When running with sgh-mpm-context: full, many more MPMs are created
(16K) and many are small. If they have less than 128 states, they only
need 1 byte for the next state instead of 2 bytes, cutting the size of
the next-state table in half. This reduces total memory usage.
Since that makes 3 different state sizes (1, 2 and 4 bytes), rather
than going from 2 copies of the code to create the MPM to 3, I
factored out the code that fills the next-state table into three
functions so that all the other code could be the same.
The search function is now parameterize for 8-bit and 16-bit state
sizes and alphabet sizes 8, 16, 32, 64, 128 and 256.
Live device counter was in fact the number of packets seen by suricata
and not the total number of packet reported by pfring. This patch fixes
this by using counter provided by kernel instead.
Pfring kernel counter is per socket and is not cleared after read.
So to get the number of packet on the interface we can add the new
value for this thread and add it to the interface counter.
Live device counter was in fact the number of packets seen by suricata
and not the total number of packet reported by kernel. This patch fixes
this by using counter provided by kernel instead.
The counter is Clear On Read, so by adding the value fetch at each call
and earch sockets we get the number of packets and drops for the
interface.
- Seems to be a regression introduced in the commit
796bfab231 (fix was already done in commit
ee0b21652b)
- Doesn't happen with htplib v0.5.6, but it does in the latest, v0.5.9
For AppLayerThreadCtx, AppLayerParserState, AppLayerParserThreadCtx
and AppLayerProtoDetectThreadCtx, use opaque pointers instead of
void pointers.
AppLayerParserState is declared in flow.h as it's part of the Flow
structure.
AppLayerThreadCtx is declared in decode.h, as it's part of the
DecodeThreadVars structure.
A number of unittests would lead to clang build errors because
of unsafe det_ctx ptr usage. This patch fixes these and inits
det_ctx to NULL in the other detect tests.
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
of the archaic features we use in the app layer. We will reintroduce this
parser shortly. Also do note that keywords that rely on the ssh parser
would now be disabled.
Coverity 1139544
If strdup would fail, 'node' was freed but it wasn't set to NULL. The
code then returned node. The caller would not detect there was an error
and use the freed pointer.
If we use SCRealloc like:
x = SCRealloc(x, ...)
then in case of failure we are loosing the original pointer value
and the memory is lost and can not be free.
This test just check for this construction and output an error if
it finds it.
By moving FlowReference() out of FlowGetFlowFromHash() and into the one
function that calls it, all the flow functions take const Packet * instead
of Packet *.
A ptr to local var is stored in the radix tree currently,
this patch permits to alloc space to store host timeout
and thus also free it when data is removed.
defrag-config.c: In function 'DefragParseParameters':
defrag-config.c:105: warning: passing argument 2 of 'DefragPolicyAddHostInfo' from incompatible pointer type
make[3]: *** [defrag-config.o] Error 1
This would only happen in memory failure conditions.
util-decode-der.c:634:27: warning: Potential leak of memory pointed to by 'child'
return (Asn1Generic *)node;
stream-tcp-reassemble.c:2569:17: warning: Value stored to 'seg' is never read
seg = seg->next;
^ ~~~~~~~~~
stream-tcp-reassemble.c:2587:17: warning: Value stored to 'seg' is never read
seg = seg->next;
Ken Steele
Eric Leblond
Duarte Silva
Victor Julien
Anoop Saldanha
Giuseppe Longo