Commit Graph

240 Commits (2c01985e731d97eafb4b644cd78641197093f859)

Author SHA1 Message Date
Victor Julien 5ca4a2e6fe outputs: vars log
EVE addition called 'vars' that logs pkt/flow vars for each packet/flow.
9 years ago
Victor Julien 1a2ad059a1 eve: log pktvars/flowvars/bits/ints
Optionally logs 'vars' into alerts
9 years ago
Victor Julien 75907fce06 profiling: output all sort options for rules
Limit the default number of sids to 10.
9 years ago
Victor Julien 7d8a5a75ef profiling: honor limit in json rule output 9 years ago
Victor Julien a0580d8805 stream: initialize stream segment pool from mtu
If segments section in the yaml is omitted (default) or when the
pool size is set to 'from_mtu', the size of the pool will be MTU
minus 40. If the MTU couldn't be determined, it's assumed to be
1500, so the segment size for the pool will be 1460.
9 years ago
Victor Julien 15f4144eda smb: add tcp/445 to proto detect fallback 9 years ago
Travis Green f08cc1f3db yaml: update commented rule files
Disabled scada.rules, added commented rule file names to help
administrators find informational rule files.
9 years ago
Victor Julien 3012edae1c luajit: update default yaml and doc for 'states' 9 years ago
Victor Julien 3973363164 yaml: group ICS protocols together 9 years ago
Victor Julien b231558957 ENIP: add default ports to yaml 9 years ago
Jason Ish bbaa79b80e DNP3: Application layer decoder.
Decodes TCP DNP3 and raises some DNP3 decoder alerts.
9 years ago
Victor Julien b789d2ae3d tls: change 'no-reassemble' option to default off
This option was broken so there should be no visible change to
actual deployments.
9 years ago
Jason Ish a6854147be pcap-log config: sguil-base-dir -> dir and update comment
The code already looks for "dir" first instead of
"sguil-base-dir", and already respects this configuration
parameter in other modes than the "sguil" mode.

Coda will still access "sguil-base-dir".
9 years ago
Victor Julien e6cf7ae8fa yaml: improve stream-depth comments 9 years ago
Giuseppe Longo 3f214b506a file-store: add depth setting
When a rule matches and fires filestore we may want
to increase the stream reassembly depth for this specific.

This adds the 'depth' setting in the file-store config,
which permits specifying how much data we want to reassemble
into a stream.
9 years ago
Giuseppe Longo 9ab1194f68 modbus: set stream depth
Some protocols like modbus require
an infinite stream depth because sessions
are kept open and we want to analyze everything.

Since we have a stream reassembly depth per stream,
we can also set a stream reassembly depth per proto.
9 years ago
Victor Julien 050f36eaa5 enip: improve yaml 9 years ago
kwong a3ffebd835 Adding SCADA EtherNet/IP and CIP protocol support
Add support for the ENIP/CIP Industrial protocol

This is an app layer implementation which uses the "enip" protocol
and "cip_service" and "enip_command" keywords

Implements AFL entry points
9 years ago
Victor Julien 125603871b detect: config opt to enable keyword prefilters 9 years ago
Giuseppe Longo e6bac998d9 flow: add timeout for local bypass
This adds a new timeout value for local bypassed state. For user
simplification it is called only `bypassed`. The patch also adds
an emergency value so we can clean bypassed flows a bit faster.
9 years ago
Giuseppe Longo 177df305d4 stream-tcp: enable bypass setting
This permits enabling/disabling it in suricata.yaml,
and the bypass function will be called
when stream.depth is reached.
9 years ago
Giuseppe Longo 97783f8142 nfq: introduce bypass function 9 years ago
Victor Julien da8f3c987b offloading: make disabling offloading configurable
Add a generic 'capture' section to the YAML:

  # general settings affecting packet capture
  capture:
    # disable NIC offloading. It's restored when Suricata exits.
    # Enabled by default
    #disable-offloading: false
    #
    # disable checksum validation. Same as setting '-k none' on the
    # commandline
    #checksum-validation: none
9 years ago
Duarte Silva 53ebe4c538 file-hashing: added configuration options and common parsing code 9 years ago
Eric Leblond f2d1e93e65 unix-socket: add auto mode
When running in live mode, the new default 'auto' value of
unix-command.enabled causes unix-command to be activated. This
will allow users of live capture to benefit from the feature and
result in no side effect for users running in offline capture.
9 years ago
Victor Julien 2997d086be eve-drop: allow logging all drops
- drop:
    alerts: yes      # log alerts that caused drops
    flows: all       # start or all: 'start' logs only a single drop
                     # per flow direction. All logs each dropped pkt.
9 years ago
Tom DeCanio 0f6c8806a0 output-json-dns: dns output filtering. 9 years ago
Jason Ish 1691c10681 eve: make logging of tagged packets optional
But it is enabled in the default configuration.
9 years ago
Victor Julien f7124b1149 afpacket: disable tpacket-v3 by default
It's still considered experimental at this point.
9 years ago
Victor Julien 5ec885e451 http: set of response body decompress limit
This is a per-personality setting.
10 years ago
Victor Julien 0b6171854d yaml: improve affinity defaults 10 years ago
Victor Julien 723e90a174 affinity: rename detect-cpu-set to worker-cpu-set
Add fallback for existing configs.
10 years ago
Victor Julien 45b72d61c9 affinity: improve suricata.yaml doc 10 years ago
Victor Julien 570b9d06e0 affinity: remove unused settings
These were never referenced in the code so they can be removed.

Add bypass to config parser in case the settings are still in old
yamls.
10 years ago
Victor Julien 1c0f20f0e5 yaml: profiling 'json' depend on jansson availability 10 years ago
Victor Julien d58d02fed5 netmap: handle missing config with better defaults
Default to 'threads: auto' which uses RSS RX count when no config
has been created for an interface.
10 years ago
Victor Julien be9cd0fd84 yaml: replace ac-tile by ac-ks 10 years ago
Victor Julien f55dbca57b yaml: make eve log in yaml depend on libjansson 10 years ago
Victor Julien df6f9269ec yaml: improve capture comments 10 years ago
Victor Julien 766bc95e3c yaml: move classification etc below the rules 10 years ago
Victor Julien 1b4e1ea389 yaml: new defaults for outputs
Enable eve.flow, disable plain http.log.
10 years ago
Victor Julien 4d056912d3 yaml: file logging at info level 10 years ago
Victor Julien cb47c2f682 yaml: improved defaults and misc cleanups 10 years ago
Victor Julien ea7923cc81 yaml: add performance tuning section 10 years ago
Victor Julien 6d7b4c81e3 yaml: more reshuffling 10 years ago
Victor Julien a6a69f0099 yaml: create advanced sections
Sections for advanced detection settings and traffic tracking and
reconstruction.
10 years ago
Victor Julien d79c95dded yaml: add hw accel section, move cuda there 10 years ago
Victor Julien 8fae138d3b yaml: add netfilter section 10 years ago
Victor Julien 056f88b458 yaml: move outputs to the logging step 10 years ago
Victor Julien 11e6809d55 yaml: introduce 'advanced settings' 10 years ago