Commit Graph

10221 Commits (d776d72711800168cda5d62a7cc4669abda379be)

Author SHA1 Message Date
KevinWang cbd03c7ea4 output/redis: Fix possible segv 4 years ago
Juliana Fajardini ff976df704 stream-tcp-reassemble: fix typo, updt copyright yr 4 years ago
Juliana Fajardini 613f9b2f5a stream-tcp-reassemble: fix ConfGetBool unc'kd call 4 years ago
Juliana Fajardini 2e0d76e6e7 stream-tcp: fix typos, update copyright year 4 years ago
Juliana Fajardini 4839088359 stream-tcp: fix ConfGetBool unchecked call 4 years ago
Juliana Fajardini 7198355324 util-napatech: fix typos, update copyright year 4 years ago
Juliana Fajardini fbade25848 util-napatech: fix ConfGetBool unchecked call 4 years ago
Juliana Fajardini 09ea412614 util-debug: fix unchecked ConfGetBool call 4 years ago
Shivani Bhardwaj 8fd47cb84c smtp: fix clang fmt 4 years ago
Shivani Bhardwaj 58ac9b0f38 nfs: Add rust registration function
Get rid of the C glue code and move registration completely to Rust.
4 years ago
Shivani Bhardwaj de50ac631e nfs: Change fn sign as per rust registration requirement
Registering parsers in Rust requires signatures to be a certain way and
compatible with C. Change signatures of all the functions.
Probe fn has also been changed to return AppProto as required by the new
fn signature.
4 years ago
Shivani Bhardwaj e5c948df87 smb: Add rust registration function
Get rid of the C glue code and move registration completely to Rust.
4 years ago
Shivani Bhardwaj 6420df84b7 smb: Change fn sign as per rust registration requirement
Registering parsers in Rust requires signatures to be a certain way and
compatible with C. Change signatures of all the functions.
4 years ago
Jason Ish 222e55847c flow: provide flags accessor function
Add an accessor function for flow flags. To be used by Rust where
the flow struct is an opaque data type.
4 years ago
Victor Julien 843c4b20da stream: check if ACK packet is outdated
Outdated packets are ACK packets w/o data that have an ACK value
lower than our last_ack and also don't have any SACK records that
are new.

This can happen when some packets come in later than others (possibly
due to different paths taken).
4 years ago
Victor Julien b7a79978ac stream/sack: clean up includes 4 years ago
Victor Julien 8eccd02c94 stream/sack: minor debug improvements 4 years ago
Victor Julien 35c2a02eb8 stream: minor debug additions 4 years ago
Victor Julien b08a7b9a66 stream: update memcaps in code to match config 4 years ago
Philippe Antoine f77b027ada app-layer/pd: review bailout conditions
To take TCP window into account
And to actually bail out if we received too much data
where the limit is configured by stream.reassembly.depth
4 years ago
Victor Julien 7a114e506a app-layer/pd: only consider actual available data
For size limit checks consider only available data at the stream start
and before any GAPS.

The old check would consider too much data if there were temporary gaps,
like when a data packet was in-window but (far) ahead of the expected
segment.
4 years ago
Victor Julien be1baa8cab streaming/buffer: account sbb data size
When tracking data track the size of the blocks so that in case
of gaps we can still know how much data we hold.
4 years ago
Juliana Fajardini b8499de498 detect/iprep: convert to FAIL/PASS API 4 years ago
Shivani Bhardwaj a17da8374a counters: only print alerts if stats are enabled 4 years ago
Juliana Fajardini b24fb5781b detect: fix typos and update copyright year 4 years ago
Juliana Fajardini a15fada727 detect: fix bug where rule without sid is accepted
Before, if Suricata parsed a rule without a 'sid' option, instead of
failing that rule, the rule was parsed and attributed a sid 0.
Changes to:
detect-parse:
- add logic to filter out rules without sid;
- change unittest which didn't have a sid, but used to pass.
detect-sid: add unittest for rules without sid or with sid: 0
4 years ago
Philippe Antoine 0eefd90a93 fuzz: only build fuzz_sigpcap_aware if asked
With the other fuzz targets, and do not build it if fuzzpcap
is available but we did not want to build the fuzz targets
4 years ago
Eric Leblond 2c8c043185 stream/tcp: limit ACK validation
Only limit ACK value validation for packet where the ACK bit is
set.
4 years ago
Eric Leblond 556570f7dd stream/tcp: don't reject on bad ack
Not using a packet for the streaming analysis when a non zero
ACK value and ACK bit was unset was leading to evasion as it was
possible to start a session with a SYN packet with a non zero ACK
value to see the full TCP stream to escape all stream and application
layer detection.

