Commit Graph

5108 Commits (be448aef22f51a80f725a41624093e6e0f365387)
 

Author SHA1 Message Date
Pierre Chifflier d476c654ee TLS: add detection for malicious heartbeats (AKA heartbleed)
The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not
check the payload length correctly, resulting in a copy of at most 64k
of memory from the server (ref: CVE-2014-0160).
This patch adds support for decoding heartbeat messages (if not
encrypted), and checking several parts (type, length and padding).
When an anomaly is detected, a TLS event is raised.
12 years ago
Victor Julien ab503873ca erf-file: clean up decode thread local storage
Clean up the thread local data the decode portion of ERF users.

Bug #978
12 years ago
Victor Julien 6da8652a77 endace-dag: clean up decode thread local storage
Clean up the thread local data the decode portion of DAG uses.

Bug #978
12 years ago
Victor Julien 09ebbe08df mpipe: clean up decode thread local storage
Clean up the thread local data the decode portion of mpipe uses.

Bug #978
12 years ago
Victor Julien 8c16fede08 ipfw: clean up decode thread local storage
Clean up the thread local data the decode portion of ipfw uses.

Bug #978
12 years ago
Victor Julien 10c791c937 napatech: clean up decode thread local storage
Clean up the thread local data the decode portion of napatech uses.

Bug #978
12 years ago
Victor Julien c3e193e786 pcap: clean up decode thread local storage
Clean up the thread local data the decode portion of pcap uses.

Bug #978
12 years ago
Victor Julien 900fc6fdc7 pfring: clean up decode thread local storage
Clean up the thread local data the decode portion of pfring uses.

Bug #978
12 years ago
Victor Julien a8b1af3369 nfq: clean up decode thread local storage
Clean up the thread local data the decode portion of nfq uses.

Bug #978
12 years ago
Victor Julien 2864f9eef9 af-packet: clean up decode thread local storage
Clean up the thread local data of the decode part of afpacket.

Bug #978
12 years ago
Victor Julien c8d2a1e417 drmemory: remove bug 978 suppression
Bug is fixed, so suppression is no longer needed.

Bug #978.
12 years ago
Victor Julien bb2e9af40f pcap-file: clean up decode thread local storage
Clean up the thread local data the decode portion of pcap-file use.

Bug #978.
12 years ago
Victor Julien d26ceb2356 decode: introduce DecodeThreadVarsFree
As a mirror of DecodeThreadVarsAlloc, DecodeThreadVarsFree is used
to free the memory that DecodeThreadVarsAlloc alloc'd, including
AppLayer storage.
12 years ago
Victor Julien 552558894c app-layer: cleanups
Clean up AppLayerParserThreadCtxAlloc and AppLayerParserThreadCtxFree.
Both used confusing variables in loops, with the wrong types.
12 years ago
Jason Ish 7e268bd4d4 Force pidfile creation of --pidfile.
A pidfile can be useful when not in daemon mode, for example
when running under a process supervisor.
12 years ago
Tom DeCanio 4085f08602 json: somewhere along the way IP/port pairs had gotten swapped in
http and ssh eve logs
12 years ago
Ken Steele 0011e01e05 Change configure to allow statically linking libpcre.
Statically linking libpcre requires using -lpthread, which is added
when building Suricata, but not while checking for libpcre in configure.
12 years ago
Victor Julien b9227ad20c tls: no event on 'new session ticket' in handshake
Don't set an event on encountering a 'new session ticket' (4) record
in the TLS handshake.
12 years ago
Victor Julien 1195f882b9 ipv6: add support for PAD1
Support PAD1 in IPv6 HOP options header and DST options header.
12 years ago
Victor Julien 7539372db7 icmpv6: add multicast types
Only add them to check if the code is 0 and to make sure the default
case doesn't set an 'unknown type' event.
12 years ago
Victor Julien eb3a9d3076 TLS: register patterns for tls-alerts
Register patterns for when server has an alert as the first message.
12 years ago
Victor Julien a96446d39e detect state: fix indent
AMATCH block was indented too far.
12 years ago
Victor Julien 6c8ca76942 detect state: remove alproto check for AMATCH
Not all AMATCHes set a alproto.
12 years ago
Victor Julien c9436a6aef Fix app-layer-protocol FP on multi TX flow
In case of multiple transactions, the stored AMATCH list would not have
been reset, but it would still be reconsidered. Even though none would
match, the engine would still conclude that the rule matched.
12 years ago
Victor Julien bc70fc0f79 Update Changelog for 2.0 release 12 years ago
Eric Leblond 9e03550230 tls: fix problem with tls.store keyword
Pierre Chifflier pointed out that a rule like:
 alert tls any any -> any any (msg:"TLS store"; tls.issuerdn:!"C=FR"; tls.store;)
was alerting but not storing the certificate. If the filter was
removed:
 alert tls any any -> any any (msg:"TLS store"; tls.store;)
then tls.store is working as expected.

