[Oisf-devel] [COMMIT] OISF annotated tag, suricata-1.2beta1, created. suricata-1.2beta1
noreply at openinfosecfoundation.org
Mon Dec 19 18:43:50 UTC 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".
The annotated tag, suricata-1.2beta1 has been created
at b8dafd9964fa487fed36670c82d3f58f11a3d4e8 (tag)
tagging fbe7ba411e20d6682d32f89ea792ada28d60efe7 (commit)
tagged by Victor Julien
on Mon Dec 19 19:42:42 2011 +0100
- Log -----------------------------------------------------------------
Tag 1.2beta1 release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEABECAAYFAk7vhcQACgkQiSMBBAuniMcG3gCeKoMdIxfh9L1hu3dRJRW7nTeP
WIgAniCbpjf+83JDeYaEN8DgQq9ubWzN
=3J/i
-----END PGP SIGNATURE-----
Anoop Saldanha (451):
Changes added for the Performance Counter API
perf_task_bugs_fixex_v1
perf task bugs fixed v2
perf task bugs fixed v3
Implements counters for the decode module
improve the threading api for the ids
additional support for type qualifier for the stats api
new registration functions for the stats api, with local thread storage for counter ids
checksum calculation functions for ipv4, tcp, udpv4, icmpv4
checksum calculation functions for icmpv6, udp over ipv6 and tcp over ipv6
Added support for the csum-<protocol> rules keyword to the detection engine. Keywords added are ipv4-csum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum
threading improvements. Replaced the use of slot(2/3) with varslot. Improve error handling in slot functions. Additional helper functions for thread creation
Fixed the Perf API startup issue
Order the signatures based on certain rule parameters like actions, flowbits, flowvar, pktvar, priority etc
Implementation of the logging module
Update for the logging module and symbol renaming
Logging module optimization changes
Radix Tree structure for the engine
Radix Tree modifications
Some code refactoring
Some refactoring of the code, error handling done
fix for the test bug in the logging module
Added a NULL check inside ConfGet()
Fix for the broken test from logging module
Unittests and style fix for detect-engine-siggroup.[ch]
Host OS Table API. Modifications also made to the radix tree to handle netblocks
Updated doxygen comment for host os function
Added comments to the Host OS API test
change the netmask to uint8_t for the ip handling part of the radix tree and also use 255 instead of -1 to indicate the absence of a netblock
Support host os flavour retrieval functions with raw network addresses
Support vars lookup from conf file. Current patch supports address and port group vars lookup
Support for negated content
Support fast_pattern modifier keyword for content
Fixes for the fast-pattern tests and a couple of other minor changes
Support to get the last sigmatch of a particular type. To be used for content and its modifiers
modifications to PatternMatchPreprarePopulateMpm to fasten fast_pattern processing
refactoring perf stats code
stats upgrade. Added interval counters to the decoder module
Updates for counters time based patch
adapted counters to use util-time.[ch]
todo comment update for address and port parsing
Bug fix for fast_pattern - bug #8
Fix for handling negated content "\!CONTENT"
Fix for Unified Alert Test Bug #14
detect-engine-address.[ch] refactoring
fix for unclear error messages bug 15
double port/address negation is parsed incorrectly
Support for Classtype keyword and Classification Config file
Modify the classification config tests to use the buffer rather than a temp file and also fix an invalid free
dce_iface, dce_opnum, dce_stub_data keyword support
Change error log messages to debug ones in the log modules
check for the existence of default logging directory
Radix Tree fixes/updates
logging module bug 6 fix
fix for bug #47
refactoring, tests for address engine ipv4
engine address ipv6 refactored
AddressCutNot fix for address engine ipv6
cuda interface
mpm b2g cuda support added
valgrind fixes for b2g cuda mpm
handle the cuda cleanup at shutdown. should get rid of any errors from the call to SigGroupCleanup
Changed the way cuda dispatcher passes back results. Now each detection thread has its own queue to which the dispatcher can pump packets back to the detect thread. Also, with cuda enabled and a non-cuda mpm being used, we won't create a dispatcher and instead call the b2g scan/search functions directly instead of using the dispatcher.
pack all the packet pattern scan and search packet setup for cuda into a function inside util-cuda-handlers.[ch]
Added cuda logs for the engine, which shows device info and memory usage
Updated cuda device information logs with some minor formatting changes
Some more formatting changes for cuda startup device info logs
Fix for bug 50. Make timebased counters more accurate
fix for bug 113
support for http_client_body keyword
Enable flag in http_client_body for http request body callback
adapt b2g cuda code for the mpm architecture change
fix for bug 114
Add the mpm b2g cuda kernel file into the codebase
added x86_64 for the b2g cuda code
compiled and added a 64 bit version of the cuda b2g kernel
fix for bug 115
fix for bug 108
support nocase and negation for http_cookie
Fix globalinit memset for trans_q
wrap multi line macros in do while
dce rpc stub data held in separate buffers for request and response pdus
dce stub content keywords support using dcepayload.c support for all dce related content keywords
changes to the dce parser stub data processed var. changed to stub data fresh var to indicate if the stub is fresh or not
dce tests to check SigMatchSignatures()'s working against new dce transactions
Reset the flags used during stateful detection in ContinueDetection(). Made the tests more descriptive as well
allow counters clubbing for detect TM
add pcre with U modifiers to the umatch sigmatch list. fix for bug 155
in case of duplicate signatures used the one with the latest revision
byte test and byte jump update dce matching option
content handling changes in detect-engine-payload.c for multiple relative matches
multiple relative content matches changes for detect-engine-dcepayload.c and detect-engine-uri.c like how we did for detect-engine-payload.c
fixes the offset case for content matches + a case not handled by the previous fix for multiple relative content matches. fix for payload.c dcepayload.c and uri.c
batching of packets support for cuda b2g mpm. Supported for both 32 and 64 bit platforms
fix signature parsing to how snort does it for content based keywords along with dce_stub_data
unittests for dce_stub_data content based signature parsing + fixes
fixes for dce_stub_data and content data sig parsing + more unittests
todo list for cuda-packet-batcher
fix creating a static array of length 0 in SigMatchGetLastSMFromLists - clang fix
add --list-cuda-cards option to list the cuda cards on the system. Add conf parameter to select the cuda device to use. Also change the threshold limit to 2.4k packets to buffer
fix false positives for a negated content case
fix relative contents with a negated content for detect-engine-(uri|dcepayload).c like how we did for detect-engine-payload.c
implement relative pcre matching in detect-engine-(payload|uri|dcepayload).c. Also fix within/distance handling of RELATIVE_NEXT flag for uricontent
fix setting the right value for parsed bytes in case of fragmented BIND dce PDUs
make detection engine use dce alstate(if present), on seeing smb traffic
fix seg fault due to premature cleanup/double cleanup for byte(jump|test), isdataat, on seeing no previous relative keywords
Fix seg fault while running cuda tests. Don't set the alarm while running unittests, inside cuda-packet-batcher.c. Will result in a seg while the sig handler for ALRM is invoked
some minor modifications to the b2g cuda tests
make pcre respect discontinue_matching flag in content matching functions
fix indentation in DCERPCParser
support fragmented pdus in dce + unittest
do not reset dce stub buffer, if we are dealing with fragmented pdus(holds good only for first frag request pdus)
parse fragmented dce rpc headers correctly. Also some other minor fixes
fix mem leak in tailq that holds dce uuids
fix endless loop in dce parser. fix parsing error of secondaryaddrlen for bindack
fix 206. Keep a count of uuids that don't belong to the first frag. Change dce_iface to match against uuids based on any_frag setting
fix endless loop. Change dce parser to accept ctx ids that always start with a ctx with a 0 ctx id
temporary fix for dcerpc so that we don't loop endlessly, till we cover all cases with fragged pdus
clang fix - some minor fixes for unittests
fix NULL indirection while parsing dce sigs - clang fix
fix null dereference in detect parse test - clang fix
fix indentation in DCERPCParser
fix mem leak in tailq that holds dce uuids
some additional indentation changes in DCERPCParser
support fragmented pdus in dce + unittest
Flag if we see a fragged pdu. Do not reset dce stub buffer, if we are dealing with fragmented pdus(holds good only for first frag request pdus). Also reset the dce state vars on seeing an invalid PDU. Some minor fixes with respect to endianness as well.
fix endianness handling for bindacksecondaryaddrlen
modify the dce parser to accept context ids that start with a non-zero value
indentation fix in DCERPCParseBINDCTXItem, following changes from the previous patch
if malformed pdus push the bytesprocessed beyond frag_length, that's a sure endless loop. Avoid it, by resetting the dce state on seeing this
add internal ids to uuids. Use these internal ids to match uuids from bind and bind_ack. Create a new uuid list to hold all accepted uuids. Modifications to dce-iface to accommodate these changes as well + unittests
for now ignore pdus with auth verifier. We will get back to this in the coming iteration
throw out malformed pdus, that result in the parser having parsed the required data, but we still haven't hit the frag length limit for the parser
changed the endianness comparison to & for dcerpc pdus
fix opnum parsing for fragmented request dce pdus
temporary fix, in case we still have any corner cases remaining in dce parser
fix bytetest segv from bug 237
fix bytejump segv from bug 237
accept tcp packets with syn+urg+push
fix csum handling for tcp/dup
fix for bug 227. For negated contents that have been added to mpm we might have pmq.pattern_id_array_cnt as 0. We can't ignore inspecting sigs if this is 0, in case the content added is negated
support for fast_pattern only and fast_pattern:offset,length. Also support the new option for engine-analysis
invalidate sigs with content/uricontent strings ", "boo, boo" + fix parsing content strings of the format content: !\"boom\";"
throw out contents/uricontents with invalid hex assembly
aho-corasick for the cpu. We have 2 versions of ac. The first MPM_AC uses the delta table and the second one MPM_AC_GFBS uses the goto-failure table
add comments and todos for ac and ac-gfbs
fix ac, ac-gfbs to support new changes to util-mpm.h + remove some junk code
suricata.yaml conf update to support single mpm context distribution over multiple sghs + code to parse this conf
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
respect content flags in hash compare function during staging. For example, we would end up ignoring a nocase version of a duplicate content from another sig in the same sgh
fix hash generation in b2g and ac addpattern. Brings down the no of patterns added from close to a million to a couple of thousands
fix ac nocase handling
fix hash bug in ac-gfbs. Should reduce the no of patterns added for single context ac-gfbs from a million to a couple of thousands. Also support no case handling. \todo support insertion of final state presence into goto_table and failure table state transitions
selecting auto for detect-engine.sgh_mpm_context now uses single if the mpm is ac, full otherwise
update todos for ac. Cleanup some memory as well.
change default value for detect-engine.sgh_mpm_context to auto
support cases for ac, where we have a single pattern in 2 different sigs, but one that is case-sensitive and the other not. Also remove duplicate pids from the output_table
hash fix in staging to differentiate nocase duplicate patterns from case-sensitive ones
provide separate ids for content, uricontent, http_(client_body_data|cookie|header|method|uri), when they share the same pattern
Print out file name for fast_pattern engine_analysis. Also add some info logs
add missing sig_app_layer flags for dce sigs
code cleanup in detect-reference.c
Support for reference.config file
define a new conf parameter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
find an optimal value for detect-engine:inspection-recursion_limit + unittest
change the default recursion limit in the code to 3000, the value which we currently have in the conf file. Also change print modifier for printing timeval
if sgh-mpm-context is not available in conf, alias the auto case inside the engine
Fix fast_pattern tests that always showed success, irrespective of test results
add support for sigs with uricontent fast_pattern
fix some dce opnum/stub tests that would have shown success always irrespective of test results
replace all sm lists (match, pmatch, dmatch, umatch, amatch, tmatch) with an array Signature->sm_lists[]. Replace all Signature->match instances in the engine with Signature->sm_lists[DETECT_SM_LIST_MATCH]
replace all Signature->pmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_PMATCH]
replace all Signature->umatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_UMATCH]
replace all Signature->amatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_AMATCH]
replace all Signature->dmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_DMATCH]
replace all Signature->tmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_TMATCH]
Change the struct members uricontent and uricontent_len in DetectUricontentData to content and content_len. Make replacements everywhere else in the codebase to accommodate these changes
use a single populatempm() function to add the right content for mpm
Use new flags to indicate uricontent has a mpm set
remove populate_mpm_flags from inside PatternMatchPreparePopulateMpm()
fix code after fresh rebase. change some pmatch and amatch lists to sm_lists[] format
completely remove populate_mpm_flags. Some indentation changes. Also disable support to avoid double checks inside payload inspection for patterns added to mpm. Also add support to MpmFactory to reclaim a mpm_ctx
add support for http_uri; content fast_patterns
unifying content structure - uricontent now uses DetectContentData
unifying content structure - http_client_body now uses DetectContentData
unifying content structure - http_cookie now uses DetectContentData
unifying content structure - http_method now uses DetectContentData
unifying content structure - http_header now uses DetectContentData
unifying content structure - http_stat_msg now uses DetectContentData
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
support relative modifiers for http_client_body. Introduce body processing engine in detect-engine-hcbd.[ch]
fix fp when content is negated and also added to mpm
make changes for uri mpm, when uricontent is negated and also is the fp and we ignore checking it once again in engine-uri.c
set content_uri_mpm flag for uri content to prevent double check inside inspection code
set content_packet_mpm and content_stream_mpm flag for content to prevent double check inside inspection code
Add unittests for checking content flags. Fix indentation in PopulateMpmAddPatternToMpm(). Also fix DETECT_CONTENT_IS_SINGLE
store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq
remove support for skipping reinspecting fast pattern contents once again during packet payload inspection. Also make some changes to our detection engine
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
fix compilation issues with debug enabled.
detect-http-header.c cleanup before we start working on it
make client body buffer limit configurable. Also some minor changes
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
fix fast pattern unittests
support fast pattern for http raw header. Also support relative modifiers for http raw header
Add the makefile.am addition that I forgot to add in the previous commit for http_raw_header
allow sigs for http client body of the form content:one; content:two; distance:0; http_client_body;
allow sigs for http uri of the form content:one; content:two; distance:0; http_uri;
allow sigs for http uri of the form content:one; content:two; distance:0; http_[raw_]header;
modify detection engine to carry out uri mpm run before build match array if alproto is http and if sgh has at least one sig with uri mpm set
modify detection engine to carry out hcbd mpm run before build match array if alproto is http and if sgh has at least one sig with hcbd mpm set
modify detection engine to run hhd mpm before building the match array
fix lock issue with mpms inspecting http state for body, header
modify detection engine to run hrhd mpm before building the match array
cleanup/remove dead code
comment out hrhd flags that we were using previously. Also remove the de_mpm_ based flags inside detect.h used by uri|hcbd|hhd|hrhd mpms. indentation fix as well
don't buffer raw headers. Retrieve them individually from htp_state during mpm stage and content validation stage
support relative pcre for client body. All pcre processing for client body moved to hcbd engine
support relative pcre for http header. All pcre processing for http header moved to hhd engine
support /D option for pcre - http raw header. Also support relative pcre for http raw header. All pcre processing for http header moved to hrhd engine
enable write combined memory for cuda mpm. Some other minor cleanup
make cuda mpm parameters configurable
updated cuda todos. Please look at cuda-packet-batcher.c to have a look at the new todos
wrap cuda based util-mpm.c tests in __SC_CUDA_SUPPORT__ ifdef
reintroduce g_u8_lowercase_table for b2g cuda
fix live runmode decode TM for cuda
add some header files that we missed while rebasing
adapt fast pattern engine analysis to reflect the new changes made to your mpm design
always read config.h header file first
fix sig ordering bugs. Flowvars and pktvars user type retrieval should be from pmatch list, as well as from match list. Also fix lousy unit tests
fix mem leak in http_ engines
fix leak for accepted uuid list in dcerpc state
support isdataat negation. Also fix adding isdataat to appropriate lists
fast pattern support for http_method. Also support relative modifiers
fast pattern support for http_cookie. Also support relative modifiers
fix case sensitive bug in ac
Use normal memcmp in ac. Improves perf
minor indentation changes
fix detect-ssl-version.c unittests to accommodate new changes
sslv23 support with ssl2 record format with version set to 3.0
dcerpc parser todo update
tls/ssl parser modifications/fixes. We now have just one file doing all the ssl parsing stuff, i.e. app-layer-tls.[ch], instead of app-layer-ssl.[ch] and app-layer-tls.[ch]
disabled sslv23 proto detection which we enabled previously. Although this is right, need to test a couple of things
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
delete files app-layer-tls.[ch]
some naming changes in ssl parser and ssl related keywords
update ssl parser test. Some minor indentation changes
support for ssl_state keyword added
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
fix ipv4 defrag + fix recursion level in defrag pseudo packet
move pcap live runmode into its own file runmode-pcap.[ch]
move pcap file runmode into its own file runmode-pcap-file.[ch]
move pfring runmode into its own file runmode-pfring.[ch]
move nfq runmode into its own file runmode-nfq.[ch]
move ipfw runmode into its own file runmode-ipfw.[ch]
move erf file runmode into its own file runmode-erf-file.[ch]
move erf dag runmode into its own file runmode-erf-dag.[ch]
naming changes for runmodes
modify runmodes to take all arguments from the conf API
fix coding indentation + neaten runmode code
list runmodes. Allow specification of runmode id from conf file. Also allow for command line override
fixed runmode name changes that was missed in the previous changes to the runmode api
modify runmode api to accept conf runmode parameter as a char string, instead of an integer id
support for http_raw_uri keyword + mpm engine
disable mpm pattern's retest skipping in detection engine for uri, hcbd, hmd, hrhd, hhd, hmd, hcd
move pseudo packet creation outside defragreassemble loop
Add C and E flags to flags keyword. We still support 1 and 2 for backward compatibility
push all proto detection code into their respective app parser register functions for every alproto
Removed FLOW_AL_STREAM_START, EOF and GAP flags. We don't need these. Just use STREAM_* flags
Removed FLOW_AL_PROTO_UNKNOWN. We don't need this flag
Removed FLOW_AL_PROTO_DETECT_DONE. Replaced it with FLOW_ALPROTO_DETECT_DONE, stored it in Flow->flags
Removed FLOW_AL_STREAM_TOSERVER and FLOW_AL_STREAM_TOCLIENT. Use STREAM_TOSERVER and STREAM_TOCLIENT instead
Removed FLOW_AL_NO_APPLAYER_INSPECTION. Moved it as FLOW_NO_APPLAYER_INSPECTION in Flow->flags. Turned Flow->flags into uint32_t and removed Flow->alflags
Add support for port based probing parsers for alproto detection
code indentation changes in app-layer-smb.c
Added probing parser for nbss/smb on port 139
indentation changes in app-layer-smb.c
fix bounds checking in smb probing parser
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
coverity - logging system buffer overrun fix
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
byte_extract support for isdataat added
minor fixes in endianness handling in dcerpc and dce detection engine
smtp parser support
Have separate parser vars in smtp to hold dynamic buffers for parsing fragmented lines
add flowbits:set; only sigs to be treated as ip only
fix var name parsing in byte_extract
coverity fix - 1.1beta branch - add some comments to indicate false positives by coverity for future reference - mainly comments for switch statement fall through
coverity fix for counters api
Unify the use of slots to a single struct for threading API. Remove separate slot append functions for 1slot and varslot
code cleanup in tm-threads.c
Fix code that allows the engine to restart threads that have exited on failure
Minor changes to move function calls that kills threads + frees resources to the clean up phase right to the end of main thread
fastlog print updates. combine the io write
fastlog print updates for ipv6. combine the io write
fix compilation warnings from runmode-af-packet.c
support post pq packet processing in var slot
fix local var usage for slot in tm-threads.c
update TmThreadsSlotProcessPkt with better error handling + post pq processing
introduce inline function version of TmThreadsSlotProcessPkt macro. Retain the macro as well
Introduce master-slave synchronization support for ThreadVars
- Updated all runmodes to use synchronization points, right before each thread(slot function) tries to de-init the thread.
