Commit Graph

4783 Commits (suricata-2.0.8)

Author SHA1 Message Date
Victor Julien 771bdd04ef Bug 1329: error out on invalid rule protocol
Due to a logic error in AppLayerProtoDetectGetProtoByName invalid
protocols would not be detected as such. Instead of ALPROTO_UNKNOWN
ALPROTO_MAX was returned.

Bug #1329
11 years ago
Eric Leblond 605e3cc14c unix-manager: fix cppcheck errors
This patch fixes the following errors:
 [src/unix-manager.c:306]: (error) Memory pointed to by 'client' is freed twice.
 [src/unix-manager.c:313]: (error) Memory pointed to by 'client' is freed twice.
 [src/unix-manager.c:323]: (error) Memory pointed to by 'client' is freed twice.
 [src/unix-manager.c:334]: (error) Memory pointed to by 'client' is freed twice.

Unix manager was treating the packet after closing the socket if message was
too long.
11 years ago
Victor Julien 41e3bbefbb stream: don't send EOF to AppLayer too soon
Sending EOF too soon results in the AppLayer cleaning up prematurely.
11 years ago
Ken Steele 4b37224145 Correct flow memory usage bookkeeping error
Fix bug 1321 where flow_memuse was incremented more on allocation than
free.
11 years ago
Victor Julien 2c9ce634a9 http: don't crash when normalizing uri on low memory 11 years ago
Victor Julien 4eff27c108 defrag: don't crash when out of memory
Handle memory allocation errors in defrag better. Could lead to
crashes if malloc errors happened.
11 years ago
Victor Julien dbd8c6e604 pcre: fix var capture for non relative matches
Var capture setup depended on the match being relative due to a logic
error.
11 years ago
Christophe M 3f5c34ae35 Fix to output a JSON buffer to an Unix domain socket.
Create the JSON buffer and write to it like regular file.

Upper function SCConfLogOpenGeneric already handle it properly.

Closes issue #1246.
11 years ago
Ken Steele ba13b2d5d1 Make suricata_ctl_flags be volatile
The global variable suricata_ctl_flags needs to volatile, otherwise the
compiler might not cause the variable to be read every time because it
doesn't know other threads might write the variable.

This was causing Suricata to not exit under some conditions.
11 years ago
Victor Julien a8c30df638 stream/async: improve handling of syn/ack pickup
If we picked up the ssn with a syn/ack, we don't need to make more
assumptions about sack and wscale after that.
11 years ago
Victor Julien 64d6ee53f8 stream/async: fix session setup issues
For these 2 cases:

1. Missing SYN:
-> syn <= missing
<- syn/ack
-> ack
-> data

2. Missing SYN and 3whs ACK:
-> syn <= missing
<- syn/ack
-> ack <= missing
-> data

Fix session pickup. The next_win settings weren't correctly set, so that
packets were rejected.

Bug 1190.
11 years ago
Victor Julien aa38f10967 stream: improve tracking with pkt loss in async
If 3whs SYN/ACK and ACK are missing we can still pick up the session if
in async-oneside mode.

-> syn
<- syn/ack <= missing
-> ack     <= missing
-> data

Bug 1190.
11 years ago
Victor Julien b659508d0f stream: improve bad window update detection
Ignore more valid ACKs in FIN shutdown phase.

Improve heuristic for window shrinking in case of packet loss.
11 years ago
Victor Julien 012f36562d stream: fix 'bad window update' false positive
ACK packets completing a valid FIN shutdown could be flagged as
'bad window update' if they would shrink the window.

This patch detects this case before doing the bad window update
check.
11 years ago
Tom DeCanio 08a04a0a15 sanity check tcp SACK edges prior to recording. Attempt to avoid Cisco ASA
tcp randomization issue with it not properly writing sequence numbers in SACK.
11 years ago
Victor Julien 5b394cab31 stream: improve handling of 3whs packet loss
If the 3whs ACK and some data after this is lost, we would get stuck
in the 'SYN_RECV' state, where from there each packet might be
considered invalid.

This patch improves the handling of this case.
11 years ago
Victor Julien 407ff92f58 stream: fix ssh/ssl logging on tcp session reuse
TCP session reuse wouldn't unset FLOW_NO_APPLAYER_INSPECTION.
11 years ago
Victor Julien 9e6acc50a9 ssh.softwareversion: allow more characters
The keyword would not allow matching on "OpenSSH_5.5p1 Debian-6+squeeze5"
as the + and space characters were not allowed.

