aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,096 Commits
8 Branches
163 Tags
186 MiB
main
main-7.0.x
main-8.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4922cd2d36'
${ noResults }
Commit Graph

425 Commits (4922cd2d3699a2dcb472adee7569894105f14083)

Author SHA1 Message Date
Eric Leblond 3dceca70ee suricata: move some code into PostConfLoadedSetup 
All functions before daemonization are initialisation functions and thus the
call can be moved in PostConfLoadedSetup.
 12 years ago
Victor Julien a84c502e50 Add SSE support to --build-info 12 years ago
Victor Julien 25636597af Fix live rule reload confusing delayed detect 
Fixes bug 1023 and the previous attempt to fix it.
 12 years ago
Victor Julien 5906eeb8c8 detect: don't do rule reload during delayed detect 
When both rule reloads and delayed detect are enabled, make sure we don't
trigger a reload during delayed detect initialization.

Bug #1023.
 12 years ago
Victor Julien 97bfcac444 profiling: introduce per keyword profiling 
Initial version of per keyword profiling. Prints stats about
how ofter a keyword was checked and what the costs were.
 12 years ago
Victor Julien 7ebd1e6433 Counters: fix delayed-detect counter registration 
Make sure we register the detect.alerts counter before packet runtime starts
even in delayed detect mode. The registration of new counters at packet
runtime is not supported by the counters api and might lead to crashes as there
is no proper locking to allow for this operation.

This changes how delayed detect works a bit. Now we call the ThreadInit
callback twice. The first call will only register the counter. The 2nd call
will do all the other setup. This way the counter is registered before the
counters api starts operating in the packet runtime.

Fixes the segv reported in ticket #1018.
 12 years ago
Anoop Saldanha 619414c59e Add a /* fall through */ comment for all switch case fall throughs. 
This should server as a message to coverity that the fall through is
intentional.
 12 years ago
Victor Julien 37669bfdd2 threshold: register threshold host storage. Related to bug #991 12 years ago
Victor Julien 74d8d95f83 Don't initialize threshold before rules on delayed detect. Bug #999. 12 years ago
Eric Leblond 2be194d03f suricata: add -v[v] option to increase verbosity 
This patch adds a -v option to suricata. It increases the log level
defined in the YAML.
 12 years ago
Eric Leblond 4a4600539d suricata: info message after log init 
This patch moves version display after log init so we can have an
homogeneous display.
 12 years ago
Eric Leblond fdc1757e34 suricata: reorder start 
Initalizing output just after configuration file parsing allow to
log almost all messages accordingly to configuration.
 12 years ago
Eric Leblond 7bcacc712a log: change default log level to notice 
This patch updates the log level of meaningful start messages to
notice. It also sets the default log level to notice.
 12 years ago
Victor Julien 8d6bca72f7 Improve 'host-mode' info message 12 years ago
Eric Leblond 6cf7da30e2 Introduce host-mode. 
This variable can be used to indicate to suricata that the host
running is running as a router or is in sniffing only mode.
This will used at least to determine which interfaces are used to
send reject message.
 12 years ago
Victor Julien 468a8e1ca3 Properly cleanup NSS ctx 12 years ago
Victor Julien eedd4329da Change ParseSize api to not leak memory and only setup pcre once. 12 years ago
Victor Julien 397a55457d Add sanity checks for command line argument handling 
Coverity 1075221.

Normally getopt_long should cover this case, but can't hurt to
add in some extra checks.
 12 years ago
Victor Julien 38aaae1fd7 IsRuleReloadSet() shouldn't return an uninitialized value 12 years ago
Victor Julien ff668c2030 Fix Tile compile 12 years ago
Eric Leblond 20ca270dc3 fix pf_ring build 12 years ago
Eric Leblond 2a46f0dae4 suricata: rename SuriInstance to SCInstance. 12 years ago
Eric Leblond 9b422f3a8c suricata: suppress Suri prefix 
Suppress Suri prefix in internal function name.
 12 years ago
Eric Leblond 18ced653c3 Use a typedef for SuriInstance. 12 years ago
Eric Leblond 2d77e53f2c Add offline flag to SuriInstance and some refactoring 12 years ago
Eric Leblond 34abd818dd Prefix util-conf function with Config 12 years ago
Eric Leblond 7242cb30e7 Move CreateLowercaseTable to GLobalInits 12 years ago
Eric Leblond 02e9851315 Generic code don't need ifdef 12 years ago
Eric Leblond 8c00a963aa Use function for delayed detect setup. 12 years ago
Eric Leblond 4296e5f29e Add functions for elapsed time computation. 12 years ago
Eric Leblond 9d1d08c7a4 Factorize Signature loading 12 years ago
Eric Leblond 20c5683b60 Use function for daemonification and signal handler 12 years ago
Eric Leblond 90aaf55201 set rule_reload as part of SuriInstance 12 years ago
Eric Leblond bb19ce1847 SetBPfString is part of command line parsing 12 years ago
Eric Leblond 1a6983ee19 suricata: use function to print version 12 years ago
Eric Leblond 4f789dbe84 Add function for internal running mode 12 years ago
Eric Leblond d3cb043001 suricata: windows specific in one function 12 years ago
Eric Leblond 4401c048ba Running mode is set earlier so out earlier 12 years ago
Eric Leblond 40a25112a0 kill remaining run_mode usage 12 years ago
Eric Leblond 75fa1e20d7 engine analysis is a running mode 12 years ago
Eric Leblond c0d5ee77f9 get (almost) rid of run_mode variable. 12 years ago
Eric Leblond 80542816cd add internal running mode 12 years ago
Eric Leblond e07fdb20a8 Add SuriInstance structure 
To be able to split code in functions in main, we need to pass
information about the current running Suricata to functions.
For that we create a structure to store suricata run parameters.

