[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-2.0beta1-227-ge383cc2
noreply at openinfosecfoundation.org
Mon Sep 30 10:42:04 UTC 2013
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".
The branch, master has been updated
via e383cc27cd459af1b720a2f3be73c757464bfad0 (commit)
via 980934d670864c627c07a7c52966bda45df29e78 (commit)
via fc826140256290375e3a455563cff9d6d65d443b (commit)
via 06db1e4cb821cb33036c7a456af5fa399f0ca069 (commit)
via 558f5705eb622c86c47c5e03b03cf0213f81b30a (commit)
via 36220b689bed814796e471f4788dd0e33518c596 (commit)
via af1df7a89d5113a6fe680a0ee73006173e41deca (commit)
via 3ec411486e93f201628b366321a15a6e4df6256f (commit)
via d76a5bedbc51a862e3a6722c3c05ae7bd8eb7c75 (commit)
via 96d1ba9106211c4a810615c3ddc34ab55274309c (commit)
via 2cb5bdd3fab4e74f161f3e649e5b0dd9ead4153d (commit)
via e42905f3b9588b3863f1f3588782e97c7a6ce5b2 (commit)
via 6bef5fda06d756663bdf07f94761ae5d23cc1966 (commit)
via 976a86def44bf45b866a7599062523875b46def8 (commit)
via 16144fe38aec318cbb129c566822b487ec715a82 (commit)
via 8ae92c7a5e280e09df65589b45604421a0c92cc3 (commit)
via d0c5f51293d88d123f99dbc4f20ece5cbc77e870 (commit)
via 6eb8f66f0ae6bac3891c9716cb9380138eb6c793 (commit)
via f592c481dc42e7c69ceb390686ca58b67a3e78d8 (commit)
via 9e4eec200f70966036de19e2972ce1e1a19d3ef6 (commit)
via b1dffdfbe0b28962d013cfdad4e52b86a9e0c906 (commit)
via 5e2d9dbdc3079bcdb1a86536aa2e0f615078b32b (commit)
via 60a2b157b2935650fd0c45b68b73629d0092f355 (commit)
via 1077acecd797431364d724d02e426f3b4319e3d0 (commit)
via 6cb0014287db8d7d21a7d0247545fc5a5d6778b8 (commit)
via 64b0939b4a51cf3c23ec4c2c79f28e2edc23f31f (commit)
via 0d7159b525f36dd77c68fee22d6c6ef363e084cd (commit)
via 22c05da3cd938810a102b7862f379417314cb0de (commit)
via c044541b1cc1c892d8ffcb49a7c0251afe689275 (commit)
via 00f546e739a3439799c0fa9456338ba36351b38c (commit)
via 4f7339c423a905f4d39c641cf5c5fa690a1dc46d (commit)
via 8e8bc49063702fb92387bfaabddd96aca09a6816 (commit)
via 94e40907e2f8b8aa4b32f65e485b423ac613bd27 (commit)
via 6f8cfd999f868cde0f52a80c571bdbddb41efa17 (commit)
via ddde572fbad2163994ea38097c54dfb6d381615c (commit)
via d9686fae57f85f2bd4808dabc327c1c6ce7ef7d7 (commit)
from 48b5513ed91b3b85449bce7c60fd893efd119b75 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e383cc27cd459af1b720a2f3be73c757464bfad0
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Sep 29 22:15:46 2013 +0530
Fix a leak in probing parsers. We were freeing just the head of the list,
instead of all the members.
commit 980934d670864c627c07a7c52966bda45df29e78
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Sep 29 22:15:21 2013 +0530
Fix a leak in app layer parser proto code. Free the proto signatures
allocated internally for PM parser.
commit fc826140256290375e3a455563cff9d6d65d443b
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Sep 29 22:11:34 2013 +0530
Fix mem leak in b2g.
commit 06db1e4cb821cb33036c7a456af5fa399f0ca069
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sat Sep 28 13:08:13 2013 +0530
Remove unused vars alp_content_module_handle and proto_map from
struct AlpProtoDetectCtx.
commit 558f5705eb622c86c47c5e03b03cf0213f81b30a
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sat Sep 28 12:20:59 2013 +0530
Remove the unused flow flags - FLOW_TS_PM_PP_ALPROTO_DETECT_DONE and
FLOW_TC_PM_PP_ALPROTO_DETECT_DONE.
commit 36220b689bed814796e471f4788dd0e33518c596
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sat Sep 28 08:48:47 2013 +0530
Reset some flow flags when port numbers are re-used and we re-use the
flow as a part of a new session.
commit af1df7a89d5113a6fe680a0ee73006173e41deca
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Thu Sep 12 20:22:52 2013 +0530
Remove the smtp parser restriction that it accepts data only in to client
direction first.
commit 3ec411486e93f201628b366321a15a6e4df6256f
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Wed Sep 11 15:30:26 2013 +0530
Fix compilation failure when we don't enable unittests. Got to #ifdef
ALPROTO_TEST.
commit d76a5bedbc51a862e3a6722c3c05ae7bd8eb7c75
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Wed Sep 11 12:52:47 2013 +0530
Update stream inline to use the improved app proto detection.
commit 96d1ba9106211c4a810615c3ddc34ab55274309c
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Mon Sep 9 18:29:58 2013 +0530
Cosmetic changes to app parser struct.
