aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
8,617 Commits
7 Branches
155 Tags
201 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '93b056d89e'
${ noResults }
Commit Graph

8617 Commits (93b056d89e857c6270d4eeeea48c49aa82363aa0)
 

Author SHA1 Message Date
Jason Ish 93b056d89e eve/alert: log metadata be default 
By default log metadata.

Remove toggles for individual protocol types and just use a
single toggle to control including the app-layer with the
alert.

The metadata (currently app-layer and flow) can be disabled
by setting metadata to a falsey value, but its removed
from the default configuration (but wil be in docs)
 7 years ago
Jason Ish b659222ea0 eve/metadata: log flowvars as a list of k/v pairs 
To match the pktvars output.
 7 years ago
Jason Ish 1f47f77bd5 eve/metadata: special handling for traffic-id labels 
Give traffic/id and traffic/label flowbits special handling
in the eve output. Instead of just logging them as flowbits,
give them their own top level object.

{
  "traffic": {
    "id": ["id0", "id1"],
    "label": ["label0", "label1"]
  }
}
 7 years ago
Jason Ish 0e02684634 doc: update eve-log section for metadata 7 years ago
Jason Ish 572a62f35a output-json-vars: rename to metadata 
No functional change, just rename of files and functions
to reflect the metadata event type now used.
 7 years ago
Jason Ish 34811cf69e json-vars: rename to metadata and use new metadata format 7 years ago
Jason Ish a23d54ce3e eve: netflow: global metadata config 7 years ago
Jason Ish 3eaca7c239 eve: http: global metadata config 7 years ago
Jason Ish 790ce3743b eve: flow: global metadata config 7 years ago
Jason Ish 23bbbc5818 eve: dns: global metadata config 7 years ago
Jason Ish 4a05160353 eve: alert: global metadata config 
Also, remove vars as a subtype. Adding the top level metadata
field is an eve lebel parameter, not alert now.
 7 years ago
Jason Ish 5da5fc1f7d eve: drop: global metadata config 7 years ago
Jason Ish 2247b9aad2 eve: email: respect global metadata config 7 years ago
Jason Ish 885452fc22 eve: nfs: respect global metadata config 7 years ago
Jason Ish b577f4a0c9 eve: smtp: respect global metadata config 7 years ago
Jason Ish 7f5439a300 eve: dnp3: respect global metadata config 7 years ago
Jason Ish 32da579239 eve: ssh: respect global metadata config 7 years ago
Jason Ish 88ac0f2b1a eve: tls: respect global metadata config 7 years ago
Jason Ish dd988d9934 eve: metadata setting to enable/disable metadata 
This is a top level metadata object containing flowbits,
flowints, pktvars and flowvars.

Enabling it at the top level enables it for all log types.
 7 years ago
Jason Ish 5138f99c58 eve: top level metadata object 
Contains:
- flowbits (as array)
- flowints (map)
- flowvars (map)
- pktvars (map)
 7 years ago
Victor Julien 6f339abdf0 htp: minor debug addition 7 years ago
Victor Julien e86be22737 htp: remove unused field from tx state 7 years ago
Victor Julien c63b1ce2c6 htp: remove used body operation field 7 years ago
Victor Julien 07cbbfb0d1 htp: code cleanups 7 years ago
Victor Julien 9ca71beb03 htp: remove usused file flags 7 years ago
Victor Julien daeba48f77 htp: remove usused flags 7 years ago
Victor Julien c0d26de665 stream: improve overlap detection 
Improve detection of overlapping different data. Keep some data around
even if it was already ACK'd to check if packets have overlap.
 7 years ago
Victor Julien e64941144e htp: allow HTTP pickup of response data 
Now that libhtp can pick up sessions that start with a response
we can enable support for it as well.
 7 years ago
Victor Julien 49927024c6 http: add tests for malformed response lines 7 years ago
Victor Julien ca67408e79 stream: set event for suspected data injection during 3whs 
This rule will match on the STREAM_3WHS_ACK_DATA_INJECT, that is
set if we're:
- in IPS mode
- get a data packet from the server
- that matches the exact SEQ/ACK expectations for the 3whs

The action of the rule is set to drop as the stream engine will drop.
So the rule action is actually not needed, but for consistency it
is drop.
 7 years ago
Victor Julien d1adf5f7e9 stream: handle data on incomplete 3whs 
If we have only seen the SYN and SYN/ACK of the 3whs, accept from
server data if it perfectly matches the SEQ/ACK expectations. This
might happen in 2 scenarios:

1. packet loss: if we lost the final ACK, we may get data that fits
   this pattern (e.g. a SMTP EHLO message).

