git.ipfire.org Git - thirdparty/suricata.git/log
DIALLO David [Mon, 15 Dec 2014 16:53:34 +0000 (17:53 +0100)]
fix Cygwin build fails: array subscript has type char
DIALLO David [Mon, 15 Dec 2014 16:37:04 +0000 (17:37 +0100)]
Add a warning in Modbus section of YAML file to remind user to modify stream depth (unlimited)
DIALLO David [Mon, 15 Dec 2014 15:51:11 +0000 (16:51 +0100)]
Update AppLayerProtoDetectPrintProbingParsers with Modbus protocol
DIALLO David [Mon, 15 Dec 2014 15:45:39 +0000 (16:45 +0100)]
fix CID 1257762: Logically dead code (DEADCODE)
Eric Leblond [Fri, 12 Dec 2014 09:10:46 +0000 (10:10 +0100)]
suricatasc: exit with error if command returns NOK
Eric Leblond [Thu, 11 Dec 2014 19:01:59 +0000 (20:01 +0100)]
suricatasc: now python 2 and 3 compatible
Update code to support both python 2 and python 3.
Victor Julien [Thu, 11 Dec 2014 13:49:17 +0000 (14:49 +0100)]
unix-socket: allow socket in custom locations
Allow the socket to be set in any location. This allows for easy
setting up of a socket as a non-root user.
Victor Julien [Thu, 11 Dec 2014 13:21:45 +0000 (14:21 +0100)]
unix-socket: fix restart/shutdown cycle
When cleaning up after a pcap was processed, the stats api was cleaned
up before the stats threads were killed, leading to a BUG_ON triggering.
Ken Steele [Wed, 3 Dec 2014 21:42:01 +0000 (16:42 -0500)]
Fix indentation
Ken Steele [Wed, 3 Dec 2014 20:55:22 +0000 (15:55 -0500)]
Fix memory leak in ac-tile
Incorrectly reallocing the goto table after it was freed by calling
SCACTileReallocState() when we really only want to realloc the output table.
This was causing a large goto table to be allocated and never used or
freed.
Ken Steele [Wed, 3 Dec 2014 20:35:38 +0000 (15:35 -0500)]
Clean up memory leaks in ac-tile code
Free some memory at exit that was not getting freed.
Change pid_pat_list to store copy of case-strings in the same block
of memory as the array of pointers.
Ken Steele [Wed, 5 Nov 2014 16:43:40 +0000 (11:43 -0500)]
Make bad copy-mode be an error in runmode-tile.
Victor Julien [Fri, 5 Dec 2014 13:32:56 +0000 (14:32 +0100)]
Bug 1329: error out on invalid rule protocol
Due to a logic error in AppLayerProtoDetectGetProtoByName invalid
protocols would not be detected as such. Instead of ALPROTO_UNKNOWN
ALPROTO_MAX was returned.
Bug #1329
Eric Leblond [Mon, 8 Dec 2014 13:49:16 +0000 (14:49 +0100)]
unix-manager: fix cppcheck errors
This patch fixes the following errors:
[src/unix-manager.c:306]: (error) Memory pointed to by 'client' is freed twice.
[src/unix-manager.c:313]: (error) Memory pointed to by 'client' is freed twice.
[src/unix-manager.c:323]: (error) Memory pointed to by 'client' is freed twice.
[src/unix-manager.c:334]: (error) Memory pointed to by 'client' is freed twice.
Unix manager was treating the packet after closing the socket if message was
too long.
Victor Julien [Wed, 10 Dec 2014 16:31:57 +0000 (17:31 +0100)]
stream: don't send EOF to AppLayer too soon
Sending EOF too soon results in the AppLayer cleaning up prematurely.
Victor Julien [Thu, 20 Nov 2014 13:31:34 +0000 (14:31 +0100)]
ipv6: check for MLD messages with HL not 1
MLD messages should have a hop limit of 1 only. All others are invalid.
Written at MLD talk of Enno Rey, Antonios Atlasis & Jayson Salazar during
Deepsec 2014.
