Commit Graph

5094 Commits (cf4db4793160ad3d9fe10fda4b14ae0a9bb2048f)
 

Author SHA1 Message Date
Victor Julien 0bbec75764 nflog: fix typo rising->raising 12 years ago
Victor Julien 0857a60fce nflog: improve error handling on NOBUFS
Don't fall through to handle_packet on any NOBUFS condition. Make
sure we catch all NOBUFS.
12 years ago
Giuseppe Longo 4d72911e17 This patch adds the fields into PacketVars struct to set up a packet from an nflog message 12 years ago
Giuseppe Longo 4dda018ede Adds nflog option 12 years ago
Giuseppe Longo 0368d5e4a4 Declare a wrapper to parse group option for nflog 12 years ago
Giuseppe Longo c35432b265 Implements NFLOG runmode 12 years ago
Giuseppe Longo 2ad8a8e111 Bootstrapping NFLOG capture mode 12 years ago
Giuseppe Longo 0162e7e809 Adds nflog error code 12 years ago
Giuseppe Longo d213d89981 Updating the Tmm Id for declaration of nflog capture mode 12 years ago
Giuseppe Longo 62aaae24fd Adds a configuration example for nflog support in suricata.yaml 12 years ago
Giuseppe Longo 4851568a41 Checks if libnetfilter_log is found on the system
and enable it if it's specified.
12 years ago
Victor Julien db563ed4b0 tls: check SSL3/TLS version per record
Set event if SSL3/TLS record isn't within the acceptable range.
12 years ago
Victor Julien 8ddcf6a816 dns: add tests for TXT response parsing
Add valid and invalid examples.
12 years ago
Victor Julien bddb2c3bdc dns json: log TXT response data
Log TXT data in the rdata field.
12 years ago
Victor Julien 683d2d64e9 dns: parse and store TXT responses
This way the TXT data can be logged by the loggers.

Ticket #1158
12 years ago
Victor Julien 174a50554a Update Changelog for 2.0.1 12 years ago
Victor Julien 7e8f80b390 Update Changelog for 2.0.1rc1 changes 12 years ago
Victor Julien 8ba8c0bf6f json output: don't set 'unknown' for missing data
Instead of setting 'unknown' or '<unknown>' just pass NULL to json_*
function, which results in omitting the data.
12 years ago
Tom DeCanio 11ca25ddca eve-log: swap ip/port pairs in dns answers 12 years ago
Victor Julien d4215fca84 http-json: fix coverity warning
*** CID 1211009:  Bad bit shift operation  (BAD_SHIFT)
/src/output-json-http.c: 265 in JsonHttpLogJSON()
259         /* log custom fields if configured */
260         if (http_ctx->fields != 0)
261         {
262             HttpField f;
263             for (f = HTTP_FIELD_ACCEPT; f < HTTP_FIELD_SIZE; f++)
264             {
>>>     CID 1211009:  Bad bit shift operation  (BAD_SHIFT)
>>>     In expression "1 << f", left shifting by more than 31 bits has undefined behavior.  The shift amount, "f", is as much as 46.
265                 if ((http_ctx->fields & (1<<f)) != 0)
266                 {
267                     /* prevent logging a field twice if extended logging is
268                        enabled */
269                     if (((http_ctx->flags & LOG_HTTP_EXTENDED) == 0) ||
270                         ((http_ctx->flags & LOG_HTTP_EXTENDED) !=

________________________________________________________________________________________________________
*** CID 1211010:  Bad bit shift operation  (BAD_SHIFT)
/src/output-json-http.c: 492 in OutputHttpLogInitSub()
486                         {
487                             if ((strcmp(http_fields[f].config_field,
488                                        field->val) == 0) ||
489                                 (strcasecmp(http_fields[f].htp_field,
490                                             field->val) == 0))
491                             {
>>>     CID 1211010:  Bad bit shift operation  (BAD_SHIFT)
>>>     In expression "1 << f", left shifting by more than 31 bits has undefined behavior.  The shift amount, "f", is as much as 46.
492                                 http_ctx->fields |= (1<<f);
493                                 break;
494                             }
495                         }
496                     }
497                 }
12 years ago
Victor Julien 5cdd9b460a unix-socket: reset logging api's properly
Lack of proper reset led to logs not being written after the first
pcap had been processed.
12 years ago
Victor Julien fd56acd4b3 stream: cleanup
StreamTcpSetDisableRawReassemblyFlag() has the same effect as
AppLayerParserTriggerRawStreamReassembly in that it will force the
raw reassembly to flush out asap. So it is redundant to call both.
12 years ago
Victor Julien 3543150f42 stream: implement raw reassembly stop api
Implement StreamTcpSetDisableRawReassemblyFlag() which stops raw
reassembly for _NEW_ segments in a stream direction.

It is used only by TLS/SSL now, to flag the streams as encrypted.
Existing segments will still be reassembled and inspected, while
new segments won't be. This allows for pattern based inspection
of the TLS handshake.

Like is the case with completely disabled 'raw' reassembly, the
logic is that the segments are flagged as completed for 'raw' right
away. So they are not considered in raw reassembly anymore.

As no new segments will be considered, the chunk limit check will
return true on the next call.
12 years ago
Victor Julien b2184f936e stream: unify segment discard handling
Have a single function StreamTcpReturnSegmentCheck determine if a
segment is ready to be removed from the stream.

Handle FLOW_NOPAYLOAD_INSPECT in raw reassembly.
12 years ago
Victor Julien ad355c3c0a app-layer: improve no payload inspect flag
If setting APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD, trigger raw
reassembly.
12 years ago
Victor Julien f0bdb009ed tls/heartbleed: fix test
Now that we continue to track ssl/tls after the handshake, we need
to fix tests that checked for the cutoff flags.
12 years ago
Victor Julien 31655aef7e tls/heartbleed: improve encrypted logic
Don't assume that if the type field isn't 01 or 02 it's an encrypted
heartbeat. Instead, use our knowledge of the SSL state.
12 years ago
Victor Julien fdbd9b3f25 tls/heartbleed: formatting fixes 12 years ago
Victor Julien c5f43785f1 tls/heartbleed: add rule for invalid encrypted hb
Add rule to tls-events.rules to match on the invalid encrypted
heartbeat.
12 years ago
Will Metcalf 26169ad8c5 Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction 12 years ago
Victor Julien 0564a8da3c detect: add more defensive checks for flow handling
Don't unconditionally deref f->alparser in detection through
DeStateFlowHasInspectableState(). In very rare cases it can
be NULL.
12 years ago
Victor Julien 2002067fb1 http-json: init 'fields' to 0 before setting it
httplog_ctx->fields would not be initialized before setting flags in
it:

Scanbuild:
output-json-http.c:491:46: warning: The left expression of the compound assignment is an uninitialized value. The computed value will also be garbage
                            http_ctx->fields |= (1<<f);
                            ~~~~~~~~~~~~~~~~ ^
1 warning generated.

Drmemory:
~~27874~~ Error #1: UNINITIALIZED READ: reading register eax
~~27874~~ # 0 JsonHttpLogJSON                       [/home/buildbot/qa/buildbot/donkey/drmemory/Suricata/src/output-json-http.c:260]
~~27874~~ # 1 JsonHttpLogger                        [/home/buildbot/qa/buildbot/donkey/drmemory/Suricata/src/output-json-http.c:375]

Just memset the whole structure right after initialization.
12 years ago
Tom DeCanio 7df9b283f1 json: address custom output capability to http eve log review comments 12 years ago
Tom DeCanio 4838b9bf4f json: add custom output capability to http eve log 12 years ago
Eric Leblond 6fbb9551bd doxygen: add source browser 12 years ago
Victor Julien 9abf595122 rohash: fix potential bad shift
Fix issue detected by Coverity:

*** CID 1197756:  Bad bit shift operation  (BAD_SHIFT)
/src/util-rohash.c: 74 in ROHashInit()
68         }
69         if (hash_bits < 4 || hash_bits > 32) {
70             SCLogError(SC_ERR_HASH_TABLE_INIT, "invalid hash_bits setting, valid range is 4-32");
71             return NULL;
72         }
73
>>>     CID 1197756:  Bad bit shift operation  (BAD_SHIFT)
>>>     In expression "1U << hash_bits", left shifting by more than 31 bits has undefined behavior.  The shift amount, "hash_bits", is as much as 32.
74         uint32_t size = hashsize(hash_bits) * sizeof(ROHashTableOffsets);
75
76         ROHashTable *table = SCMalloc(sizeof(ROHashTable) + size);
77         if (unlikely(table == NULL)) {
78             SCLogError(SC_ERR_HASH_TABLE_INIT, "failed to alloc memory");
79             return NULL;

This was only a potential issue as ROHashInit was only called with
hash_bits 16 in the code.

Bug #1170.
12 years ago
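The two Coverity BAD_SHIFT findings above (the http-json "1 << f" with f up to 46, and the rohash "1U << hash_bits" with hash_bits up to 32) share one root cause: shifting a 32-bit value by 32 or more is undefined behaviour in C. The following is an added example, not Suricata code; the enum bound, the 64-bit field mask and the hashsize_checked helper are assumptions made to illustrate the bounded, widened form of both operations.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-in for the HttpField enum: Coverity reported the
 * shift amount f reaching 46, which does not fit a 32-bit mask. */
enum field_id { FIELD_FIRST = 0, FIELD_LAST = 46, FIELD_SIZE };

/* Hardened membership test: 64-bit mask plus an explicit range check,
 * so an out-of-range f yields false instead of undefined behaviour
 * (the reported shape was "(http_ctx->fields & (1<<f)) != 0"). */
static bool field_is_set(uint64_t mask, int f)
{
    if (f < 0 || f >= 64)
        return false;
    return (mask & (UINT64_C(1) << f)) != 0;
}

/* Hardened setter for the "http_ctx->fields |= (1<<f)" shape; returns
 * false and leaves the mask untouched for an out-of-range f. */
static bool field_add(uint64_t *mask, int f)
{
    if (f < 0 || f >= 64)
        return false;
    *mask |= UINT64_C(1) << f;
    return true;
}

/* ROHashInit validates hash_bits as 4..32, but "1U << 32" is still
 * undefined. Widening to 64 bits makes the whole validated range
 * representable; 0 signals a rejected value (the caller returns NULL). */
static uint64_t hashsize_checked(uint32_t hash_bits)
{
    if (hash_bits < 4 || hash_bits > 32)
        return 0;
    return UINT64_C(1) << hash_bits;
}

int main(void)
{
    uint64_t fields = 0; /* constructed sample mask */
    field_add(&fields, FIELD_LAST);
    return field_is_set(fields, FIELD_LAST) && hashsize_checked(32) != 0 ? 0 : 1;
}
```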
Eric Leblond 1992a22769 af-packet: exit in case of a fatal error
During socket creation all error cases were leading suricata to
retry the opening of capture. This patch updates this behavior to
have fatal and recoverable error cases. In case of a fatal error,
suricata leaves cleanly.
12 years ago
Jason Ish d28879f1a2 DAG: Pull some raw values out into defines. 12 years ago
Jason Ish 8ab962df7c DAG: Consistent code style. 12 years ago
Jason Ish c00ec5f4fc DAG: Sync dag packet and drop counts to live device on exit for better exit
logging.
12 years ago
Victor Julien 4d6cc1dbc6 json-file: improve error handling
If the functions getting uri, etc. fail, return "unknown" instead of a
NULL pointer. This improves consistency.
12 years ago
Victor Julien 2d25f12cda json-file: check pointer before using
A check was missing to see if ht_ud was not null before using the
pointer. This should be rare, but it can happen.

Reported-by: Will Metcalf
12 years ago
Victor Julien d8481cb7cd stream: improve retransmission handling
Improve retransmission handling in the CLOSE_WAIT state.

Bug #1180.
12 years ago
Victor Julien 4929c840cd stream: update GAP detection
Change GAP detection logic. If we encounter missing data before
last_ack, we know we have missed data. The receiving host has ack'd
it already, so a retransmission of the missing data is highly
unlikely.
12 years ago
Victor Julien 5db228b9f6 stream: fix raw reassembly flag issue
AppLayer reassembly correctly only flags a segment as done when it's
completely used in reassembly. Raw reassembly could flag a partially
used segment as complete as well. In this case the segment could be
discarded early. Further reassembly would miss data, leading to a
gap. Due to this, up to 'window size' bytes worth of segments could
remain in the session for a long time, leading to memory resource
pressure.

This patch sets the flag correctly.
12 years ago
Victor Julien 539bf57a65 stream: improve StreamTcpPruneSession
Check if a segment is done for the app-layer using
StreamTcpAppLayerSegmentProcessed instead of the flag directly so the
gap case works better.
12 years ago
Victor Julien 3fa818d087 stream: flags cleanup
Stream flags are 16bit, but notation is still 8bit. Clean this up to
avoid confusion.
12 years ago
Victor Julien 1bd189a076 protocol detection: handle very unbalanced case
Some traffic is very unbalanced. For example a 4 byte request
followed by 12mb of response data. If the 4 bytes don't lead to
the protocol being detected, then app layer processing won't
start, but it will not give up either. It will just wait for more
data. This leads to piling up data on the opposite side.

Observed:

TS: 4 bytes. PP failed (bit set), PM has not given up (bit not set).
    This makes sense as max_depth is not yet reached.

TC: 12mb. PP and PM failed (bits set).

As ts-PM never gives up, we never consider proto detect complete,
so all segments in either direction are still kept in the session.

This patch adds a cutoff for this case:
- IF for TS we have PP bit set, PM not set, AND
- we have TC both bits set, AND
- proto is unknown, AND
- TC data is 100k already, THEN
- give up on protocol detection.

The same for the opposite direction.
12 years ago
Victor Julien ed46fd715d stream: improve midstream reassembly gap detection
The reassembly gap detection makes use of the window. However, in
midstream mode the window size we use is unreliable, as we have to
assume window scaling is in place. This patch improves midstream
handling of those cases.
12 years ago
Victor Julien 165f129c61 stream: detect data gap at stream start
In midstream mode we may encounter a case where the data we is beyond
the isn, but below last_ack. This means we're missing some data, that
is already acked so it won't be retransmitted. Therefore, we can
conclude it's a data gap.
12 years ago