aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
17,727 Commits
7 Branches
161 Tags
200 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Commit Graph

478 Commits (master)

Author SHA1 Message Date
jason taylor 9e87d89d2e doc: update http.accept keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 8307168ae7 doc: update http.user_agent keyword 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 75c4cdfa1c doc: update http.cookie keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 7a28874c8d doc: update http.header keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor b3af723486 doc: remove legacy description/duplicated data 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 292b3eb9b3 doc: update http.request_line keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor c7f351bd6e doc: update http.protocol keyword documentation 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 2d0ceedeba doc: update urilen keyword documentation 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor ef118aa582 doc: remove legacy uricontent information 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 96e8c10276 doc: update http.uri and http.uri.raw keywords 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor bf192926a8 doc: update http.method keyword 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 0cce5ba447 doc: add http keyword links 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor fd46175203 doc: update http primer information 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 54fd35c5b4 doc: remove legacy tables and image references 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
Hadiqa Alamdar Bukhari 3aa313d0c5 dns: add dns.rcode keyword 
dns.rcode matches the rcode header field in DNS messages
It's an unsigned integer
valid ranges = [0-15]
Does not support prefilter
Supports matches in both flow directions

Task #6621
 1 year ago
Hadiqa Alamdar Bukhari 4b81851097 dns: add dns.rrtype keyword 
It matches the rrtype field in DNS
It's an unsigned integer match
valid ranges = [0-65535]
Does not support prefilter
Supports flow in both directions
Feature #6666
 1 year ago
Philippe Antoine e22217bda8 doc: there is no right shift for integer bitmasks 
Ticket: 6628
 1 year ago
Philippe Antoine f6e1a20215 detect: dns.opcode as first-class integer 
Ticket: 5446

That means it can accept ranges
 1 year ago
Juliana Fajardini 244a35d539 userguide: fix explanation about bsize ranges 
Our code handles Uint ranges as exclusive, but for bsize, our
documentation stated that they're inclusive.

Cf. from uint.rs:

    DetectUintMode::DetectUintModeRange => {
        if val > x.arg1 && val < x.arg2 {
            return true;
        }
    }

Task #6708
 1 year ago
Philippe Antoine b8bc2c7e0f doc: integer keywords 
Ticket: 6628

Document the generic detection capabilities for integer keywords.
and make every integer keyword pointing to this section.
 1 year ago
Jason Ish 8bf8131c31 doc: note what version "requires" was added in 1 year ago
jason taylor 3cb7112aa5 detect: update smb.version keyword 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
Eloy Pérez González a4901a1f70 smb: add smb.keyword documentation 2 years ago
Lukas Sismis 6e4cc79b39 doc: remove references to prehistoric versions 
Remove references that are mentioning Suricata 3 or less
As a note - only one Suricata 4 reference found:
(suricata-yaml.rst:"In 4.1.x")
Fast pattern selection criteria can be internally found by inspecting
SupportFastPatternForSigMatchList and SigTableSetup functions.

Ticket: #6570
 2 years ago
Philippe Antoine adf5e6da7b detect: strip_pseudo_headers transform 
Ticket: 6546
 2 years ago
Philippe Antoine 4933b817aa doc: fix byte_test examples 
As this keyword has 4 mandatory arguments, and some examples
had only three...

Ticket: 6629
 2 years ago
Jason Ish 5d5b0509a5 requires: add requires keyword 
Add a new rule keyword "requires" that allows a rule to require specific
Suricata versions and/or Suricata features to be enabled.

