]>
git.ipfire.org Git - thirdparty/suricata.git/log
Victor Julien [Thu, 13 Dec 2018 09:21:41 +0000 (10:21 +0100)]
detect/file-data: minor cleanups and clarifications
Victor Julien [Thu, 13 Dec 2018 09:07:58 +0000 (10:07 +0100)]
detect/http-server-body: code cleanup and test cleanups
Victor Julien [Thu, 13 Dec 2018 06:59:20 +0000 (07:59 +0100)]
detect/http-client-body: code cleanups and test cleanups
Victor Julien [Tue, 11 Dec 2018 09:01:31 +0000 (10:01 +0100)]
detect: add http.header.raw sticky buffer keyword
Add parsing tests as well.
Victor Julien [Tue, 11 Dec 2018 06:26:22 +0000 (07:26 +0100)]
detect/http_raw_header: move tests into tests/
Victor Julien [Thu, 29 Nov 2018 07:31:06 +0000 (08:31 +0100)]
detect/http_raw_header: use inspect v2 api
Victor Julien [Thu, 29 Nov 2018 06:08:12 +0000 (07:08 +0100)]
detect/http_raw_header: minor code cleanups
Victor Julien [Wed, 28 Nov 2018 09:04:54 +0000 (10:04 +0100)]
detect: add http.header sticky buffer keyword
Victor Julien [Wed, 28 Nov 2018 08:34:25 +0000 (09:34 +0100)]
detect/http_header: convert parsing tests to use helper
Victor Julien [Wed, 28 Nov 2018 07:53:41 +0000 (08:53 +0100)]
detect/http_header: move tests into tests/
Victor Julien [Tue, 27 Nov 2018 13:42:34 +0000 (14:42 +0100)]
detect/http_header: inspect v2 api
Victor Julien [Tue, 27 Nov 2018 15:09:14 +0000 (16:09 +0100)]
detect/http_header: test cleanups
Victor Julien [Tue, 27 Nov 2018 13:39:58 +0000 (14:39 +0100)]
detect/http_header: remove unused func args
Victor Julien [Tue, 27 Nov 2018 11:02:56 +0000 (12:02 +0100)]
detect: add http.cookie sticky buffer keyword
Victor Julien [Tue, 27 Nov 2018 10:53:21 +0000 (11:53 +0100)]
detect/http_cookie: move tests into tests/
Victor Julien [Tue, 27 Nov 2018 10:43:24 +0000 (11:43 +0100)]
detect/http_cookie: switch to inspect v2 api
Victor Julien [Tue, 27 Nov 2018 10:18:14 +0000 (11:18 +0100)]
detect/http_cookie: minor cleanups
Victor Julien [Tue, 27 Nov 2018 09:50:51 +0000 (10:50 +0100)]
detect/http_user_agent: set alternative and info flags
Victor Julien [Mon, 26 Nov 2018 12:34:16 +0000 (13:34 +0100)]
detect: add http.stat_code sticky buffer keyword
Victor Julien [Mon, 26 Nov 2018 12:13:59 +0000 (13:13 +0100)]
detect/http_stat_code: move tests into tests/
Victor Julien [Mon, 26 Nov 2018 12:02:12 +0000 (13:02 +0100)]
detect/http_stat_code: use inspect v2 api
Victor Julien [Mon, 26 Nov 2018 11:55:16 +0000 (12:55 +0100)]
detect/http_stat_code: minor code cleanups
Victor Julien [Mon, 26 Nov 2018 11:23:42 +0000 (12:23 +0100)]
detect: add http.stat_msg sticky buffer keyword
Victor Julien [Mon, 26 Nov 2018 11:06:55 +0000 (12:06 +0100)]
detect/http_stat_msg: move tests to tests/
Victor Julien [Mon, 26 Nov 2018 10:38:35 +0000 (11:38 +0100)]
detect/http_stat_msg: switch to inspect v2
Victor Julien [Mon, 26 Nov 2018 10:17:53 +0000 (11:17 +0100)]
detect/http_stat_msg: minor code cleanups
Victor Julien [Sun, 25 Nov 2018 17:33:01 +0000 (18:33 +0100)]
detect: add http.host.raw sticky buffer
Victor Julien [Sun, 25 Nov 2018 17:24:12 +0000 (18:24 +0100)]
detect/http_raw_host: move raw into regular host logic
Victor Julien [Sun, 25 Nov 2018 16:33:08 +0000 (17:33 +0100)]
detect/http_host: move tests into tests/
Victor Julien [Sun, 25 Nov 2018 16:20:58 +0000 (17:20 +0100)]
detect/http_raw_host: use inspect v2 api
Victor Julien [Sun, 25 Nov 2018 15:54:50 +0000 (16:54 +0100)]
detect/http_raw_host: minor cleanups
Victor Julien [Sun, 25 Nov 2018 15:44:54 +0000 (16:44 +0100)]
detect/http_method: add http.method sticky buffer
Victor Julien [Sun, 25 Nov 2018 15:40:49 +0000 (16:40 +0100)]
detect/http_method: move all tests into tests/
Victor Julien [Sun, 25 Nov 2018 15:31:05 +0000 (16:31 +0100)]
detect/http_method: use inspect v2 api
Victor Julien [Sun, 25 Nov 2018 15:26:51 +0000 (16:26 +0100)]
detect/http_method: minor cleanups
Victor Julien [Sun, 25 Nov 2018 11:05:24 +0000 (12:05 +0100)]
detect/http: add http.uri.raw sticky buffer keyword
Victor Julien [Sun, 25 Nov 2018 10:53:15 +0000 (11:53 +0100)]
detect/http_raw_uri: code reorganization
Move registration into http_uri logic, move tests into the other uri
tests. Switch to v2 mpm/inspect APIs.
