aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
14,714 Commits
7 Branches
155 Tags
197 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c419b79b7'
${ noResults }
Commit Graph

270 Commits (5c419b79b7fd0c068b04e783f300ba4919c1b7f7)

Author SHA1 Message Date
Philippe Antoine 4e242645be doc: explicit header normalization further 
And their concatenation as described in RFC 2616
 4 years ago
Philippe Antoine 6b30890de9 doc: http.uri.raw has no spaces 
as they are in the protocol

cf bug #2881
 4 years ago
Victor Julien 7b4ac8dbab doc/userguide: update http keywords 4 years ago
Jeff Lucovsky a18a9d3046 doc: New sticky buffer icmpv4.hdr 4 years ago
Victor Julien c95850c6ce doc/rules: document config rule option 4 years ago
Shivani Bhardwaj 87617b200c doc/datasets: add info about memcap and hashsize 5 years ago
Victor Julien e1ecb7dc41 doc/datasets: explain reloads, general improvements 5 years ago
Jeff Lucovsky 06f41f608c doc: Improve grammar, spelling and clarifications 
This commit improves the overall documentation's grammar, spelling, and
adds clarifications  where needed.
 5 years ago
jason taylor b21160a6e3 doc: http.host keyword note for matching on port 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 5 years ago
Philippe Antoine 999af4f62a http2: adds documentation 5 years ago
Sascha Steinbiss c31360070b rust/mqtt: add MQTT parser 5 years ago
Philippe Antoine 1569f3e349 transform: adds url_decode keyword 
Fixes https://redmine.openinfosecfoundation.org/issues/2689

Adds a new source file to handle this keyword.
And modifies documentation, Makefile, and registration accordingly.

url_decode decodes url-encoded data, ie replacing '+' with space
and '%HH' with its value.
 5 years ago
Tristan Fletcher 6cbb4d4909 doc: fix spelling in flowbits image 5 years ago
Jeff Lucovsky 901fbae7b9 doc: Add byte_math documentation 5 years ago
Vadym Malakhatko a80f705d4b userguide: add documentation for Hassh usage 
1. Rules keywords
2. Json keywords
3. Usage in lua
4. Enabling in configuration file
 5 years ago
Jeff Lucovsky b116a56a32 doc: Correct typos 5 years ago
Jeff Lucovsky 59cc3c6281 doc: Update byte_extract doc 5 years ago
Victor Julien 82ac72782d doc/userguide: update app-proto list 5 years ago
Victor Julien e6330c354d doc/userguide: list valid rule actions 5 years ago
Jeff Lucovsky 5e4aa5b851 doc: Improve tos description 
This commit improves the description of the `tos` keyword by emphasizing
that the value used should adhere to the guidelines in RFC2474. Instead
of specifying the DSCP value directly, right shift the DSCP value and
use that.
 5 years ago
Jeff Lucovsky 3005dca3fd doc: pcrexform documentation 5 years ago
Jason Ish 0dd1b2a616 doc: typo: http.server_body should be http.response_body 
Thanks to Jason Williams for pointing this out.
 5 years ago
Todd Mortimer 6b4d32c6bb doc: Update documentation for by_rule and by_both thresholds. 5 years ago
Jeff Lucovsky 4ad6c5421a doc: fix documentation typos 5 years ago
Jeff Lucovsky bc01392e93 doc: Update byte_test documentation 5 years ago
Frank Honza 1c8943dedd add RFB parser 
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

