Home - Waterfall Grid T-Grid Console Builders Recent Builds Buildslaves Changesources - JSON API - About

Console View

Categories: default personal
Legend:   Passed Failed Warnings Failed Again Running Exception Offline No data

default personal
Victor Julien
output/filedata: call loggers on both directions
Ruslan Usmanov
rate_filter: by_rule fixed triggering algorithm
Fixes issue #2258

Program was triggering rate_filter by_rule earlier than needed
and generally behaved like a threshold.
Victor Julien
output/file: run file loggers in both directions
This avoids the wait for injected packets when file is already ready
to be logged.
Victor Julien
dns: support detect flags
Victor Julien
app-layer: detect flags API calls
Add API meant to replace the MpmIDs API. It uses a u64 for each direction
in a tx to keep track of 2 things:

1. is inspection done?
2. which prefilter engines (like mpm) are already completed
Victor Julien
detect/content: implement endswith
Victor Julien
ssl/tls: use DetectFlags API
Victor Julien
filestore: minor cleanups and warning fixes
Victor Julien
detect/prefilter: redo profiling
Jason Ish
filestore (old): register global stat in init func
This doesn't need to be registered from suricata.c. And moving
it to the init function makes sure its only registered if
the logger is actually enabled.
Alexander Gozman
af_packet: bug #2422.
This commit fixes a leak of mmap'ed ring buffer that was not
unmaped when a socket was closed. In addition, the leak could
break an inline channel on certain configurations.

Also slightly changed AFPCreateSocket():
1. If an interface is not up, it does not try to apply any
  settings to a socket. This reduces a number of error messages
  while an interface is down.
2. Interface is considered active if both IFF_UP and IFF_RUNNING
  are present.
Victor Julien
detect: rewrite of the detect engine
Use per tx detect_flags to track prefilter. Detect flags are used for 2
1. marking tx as fully inspected
2. tracking already run prefilter (incl mpm) engines

This supercedes the MpmIDs API for directionless tracking
of the prefilter engines.

When we have no SGH we have to flag the txs that are 'complete'
as inspected as well.

Special handling for the stream engine:

If a rule mixes TX inspection and STREAM inspection, we can encounter
the case where the rule is evaluated against multiple transactions
during a single inspection run. As the stream data is exactly the same
for each of those runs, it's wasteful to rerun inspection of the stream
portion of the rule.

This patch enables caching of the stream 'inspect engine' result in
the local 'RuleMatchCandidateTx' array. This is valid only during the
live of a single inspection run.

Remove stateful inspection from 'mask' (SignatureMask). The mask wasn't
used in most cases for those rules anyway, as there we rely on the
prefilter. Add a alproto check to catch the remaining cases.

When building the active non-mpm/non-prefilter list check not just
the mask, but also the alproto. This especially helps stateful rules
with negated mpm.

Simplify AppLayerParserHasDecoderEvents usage in detection to only
return true if protocol detection events are set. Other detection is done
in inspect engines.

Move rule group lookup and handling into it's own function. Handle
'post lookup' tasks immediately, instead of after the first detect
run. The tasks were independent of the initial detection.

Many cleanups and much refactoring.
Jason Ish
filestore: only allow one filestore to be enabled
There is probably not too much bad about enabling both, but
open file counts can get messy with both enabled. And v1
should be schedule for deprecation soon enough.
Jason Ish
filestore2: warn once for file errors
Track each type of error warning and only log it once. Also create
a new stat, file_store.fs_errors to count each file system type
error (open, rename, unlink).

Also remove exit stats, they are of limited value.
Victor Julien
threshold: minor cleanups
Victor Julien
rust/dns: implement detect_flags API
Victor Julien
detect/fast-pattern: use registered buffers for check
Victor Julien
rust/nfs: add support for detect_flags API
Victor Julien
app-layer: improve async and out of order txs
Free txs that are done out of order if we can. Some protocol
implementations have transactions running in parallel, where it is
possible that a tx that started later finishes earlier than other
transactions. Support freeing those.

Also improve handling on asynchronious transactions. If transactions
are unreplied, e.g. in the dns flood case, the parser may at some
point free transactions on it's own. Handle this case in
the app-layer engine so that the various tracking id's (inspect, log,
and 'min') are updated accordingly.

