aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,160 Commits
8 Branches
165 Tags
231 MiB
main
main-7.0.x
main-8.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd4dd18eb85'
${ noResults }
Commit Graph

3839 Commits (d4dd18eb85841ba944957597ddf33ca268cd112d)

Author SHA1 Message Date
Eric Leblond c0c59fbd17 decode: factorize macro code 
PACKET_* are now wrapper to the newly introduced PACKET_SET_ACTION
macro.
 13 years ago
Eric Leblond 3f107fa130 decode: Packet action start with PACKET 
Rename all Packet action macro to have them prefixed by PACKET.
 13 years ago
Anoop Saldanha 3304c91c91 Don't let geoip match on pseudo packets. 13 years ago
Anoop Saldanha 1fb4aae993 Coverity 1038523: Fix using cuda buffer slice that has been returned to the pool. 13 years ago
Victor Julien 51cdd464a6 stream: detect keep-alive and keep-alive ACK 13 years ago
Victor Julien 03c3ff5632 stream: fix typo in function name 13 years ago
Eric Leblond 4c6595f437 Coverity 1038106: fix FP out-of-bond access 
A cast during the reading of a configuration variable was invalid
because a 16 bit integer was cast to a 32 bit integer. The called
function is only setting the pointer value to 1 or 0 so there is
no real issue there.
 13 years ago
Eric Leblond 7df156ef50 Coverity: 1038139 suppress sanity check 
The sanity check was really useless as the NULL value is checked in
the code flow.
 13 years ago
Eric Leblond 75cd1f6096 Coverity 1038515: check function return 
This is more cosmetic than useful but it is cleaner anyway.
 13 years ago
Anoop Saldanha b4e750068f Cuda make distcheck fix for cuda-ptxdump.h 13 years ago
Anoop Saldanha 7d46d59cdd Coverity 1038522: fix memset inside cuda code. Wrong size specified to memset. 13 years ago
Victor Julien d6fcd07a31 Coverity 1038085: remove 'default' statement in SCErrorToString. This way a warning will be given if an error is defined w/o updating this function. 13 years ago
Victor Julien e2444f0ed5 Coverity 1038092 & 1038093: remove dead code 13 years ago
Victor Julien 0902c7f3aa Coverity 1038518: fix wrong error check 13 years ago
Victor Julien db1dad8cc6 Coverity 1038124: memory leak on 'seq' keyword parsing failure 13 years ago
Victor Julien b2e962da03 Coverity 1038123: memory leak on 'flowint' keyword parsing failure 13 years ago
Victor Julien 5c5b2f98dd Coverity 1038116 & 1038117: memory leaks on 'app-layer-event' keyword parsing failure 13 years ago
Victor Julien 778851626c Coverity 1038115: memory leak on 'ack' keyword parsing failure 13 years ago
Victor Julien 98dbf3e62c Coverity 1038113: possibly out of bounds read 13 years ago
Anoop Saldanha 602c91ed41 Minor cosmetic changes to the cuda code. 
Moved a couple of functions to more cuda relevant files;
Re-structured some data types.
 13 years ago
Anoop Saldanha c9f076def3 Modified CudaBufferCullCompletedSlices. 
Allow readers specify max size of data they want to read.
 13 years ago
Anoop Saldanha 70cb4d30eb Add a usleep to CudaBuffer culling process. Would lead to a situation where the thread wouldn't care to yield to others." 13 years ago
Anoop Saldanha 17c763f855 Version 1 of AC Cuda. 13 years ago
Anoop Saldanha 2de59fc235 Version 1 of CudaBuffer API. Introduced to buffer data to the gpu. 
This version allows async writes to a buffer by threads.  Allows only
sequential reads though.
 13 years ago
Anoop Saldanha 557cab3dc9 We call packet and stream mpm as late as possible now. Won't affect the working of the engine. 
The rationale behind this is, if we have pkt buffered to the gpu, we'd want
to delay processing the pkt as much as possible.
 13 years ago
Anoop Saldanha d2063d98ad pool now uses a queue kinda behaviour when getting/inserting data through poolbuckets. 13 years ago
Anoop Saldanha f4c719b83a code refactoring. Call mpmprefilter slightly later than where it's called atm 13 years ago
Anoop Saldanha b787da5643 Remove all cuda related code in the engine except for the cuda api wrappers 13 years ago
Anoop Saldanha e2a6cfb6a6 update cuda API wrappers 13 years ago
Eric Leblond d8ce2b1ca4 unix-socket: fix OSX build 
MSG_NOSIGNAL is not defined on macOSX and SO_NOSIGPIPE is used
instead.
 13 years ago
Eric Leblond a35c367942 action handling: use macro for test. 
Use test macro instead of direct access to action field.