Removed a flag parameter introduced earlier to indicate the data
that is first acceptable by the parser. We now use a differently
named parameter to carry out the same activity.
commit 2cb5bdd3fab4e74f161f3e649e5b0dd9ead4153d
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Mon Sep 9 18:10:33 2013 +0530
Cosmetic changes to code. Introduce human readable flag values for some constants. Here the parameter in question is "data_first_seen_dir" for session context.
commit e42905f3b9588b3863f1f3588782e97c7a6ce5b2
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Mon Sep 9 17:19:32 2013 +0530
indentation fix.
commit 6bef5fda06d756663bdf07f94761ae5d23cc1966
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Mon Sep 9 16:55:13 2013 +0530
If we have proto mismatch from 2 directions, use one of the protos, instead of erroring out and not sending the data further to the parser.
The logic we use currently is if we have already sent some data to
a parser before we figure out we have a proto mismatch, we use the
proto from the first direction from which we have already sent the
data to the parser, else we stick to the to client direction.
commit 976a86def44bf45b866a7599062523875b46def8
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Mon Sep 9 12:04:20 2013 +0530
Introduce convenience macro to set Stream app proto completion flag.
commit 16144fe38aec318cbb129c566822b487ec715a82
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sat Aug 31 08:06:26 2013 +0530
Rename function pointer var to use the FuncPtr typing convention. Resupply "dns" as the alproto name for ALPROTO_DNS.
commit 8ae92c7a5e280e09df65589b45604421a0c92cc3
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Fri Aug 30 16:01:33 2013 +0530
Add unittest to test for http ambiguous host header.
Previously we would not check the port part of the host from the uri
hostname, while we did use the port part from the host header, leading
to FPs.
commit d0c5f51293d88d123f99dbc4f20ece5cbc77e870
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Mon Aug 19 20:52:17 2013 +0530
Update rule engine relationship with regard to setting ip protocol between specifying protocol after action, ip_proto and app-layer-protocol.
Now we can specify alproto, ip_proto combinations this way
alert dns (ip_proto:[tcp/udp];)
alert ip (app-layer-protocol:dns;)
alert ip (app-layer-protocol:dns; ip_proto:tcp;)
alert tcp (app-layer-protocol:dns;)
so on. Neater than using dnstcp/dnsudp.
This is related to feature #424.
commit 6eb8f66f0ae6bac3891c9716cb9380138eb6c793
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Mon Aug 19 11:06:30 2013 +0530
alert ipv4 and alert ipv6 specified proto rules should be treated as PROTO_ANY just like how we treat alert ip rules.
commit f592c481dc42e7c69ceb390686ca58b67a3e78d8
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Aug 18 19:36:55 2013 +0530
Introduce a separate inspection engine for app events.
commit 9e4eec200f70966036de19e2972ce1e1a19d3ef6
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sat Aug 17 17:49:47 2013 +0530
Update htp event handler to both warning and error events regardless of any conditions.
commit b1dffdfbe0b28962d013cfdad4e52b86a9e0c906
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Fri Aug 16 20:08:53 2013 +0530
Add app layer protocol packet event detection support.
commit 5e2d9dbdc3079bcdb1a86536aa2e0f615078b32b
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Aug 11 18:16:53 2013 +0530
Add and use EventGetInfo for getting info on an event.
Also update existing parsers and app-layer-event Setup to use this.
commit 60a2b157b2935650fd0c45b68b73629d0092f355
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Mon Aug 5 20:07:28 2013 +0530
Fix duplicate packet decoder events. Add event entries that were missing as well.
commit 1077acecd797431364d724d02e426f3b4319e3d0
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Mon Aug 5 18:57:44 2013 +0530
validate dns sigs that are reported as plain dns and not dnsudp or dnstcp.
commit 6cb0014287db8d7d21a7d0247545fc5a5d6778b8
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Mon Aug 5 11:16:05 2013 +0530
Move app event module registration as a part of app layer proto table.
commit 64b0939b4a51cf3c23ec4c2c79f28e2edc23f31f
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Aug 4 17:38:54 2013 +0530
code cleanup.
commit 0d7159b525f36dd77c68fee22d6c6ef363e084cd
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Aug 4 12:08:59 2013 +0530
App layer protocol detection updated and improved. We now use
confirmation from both directions and set events if there's a mismatch
between the 2 directions.
FPs from corrupt flows have disappeared with this.
commit 22c05da3cd938810a102b7862f379417314cb0de
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Aug 4 01:31:32 2013 +0530
Replace ssn appproto_detection_completed flag with individual stream ones.
commit c044541b1cc1c892d8ffcb49a7c0251afe689275
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Aug 4 01:10:10 2013 +0530
Provide convenience macros for setting flow flags on protocol matching by
PM and PP phase.