Ken Steele [Wed, 19 Nov 2014 18:48:41 +0000 (13:48 -0500)]
Correct flow memory usage bookkeeping error
Fix bug 1321 where flow_memuse was incremented more on allocation than
free.
Victor Julien [Thu, 20 Nov 2014 13:18:03 +0000 (14:18 +0100)]
Bug 977: -T / --init-errors-fatal to process all rules
Have -T / --init-errors-fatal process all rules so that it's easier
to debug problems in ruleset. Otherwise it can be a lengthy fix, test
error cycle if multiple rules have issues.
Convert empty rulefile error into a warning.
Bug #977
Victor Julien [Fri, 5 Dec 2014 09:17:15 +0000 (10:17 +0100)]
afpacket: only check offloading once per iface
Instead of once per thread per iface.
Victor Julien [Fri, 5 Dec 2014 09:16:48 +0000 (10:16 +0100)]
ioctl: make all string args const pointers
Victor Julien [Wed, 3 Dec 2014 15:08:19 +0000 (16:08 +0100)]
http: don't crash when normalizing uri on low memory
Victor Julien [Wed, 3 Dec 2014 15:07:00 +0000 (16:07 +0100)]
defrag: don't crash when out of memory
Handle memory allocation errors in defrag better. Could lead to
crashes if malloc errors happened.
Eric Leblond [Thu, 4 Dec 2014 16:58:25 +0000 (17:58 +0100)]
af-packet: no more threads than RSS queues
If we manage to read the number of RSS queues from an interface,
this means that the optimal number of capture threads is equal
to the minimum of this number and of the number of cores on the
system.
This patch implements this logic thanks to the newly introduced
function GetIfaceRSSQueuesNum.
Eric Leblond [Thu, 4 Dec 2014 17:11:22 +0000 (18:11 +0100)]
util-ioctl: add message in case of failure
Eric Leblond [Thu, 4 Dec 2014 16:49:31 +0000 (17:49 +0100)]
util-ioctl: Add function to get number of RSS queues on iface
The number of RSS queues can be fetched via a standard ioctl which
is independent of hardware.
Victor Julien [Thu, 4 Dec 2014 16:01:02 +0000 (17:01 +0100)]
af-packet: threads: auto, default to workers
Add a new default value for the 'threads:' setting in af-packet: "auto".
This will create as many capture threads as there are cores.
Default runmode of af-packet to workers.
Victor Julien [Thu, 4 Dec 2014 15:46:51 +0000 (16:46 +0100)]
Runmode: handle value 'auto'
Auto now selects the default runmode for the capture method.
Victor Julien [Thu, 4 Dec 2014 15:42:55 +0000 (16:42 +0100)]
threading: remove '1slot' functions
No longer in use after the 'auto' runmode removal.
All runmodes now use either varslot or pktacqloop support.
Victor Julien [Thu, 4 Dec 2014 15:39:13 +0000 (16:39 +0100)]
Runmodes: remove 'auto' runmodes
Remove 'auto' runmodes from all capture methods. It wasn't reliable
enough, as it didn't enforce inspection order of packets.
Victor Julien [Wed, 3 Dec 2014 12:22:46 +0000 (13:22 +0100)]
log-stats: expand membuffer if necessary
Many threads could lead to a membuffer size requirement bigger than
64k. So use the expansion call to grow the buffer as needed.
Victor Julien [Wed, 3 Dec 2014 12:09:15 +0000 (13:09 +0100)]
MemBuffer: add expansion call
For some of the buffer users it's hard to predict how big the data
will be. In the stats.log case this depends on chosen runmode and
number of threads.
To deal with this case a 'MemBufferExpand' call is added. This realloc's
the buffer.
Victor Julien [Tue, 4 Nov 2014 08:17:10 +0000 (09:17 +0100)]
stats: expose stats to Lua output
Register with type 'stats':
function init (args)
local needs = {}
needs["type"] = "stats"
return needs
end
The stats are passed as an array of tables:
{ 1, { name=<name>, tmname=<tm_name>, value=<value>, pvalue=<pvalue>}}
{ 2, { name=<name>, tmname=<tm_name>, value=<value>, pvalue=<pvalue>}}
etc
Name is the counter name (e.g. decoder.invalid), tm_name is the thread name
(e.g. AFPacketeth05), value is current value, and pvalue is the value of the
last time the script was invoked.
