Commit Graph

565 Commits (af246ae7ab1b70c09f83c0619b253095ccc18667)

Author SHA1 Message Date
Jason Ish f119b29701 lua: disable lua rules by default
To protect against possible supply chain attacks, disable Lua rules by
default. They can be enabled under the "security" section of
suricata.yaml.

Ticket: #6122
3 years ago
Philippe Antoine 7e725c650d flow: optionally use livedev for hash
So that in a setup with different interfaces capturing different
networks, flows do not get mixed up

Ticket: #5270
3 years ago
Jason Ish e7d3904c3f suricata.yaml: use include list for example
For 7.0 multiple includes are allowed, but marked as
deprecated. Update the example to show the new way of pulling in
multiple includes.
3 years ago
Jason Ish f8620d0ed2 docs: update url to docs.suricata.io 3 years ago
Eric Leblond ea95e85755 profiling: set sample rate to power of 2
For the rules profiling, we really want to limit the performance
impact to the maximum. So let's use an hash size that is a power
of 2. This will allow to not use the modulo operation that is
costly and simply use a single binary operator.

This code is only active for rules profiling so we are backward
compatible.
3 years ago
Victor Julien a945982e8f yaml: spelling 3 years ago
Jeff Lucovsky 62f4049705 config/pfring: Document add'l pf-ring cluster types
This commit adds additional cluster-types for use with the pf-ring
packet source.

Issue: 5975
3 years ago
Juliana Fajardini 31066c7c3b docs: clarify exception policy's supported values
As flow.memcap-policy and defrag.memcap-policy do not support flow
actions, clarify that in the documentation. Also fix some typos, and
add missing values in some places where the exception policies were
explained.

Related to
Bug #5940
3 years ago
Jason Ish c6c781ef67 config: put version in configuration as a proper value
Adds a new field, "suricata-version" to the configuration file with
the major and minor version of the Suricata that generated the
configuration file.

This may be useful in the future for presenting warnings about
important changes, or even providing different defaults based on what
the user might expect.

Ticket: 5822
3 years ago
Victor Julien 01b7ccc224 stream: add liberal timetamps option
Linux is slightly more permissive wrt timestamps than many
other OS'. To avoid many events/issues with linux hosts, add an
option to allow for this slightly more permissive behavior.

Ideally the host-os config would be used, but in practice this
setting is rarely set up correctly, if at all.

This option is enabled by default.
3 years ago
Victor Julien 83a16a7a89 eve/stream: per packet stream engine logging
Debug facility to get a per packet view into the stream engine's state.

Logs after a packet has been processed in the stream engine, so the view
into the state includes the updates based on the current packet.

Marked as experimental so it can be changed w/o notice.

Bug: #5876.
3 years ago
Victor Julien 3948b160c7 stream: implement config option for SYN queue
Default to allowing 10 SYNs to not trigger an event on a connection
attempt that times out.
3 years ago
Philippe Antoine e3105a6614 ftp: adds a config option ftp-hash for autofp-scheduler
This allows ftp-data and ftp flows to be processed by the same
thread. Otherwise, there may be a concurrency issue where the
would-be ftp-data flow is first processed, and thus not recognized
as such. And the ftp flow gets processed later and the expectation
coming from it is never found.

To do so, the flow hash gets used as usual, except for flows that
may be either ftp or ftp-data, that is either one port is 21, or
both ports are high ones.

Ticket: #5205
4 years ago
Philippe Antoine b52293b609 dcerpc: config limit maximum number of live transactions
As is done for other protocols

Ticket: #5779
4 years ago
Juliana Fajardini 0d9289014b exceptions: add master switch config option
This allows all traffic Exception Policies to be set from one
configuration point. All exception policy options are available in IPS
mode. Bypass, pass and auto (disabled) are also available in iDS mode

Exception Policies set up individually will overwrite this setup for the
given traffic exception.

Task #5219
4 years ago
Philippe Antoine 55c4834e4e smb: configurable max number of transactions per flow
Ticket: #5753
4 years ago
Jason Ish 531c4336c9 logging: use ISO-like timestamp in file log
Also update suricata.yaml to show this default, as updating the
"default-log-format" does not affect the file output.
4 years ago
Jason Ish 761e7c2a63 suricata.yaml: update default-log-format current state
The default-log-format has changed, reflect this in the suricata.yaml.
4 years ago
Jeff Lucovsky e7c2298203 config: Clarify when log format can be overridden 4 years ago
Jeff Lucovsky f8474344cd log: Add module and subsystem identifiers to log
Issue: 2497

This changeset provides subsystem and module identifiers in the log when
the log format string contains "%S". By convention, the log format
surrounds "%S" with brackets.

