[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-2.0beta2-220-g385c041
noreply at openinfosecfoundation.org
Fri Jan 31 12:36:16 UTC 2014
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".
The branch, master has been updated
via 385c04164b7df5ab5dadcbeac4c6afd0a022fa5b (commit)
via 717c271e58f09e560cd6274dba119f45ba014934 (commit)
via 1e4421a7d46cb16257070458ce9748fd43564e41 (commit)
via 74fb60c010f7dcc09310d60ea45e1fac8491910d (commit)
via c07f5397f48b75f030acf904e6572b6ee083953f (commit)
via 2b60871bf1b898ba54e9494a3563a4f5dea2b534 (commit)
via 0032ad34d4b9c7ab8b56a4f9239df204c899c541 (commit)
via 0cf71befbb957f2e4919b809a4c6d709fe5b7c1c (commit)
via a6474bd6bf3a74865ae7c37dffcc759fc8cf4475 (commit)
via 9ef9a14315127a0464002ea36d8c9a2095bf6dc3 (commit)
via 0189b4d1ebf6f4834b2e3d2def1436dddaa624cc (commit)
via 6fd9b4b255abac78a4dff88dcd4d10f279c632ce (commit)
via 93a84180dc904c75c087fef06ddb800e0c54e87f (commit)
via eab0b7fae9d09de2a16e3edd46cb374365dd2b49 (commit)
via 7a9efd74e4d88e39c6671f6a0dda28ac931ffe10 (commit)
from 31a024c9b5a37ac17232806a72bfa7aa7acdaf2f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 385c04164b7df5ab5dadcbeac4c6afd0a022fa5b
Author: Victor Julien <victor at inliniac.net>
Date: Fri Jan 31 12:53:26 2014 +0100
Updated banned function cocci check
Added: strndup and strchrnul
Both are not supported on OS X 10.6. It's rather old, but it's the
only Mac QA box I have, so for now it'll have to do.
commit 717c271e58f09e560cd6274dba119f45ba014934
Author: Victor Julien <victor at inliniac.net>
Date: Fri Jan 31 12:52:36 2014 +0100
Replace strchrnul with strchr
And add a null check then of course. strchrnul isn't supported on
all platforms.
commit 1e4421a7d46cb16257070458ce9748fd43564e41
Author: Victor Julien <victor at inliniac.net>
Date: Fri Jan 31 12:25:16 2014 +0100
Remove SCStrndup
Removed the strndup wrapper as it's not available on all platforms.
commit 74fb60c010f7dcc09310d60ea45e1fac8491910d
Author: Victor Julien <victor at inliniac.net>
Date: Fri Jan 31 12:23:53 2014 +0100
Replace remaining SCStrndup calls
Replace them with BytesToString().
commit c07f5397f48b75f030acf904e6572b6ee083953f
Author: Victor Julien <victor at inliniac.net>
Date: Fri Jan 31 12:21:47 2014 +0100
Introduce BytesToString utility
Introduce a utility function to convert an array of bytes into a
null-terminated string:
char *BytesToString(const uint8_t *bytes, size_t nbytes);
All non-printables are copied over, except for '\0', which is
turned into literal '\' '0' in the string. So the resulting string
may be bigger than the input.
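The point of the utility described above is that a NUL-terminated copy (strndup and friends) silently stops at the first embedded '\0', so a binary field handed to the logger would be truncated, while the described conversion keeps every byte and only expands '\0'. The following is an added example that re-implements that described behaviour for illustration; it is not Suricata's BytesToString() code, and the function names and the sample byte string are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Suricata code: a re-implementation of the behaviour
 * the commit message describes for BytesToString(). Every byte is copied
 * as-is, except '\0', which becomes the two characters '\' and '0', so the
 * result is always a valid C string and can be longer than the input.
 * Returns a heap buffer the caller must free(), or NULL on failure. */
char *bytes_to_string_example(const uint8_t *bytes, size_t nbytes)
{
    /* First pass: count NULs so the output buffer is sized exactly. */
    size_t nnul = 0;
    for (size_t i = 0; i < nbytes; i++) {
        if (bytes[i] == 0)
            nnul++;
    }
    /* Guard the size arithmetic: nbytes + nnul + 1 must not wrap. */
    if (nnul > SIZE_MAX - 1 - nbytes)
        return NULL;

    char *out = malloc(nbytes + nnul + 1);
    if (out == NULL)
        return NULL;

    /* Second pass: copy, expanding each NUL to a two-character escape. */
    size_t j = 0;
    for (size_t i = 0; i < nbytes; i++) {
        if (bytes[i] == 0) {
            out[j++] = '\\';
            out[j++] = '0';
        } else {
            out[j++] = (char)bytes[i];
        }
    }
    out[j] = '\0';
    return out;
}

/* For contrast: how much of the same buffer a NUL-terminated copy such as
 * strndup(bytes, nbytes) would keep. It stops at the first embedded NUL. */
size_t nul_terminated_prefix_len(const uint8_t *bytes, size_t nbytes)
{
    size_t n = 0;
    while (n < nbytes && bytes[n] != 0)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample: a "filename" with an embedded NUL and a raw
     * control byte, the kind of field a logger receives from the parser. */
    const uint8_t sample[] = { 'a', 'b', 0x00, 'c', 0x01, 'd' };
    char *s = bytes_to_string_example(sample, sizeof sample);
    if (s == NULL)
        return 1;
    printf("escaped copy has %zu chars from %zu input bytes\n",
           strlen(s), sizeof sample);
    printf("a strndup-style copy would keep %zu bytes\n",
           nul_terminated_prefix_len(sample, sizeof sample));
    free(s);
    return 0;
}
```

Note that, as the commit message says, other non-printable bytes (here 0x01) are passed through unchanged, so whatever JSON encoder consumes the result still has to escape them itself.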
commit 2b60871bf1b898ba54e9494a3563a4f5dea2b534
Author: Victor Julien <victor at inliniac.net>
Date: Fri Jan 31 10:49:57 2014 +0100
json loggers: dup bstr with bstr_util_strdup_to_c
In various places SCStrndup was used to 'dup' a bstr string, however
libhtp provides bstr_util_strdup_to_c for this. As this is a cleaner
interface, it's preferred.
commit 0032ad34d4b9c7ab8b56a4f9239df204c899c541
Author: Victor Julien <victor at inliniac.net>
Date: Fri Jan 31 09:33:29 2014 +0100
stream: yaml addition for recent config options
commit 0cf71befbb957f2e4919b809a4c6d709fe5b7c1c
Author: Victor Julien <victor at inliniac.net>
Date: Thu Jan 30 16:23:44 2014 +0100
util-host-os-info: scan-build fix
util-host-os-info.c:202:13: warning: Potential leak of memory pointed to by 'user_data'
SCLogError(SC_ERR_INVALID_IPV6_ADDR, "Invalid IPV6 address inside");
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:278:35: note: expanded from macro 'SCLogError'
#define SCLogError(err_code, ...) SCLogErr(SC_LOG_ERROR, err_code, \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:214:82: note: expanded from macro 'SCLogErr'
char _sc_log_err_msg[SC_LOG_MAX_LOG_MSG_LEN] = ""; \
^~
1 warning generated.
commit a6474bd6bf3a74865ae7c37dffcc759fc8cf4475
Author: Victor Julien <victor at inliniac.net>
Date: Thu Jan 30 16:08:20 2014 +0100
util-host-os-info: scan build fixes
util-host-os-info.c:200:13: warning: Potential leak of memory pointed to by 'ip_str'
SCLogError(SC_ERR_INVALID_IPV6_ADDR, "Invalid IPV6 address inside");
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:278:35: note: expanded from macro 'SCLogError'
#define SCLogError(err_code, ...) SCLogErr(SC_LOG_ERROR, err_code, \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:214:82: note: expanded from macro 'SCLogErr'
char _sc_log_err_msg[SC_LOG_MAX_LOG_MSG_LEN] = ""; \
^~
util-host-os-info.c:200:13: warning: Potential leak of memory pointed to by 'user_data'
SCLogError(SC_ERR_INVALID_IPV6_ADDR, "Invalid IPV6 address inside");
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:278:35: note: expanded from macro 'SCLogError'
#define SCLogError(err_code, ...) SCLogErr(SC_LOG_ERROR, err_code, \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:214:82: note: expanded from macro 'SCLogErr'
char _sc_log_err_msg[SC_LOG_MAX_LOG_MSG_LEN] = ""; \
^~
2 warnings generated.
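Both util-host-os-info commits above fix the same scan-build finding: buffers allocated early in a function are lost when a later validation step logs an error and returns. The following is an added example, not Suricata's code, that shows the leaky shape next to the single-exit fix; the function names, the counting allocator (which stands in for the analyzer so the leak is observable) and the sample inputs are all constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Suricata code. live_allocs counts outstanding heap
 * blocks so that a leak on the error path can be observed directly. */
static int live_allocs = 0;

static void *counted_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void counted_free(void *p)
{
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

static char *counted_strdup(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = counted_malloc(len);
    if (copy != NULL)
        memcpy(copy, s, len);
    return copy;
}

/* Leaky shape (hypothetical): two buffers are allocated up front, then a
 * validation failure logs and returns without releasing them. This is the
 * pattern behind "Potential leak of memory pointed to by 'ip_str'". */
int add_host_leaky(const char *ip, const char *os)
{
    struct in6_addr a6;
    char *ip_str = counted_strdup(ip);
    if (ip_str == NULL)
        return -1;
    char *user_data = counted_strdup(os);
    if (user_data == NULL) {
        counted_free(ip_str);
        return -1;
    }

    if (inet_pton(AF_INET6, ip_str, &a6) != 1) {
        fprintf(stderr, "Invalid IPV6 address inside\n");
        return -1;              /* ip_str and user_data are lost here */
    }

    /* A real implementation would store the entry; freed here to keep
     * the demo self-contained. */
    counted_free(user_data);
    counted_free(ip_str);
    return 0;
}

/* Fixed shape: one exit label releases whatever was acquired, so a new
 * early return added later cannot reintroduce the leak. */
int add_host_fixed(const char *ip, const char *os)
{
    int ret = -1;
    struct in6_addr a6;
    char *ip_str = NULL;
    char *user_data = NULL;

    ip_str = counted_strdup(ip);
    if (ip_str == NULL)
        goto out;
    user_data = counted_strdup(os);
    if (user_data == NULL)
        goto out;

    if (inet_pton(AF_INET6, ip_str, &a6) != 1) {
        fprintf(stderr, "Invalid IPV6 address inside\n");
        goto out;
    }
    ret = 0;

out:
    counted_free(user_data);    /* NULL-safe, so partial setups are fine */
    counted_free(ip_str);
    return ret;
}

int main(void)
{
    /* Constructed input: not a valid IPv6 address, so both take the error path. */
    add_host_leaky("not-an-ipv6", "Linux");
    printf("leaky version left %d block(s) allocated\n", live_allocs);
    live_allocs = 0;
    add_host_fixed("not-an-ipv6", "Linux");
    printf("fixed version left %d block(s) allocated\n", live_allocs);
    return 0;
}
```

The single-exit pattern is also what keeps clang's analyzer quiet: every path out of the function passes through the frees, so there is no path on which the pointers go out of scope while still live.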
commit 9ef9a14315127a0464002ea36d8c9a2095bf6dc3
Author: Victor Julien <victor at inliniac.net>
Date: Thu Jan 30 16:02:17 2014 +0100
Fix util-debug scan-build warnings
util-debug.c:461:12: warning: Potential leak of memory pointed to by 'substr'
return SC_ERR_SPRINTF;
^~~~~~~~~~~~~~
util-debug.c:856:31: warning: Potential leak of memory pointed to by 's'
op_ifaces_ctx = SCLogInitFileOPIface(s, NULL, SC_LOG_LEVEL_MAX);
~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
util-debug.c:1349:9: warning: Potential leak of memory pointed to by 's'
if (log_level >= 0 && log_level < SC_LOG_LEVEL_MAX)
^~~~~~~~~
3 warnings generated.
commit 0189b4d1ebf6f4834b2e3d2def1436dddaa624cc
Author: Eric Leblond <eric at regit.org>
Date: Fri Jan 31 12:05:48 2014 +0100
json file: separate http params
This patch separates http keys from file to have a different value
list:
{
"time":"01\/31\/2014-12:04:52.837245","event_type":"file","src_ip":"5.3.1.1","src_port":80,"dest_ip":"1.8.1.9","dest_port":9539,"proto":"TCP",
"http":{"url":"/foo/","hostname":"bar.com","http_refer":"http:\/\/bar.org","http_user_agent":"Mozilla\/5.0"},
"file":{"filename":"bar","magic":"unknown","state":"CLOSED","stored":false,"size":21}
}
One interest of this modification is that it is possible to use the
same keys as the ones used in http events. Thus correlating both types
of events is trivial. On the code side, this will permit factoring
the code by simply asking the underlying protocol to output its
info in a json object.
A second interest is that adding file extraction for a new protocol
will result in only changing the protocol-specific json list.
commit 6fd9b4b255abac78a4dff88dcd4d10f279c632ce
Author: Eric Leblond <eric at regit.org>
Date: Fri Jan 31 11:54:19 2014 +0100
json: add event_type key
This patch adds an event_type key to the generated events. Current
value is one of "dns", "alert", "file", "tls", "http", "drop". It is
then easy to differentiate in log analysis tools the events based on
source inside Suricata.
commit 93a84180dc904c75c087fef06ddb800e0c54e87f
Author: Eric Leblond <eric at regit.org>
Date: Fri Jan 31 10:58:35 2014 +0100
json dns: do not use array to output answer
Without this patch DNS answers for a single query are stored in a
single json event. The result is an array in the object like this one:
{"type":"answer","id":45084,"rrname":"s-static.ak.facebook.com","rrtype":"CNAME","ttl":734},
{"type":"answer","id":45084,"rrname":"s-static.ak.facebook.com.edgekey.net","rrtype":"CNAME","ttl":1710},
This type of output is not well supported in logstash. It is
displayed as it is written above and it is not possible to
query the fields.
I think the reason is that this is not logical if we consider a search
query. For example if we search for "rrname" equal "s-static.ak.facebook.com"
we get one entry with two values in it. That's against the logic
of an event. Furthermore, if we want to get a complete query, we can
use the id.
This patch splits the answer part into multiple messages. The result
is then accepted by logstash and fields can be queried easily.
commit eab0b7fae9d09de2a16e3edd46cb374365dd2b49
Author: Eric Leblond <eric at regit.org>
Date: Fri Jan 31 09:43:31 2014 +0100
json-dns: sync field names with draft rfc2629
This patch updates DNS field name to be in sync with RFC 2629:
https://github.com/adulau/pdns-qof
This will make it easy to use Suricata with other passive DNS tools.
commit 7a9efd74e4d88e39c6671f6a0dda28ac931ffe10
Author: Eric Leblond <eric at regit.org>
Date: Thu Jan 30 23:33:45 2014 +0100
json: sync key name with CIM
This patch is synchronizing key name with Common Information Model.
It updates key name following what is proposed in:
http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference
The interest of these modifications is that using the same key names
as other software makes it easy to correlate and improve data.
For example, the geoip setting in logstash can be applied to
all src_ip fields, allowing geoip tagging of data.
-----------------------------------------------------------------------
Summary of changes:
qa/coccinelle/banned-functions.cocci | 2 +-
src/output-json-alert.c | 18 +++++-----
src/output-json-dns.c | 56 ++++++++++++++++------------------
src/output-json-drop.c | 2 +-
src/output-json-file.c | 55 ++++++++++++++++++++-------------
src/output-json-http.c | 49 ++++++++++++-----------------
src/output-json-tls.c | 2 +-
src/output-json.c | 16 ++++++----
src/output-json.h | 2 +-
src/util-byte.c | 43 ++++++++++++++++++++++++++
src/util-byte.h | 11 +++++++
src/util-debug.c | 27 +++++++++++-----
src/util-host-os-info.c | 8 +++++
src/util-mem.h | 40 ------------------------
suricata.yaml.in | 32 +++++++++++++++++++-
15 files changed, 214 insertions(+), 149 deletions(-)
hooks/post-receive
--
OISF