- Main thread now first disables receive thread(s) before it kills receive and rest of the threads.
- All threads also check to see if their inq is cleared before they shutdown.
Single thread kill also checks if inq is cleared before shutting down
We now inspect timed out streams + streams not processed as yet, at engine shutdown
Packet inspection keywords modified to not inspect pseudo packet
Shutdown flow timeout reassembly now supports ipv6
Slot structure now holds the TV it belongs to
update conditional in shutdown forced reassembly to check for flows that required flow reassembly
Move time elapsed right after we finish all packet processing
support for forced stream reassembly for to be pruned flows
Cleanup flow.c before further changes
update flow pruning - v1
update flow pruning - v2
update flow pruning - v3
update flow pruning - v4
update flow pruning - v5
move flow incr cnt while we actually create the pseudo packet in forced reassembly
fix usage of htons to htonl in creation of pseudo packet
signal the post pq if possible, whenever pseudo packets are injected into engine flow. Also carry out post pq processing irrespective of packet retrieval from the flow.
shutdown stream reassembly now avoids looking at flows that have already been processed by flow mgr reassembly
Avoid possibility of potential engine idling from consumption of all packetpool packets - v1
update flow pruning - v6
Remove the macro for pktacqloop which is now replaced by an inline function
fix - we need to set direction flags for reassembly pseudo packet. Also reset local flags for every flow that is force reassembled in ForQ
always keep queue locked till we exit flowprune. Should prevent potential threading issues
packet queue len member is now 32 bit unsigned from the previous 16 bit unsigned. Should take care of the overflow for now
modify post_pq packet handling.
cleanup flow code and pseudo packet creation function
Introduce another solution to solve stream timeout shutdown issue using thread flags. No more MSSyncPts
Remove all code introduced earlier concerned with ms sync points
Introduce a new wrapper macro that wait loops till the flag(s) in question have been set
rename pseudo packet creation function. Shift the check for forced reassembly necessity on a session/direction to an inline function in the stream api
Now flow hash section can force reassemble flows as well
flow mgr code doesn't have to bother on immediately exiting on seeing a suricata_ctl flag set
Rewrite forced reassembly v2 using while loop instead of goto
Indentation fixes
Code cleanup. All code to kill flow manager thread under one function now.
Merge thread kill functions. Merge slot's tm_id with the one used by packet profiling. Remove some junk unused code from ms sync pts. Timeout setup cleanup as well. packet q dbg_maxlen now u32 var.
Add new flags var to tm module. TMs can now set flags to identify special properties. Also use these to identify receive TMs
shutdown timeout reassembly shouldn't check timeout flag set or not on flow
fix failing unittest
refix failing unittest
Remove the unnecessary unittest runmode check to get the test working. Modify tests to get it working around this
some more code cleanup + comments added
Rearrange flow manager functions into flow-manager.[ch]. Some other minor changes/updates
fix http http transaction id update. Update transactions as soon as we receive a callback on new request
fix mpm segv. Use sgh flags to check if the sgh has packet or stream mpm set or not
Replace all mallocs with SCMallocs
Replace all strdup with SCStrdup
Replace all frees with SCFrees
Replace all reallocs with SCReallocs
for shutdown reassembly properly init the reassembly packet using PACKET_RECYCLE
refactor flow timeout code. fix ipv6 address assignment for pseudo pkt.
fix timestamps for pseudo packets created during FFR - bug 337
fix compiler warning for printf format
update ac to behave the same way irrespective of the state count. Should improve performance. Also fix unittests to accommodate these changes
fix ac unittest
remove trailing whitespace from conf file
update broken stats.log. Use pktacqloop funcs in pcap-file, pfring, pcap-live, af-pkt to sync counters - bug #343
introduce SCPerfSyncCounters/SCPerfSyncCounters macro to synchronize counters
app layer probing parser updates
fix probing parser flag usage during protocol detection
probing parser updated to always accept u32 buflens. Update all probing parser functions to accommodate this change
introduce bitmasks instead of alproto_masks for use by the probing parser. Remove all alproto_masks we had previously for PP
fix ipproto keyword negation case - bug #340
cleanup ipproto code
rewrite all ipproto keyword tests
support multiple ipprotos in the same sig + unittest
more unittests for ipproto with multiple nots + some fixes
IPProto now doesn't accept sigs, which has both < and >, with < value being less than > value. Update affected unittests to reflect the change
fix threading bug. Main thread's restart TV code waiting on a failed TV. Now main thread sets the de_init flag before waiting on the failed thread. Thanks to Eric Leblond for reporting it
fix threading issue in debug log. locked mutex isn't freed before returning. fixed
updates to http tx id vars. FFR now flags the app layer session for EOF when creating a pseudo packet for a flow
Provide a function to set the app layer tx eof flag. Use this in FFR code instead of directly setting the flag. This cleans up the API as well
http logging module should log all txs in the list and not just the last complete tx available on EOF
fix inspect id update bug. This should prevent unnecessary FPs for pipelined requests
if app layer inspection is disabled, immediately set the eof flag
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
change rev field in Signature to u32 and use strtoul to extract the value. Cleanup some dead code/comments
support bdat smtp keyword - bug #347
Remove broken dsize_sm in SigMatch used by dsize in detection engine
fix dsize sigs handling. We can't use more than 2 dsizes in the same sig
packet keywords only added for packet mpm. Rest in stream mpm. Update detection engine to handle the same
fix broken unittests
update failing unittest to reflect the mpm design update
fix mpm bug on running stream mpm for packets not added to stream mpm
undo this commit -
fix detection code that handles cases when we use recursion(from recursive keyword)
fix unittests. fix replace unittests that allow alproto keywords with replace
Reintroduced optimized support for < 32k states for ac
fix indentation in ac code
remove debug prints added to ac code
updates to ac-gfbs search. Handle cases where we have a single entry for a state goto transition, just like how we handle for no entry for a particular state
indentation fixes for ac-gfbs
updates to ac-gfbs search. Optimize pointer de-referencing for frequently used pointers
updates to ac-gfbs search. Optimize pointer de-referencing for pid_pat_list
updates to ac-gfbs search. Use SCMemcmp instead of the custom pattern searching used
updates to ac-gfbs search. Remove unnecessary casting of pointers
updates to ac-gfbs search. Add new unittests + fix cases where we have 2 patterns that are same but one is CS and other CI + Use SCMemcmp for state < 65k instead of custom memcmp
updates to ac-gfbs search. Disable handling < 65k states separately. Now any state count would be given same treatment
updates to ac-gfbs search. Combine failure table along with mod goto table for better cache perf
updates to ac-gfbs search. Combine output presence with mod goto table
updates to ac-gfbs search. Introduce handling cases where state_count is < 32k
updates to ac-gfbs search. Remove unnecessary casting of pointers
fix for bug 375 - update radix test that wrongly uses memset and sizeof
FFR update-fix. Fix check where we decide whether we need to send pseudo pkt or not
enable toclient alproto detection. Detection all current alproto toclient PMP patterns
fix/updates to app layer proto detection
More updates to FFR code. Handle cases where we actually need to force stream reassembly and just have smsgs to be processed by detection engine separately
Remove leftover imap and msn toclient alproto PM contents
minor code cleanup. remove commented out code
disable session reassembly for either/both the directions, only when we have established failed proto detection in both the directions
on failed alproto detection on both sides, only disable app layer inspection. No reassembly disabling for any direction
if flow has disabled app layer inspection, disable buffering the segments unnecessarily
enable toclient alproto detection for inline reassembly
if flow has disabled app layer inspection, disable buffering the segments unnecessarily in inline reassembly
Support for tos keyword added
fix smtp parser handling fragmented lines + add new unittests to check the same
smtp reply code mpm phase support added
update detection engine to compare flow alproto with sig_alproto, rather than sm alproto.
minor changes in smtp parser decoder wrt direction check loop + add missing ifdef unittests
introduce app layer local storage api support
app layer udp cleanup + update dcerpc udp todo
modify all relevant app layer API calls to accommodate passing parser local storage argument
add thread local storage support for smtp + remove pmq that was init/freed as part of smtp_state alloc to use the thread local data passed by the app layer engine
changes to accommodate master rebase
separate timers for flow mgr thread for normal and emerg mode. Signal flow mgr thread when in emerg mode
Accommodate pcap-file mode to signal flow mgr to wakeup when it exceeds a certain time interval. This lets the flow mgr keep in sync with pcap timestamp changes
flow manager code cleanup. Remove unused code + fix indentation. Remove unused vars
fix setting ipv4 header in pseudo packet
Move setting packet iponly flags from decode section to stream section
fix mapping of tcp states to flow_established and flow_closed. Improves accuracy
Remove unnecessary flow NULL check
fix setting pseudo packet from this commit:
fix broken unittest
bug 333 - support new Size Parsing API. Update various conf params inside the engine to use this API to parse sizes in the format xxx <-just the no represents bytes, xxxkb <- kilobytes, xxxmb <- megabytes, xxxgb <- gigabytes, where xxx is a \d+
Update yaml size params to use kb, mb, gb to indicate size, in place of raw bytes
Update size parsing API with new calls for returning u8, u16, u32 and u64 values. Make updates in the codebase to use these new calls
updates to accommodate master rebase
set default response body limit for specific http server conf
Changed my email address to anoopsaldanha at gmail dot com from my current one
fix ipv6 header setup in pseudo pkt creation
Changed my email address to anoopsaldanha at gmail.com from my current one - Should have been an amend over my previous commit, but that commit's pushed out
fix bug in size parsing API. Pass the string returned by pcre_get_substring and not the passed arg. Also use strtod. Solves usage issues on windows
Update ac-gfbs with some rearrangement. Increased performance from 4-10%
ac-gfbs update. Minor improvement of compression for state 0. Improves performance
ac-gfbs fix output presence combination with mod table
fix ffr shutdown segv. We need to supply stream TV to the stream engine
Further improve compression for ac-gfbs. Character codes shifted to 8 bits from 16/32 bits
indentation fixes for ac-gfbs
Breno Silva (32):
PPP Support
Decode event rule
GRE support
Unified2
Unified2rev1
Unified2rev2
Unified2rev2
Unified2rev2
Unified2rev2
Comments fix
IpOpts Rule Keyword
Regular expression for UnitTests
Signature Flags Keyword
Signature Flags Keyword
FragBits Keyword
Gid Keyword
Unit test 60c fix
Flags janitor
FlagBits fix
FlowBits Unit Tests
FlowBits Unit Tests
PCRE O Modifier
Flags Issue
Threshold Rule
ICMP Seq Rule Keyword
Allow threshold options in any order
FragOffset Rule Keyword
FragOffset Rule Keyword
VLAN Support
Global Threshold config
Global Threshold config
Reference Support
Brian Rectanus (21):
64 bit cleanup
64 bit cleanup part2
Cleanup autoconf
Decode IPv4 options.
Fix compiler warning and add better ipv4 options debugging output.
Added byte extraction util.
Added byte_test and byte_jump support.
Byte utils return num bytes extracted on success instead of zero.
Add byte test to detection engine.
Fixed detect-byte src to use new util-byte return codes.
Cleanup bytetest and bytejump.
IpOpts Rule Keyword
Add ip_proto support.
ip_proto cleanup and fix mem leak.
Sameip Keyword
Ack/Seq Keywords
Ack/Seq Keywords part 2
Fixed warning in detect-content.
Added http_method rule keyword.
Add functions to radix to add ip/netblocks as string. Add macro to get node user data. Cleanup radix code, docs and printing info. Export all printing functions.
Add htp personality configuration.
Chris Wakelin (1):
http log: Add extended information
Eileen Donlon (8):
fixed bug 288; corrected config boolean parsing problems
fixed bug 291 corrected reference to reference-config-file
set layer4 protocol when no ipv6 extension headers
Fixed duplicate signature check
Enable/disable core dump in config (feature 319)
Fixed coredump compile problems on bsd, windows
Fixed coredump windows compile issue
Moved prctl.h check to configure
Eric Leblond (264):
Fix typo in Makefile.am
ethernet: use switch instead of 'else if'
nfq: use switch instead of 'else if'
nfq: add sanity checking
configure: compile with -Wextra
gcc warning fixes.
fix code file permission
nfq: modify queue length computation logic
convert action_type to enum
Suppress generated files from git tree.
autotools: add automatic files generation
nfq: set some options on netlink socket
util-cpu: fix trivial typo in documentation
Import .gitignore file.
Convert thread PRIO to a enum
Checksum match: fix logic problem
Fix error message and adds information to config
Modify Packet structure and prepare accessor.
Modify files to avoid direct pckt payload access
Fix decode part of source-nfq
Supress usage of Packet declaration in tests.
Add interface setting discovery via ioctl
Auto discovery of default packet size
Don't print message after SCMalloc failure.
RFC: modify error treatment in PacketCopyData
Main loop: increase timer.
source-nfq: add define of SOL_NETLINK
yaml: add config for cpu_affinity
Add affinity util function and related files
Include affinity in runmodes and threadvars.
Make runmode parse affinity settings.
Implement function needed for affinity in tm-threads
Handle management thread with corresponding affinity
Convert RunModeIpsNFQAuto to new affinity mode.
Pcap mode: use CPU affinity setting
Pcapfile mode: support for cpu affinity settings
Add per-cpu prio handling
affinity: 'threads' param to configure threads number
affinity: Use configured 'threads' value if set
Delete some commented code in runmodes
Fix some spacing.
Prepare multi queue support in NFQ
Add multi queue support to NFQ run mode
config.h.in is an autogenerated file
source-nfq: autodetection of queue max length function
source-nfq: add simulated non-terminal NFQUEUE verdict
source-nfq: Factorize buffer usage
source-nfq: add detection of already treated packet.
source-nfq: add queue redirect support
source-nfq: improve nfq option system
Fix typo in configure.in
affinity: change config format and misc fixes
affinity: lock get next cpu function
Fix some Packet initialisation.
Import coccinelle test
Add coccinelle check to 'make check'
Add suricata unittests to 'make check'
Replace free and malloc by SC functions.
Replace malloc by SCMalloc in util-mpm-ac
Don't use direct pkt access
Coccinelle: test invalid Packet usage
Fix Packet usage.
Add option to run_check script
Compilation fix for OpenBSD and win32.
decode-event: Add SCTP event
decode sctp: basic SCTP decoding.
Makefile: add sctp files to build
SCTP support: add parsing of sctp
decode: add support for SCTP protocol
detect: Add support for sctp option in rule
Add SCTP to packet validation
flow: Add basic SCTP support
detect: Add sctp detection and parsing.
detect.c: Fix usage of integer standing for protocol
Use already defined macro instead of integer
nfq: fix exit function
fix possible typo in strtoul error handling.
detect-gid: suppress unused type
Add support for 'nfq_set_mark' keyword
coccinelle: add test for banned function
nfq_set_mark: handle feature in NFQ.
Add macro for direct access
pfring: use macro for direct access
pcap: do not leave if interface goes down
Use GET_PKT macros.
Use snprintf instead of sprintf.
Add coccinelle files
Make use of per function/thread data in alert unified.
Use local thread variable buffer in alert unified2.
config file: add missing variable example
NFQ: use per thread allocated data for recv buffer.
Fix len computation.
Unified2: Use local variable for header copy
Fix #290: avoid looping when affinity is invalid
cpu affinity: detect a missed invalid case
Indentation fix on source-pcap.
autotools: fix duplicate check command in Makefile.
Introduce PrintInet function
Transform inet_ntop call into PrintInet one.
doc: introduce doxygen group "threshold"
threshold: fix trivial typo in parsing.
Add sanity check to DetectAdressParse.
threshold: add suppress keyword
threshold: refactoring of parsing code
Export some DetectAddress related function.
suppress: use DetectAddress instead of DetectAddressHead
Rename rule_type_t to ThresholdRuleType.
