Commit Graph

3006 Commits (70b795e20a399ce2f7522d6b77a3afea5dc2ee27)

Author SHA1 Message Date
Anoop Saldanha 6392202872 restructure log pcap to use a different setup, which is resilient to thread failure/restarts 15 years ago
Anoop Saldanha fd21b83f3e don't return TM failure on failing to remove log file 15 years ago
Anoop Saldanha 4bc907414b init every new pf instance in log pcap 15 years ago
Victor Julien cfd4d07dd0 host: convert host hash to use lookup3.c 15 years ago
Victor Julien c10370907a flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution. 15 years ago
Victor Julien 20c08ca47b hash: add lookup3.c by Bob Jenkins
Found here:
http://burtleburtle.net/bob/hash/doobs.html
http://burtleburtle.net/bob/c/lookup3.c

From the file header:

lookup3.c, by Bob Jenkins, May 2006, Public Domain.

These are functions for producing 32-bit hashes for hash table lookup.
hashword(), hashlittle(), hashlittle2(), hashbig(), mix(), and final()
are externally useful functions.  Routines to test the hash are included
if SELF_TEST is defined.  You can use this free for any purpose.  It's in
the public domain.  It has no warranty.
15 years ago
Victor Julien 19a7e7f395 flow: create a flow lock macro API, implement it for mutex and rwlocks. Mutex remains the default. 15 years ago
Xavier Lange fea5e68a7b Include conf_test in special cases for unset RUNMODE 15 years ago
Xavier Lange 1d774dae61 Make conf_test local. Simplify if/else to if. 15 years ago
Xavier Lange 1ae10b9a42 Do not spawn threads for conf test 15 years ago
Xavier Lange eaacc5d0fe Added conf_test flag and behavior 15 years ago
Victor Julien 22349f863b file magic: don't disable inspecting magic for both directions if files in only one direction don't need magic. 15 years ago
Victor Julien f4b542d703 Enforce memcap limit before allocating hash table in host and flow engines. 15 years ago
Victor Julien bd66a4bba9 Fix typo in spm prototype declaration. 15 years ago
Anoop Saldanha 4d192a6881 update all spm algos to use 16 bit pattern lengths. Should compress a lot of tables 15 years ago
Victor Julien 8d1fe9f2fa Make 'autofp' the default runmode. Increase default max-pending-packets to 1024. Move some advanced and uncommonly changed settings down in the stock suricata.yaml. Closes #433. 15 years ago
Eileen Donlon da633d490b fix misleading comment 15 years ago
Eileen Donlon 793478a832 reject rules with invalid hex digits in content 15 years ago
Eileen Donlon f2e85ab9ee reject rules with an invalid ttl range 15 years ago
Victor Julien 4157d9408d Various small flow and host table fixes. 15 years ago
Victor Julien 18e81b7ba9 Bail out early if we're in http tunnel mode. 15 years ago
Victor Julien 0788656ef7 Silence ac-gfbs debug message. 15 years ago
Victor Julien da3c5bf84d Minor error message cleanups 15 years ago
Victor Julien fa22a26366 profiling: fix lock profiling int print issue. 15 years ago
Victor Julien 3b79dac2b7 flow: fix atomic var not being initialized and destroyed. 15 years ago
Victor Julien 60dbd34f93 Fix bug in app layer event handling causing http event rules to fail loading. 15 years ago
Victor Julien 40ed10ab38 Minor flowq updates. 15 years ago
