aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
9,153 Commits
7 Branches
161 Tags
210 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8c7aee92eb'
${ noResults }
Commit Graph

9153 Commits (8c7aee92eb85e8c1bfdc42c5fdc787a249abf16c)
 

Author SHA1 Message Date
Giuseppe Longo fc38013975 app-layer-htp: close file with TRUNCATE state 
When a file in TOSERVER direction is being stored and
libhtp or stream depth limit is reached,
it will be closed by HTPCallbackRequest without setting
any flags so the file state will be set to CLOSED
instead of TRUNCATED.
 7 years ago
Victor Julien c8fb9bcba5 app-layer-parser: split registration flags 7 years ago
Giuseppe Longo 397f5f5fdf app-layer-parser: don't overwrite stream_depth value 
When an app-layer parser is enabled, it could set its
own stream_depth value calling the API AppLayerParserSetStreamDepth.

Then, the function AppLayerParserPostStreamSetup will replace
the stream_depth value already set with stream_config.reassembly_depth.

To avoid overwriting, in AppLayerParserSetStreamDepth API a flag
will be set internally to specify that a value is already set.
 7 years ago
Victor Julien 7c884e0850 doc: update multi-tentant for device feature 7 years ago
Victor Julien 12fec46d13 multi-tenant: introduce device selector 
Add device to tenant mapping support:

  mappings:
  - device: ens5f0
    tenant-id: 1
  - device: ens5f1
    tenant-id: 23

Implemented by assigning the tenant id to the 'livedev', which means
it's only supported for capture methods that use the livedev API.

It's also currently not supported for IPS. In a case like 'eth0 -> eth1'
it's unclear which tenant should be used for the return traffic in a
flow, where the incoming device is 'eth1'.
 7 years ago
Victor Julien a337908c78 rust/dhcp: free events and destate at tx end 7 years ago
Maurizio Abba 55b14f3721 decode: set pktlen of decode handler to uint32 
Change the decode handler signature to increase the size of its decode
handler, from uint16 to uint32. This is necessary to let suricata use
interfaces with mtu > 65535 (ex: lo interface has default size 65536).

It's necessary to change several primitive for Packet manipulation, to
unify the parameter "packet length" whenever we are before IP decoding.

Add tests before calling DecodeIPVX function to avoid a possible
integer overflow over the len parameter.
 7 years ago
Victor Julien 22f9875096 detect: free rule group init memory at the end of startup 7 years ago
Maurizio Abba f32cc6ca9c detect: fix fileext and filename negated match 
fix bug in fileext and filename preventing negated match to work
correctly. Previously, negated fileext (such as !"php") would cause a
match anyway on files that have extension php, as the last if would not
be accessed.

Using the same workflow as detect-filemagic we remove the final
isolated if and set it as a branch of the previous if.
 7 years ago
Victor Julien 9370805af6 eve/smb: use flow direction for tuple 7 years ago
Victor Julien edd0c2246c smb1: add SMB1_COMMAND_QUERY_INFO_DISK command mapping 7 years ago
Victor Julien 17ced4fb7f smb: add smb-events.rules to dist 7 years ago
Maurizio Abba bf4398b15d output-json: ensure string is json-encodable 
Substitute json_string with SCJsonString custom function.
SCJsonString will ensure string passed is json-encodable (utf-8).
If it's not, the string will be converted in such a way that any
non-printable character will be encoded in its hex form.
The resulting json object will be returned.

rust modification will encode any non-printable character during its
conversion in to_cstring.
 7 years ago
Victor Julien 4f32324fe4 devices: clean up device init code 7 years ago
Eric Leblond 023bb72cc6 suricata: fix init process for layer 2 IPS 
4474889667 did break the logic of IPS
mode detection for layer 2 IPS mode like Netmap and AF_PACKET. This
pach fixes the issue by calling the IPS detection mode after
complete registration of the interfaces.

Reported-by: Alexander Gozman <a.gozman@securitycode.ru>
 7 years ago
Victor Julien 44daf84321 output/tls: don't pass NULL fingerprint to json logging 7 years ago
Victor Julien 155a017cf8 ssl: fix uninitialized variable warning 7 years ago
Victor Julien 3c72d67635 detect/analyzer: log mask flags and more engine details 7 years ago
Victor Julien c4b56ca289 dcerpc: fix dce_iface not matching 7 years ago
Victor Julien a2b8ea57fc detect/dce: fix false positives in detection 
If a signature didn't explicitly specified 'dcerpc' or 'smb' as the
app proto, false positives on other traffic could happen. This was
caused by the sig not having a app_proto set. This isn't set as the
rule is supposed to match against either ALPROTO_DCERPC or ALPROTO_SMB.

