Commit Graph

10773 Commits (b0298dd0468f150229f9021ebe9c438bc2b7cecf)

Author SHA1 Message Date
Philippe Antoine 717e51b7cf defrag: fix integer warnings
Ticket: #4516
3 years ago
Philippe Antoine 2d761810db rust: cbindgen first verifies existing bindings
So as not to recompile every C file including rust.h
3 years ago
Philippe Antoine ced96a8aad detect: parsing avoiding infinite loop
by comparing size_t to strlen result
Instead of uint16_t which would loop

Ticket: #5310
3 years ago
Philippe Antoine 875eb58fb0 file: use functions on fd to avoid toctou
Ticket: #5308
3 years ago
Philippe Antoine ecb8dd4de0 util: check for unsigned overflow in rohash
To make CodeQL happy
3 years ago
Jason Ish adda8801d8 conf: remove ConfGetValue
All uses of ConfGetValue are satisfied by ConfGet
3 years ago
Philippe Antoine 5bd19135b0 util: remove malloc from streaming buffer config
as it is unused
3 years ago
Victor Julien ebf0629615 log-pcap: remove tunnel locks
The tunnel lock mutex only "protects" the tunnel synchronization,
not the packet data, length or datalink fields.
3 years ago
Victor Julien e7ab96c389 nflog: fix datalink compile issue 3 years ago
Juliana Fajardini 43d28f251f util/action: convert unittests to FAIL/PASS API
Task #5371
3 years ago
Juliana Fajardini 9b9b6aa2ce util/action: unittests clean-up (to sv tests)
Removing all unittests that work better as suricata-verify tests.

Task #5371
3 years ago
Victor Julien 4ed6c928aa unittest: minor helper cleanup 3 years ago
Victor Julien 41b5364511 detect/parse: cleanup test 3 years ago
Victor Julien a437dde739 detect: parsing test cleanups/improvements 3 years ago
Victor Julien e738b10e23 host-os-info: add test to show mixed ipv4/ipv6 3 years ago
Victor Julien f3d887310c rule/vars: clean up tests 3 years ago
Victor Julien 1b65af2867 detect/iponly: minor code cleanup 3 years ago
Victor Julien beecc1890f detect/iponly: include postmatch in determination 3 years ago
Victor Julien 4b097460c2 detect/iponly: simplify handling of 'any' parsing 3 years ago
Victor Julien ffef10c5d7 detect: address parsing variable rename to match code style 3 years ago
Victor Julien 51ef6f4e3a detect/iponly: remove unused code 3 years ago
Victor Julien f4f63ebff8 stream: add packet header outside of lock 3 years ago
Victor Julien 419920288c log/pcap: open handles outside of lock 3 years ago
Scott Jordan c751c45850 log/pcap: add buffer timeout
Set timeout for pcap log so that packets do not sit
in buffer. Set default to one second.
3 years ago
Scott Jordan 2bf3172dd1 stream: memcap tracking for TcpSegment alloc 3 years ago
Eric Leblond 47a5e6356d log/pcap: handle case of multiple link types 3 years ago
Eric Leblond 2c2fc6cd91 flow: set datalink for pseudo packet
Set pseudo packet datalink to the global one. This fixes the case
where the pcap handle is open with information coming from a
pseudo packet. Without this, we did end up in most cases with
an Ethernet packet being written in a Raw pcap.
3 years ago
Eric Leblond 1c2fba57f8 suricata: introduce global linktype
As Suricata is not supporting pcap-ng we have to stick with one single
datalink type for the capture if ever we want to do pcap logging.
Assuming this, this patch introduces a function to set the link
type globally. This will be used with pcap conditional logging
to get the logging of TCP segments with the correct link type.
3 years ago
Eric Leblond 584136ecb7 log/pcap: log segments for pseudo packets 3 years ago
Eric Leblond 8f0ef48e82 log/pcap: fix conditional pcap in tag mode
We were missing the first packet when using conditional pcap logging
in tag mode as it was not tagged. As a result we were not getting
the stream data triggering the alert in the pcap file.
3 years ago
Eric Leblond 9f4d59b3f7 detect/tag: add a tag for first packet
We may need to know that a packet has been tagged but is the
first one (and thus is not tagged).
3 years ago
Scott Jordan 6cfc3343e7 log/pcap: dump segments of both sides of tcp session.
This patch updates tcp segment dumping to dump segments
from both sides of the session in order when capturing
alerts and tags.
3 years ago
Eric Leblond faab853685 log/pcap and eve/alert: get pcap filename to support multi mode
This patch adds a function to get the current pcap file name that
will be used for the current packet. This patch also updates EVE
alerts to add the pcap output filename when pcap capture is done in
multi or normal mode.
3 years ago
Eric Leblond 2317fd83ef log/pcap: fix typo in error message 3 years ago
Eric Leblond 3908166f91 stream: count realloc in memcap
TCP memory cap was not taking into account the memory that can
be used by realloc of Packet headers in TCP segments.
3 years ago
Eric Leblond 0f14c55e52 log/pcap: update copyright date 3 years ago
Eric Leblond 58ef7bcdee log/pcap: introduce tag as logging condition
This patch adds the tag as logging condition. If this option is
used all tagged packets are written to the pcap.
3 years ago
Eric Leblond 626fce0712 log/pcap: fix some indentation and white spaces 3 years ago
Eric Leblond cc04eef007 log/pcap: add support for tunnel logging
In alert mode, we need to write the root packet to the pcap
file instead of the packet that did trigger the alert.
3 years ago
Eric Leblond e7b1c52c1c log/pcap: add existing stream logging
This patch updates the alert mode of pcap logging.

