Commit Graph

12090 Commits (2a326421aa29154ebfaada3888974a634feb5f56)

Author SHA1 Message Date
Mats Klepsland 2a326421aa thresholds: Fix buffer overflow in threshold context
th_entry is resized using ThresholdHashRealloc() every time a rule with
a threshold using by_rule tracking is added. The problem is that this is
done before the rules are reordered, so occasionally a rule with by_rule
tracking gets a higher signature number (after reordering) than the
number of th_entries allocated, causing Suricata to crash.

This commit fixes this by allocating th_entries after all the rules are
loaded and reordered.

Backtrace from core dump:

  Program terminated with signal SIGSEGV, Segmentation fault.

  #0  0x000000000051b381 in ThresholdHandlePacket (p=p@entry=0x7fb0080f3960, lookup_tsh=0x51, new_tsh=new_tsh@entry=0x7fb016c316e0, td=td@entry=0x14adedf0, sid=9800979, gid=1, pa=0x7fb0080f3b18)
      at detect-engine-threshold.c:415
  415                if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {

Bug #4503.
4 years ago
Mats Klepsland f47e4375b3 thresholds: syntax fixes
Fix syntax of if statement in SigGetThresholdTypeIter()
4 years ago
Mats Klepsland b0b4fab794 thresholds: remove unneeded function argument
Remove packet pointer from SigGetThresholdTypeIter() as it is
unused.
4 years ago
Juliana Fajardini 6b8b58f98a doc/eve: common fields and alert updates
- update examples for both
- change app_proto from alert field to common field, as
  per JsonBuilder's changes.
4 years ago
Juliana Fajardini eacf933edf doc/eve: fix typos 4 years ago
Jeff Lucovsky 02fe026046 output: Fix possible null deref
This commit corrects an issue uncovered by Coverity. See the redmine
issue for details: https://redmine.openinfosecfoundation.org/issues/4495
4 years ago
Philippe Antoine d00b755b64 http2: only mimic http1 request if there is one
That may not be the case in midstream/async configurations
4 years ago
Jason Ish 70b21df756 makefile: don't include the whole test/ directory
Including the whole directory results in .deps files ending up
in the distribution archive which shouldn't be there. Instead
we have to list all the test sources individually.
4 years ago
Jeff Lucovsky aa8871a5be rust/default: Enable Default usage 4 years ago
Jeff Lucovsky 6028ca7827 nfs: Rework constructs to use Self/Default 4 years ago
Jeff Lucovsky aafb0a60b7 dhcp: Rework constructs to use Self/Default 4 years ago
Jeff Lucovsky 1ef0bd580b dcerpc: Rework constructs to use Self/Default 4 years ago
Jeff Lucovsky 00167121dc dns: Rework constructs to use Self/Default 4 years ago
Jeff Lucovsky 02dccb1529 smb: Rework constructs to use Self/Default
This commit modifies the constructors to use Self and/or
Default::default() when feasible
4 years ago
Jeff Lucovsky f502f21f9e rust/default: Enable Default usage in SMB 4 years ago
Philippe Antoine 95f225e8fb doc: update sphinx api to use add_css_file
instead of deprecated add_stylesheet
4 years ago
Shivani Bhardwaj 581cb6223d dcerpc/udp: Add rust registration function
Get rid of the C glue code and move registration completely to Rust.
4 years ago
Shivani Bhardwaj d7007424bd dcerpc/udp: Change fn sign as per rust registration requirement
Registering parsers in Rust requires signatures to be a certain way and
compatible with C. Change signatures of all the functions.
4 years ago
Shivani Bhardwaj bac69af7e4 dcerpc: Add rust registration function
Get rid of the C glue code and move registration completely to Rust.
4 years ago
Shivani Bhardwaj a0a09a102b dcerpc: Change fn sign as per rust registration requirement
Registering parsers in Rust requires signatures to be a certain way and
compatible with C. Change signatures of all the functions.
4 years ago
Shivani Bhardwaj dee972b863 rust/core: Make AppProto type u16 4 years ago
Shivani Bhardwaj d66ad96f0d applayer/rust: add extern AppLayerProtoDetectPMRegisterPatternCSwPP 4 years ago
Victor Julien 533c6ff274 github: work around rustc mingw issue
https://github.com/msys2/MINGW-packages/issues/8732#issuecomment-845079799
4 years ago
Jason Ish 65809be8ec suricata-plugin.h: don't include autoconf.h
It is not required here and just creates double inclusion in some
scenarios.
4 years ago
Victor Julien d7c3ecb6f9 http2: remove dead code 5 years ago
Philippe Antoine b3c502d572 http2: remove assertion which can be wrong
Brotli decoder stops consuming input if it reaches the
end of its input
5 years ago
Simon Dugas c2720fc2fb modbus: fix quantity and count calculation
The [Modbus Spec S6.11](https://modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf)
clearly states that the `count = quantity / 8` and not the other way
around. This is fixed in sawp-0.5.0.
5 years ago
Philippe Antoine 999327ba1f http2: http.cookie keyword now works for HTTP2 5 years ago
Philippe Antoine df039555bc http2: http.host.raw keyword now works for HTTP2 5 years ago
Philippe Antoine 1e82d0b3c8 http2: http.method keyword now works for HTTP2 5 years ago
Philippe Antoine 017e39d8fd http2: makes all HTTP1 header keywords work 5 years ago
Philippe Antoine 2cadddda89 http2: there is no status msg in HTTP2
so we revert its detection, which was mistaken for the status code
5 years ago
Philippe Antoine 1e96272576 http2: http.stat_code keyword now works for HTTP2 5 years ago
Jeff Lucovsky fcd1ae3bf1 doc: Protocol name/case change for upgrade doc
This commit adds a one-liner to the upgrade document for 7.0 stating
that protocol names/values are now builtin to Suricata and that names
and their casing may change.
5 years ago
Jeff Lucovsky e77e8dbe18 proto: Remove dependency on /etc/protocols
This commit eliminates the dependency on /etc/protocols and equivalent
on other platforms by using a static table of IANA assigned protocol
values (names, description).
5 years ago
Jason Ish def636383e github-ci: enable hiredis on fedora 33 build 5 years ago
Jason Ish 587c326d73 yaml: treat some unquoted values as null (per spec)
Per the YAML spec, the following values when present unquoted
should be equivalent to null:
- ~
- NULL
- Null
- null
5 years ago
Jeff Lucovsky 7fa98cde4d output/redis: Redis threaded output changes 5 years ago
Jeff Lucovsky 8867dcf403 config/plugin: Add template for plugins 5 years ago
Jeff Lucovsky 1defca3c34 output/plugin: Support threaded output plugins 5 years ago
Jeff Lucovsky 05836a4452 output/plugin: API changes for threaded support
This commit extends the interface to better support file output plugins.
5 years ago
Simon Dugas 0ed62e93ec doc/modbus: add eve logging documentation 5 years ago
Simon Dugas a8a51dc004 modbus: add eve logging 5 years ago
Simon Dugas 8342641477 modbus: move tests from c to rust
Move tests in a separate commit so that we can use the previous one for
regression testing. This also gets rid of the temporary glue that made
the C tests work with the rust implementation.
5 years ago
Simon Dugas a458a94dca modbus: move from C to rust
Adds a new rust modbus app layer parser and detection module.

