Victor Julien
43c5b949d2
cygwin: fix lua configure
...
Fix lua configure for cygwin. Tested with lua 5.1.5.
11 years ago
Victor Julien
cc54250cf9
Fix live reload segv when startup isn't complete
...
If a live reload signal was given before the engine was fully started
up (e.g. pcap file thread waiting for a disk to spin up), a segv could
occur.
This patch only enables live reloads after the threads have been
started up completely.
11 years ago
Victor Julien
2c20c9d409
Fix Coverity 1220098 and 1220099
...
*** CID 1220098: Missing unlock (LOCK)
/src/log-droplog.c: 195 in LogDropLogNetFilter()
189 SCMutexLock(&dlt->file_ctx->fp_mutex);
190
191 if (dlt->file_ctx->rotation_flag) {
192 dlt->file_ctx->rotation_flag = 0;
193 if (SCConfLogReopen(dlt->file_ctx) != 0) {
194 /* Rotation failed, error already logged. */
>>> CID 1220098: Missing unlock (LOCK)
>>> Returning without unlocking "dlt->file_ctx->fp_mutex".
195 return TM_ECODE_FAILED;
196 }
197 }
198
199 if (dlt->file_ctx == NULL) {
200 return TM_ECODE_FAILED;
*** CID 1220099: Dereference before null check (REVERSE_INULL)
/src/log-droplog.c: 199 in LogDropLogNetFilter()
193 if (SCConfLogReopen(dlt->file_ctx) != 0) {
194 /* Rotation failed, error already logged. */
195 return TM_ECODE_FAILED;
196 }
197 }
198
>>> CID 1220099: Dereference before null check (REVERSE_INULL)
>>> Null-checking "dlt->file_ctx" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
199 if (dlt->file_ctx == NULL) {
200 return TM_ECODE_FAILED;
201 }
202
203 char srcip[46] = "";
204 char dstip[46] = "";
11 years ago
Victor Julien
8a77e6bc8e
Fix Coverity 1220097
...
*** CID 1220097: Missing unlock (LOCK)
/src/log-file.c: 160 in LogFileWriteJsonRecord()
154 }
155 }
156
157 /* Bail early if no file pointer to write to (in the unlikely
158 * event file rotation failed. */
159 if (aft->file_ctx->fp == NULL) {
>>> CID 1220097: Missing unlock (LOCK)
>>> Returning without unlocking "aft->file_ctx->fp_mutex".
160 return;
161 }
162
163 FILE *fp = aft->file_ctx->fp;
164 char timebuf[64];
165 AppProto alproto = FlowGetAppProtocol(p->flow);
11 years ago
Jason Ish
fc2014ab40
Unregister for file rotation notification when a context is
...
de-initialized. Required for unix-socket mode where
contexts come and go.
11 years ago
Jason Ish
e1b97fed70
Add signal based file rotation for:
...
- alert debug log
- fast log
- stats log
- dns log
- drop log
- file log
- http log
- tls log
- eve/json log
11 years ago
Jason Ish
0a33e73417
Add macros for access to the underlying buffer and offset.
...
Useful for passing the buffer through to another writer
such as LogFileCtx.
11 years ago
Jason Ish
c1b6894ce3
Add a rotation flag to LogFileCtx which loggers can use to register
...
for log rotation. Have the LogFileCtx handle the log rotation.
11 years ago
Jason Ish
698a0f7f48
Registration for SIGHUP notification - for loggers interested
...
in file rotation on SIGHUP.
11 years ago
Victor Julien
25cbf36d40
lua/luajit: use HAVE_LUA mostly
...
Only use HAVE_LUAJIT if things are done differently from HAVE_LUA,
like in the states pool.
11 years ago
Victor Julien
7396237c2a
lua: deal with FreeBSD and OpenBSD
...
FreeBSD pkg-config lua-5.1.pc, lib liblua-5.1.so
OpenBSD pkg-config lua51.pc, lib liblua5.1.so
Default (linux) pkg-config: lua5.1.pc, lib liblua5.1.so
11 years ago
Victor Julien
e366c62cf0
lua: support regular lua C library
...