This patch has been obtained by using the following
spatch file:

  @@
  Packet *p;
  expression E;
  @@

  - p->action & E
  + TEST_PACKET_ACTION(p, E)
 13 years ago
Eric Leblond efaa9a7302 action handling: define and use macros 
The action field in Packet structure should not be accessed
directly as the tunneled packet needs to update the root packet
and not the initial packet.

This patch is fixing issue #819 where suricata was not able to
drop fragmented packets in AF_PACKET IPS mode. It also fixes
drop capability for tunneled packets.
 13 years ago
Anoop Saldanha 429b5cec10 Fix magic unittets. 
Fix segv, when magic_load() fails due to the non-availability of default
magic files.
 13 years ago
Anoop Saldanha 058e9278c5 Fix wrong casting of htp pointer. Fixed it back to (HTPState *) inside 
htp utility functions.
 13 years ago
Anoop Saldanha 21f9cc3a39 discontinue matching on buffer if urilen returns a match failure. 13 years ago
Victor Julien 56c6dd9bb2 bytetest: add unittest showing missed detection 
Tests recursive and relative negative byte_test matching.
 13 years ago
Anoop Saldanha c3d98f9640 Fix the bug specified in the previous commit. 
Bug emanates from byte_test, byte_jump and byte_extract keyword being
unable to handle negative offsets when the inspection pointer is at the
end of the buffer.
 13 years ago
Anoop Saldanha bd6896bee1 Unit-tests exposing a bug in byte_test, byte_jump and byte_extract. 
Bug emanates from all the keywords being unable to handle negative offsets
when the inspection pointer is at the end of the buffer.
 13 years ago
Victor Julien 0fbfaadd53 bytetest: fix debug messages not printing negative offset correctly 13 years ago
Anoop Saldanha ff222b51e7 Http trailer headers unittests added. 13 years ago
Anoop Saldanha ab4b15c2e7 fix for #788. 
Now depth is kept in mind when we inspect chunks in client/server body.
This takes care of FPs originating from inspecting subsequent chunks that
match with depth, but shouldn't.
 13 years ago
Victor Julien f29e5459e6 luajit/flowint: add ScFlowintIncr & ScFlowintDecr 
Add flowint lua functions for incrementing and decrementing flowints.

First use creates the var and inits to 0. So a call:

    a = ScFlowintIncr(0)

Results in a == 1.

If the var reached UINT_MAX (2^32), it's not further incremented. If the
var reaches 0 it's not decremented further.

Calling ScFlowintDecr on a uninitialized var will init it to 0.

Example script:

    function init (args)
        local needs = {}
        needs["http.request_headers"] = tostring(true)
        needs["flowint"] = {"cnt_incr"}
        return needs
    end

    function match(args)
        a = ScFlowintIncr(0);
        if a == 23 then
            return 1
        end

        return 0
    end
    return 0

This script matches the 23rd time it's invoked on a flow.
 13 years ago
Victor Julien f312486c6e flowvar/luajit: make 'sets' real time. Needed for cross HTTP-header matching. 13 years ago
Victor Julien 72f6bc2aed luajit: add flowint support 
Expose ScFlowintGet and ScFlowintSet functions to luajit. These set
flowints in real time, regardless of rule and/or script match.

Example:

function init (args)
    local needs = {}
    needs["http.request_headers"] = tostring(true)
    needs["flowint"] = {"cnt"}
    return needs
end

function match(args)
    a = ScFlowintGet(0);
    if a then
        ScFlowintSet(0, a + 1)
    else
        ScFlowintSet(0, 1)
    end

    a = ScFlowintGet(0);
    if a == 23 then
        return 1
    end

    return 0
end

return 0

Script's init call first registers "cnt" at id 0, then 0 is used to use
this var.
 13 years ago
Victor Julien c3c3cd76e5 flowvar/flowint: split set functions into normal and NoLock version, where the latter won't lock the flow. 13 years ago
Victor Julien 57d3cd97f3 flowvar/flowint: make local function static 13 years ago
Victor Julien 6e18ed0489 luajit flowvar support 
This patch adds flowvar support to luajit. It does so by exposing two special
C functions to the luajit scripts: ScFlowvarGet and ScFlowvarSet.
 13 years ago
Ken Steele 9d677ea006 Clear the PKT_ALLOC flag when storing Packets into the Packet pool. 
The PKT_ALLOC flag is set by PacketGetFromAlloc(), which needs to be
cleared for Packets in the Packet Pool, so clear the flag here.
 13 years ago
Ken Steele 9c7b411a5d More PacketGetFromMalloc() to allocate packets. 13 years ago
Ken Steele 394f99e32c Use PacketGetfromAlloc() for packet allocation instead of SCMalloc. 
Only changed in one file for testing.
 13 years ago
Anoop Saldanha ab1f8afbc3 Removed Signature->order_id and replaced it with Signature->num. 13 years ago
Anoop Saldanha 43d1229dfa 1. Fix assignment of signums, which affected how we used read 
sigs(priority wise) inside staging.

