup
time on Tile by a factor of 3.

Also replace the user array of pointers to ints with a simpler array of
ints.
12 years ago
Victor Julien 5c08b2296f DNS: copy only the length of the hardcoded string, not the length of the destination buffer. 12 years ago
Anoop Saldanha 57ed5dfd32 Fix return value from DetectProtoParse() which is used by probing
parser.
12 years ago
Anoop Saldanha ac65784cbc Fix coverity scan defect #1099714.
Sending back uninitialized variable in DetectParseProto().
12 years ago
Anoop Saldanha e383cc27cd Fix a leak in probing parsers. We were freeing just the head of the list,
instead of all the members.
12 years ago
Anoop Saldanha 980934d670 Fix a leak in app layer parser proto code. Free the proto signatures
allocated internally for PM parser.
12 years ago
Anoop Saldanha fc82614025 Fix mem leak in b2g. 12 years ago
Anoop Saldanha 06db1e4cb8 Remove unused vars alp_content_module_handle and proto_map from
struct AlpProtoDetectCtx.
12 years ago
Anoop Saldanha 558f5705eb Remove the unused flow flags - FLOW_TS_PM_PP_ALPROTO_DETECT_DONE and
FLOW_TC_PM_PP_ALPROTO_DETECT_DONE.
12 years ago
Anoop Saldanha 36220b689b Reset some flow flags when port numbers are re-used and we re-use the
flow as a part of a new session.
12 years ago
Anoop Saldanha af1df7a89d Remove the smtp parser restriction that it accepts data only in the to-client
direction first.
12 years ago
Anoop Saldanha 3ec411486e Fix compilation failure when we don't enable unittests. Got to #ifdef
ALPROTO_TEST.
12 years ago
Anoop Saldanha d76a5bedbc Update stream inline to use the improved app proto detection. 12 years ago
Anoop Saldanha 96d1ba9106 Cosmetic changes to app parser struct.
Removed a flag parameter introduced earlier to indicate the data
that is first acceptable by the parser.  We now use a differently
named parameter to carry out the same activity.
12 years ago
Anoop Saldanha 2cb5bdd3fa Cosmetic changes to code. Introduce human readable flag values for some constants. Here the parameter in question is "data_first_seen_dir" for session context. 12 years ago
Anoop Saldanha e42905f3b9 indentation fix. 12 years ago
Anoop Saldanha 6bef5fda06 If we have proto mismatch from 2 directions, use one of the protos, instead of erroring out and not sending the data further to the parser.
The logic we use currently is if we have already sent some data to
a parser before we figure out we have a proto mismatch, we use the
proto from the first direction from which we have already sent the
data to the parser, else we stick to the to-client direction.
12 years ago
Anoop Saldanha 976a86def4 Introduce convenience macro to set Stream app proto completion flag. 12 years ago
Anoop Saldanha 16144fe38a Rename function pointer var to use the FuncPtr typing convention. Resupply "dns" as the alproto name for ALPROTO_DNS. 12 years ago
Anoop Saldanha 8ae92c7a5e Add unittest to test for http ambiguous host header.
Previously we would not check the port part of the host from the uri
hostname, while we did use the port part from the host header, leading
to FPs.
12 years ago
Anoop Saldanha d0c5f51293 Update rule engine relationship with regard to setting ip protocol between specifying protocol after action, ip_proto and app-layer-protocol.
Now we can specify alproto, ip_proto combinations this way

alert dns (ip_proto:[tcp/udp];)
alert ip (app-layer-protocol:dns;)
alert ip (app-layer-protocol:dns; ip_proto:tcp;)
alert tcp (app-layer-protocol:dns;)

so on.  Neater than using dnstcp/dnsudp.