The subsystem name is generally the same as the thread name. The module
name is derived from the source code module name and usually consists of
the first one or 2 segments of the name using the dash character as the
segment delimiter.
4 years ago
Richard McConnell 6e128f48a2 af-xdp: Add AF_XDP socket support
AF_XDP support is a recent technology introduced that aims at improving
capture performance. With this update, Suricata now provides a new
capture source 'af-xdp' that attaches an eBPF program to the network
interface card. Packets received in the NIC queue are forwarded to
a RX ring in user-space, bypassing the Linux network stack.

Note, there is a configuration option (force-xdp-mode) that forces the
packet through the normal Linux network stack.

libxdp and libbpf is required for this feature and is compile time
configured.

This capture source operates on single and multi-queue NIC's via
suricata.yaml. Here, various features can be enabled, disabled
or edited as required by the use case.

This feature currently only supports receiving packets via AF_XDP,
no TX support has been developed.

Ticket: https://redmine.openinfosecfoundation.org/issues/3306

Additional reading:
https://www.kernel.org/doc/html/latest/networking/af_xdp.html
4 years ago
Todd Mortimer 15c77be937 swf-decompression: Disable by default.
Add an entry to the upgrade guide noting the change.

Ticket: #5632
4 years ago
Aaron Bungay 86037885a9 bittorrent-dht: add bittorrent-dht app layer
Parses and logs the bittorrent-dht protocol.

Note: Includes some compilation fixups after rebase by Jason Ish.

Feature: #3086
4 years ago
Philippe Antoine a003640ecf security: prevents process creation
with setrlimit NPROC.

So that, if Suricata wants to execve or such to create a new process
the OS will forbid it so that RCE exploits are more painful to write.

Ticket: #5373
4 years ago
Lukas Sismis aeb690317a dpdk: allow specifying RSS hash function flags in the config
Ticket: #5400
4 years ago
Philippe Antoine af40873127 pgsql: config limit maximum number of live transactions
As is done for other protocols

Ticket: #5527
4 years ago
Eric Leblond 485d5a4ea4 landlock: basic implementation
This patch is adding support for Landlock, a Linux
Security Module available since Linux 5.13.

The concept is to prevent any file operation on directories where
Suricata is not supposed to access.

Landlock support is built by default if the header is present. The
feature is disabled by default and need to be activated in the YAML
to be active.

Landlock documentation: https://docs.kernel.org/userspace-api/landlock.html

Feature: #5479
4 years ago
Juliana Fajardini bbd968c738 exceptions: add reject support to exception policy
This enables the usage of 'reject' as an exception policy. As for both
IPS and IDS modes the intended result of sending a reject packet is to
reject the related flow, this will effectively mean setting the reject
action to the packet that triggered the exception condition, and then
dropping the associated flow.

Task #5503
4 years ago
Juliana Fajardini fc81c80c04 suricata.yaml: add exception policy config options
Related to
Task #5468
4 years ago
jason taylor 05bca0b6fb config: update commented value to default status
Signed-off-by: jason taylor <jtfas90@gmail.com>
4 years ago
Andreas Dolp e9976a0e14 suricata.yaml.in: Fix default value of prealloc-sessions 4 years ago
Andreas Dolp 32b39d054f suricata.yaml.in: Remove duplicate "with" in comment. 4 years ago
Eric Leblond 58ef7bcdee log/pcap: introduce tag as logging condition
This patch adds the tag as logging condition. If this option is
used all tagged packets are written to the pcap.
4 years ago
Eric Leblond 4cab5e5262 log/pcap: conditional logging
Add an option to only write to pcap packets with alerts and flow
that have alerted.
4 years ago
Jason Ish b5d1a80002 suricata.yaml: include version that generated this file
Add a line to the configuration that says which version generated the
configuration file.  For example:

    # This configuration generated by:
    #     Suricata 7.0.0-dev

Issue: #4784
4 years ago
Juliana Fajardini 3ace577d54 decode: make packet_alert_max configurable
The maximum of possible alerts triggered by a unique packet was
hardcoded to 15. With usage of 'noalert' rules, that limit could be
reached somewhat easily. Make that configurable via suricata.yaml.