Example:

  requires: feature geoip, version >= 7.0.0, version < 8;
  requires: version >= 7.0.3 < 8
  requires: version >= 7.0.3 < 8 | >= 8.0.3

Feature: #5972

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
 2 years ago
Jason Ish c1a8dbcb72 doc/userguide: document dns.query.name, dns.answer.name 
With some other minor cleanups in the DNS keyword section.
 2 years ago
Shivani Bhardwaj b9540df5ad doc: clarify IP-only with iprep 2 years ago
jason taylor fc81c99b58 doc: add file.name information to smtp keyword doc 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
jason taylor 9d1ad0187e doc: add file.name information to nfs keyword doc 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
jason taylor 327ba7397a doc: add file.name information to smb keyword doc 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
jason taylor e4077b8803 doc: update ftp keyword doc example rule format 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
jason taylor bb1f7575d3 doc: add file.name information to ftp keyword doc 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
jason taylor bbc17b1c7d doc: add file.name information to http keyword doc 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
Philippe Antoine 32cce122e1 detect: header_lowercase transform 
Ticket: 6290
 2 years ago
jason taylor c50002978d doc: update file.data keyword documentation 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
Sascha Steinbiss 0c55fe3515 detect: add mqtt.connect.protocolstring 
Ticket:  OISF#6396
 2 years ago
Victor Julien 6b2c33990f doc/userguide: add tag keyword page 
Ticket: #3015.
 2 years ago
Jeff Lucovsky 9ee55d2394 doc/transform: Document case-changing transforms. 
Issue: 6439
 2 years ago
Philippe Antoine ab9b6e30b1 detect: adds flow integer keywords 
Ticket: #6164

flow.pkts_toclient
flow.pkts_toserver
flow.bytes_toclient
flow.bytes_toserver
 2 years ago
jason taylor 535938d7f6 doc: add tls.cert_chain_len docs 
Ticket: #6386

Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
Travis Green 96a0e7016f doc: add tcp flags documentation 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
jason taylor be324d7856 doc: update file.magic information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
jason taylor 008cc78a03 doc: update fileext keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
jason taylor e99b1787a2 doc: update file.name keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
Andreas Herz da68692547 doc: dataset - add type to be mandatory 2 years ago
jason taylor c95fce39f0 doc: add multi buffer support note to keyword docs 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
jason taylor 88960e909d doc: add multiple buffer matching documentation 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
Jeff Lucovsky 47e268d609 detect/byte_math: Document bytes variable name 
Issue: 6145

Document that byte_math accepts a variable name for bytes (optional)
 2 years ago
Jeff Lucovsky 3a4554fc2b detect/byte-jump: Document var usage for nbytes 
Issue: 6105
 2 years ago
Jeff Lucovsky 73b943276e doc/byte_test: Document byte_test variable usage 
Issue: 6144

This commit updates the byte_test documentation now that a variable name
can be used for the nbytes value.
 2 years ago
Shivani Bhardwaj b6f8f5eb3b doc/http: use "sticky buffer" where applicable 2 years ago
Jason Ish 14daa42e0b doc/userguide: dataset upgrade notes 2 years ago
Jason Ish 4a97461f9a doc/userguide: notes about Lua rules being disabled by default 2 years ago
Philippe Antoine 415b036dca http1: implement http.request_header 
So that it is generic for HTTP1 and HTTP2

Ticket: #5780
 2 years ago
Philippe Antoine 7256ec8a6e detect/http2: do not escape ':' in header name or value 
for keywords http.request_header and http.response_header

Ticket: #5780
 2 years ago
Philippe Antoine 656554f293 http2: rename http2.header to http.request_header 
Or http.response_header based on the direction

http2.header had a different behavior than http.header and this was
confusing.

Ticket: #5780
 2 years ago
Eloy Pérez González b3c7130749 krb5: update krb5_msg_type keyword docs 2 years ago
Victor Julien 0903536fd6 doc: spelling 
Thanks to Josh Soref.
 2 years ago
Philippe Antoine 9bd2b72e2b doc: explain where tls.store stores certificates 
By adding a reference/link to the doc about the suricata.yaml
config section pecifying the directory where the certificates
are stored
 2 years ago
Victor Julien c0d9b3c078 doc/userguide: spelling 2 years ago
Andreas Herz 3045e75ee1 doc: add note on the hashsize recommendation for datasets 2 years ago
Philippe Antoine 59734d16a1 detect: use http.connection to client 
Ticket: #5746
 2 years ago
Philippe Antoine 6bc7f02e13 doc: rules can have http1 as protocol 
Ticket: #5962
 2 years ago
Jeff Lucovsky fd46c93a8f doc/byte_math: Add divide by 0 discussion. 
Issue: 5945
 2 years ago
Jeff Lucovsky 35bbdf4124 doc/content: Add limits for distance/within 
Ticket: 5740
 2 years ago
Shivani Bhardwaj 0f3e7761da doc: add dataset examples 2 years ago
Haleema Khan 609df1776e userguide: update tls keywords information 
Ticket #5544
 2 years ago
jason taylor 0632233791 userguide: update http.cookie description 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
Jeff Lucovsky 197ad51138 doc: Update bsize documentation 
This commit updates the bsize documentation