This addresses CVE-2021-35063.

Fixes: fa692df37 ("stream: reject broken ACK packets")

Ticket: #4504.
4 years ago
Eric Leblond 0d81173d6e stream/tcp: update ack handling logic
Only update the ack value of a session for regular packets when
the ACK bit is set.
4 years ago
Victor Julien d8d1fbe443 detect/files: fix buffer tracking with multiple files 4 years ago
Victor Julien 3c1cc1e345 mqtt: move sub/unsub limits into app-layer config 4 years ago
Sascha Steinbiss 4c0ef73bf2 detect/mqtt: add topic inspection limit
We add a new 'mqtt.(un)subscribe-topic-match-limit' option
to allow a user to specify the maximum number of topics in
a MQTT SUBSCRIBE or UNSUBSCRIBE message to be evaluated
in detection.
4 years ago
Philippe Antoine 33fa7ab596 smtp: null terminate before calling strtoul
by copying in a temporary buffer
as is done in ByteExtractString
4 years ago
Philippe Antoine 4d2f9cc8a0 swf: right input length for decompression 4 years ago
Philippe Antoine 7d0a39412b detect: use u32 for InspectionBufferMultipleForList
So that we do not have an endless loop casting index to
u16 and having more than 65536 buffers in one transaction

Changes for all protocols, even ones where it is impossible
to have such a pattern, so as to avoid bad pattern copy/paste
in the future
4 years ago
Victor Julien e611adf3dc detect: set event if max inspect buffers exceeded
If a parser exceeds 1024 buffers we stop processing them and
set a detect event instead. This is to avoid parser bugs as well as
crafted bad traffic leading to resources starvation due to excessive
loops.
4 years ago
Victor Julien 3dc50322db detect: fix multi inspect buffer issue; clean up
Fix multi inspect buffer API causing cleanup logic in the single
inspect buffer paths. This could lead to a buffer overrun in the
"to clear" logic.

Multi buffers now use InspectionBufferSetupMulti instead of
InspectionBuffer. This is enforced by a check in debug validation.

Simplify the multi inspect buffer setup code and update the callers.
4 years ago
Victor Julien 23d7beb458 detect: reformat events table 4 years ago
Philippe Antoine 0c948142b9 enip: improve probing parser
Strict length for register sessions
NOP command must have options=0
4 years ago
Philippe Antoine 8bf6530540 config: fix null dereference in MacSetRegisterFlowStorage
Crash happens with
--set outputs.eve-json.types.files.force-magic=yes
4 years ago
Victor Julien 86e600dab8 unittests: optimize RunmodeIsUnittests() 4 years ago
Victor Julien 4ecde6efb0 stream: packet to stream flags macro 4 years ago
Victor Julien beb6b1e0d1 packets: more detailed entry debug for detect/stream 4 years ago
Jeff Lucovsky 61fa748e9d decode/vxlan: Delay var init until needed
This commit modifies the var initialization slightly until after
integrity checks have been performed.
4 years ago
Jeff Lucovsky 415db83d2d general/typo: Correct typo 4 years ago
Jeff Lucovsky 83067e5a55 decode: Eliminate NULL pkt checks
This commit removes the NULL pkt check that each decoder performs as
this is a "can't happen" case.
4 years ago
Mats Klepsland 2a326421aa thresholds: Fix buffer overflow in threshold context
th_entry is resized using ThresholdHashRealloc() every time a rule with
a threshold using by_rule tracking is added. The problem is that this is
done before the rules are reordered, so occasionally a rule with by_rule
tracking gets a higher signature number (after reordering) than the
number of th_entries allocated, causing Suricata to crash.

This commit fixes this by allocating th_entries after all the rules are
loaded and reordered.

Backtrace from core dump:

  Program terminated with signal SIGSEGV, Segmentation fault.

