aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,160 Commits
8 Branches
165 Tags
231 MiB
main
main-7.0.x
main-8.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd4dd18eb85'
${ noResults }
Commit Graph

3839 Commits (d4dd18eb85841ba944957597ddf33ca268cd112d)

Author SHA1 Message Date
Eric Leblond 78b5812ae6 unix runmode: add 'pcap-current' command 
This command outputs the currently processed file name or 'None'
if no file is currently processed.
 13 years ago
Eric Leblond fc7e6c4a3d unix socket: implement command-list command 13 years ago
Eric Leblond 346d5662b5 cuda: fix invalid use of sizeof 13 years ago
Anoop Saldanha 71609229cc sigorder cleaned up. 13 years ago
Eric Leblond 21dda8674d Fix build with old pcap library. 
Pcap snaplen related modification broke compilation of Suricata for
system having old pcap library. This patch fixes the issue and allow
old pcap library to honour the snaplen value.
 13 years ago
Eric Leblond 6d225378e4 Workaround function missing in libhtp include 
As reported in bug #688, htp_config_set_path_decode_u_encoding
function is not included in libhtp header before 0.3.0. Result
is that suricata compilation fail with an external htp library.
The following patch detect the issue and adds the missing
declaration.
 13 years ago
Anoop Saldanha 66f3c37016 code cleanup + unittests added against http_host and http_raw_host keywords, 
against various combinations of hostname in uri and host header.
 13 years ago
Anoop Saldanha 3511f91bba Add support for the new keyword - http_raw_host header. 
The corresponding pcre modifier would be 'Z'.
 13 years ago
Anoop Saldanha c4ce19a1be Add support for a new keyword to inspect http_host header. 
The corresponding content keyword would now be - http_host.
The corresponding pcre modifier would be W.
 13 years ago
Matt Keeler ebccb9ffcd Added host buffer allowance and stream configuration for Napatech 3GD 
Added a napatech section in the yaml configuration.
	hba - host buffer allowance
	use-all-streams - whether all streams should be used
	streams - list of stream numbers to use when use-all-streams is no

The source-napatech.* files were modified to support the host buffer allowance configuration.
The runmode-napatech.c file was modified to support both the host buffer allowance configuration and stream configuration

Signed-off-by: Matt Keeler <mk@npulsetech.com>
 13 years ago
Anoop Saldanha 0c24a8a92f fix(more like a feature update) for bug #708. 
Add support for flowint based sig ordering.
 13 years ago
Eric Leblond 2f0927fe9b pcap: add snaplen YAML variable 
This patch introduces 'snaplen' a new YAML variable in the pcap section.
It can be set per-interface to force pcap capture snaplen. If not set
it defaults to interface MTU if MTU can be known via a ioctl call and to
full capture if not.
 13 years ago
Eric Leblond e14a817fbd pfring: delete unused define. 13 years ago
Eric Leblond 786cbb1244 log-pcap: don't limit snaplen. 13 years ago
Eric Leblond e8aa66a44c pcap: add 'promisc' YAML configuration variable 
This patch adds a promisc variable to pcap configuration. It is
used to decided if interface is switched to promiscuous mode.
 13 years ago
Eric Leblond 1aaa828b63 pcap: set snaplen to MTU if available. 
Main objective of this patch is to use a dynamic snaplen to avoid
to truncate packet at the currently fixed snaplen.

It set snaplen to MTU length if the MTU can be retrieved. If not, it
does not set the snaplen which results in using a 65535 snaplen.

libpcap is trying to use mmaped capture and setup the ring by using buffer_size
as the total memory. It also use "rounded" snaplen as frame size. So if we set
snaplen to MTU when available we are optimal regarding the building of the ring.
 13 years ago
Victor Julien cc51eec59d Use new libhtp query string normalization. Bug #739. 13 years ago
Eric Leblond 2732faf05c teredo: update protocol decoding. 
This patch fixes an error in pointer arythmetic and add some
comments to increase maintanability of the code. It also
simplify the decoding code as a careful RFC reading indicate
that if we discard packet containing an authentication field,
it is only possible to have a single origin indication field.
 13 years ago
Eric Leblond 8d7b9703af Fix latest build-info modification 
The creation of build-info.h should have been made in build
directory and not in source directory. This should fix changes
introduced in #738.
 13 years ago
Eric Leblond 84f50ba49f build-info: use printf instead of SCLogInfo 
This change results in a more readable and reusable output.
 13 years ago
Eric Leblond 668113af77 add configure summary to build-info output 13 years ago
Eric Leblond f5ba8eb6db suricata: add information to build-info 
This patch adds information about luajit and jansson to the
output of --build-info command. This should fix #696.
 13 years ago
Anoop Saldanha 5fe9394d07 bug #737. Display a more apt error message when wrong argument's supplied to 
reference keyword.
 13 years ago
Jake Gionet 1ac8938787 Adding support for Feature #667 13 years ago
Victor Julien d0c1410cf5 Fix sig grouping bug when certain sigs are mixed. Add tests. 13 years ago
Victor Julien afb2d4eddf Fix stateful inspection not always inspecting at stream end. 13 years ago
Anoop Saldanha f59ce70c17 fix for #694. 
Invalidate any address/port vars in the conf that uses a sequence
without quotes.
 13 years ago
Anoop Saldanha 51868f17ae unittest to show the seg fault from bug_694 13 years ago
Anoop Saldanha 34a9c047fc updated to fix unix shutdown sequence 
Should fix crashes occuring from unix mode shutdown/cleanup phase.
 13 years ago
Ignacio Sanchez d771e08156 Adds support for the geoip keyword 
Adds support for match-on conditions (src, dst, any, both)
Uses GEOIP_MEMORY_CACHE for performance reasons
Adds support for negation and multiple countries in the same rule