   Previously we would assign signums before sig ordering, and hence the
   order didn't actually reflect the order of the sig in the
   sig_list(assuming sig reordering changed the sig_list).  Staging would
   use the old sig_nums to decide the priority of sigs.
2. Fix sig ordering for flowvar, flowbits, flowint, pktvar sigs.   We have
   introduced a new priority to treat sigs with set + read as lower
   priority compared to set only sigs.
3. Previously we treated sigs with a "priority(keyword)" > another sig's
   priority, as a sig with greater priority than the later.  We have
   reversed it.  Now the sig priority ordering is 1,2,.etc.  Updated
   sigordering unittests to reflect the same.
 13 years ago
Anoop Saldanha 9219079e1a Allow protocols to have both app layer keywords, as well as transaction 
based ones.

Our general logic and assumption is protocols either support one of the
above and not have both.
 13 years ago
Anoop Saldanha a490176c8a More lock fixes for the transaction update. Issues reported by Coverity. 13 years ago
Anoop Saldanha 7cf4042337 Fix luajit compilation failure introduced by the transaction update. 
Fix coverity lock issues reported by transaction update as well.
 13 years ago
Anoop Saldanha d4d18e3136 Transaction engine redesigned. 
Improved accuracy, improved performance.  Performance improvement
noticeable with http heavy traffic and ruleset.

A lot of other cosmetic changes carried out as well.  Wrappers introduced
for a lot of app layer functions.

Failing dce unittests disabled.  Will be reintroduced in the updated dce
engine.

Cross transaction matching taken care of.  FPs emanating from these
matches have now disappeared.  Double inspection of transactions taken
care of as well.
 13 years ago
Anoop Saldanha 6dcde9d7e9 hsbd mpm and packet mpm share same mpm ctx id. 
This is a bug emanating from we having a var reference for hsbd mpm,
but failing to initialize it, and we default to using the packet mpm.
 13 years ago
Ken Steele 93e7304117 Preserve PKT_ALLOC flag inside PACKET_RECYCLE(). 
The PKT_ALLOC flag was being cleared by PACKET_RECYCLE(), which could
then result in a packet being pushed back to the Packet ring buffer
incorrectly.
 13 years ago
Ken Steele 699d9e01f1 Move memset() out of PACKET_INITIALIZE() 
The memset() inside PACKET_INITIALIZE() is redundant in some cases and
it is cleaner to do as part of the memory allocation. This simplifies
changes for integrating Tilera mPIPE support because the size of memory
cleared in that case is different from SIZE_OF_PACKET.

For the cases where Packets are directly allocated and then call
PACKET_INITIALIZE() without memset() first, this patch adds memset() calls.

A further change would use GetPacketFromAlloc() directly.
 13 years ago
Victor Julien 724ad9e8e7 Detect L1 cache line size at build time. Fall back to 64 bytes if detection failed. 13 years ago
Victor Julien 53fe756798 NFQ: convert batchcount related yaml errors to warnings. 13 years ago
Eric Leblond 703e5848e4 nfq: add errno display when verdict fail 
In case of error, errno is set by sendmsg which is called by
nfnetlink and which is called by libnetfilter_queue. This patch
displays the string expression of errno if verdict has failed.
 13 years ago
Florian Westphal 8da02115c9 nfq: add support for batch verdicts 
Normally, there is one verdict per packet, i.e., we receive a packet,
process it, and then tell the kernel what to do with that packet (eg.
DROP or ACCEPT).

recv(), packet id x
send verdict v, packet id x
recv(), packet id x+1
send verdict v, packet id x+1
[..]
recv(), packet id x+n
send verdict v, packet id x+n

An alternative is to process several packets from the queue, and then send
a batch-verdict.

recv(), packet id x
recv(), packet id x+1
[..]
recv(), packet id x+n
send batch verdict v, packet id x+n

A batch verdict affects all previous packets (packet_id <= x+n),
we thus only need to remember the last packet_id seen.

