aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
10,256 Commits
8 Branches
165 Tags
216 MiB
main
main-8.0.x
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd801c3e588'
${ noResults }
Commit Graph

156 Commits (d801c3e58868abb3f3778b084d39238e0d6ff17f)

Author SHA1 Message Date
Eileen Donlon 1a46d7a53a fix more invalid content unittests 
fix invalid unittests with mixed relative and non-relative content modifiers and other issues; DetectContentParse19 still contains some failing dce_stub tests which are commented out.
 14 years ago
Victor Julien cdba2f50d1 Various fixes and improvements based on feedback by Coverity analyzer. 14 years ago
Anoop Saldanha 1acb7cdc7d All http_server_body modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_SERVER_BODY 14 years ago
Anoop Saldanha 6cab663bf0 code cleanup - replace SigMatchAppendPayload with SigMatchAppendSMToList 14 years ago
Anoop Saldanha ab35b98f76 code cleanup - remove DetectContentGetLastPattern. Replace it with SigMatchGetLastSMFromLists 14 years ago
Anoop Saldanha d85ab5ab1f code cleanup - remove DetectContentFindNextApplicableSM 14 years ago
Anoop Saldanha 802350f65a code cleanup - remove DetectContentHasPrevSMPattern 14 years ago
Anoop Saldanha 9652c3672d code cleanup - remove SigMatchGetLastPattern 14 years ago
Anoop Saldanha dcb2afb02f Use sm_list to differentiate between different content types while retrieving pattern ids instead of sm_type 14 years ago
Victor Julien 07e560b137 file-data: initial file_data support 
Support file_data for: content, pcre (relative), byte_test, byte_jump,
byte_extract, isdataat.

File_data support is handled at signature parsing time, all matches
occurring after the file_data in the rule are converted to http_server_body
matches.

Content matches relative to the file_data are converted. Within to depth,
distance to offset. Relative to the start of the body buffer.
 14 years ago
Anoop Saldanha 7433d92dd2 undo this commit - 
commit eff08f93d8
Author: Anoop Saldanha <poonaatsoc@gmail.com>
Date:   Thu Nov 3 14:31:24 2011 +0530

    update failing unittest to reflect the mpm design update

Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
 14 years ago
Anoop Saldanha eff08f93d8 update failing unittest to reflect the mpm design update 14 years ago
Anoop Saldanha ed3b44b3b5 fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords 14 years ago
Eric Leblond a85dc9b0e2 Add support for replace keyword. 
This patch adds support for the replace keyword. It is used with
content to change selected part of the payload. The major point
with this patch is that having a replace keyword made necessary
to avoid all stream level check because we need to access to the
could-be-modified packet payload.

One of the main difficulty is to handle complex signature. If there is
other content check, we must do the substitution when we're sure all
match are valid. The patch adds an attribute to the thread context
variable to be able to deal with recursivity of the match function.

Replace is only activated in IPS mode and apply only to raw match.
 14 years ago
Eric Leblond 49adc264bc Don't print message after SCMalloc failure. 
This patch generated via coccinelle is getting rid of logging
message after a SCMalloc failure. They were useless as SCMalloc
already displays a message.
 15 years ago
Eric Leblond 1db4aadd16 Supress usage of Packet declaration in tests. 
For convenience, a massive usage of 'Packet p;' declaration has
been done in the tests function. Although this was completely
legal, this is not possible anymore because of the new Packet
allocation structure. This massive patch modifies all suricata
files to use a SCMalloc allocated pointer to Packet instead.

