aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
16,650 Commits
7 Branches
155 Tags
192 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '32594766b7'
${ noResults }
Commit Graph

1068 Commits (32594766b701666a8768b48d724cdd63b74ea469)

Author SHA1 Message Date
Jason Ish 5853fb922d tls-log: deprecate 
tls-log is now deprecated and will be removed in Suricata 9.0. Display
a deprecation notice on use, and add notes to the user guide.

Ticket: #6542
 6 months ago
Jason Ish ab26323a96 http-log: deprecate 
http-log is now deprecated and will be removed in Suricata
9.0. Display a deprecation notice on use, and add notes to the
userguide.

Issue: #6543
 6 months ago
Victor Julien 688bd538cf pcap: implement pcap-file-buffer-size option 
Allows easy specification of buffer size on the commandline.

Ticket: #7155.
 6 months ago
Juliana Fajardini 246acc7140 userguide: clarify flow:stateless explanation 
While not incorrect, the previous wording made the sentence almost
paradoxical. While at it, also highlight a side effect that might not be
so clear to users.

Related to
Bug #6976
 7 months ago
Philippe Antoine 62a186ceef detect/rfb: move keywords to rust 
Ticket: 7178

On the way, convert rfb.secresult to a generic integer with enumeration
cf ticket 6723
 7 months ago
Victor Julien fa9cae3899 doc/userguide: document logging changes from 6 to 7 
Minor other logging related improvements like clarifying language and
improving formatting for pdf output.
 7 months ago
Philippe Antoine 0b2ed97f36 ssh: frames support 
Ticket: 5734

Adds frames for SSH records, that come after banner, and before
the data is encrypted.
These records may contain cipher lists for instance.
 7 months ago
Giuseppe Longo 70ed9f91d8 doc: add ldap protocol 8 months ago
Philippe Antoine bce8f4b853 detect/ssh: remove deprecated keywords 
Ticket: 2377
 8 months ago
Philippe Antoine 0a1062fad2 detect/mqtt: move keywords to rust 
Ticket: 4863

On the way, convert some keywords to use the first-class integer
support.
And helpers for pure rust the support for multi-buffer.

Move the C unit tests about keyword mqtt.protocol_version
to unit tests for generic integer parsing, and test version 5
instead of testing twice version 3.

Also iterate all tx's messages for reason code as is done for other
keywords.

And allow detection on empty topics.
 8 months ago
Jason Ish 5f516c5896 doc: add pf-ring plugin upgrade notes 
Ticket: #7162
 8 months ago
Philippe Antoine e0fd59a20d doc: state that payload-length includes the gaps 8 months ago
Jason Ish 4d3d57249a doc: update dns section of the eve format documentation 8 months ago
Jason Ish d3c08b9643 doc: upgrade guide for dns logging changes 
Bug: #6281
 8 months ago
Sascha Steinbiss 53c62432c6 doc: update MQTT configuration 8 months ago
Shivani Bhardwaj c66f1f4488 doc: add note about datasets string memcaps 
Bug 3910
 8 months ago
Victor Julien afc318737a doc/userguide: document threshold backoff type 8 months ago
Victor Julien e362a01f8d doc/userguide: document new threshold config options 8 months ago
Victor Julien 405491c3fc detect/detection_filter: add support for track by_flow 8 months ago
Victor Julien 3f04af7c7f doc: add thresholding by_flow 8 months ago
Jeff Lucovsky 01e20c91fb doc/transform: Correct typo 8 months ago
Jeff Lucovsky d205ff82d0 doc/transform: Describe the from_base64 transform 
Issue: 6487

Document the new transform and indicate that it's the preferred way to
perform base64 decoding (preferred over base64_decode)
 8 months ago
Philippe Antoine c9ce43b31e output: configurable payload_length field for alerts 
Ticket: 7098
 8 months ago
Victor Julien 3d059611c3 detect: add tls.alpn keyword 
Ticket: #7108.
 8 months ago
Victor Julien c79a382e42 eve/tls: log ALPN for client and server 
Part of the extended logging.

Logs `client_alpns` and `server_alpns` arrays in the tls object.

Ticket: #7055.
 8 months ago
Philippe Antoine ae72376ebe detect/snmp: move keywords to rust 
Ticket: 4863

On the way, convert unit test DetectSNMPCommunityTest to a SV test.