1. Describe what happens when "content" immediately precedes "bsize"
2. Include the operators and
3. Include examples using the operators.
 3 years ago
jason taylor 9dc8fffe05 userguide: update tos keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 1d9b91a987 userguide: update fragoffset keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 7c73144988 userguide: update fragbits information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 4be9793e36 userguide: update geoip information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor e8eba6e4a1 userguide: update id keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor cfd0da133e userguide: update ipv6.hdr keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 150a04b597 userguide: update ipv4.hdr keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 298f59c2ba userguide: update ip_proto keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 6226492976 userguide: update sameip keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor f97ba44339 userguide: update ipopts keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 9b4e6e5802 userguide: update ttl keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
Philippe Antoine ce710181f6 doc: update doc for HTTP file.data to server 
Ticket: #4144

Completes e587f6792a
 3 years ago
Aaron Bungay d166c48d28 docs: update for bittorrent-dht app-layer 3 years ago
Eric Leblond 9fb0137d9d doc: add reference to ipaddr in IP matching 3 years ago
Eric Leblond 3bd48d9336 detect: doc link for ip.src and ip.dst 3 years ago
Eric Leblond da8b16eaeb doc: add ip.dst and ip.src doc 3 years ago
Eric Leblond 3599cbf1c4 doc: document new dataset types 
Feature: #5383
 3 years ago
Eric Leblond a1a22cccd2 doc: document dataset-lookup 
Ticket: #5184
 3 years ago
Eric Leblond 20973e9e6b doc: add dataset-clear command 
Ticket: #5184
 3 years ago
Eric Leblond c5559cb68f doc: document dataset-dump command 
Ticket: #5184
 3 years ago
Lukas Sismis 37cf365e19 docs: remove outdated constraint of negation support for ssl_state 
Commit 487cdda93d adds negation support for the SSL state.
 3 years ago
Shivani Bhardwaj 2a0cb1f3da doc: update base64_decode notes 3 years ago
Eric Leblond f46f895e8d rust/smb: import NT status code for Microsoft doc 
This patch updates the NT status code definition to use the status
definition used on Microsoft documentation website. A first python
script is building JSON object with code definition.

```
import json
from bs4 import BeautifulSoup
import requests

ntstatus = requests.get('https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55')

ntstatus_parsed = BeautifulSoup(ntstatus.text, 'html.parser')

ntstatus_parsed = ntstatus_parsed.find('tbody')

ntstatus_dict = {}

for item in ntstatus_parsed.find_all('tr'):
    cell = item.find_all('td')
    if len(cell) == 0:
        continue
    code = cell[0].find_all('p')
    description_ps = cell[1].find_all('p')
    description_list = []
    if len(description_ps):
        for desc in description_ps:
            if not desc.string is None:
                description_list.append(desc.string.replace('\n ', ''))
    else:
        description_list = ['Description not available']
    if not code[0].string.lower() in ntstatus_dict:
        ntstatus_dict[code[0].string.lower()] = {"text": code[1].string, "desc": ' '.join(description_list)}

print(json.dumps(ntstatus_dict))
```

