Commit Graph

8854 Commits (43b5234055f3ed69d53fe8486a1cf01aac1cc198)

Author SHA1 Message Date
Victor Julien 43b5234055 detect/priority: use global define for default prio 7 years ago
Victor Julien 954c43daf4 detect/classtype: allow undefined classtypes
Effect of classification on Suricata's working is minimal. Impact
of adding undefined classtypes is large: rules will fail to load
completely. This also leads multiple lines of log output per rule,
which in a large ruleset can lead to excessive output.

This patch changes the classtype keyword behavior. Instead of erroring
and invalidating a rule, we will merely warn.

The undefined classtype is then defined with a default priority,
so other rules using the classtype will not also warn. This way
there will be just a single warning per missing classtype.
7 years ago
Victor Julien 323a747f39 classtype: increase id size
Switch from u8 to u16 to allow for more classtypes.

Rename Signature::class to Signature::class_id to make it clear
it is an id.
7 years ago
Victor Julien ccf6c5a6ef classtype: small memory reduction
Reduce memory use by making sure SCClassConfClasstype
has a more optimal memory layout.
7 years ago
Victor Julien 26e2370f99 classtype: put UNITTESTS guards where appropriate 7 years ago
Victor Julien e104c3d913 classtype: reduce scope of functions 7 years ago
Victor Julien a37e09cbe0 detect/classtype: change duplicate classtype behavior
Detect duplicate instances and use the one with the highest
priority.

Use new priority flag to make the logic around explicit priority
sets easier to follow.

Minor code cleanups. Also clean up unittests.
7 years ago
Victor Julien c471d81f04 detect/priority: change duplicate priority behavior
Introduce Signature init_flag to indicate priority has been set.
This will be needed in a follow-up classtype update.

Detect duplicate priority instances in a keyword, and use the
highest priority in the rule. Do issue a warning in this case.
7 years ago
Victor Julien 828d2572f8 detect: use BIT_U32 macros for INIT flags 7 years ago
Victor Julien 3fd4e7bd05 detect/priority: minor cleanups 7 years ago
Victor Julien bfee28db5e detect/classtype: clean up error handling 7 years ago
Victor Julien 5e5761a29c detect/classtype: warn on duplicate classtype
Issue warning instead of erroring and invalidating the rule.

It's not a very serious issue, so don't error out.
7 years ago
Victor Julien 282e1c2520 detect/classtype: fix parsing error checking 7 years ago
Jason Ish 2d0b3d7320 detect/test: update test for file prune changes
As the file prune is now moved to the flow worker, the file
prune is run later, meaning the first file has not yet
been pruned from the file container list.

Adjust test to look for a second file, and check the
flags on that file.

For commit addressing bug 2490.
7 years ago
Jason Ish ebcc4db84a file extraction: always prune files after detect
If a keyword like filemd5 was being used without a filestore,
or a file output enabled, it would be pruned before detection
had a chance to match.

Consolidate file pruning to the end of the flow worker so files
are available for detection even when a file output is not
enabled.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2490
7 years ago
Victor Julien c7e4433fe9 afl/decode: fix stats related memleak reports 7 years ago
Shivani Bhardwaj 8940a9d326 afp: nicer error message in case of fanout failure
Use clearer message in case fanout is not supported or cluster_id is
already in use.

Closes redmine ticket #1940.
7 years ago
Shivani Bhardwaj ac55b21184 suricata: Check if default log dir is writable
At the startup, if the default log dir provided either by command line
options or suricat.yaml is not writable, the error comes quite later.
This patch makes suricata exit if there is such an error in the
beginning itself.

Closes redmine ticket #2386.
7 years ago
Victor Julien 6dca50a322 runmode: consider test mode a user mode 7 years ago
Victor Julien 914c5b7975 datasets: fix error handling 7 years ago
Victor Julien 1021465f23 datasets: improve and doc return codes 7 years ago
Jason Ish a2fcc304e7 dataset: fix return value check on isnotset
The dataset api returns -1 for not found.
7 years ago
Victor Julien c6cda99bcd thash: fix prealloc config setting 7 years ago
Victor Julien e264a0cee8 datasets: fix hash table config
Example:

datasets:
  ua-seen:
    type: string
    state: ua-seen.lst
    hash:
      hash-size: 100000
      prealloc: 1000
      memcap: 256mb
7 years ago
Victor Julien 9b64b6794b datasets: change config to map
Example:

