suricata

Commit Graph

Author	SHA1	Message	Date
Victor Julien	869109a6a0	stream/app layer: add Truncate app layer callback that is called if stream depth is reached. Use it to trunc open files in HTTP.	13 years ago
Victor Julien	8f71333e12	file: implement filesize keyword. #489 .	13 years ago
Victor Julien	87ec969b3d	filemd5: fix compilation if libnss isn't available	13 years ago
Victor Julien	c9e93ec52c	filemd5: add support code for md5 handling for signatures.	13 years ago
Victor Julien	5b457807e2	file: fix file length and md5 tracking when file storing is disabled	13 years ago
Victor Julien	22349f863b	file magic: don't disable inspecting magic for both directions if files in only one direction don't need magic.	13 years ago
Victor Julien	e3935a2af2	Improve http filename parsing.	13 years ago
Victor Julien	8b1333a277	Add more flow lock assertions to the debug validation code.	13 years ago
Victor Julien	5ba41c7890	Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked.	13 years ago
Victor Julien	337f7861a4	Make sure that if not built against libnss, we still compile. Only no md5 for you then\!	13 years ago
Victor Julien	69b3df96fb	Initial on the fly MD5 calculation for extracted files using libnss.	13 years ago
Victor Julien	18d79c4215	file store: respect flowbits and other keywords The filestore keyword until now flagged a file, tx or ssn for storage as soon as the keyword was inspected. This happens before flowbits and some other keywords, so files were stored that weren't supposed to. This patch makes the filestore keyword fill an array in the detect engine thread ctx. Then if the full signature matches, a post-match filestore function makes the store final.	13 years ago
Victor Julien	9878eca086	file handling: expand filestore keyword Filestore keyword by default (... filestore; ... ) marks only the file in the same direction as the rule match for storing. This makes sense when inspecting individual files (filemagic, filename, etc) but not so much when looking at suspicious file requests, where the actual file is in the response. The filestore keyword now takes 2 optional options: filestore:<direction>,<scope>; By default the direction is "same as rule match", and scope is "currently inspected file". For direction the following values are possible: "request" and "to_server", "response" and "to_client", "both". For scope the following values are possible: "tx" for all files in the current HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow. For the above case, where a suspious request should lead to a response file download, this would work: alert http ... content:"/suspicious/"; http_uri; filestore:response; ...	13 years ago
Victor Julien	b74c73309b	file handling: improve filestore keyword handling In stateful detection only inspect the file portion of the rule after all other conditions matched. This to prevent "filestore" from tagging files for storage during a partial match. Add a couple of unittests to test the behaviour change.	13 years ago
Victor Julien	4cbe7519fa	Add missing file util code.	13 years ago

15 Commits (0eeccb4b176b3a0a4c2717f14fd0bd668520e6fa)