aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,804 Commits
7 Branches
159 Tags
196 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1ac805f1b3'
${ noResults }
Commit Graph

241 Commits (1ac805f1b3018dad46e87eeb77fb8ee4116048fa)

Author SHA1 Message Date
Anoop Saldanha a34f91358d tests to highlight that 
- suricata treates sigs with offset/depth without any packet keywords as stream sigs
- as a consequence suricata will FN on such sigs

The tests introduced here will fail, displaying the issues.  The
next patch in the series would fix the said issues.
 13 years ago
Anoop Saldanha 988c92f71c http user agent keyword + mpm + inspection + fast pattern support added 13 years ago
Victor Julien 073ce64786 Fix parsing of tcp-pkt and tcp-stream sigs, add unittest. 13 years ago
Eileen Donlon da633d490b fix misleading comment 13 years ago
Victor Julien da3c5bf84d Minor error message cleanups 13 years ago
Victor Julien cdba2f50d1 Various fixes and improvements based on feedback by Coverity analyzer. 14 years ago
Anoop Saldanha 4810ee9c5f All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns 14 years ago
Anoop Saldanha 93d7a6e671 code cleanup. Remove unused functions 14 years ago
Anoop Saldanha eb07c345b8 code cleanup - replace SigMatchAppendThreshold with SigMatchAppendSMToList 14 years ago
Anoop Saldanha dd7e710f35 code cleanup - replace SigMatchAppendPostMatch with SigMatchAppendSMToList 14 years ago
Anoop Saldanha a4638fb0ad code cleanup - replace SigMatchAppendPacket with SigMatchAppendSMToList 14 years ago
Anoop Saldanha ff38d42bf1 code cleanup - replace SigMatchAppendTag with SigMatchAppendSMToList 14 years ago
Anoop Saldanha ac68c3f893 code cleanup - replace SigMatchAppendDcePayload with SigMatchAppendSMToList 14 years ago
Anoop Saldanha 6cab663bf0 code cleanup - replace SigMatchAppendPayload with SigMatchAppendSMToList 14 years ago
Anoop Saldanha c4cb37b8da code cleanup - replace SigMatchAppendUricontent with SigMatchAppendSMToList 14 years ago
Anoop Saldanha c9af50ea0c code cleanup - replace SigMatchAppendAppLayer with SigMatchAppendSMToList 14 years ago
Anoop Saldanha bbb9f35f26 code cleanup - replace SigMatchGetLastSM with SigMatchGetLastSMFromLists 14 years ago
Anoop Saldanha 09313cf9bd Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S 14 years ago
Anoop Saldanha 2007c2711c Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword 14 years ago
Anoop Saldanha 3b5d95547d bug #412 - Remove the commented out SigInitReal() 14 years ago
Anoop Saldanha 6cbd3a1046 bug #412 - Unify SigInit() and SigInitReal(). Remove any use of SigInitReal() 14 years ago
Anoop Saldanha 88ad3691d1 bug #405 - fix bug where raw uri inspection sigs were not treated as stateful sigs 14 years ago
Victor Julien c8c4a76dc6 Move threshold to it's own sig match list. 14 years ago
Victor Julien 02e1229565 Enforce flow direction for http_raw_header sigs. Fix unittests that missed the flow direction. 14 years ago
Victor Julien e81f94cd83 Fix flowbits sigmatch structure added to the match and post-match list, causing corruption of the prev ptr. This lead to an endless loop condition in the thresholding code. Thanks to Chris Wakelin for reporting the issue. 14 years ago
Victor Julien 6eeab37ab3 Add post-match list, move flowbits set, etc functions to it. Move flowint set, etc functions to it as well. 14 years ago
Victor Julien aac2d91bcc Set DROP flag for reject action so in addition to sending the rst, in IPS mode also drop the offending packet. 14 years ago
Victor Julien e55390e4e7 Add check to invalidate signatures that inspect raw http headers in the to_client direction (response headers) if libhtp hasn't been patched yet. Also add hack to disable the test for unittests, many tests fail and we'll fix those ASAP. 14 years ago
Victor Julien 21ee59e6f3 Add signature direction (flow:toserver/flow:toclient) as a signature flag. 14 years ago
Victor Julien 298289f43f Let flow:only_stream and flow:no_stream set the require packet and require stream flags. Toss out sigs with conflicting settings. Rename flow:stream_only to flow:only_stream. Fixes #261. 14 years ago
Victor Julien e0cf2ccb91 Fix invalid direction error message. 14 years ago
Victor Julien 07e560b137 file-data: initial file_data support 
Support file_data for: content, pcre (relative), byte_test, byte_jump,
byte_extract, isdataat.

File_data support is handled at signature parsing time, all matches
occurring after the file_data in the rule are converted to http_server_body
matches.