Fix macro about default packet size
tm-thread: fix documentation string
nfq: Add iterator on nfq_set_verdict
nfq: make thread abort if NFQ verdict fail
nfq: Fix deinit phase
detect: fix regular expression used for check.
pcap-file: Allocated packet must be free if there's error
af-packet: basic support for AF_PACKET socket
factorize pcap live device function
af-packet: finalize code
conf: Introduce new function to input configuration.
af-packet: change configuration format for multi interface
af-packet: multi interface support
af-packet: Add option to disable promiscuous mode
device: Add function to build interface list from config
af-packet: change option name
af-packet: add AFP to per packet performance system.
af-packet: switch to pcktacqloop API.
Rename detect-decode-event to detect-engine-event
Introduce engine-event keyword
Add stream events support to 'engine-event' keyword
Add 'stream-event' keyword.
decode signature optimisation requires different treatment
Add signature file for stream events.
Add reference to events sig files in suricata YAML config.
Rename some decode event structure and macro.
Fix compilation on FreeBSD 8.2
PrintInet: fix compilation on FreeBSD
pcap: add "single" runmode
pcap: add "autofp" runmode
pcap: get rid of old API.
Return OK when leaving cleanly.
NFQ: fix race condition at exit.
rewrite constants and add flag for replace
Add support for replace keyword.
Add and use utility functions for checksum computing.
http-uri: Remove useless function declaration.
Doxygen: Include documentation of define dependant code.
Add factorisation function for runmode.
af-packet: use factorisation function for Auto mode.
af-packet: remove unused function
pfring: use factorisation function
pfring: restore compatibility with v1.0 config
Update configuration file to new pfring format.
pcap: add new config style
pcap: factorize runmode
pcap: use good var name for live-interface
pcap: restore backward compatibility
pfring: restore precedence of command line options.
runmode: add factorisation function for single mode.
pcap: factorise single mode.
pcap: should not call free
af-packet: factorise single mode.
af-packet: should not call free
pcap: add --pcap option
Improve help message
single runmode: add support for multiple capture threads
pfring: add single mode.
pfring: should not call free
pfring: factorize iface and parser initialisation.
Fix coding style and use SC* function.
Make SC_ATOMIC_[SUB|ADD] return result value
runmode: introduce configuration dereferencing.
Suppress useless code.
pfring: fix warning
pfring: Fix typo in help.
Add "workers" runmode.
runmode: treat SCStrdup error.
runmode: suppress printf
util-runmode: rename mod_threads_conf to ModThreadsCount.
Add pcap-info alert format.
pcap-info: fix compilation warning.
Suppress useless parameter in function
Fix suricata start when no interface is given.
unitest helper: Fix copy of packet data.
Introduce StreamSegmentForEach function
alert-debuglog: Add logging of stream segments.
alert-unified2: logging of stream segments.
stream: Change return of StreamSegmentForEach
unified2: improve packet logging logic.
Restore old barnyard2 support.
unified2: set datalink to correct value.
unified2: segment callback log raw packet.
unified2: switch to event->packet->packet mode.
unified2: synchronize IPv4 and IPv6 code
unified2: fix multiple alerts case
unified2: Fix event_id computation
prelude: fix compilation
debuglog: fix segment logging.
debuglog: uses state selection system.
prelude: add stream segment dump
prelude: suppress unused variable.
Remove unified1 output module.
Remove unified related enum.
Don't warn about non enable non existing output module
decode: improve and fix comments.
Fix Defrag unit test.
invalid use of strncat.
Fix various packet access.
cuda: Suppress sprintf usage.
PACKET_INITIALIZE is enough for packet init.
af-packet: improve error handling
pcap: improve error handling.
pfring: improve error handling
source-nfq: suppress non-breaking space.
Add comment to describe file content.
doc: Add missing params in func description.
Fix minor error message.
doc: doxygenise some comments.
doc: create doxygen group for state detection.
doc: comment link between Flow and application layer.
doc: create http support group
doc: Include htp documentation.
doc: add mainpage.
doc: describe some features and structures.
doc: add decode group and related documentation.
af-packet: add kernel statistics to exit stats.
http log: Add extended option
http log: factorize extended logging
http log: factorize logging function.
Add AF_PACKET to capability system.
threshold: introduce SigGetThresholdTypeIter function
threshold: fix thresholding on signature with multiple threshold.
Add stream-events.rules to distribution.
threshold: fix recently introduced function.
threshold: fix handling of multiple threshold.
af-packet: fix compilation problem on windows.
pcap: Fix setting of buffer size from command line.
coccinelle: test for invalid size_t printing.
Fix printing of sizeof.
pfring: use deinit function.
pfring: fix stupid enum usage.
log: read output filter from config file.
af-packet: suppress annoying debug message.
af-packet: fix reconnection on netdown error.
capability: rework capability assignment
autotools: fix problem of pfring configuration.
autotools: add libpcap dependency to pfring for checks.
pfring: fix compilation when pfring is deactivated.
af-packet: fix compilation on new systems.
Flow: use condition system instead of short sleep
unified2: log an ethernet header for stream alert.
unified2: avoid to log RAW packet
'auto' running mode does not support 'threads' var.
threads: Add sanity check.
af-packet: simplify code.
util-device: Modify function name.
runmode: Add support for IPS running mode
nfq: factorize auto mode
nfq: Add autofp mode support
nfq: add worker runmode support.
nfq: suppress unused functions.
nfq: add some comments about possible evolution
ipfw: fix indentation of the file.
ipfw: funnier to manage capability in running code.
ips: update copyright date and author list.
ipfw: Add support for autofp and worker runmode
Gerardo Iglesias (1):
Changed printf's to logging API functions
Gerardo Iglesias Galvan (43):
Add fatal failures on unittest and siginit failure (using Conf API)
Fix warnings from previous patch. Add info to usage output.
Add support for daemon, checking for valid combination of modes
Change case values to their corresponding enum values
Add icmp_id keyword support
Improve output when loading rules
Fix bug#30. Fix logging call from prev patch
Add signature line no. to error message when parsing fails
Fix bug in logging msg when using --init-errors-fatal
Fix logging messages related to icmp_id parsing
Fix logging messages related to icmp_id parsing
Improve information about errors on signature failure
Add support for detection_filter keyword
Set threads name. Fix bug #83
Add decode events and comments
Fix inconsistent use of dynamic memory allocation
Add support for http_uri keyword
Update libhtp to 0.2.6
Silence coverity warning
Fix declaration hiding len parameter in IPv6 decoder
Fix potential prelude resource leak during initialization
Fix potential alert-unified-log resource leak during initialization
Prevent a memory leak on low memory conditions in http client body handling
Make sure we do all after the null check in HTPStateFree
Fix potential crash in ip-only address parsing code
Fix potential crash in initialization cleanup code
Fix potential crash in signature parsing code
Fix potential crash in classtype parsing code
Make sure return value of fgetc isn't truncated
Check inet_pton retval and properly cleanup on error in unittest helper
Properly check retval for config and conversion function calls
Remove dead code from reference handling
Make all access to memory tracking counters in stream engine lock protected
Fix potential small issue with ftell and fseek
Check return code of DetectEngineCtxInit at startup
Fix potential memory leak in ASN1 parsing code in low memory conditions
Properly free data in tag match function
Remove dead code from the BoyerMoore implementation
Fix very minor mem leak when setting bpf filter
Fix potential issue in TmThreadsSlot1NoIn
Make sure we always check the result of TmThreadCreatePacketHandler
No need to check array pointer
Don't lose memory if PoolInit fails
Gurvinder Singh (161):
Target Based Stream Reassembly with comments
New function for task3
unittests for gap handling
Handling IDS missed packets
test the bug in freeing memory
Handling of IDS missed packets and its unittests
Fixed some issues in gap handling
Task 4 handling of missed packets by IDS only and both IDs and end host
Changed the debug message
Protocol Specific Timeouts
Another and right way I guess for timeouts
setting timeout on first packet in the flow
part2 and part3.1 of timeout task
efficient protocol specific timeouts
Some fixes for timeouts
some modification in protocol specific timeouts and free function
proto specific free function
registering stream timeouts and flow pruning unit tests
registering unit tests
Flow get state protocol specific
handle the FLOW_STATE_CLOSED
Fixed seg fault
Stream Size rule option
stream size match function and unittests
regex initial version
use next_seq for stream size and comments
fixed regex to handle space
fixed unittests against protoctx
timestamp support
changed flag name
PAWS support and one unittest
target based paws handling
small performance enhancement
fixed unit tests and add the comments
initial version to support detection bypass
function to set packet flags
unit tests for no packet & payload inspection
some minor changes
add unit test for no stream reassembly
stream flag function made public
fix an issue
added sigmatch payload flag
avoid pm invocation
fixed the ispayload inspecting func
unittest packet payload inspection
added a small comment
initial thread code support
support for thread exit constants
fixed thread issue
one more change
some changes in threading constants
fixed unified alert2 ecode and removed printfs
fast track stream handling and its unittests
detect-engine-proto unit tests and comments
support for ttl keyword
added comments and some minor changes
TTL macros support
async stream handling support
Fixed FlowTest01 and StreamReassemblyTest30
tls no reassembly support
fixed DetectByteTest bug
app layer error handling
initial support for HTP module init
changed to LDFLAGS
added htp unit test
fixed port info
updated error info output
app layer htp error handling and fixes for memory leaks and segv
updated htp error info
http_cookie keyword support
changed to DetectHttpCookieData
removed http_cookie flag
fixed-pool-error-and-tcp-state-transition
htp error fixed
fixed 23 bug
bug 21 fixing patch
fixed bug 18
bug19 patch
bug#18 and some minor changes
bug 18 patch update
bug 29 patch
stream reassembling fixes
bug 41 patch
stream os_policy support
some more stream fixes
bug 41 patch
bug 56 patch
bug 57
init b46
memory leak fixes
memory leak fixes
urilen support for engine
applayer uri match and modified http handling
uricontent new design
bug 76 patch
bug 64 patch
bug 66 patch
bug 78
pattern matcher options support
better htp memory handling & flow valgrind error fixed
b86
bug 95 patch
app layer htp logging and better htp request handling. removed recent_in_tx.
bug 98 patch
stream memory leaks fixed and unit tests added
bug 102 patch
stream and application layer improvements
fixed the API and logic error reported by clang tool
fixed the memory leaks and buffer overflows reported by parfait
fixed more api and logic errors in recent master
fixed the incorrect depth update in case of offset is 0 (bug 134)
correct the typos (bug 135)
fixed the regex in bug 136
fixed type in htp (bug 138)
fixed typo in dcerpc (bug 137)
fix bug 133, error caused by seq mismatch in fin_wait_2 state, which was discarding the packet which should be accepted
fixed the depth updation when content_len is small (bug 139)
unittests for bug 134&139 and some typo correction
fixed the payload_len for icmpv6 (bug 151)
added unit test for the icmp dsize (bug 151)
fixed the segv caused by null payload due to incorrect icmpv6 decoding
added unittest to check the payload setup, which causes the segv in detection module
set the isdataat keyword when previous sigmatch is either content or pcre (bug 144)
added unit test for the bug 144 to test isdataat setup
fixed setting up byte_test relative when byte_jump is previous keyword (bug 146)
fixed the flags checking and make it more strict in default case (bug 153)
fixed a typo in the detect-content.h
support setting up within keyword when previous keyword is pcre (bug 145) and added unit test for the same
set the byte_jump/byte_test with relative keyword when pcre is previous keyword (bug 142)
support setting up byte_test/relative when byte_jump is previous keyword
added support for setting up bytejump relative when previous keyword is byte_jump (bug 165)
support for sslv2/sslv3 their unit tests and better stream no reassembly flag handling
added the support for setting up distance sig when previous keyword is byte_jump (bug 163)
fixed the typo in byte_jump and host.c, Thanks to rmkml for pointing out
fixed the memory leaks in htp and radix tree
memory leaks fixes in detection module, app layer and counters
flowbits, flowvars, pktvars, flow flags and app layer info added to alert-debug.log
fixed the build failure with profiling enabled
support for separate memcaps for reassembly and stream engine
support for enforcing the depth until when the reassembly will be performed
support for stopping the evasion, which is caused by the use of TCP RST packets for linux based systems
fix the reassembly depth test (bug 216)
support for several tcp evasion attacks. Thanks to Judy Novak and G2 Inc for reporting them
added support to print the engine uptime in stats.log
added the counter for tcp.segment_memcap_drop to show the dropped segments count due to memory limit
support for printing protocol names for known protocol
removed xref from the alert-fastlog
added http_stat_msg keyword support for detection module
support for http_stat_code keyword has been added to detection module
fixed the incorrect port issue in http.log
add the support for >= and <= operator for byte_test
support for stats.log configurable and fixed timezone issue in fastlog and debuglog
fixed the timestamp issue in http.log
added support for appending the log files
support for pseudo packet creation from reassembled stream segments
support for validating the ACK before updating the last_ack field and also update next_seq if we missed the last packet
support for pseudo packet creation from reassembled stream segments
add the support to log the fast.log alerts type to syslog
support for ssl_version keyword
added support to log dropped packet as netfilter logs while in inline mode
log error on duplicate sig and also for dup sig with newer revision
Jamie (8):
initial PPPoE decoder commit
test cases for PPPoE, ICMPv4
add perfcounter to pppoe
fix incorrect offset in decode-ethernet for PPPoE, more debug statements
more unit tests for pppoe - part I
victor must be getting sick of PPPoE and ICMP
check that the encapsulated packet is correctly parsed
looking inside ICMP packets
Jan Jezek (6):
Code is now compilable on the Win32 platform
Added missing win32 files.
Added WIN32 compile instructions
Win32 build fixed.
Fixed Win32 compilation, unit tests now compile.
Added inline mode support on Windows
Jason Ish (83):
Basic command line support for pcap (file, network), nfq and unit test modes.
Add some usage.
Simple configuration API.
- Add a configuration dumper.
Unit test will now fail if allow_override bug is reintroduced.
- Autoconf goo for libyaml.
Fix access to ttl.
Add getters for integer and boolean values.
Bug 6
Break out checksum fixup code to make the license separation more clear.
Refactor yaml loader so we can load strings or files.
Files missed in last commit.
First cut at IPv6 re-assembly. Only BSD policy for now, packets don't actually get passed to it yet though.
Index sequence items - allows us to store sequences of mappings in the configuration database.
Add the ability to lookup a child ConfNode, or just the value of a child ConfNode.
An example of how logging could be configured from the log file.
- Fix memory leak error when freeing node.
cleanup warnings.
Windows and Linux policies for IPV6 frag reassembly.
multiline rule support.
solaris policy for ipv6
add first policy for ipv6 frag re-assembly
"last" policy for ipv6
Suppress these debug lines.
use const
Fix issue 36. Give each unit test a fresh configuration context - helps tests pass when a config file is passed in, which can
pretty up ConfDump output for when there is no valid prefix
Allow nested sequences.
Use the V6 insert and re-assembly logic for IPv4 as well. It's a little simpler to track and update.
use a common insert method for ipv4 and ipv6
consolidate more common code between ipv4 and ipv6.
in the unit tests make sure memory allocated from the pool was returned.
Use the configuration file to setup alert logging (and http logging).
Configurable alert outputs for PF_RING modes.
configurable outputs for nfq and pcap file.
initialize vars
don't create a new tracker when frags are received in reverse order.
Do not seen_last unless the packet with more_frags=0 was actually inserted into the frag tracker. Fixes issue 53.
Fix issue 55.
Require that the configuration file begins with a valid YAML version. At this time this means the configuration file must begin with
Have output modules register themselves so run mode configurator becomes aware of them for purposes of being configured from the config file.
Consistency fix.. Xxxlog -> XxxLog.
Fix issue 59. Drop a fragment that extends past the maximum IP packet size.
unit test for issue 59.
Potential fix for issue 60.
Fix issue 65.
Fix issue 74. separate initialization of run modes from adding them to a thread. - fixes issues with multiple output threads.
Fix issue 71. The insert and re-assemble need to be done under the same tracker lock.
Making logging configurable. If no logging outputs are defined the default will be used. - Currently per output log formatting is not available.
I know Snort defaults to syslog in daemon mode, but should we?
Fix for lists that are children of another list. Fix memory leak by only setting the sequence index value to the first item found.
- actually re-inject ipv6 re-assembled packets. - set the next header.
Issue 82 - fragment counters. - number of fragments - number reassembled - number of timeouts
quick way to make max_pending configurable.
Split the defrag counters into ipv4 and ipv6.
supply pcre_get_substring with the proper start of the string.
Set the ethernet header pointer. Without this, alert-unified-log will add an extra ethernet header to every alert logged.
Fix threading issues with unified-log. - Only write the header once, on opening, not per thread init. - Track the size in the log file ctx, not per thread.
- rebase
Cleanup of configuration internals. Use an n-ary type tree for everything instead of a first level hash branching off into n-ary type trees.
afaik integer increments are not atomic, so put inside the lock
Fix bug 99.
Load host OS info from the configuration.
Do policy lookup for defrag. Add unit test for a default host os policy. Update example config to use a default. Add 2 new policies to the stream to cover all the policies for stream and defrag.
Have output plugs use an OutputCtx which is a little more generic than LogFileCtx. The OutputCtx provides a place for module private data to avoid overriding the LogFileCtx.
Looks like something happened in a previous merge: - Don't set the limit here, it's already set. - Don't write the log file header here, it's also been written.
Fix bug 125. - Always bail on parse errors. - Exit if loading the config file fails. - Display the line number where the parsing failed.
Be compatible with Snort. Stick with a 32 bit style of timeval for the unified outputs.
./configure option, --enable-unified-native-timeval to have unified outputs use a native timeval to be compatible with unpatched barnyard 1 on 64 bit systems.
Fix issue 131.
Basic rule profiling even though the results may be skewed by a bad rule in a grouping of rules.
Support for reading ERF files.
In profiling output, include a % for each rule.
add profiling to stateful detection engine + other fixups.
Display configuration summary at the end of ./configure.