 - rfb.name: Session name as sticky buffer
 - rfb.sectype: Security type, e.g. VNC-style challenge-response
 - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
 5 years ago
Philippe Antoine 6251deae21 doc: adds doc for ipv4.hdr signature keyword 5 years ago
Philippe Antoine 1cd314c500 detect: adds icmpv6.mtu keyword 5 years ago
Philippe Antoine 8396333493 detect: adds icmpv6.hdr keyword 5 years ago
Philippe Antoine af1361a988 doc: add missing documentation for ipv6.hdr keyword 5 years ago
jason taylor 1666bc0ad1 doc: minor capitalization fix 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 5 years ago
jason taylor 4f7dc4f136 doc: add bsize documentation and rule example 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 5 years ago
Jason Williams 55a36c79ff doc: update http keywords documentation 5 years ago
jason taylor 95237f9894 docs: update datasets examples 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 5 years ago
EmilienCourt 50bb8d4cb2 doc: fix typo on example 
Quotes have been forgotten in the dnp3.data example, which throws an
SC_ERR_INVALID_SIGNATURE(39) if used like in the example.
 5 years ago
Eric Leblond 9ef2f81ee7 doc/userguide: fix typo 5 years ago
Eric Leblond 821d590f5b doc/userguide: fix base64 example 
Add a sticky buffer example and fix the content modifier one.
 5 years ago
Konstantin Klinger 808ea0dba9 app-layer: remove obsolete msn protocol detection 5 years ago
Victor Julien 6d2bd6607e datasets: make clear the feature is experimental 5 years ago
Victor Julien 4061bf5ceb doc/datasets: update example config to map 5 years ago
Victor Julien be6cdd37f8 stream: remove fix stream.depth references 5 years ago
Giuseppe Longo dd5d0afd79 doc: add SIP keywords 6 years ago
Jason Ish d3e2cc9926 doc: document dns.opcode keyword 6 years ago
Jason Ish daed788d49 doc: Replace dns_query with dns.query. 6 years ago
Travis Green 798d874662 doc: fix whitespace 6 years ago
Victor Julien 6aa2d550a1 doc/dotprefix: fix example rules 6 years ago
Jeff Lucovsky ab3d6328ba detect/transform: add dotprefix keyword to doc 6 years ago
Travis Green 3f146cdd7e doc: add endswith keyword docs 6 years ago
Travis Green 9f8dcad287 doc: update of ssh-kewords documentation 
Modifies ssh-keywords.rst to fix syntax error in example rule as well as
update descriptions to indicate older keywords have been deprecated.
 6 years ago
Victor Julien e36a963196 datasets/doc: minor fixes and clarifications 6 years ago
Victor Julien 0107b9a057 doc/dataset: initial documentation 6 years ago
Nick Price d0a85b7550 ja3: Mention LibNSS dependency for JA3 6 years ago
Eric Leblond 08397e07f1 doc: fix typos in geoip doc 6 years ago
Eric Leblond 0d5608bab2 doc: fix display of icmp code and type array 6 years ago
Eric Leblond 0c84591afe doc: use a table to list direction filter in geoip 6 years ago
Eric Leblond c01cadbade doc: fix geoip syntax 
Spaces are not allowed before country code.
 6 years ago
Vinjar Hillestad 4c18fee3c6 Documenting base64_decode and base64_content 
base64 doc changes based on #4027 pull feedback
 6 years ago
Bill Meeks a291209e47 detect/geoip: migrate to GeoIP2 database format 
Issue #2765
 6 years ago
Victor Julien 034555644b doc: add tcp.hdr and udp.hdr 6 years ago
Victor Julien a01df4b86b doc: document tcp.mss keyword 6 years ago
Andreas Herz 30fd80b0ef doc: convert fancy quotes to straight quotes 6 years ago
Pierre Chifflier 9dfec7e734 SNMP: add the "snmp.pdu_type" detection keyword 6 years ago
Pierre Chifflier e1dd19a0eb SNMP: add the "snmp.community" detection keyword 6 years ago
Pierre Chifflier aa608e0ca2 SNMP: add the "snmp.version" detection keyword 6 years ago
Jeff Lucovsky ab1d95446a doc: http keyword update 
This changeset updates the keyword type for http.location and http.server
 6 years ago
Jeff Lucovsky 0960ca0d00 detect/analyzer Add missing HTTP values 
