aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,652 Commits
7 Branches
161 Tags
173 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'suricata-3.2.1'
${ noResults }
Commit Graph

6911 Commits (suricata-3.2.1)

Author SHA1 Message Date
Victor Julien dab51144af asn1: modernize test 9 years ago
Victor Julien 613174e9ce yaml: fix tests for -Wshadow 9 years ago
Victor Julien 968813b655 dnp3: fix test for -Wshadow 9 years ago
Victor Julien bb2d8a7133 runmodes: fix -Wshadow warnings 9 years ago
Victor Julien 8c1d157cd2 mpm ac-bs: fix -Wshadow warnings 9 years ago
Victor Julien 0d6d8e01c8 threads: fix -Wshadow warnings 9 years ago
Victor Julien cd04da673b commandline: fix -Wshadow warnings 9 years ago
Victor Julien 69ee2f0eb9 nfq: fix -Wshadow warnings 
Rename globals to make sure it's clear they are globals.
 9 years ago
Victor Julien 65d2443ccd reputation: fix -Wshadow warnings 9 years ago
Victor Julien d893bc55e0 eve-flow: fix -Wshadow warning 9 years ago
Victor Julien 9477fd4628 eve-file: fix -Wshadow warnings 9 years ago
Victor Julien ed0918bc35 ippair: fix -Wshadow warning 9 years ago
Victor Julien 5f786b5cd7 host: fix -Wshadow warning 9 years ago
Victor Julien 0c3b89356e flow: fix -Wshadow warning 9 years ago
Victor Julien 70452f67a4 within: fix -Wshadow warning 9 years ago
Victor Julien 47c4a8cd28 prefilter: fix -Wshadow warnings 9 years ago
Victor Julien f2f0f84cca detect: fix -Wshadow warning 9 years ago
Victor Julien 070a6caaf3 app engines: fix -Wshadow warning 9 years ago
Victor Julien 691fae6520 address: fix -Wshadow warning 9 years ago
Victor Julien 34b030b45f distance: fix -Wshadow warning 9 years ago
Victor Julien d50b4b8471 content: fix -Wshadow warning 9 years ago
Victor Julien 02df79f67b mem: fix SCStrdup -Wshadow warning 9 years ago
Victor Julien f97e857c02 dns: fix -Wshadow warnings 9 years ago
Victor Julien 6a971a5a02 app-layer-proto-detect: fix -Wshadow warning 9 years ago
Victor Julien 287fd83796 dnp3: fix coverity CID 1374300 9 years ago
Victor Julien 8915f2de38 flow: suppress coverity CID 400600 9 years ago
Victor Julien edcc8e7ec9 stat: suppress CID 1293508 and 1312013 9 years ago
Victor Julien 7021959689 nfq: suppress CID 1374302 and 1374303 9 years ago
Victor Julien da6bf0c1b6 host-info: coverity 1298890 9 years ago
Victor Julien 9904b3f348 ttl: coverity 400560 + minor cleanups 9 years ago
Victor Julien d30f7f6b48 tos: coverity 400559 9 years ago
Victor Julien ad8f9f9334 ssl-state: coverity 400558 9 years ago
Jason Ish c91974e24a issue 1961: depth: fail if numeric value has trailing text 
Catches the case where the depth is not terminated with a
semicolon (eg: "depth:17 classtype:trojan-activity") which
is usually a sign the rule has a missing semi-colon.
 9 years ago
Jason Ish a1eca40611 log-pcap.c: cleanup scan-build warning 
Don't initialize value to a value that is never used.
 9 years ago
Jason Ish 553f7ec290 log-pcap.c: fix resource leak found by coverity 
Goto the failure label instead of returning which will allow the open
directory to get cleaned up.

