aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,389 Commits
8 Branches
154 Tags
168 MiB
dependabot/github_actions/github/codeql-action-3.26.13
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e416b2cdfb'
${ noResults }
Commit Graph

4389 Commits (e416b2cdfbd28cb6ea6946f1040ac49838f5a34c)
 

Author SHA1 Message Date
Anoop Saldanha 836bad85a4 Reset app layer processed flag for segments that have been sent for proto 
detection, but we failed to figure out the proto.

Updated a unittest to reflect the above change.
 11 years ago
Anoop Saldanha 87edd2ade9 Inside PP parser, we were using the return value from DetectPortParse as 
the ip_proto value,  which is wrong.  We have fixed this now.
 11 years ago
Anoop Saldanha 73be9d3ef7 Update ssl parser protocol detection pattern strings. 11 years ago
Victor Julien 1d18155a16 XFF: use per alert tx id 
Use the tx id stored for each alert to find the correct XFF address
to add to the extra-data field.

In overwrite mode we still only grab the first available XFF addr,
as this address is set in the header preceeding the individual alerts.

Issue #904.
 11 years ago
Victor Julien e7df53b136 Display TX id in alert debuglog. 11 years ago
Victor Julien edeeb7ed44 Store TX id with alerts 
When generating an alert and storing it in the packet, store the tx_id
as well. This way the output modules can log the tx_id and access the
proper tx for logging.

Issue #904.
 11 years ago
Victor Julien 51c2e1eaf6 htp: for apache and apache_2_2 personalities, that are no longer supported by libhtp, fall back to apache_2 with a warning. 11 years ago
Victor Julien 958938bf01 Bug 640: add more tests to validate that issue is fixed 11 years ago
Eric Leblond 2be194d03f suricata: add -v[v] option to increase verbosity 
This patch adds a -v option to suricata. It increases the log level
defined in the YAML.
 11 years ago
Eric Leblond 4a4600539d suricata: info message after log init 
This patch moves version display after log init so we can have an
homogeneous display.
 11 years ago
Eric Leblond fdc1757e34 suricata: reorder start 
Initalizing output just after configuration file parsing allow to
log almost all messages accordingly to configuration.
 11 years ago
Eric Leblond 7bcacc712a log: change default log level to notice 
This patch updates the log level of meaningful start messages to
notice. It also sets the default log level to notice.
 11 years ago
Victor Julien c1190545cf Revert change in queue handler wait logic. Bug #988. 11 years ago
Victor Julien 8d6bca72f7 Improve 'host-mode' info message 11 years ago
Victor Julien 57abba2e64 Coverity 1100842: add missing return statement 11 years ago
Victor Julien afaa10b37d Coverity 1100843: remove unnecessary check 11 years ago
Victor Julien cb15000387 http: add new events for invalid host header and host part of uri 11 years ago
Victor Julien 43b39d333f http: fix some decoder events 
Some events we retrieved from error messages are flag now, so check
those. Not all can be converted though. These are no longer set:

HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE
HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT

Part of Bug #982.
 11 years ago
Victor Julien 85f13c4e28 http: update http rules 11 years ago
Victor Julien 636791751e http: fix field too long events 11 years ago
Victor Julien 5d10bafdba http: don't call HTPHandleWarning before HTPHandleError as the latter handles warnings and errors. 11 years ago
Victor Julien 129b6a65ca http: add test for HTTP_DECODER_EVENT_UNKNOWN_ERROR event as a result of a too long request 11 years ago
Eric Leblond 2c50e41153 reject: try to fail more gracefully 
In the case of reject both, a failure in sending one way do not lead to
abort the reset procedure.
 11 years ago
Eric Leblond 10b05a6361 reject: clean respond-reject code. 11 years ago
Eric Leblond 6f1cf9728e reject: delete debug line 11 years ago
Eric Leblond f05efeb46f Add reject for IPv6 
With this patch reject is now available in IPv6.
 11 years ago
Eric Leblond 64cd49da31 configure: accept libnet 1.1 and 1.2. 11 years ago
Eric Leblond 5f224f87d1 reject: update computation of seq and ack 
We have follow TCP RFC (http://tools.ietf.org/html/rfc793#section-3.4).
There is two cases depending on wether the original packet contains a
ACK.
If packet has no ACK, the RST seq number is 0 and the ACK is built the
standard way.
If packet has a ACK, the seq of the RST packet is equal to the ACK of
incoming packet and the ACK is build using packet sequence number and
size of the data.

Regarding standard Ack number, it is computed using seq number of captured
packet added to packet length. Finally 1 is added so we respect the
RFC:
    If the ACK control bit is set this field contains the value of the
    next sequence number the sender of the segment is expecting to
    receive.  Once a connection is established this is always sent.

With this patch we have some correct results. With the following rule:
    reject ssh any any -> 192.168.56.3 any (msg:"no SSH  way"; sid:3; rev:1;)
ssh connection to 192.168.56.3 is correctly resetted on client side.