This patch adds support for them.
11 years ago
Jason Ish b6f9809403 Bug 1230: Check all SigMatch lists for a named byte_extract variable. 11 years ago
Jason Ish a333f02347 Bug 1230: Simple test case demonstrating failure. 11 years ago
Ken Steele 27182f7f65 Fix compiler warning about uninitialized variable in mpipe. 11 years ago
Victor Julien 7c621d53bb tile: silence harmless cc warnings 11 years ago
Victor Julien 3c4e3381bb tcp session reuse: reset detect state
Reset the detect state on TCP session reuse. We reset the app layer,
so we need to reset the stateful detection as well.
11 years ago
Victor Julien 00325be458 detect state: always lock de_state_m
Always lock the de_state_m on access, also at flow recycle or
cleanup.
11 years ago
Victor Julien 382cb7c8af filestore: fix parsing bug
Filestore keyword can have options or no options, and the parser
was enforcing the NOOPT flag too strictly.

Bug #1288
11 years ago
Victor Julien cd03c00297 ssh: convert error message to debug statement
Don't print errors based on traffic issues.
11 years ago
Eric Leblond 8ec28dea16 app-layer-ssh: fix banner parser
Carefully crafted SSH banner could result in parser error.

CVE 2014-6603

Signed-off-by: Eric Leblond <eric@regit.org>
Reported-By: Steffen Bauch
11 years ago
Victor Julien 48499b1739 ipv6: RH extension header parsing issue
A logic error in the IPv6 Routing header parsing caused accidental
updating of the original packet buffer. The calculated extension
header lenght was set to the length field of the routing header,
causing it to be wrong.

This has 2 consequences:

1. defrag failure. As the now modified payload was used in defrag,
the decoding of the reassembled packet now contained a broken length
field for the routing header. This would lead to decoding failure.

The potential here is evasion, although it would trigger:
[1:2200014:1] SURICATA IPv6 truncated extension header

2. in IPS mode, especially the AF_PACKET mode, the modified and now
broken packet would be transmitted on the wire. It's likely that
end hosts and/or routers would reject this packet.

NFQ based IPS mode would be less affected, as it 'verdicts' based on
the packet handle. In case of replacing the packet (replace keyword
or stream normalization) it could broadcast the bad packet.

Additionally, the RH Type 0 address parsing was also broken. It too
would modify the original packet. As the result of this code was not
used anywhere else in the engine, this code is now disabled.

Reported-By: Rafael Schaefer <rschaefer@ernw.de>
11 years ago
Victor Julien a3bd19e18a af-packet: check pointers before use 11 years ago
Eric Leblond e9821accc8 af-packet: force suricata in IPS mode when needed
AF_PACKET is not setting the engine mode to IPS when some
interfaces are peered and use IPS mode. This is due to the
fact, it is possible to peer 2 interfaces and run an IPS on
them and have a third one that is running in normal IDS mode.

In fact this choice is the bad one as unwanted side effect is
that there is no drop log and that stream inline is not used.

To fix that, this patch puts suricata in IPS mode as soon as
there is two interfaces in IPS mode. And it displays a error
message to warn user that the accuracy of detection on IDS only
interfaces will be low.
11 years ago
Victor Julien 5279c2472d rule parser: set flag for optionless keywords
If a keyword doesn't have an argument, it should set the SIGMATCH_NOOPT
flag so the parser knows.
11 years ago
Victor Julien a065c8d94c rule parser: fix crashing on malformed options
Fix crashing on malformed rule options like 'rev;1;'.

Bug 1254.
11 years ago
Victor Julien 0b559b0f2f lua: fix http.request_line
The request line scripts were added to the AMATCH list. However, there
is not AppLayerMatch function defined for lua scripts. So scripts
would not run.

This patch adds the request line scripts to the normal 'MATCH' list.

Bug #1273.
11 years ago
Victor Julien 239a96d5d7 tls: fix a tls.fingerprint issue in debug mode
Print proper variable so we don't NULL-deref.

