aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
10,234 Commits
7 Branches
155 Tags
195 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c68fbfcfe6'
${ noResults }
Commit Graph

10234 Commits (c68fbfcfe690934e370f90a4f3e04872a1878c37)
 

Author SHA1 Message Date
Eric Leblond 9206b30fe1 af-packet: better accounting and error handling 
This patch improves the bypass error handling add adds more counters
to the interface so it is possible to get a view on success and
failure of insertion in the eBPF maps via the `iface-bypassed-stat`
command.
 6 years ago
Eric Leblond aeb2bd3aa1 util-ebpf: optimization on flow storage queries 6 years ago
Eric Leblond 288f335aa5 util-ebpf: simplify free function 
First key can't be null.
 6 years ago
Eric Leblond f4abe2f9c0 util-ebpf: set livedev in flow 
This will fix the accounting for pinned maps as the livedev field
of Flow is used to do the accounting of bypass flows.
 6 years ago
Eric Leblond 98e7d9d1c0 util-device: introduce bypassed stats sub function 6 years ago
Eric Leblond f29a4b8bee flow-manager: move bypass timeout to a inline func 6 years ago
Eric Leblond 89e8cb50ed util-ebpf: case is not possible so remove warning 6 years ago
Eric Leblond 8c97998cb9 bypass: implement iface-bypassed-stat for callback 6 years ago
Eric Leblond 51ab06256a bypass: account callback method in stats 6 years ago
Eric Leblond f78e5ba1e1 bypass: restore interface counter 6 years ago
Eric Leblond d119845d98 bypass: compress flow keys structure 6 years ago
Eric Leblond 69d2c8eb75 ebpf: get rid of hash in map value 6 years ago
Eric Leblond b07bda7a7b bypass: new callback stragegy 
This patch introduces and uses a new bypass strategy
based on a callback. EBPF bypass implementation is
updated to use this new strategy.

Once the flow manager detect that a flow should be timeouted,
it asks the capture method if it has seen packets in the interval.
If it is the case the lastts of the flow is updated and the timeout
is postponed.
 6 years ago
Eric Leblond fcae1c18de af-packet: improve error handling for some hw 
Some cards seems to return EAGAIN when there is no more place in
the hash table.
 6 years ago
Eric Leblond 0bfbb4a889 bypass: fix accounting 
The flow bypass stats is computed at every pass so the accounting
needs to be done at each pass. This patch fixes the accounting
in the flow_bypassed counters.
 6 years ago
Eric Leblond 44566e5a24 ebpf: only display that file is loaded if we do it 6 years ago
Eric Leblond 5e62ae6d28 af-packet: avoid error flooding when bypass fails 6 years ago
Eric Leblond af6daceeda util-ebpf: more useful error message 
At the time of the writing, libbpf output useful error message
on strdout only and errno is not really interesting. So let's
tell user to look at stdout.
 6 years ago
Eric Leblond 833d9ef7e1 ebpf: don't use nexthdr to build hash 
As pointed by Victor Julien, it is not a good idea to use the
nexthdr value, as init key for the hash as it could contain some
other headers and can be changed for a session.
 6 years ago
Eric Leblond 0f64c25b73 util-ebpf: improve code readability 
As pointed by Victor Julien, the pkts_cnt usage was quite confusing
so functions are now returning a bool.
 6 years ago
Eric Leblond a8f35cc30e util-ebpf: discard flow if no Flow storage 6 years ago
Eric Leblond dbf3606169 doc: document flow event_type 6 years ago
Eric Leblond efb648aa24 util-ebpf: fix ebpf bypass 
Fix endian order in eBPF bypass. It has to be updated after the
bypassed flows handling change.
 6 years ago
Eric Leblond f8aa9ee986 bypass: fix wait time at exit 
The loop on bypassed flow maps can take a few seconds on heavily
loaded system causing Suricata to not honor a stop before a few
seconds.

This patch adds the code needed to detect the need to exit from
the check loop.
 6 years ago
Eric Leblond a277f2eb0c af-packet: fix use after free on config 
ASAN did find that afp config was used after free. This was in
fact done in the Flow bypass manager hence this patch.
 6 years ago
Eric Leblond fc2f2fa7d3 bypass: allow bypass for packet without flow 
For capture method that have their own flow structure (not maintained
by Suricata), it can make sense to bypass a packet even if there is
no Flow in Suricata.