In this patch it allows to separate command line parsing and to
treat internal running mode in a switch just after command line
parsing.
 12 years ago
Eric Leblond 325462d396 Export IsRuleReloadSet and use it. 12 years ago
Eric Leblond 8e68b357c7 Suppress Suri prefix. 12 years ago
Eric Leblond 42011e2d32 suricata: function for lowercase table creation 12 years ago
Eric Leblond 132bebb2b2 Simplify code by removing comment 12 years ago
Eric Leblond 07ef1f9837 suricata: add wrapper for interface listing 12 years ago
Eric Leblond 2be7c8aea8 Add util-conf for config util 12 years ago
Eric Leblond 27752818c2 suricata: add some wrapper for config file handling 12 years ago
Eric Leblond b2fa4edd36 move unittest out of suricata.c 12 years ago
Eric Leblond 9a0bf0956b suricata: list cuda cards in separate function 12 years ago
Eric Leblond bed48e3a54 suricata: separate keyword and app layer listing code 
The list-keyword and app-layer listing code was spread over all the
init code. This patch introduces a separate file to store non standard
running mode like these ones.
 12 years ago
Victor Julien c08b395c2c Init storage api at start up 12 years ago
Victor Julien 0d2a6e515e Add Host specific wrapper to StorageRegister() 12 years ago
Victor Julien 022c0e466e Initial storage api work 12 years ago
Ken Steele 316190c6b9 Add TILE-Gx mPIPE packet processing support. 
The TILE-Gx processor includes a packet processing engine, called
mPIPE, that can deliver packets directly into user space memory. It
handles buffer allocation and load balancing (either static 5-tuple
hashing, or dynamic flow affinity hashing are used here). The new
packet source code is in source-mpipe.c and source-mpipe.h

A new Tile runmode is added that configures the Suricata pipelines in
worker mode, where each thread does the entire packet processing
pipeline.  It scales across all the Gx chips sizes of 9, 16, 36 or 72
cores. The new runmode is in runmode-tile.c and runmode-tile.h

The configure script detects the TILE-Gx architecture and defines
HAVE_MPIPE, which is then used to conditionally enable the code to
support mPIPE packet processing. Suricata runs on TILE-Gx even without
mPIPE support enabled.

The Suricata Packet structures are allocated by the mPIPE hardware by
allocating the Suricata Packet structure immediatley before the mPIPE
packet buffer and then pushing the mPIPE packet buffer pointer onto
the mPIPE buffer stack.  This way, mPIPE writes the packet data into
the buffer, returns the mPIPE packet buffer pointer, which is then
converted into a Suricata Packet pointer for processing inside
Suricata. When the Packet is freed, the buffer is returned to mPIPE's
buffer stack, by setting ReleasePacket to an mPIPE release specific
function.

The code checks for the largest Huge page available in Linux when
Suricata is started. TILE-Gx supports Huge pages sizes of 16MB, 64MB,
256MB, 1GB and 4GB. Suricata then divides one of those page into
packet buffers for mPIPE.

The code is not yet optimized for high performance. Performance
improvements will follow shortly.

The code was originally written by Tom Decanio and then further
modified by Tilera.

