Commit Graph

5060 Commits (8a77e6bc8e6677b2bdf7205891073b9bfb7055ef)
 

Author SHA1 Message Date
Victor Julien 8a77e6bc8e Fix Coverity 1220097
*** CID 1220097:  Missing unlock  (LOCK)
/src/log-file.c: 160 in LogFileWriteJsonRecord()
154             }
155         }
156
157         /* Bail early if no file pointer to write to (in the unlikely
158          * event file rotation failed. */
159         if (aft->file_ctx->fp == NULL) {
>>>     CID 1220097:  Missing unlock  (LOCK)
>>>     Returning without unlocking "aft->file_ctx->fp_mutex".
160             return;
161         }
162
163         FILE *fp = aft->file_ctx->fp;
164         char timebuf[64];
165         AppProto alproto = FlowGetAppProtocol(p->flow);
12 years ago
Jason Ish fc2014ab40 Unregister for file rotation notification when a context is
de-initialized.  Required for unix-socket mode where
contexts come and go.
12 years ago
Jason Ish e1b97fed70 Add signal based file rotation for:
- alert debug log
- fast log
- stats log
- dns log
- drop log
- file log
- http log
- tls log
- eve/json log
12 years ago
Jason Ish 0a33e73417 Add macros for access to the underlying buffer and offset.
Useful for using passing the buffer through to another writer
such as LogFileCtx.
12 years ago
Jason Ish c1b6894ce3 Add a rotation flag to LogFileCtx which loggers can use to register
for log rotation.  Have the LogFileCtx handle the log rotation.
12 years ago
Jason Ish 698a0f7f48 Registration for SIGHUP notification - for loggers interested
in file rotation on SIGHUP.
12 years ago
Victor Julien 25cbf36d40 lua/luajit: use HAVE_LUA mostly
Only use HAVE_LUAJIT if things are done differently from HAVE_LUA,
like in the states pool.
12 years ago
Victor Julien 7396237c2a lua: deal with FreeBSD and OpenBSD
FreeBSD pkg-config lua-5.1.pc, lib liblua-5.1.so
OpenBSD pkg-config lua51.pc, lib liblua5.1.so

Default (linux) pkg-config: lua5.1.pc, lib liblua5.1.so
12 years ago
Victor Julien e366c62cf0 lua: support regular lua C library
Not all systems have luajit or a need for luajit. For low bandwidth
and offline support regular lua may be sufficient.
12 years ago
Victor Julien a7118a4ff3 profiling: use wider columns in keyword output
Use wider columns in keyword output so that even on high end sensors
the stats tables remain readable.
12 years ago
Noam Meltzer e873443adb fix regression in 'make distclean' due to commit cd305c3a
the files under scripts/suricatasc/src are actual sources and should not
be cleaned
12 years ago
jeka dc1599e0dc bugfix in debug mode:
removed function calls from SCReturnX macros
12 years ago
Victor Julien 0765bcc73e nflog: set socket timeout
Set socket timeout so that we can exit if there is no traffic.

It would hang after the SIGINT signal, until packets arived.
12 years ago
Victor Julien 26c0915375 nflog: warn if buffer-size is larger than max-size
If buffer-size is larger than max size, give a warning and adjust
buffer-size to max-size.
12 years ago
Victor Julien 462f9de134 dns: unify type to string logging utility
Both DNS loggers had their own CreateTypeString. This patch unifies
them.
12 years ago
Victor Julien 5e87257845 dns: add names for common types
Add names for SRV, NAPTR, DS, RRSIG, NSEC, NSEC3 types.
12 years ago
Victor Julien 0bbec75764 nflog: fix typo rising->raising 12 years ago
Victor Julien 0857a60fce nflog: improve error handling on NOBUFS
Don't fall through to handle_packet on any NOBUFS condition. Make
sure we catch all NOBUFS.
12 years ago
Giuseppe Longo 4d72911e17 This patch adds the fields into PacketVars struct to setup a packet from a nflog message 12 years ago
Giuseppe Longo 4dda018ede Adds nflog option 12 years ago
Giuseppe Longo 0368d5e4a4 Declare a wrapper to parse group option for nflog 12 years ago
Giuseppe Longo c35432b265 Implements NFLOG runmode 12 years ago
Giuseppe Longo 2ad8a8e111 Bootstraping NFLOG capture mode 12 years ago
Giuseppe Longo 0162e7e809 Adds nflog error code 12 years ago
Giuseppe Longo d213d89981 Updating the Tmm Id for declaration of nflog capture mode 12 years ago
Giuseppe Longo 62aaae24fd Adds a configuration example for nflog support in suricata.yaml 12 years ago
Giuseppe Longo 4851568a41 Checks if libnetfilter_log is found on the system
and enable it if it's specified.
12 years ago
Victor Julien db563ed4b0 tls: check SSL3/TLS version per record
Set event if SSL3/TLS record isn't within the acceptable range.
12 years ago
Victor Julien 8ddcf6a816 dns: add tests for TXT response parsing
Add valid and invalid examples.
12 years ago
Victor Julien bddb2c3bdc dns json: log TXT response data
Log TXT data in the rdata field.
12 years ago
Victor Julien 683d2d64e9 dns: parse and store TXT responses
This way the TXT data can be logged by the loggers.