This patch has been done using coccinelle (http://coccinelle.lip6.fr)
which is a semantic patching tool. This ensures that things like call
to SCFree() should have not been forget because the semantic patch
explicitly forces the call to SCFree(p) before each return. With this
patch all unittests are running fine with a small and a big default
packet size.
 15 years ago
Eric Leblond dd038c1906 Modify files to avoid direct pckt payload access 
This patch implements the needed modification of payload access
in a Packet structure to support the abstraction introduced by
the extended data system.
 15 years ago
Victor Julien 014f62247a Another batch of clang fixes. Nothing really serious. Includes a couple of fixes for broken fixes from yesterday. 15 years ago
Anoop Saldanha 3d2f81d978 replace all Signature->dmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_DMATCH] 15 years ago
Anoop Saldanha e0476242c6 replace all Signature->umatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_UMATCH] 15 years ago
Anoop Saldanha e54358a9e1 replace all Signature->pmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_PMATCH] 15 years ago
Anoop Saldanha 82fd581b64 replace all sm lists (match, pmatch, dmatch, umatch, amatch, tmatch) with an array Signature->sm_lists[]. Replace all Signature->match instances in the engine with Signature->sm_lists[DETECT_SM_LIST_MATCH] 15 years ago
Anoop Saldanha 0c5b82d891 provide separate ids for content, uricontent, http_(client_body_data|cookie|header|method|uri), when they share the same pattern 15 years ago
Anoop Saldanha b8f5a6a4fc throw out contents/uricnotents with invalid hex assembly 15 years ago
Anoop Saldanha 850f44022f invalidate sigs with content/uricontent strings ", "boo, boo" + fix parsing content strings of the format content: !\"boom\";" 15 years ago
Victor Julien fc248ca7a1 Many small performance updates. 15 years ago
Pablo Rincon 76af1b049b Make malloc errors on initialization stage a fatal error, resulting on a exit() call 15 years ago
Victor Julien 1071a53210 Fix unittests after ip_proto keyword change. 16 years ago
Pablo Rincon 34bb107f2c Fix for bug 207 (depth/offset not correctly updated on certain cases) 16 years ago
Anoop Saldanha ce8d27425d fix signature parsing to how snort does it for content based keywords along with dce_stub_data 16 years ago
Victor Julien 37442a8a84 Prefilter signatures before fully scanning them. 16 years ago
Anoop Saldanha 015385c6bd changes to the dce parser stub data processed var. changed to stub data fresh var to indicate if the stub is fresh or not 16 years ago
Anoop Saldanha 45ea0d914e dce stub content keywords support using dcepayload.c support for all dce related content keywords 16 years ago
Gurvinder Singh cda664a8c4 memroy leaks fixes in detection module, app layer and counters 16 years ago
William Metcalf 2eef905c07 GPL and Copyright header updates. 16 years ago
Gerardo Iglesias Galvan 9f4fae5b1a Fix inconsistent use of dynamic memory allocation 16 years ago
Victor Julien 7a427ec7f4 Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach. 16 years ago
Gurvinder Singh 3721037de5 unittests for bug 134&139 and some typo correction 16 years ago
William Metcalf ce01927515 Import of GPLv2 Header 050410 16 years ago
Gurvinder Singh 69a4fee757 fixed the API and logic error reported by clang tool 16 years ago
Pablo Rincon 227fe516a0 Adding Boyer Moore context to content patterns, should speed up the search 16 years ago
Victor Julien ced401b554 Update http_client_body code to recent changes. 16 years ago
Anoop Saldanha 97d49d8f5e support for http_client_body keyword 16 years ago
Pablo Rincon c7350a8ac6 Fixing some naming convention issues and incorrect error messages 16 years ago
Pablo Rincon b708d7f65d Adding Uricontent inspection with spm. Modifiers for uricontent are now supported 16 years ago
Anoop Saldanha c54b91ed94 fix for bug 113 16 years ago
Victor Julien c1a19bcd6b Fix compilation of new detect-filter code, fix ip-only compatibility of detect-filter code. 16 years ago
Victor Julien 80dc4f1dbe Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 16 years ago
Victor Julien 1e01fd613c Remove all references to the scan phase from the pattern matchers and it's api. 16 years ago
Victor Julien dd846c9b0e Remove all search code from the pattern matchers, cleanup mpm api, remove unused http code, more cleanups. 16 years ago
Victor Julien 8b30226914 Detection keyword cleanup 16 years ago
Victor Julien b259e362cd Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now. 16 years ago
Victor Julien bef70a04ce First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase. 16 years ago
Victor Julien 50e41817a7 Share content id's between identical patterns. 16 years ago
Pablo Rincon 25a3a5c6d8 Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks. 16 years ago
Gerardo Iglesias Galvan ba6d807a6e Improve information about errors on signature failure 16 years ago
William Metcalf 811f2f605d small fix for ! inside of content match 16 years ago
Victor Julien 0d34990d7f Add OpenBSD's strlcpy and strlcat and replace all strcat/strcpy/strncat/strncpy by those calls. 16 years ago
Steve Grubb 60ad9d29c5 Memory leak cleanup in detectors 
Hello,

I ran the code through an analysis program and found several leaks that
should be cleaned up.

*In src/detect-engine-address-ipv4.c at line 472, the test for ag == NULL
will never be true since that is the loop entry test.
*In src/detect-engine-port.c at line 1133, the test for p == NULL will
never be true since that is the loop entry test.
*In src/detect-engine-mpm.c at line 263 is a return without freeing
fast_pattern
*In src/detect-ack.c at line 80 and 85, data catches the return from malloc.
One of them should be deleted.
*In src/detect-seq.c at line 81 and 86, data catches the return from malloc.
One of them should be deleted.
*In src/detect-content.c at line 749, many of the paths that lead to the error
exit still has temp pointing to allocated memory. To clean this up, temp
should be set to NULL if not immediately assigning and new value.
*In src/detect-uricontent.c at line 319, both cd and str needto be freed. At
lines 344, str needs to be freed. And at line 347 str and temp need to be
freed.
*In src/detect-flowbits.c at line 231 and 235, str was not being freed. cd was
not being freed at line 235.
*In src/detect-flowvar.c at line 127, str was not being freed. At line 194, cd
and str were not being freed.
*In src/detect-flowint.c at line 277, sfd was not being freed. At line 315, str
was not being freed.
*In src/detect-pktvar.c at line 121, str was not being freed. At line 188, str
and cd was not being freed.
*In src/detect-pcre.c at line 389, there is an extra free of "re" that should
be deleted.
*In src/detect-depth.c at line 42 & 48, str has not been freed.
*In src/detect-distance.c at line 49 and 55, str has not been freed
*In src/detect-offset.c at line 45, str has not been freed.

