
Next 20160922 v10 #2266

Merged: 25 commits, Sep 22, 2016

Commits on Sep 22, 2016

  1. file-hashing: common code added

    Moved and adapted code from detect-filemd5 to util-detect-file-hash,
    generalised code to work with SHA-1 and SHA-256 and added necessary
    flags and other constants.
    serializingme authored and victorjulien committed Sep 22, 2016
    188b382
  2. a6d928e
  3. 89eb935
  4. 53ebe4c
  5. 2f5663d
  6. 4426f3f
  7. file-hashing: restore 'force-md5'

    We don't want to break existing setups.
    
    Do issue a warning that a new option is available.
    victorjulien committed Sep 22, 2016
    f7481c4
  8. 4cdcada
  9. 7ce196e
  10. ssl: store current state separately from cumulative state

    The ssl_state keyword needs the current state, not the cumulative state,
    in order to be compatible with Snort's implementation.
    Jason Ish authored and victorjulien committed Sep 22, 2016
    afc796a
  11. ssl: issue 1231 - support ssl state negation

    Snort compatible SSL state negation. Adds "," as a state
    separator, but keeps "|" for compatibility with existing
    Suricata rules.
    Jason Ish authored and victorjulien committed Sep 22, 2016
    487cdda
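Added example, not code from the Suricata PR: a small C parser and matcher for an ssl_state value of the form the two commits above describe, accepting both "," and "|" as separators and "!" for negation, and evaluated against the current handshake state rather than the cumulative one. The state names, the bit values and the match semantics used here (every listed state present, every negated state absent) are assumptions for illustration; the PR's own matching rules are not shown on this page.

```c
/* Added example (not code from the Suricata PR): parse a Snort-style
 * ssl_state value and evaluate it against the *current* handshake
 * state. State names, flag values and the match semantics (every
 * listed state present, every '!' state absent) are assumptions made
 * for illustration. */
#include <stdint.h>
#include <string.h>

/* assumed flag values, one bit per state */
#define SSL_STATE_CLIENT_HELLO  0x01u
#define SSL_STATE_SERVER_HELLO  0x02u
#define SSL_STATE_CLIENT_KEYX   0x04u
#define SSL_STATE_SERVER_KEYX   0x08u
#define SSL_STATE_UNKNOWN       0x10u

typedef struct SslStateMatch {
    uint32_t want;      /* states that must be set in the current state */
    uint32_t not_want;  /* states prefixed with '!': must not be set */
} SslStateMatch;

static uint32_t SslStateFlag(const char *name)
{
    if (strcmp(name, "client_hello") == 0) return SSL_STATE_CLIENT_HELLO;
    if (strcmp(name, "server_hello") == 0) return SSL_STATE_SERVER_HELLO;
    if (strcmp(name, "client_keyx") == 0)  return SSL_STATE_CLIENT_KEYX;
    if (strcmp(name, "server_keyx") == 0)  return SSL_STATE_SERVER_KEYX;
    if (strcmp(name, "unknown") == 0)      return SSL_STATE_UNKNOWN;
    return 0; /* not a known state name */
}

/* Parse "client_hello,!server_hello" or "client_hello|server_hello".
 * ',' (Snort style) and '|' (existing Suricata rules) both separate
 * tokens; blanks around tokens are ignored. Returns 0 on success and
 * -1 on an unknown token, an empty value, or a state listed both
 * plain and negated (which could never match). */
int SslStateParse(const char *spec, SslStateMatch *m)
{
    const char *p = spec;
    m->want = m->not_want = 0;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        int negate = 0;
        if (*p == '!') { negate = 1; p++; }
        const char *start = p;
        while (*p && *p != ',' && *p != '|' && *p != ' ' && *p != '\t') p++;
        size_t len = (size_t)(p - start);
        char name[32];
        if (len == 0 || len >= sizeof(name)) return -1;
        memcpy(name, start, len);
        name[len] = '\0';
        uint32_t f = SslStateFlag(name);
        if (f == 0) return -1;
        if (negate) m->not_want |= f; else m->want |= f;
        while (*p == ' ' || *p == '\t') p++;
        if (*p == ',' || *p == '|') p++;       /* next token follows */
        else if (*p) return -1;                /* junk after a token */
    }
    if ((m->want | m->not_want) == 0) return -1;
    if (m->want & m->not_want) return -1;
    return 0;
}

/* 1 if the keyword matches the current state bitmask, else 0. The
 * cumulative state is deliberately not consulted: in this model a rule
 * for server_hello alone matches the packet carrying the server hello,
 * not every later packet of the session as it would against the
 * cumulative set. */
int SslStateMatchCurrent(const SslStateMatch *m, uint32_t current)
{
    if ((current & m->want) != m->want) return 0;
    if (current & m->not_want) return 0;
    return 1;
}
```

A call such as SslStateParse("client_hello,!server_hello", &m) followed by SslStateMatchCurrent(&m, current) shows the point of commit 10: once the current state carries SSL_STATE_SERVER_HELLO the negated rule stops matching, regardless of what the cumulative state still holds.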
  12. 30c853a
  13. offloading: preparation for disabling offload on BSD

    Add functions for setting IFCAP flags.
    victorjulien committed Sep 22, 2016
    7004987
  14. device: add global flag for disabling offloading

    Add global flag to disable offloading or just warn on it.
    victorjulien committed Sep 22, 2016
    2780fba
  15. 723a14c
  16. bc37060
  17. 98092f6
  18. 9d48720
  19. 499e27d
  20. 2b2984d
  21. 5e3b61c
  22. offloading: make disabling offloading configurable

    Add a generic 'capture' section to the YAML:
    
      # general settings affecting packet capture
      capture:
        # disable NIC offloading. It's restored when Suricata exits.
        # Enabled by default
        #disable-offloading: false
        #
        # disable checksum validation. Same as setting '-k none' on the
        # commandline
        #checksum-validation: none
    victorjulien committed Sep 22, 2016
    da8f3c9
  23. flow: remove dead code

    victorjulien committed Sep 22, 2016
    96427cf
  24. flow: simplify timeout logic

    Instead of a single big FlowProto array containing timeouts separately
    for normal and emergency cases, plus the 'Free' pointer for the
    protoctx, split up these arrays.
    
    An array made of FlowProtoTimeout for just the normal timeouts and a
    mirror of that for emergency timeouts are used through a pointer that
    will be set at init and swapped by the emergency logic. It's swapped
    back when the emergency is over.
    
    The free funcs are moved to their own array.
    
    This simplifies the timeout lookup code and shrinks the data that is
    commonly used.
    victorjulien committed Sep 22, 2016
    aee1f0b
  25. flow-manager: optimize hash walking

    Until now the flow manager would walk the entire flow hash table on an
    interval. It would thus touch all flows, leading to a lot of memory
    and cache pressure. In scenarios where the number of tracked flows runs
    into the hundreds of thousands, and the memory used can run into many
    hundreds of megabytes or even gigabytes, this would lead to serious
    performance degradation.
    
    This patch introduces a new approach. A timestamp per flow bucket
    (hash row) is maintained by the flow manager. It holds the timestamp
    of the earliest possible timeout of a flow in the list. The hash walk
    skips rows with timestamps beyond the current time.
    
    As the timestamp depends on the flows in the hash row's list, and on
    the 'state' of each flow in the list, any addition of a flow or
    changing of a flow's state invalidates the timestamp. The flow manager
    then has to walk the list again to set a new timestamp.
    
    A utility function FlowUpdateState is introduced to change Flow states,
    taking care of the bucket timestamp invalidation while at it.
    
    Empty flow buckets use a special value so that we don't have to take
    the flow bucket lock to find out the bucket is empty.
    
    This patch also adds more performance counters:
    
    flow_mgr.flows_checked         | Total    | 929
    flow_mgr.flows_notimeout       | Total    | 391
    flow_mgr.flows_timeout         | Total    | 538
    flow_mgr.flows_removed         | Total    | 277
    flow_mgr.flows_timeout_inuse   | Total    | 261
    flow_mgr.rows_checked          | Total    | 1000000
    flow_mgr.rows_skipped          | Total    | 998835
    flow_mgr.rows_empty            | Total    | 290
    flow_mgr.rows_maxlen           | Total    | 2
    
    flow_mgr.flows_checked: number of flows checked for timeout in the
                            last pass
    flow_mgr.flows_notimeout: number of flows out of flow_mgr.flows_checked
                            that didn't time out
    flow_mgr.flows_timeout: number of flows out of flow_mgr.flows_checked that
                            did reach the time out
    flow_mgr.flows_removed: number of flows out of flow_mgr.flows_timeout
                            that were really removed
    flow_mgr.flows_timeout_inuse: number of flows out of flow_mgr.flows_timeout
                            that were still in use or needed work
    
    flow_mgr.rows_checked: hash table rows checked
    flow_mgr.rows_skipped: hash table rows skipped because none of the flows
                            would time out anyway
    
    The counters below are only relating to rows that were not skipped.
    
    flow_mgr.rows_empty:   empty hash rows
    flow_mgr.rows_maxlen:  max number of flows per hash row. Best to keep low,
                            so increase hash-size if needed.
    flow_mgr.rows_busy:    row skipped because it was locked by another thread
    victorjulien committed Sep 22, 2016
    70c16f5
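Added example, not Suricata's code: a single-threaded C model of the per-row "earliest possible timeout" timestamp scheme the commit above describes, together with the counters it lists. The sentinel values, the per-state timeout table and every name are assumptions made for illustration; the per-bucket lock, the emergency timeout set and the rows_busy counter are left out. Each pass walks only rows whose timestamp is invalid or already due, and the test below shows that adding a flow or calling FlowUpdateState forces the row to be walked again.

```c
/* Added example (not Suricata's code): single-threaded model of the
 * per-row "earliest possible timeout" timestamp. Sentinels, the timeout
 * table and all names are assumptions; the bucket lock, the emergency
 * timeouts and rows_busy are not modelled. Timestamps are positive. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HASH_ROWS       8
#define FB_TS_EMPTY     0   /* row holds no flows: skip without looking at the list */
#define FB_TS_INVALID  (-1) /* a flow was added or changed state: walk the row again */

enum FlowState { FLOW_STATE_NEW = 0, FLOW_STATE_ESTABLISHED, FLOW_STATE_CLOSED };
/* assumed (non-emergency) timeout in seconds, indexed by FlowState */
static const int64_t state_timeout[] = { 30, 300, 10 };

typedef struct Flow {
    struct Flow *next;
    int64_t last_seen;   /* time of the last packet */
    enum FlowState state;
    int in_use;          /* still referenced by a worker: must not be freed */
} Flow;

typedef struct FlowBucket {
    Flow *head;
    int64_t next_ts;     /* earliest timeout of any flow in the row, or a sentinel */
} FlowBucket;

typedef struct FlowMgrCounters {
    uint64_t flows_checked, flows_notimeout, flows_timeout, flows_removed,
             flows_timeout_inuse, rows_checked, rows_skipped, rows_empty, rows_maxlen;
} FlowMgrCounters;

/* zero-initialised, so every row starts out as FB_TS_EMPTY */
static FlowBucket flow_hash[HASH_ROWS];

static int64_t FlowTimeoutAt(const Flow *f)
{
    return f->last_seen + state_timeout[f->state];
}

/* Adding a flow invalidates the row timestamp: the new flow may time
 * out earlier than anything already in the list. */
Flow *FlowInsert(FlowBucket *fb, int64_t now, enum FlowState s, int in_use)
{
    Flow *f = calloc(1, sizeof(*f));
    if (f == NULL) abort();
    f->last_seen = now;
    f->state = s;
    f->in_use = in_use;
    f->next = fb->head;
    fb->head = f;
    fb->next_ts = FB_TS_INVALID;
    return f;
}

/* All state changes go through here so the row timestamp cannot go stale. */
void FlowUpdateState(FlowBucket *fb, Flow *f, enum FlowState s)
{
    f->state = s;
    fb->next_ts = FB_TS_INVALID;
}

/* One flow manager pass at time 'now'. Rows whose timestamp is still in
 * the future are skipped without touching a single flow. */
void FlowManagerPass(int64_t now, FlowMgrCounters *c)
{
    memset(c, 0, sizeof(*c));
    for (int i = 0; i < HASH_ROWS; i++) {
        FlowBucket *fb = &flow_hash[i];
        c->rows_checked++;
        if (fb->next_ts == FB_TS_EMPTY) { c->rows_empty++; continue; }
        if (fb->next_ts != FB_TS_INVALID && fb->next_ts > now) { c->rows_skipped++; continue; }

        int64_t min_ts = INT64_MAX;
        uint64_t len = 0;
        Flow **pp = &fb->head;
        while (*pp != NULL) {
            Flow *f = *pp;
            int64_t ts = FlowTimeoutAt(f);
            c->flows_checked++;
            if (ts > now) {
                c->flows_notimeout++;
            } else {
                c->flows_timeout++;
                if (!f->in_use) {
                    c->flows_removed++;
                    *pp = f->next;          /* unlink; pp already points at the next flow */
                    free(f);
                    continue;
                }
                c->flows_timeout_inuse++;   /* timed out but busy: keep, re-check next pass */
            }
            if (ts < min_ts) min_ts = ts;
            len++;
            pp = &f->next;
        }
        if (len > c->rows_maxlen) c->rows_maxlen = len;
        /* recompute the row timestamp; an emptied row gets the sentinel */
        fb->next_ts = (fb->head != NULL) ? min_ts : FB_TS_EMPTY;
    }
}
```

A flow that has timed out but is still in use keeps the row timestamp at or below the current time, so the row is revisited on the next pass instead of being skipped; that is what keeps flows_timeout_inuse from hiding work.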