Bug fixes

Changed to take flow direction from rule, if present

Comments addressed. Unit tests added.
 13 years ago
Eric Leblond 6dfd106139 conf: add unittest for WithDefault functions. 13 years ago
Eric Leblond f59c63c457 pcap: add support for 'default' interface 13 years ago
Eric Leblond feabe6e9a2 pfring: add support for 'default' interface 13 years ago
Eric Leblond 4ae27756b0 af-packet: add support for 'default' interface 
This patch adds support for 'default' interface which is used to get
parameter values when per-interface is not defined.
 13 years ago
Eric Leblond 0bddf4f02f conf: introduce WithDefault function 
This patch introduces a new set of functions to the ConfGetChildValue
family. They permit to look under a default node if looking under
base node as failed. This will be used to access to default parameters
for a data type (for instance, first usage will be interface).
 13 years ago
Eric Leblond 6b81430bcb pcap-file: don't kill engine in unix socket mode 
This patch updates the cleaning code to avoid to exit from suricata
in unix socket mode when a invalid pcap is given.
 13 years ago
Jamie Strandboge bc04090bc9 suppress: DETECT_SUPPRESS_REGEX should support IPv6 addresses too. Bug #697. 13 years ago
Victor Julien 80ed1ba008 file md5: print filename and line number on md5 parse errors. Bug #693. 13 years ago
Nikolay Denev 9480559c65 preserve the existing error code order 
restore SC_WARN_IPFW_SETSOCKOPT
move SC_ERR_IPFW_SETSOCKOPT at the end of the enum
 13 years ago
Nikolay Denev 894ad21be5 setsockopt() failures are already fatal, 
so treat them as such and print error instead of warning.
 13 years ago
Nikolay Denev 29b69fb026 set SO_BROADCAST on the divert socket so that broadcast 
packets can be reinjected.
 13 years ago
Victor Julien 6783463eee Fix ftpbounce address calc failing on PPC64 13 years ago
Victor Julien 0c84a7a2a9 Use _mm_free for memory allocated by _mm_alloc. Bug 703. Minor compiler warning fixes. 13 years ago
Victor Julien 34d063adea Fix double definition of CPU_* macro's for Darwin/OSX. Bug 701. 13 years ago
Victor Julien f0578c474e Fix byte order detection on Mac OS X/Darwin. Bug 700. 13 years ago
Victor Julien 5f4c52801e Fix protocol check for IP-only (#689). 13 years ago
Victor Julien 1eed3f2233 ipv6: add event for ipv6 packet with icmpv4 header 13 years ago
Anoop Saldanha 53c023342c fix for 653. 
break out of afp readring loop if shutdown is initiated.
 13 years ago
Victor Julien a55ff64a1b Use GET_PKT_LEN and GET_PKT_DATA macro's 13 years ago
Eric Leblond e690b3bbc9 magic: freebsd magic return differently 
FreeBSD don't return "Microsoft Office Document" but
"OLE 2 Compound Document". This patch takes this into account.
 13 years ago
Anoop Saldanha a30a1e5950 fix for bug 675. 
Fix icmpv6-csum to send the right length to calculate the csum.
 13 years ago
Anoop Saldanha af92c2fa4b Unittest to show the issue we have with 674 - csum-icmpv6 sends 
wrong length for csum calculation)
 13 years ago
Victor Julien 150b0c5ae0 ipv6: add option to detect HOP/DST headers with only padding. Detect unknown DST/HOP opts. 13 years ago
Victor Julien ba367dad3c icmpv6: fix payload handling 13 years ago
Victor Julien 538a941486 decoder events: fix bug causing some rules not to be inspected if the decoder completed with warnings 13 years ago
Victor Julien f5cd7c6a92 decode events: add debug statement 13 years ago
Victor Julien 82769a1b37 profiling: fix missing profile names 13 years ago
Victor Julien 72443a0d62 unified2: append open instead of trucate open so that in case we rotate within a second we don't overwrite files. Instead we violate the limit. 13 years ago
Victor Julien 298d21372b flow: only BUG_ON use_cnt in flows when compiled with debug-validation 13 years ago
Anoop Saldanha b22a0cffbb cleanup flowtimeout threadvars retrieval + 
throw back pseudo pkt back to packetpool inside flow timeout.
 13 years ago
Victor Julien abecef5d82 stream: send eof to app layer from stream end pkt if necessary 13 years ago
Ludovico Cavedon ac8b087717 Wait until both sides close the TCP connection before initiating cleanup 13 years ago
Eric Leblond 2accda78a1 unix runmode: fix error handling. 
If 'output-dir' argument was not given it was possible to reach a
possibly problematic condition.
 13 years ago
Eric Leblond 1fd47cfb96 Remove useless code. 13 years ago
Eric Leblond b3d4285982 fix logic error in sanity check 13 years ago
Eric Leblond 9c47ada771 Add removal safe TAILQ iterator. 
TAILQ_FOREACH macro was not safe for element removal as it was
accessing the next element in case of a free. This patch is inspired
by Linux list handling and provide a new macro TAILQ_FOREACH_SAFE.
This macro is removal safe and only differs by a last argument being
a temporaty pointer to an element.
 13 years ago
Eric Leblond 06751ecd75 prelude: don't build string objet for NULL string 
prelude_string_set_ref don't like when it is called with a NULL
parameter. This patch adds check for NULL value. This is formally
good as there is no use of a NULL description.
 13 years ago
Jason Ish 005f7a2399 Feature 638: Display DAG drop counts on exit; add DAG packet and drop stats to live stats. 13 years ago
Ludovico Cavedon b617c9c3f2 Fix length check on user-agent header 13 years ago
Ludovico Cavedon 5dd0a1d917 Add User-Agent header content to file metadata 13 years ago
Anoop Saldanha 34d5aadcb8 warn users that we don't support content strings whose length's > 255. 13 years ago
Ludovico Cavedon 2f4c9198a6 Initialize flow_manager_mutex 13 years ago
Anoop Saldanha 464ed95f71 fix for bug #526. 
Insert pseudo packet under low load conditions to complete rule swap.
This is necessary when we use autofp active packets where most packets
would be sent to the first queue under low load conditions.
 13 years ago
Victor Julien 389c48f222 Fix detection of spin locks supported. Clean up how we handle falling back to mutex if spinlocks aren't supported. 13 years ago
Eric Leblond df3d10865a host: suppress double memory clear 
HostFree() is calling HostClearMemory() so calling HostClearMemory()
before HostFree() is useless.
 13 years ago
Eric Leblond 12fd60b545 unix-socket: cleanup host table instead of destroying it 
This patch should fix the bug #637. Between pcap files, it uses a
new function HostCleanup() to clear tag and threshold on host with
an IP regputation. An other consequence of this modification is
that Host init and shutdown are now init and shutdown unconditionaly.
 13 years ago
Eric Leblond d9eaa0d340 host: don't destroy reference counter 
The reference counter should not be destroyed in HostClearMemory()
as the host can be reused directly (without going through Init
function).
 13 years ago
Eric Leblond ca1a70a04b pfring: fix build failure 13 years ago
Anoop Saldanha b1ce94babe Temporary fix for bug #599. 
Treat sigs with negated addresses as non ip-only.

This fix exposes bug #608, which results in 2 failed unittest which
have now been disabled by this commit.  Would be reenabled when we
have #608 fix in.
 13 years ago
Anoop Saldanha fdc666f732 unittest to show failure for bug #599. 13 years ago
Victor Julien 9f519e95a2 http: add event for libhtp detection of request port not matching tcp port. 13 years ago
Victor Julien 3ab1458abf pcap: fix windows commandline mangling win device string 13 years ago
Victor Julien a698a7600d clang: fix warnings when debug is enabled 13 years ago
Victor Julien 40bbf96f22 reputation: don't give error if config is missing/commented out 13 years ago
Victor Julien 0f42f0e890 Minor fixes 13 years ago
Eric Leblond 6b3ebc810d unix runmode: improve JSON handling 
The jansson function with new in their name take care of ref
counting. The this patch fixes a memory leak.
 13 years ago
Eric Leblond 195b144daa unix-manager: fix error and JSON handling 13 years ago
Eric Leblond a05113a2b1 unix-manager: memory handling fixes. 
This patch adds unlikey() for memory error handling and fixes a few
error cases.
 13 years ago
Eric Leblond 028a37f6e7 unix runmode: use unlikely for memory error 13 years ago
Eric Leblond 547c55114e unix runmode: fix FIXME 13 years ago
Eric Leblond f38b8fe4eb unix runmode: fix JSON mem handling 
json_decref was not correctly used through the code. This patch
fixes it.
 13 years ago
Eric Leblond 13237b8af2 unix manager: add static 13 years ago
Eric Leblond 936c36d5f1 Disable 'reload-rules' command. 13 years ago
Eric Leblond d5457ad70e unix-manager: doc and whitespace fixes 13 years ago
Eric Leblond af16c418b7 unix-socket: fix build when jansson not present 13 years ago
Eric Leblond ef64648cf8 unix-command: add drop counter to iface-stat message 13 years ago
Eric Leblond 8d0260b27e Add atomic counter for iface drop. 13 years ago
Eric Leblond cc71c993f4 unix-command: add iface information command. 
This patch adds two commands to unix-command. 'iface-list' displays
the list of interface which are sniffed by Suricata and 'iface-stat'
display the available statistics for a single interface. For now,
this is the number of packets and the number of invalid checksums.
 13 years ago
Eric Leblond c78e112e3e af-packet: update runmode copyright date. 13 years ago
Eric Leblond 6f0a851087 unix-manager: fix error treatment in accept phase 13 years ago
Eric Leblond f2a17f47d3 unix-manager: implement multi client support 
This patch implements the support of multiple clients connected
at once to the unix socket.
 13 years ago
Eric Leblond a9cb8ce89f affinity: avoid to init structure twice 
In unix socket mode, suricata was doing multiple init of the
structure. This was not needed and caused a memory leak in
mutex creation.
 13 years ago
Eric Leblond 93f801b3a9 pcap-file: update affinity setting code 
The affinity setting code was using the old API. This patch updates
to the new API and also adds a call to RunModeInitiaze() which was
missing in Single running mode.
 13 years ago
Eric Leblond cfd80e7063 unix-mode: fix return of pcap-file command 13 years ago
Eric Leblond f8921d8a28 unix-socket: introduce API to add commands and tasks 
This patch transforms the unix socket into a flexible system to
add commands (triggered by user) and taks (run periodically).
It introduces two functions UnixManagerRegisterCommand and
UnixManagerRegisterBackroundTask to registed commands and tasks.