This was linked with fact that logging is only done once for a SSL
state. So without filter, once we have the info we can log and we
run the storage. But when there is a filter, we log and then there
is a filter analysis and alerting. And as logging as already be done
we don't enter in the logging function and there is no storage.

This patch forces the entrance in the log function when there is a
request for TLS storage. And it adds an exit in the logging function
to only do the storage part if the TLS state has already being logged.
12 years ago
Victor Julien 03091dfbda Update Changelog for 2.0rc3 release 12 years ago
Victor Julien c07427c643 yaml: remove rbn, add tls
Remove rbn rule files from default rule list. The files are empty
causing a warning.

Add tls-event.rules to the default list.
12 years ago
Victor Julien 806844d852 af-packet: fix init sync with no traffic
Previously the sync code would depend on traffic to complete. This
patch adds poll support and can complete the setup if the poll timeout
is reached as well.

Part of bug #1130.
12 years ago
Eric Leblond 238ff23111 af-packet: move packet fanout code
The sooner is the better for that caode as these means we will get
all sockets binded to fanout group as fast as possible.
12 years ago
Eric Leblond 919377d4a5 af-packet: synchronize reading start
This patch is updating af-packet to discard packets that have been
sent to a socket before all socket in a fanout group have been setup.
Without this, there is no way to assure that all packets for a single
flow will be treated by the same thread.

Tests have been done on a system with an ixgbe network card. When using
'cluster_flow' load balancing and disactivating receive hash on the iface:
 ethtool -K IFACE rxhash off
then suricata is behaving as expected and all packets for a single flow
are treated by the same thread.

For some unknown reason, this is not the case when using cluster_cpu. It
seems that in that case the load balancing is not perfect on the card side.

The rxhash offloading has a direct impact on the cluster_flow load balancing
because load balancing is done by using a generic hash key attached to
each skb. This hash can be computed by the network card or can be
computed by the kernel. In the xase of a ixgbe network card, it seems there
is some issue with the hash key for TCP. This explains why it is necessary to
remove the rxhash offloading to have a correct behavior. This could also
explain why cluster_cpu is currently failing because the card is using the
same hash key computation to do the RSS queues load balancing.
12 years ago
Victor Julien 70efc66e33 fast-log: restore logging of Drop/wDrop
Restore drop print logic. Probably got lost in large refactoring round
introducing log APIs.

Bug #1138.
12 years ago
Victor Julien 1af39d55cf detect: allow alias registration for rule keywords
This allows for registering a keyword under another name while keeping
the old name active and supported.

Do this for 'luajit', which can now also be used as just 'lua'.
12 years ago
Victor Julien 010a334e1a json alert: fix action
It would give 'Pass' as an action when the rule is set to 'alert'.
12 years ago
Victor Julien e04b5f0dca eve-http: register with app-layer api
The HTTP module of Eve didn't register itself with the app-layer
for HTTP. This meant that if no other HTTP logger was active, the
HTTP logging in Eve wouldn't work.

This patch makes the HTTP Eve module register itself correctly.

Bug #1133.
12 years ago
Victor Julien 5d96ea570f eve-file: set event_type to fileinfo
To remain constistent with the other logs, set the event type to
the same name as the structure containing the defails. In this
case fileinfo.

Part of bug #1127.
12 years ago
Victor Julien 305da0248d eve-files: file -> fileinfo
Due to what appears to be an issue in logstash, the 'file' part of
the file event types was masked by a field that logstash-forwarder
added itself.