Victor Julien [Mon, 3 Nov 2014 12:30:14 +0000 (13:30 +0100)]
output streaming: cleanup at runmode destruction
Victor Julien [Mon, 3 Nov 2014 12:00:26 +0000 (13:00 +0100)]
stats: disable stats if no loggers are enabled
Victor Julien [Tue, 4 Nov 2014 09:34:28 +0000 (10:34 +0100)]
stats: initialize after outputs
Initialize stats after outputs so that we can check if we need to
initialize the stats api at all.
Victor Julien [Mon, 3 Nov 2014 11:27:09 +0000 (12:27 +0100)]
stats: introduce global config
As the stats api calls the loggers at a global interval, the global
interval should be configured globally.
# global stats configuration
stats:
enabled: yes
# The interval field (in seconds) controls at what interval
# the loggers are invoked.
interval: 8
If this config isn't found, the old config will be supported.
Victor Julien [Fri, 31 Oct 2014 22:37:04 +0000 (23:37 +0100)]
Introduce stats log API, convert existing output
Convert regular 'stats.log' output to this new API.
In addition to the current stats value, also give the last value. This
makes it easy to display the difference.
Victor Julien [Mon, 1 Dec 2014 09:36:52 +0000 (10:36 +0100)]
pcre: fix var capture for non relative matches
Var capture setup depended on the match being relative due to a logic
error.
Giuseppe Longo [Wed, 5 Nov 2014 11:16:18 +0000 (12:16 +0100)]
pfring: fixes memleaks
This fixes some memory leaks
Bug #1184
Victor Julien [Sat, 15 Nov 2014 15:46:21 +0000 (16:46 +0100)]
lua: in streaming api, indicate open/close
The SCStreamingBuffer call now also returns two booleans:
data, data_open, data_close = SCStreamingBuffer()
The first indicates this is the first data of this type for this
TCP session or HTTP transaction.
The second indicates this is the last data.
Ticket #1317.
Ken Steele [Mon, 10 Nov 2014 20:07:34 +0000 (15:07 -0500)]
Update copyright year in detect-flowbits files.
Ken Steele [Mon, 10 Nov 2014 20:01:36 +0000 (15:01 -0500)]
DetectFlowintData - remove unused idx in TargetVar.
The idx inside TargetVar inside DetectFlowintData is never used, so remove
it.
Ken Steele [Mon, 10 Nov 2014 19:48:29 +0000 (14:48 -0500)]
Fix bug in DetectFlowintParse() - Assigning to both parts of a Union
sfd->target.value was always being set, even if the targettype was
not FLOWINT_TARGET_VAL. This would cause the tvar to be overwritten
with garbage data.
Ken Steele [Mon, 10 Nov 2014 19:46:11 +0000 (14:46 -0500)]
Don't write target.tvar.idx in DetectFlowintParse
Match functions should not be writing to the SigMatch context. So just use
a local variable instead.
Ken Steele [Fri, 7 Nov 2014 16:33:38 +0000 (11:33 -0500)]
Remove an unused define COUNTER_DETECT_ALERTS
The only place this exists in the code is when it is defined.
Ken Steele [Fri, 7 Nov 2014 15:50:23 +0000 (10:50 -0500)]
Coding style cleanup in detect-modbus files.
Ken Steele [Wed, 5 Nov 2014 20:07:06 +0000 (15:07 -0500)]
Correct size increase in SigGroupHeadStore()
The code was increasing the size of the allocated memory by 16, but
only increasing the stored size by 10. Now uses one variable for both
places.
DIALLO David [Tue, 22 Jul 2014 07:49:58 +0000 (09:49 +0200)]
Detect-engine: Add Modbus detection engine
Management of Modbus Tx
Based on DNS source code.
Signed-off-by: David DIALLO <diallo@et.esia.fr>
DIALLO David [Thu, 14 Aug 2014 14:53:30 +0000 (16:53 +0200)]
Detect: Add Modbus keyword management
Add the modbus.function (and subfunction) keywords for public function match in rules (Modbus layer).
