Commit Graph

7093 Commits (3366571eebc70183325f173c324ad24872c0b173)

Author SHA1 Message Date
Jason Ish 3366571eeb doc: rule lua scripting 9 years ago
Jason Ish 1e6df87ecb doc: rule lua scripting 9 years ago
Jason Ish 62e0f6a3e3 doc: thresholding 9 years ago
Jason Ish b3b5e333e4 doc: file-keywords 9 years ago
Jason Ish 5537c0f63c doc: flowint 9 years ago
Jason Ish 5f9d265fdf doc: flow-keywords 9 years ago
Jason Ish 0c602c5f19 doc: pcre 9 years ago
Jason Ish 7c36361aac doc: helper tool to convert from wiki to sphinx 9 years ago
Jason Ish 3f2b1277d1 doc: header-keywords 9 years ago
Jason Ish 33e96c5087 doc: fast-pattern 9 years ago
Jason Ish a464573230 doc: payload-keywords 9 years ago
Jason Ish 6d7c0e8274 docs: sample of sphinx docs 9 years ago
Jason Ish 1f4725fcab detect-tls: make check on fingerprint directional 9 years ago
Jason Ish 44c846f2f8 tls-json: make tls events direction sensitive
Previously the src/dest ips in TLS events would differ between
IDS and IPS modes. Make the header creation direction sensitive
so they are identical in both modes.
9 years ago
Mats Klepsland c0f93503b7 util-decode-der-get: fix coverity warning
```
*** CID 1373380:  Control flow issues  (DEADCODE)
/src/util-decode-der-get.c: 126 in UtctimeToTime()
120         year = strtol(yy, NULL, 10);
121         if (year >= 50)
122             snprintf(buf, sizeof(buf), "%i%s", 19, utctime);
123         else if (year < 50)
124             snprintf(buf, sizeof(buf), "%i%s", 20, utctime);
125         else
>>>     CID 1373380:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "goto error;".
126             goto error;
127
128         time = GentimeToTime(buf);
129         if (time == -1)
130             goto error;
131
```
9 years ago
Victor Julien d6f051cdf9 http: removed unused flags 9 years ago
Eric Leblond a194dfbd5b app-layer: tx counter implementation
This patch adds a transaction counter for application layers
supporting it. Analysis is done after the parsing by the
different application layers.

This results in new data in the stats output, that looks like:
```
    "app-layer": {
      "tx": {
        "dns_udp": 21433,
        "http": 12766,
        "smtp": 0,
        "dns_tcp": 0
      }
    },
```
9 years ago
Giuseppe Longo 675fa56497 app-layer: add ThreadVars to AppLayerParserParse
To be able to add a transaction counter we will need a ThreadVars
in the AppLayerParserParse function.
This function is massively used in unittests
and this results in a long commit.
9 years ago
Giuseppe Longo 5908dd0804 app-layer: add flow counters
This adds per flow counters for all
supported protocols.

This results in new data in stats output that looks like:
```
    "app-layer": {
      "flow": {
        "http": 9310,
        "ftp": 0,
        "smtp": 0,
        "tls": 71,
        "ssh": 0,
        "imap": 0,
        "msn": 0,
        "smb": 170,
        "dcerpc_udp": 0,
        "dns_udp": 870,
        "dcerpc_tcp": 2,
        "dns_tcp": 0
      },
    },
```
9 years ago
Eric Leblond 398489e6df stream: fix depth reached detection
When a segment only partially fits in streaming depth, the stream
depth reached flag was not set, resulting in a continuous
inspection of the rest of the session.

By setting the stream depth reached flag when the segment partially
fits, we avoid reentering the code and no longer take a code
path that results in the flag not being set.
9 years ago
Mats Klepsland dc8e0b3cf2 detect: add detect engine for tls validity keywords
Add detect engine for tls validity keywords (tls_cert_notbefore and
tls_cert_notafter).
9 years ago
Mats Klepsland d91664d67a detect-dns: move DetectEngineInspectGenericList to detect-engine.c
Move DetectEngineInspectGenericList from detect-engine-dns.c to
detect-engine.c to enable it to be used in other places as well.
9 years ago
Mats Klepsland cad638697d lua: add lua functions for certificate validity dates
Add functions TlsGetCertNotBefore and TlsGetCertNotAfter to get notBefore
and notAfter fields from TLS certificate in lua scripts.
9 years ago
Mats Klepsland 67ea821521 util-lua: add (wrapper) function to push integer to lua scripts 9 years ago
Mats Klepsland ee24949065 log-tls: add notBefore and notAfter fields to extended output
Add notBefore and notAfter fields from TLS certificate to extended tls
log output.
9 years ago
Mats Klepsland 5b230bbce5 output-json-tls: add notBefore and notAfter fields to extended output
Add notBefore and notAfter fields from TLS certificate to extended JSON
output.
9 years ago
Mats Klepsland ac4e308140 util-time: add function to create a UTC time string
Add function CreateUtcIsoTimeString to create a UTC time string.
9 years ago
Mats Klepsland ea5696812f detect: add tls_cert_notbefore and tls_cert_notafter keywords
Detection plugin for TLS certificate fields notBefore and notAfter.

Supports equal to, less than, greater than, and range operations
for both keywords. Dates can be represented as either ISO 8601 or
epoch (Unix time).