This is related to feature #424.
12 years ago
Anoop Saldanha 6eb8f66f0a alert ipv4 and alert ipv6 specified proto rules should be treated as PROTO_ANY just like how we treat alert ip rules. 12 years ago
Anoop Saldanha f592c481dc Introduce a separate inspection engine for app events. 12 years ago
Anoop Saldanha 9e4eec200f Update htp event handler to both warning and error events regardless of any conditions. 12 years ago
Anoop Saldanha b1dffdfbe0 Add app layer protocol packet event detection support. 12 years ago
Anoop Saldanha 5e2d9dbdc3 Add and use EventGetInfo for getting info on an event.
Also update existing parsers and app-layer-event Setup to use this.
12 years ago
Anoop Saldanha 60a2b157b2 Fix duplicate packet decoder events. Add event entries that were missing as well. 12 years ago
Anoop Saldanha 1077acecd7 validate dns sigs that are reported as plain dns and not dnsudp or dnstcp. 12 years ago
Anoop Saldanha 6cb0014287 Move app event module registration as a part of app layer proto table. 12 years ago
Anoop Saldanha 64b0939b4a code cleanup. 12 years ago
Anoop Saldanha 0d7159b525 App layer protocol detection updated and improved. We now use
confirmation from both directions and set events if there's a mismatch
between the 2 directions.

FPs from corrupt flows have disappeared with this.
12 years ago
Anoop Saldanha 22c05da3cd Replace ssn appproto_detection_completed flag with individual stream ones. 12 years ago
Anoop Saldanha c044541b1c Provide convenience macros for setting flow flags on protocol matching by
PM and PP phase.

Replace the areas of the code that would otherwise rely on setting/reading
these flags with these macros.

Other minor tweaks to some api calls.
12 years ago
Anoop Saldanha 00f546e739 update pmp to return whole set of matches, rather than a single match. 12 years ago
Anoop Saldanha 4f7339c423 code cleanup. 12 years ago
Anoop Saldanha 8e8bc49063 Introduce detection parser function pointer. 12 years ago
Anoop Saldanha 94e40907e2 feature #727 - Add support for app-layer-protocol:<protocol> keyword 12 years ago
Anoop Saldanha 6f8cfd999f Allow detection ports for alproto to be specified via the conf file.
To understand the option have a look at the option

app-layer.protocols.tls.detection-ports
12 years ago
Anoop Saldanha ddde572fba Introduce new options into the conf file to enable/disable -
1. Proto detection
2. Parsers

For app layer protocols.