Matching based on code function, and if necessary, sub-function code
or based on category (assigned, unassigned, public, user or reserved)
and negation is permitted.
Add the modbus.access keyword for read/write Modbus function match in rules (Modbus layer).
Matching based on access type (read or write),
and/or function type (discretes, coils, input or holding)
and, if necessary, read or write address access,
and, if necessary, value to write.
For address and value matching, "<", ">" and "<>" is permitted.
Based on TLS source code and file size source code (address and value matching).
Signed-off-by: David DIALLO <diallo@et.esia.fr>
DIALLO David [Wed, 23 Jul 2014 09:12:59 +0000 (11:12 +0200)]
App-layer: Add Modbus protocol parser
Decodes Modbus request and response messages, and extracts
MODBUS Application Protocol header and the code function.
In case of read/write function, extracts message contents
(read/write address, quantity, count, data to write).
Links request and response messages in a transaction according to
Transaction Identifier (transaction management based on DNS source code).
MODBUS Messaging on TCP/IP Implementation Guide V1.0b
(http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf)
MODBUS Application Protocol Specification V1.1b3
(http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf)
Based on DNS source code.
Signed-off-by: David DIALLO <diallo@et.esia.fr>
Victor Julien [Thu, 6 Nov 2014 09:39:53 +0000 (10:39 +0100)]
Update Changelog for 2.1beta2 release
Christophe M [Tue, 29 Jul 2014 14:20:34 +0000 (16:20 +0200)]
Fix to output a JSON buffer to an Unix domain socket.
Create the JSON buffer and write to it like regular file.
Upper function SCConfLogOpenGeneric already handle it properly.
Closes issue #1246.
Victor Julien [Fri, 31 Oct 2014 13:56:14 +0000 (14:56 +0100)]
Fix Coverity issue in SMTP output
** CID 1250327: Uninitialized pointer read (UNINIT)
/src/output-json-email-common.c: 117 in JsonEmailLogJson()
/src/output-json-email-common.c: 139 in JsonEmailLogJson()
Victor Julien [Fri, 31 Oct 2014 13:53:38 +0000 (14:53 +0100)]
smtp: don't create a new tx for rset/quit
A tx is considered complete after the data command completed. However,
this would lead to RSET and QUIT commands setting up a new tx.
This patch simply adds a check that refuses to setup a new tx when these
commands are encountered after the data portion is complete.
Victor Julien [Fri, 31 Oct 2014 12:41:39 +0000 (13:41 +0100)]
filestore: fix crash if keyword setup fails
SigMatch would be added to list, then the alproto check failed, leading
to freeing of sm. But as it was still in the list, the list now contained
a dangling pointer.
Victor Julien [Thu, 30 Oct 2014 17:23:15 +0000 (18:23 +0100)]
mime: fix output issues
When multiple email addresses were in the 'to' field, sometimes
they would be logged as "\r\n \"Name\" <email>".
The \r\n was added by GetFullValue in the mime decoder, for unknown
reasons. Disabling this seems to have no drawbacks.
Victor Julien [Tue, 28 Oct 2014 19:03:32 +0000 (20:03 +0100)]
mime: fix compiler warning
Victor Julien [Tue, 28 Oct 2014 17:56:28 +0000 (18:56 +0100)]
mime: improve error checking
Victor Julien [Tue, 28 Oct 2014 17:26:38 +0000 (18:26 +0100)]
smtp: fix SMTPParserTest14 on 32bit
Victor Julien [Tue, 28 Oct 2014 17:25:33 +0000 (18:25 +0100)]
smtp: improve ProcessDataChunk error checking
Victor Julien [Tue, 28 Oct 2014 16:45:52 +0000 (17:45 +0100)]
smtp: expand tx use
Instead of just using TX for mime decoding, it is now also used for
tracking decoder events.
Victor Julien [Tue, 28 Oct 2014 09:45:21 +0000 (10:45 +0100)]
output-filedata: close files even w/o data
If there is no data chunk but the file is closed/truncated anyway,
logging is still required.
