Commit Graph

10467 Commits (3887f8d1f3d2816b3f46fb48560f9de57ae66314)
 

Author SHA1 Message Date
Jason Ish 3887f8d1f3 github-actions: builds for our tier one linux distributions
Example of using GitHub actions to perform builds across
CentOS, Ubuntu, Debian and the latest Fedora.
5 years ago
Jeff Lucovsky 218a5c4345 mpm: Fix typos and spelling errors 5 years ago
Jeff Lucovsky aef24bee96 detect: Fix spelling errors 5 years ago
Jeff Lucovsky f318a46d34 detect: Improve handling of variable values
When one of offset/depth/distance is from a variable, adjust the depth
by the offset as is done with scalar values at parse time.
5 years ago
Jeff Lucovsky db8527e7b3 detect/mpm: Improved handling of variable values
This commit removes the offset and depth if either of these values are
dependent upon a byte-extract operation.
5 years ago
Victor Julien 94982ae690 http: split request/response tx id handling
When HTTP pipelining was in use, the transaction id used for events
and files could be off. If the request side was several requests ahead
of the responses, it would use the HtpState::transaction_cnt for events
and files, even though that is only incremented on complete requests.

Split request and response tx id tracking. The response is still handled
by the HtpState::transaction_cnt, but the request side is now handled by
its own logic.
5 years ago
Victor Julien b82e71b95e files: remove FILE_USE_TRACKID flag
Once it was optional but as it no longer is it is no longer useful.

Remove it.
5 years ago
Victor Julien f9155aa121 files: simplify pruning logic
Since ebcc4db84a the flow worker runs
file pruning after parsing, detection and logging. This means we can
simplify the pruning logic. If a file is in state >= CLOSED, we can
prune it. Detection and outputs will have had a final chance to
process it.

Remove the calls to the pruning code from Rust. They are no longer
needed.
5 years ago
Victor Julien ab471c3054 app-layer: don't consider tx flags if not registered
If a protocol does not support TxDetectFlags, don't try to use them.

The consequence of trying to use them was that a TX would never be
considered done, and it would never be freed. This would lead to excessive
memory use and performance problems due to walking an ever increasing
list.
5 years ago
Eric Leblond 54d3620662 source-pcap-file: honor bpf filter on command line
When a BPF filter is given on the command line when reading a
pcap file, the BPF filter is not honored.

The regression has been introduced in:

commit 3ab9120821
Author: Dana Helwig <dana.helwig@protectwise.com>
Date:   Thu Apr 27 11:17:16 2017 -0600

    source-pcap-file: Pcap Directory Mode (Feature #2222)

Reported-By: Tim Colin <tcolin@et.esiea.fr>
5 years ago
Eric Leblond 860f43753c source-pcap-file: fix memory leak on pcap filter 5 years ago
Philippe Antoine 20e06f45c0 util: removes warning about double conversion
From clang 10 :
implicit conversion from 'unsigned long' to 'double' changes value
from 18446744073709551615 to 18446744073709551616
5 years ago
Victor Julien 502a8b5fb3 detect: fix inspection buffer for packet engines
Fix buffers not being reset per inspection round for packet engines.

Bug #3341.
5 years ago
Victor Julien 58b9a2dc21 threading: add debug validation for stale packets 5 years ago
Victor Julien fe9aeed0f0 threading: fix shutdown race condition
A BUG_ON statement would seemingly randomly trigger during the threading
shutdown logic. After a packet thread reached the THV_RUNNING_DONE state,
it would sometimes still receive flow timeout packets which would then
remain unprocessed.

1 main:   TmThreadDisableReceiveThreads(); <- stop capturing packets
2 worker: -> TmThreadTimeoutLoop (THV_FLOW_LOOP) phase starts
3 main:   FlowForceReassembly();           <- inject packets from flow engine
4 main:   TmThreadDisablePacketThreads();  <- then disable packet threads
5 main:   -> checks if 'worker' is ready processing packets
6 main:   -> sends THV_KILL to worker
7 worker: breaks out of TmThreadTimeoutLoop and changes to THV_RUNNING_DONE.

Part of the problem was with (5) above. When checking if the worker was
already done with its work, TmThreadDisablePacketThreads would not consider
the injected flow timeout packets. The second part of the problem was with (7),
where the worker checked if it was ready with the TmThreadTimeoutLoop in a
thread unsafe way.

As a result TmThreadDisablePacketThreads would not wait long enough for the
worker(s) to finish its work and move the threads to the THV_RUNNING_DONE
phase by issuing the THV_KILL command.

When waiting for packet processing threads to process all in-flight packets,
also consider the 'stream_pq'. This will have received the flow timeout
packets.

Bug #1871.
5 years ago
Victor Julien 825173a2ba threading: fix flow timeout loop race 5 years ago
Victor Julien 56354afd41 threading: improve thread queues checking by dumping more info 5 years ago
Victor Julien 0a809bf577 packet: set unique pkt_src 'flush' packets
Set unique type for capture timeout and for detect reload flush
to assist in debugging.
5 years ago
Victor Julien 6bc7636826 stream: remove unused code
Remove now unused 'pkt_src' type as well.