On Mac, don't use -march=native by default unless using gcc >= 4.3.
Track the max ticks for each rule.
Add new profiling sort option, maxticks.
Set decoder event when re-assembled fragments would exceed max IP packet size.
Cleanup assignment of the default defrag policy.
Set decoder event on fragment overlaps.
Use separate frag decoder events for IPv4 and IPv6.
Fix bug 288, accept true in output configuration.
Jason MacLulich (2):
Add initial support for reading packets from a DAG card, we only support reading from a single stream at this time.
o Changed SCMalloc to DecodeThreadVarsAlloc in Decode thread initialization. (Ish) o Changed htons to noths. (Ish) o Added support for handling DAG cards running DSM modules and other non-standard ETH ERF types. o Added support for allowing graceful restarts of the fetch thread if it fails to read an ERF properly.
Kirby Kuehl (32):
smb and dcerpc work
add smb2 proto and smb, smb2, dcerpc unit tests
readandx and writeandx parsing for smb
fix unittests
dcerpc request smb transact and fix for dcerpc bindack
style patch
fix double free
fix padding calculation and stubdata parser for dcerpc
refactor dcerpc in prep for dcerpc over smb
dcerpc refactoring
dcerpc over smb for transact
fix unittest
smb writeandx dcerpc over smb
reset smb bytesprocessed when complete
fix padding bug
fix warning
signed unsigned comparison cleanup
signed unsigned comparison fix for 64 bit
bug 88 validate dcerpc header
smb safety checks
fix bug88
make sure we have input_len
add maximum andx chain depth
dcerpc udp support
dcerpc udp support
add uuid to uuid_list for udp
fix smb leak
don't alloc 0 length fragment
remove printf
properly handle bytecount of 0
fix multiple dcerpc fragments in one packet
Improve DCERPC big endian support when parsing BIND CTX Items (UUID). Make default byte packing order for the slow path little endian. Byte swapping on slow path will occur if big endian. This is a readability change, not a functional change.
Martin Beyer (11):
use of pagelocked memory for CUDA
cuda-packet-batcher timeout supports float values
cuda handlers support multiple CUmodules per context
cuda streams support in b2g-cuda MPM
added texture reference api to util-cuda
fixed NULL checks in util-cuda
Fixed optional args in SCCudaModuleGetGlobal
Added case sensitive unit test to util-mpm-ac
build cuda modules with make
fixed ptxdump for python3
fixed cuda build: portability issues and nvcc version check
Nick Rogness (1):
Initial IPFW support FreeBSD and OSX
Ondrej Slanina (4):
added support for finding pcap device via its IP.
added support for synchronous log output on WIN32
added INT and TERM signals on WIN32
added possibility to run suricata as WIN32 service
Pablo Rincon (153):
Adding window and isdataat keyword and some unittests
Changed SignatureIsIPOnly and added some unittests
Adding id keyword and unittests
ICMPv6 Decoder and unittests
Adapting to SCLogDebug
Adding Unittests, doxygen comments, coding style, logging support
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it.
Small fix at detect-parse.c, need to continue with MatchTest05
Updating real unittests. Small fix on TestWithinDistanceOffsetDepth to skip to the next DETECT_CONTENT SigMatch. Adding some checks on within/distance setups.
Commenting out a unittest.
Adding some unittests (one of them doesn't work but should)
Fixing alert unified log file rotation. Adding unittests
Forgot to add this file
Adding bidirectional operator support and unittests
Adding support for Mac OS X, FreeBSD, centralizing mutex/spins/conditions in a macro API, and some unittests
Changing mutex/spinlocks/conditions naming types
First version of flowints
Added support at Flowints for keywords isset and notset
Changing some printf to SCLogDebug at flow vars
Added rpc keyword support at packet level
Adding max pattern length for bidirectional operator. Please, use DetectEngineAppendSig() at the unittests. Look at the bidirectional operator unittests for a usage reference.
Adding support to load rule files from config
Loading rules from config support
Improving error report on runmodes and daemon compatibility
Force reset size_current to 0 after rotate
Reutilize the filename buffer and avoid mallocs
Small fix on SigMatchSignaturesAppLayer() and SigMatchSignatures()
Match content fail when two contents are specified in the same rule and the last of them has length = 1
Adding FTP app layer parser and ftpbounce detection at L7
Changing some more printfs with logging api
Small fix
Adding preseeding to rands
Adding unittest helper functions for building generic packets, checking arrays of expected match results, perform generic tests, etc. Look at util-unittest-helper.c and detect-ipproto.c for references
More examples of unittest helper functions usage reference
Small fixes at unittest helper functions and TestBidirec03
fmemopen wrapper added (fix compilation problems on macosx and freebsd)
Adding single pattern matcher algorithms. If you cannot store a context for the patterns, use SpmSearch() macro. Adding unittests and stats
Small fix
Detect the number of CPUs configured and online. Printing a small summary at the startup
Including header file for cpu detection
Small fix, renaming
First version of the reputation API
Loading flow settings from config
Fixing redeclaration of run_mode
Changing the verdict actions to flags to allow simultaneous verdicts
Renaming errors (naming conventions)
Renaming errors with naming conventions
Allowing no case options for flow keyword. Adding unittests for this
pcre P modifier support (pcre match over http body requests)
Using the logging API in source-pcap and source-pcap-file
Unified output fixes: alert count per module (not per thread), fix timestamps on pcap mode, write *all* the alerts of a packet, write the log header once also on unified alert
bug 87 Fix IPOnly verdicts on flows
Adding auto runmodes based on available core/cpu's. Setting thread priorities
Adding default priority for all the threads
Change priorities only if we are EUID == 0
Adding settings for detect engine group config
Setting thread priorities with nice
Fix on IPOnly match at flows, for inline mode
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
Bug 103, bound checks at pppoe, added macros for 4bit fields
Adding Uricontent inspection with spm. Modifiers for uricontent are now supported
Fixing some naming convention issues and incorrect error messages
IP Only Engine using radix trees
Compare uint8_t's with one byte
Small fix handling netmasks belonging to the same octet on BestMatch search
Release the tmp prefix used for searching on the radix tree
Unittest used to check the radix memleak located at searching
Register the free function for nodes of the radix trees at unittests
Support for ecn/cwr TCP sessions
Fixing memleak also for SCRadixRemoveKey (SCRadixAddKey creates a prefix, but it's the one that the node will hold)
Adding radix tree unittests. Fixing an IPv6 issue with netmasks of 32 (was being handled as if it were IPv4)
Fix redmine issue 49 (allow pcre to end a pattern with an escaped slash, '\')
Adding Boyer Moore context to content patterns, should speed up the search
Enable spm inspection with precooked pattern contexts on content, uricontent and http_client_body (we will also add this to http_header when it gets committed)
Fixing some code reviews (Thanks to Steve Grubb)
Adding support for ecn flags after the handshake
Modifications on http body request handling
Adding pidfile support (thanks to Steve Grubb for the patch)
Fix some error messages and coding style at uri/content modifiers
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Moving inline functions to the .h files, so gcc can inline them correctly
Bug 130: detect-nocase was not recreating the BmCtx with nocase chars, so it was not working with patterns of capital letters as expected
adding http_header keyword support
Fixing http_header unittest printf errors format
Adding missing error msgs at some http_header unittests
http_header fix, check first that we have a connp before checking transactions
Radix tree issue fix (from Steve Grubb's report)
Adding actions order and support for rule action "pass"
Small fix on pass action handling and added more unittests
Changing threshold logic
Fix action logic after last pass changes
Moving alert logic to detect-engine-alert.c
ASN1 decoder and keyword implementation
app layer ftp fix (mem leak)
Fixing asn1 relative offset, negative values
Adding some flow improvements and recovery on emergency mode
Adding emergency mode recovery options on config
Removing FlowAllocDirect since it's not needed anymore
UDP support at AppLayer message handling
Adding rate_filter support for threshold.config, multiline support and unittests
Move rate_filter rule tracking data from Signature to Threshold context
Adding threshold.config example at suricata.yaml
Adding tag keyword support
Fixing flow cleanup and ctx initialization
Fix for bug 186 and thresholding issue handling ip versions
Fix threshold handling ip addr
Moving urilen inspection to detect-engine-uri. Adding unittests for pcre /U and urilen, in combination with uricontent
Adding unittests for anchored pcres for anchored
Tag engine improvements. Output tags only on unified format. Added atomic counter for tagged hosts/sessions
Avoid mem allocations while searching on radix trees (temporal prefix)
Fix valgrind ctx error on asn1 test 06
This patch for app-layer-ssl fixes the bug #198 (SSLParserTest01). It seems that with -O2 and -O3, the compiler doesn't handle the initialization correctly (weird..)
Load signatures with incompatible fast_pattern option (due to design differences for optimization)
Updating the http modifiers that cannot be loaded with fast_pattern
Print also the Signature raw string
Fixing unittests for fast_pattern options compatibility
Updating other http modifiers for sigs with fast_pattern option
Updating pkconfig install on macosx
Don't avoid inspecting uricontents if we get no match. It can be negated uricontents (and urilens/pcre..). But at least skip the search if we get no match
App layer proto specific sigs (use the app layer to match proto)
Fix bug 205 (at stream-tcp-reassemble)
Fix for bug 207 (depth/offset not correctly updated on certain cases)
Fix for bug 180 (check proto specified at the IP hdr)
Fix for bug 204 (signature ordering with flowbit priority)
Fix bug 217 (segv on profiling summary if no rule was specified)
Fix for bug 221 (avoid considering sig as "decoder event only" if ports are specified). Now the sig gets grouped to get a sgh at SigMatchSignatures
Adding ssh app layer module with two new keywords: ssh.protoversion and ssh.softwareversion
Adding modifiers /C /H and /M to pcre (http cookie, header and method)
Fix segv condition on DetectHttpMethodMatch (if the applayer unset the connp)
Set default gid to 1 on Sig init
Make malloc errors on initialization stage a fatal error, resulting in an exit() call
Drop streams on inline mode when a drop rule match from a reassembled stream and/or app layer inspection
Reference atomic vars with SC_ATOMIC_EXTERN properly (considering if we support atomic operations or not)
moving http_client_body logic to use it per transactions. Adding unittests
Adding atomic bitwise operations api and rwlocks support
Fix asn1 decoder frame oob mem. Adding max stack frames to suricata.yaml
Converting threadvar flags to atomic vars to avoid using the old spinlock
Fix CPU_* macros for Mac OS X
IPOnly module fix for building stage. Radix Tree fix inserting different netmask user data
Fix compilation on Mac OS X (it was missing IPPROTO_SCTP definition)
filename and fileext keywords
Pablo Rincon Crespo (2):
Preparing multithreading support for alert modules and logfilectx
Updating tests for unified2 with LogFileCtx
Pierre Chifflier (7):
Prelude plugin: add detection in configure script
Add Prelude output plugin
Fix prelude init and cleanup sequence using OutputCtx
Fix autoconf code for Prelude option (Fix: #175)
Log verdict in Prelude alert module
Add options to choose if we log header and content in Prelude alert module.
Prelude: fix test always returning true
Steve Grubb (5):
memory leak cleanup in alerts
Memory leak cleanup in detectors
memory leak cleanups in misc places
Get make distcheck working
Add relro flags to libhtp
System Administrator (1):
Flow files
Victor Julien (1288):
test
Initial add of the files.
Add copyright msg (test commit).
test commit
update authors
WIP address matching stuff
WIP addressing handling. Big progress. Address groups for ipv4 more or less getting shape.
Remove partial and broken address handling implementation now address2 is working.
No longer track Makefile.in files in Git.
Rename address2 to address
complete rename of address2 to address
Implement the address code for IPv6 as well.
small fixes for Wills patch
Split up address code in ipv4 and ipv6 specific files. Cleanups.
Add simple test report to unittesting.
Add error checking to CIDRGet and make it quiet.
Fix including the header for htonl breaking the code.
Fix some address code related compiler warnings.
Further develop the address api. Added dynamic group head support.
Fix crash when to_client traffic was scanned for uricontent when there was no uri available...
Add unittest registration to the threading modules api.
Start on addr and proto parsing in rules.
Cleanup signature parsing and other detect.c parts.
Signature rule keywords are case insensitive. Support that.
support for 'negation' in addresses and the 'any' special case.
Set p->proto and add TCP, UDP, etc macros.
Update todo of alert-fastlog
cosmetic update of alert-fastlog Will
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
Source NFQ update... less hackish, but still needs work as soon as we know how to do configuration.
Support priority keyword, add priority to alert-fastlog.
Use a default prio of 3.
Add noalert keyword for use with sigs that are used for capturing only.
Add log-httplog module that logs http request URIs, hosts and useragents to a per line text format.
Fix issue with log-httplog where it logged URIs of previous packets because of a broken uri check.
Fix mixed up CI and CS searching in WuManber. Add better tests.
Support address lists.
Speed up appending of sigs to a sig group head by using a tail ptr.
Fix a memory error in the addresslist parsing code. Add functions aimed at speeding up the signature initialization code.
Make nocase keyword initialization failure fatal and slightly improve the error message it prints.
Big speedup of the initialization code for signatures. Contains WIP code as well.
Update todo.
Small update to the pcre used for signature parsing.
Improve memory handling of the pcre rule keyword.
Large update to the detection engine. Greatly improve initialization speed and memory usage.
Improve memory handling and parsing of the msg rule keyword.
Update todo
branching test
Style cleanups for resets.
Add GIT guide.
Allow CFLAGS to be overridden by ./configure.
Group signatures by protocol.
Switch to using a detection engine ctx.
Small cleanups
Fix uricontent mpm ctx comparison.
Properly support 'alert ip' rules. Add support for handling ip only rules differently.
Rename some detection engine related files.
Large detection engine update.
Update the wu-manber pattern matcher: it supports dynamic hash sizes and improves init times.
Update build sys
todo file update
Remove obsolete decode-http files.
Small update and new tests for wu-manber.
Big detection engine update.
Fix a Floating point exception error.
Alloc a new packet if the queue is empty.
Small fixes
Alloc a new packet if the queue is empty. Fix this.
New approach for the empty packet queue issue. Now we just wait until it's no longer empty.
New approach to tunnel decoding.
Tunnel fixes.
Small format fix.
Tunnel update.
Implement per packet variables and switch the http stuff to it.
Fix packets getting stuck in NFQ under high load.
Threading update for tunneling and high load
make output more quiet
Add hashing and bloomfilter APIs
Add hashing and bloomfilter APIs: now include buildsys update
Fix sig unittests
Small fixes and dbg additions.
default to all.rules
Fix port check.
Improve logging, add alert-output module, at module exit stats, add HTTP POST uri capture.
Add Scan before Search to the detection engine.
Fix negated variables, add tests.
Detection engine improvement: don't run pattern matcher on packets with payload sizes less than the biggest content we need to match. Add some extra stats.
Add the scanning to uricontent as well.
Fix uricontent scan for copied siggroupheads.
big update
Add implementation of the Simple BNDM 2gram pattern matcher algorithm.
Fix rule tree update. Fix bloomfilter error in b2g.
Add b3g 3gram BNDM pattern matcher. Fix multi queue nfq initialization. Improve speed of b2g and wumanber.
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items in a list so it can be traversed. Many cleanups.
Add compare func to hash table, fix remove in hashlist table.
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
Add support for flowbits.
Use different rule grouping settings for toclient and toserver. Fix flowbits accounting.
Fix Flowvar idx retrieval.
Fix iponly matching.
IP only rule loading optimization and counting fix.
Fix ip-only again: flowbit sigs were not handled correctly and tcp/udp sigs with ports set also were not.
Fix pktvar and http uri memory leaks.
Large update: pcap support, threading fixes, initial stream tracking, time handling, pool support, runmodes, decoders added, autojunk update.
Comment updates.
Pool update. Stream reassembly start.
Add tests for pool.
Remove vips references. Rename to eidps.
Enforce max pool size.
Add Address copy macro.
Add decoder events to ethernet and sll decoding.
Stream reassembly update and WIP code for L7 modules.
Small layout fixes to the ppp code.
Updates & cleanups to stream & l7 stuff
Small pcap layout fixes, also made it a little bit more quiet.
Pcap fixes.
Small pcap cleanups.
Fix IPv4 and IPv6 decoders not being able to deal with ethernet packets with trailing bytes.
Implement flow:established and flow:stateless
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful.
Improve the threading code to enable a single pcap file processing thread.
Merge branch 'master' of oisfgit at phalanx.openinfosecfoundation.org:oisf
Fix pool bug.
Merge branch 'master' of oisfgit at phalanx.openinfosecfoundation.org:oisf
Fix wrong segment ordering, fix stream messages not being queue'd right.
Merge branch 'victor_local'
Add unit test to pool for the bug from yesterday.
Adapt Flow subsys init function to be able to initialize quietly for us in unit tests. Add flow to PPP unit tests. Fixes a floating point exception error.
Merge branch 'victor_local'
Output more info about sequence gaps.
Kill the engine if one of the threads fails to initialize.
Merge branch 'victor_local'
Add debug output to SetupPkt.
Merge branch 'victor_local'
Small cleanups.
Fix printf formatting error in a pool unittest.
--enable-unittests now controls compilation of unittest code. Added crude commandline support for running unittests: ./eidps runtests
Slightly moved around the NFQ define a bit.
Small counter output fixes.
Small output fix for counters.
Add some dbg output to the counters.
Add doxygen syntaxed comments to the threadvars structure.
Make sure flow isn't freed while stream msgs are still in use.
valgrind drd: fix flow mutex reinitialization in the flow subsystem when called by unittests.
valgrind memcheck: fix small pool memory leaks in the unittests.
valgrind memcheck: fix a b3g mem leak at shutdown.
Fix locking error causing deadlocks.
Fix setting l7 thread name.
Switch to pthread_cond_timedwait in streammsg queue.
Small reshuffling of the unittests, fix of a buffer overflow, hide some dbg output in the stream reassembly.
Fix git merge artifact.