Not all systems have luajit or a need for luajit. For low bandwidth
and offline support regular lua may be sufficient.
11 years ago
Victor Julien
a7118a4ff3
profiling: use wider columns in keyword output
...
Use wider columns in keyword output so that even on high end sensors
the stats tables remain readable.
11 years ago
Noam Meltzer
e873443adb
fix regression in 'make distclean' due to commit cd305c3a
...
the files under scripts/suricatasc/src are actual sources and should not
be cleaned
11 years ago
jeka
dc1599e0dc
bugfix in debug mode:
...
removed function calls from SCReturnX macros
11 years ago
Victor Julien
0765bcc73e
nflog: set socket timeout
...
Set socket timeout so that we can exit if there is no traffic.
It would hang after the SIGINT signal, until packets arrived.
11 years ago
Victor Julien
26c0915375
nflog: warn if buffer-size is larger than max-size
...
If buffer-size is larger than max size, give a warning and adjust
buffer-size to max-size.
11 years ago
Victor Julien
462f9de134
dns: unify type to string logging utility
...
Both DNS loggers had their own CreateTypeString. This patch unifies
them.
11 years ago
Victor Julien
5e87257845
dns: add names for common types
...
Add names for SRV, NAPTR, DS, RRSIG, NSEC, NSEC3 types.
11 years ago
Victor Julien
0bbec75764
nflog: fix typo rising->raising
11 years ago
Victor Julien
0857a60fce
nflog: improve error handling on NOBUFS
...
Don't fall through to handle_packet on any NOBUFS condition. Make
sure we catch all NOBUFS.
11 years ago
Giuseppe Longo
4d72911e17
This patch adds the fields into PacketVars struct to set up a packet from a nflog message
11 years ago
Giuseppe Longo
4dda018ede
Adds nflog option
11 years ago
Giuseppe Longo
0368d5e4a4
Declare a wrapper to parse group option for nflog
11 years ago
Giuseppe Longo
c35432b265
Implements NFLOG runmode
11 years ago
Giuseppe Longo
2ad8a8e111
Bootstrapping NFLOG capture mode
11 years ago
Giuseppe Longo
0162e7e809
Adds nflog error code
11 years ago
Giuseppe Longo
d213d89981
Updating the Tmm Id for declaration of nflog capture mode
11 years ago
Giuseppe Longo
62aaae24fd
Adds a configuration example for nflog support in suricata.yaml
11 years ago
Giuseppe Longo
4851568a41
Checks if libnetfilter_log is found on the system
...
and enables it if it's specified.
11 years ago
Victor Julien
db563ed4b0
tls: check SSL3/TLS version per record
...
Set event if SSL3/TLS record isn't within the acceptable range.
11 years ago
Victor Julien
8ddcf6a816
dns: add tests for TXT response parsing
...
Add valid and invalid examples.
11 years ago
Victor Julien
bddb2c3bdc
dns json: log TXT response data
...
Log TXT data in the rdata field.
11 years ago
Victor Julien
683d2d64e9
dns: parse and store TXT responses
...
This way the TXT data can be logged by the loggers.
Ticket #1158
11 years ago
Victor Julien
174a50554a
Update Changelog for 2.0.1
11 years ago
Victor Julien
7e8f80b390
Update Changelog for 2.0.1rc1 changes
11 years ago
Victor Julien
8ba8c0bf6f
json output: don't set 'unknown' for missing data
...
Instead of setting 'unknown' or '<unknown>' just pass NULL to json_*
function, which results in omitting the data.
11 years ago
Tom DeCanio
11ca25ddca
eve-log: swap ip/port pairs in dns answers
11 years ago
Victor Julien
d4215fca84
http-json: fix coverity warning
...