Conf Bug#4941

Task #4207
4 years ago
Jeff Lucovsky d79a317cea suricata.yaml: Add per-thread stack size setting
Issue: 4550
4 years ago
Philippe Antoine 8adf172ab8 nfs: limits the number of active transactions per flow
Ticket: 4530
4 years ago
Philippe Antoine e42094f238 mqtt: make max transactions configurable
Allows users to find balance between completeness of decoding
and increases resource consumption, which can DOS suricata.
5 years ago
Philippe Antoine 4f90d4254e http2: makes some settings configurable
max-streams and max-table-size

Allows users to find balance between completeness of decoding
and increases resource consumption, which can DOS suricata.
5 years ago
Aaron Bungay 272786908c smtp/mime: configurable url scheme extraction
Parse extract-url-schemes from the mime config.
e.g. 'extract-urls-schemes: [http, https, ftp, mailto]'
Update MimeDecConfig struct to new url extraction fields.
Change app-layer-smtp.c & util-decode-mime.c to initialize new struct
fields for MimeDecConfig.
Sets the default value for extract-url-schemes if not found in the
config to 'extract-urls-schemes: [http]' for backwards compatibility.

Uses the schemes defined in the mime config value for
extract-urls-schemes to search for URLS starting with those scheme
names followed by "://".
Logs the URLS with the scheme + '://' at the start if the
log-url-scheme is set in the mime config, otherwise the old behaviour
is reverted to and the urls are logged with the schemes stripped.

Removed unused constant URL_STR now that URLS are being searched for
using extract-urls-schemes mime config values instead of just URL's
starting with 'http://'.

Added commented out new options for extract-urls-schemes and
log-url-scheme to suricata.yaml.in.

Update FindUrlStrings comments.
Remove old outdated comments/commented code from FindUrlStrings.
Update test case for mime which now needs schemes list to be set.
Add Test Cases for FindUrlStrings() method.

Feature: #2054
5 years ago
Juliana Fajardini 579d7dcc01 pgsql: add initial support
- add nom parsers for decoding most messages from StartupPhase and
SimpleQuery subprotocols
- add unittests
- tests/fuzz: add pgsql to confyaml

Feature: #4241
5 years ago
Emmanuel Thompson 7e51987263 quic: Add QUIC App Layer
Parses quic and logs a CYU hash for gquic frames
5 years ago
Victor Julien 44c9241b6a telnet: initial support with frames
Bootstrapped using setup script. Basic option parsing for purpose
of tagging frames.
5 years ago
Victor Julien 60bfade351 eve: implement frame logging
This is mostly to assist development and QA. It produces too much data
for practical use.
5 years ago
Jeff Lucovsky 163f70be9d logging: Stacktrace on signal term setting
This commit adds a configuration setting to enable a stack trace message
if Suricata receives a signal that terminates execution, such as
SIGSEGV, SIGABRT.
5 years ago
Lukas Sismis a7faed1245 dpdk: initial support with workers runmode
Register a new runmode - DPDK. This enables a new flag on Suricata start
(--dpdk).

With the flag given, DPDK runmode is enabled.

Runmode loads the configuration and then initializes EAL.

If successful, it configures the physical NICs according to the configuration
file. After that, worker threads are initialized and then are in continuous
receive loop.
5 years ago
Philippe Antoine 424dcda2c0 http2: enable by default 5 years ago
Victor Julien 7a797631e0 http/range: cleanup and simplification
Simplify locking by using the THashData lock instead of a separate
range lock.

Avoid size_t in function arguments.

Clean up file handling functions.

Implement handling of alloc errors.

Rename yaml entry to byterange

Unify public api naming
5 years ago
Philippe Antoine e82416a415 http/range: reassemble files from different flows with range
adds a container, ie a thread safe hash table whose
key is the filename