For AF_PACKET it does not make sense as the eBPF map entry will
be destroyed as soon as it will be checked by the flow bypass
manager. Thus we shortcut the bypass function if ever no Flow is
attached to the packet.

This path also removes reference to Flow in the bypass functions
for AF_PACKET. It was not necessary and we possibly could benefit
of it if ever we change the bypass algorithm.
 6 years ago
Eric Leblond 285768c59e ebpf: fix bypass filter vlan 6 years ago
Eric Leblond 8a11581ac8 doc: update ebpf doc following bypass_filter change 6 years ago
Eric Leblond 853d832de7 ebpf: complete vlan support for ebpf bypass filter 6 years ago
Eric Leblond 253c011c70 doc: update for latest xdp_filter.c change 6 years ago
Eric Leblond 6ab1cbcb8e bypass: use flow storage for bypass counter 
There is a synchronization issue occuring when a flow is
added to the eBPF bypass maps. The flow can have packets
in the ring buffer that have already passed the eBPF stage.
By consequences, they are not accounted in the eBPF counter
but are accounted by Suricata flow engine.

This was causing counters to be completely wrong. This code
fixes the issue by avoiding the counter change in invalid
case.

To avoid adding 4 64bits integers to the Flow structure for the
bypass accounting, we use instead a FlowStorage. This limits the
memory usage to the size of a pointer.
 6 years ago
Eric Leblond 640bc937b4 ebpf: add vlan tracking option to xdp_filter 
If vlan is not use for tracking in Suricata this result in vlan not
being used in the flow key in Suricata and we need to adjust that
in the XDP filter to avoid any problem.
 6 years ago
Eric Leblond 34b8583f35 ebpf: tls encrypted bypass in xdp_filter 
Tests have shown that when we bypass encrypted traffic a non
neglicteable amount of encrypted  packets of the session are already in the
capture ring buffer. Result is that Suricata is doing unnecessary
work on these packets.

These packets can be identified via the first bytes of their payloads
so we can bypass them directly in the XDP code. This is done here
for application data packets on port 443 and for TLS 1.2.
 6 years ago
Eric Leblond d2d3a5a92a ebpf: fix UDP bypass in xdp_filter 6 years ago
Eric Leblond 98b68e87eb ebpf: fix typo in xdp_filter.c comment 6 years ago
Eric Leblond 4e6add7faa bypass: generalize iface bypass stats 
Introduce functions in util-device.c to be able to manage the
flow bypassed count stats.
 6 years ago
Eric Leblond 7e8f4b70f0 ebpf: add comment for some define in XDP filter 6 years ago
Eric Leblond 455d78728e ebpf: remove useless var in xdp_filter 6 years ago
Eric Leblond 258e90be76 util-ebpf: change flow accounting logic 
Update the flow counters during the life of a bypassed flow
instead of just accounting at the end of it.
 6 years ago
Eric Leblond 3026e9a80d util-ebpf: better error handling 6 years ago
Eric Leblond 2ffd3ad2b7 util-ebpf: better error handling of map unlink 6 years ago
Eric Leblond b952b32a26 util-ebpf: rename field 'unlink' to avoid confusion 6 years ago
Eric Leblond edf2db4e30 af-packet: improve warning message 6 years ago
Eric Leblond 567b5ee1bc af-packet: rename option 'no-percpu-hash' 6 years ago
Eric Leblond 0f6b1297a9 af-packet: warn when XDP is not supported 6 years ago
Eric Leblond b1c9b39435 af-packet: remove question from code 6 years ago
Eric Leblond 1992093c88 flow-bypass: rename variables 6 years ago
Eric Leblond d239e0f2d5 flow-hash: doc and code cleaning 6 years ago
Eric Leblond b736344975 flow-bypass: clock_gettime error handling 
Only reason clock_gettime could fail is a permission so let's
error and leave the flow bypass manager if it is the case.

Also let's suppress the error message if ever the error appear in
the middle of a run (which is unlikely).
 6 years ago
Eric Leblond 4129938c21 util-ebpf: log level fixes and code cleaning 6 years ago