Commit Graph

134 Commits (820a3e51b752867da1322f29d542e5844bb6e727)

Author SHA1 Message Date
Jason Ish 2ac16ee1a6 detect: break apart sigtable setup and initialization
Allows initialization to be done early, so the table is ready for
dynamic registration by plugins which are loaded before signature
setup.
8 months ago
Philippe Antoine 63324b7368 transforms: move urldecode to rust
Ticket: 7229
9 months ago
Philippe Antoine 8984bc6801 transforms: move xor to rust
Ticket: 7229
9 months ago
Philippe Antoine 45e0acf772 transforms: move http headers transforms to rust
Ticket: 7229
9 months ago
Philippe Antoine f0414570d2 transforms: move casechange to rust
Ticket: 7229
9 months ago
Philippe Antoine 0e5b49d20f transforms: move hash transforms to rust
md5, sha1 and sha256

Ticket: 7229
9 months ago
Philippe Antoine 71da38e702 transforms: move dotprefix to rust
Ticket: 7229
9 months ago
Philippe Antoine 966f659201 transforms: move compress_whitespace to rust
Ticket: 7229
9 months ago
Philippe Antoine 4985ebc0e0 transforms: move strip_whitespace to rust
Ticket: 7229
9 months ago
Philippe Antoine 96c8470cdd template: move detect keywords to pure rust
Ticket: 3195

Also remove unused src/tests/detect-template-buffer.c

Completes commit 4a7567b3f0
to remove references to template-rust
10 months ago
Giuseppe Longo 969f4d131f sip: rustify sticky buffers
Ticket #7204
10 months ago
Philippe Antoine 62a186ceef detect/rfb: move keywords to rust
Ticket: 7178

On the way, convert rfb.secresult to a generic integer with enumeration
cf ticket 6723
12 months ago
Philippe Antoine 0a1062fad2 detect/mqtt: move keywords to rust
Ticket: 4863

On the way, convert some keywords to use the first-class integer
support.
And helpers for pure rust the support for multi-buffer.

Move the C unit tests about keyword mqtt.protocol_version
to unit tests for generic integer parsing, and test version 5
instead of testing twice version 3.

Also iterate all tx's messages for reason code as is done for other
keywords.

And allow detection on empty topics.
1 year ago
Jeff Lucovsky f042e9034b detect/transform: Add from_base64 transform
Issue: 6487

Implement the from_base64 transform:
    [bytes value] [offset value] [mode strict|rfc4648|rfc2045]

    The value for bytes and offset may be a byte_ variable or an
    unsigned integer.
1 year ago
Victor Julien 3d059611c3 detect: add tls.alpn keyword
Ticket: #7108.
1 year ago
Philippe Antoine 4fe3f04fa3 detect/enip: move keywords to rust
Ticket: 4863
1 year ago
Philippe Antoine ce1eea4ad6 detect/websocket: move keywords to rust
Ticket: 4863
1 year ago
Philippe Antoine 16952d67e7 detect/dhcp: move keywords to rust
Ticket: 4863
1 year ago
Philippe Antoine ae72376ebe detect/snmp: move keywords to rust
Ticket: 4863

On the way, convert unit test DetectSNMPCommunityTest to a SV test.

And also, make snmp.pdu_type use a generic uint32 for detection,
allowing operators, instead of just equality.
1 year ago
Philippe Antoine 4bbe7d92dc detect: helper to have pure rust keywords
detect: make number of keywords dynamic

Ticket: 4683
1 year ago
Philippe Antoine 82c03f72c3 enip: convert to rust
Ticket: 3958

- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- frames support
- app-layer events
- enip_command keyword accepts now string enumeration as values.
- add enip.status keyword
- add keywords :
    enip.product_name, enip.protocol_version, enip.revision,
    enip.identity_status, enip.state, enip.serial, enip.product_code,
    enip.device_type, enip.vendor_id, enip.capabilities,
    enip.cip_attribute, enip.cip_class, enip.cip_instance,
    enip.cip_status, enip.cip_extendedstatus
1 year ago
Shivani Bhardwaj 83af42cc03 detect/tls-subjectaltname: add sticky buffer
Add TLS SubjectAltName sticky buffer. It is implemented as multi-buffer.