Fixes for the stream reassembly. It turned out that using both a prev_seg pointer and a list_seg->prev pointer at the same time was not the best of ideas. So removed the prev_seg ptr. Cleaned up some copy functions too. Added some more debug statements. Made sure the L7 stuff doesn't kick in when running the unittests for reassembly.
Revert default runmode change. Fix running decode event unittests twice.
Fix broken test. Fix content keyword parsing not escaping properly.
Fix decode event compiler warning.
Merge branch 'de'
Fix pcap returning out of its loop every time.
Fix small error in thread creation.
Fix list handling in reassembly
Merge branch 'victor_local'
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
Update to the parsers.
Small update.
Fix 1 byte searching in BinSearch function.
Further work on the stream L7 parser, its API and the http stub implementation.
Fix compiler warning in binsearch fix.
Fix unittests -u commandline option.
Fix missing limits.h include.
Add two counters: avg_pkt_size and max_pkt_size.
Convert tabs to spaces in PPPoE code.
Use double for the avg counter.
Fix sizeof printf related compiler warnings.
Improve unittest error message if unittests are not compiled in.
Fix nfq compilation.
Layout fixes.
Fix a memory read error in the BNDM search algorithms. Also (hopefully) fix a 64bit error.
Fix short IPv4 packets not getting detected in the decoder. Set decode event on short ipv6 packets.
Fix compiler warning about 'mode'.
Use finer grained locking for app layer parsing.
Small reshuffle of the free funcs in the Stream code.
Merge branch 'will'
Small name support code update for flowbits, flowvars and pktvars.
Fix compilation without unittests enabled.
Adapted flow comments to doxygen style.
Unify all counter registration code on uint16_t counter IDs.
Pass the DecodeThreadVars to all Decoder functions properly. Improve the error handling.
use C99 ints.
Fixup some rule parser memleaks
Fix error in freeing the ctx of a SigMatch.
Improvements to content keyword memory handling.
Fix compiler warning.
Fix missing conf include.
Remove noisy debugging output.
Removing GPLv2 license info as our bylaws aren't final yet and we will redist code non-GPL as well. Rename struct conf_node to ConfNode to comply with engine coding style.
Fix an IPv4 compiler warning. Improve TCP opt decoding error handling logic.
Improve GRE counting. Actually use the GRE decoder. Register the GRE counter.
Fix tunnel packet handling.
Work around some Tcp session free issues in the app layer parsers.
Add seg_list integrity testing to reassembly. Remove all debug output but some. Better deal with packets before the point that we already reassembled.
Git merge artifact.
Cleanups
Rename all pmt->det_ctx.
Complete removal of global de_ctx. UtRuntests now returns the number of failed tests or 0 on none. Program exits with code 1 on failed tests, code 0 otherwise. Removal of broken http uri test.
Fix a number of broken overlap calculations. Add comments explaining them all.
Fix wrong data type used in a reassembly error checking.
More cleanups.
Add 'BySize' field parser. Add stub tls parser.
Fix pointer issue in sig loading.
Add TLS 1.1 and 1.2 detection.
Fixes for issues found by static code analyzer.
updated config.h.in
2nd try of fixing some bugs reported by static code analysis tool.
GRE struct naming fix, comment adds.
Adding a "flow" queue handler. This queue handler passes packets of the same flow to the same queue. Changed the default IDS mode to use this.
Actually add the new queue handler.
Add macros for access to ICMPv(4|6) type & code.
Small threading update.
Small flow updates.
Big update:
Small tm module API rename to reflect that Init/Deinit/ExitPrintStats are per thread calls.
Fix reassembly unittests.
Make sure stream_size works on IPv6 as well, only checks TCP packets, validates input better.
Fix "ip" rules not ending up in the tcp and udp sig group heads correctly.
Suppress debug output in yaml loader.
Clean up stream tests memory handling. Remove counters in the address handling that were thread unsafe.
Lock threadvars flags using spinlocks.
Merge branch 'threading' into t
Fixed a few missing places for tv->flags access. Changed mutex init for packets slightly.
Add TCP_GET_TS1 and TCP_GET_TS2 macros to efficiently retrieve the TCP timestamps in host order.
Merge branch 'tcpopt' into next
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
Put the precooked runmodes in a separate file.
Fix compilation on 32bit
Minor layout fixes.
Add pktvar and flowvar tests to ip only unittest. Make output cleaner.
Reorganize header inclusions.
Remove unnecessary header.
Fix detection of failed thread startup. Cleanup startup output a bit.
Fix pcap file mode
Fix datalink retrieval for pcap file mode and nfq mode for use in unified2.
Suppress nfq debug output.
Tie app layer parsing to the stream engine.
Make locking of the flow optional in the app layer subsys so we can also pass locked flows to it.
Fix clang warnings.
Silence clang warn.
Improve error checking in detect, add comments.
Fix engine lockup due to mutex locking error.
Small fixes to pfring patch.
Fix segv in reassembly. Fix sequence gap handling tests.
Set signal handlers after the unittests so we can kill the test runs with ctrl-c.
Improve the handling of addresses and ports. Properly detect !any, other full negation. Fix [80:!80] syntax errors being undetected.
First batch of fixes for new debug and logging API usage.
Another round of logging api usage updates.
More logging API usage changes.
Yet more logging api usage changes.
More logging API usage. Changed logging macros slightly so the vars inside them won't conflict with vars used by the calling function.
Fix merge artifact and add new logging init code to pfring runmodes as well.
Small stream fixes.
Strange fix for issue where signals seemed to be ignored in some cases.
Fix unified2 tests relying on each other.
Fix segv in unified2 unittests.
Add a few more tests for portrange validation.
Fix flowbits match being unable to deal with a packet without a flow.
Prepare for merging ipproto patch.
re-add unittests that were removed to prevent a git merge mess.
Fixup ip_proto keyword.
Use correct free function in DetectPortParseInsertString.
Move unittests away from detect.c
Add support for moving detection tests outside of detect.c and move the 'id' tests to its own file.
Move pcre test out of detect.c
Change default log settings to be more development friendly. Breaks one test.
Fixup merge artifact.
Small layout fix.
Small layout fix.
Detect errors in the spin locks which somehow seems to fix some deadlocking within valgrind.
Remove unused var and fix compilation with DEBUG enabled.
Fix warning free compilation of defrag. Fix a missing variable initialization that caused a segv in the unittests.
Fix small memleak at engine init.
Bunch of mostly unittest related memleak fixes.
Get rid of global mpm_ctx.
More engine init memleaks fixed. HashListTable remove function fixed.
Merge DetectAddressData and DetectAddressGroup
Speed up per sgh content maxlen calc. Remove mpm ptrs from mpm ctx. Add unittests testing the detection engine internals.
Fix compilation warning in conf test.
Fixup formatting on the smb code.
Replace sgh refcnt by a flag.
Further memory cleanups. Split out init only vars out of the sig group head.
Cleanup of address functions.
Rename DetectAddressGroup* to DetectAddress*
Fix msg parsing.
Fix a compiler warning on Ubuntu 9.10 gcc 4.4.1 in the pattern matchers where the size of the thread ctx can be optimized to 0.
Small detect engine proto cleanups.
Fixup flow bits sig tests to work with the changes to the pattern matchers.
Improve message on test expected to fail at this point.
Fixup siggroup merge artifacts.
Fixup artifact from automatic renames: rename DetectAddresssHead to DetectAddressHead.
Create reputation.h
Cleanup comments.
- Fix pattern matchers b2g and b3g not being able to deal with a single pattern of the max pattern length (32 bytes by default).
Fix within in some corner cases and add some more tests.
Fix compilation of address and port error messages in debug mode.
Fixes for distance and within content modifiers.
Fix a few memory issues.
Fix another case where distance/within checks didn't fully work as expected.
Add function name printing to the default output while we're still in development.
Fix debug compilation
Add some debugging code
Set the DETECT_CONTENT_WITHIN_NEXT and DETECT_CONTENT_DISTANCE_NEXT flags on content chunks if appropriate.
Fix signatures with ports and/or addresses but without sigmatches.
Remove a few commented out code lines.
Make sure we don't sleep to test time lapses, we can modify the engine's time internally for that.
Fix merge artifacts.
Time handling: improve time handling in unittests
Support newly reported 4WHS TCP setup.
TCP streams: support falling back to 3WHS when we were led to believe we were in 4WHS mode. Add unittests.
TLS no inspect: fixes and cleanups
First iteration of doing app layer detection.
Add unittest.
Compilation fixes after merge.
Fix app layer detect to actually work.
TLS: small updates to the tls parser
initial version of better error checking/handling in the app layer code
Compile fix.
config.h.in autoreconf update.
Fixup rebase typo.
Fix http module warnings.
Use new threading calls in htp code.
Use correct mutex call in flow-vars code.
Make engine initialization a bit more quiet.
Use updated mutex calls.
Disable noisy debugging statements
Make nfq module use logging api.
Convert stats printing in nfq to logging api.
Add some debugging and simplify locking for app layer slightly.
updated config.h.in
Remove need_lock from app layer parsers.
Rename to Suricata.
Fix segv when testing for sid 2002181
Fix bug fix
Fix compilation after suricata rename.
compile fixes
Improve matching of packet and app layer sigs.
Support for sigs with both pkt and applayer detect
Implement alert sid storage in the flow so we can check previous alerts in the flow.
Support for sigs with both pkt and applayer detect
Improve threshold hash table handling.
Improve http cookie htp state checking before using it.
Fix potential deadlock in http cookie match.
Small cleanups.
fix typo
Fix compiler warning when using HTP rev 68.
Fix signatures not being initialized properly
Application layer detection improvements
Clean up smb/dcerpc code
Fix packet flags field not being cleared properly when the packet is being reused. Add some debug statements and cleanup some.
Fix scan patterns sometimes not being added to the scan ctx. Should fix bug #9.
Add icmp flow handling.
Fix wrong negation of ports.
Fix negation for addresses as well.
Test PortTestMatchDoubleNegation is no longer expected to fail.
Fix broken pattern len compilation causing certain patterns to not match when they should.
DetectContentChunkMatchTest11 is no longer expected to fail.
Make sure icmp rules also apply to icmpv6
Fix thresholding code changing unlocked and supposed to be static memory areas.
Fixup calculation of the minimum scan pattern length in some cases.
Make sure offset modifies depth.
build update
Flags keyword fix. Fatal init fix.
Move rand seed code into util-random
add version output, -V option
Improve distance/within/nocase handling, sig parsing error reporting.
Fix extra spaces confusing content and uricontent.
Fixup noisy debug statement
Add pcre negate support.
online abort() in stream reassembly if we're in debug mode
Add tag keyword stub
silence a debug statement in the msg handling
Improve depth and offset setup error reporting
Fixup smb/smb2/dcerpc wrt loops, debug printing, style.
Remove contents of VRT classification.config.
Set default classification file location in the config file.
Fix compilation and a small memory error.
Fix up initialization and hopefully make the SEQ macros fix up a 64bit issue we're seeing...
Make sure we can't overflow our packet alert storage
Update install doc
Actually use classification msg
Exit if no classification.config has been found.
Improve default-log-dir error checking and reporting.
Mention that libpfring 4.0 is required for our pfring support.
Set default-rule-path in example config to /etc/suricata/rules/
Fixup code to compile with -Wall -Werror -Wextra -Wno-unused-parameter compiler options.
Fix compilation with -Wextra
Don't scan more of a stream for proto detection than necessary.
Fixup month displaying for the stats log.
Fix compiler warning in http method code
Fix not decreasing the flow use_cnt reference counter in some cases from the app layer detection code. This caused some streams to never fully time out and thus clutter up the flow table and session pool.
Add some safety checks.
fix wrong keyword name
Enable bytes per sec and mbit per sec for nfq as well
Fix typo.
Fix app layer proto detection code not being thread safe.
Fix packet timestamp handling for encapsulated packets.
Set payload no inspect flag for packets with encapsulated packets as these are inspected separately
Fixup unittests that use buffers that simulate configuration files. They now include the YAML header.
Suppress some flow messages.
Clean ip fields from packet as well when the packet is reused. Prevents issues with malformed packets that are rejected by the decoders before IP addresses are set.
Fixup unittest error output for RAW decoder.
Fixup unused variable compiler warning in the dce code.
Make sure pcre PCRE_EXTRA_MATCH_LIMIT_RECURSION check works with strict compiler settings.
Rename fmem_t to SCFmem and make sure it's not exported.
Make engine startup a little less verbose.
Merge applayer detect function into normal match function. Should speed up detection.
Properly lock app layer result pool and add some debugging code for memory tracking.
Fix broken debug code in stream reassembly
Set no reassembly flags on sessions we don't recognize the protocol for.
PPPoE fixes.
Fixup flowbits signature keyword parsing memory handling.
Add OpenBSD's strlcpy and strlcat and replace all strcat/strcpy/strncat/strncpy by those calls.
Fixup noisy debug statement.
Remove obsolete files.
Remove unused conditional locking code from the app layer parsing code.
remove unused variables
Fix reassembly updating the wrong stream on ACK
Only inspect http flows against uri sigs, clean up uri scanning code.
Add missing return value evaluation in port parsing and fix broken unittest.
Set sensible tcp timeout defaults and no longer set the timeouts from the stream engine.
Fix merge artifact.
Fix the flow manager sleeping for way too long in some situations.
Manually merge Pablo's IPFW action patch.
Fix weird compile error
Stream engine memory handling update
Small compilation fixes when debugging is disabled.
Fix ipfw verdict.
First step for proper HTTP CONNECT handling.
Cleanup AppLayerDetectGetProto a bit.
Work around for unsupported CONNECT support handling.
Build sys update after applying prelude patches.
Build update
Move bpf string retrieval to its own function. Clean up pcap sources a bit.
Cleanup pcap output.
Check reassembly limits against correct stream direction. Set proper direction flag in stream msgs.
Disable unused jabber proto detection as it made the proto detection code look way more into the stream than without it.
fix crash in urilen
Fix reject code to not send resets for all alerts.
Fixup smb tests.
Fix an endless loop condition in the smb parser and make dcerpc parser more quiet.
Compile fix.
Make urilen inspect the normalized uri, cleanup uri (error) handling.
Apply configurable max pending packets to nfq and ipfw
Make pcre P have its own sm type.
Disable htp cleanup code as I'm not yet convinced it does what it should.
Handle ip only matching correctly on big endian systems. Thanks to Yao-Min Chen for figuring this out.
Fix big endian iponly handling.
CUDA build system support & compile fixes
Disable unused uri scanning code.
Mhz->MHz
Cleanup threading cpu affinity and prio output.
Update version to 0.8.1
Fixup Linux compilation after applying win32 patches.
Update autojunk.sh + build update.
Disable thread priority code until we understand it better.
Move windows install file to doc
Make unittests run more quiet.
Fix segv in http log module.
Change the way we replace contents by http_method and http_cookie, fixing #90.
Fix file permissions.
Use snprintf instead of sprintf
Fix two separate segv's in the http logging code.
Fix compilation on Linux, add error checking to Win32 SCFmemopen and properly indent.
Make sure log-http checks for a valid p->flow ptr before using it.
Reenable --enable-htp-debug option for libhtp so Suricata's --enable-debug won't automatically enable libhtp's debug as well.
Fix typo in example config.
Merge branch 'cnftypo' into next
Clean up flow mutexes after use.
Fix bogus error message.
Share content ids between identical patterns.
First stage of detect engine redesign: equal patterns share ids, search phase no longer used, new match verification phase.
Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.
Update prev ptrs in SigMatchReplaceContent
Detection keyword cleanup
Fix rules with thresholding set not being able to be ip-only.
Fix broken pmatch list handling.
Remove search phase from b2g pattern matcher.
Make sure nocase applies to the last pattern, content or uricontent.
Fix thresholding signature unittests. Because of the bug fix that made thresholding compatible to ip-only sigs the test sigs needed to be made non-ip-only.
Remove all search code from the pattern matchers, cleanup mpm api, remove unused http code, more cleanups.
Remove all references to the scan phase from the pattern matchers and its api.
Remove nosearch flag from pattern api and add a generic bitwise flags field.
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag.
Fix nocase searching in payload search phase.
Cleanups.
More scan/search related cleanups.
Remove more scan references.
Only process an app layer sig if it has the proper state. Make sure a sig can't have conflicting sigmatches, such as ftpbounce and uricontent.
Fix compilation
Fix compilation of new detect-filter code, fix ip-only compatibility of detect-filter code.
Don't scan more cookie headers than necessary.
Don't inspect more methods than necessary.
Remove wrong copyright info, cleanup headers.
Comment SigMatchSignatures a bit.
Fix broken unittest, improve within error messaging.
Properly clear list tail ptr in segment list.
Small SMB cleanups.
Make sure we only run the app layer proto detection (successfully) once per flow. Solves an issue found by the fuzzer where both flow directions were detected as different protos, messing up the app layer parser.
Make sure all smsgs are handled every time, even in case of error. The fuzzer found an issue where unhandled messages remained in the queue leading to threading issues.
Add more comments to detect and flow structures.
Small uri cleanups.
Cleanup global threshold code.
Move flow flags to flow.h
Update http_client_body code to recent changes.
Fix locking issue in the uri scanning code.
Remove loop from radix unittest. We can detect memleaks with valgrind.
Comment ECN/CWR changes more.
Fix ecn/cwr unittests
Use correct datatype in HTPCallbackResponse fixing possible endless looping issues.
Small cleanup and comment update to htp code.
Because the HTP personalities code changes how the htp state's connp is initialized, we need to check for it in more places.
Rename structures that don't adhere to our naming conventions.
Fix tcp segment list corruption bug
Improve pcap file mode EOF message. Fixes #123. Small cleanups to pcap file code.
Pcap eof msg can be informational
Rename CUDA kernel
Minor dbg output formatting fix.
Cleanup of libnet patch.
Improve http body chunk memory handling robustness.
Remove duplicate cuda kernel file.
