aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
10,242 Commits
7 Branches
161 Tags
202 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '424eead8c0'
${ noResults }
Commit Graph

53 Commits (424eead8c08ed2a437554bbe6e8b3f3aec5a3d26)

Author SHA1 Message Date
Giuseppe Longo 424eead8c0 detect/sip.method: add sticky buffer 
Matches on uri field in SIP.
 6 years ago
Jason Ish d79c23baa3 dns/detect: dns.opcode keyword 
Add a rule keyword, dns.opcode to match on the opcode flag
found in the DNS request and response headers.

Only exact matches are allowed with negation.

Examples:
  - dns.opcode:4;
  - dns.opcode:!1;
 6 years ago
Jeff Lucovsky 7808b946e3 detect/transform: add dotprefix keyword 6 years ago
Victor Julien 317376f59d datasets: match on lists of data 
Datasets are sets/lists of data that can be accessed or added from
the rule language.

This patch implements 3 data types:

1. string (or buffer)
2. md5
3. sha256

The patch also implements 2 new rule keywords:

1. dataset
2. datarep

The dataset keyword allows matching against a list of values to see if
it exists or not. It can also add the value to the set. The set can
optionally be stored to disk on exit.

The datarep support matching/lookups only. With each item in the set a
reputation value is stored and this value can be matched against. The
reputation value is unsigned 16 bit, so values can be between 0 and 65535.

Datasets can be registered in 2 ways:

1. through the yaml
2. through the rules

The goal of this rules based approach is that rule writers can start using
this without the need for config changes.

A dataset is implemented using a thash hash table. Each dataset is its own
separate thash.
 6 years ago
Victor Julien 24f0092b72 detect: add ipv6.hdr sticky buffer 
Inspects IPv6 header and extension headers.
 6 years ago
Victor Julien 4ac327f5b5 detect/ipv4: add ipv4.hdr sticky buffer 6 years ago
Victor Julien ac694b089a detect: add udp.hdr sticky buffer 6 years ago
Victor Julien bdf53f449c detect/tcp: rename tcp keyword files 6 years ago
Victor Julien 35be8385eb detect: tcp.hdr sticky buffer 
Sticky buffer to inspect the TCP header.
 6 years ago
Victor Julien 66648df099 detect: add tcp.mss keyword 
Allows matching on TCP option MSS.

Syntax:

    tcp.mss:<value>;
    tcp.mss:<value1>-<value2>;
    tcp.mss:<op><value>;

Operator can be: >, <.
 6 years ago
Pierre Chifflier 9dfec7e734 SNMP: add the "snmp.pdu_type" detection keyword 6 years ago
Pierre Chifflier e1dd19a0eb SNMP: add the "snmp.community" detection keyword 6 years ago
Pierre Chifflier aa608e0ca2 SNMP: add the "snmp.version" detection keyword 6 years ago
Mats Klepsland 0b489f329c detect: add (mpm) keyword ja3s.string 
Match on JA3S string using ja3s.string keyword, e.g:

  alert tls any any -> any any (msg:"ja3s.string test";
      ja3s.string; content:"10-11-12"; sid:1;)
 6 years ago
Mats Klepsland 80cee50916 detect: add (mpm) keyword ja3s.hash 
Match on JA3S hash using ja3s.hash keyword, e.g:

  alert tls any any -> any any (msg:"ja3s.hash test";
      ja3s.hash; content:"b26c652e0a402a24b5ca2a660e84f9d5"; sid:1;)
 6 years ago
Mats Klepsland ba857e9739 detect: add tls.certs keyword 
Add keyword to do "raw" matching on each of the certificates in the
TLS certificate sticky buffer.