Caveats:
- can't modify payload
- verdict is applied to all packets
- nfmark (if set) will be set for all packets
- increases latency (packets remain queued by the kernel
  until batch verdict is sent).

To solve this, we only defer verdict for up to 20 packets and
send pending batch-verdict immediately if:
- no packets are currently queue
- current packet should be dropped
- current packet has different nfmark
- payload of packet was modified

This patch adds a configurable batch verdict support for workers runmode.
The batch verdicts are turned off by default.

Problem is that batch verdicts only work with kernels >= 3.1, i.e.
using newer libnetfilter_queue with an old kernel means non-working
suricata. So the functionnality has to be disabled by default.
 13 years ago
Florian Westphal 6678c9feb9 nfq: avoid extra copy when running in workers mode 
currently, the packet payload recv()d from the nfqueue netlink
socket is copied into a new packet buffer.

This is required because the recv-buffer space used is tied
to the current thread, but a packet may be handed off to other
threads, and the recv-buffer can be re-used while the packet
is handled by another thread.

However, in worker runmode, the packet will always be handled
by the current thread, and the recv-buffer will only be reused
after the entire packet processing stack is done with the packet.

Thus, in worker runmode, we can avoid the copy and assign
the packet data area directly.
 13 years ago
Victor Julien b68d566c44 alert-debuglog: cleanup TCP check 13 years ago
Victor Julien 4b3166b193 unified2: more udp fixes 13 years ago
Victor Julien bc3f941acb profiling: enabled app layer profiling for UDP app layer modules 13 years ago
Victor Julien 782aa5adae prelude: only call stream callback for TCP 13 years ago
Victor Julien b54a19937f unified2: only call stream callback for TCP 13 years ago
Victor Julien 00948882e7 Suppress warnings when StreamSegmentForEach is called for UDP or SCTP, unless debug is compiled in. 13 years ago
Victor Julien 3b68a9d1c6 UDP: inspection app layer state as soon as we have it. 13 years ago
Victor Julien f15d97b916 Bug 780 unittests, showing no problem. 13 years ago
Victor Julien b6995f7664 Bug 794: stream SACK list needs to respect memcap 13 years ago
Victor Julien a4fca88ba7 stream: default 'random' setting when running unittests is disabled, so that test results are predictable. 13 years ago
Eric Leblond 9b235b3d9e streaming: randomize chunk size 
By randomizing chunk size around the choosen value, it is possible
to escape some evasion technics that are using the fact they know
chunk size to split the attack at the correct place.
This patch activates randomization by default and set the random
interval to chunk size value +- 10%.
 13 years ago
Victor Julien 6ba52230ed Update DetectContentDataParse to reflect the actual data types content uses. 13 years ago
Victor Julien 3ad497e74f Remove filemagic debug statement 13 years ago
Victor Julien 19511cda97 Remove obsolete DetectParseContentString function, it has been replaced by DetectContentDataParse 13 years ago
Victor Julien 4d4f8fd358 file: make fileext, filename and filemagic use the same rule parsing function as others. This has as a side effect that we enforce doubly qouted values now. 13 years ago
Victor Julien 8023007fbd flowvar: cleanup keyword argument parsing. Should also address Coverity 400655. 13 years ago
Victor Julien 07b751b0df Coverity 1005134: fix minor memory leak on flowvar rule setup errors. 13 years ago
Victor Julien e45f683c19 Coverity 1005133: fix unlikely case where malformed pcre statement in rule would lead to null-deref. 13 years ago
Victor Julien 4c6463f378 stream: handle extra different SYN/ACK 
Until now, when processing the TCP 3 way handshake (3whs), retransmissions
of SYN/ACKs are silently accepted, unless they are different somehow. If
the SEQ or ACK values are different they are considered wrong and events
are set. The stream events rules will match on this.

In some cases, this is wrong. If the client missed the SYN/ACK, the server
may send a different one with a different SEQ. This commit deals with this.

As it is impossible to predict which one the client will accept, each is
added to a list. Then on receiving the final ACK from the 3whs, the list
is checked and the state is updated according to the queued SYN/ACK.
 13 years ago
Victor Julien 00a691fc1b flowvar: clean up properly on signature clean up. 13 years ago
Victor Julien 70e2adeb01 flowvar: add unittests for #802. 13 years ago
Victor Julien 4cd736fcc9 flowvar: fix deadlock with http buffers 
Bug #802

Flowvars are set from pcre, and lock the flow when being set. However
when HTTP buffers were inspected, flow was already locked: deadlock.

This patch introduces a post-match list in the detection engine thread
ctx, where store candidates are kept. Then a post-match function is used
to finalize the storing if the rule matches.

