aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
12,701 Commits
8 Branches
165 Tags
213 MiB
main-8.0.x
main-7.0.x
main
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '15f493f516'
${ noResults }
Commit Graph

10438 Commits (15f493f516a452ca810f77595fb57f8e2e96d6e3)

Author SHA1 Message Date
Juliana Fajardini 0bf1227f0f pgsql: fix defect found by coverity 
Pgsql was using bitwise operations to assign password output config to
its context flags, but mixing that with logic negation of the default
value, resulting in the expressions having a constant value as result.

Bug: #5007
 4 years ago
Jason Ish 59ac1fe277 logging: change ownership of application log if needed 
When running with privilege dropping, the application log file
is opened before privileges are dropped resulting in Suricata
failing to re-open the file for file rotation.

If needed, chown the application to the run-as user/group after
opening.

Ticker #4523
 4 years ago
Jason Ish 08518df373 startup: initialize run as user info sooner 
Initialize the run-as user info after loading the config, but
before setting up logging (previously it was done while initializing
signal handlers). This will allow the log file to be given the
correct permissions if Suricata is configured to run as a non-root
user.
 4 years ago
Lukas Sismis f668524731 dpdk: adjust setting of MTU to the new DPDK API (21.11) 4 years ago
Philippe Antoine e8060990d1 detect: fix possible leak found by coverity 
Conditions to create the leak are likely not reachable,
but this is still a bad pattern.
 4 years ago
Juliana Fajardini 579d7dcc01 pgsql: add initial support 
- add nom parsers for decoding most messages from StartupPhase and
SimpleQuery subprotocols
- add unittests
- tests/fuzz: add pgsql to confyaml

Feature: #4241
 4 years ago
Shivani Bhardwaj 8918f53f6b smtp: use AppLayerResult instead of buffering 
Also, remove tests that check for the removed buffers and any middle
states while parsing and buffering.

Ticket 4907
 4 years ago
Victor Julien e02b52c895 quic: add quic.ua for matching user agent 4 years ago
Victor Julien da8b024b99 detect/quic: add quic.sni sticky buffer 4 years ago
Victor Julien 24a21af4ab quic: redo quic.version; parser cleanups 
Reimplement quic.version as sticky buffer.

Removed unused parts of the parser.

Set unidirectional tx flag to fix double matching.
 4 years ago
Emmanuel Thompson 7e51987263 quic: Add QUIC App Layer 
Parses quic and logs a CYU hash for gquic frames
 4 years ago
Philippe Antoine 23fb139e00 detect: do not upgrade base64 decode when fuzzing 
As fuzzing will put a very big value, and then
ThreadCtxDoInit will try to allocate it,
ending in out of memory
 4 years ago
Victor Julien ca29d33c69 proto-detect: set flags in packet direction for UDP 4 years ago
Victor Julien 449cc82943 proto-detect: fix UDP not setting alproto_ts/tc 
This would lead to the `app-layer-protocol` keyword not matching correctly.
 4 years ago
Philippe Antoine 0cfdec1266 detect: xor transform 
Ticket: 3285

The xor transform applies xor decoding to a buffer, with a key
specified as an option in hexadecimal. Arbitrary key sizes are
accepted.
 4 years ago
Philippe Antoine 1d4fe38ccb detect: adds test with invalid uint mode << 4 years ago
Philippe Antoine 2012b14470 detect: use generic functions for icode parsing 4 years ago
Philippe Antoine e2370d6861 fuzz: cleans all flow after one run 
Makes the fuzz target more stateless

And manages to find bugs on the FlowFree path
 4 years ago
Philippe Antoine add1a0f561 fuzz: use parsed rules in sigpcap target 
Ticket: 4125

As commit d21a252238
But for sigpcap target as well
 4 years ago
Philippe Antoine 529678d501 dns: wrap with HAVE_LUA 
This is just code style, to minimize the compiled code.
 4 years ago
Philippe Antoine 6885b66883 fuzz: enable template protocols 
Ticket: 4125
 4 years ago
Philippe Antoine ed11e32076 enip: fix too restrictive check in probing parser 
As is shown later in the code, enip_len can be
ENIP_LEN_REGISTER_SESSION which is 4, which is
smaller than sizeof(ENIPEncapHdr) which is 24
 4 years ago
Philippe Antoine 09c84d0c26 fuzz: use fuzzing confyaml for protodetect target 
As is done for other targets,
so that all app-layer protocols are enabled,
even the ones disabled by default such as enip

And resets protocol detection every time we try
so that probing_parser_toserver_alproto_masks are fresh.
 4 years ago
Victor Julien 44c9241b6a telnet: initial support with frames 
Bootstrapped using setup script. Basic option parsing for purpose
of tagging frames.
 4 years ago
Victor Julien fc4279de85 htp: improve request/response size accuracy 4 years ago
Victor Julien 52ad906d31 htp: implement basic request/response frames 4 years ago
Victor Julien af797b5926 ssl: implement frames for SSLv3 and TLS 4 years ago
Victor Julien a492d94826 detect/frames: implement 'frame' keyword 
Implement a special sticky buffer to select frames for inspection.