Fixes:

*** CID 1394675:  Resource leaks  (RESOURCE_LEAK)
/src/log-pcap.c: 615 in PcapLogInitRingBuffer()
609                  * failure as the file might just not be a pcap log file. */
610                 continue;
611             }
612
613             PcapFileName *pf = SCCalloc(sizeof(*pf), 1);
614             if (unlikely(pf == NULL)) {
>>>     CID 1394675:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "dir" going out of scope leaks the storage it points to.
615                 return TM_ECODE_FAILED;
616             }
617             char path[PATH_MAX];
618             snprintf(path, PATH_MAX - 1, "%s/%s", pattern, entry->d_name);
619             if ((pf->filename = SCStrdup(path)) == NULL) {
620                 goto fail;

This also means that pf can be NULL which should clear up CID
1394676 (REVERSE_INULL).
 9 years ago
Jason Ish bbb93e487e pcap-log: seed ring buffer on start up 
On start, look for existing pcap log files and add them to
the ring buffer. This makes pcap-log self maintaining over
restarts removing the need for external tools to clear
orphaned files.
 9 years ago
Eric Leblond a2e2f50fb9 documentation: fix list keywords URLs 
Update URLs in keyword definition to point to sphinx documentation.
 9 years ago
Jason Ish fffdc6e3fd logging: hook the application log file into rotation 9 years ago
Jason Ish 73a1d04779 logging: open application log file in append mode 
It was being open in read/write mode, which was likely
a mistake with append mode being the intention.
 9 years ago
Jason Ish 666fecc579 dns: accept a data length of 0 without marking as malformed 
Addresses issue:
https://redmine.openinfosecfoundation.org/issues/1924
 9 years ago
Jason Ish d5eca41a71 ipfw: disable more code to suppress compiler warnings 
Disabled code lead to unused variable warnings, so disable the
variable code as well.
 9 years ago
Jason Ish 2b874abada compiler warnings: fix compiler warnings in format strings 9 years ago
Victor Julien 3f8ee2afd3 detect-lua: unify on using 'lua' name vs 'luajit' 9 years ago
Victor Julien 0366d47608 luajit: remove unused instance counter 9 years ago
Victor Julien 3da7dad514 lua: luajit improvements 
Luajit has a strange memory requirement, it's 'states' need to be in the
first 2G of the process' memory.

This patch improves the pool approach by moving it to the front of the
start up.

A new config option 'luajit.states' is added to control how many states
are preallocated. It defaults to 128.

Add a warning when more states are used then preallocated. This may fail
if flow/stream/detect engines use a lot of memory. Add hint at exit that
gives the max states in use if it's higher than the default.
 9 years ago
Victor Julien 064c070db7 pcap-file: minor cleanup 9 years ago
Victor Julien 238163bc8d ENIP: disable parser if no config found 9 years ago
Victor Julien 080a2f0cfb DNP3: disable in case of no dnp3 config 9 years ago
Jason Ish 65bf06975c dnp3: fix coverity checks; return value not checked 9 years ago
Victor Julien 1f670837ac detect: add missing break (CID 1374301) 9 years ago
Victor Julien c0f25bddaf eve: make payload printing in alerts more robust 9 years ago
Victor Julien 39a23d8d1b flowint: allow / in name 9 years ago
Victor Julien 56ff853e73 hostbits: test fixes 9 years ago
Victor Julien 8831e5b375 pkt-var: const name 9 years ago
Victor Julien 5dc9c1b874 DNP3: minor cleanup 9 years ago
Victor Julien 7cf231c7ec DNP3: don't leak memory on dnp3_obj parsing 9 years ago
Jason Ish f0de1d04a9 DNP3: Use directional logging. 
Instead of waiting for a transaction complete, log the
request as soon as it is completes which will give it a
more accurate timestamp.
 9 years ago
Jason Ish f70badeb0e DNP3: --afl-dnp3 entry point 9 years ago
Jason Ish a59f31a99f DNP3: Lua detect support. 
Adds support for access the DNP3 transaction in Lua rules.
 9 years ago
Jason Ish 44a69f6355 DNP3: Log DNP3 info with DNP3 alert. 9 years ago
Jason Ish 1c3f373543 DNP3: Log DNP3 transactions. 9 years ago
Jason Ish 1a31bded4a DNP3: dnp3_data, dnp3_func, dnp3_ind, dnp3_obj rule keywords 9 years ago
Jason Ish bbaa79b80e DNP3: Application layer decoder. 
Decodes TCP DNP3 and raises some DNP3 decoder alerts.
 9 years ago
Jason Ish da40714cb1 common: define json_boolean when not defined 
Older versions of jansson in current use don't have this
macro defined.
 9 years ago
fooinha f6c0abaae7 eve: check redis reply in non pipeline mode 
We may lose the reply if disconnection happens.
Reconnection is needed.
 9 years ago
Victor Julien 2758f82515 flowvar: cleanups 9 years ago
Jason Ish 9d271e9a71 fast-pattern: fix tls_sni 
Use all 38 arguments in call to SigMatchGetLastSMFromLists