The second one is generating the code that is ready to be inserted into the
source file:

```
import json

ntstatus_file = open('ntstatus.json', 'r')

ntstatus = json.loads(ntstatus_file.read())

declaration_format = 'pub const SMB_NT%s:%su32 = %s;\n'
resolution_format = '        SMB_NT%s%s=> "%s",\n'

declaration = ""
resolution = ""

text_max = len(max([ntstatus[x]['text'] for x in ntstatus.keys()], key=len))

for code in ntstatus.keys():
    text = ntstatus[code]['text']
    text_spaces = ' ' * (4 + text_max - len(text))
    declaration += declaration_format % (text, text_spaces, code)
    resolution += resolution_format % (text, text_spaces, text)

print(declaration)
print('\n')
print('''
pub fn smb_ntstatus_string(c: u32) -> String {
    match c {
''')
print(resolution)
print('''
        _ => { return (c).to_string(); },
    }.to_string()
}
''')
```

Bug #5412.
 3 years ago
Juliana Fajardini 7b0008d4f0 userguide: add section about exception policies 
This describes briefly what the exception policies are, what is the
engine's behavior, what options are available and to which parts are
they implemented.

Task #5475
Task #5515
 3 years ago
Jeff Lucovsky 33c424f9ed doc/byte_math: Add byte_math differences with snort 
Issue: 5077
 3 years ago
Jeff Lucovsky 192a31c74e doc: Fixup byte* entries to display tables properly 3 years ago
Philippe Antoine 390cf9248f detect: adds flow.age keyword 
Ticket: #5536
 3 years ago
Philippe Antoine 5ef259722b dhcp: adds renewal-time keyword 
Ticket: #5507
 3 years ago
Philippe Antoine 6faf6299e0 dhcp: adds rebinding-time keyword 
Ticket: #5506
 3 years ago
Shivani Bhardwaj a77977ec62 doc: add description for tls.random 3 years ago
jason taylor c29942c029 userguide: update dsize documentation/examples 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
Philippe Antoine 461725a9bf dhcp: adds leasetime keyword 
As it is logged

Ticket: #5435
 3 years ago
Philippe Antoine 5c7b5c5fb5 krb: detection for ticket encryption 
As is done for logging.

Ticket: #5442
 3 years ago
Jufajardini Reichow 61f9f0df55 userguide/rules/meta: minor formatting adjustments 3 years ago
Jufajardini Reichow 45f14bb97c userguide/rules: explain sid uniqueness within gid 
While Suri will throw an error if two signatures have the same `sid`
and no `gid`, or same `sid` and same `gid`, it will just accept same
`sid` for different `gid`s.

Related to

Task #5441
 3 years ago
jason taylor 87990b138c doc: update priority wording userguide meta 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor a7d739a05b doc: update to 80 char formatting userguide meta 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 9bd55ff81b doc: metadata information update userguide meta 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 563dc66837 doc: update priority information userguide meta 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor f73a60eb89 doc: update reference section in userguide meta 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor e611ef5ccb doc: update userguide meta classtype information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 39bc56ec97 doc: update rev and gid userguide meta wording 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor b9cb66c58f doc: add clarity around userguide meta information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 790ef9a53f doc: add sid reserved range reference 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 38a179d89d doc: add clarity to rule msg tips 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 299a931e49 doc: update example rule list 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 98c29da6ec doc: add clarity to role wording 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor c0bdb6cc10 doc: meta keyword doc example rule update 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor ca9e9009ba doc: add bsize keyword examples 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 34e0a384ad doc: update to include additional rule references 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 4405704372 doc: update intro direction content 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 3eeacf8a3d doc: fixed HOME_NET/EXTERNAL example formatting 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor f2c7998903 doc: add clarity around HOME_NET/EXTERNAL_NET 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 76cca8b08a doc: minor example rule description update 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 4f61a35fe7 doc: minor wording restructure 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 845ba154a6 doc: add tcp-pkt/tcp-stream to intro 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 56f49bfe8e doc: minor punctuation update 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor ab300ab0ae doc: intro example rule update to simpler example 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 2f240230f0 doc: minor intro wording update 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
Philippe Antoine c7214be99b snmp: adds usm keyword 
as is logged