This keyword takes an argument to specify the per protocol frame type:

    alert <app proto name> ... frame:<specific frame name>

Or it can specify both in the keyword:

    alert tcp ... frame:<app proto name>.<specific frame name>

The latter is useful in some cases like http, where "http" applies to
both HTTP and HTTP/2.

    alert http ... frame:http1.request;
    alert http1 ... frame:request;

Examples:

    tls.pdu
    smb.smb2.hdr
    smb.smb3.data

Consider a rule like:

    alert tcp ... flow:to_server; content:"|ff|SMB"; content:"some smb 1 issue";

this will scan all toserver TCP traffic, where it will only be limited by a port,
depending on how rules are grouped.

With this work we'll be able to do:

    alert smb ... flow:to_server; frame:smb1.data; content:"some smb 1 issue";

This rule will only inspect the data portion of SMB1 frames. It will not affect
any other protocol, and it won't need special patterns to "search" for the
SMB1 frame in the raw stream.
 4 years ago
Victor Julien 02f98796a7 detect/frames: limit mixing frames and other detection 
Don't allow mixing of payload/stream/tx and frame keywords. Initial
support is only for 'pure' frame inspection.
 4 years ago
Victor Julien 3cbe33de57 detect/analyzer: add frame support 4 years ago
Victor Julien f6f124f283 detect/engine: support frames 
Implement the low level detect engine support for inspecting frames,
including MPM, transforms and inspect API's.
 4 years ago
Victor Julien c0ec3984fa eve/alert: add support for logging frame 
If detection was done in a frame, the frame will be added to the
eve.alert output.
 4 years ago
Victor Julien 60bfade351 eve: implement frame logging 
This is mostly to assist development and QA. It produces too much data
for practical use.
 4 years ago
Victor Julien a27ee49c73 app-layer: move app_progress forward on errors as well 
In case of APP_LAYER_ERROR still move the app_progress forward.
This helps validation of frame offsets and should be harmless
otherwise.
 4 years ago
Victor Julien 1556e86c7d app/frames: initial support 
The idea of stream frames is that the applayer parsers can tag PDUs and
other arbitrary frames in the stream while parsing. These frames can then
be inspected from the rule language. This will allow rules that are more
precise and less costly.

The frames are stored per direction in the `AppLayerParserState` and will only
be initialized when actual frames are in use. The per direction storage has a
fixed size static portion and dynamic support for a larger number. This is done
for effeciency.

When the Stream Buffer slides, frames are updated as they use offsets relative
to the stream. A negative offset is used for frames that started before the
current window.

Frames have events to inspect/log parser errors that don't fit the TX model.

Frame id starts at 1. So implementations can keep track of frame ids where 0
is not set.

Frames affect TCP window sliding. The frames keep a "left edge" which
signifies how much data to keep for frames that are still in progress.
 4 years ago
Victor Julien e6f49e5a05 app/frames: implement name to id API for frames 4 years ago
Victor Julien eeee740e84 stream: add util function to get 'usable' data 4 years ago
Lukas Sismis 52d8d35453 dpdk: fix received/error counters 4 years ago
Victor Julien 3cbbe66ea2 tests/pppoe: clean up more tests to use PASS/FAIL macros 4 years ago
Steven Ottenhoff 6bf2117056 pppoe: fix protocol field length variation 
Detect when protocol field is not a 16 bit field.
Added tests to prove logic

Ticket: 4810
 4 years ago
Steven Ottenhoff 260bc03603 test/pppoe: refactor to use FAIL/PASS macros 4 years ago
Modupe Falodun 3dbf74ff10 detect-file-data: remove SMTP unittests 
These tests are reimplemented as Suricata-verify tests

Task: 4938
 4 years ago
Eric Leblond 264eddb81f output/alert: don't call basic logging twice 
Issue: 4106
 4 years ago
Victor Julien a7e77dd22d stream: suppress noisy debug message 4 years ago
Victor Julien 78f5e082f5 stream: fix stream pruning being too aggressive 
Pruning of StreamBufferBlocks could remove blocks that fell entirely
after the target offset due to a logic error. This could lead to data
being evicted that was still meant to be processed in theapp-layer
parsers.

Bug: #4953.
 4 years ago
Victor Julien 544ff0fb52 stream: debug code for showing segment list state 4 years ago
Jeff Lucovsky f30d8ece80 detect: Avoid recomputing ntohl() in addr match 
This commit makes a small optimization when comparing IPv4 and IPv6
addresses by making the host order value invariant and calculating the
value once, before entering the loop.
 4 years ago
Philippe Antoine 86ea7f2474 file: define own variable instead of PATH_MAX 
to be used for maximum size of file names,
and not depend on the OS
 4 years ago
Philippe Antoine c56b1c99d5 ssl: fix int warnings 
especially increasing padding_len size
 4 years ago
Philippe Antoine 078e1cdacc smtp: fix int warnings 
and explicitly truncating filename's length
 4 years ago