It uses the packet header data added to the TCP segments
to build packets corresponding to the acked data that did trigger
the alert. It then writes them to the pcap file before starting to
dump all packets for the flow that did alert.
3 years ago
Eric Leblond b416a4455c stream: conditionally add packet header to segment
This patch optionally adds a packet header to the TCP segment
and updates the for-each-segment function by changing the
callback.

This patch is based on the work by Scott Jordan <scottfgjordan@gmail.com>
3 years ago
Eric Leblond 435557ee7f detect: add flag when packet is first with alert
We add a flag to packet to be able to know if this packet was the
first one to get alerts on the flow.
3 years ago
Eric Leblond 412ca5d64c log/pcap: add PcapWrite function
It will be used later when multiple writing operations will be
necessary.
3 years ago
Eric Leblond 4cab5e5262 log/pcap: conditional logging
Add an option to only write to pcap packets with alerts and flow
that have alerted.
3 years ago
Jason Ish 3ea6572e22 rules: use primary default-rule-path if set on command line
When reloading rules, respect `--set default-rule-path=...` from the
command line if set.

Previously the rule reload would always take the default-rule-path from
the configuration file, even if overridden on the command line.

Issue: #1911
3 years ago
Juliana Fajardini 28ac75b505 detect/alert: directly increment alerts.discarded
In the unlikely case of AlertQueueExpand failure, we were incrementing
the discarded alerts stats in AlertQueueAppend via the Packet member in the
DetectEngineThreadCtx, which may not be initialized yet.

Bug #5353
3 years ago
Philippe Antoine 3051f7f23f protodetect: use both directions over UDP
As is already done for TCP

Ticket: #2757
3 years ago
Philippe Antoine edd163252d protodetect: be more tolerant
Do not mask protocols on both directions with only first packet

For instance:
When the first packet is not valid DNS but on port 53 (a junk request),
the second packet (error response from server) does not get checked for DNS
as the first packet bit-masked away DNS for both directions.

Ticket: #2757
3 years ago
Arne Welzel b6407c4253 stacktrace-on-signal: Use kill(getpid(), sig_num)
kill(0, ...) re-raises the signal to every process in the process
group, which may impact unrelated processes.