Different approach to the reference keyword. Lots of cleanups, bug fixes in reference keyword code and tests.
Fix invalid free in HTP config deinit.
Fix invalid free in HTP config deinit.
Merge branch 'b115' into next
Improve error detection in the pidfile api.
Small error message and comment update to the nocase keyword.
Properly cleanup stream engine spinlocks and mutexes at shutdown. Fixes drd errors in unittests.
Improve yaml loaded debug output formatting.
Make sure we set the address family (AF_INET & AF_INET6) in the flow's address structures. Needed by HTP personalities code.
Properly cleanup used mutexes and condition vars in the flow subsys.
Explicitly test for ipv6 in the htp personalities code. Update all affected unittests to set addr family to the flow.
Fix logging api not cleaning up LogFileCtx mutex.
Reintroduce usage of the SC_RADIX_NODE_USERDATA macro into the htp code. Rewrite the macro slightly, add unittests for the macro.
Improve dce-iface keyword unittests.
Improve detection-filter parsing code error handling.
Improve http-cookie keyword unittests error handling. Fix memory errors in the tests too.
Improve sig parsing unittest error handling.
Improve detect-threshold parser error handling.
Add comment explaining how I feel a CLANG related change is unnecessary, but that I might be wrong :-)
Use strlcpy instead of strncpy.
Fix compilation if debugging is disabled.
Move SCSetThreadName to proper functions.
Small error checking rewrite.
Fix a couple of harmless compiler warnings.
In unified1-alert the ip addresses are in host order.
Add warning about needing a patch for Barnyard 0.2.0 on 64-bit. Rename sc_timeval32 to SCTimeval32.
Fix icmp_id keyword and improve icmp_seq keyword logic.
Console logging settings are now overridden by env vars.
Fix errors in the unittests reported by valgrind's drd tool. Add explanation of a FP.
Make sure that the SC_LOG_OP_FILTER env var overrides config as well.
Flush fp to be sure before closing.
Bump version to 0.8.2
Print Suricata version after initializing logging subsys.
Remove leftover debug print.
Use threadsafe time functions.
Remove Makefile.am reference to non-existing file.
Add classification.config to Makefile.am as well.
NFQ inline changes
Improve a number of error and info messages.
Switch decode-event comments to doxygen format
Make sure we don't leak memory on app layer protocols we detect, but don't parse. Fixed #132. Thanks to Gurvinder Singh for pointing out where the issue was.
Fix a typo in detect-decode-event.h causing a compilation error.
Move TmThread*Flag functions to the header so they can be inline with gnu99 as well.
Convert DecodeSetNoPayloadInspectionFlag and DecodeSetNoPacketInspectionFlag to macros.
Remove inlines from spm to satisfy gnu99
Fix compilation of pm algos with gnu99
Fix payload and uri detection inline errors in gnu99
Fix stream_size detection inline errors in gnu99
Fix pm algos inline errors in gnu99
Fix radix inline error on gnu99
Fix thread flag code to compile with gnu99
Gnu99 inline fixes for stream engine.
Remove inline from counters to make gnu99 happy.
Fix small memuse counter issue in flow subsys, remove emergency printfs
Properly set content and uricontent depth. Fixes #134.
Make HTTP proto detection more reliable. Add HEAD keyword. Thanks rmkml for the report/request.
Libcap-ng support by Gurvinder Singh and myself. Basic support for per thread caps is added, but not activated as it doesn't seem to work yet. Work around for incompatibility between libnet 1.1 and libcap-ng added.
Kick out streams with gaps in them in the app layer parser until we add proper support.
Hack around cornercase in debug code in stream engine. Works around #140.
Fix checking for the stream GAP after the ssn ptr was initialized.
Add a packet count var for pcap file mode to the Packet structure to ease debugging.
Fix a bug in the signature grouping code that didn't properly setup the mpm ctx's in some cases.
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148.
Add tcp seq info and pcap file packet number to the alert-debuglog.
Fix typo in uricontent within handling causing within to be wrong.
Use proper tcp/udp macros in alert-debuglog
Fix failing thresholding unittests
Bump version to 0.9.0.
Fix/workaround a strange detection issue.
Fix a compiler warning, add some comments, cleanup layout of smb parser.
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
Fix signature grouping bug for protocols without ports. Add debugging code.
Complete conversion of pattern id mpm storage vs sig id storage.
Convert flow bucket lock from mutex to spinlock. Locks should be very short, so spinlocks should be faster.
Small ICMPV6PayloadTest01 unittest cleanup.
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
Improve flow hash debugging, switch to csv output.
Use one less thread in pcap file mode. Reduces locking overhead.
Move to different way of enforcing max_pending. Should require less locks.
Fix tunneled and defrag reassembled packets with the new pending limits.
Switch time api from mutex to spinlock.
Cleanup packet recycling code. Fix issues in the packet tunnel/pseudo code.
Fix compilation if debug is disabled.
Use bigger stream msg.
Fix broken stream unittest.
Fix broken ICMPv4 unittests. Fixes #161.
Fix NFQ compilation.
Fix NFQ receive/verdict race condition in cases where the packetpool is empty.
Fix small potential bug in debug mode found by clang.
Fix updated memory api using debug mode by default. Small cleanups.
Properly lock flow before setting IP only action flags. Small alert api cleanups.
First stab at creating a stateful detection engine.
Rename asn1 files, fix an invalid free, fix improper init of vars in one unittest.
Improve SSL input validation.
Rename TranslateIPToPcapDev to PcapTranslateIPToDevice and make the length argument size_t.
Fix malformed ipv6 packet causing an endless loop in exthdr decoding.
Fix small memleak in ip only parsing code.
Fix thresholding 'both'. Fixes bug #160.
Properly update depth if offset+content_len < depth. Fixes #164.
Fix typo in depth changes.
Fix radix and stateful detect engine memory leaks.
Remove unnecessary header inclusion in app layer ssl.
Bump version 0.9.1.
Improve memory handling in error conditions in the radix implementation.
Lockfree ringbuffer wip.
lockfree ringbuffer wip2, including proper shutdown.
Make pcap file mode read multiple packets per 'read'. Update threading model to deal with this.
Add multi packet reading for pcap live mode. Add a partly lock free multi writer, multi reader ringbuffer.
Add support for class id in classification code. Submitted by firnsy at securixlive.com, thanks.
Use ringbuffers in the pcap live auto runmode as well.
Finish http_uri keyword, fix invalid read issue in one of the tests.
Fix a corner case where the pcap receive modules could alloc packets at line rate until memory was depleted.
Fix adding the http_uri sigmatch to the uri list twice.
Lock detection state reset function properly.
Introduce atomic operations API that supports GCC's atomic operations and a fallback using (spin)locks. Convert ringbuffer api to use the new atomic api.
Enable perf counter updates in the ringbuffer queue handler.
Small ip to pcap dev cleanup.
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
Remove unnecessary locking for thread-local packet-queues breaking on Win32.
Cleanup thresholding code.
Fix ringbuffer number wrap around issue causing buffer items getting overwritten and thus lost.
Clean up flags keyword.
Disable flowbits stats.
Fix an endless loop condition introduced by the threshold cleanup.
Detect cleanups.
Fix pcap file mode not shutting down on ctrl-c
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
Fix thresholding issues.
Fix detection_filter issue.
Fix flow engine memory handling.
Add subtraction wrapper to the atomic api.
Switch flow memuse counter to the atomic api.
Move flow use cnt to atomic and outside of the flow mutex protection.
Reduce size of event bit array in the packet structure.
Fix HTTP HEAD detection code.
Check for being properly setup before activating a thread. Fixes a potential although unlikely null-dereference.
Store stream msgs processed by the app layer in the tcp session so they can be inspected by the detection module as well. The detection module returns them to the pool.
Make sure a stream that has a failing app layer inspection module no longer stops reassembly, but only app layer inspection. This way we can continue to inspect the reassembled stream.
Inspect the reassembled stream together with the packet payload in the same direction.
Fixes to stream pattern matching.
Moving the stream content scanning to have its own mpm ctx.
Applayer to flow fixes and cleanups.
Fix flags mixup issue in the app layer.
Add support for retrieving float and double variables from the configuration.
Allow the user to disable setting cpu affinity and allow configuring the number of detect threads relative to the number of CPUs/CPU cores.
Convert uricontent scanning to use the detect engine state.
Fix detect engine state unittest, add another.
Scan uricontent mpm on demand.
Improve stateful uri detection code.
Improve B2g performance by merging pattern array and hash.
Move dce payload inspection to stateful detection engine.
Fix a segv caused by invalidly accessing the smsg_pmq array.
Prefilter signatures before fully scanning them.
Improve detection of app layer, making sure we only handle app layer on 'established' packets. Should really fix #166.
Add missing include resulting in a compiler warning.
Have the detect.alerts counter count actual alerts.
Small decode-event code cleanup.
Bump version to 0.9.2.
Fix tcp connections that are reset (RST packet) not always inspecting the reassembled stream. Update transaction id code to make sure both directions of a transaction are inspected before incrementing the inspect_id.
Make sure ICMP unreach packets are not inspected against the flow sgh as it's for the original protocol, not for the ICMP packet. Fixes #174.
Add a (disabled by default) flow pinned runmode for file pcap.
Merge different ringbuffer structures.
Fix SCondWait -> SCCondWait typo.
Add thread cond_t based waiting in the ringbuffer.
Split ringbuffer queue handler into multiple, for mrsw, srsw, srmw modes.
In the ringbuffers spin before the wait
Move packet pool to ringbuffer, update packet pool api and ringbuffer api. Remove memset usage from PACKET_RECYCLE, add proper cleanup macros.
Fix dcerpc unittest, add comments.
Atomic macros typo fix.
Disable condition based waiting in ringbuffers until we fix lockup issues.
Compiler warning fix for tag, make sure we do timeout checks under lock protection as well.
Fix thresholding code for packets that are neither (valid) ipv4 and ipv6.
Fix a data race for packet pool packets when defrag/tunnel code needs a packet.
Fix segv conditions caused by broken flow cleanup code.
Fix valgrind error in tls unittest.
Don't scan TCP packet payload if it was added to the stream. Inspect the tcp stream with the correct packet. Should fix #184 and #185.
Make sure we inspect all outstanding reassembled stream chunks (smsg) if the stream is shutting down. Make sure to do inspect signatures that use dsize against the tcp packet payload, even if that payload was already added to the stream. Likewise, the dsize signatures are not inspected against the reassembled stream.
Disable alert-debuglog and unified1 in the default config. Add comments to the default config about pending packets, alert log types.
Make SigWrapper private to detect-parse.c and rename to SigDuplWrapper to reflect its use and purpose.
More thoroughly cleanup a Packet when we recycle it. Fixes a corner case where we'd have an invalid tcp packet but p->proto would still say IPPROTO_TCP because of a previous run. Fixes bug #187.
Add a -fno-tree-pre to our CFLAGS as it breaks the ringbuffers on Ubuntu 9.10/64 bit.
Add some checks for 'impossible' conditions that become possible after enabling optimizations :-/
Detection improvements: uricontent escaping now working, better negated pattern (content) handling.
Fix pcap file auto flow pinned runmode (disabled by default).
Add optional structure validation code.
Add unittests for ringbuffer.
Attempt to work around NULL packets we're seeing ending up in queues when the compiler has optimized our code.
Add missing util-validate.h
Fall back to the old mutex based queues to see if that fixes an obscure lockup at higher optimization levels in gcc in file pcap mode.
Fix broken stream engine config initialization: due to wrong casts settings could be overwritten in memory.
Fix compiler warning about incomplete prototype.
Fix bug where valid FIN packets would be rejected.
Fix compiler warning about incomplete prototype (2).
In case of error in pcap file reading mode, we shut the engine down hard instead of gracefully.
Fix STREAM_EOF flag overwriting STREAM_START flag on short streams. This made us miss short HTTP sessions.
Make sure decoder event rules are inspected even if the packet is invalid and has no addresses or proto. Update fast log and alert debug log to display the alerts. Fixes #179.
Disable per second counters as they are unreliable.
Fix app layer sigs being recognized as decoder event only or ip only.
Improve app layer proto check.
Fix cuda compilation.
Use 'simple' queue for cuda too. Fix hanging in cuda mode.
Fix PACKET_RECYCLE not cleaning all of the packet.
Improve configure messages. Make sure CUDA doesn't try to process packets that are too big.
Remove leftover printf.
Bump version to 1.0.0
Add comments on CUDA usage in suricata.yaml.
Fix DCERPC over SMB/SMB2 detection issues. Fix not updating transaction id in a stream direction if there was no sgh.
Don't set negated uricontent signature flag twice.
Better handle low memory conditions.
Improve out of memory handling during initialization.
Fix config file typo.
Force stream reassembly on streams where we didn't yet detect the protocol if the stream is closing.
Use Address structure in DetectAddress struct.
Make signature address matching more cache efficient.
Reenable and fix AlpDetectTestSig5
Cleanup suricata.yaml.
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
Add missing protocol check in the sig matching process. This prevents FPs such as the one reported in bug #209.
Make sure holding up to_client reassembly stops after the proto is detected or we're sure we'll never detect it. Fixes issues related to bug 205.
Comment out broken SSLParserTest03 test.
Really fix bug 205 this time, repair a broken unittest.
Kick out invalid signature with uricontent and flow:to_client or flow:from_server.
Change stateful detection engine to be able to start the stateful detection separate from other sigs. Fixes bugs #213, #214, #215.
Fix segv on loading signatures with unsupported combinations of pcre and the relative flag.
Clean up detection engine mpm initialization phase.
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
Merge decode and stream threads in RunModeIdsPcapAuto like in the file runmode. Fix these runmodes not adhering to the cpu affinity setting if CUDA is compiled in.
Fix unittests after ip_proto keyword change.
Fix -Wall -Werror compilation after unittests update.
Add config output for new stream settings.
Fix signatures with trailing spaces being rejected by the regex. Add test.
Fix stream msg content inspection not inspecting the correct id.
Revert yesterday's dcerpc commits as there were too many corner cases for it to go into 1.0.1.
Properly detect detect-event-only sigs.
Remove ports check and fix small typo.
Bump version to 1.0.1
Small update to the ssh module: fix a valgrind warning and a couple of compiler warnings. Do a few small style updates.
Compiler warning fix for memory macros. Small layout changes.
Properly set tmp_ra_base_seq in streams. By Gurvinder.
Disable broken unittests and fix one.
Bump version to 1.0.2
Make outputs part of the flowpinned threads in the AutoFp runmode.
Print engine uptime on the same line as date and time.
Make sure the DetectHttpMethodData structure is properly initialized before using it.
WIP B2gc
Switch to faster tolower function for u8_tolower.
Change BloomFilter structure layout to reflect order of access.
Fix setting hash size in the config for b2g pattern matcher.
Further improve B2gc. Add B2gm. Improve memory layout.
Add padding to commonly used data structures.
Switch to b2gc as default pattern matcher as it uses less memory and is a little faster.
Many small performance updates.
Reorganize SigMatchSignatures.
Add memcmp api with a plain memcmp function and a SSE3 accelerated memcmp.
Add memcmp functions for SSE4.1 and SSE4.2.
Fix retval of SCMemcmp for non-SIMD implementation.
Fix pcre compilation with debug enabled.
Small layout update
Updated install doc after automake run.
Initial version of a new bitmask based signature pre-filtering method.
Fix unittest.
change dcerpc warnings into debugs.
Remove unused code from b2gm.
Fix setting hash size in the config for b3g. Part of fix for bug #222.
Store the first frag flag in the uuid as the pfc_flags field is overwritten. Part of fixing #206.
Disable expensive unittests that don't really test anything.
Better handle low memory conditions.
Adapt malloc macros to only display errors during init, not during runtime. At runtime it could make us crawl if the system runs out of memory.
Add comment and layout update to new fast_pattern code.
Fix TmThreadsUnsetFlag not unsetting flag if __sync_fetch_and_nand was used.
Sleep after checking for a thread flag in TmThreadWaitOnThreadInit now that the check is so much cheaper.
Default to 'single' ctx for ac-gfbs as well.
Fix http_method not inspecting all http transactions all the time. Fix proper nocase setting. Switch to pattern scanning only, no more numeric compares as it turned out to be incompatible with how the keyword is used (nocase, etc).
Remove a BUG_ON statement from the payload inspection code.
Add telus and bid references for etpro.
Add secunia reference pending our reference.config support.
Really add secunia reference support.
Change mpm hash_size config setting highest to higher as highest wasn't the... highest. Max was higher. Leaving highest as an alias to higher for backwards compatibility.
Apply revision 233 and 234 from libhtp to improve memory handling when Suricata runs out of memory.
Minor reference.config support changes: improve error handling, reduce hash table size.
Clean up output of signature ordering module.
Remove stray newline char from profiling output.
Fix negated http_method not working properly, causing false positives.
Cleanup http_stat_code unittests, shrink data structure.
Fix a case where alerting in inline mode would lead to dropping on alert sigs.
Print an error if the protocol field of a signature contains an unknown/invalid value.
Fix depth error messages referring to distance instead of depth, fix their layout.
Add http_raw_header as an alias to the http_header keyword as that actually inspects the raw headers (see issue #243). Closes issue #242.
Change default of detect-engine.sgh-mpm-context to auto.
Simplify NFQ runmode reducing the number of threads and thus queues.
Layout updates to NFQ runmode.
Switch back to defaulting to full for detect-engine.sgh-mpm-context as it broke many tests.
Converts port vars in http logger from uint32_t to Port and update output.
Fix a potential invalid memory read in the protocol name code used by alert-fastlog.
Slightly cleanup detect-engine.sgh-mpm-context option parsing.
Make sure we have a response message before inspecting it in http_stat_msg.
Fix compilation in --enable-debug mode.
Add check to fast pattern keyword to make sure that the offset and length don't exceed the actual pattern length.
Fix printing unprintable characters in the engine-analysis fast_pattern mode.
