Commit Graph

8997 Commits (3a017f61b0a1f5e7f69321c2fb7b06a17f4b57c3)
 

Author SHA1 Message Date
Victor Julien 9f13365222 output/json: make log direction explicit
Introduce enum OutputJsonLogDirection to make logging direction
explicit.
8 years ago
Victor Julien 44c4008f77 output/json: clean up CreateJSONHeader calls 8 years ago
Jason Ish 1115eb52eb travis: redirect unittest output to file in all builds
On error, print the last 500 lines of output then exit 1.

Shoud allow us to see why a build fail on the debug tests,
when the error was burried in an output file we weren't
making visible.
8 years ago
Victor Julien 053022931c rust/json: add array_append_string 8 years ago
Victor Julien 73fac478a2 rust/dns: fix nom verbose error mode 8 years ago
Brandon Sterne a01a229b37 doc: use standard spelling of daemon 8 years ago
Danny Browning 4b897c9060 source-pcap-file: Directory mode may miss files (bug #2394)
https://redmine.openinfosecfoundation.org/issues/2394

Certain parameters of delay and poll interval could cause newly added
files in a directory to be missed. Cleaned up how time is handled for
files in a directory and fix which time is used for future directory
traversals. Add a mutex to make sure processing time is not optimized
away.
8 years ago
Eric Leblond cd98d7ddcc ebpf: remove vlan_hdr alignement
If we align the vlan_hdr then we increase its size and the parsing
of packets with VLAN tag is broken.
8 years ago
Jesper Dangaard Brouer 39754a976a epf: improving the ebpf makefile
The current ebpf/Makefile.am have the problem that clang compile
errors still result in an ELF .bpf output file.  This is obviously
problematic as the problem is first seen runtime when loading
the bpf-prog.  This is caused by the uses of a pipe from
clang to llc.

To address this problem, split up the clang and llc invocations
up into two separate commands, to get proper reaction based on
the compiler exit code. The clang compiler is used as a
frontend (+ optimizer) and instructed (via -S -emit-llvm) to
generate LLVM IR (Intermediate Representation) with suffix .ll.
The LLVM llc command is used as a compiler backend taking IR and
producing BPF machine bytecode, and storing this into a ELF
object.  In the last step the IR .ll suffix code it removed.

The official documentation of the IR language:
 http://llvm.org/docs/LangRef.html

Also fix the previous make portability warning:
 '%-style pattern rules are a GNU make extension'
I instead use some static pattern rules:
 https://www.gnu.org/software/make/manual/html_node/Static-Usage.html

Signed-off-by: Jesper Dangaard Brouer <netoptimizer@brouer.com>
8 years ago
Jesper Dangaard Brouer 3f4c7efa72 ebpf: compile with clang -target bpf
Enable compiling eBPF programs with clang -target bpf.

This is mostly to workaround a bug in libbpf, where clang > ver 4.0.0
generates some ELF sections (.eh_frame) when -target bpf is NOT specified,
and libbpf fails loading such files.

Notice libbpf is provided by the kernel, and in kernel v4.16 the library
will contain the needed function for attaching to the XDP hook.

Kernel commit 949abbe88436 ("libbpf: add function to setup XDP")
 https://git.kernel.org/torvalds/c/949abbe88436

The library fix has reached kernel v4.16 but the workaround for Suricata
is interesting anyway in case people use a kernel v4.15.

Signed-off-by: Jesper Dangaard Brouer <netoptimizer@brouer.com>
8 years ago
Jesper Dangaard Brouer 7906c521cd ebpf: take clang -target bpf include issue of stdint.h into account
This patch prepares code before enabling the clang -target bpf.

The clang compiler does not like #include <stdint.h> when
using '-target bpf' it will fail with:

 fatal error: 'gnu/stubs-32.h' file not found

This is because using clang -target bpf, then clang will have '__bpf__'
defined instead of '__x86_64__' hence the gnu/stubs-32.h include
attempt as /usr/include/gnu/stubs.h contains, on x86_64:

  #if !defined __x86_64__
  # include <gnu/stubs-32.h>
  #endif
  #if defined __x86_64__ && defined __LP64__
  # include <gnu/stubs-64.h>
  #endif
  #if defined __x86_64__ && defined __ILP32__
  # include <gnu/stubs-x32.h>
  #endif

This can be worked around by installing the 32-bit version of
glibc-devel.i686 on your distribution.

