
Console View

Giuseppe Longo
output-json-http: add functions to log http body
This patch adds two functions that permit logging the http body
in printable or base64 format.
Victor Julien
pcap: fix linktype raw issues
On OpenBSD 6.0 and 6.1 the following pcap gets a datalink type of
101 instead of our defined DLT_RAW.

    File type:          Wireshark/tcpdump/... - pcap
    File encapsulation:  Raw IP
    File timestamp precision:  microseconds (6)
    Packet size limit:  file hdr: 262144 bytes
    Number of packets:  23
    File size:          11 kB
    Data size:          11 kB
    Capture duration:    7,424945 seconds
    First packet time:  2017-05-25 21:59:31,957953
    Last packet time:    2017-05-25 21:59:39,382898
    Data byte rate:      1536 bytes/s
    Data bit rate:      12 kbps
    Average packet size: 496,00 bytes
    Average packet rate: 3 packets/s
    SHA1:                120cff9878b93ac74b68fb9216027bef3b3c018f
    RIPEMD160:          35fa287bf30d8be8b8654abfe26e8d3883262e8e
    MD5:                13fe4bc50fe09bdd38f07739bd1ff0f0
    Strict time order:  True
    Number of interfaces in file: 1
    Interface #0 info:
                        Encapsulation = Raw IP (7/101 - rawip)
                        Capture length = 262144
                        Time precision = microseconds (6)
                        Time ticks per second = 1000000
                        Number of stat entries = 0
                        Number of packets = 23

On Linux it is 12.

On the tcpdump/libpcap site the DLT_RAW is defined as 101:

Strangely, on OpenBSD the DLT_RAW macro is defined as 14 as expected.
So for some reason, libpcap on OpenBSD uses 101 which seems to match
the tcpdump/libpcap documentation.

So this patch adds support for datalink 101 as RAW.
Jason Ish
log: wrap rotation and write in lock
The application log is subject to rotation, so the check for
rotation, the actual rotation and the write need to be done under
lock to ensure the file pointer is in a consistent state
at the time of write().

Fixes issue:
Pierre Chifflier
Add NTP parser (rust-experimental)
Eric Leblond
output-json-alert: fix error handling
MemBuffer was not freed in case of allocation error.
Victor Julien
der/asn1: limit recursion
Limit the number of recursive calls in the DER/ASN.1 decoder to avoid
stack overflows.

Found using AFL.
Victor Julien
lua/alert: expose transaction if available
Bug #1748.
Victor Julien
isdataat: fix mem leak
Eric Leblond
doc: document http-body logging
Victor Julien
rust/nfs: implement events
Remove lots of panic statements in favor of setting non-fatal events.

Bug #2175.
Victor Julien
rust: enable/disable yaml settings
Based on compile time settings, enable/disable app-layers
and loggers.
Victor Julien
gcc7: fixes for format string warnings
GCC 7.1.1 on Fedora gave several warnings with -Wimplicit-fallthrough
and -Wformat-truncation.

This patch addresses the warnings.
Victor Julien
ssl: minor code reformatting
Pierre Chifflier
NTP: change parse function to return the number of parsed messages
Pierre Chifflier
Add NTP event rules (commented) to the default config
Victor Julien
rust/nfs: improve proto detect
Victor Julien
gcc7: fix format truncation warning
detect-rpc.c: In function ‘DetectRpcParse’:
detect-rpc.c:225:50: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
                SCLogError(SC_ERR_INVALID_VALUE, "invalid rpc option %s",args[i]);
util-debug.h:239:77: note: in definition of macro ‘SCLogErr’
            int _sc_log_ret = snprintf(_sc_log_msg, SC_LOG_MAX_LOG_MSG_LEN, __VA_ARGS__);  \
detect-rpc.c:225:17: note: in expansion of macro ‘SCLogError’
                SCLogError(SC_ERR_INVALID_VALUE, "invalid rpc option %s",args[i]);
Pierre Chifflier
Add event rules for NTP events
Victor Julien
gcc7: format-truncation fix for lua
Victor Julien
rust/nfs: remove debug rec_size check
Records larger than 40k are perfectly valid.