Fix --enable-debug compilation, just unittest with --enable-debug-validation enabled.
Fix potential locking issue in out of memory conditions in the http_header, http_raw_header code. Fix other potential small issues in http_ code.
Cleanup and rearrange detection code slightly.
Consolidate several signature flags into one.
Rename SIG_FLAG_AMATCH flag to SIG_FLAG_STATE_MATCH to better reflect its purpose.
Clean up signature flags creating room for merging flags and mpm_flags. Merge flags and mpm_flags. Move new mpm ids into signature header. Get rid of full signature access in signature prefiltering.
Change locking of http_header, http_raw_header and http_client_body so that flow isn't accessed without lock anywhere.
Reduce number of locks required for http_header and http_client_body inspection.
Remove redundant checks in http header and http client body code.
Manually add unittest by Pablo Rincon from bug #210.
Change the way the request body limit is enforced.
Remove dead pcre code.
Fix request-body-limit option for libhtp config.
Add reference to suricata.yaml documentation in our redmine wiki.
Move updating the time from the pcap callback to the decoding stage in file mode.
Remove flowbits as a mask prefilter as they are dynamic. Add a dynamic check.
Fix FlowBitsTestSig06 test no longer working properly.
Don't stop stream reassembly if protocol detection failed, only stop/prevent app layer parsing.
Have each output use the global log format if none is specified for that specific output.
Disable adding to unregistered mbit/s counter.
Remove unused stream flag.
Fix compiler warnings, cleanup counters config code.
Fix compiler warning in log-httplog.c & change stats.log to log as mm/dd/yyyy as well.
Clean up output.
Fix potential null deref (introduced a few commits ago) found by clang.
Handle a clang warning that says dstq can be null referenced. In no call of FlowRequeue dstq can be null so not a real issue. Added a BUG_ON just in case, but only in DEBUG mode to prevent the extra overhead. If the code changes we will run it in DEBUG mode and catch the error.
Disable DBG_PERF by default except for when DEBUG is enabled.
Fix a clang issue 'Assigned value is garbage or undefined' in the threshold code in case a packet was neither ipv4 nor ipv6.
Fix a number of small clang issues. Clang doesn't know we exit on malloc errors during init.
Work around a suspected fp in clang.
Fix a clang warning in unittest DetectUriSigTest12.
Fix a couple of cases where incorrect handling of keyword parsing errors would lead to access of uninitialized memory. Found by clang.
Minor unified1-log changes to work around a clang issue, but also to clean up the logic slightly.
Another batch of clang fixes. Nothing really serious. Includes a couple of fixes for broken fixes from yesterday.
Update version to 1.1beta1
Switch mpm-algo in example suricata.yaml to ac
Add missing 'reference' to reference.config to Makefile.am.
Extend 'append' option to stats.log as well. Small cleanups.
Suppress an AC debug message.
Cleanup defrag engine on shutdown.
Clean up stream pmqs in the detect thread ctx.
Clean up packet pool handler on shutdown.
Add a simple revision based on the git rev to the version number, like a build number.
Fix a compiler warning due to a broken prototype declaration.
Make mpm-algo use the mpm_table that has the actual mpm's registered. Clean up dead code.
Add (experimental) support for using multiple pcap devices to acquire packets from. Just passing multiple -i <dev> options on the commandline will activate this. Windows not yet supported.
Use a different way of getting a short git rev that is compatible to older git versions.
Fix FlowTest* unittests to fail sometimes.
Fix 2 cases where overlapping data in the stream engine wouldn't be properly handled potentially causing the wrong data being used in stream reassembly.
Make sure http_cookie inspects all HTTP transactions. Clean up error messages. Get rid of unused code and dead comments.
Make sure we reuse a TCP session if we receive a valid 3WHS on a closed TCP session, can happen if a new session has the same tuple.
Create an AppLayerHandleTCPData function to directly feed data from the reassembly engine to the app layer parsing.
Cleanup and document AppLayerHandleTCPData
Add error counters.
Split applayer and raw stream reassembly
Inspect a pseudo packet upon receiving a RST so that we are sure both sides of the TCP session are inspected.
Never create a pseudo packet based on a pseudo packet.
Increment flow use cnt for pseudo packets as the flow is not supposed to disappear while dealing with those packets.
Fix compilation with --enable-debug
Fix the pseudo packet having the wrong proto set, causing massive fp's. Flag packets to be part of the established phase of a tcp session, so we won't prematurely inspect the app layer state.
Add pseudo packet counter.
Update all unittests
Fix new unittests introduced by rebase with next branch.
Comment out disabled unittests.
Adapt stream code to packet memory allocation changes.
Make sure we don't try to 'verdict' the fake PKT_PSEUDO_STREAM_END packets.
Fix unittests after merge.
Inspect a pseudo packet upon receiving a RST so that we are sure both sides of the TCP session are inspected.
Fix the pseudo packet having the wrong proto set, causing massive fp's. Flag packets to be part of the established phase of a tcp session, so we won't prematurely inspect the app layer state.
Initial code for stream 'inline' mode: packets that are (partly) overlapping with already accepted packets (meaning in the streams seg list) are rewritten to make sure they contain the exact same data.
First round of adding 'stream events'. Basic stream tracking events added.
Add some debug output to app-layer-htp.
Better support ack/psh data packets on several states. Updates to ack validation code.
Improve stream gap handling. Instead of giving up as soon as we see a gap we now wait much longer before we decide it's a gap.
Fix minor comment typo.
Improve ACK value validation, timestamp checking code. Overall layout.
Change the way the reassembly depth is enforced. Ignore retransmissions, get rid of per session counter.
Add depth comment.
Remove unused pseudo packet reassembly code.
Add ACK validation to Reset/RST validation code.
Rename RST validation function to match convention
Another iteration of the reassembly depth enforcement, now considering retransmissions.
Have reassembly errors also set a stream event.
Update to depth code. Get segment from the correct pool when a payload is truncated.
Minor cleanups.
Don't handle and validate the TCP timestamp at the same time. Instead validate first, then later when all other validation has been done as well, handle.
Fix the stream.inline config option. Set PKT_STREAM_EST flag also for packets that are part of a session in a state beyond TCP_ESTABLISHED.
Add a new app layer reassembly function that is for inline use, and use it when the stream engine is in inline mode.
Initial version of an inline raw reassembly function that reassembles in a sliding window. Introduce new unittest helpers for stream reassembly.
Add missing stream inline files.
Make sure tunnel packets (and pseudo packets) properly decrement the flow use counter in all cases.
Add flow prune debug counters (disabled by default).
Update stream section of example configuration.
Improve RawInline reassembly: remove unnecessary segments from the stream in an earlier stage. Test this properly.
Add more debug printing of reassembled data into the app layer api.
Expand and fix stream unittest helpers.
Improve Inline reassembly wrt to GAP handling. Add more tests.
Do the actual checksum recalculation and packet replacement on modifying a packet in the stream engine.
Fix compilation for non-DEBUG case.
Fix PKT_STREAM_EOF never being set, resulting in some raw stream chunks never being inspected. Improve debug output.
Fix a reassembly overlap issue. Fix an inline reassembly gap handling issue.
Add a counter to NFQ for modified packets.
Fix bug in the segment insert code causing an inconsistent segment list in some overlap conditions.
Inspect all stream msgs at any time when running in stream-inline mode. Skip detection for packets flagged for dropping before detect.
Increase stream msg size.
Add configure check for signed or unsigned nfq_get_payload, adapt code.
Fix nfq lockup due to improper handling of PKT_PSEUDO_STREAM_END packets.
Add option to set the syslog level for the alerts. Minor cleanups.
Don't pass config to unittests run in make check.
Improve error cleanup in output function. Thanks to iswalker.
Reenable SSE3 memcmp and switch AC memcmp to use the SCMemcmp wrapper.
Fix FreeBSD's compilation of the new affinity code.
Don't test the several packet detection checks against pseudo packets as the matches would not be meaningful anyway. Prevents a segv in the csum detection.
Don't print errors/warnings based on malformed traffic.
Minor drop log cleanups.
Don't print drop log on pseudo packet.
Set DROP flag on a packet in addition to the REJECT flags. This makes sure we not only send a reject, but also drop the offending packet. Closes #248.
Remove debug stream testing code from non-debug builds.
Fix an issue in stream reassembly causing the segment list to get into an inconsistent state.
Improve byte to numeric value error reporting and testing.
Update pfring doc.
Increase logline max length.
Rename request-body-limit to request_body_limit to remain consistent with other options. Keep old notation around for compatibility.
Wrap a number of BUG_ON's in the detection engine in DEBUG ifdefs as the conditions they check for are not serious enough to abort the engine.
Reduce SCTP_HEADER_LEN to reflect actual pkt header size.
Print [drop] as well for syslog output.
Fix priority handling during the signature parsing stage. Fixes #275.
Fix missing rename for request-body-limit to request_body_limit.
Add option to PF_RING to have multiple reader threads. Improve general performance of the PF_RING module.
Small pfring doc update by Joshua White from Everis.
Fix compilation error on non-pfring systems.
Fix header_len in GRE decoder getting out of control in some cases.
Fix valgrind error on pfring_recv, rename threads from RecvPfring to RxPfring so the name still looks right for 100+ threads. Add --pfring commandline option that just enables pfring, then takes interface from config.
Allow users of the alert-syslog to set the identity.
Make sure PID is logged as well in alert-syslog output.
Fix compiler warning in isdataat keyword setup code.
Fix compiler warnings in two unittests.
Fix compiler warnings about unused IPv6 Address code.
Move unittest code into UNITTESTS ifdefs in the HTP parser. Fixes a compiler warning.
Fix broken setup of end of stream pseudo packet.
Fix invalid RST considered valid due to wrong returns codes. Only validate ACK from a RST packet if an ACK value was set.
Force reassembly of unack'd data on receiving a valid RST packet.
Add --build-info command line option to output some basic build settings.
Add a few extra safety checks in new SSL code.
Misc pcap logging cleanups.
Add limit option to pcap-log logging config.
Fix compilation for nfq_set_mark code when NFQ is not enabled.
Fix many address unittests using explicit byte order and thus failing on big-endian systems.
Fix IP-Only unittests failing on Big Endian.
Fix bloomfilter issue on big endian.
Fix counter unittest on big endian.
Fix broken ICMPv4 unittests on big endian, fix broken ID macro on ICMPv6.
Fix address test on big-endian.
Fix icmpv4 unittest on big endian, extract embedded sport and dport even if a full tcph doesn't fit.
Various fixes for issues reported by clang.
Fix [drop] not being printed for IPv6 fast.log alerts.
Fix unified2 overwriting tag alerts.
Exit on thread restart limit reached.
Allow pcap-log to log outside of default-log-dir by passing an absolute path as filename.
Add special sguil mode to log-pcap to support logging into date based directory structure and rotate when the day passes. Also do not log packets beyond stream reassembly depth and encrypted traffic.
Fix potential segv in pcap logging deinit code.
Fix defrag4 setting the packet length on the wrong packet.
Ignore tunnel/defrag packets in log-pcap module.
Add strncpy and strncat to banned function list as we have better replacements: strlcpy and strlcat.
Fix compilation of pcap reopen code for older libpcap code.
Fix decode-event keyword parsing. Fix code that indicates a signature is decode-event only. Add 'pkthdr' protocol as an alias for any/ip to be used by decode-event signatures.
Fixing libpcap 0.x.x specific code, take 2.
Fix compiler warnings in defrag unittests.
Change segment removal in stream engine to not discard segments right away. Now they are only removed if they are fully before ra_base_seq.
Fix missing segment flag, fix 2 unittests broken after previous stream changes.
Make sure we actually remove no longer required segments.
Only remove segments from segment list if they are completely before ra_base_seq.
Account for seg list not always being empty when stream closes.
Store matching stream msg (ptr) in packets alert structure so it's available to the output plugins.
Remove minimum init chunk length code, set a default limit of 2560 to the minimum chunk size, allow toclient raw reassembly to start even if toserver hasn't started yet.
Disable unused code, fix compiler warning.
Enforce configurable minimum chunk size in raw stream reassembly. Minor stream cleanups, unittest updates.
Make sure TAG alerts don't work with an uninitialized alert_msg pointer.
Support logging of reassembled stream data in IPv4 unified2.
Enable logging of stream chunk in IPV6/TCP. Make sure IPV6 events have an ethernet header to work around Barnyard2 not liking DLT_RAW+IPV6.
Set datalink on stream pseudo packets to prevent unified2 from writing a malformed record.
Make stream inline use the chunk size settings.
Disable alert-debuglog that was accidentally enabled in a previous commit.
Slightly clean up --list-runmodes output.
Properly initialize pfring runmode before using it. Fix malformed conf api calls.
If shutdown doesn't complete processing all packets that are already in the engine within 30 seconds, force quit.
Fix a copy issue in PacketCopyDataOffset.
Don't set ip{4,6} header on reassembled ip packet until we know for sure what buffer the packet is stored in.
Clear pcap_cnt variable on packet recycle.
If engine shutdown (processing in-engine packets) times out, exit Suricata with EXIT_FAILURE.
Make sure to only alloc a new pseudo packet once during ip defrag.
Fix pfring commandline handling.
Make error on <- direction operation use more explicit.
Wait longer at shutdown before concluding it's taking too long. Hopefully enables our slow QA boxes to complete in time.
Add qa/wirefuzz.pl to release tarball.
Bump version to 1.1beta2
Include initial version of decoder-event rules.
Add decoder-events to Makefile.am as well.
Fix a memory leak in flow recycle code causing the detection engine state not to be fully freed (recycled) but reference to memory removed anyway.
Allow for 0 (unlimited) HTTP request_body_limit, fix option parsing.
Add TCP packet SACK option decoding.
Implement SACK in the stream engine.
Small optimizations to IPV4 and TCP header parsing.
Fix setting libhtp personality.
Stream reassembly fixes.
Process a stream end pseudo packet when going from TIME_WAIT to CLOSED.
Fix 2 stream reassembly unittests
Minor fixes in defrag engine, shrink DefragTracker_ structure.
Make sure that the stream engine fully reassembles both sides of the session upon receiving a valid RST.
Fix a logic error in the SACK list cleanup causing a memleak and invalid memory access at the same time.
Shrink Flow structure by 20 bytes (on 32 bit) and reorder it. Clean up init, recycle, destroy macros.
Wrap HTP code that is only used in debug mode in debug ifdefs.
Add proper RST handling to all TCP states.
Disable to_client http detection. Libhtp expects to_server data first.
Update bundled libhtp to libhtp svn tag 0.2.5.
Add support for new libhtp htp_config_register_request_uri_normalize callback.
Add configure check for new htp 0.2.5 uri normalize hook.
Fix not using new htp callback when using the bundled htp. Add indication to --build-info. Fix valgrind warning in test and further improve test.
Minor profiling fix: don't close stdout.
Cleanup configures pcre sljit test.
Fix SSE memcmp functions reading beyond the buffer. Add tests to bench them.
Properly reset IPv6 extension headers structure.
Fix memcmp checks that prevent reading past buffer boundary.
Shrink PacketAlerts structure so that Packet structure is a lot smaller. Reduce max events per packet from 256 to 15.
Convert Packet tunnel variables to bit flag checks.
Remove tunnel_proto field from Packet structure.
Convert mutex protected tunnel counters to lockless atomic counters.
Remove a debug statement from single pcap file runmode.
Account for distance when checking within. Bug #285.
Rearrange syslog.h including so we won't fail to build on win32.
Include <windows.h> to get access to THREAD_PRIORITY_* defines.
Remove unnecessary include that breaks windows builds.
Don't compile alert-syslog module on Windows, it doesn't work anyway.
Fix log-pcap compilation on Windows.
Fix stream reassembly engine compilation on Windows.
Clean up & better check includes to allow Windows to build.
Update libhtp/INSTALL doc based on autogen.sh.
Simplify packet decoding macros.
Remove unused and broken htp code.
Make sure we don't process TAG records from the flow multiple times and outside the flow lock.
Fix TAG removal in certain conditions.
Remove dead code from flowbits parsing.
Change libhtp configure to not enable debug when suricata does.
Add unittests for debugging a libhtp issue.
Fix HTP unittests that test pre 0.2.6 libhtp issue. HTP config wasn't restored properly.
Fix broken fix.
Add compiler and hardware barrier macros.
Add Vector datatype for SSE operations.
Add wrappers for aligned memory allocation.
Match packet mask against 16 signature masks at once using SIMD instructions for SSE3 and up.
Clean up new SIMD mask checking code, improve non-SIMD checks.
Check 32 masks per run instead of 16 in the SIMD code.
Use 64 bit mask on 64-bit systems.
Add more mask flags.
Always reset alert cnt and always increment det_ctx->pkts.
Fix signature mask bitorder.
Fix SIMD mask checking on 64 bit systems.
Clean up stateful detection code.
Add an app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes.
Use pmmintrin.h as older gccs don't have immintrin.h it seems.
libhtp/m4 dir won't be created on CentOS 5.3 by autogen.sh, so work around that by having it in git
Fix broken stateful detection unittest.
Fix compilation on OS/archs that don't support atomic variables.
Fix passing a uint8_t as an int. Breaks on some args.
Make sure stateful detection engine inspecting HTTP streams works well for to_client rules as well.
Fix minor compiler comments in CUDA code.
Fix a number of unittests not properly initializing a packet causing issues on some archs.
Attempt to work around missing __WORDSIZE define on FreeBSD.
Only compile byte_extract unittests if --enable-unittests is enabled.
Fix a reassembly bug that in some cases could lead to a crash.
Fix unified2 packet length not being set properly for reassembled stream packets.
Use p->proto in detect to determine TCP/UDP/SCTP.
Fix handling of FIN/ACK packet on TCP state TCP_FIN_WAIT2.
Fix stream unittest.
Improve HTPParserTest07 test to be more helpful if it fails.
Fixes for out of bounds pcre_get_substring calls no longer silently accepted by modern pcre.