Next, free txs much more aggressively. Instead of freeing old txs
at the app-layer parsing stage, free all complete txs at the end
of the flow-worker. This frees txs much sooner in many cases.
Danny Browning
runmode-unix-socket: interrupt as commanded (2413)

Once interrupt occurs, reset the interrupt flag so that future runs are
not immediately interrupted.
Victor Julien
smtp: implement DetectFlags API
Pascal Delalande
unix-socket: socket permission update
So far, the suricata socket suricata-command.socket has the rights
rw-r----- suricata:user.
When suricata is used with restricted access, an other application
(suricatasc like) that needs to access to the command socket also
with restricted access can not write to the socket since it is not
the owner (e.g suricata within container, with an hardened value
for umask and hardened rights for users).

The socket should be set as rw-rw----. Use chmod instead of fchmod
and set it after the socket creation.
Victor Julien
app-layer: warn that MpmIDs API is no longer used
Remove implementation.
Victor Julien
detect: bypass merge sort call if possible
Jason Ish
doc: document file-store v2
Victor Julien
flowbits: analyze and dump to json
Analyze flowbits to find which bits are only checked.

Track whether they are set and checked on the same level of 'statefulness'
for later used.

Dump flowbits to json including the sids that set/check etc the bit.
Victor Julien
detect/flowbits: apply state knowledge
When stateless rules are depending on a flowbit being set by a stateful
rule, the inspection order is almost certainly wrong.

Switch stateless rules depending on stateful rules to being stateful.
This is used to turn 'TCP stream' inspecting rules (which are stateless
unless mixed with stateful keywords) into stateful rules.
Jason Ish
suricatasc: don't use find -delete
For when -delete isn't supported by find. Instead use
-print0 with xargs -0.
Victor Julien
detect/prefilter: show prefilter engine id space
Victor Julien
detect/profiling: postpone setup
Do this to allow for including of runtime buffer registrations.
Victor Julien
detect: minor cleanup
Victor Julien
detect/state: clean up old code
Victor Julien
detect: fix multiple files per tx inspect
Fix the inspection of multiple files in a single TX, where new files
may be added to the TX after inspection started.

Assign the hard coded id DE_STATE_FLAG_FILE_INSPECT to the file
inspect engine.

Make sure that sigs that do file inspection and don't match on the
current file always store a detailed state. This state will include

When the app-layer indicates a new file is available, for each sig
that has the DE_STATE_FLAG_FILE_INSPECT flag set, reset part of the
state so that the sig is evaluated again.
Victor Julien
ssh: implement DetectFlags API
Maurizio Abba
signal: use centralized pthread_sigmask for signals
according to its man page, sigprocmask has undefined behavior in
multithreaded environments. Instead of explictly blocking the handling
of SIGUSR2 in every thread, direct block handling SIGUSR2 before
creating the threads and enable again the handling of this signal
afterwards. In this way, only the main thread will be able to manage
this signal properly.
Martin Natano
app-layer-htp, stream-tcp: prevent modulo bias in RandomGetWrap()
RAND_MAX is not guaranteed to be a divisor of ULONG_MAX, so take the
necessary precautions to get unbiased random numbers. Although the
bias might be negligible, it's not advisable to rely on it.
Victor Julien
detect: profiling update for new detect code
Danny Browning
suricatasc: pcap-file-continuous (2412)

Suricatasc is not supporting pcap-file processing in continuous mode.
Register a new command pcap-file-continuous in the unix manager to work
with suricatasc. Add defaulted arguments for pcap-file to support
backwards compatibility.
Victor Julien
detect/content: introduce startswith modifier
Add startswith modifier to simplify matching patterns at the start
of a buffer.

Instead of:
    content:"abc"; depth:3;
This enables:
    content:"abc"; startswith;

Especially with longer patterns this makes the intention of the rule
more clear and eases writing the rules.

Internally it's simply a shorthand for 'depth:<pattern len>;'.

Ticket https://redmine.openinfosecfoundation.org/issues/742
Victor Julien
http: move from MpmIDs to DetectFlags API