Commit Graph

4298 Commits (57ed5dfd32d6bdf40d49a480cebb6c5a2e8aaaae)

Author SHA1 Message Date
Victor Julien 07b751b0df Coverity 1005134: fix minor memory leak on flowvar rule setup errors. 12 years ago
Victor Julien e45f683c19 Coverity 1005133: fix unlikely case where malformed pcre statement in rule would lead to null-deref. 12 years ago
Victor Julien 4c6463f378 stream: handle extra different SYN/ACK
Until now, when processing the TCP 3 way handshake (3whs), retransmissions
of SYN/ACKs are silently accepted, unless they are different somehow. If
the SEQ or ACK values are different they are considered wrong and events
are set. The stream events rules will match on this.

In some cases, this is wrong. If the client missed the SYN/ACK, the server
may send a different one with a different SEQ. This commit deals with this.

As it is impossible to predict which one the client will accept, each is
added to a list. Then on receiving the final ACK from the 3whs, the list
is checked and the state is updated according to the queued SYN/ACK.
12 years ago
Victor Julien 00a691fc1b flowvar: clean up properly on signature clean up. 12 years ago
Victor Julien 70e2adeb01 flowvar: add unittests for #802. 12 years ago
Victor Julien 4cd736fcc9 flowvar: fix deadlock with http buffers
Bug #802

Flowvars are set from pcre, and lock the flow when being set. However
when HTTP buffers were inspected, flow was already locked: deadlock.

This patch introduces a post-match list in the detection engine thread
ctx, where store candidates are kept. Then a post-match function is used
to finalize the storing if the rule matches.

Solves the deadlock and brings the handling of flowvars more in line
with flowbits and flowints.
12 years ago
Victor Julien 4c2e6a8402 flowvars: update funcs to accept u16 id
All id's are u16, but flowvar functions would only accept u8.

Minor cleanups.
12 years ago
Victor Julien ffffe6c10e profiling: add formatted totals, percents to packet stats 12 years ago
Victor Julien 4165de4771 Minor SigValidate cleanup 12 years ago
Anoop Saldanha 0d7305dfc7 Update the way we handle http_host keywords.
Previously we would have forced all users to use nocase with http_host
keywords (since the hostname buffer is lowercase).

