Commit Graph

8581 Commits (b9cf49e933d8216e31136ec4b64fc46653d6d729)
 

Author SHA1 Message Date
Victor Julien 17c4623975 thresholds: simplify config parsing 8 years ago
Victor Julien 2a237bdfca detect: make glob.h optional
glob.h is not available on MinGW.

Simply use the input on the rule list as a literal pattern.
8 years ago
Victor Julien e1d1a7f2ac detect: fix flow bypass flag handling 8 years ago
Victor Julien ddd3c0b1df detect/analyzer: formatting fixup 8 years ago
Victor Julien e86c3f0a40 detect: constify rule group lookup 8 years ago
Victor Julien a9ee041984 detect: minor profiling cleanup 8 years ago
Victor Julien 26abf5337c detect/mpm: minor cleanup: remove unused function arg 8 years ago
Victor Julien 03274051cf detect-state: minor cleanups 8 years ago
Victor Julien c79b9cb317 detect: constify address match functions 8 years ago
Victor Julien 63291d0f01 detect: style cleanup 8 years ago
Victor Julien 64aec6aaea app-layer: minor cleanup 8 years ago
Victor Julien 66530c6179 app-layer: cleanup: use true bool type for 'logger' 8 years ago
Victor Julien 3fc875955e app-layer: minor cleanups and optimizations
Use flow protomap instead of dynamically converting the ip proto in
each call.

Use const for vars where possible.
8 years ago
Victor Julien 6bea6edec1 stream: minor debug addition 8 years ago
Victor Julien ecfdd57ef8 detect: minor cleanups 8 years ago
Victor Julien 1b08615a1e detect: minor comment cleanup 8 years ago
Victor Julien ac57bd8149 detect: run buffer setup callback before validate 8 years ago
Victor Julien bb65a48edd rust: require at least libc 0.2.33
Required to be higher than 0.2.24 for IPPROTO_UDP. Upgraded to latest
version.
8 years ago
Pierre Chifflier 83808bbdad rust/ntp: convert parser to new registration method
Converting the NTP parser to the new registration method is a simple,
3-step process:
- change the extern functions to use generic input parameters (functions
  in all parsers must share common types to be generic) and cast them
- declare the Parser structure
- remove the C code and call the registration function
8 years ago
Pierre Chifflier 0b07bdf5d9 rust: generate declaration for extern unsafe funcs 8 years ago
Pierre Chifflier e7c0a53cbf rust/applayer: add registration iface for parsers
Add Rust support for the common interface to declare and register all
parsers.

Add a common structure definition to contain all required elements
required for registering a parser, similar to the C interface.
This also reduces the risk of incorrectly registering a parser: the
compiler prevents omitting required functions from the structure, and
functions (even if external) are type-checked. Optional functions are
explicitly marked.
8 years ago
Pierre Chifflier 3edc76533c applayer: add registration interface for parsers
Add a common structure definition to contain all required elements
required for registering a parser.
This also reduces the risk of incorrectly registering a parser: the
compiler will type-check functions.

The registration function allows factorization of the code. It can be
used to register parsers, but is not mandatory.

If extra registration code (for functions not in the structure) is
needed, it is still possible by calling the C functions after the
registration.
8 years ago
Pierre Chifflier 862abd2fe4 applayer: add StringToAppProto
Add StringToAppProto to map a protocol name to an AppProto.

Exposing this function is required to let parsers discover their
AppProto identifier constant dynamically.
For example, a parser can request this value, and use it for
registration without knowing the value.
8 years ago
Pierre Chifflier 7c8bdfd3dd applayer: add typedef for Parsing functions 8 years ago
Victor Julien 6ce45bcf38 pfring: various build issues
pfring.h brings a different version of likely/unlikely that gives
warnings. So make sure we include our own before.

Make sure pfring.h isn't included globally due to apparent redefinition
of pthread_rwlock_t.
8 years ago
Alfredo Cardigliano b6baafb3e3 pfring: hw bypass support
This patch adds support for hw bypass by enabling flow offload in the network
card (when supported) and implementing the BypassPacketsFlow callback.
Hw bypass support is disabled by default, and can be enabled by setting
"bypass: yes" in the pfring interface configuration section in suricata.yaml.
8 years ago
Pascal Delalande ac18ef01c2 NSM: add TTL fields for netflow log 8 years ago
Eric Leblond 7ac6e0afb3 netflow: fix ttl logic
Use a per direction TTL min and max so we can log different values
seen in the two half flows.

Signed-off-by: Eric Leblond <eric@regit.org>
8 years ago
Giuseppe Longo 2e5422df8e netflow: log ttl fields
Netflow entry collects the minimum and maximum
time to live during the life of the incoming flow.

This adds those fields to a netflow event.

