Victor Julien [Fri, 17 Jul 2015 19:05:14 +0000 (21:05 +0200)]
detect: fix pass transaction handling
If a flow was 'pass'd, it means that no packet of it will be handled
by the detection engine. A side effect of this was that the per flow
inspect_id would never be moved forward. This in turn led to a situation
where transactions wouldn't be freed.
This patch addresses this case by incrementing the inspect_id anyway for
the pass case.
Victor Julien [Thu, 16 Jul 2015 14:43:19 +0000 (16:43 +0200)]
app-layer: disruption flags
Stream GAPs and stream reassembly depth are tracked per direction. In
many cases they will happen in one direction, but not in the other.
Example:
HTTP requests are generally smaller than responses. So on the response
side we may hit the depth limit, but not on the request side.
The asynchronous 'disruption' has a side effect in the transaction
engine. The 'progress' tracking would never mark such transactions
as complete, and thus some inspection and logging wouldn't happen
until the very last moment: when EOFs are passed around.
Especially in proxy environments with _very_ many transactions in a
single TCP connection, this could lead to serious resource issues. The
EOF handling would suddenly have to handle thousands or more
transactions. These transactions would have been stored for a long time.
This patch introduces the concept of disruption flags: flags passed to
the tx progress logic that are an indication of disruptions in the
traffic or the traffic handling. The idea is that the progress is
marked as complete on disruption, even if a tx is not complete. This
allows the detection and logging engines to process the tx after which
it can be cleaned up.
Victor Julien [Wed, 15 Jul 2015 07:53:39 +0000 (09:53 +0200)]
Sync alversion/appversion types
The app layer state 'version' field is incremented with each update
to the state. It is used by the detection engine to see if the current
version of the state has already been inspected. Since app layer and
detect always run closely together there is no need for a big number
here. The detect code really only checks for equal/not-equal, so
wrap-arounds are not an issue.
Victor Julien [Thu, 16 Jul 2015 10:49:38 +0000 (12:49 +0200)]
flow/stream: xfer noinspect flags to pseudo pkts
Set noinspection flags for payloads and packets on flow and stream
pseudo packets. Without these, the pseudo packets could trigger
inspection even though this was disabled for a flow.
Eric Leblond [Fri, 19 Jun 2015 10:13:31 +0000 (12:13 +0200)]
af-packet: implement rollover option
This patch implements the rollover option in af_packet capture.
This should heavily minimize the packet drops as well as the
maximum bandwidth treated for a single flow.
The option has been deactivated by default but it is activated in
the af_packet default section. This ensures there is no change for
old users using an existing YAML. And new users will benefit from
the change.
This option is available since Linux 3.10. An analysis of af_packet
kernel code shows that setting the flag in all cases should not
cause any trouble for older kernels.
Eric Leblond [Fri, 19 Jun 2015 10:08:53 +0000 (12:08 +0200)]
af-packet: implement new load balancing modes
This patch implements the fanout load balancing modes available
in kernel 4.0. The most interesting is cluster_qm that does the
load balancing based on the RSS queues. So if the network card
is doing a flow based load balancing then a given socket will
receive all packets of a flow independently of the CPU affinity.
Eric Leblond [Fri, 19 Jun 2015 10:05:05 +0000 (12:05 +0200)]
af-packet: sync header with latest features
Sync the replacement define with the latest Linux code.
This patch also updates the detection part in configure.ac
to do a declaration of all fields if the newest features are
not present.
netmap: support non-equal count of Rx and Tx rings on interface.
Netmap does not guarantee that the NIC will have an equal number of transmit and receive rings.
Use unlikely for error treatment in alert-prelude.c
When handling error cases on creation of a new idmef field, we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc.
Victor Julien [Fri, 10 Jul 2015 10:19:57 +0000 (12:19 +0200)]
introduce fatal error macros
Add 'FatalError' and 'FatalErrorConditonal' that will take the same
args as SCLogError.
FatalError logs the error using SCLogError and then exits with return
code EXIT_FAILURE.
FatalErrorOnInit does the same only during init and with
--init-errors-fatal enabled, otherwise it just calls SCLogWarning. So
then the macro returns to the caller.
Eric Leblond [Wed, 15 Jul 2015 20:21:07 +0000 (22:21 +0200)]
tls-store: avoid log flooding
In case we can't write in the certs directory, it is possible that
we flood the log for each TLS session or even worse each TLS
packet. So this patch puts a limit in the number of logged
messages related to file creation.
Eric Leblond [Tue, 14 Jul 2015 20:35:32 +0000 (22:35 +0200)]
tls-store: backward compatibility
This patch implements backward compatibility in suricata.yaml
file. In case the new 'tls-store' output is not present in the
YAML we have to use the value defined in 'tls-log'.
Eric Leblond [Tue, 14 Jul 2015 19:22:31 +0000 (21:22 +0200)]
tls-store: now a separate module
A design error was made when doing the TLS storage module, which
has been made dependent on the TLS logging. At the time there was
only one TLS logging module but there are now two different ones.
By putting the TLS store module in a separate module, we can now
use EVE output and TLS store at the same time.
Alexander Gozman [Tue, 16 Jun 2015 15:12:01 +0000 (18:12 +0300)]
suricatasc: remove "u" prefix when printing JSON output.
If we want to parse suricatasc's output, python's unicode prefix
should be removed to make JSON parsers happy.
Zopieux [Thu, 18 Jun 2015 09:26:53 +0000 (11:26 +0200)]
stream_size operator comparison (fix issue #1488)
`DetectStreamSizeParse` was first checking if mode[0] is '<', which is true for both '<' and '<=', thus '<=' (and resp. '>=') is never matched. This patch does the `strcmp` to '<=' (resp. '>=') within the if block of '<' (resp. '>') to fix #1488.
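The operator-ordering bug from this commit as an added C illustration (a hypothetical re-creation, not Suricata's `DetectStreamSizeParse`): the buggy check beside the fixed one, plus the comparison it drives, showing that a `<=` rule silently behaves as `<` until the fix.

```c
#include <string.h>

/* Added illustration of the stream_size operator bug (#1488); this is a
 * hypothetical re-creation, not Suricata's DetectStreamSizeParse. */
enum ssize_mode { SSIZE_LT, SSIZE_LE, SSIZE_GT, SSIZE_GE, SSIZE_EQ, SSIZE_NE, SSIZE_INVALID };

/* Buggy ordering: the mode[0] test runs first, so "<=" and ">=" are
 * classified as plain '<' and '>' and the strcmp() branches for them
 * are unreachable. */
enum ssize_mode parse_mode_buggy(const char *mode)
{
    if (mode[0] == '<') return SSIZE_LT;
    if (mode[0] == '>') return SSIZE_GT;
    if (strcmp(mode, "<=") == 0) return SSIZE_LE;   /* never reached */
    if (strcmp(mode, ">=") == 0) return SSIZE_GE;   /* never reached */
    if (strcmp(mode, "=") == 0)  return SSIZE_EQ;
    if (strcmp(mode, "!=") == 0) return SSIZE_NE;
    return SSIZE_INVALID;
}

/* Fixed ordering: decide between '<' and "<=" inside the '<' branch
 * (same for '>'), rejecting anything else that starts with that char. */
enum ssize_mode parse_mode_fixed(const char *mode)
{
    if (mode[0] == '<') {
        if (strcmp(mode, "<=") == 0) return SSIZE_LE;
        return strcmp(mode, "<") == 0 ? SSIZE_LT : SSIZE_INVALID;
    }
    if (mode[0] == '>') {
        if (strcmp(mode, ">=") == 0) return SSIZE_GE;
        return strcmp(mode, ">") == 0 ? SSIZE_GT : SSIZE_INVALID;
    }
    if (strcmp(mode, "=") == 0)  return SSIZE_EQ;
    if (strcmp(mode, "!=") == 0) return SSIZE_NE;
    return SSIZE_INVALID;
}

/* Evaluate a parsed operator against an observed stream size (1 = match). */
int ssize_match(enum ssize_mode m, unsigned int size, unsigned int value)
{
    switch (m) {
    case SSIZE_LT: return size < value;
    case SSIZE_LE: return size <= value;
    case SSIZE_GT: return size > value;
    case SSIZE_GE: return size >= value;
    case SSIZE_EQ: return size == value;
    case SSIZE_NE: return size != value;
    default:       return 0;
    }
}
```

With the bug, a rule asking for `<=` 100 does not match a stream of exactly 100 bytes; the fixed parser restores the boundary case.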
Giuseppe Longo [Fri, 15 May 2015 09:05:29 +0000 (11:05 +0200)]
file_data: check for signature alproto and flow
Currently the following rule can't be loaded:
alert tcp any any -> any 25 (msg:"SMTP file_data test"; flow:to_server,established; file_data; content:"abc";sid:1;)
and produces the error output:
"Can't use file_data with flow:to_server or from_client with http or smtp."
This checks if the alproto is not http in a signature,
so it permits the use of the flow keyword as well.
Victor Julien [Fri, 19 Jun 2015 10:42:57 +0000 (12:42 +0200)]
file_data smtp: fix minor coverity warning
CID 1298891: Null pointer dereferences (REVERSE_INULL)
Null-checking "curr_file" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
Victor Julien [Thu, 11 Jun 2015 10:39:53 +0000 (12:39 +0200)]
app-layer: improve EOF handling
On receiving TCP end of stream packets (e.g. RST, but also sometimes FIN
packets), in some cases the AppLayer parser would not be notified. This
could happen in IDS mode, but would especially be an issue in IPS mode.
This patch changes the logic of the AppLayer API to handle this. When no
new data is available, and the stream ends, the AppLayer API now gets
called with a NULL/0 input, but with the EOF flag set.
This allows the AppLayer parser to call its final routines still in the
context of a real packet.
Victor Julien [Wed, 3 Jun 2015 10:11:22 +0000 (12:11 +0200)]
flow timeout: prevent deadlocks
The flow timeout mechanism called both from the flow manager at run time
and at shutdown creates pseudo packets. For this it has its own packet
pool, which can be depleted if the timeout logic is faster than the packet
processing threads. In this case the flow timeout would enter a wait loop.
The problem however, is that this wait loop would happen while keeping a
flow locked. This could lead to a race condition when the packet thread(s)
are waiting for the lock that the flow manager has.
This patch introduces a new packet pool call 'PacketPoolWaitForN', meant
to make sure that the thread's packet pool has at least N available
packets. The flow timeout paths use this to make sure enough packets are
available *before* grabbing the flow lock. If there aren't enough packets
available yet, the wait happens before the lock as well.
This still means the wait can happen while the flow hash row is locked, so
we do make sure some more packets are available when entering that. But
perhaps in the future we need a more precise logic there as well.
Giuseppe Longo [Mon, 11 May 2015 17:48:32 +0000 (19:48 +0200)]
hsbd: inspect buffer depending on the engine mode
Currently, data is buffered up to response-body-minimal size
and response-body-inspect-window before being inspected.
With this, in IPS mode, inspect data as it comes in.
The sliding window concept is used here:
some data chunks are copied into the window (buffer),
then it's inspected.
Victor Julien [Wed, 10 Jun 2015 13:22:12 +0000 (15:22 +0200)]
suppress: add track by_either mode
So far suppress rules would apply to src or dst addresses of a packet.
This meant that if an IP would need to be suppressed both as src and as dst,
2 suppress rules would be needed.
This patch introduces track by_either, which means that the ip(s) in the
suppress rule are tested against both the packet's source and dest IPs.
If either of them is on the suppress list, the alert is suppressed.
Victor Julien [Wed, 10 Jun 2015 12:20:21 +0000 (14:20 +0200)]
suppress: support ip-lists
Ticket: 1137
Support supplying a list of IPs to the suppress keyword. Variables from
the address-groups and negation are supported. The same logic (and code) is
used that is also used in parsing the IP portions of regular detection
rules.