Was preventing fast_pattern from being applied to tls_sni:
https://redmine.openinfosecfoundation.org/issues/1936
 9 years ago
Jason Ish 7d734edca8 dns: use new unittest macros 9 years ago
Jason Ish a8f6fb0f78 dns: support back to back requests without a response 
Address the issue where a DNS response would not be logged when
the traffic is like:
- Request 1
- Request 2
- Response 1
- Response 2
which can happen on dual stack machines where the request for A
and AAAA are sent out at the same time on the same UDP "session".

A "window" is used to set the maximum number of outstanding
responses before considering the olders lost.
 9 years ago
Jason Ish 64cc91a569 tcp dns: unit test for multi-request buffer 9 years ago
Jason Ish 2d4df19401 tcp dns: fix advancement to next request in buffer 
The advancement through the buffer was not taking into account
the size of the length field resulting in the second request
being detected as bad data.
 9 years ago
Victor Julien db1c47cb6e multi-tenant: make less verbose 9 years ago
Victor Julien 51bb1f0d77 multi-tenants: fix minor memleak 9 years ago
Victor Julien 059b25b564 detect: suppress debug message for reloads 9 years ago
Victor Julien 321fb6463e vars: small cleanups 9 years ago
Victor Julien e4b2729399 nfq: support bypass for rebuilt fragment packets 9 years ago
Victor Julien 629fa30345 nfq_set_mask: set mark on root pkt for tunnels 9 years ago
Eric Leblond d8acf3542d source-nfq: document bypass function 9 years ago
Eric Leblond e0000eb58d source-nfq: fix tunnel mark callback algorithm 
In case of a tunnel packet, adding a mark to the root packet will have
for consequence to bypass all the flows that are hosted in this tunnel.
This is not the attended behavior and as initial fix let's simply warn
suricata that bypass for NFQ is not possible for this kind of packets.

This patch also fixes a segfault. The root packet was accessed even if it is
NULL causing a NULL dereference:

ASAN:SIGSEGV
=================================================================
==24408==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x00000076f948 bp 0x7f435c000240 sp 0x7f435c000220 T5)
ASAN:SIGSEGV
==24408==AddressSanitizer: while reporting a bug found another one. Ignoring.
    #0 0x76f947 in NFQBypassCallback /home/victor/dev/suricata/src/source-nfq.c:510
    #1 0x4d0f02 in PacketBypassCallback /home/victor/dev/suricata/src/decode.c:395
    #2 0x7b8a95 in StreamTcpPacket /home/victor/dev/suricata/src/stream-tcp.c:4661
    #3 0x7b9ddd in StreamTcp /home/victor/dev/suricata/src/stream-tcp.c:4913
    #4 0x68fa50 in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:194
    #5 0x7f0abd in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:128
    #6 0x7f2958 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:585
    #7 0x7f436368e6f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
    #8 0x7f4362802b5c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/victor/dev/suricata/src/source-nfq.c:510 NFQBypassCallback
Thread T5 (W#04) created by T0 (Suricata-Main) here:
    #0 0x7f4364ff2253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x7f9c48 in TmThreadSpawn /home/victor/dev/suricata/src/tm-threads.c:1843
    #2 0x8da7c0 in RunModeSetIPSAutoFp /home/victor/dev/suricata/src/util-runmodes.c:519
    #3 0x73e3ff in RunModeIpsNFQAutoFp /home/victor/dev/suricata/src/runmode-nfq.c:74
    #4 0x7503fa in RunModeDispatch /home/victor/dev/suricata/src/runmodes.c:382
    #5 0x7e5cb3 in main /home/victor/dev/suricata/src/suricata.c:2547
    #6 0x7f436271c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
 9 years ago
Victor Julien 397c541c09 detect: fix multi-tenant loaders 9 years ago
Victor Julien 7e54ee7d0e flow-timeout: fix memory errors on flow bypass 
For flow bypass, the flow timeout handling is triggered which may
create up to 3 pseudo packets that hold a reference to the flow.
However, in the bypass case the code signaled to the timeout logic
that the flow can be freed unconditionally by returning 1. This
lead to packets going through the engine with a pointer to a now
freed/recycled flow.