Bug #1279.
11 years ago
Eric Leblond 83577b5f0e source-nfq: fix display of next queue
Suricata was displaying an invalid queue number as the value is
shift at the moment of its assignement.
11 years ago
bmeeks8 928194d6f7 Bug fix: IPv6 addresses in negated range and IPv6 string into radix tree.
I found three somewhat serious IPv6 address bugs within the Suricata 2.0.x source code. Two are in the source module "detect-engine-address.c", and the third is in "util-radix-tree.c".

The first bug occurs within the function DetectAddressParse2(). When parsing an address string and a negated block is encountered (such as when parsing !$HOME_NET, for example), any corresponding IPv6 addresses were not getting added to the Group Heads in the DetectAddressList. Only IPv4 addresses were being added.

I discovered another bug related to IPv6 address ranges in the Signature Match Address Array comparison code for IPv6 addresses. The function DetectAddressMatchIPv6() walks a signature's source or destination match address list comparing each to the current packet's corresponding address value. The match address list consists of value pairs representing a lower and upper IP address range. If the packet's address is within that range (including equal to either the lower or upper bound), then a signature match flag is returned.

The original test of each signature match address to the packet was performed using a set of four compounded AND comparisons looking at each of the four 32-bit blocks that comprise an IPv6 address. The problem with the old comparison is that if ANY of the four 32-bit blocks failed the test, then a "no-match" was returned. This is incorrect. If one or more of the more significant 32-bit blocks met the condition, then it is a match no matter if some of the less significant 32-bit blocks did not meet the condition. Consider this example where Packet represents the packet address being checked, and Target represents the upper bound of a match address pair. We are testing if Packet is less than Target.

Packet -- 2001:0470 : 1f07:00e2 : 1988:01f1 : d468:27ab
Target -- 2001:0470 : 1f07:00e2 : a48c:2e52 : d121:101e

In this example the Packet's address is less than the target and it should give a match. However, the old code would compare each 32-bit block (shown spaced out above for clarity) and logically AND the result with the next least significant block comparison. If any of the four blocks failed the comparison, that kicked out the whole address. The flaw is illustrated above. The first two blocks are 2001:0470 and 1f07:00e2 and yield TRUE; the next less significant block is 1988:01f1 and a48c:2e52, and also yields TRUE (that is, Packet is less than Target); but the last block compare is FALSE (d468:27ab is not less than d121:101e). That last block is the least significant block, though, so its FALSE determination should not invalidate a TRUE from any of the more significant blocks. However, in the previous code using the compound logical AND block, that last least significant block would invalidate the tests done with the more significant blocks.

The other bug I found for IPv6 occurs when trying to parse and insert an IPv6 address into a Radix Tree using the function SCRadixAddKeyIPV6String(). The test for min and max values for an IPv6 CIDR mask incorrectly tests the upper limit as 32 when it should be 128 for an IPv6 address. I think this perhaps is an old copy-paste error if the IPv6 version of this function was initially copied from the corresponding IPv4 version directly above it in the code. Without this patch, the function will return null when you attempt to add an IPv6 network whose CIDR mask is larger than 32 (for example, the popular /64 mask will cause the function to return the NULL error condition).

(amended by Victor Julien)
11 years ago
Victor Julien ba7e5aac88 stream: detect and filter out bad window updates
Reported in bug 1238 is an issue where stream reassembly can be
disrupted.

A packet that was in-window, but otherwise unexpected set the
window to a really low value, causing the next *expected* packet
to be considered out of window. This lead to missing data in the
stream reassembly.

The packet was unexpected in various ways:
- it would ack unseen traffic
- it's sequence number would not match the expected next_seq
- set a really low window, while not being a proper window update

Detection however, it greatly hampered by the fact that in case of
packet loss, quite similar packets come in. Alerting in this case
is unwanted. Ignoring/skipping packets in this case as well.

The logic used in this patch is as follows. If:

- the packet is not a window update AND
- packet seq > next_seq AND
- packet acq > next_seq (packet acks unseen data) AND
- packet shrinks window more than it's own data size
THEN set event and skip the packet in the stream engine.

So in case of a segment with no data, any window shrinking is rejected.