Moves the C module to rust but leaves the test cases in place to
regression test the new rust module.
5 years ago
Simon Dugas 7c99fe3689 modbus: fix app-layer test cases
invalidFunctionCode: make protocol id valid since we are only testing
the function code here.

readCoilsErrorRsp: changed to different invalid response code.

ModbusParserTest10: wrong length was passed to AppLayerParserParse.

ModbusParserTest11: allocate the entire buffer.
5 years ago
Simon Dugas f629321de0 ci: update known rust version
Update RUST_VERSION_KNOWN to the latest stable known to succeed. Also
updates the documentation to avoid confusion around the use of this
variable.
5 years ago
Victor Julien 28548b072b travis: remove ci file as we switched to github-ci 5 years ago
frank honza f83d51d0cb ike: set event for multiple server proposals 5 years ago
Jason Ish 488d5fb342 unix-socket: reset to ready state on startup
As part of commit ea15282f47,
some initialization was moved to happen even in unix socket mode,
however, this initialization does setup some loggers that can only have
one instance enabled (anomaly, drop, file-store).

This will cause these loggers to error out on the first pcap, but work
on subsequent runs of the pcap as some deinitialization is done after
each pcap.

This fix just runs the post pcap-file deinitialization routine to
reset some of the initialization done on startup, like is done after
running each pcap in unix socket mode.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4225

Additionally this prevents alerts from being logged two times
on the first run of a pcap through the unix socket:

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4434
5 years ago