Commit Graph

7860 Commits (47a5b493d748e899c478ec7f75c4858fee4552ee)

Author SHA1 Message Date
Jason Ish 0c3f1e2974 logging: move lock into write function
All loggers were wrapping just the write in a lock with some
updating a counter.  This moves the lock into the write function.

The log_ctx alerts counter was also removed as many modules have
stopped using this and the alert count is available elsewhere.

Should satisfy Coverity CID 1400798:

CID 1400798 (#1 of 1): Data race condition (MISSING_LOCK) 2.
missing_lock: Accessing log_ctx->rotation_flag without holding lock
LogFileCtx_.fp_mutex. Elsewhere, "LogFileCtx_.rotation_flag" is accessed
with LogFileCtx_.fp_mutex held 4 out of 5 times.

Which appears to be a false positive as all calls to SCLogFileWrite
were done under lock, but this will make it more explicit.
8 years ago
Jason Ish ddf1bf6518 unified2: unlock using same dereference as lock
Addresses Coverity CIDs:
    1400797
    1400796

Note that the mutex was actually being unlocked, but
from a different variable pointing to the same mutex.
8 years ago
Mats Klepsland 285b566205 doc: add documentation for TlsGetCertSerial Lua function 8 years ago
Mats Klepsland ee9f822b8e doc: add documentation for tls_cert_serial keyword 8 years ago
Mats Klepsland d6508e640a detect: add (mpm) keyword tls_cert_serial
Match on TLS certificate serial number using tls_cert_serial
keyword, e.g.:

alert tls any any -> any any (msg:"TLS cert serial test";
        tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1";
        sid:12345;)
8 years ago
Mats Klepsland 95864375f2 lua: add function to print certificate serial number
Add function LuaGetCertSerial to print serial number from TLS
certificate.

Example:

function log (args)
    -- 'file' is assumed to be the output handle opened in this script's setup() function
    serial = TlsGetCertSerial()

    if serial then
        file:write(serial .. "\n")
        file:flush()
    end
end
8 years ago
Mats Klepsland 2e339aa791 tls-log: log certificate serial number 8 years ago
Mats Klepsland 2b460b8d06 output-json-lua: log certificate serial number 8 years ago
Mats Klepsland 2c1a36dd6e app-layer-tls: decode certificate serial number 8 years ago
Alexander Gozman 310b27a196 af-packet: fix parsing packet in TPACKET_V3 mode
AFPParsePacketV3() saved tpacket_block_desc structure
instead of tpacket3_hdr. As a result, reconstructed
packets were wrong.

Bug #2044.
8 years ago
Alexander Gozman e41a9d637b af-packet: get VLAN info for packets in TPACKET_V3 mode 8 years ago
Alexander Gozman ee7e689b54 af-packet: write VLAN info for both TPACKET_V2 and V3 8 years ago
Jason Ish 92db12c349 pidfile: fail if the pid file exists
Changes the pidfile check function to fail just on the
existence of the file to address issue
https://redmine.openinfosecfoundation.org/issues/1335
but log a message if the pid file appears to be stale.
8 years ago
David Wharton 1bf7ded224 doc: specify buffers that can be used for fast_pattern
Updated notes on the following buffers indicating that they can
be used for fast_pattern:
tls_cert_subject
tls_cert_issuer
tls_sni
8 years ago
David Wharton b1ad770b36 doc: removed references to older Suricata versions
Docs are versioned; references to older Suricata versions are undesired.
8 years ago
Mats Klepsland e91bb09c91 doc: add documentation for TLS eve-log 8 years ago
Mats Klepsland bbd32c1419 output-json-tls: code cleanup 8 years ago
Mats Klepsland 115b3138cc output-json-tls: log certificate and chain
Log entire certificate and certificate chain Base64 encoded.
8 years ago
Mats Klepsland 0716199acb output-json-tls: custom tls logging 8 years ago
Jason Ish 89ba5816dc doc: update unified2 section
Remove documentation on older unified formats that have
been removed.
8 years ago
Jason Ish 82f6103149 unified2: nostamp and file rotation
Give unified2 a nostamp option which will create the file
without the timestamp suffix (like Snort's nostamp option).

Also register for rotation notification on SIGHUP so the file
will be recreated if it is removed by an external rotation
program (only when nostamp is used).
8 years ago
Jason Ish 2c01985e73 autoconf - look for stdbool.h 8 years ago
Jason Ish d8e9e1fd77 unified2: minor cleanups
- remove unused arguments and make static
8 years ago
Jason Ish c810748a60 Makefile: fix race condition in make install-full
Use recursive make for the install process so it
is executed in a predictable order.

Addresses issue:
https://redmine.openinfosecfoundation.org/issues/1470
which triggered on OSX/macOS.
8 years ago
Mats Klepsland 234a3a890b output-json-alert: print 'tunnel' JSON object if tunnel
Log src_ip, dst_ip and proto for root packet (p->root) if the
packet that triggered is inside a tunnel, as JSON object
'tunnel'. Also log recursion depth to indicate the depth of
the tunnel.
8 years ago
Mats Klepsland 7293286f2f output-json: move code to get 5-tuple to own function
Move code to get 5-tuple in JSON object to own function 'JsonFiveTuple'.
This enables this code to be reused when printing 'parent' JSON object in
output-json-alert.
8 years ago
Mats Klepsland 8c8db1cf0f output-json-alert: fix wrongful comments 8 years ago
Mats Klepsland 6a382259f8 doc: documentation for custom JSON flags in eve-log 8 years ago
Mats Klepsland 65317ba865 output-json: make JSON flags in eve-log user configurable 8 years ago
Victor Julien d445b4b5fa dce: remove commented out code 8 years ago
Victor Julien 9da7be81f0 flow-worker: clean up thread init 8 years ago
Victor Julien c859d39f4f coverity: suppress CID 1400648 8 years ago
Victor Julien 955c227127 detect-ssh: cleanup duplicate code 8 years ago
Victor Julien 2f30adb08a detect-lua: setup cleanup, fixing a potential int issue 8 years ago
Victor Julien 511e804915 detect: fix missing unlock in error path 8 years ago
Victor Julien f74eff9eac threads: address sleep under lock issue 8 years ago
Victor Julien f380871057 threads: don't sleep under lock 8 years ago
Victor Julien cc4010343d detect: add and use util func for alproto sets 8 years ago
Victor Julien c477c4370e doc: update for unix socket hostbits 8 years ago
Victor Julien 4a49260897 flowvar: shrink flowvar type by using padded space 8 years ago
Victor Julien 99517cbd53 lua: support key/value flowvars in lua 8 years ago
Victor Julien f0af133c5f flowvar: remove unused DETECT_VAR_TYPE_ALWAYS 8 years ago
Victor Julien 71607c905a doc: update unix socket 8 years ago
Victor Julien 8fde6f967f suricatasc: add/list/remove hostbit commands
Syntax:
    add-hostbit <ip> <bit name> <expire>
Example:
    add-hostbit 1.2.3.4 blacklist 3600

Syntax:
    remove-hostbit <ip> <bit name>
Example:
    remove-hostbit 1.2.3.4 blacklist

Syntax:
    list-hostbit <ip>
Example:
    list-hostbit 1.2.3.4
8 years ago
Victor Julien 88888c3d8b unix-socket: add/list/remove hostbit commands
add-hostbit adds a named hostbit with an expire time in seconds.
remove-hostbit removes hostbit by name.

add-hostbit, remove-hostbit return success or failure.

list-hostbit returns a json array of hostbits with their name and
expire time:

    {
        "message": {
            "count": 1,
            "hostbits":
                [{
                    "expire": 3222,
                    "name": "firefox-users"
                }]
        },
        "return": "OK"
    }
8 years ago
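The two commits above (the suricatasc commands and the unix-socket JSON they map to) describe the hostbit API from the operator's side. The following is an added example, not code from Suricata or from these commits: a small Python client that performs the unix-socket version handshake, sends add-hostbit / remove-hostbit / list-hostbit commands and parses the list-hostbit reply shown above into a name-to-expire mapping. The protocol version string "0.1" and the argument key names ("ipaddress", "hostbit", "expire") are assumptions taken from how suricatasc behaves, not facts stated in the commit messages. So that it runs offline, a constructed fake server that models only these three commands answers over a socketpair; against a real Suricata you would connect an AF_UNIX socket to the configured socket path instead.

```python
import json
import socket
import threading
import time

# Assumption: version string suricatasc sends in the initial handshake.
SOCKET_VERSION = "0.1"


def _send_json(sock, obj):
    """Serialise one JSON message onto the socket."""
    sock.sendall(json.dumps(obj).encode("utf-8"))


def _recv_json(sock):
    """Accumulate bytes until they parse as one complete JSON document."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("socket closed before a full reply arrived")
        buf += chunk
        try:
            return json.loads(buf.decode("utf-8"))
        except ValueError:
            continue  # partial message, keep reading


def handshake(sock):
    """Send the version handshake; the manager answers {"return": "OK"}."""
    _send_json(sock, {"version": SOCKET_VERSION})
    reply = _recv_json(sock)
    if reply.get("return") != "OK":
        raise RuntimeError("handshake rejected: %r" % (reply,))
    return reply


def run_command(sock, name, arguments=None):
    """Send {"command": ..., "arguments": {...}} and return the parsed reply."""
    msg = {"command": name}
    if arguments:
        msg["arguments"] = arguments
    _send_json(sock, msg)
    return _recv_json(sock)


# Assumption: argument key names follow suricatasc ("ipaddress", "hostbit", "expire").
def add_hostbit(sock, ip, name, expire):
    return run_command(sock, "add-hostbit",
                       {"ipaddress": ip, "hostbit": name, "expire": int(expire)})


def remove_hostbit(sock, ip, name):
    return run_command(sock, "remove-hostbit", {"ipaddress": ip, "hostbit": name})


def list_hostbits(sock, ip):
    """Return {name: expire_seconds} from a list-hostbit reply, or raise on failure."""
    reply = run_command(sock, "list-hostbit", {"ipaddress": ip})
    if reply.get("return") != "OK":
        raise RuntimeError("list-hostbit failed: %r" % (reply.get("message"),))
    return {hb["name"]: hb["expire"] for hb in reply["message"]["hostbits"]}


class FakeHostbitServer(threading.Thread):
    """Constructed stand-in for the unix-socket manager so the client runs offline.
    It models only the three hostbit commands and an in-memory expiry table."""

    def __init__(self, sock):
        super().__init__(daemon=True)
        self.sock = sock
        self.bits = {}  # ip -> {hostbit name: absolute expiry time}

    def run(self):
        try:
            ok = _recv_json(self.sock).get("version") == SOCKET_VERSION
            _send_json(self.sock, {"return": "OK" if ok else "NOK"})
            while ok:
                _send_json(self.sock, self.handle(_recv_json(self.sock)))
        except (ConnectionError, OSError):
            return

    def handle(self, msg):
        args = msg.get("arguments", {})
        host = self.bits.setdefault(args.get("ipaddress"), {})
        now = time.time()
        if msg["command"] == "add-hostbit":
            host[args["hostbit"]] = now + args["expire"]
            return {"return": "OK", "message": "Done"}
        if msg["command"] == "remove-hostbit":
            if host.pop(args["hostbit"], None) is None:
                return {"return": "NOK", "message": "hostbit not set"}
            return {"return": "OK", "message": "Done"}
        if msg["command"] == "list-hostbit":
            live = [{"name": n, "expire": int(t - now)} for n, t in host.items() if t > now]
            return {"return": "OK", "message": {"count": len(live), "hostbits": live}}
        return {"return": "NOK", "message": "Unknown command"}


def demo():
    """Add, list, remove and list again for 1.2.3.4 against the fake server."""
    client_sock, server_sock = socket.socketpair()
    FakeHostbitServer(server_sock).start()
    handshake(client_sock)
    add_hostbit(client_sock, "1.2.3.4", "blacklist", 3600)
    before = list_hostbits(client_sock, "1.2.3.4")
    remove_hostbit(client_sock, "1.2.3.4", "blacklist")
    after = list_hostbits(client_sock, "1.2.3.4")
    client_sock.close()
    return before, after
```

The reader loop in `_recv_json` matters in practice: the manager may deliver a reply in more than one segment, so the client keeps reading until the buffer parses as a whole JSON document rather than trusting a single `recv`. Because a hostbit set this way can make a rule with `hostbits:isset,<name>` fire for that host, treat the socket as a control-plane interface and restrict access to it accordingly.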
Victor Julien b6e4276792 hostbits: add list API 8 years ago
Victor Julien 996112edf5 pktvars: same name pktvars, key-value vars 8 years ago
Victor Julien 5ca4a2e6fe outputs: vars log
EVE addition called 'vars' that logs pkt/flow vars for each packet/flow.
8 years ago
Victor Julien 1a2ad059a1 eve: log pktvars/flowvars/bits/ints
Optionally logs 'vars' into alerts
8 years ago
Victor Julien 1ba8c2fe3a pcre: new way of specifying var names
Until now the way to specify a var name in pcre substring capture
into pkt and flow vars was to use the pcre named substring support:
e.g. /(?P<pkt_somename>.*)/

This had 2 drawbacks:

1. limitations of the name. The name could be max 32 chars, only have
   alphanumeric and the underscore characters. This imposed limitations
   that are not present in flowbits/ints.

2. we didn't actually use the named substrings in pcre through the
   API. We parsed the names separately. So putting the names in pcre
   would actually be wasteful.

This patch introduces a new way of mapping captures with names:

  pcre:"/(.*)/, pkt:somename";
  pcre:"/([A-z]+) ([0-9]+)/, pkt:somename,flow:anothername";

The order of the captures and the order of the names are mapped 1 on 1.
This method is no longer limited by the pcre API's naming limits. The
'flow:' and 'pkt:' prefixes indicate what the type of variable is. It's
mandatory to specify one.

The old method is still supported as well.
8 years ago
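The commit above describes how capture groups are mapped to pkt/flow variables: in the new form the names after the comma are paired with the capture groups in order and each name must carry a `pkt:` or `flow:` prefix, while the old `(?P<pkt_name>...)` form is still accepted. The following is an added example and not Suricata's own parser: a simplified Python reimplementation of that mapping that parses the option value, rejects a name without a prefix, rejects more names than capture groups, and then runs the regex over a constructed payload to produce the pkt and flow variables. The flag handling (only `i`, `s`, `m` are mapped onto Python `re` flags) is an assumption made for this example; Suricata's real pcre keyword supports more modifiers.

```python
import re

# Assumption for this example: only these pcre modifiers are mapped.
_FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}
_SCOPES = ("pkt", "flow")


def parse_pcre_option(option):
    """Split a pcre option value into (regex, flags, captures).

    captures is a list of (scope, name, group_key): group_key is the 1-based
    group index for the new "/re/, pkt:a,flow:b" form and the named-group
    name for the old "/(?P<pkt_a>...)/" form.
    """
    option = option.strip()
    if not option.startswith("/"):
        raise ValueError("pcre value must start with '/'")
    end = option.rfind("/")  # closing slash; variable names never contain '/'
    if end == 0:
        raise ValueError("unterminated regex")
    regex = option[1:end]
    flag_str, _, names_str = option[end + 1:].partition(",")

    flags = 0
    for ch in flag_str.strip():
        if ch not in _FLAG_MAP:
            raise ValueError("unsupported modifier %r in this example" % ch)
        flags |= _FLAG_MAP[ch]

    captures = []
    if names_str.strip():
        # New style: names map 1:1 onto capture groups, prefix is mandatory.
        for idx, spec in enumerate(names_str.split(","), start=1):
            scope, sep, name = spec.strip().partition(":")
            if not sep or scope not in _SCOPES or not name:
                raise ValueError("capture name %r needs a pkt: or flow: prefix" % spec.strip())
            captures.append((scope, name, idx))
    else:
        # Old style: derive scope and name from (?P<pkt_x>...) / (?P<flow_x>...).
        for m in re.finditer(r"\(\?P<(pkt|flow)_([A-Za-z0-9_]+)>", regex):
            captures.append((m.group(1), m.group(2), m.group(1) + "_" + m.group(2)))
    return regex, flags, captures


def extract_vars(option, payload):
    """Apply the option to payload; return {"pkt": {...}, "flow": {...}}."""
    regex, flags, captures = parse_pcre_option(option)
    compiled = re.compile(regex, flags)
    for _, _, key in captures:
        if isinstance(key, int) and key > compiled.groups:
            raise ValueError("%d names given but regex has only %d capture groups"
                             % (len(captures), compiled.groups))
    out = {"pkt": {}, "flow": {}}
    m = compiled.search(payload)
    if m is None:
        return out
    for scope, name, key in captures:
        value = m.group(key)
        if value is not None:
            out[scope][name] = value
    return out
```

Constructed inputs such as `extract_vars('/([A-z]+) ([0-9]+)/, pkt:somename,flow:anothername', "GET 42")` yield `somename` as a pkt var and `anothername` as a flow var, matching the ordering rule in the commit message; a name list without a prefix, or longer than the number of groups, is rejected before the regex ever runs, which is the check you want in a rule linter.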