Commit Graph

10747 Commits (8a643c893c4cae61a22e343f1b910461dd110a54)

Author SHA1 Message Date
Jason Ish 8a643c893c detect/parse: allow for OK signature parsing errors
The idea of an OK signature parsing error is an error that is
allowed to occur, but still lets test mode pass, unlike
silent errors which will still fail testing.

This is introduced to allow for app-layer event keywords to be
removed, but not have old rules fail out on this case. For example
the Rust DNS parser removes DNS app-layer events that are
not used anymore.

To signal that an error is OK, -3 is returned. This also implies
silent.
5 years ago
Jason Ish 947cfac62e detect/parse: softer error on unknown app-layer event
On an unknown app-layer event, return -3 for "silent OK fail". A
warning will still be emitted, but it's not considered a rule parse
error. This is to handle app-layer events being removed in a more
graceful manner for the user.

This allows -T to pass with an old app-layer events rule file
that may use removed app-layer event keywords.
5 years ago
Jason Ish 688874582a dhcp: remove C app-layer-dhcp wrapper
This just wrapped the Rust function to register the parse,
so instead just call the Rust function directly to remove
the C wrapper, and the 2 C files.
5 years ago
Jason Ish a0e3e2d7b4 dns: register parsers from Rust
And port the C DNS tests to Rust.
5 years ago
Jason Ish 0af9a3a5f7 dns: remove C wrapper functions to Rust
Remove registration of C wrapper functions and register
the Rust functions directly for UDP.
5 years ago
Jason Ish 1b44f839e6 dns: cleanup: move event callbacks into Rust
Remove app-layer-dns-common.c as it's no longer needed.
5 years ago
Jason Ish ca5a3f0f04 dns: cleanup: remove unused events
Removed events that are no longer used since the Rust
implementation of DNS:
- UnsolicitedResponse
- StateMemCapReached
- Flooded
5 years ago
Jason Ish 4d312b6813 dns: cleanup: remove C DNS type definitions (dead code) 5 years ago
Jason Ish d809b0959b dns: cleanup: move DnsGetRcode (Lua) to rust
Move the implementation of Lua DnsGetRcode to Rust.
5 years ago
Jason Ish d6b3b33f4a dns: cleanup: remove unused function DNSCreateTypeString 5 years ago
Shivani Bhardwaj c5cee05169 doc: Fix typo Generate -> Generator 5 years ago
Shivani Bhardwaj 7b1699c5a8 doc: Add chassis for dev docs
Closes redmine ticket 3344.
5 years ago
Philippe Antoine 23f796a021 kerberos: fix against packet split in record size 5 years ago
Victor Julien 76dd951523 krb5/tcp: remove notice logging on failed records 5 years ago
Philippe Antoine 8396333493 detect: adds icmpv6.hdr keyword 5 years ago
Philippe Antoine 02d94f5cf2 detect: fix typo for ipv6.hdr description 5 years ago
Philippe Antoine fc48a7cebf detect: use SC macros for IPV6 header 5 years ago
Philippe Antoine af1361a988 doc: add missing documentation for ipv6.hdr keyword 5 years ago
Philippe Antoine 5f95822f8b doc: fix typo in ByteExtractUint32 description 5 years ago
Jeff Lucovsky c20ab53eae detect/threshold: Correct typos 5 years ago
Jeff Lucovsky ff9a01ee1b detect/threshold: Don't allow duplicates
This commit detects duplicate threshold rule options. When duplicates
are found in a rule, an error message is displayed and the rule is
rejected.
5 years ago
Victor Julien f6c77dcdd9 pcap/file: minor code cleanups 5 years ago
Victor Julien faf5beed2f threads/time: minor code cleanup 5 years ago
Sascha Steinbiss 11912bd715 sip: address trailing space parsing 5 years ago
Jeff Lucovsky c92975e22b mime: Test cases for filename length limit 5 years ago
Jeff Lucovsky 9a33b5d5de smtp/mime: Fix typos 5 years ago
Jeff Lucovsky 130b8d26e7 smtp/mime: Set event when name exceeds limit 5 years ago
Jeff Lucovsky d0d20bd874 smtp/mime: Restrict file name lengths
This commit places restrictions on the length of the file name specified
in attachments (`name=` or `filename=`) to `NAME_MAX`. Names exceeding
these limits will be truncated and processing will continue with the
truncated name.
5 years ago
Victor Julien 072c421e46 pcap/file: improve time handling
This patch addresses two problems.