libhtp has now been moved to the section under app-layer.protocols.http,
but we still provide backward compatibility with older conf files.
12 years ago
Anoop Saldanha d9686fae57 Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well. 12 years ago
Victor Julien 48b5513ed9 Properly clean up decoder event rules
Addresses:
~~Dr.M~~ Error #3: LEAK 120 direct bytes 0x08a26ac8-0x08a26b40 + 1871 indirect bytes
~~Dr.M~~ # 0 replace_malloc                               [/work/drmemory_package/common/alloc_replace.c:2292]
~~Dr.M~~ # 1 SigGroupHeadAlloc                            [/home/victor/dev/oisf/src/detect-engine-siggroup.c:144]
~~Dr.M~~ # 2 SigGroupHeadAppendSig                        [/home/victor/dev/oisf/src/detect-engine-siggroup.c:1014]
~~Dr.M~~ # 3 DetectEngineAddDecoderEventSig               [/home/victor/dev/oisf/src/detect.c:3026]
~~Dr.M~~ # 4 SigAddressPrepareStage2                      [/home/victor/dev/oisf/src/detect.c:3075]
~~Dr.M~~ # 5 SigGroupBuild                                [/home/victor/dev/oisf/src/detect.c:4311]
~~Dr.M~~ # 6 SigLoadSignatures                            [/home/victor/dev/oisf/src/detect.c:464]
~~Dr.M~~ # 7 LoadSignatures                               [/home/victor/dev/oisf/src/suricata.c:1706]
~~Dr.M~~ # 8 main                                         [/home/victor/dev/oisf/src/suricata.c:1994]
12 years ago
Victor Julien c43e078db8 ipproto: improve cleanup
To address:
~~Dr.M~~ Error #2: LEAK 16 direct bytes 0x08399688-0x08399698 + 2 indirect bytes
~~Dr.M~~ # 0 replace_malloc                      [/work/drmemory_package/common/alloc_replace.c:2292]
~~Dr.M~~ # 1 SigMatchAlloc                       [/home/victor/dev/oisf/src/detect-parse.c:201]
~~Dr.M~~ # 2 DetectIPProtoSetup                  [/home/victor/dev/oisf/src/detect-ipproto.c:523]
~~Dr.M~~ # 3 SigParseOptions                     [/home/victor/dev/oisf/src/detect-parse.c:510]
~~Dr.M~~ # 4 SigParseOptions                     [/home/victor/dev/oisf/src/detect-parse.c:523]
~~Dr.M~~ # 5 SigParse                            [/home/victor/dev/oisf/src/detect-parse.c:881]
~~Dr.M~~ # 6 SigInitHelper                       [/home/victor/dev/oisf/src/detect-parse.c:1309]
~~Dr.M~~ # 7 SigInit                             [/home/victor/dev/oisf/src/detect-parse.c:1456]
~~Dr.M~~ # 8 DetectEngineAppendSig               [/home/victor/dev/oisf/src/detect-parse.c:1728]
~~Dr.M~~ # 9 DetectLoadSigFile                   [/home/victor/dev/oisf/src/detect.c:334]
~~Dr.M~~ #10 SigLoadSignatures                   [/home/victor/dev/oisf/src/detect.c:422]
~~Dr.M~~ #11 LoadSignatures                      [/home/victor/dev/oisf/src/suricata.c:1706]
12 years ago
Victor Julien 1006d905d0 Improve memory cleanup for decoder-events
To address:

~~Dr.M~~ Error #1: LEAK 1 direct bytes 0x0892c108-0x0892c109 + 0 indirect bytes
~~Dr.M~~ # 0 replace_malloc                        [/work/drmemory_package/common/alloc_replace.c:2292]
~~Dr.M~~ # 1 DetectEngineEventParse                [/home/victor/dev/oisf/src/detect-engine-event.c:173]
~~Dr.M~~ # 2 _DetectEngineEventSetup               [/home/victor/dev/oisf/src/detect-engine-event.c:204]
~~Dr.M~~ # 3 DetectDecodeEventSetup                [/home/victor/dev/oisf/src/detect-engine-event.c:248]
~~Dr.M~~ # 4 SigParseOptions                       [/home/victor/dev/oisf/src/detect-parse.c:510]
~~Dr.M~~ # 5 SigParseOptions                       [/home/victor/dev/oisf/src/detect-parse.c:523]
~~Dr.M~~ # 6 SigParse                              [/home/victor/dev/oisf/src/detect-parse.c:881]
~~Dr.M~~ # 7 SigInitHelper                         [/home/victor/dev/oisf/src/detect-parse.c:1309]
~~Dr.M~~ # 8 SigInit                               [/home/victor/dev/oisf/src/detect-parse.c:1456]
~~Dr.M~~ # 9 DetectEngineAppendSig                 [/home/victor/dev/oisf/src/detect-parse.c:1728]
~~Dr.M~~ #10 DetectLoadSigFile                     [/home/victor/dev/oisf/src/detect.c:334]
~~Dr.M~~ #11 SigLoadSignatures                     [/home/victor/dev/oisf/src/detect.c:422]
12 years ago
Victor Julien 1be6a8a48b Fix small leak in ports validation at startup 12 years ago
Victor Julien 3601091952 flowint: further setup fixes and cleanups 12 years ago
Victor Julien 8080494e9a counters: consolidate counters after all ThreadInit functions of a thread have run. This prevents duplicate and overwriting memory allocations. 12 years ago
Victor Julien 7f8d256e7c Fix tests that didn't expect radix to be freed 12 years ago
Victor Julien d2d784e31a radix: actually free a tree in SCRadixReleaseRadixTree 12 years ago
Victor Julien c94b920874 flowint: fix compile warning 12 years ago
Victor Julien a8c416fc8b flowint: fix setup memory leaks 12 years ago
Victor Julien 16130cc974 ssh: fix memleaks during ssh.softwareversion init and cleanup 12 years ago
Victor Julien ec724a1e56 urilen: fix memory leak when freeing the rule 12 years ago
Anoop Saldanha cfa2cda42b fix for bug #973.
An alternative solution for bug #970.

