Commit Graph

1135 Commits (35d7d77ddb05bc3ba6df6e21e8fe7afe6d8aec1d)

Author SHA1 Message Date
Juliana Fajardini d8c6a56a62 doc/exceptions: change stats counters names
As we've changed them for more search-friendly ones.

Related to
Task #7185
4 months ago
Lukas Sismis 4f2ce17dc5 dpdk: allow zero TX queues when running in IDS mode
When running in non-forwarding (IDS) mode, it is not required
to create TX queues for the interface.
This can be achieved by setting tx-descriptors configuration
field to 0.

Ticket: 7633
4 months ago
Lukas Sismis 1be1c65b6e docs: double quote technical terms in DPDK section 4 months ago
Lukas Sismis fbe5ce7a2b dpdk: document vlan stripping offload
Ticket: 5838
4 months ago
Lukas Sismis 640d0985c2 dpdk: check for link up before full startup
ICE card (Intel E810) was not receiving packets immediately
after startup, Suricata workers would act as processing while
it was not. This eliminates the problem by only continuing
in the initialization if the link is already up.

The setting can be turned off manually from the configuration
file.

Ticket: 7381
4 months ago
Lukas Sismis cb997a64dc dpdk: replace global with per-thread mempools
It turned out that having global (interface-specific) mempool
that is shared by the threads of the interface is slower than
having individual mempools per queue for each interface.

The commit brings this change and should be user-invisible,
the config setting remains still as a number of objects of
all mempools summed (of that interface).

Ticket: 7382
4 months ago
Lukas Sismis 2ef2a9e26f dpdk: auto configure Rx/Tx descriptors and mempool size
Ticket: 7380
Ticket: 7373
4 months ago
Philippe Antoine 3a092f3027 detect: allow rules which need both directions to match
Ticket: 5665

This is done with `alert ip any any => any any`
The => operator means that we will need both directions
4 months ago
Jason Ish 66eb29affd doc/ndpi: move ndpi docs to new plugins section
Moves the nDPI documentation to an nDPI page in the plugins
section. Remove the duplication of installation and setup
documentation.

Includes some minor cleanups.
4 months ago
Alfredo Cardigliano dfd9ef5784 ndpi: initial implementation of nDPI plugin
Ticket: #7231
4 months ago
Alice Akaki ce2e7aed74 detect: add email.date keyword
email.date matches on MIME EMAIL DATE
This keyword maps to the EVE field email.date
It is a sticky buffer
Supports prefiltering

Ticket: #7591
4 months ago
Victor Julien 8c9dfafc6d doc/tls: add more detail on tls.random 4 months ago
Lukas Sismis 7dc65c2f8a hyperscan: add caching mechanism for hyperscan contexts
Cache Hyperscan serialized databases to disk to prevent compilation
of the same databases when Suricata is run again with the same
ruleset.
Hyperscan binary files are stored per rulegroup in the designated
folder, by default in the cached library folder.
Since caching is per signature group heads,
some chunk of the ruleset can change and it still can reuse part of
the unchanged signature groups.

Loading *fresh* ET Open ruleset:  19 seconds
Loading *cached* ET Open ruleset: 07 seconds

Ticket: 7170
4 months ago
Philippe Antoine 879a733c12 doc/http2: explicit behavior for some http keywords
HTTP/2 does not define a way to carry the version or reason phrase
that is included in an HTTP/1.1 status line.

Ticket: 6548
4 months ago
Juliana Fajardini cd69955d7f doc/userguide: add lua flowlib docs
Task #7489
4 months ago
Juliana Fajardini 9480272509 doc: remove old lua flow methods
Task #7489
4 months ago
Alice Akaki 7ba4ebdc2c detect: add email.cc keyword
email.cc matches on MIME EMAIL Carbon Copy
This keyword maps to the EVE field email.cc[]
It is a sticky buffer
Supports prefiltering

Ticket: #7588
4 months ago
Alice Akaki 9e7d23d73f doc: add keywords to the multi-buffer-matching list 4 months ago
Jason Ish 1a47fdfd46 doc/userguide: group af-packet upgrade notes together
Also fix the rendering of the sip nest list.
4 months ago
Jason Ish 080d48ba29 doc/userguide: upgrade note about defrag now off for inline use
Ticket: #7617
4 months ago
Jason Ish 8fe526006d doc/userguide: upgrade note about tpacket-v3 default for ids
Ticket: #4798
4 months ago
Alice Akaki 5d6a072e35 detect: add email.to keyword
email.to matches on MIME EMAIL TO
This keyword maps to the EVE field email.to[]
It is a sticky buffer
Supports prefiltering

Ticket: #7596
4 months ago
Alice Akaki 09db7c7ac1 detect: add mime email.subject keyword
email.subject matches on MIME EMAIL SUBJECT
This keyword maps to the EVE field email.subject
It is a sticky buffer
Supports prefiltering

Ticket: #7595
4 months ago
Jason Ish 374762d202 af-packet: remove use-mmap option
This option is obsolete and was not used in 7.0 as tpacket-v1 support
was removed (see ticket #4796).
4 months ago
Juliana Fajardini a9b2a62ee4 userguide/exceptions: clarify when stats are logged
The stats for exception policies are only logged/present when any of
the exception policies are enabled (which means any value other than
"auto" or "ignore" in IDS mode, or "ignore" in IPS mode).

This wasn't clearly stated in the docs.
4 months ago
Juliana Fajardini 08e928988f flow/output: log triggered exception policies
To accompany the Exception Policy stats, also add information about any
Exception Policy triggered and for which target to the flow log event.