Victor Julien [Tue, 28 Oct 2014 09:41:32 +0000 (10:41 +0100)]
smtp: register file truncate callback
Tag files as truncated from this callback so storing/logging displays
the correct info.
Victor Julien [Mon, 27 Oct 2014 22:59:49 +0000 (23:59 +0100)]
smtp: convert logger to tx logger
Move from packet logger to tx logger.
Victor Julien [Mon, 27 Oct 2014 22:59:11 +0000 (23:59 +0100)]
smtp: add file inspection engine
Fix file inspection engine.
TODO: test
Victor Julien [Mon, 27 Oct 2014 22:57:56 +0000 (23:57 +0100)]
smtp: make TX aware
Store mime decoding context per transaction. For this the parser
creates a TX when the mime body decoding starts.
Victor Julien [Mon, 27 Oct 2014 15:14:09 +0000 (16:14 +0100)]
mime: redo PrintChars using PrintRawDataFp
Victor Julien [Mon, 27 Oct 2014 08:18:31 +0000 (09:18 +0100)]
decode mime: refactor & cleanup
Partly to work around cppchecks:
[src/util-decode-mime.c:1085]: (error) Memory leak: url
Victor Julien [Sat, 25 Oct 2014 15:44:57 +0000 (17:44 +0200)]
mime: rename mime-decode.[ch] to util-decode-mime.[ch]
Victor Julien [Sat, 25 Oct 2014 15:36:56 +0000 (17:36 +0200)]
mime: style updates
Victor Julien [Sat, 25 Oct 2014 15:30:09 +0000 (17:30 +0200)]
mime decode: reshuffle data structures to reduce structure sizes
Victor Julien [Sat, 25 Oct 2014 14:59:15 +0000 (16:59 +0200)]
output smtp: fix call
Victor Julien [Sat, 25 Oct 2014 14:46:01 +0000 (16:46 +0200)]
decode mime: clean up includes
Victor Julien [Sat, 25 Oct 2014 14:22:40 +0000 (16:22 +0200)]
mime decode: improve MimeDecParseLineTest01 and MimeDecParseLineTest02 tests
Victor Julien [Sat, 25 Oct 2014 14:16:54 +0000 (16:16 +0200)]
decode mime: fix scan-build issues
Victor Julien [Sat, 25 Oct 2014 13:25:46 +0000 (15:25 +0200)]
mime decode: fix memory leak
Victor Julien [Sat, 25 Oct 2014 13:22:30 +0000 (15:22 +0200)]
mime decode: remove unused url counter
Victor Julien [Sat, 25 Oct 2014 12:11:03 +0000 (14:11 +0200)]
output smtp: clean up memory at shutdown
Victor Julien [Sat, 25 Oct 2014 11:54:42 +0000 (13:54 +0200)]
Fix compiler warning
Victor Julien [Sat, 25 Oct 2014 07:40:35 +0000 (09:40 +0200)]
mime: refactor buffer use
Turn all buffers into uint8_t (from char) and no longer use the
string functions like strncpy/strncasecmp on them.
Store url and field names as lowercase, and also search/compare
them as lowercase. This allows us to use SCMemcmp.
Tom DeCanio [Thu, 9 Oct 2014 22:16:50 +0000 (15:16 -0700)]
smtp-mime: preinitialize base64 decoder space
Preinit with zeros.
Tom DeCanio [Thu, 9 Oct 2014 21:13:03 +0000 (14:13 -0700)]
mime-decode: clean up after MimeDecParseFullMsgTest01.
Tom DeCanio [Thu, 9 Oct 2014 19:52:30 +0000 (12:52 -0700)]
mime-decode: fix minor memory leak if Mime parser initialization were to fail.
Tom DeCanio [Thu, 9 Oct 2014 19:23:09 +0000 (12:23 -0700)]
mime-decode: remove "comparison between signed and unsigned integer expressions"
warnings
Tom DeCanio [Tue, 7 Oct 2014 22:44:06 +0000 (15:44 -0700)]
app-layer-smtp: move old smtp-mime section in suricata.yaml into
app-layer-protocols.smtp.mine section and update code to accommodate.
