aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,416 Commits
7 Branches
155 Tags
194 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '93298e91c7'
${ noResults }
Commit Graph

7416 Commits (93298e91c77ac86c2098e7f0a53a830957271063)
 

Author SHA1 Message Date
Mats Klepsland ea5696812f detect: add tls_cert_notbefore and tls_cert_notafter keywords 
Detection plugin for TLS certificate fields notBefore and notAfter.

Supports equal to, less than, greater than, and range operations
for both keywords. Dates can be represented as either ISO 8601 or
epoch (Unix time).

Examples:
alert tls [...] tls_cert_notafter:1445852105; [...]
alert tls [...] tls_cert_notbefore:<2015-10-22T23:59:59; [...]
alert tls [...] tls_cert_notbefore:>2015-10-22; [...]
alert tls [...] tls_cert_notafter:2000-10-22<>2020-05-15; [...]
 9 years ago
Mats Klepsland c49cb05399 util-time: add function to parse a date string based on patterns 
Add function SCStringPatternToTime to parse a date string based on an
array of pattern strings.
 9 years ago
Mats Klepsland bfd16dc74e app-layer-ssl: add validity dates from certificate 
Parsing of certificate validity dates to get notBefore and notAfter
fields.
 9 years ago
Mats Klepsland 6c1c53b5a1 util-time: add function to convert tm to time_t 
Add function SCMkTimeUtc to convert broken-down time to Unix epoch in UTC.
 9 years ago
Mats Klepsland 03cda74b95 util-decode-der: decode GeneralizedTime 
Decode ASN.1 element type GeneralizedTime in DER-encoded
structures.
 9 years ago
Mats Klepsland b914861692 app-layer-ssl: use new unit test macros 9 years ago
Mats Klepsland 12356d1fca detect-ssl-version: use new unit test macros 9 years ago
Mats Klepsland 1503ac97a6 detect-tls-version: use new unit test macros 9 years ago
Mats Klepsland d9e2cde585 detect-tls-sni: use new unit test macros 9 years ago
Mats Klepsland 8e77d0c312 detect: fix faulty tls_sni unittests 9 years ago
Mats Klepsland 9d23ad9d25 tls: fix faulty unittests 9 years ago
Mats Klepsland b74f3fd978 coverty: fix CID 1361873 9 years ago
Mats Klepsland 7c36b11a84 rules: add rule for HANDSHAKE_INVALID_LENGTH event 9 years ago
Mats Klepsland c36595eb35 tls: set event if input buffer overflows 
Set HANDSHAKE_INVALID_LENGTH event if input buffer overflows while
decoding client_hello/server_hello.
 9 years ago
Mats Klepsland 1f7b813080 app-layer-tls: add name to authors 9 years ago
Mats Klepsland 12da0e8681 tls: add function for decoding client_hello 
Add function TLSDecodeHandshakeHello() to enable using the same code
for decoding both client_hello and server_hello.
 9 years ago
Jason Ish 04da43d65d rule parsing: check for balanced double quotes 
If a rule option value starts with a double quote, ensure it
ends with a double quote, exclusive of white space which gets
trimmed anyways.

Catches errors like 'filemagic:"picture" sid:5555555;' reporting
that a missing semicolon may be the error.
 9 years ago
Victor Julien 48b3cb0492 unittests: fix tests 9 years ago
Victor Julien 6530c3d0d8 unittests: replace SCMutex* calls by FLOWLOCK_* 9 years ago
Victor Julien 682459d640 file: remove dead code 9 years ago
Victor Julien 70c16f50e7 flow-manager: optimize hash walking 
Until now the flow manager would walk the entire flow hash table on an
interval. It would thus touch all flows, leading to a lot of memory
and cache pressure. In scenario's where the number of tracked flows run
into the hundreds on thousands, and the memory used can run into many
hundreds of megabytes or even gigabytes, this would lead to serious
performance degradation.

This patch introduces a new approach. A timestamp per flow bucket
(hash row) is maintained by the flow manager. It holds the timestamp
of the earliest possible timeout of a flow in the list. The hash walk
skips rows with timestamps beyond the current time.

As the timestamp depends on the flows in the hash row's list, and on
the 'state' of each flow in the list, any addition of a flow or
changing of a flow's state invalidates the timestamp. The flow manager
then has to walk the list again to set a new timestamp.

A utility function FlowUpdateState is introduced to change Flow states,
taking care of the bucket timestamp invalidation while at it.

Empty flow buckets use a special value so that we don't have to take
the flow bucket lock to find out the bucket is empty.