Examples:
```
alert tls [...] tls_cert_notafter:1445852105; [...]
alert tls [...] tls_cert_notbefore:<2015-10-22T23:59:59; [...]
alert tls [...] tls_cert_notbefore:>2015-10-22; [...]
alert tls [...] tls_cert_notafter:2000-10-22<>2020-05-15; [...]
```
9 years ago
Mats Klepsland c49cb05399 util-time: add function to parse a date string based on patterns
Add function SCStringPatternToTime to parse a date string based on an
array of pattern strings.
9 years ago
Mats Klepsland bfd16dc74e app-layer-ssl: add validity dates from certificate
Parsing of certificate validity dates to get notBefore and notAfter
fields.
9 years ago
Mats Klepsland 6c1c53b5a1 util-time: add function to convert tm to time_t
Add function SCMkTimeUtc to convert broken-down time to Unix epoch in UTC.
9 years ago
Mats Klepsland 03cda74b95 util-decode-der: decode GeneralizedTime
Decode ASN.1 element type GeneralizedTime in DER-encoded
structures.
9 years ago
Mats Klepsland b914861692 app-layer-ssl: use new unit test macros 9 years ago
Mats Klepsland 12356d1fca detect-ssl-version: use new unit test macros 9 years ago
Mats Klepsland 1503ac97a6 detect-tls-version: use new unit test macros 9 years ago
Mats Klepsland d9e2cde585 detect-tls-sni: use new unit test macros 9 years ago
Mats Klepsland 8e77d0c312 detect: fix faulty tls_sni unittests 9 years ago
Mats Klepsland 9d23ad9d25 tls: fix faulty unittests 9 years ago
Mats Klepsland b74f3fd978 coverity: fix CID 1361873 9 years ago
Mats Klepsland 7c36b11a84 rules: add rule for HANDSHAKE_INVALID_LENGTH event 9 years ago
Mats Klepsland c36595eb35 tls: set event if input buffer overflows
Set HANDSHAKE_INVALID_LENGTH event if input buffer overflows while
decoding client_hello/server_hello.
9 years ago
Mats Klepsland 1f7b813080 app-layer-tls: add name to authors 9 years ago
Mats Klepsland 12da0e8681 tls: add function for decoding client_hello
Add function TLSDecodeHandshakeHello() to enable using the same code
for decoding both client_hello and server_hello.
9 years ago
Jason Ish 04da43d65d rule parsing: check for balanced double quotes
If a rule option value starts with a double quote, ensure it
ends with a double quote, exclusive of white space which gets
trimmed anyways.

Catches errors like 'filemagic:"picture" sid:5555555;' reporting
that a missing semicolon may be the error.
9 years ago
Victor Julien 48b3cb0492 unittests: fix tests 9 years ago
Victor Julien 6530c3d0d8 unittests: replace SCMutex* calls by FLOWLOCK_* 9 years ago
Victor Julien 682459d640 file: remove dead code 9 years ago
Victor Julien 70c16f50e7 flow-manager: optimize hash walking
Until now the flow manager would walk the entire flow hash table on an
interval. It would thus touch all flows, leading to a lot of memory
and cache pressure. In scenarios where the number of tracked flows runs
into the hundreds of thousands, and the memory used can run into many
hundreds of megabytes or even gigabytes, this would lead to serious
performance degradation.

This patch introduces a new approach. A timestamp per flow bucket
(hash row) is maintained by the flow manager. It holds the timestamp
of the earliest possible timeout of a flow in the list. The hash walk
skips rows with timestamps beyond the current time.

As the timestamp depends on the flows in the hash row's list, and on
the 'state' of each flow in the list, any addition of a flow or
changing of a flow's state invalidates the timestamp. The flow manager
then has to walk the list again to set a new timestamp.

A utility function FlowUpdateState is introduced to change Flow states,
taking care of the bucket timestamp invalidation while at it.

Empty flow buckets use a special value so that we don't have to take
the flow bucket lock to find out the bucket is empty.

This patch also adds more performance counters:

```
flow_mgr.flows_checked         | Total    | 929
flow_mgr.flows_notimeout       | Total    | 391
flow_mgr.flows_timeout         | Total    | 538
flow_mgr.flows_removed         | Total    | 277
flow_mgr.flows_timeout_inuse   | Total    | 261
flow_mgr.rows_checked          | Total    | 1000000
flow_mgr.rows_skipped          | Total    | 998835
flow_mgr.rows_empty            | Total    | 290
flow_mgr.rows_maxlen           | Total    | 2
```

flow_mgr.flows_checked: number of flows checked for timeout in the
                        last pass
flow_mgr.flows_notimeout: number of flows out of flow_mgr.flows_checked
                        that didn't time out
flow_mgr.flows_timeout: number of flows out of flow_mgr.flows_checked that
                        did reach the time out
flow_mgr.flows_removed: number of flows out of flow_mgr.flows_timeout
                        that were really removed
flow_mgr.flows_timeout_inuse: number of flows out of flow_mgr.flows_timeout
                        that were still in use or needed work

flow_mgr.rows_checked: hash table rows checked
flow_mgr.rows_skipped: hash table rows skipped because none of the flows
                        would time out anyway

The counters below are only relating to rows that were not skipped.

flow_mgr.rows_empty:   empty hash rows
flow_mgr.rows_maxlen:  max number of flows per hash row. Best to keep low,
                        so increase hash-size if needed.
flow_mgr.rows_busy:    row skipped because it was locked by another thread
9 years ago
Victor Julien aee1f0bb99 flow: simplify timeout logic
Instead of a single big FlowProto array containing timeouts separately
for normal and emergency cases, plus the 'Free' pointer for the
protoctx, split up these arrays.

An array made of FlowProtoTimeout for just the normal timeouts and a
mirror of that for emergency timeouts are used through a pointer that
will be set at init and swapped by the emergency logic. It's swapped
back when the emergency is over.

The free funcs are moved to their own array.

This simplifies the timeout lookup code and shrinks the data that is
commonly used.
9 years ago
Victor Julien 96427cf371 flow: remove dead code 9 years ago