Other part of Suricata can then declare a new command via a simple
call of the function. In the case of a command the caller is
responsible of building the answer message using Jansson API. The
sending of the message is made by unix manager code.
 13 years ago
Eric Leblond 20a8b9dbe5 unix-manager: add unix command socket and associated script 
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
 * Client connects to the socket
 * It sends a version message: { "version": "$VERSION_ID" }
 * Server answers with { "return": "OK|NOK" }
If server returns OK, the client is now allowed to send command.

The format of command is the following:
 {
   "command": "pcap-file",
   "arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
 }
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer by server is the following:
 {
   "return": "OK|NOK",
   "message": JSON_OBJECT or information string
 }

A simple script is provided and is available under scripts/suricatasc. It
is not intended to be enterprise-grade tool but it is more a proof of
concept/example code.  The first command line argument of suricatasc is
used to specify the socket to connect to.

Configuration of the feature is made in the YAML under the 'unix-command'
section:
  unix-command:
    enabled: yes
    filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.

A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
start a 'pcap-file' running mode which does not really leave at
the end of file but simply exit. The manager is then able to start
a new running mode with a new file.

To start this mode, Suricata must be started with the --unix-socket
 option which has an optional argument which fix the file name of the
socket. The path is not absolute and is relative to the state directory.

THe 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be use for the pcap file treatment.

This requires modification in suricata.c file where initialisation code
is now conditional to the fact 'unix-socket' mode is not used.

Two other commands exists to get info on the remaining tasks:
 * pcap-file-number: return the number of files in the waiting queue
 * pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
 {
  'count': 2,
  'files': ['file1.pcap', 'file2.pcap']
 }
 13 years ago
Eric Leblond 6be63bdc4f tm-threads: add TM_ECODE_DONE state 
This patch adds a nex return state which can be used by threads
to warn that a task has been done. In this case, suricata does not
leave.
 13 years ago
Eric Leblond 412482f6b1 filestore: create file store directory if needed 
This patch modifies the file store system to have it create the
file store directory if needed. It dos not create the full
directory tree as the parent directory must have already been
created.
 13 years ago
Eric Leblond 7b1d346c22 counters: management cpu set was set twice 
Setting the management CPU set on perf threads is already done in
the TmThreadCreateMgmtThread() function used to create the threads.
 13 years ago
Eric Leblond 84f2645e3e pcap-file: free thread var at deinit. 13 years ago
Eric Leblond 28b4bed141 tm-threads: fix potential access to NULL pointer. 13 years ago
Eric Leblond 1b26660ac4 counter: defensive set to NULL in free. 13 years ago
Eric Leblond 09b79cb5bf stream-tcp: fix double call to debug print function 13 years ago
Last G 8ae11f73b2 Added parentheses to fix Eclipse static code analysis 
Fixed bug in action priority (REJECT_DST had lowest prio)
 13 years ago
Last G e236351c52 Fixed missing "|" in "||" operation 13 years ago
Last G edcb8fdb87 Added parenthesis for right operation order 13 years ago
Last G 8bb9c3af35 Added return value to non-void function with "forever"-loop to fit 
Eclipse static code analysis
 13 years ago
Eric Leblond 40891223e9 list-keyword: detect non built keyword 
This patch update the glafs list to be able to indicate that a
flag is not supported. This information is used by list-keyword to
display information to the user.
 13 years ago
Eric Leblond 8f13694988 luajit: no link with HTTP when not build. 
Even when not built-in, luajit is not linked with HTTP.
 13 years ago
Eric Leblond 6842545331 Add documentation url in list-keyword output. 
The output of the list-keyword is modified to include the url to
the keyword documentation when this is available. All documented
keywords should have their link set.