Content matches relative to the file_data are converted. Within to depth,
distance to offset. Relative to the start of the body buffer.
 14 years ago
Victor Julien d5ed28b065 Remove SIG_FLAG_MPM flag. 14 years ago
Victor Julien 4992f7c417 Remove SIG_FLAG_MPM_URI flag. It was checked but never set. 14 years ago
Victor Julien 2650551192 Rename signature init flags to indicate they are init flags. 14 years ago
Victor Julien 89f83e714c Introduce http_server_body keyword. 
The http_server_body content modifier modifies the previous content to inspect
the normalized (dechunked, unzipped) http_server_body. The workings are similar
to http_client_body. Additionally, a new pcre flag was introduced "/S".

To facilitate this change the signature flags field was changed to be 64 bit.
 14 years ago
Victor Julien 23e01d23d3 Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored. 14 years ago
Victor Julien 70f0d3d2e7 Add negation to filename and fileext, use same syntax as with content. 14 years ago
Eileen Donlon a92d15ed37 Fixed duplicate signature check 14 years ago
Anoop Saldanha 7433d92dd2 undo this commit - 
commit eff08f93d8
Author: Anoop Saldanha <poonaatsoc@gmail.com>
Date:   Thu Nov 3 14:31:24 2011 +0530

    update failing unittest to reflect the mpm design update

Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
 14 years ago
Victor Julien d070869c48 Reinstate replace validation check. 14 years ago
Anoop Saldanha eff08f93d8 update failing unittest to reflect the mpm design update 14 years ago
Victor Julien af51493da2 Mpm update: Toss out signatures that mix pkt and stream/state. Update profiling code to track new mpm. 14 years ago
Anoop Saldanha 9887084370 support multiple ipprotos in the same sig + unittest 14 years ago
Anoop Saldanha 432c3317d2 app layer probing parser updates 14 years ago
Anoop Saldanha 4307ea2348 Replace all frees with SCFrees 14 years ago
Eric Leblond a85dc9b0e2 Add support for replace keyword. 
This patch adds support for the replace keyword. It is used with
content to change selected part of the payload. The major point
with this patch is that having a replace keyword made necessary
to avoid all stream level check because we need to access to the
could-be-modified packet payload.

One of the main difficulty is to handle complex signature. If there is
other content check, we must do the substitution when we're sure all
match are valid. The patch adds an attribute to the thread context
variable to be able to deal with recursivity of the match function.

Replace is only activated in IPS mode and apply only to raw match.
 14 years ago
Gerardo Iglesias Galvan 44692c83aa Properly check retval for config and conversion function calls 14 years ago
Gerardo Iglesias Galvan 73dd5562c3 Fix potential crash in signature parsing code 14 years ago
Victor Julien 681f8329a6 Make error on <- direction operation use more explicit. 14 years ago
Anoop Saldanha 966119b6aa support for http_raw_uri keyword + mpm engine 14 years ago
Victor Julien b9fd978253 Fix compiler warnings in two unittests. 14 years ago
Victor Julien 153f9298e7 Fix priority handling during the signature parsing stage. Fixes #275. 15 years ago
Gurvinder Singh 27f67c97de log error on duplicate sig and also for dup sig with newer revision 15 years ago
Eric Leblond 2c80f18dc9 detect: Add sctp detection and parsing. 
This patch adds the support of SCTP in signature subsystem.
 15 years ago
Anoop Saldanha c9897a44a4 fast pattern support for http_cookie. Also support relative modifiers 15 years ago
Anoop Saldanha bbbedaf963 fast pattern support for http_method. Also support relative modifiers 15 years ago
Anoop Saldanha 2321a4dd58 support isdataat negation. Also fix addiing isdataat to appropriate lists 15 years ago
Eric Leblond 1db4aadd16 Supress usage of Packet declaration in tests. 
For convenience, a massive usage of 'Packet p;' declaration has
been done in the tests function. Although this was completely
legal, this is not possible anymore because of the new Packet
allocation structure. This massive patch modifies all suricata
files to use a SCMalloc allocated pointer to Packet instead.