Solves the deadlock and brings the handling of flowvars more in line
with flowbits and flowints.
 13 years ago
Victor Julien 4c2e6a8402 flowvars: update funcs to accept u16 id 
All id's are u16, but flowvar functions would only accept u8.

Minor cleanups.
 13 years ago
Victor Julien ffffe6c10e profiling: add formatted totals, percents to packet stats 13 years ago
Victor Julien 4165de4771 Minor SigValidate cleanup 13 years ago
Anoop Saldanha 0d7305dfc7 Update the way we handle http_host keywords. 
Previously we would have forced all users to use nocase with http_host
keywords(since the hostname buffer is lowercase).

We now error out on sigs that has nocase set with http_host set.  Also if
the http_host pattern or http_host pcre has an uppercase character set, we
invalidate such sigs.  Unittests also updated to reflect the above change.
 13 years ago
Victor Julien 9ea4d36f7a Minor reshuffling of Signature struct. 13 years ago
Victor Julien eb11280888 Use define instead of magic number for pmq's per detect thread 13 years ago
Victor Julien 0fa38c13d1 detection engine: consolidate thread setup 
DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did
pretty much the same thing, except for a counters registration. As can be
predicted with code duplication like this, things got out of sync. To make
sure this doesn't happen again, I created a helper function that does the
heavy lifting in this function.
 13 years ago
Victor Julien 73158fea33 Fix PmqSetup calls in Liveswap thread init. Func was out of sync with normal thread init. 13 years ago
Victor Julien b8078742c3 stream: intro function for SYN/ACK state update 
As the TCP SSN state can be updated from several points in the state
machine on accepting a SYN/ACK, move the update logic into a separate
function.
 13 years ago
Victor Julien 28ea129d9b stream: remove unused 'pause' feature 13 years ago
Victor Julien ea8b6078d8 stream: zero ts is a per stream flag 
Ssn flag STREAMTCP_FLAG_ZERO_TIMESTAMP was used in stream only. Due to
it's value it did not conflict with a real stream flag. Renamed it to
STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP.
 13 years ago
Victor Julien 374187bf65 stream: don't use ssn timestamp flag in stream 
The STREAMTCP_FLAG_TIMESTAMP flag is a ssn flag, however it was used in
the stream flag field. As it has the same value as
STREAMTCP_STREAM_FLAG_DEPTH_REACHED it's possible that stream reassembly
got confused by the timestamp.
 13 years ago
Victor Julien 40a5ce8f5f Change logic of SCErrorToString causing any missing entries to result in a compiler warning. 13 years ago
Anoop Saldanha 71ffed5128 Handle the case of pcre combined with a relative content, where pcre has the 
set to match from start of line and we discontinue matching on not finding
match.
 13 years ago
Anoop Saldanha aa363a8144 unittest to display #784. 13 years ago
Eric Leblond 26b7af1483 Don't try to sniff 'default' interface 
Whan running suricata via 'suricata --af-packet', the list of interfaces
was containing the 'default' interface and sniffing it was attempted.
This was not wanted.
 13 years ago
Eric Leblond 539de3f5ea bpf filter: use SCLogError instead of fprintf 13 years ago
Eric Leblond b7e78d33b1 af-packet: warn about BPF filter consequence in IPS mode 
This patch add a message to warn user about the impact of using a
BPF filter in IPS mode.
 13 years ago
Eric Leblond dfbb31df8a Exit if bpf is used in IPS mode 13 years ago
Victor Julien ce99a07582 After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^. 13 years ago
Anoop Saldanha 8bf034e8c4 Live rule swap logs added to report SigLoadSignatures() failure. Also set 
thread_closed flag on exit for live swap thread.
 13 years ago
Anoop Saldanha a3212f6a0f Minor fixes against the last set of patches for #564, 565, 581 + fp automation. 
Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move it's
definition from inside the function where it's used to the global namespace,
as requested on #suricata.

Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup.

Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId().

Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
 13 years ago
Anoop Saldanha 6de8b1ed53 fix for #564. 
Get rid of the hash table, and use a single-one_time_alloc'ed array for
pattern id assignment.
 13 years ago
Anoop Saldanha f58c6589b4 We now print content flags in engine fp analyzer. 13 years ago
Anoop Saldanha e77fd1c883 We now assign ids to fp patterns only. Rest of them don't need one. 13 years ago
Anoop Saldanha 4c6efa2d40 Update content id assignment. 
All fp id assignment now happens in one go.
Also noticing a slight perf increase, probably emanating from improved cache
perf.
Removed irrelevant unittests as well.
 13 years ago
Anoop Saldanha 60be1751d5 Figure out sig fp during validation stage, instead of staging stage. 13 years ago
Anoop Saldanha 45ff67a2e0 Enable a conf option to enable/disable legacy keywords. 
Currently, uricontent is declared a legacy keyword, and is enabled by default.
 13 years ago
Anoop Saldanha 601836d831 Fast pattern setup now configurable in our code. 
You can either enable/disable fp for a particular type + set priority.
 13 years ago
Anoop Saldanha c63317d02e Detect sm_list rearranged for performance reasons. 13 years ago
Anoop Saldanha f8ae53ac02 Further customize content modifier buffer registration. 
Allow modifier setups functions to have CustomCallbacks to enable their
internal conditions.
 13 years ago
Anoop Saldanha a304a98d1d http_* setup unified. 13 years ago
Anoop Saldanha 434bdca9e2 uricontent simplified to use the existing content + http_uri infrastructure. 13 years ago
Anoop Saldanha 0b5d277254 code cleanup for all content based keywords. 13 years ago
Anoop Saldanha 51dcf19817 turn dce_stub_data into a sticky buffer. 13 years ago
Anoop Saldanha a308d718ae Allow the use of relative without the presence of a related previous keyword. 13 years ago
Victor Julien 4845631335 tcp stream: don't move to LAST_ACK on toserver resent of FIN 13 years ago
Victor Julien 3163243a55 Coverity 989710 and 989711: small recourse leaks in filemd5 parsing code. 13 years ago
Anoop Saldanha 12e4105dc3 fix for #770. 
Invalidate sigs with negative depth.
 13 years ago
Anoop Saldanha d041b98d95 fix for #771. 
Fix /etc/protocols parsing.  Remove trailing newspace stored under some cases.
 13 years ago
Victor Julien 37c80ea508 If an IP-only pass rule matches, set the no inspect flag for that flow. Bug #718. 13 years ago
Anoop Saldanha 75130f9702 fix for #769. 
Packet inserted by live swap flagged as pseudo packet.
 13 years ago
Victor Julien 274641abc2 Fix valgrind error/warning in ip reputation parsing code 13 years ago
Anoop Saldanha c6ec23ca87 fix for #758. Add redmine wiki link and desc for icmp-id keyword. 13 years ago
Victor Julien eeb439c1a3 Open 2.0 dev branch 13 years ago
Victor Julien b66af2c2ed nfq: add missing error string 13 years ago
Eric Leblond 7ec820d3ab Fix potential Null deref. 13 years ago
Victor Julien 8924d7598d Fix potential iprep file parsing issue (2). 13 years ago
Victor Julien 754ae8a1be Fix potential iprep file parsing issue. 13 years ago
Victor Julien 1b363ecb1d Fix test AddressTestParse36 on Big Endian systems 13 years ago
Anoop Saldanha 0febe5a410 fix for #760. 
If udpv4 csum isn't calculated, udpv4-csum detection shouldn't run on the
csum.
 13 years ago
Anoop Saldanha ce7d78dd69 fix for #725. 
Update trec_len, trec_pos to 32 bits from 16 bits.
Handle handshakes that are fragmented across records.
 13 years ago
Anoop Saldanha c6d50764e5 temporarily patched smb + dcerpc parsers for direction demaraction. 13 years ago
Eric Leblond 5b067e1abb pcap-file: treat the case of unsupported pcap link 
In unix socket mode, Suricata was stopping processing pcap files
when a pcap file with an unsupported datalink was treated. This
patch updates error handling to allow Suricata to treat other
pcap files.
 13 years ago
Eric Leblond 350d761961 af-packet: leave reading loop at each turn 
The idea of this patch is to be sure to leave the ring reading loop
enough to be able to sync counters. This should fix #706.
 13 years ago
Eric Leblond df0e7af8f2 unix-manager: fix thread killing function 
The name of the thread was not searched in the correct family.