Task #6215
4 months ago
Jason Ish a6b116bcbe lua: document new suricata.dns lua library
Ticket: #7602
4 months ago
Alice Akaki 90aab0d62f detect: add email.from
email.from matches on MIME EMAIL FROM
This keyword maps to the EVE field email.from
It is a sticky buffer
Supports prefiltering

Ticket: #7592
4 months ago
Joyce Yu dac0d6371e Doc: update eve-json-output ethernet description
Document getting mac addresses from the flow when the flow times out.
4 months ago
Shivani Bhardwaj be372ce39d doc: explain priority port setting
Ticket 7329
4 months ago
Shivani Bhardwaj 040c694256 doc: format and align suricata.yaml section 4 months ago
Juliana Fajardini 3985b24e1b upgrade: list inspection recursion default limit
As the yaml indicated before that if no value was specified there were
no limits, and now there will be one.
4 months ago
Juliana Fajardini e1f9e66af0 doc/upgrade: add datasets hash size limit note 4 months ago
Jason Ish c6d18fc871 doc/userguide: af-packet upgrade notes
Add note about increased block size and how to change it back to old
defaults if needed.

Ticket: #7458
4 months ago
Philippe Antoine 32d0bd2bbb detect: limit base64_decode `bytes` to 64KiB
Ticket: 7613

Avoids potential large per-thread memory allocation. A buffer with the
size of the largest decode_base64 buffer size setting would be allocated
per thread. As this was a u32, it could mean a per-thread 4GiB memory
allocation.

64KiB was already the built-in default for cases where bytes size wasn't
specified.
4 months ago
Juliana Fajardini d8523d9d97 userguide/header-keywords: fix typos, adjust format 5 months ago
Juliana Fajardini 28407b2fb8 doc/rule-types: remove trailing underscore
And other minor fixes that were overseen.
5 months ago
Juliana Fajardini 4a8da8c448 userguide/suricatactl: use suricata community page
We were mentioning "Suricata Support" page, which could be a bit
misleading -- and also used a link that is actually redirected to the
Suricata Community page, anyways.
5 months ago
Jason Ish 814e9ffb7a dns: add keywords for additionals and authorities rrnames
Add keywords dns.additionals.rrname and dns.authorities.rrname. Along
the way, consolidate dns.query.name and dns.answer.name into a single file
and register them altogether since there is a lot of common code.
5 months ago
Jason Ish a026293b42 dns: rename dns.response keyword to dns.response.rrname
This is a better name as the keyword is looking at all rrname type
fields in the response.
5 months ago
Nathan Scrivens d3953dee8b doc/userguide: document dns.response
Feature: 7012
5 months ago
Alice Akaki 137f7fe652 detect: add ldap.responses.message
ldap.responses.message matches on LDAPResult error message
This keyword maps the following eve fields:
ldap.responses[].bind_response.message
ldap.responses[].search_result_done.message
ldap.responses[].modify_response.message
ldap.responses[].add_response.message
ldap.responses[].del_response.message
ldap.responses[].mod_dn_response.message
ldap.responses[].compare_response.message
ldap.responses[].extended_response.message
It is a sticky buffer
Supports prefiltering

Ticket: #7532
5 months ago
Alice Akaki 84605db01d detect: add ldap.responses.result_code
ldap.responses.result_code matches on LDAP result code
This keyword maps the following eve fields:
ldap.responses[].bind_response.result_code
ldap.responses[].search_result_done.result_code
ldap.responses[].modify_response.result_code
ldap.responses[].add_response.result_code
ldap.responses[].del_response.result_code
ldap.responses[].mod_dn_response.result_code
ldap.responses[].compare_response.result_code
ldap.responses[].extended_response.result_code
It is an unsigned 32-bit integer
Doesn't support prefiltering

Ticket: #7532
5 months ago
Alice Akaki 599d33c5bf ldap: return empty buffer in ldap_tx_get_responses_dn
Function ldap_tx_get_responses_dn returns an empty buffer in case
the response doesn't contain the distinguished name field

Fixes: 73ae6e997f ("detect: add ldap.responses.dn")
5 months ago
Alice Akaki 82ca3e667b ldap: fix LDAPDN nits
Change variable name 'req' to 'resp' in function ldap_tx_get_responses_dn and documentation nits

Fixes:
73ae6e997f ("detect: add ldap.responses.dn")
16dcee46fc ("detect: add ldap.request.dn")
5 months ago
Jason Ish f1d305b373 doc: add upgrade note about suricatasc and suricatactl 5 months ago
Jason Ish 1aa47649ca dist: include generate-evedoc.sh
Without this script `make distcheck` fails on a system with
documentation tooling installed, as it's required to build the EVE
appendix.
5 months ago
Jason Ish 11a589f633 doc: remove python references related to suricatasc
These should probably be removed even without the rewrite, and
suricatasc has been installed as a proper program for many releases.
5 months ago
Jeff Lucovsky a3a3ad8968 doc/output: EVE output buffering related settings 5 months ago
Jeff Lucovsky dd344bd07c ftp: Move config file handling to Rust
Issue: 4082

Move the configuration file handling to Rust.

These changes will no longer terminate Suricata when there's an invalid
value for ftp.memcap. Like earlier Suricata releases, an error message
is logged "Invalid value <value> for ftp.memcap" but Suricata will no
longer terminate execution. It will use a default value of "0" instead.
5 months ago