We now error out on sigs that have nocase set with http_host set.  Also if
the http_host pattern or http_host pcre has an uppercase character set, we
invalidate such sigs.  Unittests also updated to reflect the above change.
12 years ago
Victor Julien 9ea4d36f7a Minor reshuffling of Signature struct. 12 years ago
Victor Julien eb11280888 Use define instead of magic number for pmq's per detect thread 12 years ago
Victor Julien 0fa38c13d1 detection engine: consolidate thread setup
DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did
pretty much the same thing, except for a counters registration. As can be
predicted with code duplication like this, things got out of sync. To make
sure this doesn't happen again, I created a helper function that does the
heavy lifting in this function.
12 years ago
Victor Julien 73158fea33 Fix PmqSetup calls in Liveswap thread init. Func was out of sync with normal thread init. 12 years ago
Anoop Saldanha 4e7adec750 Update comment in yaml to indicate size limit for the following vars -
stream.reassembly.toserver-chunk-size and stream.reassembly.toclient-chunk-size
12 years ago
Eric Leblond c9d90e6596 coccinelle: add tcp flag check
The different TCP related structures have all a flags field and its
value must match the type of structure. This patch adds a check
alerting on invalid value usage.
12 years ago
Victor Julien b8078742c3 stream: intro function for SYN/ACK state update
As the TCP SSN state can be updated from several points in the state
machine on accepting a SYN/ACK, move the update logic into a separate
function.
12 years ago
Victor Julien 28ea129d9b stream: remove unused 'pause' feature 12 years ago
Victor Julien ea8b6078d8 stream: zero ts is a per stream flag
Ssn flag STREAMTCP_FLAG_ZERO_TIMESTAMP was used in stream only. Due to
its value it did not conflict with a real stream flag. Renamed it to
STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP.
12 years ago
Victor Julien 374187bf65 stream: don't use ssn timestamp flag in stream
The STREAMTCP_FLAG_TIMESTAMP flag is a ssn flag, however it was used in
the stream flag field. As it has the same value as
STREAMTCP_STREAM_FLAG_DEPTH_REACHED it's possible that stream reassembly
got confused by the timestamp.
12 years ago
Victor Julien 40a5ce8f5f Change logic of SCErrorToString causing any missing entries to result in a compiler warning. 12 years ago
Anoop Saldanha 71ffed5128 Handle the case of pcre combined with a relative content, where pcre has the
set to match from start of line and we discontinue matching on not finding a
match.
12 years ago
Anoop Saldanha aa363a8144 unittest to display #784. 12 years ago
Eric Leblond 26b7af1483 Don't try to sniff 'default' interface
When running suricata via 'suricata --af-packet', the list of interfaces
was containing the 'default' interface and sniffing it was attempted.
This was not wanted.
12 years ago
Eric Leblond 539de3f5ea bpf filter: use SCLogError instead of fprintf 12 years ago
Eric Leblond b7e78d33b1 af-packet: warn about BPF filter consequence in IPS mode
This patch adds a message to warn user about the impact of using a
BPF filter in IPS mode.
12 years ago
Eric Leblond dfbb31df8a Exit if bpf is used in IPS mode 12 years ago
Eric Leblond 6913109bf3 configure: use correct syntax for help string 12 years ago
Eric Leblond 7d706563ef configure: add --enable-unix-socket flag
This new flag allows the user to force unix socket build or to
disallow it completely. Default which is test is maintained.
12 years ago
Eric Leblond 0470c0f678 jansson: change function test to be sure of version 12 years ago
Victor Julien 106e38d20b Update version number of bundled htp to 0.2.12, so it matches the non-bundled version. 12 years ago
Victor Julien ce99a07582 After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^. 12 years ago
Anoop Saldanha 8bf034e8c4 Live rule swap logs added to report SigLoadSignatures() failure. Also set
thread_closed flag on exit for live swap thread.
12 years ago
Anoop Saldanha a3212f6a0f Minor fixes against the last set of patches for #564, 565, 581 + fp automation.
Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move its
definition from inside the function where it's used to the global namespace,
as requested on #suricata.

Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup.

Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId().

Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
12 years ago
Anoop Saldanha 6de8b1ed53 fix for #564.
Get rid of the hash table, and use a single-one_time_alloc'ed array for
pattern id assignment.
12 years ago
Anoop Saldanha f58c6589b4 We now print content flags in engine fp analyzer. 12 years ago
Anoop Saldanha e77fd1c883 We now assign ids to fp patterns only. Rest of them don't need one. 12 years ago
Anoop Saldanha 4c6efa2d40 Update content id assignment.
All fp id assignment now happens in one go.
Also noticing a slight perf increase, probably emanating from improved cache
perf.
Removed irrelevant unittests as well.
12 years ago
Anoop Saldanha 60be1751d5 Figure out sig fp during validation stage, instead of staging stage. 12 years ago
Anoop Saldanha 45ff67a2e0 Enable a conf option to enable/disable legacy keywords.
Currently, uricontent is declared a legacy keyword, and is enabled by default.
12 years ago
Anoop Saldanha 601836d831 Fast pattern setup now configurable in our code.
You can either enable/disable fp for a particular type + set priority.
12 years ago
Anoop Saldanha c63317d02e Detect sm_list rearranged for performance reasons. 12 years ago
Anoop Saldanha f8ae53ac02 Further customize content modifier buffer registration.
Allow modifier setups functions to have CustomCallbacks to enable their
internal conditions.
12 years ago
Anoop Saldanha a304a98d1d http_* setup unified. 12 years ago
Anoop Saldanha 434bdca9e2 uricontent simplified to use the existing content + http_uri infrastructure. 12 years ago
Anoop Saldanha 0b5d277254 code cleanup for all content based keywords. 12 years ago
Anoop Saldanha 51dcf19817 turn dce_stub_data into a sticky buffer. 12 years ago
Anoop Saldanha a308d718ae Allow the use of relative without the presence of a related previous keyword. 12 years ago
Victor Julien 4845631335 tcp stream: don't move to LAST_ACK on toserver resent of FIN 12 years ago
Victor Julien 3163243a55 Coverity 989710 and 989711: small resource leaks in filemd5 parsing code. 12 years ago