aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,473 Commits
8 Branches
154 Tags
166 MiB
dependabot/github_actions/github/codeql-action-3.26.13
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a7a77e32ca'
${ noResults }
Commit Graph

4473 Commits (a7a77e32cac298a64c6c2ea5d30d4dc37ef3f5bc)
 

Author SHA1 Message Date
Victor Julien a7a77e32ca Convert classtype keyword to pcre_copy_substring 11 years ago
Victor Julien 4dd605ae3b Convert reference keyword to pcre_copy_substring 11 years ago
Victor Julien 3f8947ff3d app layer: set event if proto detect disabled for a stream, but we see data anyway. 11 years ago
Victor Julien 7074ca373b proto detection: add limit for one sided sessions 
If a session only has data in one direction, like ftp data sessions,
protocol detection will only run in one direction. This led to a
situation where reassembly would hold all the segments as proto
detection was never flagged as complete.

This patch introduces a limit for protocol detection in this case.
If the limit is reached, detection will give up.
 11 years ago
Victor Julien abccbe13f3 stream: add size debug code 11 years ago
Victor Julien daedb6c557 stream: wait for protocol detection to complete 
Wait for protocol detection to complete before removing segments
from the list.
 11 years ago
Eric Leblond 0460b194b1 decode: clean DecodeThreadVars counter 
Speed counters are not compute anymore and can be removed from the
structure definition.
 11 years ago
Eric Leblond 1bdc39fe9b cmdline: add -k to specify checksum validation 
This patch adds a '-k' option to suricata to be able to specify
the checksum validation to use. If '-k all' is used, checksum
validation is forced. If '-k none' is used, no checksum validation
is made.

Message output in case of detection of a pcap file with a probable
cheksum issue has been updated to indicate that '-k' is a solution.
 11 years ago
Eric Leblond 8b5be26f49 pcap-file: add checksum-checks configuration variable 
This patch adds support for checksum-checks in the pcap-file running
mode. This is the same functionnality as the one already existing for
live interface.

It can be setup in the YAML:
  pcap-file:
    checksum-checks: auto

A message is displayed for small pcap to warn that invalid checksum
rate is big on the pcap file and that checksum-check could
be set to no.
 11 years ago
Eric Leblond b2c58b8d14 Set packet invalid flag during decoding. 
This patch set a new value in pkt->flag to signal that a packet is
invalid during decoding. The patch has been obtained via a coccinelle
transformation.
 11 years ago
Eric Leblond 3088b6ac34 Add invalid pkt counter. 
This patch adds and increments a invalid packet counter. It
does this by introducing PacketDecodeFinalize function

This function is incrementing the invalid counter and is also
signalling the packet to CUDA.
 11 years ago
Victor Julien 92568c3857 Fix parsing of 'custom' detect grouping values 
Also, add error checking

Bug 892
 11 years ago
Victor Julien ffe4a302a1 vars: optimize layout to reduce size requirements of flowbits and other vars 11 years ago
Victor Julien 3e604b8703 pcre: parsing cleanup 
Remove all flags indicating the buffer type. They were only used
at parse time.

Because of this the DetectPcreData_ structure could shrink to 32
bytes.
 11 years ago
Victor Julien ab22385083 stream: minor clean up of TcpSession structure 11 years ago
Victor Julien 866b3a1c5d content: reorder DetectContentData member, shrinking the struct from 64 to 48 bytes. 11 years ago
Victor Julien 277fb61c1d defrag: clean up 
Rename PacketDefragPktFinishSetup to PacketDefragPktSetupParent to
better refect it's function.
 11 years ago
Eric Leblond 3fdf52239d defrag: don't modify packet if defrag fails 
If defrag fails dur to an invalid decoding, we are not modifying
the origin packet anymore.
 11 years ago
Eric Leblond c611b258a5 decode: PacketTunnelPktSetup replaces PacketPseudoPktSetup 
This patch replaces PacketPseudoPktSetup by a better named
PacketTunnelPktSetup function which is also in charge of doing
the decoding of the tunneled packet.
This allow to clean the code. But it also fixes an issue.
Previously, if the DecodeTunnel function was failling (cause of
an invalid packet mainly), the result was that the original packet
to be considered as a tunnel packet (and not inspected by payload
detection).
 11 years ago
Eric Leblond d4b7ecfbe3 decode: update API to return error 
In some cases, the decoding is not possible and some really invalid
packet can be created. This is in particular the case of tunnel. In
that case, it is more interesting to forget about the tunneled
packet and only consider the original packet.