But the BPF programs does not really need to include stdint.h,
if converting:
  uint64_t -> __u64
  uint32_t -> __u32
  uint16_t -> __u16
  uint8_t  -> __u8

This patch does this type syntax conversion.

The build of a ebpf files had an issue for system like Debian
because they don't have a asm/types.h in the include path if the
architecture is not defined which is the case due to target bpf.

This results in:

 clang-5.0 -Wall -Iinclude -O2 \
         -D__KERNEL__ -D__ASM_SYSREG_H \
         -target bpf -S -emit-llvm vlan_filter.c -o vlan_filter.ll
 In file included from vlan_filter.c:19:
 In file included from include/linux/bpf.h:11:
 /usr/include/linux/types.h:5:10: fatal error: 'asm/types.h' file not
 found
 #include <asm/types.h>
          ^~~~~~~~~~~~~
 1 error generated.
 Makefile:523: recipe for target 'vlan_filter.bpf' failed

This patch fixes the issue by adding a include path setting the
architecture to the one of the builder.

Signed-off-by: Jesper Dangaard Brouer <netoptimizer@brouer.com>
Sidned-off-by: Eric Leblond <eric@regit.org>
8 years ago
Victor Julien ffc847db01 file: fix files not getting pruned
When the filedata logger is enabled (file extraction), but a file is not
stored due to no rules matching to force this, the file would never be
freed.

This was caused by a check in the file pruning logic that only freed a
file when the FILE_STORED flag was set. However files can also have the
FILE_NOSTORE flag set which indicates that a file won't be stored.

This patch makes sure that both conditions lead to file pruning.
8 years ago
Victor Julien 9423f6149f stream: inform app layer of depth reached 8 years ago
Victor Julien 7078b4e8e4 flash: code cleanups 8 years ago
Victor Julien e251c45d3d detect/bsize: tests for http_request_line 8 years ago
Victor Julien 4d1fa4aaf9 detect: bsize keyword
Allows matching on stickybuffers. Like dsize, it allows matching on
exact values, greater than and less than, and ranges.

For streaming buffers, such as HTTP bodies, the final size of the
body is only known at the end of the transaction.
8 years ago
Victor Julien 709b3bc1e4 rule analyzer: simple rules to json dumper 8 years ago
Victor Julien d14e51a4aa detect/content: pass START/END flags to inspection 8 years ago
Victor Julien c8bd489aa1 detect: set implied flow direction based on keywords 8 years ago
Victor Julien 82ffba20f4 detect/dns_query: move to API v2. Supports transforms. 8 years ago
Victor Julien 7823ef721f file_data: update to API v2
As we can have multiple files per TX we use the multi inspect
buffer support.

By using this API file_data supports transforms.

Redo part of the flash decompression as a hard coded built-in sort
of transform.
8 years ago
Victor Julien 483ffc103c detect/http_request_line: convert to inspect api v2 8 years ago
Victor Julien 7f97fc40d5 detect/transform: initial to_sha256 implementation
Takes input buffer and replaces it with hash value for that buffer.
Hash value is in raw bytes.
8 years ago
Victor Julien 016d65fdf8 detect/transform: initial compress_whitespace implementation 8 years ago
Victor Julien 38ed6cd050 detect/transform: initial strip_whitespace implementation 8 years ago
Victor Julien d64785274e detect/prefilter: move hash into detect engine ctx 8 years ago
Victor Julien 91296d1eec detect/prefilter: add de_ctx to registration 8 years ago
Victor Julien efbd901385 detect: move mpm engines into detect engine ctx
This allows safe registration at runtime.
8 years ago
Victor Julien ad16925bc9 detect/inspect engines: copy to detect engine ctx
Register rule-time engines in the detect engine. This is necessary
now that rule parsing can create new buffers.
8 years ago
Victor Julien 0de86211c6 detect: register dynamic buffers into de_ctx
Register buffers that are created during rule parsing. Currently
this means an existing buffer with one or more transformations.
8 years ago
Victor Julien 313661451d content inspection: support transforms
Make sure content is applied to the transformed version of a buffer.

