register-tenant:
Loads a new YAML, does basic validation.
Loads a new detection engine
Loads rules
Add new de_ctx to master store and stores tenant id in the de_ctx so
we can look it up by tenant id later.
unregister-tenant:
Gets the de_ctx, moves it to the freelist
Removes config
Introduce DetectEngineGetByTenantId, which gets a reference to the
detect engine by tenant id.
Victor Julien [Fri, 17 Jul 2015 19:05:14 +0000 (21:05 +0200)]
detect: fix pass transaction handling
If a flow was 'pass'd, it means that no packet of it will flow be handled
by the detection engine. A side effect of this was that the per flow
inspect_id would never be moved forward. This in turn lead to a situation
where transactions wouldn't be freed.
This patch addresses this case by incrementing the inspect_id anyway for
the pass case.
Victor Julien [Thu, 16 Jul 2015 14:43:19 +0000 (16:43 +0200)]
app-layer: disruption flags
Stream GAPs and stream reassembly depth are tracked per direction. In
many cases they will happen in one direction, but not in the other.
Example:
HTTP requests a generally smaller than responses. So on the response
side we may hit the depth limit, but not on the request side.
The asynchronious 'disruption' has a side effect in the transaction
engine. The 'progress' tracking would never mark such transactions
as complete, and thus some inspection and logging wouldn't happen
until the very last moment: when EOF's are passed around.
Especially in proxy environments with _very_ many transactions in a
single TCP connection, this could lead to serious resource issues. The
EOF handling would suddenly have to handle thousands or more
transactions. These transactions would have been stored for a long time.
This patch introduces the concept of disruption flags. Flags passed to
the tx progress logic that are and indication of disruptions in the
traffic or the traffic handling. The idea is that the progress is
marked as complete on disruption, even if a tx is not complete. This
allows the detection and logging engines to process the tx after which
it can be cleaned up.
Victor Julien [Wed, 15 Jul 2015 07:53:39 +0000 (09:53 +0200)]
Sync alversion/appversion types
The app layer state 'version' field is incremented with each update
to the state. It is used by the detection engine to see if the current
version of the state has already been inspected. Since app layer and
detect always run closely together there is no need for a big number
here. The detect code really only checks for equal/not-equal, so wrap
arounds are not an issue.
Victor Julien [Thu, 16 Jul 2015 10:49:38 +0000 (12:49 +0200)]
flow/stream: xfer noinspect flags to pseudo pkts
Set noinspection flags for payloads and packets on flow and stream
pseudo packets. Without these, the pseudo packets could trigger
inspection even though this was disabled for a flow.
Eric Leblond [Fri, 19 Jun 2015 10:13:31 +0000 (12:13 +0200)]
af-packet: implement rollover option
This patch implements the rollover option in af_packet capture.
This should heavily minimize the packet drops as well as the
maximum bandwidth treated for a single flow.
The option has been deactivated by default but it is activated in
the af_packet default section. This ensure there is no change for
old users using an existing YAML. And new users will benefit from
the change.
This option is available since Linux 3.10. An analysis of af_packet
kernel code shows that setting the flag in all cases should not
cause any trouble for older kernel.
Eric Leblond [Fri, 19 Jun 2015 10:08:53 +0000 (12:08 +0200)]
af-packet: implement new load balancing modes
This patch implements the fanout load balancing modes available
in kernel 4.0. The more interesting is cluster_qm that does the
load balancing based on the RSS queues. So if the network card
is doing a flow based load balancing then a given socket will
receive all packets of a flow indepently of the CPU affinity.
Eric Leblond [Fri, 19 Jun 2015 10:05:05 +0000 (12:05 +0200)]
af-packet: sync header with latest features
Sync the replacement define with the latest Linux code.
This patch also updates the detection part in configure.ac
to do a declaration of all fields if the newest features are
not present.
netmap: support non-equal count of Rx and Tx rings on interface.
Netmap does not guarantees that NIC will have equal number of transmit and receive rings.
Use unlikely for error treatment in alert-prelude.c
When handling error cases on creation of a new idmef field, we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc.
Victor Julien [Fri, 10 Jul 2015 10:19:57 +0000 (12:19 +0200)]
introduce fatal error macro's
Add 'FatalError' and 'FatalErrorConditonal' that will take the same
args as SCLogError.
FatalError logs the error using SCLogError and then exits with return
code EXIT_FAILURE.
FatalErrorOnInit does the same only during init and with
--init-errors-fatal enabled, otherwise it just calls SCLogWarning. So
then the macro returns to the caller.
Eric Leblond [Wed, 15 Jul 2015 20:21:07 +0000 (22:21 +0200)]
tls-store: avoid log flooding
In case we can't write in the certs directory, this is possible
we flood the log for each TLS session or even worse each TLS
packet. So this patch puts a limit in the number of logged
messages related to file creation.
Eric Leblond [Tue, 14 Jul 2015 20:35:32 +0000 (22:35 +0200)]
tls-store: backward compatibility
This patch implements backward compatibility in suricata.yaml
file. In case the new 'tls-store' output is not present in the
YAML we have to use the value defined in 'tls-log'.
Eric Leblond [Tue, 14 Jul 2015 19:22:31 +0000 (21:22 +0200)]
tls-store: now a separate module
An design error was made when doing the TLS storage module which
has been made dependant of the TLS logging. At the time there was
only one TLS logging module but there is now two different ones.
By putting the TLS store module in a separate module, we can now
use EVE output and TLS store at the same time.
Alexander Gozman [Tue, 16 Jun 2015 15:12:01 +0000 (18:12 +0300)]
suricatasc: remove "u" prefix when printing JSON output.
If we want to parse suricatasc's output, python's unicode prefix
should be removed to make JSON parsers happy.
Zopieux [Thu, 18 Jun 2015 09:26:53 +0000 (11:26 +0200)]
stream_size operator comparison (fix issue #1488)
`DetectStreamSizeParse` was first checking if mode[0] is '<', which is true for both '<' and '<=', thus '<=' (and resp. '>=') is never matched. This patch does the `strcmp` to '<=' (resp. '>=') within the if block of '<' (resp. '>') to fix #1488.
Giuseppe Longo [Fri, 15 May 2015 09:05:29 +0000 (11:05 +0200)]
file_data: check for signature alproto and flow
Currently the following rule can't be loaded:
alert tcp any any -> any 25 (msg:"SMTP file_data test"; flow:to_server,established; file_data; content:"abc";sid:1;)
and produces the error output:
"Can't use file_data with flow:to_server or from_client with http or smtp."
This checks if the alproto is not http in a signature,
so permits to use flow keyword also.
Victor Julien [Fri, 19 Jun 2015 10:42:57 +0000 (12:42 +0200)]
file_data smtp: fix minor coverity warning
CID 1298891: Null pointer dereferences (REVERSE_INULL)
Null-checking "curr_file" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
Victor Julien [Thu, 11 Jun 2015 10:39:53 +0000 (12:39 +0200)]
app-layer: improve EOF handling
On receiving TCP end of stream packets (e.g. RST, but also sometimes FIN
packets), in some cases the AppLayer parser would not be notified. This
could happen in IDS mode, but would especially be an issue in IPS mode.
This patch changes the logic of the AppLayer API to handle this. When no
new data is available, and the stream ends, the AppLayer API now gets
called with a NULL/0 input, but with the EOF flag set.
This allows the AppLayer parser to call it's final routines still in the
context of a real packet.
projects / people / ms / suricata.git / log