keep a tree of unordered ranges, up to a memcap limit

adds HTPFileOpenWithRange to handle like HTPFileOpen
if there is a range : open 2 files, one for the whole reassembled,
and one only for the current range
5 years ago
Jason Ish 54be743c48 prelude: remove the prelude output
It was broken in 6 and that didn't cause much issue. Just remove
it for 7.
5 years ago
Sascha Steinbiss 9aedc7fd1a mqtt: enable in config and remove misleading comment 5 years ago
Victor Julien b08a7b9a66 stream: update memcaps in code to match config 5 years ago
Victor Julien 3c1cc1e345 mqtt: move sub/unsub limits into app-layer config 5 years ago
Sascha Steinbiss 4c0ef73bf2 detect/mqtt: add topic inspection limit
We add a new 'mqtt.(un)subscribe-topic-match-limit' option
to allow a user to specify the maximum number of topics in
a MQTT SUBSCRIBE or UNSUBSCRIBE message to be evaluated
in detection.
5 years ago
Jeff Lucovsky 8867dcf403 config/plugin: Add template for plugins 5 years ago
frank honza ecdf9f6b0b ikev1: rename ikev2 to common ike
Renaming was done with shell commands, git mv for moving the files and content like
find -iname '*.c' | xargs sed -i 's/ikev1/ike/g' respecting the different mixes of upper/lower case.
5 years ago
Philippe Antoine 7500c29300 decode: limits the number of decoded layers
so as to avoid overrecursion leading to stack exhaustion
5 years ago
Victor Julien af13d4de18 detect: set HTTP SWF decompress limits 5 years ago
Philippe Antoine a04b5566a6 http: makes decompression time limit configurable 5 years ago
Phil Young dc5349a30c napatech: Add Deprecation Warning Message for HBA
Added a message that HBA will be deprecated in the future and removed
hba from default conf file.
6 years ago
Jeff Lucovsky 8f009cf9b5 output/json: Update threaded filename example 6 years ago
Shivani Bhardwaj 1286b0a8f1 datasets: parse defaults section from yaml
Datasets can now have a global defaults setting in suricata.yaml. In
case the settings for memcap and hashsize are not find in the yaml or
rule, this shall be the fallback.

Example:

datasets:
  defaults:
    memcap: 100mb
    hashsize: 2048
  ua-seen:
    type: string
    load: datasets.csv
6 years ago
Philippe Antoine 9b5c923327 http: disables lzma by default for HTTP 6 years ago
Victor Julien 57a611b429 decode/geneve: add config to yaml 6 years ago
Ali Jad Khalil 5d955c1836 decode/geneve: Add Geneve decoding functionality
These changes are in response to feature request 3063. Geneve is
very similar to VXLAN, but uses a slightly different encapsulation
scheme.
6 years ago
Jason Ish 5d5eef624b suricata.yaml: mark http2 as experimental
Make it clear that HTTP2 is experimental and disabled by default.
6 years ago
Philippe Antoine 1422b18a99 http2: initial support 6 years ago
Sascha Steinbiss 4e1a41a17d output-json: add MAC address output
This commit adds MAC address output to the EVE-JSON format. We follow the
remarks made in Redmine ticket #962: for packets, log MAC src/dst as a
scalar field in EVE; for flows, log MAC src/dst as lists in EVE. Field names
are different between flow and packet context to avoid type confusion
(src_mac vs. src_macs). Configuration approach and JSON representation is
taken from previous GitHub PR #2700.
6 years ago
Victor Julien 5db1d9b841 eve/yaml: move mqtt down 6 years ago
Sascha Steinbiss c31360070b rust/mqtt: add MQTT parser 6 years ago
Jeff Lucovsky 30ae98f658 output/json: Multi-threaded EVE logging support
This commit modifies the JSON loggers with changes necessary to support
multi-threaded EVE output.

Each "thread-init" function sets up the per-thread log file context for
subsequent calls to the JSON output to buffer function.
6 years ago
Shivani Bhardwaj 9f9670ebdc logging: Add DCERPC logger 6 years ago
Jeff Lucovsky a58fdcd41d suricata.yaml.in: update stream-depth description 6 years ago
Vadym Malakhatko a80f705d4b userguide: add documentation for Hassh usage
1. Rules keywords
2. Json keywords
3. Usage in lua
4. Enabling in configuration file
6 years ago
Jason Ish e26718aea3 drop-log: remove drop log (deprecated)
Remove the old style line based drop log.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2381
6 years ago
Jason Ish 6ce9b2972b rdp: enable by default
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3255
6 years ago
Jason Ish 5a7ba62493 sip: enable by default
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3256
6 years ago
Jason Ish 6850dbc852 suricata.yaml: remove filestore v1 configuration 6 years ago
Victor Julien 1aaf9a80c5 decode/vxlan: minor yaml example clarrification 6 years ago
Victor Julien e97cdb48f3 decode/teredo: implement port support
Implement support for limiting Teredo detection and decoding to specific
UDP ports, with 3544 as the default.

