Commit Graph

3623 Commits (57d7783402eb52c839c4d8270c16cccc4aae0b53)

Author SHA1 Message Date
Eric Leblond 6303b5d987 SC_LOG_ERROR is not an error. 13 years ago
Eric Leblond d51dd6a30e Fix warning about unused return of SC_ATOMIC func. 13 years ago
Eric Leblond c4f9d0e0e1 Fix invalid usage of operator. 13 years ago
Eric Leblond 7af9fd7735 freebsd: fix warning about redeclaration. 13 years ago
Eric Leblond 4d2305c0a8 freebsd: fix warning 13 years ago
Eric Leblond 6d55446655 ipfw: avoid critical error for broadcast
In some setups, Suricata may receive broadcast packets and the call
to sendto may fail if the wrong interface is chosen by the kernel.
This patch changes the error treatment to avoid leaving when
this problem occurs.
13 years ago
Eric Leblond 41cb365a39 ipfw: add missing include 13 years ago
Eric Leblond ec2445702c autotools: fix default path for magic file. 13 years ago
Eric Leblond e168824d80 freebsd: fix function usage.
The unlock function was not correctly used in error treatment.
13 years ago
Jason Ish ea020e2be6 Do not trim the FCS, pcaps converted to ERF will have an FCS. 13 years ago
Eric Leblond 4a1a008009 af-packet: fix looping in ring buffer.
A crash can occur in the following conditions:
 * Suricata running in other mode than "workers"
 * Kernel fills in the ring buffer
Under these conditions, it is possible that the capture thread reads
a packet that has not yet been released by one of the treatment threads,
because there is no modification done on the ring buffer entry when
a packet is read. Doing this, it accesses memory which can be
released to the kernel and modified. This results in a kind of memory
corruption.

This bug has only been seen recently and this has to be linked with the
read speed improvement recently made in AF_PACKET support.

The patch fixes the issue by modifying the tp_status bitmask in the
ring buffer. It sets the TP_STATUS_USER_BUSY flag when it is confirmed
that the packet will be treated. And at the start of the read, it exits
from the reading loop (returning to poll) when it reaches a packet with
the flag set. As tp_status is set to 0 during packet release the flag
is destroyed when releasing the packet.

Regarding concurrency, we've got a sequence of modifications. The
capture thread reads the packet and sets the flag, then it passes the
queue and the packet gets processed by other threads. The changes on
tp_status are thus made at different times.

