Commit Graph

4542 Commits (300b739b1fdc579ef05d265ed9fce0d52c1786ab)
 

Author SHA1 Message Date
Victor Julien 67989e7e4e rule parsing: reduce mallocs and clean up
Reduce mallocs during rule parsing. Also, no longer recursively
call the option parse function.
12 years ago
Victor Julien 2ce8895f0a address and port: reduce memory allocs 12 years ago
Jason Ish 06f4fe8e0c Remove the single line if statements. 12 years ago
Jason Ish 8625c9eba8 Support for configuration include files. 12 years ago
Victor Julien e7f6107e79 signature address parsing improvements and tests
Fix sigatures not supporting [10.0.0.0/24, !10.1.1.1] notation when
used directly in a rule instead of through a variable.

Add tests for Bugs #815 and #920.
12 years ago
Victor Julien 614133b4ca valgrind: add suppression file 12 years ago
Victor Julien 3521c37d4a http: use body limit in inspection
When inspecting HTTP bodies there are several limits involved.
In this patch the reaching of the body limit will trigger body
inspection.

Without this, the body would only be inspected when inspection
limits "request-body-minimal-inspect-size" or
"response-body-minimal-inspect-size" were reached. If the body
limit was smaller than this value, the body would only be
inspected at the end of the tx or stream.
12 years ago
Victor Julien 493d531ae8 Fix using uninitialized memory (Bug #994) 12 years ago
Eric Leblond 9bbcc8671e util-ioctl: ioctl error should be a warning 12 years ago
Eric Leblond 286258df86 pcap: add warning about GRO and LRO usage
Use the new GetIfaceOffloading function to display a warning message
if pcap capture is used on Linux with GRO or LRO activated. This is
helpful for kernel after 2.6.31 were pcap will use mmaped capture.
TPACKET_V2 is used and this limit the size of the packet resulting
in truncated packets when merged packets are received.
12 years ago
Eric Leblond 2855ee5aef af-packet: add warning message if LRO or GRO are set
This patch query the network interface to detect if LRO or GRO are
used in mmap TPACKET_V2 mode.
12 years ago
Eric Leblond fcc8759561 util-ioctl: add GRO/LRO detection capabilities
This patch adds a new function GetIfaceOffloading which return 0
if LRO and GRO are not set on a interface and 1 if not the case.
12 years ago
Eric Leblond 008ed41cb4 util-ioctl: minor code cleaning.
Fix author e-mail and simplify an indentation.
12 years ago
Eric Leblond 853732210e pfring: improve error reporting at device opening
This patch improves the error message displayed if pfring_open fails.
12 years ago
Victor Julien 5330b1cae1 detect: don't consider smsgs for no inspect flag
When the PKT_NOPAYLOAD_INSPECTION flag is set, don't apply it to smsgs.
This way we can still inspect the outstanding smsgs.

The PKT_NOPAYLOAD_INSPECTION is set for encrypted traffic, and is combined
with disabling stream reassembly. So we only inspect the smsgs up to the
point of the disable detection point.
12 years ago
Victor Julien ab7677638e stream: improve raw reassembly
When checking the reassembly limit for raw reassembly, consider the
STREAMTCP_STREAM_FLAG_NOREASSEMBLY a trigger immediately. We won't
process any more segments in the reassembly engine anyway.
12 years ago
Victor Julien e392c0a4ce Fix autofp flow queue handler optimization 12 years ago
Victor Julien 480fddd189 build-info: add a nicer way of printing atomics support 12 years ago
Victor Julien ce120d4927 flow: aligned flow balance structures (used by autofp) to CLS to reduce false sharing 12 years ago
Victor Julien fb4967912c http: add meta-field-limit option
The meta-field-option allows for setting the hard limit of request
and response fields in HTTP. In requests this applies to the request
line and headers, not the body. In responses, this applies to the
response line and headers, not the body.

Libhtp uses a default limit of 18k. If this is reached an event is
raised.