Victor Julien [Sun, 25 Nov 2018 10:43:10 +0000 (11:43 +0100)]
detect/http_raw_uri: small cleanups
Victor Julien [Sun, 25 Nov 2018 10:39:28 +0000 (11:39 +0100)]
detect/http-uri: move tests into tests/
Victor Julien [Mon, 26 Nov 2018 14:25:04 +0000 (15:25 +0100)]
detect: add http.uri sticky buffer keyword
Victor Julien [Sat, 24 Nov 2018 11:06:43 +0000 (12:06 +0100)]
detect: add http.host sticky buffer
Victor Julien [Fri, 23 Nov 2018 15:36:04 +0000 (16:36 +0100)]
detect/http-hh: code cleanups
Victor Julien [Mon, 26 Nov 2018 10:01:03 +0000 (11:01 +0100)]
detect/http_user_agent: move tests into tests/
Victor Julien [Sat, 24 Nov 2018 10:16:26 +0000 (11:16 +0100)]
detect: add http.user_agent sticky buffer
Victor Julien [Fri, 23 Nov 2018 15:31:07 +0000 (16:31 +0100)]
detect/http-ua: remove dead code
Victor Julien [Fri, 23 Nov 2018 15:28:40 +0000 (16:28 +0100)]
detect/http-ua: test cleanups
Victor Julien [Tue, 27 Nov 2018 09:49:37 +0000 (10:49 +0100)]
detect: add verbosity of --list-keywords
Add indicators of content modifier or sticky buffer, and also
allow registering an alternative to a keyword.
Victor Julien [Tue, 27 Nov 2018 09:03:48 +0000 (10:03 +0100)]
detect: switch keyword flags u16
Victor Julien [Thu, 22 Nov 2018 11:57:32 +0000 (12:57 +0100)]
detect/transform: add to_sha1 keyword
Victor Julien [Thu, 22 Nov 2018 11:44:34 +0000 (12:44 +0100)]
detect/transform: add to_md5 keyword
Victor Julien [Wed, 28 Nov 2018 08:33:56 +0000 (09:33 +0100)]
unittests: add signature parse test helper
Victor Julien [Mon, 17 Dec 2018 15:59:09 +0000 (16:59 +0100)]
Open 5.0.0-dev branch
Victor Julien [Tue, 29 Jan 2019 10:40:57 +0000 (11:40 +0100)]
log/stats: fix formatting of long decoder events
Victor Julien [Mon, 28 Jan 2019 15:55:59 +0000 (16:55 +0100)]
userguide: improve stats logging documentation
Jingyu Yang [Mon, 24 Dec 2018 08:22:42 +0000 (16:22 +0800)]
source-pcap:set PktAcqBreakLoop as pcap_breakloop
Victor Julien [Fri, 18 Jan 2019 14:03:39 +0000 (15:03 +0100)]
stream: fix false negative on bad RST
If a bad RST was received the stream inspection would not happen
for that packet, but it would still move the 'raw progress' tracker
forward. Following good packets would then fail to detect anything
before the 'raw progress' position.
