Commit Graph

14665 Commits (71a033ac62e0b71953f1884ecba7e6461c744197)

Author SHA1 Message Date
Victor Julien 89aee640e3 changelog: spelling 2 years ago
Victor Julien fb7ff5b61c github-ci: spelling 2 years ago
Victor Julien 9ab5480257 ftp: rename enum to fix spelling 2 years ago
Victor Julien 3516ce8c93 enip: rename struct to fix spelling 2 years ago
Victor Julien 791f4f05d5 dnp3: rename flag to fix spelling 2 years ago
Victor Julien 3c7ad453fe classification: spelling 2 years ago
Victor Julien 21f7d51e24 exception/policy: spelling 2 years ago
Victor Julien ef5ec842e5 detect/threshold: reword alloc failure message 2 years ago
Victor Julien da89164ba1 detect: spelling: DetectBufferMpmRegistry 2 years ago
Victor Julien 29d59ee155 detect: spelling: SIG_FLAG_INIT_PRIO_EXPLICIT 2 years ago
Victor Julien 0c5e47b735 detect: spelling: update SigTableApplyStrictCommandLineOption 2 years ago
Victor Julien bbcf6fe76b detect: spelling: multi-tenancy fixes 2 years ago
Victor Julien a3c8105ac4 fuzz: spelling: AFLFUZZ_PERSISTENT_MODE 2 years ago
Victor Julien 4dbdaf8a8e doc/install: point to userguide 2 years ago
Victor Julien 19cabc9a02 doc: remove legacy windows install guide 2 years ago
Victor Julien 01f43604b9 doc: remove legacy pfring install guide 2 years ago
Victor Julien 9520aac79c prscript: remove as it is obsolete 2 years ago
Wes Hurd aee41957e1 doc: add docutils.conf to disable smart quotes 2 years ago
Victor Julien 2634e6b3f8 runmode/unix-socket: don't leak http range memory
Init was per run, Deinit global, so Init overwrote memory if multiple
pcaps were processed.

Bug: #6046.
2 years ago
Victor Julien 74d03c2b61 detect/loader: set proper thread flags
Fixes: 13beba141c ("source: add THV_RUNNING flag to notify of running state")

Bug: #6043.
2 years ago
Victor Julien d630f0fa34 rust: rustfmt files with recent new tests 2 years ago
Victor Julien 77f1658c2a rust: fix new clippy warnings 2 years ago
Andreas Herz 3045e75ee1 doc: add note on the hashsize recommendation for datasets 2 years ago
Lancer Cheng 0cf742a9ca smb: add unit tests
Issue: 4865
2 years ago
Victor Julien a006aef4d0 doc: fix description of iptables rules 2 years ago
tianjinshan 2c0c6cb0a5 smb/ntlmssp: fix parsing of negotiate flags
Ticket: #5783
2 years ago
Bazzan Don 38b3fffbc7 doc/optimization: move "convert.py" to Python3
Ticket: #5596
2 years ago
Morris Chan b9aac6dd18 yaml: grammar fixup 2 years ago
Juliana Fajardini ae2a477978 devguide: clarify clang formatting changes policy
It was pointed out by a contributor that our workflow mentioned
rewrite-branch as the preferred way, while in fact our policy is to add
said changes to a different commit. Updating documentation to prevent
other situations like that.
2 years ago
Juliana Fajardini dc71faaa8a scripts/clang: remove mention to rewrite-branch
Although we prefer that formatting changes (e.g. the ones made by
running clang) go in a different commit, our script error message was
still suggesting `rewrite-branch` as an option. Removed that and added
that the changes made by the script should go into a separate commit.
2 years ago
Rafael Girão 6ec3bc189a docs: remove obsolete af-packet warning 2 years ago
Jason Ish 0e55307c1d app-layer: remove APP_LAYER_PARSER_OPT_UNIDIR_TXS
This flag is no longer needed as a parser can now create a transaction
as unidirectional.

Setting this flag also doesn't make sense on parsers that may have
request/reply and some unidirectional messaging.
2 years ago
John Dewey 365bec3da6 netmap: Correct LB + Netmap YAML usage
Corrected the example YAML configuration when using Netmap and
LB.
2 years ago
Philippe Antoine 6b9fce7728 app-layer: shorter code for proto string helpers 2 years ago
Philippe Antoine e1046239ea scripts: fix setup app layer for output
using rust nowadays.

Also remove useless code about files that do not need changes
anymore
2 years ago
Philippe Antoine 5b2605bdfe debug: use AppProtoToString
instead of recoding it.
This way, setup-app-layer.py needs to patch one file less
2 years ago
Philippe Antoine e80974966d detect: allow 0-sized non-NULL buffers to match
Such as a HTTP1 header with an empty value

Ticket: #6025
2 years ago
Jason Ish b5fbdc3e5f capture: use uint16_t for max_pending_packets
Use a fixed type of max_pending_packets instead of intmax_t which can
differ based on the platform/standard library.

Should also prevent lints about possible arithmetic overflow.
2 years ago
Shivani Bhardwaj bbe13885a2 util/mime: enable debug validation check 2 years ago
Shivani Bhardwaj c0067a5fff smtp: return on line completion
Problem:
If we receive a long line w/o LF, we cap it to 4k bytes and wait until a
line with LF comes in order to consider the previous line complete. Any
data post the 4k bytes is discarded. Currently, if a line with LF comes
in after a long line, we reset all the parameters used for processing it
like the line.len and line.delim_len but we still make the call to
SMTPProcessRequest fn without even the need to process anything. Since
such a line (with len and delim_len set to 0) should not reach mime
decoder, a debug assertion triggers there in this case.

Fix:
Make sure to return early as the line has to be skipped and not
processed at all.

Bug 6019
2 years ago
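The edge case this commit describes, as an added model (constructed for this page, not Suricata's SMTP parser or MIME decoder): a line reader that caps an LF-less line at 4k bytes, discards the rest until an LF arrives, and must then skip the now-empty line instead of handing it to the decoder. The 4096 value is assumed from the "4k" in the message, `mime_decode_line` is a stand-in whose invariant check plays the role of the debug assertion, and `fixed=False` reproduces the pre-fix call with `len` and `delim_len` both zero.

```python
"""Constructed model of capped SMTP line handling (not Suricata code)."""

MAX_LINE = 4096  # assumed value of the "4k" cap mentioned in the commit


class DecoderInvariantError(Exception):
    """Stands in for the debug assertion in the MIME decoder."""


def mime_decode_line(line: bytes, delim_len: int) -> bytes:
    """Stand-in decoder: a line with len 0 and delim_len 0 must never get here."""
    if not line and not delim_len:
        raise DecoderInvariantError("empty line with no delimiter reached the decoder")
    return line


class SmtpLineReader:
    def __init__(self, fixed: bool = True):
        self.fixed = fixed          # False reproduces the pre-fix behaviour
        self.buf = bytearray()      # bytes of the line currently being assembled
        self.discarding = False     # cap hit; dropping data until the LF arrives
        self.decoded = []           # lines that reached the decoder
        self.truncated = 0          # how many lines were cut at MAX_LINE

    def feed(self, data: bytes) -> None:
        while data:
            nl = data.find(b"\n")
            chunk, data = (data, b"") if nl < 0 else (data[:nl + 1], data[nl + 1:])

            if self.discarding:
                if chunk.endswith(b"\n"):
                    # The long line is finally terminated: state is reset
                    # (len 0, delim_len 0) and the line must be skipped.
                    self.discarding = False
                    if not self.fixed:
                        self._process(b"", 0)   # the bug: processing anyway
                continue

            self.buf += chunk
            if not chunk.endswith(b"\n"):
                if len(self.buf) >= MAX_LINE:
                    # Cap the line, hand the first 4k on, drop the rest.
                    self._process(bytes(self.buf[:MAX_LINE]), 0)
                    self.truncated += 1
                    self.buf.clear()
                    self.discarding = True
                continue

            line, delim_len = bytes(self.buf[:-1]), 1
            if line.endswith(b"\r"):
                line, delim_len = line[:-1], 2
            self.buf.clear()
            self._process(line, delim_len)

    def _process(self, line: bytes, delim_len: int) -> None:
        self.decoded.append(mime_decode_line(line, delim_len))


if __name__ == "__main__":
    r = SmtpLineReader()
    r.feed(b"EHLO example.test\r\n")
    r.feed(b"X" * 5000)            # constructed over-long line without LF
    r.feed(b"YYY\r\nQUIT\r\n")     # LF ends it; QUIT must still be seen
    print(len(r.decoded), r.truncated)
```

With `fixed=True` the reader delivers `EHLO`, the 4096-byte truncated line and `QUIT`; with `fixed=False` the LF that ends the long line triggers `DecoderInvariantError`, which is the failure the commit removes.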
Arne Welzel 51aef3c230 af-packet: Ignore outgoing packets on loopback interfaces
When reading a loopback interface, packets are received twice: Once as
outgoing packets and once as incoming packets.

Libpcap ignores outgoing packets. With current versions of Suricata, sniffing
a single http://localhost:80 request over lo using the af-packet source
minimally shows two syn packets, two synacks and twice as many packets in
the stats entries than you'd expect when running tcpdump or Wireshark.
2 years ago
Victor Julien cd7d6e651a error: minor header cleanup 2 years ago
Victor Julien 235ee36211 respond/reject: fix IPv6 TCP resets
Fix length and next header field settings.

Bug: #6038.
2 years ago
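The two header fields the commit title names, in an added example that is not Suricata's reject code and does not reproduce the bug: in IPv6 the Payload Length counts only what follows the 40-byte fixed header (here the 20-byte TCP header), unlike the IPv4 total length, and Next Header must be 6 for TCP. The TCP checksum is computed over the IPv6 pseudo-header, which includes both values, so a checker that recomputes it catches either field being wrong. Addresses and ports are constructed.

```python
"""Build and verify an IPv6 TCP RST (added example, not Suricata code)."""
import socket
import struct

IPPROTO_TCP = 6
TCP_RST, TCP_ACK = 0x04, 0x10


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, upper_len: int, next_header: int) -> bytes:
    """IPv6 pseudo-header: src, dst, 32-bit upper-layer length, zeros, next header."""
    return src + dst + struct.pack("!I", upper_len) + b"\0\0\0" + bytes([next_header])


def build_ipv6_tcp_rst(src: str, dst: str, sport: int, dport: int,
                       seq: int, ack: int, hop_limit: int = 64) -> bytes:
    src_b = socket.inet_pton(socket.AF_INET6, src)
    dst_b = socket.inet_pton(socket.AF_INET6, dst)
    tcp_len = 20                                   # RST carries no options or data
    # data offset 5 words, flags RST|ACK, window 0, checksum 0 (filled below), urg 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                      TCP_RST | TCP_ACK, 0, 0, 0)
    csum = _checksum(_pseudo_header(src_b, dst_b, tcp_len, IPPROTO_TCP) + tcp)
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    # version 6, traffic class 0, flow label 0; payload length = TCP header only;
    # next header = TCP (6); hop limit
    ip6 = struct.pack("!IHBB", 6 << 28, tcp_len, IPPROTO_TCP, hop_limit) + src_b + dst_b
    return ip6 + tcp


def check_ipv6_tcp_rst(pkt: bytes) -> dict:
    """Parse the packet back and validate the fields a fixed build must get right."""
    ver_tc_fl, plen, nh, _hl = struct.unpack("!IHBB", pkt[:8])
    src, dst = pkt[8:24], pkt[24:40]
    payload = pkt[40:]
    return {
        "version": ver_tc_fl >> 28,
        "payload_len_ok": plen == len(payload),   # must equal the TCP header length
        "next_header": nh,                         # must be 6
        "tcp_flags": payload[13],
        "checksum_ok": _checksum(_pseudo_header(src, dst, len(payload), nh) + payload) == 0,
    }


if __name__ == "__main__":
    pkt = build_ipv6_tcp_rst("2001:db8::1", "2001:db8::2", 443, 51000, 1000, 2000)
    print(check_ipv6_tcp_rst(pkt))
```

Running `check_ipv6_tcp_rst` over resets captured from a sensor is a quick way to confirm that a deployed build emits well-formed IPv6 RSTs that the target stack will actually honour.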
Victor Julien 1f0aed0775 respond/reject: minor code cleanups 2 years ago
Victor Julien adf0bef7f0 respond/reject: minor cleanups 2 years ago
Jason Ish f8ec993401 rust/time: add note why this needs to be pinned 2 years ago
Jason Ish 5925b63d82 rust: update x509-parser to 0.15.0 2 years ago
Shivani Bhardwaj 6190913a46 util/mime: disable assertion check until resolution 2 years ago
Victor Julien 5890a8a8ab detect: register multi-buffer keywords
Register the keywords that use multi buffer support as such, so that
rule parsing can set them up with multi-instance support.

Ticket: #5784.
2 years ago
Victor Julien ad88efc2d8 detect: support multi buffer matching
Multi buffer matching is implemented as a way for a rule to match
on multiple buffers within the same transaction.

Before this patch a rule like:

    dns.query; content:"example"; dns.query; content:".com";

would be equivalent to:

    dns.query; content:"example"; content:".com";

If a DNS query would request more than one name, e.g.:

    DNS: [example.net][something.com]

Each would be inspected to have both patterns present. Otherwise,
it would not be a match. So the rule above would not match, as neither
example.net nor something.com satisfies both conditions at the same time.

This patch changes this behavior. Instead of the above, each time the
sticky buffer is specified, it creates a separate detection unit. Each
buffer that is a "multi buffer" sticky buffer will now be evaluated against
each "instance" of the sticky buffer.

To continue with the above example:

    DNS: [example.net] <- matches 'dns.query; content:"example";'
    DNS: [something.com] <- matches 'dns.query; content:".com"'

So this would now be a match.

To make sure both patterns match in a single query string, the expression
'dns.query; content:"example"; content:".com";' still works for this.

This patch doesn't yet enable the behavior for the keywords. That is
done in a follow up patch.

To be able to implement this the internal storage of parsed rules
is changed. Until this patch an array of lists was used, where the
index was the buffer id (e.g. http_uri, dns_query). Therefore there
was only one list of matches per buffer id. As a side effect this
array was always very sparsely populated as many buffers could not
be mixed.

This patch changes the internal representation. The new array is densely
packed:

    dns.query; content:"1"; dns.query; bsize:1; content:"2";

    [type: dns_query][list: content:"1";]
    [type: dns_query][list: bsize:1; content:"2";]

The new scheme allows for multiple instances of the same buffer.
These lists are then translated into multiple inspection engines
during the final setup of the rule.

Ticket: #5784.
2 years ago
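The before/after semantics described in the commit above, as an added model (constructed for this page, not Suricata's detect engine): a rule body is a list of tokens in which a string such as `"dns.query"` opens a new detection unit and a predicate built by `content()` or `bsize()` attaches to the most recent unit, mirroring the densely packed `[type][list]` layout the message describes. `match_legacy` merges all lists that share a buffer id into one, so every match has to be satisfied by a single instance; `match_multi` treats each unit as its own inspection engine. The DNS transactions are constructed.

```python
"""Model of old vs. new sticky-buffer semantics (added example, not Suricata code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Match = Callable[[bytes], bool]


@dataclass
class DetectionUnit:
    buffer: str                                   # buffer id, e.g. "dns_query"
    matches: List[Match] = field(default_factory=list)


def content(pattern: bytes) -> Match:
    """content:"pattern"; as a predicate over one buffer instance."""
    return lambda buf: pattern in buf


def bsize(n: int) -> Match:
    """bsize:n; as a predicate over one buffer instance."""
    return lambda buf: len(buf) == n


def parse_rule(tokens) -> List[DetectionUnit]:
    """Every occurrence of a sticky buffer keyword starts a fresh unit:
    [type: dns_query][list: ...] [type: dns_query][list: ...]"""
    units: List[DetectionUnit] = []
    for tok in tokens:
        if isinstance(tok, str):
            units.append(DetectionUnit(tok.replace(".", "_")))
        elif units:
            units[-1].matches.append(tok)
        else:
            raise ValueError("match keyword before any sticky buffer")
    return units


def match_legacy(units: List[DetectionUnit], instances: Dict[str, List[bytes]]) -> bool:
    """Pre-patch: one match list per buffer id, so repeating dns.query merged
    its matches and one instance had to satisfy all of them."""
    merged: Dict[str, List[Match]] = {}
    for u in units:
        merged.setdefault(u.buffer, []).extend(u.matches)
    return all(
        any(all(m(inst) for m in ms) for inst in instances.get(buf, []))
        for buf, ms in merged.items()
    )


def match_multi(units: List[DetectionUnit], instances: Dict[str, List[bytes]]) -> bool:
    """Post-patch: each unit is evaluated on its own and may be satisfied by a
    different instance of the same buffer."""
    return all(
        any(all(m(inst) for m in u.matches) for inst in instances.get(u.buffer, []))
        for u in units
    )


def demo() -> Dict[str, bool]:
    # Constructed DNS transaction requesting two names.
    txn = {"dns_query": [b"example.net", b"something.com"]}
    repeated = parse_rule(["dns.query", content(b"example"), "dns.query", content(b".com")])
    single = parse_rule(["dns.query", content(b"example"), content(b".com")])
    return {
        "repeated_legacy": match_legacy(repeated, txn),   # False
        "repeated_multi": match_multi(repeated, txn),     # True
        "single_multi": match_multi(single, txn),         # False: no one name has both
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for rule authors is the one the commit spells out: to require both patterns in the same query name, keep them in one `dns.query` block; repeating the sticky buffer now means "some instance matches this, and some instance matches that".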