Ticket 986.
12 years ago
Victor Julien 2ec57c36b4 SSE 4.2 memcmp: don't read beyond var boundary
In the SSE 4.2 SCMemcmpLowercase implementation, there would be a
_mm_load_si128 of a 2 byte array. However, _mm_load_si128 loads
16 bytes, causing it to read beyond the var. I don't think this lead
to crashes, as it was a static var, but clangs ASAN complained about
it.
12 years ago
Ken Steele d3c6913e28 Reduce the size of Packet structure
Share memory space for IPV4Vars and (IPV6Vars, IPV6ExtHdrs), since a
packet can only be either IPv4 or IPv6, but not both.

Share memory for TCPVars, UDPVars, ICMPV4Vars and ICMPV6Vars, since a
packet can only be only of these.

Then move other structure members around to remove holes reported by pahole.

This reduces the size of the Packet structure from 2944 bytes (46 cachelines)
down to 1976 (31 cachelines), a 33% reduction.
12 years ago
Victor Julien a8b971c710 http: strip 'proxy' part of http_uri
Strip the 'proxy' parts from the normalized uri as inspected by http_uri,
urilen, pcre /U and others.

  In a request line like:
    GET http://suricata-ids.org/blah/ HTTP/1.1
  the normalized URI will now be:
    /blah/

This doesn't affect http_raw_uri. So matching the hostname, etc is still
possible through this keyword.

Additionally, a new per HTTP 'personality' option was added to change
this behavior: "uri-include-all":

  uri-include-all: <true|false>
    Include all parts of the URI. By default the
    'scheme', username/password, hostname and port
    are excluded. Setting this option to true adds
    all of them to the normalized uri as inspected
    by http_uri, urilen, pcre with /U and the other
    keywords that inspect the normalized uri.
    Note that this does not affect http_raw_uri.

So adding uri-include-all:true to all personalities in the yaml will
restore the old default behavior.

Ticket 1008.
12 years ago
Ken Steele de6cbb01c8 Allocate mPIPE packet ingress queue in each worker thread.
Move the allocation of the mPipe ingress queue from a loop over
the number of workers in the main init function to being done inside
each worker thread. This allows allocating the memory locally on the
worker's CPU without needing to figure out ahead of time where that thread
will be running. This fixes one case of static mapping of workers to CPUs.

Use __thread to hold the queue rather than a global tables of queues.
12 years ago
Ken Steele 601c7c8e3c Cleanup Tile build for -Werror
Just the changes needed for the Tile architecture to compile cleanly with
-Werror.
12 years ago
Ken Steele f16b339fc4 Rename checksums to level3_comp_csum and level4_comp_csum.
This will also sharing even more memory in the Packet_ structure.
12 years ago
Eric Leblond 3dceca70ee suricata: move some code into PostConfLoadedSetup
All functions before daemonization are initialisation functions and thus the
call can be moved in PostConfLoadedSetup.
12 years ago
Victor Julien c89f03fc1e Remove mkinstalldirs (bug #1041) 12 years ago
Victor Julien a84c502e50 Add SSE support to --build-info 12 years ago
Victor Julien 49a54713da memcmp: don't use SSE intrinsics if less that 16 bytes are available in SSE_4_2 version. 12 years ago
Victor Julien 8ffa30dd88 profiling: don't init rule profiling ctx if rule profiling is disabled 12 years ago
Victor Julien 660636c5bc profiling: when config is missing, keyword profiling is disabled 12 years ago
Victor Julien 2982408155 pcap: register counters for old pcap versions as well 12 years ago
Victor Julien 9a42f621f5 Fix pcre_study error check
pcre_study returning NULL is not necessarily an error, from the man page
pcre_study(3):

  "If the function returns NULL, either it could not find any additional
   information, or there was an error. You can tell the difference by
   looking at the error value. It is NULL in first case."

Older libpcre versions would return NULL, causing errors.
12 years ago
Ken Steele c6a8d0ab6b Share Packet checksum values for TCP, UDP, IPv6. ICMPv4 and ICMPv6
Keep a separate checksum for IPV4, since a packet can have both an IPV4
checksum and a TCPV4 checksum, or IPV4 and UDPV4 checksum.

This will allow future sharing of more values.

