Commit Graph

12329 Commits (d776d72711800168cda5d62a7cc4669abda379be)

Author SHA1 Message Date
Jason Ish d4554ec6bb misc: include queue.h before other headers
At least on FreeBSD, some other include is including "sys/queue.h"
which results in FreeBSD's /usr/include/sys/queue.h being picked
up and setting __SYS_QUEUE_H__ so our queue.h is not picked up.

But the FreeBSD queue.h does not have the CIRCLEQ definitions. To
fix just include our queue.h first, which also sets __SYS_QUEUE_H__
preventing the system one from being picked up.
5 years ago
Jason Ish c7f44447c9 dns: remove flood protection purging
It doesn't look like flood protection is required with the
stateless parser anymore. It actually can get in the way of TCP
DNS when a large number of requests end up in the same segment
where a TX can get purged before it has a chance to go through
the normal TX life-cycle.
5 years ago
Jason Ish afaa18c5ad tx: fix unidir tx cleanup
A unidirectional protocol parser should only have its transactions
marked as "skipped" if it is skipped in both the TS and TC
directions, otherwise unidir transactions are always considered
skipped and the cleanup will never update its minimum id.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4437
5 years ago
Jeff Lucovsky fc7a443c3f general: Typo cleanup 5 years ago
Jeff Lucovsky 2c0485ae15 detect/address: Improve support for large addrs
This commit improves support for large address variables. Without this
commit, address size was fixed at 8196 or less. This commit permits
larger sized address variables.
5 years ago
Shivani Bhardwaj 089972fd31 applayer: fix test data for a valid DCERPC pkt 5 years ago
Shivani Bhardwaj c663ac6ddd dcerpc/tcp: improve detection
Lately, some of the TLS data was misdetected as DCERPC/TCP because of
the pattern |05 00|. Add more checks in DCERPC probe function to ensure
that it is in fact DCERPC/TCP.
5 years ago
Andreas Herz a5f36eccf1 doc: add documentation for rawbytes keyword 5 years ago
Andreas Herz d62616f805 detect-rawbytes: add rawbytes doc help output 5 years ago
Andreas Herz 37789d9189 detect-rawbytes: update to new clang format 5 years ago
Jason Ish 06f58650d6 eve: refactor OutputJsonBuilderBuffer to take context
All callers of OutputJsonBuilderBuffer are now calling it
using fields from an OutputJsonThreadCtx, so just pass
a pointer to the thread context now.
5 years ago
Jason Ish 08eee26d27 eve: convert many loggers to use generate thread context
- mqtt
- dnp3
- smtp
- ike
- dns
- alert
- tls
- anomaly
- drop
- file
- http
- http2
- templates
- dhcp

The idea is to factor out the common code for setting
up the output file objects, which is repetitive, and
often done wrong when it comes to threading.
5 years ago
Jason Ish 013becf569 eve: reset buffer in OutputJsonBuilderBuffer
Reset the buffer here so each caller doesn't need to do it.
5 years ago
Jason Ish c890f9db63 eve: factor thread context creation/free for reuse 5 years ago
Jason Ish 702f3b3c73 eve: remove duplicate call to LogFileEnsureExists
Remove duplicate call to LogFileEnsureExists in the generic
eve thread init function.
5 years ago
Eric Leblond 23b1607d69 github-ci: add ebpf build
Use Debian 10 to build eBPF.
5 years ago
Eric Leblond d477d3a878 util/ebpf: fix deprecation warning
The function bpf_program__title has been deprecated in favor of
bpf_program__section_name.
5 years ago
Eric Leblond b9351339a2 ebpf: fix gre encapsulation in xdp_lb
The xdp_lb was not handling correctly the GRE load balancing
and it was not supporting the GRE + ERSPAN that is used by
some aggregator devices.
5 years ago
Juliana Fajardini eb4c71fdd6 ippair/bit: fix formatting 5 years ago
Juliana Fajardini e7c1c3c374 ebpf/util: change flow storage to new 'id' type 5 years ago
Juliana Fajardini 3b1a653467 device/storage: use dedicated 'id' type
- Wrap the id in a new LiveDevStorageId struct, to avoid id
confusion with other storage API calls.
- Formatting fixes by clang.
5 years ago
Juliana Fajardini 68b8b3d63e detect/engine-tag: fix typo 5 years ago
Juliana Fajardini b807059c34 host/storage: use dedicated 'id' type
- Wrap the id in a HostStorageId struct to avoid id confusion
with other storage API calls.
- Fix formatting with clang script.
5 years ago
Juliana Fajardini cf516de587 ippair/storage: use dedicated 'id' type
- Wrap the id in a new IPPairStorageId struct, to avoid id
confusion with other storage API calls.
- Formatting fixes by clang.
5 years ago
Jeff Lucovsky aa9ad56a5b output/log: Removed pcie (Tilera) log vestiges
This commit removes the last remnants of the Tilera log output mechanism
(unsupported since 5.0.x).
5 years ago
Jeff Lucovsky 38ae21a196 output/log: Ensure files closed in threaded mode
This commit ensures that file objects are closed in threaded mode.
5 years ago
Victor Julien bc667a4a93 flow/storage: use dedicated 'id' type
Wrap the id in a new FlowStorageId struct to avoid id confusion with other
storage API calls.
5 years ago
Philippe Antoine d2d0e0adc9 rust: remove exported unused functions 5 years ago
Victor Julien 4b3be24506 app-layer/expectation: clean up storage id logic 5 years ago
Philippe Antoine 68d6922e3c ftp: fixes leak with duplicate expectation 5 years ago
Philippe Antoine cd8c2ef994 fuzz: use stream.midstream=true 5 years ago
Philippe Antoine e9b76a0e66 fuzz: specify protocol with fuzz target name
cf https://redmine.openinfosecfoundation.org/issues/4125

