aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
13,546 Commits
7 Branches
155 Tags
195 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '01e64d80da'
${ noResults }
Commit Graph

440 Commits (01e64d80dae179d445d17431a390e84098287b90)

Author SHA1 Message Date
Jason Ish e26718aea3 drop-log: remove drop log (deprecated) 
Remove the old style line based drop log.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2381
 5 years ago
Jason Ish 6ce9b2972b rdp: enable by default 
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3255
 5 years ago
Jason Ish 5a7ba62493 sip: enable by default 
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3256
 5 years ago
Jason Ish 6850dbc852 suricata.yaml: remove filestore v1 configuration 5 years ago
Victor Julien 1aaf9a80c5 decode/vxlan: minor yaml example clarrification 5 years ago
Victor Julien e97cdb48f3 decode/teredo: implement port support 
Implement support for limiting Teredo detection and decoding to specific
UDP ports, with 3544 as the default.

If no ports are specified, the old behaviour of detecting/decoding on any
port is still in place. This can also be forced by specifying 'any' as the
port setting.
 5 years ago
Frank Honza 1c8943dedd add RFB parser 
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

 - rfb.name: Session name as sticky buffer
 - rfb.sectype: Security type, e.g. VNC-style challenge-response
 - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
 5 years ago
Jeff Lucovsky 0c5c2173bc config: General typo and grammar cleanup 5 years ago
Jason Ish 76582e34c1 suricata.yaml/dns: removed unused settings 
Remove DNS settings global-memcap, state-memcap and request-flood.
These have never been used in the Rust implementation of the DNS
decoder.
 5 years ago
Jason Ish d86973b386 unified2: remove deprecated output unified2 
Ticket 2385:
https://redmine.openinfosecfoundation.org/issues/2385
 5 years ago
Phil Young 1c99536945 napatech: add hardware based bypass support 
Napatech hardware bypass support enables Suricata to utilize
capabilities of Napatech SmartNICs to selectively bypass flow-based
traffic.
 5 years ago
Philippe Antoine 4a2918e6b5 yaml: clarify comment about dump-all-headers 
Logs a warning if the value is unknown
Fixes #2810
 5 years ago
Jason Ish 16221c0b33 suricata.yaml/dns: small cleanups, not that default is v2 
Note that the eve dns log format is version 2 by default.

Make the value of commented out values their default.

Update the comment on the types to better reflect what it does.
 5 years ago
Philippe Antoine 6921608673 http: updates suricata.yaml comments 
As well as the userguide documentation about suricata.yaml
 5 years ago
Konstantin Klinger 808ea0dba9 app-layer: remove obsolete msn protocol detection 5 years ago
Victor Julien ebecaca7ea eve/anomaly: enable by default 
Default config will only enable 'app-layer' type within the anomaly
logger.
 5 years ago
Victor Julien 514c7c1a04 yaml: minor improvements 5 years ago
Victor Julien cec8067001 yaml: clean up 'autofp-scheduler' option 5 years ago
Jeff Lucovsky 883cad1a86 logging/anomaly: Clarify anomaly logging 
Clarify the description of the anomaly logging types.
 5 years ago
Jeff Lucovsky af615baaf7 logging/alert: Expand alert logging description 
Clarify the configuration requirements for alerts and http-body logging.
 5 years ago
Victor Julien 788c9f8f11 tls/ja3: don't disable; allowing runtime enabling 5 years ago
jason taylor e4156b2f89 config: update lzma size notes to match others 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 5 years ago
Jason Ish 6c2e9ac27c suricata.yaml: mark drop.log as deprecated 5 years ago
Jason Ish 4e12984ac8 suricata.yaml: mark unified2 as deprecated 5 years ago
Jason Ish d891a8cb79 config: remove all but a stub of file-store v1. 
Remove most of the file-store v1 configuration section and mark
it as deprecated. Provide a link where to find the available
options.
 5 years ago
Victor Julien be6cdd37f8 stream: remove fix stream.depth references 5 years ago
Philippe Antoine af4f816204 http: sets compression bomb limit 6 years ago
Philippe Antoine c09ad01836 http: disable lzma decompression from configuration 6 years ago
Victor Julien 8765839084 sip: disable output by default 6 years ago
Jason Ish a45a2fa1fc sip: disable by default in 5.0 6 years ago
Giuseppe Longo edc2a583a9 rust/sip: add SIP logger 6 years ago
Giuseppe Longo 2e975a0481 rust/sip: add parser for SIP protocol 6 years ago
Jason Ish 4111272c88 config/anomaly: use enabled key word; cleanups 
The anomaly section was commented out, but the types sub object
was not, which then attached the types keyword to the previous
object.