  #0  0x000000000051b381 in ThresholdHandlePacket (p=p@entry=0x7fb0080f3960, lookup_tsh=0x51, new_tsh=new_tsh@entry=0x7fb016c316e0, td=td@entry=0x14adedf0, sid=9800979, gid=1, pa=0x7fb0080f3b18)
      at detect-engine-threshold.c:415
  415>----                if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {

Bug #4503.
4 years ago
Mats Klepsland f47e4375b3 thresholds: syntax fixes
Fix syntax of if statement in SigGetThresholdTypeIter()
4 years ago
Mats Klepsland b0b4fab794 thresholds: remove unneeded function argument
Remove packet pointer from SigGetThresholdTypeIter() as it is
unused.
4 years ago
Jeff Lucovsky 02fe026046 output: Fix possible null deref
This commit corrects an issue uncovered by Coverity. See the redmine
issue for details: https://redmine.openinfosecfoundation.org/issues/4495
4 years ago
Philippe Antoine d00b755b64 http2: only mimic http1 request if there is one
That may not be the case in midstream/async configurations
4 years ago
Jason Ish 70b21df756 makefile: don't include the whole test/ directory
Including the whole directory results in .deps files ending up
in the distribution archive which shouldn't be there. Instead
we have to list all the test sources individually.
4 years ago
Shivani Bhardwaj 581cb6223d dcerpc/udp: Add rust registration function
Get rid of the C glue code and move registration completely to Rust.
4 years ago
Shivani Bhardwaj bac69af7e4 dcerpc: Add rust registration function
Get rid of the C glue code and move registration completely to Rust.
4 years ago
Shivani Bhardwaj a0a09a102b dcerpc: Change fn sign as per rust registration requirement
Registering parsers in Rust requires signatures to be a certain way and
compatible with C. Change signatures of all the functions.
4 years ago
Jason Ish 65809be8ec suricata-plugin.h: don't include autoconf.h
It is not required here and just creates double inclusion in some
scenarios.
4 years ago
Philippe Antoine 999327ba1f http2: http.cookie keyword now works for HTTP2 5 years ago
Philippe Antoine df039555bc http2: http.host.raw keyword now works for HTTP2 5 years ago
Philippe Antoine 1e82d0b3c8 http2: http.method keyword now works for HTTP2 5 years ago
Philippe Antoine 017e39d8fd http2: makes all HTTP1 header keywords work 5 years ago
Philippe Antoine 2cadddda89 http2: there is no status msg in HTTP2
so we revert its detection, mistaken with the status code
5 years ago
Philippe Antoine 1e96272576 http2: http.stat_code keyword now works for HTTP2 5 years ago
Jeff Lucovsky e77e8dbe18 proto: Remove dependency on /etc/protocols
This commit eliminates the dependency on /etc/protocols and equivalent
on other platforms by using a static table of IANA assigned protocol
values (names, description).
5 years ago
Jason Ish 587c326d73 yaml: treat some unquoted values as null (per spec)
Per the YAML spec, the following values when present unquoted
should be equivalent to null:
- ~
- NULL
- Null
- null
5 years ago
Jeff Lucovsky 7fa98cde4d output/redis: Redis threaded output changes 5 years ago
Jeff Lucovsky 1defca3c34 output/plugin: Support threaded output plugins 5 years ago
Jeff Lucovsky 05836a4452 output/plugin: API changes for threaded support
This commit extends the interface to better support file output plugins.
5 years ago
Simon Dugas a8a51dc004 modbus: add eve logging 5 years ago
Simon Dugas 8342641477 modbus: move tests from c to rust
Move tests in a separate commit so that we can use the previous one for
regression testing. This also gets rid of the temporary glue that made
the C tests work with the rust implementation.
5 years ago
Simon Dugas a458a94dca modbus: move from C to rust
Adds a new rust modbus app layer parser and detection module.

Moves the C module to rust but leaves the test cases in place to
regression test the new rust module.
5 years ago
Simon Dugas 7c99fe3689 modbus: fix app-layer test cases
invalidFunctionCode: make protocol id valid since we are only testing
the function code here.

readCoilsErrorRsp: changed to different invalid response code.

ModbusParserTest10: wrong length was passed to AppLayerParserParse.

ModbusParserTest11: allocate the entire buffer.
5 years ago
Jason Ish 488d5fb342 unix-socket: reset to ready state on startup
As part of commit ea15282f47,
some initialization was moved to happen even in unix socket mode,
however, this initialization does set up some loggers that can only have
one instance enabled (anomaly, drop, file-store).