For chopped patterns, which in its whole is a duplicate of another
pattern we assign a unique content id.
12 years ago
Anoop Saldanha 4da2f29054 Unittest for bug #973. 12 years ago
Victor Julien 0bfba8352d pcre: check for pcre_free_study, fall back to pcre_free if it is unavailable 12 years ago
Victor Julien dd76e679fe mpm: clean up stream thread ctx 12 years ago
Victor Julien 6f450785fc profiling: properly clean up thread local memory. 12 years ago
Victor Julien eca1a8d73a profiling: don't alloc 0 bytes block if no rules are used 12 years ago
Victor Julien 468a8e1ca3 Properly cleanup NSS ctx 12 years ago
Victor Julien eedd4329da Change ParseSize api to not leak memory and only setup pcre once. 12 years ago
Victor Julien 3d78cc8ca6 DNS: free TX events using proper function 12 years ago
Victor Julien 6f2cb141cf Http: improve tx data cleanup 12 years ago
Victor Julien 239ab202c9 stream: clean up queue list in all cases 12 years ago
Victor Julien 67c12c61d3 Http: fix memory leaks when cleaning up our per-tx storage 12 years ago
Victor Julien 6aed56d093 Dns: fix memory leak when events are set 12 years ago
Anoop Saldanha cd80dcbfd4 bug #955 - Fix SSL parsing issue.
The parser wasn't carrying out a bounds check on record length while
in the middle of parsing a handshake.  As a result we would step onto the
next record header and consider it a part of the current handshake.

- Contains a unittest to test the issue.
- Disable the duplicate parser unittest registration.

The issue came to light through an irregular ssl record, which was
reported by Sebastian Roschke, via CVE-2013-5919.

Thanks to Sebastian Roschke for reporting this issue.
12 years ago
Anoop Saldanha 8c1e855632 fix for bug #970(ac-gfbs).
Content strings that are a duplicate of a pattern from another sig, but
have a fast_pattern chop being applied, would end up being assigned the
same pattern id as the duplicate string.  But the string supplied to the
mpm would be the chopped string, which might result in the state_table
output_state content entry being overridden by the fuller string at
the final state of the smaller content length, because of which during a
match we might end up inspecting the search buffer against the fuller
content pattern, instead of the chopped pattern, which would end up being
an inspection beyond the buffer bounds.
12 years ago
Anoop Saldanha 92a8b2b738 Unittest to display bug #970(ac-gfbs). 12 years ago
Anoop Saldanha 496f30a5e4 fix for bug #970(ac-bs).
Content strings that are a duplicate of a pattern from another sig, but
have a fast_pattern chop being applied, would end up being assigned the
same pattern id as the duplicate string.  But the string supplied to the
mpm would be the chopped string, which might result in the state_table
output_state content entry being overridden by the fuller string at
the final state of the smaller content length, because of which during a
match we might end up inspecting the search buffer against the fuller
content pattern, instead of the chopped pattern, which would end up being
an inspection beyond the buffer bounds.
12 years ago
Anoop Saldanha af95df67a5 Unittest to display bug #970(ac-bs). 12 years ago
Victor Julien 68ba9df8a0 Fix valgrind warning on memrchr unittest. 12 years ago
Anoop Saldanha d2ea799d38 fix for bug #970.
Content strings that are a duplicate of a pattern from another sig, but
have a fast_pattern chop being applied, would end up being assigned the
same pattern id as the duplicate string.  But the string supplied to the
mpm would be the chopped string, which might result in the state_table
output_state content entry being overridden by the fuller string at
the final state of the smaller content length, because of which during a
match we might end up inspecting the search buffer against the fuller
content pattern, instead of the chopped pattern, which would end up being
an inspection beyond the buffer bounds.
12 years ago
Anoop Saldanha da75db9330 Unittest to display bug #970. 12 years ago
Victor Julien 397a55457d Add sanity checks for command line argument handling
Coverity 1075221.