Implement a pkt acq loop infra with support for pcap-file.
Small optimizations to pkt acq loop code.
Fix ssl keyword pcre_get_substring issue.
Fix urilen keyword pcre_get_substring issue.
Fix flowint keyword pcre_get_substring issue.
Rename profile macros and variables to reflect that they are for rule profiling.
Add per packet profiling.
Move TlsConfig structure out of app-layer-protos.h and rename it to SslConfig.
Add per app layer parser profiling
Add a few more example gnuplot scripts.
Remove vim .swp file from repo.
profiling / qa: make plot-csv-large-all.sh much more flexible.
profiling: fix stream ticks miscalculation on stream end pseudo packets.
Profiling: add per packet accounting of how much ticks are spent in protocol detection.
Profiling: add accounting for several detection phases.
Extend packet profiling to other thread 'slot' functions.
Engine and stream events only rules are deonly compat as well.
Add profiling to various HTTP buffer MPM calls.
Undo tunnel reference counting using atomic operations. Revert to mutex based code.
Make sure stream/engine-event signatures are recognized as such.
Update PCRE JIT code to support official JIT implementation in pcre-8.20-RC1.
ip-only: added support for matching on ports.
Profiling: convert all packet profile counters/variables to u64. Improve output for larger numbers.
Fix compilation when profiling is enabled.
Fix minor address parsing compiler warning.
Fix stream-events not working. Stream events won't fit our 'detection only' schema. Fixes #321.
Don't match on IP only rules that use ports if packet is not (proper) TCP, UDP or SCTP. Rules out frags matching as well.
pcap-log: fall back to sguil_base_dir option if 'dir' isn't set. Minor cleanups.
Fix compilation with profiling enabled.
Convert stream memcaps to u64. Bug #332.
Convert flow memcap to u64. Bug #332.
Fix too many SMTP commands causing an integer overflow in the cmds_cnt variable, in turn causing an out of bounds memory write.
tag: fixes and cleanups
Add util-optimize.h to suricata-common.h so all code can use it.
Fix detection engine informational message misrepresenting decoder only signatures.
Implement a counter for TCP packets with invalid checksums: tcp.invalid_checksum. Bug #311.
Improve atomic operation support detection. Fixes #342.
Add packet alert flag to indicate a match happened (partly) in the app layer state. Make unified2 use this flag.
Support stream.inline mode in unified2 tcp segments logging.
Bump version to 1.1beta3.
Add missing cuda header file causing 'make distcheck' to fail.
Improve error detection in the port and address parsing in signatures. Bug #295.
Update default suricata.yaml to use more sane settings for EXTERNAL_NET and AIM_SERVERS.
Handle failing thread modules that are called by the Pcap file callback.
Don't set higher transaction id's in HTTP sessions than we have.
Unlock flow in StreamTcpSegmentForEach if there is no TCP session.
Consider signatures with the flags keyword to be packet inspecting only, not stream.
Exclude DSIZE LT case from setting the 'need payload' mask bit as it can include 0, which means no payload.
Override HTP IDS personality normalizing the query string to lowercase. Bug #362.
Add missing case sensitive to insensitive conversions for http_header, http_raw_header, http_method, http_cookie and http_raw_uri with 'nocase' set.
Fix broken macro call.
Fix compiler warning and fix using GET_IPV4_DST_ADDR_PTR macro to access IPv6 header.
Make http logging code more robust against cases where the htp state is incomplete (out of memory conditions).
Add stream engine counters
Add flow counters: memuse, pruning stats, emergency mode. Bug #348.
Fix stream unittests.
Improve asn1 keyword handling of a malformed asn1 state.
Fix potential suppression parsing issue found by CLANG.
Fix a number of potential issues found by CLANG and cppcheck.
Fix broken tests.
Fix broken fix. Shame on me for committing without testing.
Fix thresholding code suppressing an alert if no threshold/suppress rules needed to be checked.
Rewrite SetupLogging to not leak the fd. Thanks to Steve Grubb for advice on this.
Fix unittest compiler warning.
Mpm update: Toss out signatures that mix pkt and stream/state. Update profiling code to track new mpm.
Reinstate replace validation check.
Win32 compile fixes.
Bump version to 1.1rc1.
Fix compiler warning.
Fix SMTP unittest.
Get rid of strcasestr call as win32 doesn't have it.
Fix windows adapter id being truncated for pcap mode.
Fixes for building in Cygwin.
Minor code cleanups fixing all GCC 4.6 compiler warnings for default, debug and unittests mode.
Fix CUDA build.
Fix an invalid free in bpf code.
Bump version to 1.1 (final)
Add content to ChangeLog and add links to more up to date versions of various docs.
Add -S commandline option that loads a rule file exclusively. Issue #338.
Set version to 1.2dev to reflect we're in the 1.2 branch.
Consider Windows new line chars as well when parsing rule files. Bug #374.
Clean up SID allocation for decoder and stream rules.
Fix stream reassembly engine rejecting valid packet for reassembly.
flow: support requeue of flows from closed to new list for TCP ssn reuse.
stream: improve TCP ssn reuse cleanup.
stream reassembly: simplify base_seq tracking for protocol detection. Shrinks TcpStream structure.
App Layer cleanup
flow: shrink Flow datatype
Small optimizations to IPV4 and TCP header parsing.
Handle all strings as raw strings in HTTP content-type and content-disposition header parsing.
Improve HTTP multipart parsing, add streaming parsing for files.
Implement flow file storage API, create HTP wrappers for it, use it in HTTP parsing.
Improve testing and fix some bugs.
Allow for 0 (unlimited) HTTP request_body_limit, fix option parsing.
Add a file descriptor to the flow file structure.
Initial checkin of a log-file module, that can write files extracted from flows to disk.
Fix setting libhtp personality.
Fix a bug in the HTTP file closing.
log-file log-dir option added, meta file created, fixes.
Add negation to filename and fileext, use same syntax as with content.
Cleanups to the Multipart parsing code. Fixes to negation in filename and fileext.
Adding comments, some cleanups.
Add file log to default suricata.yaml.
Fix not using new htp callback when using the bundled htp. Add indication to --build-info. Fix valgrind warning in test and further improve test.
Add support for extracting PUT files.
Fix improper error handling in http body chunk function.
Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored.
Add libmagic detection, linking and a basic API.
Initial implementation of filemagic keyword.
Make sure filemagic works properly regardless of filestore being in use for a flow.
Remove unused util-filetype.[ch] from Makefile.am.
file-extraction: Disconnect file handling from flow and move into the app layer state.
file-extraction: remove no longer used files.
Prepare HTTP response body tracking.
File carving -- enable response file extraction
Don't store fd per file (too many fds). Enable IPv6 storing. Close file on receiving stream end flag.
file extract: pruning
file extract: split toserver and toclient tracking
file inspect: stateful inspection split
Fix a multipart body parsing issue.
Fix code after rebase.
file handling: filemagic matching improvement
Make sure we check the sgh for no magic and no store once per flow direction.
Update suricata.yaml for file extraction.
file handling: add example files.rules file
Remove duplicate include.
Fix merge artefact.
Add magic-file example to suricata.yaml.
Add missing file util code.
file handling: improve filestore keyword handling
Improve handling of packets when stream is in the fin_wait1 or fin_wait2 state.
stream reassembly: account stream gaps
Stream reassembly / app layer: disable gap errors
Stream engine: gap handling
file handling: expand filestore keyword
Don't consider payload len in ACK value validation check.
Convert StreamTcpSetEvent function into macro. Eases debug.
Add checksum validation rules to decoder events rules.
Add debug output to engine event.
Unify output functions for alert-debug for IPv4 and IPv6.
Fix filestore related segv.
Don't parse layers / ext headers above ipv6 frag header. This is taken care of by defrag.
Lower flow manager wake up timer to 0.4 seconds as that performs 2% better in my tests.
flow manager: timing change
Clean up for unittests code: only compile unittest api code when unittests are enabled. Fix unittest code that wasn't wrapped in the proper UNITTESTS ifdefs.
Fix a compile warning when debug is enabled.
Support libhtp's different handling of CONNECT requests.
Add some debug statements for debugging a smtp issue.
HTTP transaction handling improvement
Improve debug validation code for packet, add new macro for flow.
Fix unified2 setting the wrong eth_type.
Add missing hash row unlock.
flow engine: introduce FlowRequeueMoveToBot
flow engine: introduce FlowRequeueMoveToSpare
flow engine: remove unneeded 'need_srclock' argument for FlowRequeue
flow engine: make FlowEnqueue lock the queue. Adapt callers.
flow engine: convert flow hash code FlowRequeue call to FlowEnqueue.
flow engine: no longer allow FlowRequeue to be called with the same src and dst queue.
flow engine: minor cleanup.
flow engine: release flow lock earlier in flow kill/prune process. Minor cleanups.
Fix ParseSizeString return code and a compiler warning.
Make sure existing log-pcap and unified2-alert 'limit' settings don't break.
Introduce http_server_body keyword.
Optimize detection engine prefiltering logic.
Detection engine -- mpm
Fix signature flag definitions on 32 bit.
Rename signature init flags to indicate they are init flags.
Remove SIG_FLAG_MPM_URI flag. It was checked but never set.
Remove per sgh mpm_streamcontent_maxlen variable. It was checked but never set.
Remove SIG_FLAG_MPM flag.
Merge all http mpm related signature flags into a single set: SIG_FLAG_MPM_HTTP and SIG_FLAG_MPM_HTTP_NEG.
Shrink signature flags field to 32 bits.
file-data: create initial keyword registration.
file-data: initial file_data support
file-data: implement relative pcre support.
file-data: make bytejump, bytetest, byteextract and isdataat work better with file_data.
file-data: add more unittests
Remove unused variable.
Fix compiler warnings in a couple of unittests.
file store: respect flowbits and other keywords
Fix filestore match code not expecting NULL file ptr.
Rework the way the http parser can tell the de_state to reset its file section on arrival of new files in the same tx. Fixes a dead lock in the auto runmode.
Remove duplicate sys/prctl.h configure check. Wrap another include in HAVE_SYS_PRCTL_H.
Remove stream BUG_ON's that could fire on TCP session reuse.
Update Changelog to reflect changes in 1.1.1 and 1.2beta1.
Add md5 to reference.config.
Will Metcalf (7):
libpcap stuff v2
more project name updates
import of gplv2 LICENSE
configure.in update
updated to include more rulesets more sane vars
fixes for init failure stuff
more fixes for exit on sig init failure
William (9):
PF_RING hang at exit fix
Convert to logging perf stats to file by default. Add a few columns to output avg ticks per match, avg ticks non match, allow sorting on based on them.
Experimental support for PCRE-sljit enable via --enable-pcre-sljit
Add Num, Rev, and Gid columns to rule perf output
Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required.
Only set PF_RING cluster if we have more than one receive thread. Gives us accurate drop stats.
Only check for PF_RING if we enable PF_RING.
Fix for silly pcap counters mistake made by me. ps_recv includes dropped packets.
Actually limit recursion and backtracking and stack usage by PCRE. Logic was broken, no example was provided in suricata.yaml even though it could be set from there.
William Metcalf (124):
adding autojunk.sh
groups fixed for pcre < 7
fixed sig written with ?<http_uri
NFQUEUE drop support added with ident of 4 :-(
updates for configure.in, added reject code, some decode stuff for tcp
udp decoding added icmp unreachables added to reject
added macros for ICMP defines
added fix for compiler warning in reject code
libpcap fixes for error handling and defines
Multi-Threading capable libpcap
Remove Libpcap GlobalVars from source-pcap.c
Small debug fix in decode-udp.c
source-pcap.c comments modified for doxygen formatting
Small regex fix for portlists in detect-parse.c
Added doxygen.cfg file and doc directory
Moved GITGUIDE to doc/
Updated flow parsing code for validation, added unit tests, fixed stateless check
Small printf fixes to detect-flow
Updated configure.in for libpcre libpthread libpcap checking
Update to libtoolize command in autojunk.sh for build on CentOS
Made NFQ optional via --enable-nfqueue, --enable-logsigs will now load local.rules in the path other fixes
Added unit tests to detect-content.c to show problems with escaped chars ; " \ : in snort rule lang
fix regression in detect-parse.c
added optional option to specify signature file to load
Added acsite.m4 for missing CentOS defs/macros
Added C99 defs/macros to acsite.m4 for CentOS
added detection of PF_RING for -lpfring enabled pcap
compile fix for source-nfq.c
fix for older libc's missing def for IPPROTO_DCCP
missing memsets in pppoe unit tests
comment out printf for unittest format
fix for duplicate lib linking, remove call to libnet-config
changed sigs for http logging to use established keyword
added support for escapes inside of msg keyword
native PF_RING support with fixes
invalid negation unittests added
added --enable-debug config option to set -DDEBUG
remove invalid dir from pcre + unit test
verify valid port range
split out pcre parsing fixed some errors
change debug code around to use global log dir
various unittest fixes for detect-engine-sigorder
fixes to mimic snort escape behavior in msg
unittest regex changes and fixes
added check for full al_parser_table
fixed for invalid netmask being set to 0
detect-msg changes and unittests
silence pfring compiler warning
updated INSTALL, moved other doc files to doc/, deleted Welcome
failed unittest for within distance
detect-dsize regex doxygen logging subsys changes
port space negation notification
added --enable-gccprotect to optionally detect and enable compile time protections
failing unit test where fast_pattern rule and non-fast_pattern rule inspect same payload
shellcode ports var should be negated
more invalid netmask fixes and unittest
unit test showing flags:0 alerting when it shouldn't
small fixes to htp detection in configure.in
FreeBSD correct arch specific gettid defs
failing unittest rules with same content match fail
failing unit test depth doesn't take into account offset
failing unit test showing negated pcre treated as nonnegated match
raw pcap support, additional ipv4/6 validation
small unittest fixes to decode-raw.c
--enable-gccprofile sets -pg flag detect presence of pcre recursion
new pfring runmode for quad core, other small pfring fixes
added configure option for enabling march=native gcc 4.2 and later
small fix for ! inside of content match
bpf support for pcap modes
printf to logging subsys conversion for src/detect-bytejump.c
pcap and pfring exit stats
small fix for source-pfring.c after stat err rename
import of integrated htp lib and small libnet fixes
Rolled back to 0.2.x branch renamed htp to libhtp
Steve Grub fixes... Thanx Steve!
switch from autojunk.sh to more standard autogen.sh
small PF_RING update cmd line opts changed
Import of fuzzer script qa/wirefuzz.pl
libnet now optional
Small windows fixes: ifdef wrapper for netinet/in.h; O_NOFOLLOW def missing so added ifndef define; install doc updated.
Import of classification.config
Integration of libhtp-0.2.3 rev 199
Small fix where a space was added before \n in fast-log if a xref wasn't used
Import of GPLv2 Header 050410
Small wrapper fixes to allow for windows compilation
small CentOS 4 workarounds
increment packet count before assigning value, tshark/wireshark starts with pkt no 1 so should we
clang fixes for null dereferences
Added an install doc for PF_RING to doc/INSTALL.PF_RING
Updates to the fuzzer script. Some clean up but you can now also: 1. Keep log files. 2. Exclude files based on user supplied regex.
only show cli opts via help that we have support for
Null deref fixes for util-radix-tree.c
Null deref fix for detect-engine-address.c
Null deref fix for detect-engine-port.c
Null deref fix for detect-engine-iponly.c
Null deref fix for detect-tls-version.c
Null deref fix for detect-id.c
patch to configure.in for libhtp minimum version detection via PKG_CHECK_MODULES
compilation fixes for PF_RING and IPFW after removal of mutex_pending
More null deref fixes for util-radix-tree.c
GPL and Copyright header updates.
set proper caps based run_mode
Add option for setting pcap buffer size if it is available
updates to the INSTALL doc
add missing docs to Makefile.am
Updated windows install doc to add pkg-config to msys
fix for potential NULL deref on error in detect-http-method.c
small operator fixes to qa script
properly init flows inside of unit-tests caused lock-up when falling back to using mutex locks
Updates to allow for disabling options based on Pierre Chifflier's patch
Set -std=gnu99 CFLAG always and Use -march=native by default if supported by installed version of gcc
FLOW_DESTROY added to clean-up UT's that init flow
change LogInfo to LogDebug for icmp seq matches
missing flow init in DetectTagTestPacket04 fix ut lockup on older OSes
PacketQueue postp added to TmEcodes for ipfw and pf_ring to silence compiler warnings
seems to be a race between FlowTestPrune and FLOW_DESTROY in FlowTest0*; comment out the latter for now
pkg-config detection added to configure.in added to install doc except for OSX
Fixed broken nocase for http_method and http_header
Doc update for EPEL install link
compilation fix missing UT ifdef wrapper in reference code
Add the ET reference.config file as a default
first stab at pcap logging no rotating buff etc
Add -z option for excluding pcaps from fuzzing.. What you don't want to fuzz a 750G pcap?
You spin me right round baby, right round like a rotating packet capture right round. Oh, also log file size counters are now uint64_t
deltay (6):
#277 Add -F option to load bpf filter from file
#277 ignore bpf filter if fread failed.
Register http parser callbacks in the right place.
Add pfring bpf filter, require pfring >= 5.1
Get pidfile from config file if not available in command options
ignore signal SIGPIPE and SIGSYS
famousjs (4):
Added welcome file
Email test
Email welcome
Email test
pilcrow (2):
Safer macro parenthesization and do/while use
Always try PCRE_NO_AUTO_CAPTURE first for signature regexes.
root (13):
Small fixes
fix smb and dcerpc unit tests
better smb parsing
smb2 work
smb2 work
DCERPC BIND work
bind and bind_ack tracking
64 bit portability
fix bug 61
endianness handling update
add stubdata pointer
pfring support lb type, and now uses logging subsys
Return 0 instead of -1 when SMB and DCERPC encounter non fatal errors to clean up errors emitted in AppLayerParse.
-----------------------------------------------------------------------
hooks/post-receive
--
OISF