2. MOTS/MITM packet injection: an attacker can send a data packet
   together with its SYN/ACK packet. The client due to timing almost
   certainly gets the SYN/ACK before considering the data packet,
   and will respond with the final ACK before processing the data
   packet.

In IDS mode we will accept the data packet and rely on the reassembly
engine to warn us if the packet was indeed injected.

In IPS mode we will drop the packet. In the packet loss case we will
rely on retransmissions to get the session back up and running. For
the injection case we blocked this injection attempt.
 7 years ago
Victor Julien e1ef57c848 stream: still inspect packets dropped by stream 
The detect engine would bypass packets that are set as dropped. This
seems sane, as these packets are going to be dropped anyway.

However, it lead to the following corner case: stream events that
triggered the drop could not be matched on the rules. The packet
with the event wouldn't make it to the detect engine due to the bypass.

This patch changes the logic to not bypass DROP packets anymore.
Packets that are dropped by the stream engine will set the no payload
inspection flag, so avoid needless cost.
 7 years ago
Victor Julien 700781c53b enip: support gaps 
Due to a bug in the GAP handling the TCP layer the parser would already
get data after GAPs before.
 7 years ago
Victor Julien 89dc05d4a6 stream/app-layer: fix GAP handling issue 
Fix case where data after GAP was processed as in order data by app-layer.
This happened even if protocol parser did not register to accept GAPs.
 7 years ago
Victor Julien 251156e253 pcre: don't leak memory in data extraction 7 years ago
Pascal Delalande 80f2fbac6e rust/tftp: eve logging with rust 7 years ago
Clement Galland b9cf49e933 rust/tftp: add tftp parsing and logging 
TFTP parsing and logging written in Rust.
Log on eve.json the type of request (read or write), the name of the file and
the mode.

Example of output:
    "tftp":{"packet":"read","file":"rfc1350.txt","mode":"octet"}
 7 years ago
Pascal Delalande 0ff60f65ec doc: update filestore for file hash extraction 
Update for extraction based on md5, sha1 and sha256
 7 years ago
Victor Julien e8939335ea rust/nfs: explicitly handle GAPs from C 
It seems that Rust optimizes this code in such a way that it
passes the null ptr along as real data.

    if buf.as_ptr().is_null() && input_len > 0 {
 7 years ago
Victor Julien 2c3c8f8b85 rust/filetracker: if file API return error, trunc file 7 years ago
Victor Julien d27ed5957f rust/nfs: fix read reply handling 
READ replies with large data chunks are processed partially to avoid
queuing too much data. When the final chunk was received however, the
start of the chunk would already tag the transaction as 'done'. The
more aggressive tx freeing that was recently merged would cause this
tx to be freed before the rest of the in-progress chunk was done.

This patch delays the tagging of the tx until the final data has been
received.
 7 years ago
Victor Julien d75d9d0b45 file: minor cleanups 7 years ago
Victor Julien ce08a43bda file: use enum for state 
Makes debugging easier.
 7 years ago
Victor Julien 3a2e4614d0 rust/file: handle file open errors 7 years ago
Victor Julien 45c5030ff0 rust/file: change return type for FileOpenFileWithId 
Make it int so we can easily check it in Rust. No consumer used the
File pointer that was returned before anyway.
 7 years ago
Victor Julien 288ddc95ac rust/core: comment cleanup 7 years ago
Jason Ish 4a89d939fc .gitignore: only ignore *.yaml in root directory 7 years ago
Alexander Gozman cba41207b3 af_packet: bug #2422. 
This commit fixes a leak of mmap'ed ring buffer that was not
unmaped when a socket was closed. In addition, the leak could
break an inline channel on certain configurations.

Also slightly changed AFPCreateSocket():
1. If an interface is not up, it does not try to apply any
   settings to a socket. This reduces a number of error messages
   while an interface is down.
2. Interface is considered active if both IFF_UP and IFF_RUNNING
   are present.
 7 years ago
Danny Browning 790ef2701a runmode-unix-socket: interrupt as commanded (2413) 
https://redmine.openinfosecfoundation.org/issues/2413

Once interrupt occurs, reset the interrupt flag so that future runs are
not immediately interrupted.
 7 years ago
Pascal Delalande 63b9b9e9aa unix-socket: socket permission update 
So far, the suricata socket suricata-command.socket has the rights
 rw-r----- suricata:user.
When suricata is used with restricted access, an other application
(suricatasc like) that needs to access to the command socket also
with restricted access can not write to the socket since it is not
the owner (e.g suricata within container, with an hardened value
for umask and hardened rights for users).

The socket should be set as rw-rw----. Use chmod instead of fchmod
and set it after the socket creation.
 7 years ago