DecodeTunnel function is maked as warn_unused_result because it is
meaningful for the decoder to know if the underlying data were not
correct. And in this case, only focus detection on the content.
 11 years ago
Victor Julien 0b0e9340dc rule setup: cleanup 
Remove rule preparation logic that ran, but it's results were not
used.
 11 years ago
Victor Julien 2be6829986 Convert dsize keyword parsing to use pcre_copy_substring 11 years ago
Victor Julien dcc75acdec Convert pcre keyword parsing to use pcre_copy_substring 11 years ago
Victor Julien 1f69da80bf rule parser: convert to use pcre_copy_string 11 years ago
Victor Julien d397ed94c5 detect: use macro for max rule size 11 years ago
Victor Julien 9d35855a95 Convert flowbits keyword parsing to use pcre_copy_substring 11 years ago
Victor Julien beab8d401c Convert flow keyword parsing to use pcre_copy_substring 11 years ago
Victor Julien 223fedb8fe Convert ParseSizeString to use pcre_copy_substring 11 years ago
Victor Julien 3f4ce6dadd rule parser: don't use uninitialized value 11 years ago
Giuseppe Longo f03278d132 feature #417: add support for configuration per host timeout value 11 years ago
Victor Julien 54610cb4a4 rule parsing cleanups 
Clean up usage of array of pointers to the various parts of a rule.
 11 years ago
Victor Julien 67989e7e4e rule parsing: reduce mallocs and clean up 
Reduce mallocs during rule parsing. Also, no longer recursively
call the option parse function.
 11 years ago
Victor Julien 2ce8895f0a address and port: reduce memory allocs 11 years ago
Jason Ish 06f4fe8e0c Remove the single line if statements. 11 years ago
Jason Ish 8625c9eba8 Support for configuration include files. 11 years ago
Victor Julien e7f6107e79 signature address parsing improvements and tests 
Fix sigatures not supporting [10.0.0.0/24, !10.1.1.1] notation when
used directly in a rule instead of through a variable.

Add tests for Bugs #815 and #920.
 11 years ago
Victor Julien 614133b4ca valgrind: add suppression file 11 years ago
Victor Julien 3521c37d4a http: use body limit in inspection 
When inspecting HTTP bodies there are several limits involved.
In this patch the reaching of the body limit will trigger body
inspection.

Without this, the body would only be inspected when inspection
limits "request-body-minimal-inspect-size" or
"response-body-minimal-inspect-size" were reached. If the body
limit was smaller than this value, the body would only be
inspected at the end of the tx or stream.
 11 years ago
Victor Julien 493d531ae8 Fix using uninitialized memory (Bug #994) 11 years ago
Eric Leblond 9bbcc8671e util-ioctl: ioctl error should be a warning 11 years ago
Eric Leblond 286258df86 pcap: add warning about GRO and LRO usage 
Use the new GetIfaceOffloading function to display a warning message
if pcap capture is used on Linux with GRO or LRO activated. This is
helpful for kernel after 2.6.31 were pcap will use mmaped capture.
TPACKET_V2 is used and this limit the size of the packet resulting
in truncated packets when merged packets are received.
 11 years ago
Eric Leblond 2855ee5aef af-packet: add warning message if LRO or GRO are set 
This patch query the network interface to detect if LRO or GRO are
used in mmap TPACKET_V2 mode.
 11 years ago
Eric Leblond fcc8759561 util-ioctl: add GRO/LRO detection capabilities 
This patch adds a new function GetIfaceOffloading which return 0
if LRO and GRO are not set on a interface and 1 if not the case.
 11 years ago
Eric Leblond 008ed41cb4 util-ioctl: minor code cleaning. 
Fix author e-mail and simplify an indentation.
 11 years ago
Eric Leblond 853732210e pfring: improve error reporting at device opening 
This patch improves the error message displayed if pfring_open fails.
 11 years ago
Victor Julien 5330b1cae1 detect: don't consider smsgs for no inspect flag 
When the PKT_NOPAYLOAD_INSPECTION flag is set, don't apply it to smsgs.
This way we can still inspect the outstanding smsgs.

The PKT_NOPAYLOAD_INSPECTION is set for encrypted traffic, and is combined
with disabling stream reassembly. So we only inspect the smsgs up to the
point of the disable detection point.
 11 years ago
Victor Julien ab7677638e stream: improve raw reassembly 
When checking the reassembly limit for raw reassembly, consider the
STREAMTCP_STREAM_FLAG_NOREASSEMBLY a trigger immediately. We won't
process any more segments in the reassembly engine anyway.
 11 years ago
Victor Julien e392c0a4ce Fix autofp flow queue handler optimization 11 years ago
Victor Julien 480fddd189 build-info: add a nicer way of printing atomics support 11 years ago
Victor Julien ce120d4927 flow: aligned flow balance structures (used by autofp) to CLS to reduce false sharing 11 years ago