Concretely, in our CI pipeline, a segfaulting Suricata process killed
the test driver.
4 years ago
Victor Julien 91b54f180d stream/segtree: improve docs, error handling 4 years ago
Victor Julien 5c76f787f9 streaming/buffer: add debug validation for 'impossible' condition 4 years ago
Victor Julien 79f0f2fde4 app-layer: make registration structure more compact 4 years ago
Victor Julien a57010d72d htp: minor format string fixes 4 years ago
Victor Julien 24d231315b datasets: constify some function args 4 years ago
Victor Julien 3444aec724 time: reduce scope of static string 4 years ago
Victor Julien 80124152c6 threshold: constify detect engine arg 4 years ago
Victor Julien 18e4e032db thash: reduce scope for var; suggested by cppcheck 4 years ago
Victor Julien 55de18c675 spm: constify badchars; suggested by cppcheck 4 years ago
Victor Julien 99f212bc8c radix: small cppcheck suggested cleanup 4 years ago
Victor Julien 750fed2101 packetpool: minor cleanup 4 years ago
Victor Julien 7b592076ff stream: minor code cleanups suggested by cppcheck 4 years ago
Victor Julien 65f54024d3 defrag: minor code cleanups suggested by cppcheck 4 years ago
Victor Julien 404face284 output/flow: no double var init 4 years ago
Victor Julien f9a5ceb0d8 smtp: minor code cleanup 4 years ago
Victor Julien a5df176956 app-layer: minor code cleanups suggested by cppcheck 4 years ago
Victor Julien 4403e7fe8e app-layer/expectation: reduce scope and init vars 4 years ago
Victor Julien 6c3222dee6 ftp: code clarifications
src/app-layer-ftp.c:945:49: style: Parameter 'ftp_state' can be declared with const [constParameter]
static FTPTransaction *FTPGetOldestTx(FtpState *ftp_state, FTPTransaction *starttx)
                                                ^
4 years ago
Victor Julien d484d0b45b util/byte: minor cleanup 4 years ago
Victor Julien 1957c46efc threads: remove unused code; wrap in guards 4 years ago
Victor Julien e593dda356 threads: remove unused function 4 years ago
Victor Julien b55c8909c3 unittests: wrap unittest registration in guards 4 years ago
Victor Julien 905050a053 app-layer/profiling: hide profiling code behind guards 4 years ago
Victor Julien 93050c26b3 app-layer/events: remove unused function 4 years ago
Victor Julien 893ba84c0e output/frames: fix eof var overwrite 4 years ago
Victor Julien 1282b179cc stream/reassembly: reduce scope of variable 4 years ago
Victor Julien 3f375fd444 stream/buffer: remove redundant check 4 years ago
Victor Julien 002b335b4a decode/checksums: constify pointer args 4 years ago
Victor Julien 350be6cbac detect/state: address cppcheck warnings
src/detect-engine-state.c:127:91: style: Suspicious calculation. Please use parentheses to clarify the code. The code ''a&b?c:d'' should be written as either ''(a&b)?c:d'' or ''a&(b?c:d)''. [clarifyCalculation]
    DetectEngineStateDirection *dir_state = &state->dir_state[direction & STREAM_TOSERVER ? 0 : 1];
                                                                                          ^
src/detect-engine-state.c:194:53: style: Suspicious calculation. Please use parentheses to clarify the code. The code ''a&b?c:d'' should be written as either ''(a&b)?c:d'' or ''a&(b?c:d)''. [clarifyCalculation]
    de_state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].filestore_cnt += file_no_match;
                                                    ^
src/detect-engine-state.c:201:57: style: Suspicious calculation. Please use parentheses to clarify the code. The code ''a&b?c:d'' should be written as either ''(a&b)?c:d'' or ''a&(b?c:d)''. [clarifyCalculation]
    if (de_state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].filestore_cnt == sgh->filestore_cnt)
                                                        ^
4 years ago
Victor Julien 4feb0529a4 detect/file: minor code cleanup
Reduce scope where possible. Suggested by cppcheck.
4 years ago
Victor Julien a535cc5a25 runmodes: fix more warnings 4 years ago
Victor Julien f0479987ff memcmp: no-simd no case loop can scan forward 4 years ago
Victor Julien 0fc7ba45aa memcmp: use SCMEMCMP_BYTES everywhere; general cleanups 4 years ago
Victor Julien 87c5d69437 memcmp: work around GCC 12+ 'blend' issues
Since GCC 12 the memcmp code using `_mm_blendv_epi8` failed to work.
Inspection of the disassembled objects suggests that it simply omits
the instruction on systems that are not AVX512 capable. On AVX512
it does replace it with VPCMPB logic that appears to work.

Luckily our use of blend is actually unnecessary. A simple AND is sufficient.

Bug: #5312.
4 years ago
Victor Julien ca97ed4436 memcmp: remove unreachable code from memcmp simd
cppcheck:

src/util-memcmp.h:281:18: warning: Identical condition 'len-offset<16', second condition is always false [identicalConditionAfterEarlyExit]
        if (diff < 16) {
                 ^
src/util-memcmp.h:280:24: note: 'diff' is assigned value 'len-offset' here.
        int diff = len - offset;
                       ^
src/util-memcmp.h:269:33: note: If condition 'len-offset<16' is true, the function will return/exit
        if (likely(len - offset < 16)) {
                                ^
src/util-memcmp.h:281:18: note: Testing identical condition 'len-offset<16'
        if (diff < 16) {
                 ^
src/util-memcmp.h:344:18: warning: Identical condition 'len-offset<16', second condition is always false [identicalConditionAfterEarlyExit]
        if (diff < 16) {
                 ^
src/util-memcmp.h:343:24: note: 'diff' is assigned value 'len-offset' here.
        int diff = len - offset;
                       ^
src/util-memcmp.h:318:33: note: If condition 'len-offset<16' is true, the function will return/exit
        if (likely(len - offset < 16)) {
                                ^
src/util-memcmp.h:344:18: note: Testing identical condition 'len-offset<16'
        if (diff < 16) {
                 ^
src/util-memcmp.h:171:18: warning: Identical condition 'len-offset<16', second condition is always false [identicalConditionAfterEarlyExit]
        if (diff < 16) {
                 ^
src/util-memcmp.h:170:24: note: 'diff' is assigned value 'len-offset' here.
        int diff = len - offset;
                       ^
src/util-memcmp.h:159:33: note: If condition 'len-offset<16' is true, the function will return/exit
        if (likely(len - offset < 16)) {
                                ^
src/util-memcmp.h:171:18: note: Testing identical condition 'len-offset<16'
        if (diff < 16) {
                 ^
src/util-memcmp.h:233:18: warning: Identical condition 'len-offset<16', second condition is always false [identicalConditionAfterEarlyExit]
        if (diff < 16) {
                 ^
src/util-memcmp.h:232:24: note: 'diff' is assigned value 'len-offset' here.
        int diff = len - offset;
                       ^
src/util-memcmp.h:208:33: note: If condition 'len-offset<16' is true, the function will return/exit
        if (likely(len - offset < 16)) {
                                ^
src/util-memcmp.h:233:18: note: Testing identical condition 'len-offset<16'
        if (diff < 16) {
                 ^
4 years ago
Victor Julien 9bdf18a3b0 detect/iponly: fix debug compiler warning 4 years ago
Victor Julien 07bf921451 ftp-data: fix direction for active mode commands
Set correct direction for PORT mode, where the server connects
to the client.

The direction is not also strictly enforced. No data in the wrong
direction will be accepted to setup the file or to be added to the
file after setup.

This also fixes files getting closed twice.

Adds some general cleanups.

Bug: #3542.
4 years ago
Philippe Antoine 94bcba4ea3 template: convert GetTx to SCLogDebug
as it is especially verbose for fuzzing
4 years ago
Philippe Antoine 73ed780095 decode: fix integer warnings
Ticket: 4516
4 years ago
Jason Ish 9645285dff ftp: truncate first segment if over max length
The first segment was not limited to the configured maximum line length
allowing it to be up to 65k. This could result in the next input length
being negative, which while handled properly by the code, did trigger a
debug validation assertion.

The fix is to be consistent and apply the limit to the first segment as
well, which does ensure the input_len could never be less than 0.

Ticket #5281
4 years ago
Jason Ish d712a8b29d eve/dns: remove dns v1 logging
DNS v1 logging was scheduled for removal in May 2022.

Ticket: #4157
4 years ago
Juliana Fajardini 192360aa05 detect: update copyright years 4 years ago
Juliana Fajardini 29b5f68bf0 assorted: fix low hanging typos 4 years ago
Juliana Fajardini 877b32c1e4 detect/stats: log out total of suppressed alerts
Related to
Task #4943
Task #5179
4 years ago
Juliana Fajardini 8616c90fe7 detect/stats: log out total of discarded alerts
Add a counter to our stats log with the total of alerts that have been
discarded due to packet alert queue overflow.

Task #5179
4 years ago
Juliana Fajardini 9b275d3878 detect/alert: move apply-action-flow code to func
Trying to clean PacketAlertFinalize a bit more.
4 years ago
Juliana Fajardini e4e688a9b0 detect/alert: remove unused functions
Since we now only copy the PacketAlerts to the Packet's queue after
processing them, we no longer do packet alert appending from
detect-engine-alert, nor do we remove PacketAlerts from the queue (if
they're discarded by overflow or thresholding, they're not copied to the
final alert queue).

Task #4943
4 years ago
Juliana Fajardini 185b43edff detect/alert: preprocess then append alert queue
Do all alert queue processing before actually appending
the PacketAlerts to the Packet's alert queue.

Task #4943
4 years ago
Juliana Fajardini a85340b1ab detect/alert: use tx id in alert if frame has it
Task #4943
4 years ago
Juliana Fajardini aa547a8de3 detect/engine: use alert queue from det_ctx
Task #4943
4 years ago
Juliana Fajardini 88805f03ee detect/alert: add infra for new alert queue
Initial work to bring part of the alert queue processing to
DetectEngineThreadCtx.

Task #4943
4 years ago