Feature 5234
1 year ago
Philippe Antoine 44b6aa5e4b app-layer: websockets protocol support
Ticket: 2695
1 year ago
Sascha Steinbiss 120313f4da ja4: implement for TLS and QUIC
Ticket: OISF#6379
1 year ago
Hadiqa Alamdar Bukhari 3aa313d0c5 dns: add dns.rcode keyword
dns.rcode matches the rcode header field in DNS messages
It's an unsigned integer
valid ranges = [0-15]
Does not support prefilter
Supports matches in both flow directions

Task #6621
1 year ago
Hadiqa Alamdar Bukhari 4b81851097 dns: add dns.rrtype keyword
It matches the rrtype field in DNS
It's an unsigned integer match
valid ranges = [0-65535]
Does not support prefilter
Supports flow in both directions
Feature #6666
1 year ago
jason taylor 3cb7112aa5 detect: update smb.version keyword
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Eloy Pérez González 415722dab2 smb: add smb.version keyword
Ticket: #5075

Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Philippe Antoine adf5e6da7b detect: strip_pseudo_headers transform
Ticket: 6546
2 years ago
Jason Ish 5d5b0509a5 requires: add requires keyword
Add a new rule keyword "requires" that allows a rule to require specific
Suricata versions and/or Suricata features to be enabled.

Example:

  requires: feature geoip, version >= 7.0.0, version < 8;
  requires: version >= 7.0.3 < 8
  requires: version >= 7.0.3 < 8 | >= 8.0.3

Feature: #5972

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
2 years ago
Jason Ish 482325e28b dns: add dns.query.name sticky buffer
This buffer is much like dns.query_name but allows for detection in both
directions.

Feature: #6497
2 years ago
Jason Ish 5f99abb0cb dns: add dns.answer.name keyword
This sticky buffer will allow content matching on the answer names.
While ansers typically only occur in DNS responses, we allow the buffer
to be used in request context as well as the request message format
allows it.

Feature: #6496
2 years ago
Victor Julien 53591702aa detect/bytemath: pass match ctx directly
Adjust includes to enable this.
2 years ago
Philippe Antoine 32cce122e1 detect: header_lowercase transform
Ticket: 6290
2 years ago
Sascha Steinbiss 0c55fe3515 detect: add mqtt.connect.protocolstring
Ticket:  OISF#6396
2 years ago
Jeff Lucovsky 1110a86cb9 detect/transform: Register case-change transforms
Issue: 6439
2 years ago
Philippe Antoine ab9b6e30b1 detect: adds flow integer keywords
Ticket: #6164

flow.pkts_toclient
flow.pkts_toserver
flow.bytes_toclient
flow.bytes_toserver
2 years ago
Jeff Lucovsky 2fd0025ede detect/file: Filehandler registration logic
Add file handler registration functions for consolidated file handling.

Issue: 4145
2 years ago
Victor Julien 9b09b29350 detect/fileext: reimplement based on file.name
Ticket: #6194.
2 years ago
Philippe Antoine 415b036dca http1: implement http.request_header
So that it is generic for HTTP1 and HTTP2

Ticket: #5780
2 years ago
Victor Julien b31ffde6f4 output: remove error codes from output 3 years ago
Jason Ish 8683154115 templates: remove C app-layer templates 3 years ago
Eric Leblond 7e516aad94 detect: add ip.src keyword
It is a sticky buffer matching on src_ip.

Feature: #5383
3 years ago
Eric Leblond 9cb06d4376 detect/smb: add smb.ntlmssp_domain keyword
Feature #5411.
3 years ago
Eric Leblond 69ef1bc194 detect/smb: add smb.ntlmssp_user keyword
Feature #5411.
3 years ago
Philippe Antoine 390cf9248f detect: adds flow.age keyword
Ticket: #5536
3 years ago
Victor Julien 682e2a07fe detect/tls: add tls.cert_chain_len keyword 3 years ago
Victor Julien e250ef6402 debug: remove empty header 3 years ago
Philippe Antoine 5ef259722b dhcp: adds renewal-time keyword
Ticket: #5507
3 years ago
Philippe Antoine 6faf6299e0 dhcp: adds rebinding-time keyword
Ticket: #5506
3 years ago