There is no need to try to set erroneous BPF filter again and again. Such attempts
lead to constant mmap() calls without corresponding munmap() when 'use-mmap' is enabled.

This adds a new redis mode rpush. Also more consistent config keywords orientated at the redis command: lpush and publish.
Keeping list and channel config keywords for backwards compatibility.

Decoding client certificate overwrites the validity dates from the
server certificate, so we therefore don't decode it, since we don't
do anything with it (right now) anyway.
Fixes Bug #2050

added util-napatech module which contains implementation threads
for processing statistics. And modified source-napatech and
runmode-napatech to instantiate the threads.
napatech: Implementation of packet counters
napatech: implementation of statistics counters
napatech: Implementation of packet counters.
napatech: added util-napatech module
napatech: added utils-napatech module.
added include declaration and napatech specific structure when HAVE_NAPATECH
is defined.
Added util-napatech module to project.

Stub data buffer could grow without limit depending on traffic.
This patch improves the handling. It honors the 'last frag' setting
and implements a hard limit of 1MB per buffer.
Bug #2186

The reason the stream engine can't easily decide to bypass streams
is that there can be non-stream dependent rules that wouldn't match
if bypassing is done too aggressively.
However, if there is no detection engine, there is no reason to hold
back. In this case we can bypass as soon as the stream engine is done
with a session.

This patch turns on code optimization on BPF filter building by
libpcap. This allows reducing the size of the BPF bytecode and
thus increases the size of BPF filter supported by Suricata.
Reported-by: Martijn van Oosterhout

Rules can contain conflicting statements and lead to an unmatchable rule.
2 examples are rejected by this patch:
1. dsize < content
2. dsize < content@offset
Bug #2187
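
The check this commit message describes, as an added example that is not Suricata's code: a simplified C model (the types and the function name `rule_first_unmatchable_content` are hypothetical) that flags a rule whose `content`, alone or at its `offset`, cannot fit in the largest payload `dsize` allows. It covers only the exact, `<` and `>` forms of `dsize`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the rule options (hypothetical types, not Suricata's). */
enum dsize_mode { DSIZE_EQ, DSIZE_LT, DSIZE_GT };
struct dsize_opt { enum dsize_mode mode; uint16_t value; };
struct content_opt { uint16_t len; uint16_t offset; }; /* offset is 0 when unset */

/* Largest payload size dsize permits; returns false when there is no upper bound. */
static bool dsize_max_payload(const struct dsize_opt *d, uint32_t *max)
{
    switch (d->mode) {
    case DSIZE_EQ: *max = d->value; return true;
    case DSIZE_LT: *max = d->value ? d->value - 1u : 0u; return true;
    case DSIZE_GT: break;
    }
    return false;
}

/* Index of the first content that can never fit in the payload, or -1 if none. */
int rule_first_unmatchable_content(const struct dsize_opt *d,
                                   const struct content_opt *c, size_t n)
{
    uint32_t max;
    if (!dsize_max_payload(d, &max))
        return -1;
    for (size_t i = 0; i < n; i++) {
        /* 32-bit sum so offset + len cannot wrap a 16-bit type */
        uint32_t needed = (uint32_t)c[i].offset + c[i].len;
        if (needed > max)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: dsize:10 with a 4-byte content at offset 8. */
    struct dsize_opt d = { DSIZE_EQ, 10 };
    struct content_opt c[] = { { 4, 0 }, { 4, 8 } };
    int bad = rule_first_unmatchable_content(&d, c, 2);
    if (bad >= 0)
        printf("reject rule: content #%d needs %u bytes\n", bad,
               (unsigned)(c[bad].offset + c[bad].len));
    return 0;
}
```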

As the DNS probe just uses the query portion of a response, don't
require there to be as many bytes as specified in the TCP DNS
header. This can occur in large responses where probe is called
without all the data.
Fixes the cases where the app proto is recorded as failed.
Fixes issue:
https://redmine.openinfosecfoundation.org/issues/2169

GCC7 said:
CC util-radix-tree.o
In file included from util-debug-filters.h:29:0,
from util-debug.h:34,
from suricata-common.h:421,
from util-radix-tree.c:26:
util-radix-tree.c: In function ‘SCRadixAddKey’:
util-mem.h:177:12: error: argument 1 range [18446744071562067968, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
ptrmem = malloc((a)); \
~~~~~~~^~~~~~~~~~~~~
util-radix-tree.c:749:42: note: in expansion of macro ‘SCMalloc’
if ( (inter_node->netmasks = SCMalloc((node->netmask_cnt - i) *
^~~~~~~~
In file included from suricata-common.h:69:0,
from util-radix-tree.c:26:
/usr/include/stdlib.h:443:14: note: in a call to allocation function ‘malloc’ declared here
extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur;
^~~~~~
scan-build said:
util-radix-tree.c:749:42: warning: Call to 'malloc' has an allocation size of 0 bytes
if ( (inter_node->netmasks = SCMalloc((node->netmask_cnt - i) *
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-mem.h:177:14: note: expanded from macro 'SCMalloc'
ptrmem = malloc((a)); \
^~~~~~~~~~~
1 warning generated.

Example:
util-runmodes.c: In function ‘RunModeSetIPSAutoFp’:
util-runmodes.c:496:40: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
snprintf(qname, sizeof(qname), "pickup%d", thread+1);
^~~~~~~~~~
util-runmodes.c:496:9: note: ‘snprintf’ output between 8 and 17 bytes into a destination of size 16
snprintf(qname, sizeof(qname), "pickup%d", thread+1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solved by reducing 'thread' to a uint16_t and limiting the max
thread count to 1024.