]> git.ipfire.org Git - thirdparty/suricata.git/log
thirdparty/suricata.git
10 years agofix Cygwin build fails: array subscript has type char 1258/head
DIALLO David [Mon, 15 Dec 2014 16:53:34 +0000 (17:53 +0100)] 
fix Cygwin build fails: array subscript has type char

10 years agoAdd a warning in Modbus section of YAML file to remind user to modify stream depth...
DIALLO David [Mon, 15 Dec 2014 16:37:04 +0000 (17:37 +0100)] 
Add a warning in Modbus section of YAML file to remind user to modify stream depth (unlimited)

10 years agoUpdate AppLayerProtoDetectPrintProbingParsers with Modbus protocol
DIALLO David [Mon, 15 Dec 2014 15:51:11 +0000 (16:51 +0100)] 
Update AppLayerProtoDetectPrintProbingParsers with Modbus protocol

10 years agofix CID 1257762: Logically dead code(DEADCODE)
DIALLO David [Mon, 15 Dec 2014 15:45:39 +0000 (16:45 +0100)] 
fix CID 1257762:  Logically dead code(DEADCODE)

10 years agosuricatasc: exit with error if command returns NOK 1252/head
Eric Leblond [Fri, 12 Dec 2014 09:10:46 +0000 (10:10 +0100)] 
suricatasc: exit with error if command returns NOK

10 years agosuricatasc: now python 2 and 3 compatible
Eric Leblond [Thu, 11 Dec 2014 19:01:59 +0000 (20:01 +0100)] 
suricatasc: now python 2 and 3 compatible

Update code to support both python 2 and python 3.

10 years agounix-socket: allow socked in custom locations
Victor Julien [Thu, 11 Dec 2014 13:49:17 +0000 (14:49 +0100)] 
unix-socket: allow socked in custom locations

Allow the socket to be set in any location. This allows for easy
setting up of a socket as a non-root user.

10 years agounix-socket: fix restart/shutdown cycle
Victor Julien [Thu, 11 Dec 2014 13:21:45 +0000 (14:21 +0100)] 
unix-socket: fix restart/shutdown cycle

When cleaning up after a pcap was processed, the stats api was cleaned
up before the stats threads were killed, leading to a BUG_ON triggering.

10 years agoFix indentation 1250/head
Ken Steele [Wed, 3 Dec 2014 21:42:01 +0000 (16:42 -0500)] 
Fix indentation

10 years agoFix memory leak in ac-tile
Ken Steele [Wed, 3 Dec 2014 20:55:22 +0000 (15:55 -0500)] 
Fix memory leak in ac-tile

Incorrectly reallocing the goto table after it was freed by calling
SCACTileReallocState() when really only want to realloc the output table.
This was causing a large goto table to be allocated and never used or
freed.

10 years agoClean up memory leaks in ac-tile code
Ken Steele [Wed, 3 Dec 2014 20:35:38 +0000 (15:35 -0500)] 
Clean up memory leaks in ac-tile code

Free some memory at exit that was not getting freed.

Change pid_pat_list to store copy of case-strings in the same block
of memory as the array of pointers.

10 years agoMake bad copy-mode be an error in runmode-tile.
Ken Steele [Wed, 5 Nov 2014 16:43:40 +0000 (11:43 -0500)] 
Make bad copy-mode be an error in runmode-tile.

10 years agoBug 1329: error out on invalid rule protocol
Victor Julien [Fri, 5 Dec 2014 13:32:56 +0000 (14:32 +0100)] 
Bug 1329: error out on invalid rule protocol

Due to a logic error in AppLayerProtoDetectGetProtoByName invalid
protocols would not be detected as such. Instead of ALPROTO_UNKNOWN
ALPROTO_MAX was returned.

Bug #1329

10 years agounix-manager: fix cppcheck errors
Eric Leblond [Mon, 8 Dec 2014 13:49:16 +0000 (14:49 +0100)] 
unix-manager: fix cppcheck errors

This patch fixes the following errors:
 [src/unix-manager.c:306]: (error) Memory pointed to by 'client' is freed twice.
 [src/unix-manager.c:313]: (error) Memory pointed to by 'client' is freed twice.
 [src/unix-manager.c:323]: (error) Memory pointed to by 'client' is freed twice.
 [src/unix-manager.c:334]: (error) Memory pointed to by 'client' is freed twice.

Unix manager was treating the packet after closing the socket if message was
too long.