This will cause these loggers to error out on the first pcap, but work
on subsequent runs of the pcap as some deinitialization is done after
each pcap.

This fix just runs the post pcap-file deinitialization routine to
reset some of the initialization done on startup, like is done after
running each pcap in unix socket mode.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4225

Additionally this prevents alerts from being logged two times
on the first run of a pcap through the unix socket:

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4434
5 years ago
Jeff Lucovsky 0f0cb5169f decode/vntag: Add VNTag decoder logic 5 years ago
Jeff Lucovsky 596d760833 tests/vntag: VNTAG decoder unittests 5 years ago
Jeff Lucovsky 713bace44f decode/vntag: VNTAG 802.1Qbh decoder 5 years ago
Jeff Lucovsky b944e636a8 decode/stats: VNTAG stats 5 years ago
Jeff Lucovsky 1ddad0a0d6 decode/events: VNTAG decoder events 5 years ago
Jeff Lucovsky 049afde3a2 decode: Add ethertype for VNTAG 5 years ago
Luke Coughlan 7fb56a9075 flow/bypass: Properly set the ICMP emergency-bypassed value
Currently the ICMP emergency-bypassed value defined in suricata.conf is
overwriting the UDP value rather than correctly setting it for ICMP.
This commit corrects this bug so that the ICMP value can be set as
expected.
5 years ago
Jeff Lucovsky 1eeb96696b general: Cleanup bool usage 5 years ago
Jason Ish d4554ec6bb misc: include queue.h before other headers
At least on FreeBSD, some other include is including "sys/queue.h"
which results in FreeBSD's /usr/include/sys/queue.h being picked
up and setting __SYS_QUEUE_H__ so our queue.h is not picked up.

But the FreeBSD queue.h does not have the CIRCLEQ definitions. To
fix just include our queue.h first, which also sets __SYS_QUEUE_H__
preventing the system one from being picked up.
5 years ago
Jason Ish afaa18c5ad tx: fix unidir tx cleanup
A unidirectional protocol parser should only have its transactions
marked as "skipped" if it is skipped in both the TS and TC
directions, otherwise unidir transactions are always considered
skipped and the cleanup will never update its minimum id.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4437
5 years ago
Jeff Lucovsky fc7a443c3f general: Typo cleanup 5 years ago
Jeff Lucovsky 2c0485ae15 detect/address: Improve support for large addrs
This commit improves support for large address variables. Without this
commit, address size was fixed at 8196 or less. This commit permits
larger sized address variables.
5 years ago
Shivani Bhardwaj 089972fd31 applayer: fix test data for a valid DCERPC pkt 5 years ago
Andreas Herz d62616f805 detect-rawbytes: add rawbytes doc help output 5 years ago
Andreas Herz 37789d9189 detect-rawbytes: update to new clang format 5 years ago
Jason Ish 06f58650d6 eve: refactor OutputJsonBuilderBuffer to take context
All callers of OutputJsonBuilderBuffer are now calling it
using fields from an OutputJsonThreadCtx, so just pass
a pointer to the thread context now.
5 years ago
Jason Ish 08eee26d27 eve: convert many loggers to use generate thread context
- mqtt
- dnp3
- smtp
- ike
- dns
- alert
- tls
- anomaly
- drop
- file
- http
- http2
- templates
- dhcp

