Commit Graph

12379 Commits (314ec77f88325a4e8989e898991b9af493cad3dc)

Author SHA1 Message Date
Jason Ish e92cb36bb8 krb5: use derived app-layer event 4 years ago
Jason Ish 92561837f8 ntp: use derived app-layer event 4 years ago
Jason Ish 1f71fb2cde rfb: register None for get_event_info/get_event_info_by_id
Implementations are not required if they're just going to return
-1. We allow None to be registered for that.
4 years ago
Jason Ish 4fd6aa866f sip: use derived app-layer event 4 years ago
Jason Ish 18448f6ed6 snmp: use derived app-layer event 4 years ago
Jason Ish bb094b17db ssh: use derived app-layer event 4 years ago
Jason Ish 9c3f06d9b5 dhcp: use derived app-layer event 4 years ago
Jason Ish b9f10ba22f smb: use derived get_event_info/get_event_info_by_id 4 years ago
Jason Ish 8eac5fc221 mqtt: derive AppLayerEvent for MQTTEvent 4 years ago
Jason Ish 6ed827a4ef dns: use derive macro for DNSEvent 4 years ago
Jason Ish 9221f1d9d5 applayerevent: derive get_event_info and get_event_info_by_id
Add generation of wrapper functions for get_event_info
and get_event_info_by_id to the derive macro. Eliminates
the need for the wrapper method to be created by the parser
author.
4 years ago
Jason Ish 0fa7b5c2a2 rust/applayer: provide generic event info functions
Provide generic functions for get_event_info and
get_event_info_by_id. These functions can be used by any app-layer
event enum that implements AppLayerEvent.

Unfortunately the parser registration cannot use these functions
directly as generic functions cannot be #[no_mangle]. So they
do need small extern "C" wrappers around them.
4 years ago
Jason Ish 27d1ee98ce rust: derive crate: for custom derives
Currently has one derive, AppLayerEvent to be used like:

  #[derive(AppLayerEvent)]
  pub enum DNSEvent {
      MalformedData,
      NotRequest,
      NotResponse,
      ZFlagSet,
  }

Code will be generated to:
- Convert enum to a c type string
- Convert string to enum variant
- Convert id to enum variant
4 years ago
Jason Ish dbea7d636f rust/applayer: define AppLayerEvent trait
The derive macro will implement this trait for app-layer
event enums.
4 years ago
Victor Julien cd40fcdea7 macset: adjust test to pass after fix 4 years ago
Philippe Antoine 7fa3e8df61 ci: dummy git configuration for rebase 4 years ago
Eric Leblond 328bdf2c61 macset: fix memory size check 4 years ago
Eric Leblond d7468c55ca flow: be sure to check hash till the end 4 years ago
Eric Leblond e531530a67 flow: add comment on flow handling 4 years ago
Eric Leblond c1bffa9545 stream: increase memcap on memory errors 4 years ago
Eric Leblond 0e70958e67 util/streaming: improve error handling
It differentiates memory errors from regular ones.
4 years ago
Eric Leblond cce7e4f4cb flow: fix a debug assert
As the FlowBypassedTimeout function is interacting with the capture
method it is possible that the return changes between the call that
did trigger the timeout and the actual state (i.e. if packets arrive
in between the two calls). So we should not use the call to
FlowBypassedTimeout in the assert.
4 years ago
Eric Leblond 9c89bc80d0 flow: document FlowBypassedTimeout
Main point is to document it is interacting with the capture
layer.
4 years ago
Eric Leblond 9a4ef6b8fc flow: more accurate flow counters
Don't increment the flow timeout counter for flows that are not
really timed out (as use_cnt is non-zero). And also don't take into
account bypassed flows in the counter for flow timeout in use.
4 years ago
Victor Julien c51042e093 flow/worker: handle timeout edge case
In the flow worker timeout path it is assumed that we can hand off
flows to the recycler after processing, implying that `Flow::use_cnt` is 0.
However, there was a case where this assumption was incorrect.

When during flow timeout handling the last processed data would trigger a
protocol upgrade, two additional pseudo packets would be created that were
then pushed all the way through the engine packet paths. This would mean
they both took a flow reference and would hold that until after the flow
was handed off to the recycler. Thread safety implementation would make
sure this didn't lead to crashes.

This patch handles this case returning these packets to the pool from
the timeout handling.
4 years ago
Victor Julien c5556b5dd9 flow/worker: set proper end flag 4 years ago
Victor Julien 61f6fe037d flow/manager: set proper end flag 4 years ago
Philippe Antoine bbbb816ed6 detect: debug validation for list ids overflows 4 years ago
Victor Julien 86681c9d7c detect: move init only array to init data 4 years ago
Victor Julien 22dfcc928c detect/analyzer: use rule style pretty print for patterns 4 years ago
Victor Julien 5703aec44e detect/content: generalize pattern pretty printing 4 years ago
Victor Julien e7a74348d7 detect/profile: add support for tx inspection
Add 'inspect_type' "packet" and "tx" for the two record types. Add more metadata
when available.
4 years ago
Victor Julien a2e37522bb detect/analyze: dump patterns facility
Dump all patterns to `patterns.json`, with the pattern, a total count (`cnt`),
count of how many times this pattern is the mpm (`mpm`) and some of the flags.

Patterns are listed per buffer. So payload, http_uri, etc.
4 years ago
Victor Julien 84872ecc54 detect/content: add some more dsize tests 4 years ago
Victor Julien af104dd223 detect/dsize: set depth flag when applying dsize as depth 4 years ago
Victor Julien 36d3c3cb8e detect/analyzer: count mpm with depth, endswith 4 years ago
Victor Julien de4addbc48 detect/analyzer: show payload separately in group dumping 4 years ago
Victor Julien ef89643107 detect/analyzer: add icmp to rule group output 4 years ago
Victor Julien f49c181ceb detect/analyzer: display per rule prefilter details 4 years ago
Victor Julien 16ea200846 detect/analyzer: count prefilter per rule group 4 years ago
Victor Julien 1c5842df12 detect/analyzer: add per rule mpm block to rules.json 4 years ago
Victor Julien 3660b8f829 detect/analyzer: support buffer names in sgh dump 4 years ago
Victor Julien 0ee7159d1d flow: determine packet direction once per packet 4 years ago
Victor Julien 4c7eb64411 decode: convert 'action' macros to inline funcs
Make sure most common branch is handled first to assist branch
prediction.

Macros still play a small role to please our 'action' cocci check.
4 years ago
Victor Julien 2d1580233e detect/mpm: turn factory array into list 4 years ago
Victor Julien b48ccb8d1f detect/stream: don't run mpm on packet if stream is available 4 years ago
myr463 755124763d doc: escape dot in pcre 4 years ago
Michael Smith a64783b3e2 unix-socket: Avoid spurious logs on close
Avoid spurious logs when suricatasc closes connection.

Use SCLogDebug for control connection EOF, and SCLogError for an error.

As Chandan Chowdhury described in redmine 3685. This makes the logging
consistent with the older `if (client->version <= UNIX_PROTO_V1)` block
about 20 lines above, and avoids polluting the logs with
`Unix socket: lost connection with client`.
4 years ago
Philippe Antoine 3e81d20a71 ci: rebase specified s-v pr
So that CI does not fail if the suricata PR got upgraded to a new
version, but the S-V PR did not get upgraded, and S-V changed
in master.
4 years ago
Philippe Antoine 44bd3169eb dnp3: regenerate object decoding code
Ticket: #4558
So as to avoid intra-structure overflow
4 years ago