[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-4.0.1-188-g979f964
OISF Git
noreply at openinfosecfoundation.org
Wed Dec 20 14:35:24 UTC 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".
The branch, master has been updated
via 979f964260a11e938ec240dba7f52d9772a8972a (commit)
via a9ac6db0dd4372e35ec6e9f2f05adc602ac90a07 (commit)
via 6e65cf138ba8c4d1f65efe8564ce554efb53a132 (commit)
via ac0ae2dcd1ec207e95ef4801c3469c17c392d2a6 (commit)
via ccf202a4f0acb2b46e4d2921129f22f66e329003 (commit)
via 948dee9a981c53f5dc5f36fd671626a8364f43b0 (commit)
via aac15854b41c7db199e6c88ded3b1029341c6b33 (commit)
via 0b97fbbc137fa4e077019b7c690b6723129d6a40 (commit)
via 4438e34ed906b562247d26de6169d3ac5fb7f035 (commit)
via bc46d9a72f82f6eb4d903d60ff5701f985410469 (commit)
via a8b0825c1847b4f680afc0a05046f665df9c8aea (commit)
via 553cd0dc98770ac495a49048a72bf109075d94a7 (commit)
via 189b521239a2be4da2da833f9fd5b2474e4a9464 (commit)
via 711b6fb389d36f10afc72450cc2ae0b81d4f6935 (commit)
via 24f745553c501064f4df2405454aec367236f74c (commit)
via f5ba4c231de27e7b0d9f66177877725c7979294a (commit)
via cbce2c78bd779daeafc541bd6f182941c14eeae0 (commit)
via b0a6934431fc961fcf500400003a719462afe980 (commit)
via 140f8baed99498b734d42254175e141ea8cb784a (commit)
via 31a0783865cd0d4c4c8d4b5020620c534ea2e135 (commit)
via 2d68050e609f12f7f40078de366125f3777efd06 (commit)
via 5be5e7c879b0c095335e5f521e901dceffeb55a5 (commit)
via 7f9f130ec320913d4276ca4607c1d19d8bae55d8 (commit)
from 70695201f6eb6099da2f5cc18656573024146702 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 979f964260a11e938ec240dba7f52d9772a8972a
Author: Victor Julien <victor at inliniac.net>
Date: Sat Oct 14 23:14:31 2017 +0200
hostbits: fix test setup
commit a9ac6db0dd4372e35ec6e9f2f05adc602ac90a07
Author: Victor Julien <victor at inliniac.net>
Date: Sat Oct 14 10:09:57 2017 +0200
file_data: move tests into tests/
commit 6e65cf138ba8c4d1f65efe8564ce554efb53a132
Author: Victor Julien <victor at inliniac.net>
Date: Thu Oct 12 18:19:23 2017 +0200
file_data: unify inspect engines
Call HTTP from the generic file_data engine.
commit ac0ae2dcd1ec207e95ef4801c3469c17c392d2a6
Author: Victor Julien <victor at inliniac.net>
Date: Fri Sep 29 23:09:15 2017 +0200
file_data: smtp file_data to generic file_data
Generalize the SMTP file_data inspection into a 'files'
file_data inspection that can be used for any protocol
that uses the File API.
commit ccf202a4f0acb2b46e4d2921129f22f66e329003
Author: Victor Julien <victor at inliniac.net>
Date: Sun Oct 8 18:28:30 2017 +0200
detect: minor cleanup
commit 948dee9a981c53f5dc5f36fd671626a8364f43b0
Author: Victor Julien <victor at inliniac.net>
Date: Sun Oct 8 18:23:22 2017 +0200
app-layer: use bool for 'HasDecoderEvents'
commit aac15854b41c7db199e6c88ded3b1029341c6b33
Author: Victor Julien <victor at inliniac.net>
Date: Tue Nov 7 11:28:01 2017 +0100
detect: no tcp flags in mask for pseudo packets
commit 0b97fbbc137fa4e077019b7c690b6723129d6a40
Author: Victor Julien <victor at inliniac.net>
Date: Sun Dec 17 20:08:12 2017 +0100
detect/mpm: micro optimization in setup
commit 4438e34ed906b562247d26de6169d3ac5fb7f035
Author: Victor Julien <victor at inliniac.net>
Date: Sun Oct 8 14:28:19 2017 +0200
detect: remove old simd references
commit bc46d9a72f82f6eb4d903d60ff5701f985410469
Author: Victor Julien <victor at inliniac.net>
Date: Wed Dec 20 09:30:42 2017 +0100
decode/vlan: don't consider ARP 'unknown'
commit a8b0825c1847b4f680afc0a05046f665df9c8aea
Author: Victor Julien <victor at inliniac.net>
Date: Wed Dec 20 09:03:33 2017 +0100
pfring: minor code cleanups
commit 553cd0dc98770ac495a49048a72bf109075d94a7
Author: Victor Julien <victor at inliniac.net>
Date: Wed Dec 20 08:57:29 2017 +0100
pfring: add warning for stripped vlan header case
According to PF_RING upstream the vlan header should never be stripped
from the packet PF_RING feeds to Suricata. But upstream also indicated
keeping the check would be a good "safety check".