This changeset adds recognition of missing HTTP values
- Raw host
- Header names
- Server body
- User agent
 6 years ago
Mats Klepsland b59e82a642 userguide: add documentation for ja3s.string keyword 6 years ago
Mats Klepsland 76b94c7073 userguide: add documentation for ja3s.hash keyword 6 years ago
Mats Klepsland 7020cffaa8 userguide: 'sticky' instead of 'Sticky' for all tls keywords 6 years ago
Mats Klepsland 03d986dd55 userguide: add documentation for tls.certs keyword 6 years ago
Jeff Lucovsky 7d6875fb68 documentation: Correct rst for ssh-keywords 
This changeset corrects an error in the ssh-keywords
where 3 "`" characters were used instead of 2 "`" characters.
 6 years ago
Jeff Lucovsky 97fc7c1e1a documentation: sticky buffer updates 
This changeset updates the userguide for the TLS and JA3
keywords that have been renamed from <id>_<name> to <id.name>
 6 years ago
Giuseppe Longo 76357350fd doc: update http.protocol description 6 years ago
Eric Leblond 360a6ace43 doc: add info about buffer usage in lua 6 years ago
Jeff Lucovsky 9856c5533a doc: ssh.{proto,software} documentation update 6 years ago
Jeff Lucovsky 74cd6a9ee8 doc: add http.location and http.server 6 years ago
Bryant Smith 398133b6ce doc: add byte_* documentation to the userguide 
Added byte_test, byte_jump and byte_extract description and example rules
 6 years ago
Eric Leblond 83a8df90f3 doc: improvement of xbits documentation page 6 years ago
Eric Leblond 43ede4db7f doc: xbits:noalert is not a valid syntax 6 years ago
Victor Julien eb73008ccf detect/transform: add to_sha1 keyword 6 years ago
Victor Julien 75f9c1ae9f detect/transform: add to_md5 keyword 6 years ago
Pascal Delalande f2dca46382 doc: fix minor typo 6 years ago
Travis Green c2adb9e669 doc: added tos keyword 
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2583
 6 years ago
jason taylor fc54d750dd doc: add bypass keyword documentation 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 6 years ago
Mats Klepsland be8c06adfd userguide: add documentation for ssl_version keyword 6 years ago
Victor Julien 5afeebf884 doc/flow: updates and cleanups to flow section 6 years ago
Victor Julien 72dd4a5f92 doc/rules: initial transforms documentation 6 years ago
Mats Klepsland e92fda37c9 doc: add documentation for SSH keywords 6 years ago
Mats Klepsland 10fcc8d2ca doc: update tls.version documentation 7 years ago
Victor Julien c677e07d3e kerberos: minor doc updates, add author 7 years ago
Jason Ish fb85822730 dhcp: update user guide 7 years ago
Pierre Chifflier c51ff32adb Document Kerberos 5 parsing events 7 years ago
Pierre Chifflier 1076c7cd47 Add krb5_err_code detection keyword 7 years ago
Pierre Chifflier d6b9c0294a Add krb5_cname and krb5_sname detection keywords 7 years ago
Pierre Chifflier 0bd81ff838 Add krb5_msg_type detection keyword 7 years ago
Pierre Chifflier 1e5f5d405f Kerberos 5: add support for TCP as well 7 years ago
Pascal Delalande 4f48927c44 doc: spelling mistakes in various sections of the user guide 7 years ago
Eric Leblond 0c4bf2d332 doc: add a lua support top level section 
Both output and signature are using lua. So lua functions should
be displayed in a single section.
 7 years ago
Pascal Delalande e3c5784dd5 doc: minor updates (tls custom, TODO removal, ftp/smb file rules) 7 years ago
Victor Julien ccde621ceb doc: add suricata-update to intro for rules 7 years ago
Pierre Chifflier 6eb48e1e93 Add ikev2 to userguide 7 years ago
Victor Julien 26e807ca34 doc: fix http_header_names example 7 years ago
Mats Klepsland a357f52fa5 doc: add documentation for ja3_string keyword 7 years ago
Mats Klepsland 38cc6f595f doc: add documentation for ja3_hash keyword 7 years ago
David DIALLO c2236ea2b3 modbus: Support Unit Identifier 
When destination IP address does not suffice to uniquely identify
the Modbus/TCP device.