datasets:
  ua-seen:
    type: string
    state: ua-seen.lst
  dns-sha256-seen:
    type: sha256
    state: dns-sha256-seen.lst
7 years ago
Jason Ish 342fa8ee26 magic/test: remove NULL as format string
Remove passing NULL as a format string parameter
in test. Convert to FAIL_IF_NULL.
7 years ago
Jason Ish 0b02539ea9 drop.log: log deprecation warning if used 7 years ago
Jason Ish bfacedfad1 unified2: log deprecation warning when used 7 years ago
Jason Ish 57b4259640 filestore(v1): deprecation log warning when enabled
Notify the user with a warning log that this feature is
deprecated and will be remove in v6 of Suricata.
7 years ago
Jeff Lucovsky 04ee27bcd2 log/anomaly: Remove event_no from alert 7 years ago
Victor Julien 9340769ad2 enip: fix compile warnings in gcc-8
In file included from suricata-common.h:471,
                 from app-layer-enip-common.c:27:
app-layer-enip-common.c: In function ‘DecodeCIPRequestPathPDU’:
util-debug.h:222:31: warning: ‘req_path_class8’ may be used uninitialized in this function [-Wmaybe-uninitialized]
             int _sc_log_ret = snprintf(_sc_log_msg, SC_LOG_MAX_LOG_MSG_LEN, __VA_ARGS__);   \
                               ^~~~~~~~
app-layer-enip-common.c:589:13: note: ‘req_path_class8’ was declared here
     uint8_t req_path_class8;
             ^~~~~~~~~~~~~~~
app-layer-enip-common.c:607:9: warning: ‘segment’ may be used uninitialized in this function [-Wmaybe-uninitialized]
         switch (segment)
         ^~~~~~
app-layer-enip-common.c: In function ‘DecodeCIPResponsePDU’:
app-layer-enip-common.c:773:13: warning: ‘service’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     service &= 0x7f; //strip off top bit to get service code.  Responses have first bit as 1
             ^~
app-layer-enip-common.c: In function ‘DecodeCIPRequestPDU’:
app-layer-enip-common.c:503:25: warning: ‘path_size’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     offset += path_size * sizeof(uint16_t); //move offset past pathsize
               ~~~~~~~~~~^~~~~~~~~~~~~~~~~~
app-layer-enip-common.c:506:5: warning: ‘service’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     switch (service)
     ^~~~~~

Bug #3139.
7 years ago
Victor Julien c769909dad eve/stats: update warning for new default behavior 7 years ago
Victor Julien 76e1836aed counters: improve handling missing global config
Improve warnings when eve.stats can't work because of the global config
missing or disabled.

Issue warning if global config is missing but stats are still enabled due
to the legacy stats.log.

Issue clearer warning when stats are disabled and unix socket dump-counters
command is issued.

Warnings include links to docs.

Bug #2465.
7 years ago
Victor Julien 2d381f93f3 stats: add global way to check if API is enabled 7 years ago
Victor Julien 5bfedf78fc posix: replace bzero with memset
bzero(3): The bzero() function is deprecated (marked as LEGACY in
POSIX.1-2001); use memset(3) in new programs.  POSIX.1-2008 removes
the specification of bzero().

Use memset instead.
7 years ago
Victor Julien 2da90a1cd8 posix: remove deprecated index/rindex calls
Replace index by strchr and rindex by strrchr.

index(3) states "POSIX.1-2008 removes the specifications of index() and
rindex(), recommending strchr(3) and strrchr(3) instead."

Add index/rindex to banned function check so they don't get reintroduced.

Bug #1443.
7 years ago
Victor Julien b82a0e2cad detect/port: more cleanups
Remove unused funcs. Minor style updates.
7 years ago
Victor Julien 8b0b301a15 detect/port: remove function only used in tests 7 years ago
Victor Julien ada0708e51 detect/port: unittest cleanups 7 years ago
Victor Julien 7864e8e7cc der/asn1: reduce max depth limit to 32
OpenSSL uses 30, so this seems a reasonable limit.

Set a smaller limit than before to reduce the resources spent on
specially crafted input designed to be maximally expensive.
7 years ago
Victor Julien 335ad2d8cc der/asn1: don't pass on more data than is specified
Set and Sequence parsers would pass on max available data instead
of the size of their object.

Malformed data could trigger massive recursion this way, leading
to spending much more resources than necessary.

Found using AFL.

Bug #3185.
7 years ago
Victor Julien 4ca83ca489 decode/ipv4: fix ts opt flags decoding
Field is at data+1 offset, not +3. Also makes sure we always stay
within checked data bounds.

Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3176.
7 years ago
Victor Julien 7bb3dfcfc8 decode/ipv4: unittest to show parsing issue 7 years ago
Victor Julien 922f4f7d78 ssl: fix bounds checking in version decoding
Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3169.
7 years ago
Jason Ish c8b49aee56 defrag: check minimum size of reassembled packet
Before re-assembling, check that the first fragment is large
enough to contain the IPv4 or IPv6 header to prevent
an out of bounds read (IPv4) or write (IPv6).

Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3171.
7 years ago
Victor Julien 229eccdd04 ssl: minor cleanups 7 years ago
Mats Klepsland 05f6f5481a tls-log: restructure code for writing to buffer
Restructure code to make it clearer that either 'basic', 'extended'
or 'custom' is being printed, by creating one function for each of
the possibilities.
7 years ago
Mats Klepsland 03c8b82bfe tls-log: quick code cleanup 7 years ago
Mats Klepsland a151fe2225 tls-log: remove a wrongful comment
The app-layer parser for TLS has been TX aware for quite some time.
Remove a comment that is stating that it is not.
7 years ago
Mats Klepsland 85536e8918 tls-log: fix so buffer is reset on custom logging
Move MemBufferReset() so it also works when using custom tls
logging. This avoids duplicate tls log entries.

Bug #3177
7 years ago