This allows fuzz_applayerparser_parse to fuzz one specific
app-layer protocol based on the binary name, as is done
with the environment variable FUZZ_APPLAYER.
That is, if we rename/copy to fuzz_applayerparser_parse_smb,
it will fuzz only the SMB protocol.
This way, we can easily produce different fuzz targets for
each protocol in oss-fuzz.
5 years ago
Philippe Antoine 6da9a37285 rdp: correctly returns incomplete in parse_tc
Adding the already consumed bytes,
in case an incomplete TLS handshake is handled with/after
a regular rdp t123_tpkt.
5 years ago
Philippe Antoine 3de0123ffb http2: adds check about dynamic headers table size 5 years ago
Andreas Herz c93073c246 rules: add newer rule files to makefile for release tarball 5 years ago
Jeff Lucovsky 2893b04ab0 general: Typo cleanup 5 years ago
Jeff Lucovsky 02ceac8b8d detect/threshold: Improve threshold.config perf
This commit improves performance when parsing threshold.config by
removing a loop-invariant to create a one-time object with the parsed
address(es).

Then, as needed, copies of this object are made as the suppression
rule(s) are processed.
5 years ago
Jeff Lucovsky e873632a28 detect/threshold: Function to deep-copy thresh obj
This commit adds a function to make a deep copy of a DetectThresholdData
object.

The function is used when parsing threshold.config items to make a
one-time object and then add copies as needed.
5 years ago
Jeff Lucovsky 11f9cc6524 detect/address: Expose DetectAddressCopy function 5 years ago
Philippe Antoine 1ca4f041bb http2: pass data through when decompression fails
as is done for HTTP1
5 years ago
Jeff Lucovsky ef62761e8c threshold-config: Improve support for big IP lists 5 years ago
Juliana Fajardini c6a35d09b7 templates: fix typos
- *template*files[ch][rs]: fix typos
- scripts/setup-app-layer: fix typos
5 years ago
Juliana Fajardini 4748826dc7 scripts/setup-app-layer: fix Makefile.am patch
adjust lines for patching /src/Makefile.am, as current generated
Makefile wasn't building Suricata.
Add suggestion to run "./configure" before running "make".
Add --logger and --parser options to examples.
5 years ago
Jason Ish 877e5214b8 logging: removed unused logger IDs
- pre-json dns logger
- unified2
- pre-json drop logger
5 years ago
Jason Ish 6853bf98fb dns: only register a single logger
DNS no longer requires a logger to be registered for to-client and
to-server directions. This has not been required with the stateless
design of the Rust DNS parser.
5 years ago
Victor Julien b1fee90392 output/tx: add warning to avoid future bugs 5 years ago
Victor Julien 3cc3df2172 output/tx: move eof checks out of logging loop 5 years ago
Victor Julien b05bd058e9 app-layer: minor code cleanups 5 years ago
Victor Julien 1098e3b7c6 app-layer: remove conditional logic around API calls
Remove logic that suggested some API calls could be conditional,
even though Suricata wouldn't even start up if they weren't
registered.
5 years ago
Jason Ish 4d5d7b4bd3 eve/netflow: use generic json context 5 years ago