Ticker: #5416
 3 years ago
Andreas Dolp 324f5ec10c doc: Add missing ")" in example 3 years ago
Andreas Dolp e4163c4e02 doc: Fix typos 3 years ago
Andreas Dolp 49bd6cfa5d doc: Fix broken link 3 years ago
jason taylor d799956348 doc: add note about file.data and file_data 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 83f2056d20 doc: update file_data to file.data keyword 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor cd54d0dbc8 doc: remove extra newline in order to match style 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 38bd775ca0 doc: remove extraneous + characters 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
Shivani Bhardwaj 015c9fe1e3 doc: add usage of flowbits OR op 
Ticket 5130
 3 years ago
Victor Julien cf4ddab6f4 doc/quic: update for new quic.version logic 4 years ago
Emmanuel Thompson 6641efb74f doc/quic: Add documentation for QUIC keywords 4 years ago
Philippe Antoine 0cfdec1266 detect: xor transform 
Ticket: 3285

The xor transform applies xor decoding to a buffer, with a key
specified as an option in hexadecimal. Arbitrary key sizes are
accepted.
 4 years ago
Juliana Fajardini de0ce26e3f userguide: update references to Suricata website 
Many places were still referencing the old Suricata page.
Used git grep with replace to update them. Checked that new links work.
Left old references when they were only documentation examples (for
output or unittests).

Task#4915
 4 years ago
Juliana Fajardini 4256c1ccd5 userguide: rename pg Lua Scripting->Lua Detection 
Since we can have scripts for output _or_ detection, it seems more
clear to rename this page to add more meaning
 4 years ago
Juliana Fajardini 59e5a21fca userguide: update buffers list for lua-scripting 4 years ago
Juliana Fajardini e7f1736f3a userguide/lua: add explanation about `need` diffs 
The differences on how the `need` key works, depending on script
usage (output or detection) confuses users, sometimes (cf doc#4725).
While we don't fix that, just explain this behavior.
 4 years ago
Andreas Dolp b25350ee13 doc: Fix typo in documentation of rule keyword flow 4 years ago
Philippe Antoine fae7389ae2 pcre2: document the behavioral changes 4 years ago
Joshua Lumb cf9b2b5fd1 detect-dsize: Add ! operator for dsize matching 4 years ago
myr463 755124763d doc: escape dot in pcre 4 years ago
Shivani Bhardwaj 51be8f0238 doc/dcerpc: add proto keywords 4 years ago
showipintbri a39025bf24 doc: Grammar Correction 4 years ago
frank honza f83d51d0cb ike: set event for multiple server proposals 4 years ago
Andreas Herz a5f36eccf1 doc: add documentation for rawbytes keyword 4 years ago
frank honza ab59ef0d79 ikev1: add documentation for ikev1 4 years ago
frank honza ecdf9f6b0b ikev1: rename ikev2 to common ike 
Renaming was done with shell commands, git mv for moving the files and content like
find -iname '*.c' | xargs sed -i 's/ikev1/ike/g' respecting the different mixes of upper/lower case.
 4 years ago
Jason Ish 547afcb983 doc/userguide/transforms: remove not about libnss being required 5 years ago
Jason Ish c0ddad8e7e doc/ja3: libnss support no longer required 5 years ago
Philippe Antoine 4e242645be doc: explicit header normalization further 
And their concatenation as described in RFC 2616
 5 years ago
Philippe Antoine 6b30890de9 doc: http.uri.raw has no spaces 
as they are in the protocol

cf bug #2881
 5 years ago
Victor Julien 7b4ac8dbab doc/userguide: update http keywords 5 years ago
Jeff Lucovsky a18a9d3046 doc: New sticky buffer icmpv4.hdr 5 years ago
Victor Julien c95850c6ce doc/rules: document config rule option 5 years ago
Shivani Bhardwaj 87617b200c doc/datasets: add info about memcap and hashsize 5 years ago
Victor Julien e1ecb7dc41 doc/datasets: explain reloads, general improvements 5 years ago
Jeff Lucovsky 06f41f608c doc: Improve grammar, spelling and clarifications 
This commit improves the overall documentation's grammar, spelling, and
adds clarifications  where needed.
 5 years ago
jason taylor b21160a6e3 doc: http.host keyword note for matching on port 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 5 years ago
Philippe Antoine 999af4f62a http2: adds documentation 5 years ago
Sascha Steinbiss c31360070b rust/mqtt: add MQTT parser 5 years ago
Philippe Antoine 1569f3e349 transform: adds url_decode keyword 
Fixes https://redmine.openinfosecfoundation.org/issues/2689

