Set flags by default:
-Wmissing-prototypes
-Wmissing-declarations
-Wstrict-prototypes
-Wwrite-strings
-Wcast-align
-Wbad-function-cast
-Wformat-security
-Wno-format-nonliteral
-Wmissing-format-attribute
-funsigned-char
Fix minor compiler warnings for these new flags on gcc and clang.
Cppcheck 1.72 gives a warning on the following code pattern:
char blah[32] = "";
snprintf(blah, sizeof(blah), "something");
The warning is:
(error) Buffer is accessed out of bounds.
While this appears to be a FP, in most cases the initialization to ""
was unnecessary as the snprintf statement immediately follows the
variable declaration.
Make threshold loading prefix aware, so it can be part of tenant
configuration.
If the setting is missing from the tenant, the global setting is tried
and if that too is missing, the global default is used.
Note: currently per host thresholds are tracked globally and NOT per
tenant.
So far suppress rules would apply to src or dst addresses of a packet.
This meant that if a ip would need to suppressed both as src and as dst,
2 suppress rules would be needed.
This patch introduces track by_either, which means that the ip(s) in the
suppress rule are tested against both the packets source and dest ip's.
If either of them is on the suppress list, the alert is suppressed.
Ticket: 1137
Support supplying a list of IP's to the suppress keyword. Variables from
the address-groups and negation is supported. The same logic (and code) is
used that is also used in parting the IP portions of regular detection
rules.
When applying wildcard thresholds (with sid = 0 and/or gid = 0) it's wrong
to exit on the first signature already having an event filter. Indeed,
doing so results in the theshold not being applied to all subsequent
signatures. Change the code in order to skip signatures with event
filters instead of breaking out of the loop.
This patch is a result of applying the following coccinelle
transformation to suricata sources:
@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc|SCMallocAligned|SCRealloc)";
@@
x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
Thresholds and suppression can be handled independently. Suppression
only suppresses output, and is not related to Threshold state tracking.
This simplifies mixing suppression and thresholding rules.
Part of the Bug #425 effort.
Use test macro instead of direct access to action field.
This patch has been obtained by using the following
spatch file:
@@
Packet *p;
expression E;
@@
- p->action & E
+ TEST_PACKET_ACTION(p, E)
Allow threshold.conf to override rule thresholds in the following
cases:
- threshold.config rule uses threshold or event_filter AND
- threshold.config rule applies to a single signature (so no
gid 0 or sid 0)
Confirmed to work with both threshold and detection_filter rule
keywords.
Part of bug #425.
When handling error case on SCMallog, SCCalloc or SCStrdup
we are in an unlikely case. This patch adds the unlikely()
expression to indicate this to gcc.
This patch has been obtained via coccinelle. The transformation
is the following:
@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)";
@@
x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
Victor Julien
Ruslan Usmanov
Andreas Herz
Jason Ish
Ken Steele
Alessandro Guido
Eric Leblond
Jamie Strandboge
Anoop Saldanha