Commit Graph

3839 Commits (d4dd18eb85841ba944957597ddf33ca268cd112d)

Author SHA1 Message Date
Anoop Saldanha ab1f8afbc3 Removed Signature->order_id and replaced it with Signature->num. 13 years ago
Anoop Saldanha 43d1229dfa 1. Fix assignment of signums, which affected how we used read
sigs(priority wise) inside staging.

   Previously we would assign signums before sig ordering, and hence the
   order didn't actually reflect the order of the sig in the
   sig_list(assuming sig reordering changed the sig_list).  Staging would
   use the old sig_nums to decide the priority of sigs.
2. Fix sig ordering for flowvar, flowbits, flowint, pktvar sigs.   We have
   introduced a new priority to treat sigs with set + read as lower
   priority compared to set only sigs.
3. Previously we treated sigs with a "priority(keyword)" > another sig's
   priority, as a sig with greater priority than the latter.  We have
   reversed it.  Now the sig priority ordering is 1, 2, etc.  Updated
   sigordering unittests to reflect the same.
13 years ago
Anoop Saldanha 9219079e1a Allow protocols to have both app layer keywords, as well as transaction
based ones.

Our general logic and assumption is protocols either support one of the
above and not have both.
13 years ago
Anoop Saldanha a490176c8a More lock fixes for the transaction update. Issues reported by Coverity. 13 years ago
Anoop Saldanha 7cf4042337 Fix luajit compilation failure introduced by the transaction update.
Fix coverity lock issues reported by transaction update as well.
13 years ago
Anoop Saldanha d4d18e3136 Transaction engine redesigned.
Improved accuracy, improved performance.  Performance improvement
noticeable with http heavy traffic and ruleset.

A lot of other cosmetic changes carried out as well.  Wrappers introduced
for a lot of app layer functions.

Failing dce unittests disabled.  Will be reintroduced in the updated dce
engine.

Cross transaction matching taken care of.  FPs emanating from these
matches have now disappeared.  Double inspection of transactions taken
care of as well.
13 years ago
Anoop Saldanha 6dcde9d7e9 hsbd mpm and packet mpm share same mpm ctx id.
This is a bug emanating from us having a var reference for hsbd mpm,
but failing to initialize it, and we default to using the packet mpm.
13 years ago
Ken Steele 93e7304117 Preserve PKT_ALLOC flag inside PACKET_RECYCLE().
The PKT_ALLOC flag was being cleared by PACKET_RECYCLE(), which could
then result in a packet being pushed back to the Packet ring buffer
incorrectly.
13 years ago
Ken Steele 699d9e01f1 Move memset() out of PACKET_INITIALIZE()
The memset() inside PACKET_INITIALIZE() is redundant in some cases and
it is cleaner to do as part of the memory allocation. This simplifies
changes for integrating Tilera mPIPE support because the size of memory
cleared in that case is different from SIZE_OF_PACKET.

For the cases where Packets are directly allocated and then call
PACKET_INITIALIZE() without memset() first, this patch adds memset() calls.

A further change would use GetPacketFromAlloc() directly.
13 years ago
Victor Julien 724ad9e8e7 Detect L1 cache line size at build time. Fall back to 64 bytes if detection failed. 13 years ago
Victor Julien 53fe756798 NFQ: convert batchcount related yaml errors to warnings. 13 years ago
Eric Leblond 703e5848e4 nfq: add errno display when verdict fail
In case of error, errno is set by sendmsg which is called by
nfnetlink and which is called by libnetfilter_queue. This patch
displays the string expression of errno if verdict has failed.
13 years ago
Florian Westphal 8da02115c9 nfq: add support for batch verdicts
Normally, there is one verdict per packet, i.e., we receive a packet,
process it, and then tell the kernel what to do with that packet (eg.
DROP or ACCEPT).

recv(), packet id x
send verdict v, packet id x
recv(), packet id x+1
send verdict v, packet id x+1
[..]
recv(), packet id x+n
send verdict v, packet id x+n

An alternative is to process several packets from the queue, and then send
a batch-verdict.

recv(), packet id x
recv(), packet id x+1
[..]
recv(), packet id x+n
send batch verdict v, packet id x+n

A batch verdict affects all previous packets (packet_id <= x+n),
we thus only need to remember the last packet_id seen.

Caveats:
- can't modify payload
- verdict is applied to all packets
- nfmark (if set) will be set for all packets
- increases latency (packets remain queued by the kernel
  until batch verdict is sent).

To solve this, we only defer verdict for up to 20 packets and
send pending batch-verdict immediately if:
- no packets are currently queued
- current packet should be dropped
- current packet has different nfmark
- payload of packet was modified

This patch adds a configurable batch verdict support for workers runmode.
The batch verdicts are turned off by default.

Problem is that batch verdicts only work with kernels >= 3.1, i.e.
using newer libnetfilter_queue with an old kernel means non-working
suricata. So the functionality has to be disabled by default.
13 years ago
Florian Westphal 6678c9feb9 nfq: avoid extra copy when running in workers mode
currently, the packet payload recv()d from the nfqueue netlink
socket is copied into a new packet buffer.

This is required because the recv-buffer space used is tied
to the current thread, but a packet may be handed off to other
threads, and the recv-buffer can be re-used while the packet
is handled by another thread.

However, in worker runmode, the packet will always be handled
by the current thread, and the recv-buffer will only be reused
after the entire packet processing stack is done with the packet.

Thus, in worker runmode, we can avoid the copy and assign
the packet data area directly.
13 years ago
Victor Julien b68d566c44 alert-debuglog: cleanup TCP check 13 years ago
Victor Julien 4b3166b193 unified2: more udp fixes 13 years ago
Victor Julien bc3f941acb profiling: enabled app layer profiling for UDP app layer modules 13 years ago
Victor Julien 782aa5adae prelude: only call stream callback for TCP 13 years ago
Victor Julien b54a19937f unified2: only call stream callback for TCP 13 years ago
Victor Julien 00948882e7 Suppress warnings when StreamSegmentForEach is called for UDP or SCTP, unless debug is compiled in. 13 years ago
Victor Julien 3b68a9d1c6 UDP: inspection app layer state as soon as we have it. 13 years ago
Victor Julien f15d97b916 Bug 780 unittests, showing no problem. 13 years ago
Victor Julien b6995f7664 Bug 794: stream SACK list needs to respect memcap 13 years ago
Victor Julien a4fca88ba7 stream: default 'random' setting when running unittests is disabled, so that test results are predictable. 13 years ago
Eric Leblond 9b235b3d9e streaming: randomize chunk size
By randomizing chunk size around the chosen value, it is possible
to escape some evasion techniques that are using the fact they know
chunk size to split the attack at the correct place.
This patch activates randomization by default and sets the random
interval to chunk size value +- 10%.
13 years ago
Victor Julien 6ba52230ed Update DetectContentDataParse to reflect the actual data types content uses. 13 years ago
Victor Julien 3ad497e74f Remove filemagic debug statement 13 years ago
Victor Julien 19511cda97 Remove obsolete DetectParseContentString function, it has been replaced by DetectContentDataParse 13 years ago
Victor Julien 4d4f8fd358 file: make fileext, filename and filemagic use the same rule parsing function as others. This has as a side effect that we enforce double quoted values now. 13 years ago
Victor Julien 8023007fbd flowvar: cleanup keyword argument parsing. Should also address Coverity 400655. 13 years ago
Victor Julien 07b751b0df Coverity 1005134: fix minor memory leak on flowvar rule setup errors. 13 years ago
Victor Julien e45f683c19 Coverity 1005133: fix unlikely case where malformed pcre statement in rule would lead to null-deref. 13 years ago
Victor Julien 4c6463f378 stream: handle extra different SYN/ACK
Until now, when processing the TCP 3 way handshake (3whs), retransmissions
of SYN/ACKs are silently accepted, unless they are different somehow. If
the SEQ or ACK values are different they are considered wrong and events
are set. The stream events rules will match on this.

In some cases, this is wrong. If the client missed the SYN/ACK, the server
may send a different one with a different SEQ. This commit deals with this.

As it is impossible to predict which one the client will accept, each is
added to a list. Then on receiving the final ACK from the 3whs, the list
is checked and the state is updated according to the queued SYN/ACK.
13 years ago
Victor Julien 00a691fc1b flowvar: clean up properly on signature clean up. 13 years ago
Victor Julien 70e2adeb01 flowvar: add unittests for #802. 13 years ago
Victor Julien 4cd736fcc9 flowvar: fix deadlock with http buffers
Bug #802

Flowvars are set from pcre, and lock the flow when being set. However
when HTTP buffers were inspected, flow was already locked: deadlock.

This patch introduces a post-match list in the detection engine thread
ctx, where store candidates are kept. Then a post-match function is used
to finalize the storing if the rule matches.

Solves the deadlock and brings the handling of flowvars more in line
with flowbits and flowints.
13 years ago
Victor Julien 4c2e6a8402 flowvars: update funcs to accept u16 id
All id's are u16, but flowvar functions would only accept u8.

Minor cleanups.
13 years ago
Victor Julien ffffe6c10e profiling: add formatted totals, percents to packet stats 13 years ago
Victor Julien 4165de4771 Minor SigValidate cleanup 13 years ago
Anoop Saldanha 0d7305dfc7 Update the way we handle http_host keywords.
Previously we would have forced all users to use nocase with http_host
keywords(since the hostname buffer is lowercase).

We now error out on sigs that have nocase set with http_host set.  Also if
the http_host pattern or http_host pcre has an uppercase character set, we
invalidate such sigs.  Unittests also updated to reflect the above change.
13 years ago
Victor Julien 9ea4d36f7a Minor reshuffling of Signature struct. 13 years ago
Victor Julien eb11280888 Use define instead of magic number for pmq's per detect thread 13 years ago
Victor Julien 0fa38c13d1 detection engine: consolidate thread setup
DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did
pretty much the same thing, except for a counters registration. As can be
predicted with code duplication like this, things got out of sync. To make
sure this doesn't happen again, I created a helper function that does the
heavy lifting in this function.
13 years ago
Victor Julien 73158fea33 Fix PmqSetup calls in Liveswap thread init. Func was out of sync with normal thread init. 13 years ago
Victor Julien b8078742c3 stream: intro function for SYN/ACK state update
As the TCP SSN state can be updated from several points in the state
machine on accepting a SYN/ACK, move the update logic into a separate
function.
13 years ago
Victor Julien 28ea129d9b stream: remove unused 'pause' feature 13 years ago
Victor Julien ea8b6078d8 stream: zero ts is a per stream flag
Ssn flag STREAMTCP_FLAG_ZERO_TIMESTAMP was used in stream only. Due to
its value it did not conflict with a real stream flag. Renamed it to
STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP.
13 years ago
Victor Julien 374187bf65 stream: don't use ssn timestamp flag in stream
The STREAMTCP_FLAG_TIMESTAMP flag is a ssn flag, however it was used in
the stream flag field. As it has the same value as
STREAMTCP_STREAM_FLAG_DEPTH_REACHED it's possible that stream reassembly
got confused by the timestamp.
13 years ago
Victor Julien 40a5ce8f5f Change logic of SCErrorToString causing any missing entries to result in a compiler warning. 13 years ago
Anoop Saldanha 71ffed5128 Handle the case of pcre combined with a relative content, where pcre has the
set to match from start of line and we discontinue matching on not finding
match.
13 years ago
Anoop Saldanha aa363a8144 unittest to display #784. 13 years ago
Eric Leblond 26b7af1483 Don't try to sniff 'default' interface
When running suricata via 'suricata --af-packet', the list of interfaces
was containing the 'default' interface and sniffing it was attempted.
This was not wanted.
13 years ago
Eric Leblond 539de3f5ea bpf filter: use SCLogError instead of fprintf 13 years ago
Eric Leblond b7e78d33b1 af-packet: warn about BPF filter consequence in IPS mode
This patch adds a message to warn the user about the impact of using a
BPF filter in IPS mode.
13 years ago
Eric Leblond dfbb31df8a Exit if bpf is used in IPS mode 13 years ago
Victor Julien ce99a07582 After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^. 13 years ago
Anoop Saldanha 8bf034e8c4 Live rule swap logs added to report SigLoadSignatures() failure. Also set
thread_closed flag on exit for live swap thread.
13 years ago
Anoop Saldanha a3212f6a0f Minor fixes against the last set of patches for #564, 565, 581 + fp automation.
Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move its
definition from inside the function where it's used to the global namespace,
as requested on #suricata.

Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup.

Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId().

Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
13 years ago
Anoop Saldanha 6de8b1ed53 fix for #564.
Get rid of the hash table, and use a single-one_time_alloc'ed array for
pattern id assignment.
13 years ago
Anoop Saldanha f58c6589b4 We now print content flags in engine fp analyzer. 13 years ago
Anoop Saldanha e77fd1c883 We now assign ids to fp patterns only. Rest of them don't need one. 13 years ago
Anoop Saldanha 4c6efa2d40 Update content id assignment.
All fp id assignment now happens in one go.
Also noticing a slight perf increase, probably emanating from improved cache
perf.
Removed irrelevant unittests as well.
13 years ago
Anoop Saldanha 60be1751d5 Figure out sig fp during validation stage, instead of staging stage. 13 years ago
Anoop Saldanha 45ff67a2e0 Enable a conf option to enable/disable legacy keywords.
Currently, uricontent is declared a legacy keyword, and is enabled by default.
13 years ago
Anoop Saldanha 601836d831 Fast pattern setup now configurable in our code.
You can either enable/disable fp for a particular type + set priority.
13 years ago
Anoop Saldanha c63317d02e Detect sm_list rearranged for performance reasons. 13 years ago
Anoop Saldanha f8ae53ac02 Further customize content modifier buffer registration.
Allow modifier setup functions to have CustomCallbacks to enable their
internal conditions.
13 years ago
Anoop Saldanha a304a98d1d http_* setup unified. 13 years ago
Anoop Saldanha 434bdca9e2 uricontent simplified to use the existing content + http_uri infrastructure. 13 years ago
Anoop Saldanha 0b5d277254 code cleanup for all content based keywords. 13 years ago
Anoop Saldanha 51dcf19817 turn dce_stub_data into a sticky buffer. 13 years ago
Anoop Saldanha a308d718ae Allow the use of relative without the presence of a related previous keyword. 13 years ago
Victor Julien 4845631335 tcp stream: don't move to LAST_ACK on toserver resent of FIN 13 years ago
Victor Julien 3163243a55 Coverity 989710 and 989711: small resource leaks in filemd5 parsing code. 13 years ago
Anoop Saldanha 12e4105dc3 fix for #770.
Invalidate sigs with negative depth.
13 years ago
Anoop Saldanha d041b98d95 fix for #771.
Fix /etc/protocols parsing.  Remove trailing newspace stored under some cases.
13 years ago
Victor Julien 37c80ea508 If an IP-only pass rule matches, set the no inspect flag for that flow. Bug #718. 13 years ago
Anoop Saldanha 75130f9702 fix for #769.
Packet inserted by live swap flagged as pseudo packet.
13 years ago
Victor Julien 274641abc2 Fix valgrind error/warning in ip reputation parsing code 13 years ago
Anoop Saldanha c6ec23ca87 fix for #758. Add redmine wiki link and desc for icmp-id keyword. 13 years ago
Victor Julien eeb439c1a3 Open 2.0 dev branch 13 years ago
Victor Julien b66af2c2ed nfq: add missing error string 13 years ago
Eric Leblond 7ec820d3ab Fix potential Null deref. 13 years ago
Victor Julien 8924d7598d Fix potential iprep file parsing issue (2). 13 years ago
Victor Julien 754ae8a1be Fix potential iprep file parsing issue. 13 years ago
Victor Julien 1b363ecb1d Fix test AddressTestParse36 on Big Endian systems 13 years ago
Anoop Saldanha 0febe5a410 fix for #760.
If udpv4 csum isn't calculated, udpv4-csum detection shouldn't run on the
csum.
13 years ago
Anoop Saldanha ce7d78dd69 fix for #725.
Update trec_len, trec_pos to 32 bits from 16 bits.
Handle handshakes that are fragmented across records.
13 years ago
Anoop Saldanha c6d50764e5 temporarily patched smb + dcerpc parsers for direction demarcation. 13 years ago
Eric Leblond 5b067e1abb pcap-file: treat the case of unsupported pcap link
In unix socket mode, Suricata was stopping processing pcap files
when a pcap file with an unsupported datalink was treated. This
patch updates error handling to allow Suricata to treat other
pcap files.
13 years ago
Eric Leblond 350d761961 af-packet: leave reading loop at each turn
The idea of this patch is to be sure to leave the ring reading loop
enough to be able to sync counters. This should fix #706.
13 years ago
Eric Leblond df0e7af8f2 unix-manager: fix thread killing function
The name of the thread was not searched in the correct family.

Reported-by: iswalker <mail2cissp@gmail.com>
13 years ago
Eric Leblond 31c03d38b9 unix socket: add 'dump-counters' command
This patch adds a 'dump-counters' command which answers with an output of
all performance counters.
13 years ago
Eric Leblond 5722d8846a unix socket: add 'help' as alias to 'command-list' 13 years ago
Eric Leblond 84322fa556 unix socket: add 'conf-get' command
This patch adds a 'conf-get' command which gets the configuration
value from suricata. Argument of the command is the name of the
variable to fetch.
The command syntax is the following:
{
 "command": "conf-get",
 "arguments": { "variable":value}
}
13 years ago
Eric Leblond c961056ed8 unix socket: add 'capture-mode' command
This patch displays what capture mode is used.
13 years ago
Eric Leblond 74a9fc4b66 Add function to display current capture mode
This patch adds a function to display the capture mode.
13 years ago
Eric Leblond 2f30485f7b unix socket: add 'running-mode' command
This command displays the active running mode ('autofp' for
example).
13 years ago
Eric Leblond f4faff6ff9 unix socket: add 'uptime' command
This command displays the number of seconds since the start of
Suricata.
13 years ago
Eric Leblond c6b38ebf67 unix socket: add 'version' command 13 years ago
Eric Leblond 78b5812ae6 unix runmode: add 'pcap-current' command
This command outputs the currently processed file name or 'None'
if no file is currently processed.
13 years ago
Eric Leblond fc7e6c4a3d unix socket: implement command-list command 13 years ago
Eric Leblond 346d5662b5 cuda: fix invalid use of sizeof 13 years ago
Anoop Saldanha 71609229cc sigorder cleaned up. 13 years ago
Eric Leblond 21dda8674d Fix build with old pcap library.
Pcap snaplen related modification broke compilation of Suricata for
systems having an old pcap library. This patch fixes the issue and allows
old pcap libraries to honour the snaplen value.
13 years ago
Eric Leblond 6d225378e4 Workaround function missing in libhtp include
As reported in bug #688, htp_config_set_path_decode_u_encoding
function is not included in libhtp header before 0.3.0. Result
is that suricata compilation fails with an external htp library.
The following patch detects the issue and adds the missing
declaration.
13 years ago
Anoop Saldanha 66f3c37016 code cleanup + unittests added against http_host and http_raw_host keywords,
against various combinations of hostname in uri and host header.
13 years ago
Anoop Saldanha 3511f91bba Add support for the new keyword - http_raw_host header.
The corresponding pcre modifier would be 'Z'.
13 years ago
Anoop Saldanha c4ce19a1be Add support for a new keyword to inspect http_host header.
The corresponding content keyword would now be - http_host.
The corresponding pcre modifier would be W.
13 years ago
Matt Keeler ebccb9ffcd Added host buffer allowance and stream configuration for Napatech 3GD
Added a napatech section in the yaml configuration.
	hba - host buffer allowance
	use-all-streams - whether all streams should be used
	streams - list of stream numbers to use when use-all-streams is no

The source-napatech.* files were modified to support the host buffer allowance configuration.
The runmode-napatech.c file was modified to support both the host buffer allowance configuration and stream configuration

Signed-off-by: Matt Keeler <mk@npulsetech.com>
13 years ago
Anoop Saldanha 0c24a8a92f fix (more like a feature update) for bug #708.
Add support for flowint based sig ordering.
13 years ago
Eric Leblond 2f0927fe9b pcap: add snaplen YAML variable
This patch introduces 'snaplen' a new YAML variable in the pcap section.
It can be set per-interface to force pcap capture snaplen. If not set
it defaults to interface MTU if MTU can be known via an ioctl call and to
full capture if not.
13 years ago
Eric Leblond e14a817fbd pfring: delete unused define. 13 years ago
Eric Leblond 786cbb1244 log-pcap: don't limit snaplen. 13 years ago
Eric Leblond e8aa66a44c pcap: add 'promisc' YAML configuration variable
This patch adds a promisc variable to pcap configuration. It is
used to decide if the interface is switched to promiscuous mode.
13 years ago
Eric Leblond 1aaa828b63 pcap: set snaplen to MTU if available.
Main objective of this patch is to use a dynamic snaplen to avoid
truncating packets at the currently fixed snaplen.

It sets snaplen to MTU length if the MTU can be retrieved. If not, it
does not set the snaplen which results in using a 65535 snaplen.

libpcap is trying to use mmaped capture and setup the ring by using buffer_size
as the total memory. It also uses "rounded" snaplen as frame size. So if we set
snaplen to MTU when available we are optimal regarding the building of the ring.
13 years ago
Victor Julien cc51eec59d Use new libhtp query string normalization. Bug #739. 13 years ago
Eric Leblond 2732faf05c teredo: update protocol decoding.
This patch fixes an error in pointer arithmetic and adds some
comments to increase maintainability of the code. It also
simplifies the decoding code as a careful RFC reading indicates
that if we discard packets containing an authentication field,
it is only possible to have a single origin indication field.
13 years ago
Eric Leblond 8d7b9703af Fix latest build-info modification
The creation of build-info.h should have been made in build
directory and not in source directory. This should fix changes
introduced in #738.
13 years ago
Eric Leblond 84f50ba49f build-info: use printf instead of SCLogInfo
This change results in a more readable and reusable output.
13 years ago
Eric Leblond 668113af77 add configure summary to build-info output 13 years ago
Eric Leblond f5ba8eb6db suricata: add information to build-info
This patch adds information about luajit and jansson to the
output of --build-info command. This should fix #696.
13 years ago
Anoop Saldanha 5fe9394d07 bug #737. Display a more apt error message when wrong argument's supplied to
reference keyword.
13 years ago
Jake Gionet 1ac8938787 Adding support for Feature #667 13 years ago
Victor Julien d0c1410cf5 Fix sig grouping bug when certain sigs are mixed. Add tests. 13 years ago
Victor Julien afb2d4eddf Fix stateful inspection not always inspecting at stream end. 13 years ago
Anoop Saldanha f59ce70c17 fix for #694.
Invalidate any address/port vars in the conf that uses a sequence
without quotes.
13 years ago
Anoop Saldanha 51868f17ae unittest to show the seg fault from bug_694 13 years ago
Anoop Saldanha 34a9c047fc updated to fix unix shutdown sequence
Should fix crashes occurring from unix mode shutdown/cleanup phase.
13 years ago
Ignacio Sanchez d771e08156 Adds support for the geoip keyword
Adds support for match-on conditions (src, dst, any, both)
Uses GEOIP_MEMORY_CACHE for performance reasons
Adds support for negation and multiple countries in the same rule

Bug fixes

Changed to take flow direction from rule, if present

Comments addressed. Unit tests added.
13 years ago
Eric Leblond 6dfd106139 conf: add unittest for WithDefault functions. 13 years ago
Eric Leblond f59c63c457 pcap: add support for 'default' interface 13 years ago
Eric Leblond feabe6e9a2 pfring: add support for 'default' interface 13 years ago
Eric Leblond 4ae27756b0 af-packet: add support for 'default' interface
This patch adds support for 'default' interface which is used to get
parameter values when per-interface is not defined.
13 years ago
Eric Leblond 0bddf4f02f conf: introduce WithDefault function
This patch introduces a new set of functions to the ConfGetChildValue
family. They permit to look under a default node if looking under
base node has failed. This will be used to access to default parameters
for a data type (for instance, first usage will be interface).
13 years ago
Eric Leblond 6b81430bcb pcap-file: don't kill engine in unix socket mode
This patch updates the cleaning code to avoid exiting from suricata
in unix socket mode when an invalid pcap is given.
13 years ago
Jamie Strandboge bc04090bc9 suppress: DETECT_SUPPRESS_REGEX should support IPv6 addresses too. Bug #697. 13 years ago
Victor Julien 80ed1ba008 file md5: print filename and line number on md5 parse errors. Bug #693. 13 years ago
Nikolay Denev 9480559c65 preserve the existing error code order
restore SC_WARN_IPFW_SETSOCKOPT
move SC_ERR_IPFW_SETSOCKOPT at the end of the enum
13 years ago
Nikolay Denev 894ad21be5 setsockopt() failures are already fatal,
so treat them as such and print error instead of warning.
13 years ago
Nikolay Denev 29b69fb026 set SO_BROADCAST on the divert socket so that broadcast
packets can be reinjected.
13 years ago
Victor Julien 6783463eee Fix ftpbounce address calc failing on PPC64 13 years ago
Victor Julien 0c84a7a2a9 Use _mm_free for memory allocated by _mm_alloc. Bug 703. Minor compiler warning fixes. 13 years ago
Victor Julien 34d063adea Fix double definition of CPU_* macro's for Darwin/OSX. Bug 701. 13 years ago
Victor Julien f0578c474e Fix byte order detection on Mac OS X/Darwin. Bug 700. 13 years ago
Victor Julien 5f4c52801e Fix protocol check for IP-only (#689). 13 years ago
Victor Julien 1eed3f2233 ipv6: add event for ipv6 packet with icmpv4 header 13 years ago
Anoop Saldanha 53c023342c fix for 653.
break out of afp readring loop if shutdown is initiated.
13 years ago
Victor Julien a55ff64a1b Use GET_PKT_LEN and GET_PKT_DATA macro's 13 years ago
Eric Leblond e690b3bbc9 magic: freebsd magic return differently
FreeBSD doesn't return "Microsoft Office Document" but
"OLE 2 Compound Document". This patch takes this into account.
13 years ago
Anoop Saldanha a30a1e5950 fix for bug 675.
Fix icmpv6-csum to send the right length to calculate the csum.
13 years ago
Anoop Saldanha af92c2fa4b Unittest to show the issue we have with 674 (csum-icmpv6 sends
wrong length for csum calculation).
13 years ago
Victor Julien 150b0c5ae0 ipv6: add option to detect HOP/DST headers with only padding. Detect unknown DST/HOP opts. 13 years ago
Victor Julien ba367dad3c icmpv6: fix payload handling 13 years ago
Victor Julien 538a941486 decoder events: fix bug causing some rules not to be inspected if the decoder completed with warnings 13 years ago
Victor Julien f5cd7c6a92 decode events: add debug statement 13 years ago
Victor Julien 82769a1b37 profiling: fix missing profile names 13 years ago
Victor Julien 72443a0d62 unified2: append open instead of truncate open so that in case we rotate within a second we don't overwrite files. Instead we violate the limit. 13 years ago
Victor Julien 298d21372b flow: only BUG_ON use_cnt in flows when compiled with debug-validation 13 years ago
Anoop Saldanha b22a0cffbb cleanup flowtimeout threadvars retrieval +
throw back pseudo pkt back to packetpool inside flow timeout.
13 years ago
Victor Julien abecef5d82 stream: send eof to app layer from stream end pkt if necessary 13 years ago
Ludovico Cavedon ac8b087717 Wait until both sides close the TCP connection before initiating cleanup 13 years ago
Eric Leblond 2accda78a1 unix runmode: fix error handling.
If 'output-dir' argument was not given it was possible to reach a
possibly problematic condition.
13 years ago
Eric Leblond 1fd47cfb96 Remove useless code. 13 years ago
Eric Leblond b3d4285982 fix logic error in sanity check 13 years ago
Eric Leblond 9c47ada771 Add removal safe TAILQ iterator.
TAILQ_FOREACH macro was not safe for element removal as it was
accessing the next element in case of a free. This patch is inspired
by Linux list handling and provides a new macro TAILQ_FOREACH_SAFE.
This macro is removal safe and only differs by a last argument being
a temporary pointer to an element.
13 years ago
Eric Leblond 06751ecd75 prelude: don't build string object for NULL string
prelude_string_set_ref doesn't like when it is called with a NULL
parameter. This patch adds a check for NULL value. This is formally
good as there is no use of a NULL description.
13 years ago
Jason Ish 005f7a2399 Feature 638: Display DAG drop counts on exit; add DAG packet and drop stats to live stats. 13 years ago
Ludovico Cavedon b617c9c3f2 Fix length check on user-agent header 13 years ago
Ludovico Cavedon 5dd0a1d917 Add User-Agent header content to file metadata 13 years ago
Anoop Saldanha 34d5aadcb8 warn users that we don't support content strings whose length is > 255. 13 years ago
Ludovico Cavedon 2f4c9198a6 Initialize flow_manager_mutex 13 years ago
Anoop Saldanha 464ed95f71 fix for bug #526.
Insert pseudo packet under low load conditions to complete rule swap.
This is necessary when we use autofp active packets where most packets
would be sent to the first queue under low load conditions.
13 years ago
Victor Julien 389c48f222 Fix detection of spin locks supported. Clean up how we handle falling back to mutex if spinlocks aren't supported. 13 years ago
Eric Leblond df3d10865a host: suppress double memory clear
HostFree() is calling HostClearMemory() so calling HostClearMemory()
before HostFree() is useless.
13 years ago
Eric Leblond 12fd60b545 unix-socket: cleanup host table instead of destroying it
This patch should fix the bug #637. Between pcap files, it uses a
new function HostCleanup() to clear tag and threshold on host with
an IP reputation. Another consequence of this modification is
that Host init and shutdown are now done unconditionally.
13 years ago
Eric Leblond d9eaa0d340 host: don't destroy reference counter
The reference counter should not be destroyed in HostClearMemory()
as the host can be reused directly (without going through Init
function).
13 years ago
Eric Leblond ca1a70a04b pfring: fix build failure 13 years ago
Anoop Saldanha b1ce94babe Temporary fix for bug #599.
Treat sigs with negated addresses as non ip-only.

This fix exposes bug #608, which results in 2 failed unittest which
have now been disabled by this commit.  Would be reenabled when we
have #608 fix in.
13 years ago
Anoop Saldanha fdc666f732 unittest to show failure for bug #599. 13 years ago
Victor Julien 9f519e95a2 http: add event for libhtp detection of request port not matching tcp port. 13 years ago
Victor Julien 3ab1458abf pcap: fix windows commandline mangling win device string 13 years ago
Victor Julien a698a7600d clang: fix warnings when debug is enabled 13 years ago
Victor Julien 40bbf96f22 reputation: don't give error if config is missing/commented out 13 years ago
Victor Julien 0f42f0e890 Minor fixes 13 years ago
Eric Leblond 6b3ebc810d unix runmode: improve JSON handling
The jansson functions with new in their name take care of ref
counting. This patch fixes a memory leak.
13 years ago
Eric Leblond 195b144daa unix-manager: fix error and JSON handling 13 years ago
Eric Leblond a05113a2b1 unix-manager: memory handling fixes.
This patch adds unlikely() for memory error handling and fixes a few
error cases.
13 years ago
Eric Leblond 028a37f6e7 unix runmode: use unlikely for memory error 13 years ago
Eric Leblond 547c55114e unix runmode: fix FIXME 13 years ago
Eric Leblond f38b8fe4eb unix runmode: fix JSON mem handling
json_decref was not correctly used through the code. This patch
fixes it.
13 years ago
Eric Leblond 13237b8af2 unix manager: add static 13 years ago
Eric Leblond 936c36d5f1 Disable 'reload-rules' command. 13 years ago
Eric Leblond d5457ad70e unix-manager: doc and whitespace fixes 13 years ago
Eric Leblond af16c418b7 unix-socket: fix build when jansson not present 13 years ago
Eric Leblond ef64648cf8 unix-command: add drop counter to iface-stat message 13 years ago
Eric Leblond 8d0260b27e Add atomic counter for iface drop. 13 years ago
Eric Leblond cc71c993f4 unix-command: add iface information command.
This patch adds two commands to unix-command. 'iface-list' displays
the list of interfaces which are sniffed by Suricata and 'iface-stat'
displays the available statistics for a single interface. For now,
these are the number of packets and the number of invalid checksums.
13 years ago
Eric Leblond c78e112e3e af-packet: update runmode copyright date. 13 years ago
Eric Leblond 6f0a851087 unix-manager: fix error treatment in accept phase 13 years ago
Eric Leblond f2a17f47d3 unix-manager: implement multi client support
This patch implements the support of multiple clients connected
at once to the unix socket.
13 years ago
Eric Leblond a9cb8ce89f affinity: avoid initializing structure twice
In unix socket mode, suricata was doing multiple init of the
structure. This was not needed and caused a memory leak in
mutex creation.
13 years ago
Eric Leblond 93f801b3a9 pcap-file: update affinity setting code
The affinity setting code was using the old API. This patch updates
to the new API and also adds a call to RunModeInitiaze() which was
missing in Single running mode.
13 years ago
Eric Leblond cfd80e7063 unix-mode: fix return of pcap-file command 13 years ago
Eric Leblond f8921d8a28 unix-socket: introduce API to add commands and tasks
This patch transforms the unix socket into a flexible system to
add commands (triggered by user) and tasks (run periodically).
It introduces two functions UnixManagerRegisterCommand and
UnixManagerRegisterBackroundTask to register commands and tasks.

Other parts of Suricata can then declare a new command via a simple
call of the function. In the case of a command, the caller is
responsible for building the answer message using the Jansson API. The
sending of the message is made by the unix manager code.
13 years ago
Eric Leblond 20a8b9dbe5 unix-manager: add unix command socket and associated script
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
 * Client connects to the socket
 * It sends a version message: { "version": "$VERSION_ID" }
 * Server answers with { "return": "OK|NOK" }
If the server returns OK, the client is now allowed to send commands.

The format of command is the following:
 {
   "command": "pcap-file",
   "arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
 }
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer by server is the following:
 {
   "return": "OK|NOK",
   "message": JSON_OBJECT or information string
 }

A simple script is provided and is available under scripts/suricatasc. It
is not intended to be enterprise-grade tool but it is more a proof of
concept/example code.  The first command line argument of suricatasc is
used to specify the socket to connect to.

Configuration of the feature is made in the YAML under the 'unix-command'
section:
  unix-command:
    enabled: yes
    filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.

A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
starts a 'pcap-file' running mode which does not really leave at
the end of file but simply exits. The manager is then able to start
a new running mode with a new file.

To start this mode, Suricata must be started with the --unix-socket
option which has an optional argument which fixes the file name of the
socket. The path is not absolute and is relative to the state directory.

The 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what is specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be used for the pcap file treatment.

This requires modification in the suricata.c file where initialisation code
is now conditional on the fact 'unix-socket' mode is not used.

Two other commands exist to get info on the remaining tasks:
 * pcap-file-number: return the number of files in the waiting queue
 * pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
 {
  'count': 2,
  'files': ['file1.pcap', 'file2.pcap']
 }
13 years ago
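The handshake and command flow described in this commit, as an added example that is not Suricata's own code: a small in-memory model of the manager side, with the version check, a registered-command table, the pcap-file queue and the pcap-file-number/pcap-file-list answers. The version string and the reply texts are constructed for the example; socket I/O is left out so it runs offline.

```python
import json

# Constructed value for this example; the commit message only shows "$VERSION_ID".
PROTOCOL_VERSION = "0.1"

class UnixCommandSession:
    """Server side of one client connection: version handshake, then command dispatch."""

    def __init__(self, version=PROTOCOL_VERSION):
        self.version = version
        self.handshake_done = False
        self.pcap_queue = []
        # Command table, in the spirit of UnixManagerRegisterCommand: name -> handler(arguments).
        self.commands = {
            "pcap-file": self._cmd_pcap_file,
            "pcap-file-number": lambda args: len(self.pcap_queue),
            "pcap-file-list": lambda args: {"count": len(self.pcap_queue), "files": list(self.pcap_queue)},
        }

    def handle(self, raw):
        """Process one raw JSON message and return the answer object (json.dumps it for the wire)."""
        try:
            msg = json.loads(raw)
        except ValueError:
            return {"return": "NOK", "message": "invalid JSON"}
        if not isinstance(msg, dict):
            return {"return": "NOK", "message": "message must be a JSON object"}
        if not self.handshake_done:
            # Nothing is accepted before a matching version message.
            if msg.get("version") == self.version:
                self.handshake_done = True
                return {"return": "OK"}
            return {"return": "NOK"}
        handler = self.commands.get(msg.get("command"))
        if handler is None:
            return {"return": "NOK", "message": "unknown command"}
        args = msg.get("arguments") or {}
        if not isinstance(args, dict):
            return {"return": "NOK", "message": "arguments must be a JSON object"}
        try:
            return {"return": "OK", "message": handler(args)}
        except ValueError as exc:
            return {"return": "NOK", "message": str(exc)}

    def _cmd_pcap_file(self, args):
        # Both arguments are required strings; reject anything else before queuing.
        if not all(isinstance(args.get(k), str) for k in ("filename", "output-dir")):
            raise ValueError("pcap-file needs string 'filename' and 'output-dir'")
        self.pcap_queue.append(args["filename"])
        return "file queued"  # constructed answer text, not Suricata's
```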
Eric Leblond 6be63bdc4f tm-threads: add TM_ECODE_DONE state
This patch adds a new return state which can be used by threads
to warn that a task has been done. In this case, suricata does not
leave.
13 years ago
Eric Leblond 412482f6b1 filestore: create file store directory if needed
This patch modifies the file store system to have it create the
file store directory if needed. It does not create the full
directory tree as the parent directory must have already been
created.
13 years ago
Eric Leblond 7b1d346c22 counters: management cpu set was set twice
Setting the management CPU set on perf threads is already done in
the TmThreadCreateMgmtThread() function used to create the threads.
13 years ago
Eric Leblond 84f2645e3e pcap-file: free thread var at deinit. 13 years ago
Eric Leblond 28b4bed141 tm-threads: fix potential access to NULL pointer. 13 years ago
Eric Leblond 1b26660ac4 counter: defensive set to NULL in free. 13 years ago
Eric Leblond 09b79cb5bf stream-tcp: fix double call to debug print function 13 years ago
Last G 8ae11f73b2 Added parentheses to fix Eclipse static code analysis
Fixed bug in action priority (REJECT_DST had lowest prio)
13 years ago
Last G e236351c52 Fixed missing "|" in "||" operation 13 years ago
Last G edcb8fdb87 Added parenthesis for right operation order 13 years ago
Last G 8bb9c3af35 Added return value to non-void function with "forever"-loop to fit
Eclipse static code analysis
13 years ago
Eric Leblond 40891223e9 list-keyword: detect non built keyword
This patch updates the flags list to be able to indicate that a
flag is not supported. This information is used by list-keyword to
display information to the user.
13 years ago
Eric Leblond 8f13694988 luajit: no link with HTTP when not built.
Even when not built-in, luajit is not linked with HTTP.
13 years ago
Eric Leblond 6842545331 Add documentation url in list-keyword output.
The output of the list-keyword is modified to include the url to
the keyword documentation when this is available. All documented
keywords should have their link set.

list-keyword can be used with an optional value:
 no option or short: display list of keywords
 csv: display a csv output with info on all keywords
 all: display a human readable output of keywords info
 $KWD: display the info about one keyword.
13 years ago
Eric Leblond fa900a9f6b suricata: add information about BPF filter usage 13 years ago
Eric Leblond 7e14fe62f5 suricata: add '-V' info to usage message. 13 years ago
Eric Leblond fd3a1346e4 suricata: add build-info command to usage message. 13 years ago
Eric Leblond 4e0f5b7f02 suricata: don't display msg in list-keyword mode.
In list-keywords and list-app-layer mode, suricata now only
displays the messages linked with the feature. This allows users
to redirect the output and easily work on it. For example, the
csv output will be easily imported into a spreadsheet.
13 years ago
Eric Leblond 5e4552fdcd suricata: update list-keyword command
This patch updates the list-keyword command. Without any option,
the previous behavior is conserved. If 'all' is used as option,
suricata prints a csv formatted output of keyword information:
	name;features;description
If a keyword name is used as argument, suricata prints a readable
message:
tls.subject
Features: state inspecting
Description: Match TLS/SSL certificate Subject field
13 years ago
Eric Leblond 86709f5e9d rule analyser: display message for invalid signatures 13 years ago
Eric Leblond c7cfbb71c9 engine-analyzer: fix typo in message 13 years ago
Eric Leblond cd42e6a3ef Listing of app layers does not depend on unittests 13 years ago
Eric Leblond 42ace54137 list-keywords: fix when not using default install
As we don't parse the YAML file when listing of keywords is asked,
suricata makes a test on existence of the build-default directory.
So with a non standard (working) install (even a single configure
without option leads to a failure), the keyword listing fails
because the default logging directory does not exist.
13 years ago
Eric Leblond b0471fb8e4 rule analyser: add msg if rule is ipv4 or ipv6 only 13 years ago
Victor Julien 83bfe3810b reputation: report error if host table memcap reached. Work around compilation failure with atomic fallback code. 13 years ago
Victor Julien 18535e6ef9 Host: ignore usecnt add/sub result. Expose HostPrintStats. 13 years ago
Victor Julien e30b1bfe64 Simple IP reputation implementation 13 years ago
Victor Julien 9140aa6ac5 cygwin supports the thread cpu affinity code now 13 years ago
Victor Julien b20bfa04ef clang warning squashing 13 years ago
Victor Julien 84bad6db77 Silence compiler warnings found by clang 13 years ago
Victor Julien b63c2eda6a build: more cygwin cleanups 13 years ago
Victor Julien dc465b92e5 Fix use of byte swap function 13 years ago
Victor Julien 506c144c60 build: reshuffle including headers to fix build on cygwin 13 years ago
Anoop Saldanha e1cabae0f4 fix uninit var usage in hhd 13 years ago
Eric Leblond 4726e02afb logging: add warning if no output module is selected
If no daemon compatible logging module is selected, a message is
displayed to avoid having the user look like mad for messages.
13 years ago
Eric Leblond 9f4da93a4b suricata: don't exit if pidfile can't be created 13 years ago
Eric Leblond e148b2b82a suricata: display PID file name in case of error. 13 years ago
Victor Julien 93bdaa49d8 byte_jump: when from_beginning option is used, the number of bytes to convert should not be used in the jump. Bug 627. 13 years ago
Eric Leblond 7854c84972 pcap: add capture counters in stats.log.
This patch adds three counters to stats.log:
    capture.kernel_packets    | RxPcapwlan0               | 4218
    capture.kernel_drops      | RxPcapwlan0               | 0
    capture.kernel_ifdrops    | RxPcapwlan0               | 0
This patch is meant to fix bug #625.
13 years ago
Victor Julien bcaec1e963 pkt-data: don't compile unittest unless unittests are enabled 13 years ago
Victor Julien 472e061c6d build: more checking for includes 13 years ago
Victor Julien 2a42f554b1 build cleanup, build source files in alphabetical order 13 years ago
Victor Julien 042d0c6ee8 build cleanups 13 years ago
Victor Julien 5a6c8c0f01 minor misc changes: update htp ver, add htp ver to --build-info, clean up 13 years ago