Currently, if the user provides --enable-libmagic or
--disable-libmagic, libmagic will be disabled because $enableval is not
used to know if the user provided --enable or --disable
Most of the options have this issue so fix them all by using $enableval
Fixes:
- https://redmine.openinfosecfoundation.org/issues/2797
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
This is to prevent suricata-update from being installed if it
would otherwise be installed based on in being bundled, and
its dependencies being available.
Warn the user that Suricata-Update will not be installed if it
is bundled, but python-yaml is missing (this will also cover
the case where Python is missing).
Add "Install suricata-update" to the build summary. For consistency,
relable "Suricatasc install" as "Install suricatasc".
Remove 'experimental' label for Rust, and enable it by default if
rustc and cargo (and libjansson) are available.
Add rustc and cargo versions to the build-info.
If the data file can't be found in the default location, which
normally is 'default-rule-path', try to see if it can be found
in the path of the rule file that references it.
This makes QA much easier.
Move the rule file configuration down near the bottom of the
configuration file under advanced settings. With the bundling
of Suricata-Update, any rule file configuration within
suricata.yaml could be considered advanced.
Add extra comments to the yaml to make it more clear which was
enabled at installation time.
Enables IPS functionality on Windows using the open-source
(LGPLv3/GPLv2) WinDivert driver and API.
From https://www.reqrypt.org/windivert-doc.html : "WinDivert is a
user-mode capture/sniffing/modification/blocking/re-injection package
for Windows Vista, Windows Server 2008, Windows 7, and Windows 8.
WinDivert can be used to implement user-mode packet filters, packet
sniffers, firewalls, NAT, VPNs, tunneling applications, etc., without
the need to write kernel-mode code."
- adds `--windivert [filter string]` and `--windivert-forward [filter
string]` command-line options to enable WinDivert IPS mode.
`--windivert[-forward] true` will open a filter for all traffic. See
https://www.reqrypt.org/windivert-doc.html#filter_language for more
information.
Limitation: currently limited to `autofp` runmode.
Additionally:
- `tmm_modules` now zeroed during `RegisterAllModules`
- fixed Windows Vista+ `inet_ntop` call in `PrintInet`
- fixed `GetRandom` bug (nonexistent keys) on fresh Windows installs
- fixed `RandomGetClock` building on Windows builds
- Added WMI queries for MTU
Autoconf/automake and python setup.py don't play that well
together with out of tree builds.
Makes suricatasc not an autoconf input file, instead use the
defaults module that is already being created.
In the case of an out of tree build, copy the generated defaults.py
to the build directory manually.
Introduces the option 'outputs.pcap-log.compression' which can be set
to 'none' or 'lz4', plus options to set the compression level and to
enable checksums. SCFmemopen is used to make pcap_dump() write to a
buffer which is then compressed using liblz4.
If suricata-update is bundled, set the default-rule-dir
to lib/suricata/rules under the $localstatedir
For now use 2 rule-files section that are renamed depending
on if suricata-update is bundled or not.
Common /usr/share/suricata/rules or /usr/local/share/suricata/rules.
The rules provided by the distribution are installed here as part
of the Suricata install process so will always be installed, even
without the use of install-rules.
Will be built and installed as part of the Python code used
for suricatactl, which is intended to be the generic place
for all Python utility code that gets installed with Suricata.
No change to suricatasc code.
Don't treat 'external' parsers as more experimental. All parsers
depend on crates to some extend, and all have C glue code. So the
distinction doesn't really make sense.
Let user chose to disable libnss and libnspr support even if these
libraries are installed in the system. Default remains to enable when
libraries are found and disable parameter were not used
This patch introduces the ebpf cluster mode. This mode is using
an extended BPF function that is loaded into the kernel and
provide the load balancing.
An example of cluster function is provided in the ebpf
subdirectory and provide ippair load balancing function.
This is a function which uses the same method as
the one used in autofp ippair to provide a symetrical
load balancing based on IP addresses.
A simple filter example allowing to drop IPv6 is added to the
source.
This patch also prepares the infrastructure to be able to load
and use map inside eBPF files. This will be used later for flow
bypass.
Use a new directory, Python to host the Suricata python modules.
One entry point is suricatactl, a control script for
miscalleneous tasks. Currently onl filestore pruning
is implemented.
Add option to put Rust code in non-'--release' mode, preserving
debug symbols.
Until now Suricata would have to be compiled with --enable-debug for
this.
This patch adds support for hw bypass by enabling flow offload in the network
card (when supported) and implementing the BypassPacketsFlow callback.
Hw bypass support is disabled by default, and can be enabled by setting
"bypass: yes" in the pfring interface configuration section in suricata.yaml.
Fabrice Fontaine
Victor Julien
Eric Leblond
Jason Ish
Hilko Bengen
jason taylor
Jacob Masen-Smith
Max Fillinger
Renato Botelho
Andreas Herz
Giuseppe Longo
Alfredo Cardigliano