Bug #1238.
11 years ago
Victor Julien c6e83d92d7 ipv6: fix dst/hop header option parsing
The extension header option parsing used a uint8_t internally. However
much bigger option sizes are valid.
11 years ago
Victor Julien facacc0d1c defrag: use 'struct timeval' for timeout tracking
Until now the time out handling in defrag was done using a single
uint32_t that tracked seconds. This lead to corner cases, where
defrag trackers could be timed out a little too early.
11 years ago
Victor Julien 0f67fac523 ipv6: set event on unsupported nh
If a next header / protocol is encountered that we can't handle (yet)
set an event. Disabled the rule by default.

    decode-event:ipv6.unknown_next_header;
11 years ago
Victor Julien ae9be33bf7 ipv6: more robust ipv6 exthdr handling
Skip past Shim6, HIP and Mobility header.

Detect data after 'none' header.
    decode-event:ipv6.data_after_none_header;
11 years ago
Victor Julien df8048f8e8 ipv6: detect frag header reserved field non-zero
Frag Header length field is reserved, and should be set to 0.

    decode-event:ipv6.fh_non_zero_reserved_field;
11 years ago
Victor Julien a0fcead75e ipv6: make exthdr parsing more robust
Improve data length checks. Detect PadN option with 0 length.
11 years ago
Victor Julien 9e949b7999 ipv6: set flag on type 0 routing header
Type 0 Routing headers are deprecated per RFC 5095.

This patch sets an decode event flag that can be matched on through:
    decode-event:ipv6.rh_type_0;
11 years ago
Victor Julien 930d092edb ipv6 defrag: fix unfragmentable exthdr handling
Fix or rather implement handling of unfragmentable exthdrs in ipv6.
The exthdr(s) appearing before the frag header were copied into the
reassembled packet correctly, however the stripping of the frag header
did not work correctly.

Example:
The common case is a frag header directly after the ipv6 header:

[ipv6 header]->[frag header]->[icmpv6 (part1)]
[ipv6 header]->[frag header]->[icmpv6 (part2)]

This would result in:
[ipv6 header]->[icmpv6]

The ipv6 headers 'next header' setting would be updated to point to
whatever the frag header was pointing to.

This would also happen when is this case:

[ipv6 header]->[hop header]->[frag header]->[icmpv6 (part1)]
[ipv6 header]->[hop header]->[frag header]->[icmpv6 (part2)]

The result would be:
[ipv6 header]->[hop header]->[icmpv6]

However, here too the ipv6 header would have been updated to point
to what the frag header pointed at. So it would consider the hop header
as if it was an ICMPv6 header, or whatever the frag header pointed at.

The result is that packets would not be correctly parsed, and thus this
issue can lead to evasion.

This patch implements handling of the unfragmentable part. In the first
segment that is stored in the list for reassembly, this patch detects
unfragmentable headers and updates it to have the last unfragmentable
header point to the layer after the frag header.

Also, the ipv6 headers 'next hdr' is only updated if no unfragmentable
headers are used. If they are used, the original value is correct.

Reported-By: Rafael Schaefer <rschaefer@ernw.de>

Bug #1244.
11 years ago
Victor Julien e6cc778806 magic: disable tests depending on magic version
Some tests depend on specific results by specific magic versions.
Disable these.
11 years ago
sxhlinux c30faa17a3 Update app-layer-htp.c
When keyword "boundary=" doesn't exist in the http_header, the value of r is 0 and this condition shouldn't return 0 instead 1;
11 years ago
Victor Julien 2646edc129 Profiling: fix compilation on CentOS5
Bug #1207
11 years ago
Victor Julien f232fdc0c9 htp: init memuse atomics
In case of the spinlocked fallback code the lock was uninitialized.
11 years ago
Victor Julien f06e5f3c73 ethtool: add missing include necessary for CentOS5 11 years ago
Alexander Gozman 405baa3cb2 Fix compile-time error on old kernels and ethtool.h 11 years ago
sxhlinux 546ae9737b Update log-file.c
test whether tx_ud is NULL
11 years ago
Ken Steele f2e777e3a5 Fix lowercase table initialization (bug 1221)
The for loop needed to check for < 256, not < 255.
11 years ago
Victor Julien 27eb0f450a defrag: fix timeout setting when config is missing
When the config is missing, DefragPolicyGetHostTimeout will default
to returning -1. This will effectively set no timeout at all, leading
to defrag trackers being freed too early.
11 years ago
Eric Leblond 97ca02f0c5 defrag: fix reconstruction
This patch is fixing an issue in defragmentation code. The
insertion of a fragment in the list of fragments is done with
respect to the offset of the fragment. But the code was using
the original offset of the fragment and not the one of the
new reconstructed fragment (which can be different in the
case of overlapping segment where the left part is trimmed).

