aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
8,834 Commits
7 Branches
155 Tags
197 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6c7aacce9e'
${ noResults }
Commit Graph

275 Commits (6c7aacce9e4be2e884ab3034f496fcc770a78943)

Author SHA1 Message Date
Giuseppe Longo fb66d45754 doc: introduce dns compact logging 7 years ago
David DIALLO c2236ea2b3 modbus: Support Unit Identifier 
When destination IP address does not suffice to uniquely identify
the Modbus/TCP device.

Some Modbus/TCP devices act as gateways to other Modbus/TCP devices
that are behind this gateways.
 7 years ago
Victor Julien 50a182194a eve: log pcap filename 7 years ago
Pascal Delalande 2e5b293afb doc: update eve json output for DNS and HTTP 7 years ago
Brandon Sterne a01a229b37 doc: use standard spelling of daemon 7 years ago
Andreas Herz bdb886bd68 docs: remove many outdated and old install docs 7 years ago
Andreas Herz 2e8678a5ff docs: replace redmine links and enforce https on oisf urls 7 years ago
David DIALLO 6c643d8975 modbus: duplicate alerts unaware of direction 
Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction
because Modbus inspection engine is only performing in request (TOSERVER).

Detect Value keyword in read access rule. In read access, match on value
is not possible.

Update Modbus keyword documentation.
 7 years ago
Eric Leblond 7da805ffd9 doc: improve eBPF and XDP doc 
Remove reference to `buggy` clang as a workaround has been found in
libbpf.

Proof read and add information on the structure of eBPF code.
 7 years ago
Eric Leblond 8030e3f66b doc: update documentation 
This patch adds info on kernel requirement for XDP and rework a few
things.
 7 years ago
Eric Leblond 0e1a4173ff doc: how to get live info about ebpf behavior 7 years ago
Eric Leblond 8c7b5cb088 doc: add info about xdp IPS bypass 7 years ago
Eric Leblond ce8b74b524 doc: document XDP CPU redirect 7 years ago
Eric Leblond 60265e023a doc: update xdp documentation 
Also remove configuration info from yaml as they are now in the
documentation.
 7 years ago
Peter Manev 5ee44c877c doc: add XDP setup documentation 7 years ago
Giuseppe Longo d2121945c9 doc: update file_data description 7 years ago
Jason Ish 74e036d09f doc: update eve/alert/metadata configuration 7 years ago
Martin Natano fe9cac5870 eve/alert: include rule text in alert output 
For SIEM analysis it is often useful to refer to the actual rules to
find out why a specific alert has been triggered when the signature
message does not convey enough information.

Turn on the new rule flag to include the rule text in eve alert output.
The feature is turned off by default.

With a rule like this:

    alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;)

The eve alert output might look something like this (pretty-printed for
readability):

    {
      "timestamp": "2017-08-14T12:35:05.830812+0200",
      "flow_id": 1919856770919772,
      "in_iface": "eth0",
      "event_type": "alert",
      "src_ip": "10.20.30.40",
      "src_port": 50968,
      "dest_ip": "8.8.8.8",
      "dest_port": 53,
      "proto": "UDP",
      "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 42,
        "rev": 0,
        "signature": "Google DNS server contacted",
        "category": "",
        "severity": 3,
        "rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)"
      },
      "app_proto": "dns",
      "flow": {
        "pkts_toserver": 1,
        "pkts_toclient": 0,
        "bytes_toserver": 81,
        "bytes_toclient": 0,
        "start": "2017-08-14T12:35:05.830812+0200"
      }
    }

Feature #2020
 7 years ago
Eric Leblond 72c8cd67d5 doc: documentation update on metadata 7 years ago
Jason Ish ab939f4aaa doc: breakout eve-log section to a partial file 
Both the suricata.yaml and eve configuration sections
included the eve-log section from suricata.yaml. First,
sync these up with the actual suricata.yaml then break
it out into its own file, so only one file needs to
be kept in sync with the actual configuration file.
 7 years ago
Jason Ish 0e02684634 doc: update eve-log section for metadata 7 years ago
Pascal Delalande 80f2fbac6e rust/tftp: eve logging with rust 7 years ago
Pascal Delalande 0ff60f65ec doc: update filestore for file hash extraction 
Update for extraction based on md5, sha1 and sha256
 7 years ago
Victor Julien 07738af868 detect/content: introduce startswith modifier 
Add startswith modifier to simplify matching patterns at the start
of a buffer.

