Ken Steele [Mon, 11 Nov 2013 18:11:39 +0000 (13:11 -0500)]
Fix pfring so that zero-copy mode can work.
Detect when default_packet_size is zero, which enables zero-copy mode for
pfring and in that case, do what AF Packet does and set pkt_ext pointer to
the data and set PKT_ZERO_COPY flag.
Ken Steele [Mon, 11 Nov 2013 16:58:31 +0000 (11:58 -0500)]
Remove pkt variable from Packet structure.
The uint8_t *pkt in the Packet structure always points to the memory
immediately following the Packet structure. It is better to simply
calculate that value every time than store the 8 byte pointer.
Ken Steele [Wed, 13 Nov 2013 19:16:21 +0000 (14:16 -0500)]
Split AC-Tile MPM context into Search and Initialization structures.
Some of the fields in the SCACTileCtx struct are only used to create the MPM,
but are not needed to search the MPM. Create a new structure to contain just
the data needed by AC Search. After creating the MPM, copy the data into the
new structure and then free the memory only needed during initialization.
This reduces the size of the AC-Tile MPM context from 1360 bytes down to 296
bytes.
Ken Steele [Fri, 22 Nov 2013 20:53:12 +0000 (15:53 -0500)]
Add more suricata.yaml configuration options for mPIPE.
Add two new mPIPE load-balancing configuration options in suricata.yaml.
1) "sticky" which keep sending flows to one CPU, but if that queue is full,
don't drop the packet, move the flow to the least loaded queue.
2) Round-robin, which always picks the least full input queue for each
packet.
Allow configuring the number of packets in the input queue (iqueue) in
suricata.yaml.
For the mPipe.buckets configuration, which must be a power of 2, round
up to the next power of two, rather than report an error.
Added mpipe.min-buckets, which defaults to 256, so if the requested number
of buckets can't be allocated, Suricata will keep dividing by 2 until either
it succeeds in allocating buckets, or reaches the minimum number of buckets
and fails.
Ken Steele [Sun, 17 Nov 2013 14:43:00 +0000 (09:43 -0500)]
Use pflow variable in place of p->flow to prevent reloading.
In SigMatchSignatures, the value p->flow doens't change, but GCC can't
figure that out, so it reloads p->flow many times during the function.
When p->flow is loaded into the variable pflow once at the start of the
function, the compile then doesn't need to reload it.
Ken Steele [Fri, 22 Nov 2013 17:54:32 +0000 (12:54 -0500)]
Check for compiler for -march=native support
Check all compilers to see if they support the -march=native flags, rather
than assuming gcc 4.2 or later does. Tile GCC doesn't currently support it,
so not checking break Tile compiles.
Eric Leblond [Mon, 9 Dec 2013 17:18:30 +0000 (18:18 +0100)]
coccinelle: add option to continue on errors
When a script has been updated or introduced, it is interesting to
detect all errors at once. With this patch it is now possible to
do so by using:
NOT_TERMINAL=1 CONCURRENCY_LEVEL=12 qa/coccinelle/run_check.sh
Victor Julien [Mon, 9 Dec 2013 18:02:42 +0000 (19:02 +0100)]
htp: minor cleanup to silence cppcheck warning
[src/app-layer-htp.c:1967] -> [src/app-layer-htp.c:1978]: (warning) \
Possible null pointer dereference: tx - otherwise it is redundant \
to check it against null.
Victor Julien [Mon, 9 Dec 2013 11:12:01 +0000 (12:12 +0100)]
pcap: fix stats dump logic
pcap has a callback function that is called for each packet. Once a
second, it's meant to 'dump stats'. However, the timing logic was
broken, so it would actually dump stats for each packet.
By moving the stats second timer into the thread vars, next calls of
the callback will be able to use the stored time.
Victor Julien [Tue, 3 Dec 2013 13:28:09 +0000 (14:28 +0100)]
flow timeout cleanup and fix
Flow timeout code worked by luck when checking if a flow still needed
reassembly for app layer inspection or logging. It would check for a
part of raw reassembly (smsg list) to determine if detection was
needed. In this case it would also process app layer cleanup,
including logging.
Introduced AppLayerTransactionGetActive which returns the lowest tx_id
in a direction that still needs some work.
FlowForceReassemblyNeedReassmbly now uses it to determine if the
applayer still needs work.