This case could lead to some evasion techniques by causing
Suricata to analyse a different payload.
11 years ago
Eric Leblond 09fd7060ec unix socket: fix valgrind issue
This patch fixes the following issue reported by valgrind:
 31 errors in context 1 of 1:
 Conditional jump or move depends on uninitialised value(s)
    at 0x8AB2F8: UnixSocketPcapFilesCheck (runmode-unix-socket.c:279)
    by 0x97725D: UnixCommandBackgroundTasks (unix-manager.c:368)
    by 0x97BC52: UnixManagerThread (unix-manager.c:884)
    by 0x6155F6D: start_thread (pthread_create.c:311)
    by 0x6E3A9CC: clone (clone.S:113)

The running field in PcapCommand was not initialized.
11 years ago
Eric Leblond a33d1e28e9 unix-manager: fix crash when client disconnect
This patch fixes an issue in unix socket handling. It is possible
that a socket did disconnect when analysing a command and because
the data treatment is done in a loop on clients this was leading
to a update of the list of clients during the loop. So we need
in fact to use TAILQ_FOREACH_SAFE instead of TAILQ_FOREACH.

Reported-by: Luigi Sandon <luigi.sandon@gmail.com>
Fix-suggested-by: Luigi Sandon <luigi.sandon@gmail.com>
11 years ago
Ken Steele 6ebc20f6d8 Rework Tile CPU affinity setting to handle non-contiguous sets of CPUs.
It is possible to have a non-contiguous CPU set, which was not being
handled correctly on the TILE architecture.

Added a "rank" field in the ThreadVar to store the worker's rank separately
from the cpu for this case.
11 years ago
Mats Klepsland 1f3fbbc992 Fix bug #1206
PF_RING ZC uses clusters in the same way as PF_RING DNA. Therefore,
this bug can be fixed as it was fixed for DNA (bug #598).
11 years ago
Victor Julien 896b61452c htp: make htp state handling function more robust
Also, fix wrong cast that worked only by luck.
11 years ago
Victor Julien eff85aba5e http: remove BUG_ON(1) statement
Remove BUG_ON(1) statement that was a leftover from debugging.

Bug #1189
Bug #1212
11 years ago
Alessandro Guido 13448aca1c Fix issue #1214
When applying wildcard thresholds (with sid = 0 and/or gid = 0) it's wrong
to exit on the first signature already having an event filter. Indeed,
doing so results in the theshold not being applied to all subsequent
signatures. Change the code in order to skip signatures with event
filters instead of breaking out of the loop.
11 years ago
Victor Julien 9de536efdb Bug 1098: improve invalid pcre/R handling
When not using a file_data or similar 'sticky buffer', a pcre/R option
needs a content in the same buffer.
11 years ago
Giuseppe Longo 8db3f214f0 nflog: fix memory leaks
This fixes the following memory leaks:

[src/source-nflog.c:222]: (error) Memory leak: ntv
[src/source-nflog.c:236]: (error) Memory leak: ntv
[src/source-nflog.c:253]: (error) Memory leak: ntv
[src/source-nflog.c:258]: (error) Memory leak: ntv
11 years ago
Victor Julien cc54250cf9 Fix live reload segv when startup isn't complete
If a live reload signal was given before the engine was fully started
up (e.g. pcap file thread waiting for a disk to spin up), a segv could
occur.

This patch only enables live reloads after the threads have been
started up completely.
11 years ago
Victor Julien 2c20c9d409 Fix Coverity 1220098 and 1220099
*** CID 1220098:  Missing unlock  (LOCK)
/src/log-droplog.c: 195 in LogDropLogNetFilter()
189         SCMutexLock(&dlt->file_ctx->fp_mutex);
190
191         if (dlt->file_ctx->rotation_flag) {
192             dlt->file_ctx->rotation_flag  = 0;
193             if (SCConfLogReopen(dlt->file_ctx) != 0) {
194                 /* Rotation failed, error already logged. */
>>>     CID 1220098:  Missing unlock  (LOCK)
>>>     Returning without unlocking "dlt->file_ctx->fp_mutex".
195                 return TM_ECODE_FAILED;
196             }
197         }
198
199         if (dlt->file_ctx == NULL) {
200             return TM_ECODE_FAILED;