The patch below fixes these issues.

-Steve
 16 years ago
Victor Julien 4284276b11 Merge applayer detect function into normal match function. Should speed up detection. 16 years ago
Pablo Rincon b6a3395c08 Adding unittest helper functions for building generic packets, checking arrays of expected match results, perform generic tests, etc. Look at util-unittest-helper.c and detect-ipproto.c for references 16 years ago
Victor Julien fcabd1b2ba Fix typo. 16 years ago
Victor Julien b7bac14040 Fixup code to compile with -Wall -Werror -Wextra -Wno-unused-parameter compiler options. 16 years ago
Victor Julien 7b2610ba1f Fix extra spaces confusing content and uricontent. 16 years ago
Victor Julien 35e884f303 Make sure offset modifies depth. 16 years ago
Victor Julien 1d12de9500 DetectContentChunkMatchTest11 is no longer expected to fail. 16 years ago
Victor Julien 53041eeb67 Small cleanups. 16 years ago
Pablo Rincon 6f76ed6804 Match content fail when two contents are specified in the same rule and the last of them has length = 1 16 years ago
Victor Julien 8490208ba1 Fix bug fix 16 years ago
Victor Julien fa5dbaeb1d Fix segv when testing for sid 2002181 16 years ago
Victor Julien ecf86f9c23 Rename to Suricata. 16 years ago
Anoop Saldanha cd0de89bd4 Fix for handling negated content "\!CONTENT" 16 years ago
Victor Julien 2213ff933f Compile fix. 16 years ago
Brian Rectanus 44083b6505 Fixed warning in detect-content. 16 years ago
Victor Julien 50b2e381e0 Set the DETECT_CONTENT_WITHIN_NEXT and DETECT_CONTENT_DISTANCE_NEXT flags on content chunks if appropriate. 16 years ago
Victor Julien a004724aea Add some debugging code 16 years ago
Victor Julien dd232fcd6e Fix debug compilation 16 years ago
Anoop Saldanha 1c7ac13c25 Support for negated content 16 years ago
Victor Julien 0aaf603317 Fix another case where distance/within checks didn't fully work as expected. 16 years ago
Pablo Rincon ce3abca399 Adding some unittests (one of them dodoesn't work but should) 16 years ago
Pablo Rincon 84411f73c3 Commeting out a unittest. 16 years ago
Pablo Rincon 9a3c21fbf3 Updating real unittests. Small fix on TestWithinDistanceOffsetDepth to skip to the next DETECT_CONTENT SigMatch. Adding some checks on within/distance setups. 16 years ago
Pablo Rincon 7e4377224a Small fix at detect-parse.c, need to continue with MatchTest05 16 years ago
Pablo Rincon f233f9fa31 Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago
Victor Julien 981ca859cb Fixes for distance and within content modifiers. 16 years ago
Victor Julien 951b4d5cf4 Fix within in some corner cases and add some more tests. 16 years ago
Gurvinder Singh a991ab0a19 added sigmatch payload flag 16 years ago
Breno Silva c43319c337 Regular expression for UnitTests 
Signed-off-by: Brian Rectanus <brectanu@gmail.com>
 16 years ago
Victor Julien 91bc83e5c6 More logging API usage changes. 16 years ago
Victor Julien 3a28171fbd Another round of logging api usage updates. 16 years ago
Victor Julien 0d0ffb9963 Reorganize header inclusions. 16 years ago
Pablo Rincon bdf119ade3 Adding window and isdataat keyword and some unittests 16 years ago
Victor Julien 1132ab635a Rename all pmt->det_ctx. 16 years ago
Victor Julien b9972a9d2c Cleanups 16 years ago
Victor Julien 4369816cdd Improvements to content keyword memory handling. 
First version of a simple pattern based L7 proto detection engine. Currently just works by matching a single pattern in the initial data. Implemented HTTP, SSL, MSN, JABBER, SMTP and a few more.

Couple of pattern matcher cleanups.
 16 years ago
Victor Julien 97854cf4bb Fixup some rule parser memleaks 16 years ago
Brian Rectanus fa5939ca91 64 bit cleanup part2 16 years ago
Victor Julien b7ad199c97 Fix broken test. Fix content keyword parsing not escaping properly. 17 years ago
William Metcalf ebd569ca4a Added unit tests to detect-content.c to show problems with escaped chars ; " \ : in snort rule lang 17 years ago
Victor Julien 657be002d1 Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping. 17 years ago