Commit Graph

115 Commits (4bbe7d92dc858f77484ad9d41327422ff84af655)

Author SHA1 Message Date
Philippe Antoine 4bbe7d92dc detect: helper to have pure rust keywords
detect: make number of keywords dynamic

Ticket: 4683
1 year ago
Philippe Antoine 82c03f72c3 enip: convert to rust
Ticket: 3958

- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- frames support
- app-layer events
- enip_command keyword now accepts string enumeration as values.
- add enip.status keyword
- add keywords:
    enip.product_name, enip.protocol_version, enip.revision,
    enip.identity_status, enip.state, enip.serial, enip.product_code,
    enip.device_type, enip.vendor_id, enip.capabilities,
    enip.cip_attribute, enip.cip_class, enip.cip_instance,
    enip.cip_status, enip.cip_extendedstatus
1 year ago
Shivani Bhardwaj 83af42cc03 detect/tls-subjectaltname: add sticky buffer
Add TLS SubjectAltName sticky buffer. It is implemented as multi-buffer.

Feature 5234
1 year ago
Philippe Antoine 44b6aa5e4b app-layer: websockets protocol support
Ticket: 2695
1 year ago
Sascha Steinbiss 120313f4da ja4: implement for TLS and QUIC
Ticket: OISF#6379
1 year ago
Hadiqa Alamdar Bukhari 3aa313d0c5 dns: add dns.rcode keyword
dns.rcode matches the rcode header field in DNS messages
It's an unsigned integer
valid ranges = [0-15]
Does not support prefilter
Supports matches in both flow directions

Task #6621
1 year ago
Hadiqa Alamdar Bukhari 4b81851097 dns: add dns.rrtype keyword
It matches the rrtype field in DNS
It's an unsigned integer match
valid ranges = [0-65535]
Does not support prefilter
Supports flow in both directions
Feature #6666
1 year ago
jason taylor 3cb7112aa5 detect: update smb.version keyword
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Eloy Pérez González 415722dab2 smb: add smb.version keyword
Ticket: #5075

Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Philippe Antoine adf5e6da7b detect: strip_pseudo_headers transform
Ticket: 6546
2 years ago
Jason Ish 5d5b0509a5 requires: add requires keyword
Add a new rule keyword "requires" that allows a rule to require specific
Suricata versions and/or Suricata features to be enabled.

Example:

  requires: feature geoip, version >= 7.0.0, version < 8;
  requires: version >= 7.0.3 < 8
  requires: version >= 7.0.3 < 8 | >= 8.0.3

Feature: #5972

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
2 years ago
Jason Ish 482325e28b dns: add dns.query.name sticky buffer
This buffer is much like dns.query_name but allows for detection in both
directions.

Feature: #6497
2 years ago
Jason Ish 5f99abb0cb dns: add dns.answer.name keyword
This sticky buffer will allow content matching on the answer names.
While answers typically only occur in DNS responses, we allow the buffer
to be used in request context as well as the request message format
allows it.

Feature: #6496
2 years ago
Victor Julien 53591702aa detect/bytemath: pass match ctx directly
Adjust includes to enable this.
2 years ago
Philippe Antoine 32cce122e1 detect: header_lowercase transform
Ticket: 6290
2 years ago
Sascha Steinbiss 0c55fe3515 detect: add mqtt.connect.protocolstring
Ticket: OISF#6396
2 years ago
Jeff Lucovsky 1110a86cb9 detect/transform: Register case-change transforms
Issue: 6439
2 years ago
Philippe Antoine ab9b6e30b1 detect: adds flow integer keywords
Ticket: #6164

flow.pkts_toclient
flow.pkts_toserver
flow.bytes_toclient
flow.bytes_toserver
2 years ago
Jeff Lucovsky 2fd0025ede detect/file: Filehandler registration logic
Add file handler registration functions for consolidated file handling.

Issue: 4145
2 years ago
Victor Julien 9b09b29350 detect/fileext: reimplement based on file.name
Ticket: #6194.
2 years ago
Philippe Antoine 415b036dca http1: implement http.request_header
So that it is generic for HTTP1 and HTTP2

Ticket: #5780
2 years ago
Victor Julien b31ffde6f4 output: remove error codes from output 3 years ago
Jason Ish 8683154115 templates: remove C app-layer templates 3 years ago
Eric Leblond 7e516aad94 detect: add ip.src keyword
It is a sticky buffer matching on src_ip.