And also, make snmp.pdu_type use a generic uint32 for detection,
allowing operators, instead of just equality.
 9 months ago
Lukas Sismis bd9608771e doc: port user install and build instruction from master-6.0.x 
Ticket: #6686
 9 months ago
Lukas Sismis 521d1cb8e7 doc: update eBPF compilation instructions 
Ticket: #6599
 9 months ago
Victor Julien 8b42182fee doc/userguide: document iprep isset/isnotset 9 months ago
Victor Julien 2f74d435d3 doc/userguide: add more operators to iprep 9 months ago
Victor Julien 50ef646d45 doc/userguide: add noalert/alert keyword docs 9 months ago
Victor Julien c83e3285ae doc/userguide: give pcre1 to pcre2 proper heading 9 months ago
Juliana Fajardini 43b998aa73 userguide/upgrade: add note about alerts' increase 
With triggering stream reassembly early, since for certain types of
rules there may be more alerts triggered - even in IPS mode, make this
clear in the upgrading section.

Bug #7026
 9 months ago
Philippe Antoine 82c03f72c3 enip: convert to rust 
Ticket: 3958

- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- frames support
- app-layer events
- enip_command keyword accepts now string enumeration as values.
- add enip.status keyword
- add keywords :
    enip.product_name, enip.protocol_version, enip.revision,
    enip.identity_status, enip.state, enip.serial, enip.product_code,
    enip.device_type, enip.vendor_id, enip.capabilities,
    enip.cip_attribute, enip.cip_class, enip.cip_instance,
    enip.cip_status, enip.cip_extendedstatus
 9 months ago
Victor Julien 17b32f98d7 doc/userguide: fix rule container typo 
Fixes: 8781e9352a ("doc/userguide: add documentation for SMTP frames")
 9 months ago
Victor Julien 8781e9352a doc/userguide: add documentation for SMTP frames 9 months ago
Juliana Fajardini aeb200e001 devguide: highlight commit message example 
Although we have the example for a commit message in our Code Submission
Process sub-chapter, seems that people still oversee it a lot. It was
suggested that we put it in a note-box, to make it more visible.
 9 months ago
Jason Ish 3eb8c728fd doc: update lua sandbox docs for allowed packages/functions 9 months ago
Jason Ish bc011f2205 lua: use rust crate to vendor (bundle) lua 
Remove lua-dev(el) from all CI tests.
 9 months ago
Jo Johnson ba6a976e06 doc: Initial doc for lua sandbox 9 months ago
Jo Johnson 712496bb3f lua: Remove luajit support 
lua 5.4 support is not available in luajit

Ticket: #4776
 9 months ago
Jo Johnson 586c92d9d5 lua: require lua 5.4 
github-ci: Disable lua on debian 10 as it doesn't have Lua 5.4.

Ticket: #4776
 9 months ago
jason taylor 47d6c3a3ab doc: add source verification docs 
Ticket: #6908

Signed-off-by: jason taylor <jtfas90@gmail.com>
 9 months ago
Shivani Bhardwaj 719fda3967 doc: add description about tls.subjectaltname 
Feature 5234
 9 months ago
Philippe Antoine 2c305ba37e pop3: protocol detection 
Ticket: #6366
 10 months ago
Philippe Antoine 7582b18a9f http: configures libhtp to allow spaces in uri 
Ticket: #2881
 10 months ago
Giuseppe Longo 8a171c9d74 doc: add arp changes 10 months ago
Philippe Antoine fcdd7f000a detect: add options to app-layer-protocol keyword 
Ticket: 4921

app-layer-protocol keyword accept an optional mode to precise
which protocol we want to match: toclient, toserver, final,
or original
 10 months ago
Philippe Antoine 715bf048ee frames: rust API makes tx_id explicit 
And set it right for SIP and websocket,
so that relevant tx app-layer metadata gets logged.

Ticket: 6973
 10 months ago
Shivani Bhardwaj 6d92596548 doc: add note about fast_pattern w base64_data 
Bug 5220
 10 months ago
jason taylor abb74245cc doc: update normalization notes 
Ticket: #6781

Signed-off-by: jason taylor <jtfas90@gmail.com>
 10 months ago
jason taylor 5dacf4d92b doc: add http.connection ref and fix location 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 10 months ago
Victor Julien fcca5c7514 detect/iprep: update doc about 0 value 
A value of 0 was already allowed by the rule parser, but didn't
actually work.

Bug: #6834.
 10 months ago
jason taylor aa919f8081 doc: update flowbits information 
Ticket: #6991

Signed-off-by: jason taylor <jtfas90@gmail.com>
 10 months ago
Giuseppe Longo 4f1e71bb4e doc: add sdp update 10 months ago
Juliana Fajardini bb59124063 yaml: unify 0 stats counter config option terms 
When we added feature #5976 (72146b969), we overlook that we also have
a config stats option for the human-readable stats logs to output
0 counters.
Due to not seeing this before, we now have two different setting names
for basically the same thing, but in different logs:
- zero-valued-counters for EVE
- null-values for stats.log

This ensures we use the same terminology, and change the recently added
one to `null-values`, as this one has been around for longer.