list-keyword can be used with an optional value:
 no option or short: display list of keywords
 csv: display a csv output on info an all keywords
 all: display a human readable output of keywords info
 $KWD: display the info about one keyword.
 13 years ago
Eric Leblond fa900a9f6b suricata: add information about BPF filter usage 13 years ago
Eric Leblond 7e14fe62f5 suricata: add '-V' info to usage message. 13 years ago
Eric Leblond fd3a1346e4 suricata: add build-info command to usage message. 13 years ago
Eric Leblond 4e0f5b7f02 suricata: don't display msg in list-keyword mode. 
In list-keywords and list-app-layer mode, suricata now only
displays the messages linked with the feature. This allow users
to redirect the output and easily work on it. For exemple, the
csv output will be easily imported into a spreadsheet.
 13 years ago
Eric Leblond 5e4552fdcd suricata: update list-keyword command 
This patch update the list-keyword command. Without any option,
the previous behavior is conserved. If 'all' is used as option,
suricata print a csv formatted output of keyword information:
	name;features;description
If a keyword name is used as argument, suricata print a readable
message:
tls.subject
Features: state inspecting
Description: Match TLS/SSL certificate Subject field
 13 years ago
Eric Leblond 86709f5e9d rule analyser: display message for invalid signatures 13 years ago
Eric Leblond c7cfbb71c9 engine-analyzer: fix typo in message 13 years ago
Eric Leblond cd42e6a3ef Listing of app layers does not depend on unittests 13 years ago
Eric Leblond 42ace54137 list-keywords: fix when not using default install 
As we don't parse the YAML file when listing of keywords is asked,
suricata make a test on existence of the build-default directory.
So with a non standard (working) install (even a single configure
without option lead to a failure), the keyword listing fails
because the default logging directory does not exist.
 13 years ago
Eric Leblond b0471fb8e4 rule analyser: add msg if rule is ipv4 or ipv6 only 13 years ago
Victor Julien 83bfe3810b reputation: report error if host table memcap reached. Work around compilation failure with atomic fallback code. 13 years ago
Victor Julien 18535e6ef9 Host: ignore usecnt add/sub result. Expose HostPrintStats. 13 years ago
Victor Julien e30b1bfe64 Simple IP reputation implementation 13 years ago
Victor Julien 9140aa6ac5 cygwin supports the thread cpu affinity code now 13 years ago
Victor Julien b20bfa04ef clang warning squashing 13 years ago
Victor Julien 84bad6db77 Silence compiler warnings found by clang 13 years ago
Victor Julien b63c2eda6a build: more cygwin cleanups 13 years ago
Victor Julien dc465b92e5 Fix use of byte swap function 13 years ago
Victor Julien 506c144c60 build: reshuffle including headers to fix build on cygwin 13 years ago
Anoop Saldanha e1cabae0f4 fix uninit var usage in hhd 13 years ago
Eric Leblond 4726e02afb logging: add warning if no output module is selected 
If no daemon compatible logging module is selected, a message is
displayed to avoid the user to look like mad for messages.
 13 years ago
Eric Leblond 9f4da93a4b suricata: don't exit if pidfile can't be created 13 years ago
Eric Leblond e148b2b82a suricata: display PID file name in case of error. 13 years ago
Victor Julien 93bdaa49d8 byte_jump: when from_beginning option is used, the number of bytes to convert should not be used in the jump. Bug 627. 13 years ago
Eric Leblond 7854c84972 pcap: add capture counters in stats.log. 
This patch adds three counters to stats.log:
    capture.kernel_packets    | RxPcapwlan0               | 4218
    capture.kernel_drops      | RxPcapwlan0               | 0
    capture.kernel_ifdrops    | RxPcapwlan0               | 0
This patch meant to fix bug #625.
 13 years ago
Victor Julien bcaec1e963 pkt-data: don't compile unittest unless unittests are enabled 13 years ago
Victor Julien 472e061c6d build: more checking for includes 13 years ago
Victor Julien 2a42f554b1 build cleanup, build source files in alphabetical order 13 years ago
Victor Julien 042d0c6ee8 build cleanups 13 years ago
Victor Julien 5a6c8c0f01 minor misc changes: update htp ver, add htp ver to --build-info, clean up 13 years ago
Xavier Lange 234922f3c6 Keyword pkt_data 13 years ago
Eric Leblond b9a2f91a76 napatech: treat malloc error 13 years ago
Eric Leblond a1d1abfc05 suricata: add daemon-directory config variable 
It is now possible to use the 'daemon-directory' configuration
variable to specify the working directory of suricata in daemon
mode. This will permit to specify the place for core and other
related files.
 13 years ago
Eric Leblond 3061452c5e suricata: avoid concurrent run in daemon mode 
This patch creates a pid file per default and use it to avoid to be
able to run two Suricata. Separate pid file have to be provided to
be able to do it.
 13 years ago
Eric Leblond 24d10de8af suricata: change dir to / in daemon mode. 
By changing directory to /, we will not block the directory where
suricata has been started.
 13 years ago
Matt Keeler 37e3de8425 Refactor Napatech 3GD to just Napatech as Suricata is only going to support 3GD. 
Signed-off-by: Matt Keeler <mk@npulsetech.com>
 13 years ago
Matt Keeler 5786a32d0f Remove Napatech 2GD support 
Removed the Napatech 2GD support

runmode-napatech-3gd.c had an include from runmode-napatech.h which was erroneous and has been removed as well.

Signed-off-by: Matt Keeler <mk@npulsetech.com>
 13 years ago
Victor Julien 57d7783402 Remove unnecessary debug message 13 years ago
Victor Julien 829238e49c OpenBSD 5.2 build fixes, Unit test fix. 13 years ago
Eric Leblond fc9e0df33b suricata: add run-as.user and run-as.group yaml var 
This patch update the YAML to be able to specify the user or the
group to run Suricata as:
 run-as:
   user: suri
   group: suri
 13 years ago
Eric Leblond 961eda2108 pcap: ref config according to threads count 13 years ago
Victor Julien b645425331 Silence compiler warning if napatech3 support is disabled 13 years ago
Matt Keeler 844e4dba11 Napatech 3GD Support 
For use with Network Cards from Napatech utilizing the 3GD driver/api.

    - Implemented new run modes in runmode-napatech-3gd.*
    - Implemented capture/decode threads in source-napatech-3gd.*
    - Integrated the new run modes and source into the build infrastructure.

    New configure switches
    --enabled-napatech-3gd : Turns on the NT 3GD support
    --with-napatech-3gd-includes : The directory containing the NT 3GD header files
    --with-napatech-3gd-libraries : The directory containing the NT 3GD libraries to link against.

    New CLI switch
    --napatech-3gd : Uses the Napatech 3GD run mode

    Runmodes Supported:
    - auto
    - autofp
    - workers

    Notes:
    - tested with 1 Gbps sustained traffic (no drops)

Signed-off-by: Matt Keeler <mk@npulsetech.com>
 13 years ago
Anoop Saldanha b8164b8797 fix wrong record hdr len check in ssl parser 13 years ago
Victor Julien d1573a366d Fix GetUsed functions for Host, Flow and Defrag. 13 years ago
Eric Leblond 4542cd0eec ipfw: suppress non loop receive function 13 years ago
Eric Leblond e3a38810b6 nfq: suppress non loop receive function 13 years ago
Victor Julien 966c731e73 flow: fix crash when flow engine under extreme stress, and unable to force free any existing flow 13 years ago
Victor Julien da7f1d22cc http: don't assume http tx to have header alloc'd. Can happen in OOM conditions. Bug #587. 13 years ago
Victor Julien 18ecd4b287 Don't use SCStrdup in SCLogMessage as we call it on OOM condition, leading to endless recursion. SCStrdup failure calling SCLogMessage... 13 years ago
Victor Julien 70bc9e2494 filestore: fix logic flag in continued stateful detection 13 years ago
Eric Leblond 8957113550 pf-ring: fix build 13 years ago
Victor Julien d386606b80 Remove pcre jit warning. Bug #579. 13 years ago
Eric Leblond d3195b0f70 pf_ring: don't set cluster for DNA interface. 13 years ago
Anoop Saldanha 7a7cd6999e feature #558. 
Print FP info in rule analysis + other cleanup.
 13 years ago
Victor Julien a3f963f630 filestore: fix a case where a matching non-filestore sig could trigger the store of a partially matching filestore sig. 13 years ago
Victor Julien 3156407746 http: fix client and server body sometimes being inspected in wrong order 13 years ago
Eric Leblond b12967534a stream.inline: add 'auto' mode 
stream.inline YAML configuration variable now support the 'auto' value.
In this case, inline mode is activated for IPS running mode (NFQ and
IPFW) and is deactivated for IDS mode. This patch should fix bug #592.
 13 years ago
Eric Leblond b26ec60398 af-packet: fix possible infinite loop. 
If no packet arrives to a capture thread, it is possible that the
AFPReadLoop() function goes into an infinite loop. This could cause
suricata to hang at exit on non busy system.
This patch adds a counter to detect when Suricata start looping in
the ring to stop when it reaches this point.
 13 years ago
Eric Leblond e8a4a4c47c af-packet: dump counter every seconds. 
This patch updates to kernel counters handling to be almost sure to
update at least once per second.
 13 years ago
Eric Leblond 3acdd4da1d pf-ring: add counter for kernel drop and packets 
This patch adds a counter for kernel drop and packets by using the
same strategy as the one used in af-packet.
 13 years ago
Victor Julien 80d62b59ec Fix drop (and other actions) not being applied to thresholded packets. Bug #613. 13 years ago
Anoop Saldanha bca1b7c52a change default mpm to ac. Also default sgh-mpm-context is full. 13 years ago
Victor Julien fd6df00684 Bug 585: use per detect thread libmagic ctx 13 years ago
Victor Julien ea6fcb355b magic: add test showing payload resulting in libmagic invalid read as reported by valgrind. 13 years ago
Anoop Saldanha fdab6f2ab1 fix flow deadlock issue in detection engine state introduced by tx api. 
Issue discovered by coverity.
 13 years ago
Eric Leblond 00b95c69c0 suricata: list-keywords does not depend on unittest 13 years ago
Victor Julien 83ffd1f743 luajit: suppress compiler warning 13 years ago
Anoop Saldanha 2ab62920aa fix segv in hcbd and hsbd buffering. 
Increase bufffers_list_len, only we open up a space for a new tx.
 13 years ago
Anoop Saldanha b359bc03a9 unittest to reveal a bug/segv in our hsbd buffering code. 13 years ago
Victor Julien 4fab8ea6d6 http: fix http header reassembly bug causing some headers to be left out of the inspected buffer 13 years ago
Victor Julien 5cd46433d3 http: now that htp_state has a cfg reference, use it for body limits 13 years ago
Victor Julien 2763a61213 http: allow configuration of request and response body inspection limits. Issue #560. 13 years ago
Anoop Saldanha b99f9fe890 New app inspection engine introduced. Moved existing inspecting engines to use it. 13 years ago
Anoop Saldanha 7b4eac3e8d Change all inspect callbacks to accept TV and a tx_id param. 13 years ago
Anoop Saldanha 10a6e6a3eb Engine cleanup. Remove all old engine inspection and mpm functions. 13 years ago
Anoop Saldanha b0e20a486c update client/server/http_header to use a different form of 
buffering/buffer_retrieval.

