Commit Graph

9429 Commits (932c2a7ec5e75451a813c7a70281a9df762e9ab7)

Author SHA1 Message Date
Victor Julien 932c2a7ec5 eve: fix missing decoder-events in stats
In the eve log the decoder events are added as optional counters. This
behaviour is enabled by default. However, lots of the counters are
missing, as the names collide with other counters.

E.g.

decoder.ipv6 counts ipv6 packets
decoder.ipv6.unknown_next_header counts how often an unknown next
    header is encountered.

In this example 'ipv6' would be both a json integer and a json object.
It appears that jansson favours the first that is generated, so the
event counters are mostly missing.

This patch registers them as 'decoder.events.<event>' instead. As
these names are generated on the fly, a hash table to contain the
allocated strings was added as well.
7 years ago
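As an added illustration of the collision the commit above describes (this is not Suricata's or jansson's code): a small first-one-wins JSON builder that nests dotted counter names, applied to a constructed set of counters where a per-protocol packet counter and a decoder event share the `decoder.ipv6` prefix, and then to the same counters after the events are renamed to `decoder.events.<event>`. The counter names, values and the `nest_counters`/`rename_events` helpers are assumptions made for the example.

```python
"""Added example (not Suricata code): why dotted counter names collide when
flattened into nested JSON, and what the 'decoder.events.<event>' rename
changes. Counter names and values are constructed for illustration."""
import json


def nest_counters(counters):
    """Turn {'a.b.c': 1} into {'a': {'b': {'c': 1}}} the way a first-one-wins
    JSON builder would. Returns (tree, dropped); 'dropped' lists the names
    that could not be placed because a prefix was already a scalar leaf, or
    the leaf name was already taken (by an object or a scalar)."""
    tree = {}
    dropped = []
    for name, value in counters.items():
        parts = name.split(".")
        node = tree
        ok = True
        for part in parts[:-1]:
            child = node.get(part)
            if child is None:
                child = node[part] = {}
            elif not isinstance(child, dict):
                ok = False          # prefix already used as a scalar counter
                break
            node = child
        leaf = parts[-1]
        if ok and leaf in node:
            ok = False              # key already present: first one wins
        if ok:
            node[leaf] = value
        else:
            dropped.append(name)
    return tree, dropped


def rename_events(counters, event_names):
    """The fix: register decoder events as 'decoder.events.<event>' so they
    never share a prefix with the per-protocol packet counters."""
    out = {}
    for name, value in counters.items():
        if name in event_names:
            out["decoder.events." + name[len("decoder."):]] = value
        else:
            out[name] = value
    return out


# Constructed sample: packet counters plus two decoder events.
COUNTERS_BEFORE = {
    "decoder.ipv6": 1200,
    "decoder.ipv6.unknown_next_header": 3,
    "decoder.ipv4": 5000,
    "decoder.ipv4.opt_invalid_len": 1,
}
EVENT_NAMES = {"decoder.ipv6.unknown_next_header",
               "decoder.ipv4.opt_invalid_len"}

if __name__ == "__main__":
    tree, dropped = nest_counters(COUNTERS_BEFORE)
    print(json.dumps(tree, indent=2))
    print("dropped before fix:", dropped)
    fixed, dropped = nest_counters(rename_events(COUNTERS_BEFORE, EVENT_NAMES))
    print(json.dumps(fixed, indent=2))
    print("dropped after fix:", dropped)
```

With the original names both event counters are dropped because `ipv6` and `ipv4` are already integers by the time the events are reached; the reverse order would instead drop the packet counters, so the outcome depends on generation order either way. Moving events under their own `decoder.events` subtree removes the shared prefix and nothing is lost.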
Victor Julien 0f1fc1f0c8 hash: move string hash funcs into util files 7 years ago
Victor Julien c140505bec decoder: add gre over ipv6 support 7 years ago
Victor Julien 8709a20d94 af-packet: minor code cleanups 7 years ago
Victor Julien c99dc5a7bf af-packet: re-enable sync for tpacket v2
Synchronize start was disabled for v2 when v3 was introduced, without
a reason being given.

Re-enable as v2 will otherwise also start reading packets before the
other threads are set up. This will lead to hashing issues.

Part of bug #2788.
7 years ago
Victor Julien cebbe06f70 af-packet: fix sync start for tpacket v3
The tpacket-v3 implementation of the synchronize start logic would
not correctly consider the timestamp parameter, leading to threads
starting before synchronization between threads was complete.

Bug #2788
7 years ago
Alexander Gozman 03af3e1ed8 nfqueue: inject fake packet on timeout
Fixes nfqueue and delayed-detect.

On systems with a small amount of traffic (or with no traffic at all)
nfqueue with 'delayed-detect' enabled hung in 'workers' mode.

Bug #2362.
7 years ago
Pascal Delalande f2dca46382 doc: fix minor typo 7 years ago
Eric Leblond a51d1f7c46 lua: add lua dir with example to make dist 7 years ago
Eric Leblond 2b72dfaf01 coccinelle: add missing tests to make dist 7 years ago
Eric Leblond 0e3b1eba86 util-binsearch: remove the files 7 years ago
Eric Leblond 7a121d9b4c doc: add _static dir to make dist 7 years ago
Eric Leblond 97da91dc5e ebpf: include files in make dist 7 years ago
Victor Julien b51e4a3959 changelog: update for 4.1.2 release 7 years ago
Victor Julien 8b570c0293 smb: improve request/response mapping
Only use ssn_id and msg_id for mapping a response to a request.

By not using the tree_id it can always be included in the tx.hdr which
means it can be logged properly in case of IOCTL and DCERPC.
7 years ago
Travis Green 6f5eb487a1 doc: add missing and fix 404 for --list-keywords 7 years ago
Travis Green c2adb9e669 doc: added tos keyword
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2583
7 years ago
Philippe Antoine 7fca771ef4 Fixes other affected tests for smtp pipelining
Either checking state has pipelining
Or removing pipelining from input
7 years ago
Philippe Antoine 447c1042f4 smtp: improve pipelining support
Fixes #1863
7 years ago
Victor Julien 8357ef3f8f proto/detect: workaround dns misdetected as dcerpc
The DCERPC UDP detection would misfire on DNS with transaction
ID 0x0400. This would happen as the protocol detection engine
gives preference to pattern based detection over probing parsers for
performance reasons.

This hack/workaround fixes this specific case by still running the
probing parser if DCERPC has been detected on UDP. The probing
parser result will take precedence.

Bug #2736.
7 years ago
Victor Julien 11f3659f64 teredo: be stricter on what to consider valid teredo
Invalid Teredo can lead to valid DNS traffic (or other UDP traffic)
being misdetected as Teredo. This leads to false negatives in the
UDP payload inspection.

Make the teredo code only consider a packet teredo if the encapsulated
data was decoded without any 'invalid' events being set.

Bug #2736.
7 years ago
Victor Julien e30212c5d8 detect: fix crash during startup with malformed yaml
detect-engine:
  custom-values:
    toclient-groups: 200
    toserver-groups: 200

Bug #2745
7 years ago
Victor Julien 9dd925a46a userguide/install: add rust, python-yaml to ubuntu 7 years ago
Victor Julien 4c8f6b2246 offloading: on bsd, disable rxcsum and v6 variants 7 years ago
Victor Julien fa6b73d1c9 offloading: don't set multiple times per interface
This could happen with netmap igb0->igb0^ IPS mode.
7 years ago
Victor Julien d1fa4a35eb changelog: update for 4.1.1 7 years ago
Victor Julien ad1945aae4 detect: fix content inspection flags
Fix generic inspect function content inspection flags so that
streaming buffers work correctly.
7 years ago
Victor Julien 394e115036 detect/rawbytes: improve error message plus do minor cleanups 7 years ago
Victor Julien f336ba3217 detect/file-data: fix enabling http body tracking 7 years ago
Pierre Chifflier 3eade88bd8 Krb5: make TCP probing function less strict, messages can be fragmented 7 years ago
Victor Julien 3eec088d31 detect/parse: error out on unused sticky buffers 7 years ago
Victor Julien b36e921cf9 detect/prefilter: add closing debug return statement 7 years ago
Victor Julien 1dd81f7346 yaml: add missing eve pcap-file comment 7 years ago
Victor Julien 3a057c5f54 capture: fix mtu plus sign names for non-netmap
Bug #2502.
7 years ago
Victor Julien 31f81429c2 stats: more accurate interval handling
In the stats loop sleep for a time period more closely matching
the stats.interval setting. Fix an off by one that would make
the loop wake up ~1 second early.

Bug #2716
7 years ago
Jason Ish c1238af3e0 check-setup: fix script names for .sh to .py 7 years ago
Jason Ish 56af22803b travis: update rust version to 1.24.1 and 1.31.0.
1.24.1 is now the oldest version we test support for. All major
distributions appear to be at this version or newer.

With the release of 1.31.0 just out, test that as the most
recent version.
7 years ago
Jason Ish d03a5be118 dns json v2 (C) - log rrtype in response
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2723
7 years ago
Jason Ish b7083bc3a8 rust/dns/v2 - log rrtype in response
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2723
7 years ago
Jason Ish b7a58680db dns/rust - if let Some over options instead of loop.
Except in one case where the loop makes more sense for easy break
out.

Also remove one line of non-conforming debug logging.
7 years ago
Jason Ish 4163d5c360 rust/dns/lua - fix call convention to match C.
Also, when requesting the query, if the request doesn't exist,
return the query from the response. This makes it behave
more like C implementation.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2730
7 years ago
Jason Ish 87250da0fc rust/dns: add v1 dns logging
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2704
7 years ago
Victor Julien 9d36182b74 unix: fix deadlock in unix runmode on many cores
Same issue as in 7f8795c756, with the
solution now also applied to the unix socket runmode.

Bug #2734
7 years ago
Victor Julien 8d2883f3fa output/tx: fix multi-instance logger output
Fix transactions not being logged after the first tx logger had
logged.
7 years ago
Victor Julien 0e40231189 app-layer: improve transaction cleanup handling
The app layers with a custom iterator would skip a tx if during
the ..Cleanup() pass a transaction was removed.

Address this by storing the current index instead of the next
index. Also pass in the next "min_tx_id" to be incremented from
the last TX. Update loops to do this increment.

Also make sure that the min_id is properly updated if the last
TX is removed when out of order.

Finally add a SMB unittest to test this.

Reported by: Ilya Bakhtin
7 years ago
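As an added illustration of the failure mode in the commit above (this is not Suricata's own cleanup code): a cleanup pass that fixes its resume index before removing the current transaction skips the entry that shifts into the freed slot, while a pass that resumes from the current index re-examines it. The transaction list, ids, `done` flags and the simplified `min_tx_id` bookkeeping (lowest surviving id, or one past the last id when everything was freed, assuming the list is ordered by id) are assumptions made for the example.

```python
"""Added example (not Suricata code): skipping a transaction when one is
removed during a cleanup pass, and the fix of resuming from the current
index. Transactions and the min_tx_id rule are constructed assumptions."""


def cleanup_skips(txs, is_done):
    """Buggy pass: the index to resume from is chosen *before* the removal,
    so when txs[i] is deleted the entry that shifts into slot i is never
    examined. Mutates and returns txs."""
    i = 0
    while i < len(txs):
        next_index = i + 1              # decided before any removal
        if is_done(txs[i]):
            del txs[i]                  # later entries shift left by one
        i = next_index                  # jumps over the shifted entry
    return txs


def cleanup_fixed(txs, is_done):
    """Fixed pass: keep the current index and only advance when the current
    tx was kept. Returns (txs, min_tx_id), where min_tx_id is the lowest
    live id, or one past the last id if every tx was freed (assumed rule)."""
    last_id = txs[-1]["id"] if txs else 0
    i = 0
    while i < len(txs):
        if is_done(txs[i]):
            del txs[i]
            continue                    # re-examine the entry now at slot i
        i += 1
    min_tx_id = txs[0]["id"] if txs else last_id + 1
    return txs, min_tx_id


def sample_txs():
    # Constructed: ids 1, 2 and 4 are complete, tx 3 is still in progress.
    return [{"id": 1, "done": True}, {"id": 2, "done": True},
            {"id": 3, "done": False}, {"id": 4, "done": True}]


def is_done(tx):
    return tx["done"]


if __name__ == "__main__":
    print("buggy:", [t["id"] for t in cleanup_skips(sample_txs(), is_done)])
    live, min_id = cleanup_fixed(sample_txs(), is_done)
    print("fixed:", [t["id"] for t in live], "min_tx_id:", min_id)
```

On the sample list the buggy pass leaves tx 2 behind (it moved into slot 0 after tx 1 was freed and was never looked at), whereas the fixed pass frees 1, 2 and 4 and reports 3 as the lowest live transaction.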
Victor Julien d34e41068f app-layer: fix tx tracking updates in tx cleanup
Fix min_id not getting updated in all cases.

Reported by: Ilya Bakhtin
7 years ago
Victor Julien e62e4bdc49 app-layer: add debug statements to tx cleanup logic 7 years ago
Victor Julien 37203c98a1 unittests/app-layer: add helper to get app tx trackers 7 years ago
jason taylor fc395eb2c5 userguide: updated hyperscan version reference
Signed-off-by: jason taylor <jtfas90@gmail.com>
7 years ago
Travis Green 3539ae3041 Updated link for Prelude SIEM
Updated link for Prelude SIEM to https://www.prelude-siem.org/
7 years ago