The idea is to factor out the common code for setting
up the output file objects, which is repetitive, and
often done wrong when it comes to threading.
5 years ago
Jason Ish 013becf569 eve: reset buffer in OutputJsonBuilderBuffer
Reset the buffer here so each caller doesn't need to do it.
5 years ago
Jason Ish c890f9db63 eve: factor thread context creation/free for reuse 5 years ago
Jason Ish 702f3b3c73 eve: remove duplicate call to LogFileEnsureExists
Remove duplicate call to LogFileEnsureExists in the generic
eve thread init function.
5 years ago
Eric Leblond d477d3a878 util/ebpf: fix deprecation warning
The function bpf_program__title has been deprecated in favor of
bpf_program__section_name.
5 years ago
Juliana Fajardini eb4c71fdd6 ippair/bit: fix formatting 5 years ago
Juliana Fajardini e7c1c3c374 ebpf/util: change flow storage to new 'id' type 5 years ago
Juliana Fajardini 3b1a653467 device/storage: use dedicated 'id' type
- Wrap the id in a new LiveDevStorageId struct, to avoid id
 confusion with other storage API calls.
- Formatting fixes by clang.
5 years ago
Juliana Fajardini 68b8b3d63e detect/engine-tag: fix typo 5 years ago
Juliana Fajardini b807059c34 host/storage: use dedicated 'id' type
- Wrap the id in a HostStorageId struct to avoid id confusion
with other storage API calls.
- Fix formatting with clang script.
5 years ago
Juliana Fajardini cf516de587 ippair/storage: use dedicated 'id' type
- Wrap the id in a new IPPairStorageId struct, to avoid id
confusion with other storage API calls.
- Formatting fixes by clang.
5 years ago
Jeff Lucovsky aa9ad56a5b output/log: Removed pcie (Tilera) log vestiges
This commit removes the last remnants of the Tilera log output mechanism
(unsupported since 5.0.x).
5 years ago
Jeff Lucovsky 38ae21a196 output/log: Ensure files closed in threaded mode
This commit ensures that file objects are closed in threaded mode.
5 years ago
Victor Julien bc667a4a93 flow/storage: use dedicated 'id' type
Wrap the id in a new FlowStorageId struct to avoid id confusion with other
storage API calls.
5 years ago
Victor Julien 4b3be24506 app-layer/expectation: clean up storage id logic 5 years ago
Philippe Antoine 68d6922e3c ftp: fixes leak with duplicate expectation 5 years ago
Philippe Antoine cd8c2ef994 fuzz: use stream.midstream=true 5 years ago
Philippe Antoine e9b76a0e66 fuzz: specify protocol with fuzz target name
cf https://redmine.openinfosecfoundation.org/issues/4125

This allows fuzz_applayerparser_parse to fuzz one specific
app-layer protocol based on the binary name, as is done
with the environment variable FUZZ_APPLAYER
That is if we rename/copy to fuzz_applayerparser_parse_smb,
it will fuzz only SMB protocol
This way, we can easily produce different fuzz targets for
each protocol in oss-fuzz
5 years ago
Jeff Lucovsky 2893b04ab0 general: Typo cleanup 5 years ago
Jeff Lucovsky 02ceac8b8d detect/threshold: Improve threshold.config perf
This commit improves performance when parsing threshold.config by
removing a loop-invariant to create a one-time object with the parsed
address(es).

Then, as needed, copies of this object are made as the suppression
rule(s) are processed.
5 years ago
Jeff Lucovsky e873632a28 detect/threshold: Function to deep-copy thresh obj
This commit adds a function to make a deep copy of a DetectThresholdData
object.

The function is used when parsing threshold.config items to make a
one-time object and then add copies as needed.
5 years ago
Jeff Lucovsky 11f9cc6524 detect/address: Expose DetectAddressCopy function 5 years ago
Jeff Lucovsky ef62761e8c threshold-config: Improve support for big IP lists 5 years ago
Juliana Fajardini c6a35d09b7 templates: fix typos
- *template*files[ch][rs]: fix typos
- scripts/setup-app-layer: fix typos
5 years ago
Jason Ish 877e5214b8 logging: removed unused logger IDs
- pre-json dns logger
- unified2
- pre-json drop logger
5 years ago
Jason Ish 6853bf98fb dns: only register a single logger
DNS no longer requires a logger to be registered for to-client and
to-server directions. This has not been required with the stateless
design of the Rust DNS parser.
5 years ago
Victor Julien b1fee90392 output/tx: add warning to avoid future bugs 5 years ago
Victor Julien 3cc3df2172 output/tx: move eof checks out of logging loop 5 years ago
Victor Julien b05bd058e9 app-layer: minor code cleanups 5 years ago
Victor Julien 1098e3b7c6 app-layer: remove conditional logic around API calls
Remove logic that suggested some API calls could be conditional,
even though Suricata wouldn't even start up if they weren't
registered.
5 years ago
Jason Ish 4d5d7b4bd3 eve/netflow: use generic json context 5 years ago
Jason Ish a68d50608b eve/flow: use generic json context 5 years ago
Jason Ish 67c4621bdb eve/ftp: use generic json context
The FTP logger contained no extra data in its context so the
generic json context can be used.
5 years ago
Jason Ish 2d78afe4b0 eve: refactor CreateEveHeaderWithTx to include common options 5 years ago
Jason Ish 06ba611667 eve cleanup: remove duplicate/redundant code
The first change was to have CreateEveHeader add the common options
as this was left out in a few loggers. While updating all the loggers
that use CreateEveHeader, remove redundant code, in particular
from loggers that don't need to use their own context but
can use the generic one.
5 years ago
Jason Ish 64330498f8 eve/mqtt: fix mqtt logging with threaded eve
Mqtt was not setting up a per-thread file context for logging
in threaded mode, leading to a crash when used in threaded mode.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4404
5 years ago
Jeff Lucovsky dd8eeb6353 general: Correct typos 5 years ago
Jeff Lucovsky 11ec61d0b4 thresholds: Improve validation of threshold.config
This commit improves the handling of threshold.config. When used with
"-T", a non-zero return code occurs when the file cannot be validated.