10 years agostream: don't send EOF to AppLayer too soon 1247/head
Victor Julien [Wed, 10 Dec 2014 16:31:57 +0000 (17:31 +0100)] 
stream: don't send EOF to AppLayer too soon

Sending EOF too soon results in the AppLayer cleaning up prematurely.

10 years agoipv6: check for MLD messages with HL not 1 1239/head
Victor Julien [Thu, 20 Nov 2014 13:31:34 +0000 (14:31 +0100)] 
ipv6: check for MLD messages with HL not 1

MLD messages should have a hop limit of 1 only. All others are invalid.

Written at MLD talk of Enno Rey, Antonios Atlasis & Jayson Salazar during
Deepsec 2014.

10 years agoCorrect flow memory usage bookkeeping error
Ken Steele [Wed, 19 Nov 2014 18:48:41 +0000 (13:48 -0500)] 
Correct flow memory usage bookkeeping error

Fix bug 1321 where flow_memuse was incremented more on allocation than
free.

10 years agoBug 977: -T / --init-errors-fatal to process all rules
Victor Julien [Thu, 20 Nov 2014 13:18:03 +0000 (14:18 +0100)] 
Bug 977: -T / --init-errors-fatal to process all rules

Have -T / --init-errors-fatal process all rules so that it's easier
to debug problems in ruleset. Otherwise it can be a lengthy fix, test
error cycle if multiple rules have issues.

Convert empty rulefile error into a warning.

Bug #977

10 years agoafpacket: only check offloading once per iface
Victor Julien [Fri, 5 Dec 2014 09:17:15 +0000 (10:17 +0100)] 
afpacket: only check offloading once per iface

Instead of once per thread per iface.

10 years agoioctl: make all string args const pointers
Victor Julien [Fri, 5 Dec 2014 09:16:48 +0000 (10:16 +0100)] 
ioctl: make all string args const pointers

10 years agohttp: don't crash when normalizing uri on low memory
Victor Julien [Wed, 3 Dec 2014 15:08:19 +0000 (16:08 +0100)] 
http: don't crash when normalizing uri on low memory

10 years agodefrag: don't crash when out of memory
Victor Julien [Wed, 3 Dec 2014 15:07:00 +0000 (16:07 +0100)] 
defrag: don't crash when out of memory

Handle memory allocation errors in defrag better. Could lead to
crashes if malloc errors happened.

10 years agoaf-packet: no more threads than RSS queues 1238/head
Eric Leblond [Thu, 4 Dec 2014 16:58:25 +0000 (17:58 +0100)] 
af-packet: no more threads than RSS queues

If we manage to read the number of RSS queues from an interface,
this means that the optimal number of capture threads is equal
to the minimum of this number and of the number of cores on the
system.

This patch implements this logic thanks to the newly introduced
function GetIfaceRSSQueuesNum.

10 years agoutil-ioctl: add message in case of failure
Eric Leblond [Thu, 4 Dec 2014 17:11:22 +0000 (18:11 +0100)] 
util-ioctl: add message in case of failure

10 years agoutil-ioctl: Add function to get number of RSS queues on iface
Eric Leblond [Thu, 4 Dec 2014 16:49:31 +0000 (17:49 +0100)] 
util-ioctl: Add function to get number of RSS queues on iface

The number of RSS queues can be fetched via a standard ioctl which
is independant of hardware.

10 years agoaf-packet: threads: auto, default to workers 1237/head
Victor Julien [Thu, 4 Dec 2014 16:01:02 +0000 (17:01 +0100)] 
af-packet: threads: auto, default to workers

Add a new default value for the 'threads:' setting in af-packet: "auto".
This will create as many capture threads as there are cores.

Default runmode of af-packet to workers.

10 years agoRunmode: handle value 'auto'
Victor Julien [Thu, 4 Dec 2014 15:46:51 +0000 (16:46 +0100)] 
Runmode: handle value 'auto'

Auto now selects the default runmode for the capture method.

10 years agothreading: remove '1slot' functions
Victor Julien [Thu, 4 Dec 2014 15:42:55 +0000 (16:42 +0100)] 
threading: remove '1slot' functions

No longer in use after the 'auto' runmode removal.

All runmodes now use either varslot or pktacqloop support.

10 years agoRunmodes: remove 'auto' runmodes
Victor Julien [Thu, 4 Dec 2014 15:39:13 +0000 (16:39 +0100)] 
Runmodes: remove 'auto' runmodes

Remove 'auto' runmodes from all capture methods. It wasn't reliable
enough, as it didn't enforce inspection order of packets.