This patch fixes the logic by removing the special bypass case,
which seemed redundant anyway. Effectively reverts 68d9677.

Bug #1928.
 9 years ago
Victor Julien d1d618a668 flow-manager: cleanups and comment improvements 9 years ago
Victor Julien 368d5d931c flow-timeout: don't leak flow reference in error path 9 years ago
Victor Julien e072e70ea6 alert: fix rate_filter issues 
Fix rate_filter issues: if action was modified it wouldn't be logged
in EVE. To address this pass the PacketAlert structure to the threshold
code so it can flag the PacketAlert as modified. Use this in logging.

Update API to use const where possible. Fix a timout issue that this
uncovered.
 9 years ago
Jason Ish dcdf160ab2 conf: cleanup compiler warning (unintialized vars) 9 years ago
Jason Ish 8f56c23468 detect-flow: no_frag and only_frag keyword support 
Support flow:no_frag and flow:only_frag keywords from Snort.
 9 years ago
Jason Ish f81619a13e defrag: set flag on packets reassembled from fragments 
Set the PKT_REBUILT_FRAGMENT on packets that are re-assembled
from fragments.
 9 years ago
Jason Ish 571f56cfcf detect-flow: support flow:not_established 9 years ago
Jason Ish dc762cd44d detect-flow: use new unit test macros 9 years ago
Duarte Silva 6948b2332a file-hashing: Fixed line parsing code 9 years ago
Victor Julien 449c93e062 detect-app-layer-protocol: improve rule validation 
Also add tests for PD-only conditions
 9 years ago
Victor Julien 0ed119068d detect-app-layer-protocol: implement prefilter 
Introduce 'Protocol detection'-only rules. These rules will only be
fully evaluated when the protocol detection completed. To allow
mixing of the app-layer-protocol keyword with other types of matches
the keyword can also inspect the flow's app-protos per packet.

Implement prefilter for the 'PD-only' rules.
 9 years ago
Victor Julien 8094b2b12e detect-app-layer-protocol: convert to pkt match 9 years ago
Victor Julien c28d9d0538 eve: print app_proto_ts/app_proto_tc 9 years ago
Victor Julien dbb3a12b32 logging: return string for ALPROTO_FAILED 9 years ago
Victor Julien 93298e91c7 app-layer counters: count failed protocol detect 9 years ago
Victor Julien 3b98feef01 proto-detect: clean up UDP handling 
Set FAILED instead of using a flow flag. Flag packets in both
sides when detection is done. Detection is only done in one
direction.
 9 years ago
Victor Julien 90bf2b5a32 proto detect: improve error case handling 
Improve flags logic, update tests.
 9 years ago
Victor Julien e955cf3366 detect-app-layer-protocol: improve error handling 
Redo tests.
 9 years ago
Victor Julien 9560e8b5b2 proto-detect: update mismatch handling 
Improve protocol mismatch handling. Preserve both protos. Use otherdir
if already sent to parser, use toclient otherwise.
 9 years ago
Victor Julien 7d7ec78cc3 app-layer-protocol: improve detection 
Add negated matches to match list instead of amatch.

Allow matching on 'failed'.

Introduce per packet flags for proto detection. Flags are used to
only inspect once per direction. Flag packet on PD-failure too.
 9 years ago
Victor Julien ac2cf526f1 proto detect: remove flow data tracking 
The Flow::data_al_so_far was used for tracking data already
parsed when protocol for the current direction wasn't known yet. As
this behaviour has changed the tracking can be removed.
 9 years ago
Victor Julien d7c828bcb0 proto detect: update behavior on partial detection 
When the current direction doesn't get a protocol detection, but the
opposing direction did, previously we would send the current data to
the parser. Then when we'd be invoked again (until the protocol
detection finally failed) we'd get the same data + the new data. To
make sure we'd not send the same data to the parser again, the flow
kept track of how much was already sent to the app-layer using
data_al_so_far.