Use PACKET_RESET_CHECKSUMS() in Unit Tests in place of setting the
individual checksum values.
12 years ago
Ken Steele 27caa8aea7 Add missing case for DNS_CONFIG
Found compiling with -Werror
12 years ago
Victor Julien 36bc8d5cd0 http & tls: fix transaction handling
When http and/or tls logging is disabled, the app layer would still
be flagged as logging. This caused transactions not to be freed until
the end of the flow as the logged tx id would never increment.

This fix postpones the setting of the app layer parser "logger"
flag to the point where we know the logger is enabled.
12 years ago
Victor Julien bee5ff172b dns: fix transaction handling
When logging is disabled, the app layer would still be flagged
as logging. This caused transactions not to be freed until the
end of the flow as the logged tx id would never increment.

This fix postpones the setting of the app layer parser "logger"
flag to the point where we know the logger is enabled.
12 years ago
Victor Julien 6730f3d5cc DNS: trigger logging for toserver dir when previous reply is lost. 12 years ago
Victor Julien 61cdd9be6b dns: detect case of request flooding
In the case where DNS requests are sent over the same flow w/o a
reply being received, we now set an event in the flow and refuse
to add more transactions to the state. This protects the DNS
handling from getting overloaded slowing down everything.

A new option to configure this behaviour was added:

app-layer:
  protocols:
    dnsudp:
       enabled: yes
       detection-ports:
         udp:
           toserver: 53
       request-flood: 750

The request-flood parameter can be 0 (disabling this feature) or a
positive integer. It defaults to 500.

This means that if 500 unreplied requests are seen in a row an event
is set. Rule 2240007 was added to dns-events.rules to match on this.
12 years ago
Ken Steele c1b9f0e1f4 Formatting and comment updates in flow files
Some reformatting to meet coding standards.

Added a few comments to make it more clear where p->flow gets set.
12 years ago
Victor Julien 72a147b6f1 detect: only inspect smsg for valid tcp packets
Packets that are rejected by the stream engine are not considered
part of an established tcp session. By allowing them to inspect
an smsg, some smsgs would not be properly inspected.
12 years ago
Ken Steele dfc2117e80 Add Unit test to check TCPv4 and IPV4 checksums together.
Copied SigTest26TCPV4Keyword and added check for invalid IPV4 checksums.
Created new SigTest26TCPV4AndIPV4Keyword test with a new packet with valid
IPV4 checksums.
12 years ago
Victor Julien 0c12ad6bd0 stream: fix sequence number on smsg
When multiple segments were put into a smsg, the seq would be updated
each time a segment was added. Because of this, the seq wasn't pointing
to the start of the data.

This caused some false negatives when the fast_pattern was in the raw
stream, but another part of the inspection was in the state. Because of
the wrong seq, the inspection of the smsg could be delayed. This in turn,
could make the inspection engine consider a TX inspected, even if it wasn't
fully yet.
12 years ago
Ken Steele 86c6861b40 Give Suricata priority to receive packets over Linux with mPIPE.
When installing the rules to tell mPIPE to send packet to Suricata,
give it a higher priority than the default used by Linux. This way if
Linux also tells mPIPE to send it packets, Suricata will get them
instead, as long as Suricata is running.
12 years ago
Victor Julien 9a7353e148 http: don't decode + to space by default
Libhtp decodes the + character in the query string to a space by default.
Suricata rules (e.g. etpro sid 2806767) are expecting to see the space in
the http_uri buffer.

Added an option per htp config to reenable this default behavior:

    query-plusspace-decode: yes

Bug #1035.
12 years ago
Victor Julien 25636597af Fix live rule reload confusing delayed detect
Fixes bug 1023 and the previous attempt to fix it.
12 years ago
Victor Julien 5906eeb8c8 detect: don't do rule reload during delayed detect
When both rule reloads and delayed detect are enabled, make sure we don't
trigger a reload during delayed detect initialization.

Bug #1023.
12 years ago
Victor Julien 7b687da726 profiling: add tracking of missing keywords 12 years ago
Victor Julien 5686c673ec profiling: per buffer profiling 12 years ago