*** CID 1211009: Bad bit shift operation (BAD_SHIFT)
/src/output-json-http.c: 265 in JsonHttpLogJSON()
259 /* log custom fields if configured */
260 if (http_ctx->fields != 0)
261 {
262 HttpField f;
263 for (f = HTTP_FIELD_ACCEPT; f < HTTP_FIELD_SIZE; f++)
264 {
>>> CID 1211009: Bad bit shift operation (BAD_SHIFT)
>>> In expression "1 << f", left shifting by more than 31 bits has undefined behavior. The shift amount, "f", is as much as 46.
265 if ((http_ctx->fields & (1<<f)) != 0)
266 {
267 /* prevent logging a field twice if extended logging is
268 enabled */
269 if (((http_ctx->flags & LOG_HTTP_EXTENDED) == 0) ||
270 ((http_ctx->flags & LOG_HTTP_EXTENDED) !=
________________________________________________________________________________________________________
*** CID 1211010: Bad bit shift operation (BAD_SHIFT)
/src/output-json-http.c: 492 in OutputHttpLogInitSub()
486 {
487 if ((strcmp(http_fields[f].config_field,
488 field->val) == 0) ||
489 (strcasecmp(http_fields[f].htp_field,
490 field->val) == 0))
491 {
>>> CID 1211010: Bad bit shift operation (BAD_SHIFT)
>>> In expression "1 << f", left shifting by more than 31 bits has undefined behavior. The shift amount, "f", is as much as 46.
492 http_ctx->fields |= (1<<f);
493 break;
494 }
495 }
496 }
497 }
11 years ago
Victor Julien
5cdd9b460a
unix-socket: reset logging APIs properly
...
Lack of proper reset led to logs not being written after the first
pcap had been processed.
11 years ago
Victor Julien
fd56acd4b3
stream: cleanup
...
StreamTcpSetDisableRawReassemblyFlag() has the same effect as
AppLayerParserTriggerRawStreamReassembly in that it will force the
raw reassembly to flush out asap. So it is redundant to call both.
11 years ago
Victor Julien
3543150f42
stream: implement raw reassembly stop api
...
Implement StreamTcpSetDisableRawReassemblyFlag() which stops raw
reassembly for _NEW_ segments in a stream direction.
It is used only by TLS/SSL now, to flag the streams as encrypted.
Existing segments will still be reassembled and inspected, while
new segments won't be. This allows for pattern based inspection
of the TLS handshake.
As is the case with completely disabled 'raw' reassembly, the
logic is that the segments are flagged as completed for 'raw' right
away. So they are not considered in raw reassembly anymore.
As no new segments will be considered, the chunk limit check will
return true on the next call.
11 years ago
Victor Julien
b2184f936e
stream: unify segment discard handling
...
Have a single function StreamTcpReturnSegmentCheck determine if a
segment is ready to be removed from the stream.
Handle FLOW_NOPAYLOAD_INSPECT in raw reassembly.
11 years ago
Victor Julien
ad355c3c0a
app-layer: improve no payload inspect flag
...
If setting APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD, trigger raw
reassembly.
11 years ago
Victor Julien
f0bdb009ed
tls/heartbleed: fix test
...
Now that we continue to track ssl/tls after the handshake, we need
to fix tests that checked for the cutoff flags.
11 years ago
Victor Julien
31655aef7e
tls/heartbleed: improve encrypted logic
...
Don't assume that if the type field isn't 01 or 02 it's an encrypted
heartbeat. Instead, use our knowledge of the SSL state.
11 years ago
Victor Julien
fdbd9b3f25
tls/heartbleed: formatting fixes
11 years ago
Victor Julien
c5f43785f1
tls/heartbleed: add rule for invalid encrypted hb
...
Add rule to tls-events.rules to match on the invalid encrypted
heartbeat.
11 years ago
Will Metcalf
26169ad8c5
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
Victor Julien
0564a8da3c
detect: add more defensive checks for flow handling
...
Don't unconditionally deref f->alparser in detection through
DeStateFlowHasInspectableState(). In very rare cases it can
be NULL.
11 years ago