Instead keep "anomaly" enabled in the yaml (not commented out)
and use the "enabled: no" to have it disabled by default.

Additonally reformat the comments to be better viewed in 80
columns.
 6 years ago
Jason Ish 61a6eaf330 htp/lzma: set limit from configuration 
Also use a default defined in Suricata, not libhtp.
 6 years ago
Jeff Lucovsky aaacbf28c2 logging/anomaly: Support configuration filter types 6 years ago
Victor Julien c1b333c96e rdp: disable eve.rdp by default 6 years ago
Jason Ish 664605b5f1 rdp: disable rdp by default for 5.0 6 years ago
Zach Kelly caef8b5b38 protocol parser: rdp 
Initial implementation of feature 2314:
1. Add protocol parser for RDP
2. Add transactions for RDP negotiation
3. Add eve logging of transactions
 6 years ago
Shivani Bhardwaj 59da7ae302 counters: Add new default for decoder events 
Set the new default for decoder events to `decoder.event` instead of the
previously used `decoder`. Remove the corresponding warning for 5.0.
 6 years ago
Victor Julien d5009c5d8c doc/stream: briefly explain bypass 6 years ago
Jason Ish 55852d0de3 rules: remove configuration for legacy rule handling 
Removes the autoconf, and suricata.yaml sections for using
the legacy style of rule management.
 6 years ago
Jeff Lucovsky 2149807bd6 eve/ftp: Transaction support for unmatched requests 
Modified transaction logic to create a new transaction with each
request; replies location transactions by using the oldest "open"
(unmatched) transaction or the last transaction if none are open.
 6 years ago
Jeff Lucovsky 9b88ecb3c1 suricata.yaml: Add ftp logging option to eve-log 6 years ago
Bill Meeks a291209e47 detect/geoip: migrate to GeoIP2 database format 
Issue #2765
 6 years ago
Victor Julien 82de6e0659 decoder/vxlan: improvements and cleanups 
Implement port config handling. Also check both src port and dest
port for tunnels that only set the destination port to the VXLAN
port. At the point of the check we don't know the packet direction
yet.

Implement as Suricata tunnel similar to Teredo.

Cleanups.
 6 years ago
Jason Ish 577c8cb0c0 dns-log: remove from config 
dns-log has been removed from the code.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2297
 6 years ago
Eric Leblond 4e94c2b8c2 suricata.yaml: fix path to ebpf and xdp doc 6 years ago
Pierre Chifflier 6fc7fc74cb SNMP: add logger 6 years ago
Pierre Chifflier 2df840a8b8 Add SNMP (v1/v2c/v3) application layer 6 years ago
Mats Klepsland a4eaef25d6 eve: add JA3S field to TLS JSON logger 
Add JA3S object to TLS JSON logger (extended log).
 6 years ago
Eric Leblond 5d76f0897c af-packet: remove rollover reference 
This patch removes reference to rollover in the configuration file
and add warnings when it is used.
 6 years ago
Jeff Lucovsky cc492c50c8 eve/logging: disable anomaly logging by default 
Disable anomaly logging by default. Networks with excessive issues may
experience packet processing degradation.
 6 years ago
Jeff Lucovsky a8938f449d logging: Anomaly logging 
This changeset adds anomaly logging to suricata for issue 2282.

Anomaly logging is controlled via the `anomaly` section within eve-log.
There is a single option -- `packethdr` -- for including the packet header
in the anomaly.
 6 years ago
Jason Ish fc3191dc2d config: enable all things requiring Rust 
Instead of only enabling them if Rust is enabled, as Rust is
always enabled now.
 6 years ago
Phil Young 05271bfbe5 napatech: simplify integration with Napatech cards 
- There is now an option to automatically create streams on the
  correct NUMA node when using cpu affinity.

- When not using cpu affinity the user can specify streams to be
  created in the suricata.yaml file.  It is no longer required to
  use NTPL to create streams before running suricata.

