
Console View


f6e3755b5c43...
Victor Julien
lua: extend SCFlowAppLayerProto
Change SCFlowAppLayerProto to return 5 values:
<alproto> <alproto_ts> <alproto_tc> <alproto_orig> <alproto_expect>:

alproto: detected protocol
alproto_ts: detected protocol in toserver direction
alproto_tc: detected protocol in toclient direction
alproto_orig: pre-change/upgrade protocol
alproto_expect: expected protocol in change/upgrade

Orig and expect are used when changing and upgrading protocols. In an
SMTP STARTTLS case, orig would normally be set to "smtp" and expect
to "tls".
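The five return values described in the commit above, used from a Suricata Lua output script. This is an added example, not code from the buildbot page or from Suricata itself: it logs every flow whose app-layer protocol was changed (STARTTLS, HTTP CONNECT) and flags the ones where the protocol that followed the upgrade was not the expected one. The output file name, the `classify` helper and its policy, and the assumption that an unset protocol is reported as the string "unknown" are this example's own; `SCFlowAppLayerProto`, `SCFlowTuple`, `SCFlowTimeString`, `SCLogPath` and `SCLogInfo` are existing Suricata Lua API calls.

```lua
-- Added example (not Suricata's own code): Lua output script that records
-- protocol upgrades per flow using the 5-value SCFlowAppLayerProto().
-- Assumptions: unset protocols come back as "unknown"; the log file name and
-- line format are arbitrary choices of this example.

function init(args)
    local needs = {}
    needs["type"] = "flow"   -- called once per flow when the flow is logged
    return needs
end

function setup(args)
    filename = SCLogPath() .. "/" .. "proto-upgrades.log"   -- assumed name
    file = assert(io.open(filename, "a"))
    upgrades = 0
end

-- Classify a flow from the detected, original and expected protocols.
-- Returns nil when no protocol change happened on the flow.
function classify(alproto, alproto_orig, alproto_expect)
    if alproto_orig == nil or alproto_orig == "unknown" then
        return nil                      -- no STARTTLS/CONNECT style change
    end
    if alproto_expect == "unknown" or alproto == alproto_expect then
        return "upgrade"                -- e.g. smtp -> tls, as announced
    end
    -- An upgrade was announced but a different protocol (or nothing
    -- recognisable) followed it: worth a closer look.
    return "unexpected"
end

function log(args)
    local alproto, alproto_ts, alproto_tc, alproto_orig, alproto_expect =
        SCFlowAppLayerProto()
    local verdict = classify(alproto, alproto_orig, alproto_expect)
    if verdict == nil then
        return
    end
    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    local ts = SCFlowTimeString()
    file:write(string.format(
        "%s %s %s:%d -> %s:%d orig=%s expect=%s now=%s ts=%s tc=%s\n",
        ts, verdict, srcip, sp, dstip, dp,
        alproto_orig, alproto_expect, alproto, alproto_ts, alproto_tc))
    file:flush()
    upgrades = upgrades + 1
end

function deinit(args)
    SCLogInfo("logged " .. upgrades .. " protocol-upgrade flows")
    file:close()
end
```

The script is enabled like any other Lua output script, by listing it under the `lua:` entry of `outputs:` in suricata.yaml. An "unexpected" line is the Lua-side counterpart of the APPLAYER_UNEXPECTED_PROTOCOL event introduced in the protocol change API commit further down this page: the server answered STARTTLS with 220 (or CONNECT with 200) but what came next did not detect as TLS.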
f18c976a8ed1...
Victor Julien
flow: counters for total number of flows
flow.tcp
flow.udp
flow.icmpv4
flow.icmpv6
ea99099c646c...
Victor Julien
isdataat: add test for leading space
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
e8800b1893b4...
Mats Klepsland
app-layer-smtp: add STARTTLS support
d9908216d8d5...
Victor Julien
connect/starttls: handle detection corner cases
When switching protocol from http to tls the following corner case
was observed:

pkt 6, TC "200 connection established"
pkt 7, TS acks pkt 6 + adds "client hello"
pkt 8, TC acks pkt 7
pkt 8 is where normally the detect on the 200 connection established
      would run however before detection runs the app-layer is called
      and it resets the state

So the issue is missed detection on the last data in the original
protocol before the switch.

Another case was:

TS ->    STARTTLS
TC ->    Ack "STARTTLS data"
        220
TS ->    Ack "220 data"
        Client Hello

In IDS mode, this made a rule that wanted to look at content:"STARTTLS"
in combination with the protocol SMTP 'alert smtp ... content:"STARTTLS";'
impossible. By the time the content would match, the protocol was already
switched.

This patch fixes this case by creating a 'Detect/Log Flush' packet in
both directions. This will force final inspection and logging of the
pre-upgrade protocol (SMTP in this example) before doing the final
switch.
cd97fa80f19b...
Victor Julien
file: fix pruning for parallel files
Allow pruning of random files, not just list head.
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
c7ddbbc586c7...
Jason Ish
dns: fix log filtering
Previously only a subset of the records could be selected
in custom. Now allow any to be selected.
c513896786bb...
Victor Julien
bug 2113: unix-socket start up race
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
c4c93872f8d0...
Victor Julien
file: introduce per file 'track id'
Some protocols transfer multiple files in parallel. To support this add
a 'track id' to the API. This track id is set by the protocol parser. It
will use this id to indicate what file in the FileContainer it wants to
act on.
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
b8d13f354b0b...
Mats Klepsland
app-layer: support changing flow alproto
Support changing the application level protocol for a flow. This is
needed by STARTTLS and HTTP CONNECT to switch from the original
alproto to tls.

This commit allows a flag to be set 'FLOW_CHANGE_PROTO', which
triggers a new protocol detection on the next packet for a flow.
b6c2b7052b18...
Mats Klepsland
app-layer-htp: add HTTP CONNECT support
afedd5c6df60...
Victor Julien
file: fix storing parallel files
When looping available files 'flags' misuse would lead to all files
being closed after the first close.

This patch separates per file and per call flags.
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
ae99e08396fc...
Victor Julien
file: update loops to account for parallel files
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
ac7cf48a9898...
Jason Ish
dnp3: in template, include file's own headers
To deal with -Wmissing-prototypes as added in
ab1200fbd7fd4d3e0fe097fab3b3bcfefaba7e2e

Note: Change was already applied to source files, this just
updates the generation.
a8d0ae460c4b...
David Wharton
doc: removing (replaced) snort-compatibility.rst
snort-compatibility.rst replaced by differences-from-snort.rst
9c071d172479...
Victor Julien
eve.flow: log original and expected app_protocols
Log protocols if they are available.
9b1f74409bcb...
Victor Julien
magic: fix compile warnings
944ab48b203f...
Victor Julien
file: clarify file store id name
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
8a53d49e8161...
David Wharton
doc: replacing snort-compatibility link
The snort-compatibility.rst document is being replaced by
differences-from-snort.rst. This commit updates the link.
893f868b4282...
Victor Julien
proto-detect: add debug output
88177694fdf7...
Victor Julien
nfq: don't try to verdict detect/log flush pkts
8127730f0095...
Victor Julien
bug 2113: fix live modes
8125f78f5f40...
Mats Klepsland
app-layer-ftp: detect FTP alproto when using AUTH TLS
Try to detect FTP using the patterns '220 (' and 'FEAT', since 'USER '
and 'PASS ' are not sent in cleartext when using AUTH TLS.
74aa65073b01...
Mats Klepsland
output-json-tls: log 'from_proto' field
Log the original application level protocol when the protocol has been
changed because of STARTTLS, HTTP CONNECT or similar.
72c757433aab...
Mats Klepsland
app-layer: add decoder event for missing TLS after STARTTLS
6f42ae91c7f3...
Victor Julien
app-layer: protocol change API
Add API calls to upgrade to TLS or to request a protocol change
without a specific protocol expectation.

If the HTTP CONNECT session includes a port on the url, use that to
look up the probing parser during protocol detection. Solves a
missed detection of an SSLv2 session that upgrades to TLSv1. SSLv2
relies on the probing parser which is limited to certain ports.

In case of STARTTLS in SMTP and FTP, the port is hardcoded to 443.

A new event APPLAYER_UNEXPECTED_PROTOCOL is set if there was a
mismatch.
6bc7c64794c3...
David Wharton
doc: overhaul of the snort-compatibility document
This is intended to replace the existing 'snort-compatibility.rst'
document.
Based on "The Suricata Rule Writing Guide for The Snort Expert"
2016 SuriCon talk.
6142e88ed558...
Victor Julien
nflog: compiler warning fix
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
5c01b4093127...
Victor Julien
tests: update tests for app-layer changes
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
5b56d324c4e7...
Victor Julien
app-layer: optimize many-tx case
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
4697330b7372...
Victor Julien
doc: flowints formatting cleanup
4459b8878277...
Victor Julien
output: tx logging optimizations
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
4217c6839add...
Victor Julien
stream: single GAP check
Move all GAP checks into CheckGap. Remove seg_list based check.
Also remove seg_list == NULL check to make sure the Gap check is
done on an empty list as well.

Improve next_seq < last_ack check, but add data beyond gap check.
3ff5dc3653fe...
Victor Julien
nfq: remove obsolete and broken netfilterforwin support
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
39183f7a8eb6...
Victor Julien
doc: fix doc links for http keywords
3148ff34b6d7...
Victor Julien
app-layer API optimizations and cleanups
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
312ad9e3ad35...
Victor Julien
pfring: compiler warning fixes
11b9e6fdab8a...
Mats Klepsland
app-layer-ftp: add STARTTLS support
1062a9213b87...
Victor Julien
file-store: small cleanup
  • gt4-pcap-tests: '/suriqa-buildbot/sid-pcap-qa-tools/regression_script.sh /suriqa-buildbot/ ...' failed -  stdio
0af562d4c8c3...
Victor Julien
doc: move parts out of snort difference doc
Move generic keyword descriptions to the keyword documentation.