This code has been tested with Tilera's Multicore Developement
Environment (MDE) version 4.1.5. The TILEncore-Gx36 (PCIe card) and
TILEmpower-Gx (1U Rack mount).
 12 years ago
Victor Julien 055b422c28 Remove obsolete code: flow alert sid storage 12 years ago
Victor Julien 9faa4b740d Add --unittests-coverage option to list how many code modules have tests 12 years ago
Victor Julien fc7879322e Rename GetIfaceMaxPayloadSize to GetIfaceMaxPacketSize to reflect the actual function. 12 years ago
Anoop Saldanha cdaa13012a fix for #882. 
Refactor the code that initializes the cuda mpm environment.
 12 years ago
Anoop Saldanha f85a2dc84b fix for #875. 
Update configure.ac to check for either 0.5.5 and 0.5.x version of libhtp.
 12 years ago
Anoop Saldanha 48cf0585fb Suricata upgrade to libhtp 0.5.x. 
Remove the support for now unsupported personalities from libhtp -
TOMCAT_6_0, APACHE and APACHE_2_2.  We instead use the APACHE_2
personality.
 12 years ago
Victor Julien 33818c0272 DNS: fix CUDA build 13 years ago
Victor Julien 8e01cba85d DNS TCP and UDP parser and DNS response logger 13 years ago
Anoop Saldanha 602c91ed41 Minor cosmetic changes to the cuda code. 
Moved a couple of functions to more cuda relevant files;
Re-structured some data types.
 13 years ago
Anoop Saldanha 17c763f855 Version 1 of AC Cuda. 13 years ago
Anoop Saldanha b787da5643 Remove all cuda related code in the engine except for the cuda api wrappers 13 years ago
Victor Julien 724ad9e8e7 Detect L1 cache line size at build time. Fall back to 64 bytes if detection failed. 13 years ago
Eric Leblond 539de3f5ea bpf filter: use SCLogError instead of fprintf 13 years ago
Eric Leblond dfbb31df8a Exit if bpf is used in IPS mode 13 years ago
Eric Leblond 74a9fc4b66 Add function to display current capture mode 
This patch adds a function to display the capture mode.
 13 years ago
Anoop Saldanha 3511f91bba Add support for the new keyword - http_raw_host header. 
The corresponding pcre modifier would be 'Z'.
 13 years ago
Anoop Saldanha c4ce19a1be Add support for a new keyword to inspect http_host header. 
The corresponding content keyword would now be - http_host.
The corresponding pcre modifier would be W.
 13 years ago
Eric Leblond 84f50ba49f build-info: use printf instead of SCLogInfo 
This change results in a more readable and reusable output.
 13 years ago
Eric Leblond 668113af77 add configure summary to build-info output 13 years ago
Eric Leblond f5ba8eb6db suricata: add information to build-info 
This patch adds information about luajit and jansson to the
output of --build-info command. This should fix #696.
 13 years ago
Eric Leblond 12fd60b545 unix-socket: cleanup host table instead of destroying it 
This patch should fix the bug #637. Between pcap files, it uses a
new function HostCleanup() to clear tag and threshold on host with
an IP regputation. An other consequence of this modification is
that Host init and shutdown are now init and shutdown unconditionaly.
 13 years ago
Victor Julien 3ab1458abf pcap: fix windows commandline mangling win device string 13 years ago
Eric Leblond af16c418b7 unix-socket: fix build when jansson not present 13 years ago
Eric Leblond cc71c993f4 unix-command: add iface information command. 
This patch adds two commands to unix-command. 'iface-list' displays
the list of interface which are sniffed by Suricata and 'iface-stat'
display the available statistics for a single interface. For now,
this is the number of packets and the number of invalid checksums.
 13 years ago
Eric Leblond 20a8b9dbe5 unix-manager: add unix command socket and associated script 
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
 * Client connects to the socket
 * It sends a version message: { "version": "$VERSION_ID" }
 * Server answers with { "return": "OK|NOK" }
If server returns OK, the client is now allowed to send command.

The format of command is the following:
 {
   "command": "pcap-file",
   "arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
 }
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer by server is the following:
 {
   "return": "OK|NOK",
   "message": JSON_OBJECT or information string
 }

A simple script is provided and is available under scripts/suricatasc. It
is not intended to be enterprise-grade tool but it is more a proof of
concept/example code.  The first command line argument of suricatasc is
used to specify the socket to connect to.

Configuration of the feature is made in the YAML under the 'unix-command'
section:
  unix-command:
    enabled: yes
    filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.

A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
start a 'pcap-file' running mode which does not really leave at
the end of file but simply exit. The manager is then able to start
a new running mode with a new file.

To start this mode, Suricata must be started with the --unix-socket
 option which has an optional argument which fix the file name of the
socket. The path is not absolute and is relative to the state directory.