- The legacy usage model of running NTPL to create streams is still
  available. This can be used for legacy configurations and complex
  configurations that cannot be satisfied by the auto-config option.
 6 years ago
Victor Julien d00950be81 log/file: use default-log-dir for suricata.log 
Default to just suricata.log instead of the full path, so that
in user mode we can log in the user mode location.
 6 years ago
Eric Leblond abe2836caf suricata.yaml: fix name of encryption-handling var 6 years ago
Victor Julien d6903e70c1 file-log: remove and add warning 
Feature was deprecated and scheduled for removal.

Ticket #2376
 6 years ago
Victor Julien 6fcd2db043 tile: remove files 6 years ago
Victor Julien 517b45ea2d netmap: switch to nm_* API 
Process multiple packets at nm_dispatch. Use zero copy for workers
recv mode.

Add configure check netmap check for API 11+ and find netmap api version.

Add netmap guide to the userguide.
 6 years ago
Maurizio Abba 6c0ec0b2f3 eve/http: add request/response http headers 
Add a keyword configuration dump-all-headers, with allowed values
{both, request, response}, dumping all HTTP headers in the eve-log http
object. Each header is a single object in the list request_headers
(response_headers) with the following notation:

{
    "name": <header name>,
    "value": <header value>
}

To avoid forged malicious headers, the header name size is capped at 256
bytes, the header value size at 2048.

By default, dump-all-headers is disabled.
 6 years ago
Maurizio Abba 4697351188 smtp: create raw-extraction feature 
Add a raw-extraction option for smtp. When enabled, this feature will
store the raw e-mail inside a file, including headers, e-mail content,
attachments (base64 encoded). This content is stored in a normal File *,
allowing for normal file detection.
It'd also allow for all-emails extraction if a rule has
detect-filename:"rawmsg" matcher (and filestore).
Note that this feature is in contrast with decode-mime.

This feature is disabled by default, and will be disabled automatically
if decode-mime is enabled.
 6 years ago
Victor Julien 0d86263efd eve.stats: make decoder event prefix configurable 6 years ago
Victor Julien 1dd81f7346 yaml: add missing eve pcap-file comment 6 years ago
Jason Ish 87250da0fc rust/dns: add v1 dns logging 
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2704
 6 years ago
Travis Green 3539ae3041 Updated link for Prelude SIEM 
Updated link for Prelude SIEM to https://www.prelude-siem.org/
 6 years ago
Eric Leblond 24806c2102 suricata.yaml: fix path to XDP doc 6 years ago
Victor Julien 1467c30883 pfring: implement 'threads: auto' 
If threads is set to auto, first try the CPU count. If that would
fail, fall back to RSS queue count.
 6 years ago
Victor Julien 3ba2c9fba7 pfring: multiple receive threads is not experimental 6 years ago
Victor Julien 4f84672d7c stats: decoder/stream events as stats 6 years ago
Victor Julien c4d8508f51 eve/json: introduce community flow id 
Add support for community flow id, meant to give a records a
predictable flow id that can be used to match records to
output of other tools.

Takes a 'seed' that needs to be same across sensors and tools
to make the id less predictable.
 6 years ago
Victor Julien ed712768d5 rust: enable by default 
Remove 'experimental' label for Rust, and enable it by default if
rustc and cargo (and libjansson) are available.

Add rustc and cargo versions to the build-info.
 6 years ago
Victor Julien 8b213e9d63 yaml: fix typo 7 years ago
jason taylor d038c78cd6 config: added ja3 to tls custom logging example 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 7 years ago
Konstantin Klinger 2938f797f2 yaml: add var for DC_SERVERS (Domain Controller) 7 years ago
Konstantin Klinger 99193b1492 yaml: add note for dns v1 not available with rust 7 years ago
Konstantin Klinger a3832e4594 yaml: add note for dns.log with Rust 
It is not availbale when rust is enabled.
 7 years ago
Victor Julien 0b46d027d0 rust/smb: implement stream-depth, unlimited by default 7 years ago
Jason Ish 64b6ff7392 config: better default rule file configuration 
Move the rule file configuration down near the bottom of the
configuration file under advanced settings. With the bundling
of Suricata-Update, any rule file configuration within
suricata.yaml could be considered advanced.