Bug #2770
Reported-by: Alexey Vishnyakov
Victor Julien [Thu, 24 Jan 2019 11:23:37 +0000 (12:23 +0100)]
eve.stats: warn that output might miss decoder-events
Victor Julien [Thu, 24 Jan 2019 10:40:39 +0000 (11:40 +0100)]
eve.stats: make decoder event prefix configurable
Victor Julien [Wed, 23 Jan 2019 20:18:59 +0000 (21:18 +0100)]
eve: fix missing decoder-events in stats
In the eve log the decoder events are added as optional counters. This
behaviour is enabled by default. However, lots of the counters are
missing, as the names colide with other counters.
E.g.
decoder.ipv6 counts ipv6 packets
decoder.ipv6.unknown_next_header counts how often an unknown next
header is encountered.
In this example 'ipv6' would be both a json integer and a json object.
It appears that jansson favours the first that is generated, so the
event counters are mostly missing.
This patch registers them as 'decoder.events.<event>' instead. As
these names are generated on the fly, a hash table to contain the
allocated strings was added as well.
Victor Julien [Wed, 23 Jan 2019 21:02:25 +0000 (22:02 +0100)]
hash: move string hash funcs into util files
Victor Julien [Wed, 23 Jan 2019 20:17:56 +0000 (21:17 +0100)]
decoder: add gre over ipv6 support
Victor Julien [Tue, 22 Jan 2019 20:34:28 +0000 (21:34 +0100)]
af-packet: minor code cleanups
Victor Julien [Tue, 22 Jan 2019 20:28:40 +0000 (21:28 +0100)]
af-packet: re-enable sync for tpacket v2
Synchronize start was disabled for v2 when v3 was introduced, without
a reason being given.
Re-enable as v2 will otherwise also start reading packets before the
other threads are set up. This will lead to hashing issues.
Part of bug #2788.
Victor Julien [Tue, 22 Jan 2019 20:00:57 +0000 (21:00 +0100)]
af-packet: fix sync start for tpacket v3
The tpacket-v3 implementation of the synchonize start logic would
not correctly consider the timestamp parameter, leading to threads
starting before synchronization between threads was complete.
Bug #2788
Alexander Gozman [Fri, 21 Dec 2018 16:16:29 +0000 (16:16 +0000)]
nfqueue: inject fake packet on timeout
Fixes nfqueue and delayed-detect.
On systems with small amount of traffic (or with no traffic at all)
nfqueue with 'delayed-detect' enabled hanged in 'workers' mode.
Bug #2362.
Pascal Delalande [Wed, 9 Jan 2019 20:33:32 +0000 (21:33 +0100)]
doc: fix minor typo
Eric Leblond [Thu, 27 Dec 2018 22:02:47 +0000 (23:02 +0100)]
lua: add lua dir with example to make dist
Eric Leblond [Thu, 27 Dec 2018 22:01:43 +0000 (23:01 +0100)]
coccinelle: add missing tests to make dist
Eric Leblond [Thu, 27 Dec 2018 20:49:31 +0000 (21:49 +0100)]
util-binsearch: remove the files
Eric Leblond [Thu, 27 Dec 2018 20:44:09 +0000 (21:44 +0100)]
doc: add _static dir to make dist
Eric Leblond [Thu, 27 Dec 2018 13:19:46 +0000 (14:19 +0100)]
ebpf: include files in make dist
Victor Julien [Thu, 20 Dec 2018 17:57:46 +0000 (18:57 +0100)]
changelog: update for 4.1.2 release
Victor Julien [Thu, 20 Dec 2018 08:11:21 +0000 (09:11 +0100)]
smb: improve request/response mapping
Only use ssn_id and msg_id for mapping a response to a request.
By not using the tree_id it can always be included in the tx.hdr which
means it can be logged properly in case of IOCTL and DCERPC.
Travis Green [Thu, 20 Dec 2018 01:41:28 +0000 (18:41 -0700)]
doc: add missing and fix 404 for --list-keywords
Travis Green [Thu, 20 Dec 2018 00:45:11 +0000 (17:45 -0700)]
doc: added tos keyword
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2583
Philippe Antoine [Wed, 5 Dec 2018 09:22:18 +0000 (10:22 +0100)]
Fixes other affected tests for smtp pipelining
Either checking state has pipelining
Or removing pipelining from input
Philippe Antoine [Wed, 5 Dec 2018 08:31:56 +0000 (09:31 +0100)]
smtp: improve pipelining support
Fixes #1863
Victor Julien [Wed, 19 Dec 2018 10:49:42 +0000 (11:49 +0100)]
proto/detect: workaround dns misdetected as dcerpc
The DCERPC UDP detection would misfire on DNS with transaction
ID 0x0400. This would happen as the protocol detection engine
gives preference to pattern based detection over probing parsers for
performance reasons.
