Anoop Saldanha | c61c68fd36 | mpm and fast pattern support for http_header. Also support relative modifiers for http_header | 15 years ago
Anoop Saldanha | 778ec0939c | make client body buffer limit configurable. Also some minor changes | 15 years ago
Anoop Saldanha | 0aa5cffb12 | fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added | 15 years ago
Anoop Saldanha | c227aeeacb | remove support for skipping reinspecting fast pattern contents once again during packet payload inspection. Also make some changes to our detection engine | 15 years ago
Anoop Saldanha | bbd0c5056b | store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq | 15 years ago
Anoop Saldanha | 6df051321f | fix fp when content is negated and also added to mpm | 15 years ago
Anoop Saldanha | 5c6a65dc58 | support relative modifiers for http_client_body. Introduce body processing engine in detect-engine-hcbd.[ch] | 15 years ago
Anoop Saldanha | 3d2f81d978 | replace all Signature->dmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_DMATCH] | 15 years ago
Anoop Saldanha | a7353be20d | replace all Signature->amatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_AMATCH] | 15 years ago
Anoop Saldanha | e0476242c6 | replace all Signature->umatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_UMATCH] | 15 years ago
Anoop Saldanha | e54358a9e1 | replace all Signature->pmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_PMATCH] | 15 years ago
Anoop Saldanha | 82fd581b64 | replace all sm lists (match, pmatch, dmatch, umatch, amatch, tmatch) with an array Signature->sm_lists[]. Replace all Signature->match instances in the engine with Signature->sm_lists[DETECT_SM_LIST_MATCH] | 15 years ago
Victor Julien | 001f91056e | Add http_raw_header as an alias to the http_header keyword as that actually inspects the raw headers (see issue #243). Closes issue #242. | 15 years ago
Gurvinder Singh | b7da115e6d | support for http_stat_code keyword has been added to detection module | 15 years ago
Gurvinder Singh | 1deae70cf7 | added http_stat_msg keyword support for detection module | 15 years ago
Anoop Saldanha | 2cdb5be391 | Print out file name for fast_pattern engine_analysis. Also add some info logs | 15 years ago
Anoop Saldanha | a2d04a94b5 | selecting auto for detect-engine.sgh_mpm_context now uses single if the mpm is ac, full otherwise | 15 years ago
Anoop Saldanha | 174048544d | fix hash generation in b2g and ac addpattern. Brings down the no. of patterns added from close to a million to a couple of thousands | 15 years ago
Anoop Saldanha | 0ef684705c | support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup | 15 years ago
Anoop Saldanha | a85fa6b792 | support for fast_pattern only and fast_pattern:offset,length. Also support the new option for engine-analysis | 15 years ago
Anoop Saldanha | 0d741b9a55 | fix for bug 227. For negated contents that have been added to mpm we might have pmq.pattern_id_array_cnt as 0. We can't ignore inspecting sigs if this is 0, in case the content added is negated | 15 years ago
Victor Julien | cbd4c298ed | Initial version of a new bitmask based signature pre-filtering method. | 15 years ago
Victor Julien | 94898a91cc | Reorganize SigMatchSignatures. | 15 years ago
Victor Julien | fc248ca7a1 | Many small performance updates. | 15 years ago
Pablo Rincon | 5c43db85ce | Drop streams on inline mode when a drop rule matches from a reassembled stream and/or app layer inspection | 15 years ago
Anoop Saldanha | f094523eb1 | clang fix - some minor fixes for unittests | 15 years ago
Pablo Rincon | 9d7baa7a9f | Adding ssh app layer module with two new keywords: ssh.protoversion and ssh.softwareversion | 15 years ago
Victor Julien | 04d3832d8f | Remove ports check and fix small typo. | 15 years ago
Victor Julien | a492518e7a | Properly detect detect-event-only sigs. | 15 years ago
Pablo Rincon | 21d79b05ad | Fix for bug 221 (avoid considering sig as "decoder event only" if ports are specified). Now the sig gets grouped to get a sgh at SigMatchSignatures | 15 years ago
Victor Julien | 6299fbfb0f | Fix stream msg content inspection not inspecting the correct id. | 15 years ago
Victor Julien | 1071a53210 | Fix unittests after ip_proto keyword change. | 15 years ago
Pablo Rincon | 70bda6506d | Fix for bug 180 (check proto specified at the IP hdr) | 15 years ago
Victor Julien | 7acb97da9d | Use same mpm prepare procedure for uricontent as for normal content. More cleanups. | 15 years ago
Victor Julien | 9ba11dbfbd | Clean up detection engine mpm initialization phase. | 15 years ago
Victor Julien | 0d008c8135 | Change stateful detection engine to be able to start the stateful detection separate from other sigs. Fixes bugs #213, #214, #215. | 15 years ago
Victor Julien | 689d05b10b | Add missing protocol check in the sig matching process. This prevents FPs such as the one reported in bug #209. | 15 years ago
Victor Julien | 0219b767b8 | Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly set up. | 15 years ago
Victor Julien | 102092a89c | Make signature address matching more cache efficient. | 15 years ago
Victor Julien | 1eec149f5e | Use Address structure in DetectAddress struct. | 15 years ago
Victor Julien | c6ddcda7f8 | Improve out of memory handling during initialization. | 15 years ago
Victor Julien | bfd167521e | Fix DCERPC over SMB/SMB2 detection issues. Fix not updating transaction id in a stream direction if there was no sgh. | 15 years ago
Anoop Saldanha | 33f4beb0bc | batching of packets support for cuda b2g mpm. Supported for both 32 and 64 bit platforms | 15 years ago
Victor Julien | b3c22cd512 | Improve app layer proto check. | 15 years ago
Victor Julien | 39cb1bdbda | Fix app layer sigs being recognized as decoder event only or ip only. | 15 years ago
Victor Julien | d41b5645ef | Make sure decoder event rules are inspected even if the packet is invalid and has no addresses or proto. Update fast log and alert debug log to display the alerts. Fixes #179. | 15 years ago
Victor Julien | e685579231 | Add optional structure validation code. | 15 years ago
Victor Julien | 393acd77d2 | Detection improvements: uricontent escaping now working, better negated pattern (content) handling. | 15 years ago
Anoop Saldanha | 9ecade76b9 | in case of duplicate signatures use the one with the latest revision | 15 years ago
Gurvinder Singh | 8852b83fa7 | flowbits, flowvars, pktvars, flow flags and app layer info added to alert-debug.log | 15 years ago