So in addition to the check, add a warning that warns once (per thread
for implementation simplicity) if the vlan hdr does appear to be stripped
after all.
commit 189b521239a2be4da2da833f9fd5b2474e4a9464
Author: Victor Julien <victor at inliniac.net>
Date: Tue Dec 19 20:17:39 2017 +0100
pfring: fix vlan handling issues
When Suricata was monitoring traffic with a single vlan layer, the stats
and output instead showed 2. This was caused by the fact that the raw packets
PF_RING feeds Suricata hold the vlan header, but the code assumed that
the header was stripped and the vlan_id passed to Suricata through
PF_RING's extended_hdr.parsed_pkt.
This patch adds the following logic: Check vlan id from the parsed packet
PF_RING prepared. PF_RING sets the vlan_id based on its own parsing or
based on the hardware offload. It gives no indication on where the vlan_id
came from, so we rely on the vlan_offset field. If it's 0, we assume the
PF_RING parser did not see the vlan header and got it from the hardware
offload. In this case we will use this information directly, as we won't
get a raw vlan header later. If PF_RING did set the offset, we do the
parsing in the Suricata decoder so that we have full control.
PF_RING *should* put back the vlan header in all cases, and also set the
vlan_offset field, but as an extra precaution keep the check described
above.
Bug #2355.
commit 711b6fb389d36f10afc72450cc2ae0b81d4f6935
Author: Eric Leblond <eric at regit.org>
Date: Fri Nov 24 16:59:34 2017 +0100
app-layer-ftp: add memcap for ftp
Add a memory cap for the FTP protocol.
commit 24f745553c501064f4df2405454aec367236f74c
Author: Eric Leblond <eric at regit.org>
Date: Sun Nov 19 20:27:17 2017 +0100
doc: update file extraction document
Define the list of protocol parsers supporting extraction in one
single place following Andreas Herz' suggestion.
commit f5ba4c231de27e7b0d9f66177877725c7979294a
Author: Eric Leblond <eric at regit.org>
Date: Sun Nov 19 20:22:46 2017 +0100
doc: update following ftp-data changes
commit cbce2c78bd779daeafc541bd6f182941c14eeae0
Author: Eric Leblond <eric at regit.org>
Date: Sun Nov 19 20:21:08 2017 +0100
detect-ftpdata: match on ftp-data operation
This keyword matches on ftp operation STOR and RETR. It will allow
rule writers to select if the alert has to be on a put or a fetch
operation.
It is now possible to write a signature like:
alert ftp-data any any -> any any (msg:"FTP data get firmware"; ftpdata_command:retr; sid:2; rev:1;)
to alert when a file is retrieved from an FTP server.
commit b0a6934431fc961fcf500400003a719462afe980
Author: Eric Leblond <eric at regit.org>
Date: Wed Sep 13 15:48:29 2017 +0100
app-layer-ftp: add ftp-data support
Use expectations to be able to identify connections that are
ftp data. It parses the PASV response, STOR message and the
RETR message to provide extraction of files.
Implementation in Rust of FTP message parsing is available.
Also this patch changes some var names prefixed by ssh to ftp.
commit 140f8baed99498b734d42254175e141ea8cb784a
Author: Eric Leblond <eric at regit.org>
Date: Tue Sep 12 14:11:01 2017 +0100
app-layer-expectation: expectation system
This patch provides a working expectation system. This will allow
suricata to have a way to identify parallel connections opened by
a protocol such as FTP.
Expectations are a chained list and there is a cleaning by timeout
of the entries.
