Eric Leblond [Mon, 14 Dec 2015 14:18:07 +0000 (15:18 +0100)]
suricata: can't use -l and unix socket runmode
It is not possible to use simultaneously -l and unix socket
runmode because setting the log directory make it final so
not modifable by other call.
It is a implementation limitation but it does not make sense
to set logging directory to have it overwritten by the first
directory specified 'by pcap-file'. So it seems correct to
only trigger an error if this both options are used at the same
time.
Eric Leblond [Mon, 14 Dec 2015 13:02:20 +0000 (14:02 +0100)]
unix-manager: fix race condition
Under high load it is possible that the thread is not yet started
and that we register a command at the same time. As a consequence,
the commands list is not yet initialized and we have a segfault.
This patch moves the initialization in the ThreadInit function to
be sure the commands list is available when needed.
Victor Julien [Wed, 16 Dec 2015 09:45:05 +0000 (10:45 +0100)]
icmpv4: improve dest unreachable logic
When a ICMPv4 destination unreachable packet contains an embedded packet
this packet is parsed. When it's found to be invalid, the whole ICMP
packet is tagged as invalid.
In some cases the unreachable packet would still be used.
This patch fixes this by checking the packet is invalid flag as well
in the ICMPV4_DEST_UNREACH_IS_VALID macro.
Victor Julien [Thu, 10 Dec 2015 08:58:52 +0000 (09:58 +0100)]
ips/drop-log: fix crash on logging drops
When logging drops for fragmented UDP packets, triggered by detection
in the reassembled packet, a missing check could lead to access of the
packets UDP header pointer when it was NULL.
Eric Leblond [Thu, 3 Dec 2015 11:07:03 +0000 (12:07 +0100)]
output-json: add app_proto key in root
By adding the key in the root of *flow and fileinfo events it
will be possible to get all events for one application layer by
using a 'event_type:proto OR app_proto:proto' filter. This will
permit to the analyst to get a good view of events related to
one protocol.
Maurizio Abba [Mon, 16 Nov 2015 12:14:24 +0000 (12:14 +0000)]
app-layer-smtp: support for multiline response
Multiline response support is provided but not enforced. This patch
allow parsing multiline response when a reply is processed
Aaron Campbell [Mon, 2 Nov 2015 19:19:12 +0000 (15:19 -0400)]
Fix out-of-bounds memory access in DNS TXT record parser.
The datalen variable is declared unsigned. If txtlen and datalen are equal,
datalen will first be reduced to 0, and then the datalen-- line will cause its
value to wrap to 65535. This will cause the loop to continue much longer than
intended, and eventually may crash on an out-of-bounds *tdata dereference.
Jason Ish [Wed, 14 Oct 2015 19:37:45 +0000 (13:37 -0600)]
util-base64: strict mode - all characters must be valid
Introduce a strict mode to base64 decode. If strict,
the function will fail when invalid input data is seen.
If not strict, what has been decoded will be returned.
This is in support of adding a Snort compatible base64_decode
rule option that uses whatever data can be decoded as a length
of data to decode is optional.
Victor Julien [Mon, 23 Nov 2015 08:56:51 +0000 (09:56 +0100)]
json: fix malformed output
Even though the json output callback is called with a null terminated
string, it's not useable directly. The size parameter to the callback
might be a lot smaller than the string size. Libjansson gives the size
up to the first point that needs escaping.
Eric Leblond [Tue, 17 Nov 2015 08:56:55 +0000 (09:56 +0100)]
config: don't use hardcoded path
It is better to use a transformation to define the default
directory of output message instead of using an hardcoded value.
Same apply to the directory for the pid file.
Eric Leblond [Mon, 16 Nov 2015 16:53:04 +0000 (17:53 +0100)]
suricata: clean dump-config output
When user asks for a configuration dump, it is useless to display
the version and CPU info. Also initializing the log system conduct
to overwrite the some log files and in particular suricata.log and
this is annoying as a command should not interfere with a running
daemon.
cardigliano [Thu, 22 Oct 2015 09:55:57 +0000 (11:55 +0200)]
pfring pkt acq: keep running on 'pfring_set_cluster' failure when cluster is not required
Suricata creates a pfring cluster with a default ID = 1 when not explicitly configured,
unless the device has prefix 'dna' or 'zc'. Since pf_ring also supports other cards
implementing kernel-bypass (cluster not supported), this is preventing those cards from
running on top of this module. This patch stops suricata on 'pfring_set_cluster' failure
only when error code != PF_RING_ERROR_NOT_SUPPORTED or cluster ID has not been explicitly
configured.
