Home - Waterfall Grid T-Grid Console Builders Recent Builds Buildslaves Changesources - JSON API - About

Console View

Categories: default personal
Legend:   Passed Failed Warnings Failed Again Running Exception Offline No data

default personal
Victor Julien
mpm/ac-ks: apply offset/depth
Giuseppe Longo
unix-manager: add "ruleset-reload-rules" command
This add a new command the new naming convention.

The (old) command "reload-rules" is kept for
backward compatibility
Giuseppe Longo
unix-manager: block live reload when -s/-S is specified
Currently, when live reload is executed through
unix-socket, suri prints in the console the following
error message:
"Live rule reload not possible if -s or -S option used at runtime."

Instead, prints "done" in unix socket,
when the live reload is not executed.
Danny Browning
source-pcap-file: Fix coverity findings (Bug #2356)

Address issues found by coverity for resource leaks and use after free.
Eric Leblond
unix-socket: add ruleset-reload-nonblocking command
Add a non blocking function to reload rules. It will be useful
for remote system management to avoid to block them waiting the
reload. And as we now have a last-reload command we can get the
status of the current reload.
Andreas Herz
detect-engine: add missing mutex unlock
Pascal Delalande
dns: store flags for logging for TCP
Wolfgang Hotwagner
conf: Memory-leak in DetectAddressTestConfVars
There is a memory-leak in DetectAddressTestConfVars. If the programm takes the "goto error"-path, the pointers gh and ghn will not be freed. This commit fixes bug #2345. Here is the ASAN-output:

ERROR: LeakSanitizer: detected memory leaks

Direct leak of 24 byte(s) in 1 object(s) allocated from:
0 0x7f4347cb1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
1 0x55fe1fc8dcfc in DetectAddressHeadInit /root/suricata-1/src/detect-engine-address.c:1534
2 0x55fe1fc8c50a in DetectAddressTestConfVars /root/suricata-1/src/detect-engine-address.c:1306
3 0x55fe1ff356bd in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2696
4 0x55fe1ff365eb in main /root/suricata-1/src/suricata.c:2884
5 0x7f43443892b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

Direct leak of 24 byte(s) in 1 object(s) allocated from:
0 0x7f4347cb1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
1 0x55fe1fc8dcfc in DetectAddressHeadInit /root/suricata-1/src/detect-engine-address.c:1534
2 0x55fe1fc8c524 in DetectAddressTestConfVars /root/suricata-1/src/detect-engine-address.c:1310
3 0x55fe1ff356bd in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2696
4 0x55fe1ff365eb in main /root/suricata-1/src/suricata.c:2884
5 0x7f43443892b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: 48 byte(s) leaked in 2 allocation(s).
Wolfgang Hotwagner
conf: NULL-pointer dereference in ConfUnixSocketIsEnable
The value for the configuration-option "unix-command.enabled" is not properly checked in ConfUnixSocketIsEnable. This causes a NULL-pointer dereference in strcmp. This commit fixes bug #2346. The ASAN-output looks like:

ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f03b69737cc bp 0x7ffcef322c10 sp 0x7ffcef322390 T0)
0 0x7f03b69737cb (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x447cb)
1 0x5617a76d3f55 in ConfUnixSocketIsEnable /root/suricata-1/src/util-conf.c:104
2 0x5617a741b6e7 in DetectEngineMultiTenantSetup /root/suricata-1/src/detect-engine.c:2447
3 0x5617a769e0c3 in PostConfLoadedDetectSetup /root/suricata-1/src/suricata.c:2527
4 0x5617a76a0424 in main /root/suricata-1/src/suricata.c:2887
5 0x7f03b30c82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
6 0x5617a72411a9 in _start (/usr/local/bin/suricata+0xc51a9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x447cb
Victor Julien
detect: move keyword registration into own file
Victor Julien
mpm/ac: add depth/offset support
Victor Julien
doc: initial suricata-update page
Victor Julien
detect: content limits propagation
Propagate inspection limits from anchered keywords to the rest of
a rule.