Now it happens per tx, based on tx id.  Also notice a perf improvement with
this.
 13 years ago
Victor Julien e1321f9ae6 stream: change how retransmissions are handled and detected. 13 years ago
Victor Julien b621ed8423 stream: fix retransmission on closewait being considered out of window 13 years ago
Victor Julien a25629b250 stream: detect retransmissions on timewait state 13 years ago
Victor Julien 6326390120 stream: accept ack with next_seq + 1 on last_ack state 13 years ago
Victor Julien bc37cb6b8e stream: detect retransmissions on closewait and finwait2 states 13 years ago
Victor Julien 305ed3f23b stream: don't flag zero window probe packets as out of window. Bug #604. 13 years ago
Victor Julien 13e60c0040 stream: detect keep-alive packets so we don't consider those invalid 13 years ago
Victor Julien 9094eb4783 stream: ignore ack value if ack flag is not set. Add stream.pkt_broken_ack event for when ack value is not 0 and ack flag not set. 13 years ago
Victor Julien a5d9442c2d stream: handle retransmission of lost data packet on TIME_WAIT state 13 years ago
Victor Julien 037d67cc66 stream: go from FIN_WAIT_1 to CLOSING on simultaneous close. 13 years ago
Victor Julien 6544475670 stream: don't reject RST as response to SYN because of ACK 13 years ago
Victor Julien 6f76ac176d stream: add option to match on overlapping data 
Set event on overlapping data segments that have different data.

Add stream-events option stream-event:reassembly_overlap_different_data and
add an example rule.

Issue 603.
 13 years ago
Victor Julien d68fd54a76 Fix/suppress a couple of harmless compiler warnings. 13 years ago
Anoop Saldanha 870a98b528 Remove dead comment about flow reference api duplicate 13 years ago
Anoop Saldanha f08497d1e4 Move Flow Reference/Dereferene api from flow-util.h to flow.h. 
Remove duplicate FlowDeReference from decode.h
 13 years ago
Anoop Saldanha 67981d1c5c Update suricata to use FlowReference/FlowDeReference for the ones left out 
from last update.
 13 years ago
Victor Julien 72782e5a6a profiling: fix rule profiling output sometimes missing sid,rev,gid. Bug #576. 13 years ago
Victor Julien 10a11b750d Add dsize check to prefilter stage 
Many sigs with dsize have a weak fast_pattern. Those patterns
are likely to match. By filtering on dsize early, we safe a lot
of cycles later.
 13 years ago
Victor Julien 45cbef0735 For signatures with the dsize option set depth on any content match in that sig. 13 years ago
Victor Julien 4464657ca2 remove reference to non-existing file from Makefile.am 13 years ago
Victor Julien a01130d2ed packet src: move pkt_src field up in the structure to fix in an existing hole (found with pahole -C Packet_ src/.libs/suricata). 13 years ago
Anoop Saldanha b33986c887 Add a packet src for every packet generated inside suricata. 13 years ago
Eric Leblond 19756488ab nfq: close the queue when leaving acquisition. 
This patch adds a call to close the queue when the acquisition
loop is ending. This way the incoming packets will be accepted
during all the shutdown phase (if the queue-bypass option of
NFQUEUE is used). At the same time the currently processed packets
will be dropped but the time scale are different: suricata will
drop 20 ms of packets and the shutdown can take 0.5 seconds.

Patch based on an idea of Victor Julien.
 13 years ago
Victor Julien 75cddabd8a fast_pattern: don't consider http_method, http_stat_code and http_stat_msg when automatically giving preference to a HTTP pattern over a stream pattern. 13 years ago
Eric Leblond 928ade1d04 pf-ring: suppress unused variable. 13 years ago
Eric Leblond c3b9a5e97f pf-ring: add missing header. 13 years ago
Eric Leblond 7731cef782 pf-ring: protect definition of (un)likely 
This patch makes (un)likely declared if and only if they are not
declared before.
 13 years ago
Anoop Saldanha fd977601b6 fix for bug #574. 
More of a temporary solution to prevent any possible FPs.  Disable content
inspection bypass for mpm patterns.
 13 years ago
Anoop Saldanha 51c9955c79 fix for bug #577. 
If a pattern has matched on mpm, don't re-inspect it later, subject to certain
conditions met by the pattern - namely, not negated, right chop, no replacet
attached to it.
 13 years ago
Victor Julien aa4ae98d37 http: fix multipart parsing leading to missing chunks of files in file extraction. 13 years ago
Anoop Saldanha 028c6c1782 Make available custom features of libhtp. 
The power of libhtp customisation now available to users.