Ticket #1158
12 years ago
Victor Julien 174a50554a Update Changelog for 2.0.1 12 years ago
Victor Julien 7e8f80b390 Update Changelog for 2.0.1rc1 changes 12 years ago
Victor Julien 8ba8c0bf6f json output: don't set 'unknown' for missing data
Instead of setting 'unknown' or '<unknown>' just pass NULL to json_*
function, which results in omitting the data.
12 years ago
Tom DeCanio 11ca25ddca eve-log: swap ip/port pairs in dns answers 12 years ago
Victor Julien d4215fca84 http-json: fix coverity warning
*** CID 1211009:  Bad bit shift operation  (BAD_SHIFT)
/src/output-json-http.c: 265 in JsonHttpLogJSON()
259         /* log custom fields if configured */
260         if (http_ctx->fields != 0)
261         {
262             HttpField f;
263             for (f = HTTP_FIELD_ACCEPT; f < HTTP_FIELD_SIZE; f++)
264             {
>>>     CID 1211009:  Bad bit shift operation  (BAD_SHIFT)
>>>     In expression "1 << f", left shifting by more than 31 bits has undefined behavior.  The shift amount, "f", is as much as 46.
265                 if ((http_ctx->fields & (1<<f)) != 0)
266                 {
267                     /* prevent logging a field twice if extended logging is
268                        enabled */
269                     if (((http_ctx->flags & LOG_HTTP_EXTENDED) == 0) ||
270                         ((http_ctx->flags & LOG_HTTP_EXTENDED) !=

________________________________________________________________________________________________________
*** CID 1211010:  Bad bit shift operation  (BAD_SHIFT)
/src/output-json-http.c: 492 in OutputHttpLogInitSub()
486                         {
487                             if ((strcmp(http_fields[f].config_field,
488                                        field->val) == 0) ||
489                                 (strcasecmp(http_fields[f].htp_field,
490                                             field->val) == 0))
491                             {
>>>     CID 1211010:  Bad bit shift operation  (BAD_SHIFT)
>>>     In expression "1 << f", left shifting by more than 31 bits has undefined behavior.  The shift amount, "f", is as much as 46.
492                                 http_ctx->fields |= (1<<f);
493                                 break;
494                             }
495                         }
496                     }
497                 }
12 years ago
Victor Julien 5cdd9b460a unix-socket: reset logging api's properly
Lack of proper reset lead to logs not being written after the first
pcap had been processed.
12 years ago
Victor Julien fd56acd4b3 stream: cleanup
StreamTcpSetDisableRawReassemblyFlag() has the same effect as
AppLayerParserTriggerRawStreamReassembly in that it will force the
raw reassembly to flush out asap. So it is redundant to call both.
12 years ago
Victor Julien 3543150f42 stream: implement raw reassembly stop api
Implement StreamTcpSetDisableRawReassemblyFlag() which stops raw
reassembly for _NEW_ segments in a stream direction.

It is used only by TLS/SSL now, to flag the streams as encrypted.
Existing segments will still be reassembled and inspected, while
new segments won't be. This allows for pattern based inspection
of the TLS handshake.

Like is the case with completely disabled 'raw' reassembly, the
logic is that the segments are flagged as completed for 'raw' right
away. So they are not considered in raw reassembly anymore.

As no new segments will be considered, the chunk limit check will
return true on the next call.
12 years ago
Victor Julien b2184f936e stream: unify segment discard handling
Have a single function StreamTcpReturnSegmentCheck determine if a
segment is ready to be removed from the stream.

Handle FLOW_NOPAYLOAD_INSPECT in raw reassembly.
12 years ago
Victor Julien ad355c3c0a app-layer: improve no payload inspect flag
If setting APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD, trigger raw
reassembly.
12 years ago
Victor Julien f0bdb009ed tls/heartbleed: fix test
Now that we continue to track ssl/tls after the handshake, we need
to fix tests that checked for the cutoff flags.
12 years ago
Victor Julien 31655aef7e tls/heartbleed: improve encrypted logic
Don't assume that if the type field isn't 01 or 02 it's an encrypted
heartbeat. Instead, use our knowledge of the SSL state.
12 years ago
Victor Julien fdbd9b3f25 tls/heartbleed: formatting fixes 12 years ago
Victor Julien c5f43785f1 tls/heartbleed: add rule for invalid encrypted hb
Add rule to tls-events.rules to match on the invalid encrypted
heartbeat.
12 years ago
Will Metcalf 26169ad8c5 Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction 12 years ago
Victor Julien 0564a8da3c detect: add more defensive checks for flow handling
Don't unconditionally deref f->alparser in detection through
DeStateFlowHasInspectableState(). In very rare cases it can
be NULL.
12 years ago
Victor Julien 2002067fb1 http-json: init 'fields' to 0 before setting it
httplog_ctx->fields would not be initialized before setting flags in
it:

Scanbuild:
output-json-http.c:491:46: warning: The left expression of the compound assignment is an uninitialized value. The computed value will also be garbage
                            http_ctx->fields |= (1<<f);
                            ~~~~~~~~~~~~~~~~ ^
1 warning generated.

Drmemory:
~~27874~~ Error #1: UNINITIALIZED READ: reading register eax
~~27874~~ # 0 JsonHttpLogJSON                       [/home/buildbot/qa/buildbot/donkey/drmemory/Suricata/src/output-json-http.c:260]
~~27874~~ # 1 JsonHttpLogger                        [/home/buildbot/qa/buildbot/donkey/drmemory/Suricata/src/output-json-http.c:375]

Just memset the whole structure right after initialition.
12 years ago
Tom DeCanio 7df9b283f1 json: address custom output capability to http eve log review comments 12 years ago
Tom DeCanio 4838b9bf4f json: add custom output capability to http eve log 12 years ago