Bug #2162.
Victor Julien
log: destroy file mutex
Victor Julien
decode: add config option to disable teredo
Ticket #744.
Victor Julien
Update Changelog for 4.0.0-rc1 release
Victor Julien
gcc7: fix format-truncation warnings in runmodes

util-runmodes.c: In function ‘RunModeSetIPSAutoFp’:
util-runmodes.c:496:40: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
        snprintf(qname, sizeof(qname), "pickup%d", thread+1);
util-runmodes.c:496:9: note: ‘snprintf’ output between 8 and 17 bytes into a destination of size16
        snprintf(qname, sizeof(qname), "pickup%d", thread+1);

Solved by reducing 'thread' to a uint16_t and limiting the max
thread count to 1024.
Victor Julien
stream: don't reset state on syn/ack resend
Bug #1958.

The reset was originally created for issue #523, but that works
well without the reset as well.
Victor Julien
pcre: fix \xHH issue for http_host
The http_host keyword checks if the regex contains uppercase characters.
This check was rejecting valid syntax in the following format:

    content:"|2E|suricata"; http_host; pcre:"/\x2Esuricata$/W";

This patch addresses this case.

Bug #1957.
Victor Julien
changelog: update for 4.0.0-rc2 release
Victor Julien
stats: print alert count at shutdown
Bug #1855.
Pierre Chifflier
Autotools: add switch to build experimental Rust parsers
Pierre Chifflier
Rust gen-c-headers: keep 'const' attribute
Jason Ish
rust/dns: handle multiple txt strings
Fix handling of TXT records when there are multiple strings
in a single TXT record. For now, conform to the C implementation
where an answer record is created for each string in a single
txt record.

Also removes the data_len field from the answer entry. In Rust,
the length is available from actual data, which after decoding
may actually be different than the encoded data length, so just
use the length from the actual data.
Victor Julien
radix: fix risky malloc call
GCC7 said:
  CC      util-radix-tree.o
In file included from util-debug-filters.h:29:0,
                from util-debug.h:34,
                from suricata-common.h:421,
                from util-radix-tree.c:26:
util-radix-tree.c: In function ‘SCRadixAddKey’:
util-mem.h:177:12: error: argument 1 range [18446744071562067968, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
    ptrmem = malloc((a)); \
util-radix-tree.c:749:42: note: in expansion of macro ‘SCMalloc’
            if ( (inter_node->netmasks = SCMalloc((node->netmask_cnt - i) *
In file included from suricata-common.h:69:0,
                from util-radix-tree.c:26:
/usr/include/stdlib.h:443:14: note: in a call to allocation function ‘malloc’ declared here
extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur;

scan-build said:
util-radix-tree.c:749:42: warning: Call to 'malloc' has an allocation size of 0 bytes
            if ( (inter_node->netmasks = SCMalloc((node->netmask_cnt - i) *
./util-mem.h:177:14: note: expanded from macro 'SCMalloc'
    ptrmem = malloc((a)); \
1 warning generated.
Victor Julien
detect: fix mix of pass and noalert
Noalert rules did not apply pass logic to the flow.

Bug #1888.
Eric Leblond
output-json-alert: log http body
Add support for HTTP body logging as printable or as base64.
doc: small typo under '' section
Jason Ish
rust/dns/tcp - probe even if payload is short
As the DNS probe just uses the query portion of a response, don't
require there to be as many bytes as specified in the TCP DNS
header. This can occur in large responses where probe is called
without all the data.

Fixes the cases where the app proto is recorded as failed.

Fixes issue:
Victor Julien
pcap-log: fix path construct check
Victor Julien
proto detect: improve 'failed' handling
Don't try to call parser for 'failed'. Also don't set one direction
warning if TS is failed and our direction is unknown/complete so failed
as well.
Eric Leblond
app-layer: increment flow counter if one sided
In the case of protocol like SMTP, we detect application layer on
only one side.  Consequence was a missed increment in the flow
Pierre Chifflier
Add NULL-terminator to app-layer template (fix #1930)