Commit Graph

8623 Commits (474fc60671d90c2fe6f960cef7e9ef50848071df)
 

Author SHA1 Message Date
Victor Julien 45c5030ff0 rust/file: change return type for FileOpenFileWithId
Make it int so we can easily check it in Rust. No consumer used the
File pointer that was returned before anyway.
8 years ago
Victor Julien 288ddc95ac rust/core: comment cleanup 8 years ago
Jason Ish 4a89d939fc .gitignore: only ignore *.yaml in root directory 8 years ago
Alexander Gozman cba41207b3 af_packet: bug #2422.
This commit fixes a leak of mmap'ed ring buffer that was not
unmaped when a socket was closed. In addition, the leak could
break an inline channel on certain configurations.

Also slightly changed AFPCreateSocket():
1. If an interface is not up, it does not try to apply any
   settings to a socket. This reduces a number of error messages
   while an interface is down.
2. Interface is considered active if both IFF_UP and IFF_RUNNING
   are present.
8 years ago
Danny Browning 790ef2701a runmode-unix-socket: interrupt as commanded (2413)
https://redmine.openinfosecfoundation.org/issues/2413

Once interrupt occurs, reset the interrupt flag so that future runs are
not immediately interrupted.
8 years ago
Pascal Delalande 63b9b9e9aa unix-socket: socket permission update
So far, the suricata socket suricata-command.socket has the rights
 rw-r----- suricata:user.
When suricata is used with restricted access, an other application
(suricatasc like) that needs to access to the command socket also
with restricted access can not write to the socket since it is not
the owner (e.g suricata within container, with an hardened value
for umask and hardened rights for users).

The socket should be set as rw-rw----. Use chmod instead of fchmod
and set it after the socket creation.
8 years ago
Danny Browning 0813f08075 suricatasc: pcap-file-continuous (2412)
https://redmine.openinfosecfoundation.org/issues/2412

Suricatasc is not supporting pcap-file processing in continuous mode.
Register a new command pcap-file-continuous in the unix manager to work
with suricatasc. Add defaulted arguments for pcap-file to support
backwards compatibility.
8 years ago
Martin Natano 18f64e0d21 app-layer-htp, stream-tcp: prevent modulo bias in RandomGetWrap()
RAND_MAX is not guaranteed to be a divisor of ULONG_MAX, so take the
necessary precautions to get unbiased random numbers. Although the
bias might be negligible, it's not advisable to rely on it.
8 years ago
Victor Julien 2e4305f504 detect: minor cleanup 8 years ago
Maurizio Abba 1bdf325a9a signal: use centralized pthread_sigmask for signals
according to its man page, sigprocmask has undefined behavior in
multithreaded environments. Instead of explictly blocking the handling
of SIGUSR2 in every thread, direct block handling SIGUSR2 before
creating the threads and enable again the handling of this signal
afterwards. In this way, only the main thread will be able to manage
this signal properly.
8 years ago
Victor Julien 990e53222e threshold: minor cleanups 8 years ago
Ruslan Usmanov fb87d21ec7 rate_filter: by_rule fixed triggering algorithm
Fixes issue #2258

Program was triggering rate_filter by_rule earlier than needed
and generally behaved like a threshold.
8 years ago
Victor Julien d588237235 detect/content: implement endswith 8 years ago
Victor Julien 07738af868 detect/content: introduce startswith modifier
Add startswith modifier to simplify matching patterns at the start
of a buffer.

Instead of:
    content:"abc"; depth:3;
This enables:
    content:"abc"; startswith;

Especially with longer patterns this makes the intention of the rule
more clear and eases writing the rules.

Internally it's simply a shorthand for 'depth:<pattern len>;'.