Signed-off-by: Eric Leblond <eric@regit.org>
8 years ago
Mats Klepsland 9556d4fef3 doc: add documentation for tls_cert_fingerprint keyword 8 years ago
Mats Klepsland 5e6b8c47df detect: add (mpm) keyword tls_cert_fingerprint
Reimplement keyword to match on SHA-1 fingerprint of TLS
certificate as a mpm keyword.

alert tls any any -> any (msg:"TLS cert fingerprint test";
       tls_cert_fingerprint;
       content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18";
       sid:12345;)
8 years ago
Mats Klepsland 6ab5d42c92 unittests: initialize NSS in unittests runmode
Initialize NSS in unittests runmode when Suricata is compiled with
libnss. Otherwise, calculating SHA-1 sums for TLS fingerprints
will fail.
8 years ago
Victor Julien e60bfc78c1 Open 4.1 development branch 8 years ago
Danny Browning 89b656d8ee unix socket: don't lose events when offline
https://redmine.openinfosecfoundation.org/issues/2215

Fixes issue with events being dropped since socket was non-blocking for
offline run modes.

Add a method for determining offline from run mode. Make sure SCInstance
offline is set correctly. Use current run mode to set socket flags.
8 years ago
Alexander Gozman 63e1371c8b syslog: treat SC_LOG_PERF messages as LOG_DEBUG
SCLogMapLogLevelToSyslogLevel(): treat SC_LOG_PERF messages as LOG_DEBUG

Previously, when logging to syslog, perf events had a default EMERG priority,
which could be a bit confusing.
8 years ago
Wolfgang Hotwagner cb70d85c69 conf: fix NULL-pointer dereference in CoredumpLoadConfig
An empty value for coredump.max-dump in the config-file leads to a segfault because of a NULL-pointer dereference in CoredumpLoadConfig().

Here is a configuration example:

coredump.max-dump: []

This lets suricata crash with a segfault:

ASAN-output:
==9412==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f22e851aa28 bp 0x7ffd90006fc0 sp 0x7ffd90006740 T0)
    0 0x7f22e851aa27 in strcasecmp (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x51a27)
    1 0x5608a7ec0108 in CoredumpLoadConfig /root/suricata-1/src/util-coredump-config.c:52
    2 0x5608a7e8bb22 in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2752
    3 0x5608a7e8c577 in main /root/suricata-1/src/suricata.c:2892
    4 0x7f22e4c622b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    5 0x5608a7a30c59 in _start (/usr/local/bin/suricata+0xc4c59)

Bug #2276
8 years ago
Wolfgang Hotwagner 094632730e conf: fix NULL-pointer dereference in ConfGetInt
If there are empty values in the config-file where integer values are expected, strtoimax in the ConfGetInt-function will segfault because of NULL-pointer dereference.

Here is a configuration example:

pcre.match-limit: []

This will let suricata crash with a segfault.
ASAN-output:

ASAN:DEADLYSIGNAL
=================================================================
==16951==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa690e3ccc5 bp 0x000000000000 sp 0x7ffd0d770ad0 T0)
0 0x7fa690e3ccc4 (/lib/x86_64-linux-gnu/libc.so.6+0x36cc4)
1 0x7fa6946a6534 in strtoimax (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x44534)
2 0x55e0aeba6499 in ConfGetInt /root/suricata-1/src/conf.c:390
3 0x55e0aed2545d in DetectPcreRegister /root/suricata-1/src/detect-pcre.c:99
4 0x55e0aec1b4ce in SigTableSetup /root/suricata-1/src/detect.c:3783
5 0x55e0aeeed58d in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2690
6 0x55e0aeeee4f2 in main /root/suricata-1/src/suricata.c:2892
7 0x7fa690e262b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
8 0x55e0aea92d39 in _start (/usr/local/bin/suricata+0xc7d39)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x36cc4)

This commit fixes Ticket #2275
8 years ago
Wolfgang Hotwagner 2e27a5df6b conf: fix NULL-pointer dereference in ParseSizeString
If someone accidentally writes invalid characters in some parts of the suricata.yaml config file, the size parameter of the ParseSizeString function becomes NULL and gets dereferenced. Suricata crashes with SEGV. This commit fixes Ticket #2274

The following config value leads to a Segfault:
app-layer.protocols.smtp.inspected-tracker.content-inspect-window: *4096
8 years ago
jason taylor f3fea60bae updated links to suricata.readthedocs.io
Signed-off-by: jason taylor <jtfas90@gmail.com>
8 years ago
Victor Julien 664f826f8d detect/dns: fix misdetection on dns_query on udp
If 'raw' content patterns were used in a dns_query rule, the raw
patterns would only be evaluated for TCP, but not for UDP.

This patch adds the inspection for UDP as well.

Bug #2263.
8 years ago
Peter Manev 7d032e26f1 valgrind: suppressions for NIC offloading calls 8 years ago
Victor Julien ceec247db1 detect/profile: minor fixes 8 years ago
Victor Julien 8fc82408b7 install: use up to date url for 'make install-full' 8 years ago
Jason Ish 749fa014d1 travis: allow rust-stable build to fail 8 years ago
Jason Ish 303238586c travis: rust 1.21.0 build 8 years ago
Jason Ish 288d2ce3e9 travis: do make distcheck on Rust 1.15.0 build 8 years ago
Victor Julien 0f65257a50 detect: don't register http_*_line twice 8 years ago
Victor Julien 65ac1f8224 detect: test for byte_extract/isdataat large values 8 years ago
Victor Julien 77c39b20f8 detect: handle very large byte_extract'ed values in isdataat 8 years ago
Victor Julien 2413b81d10 detect: add unittest for byte_extract/isdataat 8 years ago