Replace the areas of the code that would otherwise rely on setting/reading
these flags with these macros.
Other minor tweaks to some api calls.
commit 00f546e739a3439799c0fa9456338ba36351b38c
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Aug 4 00:52:45 2013 +0530
update pmp to return whole set of matches, rather than a single match.
commit 4f7339c423a905f4d39c641cf5c5fa690a1dc46d
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Aug 4 00:03:46 2013 +0530
code cleanup.
commit 8e8bc49063702fb92387bfaabddd96aca09a6816
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sun Aug 4 00:03:23 2013 +0530
Introduce detection parser function pointer.
commit 94e40907e2f8b8aa4b32f65e485b423ac613bd27
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sat Aug 3 19:46:46 2013 +0530
feature #727 - Add support for app-layer-protocol:<protocol> keyword
commit 6f8cfd999f868cde0f52a80c571bdbddb41efa17
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Sat Aug 3 14:53:13 2013 +0530
Allow detection ports for alproto to be specified via the conf file.
To understand the option have a look at the option
app-layer.protocols.tls.detection-ports
commit ddde572fbad2163994ea38097c54dfb6d381615c
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Fri Aug 2 21:42:58 2013 +0530
Introduce new options into the conf file to enable/disable -
1. Proto detection
2. Parsers
For app layer protocols.
libhtp has now been moved to the section under app-layer.protocols.http,
but we still provide backward compatibility with older conf files.
commit d9686fae57f85f2bd4808dabc327c1c6ce7ef7d7
Author: Anoop Saldanha <anoopsaldanha at gmail.com>
Date: Fri Aug 2 15:23:35 2013 +0530
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port ranges and other such combinations. Support PP for ports based on ipproto as well.
-----------------------------------------------------------------------
Summary of changes:
src/Makefile.am | 2 +
src/app-layer-dcerpc-udp.c | 33 +-
src/app-layer-dcerpc.c | 35 +-
src/app-layer-detect-proto.c | 341 +-
src/app-layer-detect-proto.h | 24 +-
src/app-layer-dns-common.c | 23 +-
src/app-layer-dns-common.h | 3 +
src/app-layer-dns-tcp.c | 83 +-
src/app-layer-dns-udp.c | 82 +-
src/app-layer-ftp.c | 35 +-
src/app-layer-htp.c | 132 +-
src/app-layer-parser.c | 5142 +++++---------------
src/app-layer-parser.h | 148 +-
src/app-layer-protos.c | 81 +-
src/app-layer-protos.h | 4 +-
src/app-layer-smb.c | 61 +-
src/app-layer-smb2.c | 18 +-
src/app-layer-smtp.c | 166 +-
src/app-layer-ssh.c | 26 +-
src/app-layer-ssl.c | 131 +-
src/app-layer.c | 3112 ++++++++++++-
src/app-layer.h | 7 +-
src/decode-events.c | 121 +-
src/decode-events.h | 106 +-
src/decode.h | 5 +
src/detect-app-layer-event.c | 552 ++-
src/detect-app-layer-protocol.c | 412 ++
src/{util-ip.h => detect-app-layer-protocol.h} | 16 +-
src/detect-byte-extract.c | 2 +
src/detect-dns-query.c | 73 +-
src/detect-engine-apt-event.c | 75 +
...{detect-http-hh.h => detect-engine-apt-event.h} | 17 +-
src/detect-engine-event.h | 81 +-
src/detect-engine-proto.c | 20 +-
src/detect-engine-state.c | 13 +-
src/detect-engine-state.h | 1 +
src/detect-engine.c | 8 +
src/detect-ftpbounce.c | 5 +-
src/detect-http-header.c | 82 +
src/detect-ipproto.c | 409 ++
src/detect-parse.c | 237 +-
src/detect-ssh-proto-version.c | 11 +-
src/detect-ssh-software-version.c | 12 +-
src/detect-tls.c | 44 +-
src/detect.c | 7 +-
src/detect.h | 4 +
src/flow-util.h | 8 +
src/flow.h | 8 +-
src/runmode-unittests.c | 2 +
src/stream-tcp-private.h | 23 +-
src/stream-tcp-reassemble.c | 1091 +++--
src/stream-tcp-reassemble.h | 7 +
src/stream-tcp.c | 12 +-
src/stream-tcp.h | 6 +
src/util-mpm-b2g.c | 6 +
suricata.yaml.in | 207 +-
56 files changed, 7744 insertions(+), 5628 deletions(-)
create mode 100644 src/detect-app-layer-protocol.c
copy src/{util-ip.h => detect-app-layer-protocol.h} (73%)
create mode 100644 src/detect-engine-apt-event.c
copy src/{detect-http-hh.h => detect-engine-apt-event.h} (59%)
hooks/post-receive
--
OISF