Options available -

path-backslash-separators: yes
path-compress-separators: yes
path-control-char-handling: none
path-convert-utf8: yes
path-decode-separators: yes
path-decode-u-encoding: yes
path-invalid-encoding-handling: preserve_percent
path-invalid-utf8-handling: none
path-nul-encoded-handling: none
path-nul-raw-handling: none
set-path-replacement-char: ?
set-path-unicode-mapping: bestfit

You can use this for your libhtp customisation.  Options explained in our
wiki.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Advanced_libhtp_customization
 13 years ago
Anoop Saldanha 340542c44e refactor htpconfigure() 13 years ago
Victor Julien 33b0b07107 bug #572: make sure we use profiling fallback for all architectures except x86_64 and i386. 13 years ago
Victor Julien 50da0e80d5 Fix flow keyword compilation failure. 13 years ago
Anoop Saldanha 3d74fa964a Update all flow referencing to use the new FlowReference and FlowDeReference 
macros.
 13 years ago
Anoop Saldanha 6c68f86b8c fix for bug #557. 
In FFRv2, dereference flow from a packet using the new reference/dereference
util macros.  This allows the decr use_cnt for flow and reseting the flow
pointer to NULL for the pseudo pkt to happen simultaneously, in case there we
fail to retrieve a pseudo_packet and have to return the already obtained
pseudo packets, back to the packetpool.
 13 years ago
Anoop Saldanha 88e89d6302 Introduce utility flow macros to help referencing/dereferencing flows. 13 years ago
Anoop Saldanha 4d501778e9 fix for bug #557. 
Reset hhd buffers list len if we exit before allocating the buffer.
 13 years ago
Anoop Saldanha 855726f372 fix for bug #575. 
If sig has no_stream set, don't mask it as requiring flow.  Should get rid of
FNs any.
 13 years ago
Victor Julien 1598425a40 detect: properly store a stateful match if it happens at the start of inspection 13 years ago
Victor Julien c3f4f8d46a Dead code cleanup. Coverity 728047, 728048, 728049. 13 years ago
Victor Julien ee5d6fdb6f profiling: fix some profiling info missing from output 13 years ago
Eric Leblond ffbbff9d6c tm-thread: detect thread death 
When a thread is dead at init the THV_INIT_DONE flag is not set
and the spawn function can freeze (see bug #553 for an example).
In this case THV_RUNNING_DONE is set and we can also check on this
state for leaving the function. This should fix #bug553
 13 years ago
Anoop Saldanha 4e3b206f7b fix http server/client body handling. Update body status based on tx state. 13 years ago
Victor Julien 82fc61770b threshold: allow threshold.config to override rule 
Allow threshold.conf to override rule thresholds in the following
cases:

- threshold.config rule uses threshold or event_filter AND
- threshold.config rule applies to a single signature (so no
  gid 0 or sid 0)

Confirmed to work with both threshold and detection_filter rule
keywords.

Part of bug #425.
 13 years ago
Victor Julien a0c43a8a1c Minor parsing cleanups in detect-engine options. 13 years ago
Eric Leblond 9f13572843 Fix indentation of win32 files. 13 years ago
Eric Leblond 710d237724 Add missing sctrdup test 13 years ago
Eric Leblond e176be6fcc Use unlikely for error treatment. 
When handling error case on SCMallog, SCCalloc or SCStrdup
we are in an unlikely case. This patch adds the unlikely()
expression to indicate this to gcc.

This patch has been obtained via coccinelle. The transformation
is the following:

@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)";
@@

x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
 13 years ago
Eric Leblond d292004880 Add some missing checks of SCStrdup return. 13 years ago
Eric Leblond 655577cbbc Add some missing checks of SCMalloc return. 13 years ago
Victor Julien d8667448c1 threshold: allow suppression for sigs with threshold set. Part of #425. 13 years ago
Anoop Saldanha f9a6c890d4 fix for #529 
Respect pcre's anchor during content inspection.
 13 years ago
Anoop Saldanha 19e8f82f25 Unittest to display #bug 529. pcre anchor not respected 13 years ago
Anoop Saldanha b0b4052860 detect-pcre.c cleanup. Delete old pcre functions that we no longer use. 13 years ago
Eric Leblond 680e941a8f af-packet: clean APFPacketVar before release. 
This patch resets the AFPPacketVar linked to a Packet in the release
function to avoid any side effect when the packet is reused. To do
so a new AFPV_CLEANUP macro has been introduced.
 13 years ago
Eric Leblond 775f379e2b decode: clean release function 13 years ago
Anoop Saldanha 21f92c0a89 Give priority to non stream content over stream content when selecting fast 
pattern.
 13 years ago
Victor Julien a08a0e9161 Minor output cleanup 13 years ago
Victor Julien abc3f903f9 Fix defrag compilation warning. 13 years ago
Victor Julien 525367113a Fix compilation if luajit is disabled. 13 years ago
Victor Julien d1abd552e9 luajit: correct offset passed to script for lua's array idx starting at 1. Add http.response_headers and http.response_headers.raw buffers. 13 years ago
Victor Julien 20d2db085e reintroduce pool free func for cases where block alloc is not used. 13 years ago
Victor Julien 98484ffdcc luajit: prealloc lua states to increases chances of alloc success. Luajit requires them to be in memory <2GB. 13 years ago
Victor Julien f962e3de29 pool: only alloc one large block if it will actually be used. 13 years ago
Victor Julien 6f7e527e92 luajit: fix crash at shutdown / rule reload if lua script didn't properly init. 13 years ago
Eric Leblond 8192f6ce8c Add missing include in flow-manager 
DefragTimeoutHash was not declared before being used.
 13 years ago
Victor Julien 44b7d5551a luajit: fix crash if luaL_newstate fails 13 years ago
Victor Julien b29971bc92 luajit: buffer selection fixes 13 years ago
Victor Julien fcc21ae4cc http: fix multipart parsing bug 13 years ago
Victor Julien 8f337a3904 stream: never resend reassembled data to app layer. 13 years ago
Victor Julien 9a4b612126 app layer events: prefilter sigs that need an event 13 years ago
Victor Julien 575c87aeba engine events: prefilter sigs that need a event 13 years ago
Eric Leblond 5f12b23469 af-packet: little code cleaning 
This patch cleans the code were two almost identical treatment on
the packet we're made. It may be linked by a merge error I've done
or to a simple mistake on my side.
 13 years ago
Eric Leblond 0581a23f3c af-packet: fix IPS mode 
There was an inversion in code resulting as all sockets being seen
as non IPS mode when doing the peering. This resulted in a crash at
first packet because it has no peer.
 13 years ago
Eric Leblond 566674ae4a Fix logic operator. 
Previous patches on the same subject did not fixed this error as it
was undetected because the code was not compiled on my setup.
 13 years ago
Victor Julien 7a044a99ee Defrag engine 
Big rewrite of defrag engine to make it more scalable and fix some
locking logic flaws.