Victor Julien [Fri, 23 Oct 2015 16:29:10 +0000 (18:29 +0200)]
threading: avoid autofp deadlock
When there are many threads and/or the packet pool (max-pending-packets) is
small, a potential dead lock exists between the packet pool return pool
logic and the capture threads. The autofp workers together can have all the
packets in their return pools, while the capture thread(s) are waiting at an
empty pool. A race between the worker threads and the capture thread, where
the latter signals the former, is lost by the capture thread. Now everyone
is waiting.
To avoid this scenario, this patch makes the previously hardcoded 'return
pool' threshold dynamic based on the number of threads and the packet pool
size.
It sets the threshold to the max pending packets value, divided by the number
of lister threads. The max value hasn't changed. Normally, in the autofp
runmode these are the stream/detect/log worker threads.
The max_pending_return_packets value needs to stay below the packet pool size
of the 'producers' (normally pkt capture threads but also flow timeout
injection) to avoid the deadlock.
As it's quite impossible at this time to learn how many threads will be
created before starting the runmodes, and thus spawning the threads and
already initializing the packet pools, this code sets a global variable
after runmode setup, but before the threads are 'unpaused'.
cardigliano [Wed, 21 Oct 2015 23:43:41 +0000 (01:43 +0200)]
pfring pkt acq: capture loop optimisation
For each packet the capture module checks whether it is time to dump stats calling
TimeGet(). TimeGet() is an expensive function using gettimeofday() or SCSpinLock()
which affect performance. Since gettimeofday() is already called for setting packet
timestamp, it is more efficient to use the packet timestamp directly.
cardigliano [Wed, 21 Oct 2015 23:26:54 +0000 (01:26 +0200)]
pfring pkt acq: use zero-copy recv in workers runmode
This patch removes packet copy when suricata is running in workers runmode,
packet copy is not needed in this case since packets are processed in sequence.
Eric Leblond [Thu, 17 Sep 2015 08:28:08 +0000 (10:28 +0200)]
util-logopenfile: move sensor_name to filectx
We will now output the sensor name independantly of the output
method if it is set in the YAML file. In the case of redis we are
using the hostname value if unset.
Eric Leblond [Mon, 25 May 2015 17:38:28 +0000 (19:38 +0200)]
util-logopenfile: reconnect handling
This patch implements reconnection handling for the redis output.
A reconnect limitation has been implemented with a limitation of
one connection per second.
Eric Leblond [Sun, 24 May 2015 19:52:56 +0000 (21:52 +0200)]
util-logopenfile: implement redis pipelining
This patch implements redis pipelining. This consist in contacting
the redis server every N events to minimize the number of TCP
exchange. This is optional and setup via the configuration file.
Eric Leblond [Sun, 24 May 2015 16:07:20 +0000 (18:07 +0200)]
util-logopenfile: introduce SCConfLogOpenRedis
Introduce a function to realize the parsing and config file and
opening of connection to the database. Only used by output-json
for now it will be usable by other logging modules.
Eric Leblond [Sun, 24 May 2015 15:43:51 +0000 (17:43 +0200)]
util-logopenfile: add write function
Introduce a function LogFileWrite that will handle the writing with
respect of the type defined in the configuration. This is used in
this patch to remove the write complexity from output-json.
Eric Leblond [Sat, 23 May 2015 14:59:16 +0000 (16:59 +0200)]
output-json: add sensor-name config variable
When using redis output, we are loosing the host key (added by
logstash or logstash-forwarder) and we can't find anymore what
Suricata did cause the alert.
This patch is adding this key during message generation using the
'sensor-name' variable or the hostname is 'sensor-name' is not
defined.
Giuseppe Longo [Mon, 12 Oct 2015 09:39:36 +0000 (11:39 +0200)]
decode: add flow memcap counter
This adds a counter indicating how many times
the flow max memcap has been reached
Since there is no always a reference to FlowManagerThreadData,
the counter is put in DecodeThreadVars.
Currently when there is no counter increase in one call of FlowGetNew
because we don't have tv or dtv at the time of the call.
The following is a snippet of the generated EVE entry:
"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7085248}