aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
10,572 Commits
7 Branches
161 Tags
210 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '07df1ce6af'
${ noResults }
Commit Graph

8999 Commits (07df1ce6afffb35c0acd25b3b787ce04643306b1)

Author SHA1 Message Date
Victor Julien 07df1ce6af output: clarify registration 6 years ago
Victor Julien 284c3cf68a output/tx: bail early if no flow 6 years ago
Victor Julien ed99e9204f output: fatal error if root logger alloc fails 6 years ago
Danny Browning b573c16dd5 build: cbindgen 
Rust headers are now generated using cbindgen. If cbindgen is present, they can
be generated during dist, otherwise they will be available for builds.
 6 years ago
Victor Julien 2c050187a3 streaming/api: fix overlap check 
In some cases a SBB could be seen as overlapping with the requested
offset, when it was in fact precisely before it. In some special cases
this could lead to the stream engine not progressing the 'raw' progress.
 6 years ago
Victor Julien 0f41cf3d74 debug/validation: check tcp/app-layer data lengths 6 years ago
Victor Julien a742c86741 stream: improve app-layer data retrieval with GAPs 
Don't assume that the next block after the sbb head is after the
requested offset.

If the next block was before the offset, the returned data_len
would underflow and return a nonsense value to the app-layer.

Bug #2993.
 6 years ago
Jeff Lucovsky ed2f6ac64b modbus: Correct typo 6 years ago
Jeff Lucovsky d4428d94de modbus: Update correct TX flags 6 years ago
Jeff Lucovsky 6c2cdbb5f0 analysis: exit if table entries are stale 
This commit causes Suricata to exit when a buffer from the analyzer
table is not recognized.

Since the table must match what's registered, exiting will bring noticed
to the condition.
 6 years ago
Victor Julien 627cc23769 detect/asn1: fix offset bounds checking 6 years ago
Jason Ish 8609939e60 ipv4: continue parsing options after invalid option 
As long as an option has a valid length, we can continue
parsing the options after an invalid one.
 6 years ago
Jason Ish df8db1ddb0 ipv4: fail packet decoding on bad ipv4 option length 
Currently all failures in IPv4 option decode are ignore with
respect to continuing to handle the packet.

Change this to fail, and abort handling the packet if the
option length is invalid.

Ticket 3328:
https://redmine.openinfosecfoundation.org/issues/3328
 6 years ago
Victor Julien fa692df37a stream: reject broken ACK packets 
Fix evasion posibility by rejecting packets with a broken ACK field.
These packets have a non-0 ACK field, but do not have a ACK flag set.

Bug #3324.

Reported-by: Nicolas Adba
 6 years ago
Victor Julien 9f0294fadc stream: fix SYN_SENT RST/FIN injection 
RST injection during the SYN_SENT state could trick Suricata into marking
a session as CLOSED. The way this was done is: using invalid TSECR value
in RST+ACK packet. The ACK was needed to force Linux into considering the
TSECR value and compare it to the TSVAL from the SYN packet.

The second works only against Windows. The client would not use a TSVAL
but the RST packet would. Windows will reject this, but Suricata considered
the RST valid and triggered the CLOSED logic.

This patch addresses both. When the SYN packet used timestamp support
the timestamp of incoming packet is validated. Otherwise, packet responding
should not have a timestamp.

Bug #3286

Reported-by: Nicolas Adba
 6 years ago
Victor Julien df74f34a62 decode/tcp: accept TCP fast open cookie request 6 years ago
Victor Julien 040aff5197 htp: close request only from request side 
This allows the response side to keep going for just
a bit longer.
 6 years ago
Victor Julien 77539e08fc stream: in IDS mode, call app-layer at EOF 
On stream end call app-layer with empty message in IDS mode.
 6 years ago
Victor Julien eceb7dcba4 eve: support pcap_filename for unix socket mode 
Bug #3390.
 6 years ago
Philippe Antoine 4a2918e6b5 yaml: clarify comment about dump-all-headers 
Logs a warning if the value is unknown
Fixes #2810
 6 years ago
Victor Julien 007a461d69 detect/parse: track negation during address parsing 
Fix address negation detection not resolving variables when
looking for the negation.

This patch makes use of the actual parsing routines to relay this
information to the signature parser.

Bug #3389.

Fixes: 92f08d85aa ("detect/iponly: improve negation handling in parsing")
 6 years ago
Victor Julien 34b7035a0d detect/iponly: debug output improvements 6 years ago
Victor Julien 618ad0d92f app-layer: optimize inspection id tracking 
Increase the inspect id for a completely inspected tx in any case.
This avoids re-evaluating transactions.