To avoid adding runtime costs for checking for both protocols, this
patch adds a new flag for DCERPC in the 'mask' logic. The flag is set
on the sig if dce_* keywords are present and set on the packet if the
flow's app proto is either ALPROTO_DCERPC or ALPROTO_SMB.

Bug #2559

Reported-by: Jason Taylor
 7 years ago
Victor Julien 8547d113bf detect: minor code cleanups 7 years ago
Victor Julien 329e029525 detect/dce: keyword cleanups 7 years ago
Victor Julien 177966970a smb: probing parser improvement 7 years ago
Victor Julien fd38989113 proto/detect: remove probing parser offset argument 
Remove offset argument as it was unused.
 7 years ago
Victor Julien 991ec4ed60 detect/flow: minor code cleanups 7 years ago
Victor Julien bfa884c956 detect: avoid potential use-after-free in error path 7 years ago
Victor Julien 9cd0bbcab1 proto/detect: minor cleanup 7 years ago
Victor Julien d062089c60 detect: clean up counter registration 7 years ago
Victor Julien e8079e2f1b flow: fix comment typos 7 years ago
Victor Julien c6e79f4410 nfs4: create tx for CREATE procedure 7 years ago
Victor Julien 90e0e3da27 nfs: fix applying nfs3 logging logic to nfs4 7 years ago
Victor Julien cb3abba1e0 nfs4: log remove procedure + add multi-proc support 
Add TX creation for NFS4 transactions. Start with the 'REMOVE' procedure.

Start on logging all procs. In NFS4 COMPOUND records there are multiple
procedures. One of them can be considered the 'main' procedure, with others
as supporting utility. This patch adds the first step in supporting to
track those in the TX for logging and inspection.
 7 years ago
Victor Julien ff518e5c64 nfs4: for putrootfh set 'mount root' as name 7 years ago
Victor Julien 22e0fc97f8 nfs: rename generic functions from nfs3 to nfs 7 years ago
Victor Julien d22c170c38 nfs: move v2 parsing into own file 7 years ago
Victor Julien 9b42073e54 nfs3: move nfs3 specific handling into own file 7 years ago
Victor Julien 4c09766b33 nfs: request parser cleanup 7 years ago
Victor Julien e0a58ffa41 changelog: update to 4.1rc1 7 years ago
Victor Julien 87839d973c changelog: add missing 4.1beta1 tickets 7 years ago
Victor Julien f570905f8c nfs: get rid of reachable panic statements 7 years ago
Victor Julien 8a1af5c367 nfs4: remove panic calls, set events instead 7 years ago
Victor Julien f2382356b1 nfs4: support 4.1 SEQUENCE procedure 7 years ago
Jason Ish 64b6ff7392 config: better default rule file configuration 
Move the rule file configuration down near the bottom of the
configuration file under advanced settings. With the bundling
of Suricata-Update, any rule file configuration within
suricata.yaml could be considered advanced.

Add extra comments to the yaml to make it more clear which was
enabled at installation time.
 7 years ago
Danny Browning cd40a3f7ac detect-parse: fix missing space in error message (2541) 
Fix missing space in error message.
 7 years ago
Victor Julien f68bf3301a enip: harden byte parsing code 
Make sure we never read more than we have.

Reported-by: Henning Perl
 7 years ago
Victor Julien 9ba89a31ef ssh: fix out of bounds read in banner parsing 
Reported-by: Henning Perl
 7 years ago
Victor Julien 843d0b7a10 stream: support RST getting lost/ignored 
In case of a valid RST on a SYN, the state is switched to 'TCP_CLOSED'.
However, the target of the RST may not have received it, or may not
have accepted it. Also, the RST may have been injected, so the supposed
sender may not actually be aware of the RST that was sent in it's name.

In this case the previous behavior was to switch the state to CLOSED and
accept no further TCP updates or stream reassembly.

This patch changes this. It still switches the state to CLOSED, as this
is by far the most likely to be correct. However, it will reconsider
the state if the receiver continues to talk.

To do this on each state change the previous state will be recorded in
TcpSession::pstate. If a non-RST packet is received after a RST, this
TcpSession::pstate is used to try to continue the conversation.

If the (supposed) sender of the RST is also continueing the conversation
as normal, it's highly likely it didn't send the RST. In this case
a stream event is generated.

Ticket: #2501

Reported-By: Kirill Shipulin
 7 years ago
Victor Julien 33614fcae0 stream-events: fix mapping 7 years ago
Victor Julien 2b581cd6db smb: log trans2 that enable delete on close 7 years ago
Victor Julien eefac0ef95 smb1: add support for trans2 set_path_info rename 7 years ago