*** CID 1220099:  Dereference before null check  (REVERSE_INULL)
/src/log-droplog.c: 199 in LogDropLogNetFilter()
193             if (SCConfLogReopen(dlt->file_ctx) != 0) {
194                 /* Rotation failed, error already logged. */
195                 return TM_ECODE_FAILED;
196             }
197         }
198
>>>     CID 1220099:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "dlt->file_ctx" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
199         if (dlt->file_ctx == NULL) {
200             return TM_ECODE_FAILED;
201         }
202
203         char srcip[46] = "";
204         char dstip[46] = "";
11 years ago
Victor Julien 8a77e6bc8e Fix Coverity 1220097
*** CID 1220097:  Missing unlock  (LOCK)
/src/log-file.c: 160 in LogFileWriteJsonRecord()
154             }
155         }
156
157         /* Bail early if no file pointer to write to (in the unlikely
158          * event file rotation failed. */
159         if (aft->file_ctx->fp == NULL) {
>>>     CID 1220097:  Missing unlock  (LOCK)
>>>     Returning without unlocking "aft->file_ctx->fp_mutex".
160             return;
161         }
162
163         FILE *fp = aft->file_ctx->fp;
164         char timebuf[64];
165         AppProto alproto = FlowGetAppProtocol(p->flow);
11 years ago
Jason Ish fc2014ab40 Unregister for file rotation notification when a context is
de-initialized.  Required for unix-socket mode where
contexts come and go.
11 years ago
Jason Ish e1b97fed70 Add signal based file rotation for:
- alert debug log
- fast log
- stats log
- dns log
- drop log
- file log
- http log
- tls log
- eve/json log
11 years ago
Jason Ish 0a33e73417 Add macros for access to the underlying buffer and offset.
Useful for using passing the buffer through to another writer
such as LogFileCtx.
11 years ago
Jason Ish c1b6894ce3 Add a rotation flag to LogFileCtx which loggers can use to register
for log rotation.  Have the LogFileCtx handle the log rotation.
11 years ago
Jason Ish 698a0f7f48 Registration for SIGHUP notification - for loggers interested
in file rotation on SIGHUP.
11 years ago
Victor Julien 25cbf36d40 lua/luajit: use HAVE_LUA mostly
Only use HAVE_LUAJIT if things are done differently from HAVE_LUA,
like in the states pool.
11 years ago
Victor Julien a7118a4ff3 profiling: use wider columns in keyword output
Use wider columns in keyword output so that even on high end sensors
the stats tables remain readable.
11 years ago
jeka dc1599e0dc bugfix in debug mode:
removed function calls from SCReturnX macros
11 years ago
Victor Julien 0765bcc73e nflog: set socket timeout
Set socket timeout so that we can exit if there is no traffic.

It would hang after the SIGINT signal, until packets arived.
11 years ago
Victor Julien 26c0915375 nflog: warn if buffer-size is larger than max-size
If buffer-size is larger than max size, give a warning and adjust
buffer-size to max-size.
11 years ago
Victor Julien 462f9de134 dns: unify type to string logging utility
Both DNS loggers had their own CreateTypeString. This patch unifies
them.
11 years ago
Victor Julien 5e87257845 dns: add names for common types
Add names for SRV, NAPTR, DS, RRSIG, NSEC, NSEC3 types.
11 years ago
Victor Julien 0bbec75764 nflog: fix typo rising->raising 11 years ago
Victor Julien 0857a60fce nflog: improve error handling on NOBUFS
Don't fall through to handle_packet on any NOBUFS condition. Make
sure we catch all NOBUFS.
11 years ago
Giuseppe Longo 4d72911e17 This patch adds the fields into PacketVars struct to setup a packet from a nflog message 11 years ago
Giuseppe Longo 4dda018ede Adds nflog option 11 years ago
Giuseppe Longo 0368d5e4a4 Declare a wrapper to parse group option for nflog 11 years ago
Giuseppe Longo c35432b265 Implements NFLOG runmode 11 years ago
Giuseppe Longo 2ad8a8e111 Bootstraping NFLOG capture mode 11 years ago
Giuseppe Longo 0162e7e809 Adds nflog error code 11 years ago
Giuseppe Longo d213d89981 Updating the Tmm Id for declaration of nflog capture mode 11 years ago
Victor Julien db563ed4b0 tls: check SSL3/TLS version per record
Set event if SSL3/TLS record isn't within the acceptable range.
11 years ago
Victor Julien 8ddcf6a816 dns: add tests for TXT response parsing
Add valid and invalid examples.
11 years ago
Victor Julien bddb2c3bdc dns json: log TXT response data
Log TXT data in the rdata field.
11 years ago
Victor Julien 683d2d64e9 dns: parse and store TXT responses
This way the TXT data can be logged by the loggers.

