Commit Graph

11985 Commits (6853bf98fb7f79d197abd95b84a0f596e6f38494)
 

Author SHA1 Message Date
Jason Ish 6853bf98fb dns: only register a single logger
DNS no longer requires a logger to be registered for to-client and
to-server directions. This has not been required with the stateless
design of the Rust DNS parser.
5 years ago
Victor Julien b1fee90392 output/tx: add warning to avoid future bugs 5 years ago
Victor Julien 3cc3df2172 output/tx: move eof checks out of logging loop 5 years ago
Victor Julien b05bd058e9 app-layer: minor code cleanups 5 years ago
Victor Julien 1098e3b7c6 app-layer: remove conditional logic around API calls
Remove logic that suggested some API calls could be conditional,
even though Suricata wouldn't even start up if they weren't
registered.
5 years ago
Jason Ish 4d5d7b4bd3 eve/netflow: use generic json context 5 years ago
Jason Ish a68d50608b eve/flow: use generic json context 5 years ago
Jason Ish 67c4621bdb eve/ftp: use generic json context
The FTP logger contained no extra data in its context so the
generic json context can be used.
5 years ago
Jason Ish 2d78afe4b0 eve: refactor CreateEveHeaderWithTx to include common options 5 years ago
Jason Ish 06ba611667 eve cleanup: remove duplicate/redundant code
The first change was to have CreateEveHeader add the common options,
as this was left out in a few loggers. While updating all the loggers
that use CreateEveHeader, remove redundant code, in particular
from loggers that don't need to use their own context but
can use the generic one.
5 years ago
Jason Ish 64330498f8 eve/mqtt: fix mqtt logging with threaded eve
Mqtt was not setting up a per-thread file context for logging
in threaded mode, leading to a crash when used in threaded mode.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4404
5 years ago
Jeff Lucovsky dd8eeb6353 general: Correct typos 5 years ago
Jeff Lucovsky 11ec61d0b4 thresholds: Improve validation of threshold.config
This commit improves the handling of threshold.config. When used with
"-T", a non-zero return code occurs when the file cannot be validated.

To maintain legacy behavior, when "-T" is not used and threshold.config
contains one or more invalid lines, Suricata continues execution.
5 years ago
Jeff Lucovsky cb03455c04 error: Add code for threshold config validation
This commit adds a new warning code for threshold config file validation
failures.
5 years ago
Eric Leblond a73b5f0ea5 eve/ike: restore common option logging 5 years ago
Philippe Antoine 2997be6707 sslv2: precise detection pattern with probing parser 5 years ago
Philippe Antoine e8415f249b fuzz: adds structure aware target
so as not to fuzz libpcap
and generate structure aware signatures
5 years ago
Philippe Antoine 0105d4f017 rust: bump bitflags dependency version
So that lexical-core, needed by nom and using bitflags,
is used with version 0.7.5 instead of version 0.7.0,
which fixed the fact that BITS is now a reserved keyword
in the nightly version.
5 years ago
Philippe Antoine cb150e97d0 kerberos: fix probing parser tag condition
according to the comment
5 years ago
Jason Ish abb3cc85d5 install: better warning on install-full and don't fail
If suricata-update is not available on "make install-full", don't
exit 1; instead give the reason why it's not installed, but still
succeed the install.
5 years ago
Victor Julien ae29804a28 github-ci: add libnet to ubuntu-20-04-cov-sv builder 5 years ago
Victor Julien 398ebf9345 eve/drop: use highest priority drop
When adding the alert to a drop record make sure to add the highest
priority.

It would until now add all drops from high to low prio, effectively
overwriting the record each time.

Ticket #4397
5 years ago
Victor Julien 6cf44fc839 detect/alert: apply pd only actions to flow
Ticket #4394
5 years ago
Victor Julien 6c594d29db detect/alert: minor code refactor
Use a simpler reject check and move logic into util func.
5 years ago
Victor Julien fbcdd2ec26 detect/iponly: don't check & set flow flags twice
Per flow IP-only flags are checked and set by IP-only engine, so
no need to set/check them per alert.
5 years ago
Victor Julien 55a0e29c8e eve/ike: gracefully handle renamed output config 5 years ago
frank honza ab59ef0d79 ikev1: add documentation for ikev1 5 years ago
Sascha Steinbiss 37940180a8 ikev1: add metadata to alerts 5 years ago
Sascha Steinbiss e2dbdd7fd5 ikev1: add ikev1 parser 5 years ago
frank honza ecdf9f6b0b ikev1: rename ikev2 to common ike
Renaming was done with shell commands: git mv for moving the files, and for content something like
find -iname '*.c' | xargs sed -i 's/ikev1/ike/g', respecting the different mixes of upper/lower case.
5 years ago
frank honza ab6171c429 detect: added support for protocol-aliases 5 years ago
frank honza e9494ddd8f util: add function converting u8-array into a hex-String 5 years ago
frank honza b80cdae1df detect: add comparison-mode LTE/GTE for Detect(U32/u8)Data 5 years ago
Victor Julien c3075cba42 detect/analyzer: fix mpm display on payload only rules 5 years ago
Victor Julien 9dd1444f44 detect: suppress error message for pcre only rules 5 years ago
Victor Julien b55b327db1 detect/analyzer: suggest modern keywords 5 years ago
Victor Julien 57f7612ffd detect/analyzer: fix json output for warnings/notes 5 years ago
Victor Julien 018b9a0a8c detect/asn1: minor cleanups 5 years ago
Victor Julien 8b8cc697d5 detect/http-server-body: clean up test 5 years ago
Victor Julien 68f8b2f40f detect/icmp: reject invalid rules for icode/itype 5 years ago
Victor Julien 7d6835958b detect/prefilter: fix null ptr deref on invalid rule
A bad rule 'icode:<0; prefilter;' would trigger a null ptr deref
in ApplyToU8Hash.

Bug #4375.
5 years ago
Victor Julien e964643088 detect/state: fix reset bug
Fix issue where after a reset the now empty list elements are not
reused and the values may not be valid for the current detect
engine anymore.

Introduce a 'current' (cur) pointer that points to the store element
currently being filled. This way existing stores will be reused.

If 'cur' is NULL and 'head' is not NULL it means we need to use
'tail' to append a new store.
5 years ago
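The head/tail/cur store list described in the commit message above, as an added example that is not Suricata's code: a hypothetical model (names such as Store, StoreList, StoreListAdd and STORE_SIZE are assumptions) that contrasts an append that always fills the tail with one driven by a 'cur' pointer, so that stores emptied by a reset are refilled before any new store is allocated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a per-engine store list, not Suricata's code.
 * Stores hold a fixed number of values and are chained with head/tail
 * pointers; 'cur' points at the store currently being filled. */
#define STORE_SIZE 4

typedef struct Store_ {
    int vals[STORE_SIZE];
    int nvals;              /* number of valid entries in vals */
    struct Store_ *next;
} Store;

typedef struct StoreList_ {
    Store *head;
    Store *tail;
    Store *cur;             /* store being filled, NULL if none */
    int allocs;             /* allocation counter, makes reuse observable */
} StoreList;

/* Allocate a store and append it at the tail. */
static Store *StoreListAppendStore(StoreList *l)
{
    Store *s = calloc(1, sizeof(*s));
    if (s == NULL)
        return NULL;
    l->allocs++;
    if (l->head == NULL)
        l->head = s;
    else
        l->tail->next = s;
    l->tail = s;
    return s;
}

/* Reset: keep the allocated stores, mark them empty, restart at head. */
void StoreListReset(StoreList *l)
{
    for (Store *s = l->head; s != NULL; s = s->next)
        s->nvals = 0;
    l->cur = l->head;
}

/* Fixed variant: 'cur' walks the existing stores, so after a reset the
 * emptied elements are reused. When the walk falls off the end (cur is
 * NULL while head is set) a new store is appended at the tail. */
int StoreListAdd(StoreList *l, int v)
{
    Store *s = l->cur;
    while (s != NULL && s->nvals == STORE_SIZE)
        s = s->next;
    if (s == NULL) {
        s = StoreListAppendStore(l);
        if (s == NULL)
            return -1;
    }
    l->cur = s;
    s->vals[s->nvals++] = v;
    return 0;
}

/* Buggy variant (models the behaviour the commit fixes): always fills the
 * tail, so stores emptied by a reset are never reused and the list grows. */
int StoreListAddNoCur(StoreList *l, int v)
{
    Store *s = l->tail;
    if (s == NULL || s->nvals == STORE_SIZE) {
        s = StoreListAppendStore(l);
        if (s == NULL)
            return -1;
    }
    s->vals[s->nvals++] = v;
    return 0;
}

void StoreListFree(StoreList *l)
{
    Store *s = l->head;
    while (s != NULL) {
        Store *next = s->next;
        free(s);
        s = next;
    }
    memset(l, 0, sizeof(*l));
}

/* Fill two stores' worth of values, reset, fill again; return the number
 * of stores allocated. With reuse this stays at 2; without it a third
 * store is allocated while head sits empty. */
int StoreListDemo(int use_cur)
{
    StoreList l;
    memset(&l, 0, sizeof(l));
    int (*add)(StoreList *, int) = use_cur ? StoreListAdd : StoreListAddNoCur;
    for (int i = 0; i < 2 * STORE_SIZE; i++)
        add(&l, i);
    StoreListReset(&l);
    for (int i = 0; i < 2 * STORE_SIZE; i++)
        add(&l, 100 + i);
    int allocs = l.allocs;
    StoreListFree(&l);
    return allocs;
}

int main(void)
{
    printf("stores allocated with cur: %d, without cur: %d\n",
           StoreListDemo(1), StoreListDemo(0));
    return 0;
}
```

The allocation counter is the observable difference: in the variant without 'cur', every reset leaves the earlier stores unused and stale, which is the reuse problem the commit describes.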
Victor Julien f766139159 detect/state: test to show reset bug 5 years ago
Victor Julien a808474d38 detect/state: minor code cleanup 5 years ago
Jason Ish 0aed5e188b filestore: fix global counter init in unix socket mode
Move initialization of filestore global counter to PreRunInit,
so they get registered during program initialization, or as
required in unix-socket mode, initialized for each file run.

Fixes Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4216
5 years ago
Philippe Antoine 8307010255 smb: relax probing parser to handle first NBSS message
cf. dcerpc-udp S-V test:
First message is Message Type: Session request (0x81)
Second message is SMB
5 years ago
Philippe Antoine 660e9e489b protodetect: only run ProbingParserTc if STREAM_TOCLIENT 5 years ago
Philippe Antoine 52ea3fc7ac fuzz: more precise assertion for protocol detection
Only in the case of stream start is the assertion valid.
Otherwise, it can only be best effort.
5 years ago
Philippe Antoine 1b6e81cd72 smb: probing parser for start and midstream
The probing parser is more strict at the start of the stream
5 years ago
Philippe Antoine 9dc5258a21 smb: split probing function for code style
Introduces rs_smb_probe_tcp_midstream
5 years ago