THe 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be use for the pcap file treatment.

This requires modification in suricata.c file where initialisation code
is now conditional to the fact 'unix-socket' mode is not used.

Two other commands exists to get info on the remaining tasks:
 * pcap-file-number: return the number of files in the waiting queue
 * pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
 {
  'count': 2,
  'files': ['file1.pcap', 'file2.pcap']
 }
 13 years ago
Eric Leblond 6842545331 Add documentation url in list-keyword output. 
The output of the list-keyword is modified to include the url to
the keyword documentation when this is available. All documented
keywords should have their link set.

list-keyword can be used with an optional value:
 no option or short: display list of keywords
 csv: display a csv output on info an all keywords
 all: display a human readable output of keywords info
 $KWD: display the info about one keyword.
 13 years ago
Eric Leblond fa900a9f6b suricata: add information about BPF filter usage 13 years ago
Eric Leblond 7e14fe62f5 suricata: add '-V' info to usage message. 13 years ago
Eric Leblond fd3a1346e4 suricata: add build-info command to usage message. 13 years ago
Eric Leblond 4e0f5b7f02 suricata: don't display msg in list-keyword mode. 
In list-keywords and list-app-layer mode, suricata now only
displays the messages linked with the feature. This allow users
to redirect the output and easily work on it. For exemple, the
csv output will be easily imported into a spreadsheet.
 13 years ago
Eric Leblond 5e4552fdcd suricata: update list-keyword command 
This patch update the list-keyword command. Without any option,
the previous behavior is conserved. If 'all' is used as option,
suricata print a csv formatted output of keyword information:
	name;features;description
If a keyword name is used as argument, suricata print a readable
message:
tls.subject
Features: state inspecting
Description: Match TLS/SSL certificate Subject field
 13 years ago
Eric Leblond cd42e6a3ef Listing of app layers does not depend on unittests 13 years ago
Eric Leblond 42ace54137 list-keywords: fix when not using default install 
As we don't parse the YAML file when listing of keywords is asked,
suricata make a test on existence of the build-default directory.
So with a non standard (working) install (even a single configure
without option lead to a failure), the keyword listing fails
because the default logging directory does not exist.
 13 years ago
Victor Julien 84bad6db77 Silence compiler warnings found by clang 13 years ago
Eric Leblond 4726e02afb logging: add warning if no output module is selected 
If no daemon compatible logging module is selected, a message is
displayed to avoid the user to look like mad for messages.
 13 years ago
Eric Leblond 9f4da93a4b suricata: don't exit if pidfile can't be created 13 years ago
Victor Julien 472e061c6d build: more checking for includes 13 years ago
Victor Julien 5a6c8c0f01 minor misc changes: update htp ver, add htp ver to --build-info, clean up 13 years ago
Eric Leblond 3061452c5e suricata: avoid concurrent run in daemon mode 
This patch creates a pid file per default and use it to avoid to be
able to run two Suricata. Separate pid file have to be provided to
be able to do it.
 13 years ago
Matt Keeler 37e3de8425 Refactor Napatech 3GD to just Napatech as Suricata is only going to support 3GD. 
Signed-off-by: Matt Keeler <mk@npulsetech.com>
 13 years ago
Matt Keeler 5786a32d0f Remove Napatech 2GD support 
Removed the Napatech 2GD support

runmode-napatech-3gd.c had an include from runmode-napatech.h which was erroneous and has been removed as well.

Signed-off-by: Matt Keeler <mk@npulsetech.com>
 13 years ago
Eric Leblond fc9e0df33b suricata: add run-as.user and run-as.group yaml var 
This patch update the YAML to be able to specify the user or the
group to run Suricata as:
 run-as:
   user: suri
   group: suri
 13 years ago
Matt Keeler 844e4dba11 Napatech 3GD Support 
For use with Network Cards from Napatech utilizing the 3GD driver/api.

    - Implemented new run modes in runmode-napatech-3gd.*
    - Implemented capture/decode threads in source-napatech-3gd.*
    - Integrated the new run modes and source into the build infrastructure.

    New configure switches
    --enabled-napatech-3gd : Turns on the NT 3GD support
    --with-napatech-3gd-includes : The directory containing the NT 3GD header files
    --with-napatech-3gd-libraries : The directory containing the NT 3GD libraries to link against.

    New CLI switch
    --napatech-3gd : Uses the Napatech 3GD run mode

    Runmodes Supported:
    - auto
    - autofp
    - workers

    Notes:
    - tested with 1 Gbps sustained traffic (no drops)

Signed-off-by: Matt Keeler <mk@npulsetech.com>
 13 years ago