Ticket https://redmine.openinfosecfoundation.org/issues/742
8 years ago
Victor Julien 5e65d79be0 detect: bypass merge sort call if possible 8 years ago
Victor Julien 11cb84ad35 detect: profiling update for new detect code 8 years ago
Victor Julien cf2feeecf4 detect/prefilter: redo profiling 8 years ago
Victor Julien 31648913e6 detect/profiling: postpone setup
Do this to allow for including of runtime buffer registrations.
8 years ago
Victor Julien 9182756891 detect/fast-pattern: use registered buffers for check 8 years ago
Victor Julien fdbcf948c1 output/filedata: call loggers on both directions 8 years ago
Victor Julien f75df19c35 output/file: run file loggers in both directions
This avoids the wait for injected packets when file is already ready
to be logged.
8 years ago
Victor Julien 2b8f34a1b5 detect/state: clean up old code 8 years ago
Victor Julien 1df00749df detect: fix multiple files per tx inspect
Fix the inspection of multiple files in a single TX, where new files
may be added to the TX after inspection started.

Assign the hard coded id DE_STATE_FLAG_FILE_INSPECT to the file
inspect engine.

Make sure that sigs that do file inspection and don't match on the
current file always store a detailed state. This state will include
the DE_STATE_FLAG_FILE_INSPECT flag.

When the app-layer indicates a new file is available, for each sig
that has the DE_STATE_FLAG_FILE_INSPECT flag set, reset part of the
state so that the sig is evaluated again.
8 years ago
Victor Julien 7a96d18f36 app-layer: improve async and out of order txs
Free txs that are done out of order if we can. Some protocol
implementations have transactions running in parallel, where it is
possible that a tx that started later finishes earlier than other
transactions. Support freeing those.

Also improve handling on asynchronious transactions. If transactions
are unreplied, e.g. in the dns flood case, the parser may at some
point free transactions on it's own. Handle this case in
the app-layer engine so that the various tracking id's (inspect, log,
and 'min') are updated accordingly.

Next, free txs much more aggressively. Instead of freeing old txs
at the app-layer parsing stage, free all complete txs at the end
of the flow-worker. This frees txs much sooner in many cases.
8 years ago
Victor Julien 3d9ade9c35 detect/prefilter: show prefilter engine id space 8 years ago
Victor Julien 5f890296b5 app-layer: warn that MpmIDs API is no longer used
Remove implementation.
8 years ago
Victor Julien 4be73fac5e detect/flowbits: apply state knowledge
When stateless rules are depending on a flowbit being set by a stateful
rule, the inspection order is almost certainly wrong.

Switch stateless rules depending on stateful rules to being stateful.
This is used to turn 'TCP stream' inspecting rules (which are stateless
unless mixed with stateful keywords) into stateful rules.
8 years ago
Victor Julien af51e0f5a1 detect: rewrite of the detect engine
Use per tx detect_flags to track prefilter. Detect flags are used for 2
things:
1. marking tx as fully inspected
2. tracking already run prefilter (incl mpm) engines

This supercedes the MpmIDs API for directionless tracking
of the prefilter engines.

When we have no SGH we have to flag the txs that are 'complete'
as inspected as well.

Special handling for the stream engine:

If a rule mixes TX inspection and STREAM inspection, we can encounter
the case where the rule is evaluated against multiple transactions
during a single inspection run. As the stream data is exactly the same
for each of those runs, it's wasteful to rerun inspection of the stream
portion of the rule.

This patch enables caching of the stream 'inspect engine' result in
the local 'RuleMatchCandidateTx' array. This is valid only during the
live of a single inspection run.

Remove stateful inspection from 'mask' (SignatureMask). The mask wasn't
used in most cases for those rules anyway, as there we rely on the
prefilter. Add a alproto check to catch the remaining cases.

When building the active non-mpm/non-prefilter list check not just
the mask, but also the alproto. This especially helps stateful rules
with negated mpm.

Simplify AppLayerParserHasDecoderEvents usage in detection to only
return true if protocol detection events are set. Other detection is done
in inspect engines.

Move rule group lookup and handling into it's own function. Handle
'post lookup' tasks immediately, instead of after the first detect
run. The tasks were independent of the initial detection.