Anoop Saldanha 7115fa3e72 Introduce the address hash based flow q handler 15 years ago
Anoop Saldanha 5ffb050ada Adapt flow tmqh counters to be atomic vars. Remove support for active flows q handler. Introduce SC_ATOMIC_SET 15 years ago
Anoop Saldanha 3faed5fe79 Support freeing flow q handler out ctx. Adapt unittests to use the same 15 years ago
Anoop Saldanha d01589c9d8 neaten flow q handler code 15 years ago
Anoop Saldanha 0fa14292c0 Enable unittests for flow q handler 15 years ago
Anoop Saldanha 4e417b72b5 support flow q handler schedulers active_flows and active_packets. Support new yaml option autofp_scheduler. Support for printing q handler stats as well 15 years ago
Anoop Saldanha e252048900 support for custom flow qhandlers - round robin support added 15 years ago
Pierre Chifflier d866f38982 TLS: add variable to store the error code in the decoder
Use a variable to store the decoding error code if required, and remove
the calls to SCLogInfo and SCLogDebug.
15 years ago
Pierre Chifflier 218b5d3ba0 TLS app layer: misc fixes, reorder some fields to same memory 15 years ago
Pierre Chifflier 3df341dbeb Add TLS decode events 15 years ago
Pierre Chifflier 71fa4a5285 TLS: replace SigMatchAppendAppLayer with SigMatchAppendSMToList 15 years ago
Eric Leblond a9bb17e097 tls-handshake: add sanity checks. 15 years ago
Eric Leblond 01c7e5bde6 tls-handshake: Add some missing free in error handling.
When DecodeAsn1BuildValue function fails, it may be necessary to
do some clean-up in the calling functions.
15 years ago
Eric Leblond 480db00fd7 tls-handshake: DecodeAsn1BuildValue should return -1 for error
This patch modifies DecodeAsn1BuildValue to have it return -1 when
there is a too big number of bytes announced in the ASN.1 message.
15 years ago
Eric Leblond 8f885ce810 TLS parser: add sanity checks on loop
It was possible in some loop to read data placed after the buffer
resulting in invalid/unpredictable value. This patch fixes two of
this issues.
15 years ago
Eric Leblond d1c56e810b TLS parser: add sanity check 15 years ago
Eric Leblond cb1a75fc9e TLS parser: modify OCTETSTRING
This patch does on over allocation of 1 for the OCTETSTRING
to be able to add a 0 at the end. This will then
allow us to use the string in printf.
15 years ago
Pierre Chifflier 5a65a17f00 TLS parser: add handing of UTF8STRING
Some certificate contains UTF8STRING which is a subset of
OCTETSTRING. This patch adds support for this type of string.
15 years ago
Pierre Chifflier 6c2c6cffac TLS keywords: fix match regex (remove extra space) 15 years ago
Pierre Chifflier 8457ce3b11 TLS app layer: rewrite decoder to handle multiple messages in records
Since we now parse the content of the TLS messages, we need to handle
the case multiple messages are shipped in a single TLS record, and
taking care of the multiple levels of fragmentation (message, record,
and TCP).
Additionally, fix a bug where the parser state was not reset after an
empty record.
15 years ago
Pierre Chifflier 4bb5e2a79d TLS app layer: fix number of bytes processed on SERVER_CERTIFICATE message.
Change the function to return the number of bytes processed, and fix a bug
where the input buffer was wrong.

Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
15 years ago
Eric Leblond 38c213cb84 tls app layer: add missing free
issuerdn was not freed at exit.
15 years ago
Eric Leblond fce2437dc2 tls app layer: handle negation on subject and issuerdn.
This patch adds negation support for tls.subject and tls.issuerdn
matches.
15 years ago
Eric Leblond ad0e05a112 TLS app layer: Add tls.issuerdn keyword. 15 years ago
Eric Leblond afba81bb27 decode ASN.1: Factorize value reading
This patch factorizes the reading of integer value and fix some
indentation. By convention, a value of 0xffffffff is returned
if the size of the integer is too big. In this case, the hexadecimal
value (which is also read) must be used.
15 years ago
Pierre Chifflier 53e5421a24 TLS handshake: get TLS ciphersuite and compression
Decode the SERVER_HELLO message to extract the ciphersuite and compression
chosen by the server.

Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
15 years ago
Pierre Chifflier 4be65fd016 TLS handshake: decode the SERVER_CERTIFICATE message
Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the
certificates and keep the subject name.
Add the tls.subject keyword for substring match in rules (TLS layer).

Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
15 years ago
Pierre Chifflier f77fcdb3e8 Add ASN.1 parser for X509 certificates (in DER format)
Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
15 years ago
Victor Julien 0b3f6c464a Make list-app-layer-protos option name match the help explanation. Make sure it works w/o passing a config. 15 years ago
Anoop Saldanha 109662450d Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs 15 years ago
Anoop Saldanha 7511fa67cd Add BUG_ON to avoid overruning AppLayerDetectDirection map array 15 years ago
Eileen Donlon 9376967e65 reject rules with duplicate content modifiers
reject rules that have multiple depths, offsets, distances, fast_patterns, nocases, or rawbytes for the same content.
15 years ago
Eileen Donlon 0bb4ff34b8 added null checks for init_hash to all ac mpms 15 years ago
Eileen Donlon 617edf469c reject http_client_body with inconsistent flow dir
reject http_client_body with flow: to_client or from_server
15 years ago
Victor Julien feff6f7705 Clean up error message. 15 years ago
Eileen Donlon 85c364da09 disallow-use-of-configuration-file-with-unittests 15 years ago
Victor Julien d908e707d7 profiling: add per lock location profiling
Add profiling per lock location in the code. Accounts how often a
lock is requested, how often it was contended, the max number of
ticks spent waiting for it, avg number of ticks waiting for it and
the total ticks for that location.

Added a new configure flag --enable-profiling-locks to enable this
feature.
15 years ago
Victor Julien 41e9dba20b Profile pcap file callback. 15 years ago
Victor Julien ff8755af5c Make sure stream debug code is only used in debug mode. 15 years ago
Victor Julien 9696902b68 Small http.log improvement: bail out early if there is nothing to log. Make output locking more fine grained. 15 years ago
Victor Julien e581ec7dff Fix 2 compilation issues. 15 years ago
Victor Julien c0a2cbd478 Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling. 15 years ago
Victor Julien a05df345de Introduce host table, make tag use it
Add a host table similar to the flow table. A hash using fine grained
locking. Flow manager for now takes care of book keeping / garbage
collecting.