Task #6962
 11 months ago
Philippe Antoine 44b6aa5e4b app-layer: websockets protocol support 
Ticket: 2695
 11 months ago
Sascha Steinbiss 120313f4da ja4: implement for TLS and QUIC 
Ticket: OISF#6379
 11 months ago
Jeff Lucovsky 7a5a1e2560 doc: Describe noalert keyword 
Issue: 6685
 11 months ago
Juliana Fajardini 72146b969c eve/stats: allow hiding counters whose valued is 0 
Some stats can be quite verbose if logging all zero valued-counters.
This allows users to disable logging such counters. Default is still
true, as that's the expected behavior for the engine.

Task #5976
 11 months ago
Juliana Fajardini 514e8b8b04 userguide: document exception policy stats 
Configuration options and defaults, existing counters etc.

Related to
Task #5816
 11 months ago
Juliana Fajardini 94b111283d userguide: highlight exception policy effects 
Some exception policies can only be applied to entire flows or
individual packets, for some exception scenarios. Make this easier to
read, in the documentation.

Related to
Task #5816
 11 months ago
jason taylor 7de16809ef doc: update http keyword listing order 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 8b3db3c3b5 doc: update file.name keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 49dba7bb94 doc: update file.data keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor bee3aa9709 doc: update http.response_header keyword 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor dcb548106e doc: update http.request_header keyword 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 3f5d228b9e doc: update http.host http.host.raw keyword 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 739dfe5e5e doc: update http.location keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 9ddd8cf9e0 doc: update http.server keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 3af98f3b92 doc: update http.response_body keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 64760e2e75 doc: update http.response_line keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 566bc0d39c doc: update http.stat_msg keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 271321249f doc: update http.stat_code keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 71d8488cb5 doc: update http.request_body keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor c2783e9391 doc: update http.header_names keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 5eadbc2ff0 doc: update http.start keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 7e65554462 doc: update http.referer keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 876dfb99ca doc: update http.content_len keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 8ff06c1bc0 doc: update http.content_type keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor b2854486dd doc: update http.connection keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 75436dff9c doc: update http.accept_lang keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor f6375e487e doc: update http.accept_enc keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 7e3288f5a7 doc: update http keyword normalization notes 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 9e87d89d2e doc: update http.accept keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 8307168ae7 doc: update http.user_agent keyword 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 75c4cdfa1c doc: update http.cookie keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 7a28874c8d doc: update http.header keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor b3af723486 doc: remove legacy description/duplicated data 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 292b3eb9b3 doc: update http.request_line keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor c7f351bd6e doc: update http.protocol keyword documentation 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 2d0ceedeba doc: update urilen keyword documentation 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor ef118aa582 doc: remove legacy uricontent information 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 96e8c10276 doc: update http.uri and http.uri.raw keywords 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor bf192926a8 doc: update http.method keyword 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 0cce5ba447 doc: add http keyword links 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor fd46175203 doc: update http primer information 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
jason taylor 54fd35c5b4 doc: remove legacy tables and image references 
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 11 months ago
Victor Julien 34f53f85bc systemd: reimplement sd_notify logic using UNIX socket 
One of the lessons of the XZ backdoor story was that just linking to
libsystemd to call sd_notify is discouraged by the systemd project:

Lennart Poettering:
"PSA: In context of the xzpocalypse we now added an example reimplementation
of sd_notify() to our man page:

https://www.freedesktop.org/software/systemd/man/devel/sd_notify.html#Notes

It's pretty comprehensive (i.e. uses it for reload notification too), but
still relatively short.

In the past, I have been telling anyone who wanted to listen that if all you
want is sd_notify() then don't bother linking to libsystemd, since the
protocol is stable and should be considered the API, not our C wrapper
around it. After all, the protocol is so trivial"

From: https://mastodon.social/@pid_eins/112202687764571433

This commit takes the example code and uses it to reimplement the notify
logic.

The code is enabled if Linux is detected in configure. Since the code
won't do anything if the NOTIFY_SOCKET env var isn't set, this should
also work fine on systems w/o systemd.

Ticket: #6913.
 11 months ago
Jason Ish 51bf1c3510 docs/userguide: use a consistent date for reproducible builds 
By default, when Sphinx generates the man pages, the current date will
be embedded in them. This can be set to a specific date with the
"today" variable. Typically the date embedded in manpages in the
release date.

To achieve this, attempt to use the environment variable, RELEASE_DATE
to set the "today" variable, reverting back to the empty string if not
set. It is up to our build system to properly set this date.

Ticket: #6911
 11 months ago