Reported-by: iswalker <mail2cissp@gmail.com>
 13 years ago
Eric Leblond 31c03d38b9 unix socket: add 'dump-counters' command 
This patch adds a 'dump-counters' command which answer an output of
all performance counter.
 13 years ago
Eric Leblond 5722d8846a unix socket: add 'help' as alias to 'command-list' 13 years ago
Eric Leblond 84322fa556 unix socket: add 'conf-get' command 
This patch adds a 'conf-get' command which get the configuration
value from suricata. Argument of the command is the name of the
variable to fetch.
The command syntax is the following:
{
 "command": "conf-get",
 "arguments": { "variable":value}
}
 13 years ago
Eric Leblond c961056ed8 unix socket: add 'capture-mode' command 
This patch displays what capture mode is used.
 13 years ago
Eric Leblond 74a9fc4b66 Add function to display current capture mode 
This patch adds a function to display the capture mode.
 13 years ago
Eric Leblond 2f30485f7b unix socket: add 'runnning-mode' command 
This command displays the active running mode ('autofp' for
example).
 13 years ago
Eric Leblond f4faff6ff9 unix socket: add 'uptime' command 
This command displays the nuber of second since the start of
Suricata.
 13 years ago
Eric Leblond c6b38ebf67 unix socket: add 'version' command 13 years ago
Eric Leblond 78b5812ae6 unix runmode: add 'pcap-current' command 
This command outputs the currently processed file name or 'None'
if no file is currently processed.
 13 years ago
Eric Leblond fc7e6c4a3d unix socket: implement command-list command 13 years ago
Eric Leblond 346d5662b5 cuda: fix invalid use of sizeof 13 years ago
Anoop Saldanha 71609229cc sigorder cleaned up. 13 years ago
Eric Leblond 21dda8674d Fix build with old pcap library. 
Pcap snaplen related modification broke compilation of Suricata for
system having old pcap library. This patch fixes the issue and allow
old pcap library to honour the snaplen value.
 13 years ago
Eric Leblond 6d225378e4 Workaround function missing in libhtp include 
As reported in bug #688, htp_config_set_path_decode_u_encoding
function is not included in libhtp header before 0.3.0. Result
is that suricata compilation fail with an external htp library.
The following patch detect the issue and adds the missing
declaration.
 13 years ago
Anoop Saldanha 66f3c37016 code cleanup + unittests added against http_host and http_raw_host keywords, 
against various combinations of hostname in uri and host header.
 13 years ago
Anoop Saldanha 3511f91bba Add support for the new keyword - http_raw_host header. 
The corresponding pcre modifier would be 'Z'.
 13 years ago
Anoop Saldanha c4ce19a1be Add support for a new keyword to inspect http_host header. 
The corresponding content keyword would now be - http_host.
The corresponding pcre modifier would be W.
 13 years ago
Matt Keeler ebccb9ffcd Added host buffer allowance and stream configuration for Napatech 3GD 
Added a napatech section in the yaml configuration.
	hba - host buffer allowance
	use-all-streams - whether all streams should be used
	streams - list of stream numbers to use when use-all-streams is no

The source-napatech.* files were modified to support the host buffer allowance configuration.
The runmode-napatech.c file was modified to support both the host buffer allowance configuration and stream configuration

Signed-off-by: Matt Keeler <mk@npulsetech.com>
 13 years ago
Anoop Saldanha 0c24a8a92f fix(more like a feature update) for bug #708. 
Add support for flowint based sig ordering.
 13 years ago
Eric Leblond 2f0927fe9b pcap: add snaplen YAML variable 
This patch introduces 'snaplen' a new YAML variable in the pcap section.
It can be set per-interface to force pcap capture snaplen. If not set
it defaults to interface MTU if MTU can be known via a ioctl call and to
full capture if not.
 13 years ago
Eric Leblond e14a817fbd pfring: delete unused define. 13 years ago
Eric Leblond 786cbb1244 log-pcap: don't limit snaplen. 13 years ago
Eric Leblond e8aa66a44c pcap: add 'promisc' YAML configuration variable 
This patch adds a promisc variable to pcap configuration. It is
used to decided if interface is switched to promiscuous mode.
 13 years ago
Eric Leblond 1aaa828b63 pcap: set snaplen to MTU if available. 
Main objective of this patch is to use a dynamic snaplen to avoid
to truncate packet at the currently fixed snaplen.

It set snaplen to MTU length if the MTU can be retrieved. If not, it
does not set the snaplen which results in using a 65535 snaplen.