This patch has been done using coccinelle (http://coccinelle.lip6.fr)
which is a semantic patching tool. This ensures that things like call
to SCFree() should have not been forget because the semantic patch
explicitly forces the call to SCFree(p) before each return. With this
patch all unittests are running fine with a small and a big default
packet size.
 15 years ago
Anoop Saldanha 2b781f00d7 support relative pcre for client body. All pcre processing for client body moved to hcbd engine 15 years ago
Victor Julien 435d0fb327 Clean up signature flags creating room for merging flags and mpm_flags. Merge flags and mpm_flags. Move new mpm id's into signature header. Get rid of full signature access in signature prefiltering. 15 years ago
Victor Julien 169aa5581a Rename SIG_FLAG_AMATCH flag to SIG_FLAG_STATE_MATCH to better reflects its purpose. 15 years ago
Victor Julien d7b92d9bfe Consolidate several signature flags into one. 15 years ago
Anoop Saldanha 07f20674ac allow sigs for http client body of the form content:one; content:two; distance:0; http_client_body; 15 years ago
Anoop Saldanha 5c6a65dc58 support relative modifiers for http_client_body. Introduce body processing engine in detect-engine-hcbd.[ch] 15 years ago
Anoop Saldanha 4883efd0f6 unifying content structure - uricontent now uses DetectContentData 15 years ago
Anoop Saldanha 6eaba8941c Use new flags to indicate uricontent has a mpm set 15 years ago
Anoop Saldanha 46b4806d8e use a single populatempm() function to add the right content for mpm 15 years ago
Anoop Saldanha 4a038511ff Change the struct members uricontent and uricontent_len in DetectUricontentData to content and content_len. Make replacements everywhere else in the codebase to accomodate these changes 15 years ago
Anoop Saldanha ede7be34b5 replace all Signature->tmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_TMATCH] 15 years ago
Anoop Saldanha 3d2f81d978 replace all Signature->dmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_DMATCH] 15 years ago
Anoop Saldanha a7353be20d replace all Signature->amatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_AMATCH] 15 years ago
Anoop Saldanha e0476242c6 replace all Signature->umatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_UMATCH] 15 years ago
Anoop Saldanha e54358a9e1 replace all Signature->pmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_PMATCH] 15 years ago
Anoop Saldanha 82fd581b64 replace all sm lists (match, pmatch, dmatch, umatch, amatch, tmatch) with an array Signature->sm_lists[]. Replace all Signature->match instances in the engine with Signature->sm_lists[DETECT_SM_LIST_MATCH] 15 years ago
Victor Julien afdb39e5f6 Print an error if the protocol field of a signature contains a unknown/invalid value. 15 years ago
Anoop Saldanha 88d94b136d Support for reference.config file 15 years ago
Anoop Saldanha fe700737a3 fix null dereference in detect parse test - clang fix 15 years ago
Anoop Saldanha f094523eb1 clang fix - some minor fixes for unittests 15 years ago
Pablo Rincon bbab0f9987 Set default gid to 1 on Sig init 15 years ago
Victor Julien c62a3d995e Fix signatures with trailing spaces being rejected by the regex. Add test. 15 years ago
Victor Julien 05ae4f99d8 Kick out invalid signature with uricontent and flow:to_client or flow:from_server. 15 years ago
Pablo Rincon c6e090f72c App layer proto specific sigs (use the app layer to match proto) 15 years ago
Victor Julien 102092a89c Make signature address matching more cache efficient. 15 years ago
Anoop Saldanha 89e3d92cdb fix creating a static array of length 0 in SigMatchGetLastSMFromLists - clang fix 15 years ago
Pablo Rincon 693d4f54eb Load signatures with incompatible fast_pattern option (due to design differences for optimization) 15 years ago
Anoop Saldanha 673322f01f unittests for dce_stub_data content based singature parsing + fixes 15 years ago
Anoop Saldanha ce8d27425d fix signature parsing to how snort does it for content based keywords along with dce_stub_data 15 years ago
Anoop Saldanha 5fb6981e9e content handling changes in detect-engine-payload.c for multiple relative matches 15 years ago
Victor Julien 393acd77d2 Detection improvements: uricontent escaping now working, better negated pattern (content) handling. 15 years ago
Victor Julien 7454336ef5 Make SigWrapper private to detect-parse.c and rename to SigDuplWrapper to reflect it's use and purpose. 15 years ago
Anoop Saldanha 9ecade76b9 in case of duplicate signatures used the one with the latest revision 15 years ago
Pablo Rincon b931895901 Fixing flow cleanup and ctx initialization 15 years ago
Pablo Rincon eed0ef6e69 Adding tag keyword support 15 years ago
Victor Julien 37442a8a84 Prefilter signatures before fully scanning them. 15 years ago
Anoop Saldanha 45ea0d914e dce stub content keywords support using dcepayload.c support for all dce related content keywords 15 years ago
Victor Julien 0a607fce3d Finish http_uri keyword, fix invalid read issue in one of the tests. 15 years ago
Gurvinder Singh cda664a8c4 memroy leaks fixes in detection module, app layer and counters 15 years ago
Victor Julien 70b32f7380 First stab at creating a stateful detection engine. 
Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications:

- Generalize transaction tracking, logging and inspection.
- Adapt http and dcerpc to use the new transaction handling.
- Stream engine now always notifies app layer of a stream eof.

This commit fixes bug #124.
 15 years ago
Victor Julien 7a427ec7f4 Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach. 15 years ago