To maintain legacy behavior, when "-T" is not used and threshold.config
contains one or more invalid lines, Suricata continues execution.
5 years ago
Jeff Lucovsky cb03455c04 error: Add code for threshold config validation
This commit adds a new warning code for threshold config file validation
failures.
5 years ago
Eric Leblond a73b5f0ea5 eve/ike: restore common option logging 5 years ago
Philippe Antoine 2997be6707 sslv2: precise detection pattern with probing parser 5 years ago
Philippe Antoine e8415f249b fuzz: adds structure aware target
so as not to fuzz libpcap
and generate structure aware signatures
5 years ago
Victor Julien 398ebf9345 eve/drop: use highest priority drop
When adding the alert to a drop record make sure to add the highest
priority.

It would until now add all drops from high to low prio, effectively
overwriting the record each time.

Ticket #4397
5 years ago
Victor Julien 6cf44fc839 detect/alert: apply pd only actions to flow
Ticket #4394
5 years ago
Victor Julien 6c594d29db detect/alert: minor code refactor
Use a simpler reject check and move logic into util func.
5 years ago
Victor Julien fbcdd2ec26 detect/iponly: don't check & set flow flags twice
Per flow IP-only flags are checked and set by IP-only engine, so
no need to set/check them per alert.
5 years ago
Victor Julien 55a0e29c8e eve/ike: gracefully handle renamed output config 5 years ago
Sascha Steinbiss 37940180a8 ikev1: add metadata to alerts 5 years ago
Sascha Steinbiss e2dbdd7fd5 ikev1: add ikev1 parser 5 years ago
frank honza ecdf9f6b0b ikev1: rename ikev2 to common ike
Renaming was done with shell commands, git mv for moving the files and content like
find -iname '*.c' | xargs sed -i 's/ikev1/ike/g' respecting the different mixes of upper/lower case.
5 years ago
frank honza ab6171c429 detect: added support for protocol-aliases 5 years ago
frank honza b80cdae1df detect: add comparison-mode LTE/GTE for Detect(U32/u8)Data 5 years ago
Victor Julien c3075cba42 detect/analyzer: fix mpm display on payload only rules 5 years ago
Victor Julien 9dd1444f44 detect: suppress error message for pcre only rules 5 years ago
Victor Julien b55b327db1 detect/analyzer: suggest modern keywords 5 years ago
Victor Julien 57f7612ffd detect/analyzer: fix json output for warnings/notes 5 years ago
Victor Julien 018b9a0a8c detect/asn1: minor cleanups 5 years ago
Victor Julien 8b8cc697d5 detect/http-server-body: clean up test 5 years ago
Victor Julien 68f8b2f40f detect/icmp: reject invalid rules for icode/itype 5 years ago
Victor Julien 7d6835958b detect/prefilter: fix null ptr deref on invalid rule
A bad rule 'icode:<0; prefilter;' would trigger a null ptr deref
in ApplyToU8Hash.

Bug #4375.
5 years ago
Victor Julien e964643088 detect/state: fix reset bug
Fix issue where after a reset the now empty list elements are not
reused and the values may not be valid for the current detect
engine anymore.

Introduce a 'current' (cur) pointer that points to the store element
currently being filled. This way existing stores will be reused.

If 'cur' is NULL and 'head' is not NULL it means we need to use
'tail' to append a new store.
5 years ago