git.ipfire.org Git - thirdparty/suricata.git/log
Victor Julien [Thu, 13 Dec 2018 09:21:41 +0000 (10:21 +0100)] (6 years ago)
detect/file-data: minor cleanups and clarifications

Victor Julien [Thu, 13 Dec 2018 09:07:58 +0000 (10:07 +0100)] (6 years ago)
detect/http-server-body: code cleanup and test cleanups

Victor Julien [Thu, 13 Dec 2018 06:59:20 +0000 (07:59 +0100)] (6 years ago)
detect/http-client-body: code cleanups and test cleanups

Victor Julien [Tue, 11 Dec 2018 09:01:31 +0000 (10:01 +0100)] (6 years ago)
detect: add http.header.raw sticky buffer keyword

Add parsing tests as well.

Victor Julien [Tue, 11 Dec 2018 06:26:22 +0000 (07:26 +0100)] (6 years ago)
detect/http_raw_header: move tests into tests/

Victor Julien [Thu, 29 Nov 2018 07:31:06 +0000 (08:31 +0100)] (6 years ago)
detect/http_raw_header: use inspect v2 api

Victor Julien [Thu, 29 Nov 2018 06:08:12 +0000 (07:08 +0100)] (6 years ago)
detect/http_raw_header: minor code cleanups

Victor Julien [Wed, 28 Nov 2018 09:04:54 +0000 (10:04 +0100)] (6 years ago)
detect: add http.header sticky buffer keyword

Victor Julien [Wed, 28 Nov 2018 08:34:25 +0000 (09:34 +0100)] (6 years ago)
detect/http_header: convert parsing tests to use helper

Victor Julien [Wed, 28 Nov 2018 07:53:41 +0000 (08:53 +0100)] (6 years ago)
detect/http_header: move tests into tests/

Victor Julien [Tue, 27 Nov 2018 13:42:34 +0000 (14:42 +0100)] (6 years ago)
detect/http_header: inspect v2 api

Victor Julien [Tue, 27 Nov 2018 15:09:14 +0000 (16:09 +0100)] (6 years ago)
detect/http_header: test cleanups

Victor Julien [Tue, 27 Nov 2018 13:39:58 +0000 (14:39 +0100)] (6 years ago)
detect/http_header: remove unused func args

Victor Julien [Tue, 27 Nov 2018 11:02:56 +0000 (12:02 +0100)] (6 years ago)
detect: add http.cookie sticky buffer keyword

Victor Julien [Tue, 27 Nov 2018 10:53:21 +0000 (11:53 +0100)] (6 years ago)
detect/http_cookie: move tests into tests/

Victor Julien [Tue, 27 Nov 2018 10:43:24 +0000 (11:43 +0100)] (6 years ago)
detect/http_cookie: switch to inspect v2 api

Victor Julien [Tue, 27 Nov 2018 10:18:14 +0000 (11:18 +0100)] (6 years ago)
detect/http_cookie: minor cleanups

Victor Julien [Tue, 27 Nov 2018 09:50:51 +0000 (10:50 +0100)] (6 years ago)
detect/http_user_agent: set alternative and info flags

Victor Julien [Mon, 26 Nov 2018 12:34:16 +0000 (13:34 +0100)] (6 years ago)
detect: add http.stat_code sticky buffer keyword

Victor Julien [Mon, 26 Nov 2018 12:13:59 +0000 (13:13 +0100)] (6 years ago)
detect/http_stat_code: move tests into tests/

Victor Julien [Mon, 26 Nov 2018 12:02:12 +0000 (13:02 +0100)] (6 years ago)
detect/http_stat_code: use inspect v2 api

Victor Julien [Mon, 26 Nov 2018 11:55:16 +0000 (12:55 +0100)] (6 years ago)
detect/http_stat_code: minor code cleanups

Victor Julien [Mon, 26 Nov 2018 11:23:42 +0000 (12:23 +0100)] (6 years ago)
detect: add http.stat_msg sticky buffer keyword

Victor Julien [Mon, 26 Nov 2018 11:06:55 +0000 (12:06 +0100)] (6 years ago)
detect/http_stat_msg: move tests to tests/

Victor Julien [Mon, 26 Nov 2018 10:38:35 +0000 (11:38 +0100)] (6 years ago)
detect/http_stat_msg: switch to inspect v2

Victor Julien [Mon, 26 Nov 2018 10:17:53 +0000 (11:17 +0100)] (6 years ago)
detect/http_stat_msg: minor code cleanups

Victor Julien [Sun, 25 Nov 2018 17:33:01 +0000 (18:33 +0100)] (6 years ago)
detect: add http.host.raw sticky buffer

Victor Julien [Sun, 25 Nov 2018 17:24:12 +0000 (18:24 +0100)] (6 years ago)
detect/http_raw_host: move raw into regular host logic

Victor Julien [Sun, 25 Nov 2018 16:33:08 +0000 (17:33 +0100)] (6 years ago)
detect/http_host: move tests into tests/

Victor Julien [Sun, 25 Nov 2018 16:20:58 +0000 (17:20 +0100)] (6 years ago)
detect/http_raw_host: use inspect v2 api

Victor Julien [Sun, 25 Nov 2018 15:54:50 +0000 (16:54 +0100)] (6 years ago)
detect/http_raw_host: minor cleanups

Victor Julien [Sun, 25 Nov 2018 15:44:54 +0000 (16:44 +0100)] (6 years ago)
detect/http_method: add http.method sticky buffer

Victor Julien [Sun, 25 Nov 2018 15:40:49 +0000 (16:40 +0100)] (6 years ago)
detect/http_method: move all tests into tests/

Victor Julien [Sun, 25 Nov 2018 15:31:05 +0000 (16:31 +0100)] (6 years ago)
detect/http_method: use inspect v2 api

Victor Julien [Sun, 25 Nov 2018 15:26:51 +0000 (16:26 +0100)] (6 years ago)
detect/http_method: minor cleanups

Victor Julien [Sun, 25 Nov 2018 11:05:24 +0000 (12:05 +0100)] (6 years ago)
detect/http: add http.uri.raw sticky buffer keyword

Victor Julien [Sun, 25 Nov 2018 10:53:15 +0000 (11:53 +0100)] (6 years ago)
detect/http_raw_uri: code reorganization

Move registration into http_uri logic, move tests into the other uri
tests. Switch to v2 mpm/inspect APIs.

Victor Julien [Sun, 25 Nov 2018 10:43:10 +0000 (11:43 +0100)] (6 years ago)
detect/http_raw_uri: small cleanups

Victor Julien [Sun, 25 Nov 2018 10:39:28 +0000 (11:39 +0100)] (6 years ago)
detect/http-uri: move tests into tests/

Victor Julien [Mon, 26 Nov 2018 14:25:04 +0000 (15:25 +0100)] (6 years ago)
detect: add http.uri sticky buffer keyword

Victor Julien [Sat, 24 Nov 2018 11:06:43 +0000 (12:06 +0100)] (6 years ago)
detect: add http.host sticky buffer

Victor Julien [Fri, 23 Nov 2018 15:36:04 +0000 (16:36 +0100)] (6 years ago)
detect/http-hh: code cleanups

Victor Julien [Mon, 26 Nov 2018 10:01:03 +0000 (11:01 +0100)] (6 years ago)
detect/http_user_agent: move tests into tests/

Victor Julien [Sat, 24 Nov 2018 10:16:26 +0000 (11:16 +0100)] (6 years ago)
detect: add http.user_agent sticky buffer

Victor Julien [Fri, 23 Nov 2018 15:31:07 +0000 (16:31 +0100)] (6 years ago)
detect/http-ua: remove dead code

Victor Julien [Fri, 23 Nov 2018 15:28:40 +0000 (16:28 +0100)] (6 years ago)
detect/http-ua: test cleanups

Victor Julien [Tue, 27 Nov 2018 09:49:37 +0000 (10:49 +0100)] (6 years ago)
detect: add verbosity of --list-keywords

Add indicators of content modifier or sticky buffer, and also
allow registering an alternative to a keyword.

Victor Julien [Tue, 27 Nov 2018 09:03:48 +0000 (10:03 +0100)] (6 years ago)
detect: switch keyword flags u16

Victor Julien [Thu, 22 Nov 2018 11:57:32 +0000 (12:57 +0100)] (6 years ago)
detect/transform: add to_sha1 keyword

Victor Julien [Thu, 22 Nov 2018 11:44:34 +0000 (12:44 +0100)] (6 years ago)
detect/transform: add to_md5 keyword

Victor Julien [Wed, 28 Nov 2018 08:33:56 +0000 (09:33 +0100)] (6 years ago)
unittests: add signature parse test helper

Victor Julien [Mon, 17 Dec 2018 15:59:09 +0000 (16:59 +0100)] (6 years ago)
Open 5.0.0-dev branch

Victor Julien [Tue, 29 Jan 2019 10:40:57 +0000 (11:40 +0100)] (6 years ago)
log/stats: fix formatting of long decoder events

Victor Julien [Mon, 28 Jan 2019 15:55:59 +0000 (16:55 +0100)] (6 years ago)
userguide: improve stats logging documentation

Jingyu Yang [Mon, 24 Dec 2018 08:22:42 +0000 (16:22 +0800)] (6 years ago) [3625/head]
source-pcap: set PktAcqBreakLoop as pcap_breakloop

Victor Julien [Fri, 18 Jan 2019 14:03:39 +0000 (15:03 +0100)] (6 years ago)
stream: fix false negative on bad RST

If a bad RST was received the stream inspection would not happen
for that packet, but it would still move the 'raw progress' tracker
forward. Following good packets would then fail to detect anything
before the 'raw progress' position.

Bug #2770

Reported-by: Alexey Vishnyakov

Victor Julien [Thu, 24 Jan 2019 11:23:37 +0000 (12:23 +0100)] (6 years ago)
eve.stats: warn that output might miss decoder-events

Victor Julien [Thu, 24 Jan 2019 10:40:39 +0000 (11:40 +0100)] (6 years ago)
eve.stats: make decoder event prefix configurable

Victor Julien [Wed, 23 Jan 2019 20:18:59 +0000 (21:18 +0100)] (6 years ago)
eve: fix missing decoder-events in stats

In the eve log the decoder events are added as optional counters. This
behaviour is enabled by default. However, lots of the counters are
missing, as the names collide with other counters.

E.g.

decoder.ipv6 counts ipv6 packets
decoder.ipv6.unknown_next_header counts how often an unknown next
    header is encountered.

In this example 'ipv6' would be both a json integer and a json object.
It appears that jansson favours the first that is generated, so the
event counters are mostly missing.

This patch registers them as 'decoder.events.<event>' instead. As
these names are generated on the fly, a hash table to contain the
allocated strings was added as well.
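The collision the commit message describes, shown as an added example (this is not Suricata's or jansson's code). The nesting function is a model of "the first value generated for a name wins" when a dotted counter name is both a leaf and a prefix; the counter values are constructed, and the `decoder.events` prefix is the one the commit names, with the configurable-prefix parameter standing in for the option the following commit adds.

```python
"""
Added example, not Suricata's code: dotted stats counter names collide when
flattened counters are turned into nested JSON, and the
'decoder.events.<event>' prefix avoids the collision.
"""
import json
from typing import Any, Dict, List, Tuple


def nest_counters(counters: Dict[str, int]) -> Tuple[Dict[str, Any], List[str]]:
    """Turn {'a.b.c': n} into {'a': {'b': {'c': n}}}.

    Models 'first generated value wins': once a name holds an integer it
    cannot become an object (and vice versa), so the later registration
    is dropped. Returns the tree and the names that were lost.
    """
    root: Dict[str, Any] = {}
    dropped: List[str] = []
    for name, value in counters.items():
        *path, leaf = name.split(".")
        node: Any = root
        for part in path:
            child = node.get(part)
            if child is None:
                child = node[part] = {}
            elif not isinstance(child, dict):
                node = None          # an integer already sits where an object is needed
                break
            node = child
        if node is None or leaf in node:
            dropped.append(name)     # collision: the earlier registration is kept
            continue
        node[leaf] = value
    return root, dropped


def event_counter_name(event: str, prefix: str = "decoder.events") -> str:
    """Post-fix naming: 'ipv6.unknown_next_header' becomes
    'decoder.events.ipv6.unknown_next_header'. The prefix parameter models
    the configurable prefix; its name here is this example's assumption."""
    return f"{prefix}.{event}"


# Constructed counter values (not real Suricata output).
BEFORE = {
    "decoder.ipv6": 1200,                      # packet counter
    "decoder.ipv6.unknown_next_header": 3,     # decoder event, same prefix
    "decoder.ipv4": 5400,
}
AFTER = {
    "decoder.ipv6": 1200,
    event_counter_name("ipv6.unknown_next_header"): 3,
    "decoder.ipv4": 5400,
}

if __name__ == "__main__":
    for label, counters in (("before", BEFORE), ("after", AFTER)):
        tree, dropped = nest_counters(counters)
        print(label, json.dumps(tree), "dropped:", dropped)
```

Registering the event in either order loses one of the two counters: if the event is generated first, `decoder.ipv6` is already an object and the packet counter is dropped instead. Moving events under their own prefix is what makes the two names structurally disjoint.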

Victor Julien [Wed, 23 Jan 2019 21:02:25 +0000 (22:02 +0100)] (6 years ago)
hash: move string hash funcs into util files

Victor Julien [Wed, 23 Jan 2019 20:17:56 +0000 (21:17 +0100)] (6 years ago)
decoder: add gre over ipv6 support

Victor Julien [Tue, 22 Jan 2019 20:34:28 +0000 (21:34 +0100)] (6 years ago) [3621/head]
af-packet: minor code cleanups

Victor Julien [Tue, 22 Jan 2019 20:28:40 +0000 (21:28 +0100)] (6 years ago)
af-packet: re-enable sync for tpacket v2

Synchronize start was disabled for v2 when v3 was introduced, without
a reason being given.

Re-enable as v2 will otherwise also start reading packets before the
other threads are set up. This will lead to hashing issues.

Part of bug #2788.

Victor Julien [Tue, 22 Jan 2019 20:00:57 +0000 (21:00 +0100)] (6 years ago)
af-packet: fix sync start for tpacket v3

The tpacket-v3 implementation of the synchronize start logic would
not correctly consider the timestamp parameter, leading to threads
starting before synchronization between threads was complete.

Bug #2788

Alexander Gozman [Fri, 21 Dec 2018 16:16:29 +0000 (16:16 +0000)] (6 years ago)
nfqueue: inject fake packet on timeout

Fixes nfqueue and delayed-detect.

On systems with a small amount of traffic (or with no traffic at all),
nfqueue with 'delayed-detect' enabled hung in 'workers' mode.

Bug #2362.

Pascal Delalande [Wed, 9 Jan 2019 20:33:32 +0000 (21:33 +0100)] (6 years ago)
doc: fix minor typo

Eric Leblond [Thu, 27 Dec 2018 22:02:47 +0000 (23:02 +0100)] (6 years ago) [3602/head]
lua: add lua dir with example to make dist

Eric Leblond [Thu, 27 Dec 2018 22:01:43 +0000 (23:01 +0100)] (6 years ago)
coccinelle: add missing tests to make dist

Eric Leblond [Thu, 27 Dec 2018 20:49:31 +0000 (21:49 +0100)] (6 years ago)
util-binsearch: remove the files

Eric Leblond [Thu, 27 Dec 2018 20:44:09 +0000 (21:44 +0100)] (6 years ago)
doc: add _static dir to make dist

Eric Leblond [Thu, 27 Dec 2018 13:19:46 +0000 (14:19 +0100)] (6 years ago) [3601/head]
ebpf: include files in make dist

Victor Julien [Thu, 20 Dec 2018 17:57:46 +0000 (18:57 +0100)] (6 years ago) [tag: suricata-4.1.2]
changelog: update for 4.1.2 release

Victor Julien [Thu, 20 Dec 2018 08:11:21 +0000 (09:11 +0100)] (6 years ago) [3593/head]
smb: improve request/response mapping

Only use ssn_id and msg_id for mapping a response to a request.

By not using the tree_id it can always be included in the tx.hdr which
means it can be logged properly in case of IOCTL and DCERPC.

Travis Green [Thu, 20 Dec 2018 01:41:28 +0000 (18:41 -0700)] (6 years ago)
doc: add missing and fix 404 for --list-keywords

Travis Green [Thu, 20 Dec 2018 00:45:11 +0000 (17:45 -0700)] (6 years ago)
doc: added tos keyword

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2583

Philippe Antoine [Wed, 5 Dec 2018 09:22:18 +0000 (10:22 +0100)] (6 years ago) [3590/head]
Fixes other affected tests for smtp pipelining

Either checking that the state has pipelining,
or removing pipelining from the input.

Philippe Antoine [Wed, 5 Dec 2018 08:31:56 +0000 (09:31 +0100)] (6 years ago)
smtp: improve pipelining support

Fixes #1863

Victor Julien [Wed, 19 Dec 2018 10:49:42 +0000 (11:49 +0100)] (6 years ago)
proto/detect: workaround dns misdetected as dcerpc

The DCERPC UDP detection would misfire on DNS with transaction
ID 0x0400. This would happen as the protocol detection engine
gives preference to pattern based detection over probing parsers for
performance reasons.

This hack/workaround fixes this specific case by still running the
probing parser if DCERPC has been detected on UDP. The probing
parser result will take precedence.

Bug #2736.

Victor Julien [Wed, 19 Dec 2018 08:45:35 +0000 (09:45 +0100)] (6 years ago)
teredo: be stricter on what to consider valid teredo

Invalid Teredo can lead to valid DNS traffic (or other UDP traffic)
being misdetected as Teredo. This leads to false negatives in the
UDP payload inspection.

Make the teredo code only consider a packet teredo if the encapsulated
data was decoded without any 'invalid' events being set.

Bug #2736.

Victor Julien [Tue, 18 Dec 2018 20:08:19 +0000 (21:08 +0100)] (6 years ago)
detect: fix crash during startup with malformed yaml

detect-engine:
  custom-values:
    toclient-groups: 200
    toserver-groups: 200

Bug #2745

Victor Julien [Tue, 18 Dec 2018 15:01:19 +0000 (16:01 +0100)] (6 years ago) [3588/head]
userguide/install: add rust, python-yaml to ubuntu

Victor Julien [Sat, 15 Dec 2018 14:57:31 +0000 (15:57 +0100)] (6 years ago)
offloading: on bsd, disable rxcsum and v6 variants

Victor Julien [Sat, 15 Dec 2018 14:20:39 +0000 (15:20 +0100)] (6 years ago)
offloading: don't set multiple times per interface

This could happen with netmap igb0->igb0^ IPS mode.

Victor Julien [Mon, 17 Dec 2018 09:13:31 +0000 (10:13 +0100)] (6 years ago) [tag: suricata-4.1.1]
changelog: update for 4.1.1

Victor Julien [Thu, 13 Dec 2018 10:23:03 +0000 (11:23 +0100)] (6 years ago) [3584/head]
detect: fix content inspection flags

Fix generic inspect function content inspection flags so that
streaming buffers work correctly.

Victor Julien [Fri, 14 Dec 2018 09:22:39 +0000 (10:22 +0100)] (6 years ago)
detect/rawbytes: improve error message plus do minor cleanups

Victor Julien [Thu, 13 Dec 2018 10:16:04 +0000 (11:16 +0100)] (6 years ago)
detect/file-data: fix enabling http body tracking

Pierre Chifflier [Thu, 13 Dec 2018 19:30:29 +0000 (20:30 +0100)] (6 years ago) [3583/head]
Krb5: make TCP probing function less strict, messages can be fragmented

Victor Julien [Wed, 28 Nov 2018 09:02:57 +0000 (10:02 +0100)] (6 years ago) [3580/head]
detect/parse: error out on unused sticky buffers

Victor Julien [Tue, 27 Nov 2018 15:09:54 +0000 (16:09 +0100)] (6 years ago)
detect/prefilter: add closing debug return statement

Victor Julien [Mon, 10 Dec 2018 20:24:38 +0000 (21:24 +0100)] (6 years ago)
yaml: add missing eve pcap-file comment

Victor Julien [Mon, 10 Dec 2018 19:43:37 +0000 (20:43 +0100)] (6 years ago)
capture: fix mtu plus sign names for non-netmap

Bug #2502.

Victor Julien [Sat, 8 Dec 2018 17:51:23 +0000 (18:51 +0100)] (6 years ago) [3577/head]
stats: more accurate interval handling

In the stats loop sleep for a time period more closely matching
the stats.interval setting. Fix an off by one that would make
the loop wake up ~1 second early.

Bug #2716

Jason Ish [Fri, 7 Dec 2018 23:59:35 +0000 (17:59 -0600)] (6 years ago)
check-setup: fix script names for .sh to .py

Jason Ish [Fri, 7 Dec 2018 16:42:40 +0000 (10:42 -0600)] (6 years ago)
travis: update rust version to 1.24.1 and 1.31.0.

1.24.1 is now the oldest version we test support for. All major
distributions appear to be at this version or newer.

With the release of 1.31.0 just out, test that as the most
recent version.

Jason Ish [Fri, 7 Dec 2018 15:26:31 +0000 (09:26 -0600)] (6 years ago)
dns json v2 (C) - log rrtype in response

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2723

Jason Ish [Fri, 7 Dec 2018 15:25:56 +0000 (09:25 -0600)] (6 years ago)
rust/dns/v2 - log rrtype in response

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2723

Jason Ish [Fri, 7 Dec 2018 15:08:16 +0000 (09:08 -0600)] (6 years ago)
dns/rust - if let Some over options instead of loop.

Except in one case where the loop makes more sense for easy break
out.

Also remove one line of non-conforming debug logging.

Jason Ish [Thu, 6 Dec 2018 17:16:00 +0000 (11:16 -0600)] (6 years ago)
rust/dns/lua - fix call convention to match C.

Also, when requesting the query, if the request doesn't exist,
return the query from the response. This makes it behave
more like the C implementation.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2730

Jason Ish [Mon, 3 Dec 2018 16:34:36 +0000 (10:34 -0600)] (6 years ago)
rust/dns: add v1 dns logging

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2704