Converted FlowForceReassemblyForHash to use the checking function
FlowForceReassemblyNeedReassmbly as well, so that checking if a flow
needs work is now unified.
Victor Julien [Thu, 28 Nov 2013 18:02:14 +0000 (19:02 +0100)]
stream: add option to disable raw reassembly
Raw reassembly is used only by the detection engine. For users only
caring about logging it's a significant overhead, both in cpu and
memory usage.
The option is called 'raw' and lives under the stream.reassembly
options.
stream:
memcap: 32mb
checksum-validation: yes # reject wrong csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
memcap: 64mb
depth: 1mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
#randomize-chunk-range: 10
raw: false # <- new option
Eric Leblond [Thu, 5 Dec 2013 23:35:36 +0000 (00:35 +0100)]
erf-dag: fix typo in header guard
Spotted out by clang:
source-erf-dag.h|25 col 9| warning: '__SOURCE_ERR_DAG_H__'
is used as a header guard here, followed by #define of a different macro
[-Wheader-guard]
Eric Leblond [Thu, 5 Dec 2013 13:34:22 +0000 (14:34 +0100)]
yaml: remove no more present files
emerging-virus.rules is not present anymore in ET ruleset downloaded
by 'make install-rules'. This patch removes it from the list to avoid
an error message.
Jason Ish [Wed, 4 Dec 2013 15:10:44 +0000 (09:10 -0600)]
When setting final configuration nodes, set the whole tree as final.
Prevents benign log message of parent nodes of final values being
redefined (which ends up having no affect as the final nodes
are protected from being removed).
Eric Leblond [Wed, 4 Dec 2013 09:43:17 +0000 (10:43 +0100)]
decode: fix failure in layered tunnel
If we have multiple layer of tunnel, the decoding of initial
Packet will recurse in DecodeTunnel function called in
PacketTunnelPktSetup. If we are not setting the pseudo
packet root before calling DecodeTunnel (as done in previous
code), then the tunnel root will no be correct for the lower
layer packets. This result in an counter problem and a suricata
failure after some time.
Victor Julien [Tue, 5 Nov 2013 13:41:45 +0000 (14:41 +0100)]
proto detection: add limit for one sided sessions
If a session only has data in one direction, like ftp data sessions,
protocol detection will only run in one direction. This led to a
situation where reassembly would hold all the segments as proto
detection was never flagged as complete.
This patch introduces a limit for protocol detection in this case.
If the limit is reached, detection will give up.
Eric Leblond [Wed, 27 Nov 2013 12:22:42 +0000 (13:22 +0100)]
cmdline: add -k to specify checksum validation
This patch adds a '-k' option to suricata to be able to specify
the checksum validation to use. If '-k all' is used, checksum
validation is forced. If '-k none' is used, no checksum validation
is made.
Message output in case of detection of a pcap file with a probable
cheksum issue has been updated to indicate that '-k' is a solution.
This patch adds support for checksum-checks in the pcap-file running
mode. This is the same functionnality as the one already existing for
live interface.
It can be setup in the YAML:
pcap-file:
checksum-checks: auto
A message is displayed for small pcap to warn that invalid checksum
rate is big on the pcap file and that checksum-check could
be set to no.
Eric Leblond [Tue, 19 Feb 2013 13:53:52 +0000 (14:53 +0100)]
Set packet invalid flag during decoding.
This patch set a new value in pkt->flag to signal that a packet is
invalid during decoding. The patch has been obtained via a coccinelle
transformation.
This patch replaces PacketPseudoPktSetup by a better named
PacketTunnelPktSetup function which is also in charge of doing
the decoding of the tunneled packet.
This allow to clean the code. But it also fixes an issue.
Previously, if the DecodeTunnel function was failling (cause of
an invalid packet mainly), the result was that the original packet
to be considered as a tunnel packet (and not inspected by payload
detection).
Eric Leblond [Wed, 27 Nov 2013 17:53:52 +0000 (18:53 +0100)]
decode: update API to return error
In some cases, the decoding is not possible and some really invalid
packet can be created. This is in particular the case of tunnel. In
that case, it is more interesting to forget about the tunneled
packet and only consider the original packet.
DecodeTunnel function is maked as warn_unused_result because it is
meaningful for the decoder to know if the underlying data were not
correct. And in this case, only focus detection on the content.
projects / thirdparty / suricata.git / log