10 years agolog-stats: expand membuffer if necessary 1234/head
Victor Julien [Wed, 3 Dec 2014 12:22:46 +0000 (13:22 +0100)] 
log-stats: expand membuffer if necessary

Many threads could lead to a membuffer size requirement bigger than
64k. So use the expansion call to grow the buffer as needed.

10 years agoMemBuffer: add expansion call
Victor Julien [Wed, 3 Dec 2014 12:09:15 +0000 (13:09 +0100)] 
MemBuffer: add expansion call

For some of the buffer users it's hard to predict how big the data
will be. In the stats.log case this depends on chosen runmode and
number of threads.

To deal with this case a 'MemBufferExpand' call is added. This realloc's
the buffer.

10 years agostats: expose stats to Lua output
Victor Julien [Tue, 4 Nov 2014 08:17:10 +0000 (09:17 +0100)] 
stats: expose stats to Lua output

Register with type 'stats':

    function init (args)
        local needs = {}
        needs["type"] = "stats"
        return needs
    end

The stats are passed as an array of tables:

    { 1, { name=<name>, tmname=<tm_name>, value=<value>, pvalue=<pvalue>}}
    { 2, { name=<name>, tmname=<tm_name>, value=<value>, pvalue=<pvalue>}}
    etc

Name is the counter name (e.g. decoder.invalid), tm_name is the thread name
(e.g. AFPacketeth05), value is current value, and pvalue is the value of the
last time the script was invoked.

10 years agooutput streaming: cleanup at runmode destruction
Victor Julien [Mon, 3 Nov 2014 12:30:14 +0000 (13:30 +0100)] 
output streaming: cleanup at runmode destruction

10 years agostats: disable stats if no loggers are enabled
Victor Julien [Mon, 3 Nov 2014 12:00:26 +0000 (13:00 +0100)] 
stats: disable stats if no loggers are enabled

10 years agostats: initialize after outputs
Victor Julien [Tue, 4 Nov 2014 09:34:28 +0000 (10:34 +0100)] 
stats: initialize after outputs

Initialize stats after outputs so that we can check if we need to
initialize the stats api at all.

10 years agostats: introduce global config
Victor Julien [Mon, 3 Nov 2014 11:27:09 +0000 (12:27 +0100)] 
stats: introduce global config

As the stats api calls the loggers at a global interval, the global
interval should be configured globally.

 # global stats configuration
 stats:
   enabled: yes
   # The interval field (in seconds) controls at what interval
   # the loggers are invoked.
   interval: 8

If this config isn't found, the old config will be supported.

10 years agoIntroduce stats log API, convert existing output
Victor Julien [Fri, 31 Oct 2014 22:37:04 +0000 (23:37 +0100)] 
Introduce stats log API, convert existing output

Convert regular 'stats.log' output to this new API.

In addition to the current stats value, also give the last value. This
makes it easy to display the difference.

10 years agopcre: fix var capture for non relative matches 1231/head
Victor Julien [Mon, 1 Dec 2014 09:36:52 +0000 (10:36 +0100)] 
pcre: fix var capture for non relative matches

Var capture setup depended on the match being relative due to a logic
error.

10 years agopfring: fixes memleaks 1229/head
Giuseppe Longo [Wed, 5 Nov 2014 11:16:18 +0000 (12:16 +0100)] 
pfring: fixes memleaks

This fixes some memory leaks
Bug #1184

10 years agolua: in streaming api, indicate open/close
Victor Julien [Sat, 15 Nov 2014 15:46:21 +0000 (16:46 +0100)] 
lua:  in streaming api, indicate open/close

The SCStreamingBuffer call now also returns two booleans:
    data, data_open, data_close = SCStreamingBuffer()

The first indicates this is the first data of this type for this
TCP session or HTTP transaction.

The second indicates this is the last data.

Ticket #1317.

10 years agoUpdate copyright year in detect-flowbits files.
Ken Steele [Mon, 10 Nov 2014 20:07:34 +0000 (15:07 -0500)] 
Update copyright year in detect-flowbits files.

10 years agoDetectFlowintData - remove unused idx in TargetVar.
Ken Steele [Mon, 10 Nov 2014 20:01:36 +0000 (15:01 -0500)] 
DetectFlowintData - remove unused idx in TargetVar.