Tag subsystem now uses this for host based tagging instead of the
global tag hash table. Because the latter used a global lock and the
new code uses very fine grained locking this patch should improve
scalability.
15 years ago
Victor Julien db24258acf Undo changes from 88b8f15663. Atomic stack implementation had a-b-a problem. 15 years ago
Victor Julien 88b8f15663 Add atomic stack implementation. Convert flow spare queue to use this stack. Remove now unused flow-queue code. 15 years ago
Victor Julien 979edf0b97 Add way to profile mutex/spin locks per thread module. 15 years ago
Victor Julien fddaca6e8b Implement stream memcap enforcements using atomics instead of spinlocked counters. 15 years ago
Victor Julien d72b82fae0 Misc fixes. 15 years ago
Victor Julien 8448333bdd Remove trailing zero's from some counters output. 15 years ago
Victor Julien 0150e66ede flow engine: improve scalability
Major redesign of the flow engine. Remove the flow queues that turned
out to be major choke points when using many threads. Flow manager now
walks the hash table directly. Simplify the way we get a new flow in
case of emergency.
15 years ago
Victor Julien da5087a0c0 Fix broken unittest. 15 years ago
Eileen Donlon aae7ea5e67 add null checks to fix bugs in StreamTcpTest23 15 years ago
Eileen Donlon 1a46d7a53a fix more invalid content unittests
fix invalid unittests with mixed relative and non-relative content modifiers and other issues; DetectContentParse19 still contains some failing dce_stub tests which are commented out.
15 years ago
Eileen Donlon 9b2bd9280a fix invalid unittests with mixed content modifiers
Fixed some unittests that were incorrectly mixing relative and non-relative content modifiers.
15 years ago
Eileen Donlon 0bcbd23343 reject mixed relative and non-relative keywords
reject signatures using relative and non-relative positional keywords for the same content (depth or offset with distance or within)
15 years ago
Eileen Donlon 0b09416a48 reject invalid combinations of pcre modifiers
don't allow /B with normalized buffers, and don't mix modifiers for normalized and raw buffers
15 years ago
Victor Julien 8350fdd9be Do not assume the include dir for nss to be nss. On F16 it's nss3. 15 years ago
Victor Julien 705417434b Fix json output typo. 15 years ago
Victor Julien fe9258f0fb Fix issue discovered by Anoop. Passing u32 ptr to a size_t can caused badness. 15 years ago
Victor Julien 6019ae3dcb Fix minor memleak in case af-packet init fails. 15 years ago
Victor Julien 385f1dcd25 Fix UTHBuildFlow setup using wrong address. 15 years ago
Victor Julien e3935a2af2 Improve http filename parsing. 15 years ago
Victor Julien e237841a8e Fix compilation with profiling enabled. Minor unittest fixes. 15 years ago
Victor Julien de5c1d1491 Fix minor fgetc issue. 15 years ago
Victor Julien 0d6f33a15b Move PACKET_RECYCLE outside of flow lock in FlowForceReassemblyForQ as it confuses static code checkers. 15 years ago
Victor Julien e21d8cdf01 file extract: improve multipart parsing and set events on some error conditions. 15 years ago
Victor Julien bfb3f1b7cf flow: Refactor how FlowPrune deals with forced timeouts, improving locking logic. 15 years ago
Victor Julien 372ab9c433 Another batch of minor fixed for issues found by Coverity. 15 years ago
Victor Julien 11bdf4838f Various improvements to error handling found by Coverity. 15 years ago
Anoop Saldanha d6af843860 code cleanup 15 years ago
Victor Julien cdba2f50d1 Various fixes and improvements based on feedback by Coverity analyzer. 15 years ago
Victor Julien 4b2d94a841 Add line number to warning about mangled yaml parameters. Limit number of warnings to 10. 15 years ago
Nikolay Denev fb05edeeee Convert underscores to dashes in thread affinity type names. 15 years ago
Nikolay Denev 7fce226bb8 Fix some warning message still using underscored config vars. 15 years ago
Nikolay Denev 139768dd58 Do not use underscored config vars internally. 15 years ago
Nikolay Denev 6819ec8b54 Remove the underscored "sguil_base_dir" compatibility option. 15 years ago
Nikolay Denev 32e898f2e3 Convert config entries using underscores to dashes and emit deprecation warnings. 15 years ago
Victor Julien 2197f1a625 file-inspection: split 'file' output module into file-store and file-log. Store stores files. Log logs json records. 15 years ago
Victor Julien 8b1333a277 Add more flow lock assertions to the debug validation code. 15 years ago
Victor Julien 5ba41c7890 Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked. 15 years ago
Victor Julien 28d88746e4 Fix compiler warning and silence complaining unittests. 15 years ago
Victor Julien 860971eca0 Misc afpacket changes. 15 years ago
Victor Julien 8e48a2edfd Fix NULL dereference in PacketPatternSearchWithStreamCtx code. 15 years ago
Eric Leblond 34b3f19465 af-packet: Implement zero copy
This patch adds support for zero copy to AF_PACKET running mode.