Some Modbus/TCP devices act as gateways to other Modbus/TCP devices
that are behind this gateways.
 7 years ago
Andreas Herz 2e8678a5ff docs: replace redmine links and enforce https on oisf urls 7 years ago
David DIALLO 6c643d8975 modbus: duplicate alerts unaware of direction 
Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction
because Modbus inspection engine is only performing in request (TOSERVER).

Detect Value keyword in read access rule. In read access, match on value
is not possible.

Update Modbus keyword documentation.
 7 years ago
Giuseppe Longo d2121945c9 doc: update file_data description 7 years ago
Eric Leblond 72c8cd67d5 doc: documentation update on metadata 7 years ago
Pascal Delalande 0ff60f65ec doc: update filestore for file hash extraction 
Update for extraction based on md5, sha1 and sha256
 7 years ago
Victor Julien 07738af868 detect/content: introduce startswith modifier 
Add startswith modifier to simplify matching patterns at the start
of a buffer.

Instead of:
    content:"abc"; depth:3;
This enables:
    content:"abc"; startswith;

Especially with longer patterns this makes the intention of the rule
more clear and eases writing the rules.

Internally it's simply a shorthand for 'depth:<pattern len>;'.

Ticket https://redmine.openinfosecfoundation.org/issues/742
 7 years ago
Eric Leblond f5ba4c231d doc: update following ftp-data changes 7 years ago
Andreas Herz 6f0794c16f keyword-filesize: add units 7 years ago
Ralph Broenink f6938933d9 doc: Amend the list of accepted protocols 
Based on the list in suricata.yaml
 7 years ago
Ralph Broenink 98a1ec490f doc: Move IP reputation keyword to rules section 7 years ago
Ralph Broenink 722cff1862 doc: Restructure ToC 
* All sections up to 2 levels deep are now shown regardless of whether they are a separate page
* Rename Xbits and Thresholding for more consistent naming
* Minor adjustment in the Payload Keywords section
 7 years ago
Ralph Broenink 196ba1da70 doc: Make the header keywords section separate sections in ToC 7 years ago
Ralph Broenink a55a6cdb62 doc: Move flowint as integral part of flow keywords 7 years ago
Ralph Broenink f6c766112c doc: Minor changes in structuring of HTTP Keywords / Snort differences 7 years ago
Ralph Broenink e9b25988ba doc: Move pcre entirely to Payload Keywords section 
(plus remove lingering screenshot of a rule)
 7 years ago
Ralph Broenink bb1bf2643d doc: Move fast_pattern and prefilter to dedicated page 7 years ago
Ralph Broenink fea037fda8 doc: Moved explanation of normalized buffers to rules introduction 7 years ago
Ralph Broenink 11990c7117 doc: Move the definition of modifier keywords to the introduction 7 years ago
Ralph Broenink dfae19247d doc: Completely rewrite the rules introduction for more clearity 7 years ago
Ralph Broenink 274c36eb2f doc: Meta-settings -> Meta Keywords plus some textual changes 
Most importantly, conventions are now placed in tip boxes
 7 years ago
Ralph Broenink 3413793768 doc: Use lowercased keyword names as section titles 7 years ago
Ralph Broenink a52aacb4ea doc: Replace images of tables and rules with text in rules docs 
In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis.

Additionally, some tables embedded into images were also replaced by reST tables.
 7 years ago
Mats Klepsland 9556d4fef3 doc: add documentation for tls_cert_fingerprint keyword 7 years ago
Victor Julien 1180687574 doc/file_data: add note on negated matching 
Explain issue #2216 and how to avoid it.
 8 years ago
Abbed 320b032a88 doc: small typo under '4.3.1.5' section 8 years ago
Eric Leblond f5ad6a2095 doc: document target keyword 8 years ago
Andreas Herz bf1a8d08da doc: rephrase nocase placement explanation 8 years ago
Victor Julien 4697330b73 doc: flowints formatting cleanup 8 years ago
Victor Julien 0af562d4c8 doc: move parts out of snort difference doc 
Move generic keyword descriptions to the keyword documentation.
 8 years ago
David Wharton a8d0ae460c doc: removing (replaced) snort-compatibility.rst 
snort-compatibility.rst replaced by differences-from-snort.rst
 8 years ago
David Wharton 8a53d49e81 doc: replacing snort-compatibility link 
The snort-compatibility.rst document is being replaced by
differences-from-snort.rst. This commit updates the link.
 8 years ago
David Wharton 6bc7c64794 doc: overhaul of the snort-compatibility document 
This is intended to replace the existing 'snort-compatibility.rst'
document.
Based on "The Suricata Rule Writing Guide for The Snort Expert"
2016 SuriCon talk.
 8 years ago
Victor Julien 245a89b7e7 doc: http keywords update 8 years ago
Mats Klepsland ee9f822b8e doc: add documentation for tls_cert_serial keyword 8 years ago
David Wharton 1bf7ded224 doc: specify buffers that can be used for fast_pattern 
Updated notes on the following buffers indicating that they can
be used for fast_pattern:
tls_cert_subject
tls_cert_issuer
tls_sni
 8 years ago
David Wharton b1ad770b36 doc: removed references to older Suricata versions 
docs are versioned; references to older Suricata versions undesired.
 8 years ago
Victor Julien c477c4370e doc: update for unix socket hostbits 8 years ago
Eric Leblond c357dafed9 doc: document the tls_sni keyword 8 years ago
Victor Julien bc38cd5932 doc: initial xbits documentation 8 years ago
Victor Julien 41074a87a0 doc: DNP3 support is now available 8 years ago
Jason Ish 0c6c9784a2 doc: document that that ;, \, " need to be escaped in rules 8 years ago
Jason Ish 1a724ba851 doc: flow: update and add new keywords 8 years ago
Victor Julien 56ffba9fd8 doc: initial app-layer keywords 
Document app-layer-protocol and make a start with app-layer-event.
 9 years ago
Victor Julien e3b2d95100 doc: add recent tls keywords 9 years ago
Victor Julien 08b875c03b doc: clean up fast_pattern 9 years ago