Regarding the value of the flag, the patch uses the last bit of
tp_status to avoid being impacted by a change in the kernel. I will
propose a patch to have TP_STATUS_USER_BUSY included in the kernel
as this is a generic issue for multithreaded applications using the
AF_PACKET mechanism.
13 years ago
Victor Julien 0d55950840 luajit: add http.uri and http.request_line buffers. 13 years ago
Victor Julien 597b6db8f2 luajit: fix filtering payload or pkt when not available yet 13 years ago
Victor Julien 69186cda12 luajit: force scripts to have 'init' function that returns a table of 'needs' such as packet or payload. 13 years ago
Victor Julien fca70730a9 Update changelog for 1.4beta1 13 years ago
Eric Leblond cd8d215724 pool: improve error handling
Error handling during Pool creation was not perfect as a PoolBucket
could leak.
13 years ago
Victor Julien 829d975d63 Make sure defrag pool sizes are not initialized to 0, see #540. 13 years ago
Eric Leblond 01d3c14449 tls: fix error handling
Handling of the error case was correct as pointed out by Coverity
717439.
13 years ago
Eric Leblond 41c72a537a tls: avoid double close.
This should fix issue 717441 reported by Coverity.
13 years ago
Eric Leblond 4e6a4c65f6 defrag: be sure to output NULL tracker
Coverity 720337 pointed out a use after free. We can't be dependent
on HashListTableAdd outputting a NULL tracker.
13 years ago
Eric Leblond a7afa845a6 Fix coverity warnings 718636 and 718635
The result of the swap was not checked.
13 years ago
Eric Leblond d3824bd1ab defrag: fix potential use after free.
Coverity pointed out that PoolReturn is almost like free and detected
a use after free when accessing tracker->af (issue 720339).
This patch fixes this by storing the value in a local variable.
13 years ago
Eric Leblond 90052609ee defrag: avoid running cleaning repetitively 13 years ago
Eric Leblond b2691cbe88 af-packet: handle possible exit of capture loop.
If a capture loop does exit, the thread needs to start without
synchronization with the other threads. This patch fixes this
by resetting the turn count on the peerslist structure and
adding a test on this condition in the wait function.
13 years ago
Eric Leblond 4d8f70c613 af-packet: fix kernel offset issue
It seems that, in some cases, there is a read waiting but the
offset in the ring buffer is not correct and Suricata needs to
walk the ring to find the correct place and make the read.
13 years ago
Eric Leblond ee6ba09948 af-packet: fix emergency mode
This patch fixes emergency mode by setting the variable even if we
have a non kernel checksum check. It also does a call to
AFPDUmpCounters() as it seems to improve things to do it ASAP.
13 years ago
Eric Leblond 6040016347 af-packet: implement late open
This patch implements "late open". On high performance systems, it
is needed to create the AF_PACKET socket just before reading to avoid
overflow. Socket creation has to be done with respect to the order
of thread creation to respect affinity settings.
This patch adds a counter to AFPPeer to be able to synchronize the
initial socket creation.
13 years ago
Eric Leblond 3bea3b39df af-packet: improve logged messages. 13 years ago
Eric Leblond 13f13b6d7e af-packet: rework socket transition phase.
Suricata was not able to start cleanly in AF_PACKET with the default
suricata.yaml file if there was no eth1 on the system. This patch
fixes this issue and reworks the socket transition phase to fix
some serious issues (file descriptor leak) found when fixing this
problem.
Every 20 seconds it displays a message to the user to warn him about
the interface not being accessible:
  [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
Eric Leblond 0f2b34068c af-packet: ring mode is not optional in AFPReadFromRing 13 years ago
Victor Julien 355e981775 Fix 'no effect' check in timestamp print logic. Coverity 717437. 13 years ago
Victor Julien 886a4f2850 Check response headers in custom http logging before using them. Coverity 717436. 13 years ago
Eric Leblond 5ffe7e21c3 decode: use pointer inside packet area as param
DecodeTeredo, DecodeIPv6InIPv6 and DecodeIPv4inIPv6 were calling
DecodeTunnel with packet being a pseudo packet and data being
data from initial packet:
        DecodeTunnel(tv, dtv, tp, start, blen,
                     pq, IPPROTO_IPV6);
In decoding functions, arithmetic was done on pkt to set some values.
It was resulting in fields of the packet pointing outside of the scope of
packet data.
This patch switches to what has been done in DecodeGre(), I mean:
        DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp),
                     GET_PKT_LEN(tp), pq, IPPROTO_IP);
Data buffer is then relative to the packet and the arithmetic is
correct.
13 years ago
Eric Leblond 073b251df7 affinity: drop capability after setting thread prio
Setting thread priority can require privilege if a low nice value
has to be set up.
13 years ago
Eric Leblond d1569337a7 affinity: add call to setup function in threads
Threads created through TMThreadSpawn need to call the affinity
function by themselves.
13 years ago
Eric Leblond 0eeccb4b17 affinity: tag management threads as such
The management threads were not tagged for CPU affinity and thus
the setting was not applied.
13 years ago
Eric Leblond efc3faaa0a affinity: add log message 13 years ago
Victor Julien eb5dbc305f Add threshold.config example to EXTRA_DIST as well. 13 years ago
Eric Leblond 95cd8bf67e Add threshold.config file.
This patch adds an example file and modifies the Makefile to have it
installed by the 'make install-conf' command.
13 years ago
Victor Julien c9cc137de5 Add --enable-luajit option to configure 13 years ago
Eric Leblond a48d6cb207 erf: fix logical operator usage. 13 years ago
Victor Julien 2026a68697 Implement logic of luajit keyword to match on full packet data and/or payload. 13 years ago
Victor Julien ba3260ed38 Thread local ctx for detection keywords
Some detection keywords need thread local ctx storage. Example is the
filemagic keyword that has a ctx that is modified with each call. That
is not thread safe. This functionality allows registration of thread
local ctxs so that each detect thread works on its own copy.
13 years ago
Victor Julien f58e828c5e luajit: stub detection keyword 13 years ago
Victor Julien 5b2fbfb123 luajit: tell build sys about it 13 years ago
Eric Leblond b0a2aefc78 af-packet: fix build on systems without AF_PACKET 13 years ago
Eric Leblond 84e0d76406 doxygen: generate doc for acquisition modules
This patch sets some defines to generate doc for the acquisition
modules. It also suppresses the doc generation for unittests, which
was polluting the output.
13 years ago
Eric Leblond bfd6dea38f pool: update doxygen documentation. 13 years ago
Eric Leblond fa079c1da0 pool: realize a block allocation for preallocated item.
This patch required an evolution of the Pool API as it is needed to
proceed to alloc or init separately. The PoolInit has been changed
with a new Init function parameter.
13 years ago
Eric Leblond cd76c7e5fb pool: alloc a single area for all PoolBuckets
As we know the number and the size of PoolBucket, we can simply
allocate a single memory zone.
13 years ago