Tom DeCanio [Tue, 7 Oct 2014 22:23:15 +0000 (15:23 -0700)]
PR review comment. Use protocol to discern log type.
Tom DeCanio [Thu, 21 Aug 2014 19:34:06 +0000 (12:34 -0700)]
smtp: turn on smtp mime decoding and enable smtp eve logging.
Tom DeCanio [Thu, 14 Aug 2014 19:07:53 +0000 (12:07 -0700)]
eve-log: catch and log URLs in basic text emails without mime encapsulation.
expand pointer walk protection.
Tom DeCanio [Fri, 1 Aug 2014 20:27:33 +0000 (13:27 -0700)]
mime-decode: don't scan attachment's data for URLs.
move event pointer lookup inside extract_urls and protect pointer walk.
Tom DeCanio [Tue, 29 Jul 2014 01:25:13 +0000 (18:25 -0700)]
app-layer-smtp: fix Test14.
Was running one byte past end of buffer.
Declare Unit Test 14's data as static.
Eric Leblond [Mon, 28 Jul 2014 14:36:15 +0000 (16:36 +0200)]
smtp layer: fix unittests
Synchronize test 14 with the new application layer API and improve
debug messages.
Tom DeCanio [Wed, 2 Apr 2014 19:48:01 +0000 (12:48 -0700)]
eve-log: SMTP JSON logger
Tom DeCanio [Tue, 28 Jan 2014 23:33:26 +0000 (15:33 -0800)]
smtp-mime: add server reply codes returned from outlook server
David Abarbanel [Tue, 6 Nov 2012 14:45:36 +0000 (09:45 -0500)]
SMTP MIME Email Message decoder
Ken Steele [Wed, 29 Oct 2014 19:43:42 +0000 (15:43 -0400)]
Make suricata_ctl_flags be volatile
The global variable suricata_ctl_flags needs to be volatile, otherwise the
compiler might not cause the variable to be read every time because it
doesn't know other threads might write the variable.
This was causing Suricata to not exit under some conditions.
Victor Julien [Thu, 30 Oct 2014 10:07:38 +0000 (11:07 +0100)]
stream/async: improve handling of syn/ack pickup
If we picked up the ssn with a syn/ack, we don't need to make more
assumptions about sack and wscale after that.
Victor Julien [Thu, 30 Oct 2014 09:16:40 +0000 (10:16 +0100)]
stream/async: fix session setup issues
For these 2 cases:
1. Missing SYN:
-> syn <= missing
<- syn/ack
-> ack
-> data
2. Missing SYN and 3whs ACK:
-> syn <= missing
<- syn/ack
-> ack <= missing
-> data
Fix session pickup. The next_win settings weren't correctly set, so that
packets were rejected.
Bug 1190.
Victor Julien [Sun, 26 Oct 2014 09:07:15 +0000 (10:07 +0100)]
stream: improve tracking with pkt loss in async
If 3whs SYN/ACK and ACK are missing we can still pick up the session if
in async-oneside mode.
-> syn
<- syn/ack <= missing
-> ack <= missing
-> data
Bug 1190.
Victor Julien [Sun, 26 Oct 2014 08:02:08 +0000 (09:02 +0100)]
iprep: cleanup ctx on shutdown
~~Dr.M~~ Error #1: LEAK 480 direct bytes 0x0aae7fc0-0x0aae81a0 + 0 indirect bytes
~~Dr.M~~ # 0 replace_malloc [/work/drmemory_package/common/alloc_replace.c:2373]
~~Dr.M~~ # 1 SRepInit [.../Suricata/src/reputation.c:594]
~~Dr.M~~ # 2 DetectEngineCtxInit [.../src/detect-engine.c:844]
~~Dr.M~~ # 3 main [.../Suricata/src/suricata.c:2230]
Ken Steele [Mon, 6 Oct 2014 15:40:58 +0000 (11:40 -0400)]
Make AppLayerProfiling functions inline
The entire body of these functions is protected by ifdef PROFILING.
If the functions are inlined, then this check removes the need for the
function entirely.
Previously, the empty function was still called, even when not built
for profiling. The functions showed as being 0.25% of total CPU time
without being built for profiling.