content:"A"; depth:1; is anchored, it can only match in the first byte

content:"A"; depth:1; content:"BC"; distance:0; within:2;
"BC" can only be in the 2nd and 3rd byte of the payload. So effectively
it has an implicite offset of 1 and an implicit depth of 3.

content:"A"; depth:1; content:"BC"; distance:0; can assume offset:1; for
the 2nd content.

content:"A"; depth:1; pcre:"/B/R"; content:"C"; distance:0; can assume
at least offset:1; for content "C". We can't analyzer the pcre pattern
(yet), so we assume it matches with 0 bytes.

Add lots of test cases.
Victor Julien
output: don't deadlock on log reopen failure
If output log reopen fails, don't try to output the error. This would
lead to a deadlock as reopen was called from a SCLogMessage call. This
call already held the output lock.

Bug #2306.
Eric Leblond
doc: add ruleset commands available in unix socket
Victor Julien
qa: add more drmemory suppressions for hyperscan
Giuseppe Longo
unix-manager: print failed rules
This permits to print the invalid rules through
unix socket.

An example output is the following:

>>> show-failed-rules
        "filename": "/home/eric/git/oisf/benches/tls-store.rules",
        "line": 2,
        "rule": "alert ts any any -> any 334 (msg:\"Store TLS\"; tls.store; sid:2; rev:1;)"
        "filename": "/home/eric/git/oisf/benches/tls-store.rules",
        "line": 3,
        "rule": "alert ls any any -> any 334 (msg:\"Store TLS\"; tls.store; sid:3; rev:1;)"

The dump is limited to 20 entries to avoid to send a too big
message to the client that don't support it by default.
Victor Julien
detect: move grouping/building code into own file
Clean up main detect.c file by moving things related to rule
grouping out.
Victor Julien
detect: move rule loading into loader files
Giuseppe Longo
unix-socket: add commands to print engine stats
This permits to print engine stats through
unix socket.
Jason Ish
template scripts: fixup detect setup scripts
Update scripts to reflect recent changes in the detection files.
Andreas Herz
rule-reload: fix possible hangup with SIGUSR2
In some cases the rule reload could hang. The pending USR2 signals will
be recognized even with the <2 check. Also the SCLogWarning shouldn't be
used in the handler (see Warning about SCLog* API above in the code).
Danny Browning
suricata: pcap-file-continuous ignores other options (Bug #2253)

Command line option pcap-file-continuous was ignoring command line options
passed after its usage. Fixed bug, fixed formatting of help command
regarding pcap-file-continuous.
Wolfgang Hotwagner
conf: multiple NULL-pointer dereferences in FlowInitConfig
This commit fixes multiple NULL-pointer dereferences in FlowInitConfig after reading in config-values(flow.hash-size, flow.prealloc and flow.memcap) for flow. Here is a sample ASAN-output:

ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fea73456646 bp 0x7fffd70e1ba0 sp 0x7fffd70e1328 T0)
0 0x7fea73456645 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x80645)
1 0x7fea76c98eec (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3beec)
2 0x5643efb4c205 in FlowInitConfig /root/suricata-1/src/flow.c:455
3 0x5643efcd1751 in PreRunInit /root/suricata-1/src/suricata.c:2247
4 0x5643efcd49f4 in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2748
5 0x5643efcd5402 in main /root/suricata-1/src/suricata.c:2884
6 0x7fea733f62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
7 0x5643ef8761a9 in _start (/usr/local/bin/suricata+0xc51a9)

Ticketno: Bug #2349
Giuseppe Longo
json-stats: print engine stats
This adds the engine stats in stats event.
If multi-tenancy is enabled, it will add
stats for each tenant

The following is a snippet of the generated EVE entry:


Multi-tenancy enabled:

Andreas Herz
keyword-filesize: add units
Victor Julien
detect: move unittests into tests/
Victor Julien
prefilter/profile: validate end > start
Seen underflow issues on profiling on arm (gettimeofday based.
Victor Julien
configure: style fixup
Giuseppe Longo
detect-engine: add reload time/rules stats
This patch adds the following stats for
the detect engine:
- time of the last reload
- number of rules loaded
- number of rules failed
Victor Julien
mpm: add depth/offset support
Wolfgang Hotwagner
conf: use of NULL-pointer in DetectLoadCompleteSigPath
The "sig_file" argument of DetectLoadCompleteSigPath() is not checked for NULL-values. If this argument is NULL a SEGV occurs because of a dereferenced NULL-pointer in strlen in PathIsAbsolute. This commit fixes bug #2347. Here is the ASAN-output:

==17170==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd1afa00646 bp 0x7ffe8398e6d0 sp 0x7ffe8398de58 T0)
    0 0x7fd1afa00645 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x80645)
    1 0x7fd1b3242eec  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3beec)
    2 0x5561c8cddf7f in PathIsAbsolute /root/suricata-1/src/util-path.c:40
    3 0x5561c8cddfea in PathIsRelative /root/suricata-1/src/util-path.c:65
    4 0x5561c89275e4 in DetectLoadCompleteSigPath /root/suricata-1/src/detect.c:264
    5 0x5561c8929e75 in SigLoadSignatures /root/suricata-1/src/detect.c:486
    6 0x5561c8c0f2b3 in LoadSignatures /root/suricata-1/src/suricata.c:2419
    7 0x5561c8c1051d in PostConfLoadedDetectSetup /root/suricata-1/src/suricata.c:2550
    8 0x5561c8c12424 in main /root/suricata-1/src/suricata.c:2887
    9 0x7fd1af9a02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    10 0x5561c87b31a9 in _start (/usr/local/bin/suricata+0xc51a9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x80645) in strlen
Victor Julien
mpm/ac-ks: coding style fixes
Dana Helwig
source-pcap-file: Pcap Directory Mode (Feature #2222)

Pcap file mode that when passed a directory will process all files in
that directory. If --pcap-file-continuous or continuous option is passed
in json, the directory will be monitored  until the directory is
moved/deleted, suricata is interrupted, or the pcap-interrupt command
is used with unix command socket. Existing file implementation and new
directory implementation has moved from source-pcap-file into
pcap-file-helper and pcap-directory-helper.

Engine state will not reset between files.

Also satisfies:
* https://redmine.openinfosecfoundation.org/issues/2299
* https://redmine.openinfosecfoundation.org/issues/724
* https://redmine.openinfosecfoundation.org/issues/1476

Co-Authors: Dana Helwig <dana.helwig@protectwise.com> and
Danny Browning <danny.browning@protectwise.com>
Victor Julien
app-layer/counters: check counter id
Check counter id before updating a counter. In case of a disabled
parser with the protocol detection enable, the id can be 0. In
debug mode this would lead to a BUG_ON.
Giuseppe Longo
detect-engine: remove DONE state
Remove the DONE state to fix a problem with state not being
changed correctly when multiple reload were done. As DONE was
not really useful, we can remove it.
Giuseppe Longo
detect: save invalid rules
This keeps the invalid rules in string format into a list,
added in DetectEngineCtx.
Victor Julien
pcap-directory: fix double free in error path
Pascal Delalande
doc: update docs for DNS flags logging
Wolfgang Hotwagner
conf: multiple NULL-pointer dereferences in StreamTcpInitConfig
There are several NULL-pointer derefs in StreamTCPInitConfig. All of them happen because ConfGet returns 1 even if the value is NULL(due to misconfiguration for example).
This commit introduces a new function "ConfGetValue". It adds return values for NULL-pointer to ConfGet and could be used as a replacement for ConfGet.

Note: Simply modify ConfGet might not be a good idea, because there are some places where ConfGet should return 1 even if "value" is NULL. For example if ConfGet should get a Config-Leave in the yaml-hierarchy.

Bug: 2354