Add extra comments to the yaml to make it more clear which was
enabled at installation time.
 7 years ago
jason taylor a2bc008093 add note about eve-alert metadata 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 7 years ago
Victor Julien 693a3df031 tls: document encrypt-handling option 
Document in sample yaml and user guide.
 7 years ago
Jason Ish 9210d8743b rust/dhcp: Rust based DHCP decoder and logger. 
This is a DHCP decoder and logger written in Rust. Unlike most
parsers, this one is stateless so responses are not matched
up to requests by Suricata. However, the output does contain
enough fields to match them up in post-processing.

Rules are included to alert of malformed or truncated options.
 7 years ago
Pierre Chifflier 6ae53a1869 Add event rules for Kerberos 5 7 years ago
Pierre Chifflier fd175f2bfb Add logger for Kerberos 5 metadata 7 years ago
Pierre Chifflier 77f0c11c9e Add Kerberos 5 application layer 7 years ago
Jason Ish 0d51ebc71a eve/alert: use eve-level xff config by default 
The alert section can still have an xff configuration which
will take priority over the eve level xff config.
 7 years ago
Jason Ish 36ec1281b2 eve/files: use eve-level xff config by default 
The files section can still have an xff configuration which
will take priority over the eve level xff config.
 7 years ago
Jason Ish 6607ee8489 eve/http: use eve-level xff config by default 
The http section can still have an xff configuration which
will take priority over the eve level xff config.
 7 years ago
Jason Ish 576584152c eve: use eve-level xff configuration 
If an "xff" configuration section exists on the eve object,
parse and save it for child loggers to use.
 7 years ago
Maurizio Abba 2543930d74 xff: Use XFF configuration in eve and filestore 
XFF configuration is already set in app-layer-htp-xff, and in
output-json-alert. Extending XFF configuration to files and HTTP allow
to get the same behavior as for alerts.

Extend the configuration of filestore json to let filestore metafile
dump be aware of xff. This is available only if write-fileinfo is set
to yes and file-store version is 2.
 7 years ago
Max Fillinger b85a0b188b Add an option for compressing pcap-log files 
Introduces the option 'outputs.pcap-log.compression' which can be set
to 'none' or 'lz4', plus options to set the compression level and to
enable checksums. SCFmemopen is used to make pcap_dump() write to a
buffer which is then compressed using liblz4.
 7 years ago
Jason Ish e048a74ecd rules: set default rule dir to suricata-update if bundled 
If suricata-update is bundled, set the default-rule-dir
to lib/suricata/rules under the $localstatedir

For now use 2 rule-files section that are renamed depending
on if suricata-update is bundled or not.
 7 years ago
Victor Julien f201a3761f rust: remove multi level 'experimental' 
Don't treat 'external' parsers as more experimental. All parsers
depend on crates to some extend, and all have C glue code. So the
distinction doesn't really make sense.
 7 years ago
Pierre Chifflier d16397ce61 Add rules for IKEv2 events 7 years ago
Pierre Chifflier c99b9462d7 Add new parser: IKEv2 
Add a new parser for Internet Key Exchange version (IKEv2), defined in
RFC 7296.
The IKEv2 parser itself is external. The embedded code includes the
parser state and associated variables, the state machine, and the
detection code.

The parser looks the first two messages of a connection, and analyzes
the client and server proposals to check the cryptographic parameters.
 7 years ago
Eric Leblond 66b37d8689 suricata.yaml: fix some spelling mistakes 7 years ago
Mats Klepsland c130820bff conf: user-configurable umask setting 
Make umask user-configurable by setting 'umask' in suricata.yaml.
 7 years ago
Mats Klepsland 0c16cd0120 app-layer-ssl: generate JA3 fingerprints 
Decode additional fields from the client hello packet and generate
JA3 fingerprints.
 7 years ago
Giuseppe Longo 869b7c0e0c output-json-dns: add new configuration 
This patch adds a new configuration for dns,
introducing a "version" that permits to switch
between the new and old format to provide
backward compatibility.

The new configuration is made up of these new fields:
- version
- requests (query)
- response (answer)
- types (custom)
 7 years ago
Victor Julien 251a8e7deb smb: add smb to default eve-log config 7 years ago