Since logstash-forwarder is an important part of the logstash stack,
this patch works around the issue by renaming our 'file' structure
to 'fileinfo', thus resolving the naming conflict.

Bug #1127
12 years ago
Victor Julien 3e7714aca2 eve-http: print <unknown> like in eve-files
When UA or Host are unknown, print <unknown> instead of <useragent
unknown> or <hostname unknown>.

Bug #1131.
12 years ago
Victor Julien c5041d35d5 Fix live reload
Fix memsets clearing out of bounds memory on live reload, causing
crashes and corrupted backtraces.

Bug #1128.
12 years ago
Victor Julien fdb1bd9668 pfring: call enable_ring after set_cluster
Move pfring_enable_ring to the start of ReceivePfringLoop() so that
it's guaranteed to be called after all threads have called
pfring_set_cluster first.

This is necessary because pfring will already make packets available
to thread N, while thread N+1 is still registering itself. This leads
to cases where the first packet(s) of a flow are processed by a
different thread in Suricata than the later ones.

This is a race condition only at start up. New flows after the pfring
initialization is complete will not be influenced by this.

Bug #1129.
12 years ago
Victor Julien 845cbcce90 Update ChangeLog for 2.0rc2 release 12 years ago
Victor Julien 4436526a05 yaml: comment out example config
Comment out htp settings that should only serve as an example.
12 years ago
Victor Julien 3fa4712ab6 yaml: increase default memcaps
Increase default flow and stream reassembly memcaps.
12 years ago
Victor Julien 60a79c8220 eve-log: enable in default config
In the default config, eve-log is now enabled by default. All loggers
except 'drop' are enabled.
12 years ago
Victor Julien a3020b5306 eve-log: output cleanup
Suppress debug messages and print in a nicer way which modules are
being enabled.
12 years ago
Victor Julien ed877c64d1 Bug 611: fix for iponly
Fix Bug 611 for ip-only rules as well. If 'alert ip' rule has ports,
don't match on protocols that don't have ports. Like ICMP.

Bug #611.
12 years ago
Eric Leblond 6c3c234ca5 output-json: update timestamp format
This patch updates the timestamp format used in eve loggin.
It uses a ISO 8601 comptatible string. This allow tools parsing
the output to easily detect adn/or use the timestamp.

In the EVE JSON output, the value of the timestamp key has been
changed to 'timestamp' (instead of 'time'). This allows tools
like Splunk to detect the timestamp and use it without configuration.

Logstash configuration is simple:

input {
   file {
      path => [ "/usr/local/var/log/suricata/eve.json" ]
      codec =>   json
      type => "suricata-log"
   }
}

filter {
   if [type] == "suricata-log" {
      date {
        match => [ "timestamp", "ISO8601" ]
      }
   }
}

In splunk, auto detection of the fle format is failling and it seems
you need to define a type to parse JSON in
$SPLUNK_DIR/etc/system/local/props.conf:

[suricata]
KV_MODE = json
NO_BINARY_CHECK = 1
TRUNCATE = 0

Then you can simply declare the log file in
$SPLUNK_DIR/etc/system/local/inputs.conf:

[monitor:///usr/local/var/log/suricata/eve.json]
sourcetype = suricata

In both cases the timestamp are correctly imported by
the tools.
12 years ago
Eric Leblond 1fa4233d67 pfring: get vlan id from header
PF_RING is delivering the packet with VLAN header stripped. This
patch updates the code to get the information from PF_RING extended
header information.

This patch uses the new function SCKernelVersionIsAtLeast to know
that we've got a old kernel that do not strip the VLAN header from
the message before sending it to userspace.
12 years ago
Victor Julien 0f70e8f225 OpenBSD: set correct magic path
For all 5.x OpenBSDs it seems the magic path is:
    /usr/local/share/misc/magic.mgc
12 years ago
Eric Leblond cf30adcedc ipfw: fix build
Buildbot reported:
 runmode-ipfw.c: In function 'RunModeIpsIPFWAuto':
 runmode-ipfw.c:85: error: implicit declaration of function 'LiveDeviceHasNoStats'
12 years ago