This requires to use the 'worker' mode which is the only one where
the threading architecture is simple enough to permit this without
heavy modification.
15 years ago
Eric Leblond 3593cb051e decode: add PacketSetData funtion
This patch adds a function which can be used to set the payload
of a packet when a zero copy mode is used.
15 years ago
Eric Leblond 49b7b00fcf af-packet: mmap support
This patch adds mmap support for af-packet. Suricata now makes
use of the ring buffer feature of AF_PACKET if 'use-mmap' variable
is set to yes on an interface.
15 years ago
Victor Julien 3702a33ae9 file-inspection: support POST requests that do not use multipart. 15 years ago
Victor Julien 64827e3864 file-inspection: use filename= value from Content-Disposition where available to determine the filename in GET requests. 15 years ago
Victor Julien 6585cb89d3 Fix UtilMiscParseSizeStringTest01 unittest on 32 bit. 15 years ago
Anoop Saldanha 35435f3284 All http_http_stat_code modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_STAT_CODE. Also remove dummy match/free functions for stat code and stat msg 15 years ago
Anoop Saldanha 507e1b66e0 All http_http_stat_msg modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_STAT_MSG 15 years ago
Anoop Saldanha 059ee217ff All http_http_raw_uri modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_RAW_URI 15 years ago
Anoop Saldanha b1a0d35106 All http_http_cookie modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_COOKIE 15 years ago
Anoop Saldanha 49bdad9345 All http_http_method modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_METHOD 15 years ago
Anoop Saldanha 97d8fc9cba All http_http_raw_header modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_RAW_HEADER 15 years ago
Anoop Saldanha 97308674ee All http_http_header modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_HEADER 15 years ago
Anoop Saldanha 1acb7cdc7d All http_server_body modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_SERVER_BODY 15 years ago
Anoop Saldanha a5b46e727c All http_client_body modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_CLIENT_BODY 15 years ago
Anoop Saldanha 4810ee9c5f All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns 15 years ago
Anoop Saldanha 93d7a6e671 code cleanup. Remove unused functions 15 years ago
Anoop Saldanha eb07c345b8 code cleanup - replace SigMatchAppendThreshold with SigMatchAppendSMToList 15 years ago
Anoop Saldanha dd7e710f35 code cleanup - replace SigMatchAppendPostMatch with SigMatchAppendSMToList 15 years ago
Anoop Saldanha a4638fb0ad code cleanup - replace SigMatchAppendPacket with SigMatchAppendSMToList 15 years ago
Anoop Saldanha ff38d42bf1 code cleanup - replace SigMatchAppendTag with SigMatchAppendSMToList 15 years ago
Anoop Saldanha ac68c3f893 code cleanup - replace SigMatchAppendDcePayload with SigMatchAppendSMToList 15 years ago
Anoop Saldanha 6cab663bf0 code cleanup - replace SigMatchAppendPayload with SigMatchAppendSMToList 15 years ago
Anoop Saldanha c4cb37b8da code cleanup - replace SigMatchAppendUricontent with SigMatchAppendSMToList 15 years ago
Anoop Saldanha c9af50ea0c code cleanup - replace SigMatchAppendAppLayer with SigMatchAppendSMToList 15 years ago
Anoop Saldanha bbb9f35f26 code cleanup - replace SigMatchGetLastSM with SigMatchGetLastSMFromLists 15 years ago
Anoop Saldanha ab35b98f76 code cleanup - remove DetectContentGetLastPattern. Replace it with SigMatchGetLastSMFromLists 15 years ago
Anoop Saldanha d85ab5ab1f code cleanup - remove DetectContentFindNextApplicableSM 15 years ago
Anoop Saldanha 802350f65a code cleanup - remove DetectContentHasPrevSMPattern 15 years ago
Anoop Saldanha 9652c3672d code cleanup - remove SigMatchGetLastPattern 15 years ago
Anoop Saldanha e851804c92 code cleanup - remove DetectUricontentGetLastPattern 15 years ago
Anoop Saldanha dcb2afb02f Use sm_list to differentiate between different content types while retrieving pattern ids instead of sm_type 15 years ago
Anoop Saldanha 83d9439877 DetectPatternGetId() cleanup. Remove separate search element creation for uricontent. We don't need this now since we have unified content structures for content and uricontent 15 years ago
Victor Julien 154af56b45 Add a print function specially for json output that escapes all characters json requires to be escaped. 15 years ago
Victor Julien 740ee3e7ab Add referer header to .meta and json file logs. 15 years ago
Victor Julien 337f7861a4 Make sure that if not built against libnss, we still compile. Only no md5 for you then\! 15 years ago
Victor Julien 6752ccae2a Add line based log file to log-file module that logs each stored file's meta data in json records. 15 years ago
Victor Julien 12e8ce6545 In PrintRawUriFp, consider " unprintable. 15 years ago
Victor Julien 69b3df96fb Initial on the fly MD5 calculation for extracted files using libnss. 15 years ago
Anoop Saldanha 2f7717a1a7 delete detect-recursive.[ch] 15 years ago