aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
9,222 Commits
7 Branches
155 Tags
194 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '35fd10bc2e'
${ noResults }
Commit Graph

9222 Commits (35fd10bc2ea2c7542035a3611d438d6bbc5483fd)
 

Author SHA1 Message Date
Chris Speidel 1e8959b465 doc: fix minor typo 7 years ago
Jason Ish cf33c9975a filestore: fix truncation warnings 7 years ago
fooinha f67aa5deaa packet: gre over ip link type 7 years ago
Victor Julien 693a3df031 tls: document encrypt-handling option 
Document in sample yaml and user guide.
 7 years ago
Victor Julien 2d50fe499a tls: new config for dealing with encrypted traffic 
Much of encrypted traffic is uninteresting to Suricata. Once encrypted
communication starts, inspecting the packet payloads is generally
not interesting anymore. The default behavior is to disable the parts
of the detection engine and stream reassembly that relate to raw content
inspection.

The tls app-layer parser also had a crude option to affect this behavior:
set 'no-reassemble' to true went much further than the default behavior.
It disabled the TCP reassembly on the flow completely, disabled all
inspection on the flow and enabled bypass if available.

This patch adds a new option: full inspection. This continues to treat
a TLS session as any other, so without any limits to inspection.

The new option is implemented in a new config option 'encrypt-handling',
that replaces 'no-reassemble'. The new option has 3 values:
'default', 'full' and 'bypass'. Default is the current default behavior,
'bypass' is the current 'no-reassemble = true' behavior and 'full'
is the new full inspection mode.
 7 years ago
Victor Julien e6a009ae7f detect/stream_size: code cleanups 7 years ago
Victor Julien f30f038179 detect/stream_size: apply rule to packets & stream 
The use of stream_size in combination with raw content matches is an
indication that the rule needs to be evaluated per packet, not just
per reassembled stream chunk.
 7 years ago
Victor Julien c677e07d3e kerberos: minor doc updates, add author 7 years ago
Victor Julien b61e9c2173 dhcp: add author 7 years ago
Jason Ish fb85822730 dhcp: update user guide 7 years ago
Jason Ish c052e23348 dhcp: add dhcp app-layer rules file 7 years ago
Jason Ish 9210d8743b rust/dhcp: Rust based DHCP decoder and logger. 
This is a DHCP decoder and logger written in Rust. Unlike most
parsers, this one is stateless so responses are not matched
up to requests by Suricata. However, the output does contain
enough fields to match them up in post-processing.

Rules are included to alert of malformed or truncated options.
 7 years ago
Jason Ish 1b0b74dc16 rust: a Rust ConfNode wrapper. 
A Rust wrapper around the C ConfNode object. Currenlty only exposes
ConfGetChildValueBool and ConfGetChildValue.
 7 years ago
Jason Ish 05e20c5c57 eve: check if enabled before attempting to setup 
Before setting up a sub eve-logger, check that it is enabled. This
allows us to set "enabled: no" for loggers that are not registered
with the system without generating an error. An example of this
is loggers that are only available with Rust.
 7 years ago
Jason Ish 2ec3381600 rust/app-layer: macros to export de_state functions 
These macros generate the extern "C" functions for transactions
structs that need provide functions for setting and getting
the de_state. The idea is to provide macros do avoid code
duplication and make it simpler to create an app-layer.

