Some events we retrieved from error messages are flag now, so check
those. Not all can be converted though. These are no longer set:
HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE
HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT
Part of Bug #982.
We have follow TCP RFC (http://tools.ietf.org/html/rfc793#section-3.4).
There is two cases depending on wether the original packet contains a
ACK.
If packet has no ACK, the RST seq number is 0 and the ACK is built the
standard way.
If packet has a ACK, the seq of the RST packet is equal to the ACK of
incoming packet and the ACK is build using packet sequence number and
size of the data.
Regarding standard Ack number, it is computed using seq number of captured
packet added to packet length. Finally 1 is added so we respect the
RFC:
If the ACK control bit is set this field contains the value of the
next sequence number the sender of the segment is expecting to
receive. Once a connection is established this is always sent.
With this patch we have some correct results. With the following rule:
reject ssh any any -> 192.168.56.3 any (msg:"no SSH way"; sid:3; rev:1;)
ssh connection to 192.168.56.3 is correctly resetted on client side.
But this is not perfect. If we have the following rule:
reject tcp any any -> 192.168.56.3 22 (msg:"no way"; sid:2; rev:1;)
then the connection is not resetted on a standard ethernet network. But
if we introduce 20ms delay on packets, then it is correctly resetted.
This is explained when looking at the network trace. The reset is sent
as answer to the SYN packet and it is emitted after the SYN ACK from
server because the exchange is really fast. So this is discarded by the
client OS which has already seen a ACK for the same sequence number.
This should fix#895.
This patch update reject code to send the packet on the interface
it comes from when 'host-mode' is set to 'sniffer-only'. When
'host-mode' is set to 'router', the reject packet is sent via
the routing interface.
This should fix#957.
This variable can be used to indicate to suricata that the host
running is running as a router or is in sniffing only mode.
This will used at least to determine which interfaces are used to
send reject message.
Split threads.h into several files, where each of these files defines
all lock types and macro's.
threads.h defines the normal case
threads-debug.h defines the debug variants
threads-profile.h defines the lock profiling variants
Finally, threads-arch-tile.h moves the Tilera specifics out
This patch is an implementation of parallel check of files. It uses
GNU parallel to run multiple spatch at once.
The concurrency level is set via the CONCURRENCY_LEVEL environment
variable.
Thresholds and suppression can be handled independently. Suppression
only suppresses output, and is not related to Threshold state tracking.
This simplifies mixing suppression and thresholding rules.
Part of the Bug #425 effort.
On Tile, replace pthread_mutex_locks with queued spin locks (ticket
locks) for dataplane processing code. This is safe when running on
dataplane cores with one thread per core. The condition variables are
no-ops when the thread is spinning anyway.
For control plane threads, unix-manager, stats-logs, thread startup,
use pthread_mutex_locks. For these locks replaced SCMutex with SCCtrlMutex
and SCCond with SCCtrlCond.
app-layer-parser.c: In function ‘AppLayerPPTestData’:
app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable]
int dir = 0;
^
Changed the signature sorting code to use a a single merge sort instead
of the multiple pass sorting that was being used. This reduces startup
time on Tile by a factor of 3.
Also replace the user array of pointers to ints with a simpler array of
ints.
Removed a flag parameter introuced earlier to indicate the data
that is first acceptable by the parser. We now use a differently
named parameter to carry out the same activity.
The logic we use currently is if we have already sent some data to
a parser before we figure out we have a proto mismatch, we use the
proto from the first direction from which we have already sent the
data to the parser, else we stick to the the to client direction.
Now we can specify alproto, ip_proto combinations this way
alert dns (ip_proto:[tcp/udp];)
alert ip (app-layer-protocol:dns;)
alert ip (app-layer-protocol:dns; ip_proto:tcp;)
alert tcp (app-layer-protocol:dns:)
so on. Neater than using dnstcp/dnsudp.
This is related to feature #424.
Victor Julien
Eric Leblond
Anoop Saldanha
Ken Steele