Remove related unittests.
5 years ago
Victor Julien 1633744fcb nfq: remove unused queue handler type 5 years ago
Victor Julien ab01cbe345 log-pcap: remove stale comments 5 years ago
Victor Julien 6de025bb12 alert-syslog: remove stale comments 5 years ago
Jeff Lucovsky 90c2e3561c Add general purpose `ARRAY_SIZE` macro
This commit adds `ARRAY_SIZE` as a helper for determining the number of
elements in an initialized array. The calculation is the same but the
macro provides a convenient shortcut. The implementation was borrowed
from the kernel sources.
5 years ago
Jeff Lucovsky ae198add6d detect/analyzer: Refactor engine analysis code
This commit changes the analysis code to be table driven to better
identify the rule elements covered by the analysis.
5 years ago
Philippe Antoine 6e63c957ff signature: Fixes memory leak in parsing app layer event 5 years ago
Jason Ish fccbd36d37 dns: log addresses in flow direction, not packet
Ticket #3340.
https://redmine.openinfosecfoundation.org/issues/3340
5 years ago
Victor Julien 0824b04134 filestore: don't assume flow is TCP
Filestore can be used by UDP based protocols as well. NFSv2 is one
that Suricata supports.

Bug #3277.
5 years ago
Victor Julien 2a55afbd89 decode/pppoe: fix potential crash in debug statement 5 years ago
Victor Julien 51ad701d8e version: starting work on 5.0.1 5 years ago
Victor Julien 2ab7fb4b41 version: automate and cleanup ver handling
Create a single function to return the version string, to avoid lots
of ifdefs in multiple places.

Make the version determine the 'release' status. If the version from
autoconf has '-dev' in the name, it is not a release. If it hasn't
it is considered a release version.
5 years ago
Victor Julien 51ec980e80 dataset: fix string length handling in hash 5 years ago
Eric Leblond 1721da91ef dataset: fix hash computation 5 years ago
Victor Julien 64a789bbf6 nfq: clear memory of queue before using it
Avoids using uninitialized memory. This showed itself
in nonsense values in counters, and in nfq_handle_packet
errors that were likely the result of passing uninitialized
memory to the nfq API.

Bug 3263.
Bug 3120.

Fixes: b2a6c60dee ("source-nfq: increase maximum queues number to 65535")
5 years ago
Victor Julien 2fd1174a56 nfq: micro optimization 5 years ago
Victor Julien 9d6087f7d6 nfq: don't warn on 'handle_packet' error
NFQ can generate warnings/errors with a delay. After Suricata has
successfully passed a verdict to the kernel, there are still things
that can go wrong for that verdict. This is then passed to the
queue through a netlink error message, which leads to nfq_handle_packet
returning an error code.

Suppress the warning. Also remove the errno/strerror use as
nfq_handle_packet does not set the errno.

Thanks to Florian Westphal.

Bug 3120.
5 years ago
Victor Julien f8acad7fca nfq: code cleanups 5 years ago
Alexander Gozman f280e66f84 nfq: check for EAGAIN after recv() call in NFQRecvPkt() 5 years ago
Victor Julien 4cc90e9a4c nfq: minor code cleanups 5 years ago
Victor Julien 01cea2ec89 datasets: suppress noisy debug statement 5 years ago
Victor Julien 505b2dd256 log-pcap: don't print (null) for compression method 5 years ago
Victor Julien fb26268c6b tcp: don't set event on empty SACK opt
TCP_OPT_INVALID_LEN was set if the opt len was 2. While useless,
an empty SACK is not uncommon.

Seen on an iOS device talking to an Apple server.

Bug #3254.
5 years ago
Victor Julien aae76a84cd suricata: use version from autoconf 5 years ago
Eric Leblond 9ef2f81ee7 doc/userguide: fix typo 5 years ago
Eric Leblond 821d590f5b doc/userguide: fix base64 example
Add a sticky buffer example and fix the content modifier one.
5 years ago
Eric Leblond 2d11e9394c detect-base64: fix url in list keywords commands 5 years ago
Pascal Delalande 8e6a2bd42e doc: removal of disable-rust and path typo for suricatasc 5 years ago
Jason Ish 6eada54fc8 eve/dns: don't log warning if dns log version not set
If the DNS log version is not set, we default to v2. This should
not be a warning, but better logged at the config level.

A warning will still be logged if the value is set but is not
1 or 2.
5 years ago
Philippe Antoine 989a6461b0 signature: leak fix in DetectAddressParse2 5 years ago
Philippe Antoine c1e41632c1 config: use logging instead of stderr 5 years ago
Wesley van der Ree bf1b65558b mpls: Allow MPLS after vlan.
Fixes #2771
5 years ago