This hack/workaround fixes this specific case by still running the
probing parser if DCERPC has been detected on UDP. The probing
parser result will take precedence.
Bug #2736.
Victor Julien [Wed, 19 Dec 2018 08:45:35 +0000 (09:45 +0100)]
teredo: be stricter on what to consider valid teredo
Invalid Teredo can lead to valid DNS traffic (or other UDP traffic)
being misdetected as Teredo. This leads to false negatives in the
UDP payload inspection.
Make the teredo code only consider a packet teredo if the encapsulated
data was decoded without any 'invalid' events being set.
Bug #2736.
Victor Julien [Tue, 18 Dec 2018 20:08:19 +0000 (21:08 +0100)]
detect: fix crash during startup with malformed yaml
detect-engine:
custom-values:
toclient-groups: 200
toserver-groups: 200
Bug #2745
Victor Julien [Tue, 18 Dec 2018 15:01:19 +0000 (16:01 +0100)]
userguide/install: add rust, python-yaml to ubuntu
Victor Julien [Sat, 15 Dec 2018 14:57:31 +0000 (15:57 +0100)]
offloading: on bsd, disable rxcsum and v6 variants
Victor Julien [Sat, 15 Dec 2018 14:20:39 +0000 (15:20 +0100)]
offloading: don't set multiple times per interface
This could happen with netmap igb0->igb0^ IPS mode.
Victor Julien [Mon, 17 Dec 2018 09:13:31 +0000 (10:13 +0100)]
changelog: update for 4.1.1
Victor Julien [Thu, 13 Dec 2018 10:23:03 +0000 (11:23 +0100)]
detect: fix content inspection flags
Fix generic inspect function content inspection flags so that
streaming buffers work correctly.
Victor Julien [Fri, 14 Dec 2018 09:22:39 +0000 (10:22 +0100)]
detect/rawbytes: improve error message plus do minor cleanups
Victor Julien [Thu, 13 Dec 2018 10:16:04 +0000 (11:16 +0100)]
detect/file-data: fix enabling http body tracking
Pierre Chifflier [Thu, 13 Dec 2018 19:30:29 +0000 (20:30 +0100)]
Krb5: make TCP probing function less strict, messages can be fragmented
Victor Julien [Wed, 28 Nov 2018 09:02:57 +0000 (10:02 +0100)]
detect/parse: error out on unused sticky buffers
Victor Julien [Tue, 27 Nov 2018 15:09:54 +0000 (16:09 +0100)]
detect/prefilter: add closing debug return statement
Victor Julien [Mon, 10 Dec 2018 20:24:38 +0000 (21:24 +0100)]
yaml: add missing eve pcap-file comment
Victor Julien [Mon, 10 Dec 2018 19:43:37 +0000 (20:43 +0100)]
capture: fix mtu plus sign names for non-netmap
Bug #2502.
Victor Julien [Sat, 8 Dec 2018 17:51:23 +0000 (18:51 +0100)]
stats: more accurate interval handling
In the stats loop sleep for a time period more closely matching
the stats.interval setting. Fix an off by one that would make
the loop wake up ~1 second early.
Bug #2716
Jason Ish [Fri, 7 Dec 2018 23:59:35 +0000 (17:59 -0600)]
check-setup: fix script names for .sh to .py
Jason Ish [Fri, 7 Dec 2018 16:42:40 +0000 (10:42 -0600)]
travis: update rust version to 1.24.1 and 1.31.0.
1.24.1 is now the oldest version we test support for. All major
distributions appear to be at this version or new.
With the release of 1.31.0 just out, test that as the most
recent version.
Jason Ish [Fri, 7 Dec 2018 15:26:31 +0000 (09:26 -0600)]
dns json v2 (C) - log rrtype in response
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2723
Jason Ish [Fri, 7 Dec 2018 15:25:56 +0000 (09:25 -0600)]
rust/dns/v2 - log rrtype in response
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2723
Jason Ish [Fri, 7 Dec 2018 15:08:16 +0000 (09:08 -0600)]
dns/rust - if let Some over options instead of loop.
Except in one case where the loop makes more sense for easy break
out.
Also remove one line of non-conforming debug logging.
Jason Ish [Thu, 6 Dec 2018 17:16:00 +0000 (11:16 -0600)]
rust/dns/lua - fix call convention to match C.
Also, when requesting the query, if the request doesn't exist,
return the query from the response. This makes it behave
more like C implementation.
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2730
Jason Ish [Mon, 3 Dec 2018 16:34:36 +0000 (10:34 -0600)]
rust/dns: add v1 dns logging
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2704