This patch changes the behaviour. Instead of sending the data for
the current direction right away, we only do this when protocol
detection is complete. This way we won't have to track anything.
 9 years ago
Victor Julien 6022fa44a5 proto detect: TCP cleanup 
Split function into multiple smaller ones.
 9 years ago
Victor Julien 8347aa01fa app-layer: clean up counters registration 9 years ago
Victor Julien b789d2ae3d tls: change 'no-reassemble' option to default off 
This option was broken so there should be no visible change to
actual deployments.
 9 years ago
Thomas Andrejak c17402fdcb prelude: add IPv6 support 9 years ago
Thomas Andrejak dcce225102 prelude: add missing TCP header to additional data 9 years ago
Thomas Andrejak e33060cee0 prelude: coding style, it's better to use macro 9 years ago
Thomas Andrejak b1c1699699 prelude: Add other actions than just ACTION_DROP when packet drop 9 years ago
Thomas Andrejak 4d4a3d0b8f prelude: Add log when failed to create assessment or impact object 9 years ago
Thomas Andrejak 18c9312380 Add macro for TCP and UDP header access 9 years ago
Eric Leblond 4eca40ac34 app-layer-tls: stop detection if no reassembly 
It no-reassembly is asked in TLS conf then we can stop inspection
after handshake and cause bypass to be triggered on the flow.
 9 years ago
Eric Leblond 69e1ff7ba7 stream-tcp: bypass encrypted when both side ready 
Suricata should not completely bypass a flow before both end of it
have reached the stream depth or have reached a certain state.
Justification is that suricata need the ACK to treat the other side
so we can't really decide to cut only one side.
 9 years ago
Nicolas Thill e95e6ccded lua: add an SCPacketTimestamp function 
The SCPacketTimestamp function returns packet timestamps as 2 real
numbers (seconds & microseconds).

Example:

  local sec, usec = SCPacketTimestamp()

Signed-off-by: Nicolas Thill <ntl@p1sec.com>
 9 years ago
Victor Julien f4b165de94 file: register filedata loggers before file 
This fixes the issue that 'stored' remained false even if the file
was stored.

Reported-by: Chris Wakelin
 9 years ago
Victor Julien 43aed70976 detect: during detection sgh is read only so turn into const 9 years ago
Victor Julien 0e31124609 detect: add util func for post-inspect tasks on first sgh 9 years ago
Victor Julien d3fb4de1b5 detect: move file flags update into it's own function 9 years ago
Victor Julien 664f9aa906 flow: use BIT_U32 for flags 9 years ago
Victor Julien c81aaeda7b flow: move file flags into their own variable 
Move FLOW_FILE_* flags into Flow::file_flags. Rename them to
FLOWFILE_* so non updated code will break.
 9 years ago
Jason Ish 3fab684f97 logging: don't log that json is disabled in each logger 
A warning log is already emitted if eve-log is enabled in the
configuration but json support is not built so the logger
registration functions can be silent.
 9 years ago
Jason Ish 0bce4b5534 macOS: thread return value affects newer macOS as well 
ALl OS X/macOS versions since 10.10 return EDEADLK here instead
of EBUSY. Assume they will moving forward as well.
 9 years ago
Victor Julien f867bb61e6 http: fix memory leak in error path 9 years ago
Victor Julien 40af9aad02 streaming: improve error handling 
When memory allocations happened in HTTP body and general file
tracking, malloc/realloc errors (most likely in the form of memcap
reached conditions) could lead to an endless loop in the buffer
grow logic.

This patch implements proper error handling for all Append/Insert
functions for the streaming API, and it explicitly enables compiler
warnings if the results are ignored.
 9 years ago
Victor Julien 879c3d8ad7 detect: fix scan-build 0-size alloc warnings 9 years ago
Jason Ish 09c3e1dd8a pcap-log: cleanup allocations at exit 
Particularly in multi-mode, allocations made for each thread were
not being cleaned.