Now uses a hash of trackers similar to Flow and Host hashes.
 13 years ago
Victor Julien c91c359692 profiling: fix build on older systems 13 years ago
Victor Julien 7babb35aeb profiling: remove obsolete unit test 13 years ago
Eric Leblond cdbc9be1c3 pf_ring: set cluster_id even if only one thread is used. 13 years ago
Victor Julien 1f92307517 profiling: minor cleanup 13 years ago
Victor Julien 3da3e3264c profiling: make sure counters are reset after a reload. 13 years ago
Victor Julien 2343ff8950 profiling: fix memory error in case of rule reload. 13 years ago
Victor Julien ec7e79c748 Rule profiling update 
- Remove usage of counters api.
- Store stats in detect engine thread ctx to remove locking
- Support rule reloads
 13 years ago
Victor Julien ba6f564296 luajit: add http.uri.raw, cookie, ua, headers, headers.raw buffers. 13 years ago
Eric Leblond 9c28cd40fd Fix build if luajit is not available. 13 years ago
Eric Leblond 937ba71491 defrag: don't return after a cleaning. 
This patch changes the policy of the timeout function by cleaning
every timeouted trackers.
Previous code was only freeing the first tracker and this was resulting
in calling the timeout function continuously. One of my previous patch
has modified the function to avoid to run it more than twice a second.
But as it was not taken into account the fact only the first tracker was
freed, the result was that a lot of tracker could not be allocated.
 13 years ago
Victor Julien b6834cb6b2 luajit: support http.request_body (http_client_body) and http.response_body (file_data/http_server_body). 13 years ago
Victor Julien 42646579a8 luajit: clean up initialization 13 years ago
Eric Leblond 619014a280 pool: rename Free function to Cleanup 
This patch renames Free functions to Cleanup as the free is made
by the pool system.
 13 years ago
Eric Leblond f241312a36 defrag: don't use message for repetitive error 
When nothing can be fetch from the pool, this can repeat frequently.
Thus displaying a message in the log will not help. This patch
uses a counter instead of a log message. As this is a sort of memcap
this is conformed to what is done for other issues of the same type.
 13 years ago
Eric Leblond 6303b5d987 SC_LOG_ERROR is not an error. 13 years ago
Eric Leblond d51dd6a30e Fix warning about unused return of SC_ATOMIC func. 13 years ago
Eric Leblond c4f9d0e0e1 Fix invalid usage of operator. 13 years ago
Eric Leblond 7af9fd7735 freebsd: fix warning about redeclaration. 13 years ago
Eric Leblond 4d2305c0a8 freebsd: fix warning 13 years ago
Eric Leblond 6d55446655 ipfw: avoid critical error for broadcast 
In some setup, suricata may receive broadcast packets and the call
to sendto may fail if the wrong interface is choosen by kernel.
This patch change the error treatment to avoid to leave when
this problem occurs.
 13 years ago
Eric Leblond 41cb365a39 ipfw: add missing include 13 years ago
Eric Leblond e168824d80 freebsd: fix function usage. 
The unlock function was not correctly used in error treatment.
 13 years ago
Jason Ish ea020e2be6 Do not trim the FCS, pcaps converted to ERF will have have an FCS. 13 years ago
Eric Leblond 4a1a008009 af-packet: fix looping in ring buffer. 
A crash can occurs in the following conditions:
 * Suricata running in other mode than "workers"
 * Kernel fill in the ring buffer
Under this conditions, it is possible that the capture thread reads
a packet that has not yet released by one of the treatment threads
because there is no modification done on the ring buffer entry when
a packet is read. Doing, this it access to memory which can be
released to the kernel and modified. This results in a kind of memory
corruption.

This bug has only been seen recently and this has to be linked with the
read speed improvement recently made in AF_PACKET support.

The patch fixes the issue by modifying the tp_status bitmask in the
ring buffer. It sets the TP_STATUS_USER_BUSY flag when it is confirmed
that the packet will be treated. And at the start of the read, it exits
from the reading loop (returning to poll) when it reaches a packet with
the flag set. As tp_status is set to 0 during packet release the flag
is destroyed when releasing the packet.

Regarding concurrency, we've got a sequence of modification. The
capture thread read the packet and set the flag, then it passes the
queue and the packet get processed by other threads. The change on
tp_status are thus made at different time.

Regarding the value of the flag, the patch uses the last bit of
tp_status to avoid be impacting by a change in kernel. I will
propose a patch to have TP_STATUS_USER_BUSY included in kernel
as this is a generic issue for multithreading application using
AF_PACKET mechanism.
 13 years ago
Victor Julien 0d55950840 luajit: add http.uri and http.request_line buffers. 13 years ago
Victor Julien 597b6db8f2 luajit: fix filtering payload or pkt when not available yet 13 years ago
Victor Julien 69186cda12 luajit: force scripts to have 'init' function that returns a table of 'needs' such as packet or payload. 13 years ago
Eric Leblond cd8d215724 pool: improve error handling 
Error handling during Pool creation was not perfect as a PoolBucket
could leak.
 13 years ago
Victor Julien 829d975d63 Make sure defrag pool sizes are not initialized to 0, see #540. 13 years ago
Eric Leblond 01d3c14449 tls: fix error handling 
Handling of error case was correct as pointed out by Coverity
717439.
 13 years ago
Eric Leblond 41c72a537a tls: avoid double close. 
This should fix issue 717441 reported by Coverity.
 13 years ago
Eric Leblond 4e6a4c65f6 defrag: be sure to output NULL tracker 
Coverity 720337 pointed out a use after free. We can't be dependent
to HashListTableAdd outputting a NULL tracker.
 13 years ago
Eric Leblond a7afa845a6 Fix coverity warnings 718636 and 718635 
The result of the swap was not checked.
 13 years ago
Eric Leblond d3824bd1ab defrag: fix potential use after free. 
Coverity pointed out that PoolReturn is almost like free and detected
a use after free when accessing to tracker->af (issue 720339).
This patch fixes this by storing the value in a local variable.
 13 years ago
Eric Leblond 90052609ee defrag: avoid to run cleaning repetitively 13 years ago
Eric Leblond b2691cbe88 af-packet: handle possible exit of capture loop. 
If a capture loop does exit, the thread needs to start without
synchronization with the other threads. This patch fixes this
by resetting the turn count on the peerslist structure and
adding a test on this condition in the wait function.
 13 years ago
Eric Leblond 4d8f70c613 af-packet: fix kernel offset issue 
It seems that, in some case, there is a read waiting but the
offset in the ring buffer is not correct and Suricata need to
walk the ring to find the correct place and make the read.
 13 years ago
Eric Leblond ee6ba09948 af-packet: fix emergency mode 
This patch fixes emergency mode by setting the variable even if we
have a non kernel checksum check. It also does a call to
AFPDUmpCounters() as it seems to improve thing to do it ASAP.
 13 years ago
Eric Leblond 6040016347 af-packet: implement late open 
This patch implements "late open". On high performance system, it
is needed to create the AF_PACKET just before reading to avoid
overflow. Socket creation has to be done with respect to the order
of thread creation to respect affinity settings.
This patch adds a counter to AFPPeer to be ale to synchronize the
initial socket creation.
 13 years ago
Eric Leblond 3bea3b39df af-packet: improve logged messages. 13 years ago
Eric Leblond 13f13b6d7e af-packet: rework socket transition phase. 
Suricata was not able to start cleanly in AF_PACKET with default
suricata.yaml file if there was no eth1 on the system. This patch
fixes this issue and rework the socket transition phase to fix
some serious issues (file descriptor leak) found when fixing this
problem.
Every 20 seconds it displays a message to the user to warn him about
the interface not being accessible:
  [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
 13 years ago
Eric Leblond 0f2b34068c af-packet: ring mode is not optionnal in AFPReadFromRing 13 years ago
Victor Julien 355e981775 Fix 'no effect' check in timestamp print logic. Coverity 717437. 13 years ago
Victor Julien 886a4f2850 Check response headers in custom http logging before using them. Coverity 717436. 13 years ago
Eric Leblond 5ffe7e21c3 decode: use pointer inside packet area as param 
DecodeTeredo, DecodeIPv6InIPv6 and DecodeIPv4inIPv6 were calling
DecodeTunnel with packet being a pseudo packet and data being
data from initial packet:
        DecodeTunnel(tv, dtv, tp, start, blen,
                     pq, IPPROTO_IPV6);
In decoding functions, arithmetic was done on pkt to set some values?
It was resulting in field of packet  pointing outside of the scope of
packet data.
This patch switch to what has been done in DecodeGre(), I mean:
        DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp),
                     GET_PKT_LEN(tp), pq, IPPROTO_IP);
Data buffer is then relative to the packet and the arithmetic is
correct.
 13 years ago
Eric Leblond 073b251df7 affinity: drop capability after setting thread prio 
Setting thread priority can require privilege if a low nice value
has to be set up.
 13 years ago
Eric Leblond d1569337a7 affinity: add call to setup function in threads 
Threads created through TMThreadSpawn need to call the affinity
function by themselves.
 13 years ago
Eric Leblond 0eeccb4b17 affinity: tag management threads as such 
The management threads were not tagged for CPU affinity and thus
the setting was not applied.
 13 years ago
Eric Leblond efc3faaa0a affinity: add log message 13 years ago
Eric Leblond a48d6cb207 erf: fix logical operator usage. 13 years ago
Victor Julien 2026a68697 Implement logic of luajit keyword to match on full packet data and/or payload. 13 years ago
Victor Julien ba3260ed38 Thread local ctx for detection keywords 
Some detection keywords need thread local ctx storage. Example is the
filemagic keyword that has a ctx that is modified with each call. That
is not thread safe. This functionality allows registration of thread
local ctxs so that each detect thread works on it's own copy.
 13 years ago
Victor Julien f58e828c5e luajit: stub detection keyword 13 years ago
Eric Leblond b0a2aefc78 af-packet: fix build on systems without AF_PACKET 13 years ago
Eric Leblond bfd6dea38f pool: update doxygen documentation. 13 years ago
Eric Leblond fa079c1da0 pool: realize a block allocation for preallocated item. 
This patch required a evolution of Pool API as it is needed to
proceed to alloc or init separetely. The PoolInit has been changed
with a new Init function parameter.
 13 years ago
Eric Leblond cd76c7e5fb pool: alloc a single area for all PoolBuckets 
As we know the number and the size of PoolBucket, we can simply
allocate a single memory zone.
 13 years ago
Eric Leblond b58ecd833a l3proto: add unit tests 
This patch adds a series of unit tests. First two check test the keyword
by checking packet on signatures using it. Last one adds is here to check
that there is no interaction of l3_proto and ip_proto.
 13 years ago
Eric Leblond 71b4257bc2 sig: add l3_proto keyword 
This patch adds a l3_proto keyword to the signature language. It
can be used to specify if the signature has to match on IPv4, IPv6
or both. For example, one can write:
  alert http any any -> any 22 (msg: "HTTP v6"; l3_proto:ip6; sid:14;)