The idx inside TargetVar inside DetectFlowintData is never used, so remove
it.

10 years agoFix bug in DetectFlowintParse() - Assigning to both parts of a Union
Ken Steele [Mon, 10 Nov 2014 19:48:29 +0000 (14:48 -0500)] 
Fix bug in DetectFlowintParse() - Assigning to both parts of a Union

sfd->target.value was always being set, even if the targettype was
not FLOWINT_TARGET_VAL. This would cause the tvar to be overwritten
with garbage data.

10 years agoDon't write target.tvar.idx in DetectFlowintParse
Ken Steele [Mon, 10 Nov 2014 19:46:11 +0000 (14:46 -0500)] 
Don't write target.tvar.idx in DetectFlowintParse

Match functions should not be writing to the SigMatch context. So just use
a local variable instead.

10 years agoRemove an unused define COUNTER_DETECT_ALERTS
Ken Steele [Fri, 7 Nov 2014 16:33:38 +0000 (11:33 -0500)] 
Remove an unused define COUNTER_DETECT_ALERTS

The only place this exists in the code is when it is defined.

10 years agoCoding style cleanup in detect-modbus files.
Ken Steele [Fri, 7 Nov 2014 15:50:23 +0000 (10:50 -0500)] 
Coding style cleanup in detect-modbus files.

10 years agoCorrect size increase in SigGroupHeadStore()
Ken Steele [Wed, 5 Nov 2014 20:07:06 +0000 (15:07 -0500)] 
Correct size increase in SigGroupHeadStore()

The code was increasing the size of the allocated memory by 16, but
only increasing the stored size by 10. Now uses one variable for both
places.

10 years agoDetect-engine: Add Modbus detection engine
DIALLO David [Tue, 22 Jul 2014 07:49:58 +0000 (09:49 +0200)] 
Detect-engine: Add Modbus detection engine

Management of Modbus Tx

Based on DNS source code.

Signed-off-by: David DIALLO <diallo@et.esia.fr>
10 years agoDetect: Add Modbus keyword management
DIALLO David [Thu, 14 Aug 2014 14:53:30 +0000 (16:53 +0200)] 
Detect: Add Modbus keyword management

Add the modbus.function and subfunction) keywords for public function match in rules (Modbus layer).
Matching based on code function, and if necessary, sub-function code
or based on category (assigned, unassigned, public, user or reserved)
and negation is permitted.

Add the modbus.access keyword for read/write Modbus function match in rules (Modbus layer).
Matching based on access type (read or write),
and/or function type (discretes, coils, input or holding)
and, if necessary, read or write address access,
and, if necessary, value to write.
For address and value matching, "<", ">" and "<>" is permitted.

Based on TLS source code and file size source code (address and value matching).

Signed-off-by: David DIALLO <diallo@et.esia.fr>
10 years agoApp-layer: Add Modbus protocol parser
DIALLO David [Wed, 23 Jul 2014 09:12:59 +0000 (11:12 +0200)] 
App-layer: Add Modbus protocol parser

Decode Modbus request and response messages, and extracts
MODBUS Application Protocol header and the code function.

In case of read/write function, extracts message contents
(read/write address, quantity, count, data to write).

Links request and response messages in a transaction according to
Transaction Identifier (transaction management based on DNS source code).

MODBUS Messaging on TCP/IP Implementation Guide V1.0b
(http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf)
MODBUS Application Protocol Specification V1.1b3
(http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf)

Based on DNS source code.

Signed-off-by: David DIALLO <diallo@et.esia.fr>
10 years agoUpdate Changelog for 2.1beta2 release suricata-2.1beta2
Victor Julien [Thu, 6 Nov 2014 09:39:53 +0000 (10:39 +0100)] 
Update Changelog for 2.1beta2 release

10 years agoFix to output a JSON buffer to an Unix domain socket.
Christophe M [Tue, 29 Jul 2014 14:20:34 +0000 (16:20 +0200)] 
Fix to output a JSON buffer to an Unix domain socket.

Create the JSON buffer and write to it like regular file.

Upper function SCConfLogOpenGeneric already handle it properly.

Closes issue #1246.