Instead of:
    content:"abc"; depth:3;
This enables:
    content:"abc"; startswith;

Especially with longer patterns this makes the intention of the rule
more clear and eases writing the rules.

Internally it's simply a shorthand for 'depth:<pattern len>;'.

Ticket https://redmine.openinfosecfoundation.org/issues/742
 7 years ago
Jason Ish 5420c0ab06 doc: document file-store v2 7 years ago
Victor Julien 746638b220 cuda: remove 
Remove CUDA support as it has been broken for a long time.

Ticket #2382.
 7 years ago
Eric Leblond 24f745553c doc: update file extraction document 
Define the list of protocol parsers supporting extraction in one
single place following Andreas Herz' suggestion.
 7 years ago
Eric Leblond f5ba4c231d doc: update following ftp-data changes 7 years ago
Giuseppe Longo 70695201f6 doc: add memcap commands in unix-socket section 7 years ago
Eric Leblond 3bf098e52f doc: document log reopen unix socket command 7 years ago
Victor Julien be9ec3958e doc: initial suricata-update page 7 years ago
Andreas Herz 6f0794c16f keyword-filesize: add units 7 years ago
Dana Helwig 3ab9120821 source-pcap-file: Pcap Directory Mode (Feature #2222) 
https://redmine.openinfosecfoundation.org/issues/2222

Pcap file mode that when passed a directory will process all files in
that directory. If --pcap-file-continuous or continuous option is passed
in json, the directory will be monitored  until the directory is
moved/deleted, suricata is interrupted, or the pcap-interrupt command
is used with unix command socket. Existing file implementation and new
directory implementation has moved from source-pcap-file into
pcap-file-helper and pcap-directory-helper.

Engine state will not reset between files.

Also satisfies:
 * https://redmine.openinfosecfoundation.org/issues/2299
 * https://redmine.openinfosecfoundation.org/issues/724
 * https://redmine.openinfosecfoundation.org/issues/1476

Co-Authors: Dana Helwig <dana.helwig@protectwise.com> and
Danny Browning <danny.browning@protectwise.com>
 7 years ago
Eric Leblond 94e9d13791 doc: add ruleset commands available in unix socket 7 years ago
Pascal Delalande 0c99338e07 doc: update docs for DNS flags logging 7 years ago
Ralph Broenink f6938933d9 doc: Amend the list of accepted protocols 
Based on the list in suricata.yaml
 7 years ago
Ralph Broenink d830177b7b doc: Add my own name to the acknowledgements 7 years ago
Ralph Broenink 98a1ec490f doc: Move IP reputation keyword to rules section 7 years ago
Ralph Broenink 722cff1862 doc: Restructure ToC 
* All sections up to 2 levels deep are now shown regardless of whether they are a separate page
* Rename Xbits and Thresholding for more consistent naming
* Minor adjustment in the Payload Keywords section
 7 years ago
Ralph Broenink 196ba1da70 doc: Make the header keywords section separate sections in ToC 7 years ago
Ralph Broenink a55a6cdb62 doc: Move flowint as integral part of flow keywords 7 years ago
Ralph Broenink f6c766112c doc: Minor changes in structuring of HTTP Keywords / Snort differences 7 years ago
Ralph Broenink e9b25988ba doc: Move pcre entirely to Payload Keywords section 
(plus remove lingering screenshot of a rule)
 7 years ago
Ralph Broenink bb1bf2643d doc: Move fast_pattern and prefilter to dedicated page 7 years ago
Ralph Broenink fea037fda8 doc: Moved explanation of normalized buffers to rules introduction 7 years ago
Ralph Broenink 11990c7117 doc: Move the definition of modifier keywords to the introduction 7 years ago
Ralph Broenink dfae19247d doc: Completely rewrite the rules introduction for more clearity 7 years ago
Ralph Broenink 274c36eb2f doc: Meta-settings -> Meta Keywords plus some textual changes 
Most importantly, conventions are now placed in tip boxes
 7 years ago
Ralph Broenink 3413793768 doc: Use lowercased keyword names as section titles 7 years ago
Ralph Broenink a52aacb4ea doc: Replace images of tables and rules with text in rules docs 
In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis.

Additionally, some tables embedded into images were also replaced by reST tables.
 7 years ago