First, various parts of the engine, but most notably the flow manager (FM),
use a minimum of the time notion of the packet threads. This did not,
however, take into account the scenario where one or more of these
threads would be inactive for prolonged times. This could lead to the
time used by the FM getting stale.

This is addressed by keeping track of the last time the per thread packet
timestamp was updated, and only considering it for the 'minimum' when it
is reasonably current.

Second, there was a minor race condition at start up, where the FM would
already inspect the hash table(s) while the packet threads weren't active
yet. Since FM gets the time from the packet threads, it would use a bogus
time of 0.

This is addressed by adding a wait loop to the start of the FM that waits
for 'time' to get ready.
5 years ago
Victor Julien 4977daec32 threads/time: rename ts to pktts to make purpose clear 5 years ago
Victor Julien ae4137937e pcap/file: fix race during pcap processing start
A race condition during the start of pcap file processing could cause
missed alerts and logged events. This race happens between the packet
threads and the flow manager. It was observed on slower hardware, but in
theory could happen on any machine. It required the 'autofp' runmode.

In commit 6f560144c1 ("time: improve offline time handling") the logic
was added to make the flow manager use a minimum of all the packet threads
perception of time.

The race condition was that the flow manager may become active _before_
all of the packet threads have started processing packets and thus setting
their timestamp. The threads that had not yet initialized their timestamp
would not be considered when calculating the minimum.

As a result of this, older packets' timestamps would not yet be registered.
This would give the Flow Manager a timestamp too far in the future. While
the FM was running, the packet processing would start and a flow would
be created. This flow would then immediately be considered 'timed out' by
the FM, due to the timestamp too far in the future.

In the observed case, the thread processing packet 1 from the pcap had not
yet started processing while other threads had already started. The FM was
also already active. Due to the timestamps in the pcap this meant that the
time the FM used was about 500 seconds in the future compared to packet 1.

This patch fixes the issue by initializing all of the threads' timestamps
with the timestamp value of the first packet. This way the minimum will
always consider this timestamp.
5 years ago
Victor Julien 1b1855c3bd time: remove unused time structure 5 years ago
Victor Julien 13b4ece11d time: minor code cleanup 5 years ago
Victor Julien 6176338d0b time: fix function name typo 5 years ago
Victor Julien 227e2812f6 pcap/file: fix function ptr naming 5 years ago
Victor Julien 95e7246b75 rust: bump minimum supported version to 1.34.2 5 years ago
Victor Julien 74305c0486 rust/nfs: minor code cleanups 5 years ago
Victor Julien 576e92983e rust/rpc: add partial data tests 5 years ago
Pierre Chifflier 442500678b rust: use the streaming version of combinators to fix incomplete reads 5 years ago
Pierre Chifflier df9a4fd635 rust/rdp: use the streaming version of combinators to fix incomplete reads 5 years ago
Pierre Chifflier 2561da89c0 rust/rdp: fix regression introduced during nom 5 upgrade 5 years ago
Pierre Chifflier f3ddd7127c rust: Add type annotations when required
Unfortunately, the transition to nom 5 (and functions instead of macros)
has side-effects, one of them being requiring lots of type annotations
when using a parser, for example in a match instruction.
5 years ago
Pierre Chifflier 62e31396ae rust/ftp: upgrade to nom 5
CompleteByteSlice type has been removed, and replaced by combinators
under the nom::character::complete namespace.
5 years ago
Pierre Chifflier 1a505ccd11 rust/rdp: add custom error handling 5 years ago
Pierre Chifflier d1bf34a427 rust/smb: add custom error handling 5 years ago
Pierre Chifflier 1ab8c5763c rust: add SecBlobError custom error type for the Kerberos parser 5 years ago
Pierre Chifflier 030c9a3d86 rust: add take_until_and_consume replacement function 5 years ago
Pierre Chifflier 8664a55ee7 rust/dns: remove unneeded calls to closure! 5 years ago
Pierre Chifflier 5b809f77f1 rust: upgrade all parsers to nom 5 5 years ago
Jason Ish a2d91d9bf5 log-pcap: fix log message: unified2 -> pcap
Likely a result of copy-and-pasted code.
5 years ago