10 years agoFix Coverity issue in SMTP output 1196/head
Victor Julien [Fri, 31 Oct 2014 13:56:14 +0000 (14:56 +0100)] 
Fix Coverity issue in SMTP output

** CID 1250327:  Uninitialized pointer read  (UNINIT)
/src/output-json-email-common.c: 117 in JsonEmailLogJson()
/src/output-json-email-common.c: 139 in JsonEmailLogJson()

10 years agosmtp: don't create a new tx for rset/quit
Victor Julien [Fri, 31 Oct 2014 13:53:38 +0000 (14:53 +0100)] 
smtp: don't create a new tx for rset/quit

A tx is considered complete after the data command completed. However,
this would lead to RSET and QUIT commands setting up a new tx.

This patch simply adds a check that refuses to setup a new tx when these
commands are encountered after the data portion is complete.

10 years agofilestore: fix crash if keyword setup fails
Victor Julien [Fri, 31 Oct 2014 12:41:39 +0000 (13:41 +0100)] 
filestore: fix crash if keyword setup fails

SigMatch would be added to list, then the alproto check failed, leading
to freeing of sm. But as it was still in the list, the list now contained
a dangling pointer.

10 years agomime: fix output issues 1195/head
Victor Julien [Thu, 30 Oct 2014 17:23:15 +0000 (18:23 +0100)] 
mime: fix output issues

When multiple email addresses were in the 'to' field, sometimes
they would be logged as "\r\n \"Name\" <email>".

The \r\n was added by GetFullValue in the mime decoder, for unknown
reasons. Disabling this seems to have no drawbacks.

10 years agomime: fix compiler warning
Victor Julien [Tue, 28 Oct 2014 19:03:32 +0000 (20:03 +0100)] 
mime: fix compiler warning

10 years agomime: improve error checking
Victor Julien [Tue, 28 Oct 2014 17:56:28 +0000 (18:56 +0100)] 
mime: improve error checking

10 years agosmtp: fix SMTPParserTest14 on 32bit
Victor Julien [Tue, 28 Oct 2014 17:26:38 +0000 (18:26 +0100)] 
smtp: fix SMTPParserTest14 on 32bit

10 years agosmtp: improve ProcessDataChunk error checking
Victor Julien [Tue, 28 Oct 2014 17:25:33 +0000 (18:25 +0100)] 
smtp: improve ProcessDataChunk error checking

10 years agosmtp: expand tx use
Victor Julien [Tue, 28 Oct 2014 16:45:52 +0000 (17:45 +0100)] 
smtp: expand tx use

Instead of just using TX for mime decoding, it is now also used for
tracking decoder events.

10 years agooutput-filedata: close files even w/o data
Victor Julien [Tue, 28 Oct 2014 09:45:21 +0000 (10:45 +0100)] 
output-filedata: close files even w/o data

If there is no data chunk but the file is closed/truncated anyway,
logging is still required.

10 years agosmtp: register file truncate callback
Victor Julien [Tue, 28 Oct 2014 09:41:32 +0000 (10:41 +0100)] 
smtp: register file truncate callback

Tag files as truncated from this callback so storing/logging displays
the correct info.

10 years agosmtp: convert logger to tx logger
Victor Julien [Mon, 27 Oct 2014 22:59:49 +0000 (23:59 +0100)] 
smtp: convert logger to tx logger

Move from packet logger to tx logger.

10 years agosmtp: add file inspection engine
Victor Julien [Mon, 27 Oct 2014 22:59:11 +0000 (23:59 +0100)] 
smtp: add file inspection engine

Fix file inspection engine.

TODO: test

10 years agosmtp: make TX aware
Victor Julien [Mon, 27 Oct 2014 22:57:56 +0000 (23:57 +0100)] 
smtp: make TX aware

Store mime decoding context per transaction. For this the parser
creates a TX when the mime body decoding starts.

10 years agomime: redo PrintChars using PrintRawDataFp
Victor Julien [Mon, 27 Oct 2014 15:14:09 +0000 (16:14 +0100)] 
mime: redo PrintChars using PrintRawDataFp

10 years agodecode mime: refactor & cleanup
Victor Julien [Mon, 27 Oct 2014 08:18:31 +0000 (09:18 +0100)] 
decode mime: refactor & cleanup

Partly to work around cppchecks:
[src/util-decode-mime.c:1085]: (error) Memory leak: url

10 years agomime: rename mime-decode.[ch] to util-decode-mime.[ch]
Victor Julien [Sat, 25 Oct 2014 15:44:57 +0000 (17:44 +0200)] 
mime: rename mime-decode.[ch] to util-decode-mime.[ch]