This patch also defines a counter of expectations that is also
used to check if we need to query IPPairs. This way we only query
the IPPairs store if we have an expectation.
commit 31a0783865cd0d4c4c8d4b5020620c534ea2e135
Author: Eric Leblond <eric at regit.org>
Date: Tue Sep 12 16:43:41 2017 +0100
app-layer: add Flow to probing parser functions
commit 2d68050e609f12f7f40078de366125f3777efd06
Author: Eric Leblond <eric at regit.org>
Date: Sat Sep 16 13:28:22 2017 +0100
flow: add parent_id field
This patch adds a parent_id field to the Flow structure that
contains the flow ID of the parent connection for protocols with
dynamic parallel connection opening like FTP.
commit 5be5e7c879b0c095335e5f521e901dceffeb55a5
Author: Eric Leblond <eric at regit.org>
Date: Fri Sep 15 14:33:33 2017 +0100
detect: increase signature mask length
commit 7f9f130ec320913d4276ca4607c1d19d8bae55d8
Author: Eric Leblond <eric at regit.org>
Date: Tue Sep 12 22:53:51 2017 +0100
suricata: storage early to get it everywhere
-----------------------------------------------------------------------
Summary of changes:
doc/userguide/file-extraction/file-extraction.rst | 10 +-
doc/userguide/rules/ftp-keywords.rst | 31 +
doc/userguide/rules/index.rst | 1 +
rust/src/ftp/mod.rs | 110 ++++
rust/src/lib.rs | 1 +
src/Makefile.am | 4 +-
src/app-layer-detect-proto.c | 80 ++-
src/app-layer-detect-proto.h | 5 +-
src/app-layer-dnp3.c | 12 +-
src/app-layer-dns-tcp-rust.c | 3 +-
src/app-layer-dns-tcp.c | 11 +-
src/app-layer-dns-udp-rust.c | 3 +-
src/app-layer-dns-udp.c | 3 +-
src/app-layer-enip.c | 2 +-
src/app-layer-expectation.c | 331 +++++++++++
src/{detect-target.h => app-layer-expectation.h} | 14 +-
src/app-layer-ftp.c | 622 +++++++++++++++++++--
src/app-layer-ftp.h | 26 +
src/app-layer-modbus.c | 3 +-
src/app-layer-nfs-tcp.c | 4 +-
src/app-layer-nfs-udp.c | 4 +-
src/app-layer-parser.c | 10 +-
src/app-layer-parser.h | 4 +-
src/app-layer-protos.c | 3 +
src/app-layer-protos.h | 1 +
src/app-layer-smb.c | 3 +-
src/app-layer-ssl.c | 3 +-
src/app-layer-template.c | 2 +-
src/app-layer.c | 8 +
src/decode-vlan.c | 2 +
src/detect-engine-build.c | 13 +-
src/detect-engine-build.h | 2 +-
src/detect-engine-filedata-smtp.c | 563 -------------------
src/detect-engine-filedata.c | 278 +++++++++
...ne-filedata-smtp.h => detect-engine-filedata.h} | 20 +-
src/detect-engine-mpm.c | 5 +-
src/detect-engine-register.c | 2 +-
src/detect-engine-register.h | 1 +
src/detect-engine-state.c | 7 +-
src/detect-engine-state.h | 4 +-
src/detect-engine.c | 8 +-
src/detect-file-data.c | 48 +-
src/detect-filename.c | 8 +
src/detect-ftpbounce.c | 1 +
src/detect-ftpdata.c | 278 +++++++++
src/{detect-template.h => detect-ftpdata.h} | 26 +-
src/detect-hostbits.c | 1 +
src/detect.c | 12 +-
src/detect.h | 27 +-
src/flow-util.h | 2 +
src/flow.h | 26 +-
src/output-json-alert.c | 10 +-
src/output-json.c | 3 +
src/runmode-unittests.c | 2 +-
src/source-pfring.c | 58 +-
src/stream-tcp-util.c | 2 +
src/suricata.c | 2 +-
src/tests/detect-engine-filedata.c | 300 ++++++++++
src/tests/detect.c | 3 -
src/util-error.c | 1 +
src/util-error.h | 3 +-
suricata.yaml.in | 1 +
62 files changed, 2286 insertions(+), 747 deletions(-)
create mode 100644 doc/userguide/rules/ftp-keywords.rst
create mode 100644 rust/src/ftp/mod.rs
create mode 100644 src/app-layer-expectation.c
copy src/{detect-target.h => app-layer-expectation.h} (64%)
delete mode 100644 src/detect-engine-filedata-smtp.c
create mode 100644 src/detect-engine-filedata.c
rename src/{detect-engine-filedata-smtp.h => detect-engine-filedata.h} (71%)
create mode 100644 src/detect-ftpdata.c
copy src/{detect-template.h => detect-ftpdata.h} (62%)
create mode 100644 src/tests/detect-engine-filedata.c
hooks/post-receive
--
OISF