Adds a new source file to handle this keyword.
And modifies documentation, Makefile, and registration accordingly.

url_decode decodes url-encoded data, ie replacing '+' with space
and '%HH' with its value.
 5 years ago
Tristan Fletcher 6cbb4d4909 doc: fix spelling in flowbits image 5 years ago
Jeff Lucovsky 901fbae7b9 doc: Add byte_math documentation 5 years ago
Vadym Malakhatko a80f705d4b userguide: add documentation for Hassh usage 
1. Rules keywords
2. Json keywords
3. Usage in lua
4. Enabling in configuration file
 5 years ago
Jeff Lucovsky b116a56a32 doc: Correct typos 5 years ago
Jeff Lucovsky 59cc3c6281 doc: Update byte_extract doc 5 years ago
Victor Julien 82ac72782d doc/userguide: update app-proto list 5 years ago
Victor Julien e6330c354d doc/userguide: list valid rule actions 5 years ago
Jeff Lucovsky 5e4aa5b851 doc: Improve tos description 
This commit improves the description of the `tos` keyword by emphasizing
that the value used should adhere to the guidelines in RFC2474. Instead
of specifying the DSCP value directly, right shift the DSCP value and
use that.
 5 years ago
Jeff Lucovsky 3005dca3fd doc: pcrexform documentation 5 years ago
Jason Ish 0dd1b2a616 doc: typo: http.server_body should be http.response_body 
Thanks to Jason Williams for pointing this out.
 5 years ago
Todd Mortimer 6b4d32c6bb doc: Update documentation for by_rule and by_both thresholds. 5 years ago
Jeff Lucovsky 4ad6c5421a doc: fix documentation typos 5 years ago
Jeff Lucovsky bc01392e93 doc: Update byte_test documentation 5 years ago
Frank Honza 1c8943dedd add RFB parser 
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

 - rfb.name: Session name as sticky buffer
 - rfb.sectype: Security type, e.g. VNC-style challenge-response
 - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
 5 years ago
Philippe Antoine 6251deae21 doc: adds doc for ipv4.hdr signature keyword 5 years ago
Philippe Antoine 1cd314c500 detect: adds icmpv6.mtu keyword 5 years ago
Philippe Antoine 8396333493 detect: adds icmpv6.hdr keyword 5 years ago
Philippe Antoine af1361a988 doc: add missing documentation for ipv6.hdr keyword 5 years ago
jason taylor 1666bc0ad1 doc: minor capitalization fix 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 6 years ago
jason taylor 4f7dc4f136 doc: add bsize documentation and rule example 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 6 years ago
Jason Williams 55a36c79ff doc: update http keywords documentation 6 years ago
jason taylor 95237f9894 docs: update datasets examples 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 6 years ago
EmilienCourt 50bb8d4cb2 doc: fix typo on example 
Quotes have been forgotten in the dnp3.data example, which throws an
SC_ERR_INVALID_SIGNATURE(39) if used like in the example.
 6 years ago
Eric Leblond 9ef2f81ee7 doc/userguide: fix typo 6 years ago
Eric Leblond 821d590f5b doc/userguide: fix base64 example 
Add a sticky buffer example and fix the content modifier one.
 6 years ago
Konstantin Klinger 808ea0dba9 app-layer: remove obsolete msn protocol detection 6 years ago
Victor Julien 6d2bd6607e datasets: make clear the feature is experimental 6 years ago
Victor Julien 4061bf5ceb doc/datasets: update example config to map 6 years ago
Victor Julien be6cdd37f8 stream: remove fix stream.depth references 6 years ago
Giuseppe Longo dd5d0afd79 doc: add SIP keywords 6 years ago