A trait would be the correct solution, but it doesn't look like
you can use traits to export extern "C" functions.
 7 years ago
Jason Ish da4912dfe7 rust: add get_tx_iterator to parser registration 7 years ago
Jason Ish 14843a7b43 app-layer-register: add GetTxIterator 
Add a field to set the GetTxIterator function to the AppLayerParser
registration struct.
 7 years ago
Jason Ish 9fc1250ca8 app-layer-detect-proto: remove unnecessary gotos 7 years ago
Pierre Chifflier e9ae62ed05 Kerberos 5: properly handle TCP buffering 7 years ago
Pierre Chifflier c51ff32adb Document Kerberos 5 parsing events 7 years ago
Pierre Chifflier 1076c7cd47 Add krb5_err_code detection keyword 7 years ago
Pierre Chifflier d6b9c0294a Add krb5_cname and krb5_sname detection keywords 7 years ago
Pierre Chifflier 0bd81ff838 Add krb5_msg_type detection keyword 7 years ago
Pierre Chifflier 5037051161 Kerberos 5: rename weak crypto to weak encryption, and log it 7 years ago
Pierre Chifflier 6ae53a1869 Add event rules for Kerberos 5 7 years ago
Pierre Chifflier 3a017f61b0 Kerberos 5: pretty-print error code when logging 7 years ago
Pierre Chifflier 52f5c7914f Log Kerberos 5 errors 7 years ago
Pierre Chifflier 1e5f5d405f Kerberos 5: add support for TCP as well 7 years ago
Pierre Chifflier 645ba17509 Kerberos: check version in probing function 7 years ago
Pierre Chifflier fd175f2bfb Add logger for Kerberos 5 metadata 7 years ago
Pierre Chifflier 77f0c11c9e Add Kerberos 5 application layer 7 years ago
Eric Leblond 325f336f63 util-random: fix detection of getrandom failure 7 years ago
Eric Leblond 851efd9c60 util-random: workaround getrandom unavailability 
getrandom syscall availability is detected at runtime. So it is
possible that the build is done on a box that supports it but
the run is done on a system with no availability. So a workaround
solution is needed to fix this case.

Also we have seen some issue in docker environment where the build
is detecting getrandom but where it does not work at runtime.

For both reasons, the code is updated to have a call to a fallback
function if ever the getrandom call returns that the syscall is
not available.
 7 years ago
Jason Ish d73b5ee276 rust: cargo fixes for out of tree build 7 years ago
Jason Ish 7e06e765f3 python: fixes for out of tree build 
Autoconf/automake and python setup.py don't play that well
together with out of tree builds.

Makes suricatasc not an autoconf input file, instead use the
defaults module that is already being created.

In the case of an out of tree build, copy the generated defaults.py
to the build directory manually.
 7 years ago
Pascal Delalande 4f48927c44 doc: spelling mistakes in various sections of the user guide 7 years ago
Pierre Chifflier 2d1c4420de Update ntp-parser to 0.2.0 7 years ago
Jason Ish 95481a9176 eve/json/xff - remove check for flow being NULL. 
Fix Coverity issue:
** CID 1435535:  Null pointer dereferences  (REVERSE_INULL)
/src/output-json-file.c: 212 in JsonBuildFileInfoRecord()

Where we check a variable for being NULL, when all paths to the
code show that it can't be NULL.
 7 years ago
Victor Julien 26b61bad90 htp: cleanup and fix test 7 years ago
Victor Julien 08af5ddd88 http: add tests for header folding 
To test for https://github.com/OISF/libhtp/issues/159
 7 years ago
Victor Julien 953dceece2 http: clean up unittest 7 years ago
Victor Julien d0a8310fcf pcap-log: don't divide by 0 on no traffic 7 years ago
Jason Ish 0d51ebc71a eve/alert: use eve-level xff config by default 
The alert section can still have an xff configuration which
will take priority over the eve level xff config.
 7 years ago
Jason Ish e3645bd9ae eve/alert: separate xff and metadata configuration 
Put xff setup and metadata setup into their own
functions.
 7 years ago
Jason Ish 4822387411 qa/coccinelle: allow to run from non git directory 
For example, when I put the contents of a git worktree into
a Docker image for a test build .git will not be a directory
causing the run_check.sh script to fail.
 7 years ago
Jason Ish 36ec1281b2 eve/files: use eve-level xff config by default 
The files section can still have an xff configuration which
will take priority over the eve level xff config.
 7 years ago
Jason Ish 6607ee8489 eve/http: use eve-level xff config by default 
The http section can still have an xff configuration which
will take priority over the eve level xff config.
 7 years ago
Jason Ish 576584152c eve: use eve-level xff configuration 
If an "xff" configuration section exists on the eve object,
parse and save it for child loggers to use.
 7 years ago
Jason Ish 781a7e1089 xff: HttpXFFGetCfg - allow conf to be NULL 
The code fully handles conf being NULL, and we have other functions
where conf can be NULL.
 7 years ago
Maurizio Abba 2543930d74 xff: Use XFF configuration in eve and filestore 
XFF configuration is already set in app-layer-htp-xff, and in
output-json-alert. Extending XFF configuration to files and HTTP allow
to get the same behavior as for alerts.

Extend the configuration of filestore json to let filestore metafile
dump be aware of xff. This is available only if write-fileinfo is set
to yes and file-store version is 2.
 7 years ago