Reported-by: Ilya Bakhtin
 6 years ago
Victor Julien f302f3543f files: add call for setting inspect sizes 
The inspect sizes are currently only used during file prune
house keeping for SMTP.
 6 years ago
Victor Julien f9f958d66e smtp: fix and clean up new file handling 
Set tx id on files that were just opened.

Move logic to a small util func.
 6 years ago
Victor Julien 683b22d114 smtp: use FILE_USE_DETECT for raw-extract 6 years ago
Victor Julien 21760bfc76 files: change pruning behavior 
If file prune is called inspect has already run. So if file is closed
we can just prune. No need to consider a window anymore.

When still in progress, fix the left_edge calculation.
 6 years ago
Victor Julien 682014619f files: fix FILE_USE_DETECT with --disable-detection 
Don't set FILE_USE_DETECT flag if detect is disabled.
 6 years ago
Victor Julien 4ac9cd2c70 files: move smtp prune logic to main 
Now that we call the file prune loop very regularly, we can move the
SMTP specific inspection pruning logic into this loop. Helps with
cases there we don't (often) update a files inspection trackers.
 6 years ago
Victor Julien 4b7599af90 http/file: modernize unittests 
Part of ticket #2975.
 6 years ago
Victor Julien 1cdb2182e4 fastlog: apply icmp type logic to icmpv6 too 6 years ago
Victor Julien 5ef05ffad1 http/multipart: small cleanup 6 years ago
Victor Julien aae00df4df http/multipart: use wider type for boundary lengths 
Use uint32_t for a local type instead of uint8_t to avoid casts.

Length should always stay under this regardless.
 6 years ago
Victor Julien 4d0db9cb4a http/multipart: optimize form end search 
If we already know that the boundary exists, we can start looking
there. Otherwise, we can skip trying as the boundary is a subset
of the form end marker.
 6 years ago
Victor Julien 54d93e1eb9 http/multipart: process incomplete file data 
Start processing multipart data as soon as it is available to
allow inspection sooner.
 6 years ago
Jeff Lucovsky fcfb679893 detect/analyzer: Suppress direction warnings 
This commit ensures direction warnings for ICMP v4 and v6
are suppressed and corrects check so that both protocols
are checked (instead of the same protocol being checked twice).
 6 years ago
Eric Leblond 1b9009ea0e suricata: fix computing of default packet size 
Update the default packet size computation to use LiveDeviceName
instead of LiveDevice as the LiveDevice list is not built when
the default packet size is built.
 6 years ago
Victor Julien c010f092e0 detect/replace: fix debug print issue 
Don't print field that will likely not be 0 terminated.
 6 years ago
Victor Julien c3ea5e71e5 detect/file.data: fix buffer reusing id 0 6 years ago
Victor Julien cd66c37711 http/multipart: use proper progress value to test eof 6 years ago
Philippe Antoine 08b84e060b fastlog: use icmp type and code instead of port 
Fixes #3266
 6 years ago
Philippe Antoine 75a7d9641c fastlog: move code to reduce variable scope 6 years ago
Philippe Antoine c2fdd7c969 transform: fixes comment about compress_whitespace 6 years ago
Philippe Antoine 9126fc25c1 transform: updates doc about compress_whitespace 
And removes duplicate test from strip_whitespace
 6 years ago
Eric Leblond 3ded7f1170 qa/coccinelle: fix false positive in setter getter 
Coccinelle test was doing a false positive on the function
AppLayerParserStateSetFlag and AppLayerParserStateIssetFlag.
To address that, this patch adds a new coccinelle markup:

 /* coccinelle: AppLayerParserStateSetFlag():2,2:APP_LAYER_PARSER_ */

It indicates that AppLayerParserStateSetFlag is a setter and getter
and that the checks should be disabled inside the function.

Currently this markup is only used for that but following patch will
add some checks on option value.
 6 years ago
Jeff Lucovsky 8f4f1cb633 detect/analyzer: Improved fast pattern display 
When transforms are part of a rule, improve information displayed with
fast patterns to include the original buffer name and whether any
transform(s) are applied.
 6 years ago
Jeff Lucovsky c88c1f1e14 detect/analyzer: Suppress direction warnings 
This commit suppresses direction warnings by the rules analyzer for ICMP
and ICMPV6 since it's not actionable.
 6 years ago
Victor Julien 83bbe287e7 stats: fix stats not always syncing in flow timeout 6 years ago
Jason Ish ba3a2c31bf app-layer: validate TX detect flag callbacks 
Check that both are set or unset.
 6 years ago
Jason Ish 706558d4d5 enip: add tx detect flags 6 years ago