But this is not perfect. If we have the following rule:
    reject tcp any any -> 192.168.56.3 22 (msg:"no way"; sid:2; rev:1;)
then the connection is not resetted on a standard ethernet network. But
if we introduce 20ms delay on packets, then it is correctly resetted.
This is explained when looking at the network trace. The reset is sent
as answer to the SYN packet and it is emitted after the SYN ACK from
server because the exchange is really fast. So this is discarded by the
client OS which has already seen a ACK for the same sequence number.

This should fix #895.
 11 years ago
Eric Leblond 4e15cf2245 reject: fix typo 11 years ago
Eric Leblond efc12b24ae reject: use host-mode to set interface 
This patch update reject code to send the packet on the interface
it comes from when 'host-mode' is set to 'sniffer-only'. When
'host-mode' is set to 'router', the reject packet is sent via
the routing interface.

This should fix #957.
 11 years ago
Eric Leblond 9bbd2a103d reject: reindent and code cleaning 
Reindent file and use some switch instead of if else if.
 11 years ago
Eric Leblond 6cf7da30e2 Introduce host-mode. 
This variable can be used to indicate to suricata that the host
running is running as a router or is in sniffing only mode.
This will used at least to determine which interfaces are used to
send reject message.
 11 years ago
Victor Julien d8cb821875 locks: clean up locks declarations 
Split threads.h into several files, where each of these files defines
all lock types and macro's.

threads.h defines the normal case
threads-debug.h defines the debug variants
threads-profile.h defines the lock profiling variants

Finally, threads-arch-tile.h moves the Tilera specifics out
 11 years ago
Eric Leblond 0a1ca02b3b coccinelle: implement parallel check 
This patch is an implementation of parallel check of files. It uses
GNU parallel to run multiple spatch at once.
The concurrency level is set via the CONCURRENCY_LEVEL environment
variable.
 11 years ago
Anoop Saldanha c5cd3562d0 Stateful detection inspection continuation API call should update per 
signature's Sigmatch entry as well.
 11 years ago
Victor Julien 7f0cc97f5b Thresholding: move parsing code into separate func 11 years ago
Victor Julien 8ce38ac8fe Split Thresholds and Suppression 
Thresholds and suppression can be handled independently. Suppression
only suppresses output, and is not related to Threshold state tracking.

This simplifies mixing suppression and thresholding rules.

Part of the Bug #425 effort.
 11 years ago
Ken Steele 592d48aab7 Use Spin locks on Tile 
On Tile, replace pthread_mutex_locks with queued spin locks (ticket
locks) for dataplane processing code. This is safe when running on
dataplane cores with one thread per core. The condition variables are
no-ops when the thread is spinning anyway.

For control plane threads, unix-manager, stats-logs, thread startup,
use pthread_mutex_locks. For these locks replaced SCMutex with SCCtrlMutex
and SCCond with SCCtrlCond.
 11 years ago
Victor Julien 2f4e11b1ca Fix compiler warning 
app-layer-parser.c: In function ‘AppLayerPPTestData’:
app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable]
     int dir = 0;
         ^
 11 years ago
Ken Steele 85a51638c9 Improve Signature sorting speed 
Changed the signature sorting code to use a a single merge sort instead
of the multiple pass sorting that was being used. This reduces startup
time on Tile by a factor of 3.

Also replace the user array of pointers to ints with a simpler array of
ints.
 11 years ago
Victor Julien 5c08b2296f DNS: copy only the length of the hardcoded string, not the length of the destination buffer. 11 years ago
Anoop Saldanha 57ed5dfd32 Fix return value from DetectProtoParse() which is used by probing 
parser.
 11 years ago
Anoop Saldanha ac65784cbc Fix coverity scan defect #1099714. 
Sending back uninitialized variable in DetectParseProto().
 11 years ago
Anoop Saldanha e383cc27cd Fix a leak in probing parsers. We were freeing just the head of the list, 
instead of all the members.
 11 years ago
Anoop Saldanha 980934d670 Fix a leak in app layer parser proto code. Free the proto signatures 
allocated internally for PM parser.
 11 years ago
Anoop Saldanha fc82614025 Fix mem leak in b2g. 11 years ago
Anoop Saldanha 06db1e4cb8 Remove unused vars alp_content_module_handle and proto_map from 
struct AlpProtoDetectCtx.
 11 years ago
Anoop Saldanha 558f5705eb Remove the unused flow flags - FLOW_TS_PM_PP_ALPROTO_DETECT_DONE and 
FLOW_TC_PM_PP_ALPROTO_DETECT_DONE.
 11 years ago
Anoop Saldanha 36220b689b Reset some flow flags when port numbers are re-used and we re-use the 
flow as a part of a new session.
 11 years ago
Anoop Saldanha af1df7a89d Remove the smtp parser restriction that it accepts data only in to client 
direction first.
 11 years ago