Feature: #5383
3 years ago
Eric Leblond 9cb06d4376 detect/smb: add smb.ntlmssp_domain keyword
Feature #5411.
3 years ago
Eric Leblond 69ef1bc194 detect/smb: add smb.ntlmssp_user keyword
Feature #5411.
3 years ago
Philippe Antoine 390cf9248f detect: adds flow.age keyword
Ticket: #5536
3 years ago
Victor Julien 682e2a07fe detect/tls: add tls.cert_chain_len keyword 3 years ago
Victor Julien e250ef6402 debug: remove empty header 3 years ago
Philippe Antoine 5ef259722b dhcp: adds renewal-time keyword
Ticket: #5507
3 years ago
Philippe Antoine 6faf6299e0 dhcp: adds rebinding-time keyword
Ticket: #5506
3 years ago
Shivani Bhardwaj 42c3f418c6 tls: add tls.random* keywords
Add tls.random keyword that matches on the 32 bytes of the TLS
random field for client as well as server.
Add tls.random_time keyword that matches on the first 4 bytes of the TLS
random field for client as well as server.
Add tls.random_bytes keyword that matches on the last 28 bytes of the TLS
random field for client as well as server.

All these are sticky buffers.

Feature 5190
3 years ago
Philippe Antoine 461725a9bf dhcp: adds leasetime keyword
As it is logged

Ticket: #5435
3 years ago
Philippe Antoine 5c7b5c5fb5 krb: detection for ticket encryption
As is done for logging.

Ticket: #5442
3 years ago
Philippe Antoine 02f2602dde src: rework includes as per cppclean 3 years ago
Philippe Antoine c7214be99b snmp: adds usm keyword
as is logged

Ticket: #5416
3 years ago
Victor Julien e02b52c895 quic: add quic.ua for matching user agent 4 years ago
Victor Julien da8b024b99 detect/quic: add quic.sni sticky buffer 4 years ago
Emmanuel Thompson 7e51987263 quic: Add QUIC App Layer
Parses quic and logs a CYU hash for gquic frames
4 years ago
Philippe Antoine 0cfdec1266 detect: xor transform
Ticket: 3285

The xor transform applies xor decoding to a buffer, with a key
specified as an option in hexadecimal. Arbitrary key sizes are
accepted.
4 years ago
Victor Julien a492d94826 detect/frames: implement 'frame' keyword
Implement a special sticky buffer to select frames for inspection.

This keyword takes an argument to specify the per protocol frame type:

    alert <app proto name> ... frame:<specific frame name>

Or it can specify both in the keyword:

    alert tcp ... frame:<app proto name>.<specific frame name>

The latter is useful in some cases like http, where "http" applies to
both HTTP and HTTP/2.

    alert http ... frame:http1.request;
    alert http1 ... frame:request;

Examples:

    tls.pdu
    smb.smb2.hdr
    smb.smb3.data

Consider a rule like:

    alert tcp ... flow:to_server; content:"|ff|SMB"; content:"some smb 1 issue";

this will scan all toserver TCP traffic, where it will only be limited by a port,
depending on how rules are grouped.

With this work we'll be able to do:

    alert smb ... flow:to_server; frame:smb1.data; content:"some smb 1 issue";

This rule will only inspect the data portion of SMB1 frames. It will not affect
any other protocol, and it won't need special patterns to "search" for the
SMB1 frame in the raw stream.
4 years ago
Sascha Steinbiss e2dbdd7fd5 ikev1: add ikev1 parser 4 years ago
Eric Leblond 0dba1b09de suricata: improve list keywords
Exit with error if a keyword is not supported or does not exist
and display a message.
5 years ago
Jeff Lucovsky dabd50eeee detect: Register icmpv4 header 5 years ago
Philippe Antoine 1422b18a99 http2: initial support 5 years ago
Sascha Steinbiss c31360070b rust/mqtt: add MQTT parser 5 years ago
Philippe Antoine 1569f3e349 transform: adds url_decode keyword
Fixes https://redmine.openinfosecfoundation.org/issues/2689

Adds a new source file to handle this keyword.
And modifies documentation, Makefile, and registration accordingly.

url_decode decodes url-encoded data, i.e. replacing '+' with space
and '%HH' with its value.
5 years ago
Victor Julien 6ab323d323 detect: hide RegisterTests behind ifdef UNITTESTS
Update all callers to more aggressively use UNITTESTS guards as well.
5 years ago
Victor Julien 2145cf99a3 detect/config: initial version 5 years ago
Jeff Lucovsky fb409664d2 detect: byte_math support 5 years ago