ASAN reports no leaks now on exit.
 9 years ago
Victor Julien f80ce51ddf unix-socket: don't try to change permissions on BSD 
On BSD using fchmod on a socket is not supported and will result
in EINVAL.
 9 years ago
Victor Julien 96c28b2995 bug 1353: don't cut off last char of unix path 9 years ago
Victor Julien 4a190e07a6 pcre: disable JIT if RWX pages not supported 9 years ago
Victor Julien 46f5f4cff8 util: add facility to check for RWX page support 
Some code won't work well when the OS doesn't allow RWX pages. This
page introduces a check for runtime evaluation of the OS' policy on
this.

Thanks to Shawn Webb from HardenedBSD for suggesting this solution.
 9 years ago
Victor Julien a3a1757472 flow-mgr: fix bypass counter registration 9 years ago
Victor Julien 595c20ddf4 der: fix asan/valgrind errors in time parsing 9 years ago
Victor Julien 7e4df3a1d1 tls-validity: fix memory handling 9 years ago
Mats Klepsland 10d827639e detect-tls-cert-validity: clean up unit tests 
Remove locks, unnecessary function calls and conditional statements.
 9 years ago
Mats Klepsland 1fea52dd8a detect: add keyword tls_cert_valid 
Add keyword to check if TLS certificate is valid.
 9 years ago
Mats Klepsland f7e0083269 detect-cert-validity: fix typos 9 years ago
Mats Klepsland f22c9d9781 detect: add keyword tls_cert_expired 
Add keyword to check if TLS certificate is expired.
 9 years ago
Mats Klepsland 07d2312d96 detect-tls-validity: use flags for modes 
Use flags for modes to support using multiple modes at the same time.
 9 years ago
Giuseppe Longo 3f214b506a file-store: add depth setting 
When a rules match and fired filestore we may want
to increase the stream reassembly depth for this specific.

This add the 'depth' setting in file-store config,
which permits to specify how much data we want to reassemble
into a stream.
 9 years ago
Giuseppe Longo 4751677e24 app-layer: use StreamTcpSetReassemblyDepth 
This calls StreamTcpSetReassemblyDepth to set the stream depth
specified for the protocol.
 9 years ago
Giuseppe Longo 9ab1194f68 modbus: set stream depth 
Some protocol like modbus requires
a infinite stream depth because session
are kept open and we want to analyze everything.

Since we have a stream reassembly depth per stream,
we can also set a stream reassembly depth per proto.
 9 years ago
Giuseppe Longo b160c49e9e app-layer-parser: add stream depth 
This permits to set a stream depth value for each
app-layer.

By default, the stream depth specified for tcp is set,
then it's possible to specify a own value into the app-layer
module with a proper API.
 9 years ago
Eric Leblond a63c6b320e stream: per TcpStream reassembly depth 9 years ago
Victor Julien 960ebb2822 enip: fix scan-build warnings 
detect-cipservice.c:161:29: warning: Assigned value is garbage or undefined
    cipserviced->cipservice = input[0];
                            ^ ~~~~~~~~
detect-cipservice.c:162:27: warning: Assigned value is garbage or undefined
    cipserviced->cipclass = input[1];
                          ^ ~~~~~~~~
detect-cipservice.c:163:31: warning: Assigned value is garbage or undefined
    cipserviced->cipattribute = input[2];
                              ^ ~~~~~~~~
3 warnings generated.
 9 years ago
Victor Julien 80c3aedbfc enip: parsing and tests cleanup 9 years ago
Victor Julien 72b5da4313 enip/cip: improve output & style 
Remove printf, remove \n from SCLogDebug. Add SCLogError for
rule parsing issues.

Fix various style issues
 9 years ago
Victor Julien 6b1c21b115 enip/cip: register inspect engines 9 years ago
kwong a3ffebd835 Adding SCADA EtherNet/IP and CIP protocol support 
Add support for the ENIP/CIP Industrial protocol

This is an app layer implementation which uses the "enip" protocol
and "cip_service" and "enip_command" keywords

Implements AFL entry points
 9 years ago
Victor Julien d9811e58b6 http_header: don't separately inspect trailer yet 
Currently the regular 'Header' inspection code will run each time
after the HTTP progress moved beyond 'headers'. This will include
the trailers if there are any.

Leave the code in place as this model will change in the not too
distant future.
 9 years ago