Many cleanups and much refactoring.
8 years ago
Victor Julien 8cda2a4351 rust/nfs: add support for detect_flags API 8 years ago
Victor Julien edb9c59526 dns: support detect flags 8 years ago
Victor Julien 98eca55241 rust/dns: implement detect_flags API 8 years ago
Victor Julien 00b0a41b55 http: move from MpmIDs to DetectFlags API 8 years ago
Victor Julien d0f19891b4 ssl/tls: use DetectFlags API 8 years ago
Victor Julien 73b59bda53 smtp: implement DetectFlags API 8 years ago
Victor Julien 1bed6e9cae ssh: implement DetectFlags API 8 years ago
Victor Julien daeb8fd343 app-layer: detect flags API calls
Add API meant to replace the MpmIDs API. It uses a u64 for each direction
in a tx to keep track of 2 things:

1. is inspection done?
2. which prefilter engines (like mpm) are already completed
8 years ago
Victor Julien 51d429b3b1 flowbits: analyze and dump to json
Analyze flowbits to find which bits are only checked.

Track whether they are set and checked on the same level of 'statefulness'
for later used.

Dump flowbits to json including the sids that set/check etc the bit.
8 years ago
Victor Julien d05355db3d filestore: minor cleanups and warning fixes 8 years ago
Jason Ish 46d754044e suricatasc: don't use find -delete
For when -delete isn't supported by find. Instead use
-print0 with xargs -0.
8 years ago
Jason Ish 5420c0ab06 doc: document file-store v2 8 years ago
Jason Ish aa0760a8d5 filestore: only allow one filestore to be enabled
There is probably not too much bad about enabling both, but
open file counts can get messy with both enabled. And v1
should be schedule for deprecation soon enough.
8 years ago
Jason Ish cc35a5b81f filestore (old): register global stat in init func
This doesn't need to be registered from suricata.c. And moving
it to the init function makes sure its only registered if
the logger is actually enabled.
8 years ago
Jason Ish 9b1d268071 filestore2: warn once for file errors
Track each type of error warning and only log it once. Also create
a new stat, file_store.fs_errors to count each file system type
error (open, rename, unlink).

Also remove exit stats, they are of limited value.
8 years ago
Jason Ish 9456a3164d util-error: define SC_ERR_MAX 8 years ago
Jason Ish 50b5a3a56d suricatactl: a new python script for misc. tasks
Use a new directory, Python to host the Suricata python modules.
One entry point is suricatactl, a control script for
miscalleneous tasks. Currently onl filestore pruning
is implemented.
8 years ago
Jason Ish f7c3f30186 filestore v2: use fileinfo records as metadata
As fileinfo records are logged to the main eve log, disable
metadata by default. But when enabled, just use the fileinfo
record.

Metadata is stored in a file named:
  <sha256>.<seconds>.<file_id>.json

where the sha256 is the same as the file logged, the seconds
is the unix timestamp in seconds for the fileinfo record,
and the file_id is an atomically incremented integer per
Suricata instance.

This should allow for each occurrence of the same file to have
its own metadata file. But a collision is expected when running
Suricata repeatedly over the same pcap, as that would be the
exact same occurrence of a file.
8 years ago
Jason Ish f631e8cd90 file extract: force sha256 even if truncated
Even if a file is truncated, force the SHA256 if force sha256
is set to yes.

The new file store requires the sha256 regardless of the file
state if it is to be logged, as the filename is based on the
sha256.
8 years ago
Jason Ish 4a97315057 filestore v2 - initial version
Filestore v2 is starts as a copy of log-filestore with the
following changes.

- NSS is required as file names as based on the SHA256.
- Work/tmp files are stored in a temp. directory, then
  moved into a directory tree where the directory names
  are the first 2 characters of the hex SHA256.
- Removes the need for a waldo file or pid in the filenames.
8 years ago
Jason Ish dbdac73784 configure: check for utime.h and utime() 8 years ago
Jason Ish ccbe7401b6 output-json-file: let caller decide if file is stored
Mainly for the filestore module, which may have its own
knowledge of the file being stored before others.
8 years ago