This should close #494.
 13 years ago
Eric Leblond fd7b6db22d sig: Add ipv6 and ipv4 to list of protocols 
With this patch it is possible to do:
 alert ipv6 any any -> any any
or
 alert ip4 any any -> any any
to match on IPv4 or IPv6 packets.
 13 years ago
Eric Leblond ac56b1bf24 af-packet: detect MTU mismatch and warn user 
If the MTU on the reception interface and the one on the transmission
interface are different, this will result in an error at transmission
when sending packet to the wire.
 13 years ago
Eric Leblond 27b5136bf2 af-packet: add optional emergency mode 
Flush all waiting packets to be in sync with kernel when drop
occurs. This mode can be activated by setting use-emergency-flush
to yes in the interface configuration.
 13 years ago
Eric Leblond ec76742caa af-packet: reorder socket operation. 
This patch moves raw socket binding at the end of init code to
avoid to have a flow of packets reaching the socket before we
start to read them.

The socket creation is now made in the loop function to avoid
any timing issue between init function and the call of the loop.
 13 years ago
Eric Leblond 1ea809520a af-packet: fix runmode name in logging function 13 years ago
Eric Leblond a645726262 af-packet: add doxygen comments 
This patch adds doxygen comments to newly introduced function and adds
module AF_PACKET doxygen module with a dedicated AFP peers module.
 13 years ago
Eric Leblond 662dccd8a5 af-packet: IPS and TAP feature 
This patch adds a new feature to AF_PACKET capture mode. It is now
possible to use AF_PACKET in IPS and TAP mode: all traffic received
on a interface will be forwarded (at the Ethernet level) to an other
interface. To do so, Suricata create a raw socket and sends the receive
packets to a interface designed in the configuration file.

This patch adds two variables to the configuration of af-packet
interface:
 copy-mode: ips or tap
 copy-iface: eth1 #the interface where packet are copied
If copy-mode is set to ips then the packet wth action DROP are not
copied to the destination interface. If copy-mode is set to tap,
all packets are copied to the destination interface.
Any other value of copy-mode results in the feature to be unused.
There is no default interface for copy-iface and the variable has
to be set for the ids or tap mode to work.

For now, this feature depends of the release data system. This
implies you need to activate the ring mode and zero copy. Basically
use-mmap has to be set to yes.

This patch adds a peering of AF_PACKET sockets from the thread on
one interface to the threads on another interface. Peering is
necessary as if we use an other socket the capture socket receives
all emitted packets. This is made using a new AFPPeer structure to
avoid direct interaction between AFPTreadVars.

There is currently a bug in Linux kernel (prior to 3.6) and it is
not possible to use multiple threads.

You need to setup two interfaces with equality on the threads
variable. copy-mode variable must be set on the two interfaces
and use-mmap must be set to activated.

A valid configuration for an IPS using eth0 and vboxnet1 interfaces
will look like:

af-packet:
  - interface: eth0
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: vboxnet1
    buffer-size: 64535
    use-mmap: yes
  - interface: vboxnet1
    threads: 1
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
 13 years ago
Eric Leblond 2011a3f87e capture: add data release mechanism 
This patch adds a data release mechanism. If the capture module
has a call to indicate that userland has finished with the data,
it is possible to use this system. The data will then be released
when the treatment of the packet is finished.

To do so the Packet structure has been modified:
+    TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *);
If ReleaseData is null, the function is called when the treatment
of the Packet is finished.
Thus it is sufficient for the capture module to code a function
wrapping the data release mechanism and to assign it to ReleaseData
field.

This patch also includes an implementation of this mechanism for
AF_PACKET.
 13 years ago
Eric Leblond 8879df8004 af-packet: improve mmaped running mode. 
The mmaped mode was using a too small ring buffer size which was
not able to handle burst of packets coming from the network. This
may explain the important packet loss rate observed by Edward
Fjellskål.
This patch increases the default value and adds a ring-size
variable which can be used to manually tune the value.
 13 years ago
Eric Leblond 9622704c8c af-packet: delete design comments 13 years ago
Victor Julien 5d27518bbd Make sure we never underflow len in DetectLoadSigFile 13 years ago
Eric Leblond e6e339aacf Add counters for IPv4 in IPv6 and IPv6 in IPv6 13 years ago
Victor Julien 250c4e9310 file: convert filesize to new FileMatch api. 13 years ago
Victor Julien f93c54136c stream/app layer: call new Truncate callback for data gap case as well. 13 years ago
Victor Julien 869109a6a0 stream/app layer: add Truncate app layer callback that is called if stream depth is reached. Use it to trunc open files in HTTP. 13 years ago
Victor Julien 8f71333e12 file: implement filesize keyword. #489. 13 years ago
Anoop Saldanha 970fdee204 detection engine port api unittests cleanup 13 years ago