[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-4.0.1-106-g0c99338
OISF Git
noreply at openinfosecfoundation.org
Fri Dec 8 14:32:39 UTC 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".
The branch, master has been updated
via 0c99338e071612775bd895f64800d01e865f900b (commit)
via d474c9534931bac45bd9cc8032da1741acf4920b (commit)
via 3396747cd657daa76f09a8744461c80589662460 (commit)
via 44bf785ecf11596080da88e0aabd7c24774cccc8 (commit)
via f6938933d95da7d705999ebce482de7c7615cc7a (commit)
via d830177b7b69614fd0ca9e8519388b04f7348789 (commit)
via 98a1ec490f5eab2af39e83944a8a3f5e4d29a26c (commit)
via 722cff1862c54cb3555478af2c02868ca6470284 (commit)
via 196ba1da702fef7c23d19d269b3369b2722b6a48 (commit)
via a55a6cdb628b1badbf71b9a73ff04221ac2e0582 (commit)
via f6c766112c9be5191c4872dea54cbcebaeb6a56e (commit)
via e9b25988badf57433d6826c6be5262fb5019016f (commit)
via bb1bf2643d7e545777fef28b8cc6fe8134947a0d (commit)
via fea037fda88d6548136f28a071f9c878a56634bc (commit)
via 11990c71173f24f9c20f568b71f3c80592fe912b (commit)
via dfae19247d26b0059b633108daf3bff608656621 (commit)
via 274c36eb2f398d42031b407afcb879e899a6ace5 (commit)
via 3413793768ee5a12019f12609b9460c26bb0d52f (commit)
via a52aacb4ea71415ab82cdaadc823c9e4652e0e0c (commit)
via 44926e23691b3d08d87d8c295bd505e079906b1f (commit)
via 5335d8b877b1fed49efa9bf7a48aee06d3f0a9a8 (commit)
via 606eab937c95eda298d145594d6eda57efa1dec5 (commit)
via c16509a8b611314b5760a8b7d0e4330ac6f50ffc (commit)
via 1090ee9d8d739eb014540ad834509a23f96e0712 (commit)
from 84b66b7aaa908fa5dc3dfacf0237662c54fbc690 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 0c99338e071612775bd895f64800d01e865f900b
Author: Pascal Delalande <pdl35 at free.fr>
Date: Fri Dec 8 11:37:54 2017 +0100
doc: update docs for DNS flags logging
commit d474c9534931bac45bd9cc8032da1741acf4920b
Author: Pascal Delalande <pdl35 at free.fr>
Date: Fri Dec 8 11:37:36 2017 +0100
dns: store flags for logging for TCP
commit 3396747cd657daa76f09a8744461c80589662460
Author: Clément Galland <clement.galland at epita.fr>
Date: Thu Oct 19 13:47:03 2017 +0000
Dns logger display flags information
commit 44bf785ecf11596080da88e0aabd7c24774cccc8
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date: Tue Dec 20 15:33:09 2016 +0100
dns: log flags field
This adds dns header's flags in eve log.
Signed-off-by: Eric Leblond <eric at regit.org>
commit f6938933d95da7d705999ebce482de7c7615cc7a
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sun Dec 3 16:13:38 2017 +0100
doc: Amend the list of accepted protocols
Based on the list in suricata.yaml
commit d830177b7b69614fd0ca9e8519388b04f7348789
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 12:34:28 2017 +0200
doc: Add my own name to the acknowledgements
commit 98a1ec490f5eab2af39e83944a8a3f5e4d29a26c
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 12:29:05 2017 +0200
doc: Move IP reputation keyword to rules section
commit 722cff1862c54cb3555478af2c02868ca6470284
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 12:19:33 2017 +0200
doc: Restructure ToC
* All sections up to 2 levels deep are now shown regardless of whether they are a separate page
* Rename Xbits and Thresholding for more consistent naming
* Minor adjustment in the Payload Keywords section
commit 196ba1da702fef7c23d19d269b3369b2722b6a48
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 12:15:44 2017 +0200
doc: Make the header keywords section separate sections in ToC
commit a55a6cdb628b1badbf71b9a73ff04221ac2e0582
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 12:13:17 2017 +0200
doc: Move flowint as integral part of flow keywords
commit f6c766112c9be5191c4872dea54cbcebaeb6a56e
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 12:09:31 2017 +0200
doc: Minor changes in structuring of HTTP Keywords / Snort differences
commit e9b25988badf57433d6826c6be5262fb5019016f
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 12:06:53 2017 +0200
doc: Move pcre entirely to Payload Keywords section
(plus remove lingering screenshot of a rule)
commit bb1bf2643d7e545777fef28b8cc6fe8134947a0d
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 12:02:55 2017 +0200
doc: Move fast_pattern and prefilter to dedicated page
commit fea037fda88d6548136f28a071f9c878a56634bc
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 11:57:00 2017 +0200
doc: Moved explanation of normalized buffers to rules introduction
commit 11990c71173f24f9c20f568b71f3c80592fe912b
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 11:52:13 2017 +0200
doc: Move the definition of modifier keywords to the introduction
commit dfae19247d26b0059b633108daf3bff608656621
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 11:49:43 2017 +0200
doc: Completely rewrite the rules introduction for more clarity
commit 274c36eb2f398d42031b407afcb879e899a6ace5
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 11:47:38 2017 +0200
doc: Meta-settings -> Meta Keywords plus some textual changes
Most importantly, conventions are now placed in tip boxes
commit 3413793768ee5a12019f12609b9460c26bb0d52f
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 11:43:58 2017 +0200
doc: Use lowercased keyword names as section titles
commit a52aacb4ea71415ab82cdaadc823c9e4652e0e0c
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 11:37:42 2017 +0200
doc: Replace images of tables and rules with text in rules docs
In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis.
Additionally, some tables embedded into images were also replaced by reST tables.
commit 44926e23691b3d08d87d8c295bd505e079906b1f
Author: Ralph Broenink <ralph at ralphbroenink.net>
Date: Sat Oct 14 11:17:19 2017 +0200
doc: Add suricata.css to allow for some custom styling
commit 5335d8b877b1fed49efa9bf7a48aee06d3f0a9a8
Author: Victor Julien <victor at inliniac.net>
Date: Fri Nov 24 15:49:26 2017 +0100
detect/uri: apply urilen contents as depth
commit 606eab937c95eda298d145594d6eda57efa1dec5
Author: Victor Julien <victor at inliniac.net>
Date: Fri Nov 24 15:48:26 2017 +0100
detect/http_uri: remove broken tests
commit c16509a8b611314b5760a8b7d0e4330ac6f50ffc
Author: Wolfgang Hotwagner <code at feedyourhead.at>
Date: Wed Dec 6 11:12:42 2017 +0000
conf: stack-based buffer-overflow in ParseFilename
There is a stack-based buffer-overflow in ParseFilename. Since the length of "outputs.pcap-log.filename" is not checked and the destination buffer "str" has a fixed length of 512 bytes, a buffer overflow happens with long filenames. An attacker could exploit this for code execution if the configuration-file is not protected properly. This commit fixes ticket #2335
This is what the asan-output looks like:
~/suricata-1/src# suricata -T -c ./suricata.yaml
[27871] 3/12/2017 -- 20:48:13 - (suricata.c:1876) <Info> (ParseCommandLine) -- Running suricata under test mode
[27871] 3/12/2017 -- 20:48:13 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev f3fea60b)
=================================================================
==27871==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffbe9d75e0 at pc 0x55897b5f935f bp 0x7fffbe9d72b0 sp 0x7fffbe9d72a8
WRITE of size 1 at 0x7fffbe9d75e0 thread T0 (Suricata-Main)
#0 0x55897b5f935e in ParseFilename /root/suricata-1/src/log-pcap.c:895
#1 0x55897b5fb173 in PcapLogInitCtx /root/suricata-1/src/log-pcap.c:985
#2 0x55897b6af103 in RunModeInitializeOutputs /root/suricata-1/src/runmodes.c:752
#3 0x55897b72c6b5 in PreRunPostPrivsDropInit /root/suricata-1/src/suricata.c:2263
#4 0x55897b730416 in main /root/suricata-1/src/suricata.c:2898
#5 0x7f947f6db2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x55897b2d4c19 in _start (/usr/local/bin/suricata+0xc4c19)
Address 0x7fffbe9d75e0 is located in stack of thread T0 (Suricata-Main) at offset 672 in frame
#0 0x55897b5f7fcc in ParseFilename /root/suricata-1/src/log-pcap.c:836
This frame has 3 object(s):
[32, 104) 'toks'
[160, 672) 'str' <== Memory access at offset 672 overflows this variable
[704, 2752) '_sc_log_msg'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/suricata-1/src/log-pcap.c:895 in ParseFilename
Shadow bytes around the buggy address:
==27871==ABORTING
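The bug class this commit describes (a configuration string copied into a fixed 512-byte stack buffer without a length check) next to a bounded version, as an added C illustration. This is not Suricata's code or its actual fix; the '%' token splitting, the MAX_TOKS bound and the function names are assumptions based only on the 'toks' and 'str' objects visible in the ASan frame.

```c
#include <stddef.h>
#include <string.h>

/* Same fixed size as the 'str' stack object in the ASan frame above. */
#define FILENAME_BUF_LEN 512
/* Hypothetical bound for the 'toks' array; the real limit is not on the page. */
#define MAX_TOKS 8

/* Vulnerable pattern, kept for contrast and never called below: the config
 * value is copied into a fixed-size stack buffer with no length check, so a
 * filename of 512 or more bytes writes past the end of 'str'. */
int parse_filename_unchecked(const char *filename)
{
    char str[FILENAME_BUF_LEN];
    strcpy(str, filename);               /* unbounded copy: stack overflow */
    return (int)strlen(str);
}

/* Hardened pattern (illustration, not Suricata's fix): reject the value
 * before touching the buffer if it cannot fit, copy with a bound, guarantee
 * NUL termination, and bound the number of '%' tokens as well.
 * Returns the token count (>= 1) on success, -1 if the filename is too long,
 * -2 on a NULL/empty value, -3 if there are more tokens than 'toks' holds. */
int parse_filename_checked(const char *filename, char *str, size_t str_len,
                           const char *toks[], size_t max_toks)
{
    if (filename == NULL || str == NULL || str_len == 0)
        return -2;
    size_t len = 0;                      /* never scan past the buffer bound */
    while (len < str_len && filename[len] != '\0')
        len++;
    if (len == 0)
        return -2;
    if (len >= str_len)                  /* no room for the terminating NUL */
        return -1;
    memcpy(str, filename, len);
    str[len] = '\0';

    /* Split the private copy on '%' in place; 'toks' is fixed-size too. */
    size_t ntoks = 0;
    for (char *p = str; p != NULL;) {
        if (ntoks == max_toks)
            return -3;
        toks[ntoks++] = p;
        char *sep = strchr(p, '%');
        if (sep != NULL)
            *sep = '\0';
        p = (sep != NULL) ? sep + 1 : NULL;
    }
    return (int)ntoks;
}

/* Mirrors the config path: validate one outputs.pcap-log.filename value. */
int check_pcap_log_filename(const char *value)
{
    char str[FILENAME_BUF_LEN];
    const char *toks[MAX_TOKS];
    return parse_filename_checked(value, str, sizeof(str), toks, MAX_TOKS);
}
```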
commit 1090ee9d8d739eb014540ad834509a23f96e0712
Author: Ruslan Usmanov <ruslan.usmanov at threattrack.com>
Date: Fri Oct 27 12:50:32 2017 -0400
rate_filter by_both through IPPair storage
Ticket https://redmine.openinfosecfoundation.org/issues/2127
-----------------------------------------------------------------------
Summary of changes:
doc/userguide/_static/css/suricata.css | 27 ++
doc/userguide/acknowledgements.rst | 1 +
doc/userguide/conf.py | 10 +
doc/userguide/configuration/global-thresholds.rst | 2 +
doc/userguide/index.rst | 2 +-
doc/userguide/output/eve/eve-json-format.rst | 14 +-
.../ipreputation/ip-reputation-format.rst | 2 +-
.../reputation/ipreputation/ip-reputation.rst | 3 +-
doc/userguide/rules/differences-from-snort.rst | 11 +-
doc/userguide/rules/flow-keywords.rst | 161 +++++++++-
doc/userguide/rules/flowint.rst | 147 ----------
doc/userguide/rules/header-keywords.rst | 185 +++++++++---
.../rules/header-keywords/ICMP_type_code.png | Bin 138533 -> 0 bytes
doc/userguide/rules/header-keywords/ICMP_types.png | Bin 47309 -> 0 bytes
doc/userguide/rules/header-keywords/Window.png | Bin 26681 -> 0 bytes
doc/userguide/rules/header-keywords/ack.png | Bin 25305 -> 0 bytes
doc/userguide/rules/header-keywords/fragbits.png | Bin 42764 -> 0 bytes
doc/userguide/rules/header-keywords/fragoffset.png | Bin 45033 -> 0 bytes
doc/userguide/rules/header-keywords/icmp_id.png | Bin 19474 -> 0 bytes
doc/userguide/rules/header-keywords/icmp_seq.png | Bin 21191 -> 0 bytes
doc/userguide/rules/header-keywords/icmp_type.png | Bin 19622 -> 0 bytes
doc/userguide/rules/header-keywords/icode.png | Bin 16627 -> 0 bytes
doc/userguide/rules/header-keywords/id.png | Bin 55094 -> 0 bytes
doc/userguide/rules/header-keywords/ip_proto.png | Bin 21788 -> 0 bytes
doc/userguide/rules/header-keywords/ipopts.png | Bin 33790 -> 0 bytes
.../rules/header-keywords/ipopts_rule.png | Bin 18357 -> 0 bytes
doc/userguide/rules/header-keywords/sameip.png | Bin 27181 -> 0 bytes
doc/userguide/rules/header-keywords/seq.png | Bin 23340 -> 0 bytes
doc/userguide/rules/header-keywords/ttl.png | Bin 26909 -> 0 bytes
doc/userguide/rules/http-keywords.rst | 70 ++---
doc/userguide/rules/http-keywords/uricontent.png | Bin 53276 -> 0 bytes
doc/userguide/rules/http-keywords/urilen1.png | Bin 49672 -> 0 bytes
doc/userguide/rules/http-uri-normalization.rst | 10 -
doc/userguide/rules/index.rst | 11 +-
doc/userguide/rules/intro.rst | 323 +++++++++++++--------
doc/userguide/rules/intro/Dest_port.png | Bin 41492 -> 0 bytes
doc/userguide/rules/intro/Direction.png | Bin 41001 -> 0 bytes
doc/userguide/rules/intro/Source-port.png | Bin 40112 -> 0 bytes
doc/userguide/rules/intro/Source.png | Bin 40040 -> 0 bytes
doc/userguide/rules/intro/action.png | Bin 40842 -> 0 bytes
doc/userguide/rules/intro/destination.png | Bin 42050 -> 0 bytes
doc/userguide/rules/intro/intro_sig.png | Bin 43552 -> 0 bytes
doc/userguide/rules/intro/protocol.png | Bin 38983 -> 0 bytes
.../ipreputation => rules}/ip-reputation-rules.rst | 12 +-
doc/userguide/rules/meta.rst | 172 ++++++-----
doc/userguide/rules/meta/classification.png | Bin 41206 -> 0 bytes
doc/userguide/rules/meta/classtype.png | Bin 42404 -> 0 bytes
doc/userguide/rules/meta/gid.png | Bin 30298 -> 0 bytes
doc/userguide/rules/meta/msg.png | Bin 38884 -> 0 bytes
doc/userguide/rules/meta/reference.png | Bin 37896 -> 0 bytes
doc/userguide/rules/meta/rev.png | Bin 39811 -> 0 bytes
doc/userguide/rules/meta/sid.png | Bin 41173 -> 0 bytes
doc/userguide/rules/normalized-buffers.rst | 18 --
doc/userguide/rules/payload-keywords.rst | 186 ++++++++++--
doc/userguide/rules/payload-keywords/content.png | Bin 41151 -> 0 bytes
doc/userguide/rules/payload-keywords/dsize.png | Bin 31300 -> 0 bytes
doc/userguide/rules/payload-keywords/rpc.png | Bin 24363 -> 0 bytes
doc/userguide/rules/pcre.rst | 138 ---------
doc/userguide/rules/pcre/pcre.png | Bin 41419 -> 0 bytes
.../{fast-pattern.rst => prefilter-keywords.rst} | 28 +-
doc/userguide/rules/prefilter.rst | 13 -
doc/userguide/rules/thresholding.rst | 4 +-
doc/userguide/rules/xbits.rst | 4 +-
rust/src/dns/log.rs | 16 +
src/app-layer-dns-common.h | 1 +
src/app-layer-dns-tcp.c | 1 +
src/app-layer-dns-udp.c | 1 +
src/detect-engine-threshold.c | 268 +++++++++++------
src/detect-engine-threshold.h | 6 +-
src/detect-engine-uri.c | 247 ----------------
src/detect-http-raw-uri.c | 11 +
src/detect-http-uri.c | 11 +
src/detect-threshold.h | 1 +
src/detect-urilen.c | 78 +++++
src/detect-urilen.h | 2 +
src/host-timeout.c | 2 +-
src/ippair-timeout.c | 8 +-
src/log-pcap.c | 11 +-
src/output-json-dns.c | 16 +
src/util-threshold-config.c | 241 ++++++++++++++-
80 files changed, 1449 insertions(+), 1026 deletions(-)
create mode 100644 doc/userguide/_static/css/suricata.css
delete mode 100644 doc/userguide/rules/flowint.rst
delete mode 100644 doc/userguide/rules/header-keywords/ICMP_type_code.png
delete mode 100644 doc/userguide/rules/header-keywords/ICMP_types.png
delete mode 100644 doc/userguide/rules/header-keywords/Window.png
delete mode 100644 doc/userguide/rules/header-keywords/ack.png
delete mode 100644 doc/userguide/rules/header-keywords/fragbits.png
delete mode 100644 doc/userguide/rules/header-keywords/fragoffset.png
delete mode 100644 doc/userguide/rules/header-keywords/icmp_id.png
delete mode 100644 doc/userguide/rules/header-keywords/icmp_seq.png
delete mode 100644 doc/userguide/rules/header-keywords/icmp_type.png
delete mode 100644 doc/userguide/rules/header-keywords/icode.png
delete mode 100644 doc/userguide/rules/header-keywords/id.png
delete mode 100644 doc/userguide/rules/header-keywords/ip_proto.png
delete mode 100644 doc/userguide/rules/header-keywords/ipopts.png
delete mode 100644 doc/userguide/rules/header-keywords/ipopts_rule.png
delete mode 100644 doc/userguide/rules/header-keywords/sameip.png
delete mode 100644 doc/userguide/rules/header-keywords/seq.png
delete mode 100644 doc/userguide/rules/header-keywords/ttl.png
delete mode 100644 doc/userguide/rules/http-keywords/uricontent.png
delete mode 100644 doc/userguide/rules/http-keywords/urilen1.png
delete mode 100644 doc/userguide/rules/http-uri-normalization.rst
delete mode 100644 doc/userguide/rules/intro/Dest_port.png
delete mode 100644 doc/userguide/rules/intro/Direction.png
delete mode 100644 doc/userguide/rules/intro/Source-port.png
delete mode 100644 doc/userguide/rules/intro/Source.png
delete mode 100644 doc/userguide/rules/intro/action.png
delete mode 100644 doc/userguide/rules/intro/destination.png
delete mode 100644 doc/userguide/rules/intro/intro_sig.png
delete mode 100644 doc/userguide/rules/intro/protocol.png
rename doc/userguide/{reputation/ipreputation => rules}/ip-reputation-rules.rst (75%)
delete mode 100644 doc/userguide/rules/meta/classification.png
delete mode 100644 doc/userguide/rules/meta/classtype.png
delete mode 100644 doc/userguide/rules/meta/gid.png
delete mode 100644 doc/userguide/rules/meta/msg.png
delete mode 100644 doc/userguide/rules/meta/reference.png
delete mode 100644 doc/userguide/rules/meta/rev.png
delete mode 100644 doc/userguide/rules/meta/sid.png
delete mode 100644 doc/userguide/rules/normalized-buffers.rst
delete mode 100644 doc/userguide/rules/payload-keywords/content.png
delete mode 100644 doc/userguide/rules/payload-keywords/dsize.png
delete mode 100644 doc/userguide/rules/payload-keywords/rpc.png
delete mode 100644 doc/userguide/rules/pcre.rst
delete mode 100644 doc/userguide/rules/pcre/pcre.png
rename doc/userguide/rules/{fast-pattern.rst => prefilter-keywords.rst} (76%)
delete mode 100644 doc/userguide/rules/prefilter.rst
hooks/post-receive
--
OISF