Example:
  alert tls any any -> any any (msg:"tls.certs test"; tls.certs; \
          content:"|01 02 03 04|"; sid:1;)
 6 years ago
Victor Julien 84da0376fb detect/http.host: rename file for consistency 6 years ago
Victor Julien ccdafe6697 detect/http-server-body: move tests to tests/ 7 years ago
Victor Julien 64987f36fb detect/file-data: move tests into tests/ 7 years ago
Victor Julien 9a8092249e detect/http-client-body: move tests into tests/ 7 years ago
Victor Julien 76fd666cad detect/http_raw_header: move tests into tests/ 7 years ago
Victor Julien ab027cb481 detect/http_cookie: move tests into tests/ 7 years ago
Victor Julien 2f342da048 detect/http_stat_code: move tests into tests/ 7 years ago
Victor Julien 5dfba01b2e detect/http_stat_msg: move tests to tests/ 7 years ago
Victor Julien b469938998 detect/http_raw_host: move raw into regular host logic 7 years ago
Victor Julien dc43f35427 detect/http_host: move tests into tests/ 7 years ago
Victor Julien cb332b4cda detect/http_method: move all tests into tests/ 7 years ago
Victor Julien 0a405e27a0 detect/http_raw_uri: code reorganization 
Move registration into http_uri logic, move tests into the other uri
tests. Switch to v2 mpm/inspect APIs.
 7 years ago
Victor Julien 10e2731f18 detect/http-uri: move tests into tests/ 7 years ago
Victor Julien 3111910fc6 detect/http_user_agent: move tests into tests/ 7 years ago
Victor Julien 33b81f7439 detect: add verbosity of --list-keywords 
Add indicators of content modifier or sticky buffer, and also
allow registering an alternative to a keyword.
 7 years ago
Victor Julien eb73008ccf detect/transform: add to_sha1 keyword 7 years ago
Victor Julien 75f9c1ae9f detect/transform: add to_md5 keyword 7 years ago
Victor Julien ecb5d6419b rules/transform: add to list-keywords 7 years ago
Jason Ish 35fd10bc2e rust: app-layer detect template for rust parsers 7 years ago
Victor Julien 486054595a detect/template2: template with prefilter (copy of ttl) 7 years ago
Victor Julien af6f52cc09 rules: hide 'template' from --list-keywords 7 years ago
Victor Julien b0577402b6 rules: hide internal keywords from --list-keywords 7 years ago
Pierre Chifflier 1076c7cd47 Add krb5_err_code detection keyword 7 years ago
Pierre Chifflier d6b9c0294a Add krb5_cname and krb5_sname detection keywords 7 years ago
Pierre Chifflier 0bd81ff838 Add krb5_msg_type detection keyword 7 years ago
Mats Klepsland 6e23ae230b detect: add (mpm) keyword ja3_string 
Match on JA3 string using ja3_string keyword, e.g:

alert tls any any -> any any (msg:"JA3 string test";
        ja3_string; content:"65-68-69-102"; sid:1;)
 7 years ago
Mats Klepsland 6c7aacce9e detect: add (mpm) keyword ja3_hash 
Match on JA3 hash using ja3_hash keyword, e.g:

alert tls any any -> any any (msg:"JA3 hash test";
        ja3_hash;
        content:"e7eca2baf4458d095b7f45da28c16c34";
        sid:1;)
 7 years ago
Victor Julien 75d7c9d64a rust/smb: initial support 
Implement SMB app-layer parser for SMB1/2/3. Features:
- file extraction
- eve logging
- existing dce keyword support
- smb_share/smb_named_pipe keyword support (stickybuffers)
- auth meta data extraction (ntlmssp, kerberos5)
 7 years ago
Victor Julien 4d1fa4aaf9 detect: bsize keyword 
Allows matching on stickybuffers. Like dsize, it allows matching on
exact values, greater than and less than, and ranges.

For streaming buffers, such as HTTP bodies, the final size of the
body is only known at the end of the transaction.
 8 years ago
Victor Julien 7f97fc40d5 detect/transform: initial to_sha256 implementation 
Takes input buffer and replaces it with hash value for that buffer.
Hash value is in raw bytes.
 8 years ago
Victor Julien 016d65fdf8 detect/transform: initial compress_whitespace implementation 8 years ago
Victor Julien 38ed6cd050 detect/transform: initial strip_whitespace implementation 8 years ago
Victor Julien a499a44f7a detect: move buffer type map into detect ctx 
Move previously global table into detect engine ctx. Now that we
can register buffers at rule loading time we need to take concurrency
into account.

Move DetectBufferType to detect.h and update DetectBufferCtx API calls
to include a detect engine ctx reference.
 8 years ago
Eric Leblond 9ecd60c7a2 detect-ftpdata: register keyword 
Keyword registration was missing so the keyword was not existing.
 8 years ago