Ticket #1158
11 years ago
Victor Julien 8ba8c0bf6f json output: don't set 'unknown' for missing data
Instead of setting 'unknown' or '<unknown>' just pass NULL to json_*
function, which results in omitting the data.
11 years ago
Tom DeCanio 11ca25ddca eve-log: swap ip/port pairs in dns answers 11 years ago
Victor Julien d4215fca84 http-json: fix coverity warning
*** CID 1211009:  Bad bit shift operation  (BAD_SHIFT)
/src/output-json-http.c: 265 in JsonHttpLogJSON()
259         /* log custom fields if configured */
260         if (http_ctx->fields != 0)
261         {
262             HttpField f;
263             for (f = HTTP_FIELD_ACCEPT; f < HTTP_FIELD_SIZE; f++)
264             {
>>>     CID 1211009:  Bad bit shift operation  (BAD_SHIFT)
>>>     In expression "1 << f", left shifting by more than 31 bits has undefined behavior.  The shift amount, "f", is as much as 46.
265                 if ((http_ctx->fields & (1<<f)) != 0)
266                 {
267                     /* prevent logging a field twice if extended logging is
268                        enabled */
269                     if (((http_ctx->flags & LOG_HTTP_EXTENDED) == 0) ||
270                         ((http_ctx->flags & LOG_HTTP_EXTENDED) !=

________________________________________________________________________________________________________
*** CID 1211010:  Bad bit shift operation  (BAD_SHIFT)
/src/output-json-http.c: 492 in OutputHttpLogInitSub()
486                         {
487                             if ((strcmp(http_fields[f].config_field,
488                                        field->val) == 0) ||
489                                 (strcasecmp(http_fields[f].htp_field,
490                                             field->val) == 0))
491                             {
>>>     CID 1211010:  Bad bit shift operation  (BAD_SHIFT)
>>>     In expression "1 << f", left shifting by more than 31 bits has undefined behavior.  The shift amount, "f", is as much as 46.
492                                 http_ctx->fields |= (1<<f);
493                                 break;
494                             }
495                         }
496                     }
497                 }
11 years ago
Victor Julien 5cdd9b460a unix-socket: reset logging api's properly
Lack of proper reset lead to logs not being written after the first
pcap had been processed.
11 years ago
Victor Julien fd56acd4b3 stream: cleanup
StreamTcpSetDisableRawReassemblyFlag() has the same effect as
AppLayerParserTriggerRawStreamReassembly in that it will force the
raw reassembly to flush out asap. So it is redundant to call both.
11 years ago
Victor Julien 3543150f42 stream: implement raw reassembly stop api
Implement StreamTcpSetDisableRawReassemblyFlag() which stops raw
reassembly for _NEW_ segments in a stream direction.

It is used only by TLS/SSL now, to flag the streams as encrypted.
Existing segments will still be reassembled and inspected, while
new segments won't be. This allows for pattern based inspection
of the TLS handshake.

Like is the case with completely disabled 'raw' reassembly, the
logic is that the segments are flagged as completed for 'raw' right
away. So they are not considered in raw reassembly anymore.

As no new segments will be considered, the chunk limit check will
return true on the next call.
11 years ago
Victor Julien b2184f936e stream: unify segment discard handling
Have a single function StreamTcpReturnSegmentCheck determine if a
segment is ready to be removed from the stream.

Handle FLOW_NOPAYLOAD_INSPECT in raw reassembly.
11 years ago
Victor Julien ad355c3c0a app-layer: improve no payload inspect flag
If setting APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD, trigger raw
reassembly.
11 years ago