libpcap is trying to use mmaped capture and setup the ring by using buffer_size
as the total memory. It also use "rounded" snaplen as frame size. So if we set
snaplen to MTU when available we are optimal regarding the building of the ring.
 13 years ago
Victor Julien cc51eec59d Use new libhtp query string normalization. Bug #739. 13 years ago
Eric Leblond 2732faf05c teredo: update protocol decoding. 
This patch fixes an error in pointer arythmetic and add some
comments to increase maintanability of the code. It also
simplify the decoding code as a careful RFC reading indicate
that if we discard packet containing an authentication field,
it is only possible to have a single origin indication field.
 13 years ago
Eric Leblond 8d7b9703af Fix latest build-info modification 
The creation of build-info.h should have been made in build
directory and not in source directory. This should fix changes
introduced in #738.
 13 years ago
Eric Leblond 84f50ba49f build-info: use printf instead of SCLogInfo 
This change results in a more readable and reusable output.
 13 years ago
Eric Leblond 668113af77 add configure summary to build-info output 13 years ago
Eric Leblond f5ba8eb6db suricata: add information to build-info 
This patch adds information about luajit and jansson to the
output of --build-info command. This should fix #696.
 13 years ago
Anoop Saldanha 5fe9394d07 bug #737. Display a more apt error message when wrong argument's supplied to 
reference keyword.
 13 years ago
Jake Gionet 1ac8938787 Adding support for Feature #667 13 years ago
Victor Julien d0c1410cf5 Fix sig grouping bug when certain sigs are mixed. Add tests. 13 years ago
Victor Julien afb2d4eddf Fix stateful inspection not always inspecting at stream end. 13 years ago
Anoop Saldanha f59ce70c17 fix for #694. 
Invalidate any address/port vars in the conf that uses a sequence
without quotes.
 13 years ago
Anoop Saldanha 51868f17ae unittest to show the seg fault from bug_694 13 years ago
Anoop Saldanha 34a9c047fc updated to fix unix shutdown sequence 
Should fix crashes occuring from unix mode shutdown/cleanup phase.
 13 years ago
Ignacio Sanchez d771e08156 Adds support for the geoip keyword 
Adds support for match-on conditions (src, dst, any, both)
Uses GEOIP_MEMORY_CACHE for performance reasons
Adds support for negation and multiple countries in the same rule

Bug fixes

Changed to take flow direction from rule, if present

Comments addressed. Unit tests added.
 13 years ago
Eric Leblond 6dfd106139 conf: add unittest for WithDefault functions. 13 years ago
Eric Leblond f59c63c457 pcap: add support for 'default' interface 13 years ago
Eric Leblond feabe6e9a2 pfring: add support for 'default' interface 13 years ago
Eric Leblond 4ae27756b0 af-packet: add support for 'default' interface 
This patch adds support for 'default' interface which is used to get
parameter values when per-interface is not defined.
 13 years ago
Eric Leblond 0bddf4f02f conf: introduce WithDefault function 
This patch introduces a new set of functions to the ConfGetChildValue
family. They permit to look under a default node if looking under
base node as failed. This will be used to access to default parameters
for a data type (for instance, first usage will be interface).
 13 years ago
Eric Leblond 6b81430bcb pcap-file: don't kill engine in unix socket mode 
This patch updates the cleaning code to avoid to exit from suricata
in unix socket mode when a invalid pcap is given.
 13 years ago
Jamie Strandboge bc04090bc9 suppress: DETECT_SUPPRESS_REGEX should support IPv6 addresses too. Bug #697. 13 years ago
Victor Julien 80ed1ba008 file md5: print filename and line number on md5 parse errors. Bug #693. 13 years ago
Nikolay Denev 9480559c65 preserve the existing error code order 
restore SC_WARN_IPFW_SETSOCKOPT
move SC_ERR_IPFW_SETSOCKOPT at the end of the enum
 13 years ago
Nikolay Denev 894ad21be5 setsockopt() failures are already fatal, 
so treat them as such and print error instead of warning.
 13 years ago
Nikolay Denev 29b69fb026 set SO_BROADCAST on the divert socket so that broadcast 
packets can be reinjected.
 13 years ago
Victor Julien 6783463eee Fix ftpbounce address calc failing on PPC64 13 years ago
Victor Julien 0c84a7a2a9 Use _mm_free for memory allocated by _mm_alloc. Bug 703. Minor compiler warning fixes. 13 years ago
Victor Julien 34d063adea Fix double definition of CPU_* macro's for Darwin/OSX. Bug 701. 13 years ago
Victor Julien f0578c474e Fix byte order detection on Mac OS X/Darwin. Bug 700. 13 years ago
Victor Julien 5f4c52801e Fix protocol check for IP-only (#689). 13 years ago
Victor Julien 1eed3f2233 ipv6: add event for ipv6 packet with icmpv4 header 13 years ago
Anoop Saldanha 53c023342c fix for 653. 
break out of afp readring loop if shutdown is initiated.
 13 years ago
Victor Julien a55ff64a1b Use GET_PKT_LEN and GET_PKT_DATA macro's 13 years ago
Eric Leblond e690b3bbc9 magic: freebsd magic return differently 
FreeBSD don't return "Microsoft Office Document" but
"OLE 2 Compound Document". This patch takes this into account.
 13 years ago