10 years agomime: style updates
Victor Julien [Sat, 25 Oct 2014 15:36:56 +0000 (17:36 +0200)] 
mime: style updates

10 years agomime decode: reshuffle data structures to reduce structure sizes
Victor Julien [Sat, 25 Oct 2014 15:30:09 +0000 (17:30 +0200)] 
mime decode: reshuffle data structures to reduce structure sizes

10 years agooutput smtp: fix call
Victor Julien [Sat, 25 Oct 2014 14:59:15 +0000 (16:59 +0200)] 
output smtp: fix call

10 years agodecode mime: clean up includes
Victor Julien [Sat, 25 Oct 2014 14:46:01 +0000 (16:46 +0200)] 
decode mime: clean up includes

10 years agomime decode: improve MimeDecParseLineTest01 and MimeDecParseLineTest02 tests
Victor Julien [Sat, 25 Oct 2014 14:22:40 +0000 (16:22 +0200)] 
mime decode: improve MimeDecParseLineTest01 and MimeDecParseLineTest02 tests

10 years agodecode mime: fix scan-build issues
Victor Julien [Sat, 25 Oct 2014 14:16:54 +0000 (16:16 +0200)] 
decode mime: fix scan-build issues

10 years agomime decode: fix memory leak
Victor Julien [Sat, 25 Oct 2014 13:25:46 +0000 (15:25 +0200)] 
mime decode: fix memory leak

10 years agomime decode: remove unused url counter
Victor Julien [Sat, 25 Oct 2014 13:22:30 +0000 (15:22 +0200)] 
mime decode: remove unused url counter

10 years agooutput smtp: clean up memory at shutdown
Victor Julien [Sat, 25 Oct 2014 12:11:03 +0000 (14:11 +0200)] 
output smtp: clean up memory at shutdown

10 years agoFix compiler warning
Victor Julien [Sat, 25 Oct 2014 11:54:42 +0000 (13:54 +0200)] 
Fix compiler warning

10 years agomime: refactor buffer use
Victor Julien [Sat, 25 Oct 2014 07:40:35 +0000 (09:40 +0200)] 
mime: refactor buffer use

Turn all buffers into uint8_t (from char) and no longer use the
string functions like strncpy/strncasecmp on them.

Store url and field names as lowercase, and also search/compare
them as lowercase. This allows us to use SCMemcmp.

10 years agosmtp-mime: preinitialize base64 decoder space
Tom DeCanio [Thu, 9 Oct 2014 22:16:50 +0000 (15:16 -0700)] 
smtp-mime: preinitialize base64 decoder space

Preinit with zeros.

10 years agomime-decode: clean up after MimeDecParseFullMsgTest01.
Tom DeCanio [Thu, 9 Oct 2014 21:13:03 +0000 (14:13 -0700)] 
mime-decode: clean up after MimeDecParseFullMsgTest01.

10 years agomime-decode: fix minor memory leak if Mime parser initialization were to fail.
Tom DeCanio [Thu, 9 Oct 2014 19:52:30 +0000 (12:52 -0700)] 
mime-decode: fix minor memory leak if Mime parser initialization were to fail.

10 years agomime-decode: remove "comparison between signed and unsigned integer expressions"
Tom DeCanio [Thu, 9 Oct 2014 19:23:09 +0000 (12:23 -0700)] 
mime-decode: remove "comparison between signed and unsigned integer expressions"
warnings

10 years agoapp-layer-smtp: move old smtp-mime section in suricata.yaml into
Tom DeCanio [Tue, 7 Oct 2014 22:44:06 +0000 (15:44 -0700)] 
app-layer-smtp: move old smtp-mime section in suricata.yaml into
app-layer-protocols.smtp.mine section and update code to accomodate.

10 years agoPR review comment. Use protocol to discern log type.
Tom DeCanio [Tue, 7 Oct 2014 22:23:15 +0000 (15:23 -0700)] 
PR review comment.  Use protocol to discern log type.

10 years agosmtp: turn on smtp mime decoding and enable smtp eve logging.
Tom DeCanio [Thu, 21 Aug 2014 19:34:06 +0000 (12:34 -0700)] 
smtp: turn on smtp mime decoding and enable smtp eve logging.

10 years agoeve-log: catch and log URLs in basic text emails without mime encapsulation.
Tom DeCanio [Thu, 14 Aug 2014 19:07:53 +0000 (12:07 -0700)] 
eve-log: catch and log URLs in basic text emails without mime encapsulation.
         expand pointer walk protection.