Normally getopt_long should cover this case, but can't hurt to
add in some extra checks.
12 years ago
Victor Julien c8b71938ff Add a fallback memrchr implementation for those platforms that don't support it. Bug #963. 12 years ago
Victor Julien e77b21a7f7 Suppress compiler warning about comparing signed and unsigned vars 12 years ago
Victor Julien bb8298ffa2 Move header thread_affinity declaration to extern to avoid duplicate declarations. 12 years ago
Victor Julien 3470b07ea5 Fix several compile and runtime warnings found by clang 3.2 with the -fsanitize=address option. 12 years ago
Victor Julien c82ecf553a Tag: document in the code that 'tag' is compatible with ip only 12 years ago
Victor Julien d12761233c Don't set tag on pseudo packets 12 years ago
Victor Julien 02cbbd0b89 unified2: fix tags not being logged. Bug #968 12 years ago
Anoop Saldanha 3749fc98fd Modify handling of negated content.
The old behaviour of returning a failure if we found a pattern while
matching on negated content is now changed to continuing searching
for other combinations where we don't find the pattern for the
negated content.

Thanks to Will Metcalf for reporting this.
12 years ago
Victor Julien 8539791c7e Coverity 1038102: remove dead code from host hash 12 years ago
Victor Julien 8237bbf18a Coverity 1038101: remove dead code from host hash timeout code 12 years ago
Victor Julien 440124a4b9 Coverity 1038100: remove dead code from flow hash timeout code(2) 12 years ago
Victor Julien 243060a6b7 Coverity 1038099: remove dead code from flow hash timeout code 12 years ago
Victor Julien 2e82772a0a Coverity 1038098: remove dead code from flow hash 12 years ago
Victor Julien aecefd00bd Coverity 1038095: remove dead code from defrag hash timeout code 12 years ago
Victor Julien 16056d51f2 Coverity 1038094: remove dead code from defrag hash 12 years ago
Victor Julien 32503bafaa Coverity 1038089: error check fseek call 12 years ago
Victor Julien 4827a4dcef Coverity 400477: pcre_get_substring retval
Add missing return code check to pcre_get_substring call.
12 years ago
Victor Julien 790866656b Coverity 1038129 fix
Don't leak memory on malloc error in b2gm mpm implementation.
12 years ago
Victor Julien 33919559d0 Fix memory leak on invalid luajit signature. Coverity 1038520. 12 years ago
Victor Julien 51c6a333d9 geoip: never try to store more locations than possible (Coverity 1038517) 12 years ago
Victor Julien 3cf3b485f2 Coverity 1038138 fix
Clean up parsing code to suppress Coverity:
Dereference before null check (REVERSE_INULL)

Proper checking was already done.
12 years ago
Victor Julien 27ea4232fe Coverity 1038134 fix
Cleaned up error check. "ipdup" can only be non-NULL there, so remove check
that confused coverity.
12 years ago
Victor Julien ecd5c7573b Coverity 1038135 fix
Small cleanup in the error handling. The extra null check confused
Coverity.
12 years ago
Victor Julien 38b6103ff5 Coverity 1038133 fix
Clean up parsing code to suppress Coverity:
Dereference before null check (REVERSE_INULL)

Proper checking was already done.
12 years ago
Ken Steele 50f859e9f2 Move SIMD implementations out of detect.c
Move the SIMD implementations of SigMatchSignaturesBuildMatchArray()
for SSE3 and Tile out of detect.c to reduce the size of the file.

Also moved SIMD unit tests to detect-simd.c
12 years ago