Commit Graph

7 Commits (a9c05c7d96c0973684f9f0fef794c5dba9c18339)

Author SHA1 Message Date
Eric Leblond 843dba0a28 datasets: add dataset-lookup command 3 years ago

Ticket: #5184

Shivani Bhardwaj 5ac94fc407 datasets: allow memcap, hashsize be set via yaml or rule 5 years ago

It is now possible to set the memcap and hashsize via suricata.yaml and
rules.

Rule example:

alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv,memcap 100mb,hashsize 2048; sid:1;)

suricata.yaml example:

datasets:
  ua-seen:
    type: string
    load: datasets.csv
    memcap: 20mb
    hashsize: 2048

Shivani Bhardwaj e9fe5ada7f datasets: reload static sets 5 years ago
Victor Julien af06883f65 datasets: add 'remove' support 5 years ago
Victor Julien e264a0cee8 datasets: fix hash table config 6 years ago

Example:

datasets:
  ua-seen:
    type: string
    state: ua-seen.lst
    hash:
      hash-size: 100000
      prealloc: 1000
      memcap: 256mb

Victor Julien 1d6a358d8a datasets: unix socket dataset-add command 6 years ago
Victor Julien 317376f59d datasets: match on lists of data 6 years ago

Datasets are sets/lists of data that can be accessed or added from
the rule language.

This patch implements 3 data types:

1. string (or buffer)
2. md5
3. sha256

The patch also implements 2 new rule keywords:

1. dataset
2. datarep

The dataset keyword allows matching against a list of values to see if
it exists or not. It can also add the value to the set. The set can
optionally be stored to disk on exit.

The datarep keyword supports matching/lookups only. With each item in the set a
reputation value is stored and this value can be matched against. The
reputation value is unsigned 16 bit, so values can be between 0 and 65535.

Datasets can be registered in 2 ways:

1. through the yaml
2. through the rules

The goal of this rule-based approach is that rule writers can start using
this without the need for config changes.

A dataset is implemented using a thash hash table. Each dataset is its own
separate thash.