10 years agomime-decode: don't scan attachment's data for URLs.
Tom DeCanio [Fri, 1 Aug 2014 20:27:33 +0000 (13:27 -0700)] 
mime-decode: don't scan attachment's data for URLs.
move event pointer lookup inside extract_urls and protect pointer walk.

10 years agoapp-layer-smtp: fix Test14.
Tom DeCanio [Tue, 29 Jul 2014 01:25:13 +0000 (18:25 -0700)] 
app-layer-smtp: fix Test14.

Was running one byte past end of buffer.
Declare Unit Test 14's data as static.

10 years agosmtp layer: fix unittests
Eric Leblond [Mon, 28 Jul 2014 14:36:15 +0000 (16:36 +0200)] 
smtp layer: fix unittests

Synchronize test 14 with the new application layer API and improve
debug messages.

10 years agoeve-log: SMTP JSON logger
Tom DeCanio [Wed, 2 Apr 2014 19:48:01 +0000 (12:48 -0700)] 
eve-log: SMTP JSON logger

10 years agosmtp-mime: add server reply codes returned from outlook server
Tom DeCanio [Tue, 28 Jan 2014 23:33:26 +0000 (15:33 -0800)] 
smtp-mime: add server reply codes returned from outlook server

10 years agoSMTP MIME Email Message decoder
David Abarbanel [Tue, 6 Nov 2012 14:45:36 +0000 (09:45 -0500)] 
SMTP MIME Email Message decoder

10 years agoMake suricata_ctl_flags be volatile
Ken Steele [Wed, 29 Oct 2014 19:43:42 +0000 (15:43 -0400)] 
Make suricata_ctl_flags be volatile

The global variable suricata_ctl_flags needs to volatile, otherwise the
compiler might not cause the variable to be read every time because it
doesn't know other threads might write the variable.

This was causing Suricata to not exit under some conditions.

10 years agostream/async: improve handling of syn/ack pickup 1194/head
Victor Julien [Thu, 30 Oct 2014 10:07:38 +0000 (11:07 +0100)] 
stream/async: improve handling of syn/ack pickup

If we picked up the ssn with a syn/ack, we don't need to make more
assumptions about sack and wscale after that.

10 years agostream/async: fix session setup issues
Victor Julien [Thu, 30 Oct 2014 09:16:40 +0000 (10:16 +0100)] 
stream/async: fix session setup issues

For these 2 cases:

1. Missing SYN:
-> syn <= missing
<- syn/ack
-> ack
-> data

2. Missing SYN and 3whs ACK:
-> syn <= missing
<- syn/ack
-> ack <= missing
-> data

Fix session pickup. The next_win settings weren't correctly set, so that
packets were rejected.

Bug 1190.

10 years agostream: improve tracking with pkt loss in async 1191/head
Victor Julien [Sun, 26 Oct 2014 09:07:15 +0000 (10:07 +0100)] 
stream: improve tracking with pkt loss in async

If 3whs SYN/ACK and ACK are missing we can still pick up the session if
in async-oneside mode.

-> syn
<- syn/ack <= missing
-> ack     <= missing
-> data

Bug 1190.

10 years agoiprep: cleanup ctx on shutdown
Victor Julien [Sun, 26 Oct 2014 08:02:08 +0000 (09:02 +0100)] 
iprep: cleanup ctx on shutdown

~~Dr.M~~ Error #1: LEAK 480 direct bytes 0x0aae7fc0-0x0aae81a0 + 0 indirect bytes
~~Dr.M~~ # 0 replace_malloc                    [/work/drmemory_package/common/alloc_replace.c:2373]
~~Dr.M~~ # 1 SRepInit                          [.../Suricata/src/reputation.c:594]
~~Dr.M~~ # 2 DetectEngineCtxInit               [.../src/detect-engine.c:844]
~~Dr.M~~ # 3 main                              [.../Suricata/src/suricata.c:2230]

10 years agoMake AppLayerProfiling functions inline 1184/head
Ken Steele [Mon, 6 Oct 2014 15:40:58 +0000 (11:40 -0400)] 
Make AppLayerProfiling functions inline

The entire body of these functions are protected by ifdef PROFILING.
If the functions are inlined, then this check removes the need for the
function entirely.

Previously, the empty function was still called, even when not built
for profiling. The functions showed as being 0.25% of total CPU time
without being built for profiling.