Eric Leblond [Fri, 9 Nov 2012 14:57:52 +0000 (15:57 +0100)]
coccinelle: improve run_check
This patch adds two features to run_check.sh. It is now possible
to specify a list of files to check:
./run_check.sh ../../src/suricata.c ../../src/detect.c
It is also possible to ask a review of the files modified by a commit.
To do so, simply put the SHA1 as argument:
./run_check.sh HEAD
./run_check 6af7d5f
It is also possible to check all the files for an arbitrary range:
./run_check.sh origin/master..buildbot-fixes
Last improvement of this patch is to get a real error message in case
of problem, as 2 is no longer redirected to /dev/null.
Eric Leblond [Fri, 5 Oct 2012 07:46:18 +0000 (09:46 +0200)]
suricata: add daemon-directory config variable
It is now possible to use the 'daemon-directory' configuration
variable to specify the working directory of suricata in daemon
mode. This will permit specifying the place for core and other
related files.
Eric Leblond [Fri, 5 Oct 2012 07:35:48 +0000 (09:35 +0200)]
suricata: avoid concurrent run in daemon mode
This patch creates a pid file by default and uses it to prevent
running two Suricata instances. Separate pid files have to be
provided to be able to do it.
Eric Leblond [Thu, 8 Nov 2012 22:39:20 +0000 (23:39 +0100)]
configure: improve march=native detection
clang is supposed to support march=native but if the CPU is too
recent for clang, this can cause an invalid detection of arch and
result in an incapability of clang to compile any binary.
This patch updates the test to try a compilation with march=native
when clang is the compiler used.
Eric Leblond [Thu, 8 Nov 2012 21:09:22 +0000 (22:09 +0100)]
configure: differentiate gcc and clang options
The version checking was made similarly for clang and gcc. This
patch modifies this to check on compiler name. This way we can
avoid setting march=native, which is not supported by clang on
some systems.
At the same time, this fixes the annoying warning about no-fp-tree
being unsupported by clang.
Matt Keeler [Thu, 4 Oct 2012 16:34:00 +0000 (12:34 -0400)]
Napatech 3GD Support
For use with Network Cards from Napatech utilizing the 3GD driver/api.
- Implemented new run modes in runmode-napatech-3gd.*
- Implemented capture/decode threads in source-napatech-3gd.*
- Integrated the new run modes and source into the build infrastructure.
New configure switches
--enabled-napatech-3gd : Turns on the NT 3GD support
--with-napatech-3gd-includes : The directory containing the NT 3GD header files
--with-napatech-3gd-libraries : The directory containing the NT 3GD libraries to link against.
New CLI switch
--napatech-3gd : Uses the Napatech 3GD run mode
Runmodes Supported:
- auto
- autofp
- workers
Notes:
- tested with 1 Gbps sustained traffic (no drops)
Eric Leblond [Tue, 30 Oct 2012 06:46:42 +0000 (07:46 +0100)]
stream.inline: add 'auto' mode
The stream.inline YAML configuration variable now supports the 'auto' value.
In this case, inline mode is activated for IPS running mode (NFQ and
IPFW) and is deactivated for IDS mode. This patch should fix bug #592.
Eric Leblond [Sun, 14 Oct 2012 17:24:22 +0000 (19:24 +0200)]
af-packet: fix possible infinite loop.
If no packet arrives at a capture thread, it is possible that the
AFPReadLoop() function goes into an infinite loop. This could cause
suricata to hang at exit on a non-busy system.
This patch adds a counter to detect when Suricata starts looping in
the ring to stop when it reaches this point.
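The bounded ring walk the commit describes, as an added example that is not part of this commit or of Suricata's source-af-packet.c. The ring, the TP_STATUS_* values and the hook into poll() are a constructed stand-in for the TPACKET mmap ring: the point shown is that counting consecutive empty slots turns a loop that would spin forever on an idle ring into one that returns after one full revolution.

```c
#include <string.h>
#include <stdio.h>

#define RING_FRAMES 8
#define TP_STATUS_KERNEL 0u   /* frame owned by the kernel: nothing to read yet */
#define TP_STATUS_USER   1u   /* frame filled by the kernel, ready for user space */

/* Constructed stand-in for an mmap'ed packet ring: fixed number of frames,
 * each with a status word, plus the reader's current slot. */
typedef struct {
    unsigned status;
    int pkt_id;
} frame_t;

typedef struct {
    frame_t frames[RING_FRAMES];
    int offset;
} ring_t;

/* One read pass over the ring. Every ready frame is consumed and handed back
 * to the kernel. The empty_in_a_row counter is the fix: once a whole
 * revolution found nothing to read, the pass returns (a real reader would go
 * back to poll() here) instead of walking the ring forever. Returns the
 * number of packets consumed. */
int ring_read_pass(ring_t *r) {
    int consumed = 0;
    int empty_in_a_row = 0;
    while (empty_in_a_row < RING_FRAMES) {
        frame_t *f = &r->frames[r->offset];
        if (f->status & TP_STATUS_USER) {
            consumed++;
            empty_in_a_row = 0;            /* progress was made, restart the count */
            f->status = TP_STATUS_KERNEL;  /* release the frame to the kernel */
        } else {
            empty_in_a_row++;              /* nothing here, remember that */
        }
        r->offset = (r->offset + 1) % RING_FRAMES;
    }
    return consumed;
}

/* Builds a ring whose ready slots are the set bits of ready_mask (bit i marks
 * slot i), runs one pass and returns the packets consumed. A mask of 0 is the
 * idle-ring case that used to hang. */
int ring_pass_count(unsigned ready_mask) {
    ring_t r;
    memset(&r, 0, sizeof r);
    for (int i = 0; i < RING_FRAMES; i++) {
        if (ready_mask & (1u << i)) {
            r.frames[i].status = TP_STATUS_USER;
            r.frames[i].pkt_id = i + 1;
        }
    }
    return ring_read_pass(&r);
}

int main(void) {
    printf("idle ring: %d packets, pass returned\n", ring_pass_count(0u));
    printf("slots 1,5,6 ready: %d packets\n", ring_pass_count(0x62u));
    printf("all slots ready: %d packets\n", ring_pass_count(0xffu));
    return 0;
}
```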
Victor Julien [Fri, 12 Oct 2012 14:40:43 +0000 (16:40 +0200)]
libhtp: don't use internal iterator
It violates thread safety. #601.
Suricata assures thread safety on the flow level for HTTP tracking. Part of the flow is (in case of HTTP) libhtp's htp_connp_t state. At startup the libhtp glue layer, app-layer-htp, initializes as many htp_cfg_t instances as there are libhtp server configurations in the yaml. At HTTP session start, we look up the proper htp_cfg_t based on the server ip and pass it to htp_connp_create. A ptr to the relevant htp_cfg_t is part of the htp_connp_t. The htp_cfg_t contains "hooks". They are registered based on yaml config at init time.
The hooks have lists of type list_t. The list is run with a built in iterator. The iterator is reset at the start of each "hook_run_all". Since multiple flows share the same htp_cfg_t flow A can reset the iterator while flow B is using it. The flow lock has no effect as flows share the htp_cfg_t.
This has been observed in real traffic. hook_response_body_data was run on the same data multiple times, leading to corrupt extracted files.
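A deterministic replay of the race the commit describes, as an added example that is not part of this commit or of libhtp. The shared_cfg_t, flow_t and hook-as-counter model are constructed stand-ins for htp_cfg_t, the per-flow state and the hook list; the replay fixes one interleaving (flow A half-way through its run when flow B resets the shared cursor) so the effect can be checked without threads. The built-in iterator runs hook 1 twice on flow A's data and never runs hooks 1 and 2 for flow B; a cursor owned by the caller leaves the shared config read-only and runs every hook exactly once for each flow.

```c
#include <stdio.h>

#define NHOOKS 3

/* Constructed model of a configuration shared by every flow mapped to the
 * same server (the role htp_cfg_t plays): a hook list plus a built-in
 * iterator cursor that lives inside the shared object. */
typedef struct {
    int nhooks;
    int cursor;   /* built-in iterator state: one copy for all flows */
} shared_cfg_t;

/* Per-flow bookkeeping: how many times each hook ran on this flow's data. */
typedef struct {
    int runs[NHOOKS];
} flow_t;

static void builtin_reset(shared_cfg_t *cfg) { cfg->cursor = 0; }
static int builtin_next(shared_cfg_t *cfg) {
    return (cfg->cursor < cfg->nhooks) ? cfg->cursor++ : -1;
}

/* Replay of the interleaving in the commit: flow A is part-way through its
 * hook_run_all when flow B, on another thread but the same cfg, starts its
 * own run and resets the shared cursor. The flow lock cannot help, since
 * the cursor is not part of either flow. */
static void replay_builtin_iterator(shared_cfg_t *cfg, flow_t *a, flow_t *b) {
    int h;
    builtin_reset(cfg);
    a->runs[builtin_next(cfg)]++;             /* A runs hook 0 */
    a->runs[builtin_next(cfg)]++;             /* A runs hook 1 */
    builtin_reset(cfg);                       /* B starts: cursor back to 0 */
    b->runs[builtin_next(cfg)]++;             /* B runs hook 0 */
    while ((h = builtin_next(cfg)) != -1)     /* A resumes at cursor 1: hook 1 again */
        a->runs[h]++;
    while ((h = builtin_next(cfg)) != -1)     /* B resumes: list already exhausted */
        b->runs[h]++;
}

/* Fix: the cursor belongs to the caller; the shared config is only read. */
static void replay_external_cursor(const shared_cfg_t *cfg, flow_t *a, flow_t *b) {
    int ca = 0, cb = 0;                       /* one cursor per flow, on the stack */
    a->runs[ca++]++;
    a->runs[ca++]++;
    b->runs[cb++]++;                          /* B starting cannot disturb A */
    while (ca < cfg->nhooks) a->runs[ca++]++;
    while (cb < cfg->nhooks) b->runs[cb++]++;
}

/* 1 if every hook ran exactly once for this flow, else 0. */
static int ran_each_once(const flow_t *f, int nhooks) {
    for (int i = 0; i < nhooks; i++)
        if (f->runs[i] != 1) return 0;
    return 1;
}

/* Built-in iterator: how many times hook 1 ran on flow A's data. */
int builtin_hook1_runs_for_a(void) {
    shared_cfg_t cfg = { NHOOKS, 0 };
    flow_t a = {{0}}, b = {{0}};
    replay_builtin_iterator(&cfg, &a, &b);
    return a.runs[1];
}

/* Built-in iterator: how many hooks flow B never ran at all. */
int builtin_hooks_skipped_for_b(void) {
    shared_cfg_t cfg = { NHOOKS, 0 };
    flow_t a = {{0}}, b = {{0}};
    int skipped = 0;
    replay_builtin_iterator(&cfg, &a, &b);
    for (int i = 0; i < NHOOKS; i++)
        if (b.runs[i] == 0) skipped++;
    return skipped;
}

/* External cursor: 1 when both flows ran every hook exactly once. */
int external_cursor_correct(void) {
    shared_cfg_t cfg = { NHOOKS, 0 };
    flow_t a = {{0}}, b = {{0}};
    replay_external_cursor(&cfg, &a, &b);
    return ran_each_once(&a, NHOOKS) && ran_each_once(&b, NHOOKS);
}

int main(void) {
    printf("built-in iterator: hook 1 ran %d times on flow A, flow B skipped %d hooks\n",
           builtin_hook1_runs_for_a(), builtin_hooks_skipped_for_b());
    printf("external cursor: every hook once per flow = %d\n", external_cursor_correct());
    return 0;
}
```

The duplicated run of hook 1 is the same shape as the duplicated hook_response_body_data call the commit reports; the skipped hooks for flow B are the other face of the same defect, and both disappear once no mutable iterator state sits in the object the flows share.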
Eric Leblond [Thu, 4 Oct 2012 09:06:33 +0000 (11:06 +0200)]
nfq: close the queue when leaving acquisition.
This patch adds a call to close the queue when the acquisition
loop is ending. This way the incoming packets will be accepted
during all the shutdown phase (if the queue-bypass option of
NFQUEUE is used). At the same time the currently processed packets
will be dropped, but the time scales are different: suricata will
drop 20 ms of packets and the shutdown can take 0.5 seconds.
Victor Julien [Thu, 4 Oct 2012 09:48:42 +0000 (11:48 +0200)]
fast_pattern: don't consider http_method, http_stat_code and http_stat_msg when automatically giving preference to a HTTP pattern over a stream pattern.
Anoop Saldanha [Tue, 2 Oct 2012 15:43:35 +0000 (21:13 +0530)]
fix for bug #577.
If a pattern has matched on mpm, don't re-inspect it later, subject to certain
conditions met by the pattern - namely, not negated, right chop, no replace
attached to it.
In FFRv2, dereference flow from a packet using the new reference/dereference
util macros. This allows decrementing use_cnt for the flow and resetting the
flow pointer to NULL for the pseudo pkt to happen simultaneously, in case we
fail to retrieve a pseudo_packet and have to return the already obtained
pseudo packets back to the packetpool.