Support content with its modifiers, and also isdataat, pcre, bytetest
and bytejump.
8 years ago
Victor Julien a499a44f7a detect: move buffer type map into detect ctx
Move previously global table into detect engine ctx. Now that we
can register buffers at rule loading time we need to take concurrency
into account.

Move DetectBufferType to detect.h and update DetectBufferCtx API calls
to include a detect engine ctx reference.
8 years ago
Victor Julien f6e5cb1db6 detect: prefilter/inspect API v2, with transforms
Introduce InspectionBuffer a structure for passing data between
prefilters, transforms and inspection engines.

At rule parsing time, we'll register new unique 'DetectBufferType's
for a 'parent' buffer (e.g. pure file_data) with its transformations.
Each unique combination of buffer with transformations gets it's
own buffer id.

Similarly, mpm registration and inspect engine registration will be
copied from the 'parent' (again, e.g. pure file_data) to the new id's.

The transforms are called from within the prefilter engines themselves.

Provide generic MPM matching and setup callbacks. Can be used by
keywords to avoid needless code duplication. Supports transformations.

Use unique name for profiling, to distinguish between pure buffers
and buffers with transformation.

Add new registration calls for mpm/prefilters and inspect engines.

Inspect engine api v2: Pass engine to itself. Add generic engine that
uses GetData callback and other registered settings.

The generic engine should be usable for every 'simple' case where
there is just a single non-streaming buffer. For example HTTP uri.

The v2 API assumes that registered MPM implements transformations.

Add util func to set new transform in rule and add util funcs for rule
parsing.
8 years ago
Victor Julien 765b7a6b66 detect: prep for dynamic smlists arrays in sigs
Initialize Signature::init_data::smlists like normal, but before use
expand them if needed.
8 years ago
Andreas Herz bdb886bd68 docs: remove many outdated and old install docs 8 years ago
Andreas Herz 2e8678a5ff docs: replace redmine links and enforce https on oisf urls 8 years ago
Jason Ish c411519605 app-layer: remove has events callback - not used 8 years ago
Jason Ish 23ceb2cc26 dnp3: regenerate object decoding code 8 years ago
Jason Ish f70e8d00ea dnp3-gen: require jinja2 v2.10 or later
Previous versions, but not all, have issues tracking
variables.
8 years ago
Philippe Antoine 6a6aa04f55 dnp3-gen: fix heap buffer overflow in generated code
Due to missing check before memcpy.
8 years ago
Victor Julien 261f15a146 der: fix recursion depth not being handled correctly
In a mix of sequences the 'depth reached' error would not
be fully propagated.

Found with AFL.
8 years ago
Victor Julien 7ac041b872 der: warn if null passed to decoders
Remove null checks for errcode.
8 years ago
Eric Leblond 356440b380 tm-threads: fix build warning in afl mode 8 years ago
Victor Julien 968ed663a8 detect: fix out of bounds write in detect thread space creation 8 years ago
David DIALLO 6c643d8975 modbus: duplicate alerts unaware of direction
Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction
because Modbus inspection engine is only performing in request (TOSERVER).

Detect Value keyword in read access rule. In read access, match on value
is not possible.

Update Modbus keyword documentation.
8 years ago
Pierre Chifflier 92b537d028 rust: update 'external' api for app layer changes
Remove unused HasTxDetectState function and remove state argument
from SetTxDetectState.

Update NTP code.
8 years ago
Jason Ish 8b74ac6ba0 conf/yaml: don't allow empty key values
When loading an empty file, libyaml will fire a single scalar
event causing us to create a key that contains an empty string.
We're not interested in this, so skip an empty scalar value
when expecting a key.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2418
8 years ago
Jason Ish 013c4e0aa0 metadata: fix parsing when not k/v
Allows for parsing metadata with mixed single word and key/val
pairs.
8 years ago
Victor Julien f815027cdf rust/dns: simplify tx freeing
Now that we no longer need the state when freeing a TX, we can simply
do cleanup from the Drop trait.
8 years ago
Victor Julien 7548944b49 app-layer: remove unused HasTxDetectState call
Also remove the now useless 'state' argument from the SetTxDetectState
calls. For those app-layer parsers that use a state == tx approach,
the state pointer is passed as tx.

Update app-layer parsers to remove the unused call and update the
modified call.
8 years ago