This patch also adds more performance counters:

flow_mgr.flows_checked         | Total    | 929
flow_mgr.flows_notimeout       | Total    | 391
flow_mgr.flows_timeout         | Total    | 538
flow_mgr.flows_removed         | Total    | 277
flow_mgr.flows_timeout_inuse   | Total    | 261
flow_mgr.rows_checked          | Total    | 1000000
flow_mgr.rows_skipped          | Total    | 998835
flow_mgr.rows_empty            | Total    | 290
flow_mgr.rows_maxlen           | Total    | 2

flow_mgr.flows_checked: number of flows checked for timeout in the
                        last pass
flow_mgr.flows_notimeout: number of flows out of flow_mgr.flows_checked
                        that didn't time out
flow_mgr.flows_timeout: number of out of flow_mgr.flows_checked that
                        did reach the time out
flow_mgr.flows_removed: number of flows out of flow_mgr.flows_timeout
                        that were really removed
flow_mgr.flows_timeout_inuse: number of flows out of flow_mgr.flows_timeout
                        that were still in use or needed work

flow_mgr.rows_checked: hash table rows checked
flow_mgr.rows_skipped: hash table rows skipped because non of the flows
                        would time out anyway

The counters below are only relating to rows that were not skipped.

flow_mgr.rows_empty:   empty hash rows
flow_mgr.rows_maxlen:  max number of flows per hash row. Best to keep low,
                        so increase hash-size if needed.
flow_mgr.rows_busy:    row skipped because it was locked by another thread
 9 years ago
Victor Julien aee1f0bb99 flow: simplify timeout logic 
Instead of a single big FlowProto array containing timeouts separately
for normal and emergency cases, plus the 'Free' pointer for the
protoctx, split up these arrays.

An array made of FlowProtoTimeout for just the normal timeouts and an
mirror of that for emergency timeouts are used through a pointer that
will be set at init and by swapped by the emergency logic. It's swapped
back when the emergency is over.

The free funcs are moved to their own array.

This simplifies the timeout lookup code and shrinks the data that is
commonly used.
 9 years ago
Victor Julien 96427cf371 flow: remove dead code 9 years ago
Victor Julien da8f3c987b offloading: make disabling offloading configurable 
Add a generic 'capture' section to the YAML:

  # general settings affecting packet capture
  capture:
    # disable NIC offloading. It's restored when Suricata exists.
    # Enabled by default
    #disable-offloading: false
    #
    # disable checksum validation. Same as setting '-k none' on the
    # commandline
    #checksum-validation: none
 9 years ago
Victor Julien 5e3b61cc65 offloading: reduce verbosity to 'perf' 9 years ago
Victor Julien 2b2984dae9 offloading: implement restoring settings for BSD 9 years ago
Victor Julien 499e27de14 offloading: restore settings on exit 9 years ago
Victor Julien 9d48720f9a af-packet: optionally disable offloading 9 years ago
Victor Julien 98092f63b5 offloading: Linux ethtool offloading support 9 years ago
Victor Julien bc370606fc pcap: optionally disable offloading 9 years ago
Victor Julien 723a14c0fe netmap: optionally disable offloading 9 years ago
Victor Julien 2780fba1d1 device: add global flag for disabling offloading 
Add global flag to disable offloading or just warn on it.
 9 years ago
Victor Julien 7004987670 offloading: preparation for disabling offload on BSD 
Add functions for setting IFCAP flags.
 9 years ago
Jason Ish 30c853a304 detect-ssl-state: use new unit test macros 9 years ago
Jason Ish 487cdda93d ssl: issue 1231 - support ssl state negation 
Snort compatible SSL state negation. Adds "," as a state
separator, but keeps "|" for compatibility with existing
Suricata rules.
 9 years ago
Jason Ish afc796a099 ssl: store current state separately from cumulative state 
The ssl_state keyword needs the current state, not the cumulative state
in order be compatible with Snort's implementation.
 9 years ago
Jason Ish 7ce196e3bf detect-pcre: use new unit test macros 9 years ago
Jason Ish 4cdcada397 pcre: fix missing quote in pcre unit test 9 years ago
Victor Julien f7481c4078 file-hashing: restore 'force-md5' 
We don't want to break existing setups.

Do issue a warning that a new option is available.
 9 years ago
Victor Julien 4426f3ff55 file: introduce common flags handling function 9 years ago
Victor Julien 2f5663dfe9 common: introduce BIT_U16 9 years ago
Duarte Silva 53ebe4c538 file-hashing: added configuration options and common parsing code 9 years ago
Duarte Silva 89eb935f73 file-hashing: added support for SHA-256 file hashing 9 years ago
Duarte Silva a6d928e269 file-hashing: added support for SHA-1 file hashing 9 years ago
Duarte Silva 188b382c46 file-hashing: common code added 
Moved and adapted code from detect-filemd5 to util-detect-file-hash,
generalised code to work with SHA-1 and SHA-256 and added necessary
flags and other constants.
 9 years ago
Mats Klepsland f1b550d973 tls: add unit tests for tls_cert_issuer 9 years ago
Mats Klepsland 20b41567d9 tls: add unit tests for tls_cert_subject 9 years ago
Mats Klepsland 4172c4c8ac tls: add (mpm) keyword tls_cert_subject 
This keyword is a replacement for tls.subject.
 9 years ago
Mats Klepsland 9b2717799c tls: add (mpm) keyword tls_cert_issuer 
This keyword is a replacement for tls.issuerdn.
 9 years ago
Victor Julien f1117ba2dc iponly: fix unittests 9 years ago