If no ports are specified, the old behaviour of detecting/decoding on any
port is still in place. This can also be forced by specifying 'any' as the
port setting.
6 years ago
Frank Honza 1c8943dedd add RFB parser
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

 - rfb.name: Session name as sticky buffer
 - rfb.sectype: Security type, e.g. VNC-style challenge-response
 - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
6 years ago
Jeff Lucovsky 0c5c2173bc config: General typo and grammar cleanup 6 years ago
Jason Ish 76582e34c1 suricata.yaml/dns: removed unused settings
Remove DNS settings global-memcap, state-memcap and request-flood.
These have never been used in the Rust implementation of the DNS
decoder.
6 years ago
Jason Ish d86973b386 unified2: remove deprecated output unified2
Ticket 2385:
https://redmine.openinfosecfoundation.org/issues/2385
6 years ago
Phil Young 1c99536945 napatech: add hardware based bypass support
Napatech hardware bypass support enables Suricata to utilize
capabilities of Napatech SmartNICs to selectively bypass flow-based
traffic.
7 years ago
Philippe Antoine 4a2918e6b5 yaml: clarify comment about dump-all-headers
Logs a warning if the value is unknown
Fixes #2810
7 years ago
Jason Ish 16221c0b33 suricata.yaml/dns: small cleanups, not that default is v2
Note that the eve dns log format is version 2 by default.

Make the value of commented out values their default.

Update the comment on the types to better reflect what it does.
7 years ago
Philippe Antoine 6921608673 http: updates suricata.yaml comments
As well as the userguide documentation about suricata.yaml
7 years ago
Konstantin Klinger 808ea0dba9 app-layer: remove obsolete msn protocol detection 7 years ago
Victor Julien ebecaca7ea eve/anomaly: enable by default
Default config will only enable 'app-layer' type within the anomaly
logger.
7 years ago
Victor Julien 514c7c1a04 yaml: minor improvements 7 years ago
Victor Julien cec8067001 yaml: clean up 'autofp-scheduler' option 7 years ago
Jeff Lucovsky 883cad1a86 logging/anomaly: Clarify anomaly logging
Clarify the description of the anomaly logging types.
7 years ago
Jeff Lucovsky af615baaf7 logging/alert: Expand alert logging description
Clarify the configuration requirements for alerts and http-body logging.
7 years ago
Victor Julien 788c9f8f11 tls/ja3: don't disable; allowing runtime enabling 7 years ago
jason taylor e4156b2f89 config: update lzma size notes to match others
Signed-off-by: jason taylor <jtfas90@gmail.com>
7 years ago
Jason Ish 6c2e9ac27c suricata.yaml: mark drop.log as deprecated 7 years ago
Jason Ish 4e12984ac8 suricata.yaml: mark unified2 as deprecated 7 years ago
Jason Ish d891a8cb79 config: remove all but a stub of file-store v1.
Remove most of the file-store v1 configuration section and mark
it as deprecated. Provide a link where to find the available
options.
7 years ago
Victor Julien be6cdd37f8 stream: remove fix stream.depth references 7 years ago
Philippe Antoine af4f816204 http: sets compression bomb limit 7 years ago
Philippe Antoine c09ad01836 http: disable lzma decompression from configuration 7 years ago
Victor Julien 8765839084 sip: disable output by default 7 years ago
Jason Ish a45a2fa1fc sip: disable by default in 5.0 7 years ago
Giuseppe Longo edc2a583a9 rust/sip: add SIP logger 7 years ago
Giuseppe Longo 2e975a0481 rust/sip: add parser for SIP protocol 7 years ago
Jason Ish 4111272c88 config/anomaly: use enabled key word; cleanups
The anomaly section was commented out, but the types sub object
was not, which then attached the types keyword to the previous
object.

Instead keep "anomaly" enabled in the yaml (not commented out)
and use the "enabled: no" to have it disabled by default.

Additonally reformat the comments to be better viewed in 80
columns.
7 years ago
Jason Ish 61a6eaf330 htp/lzma: set limit from configuration
Also use a default defined in Suricata, not libhtp.
7 years ago
Jeff Lucovsky aaacbf28c2 logging/anomaly: Support configuration filter types 7 years ago
Victor Julien c1b333c96e rdp: disable eve.rdp by default 7 years ago
Jason Ish 664605b5f1 rdp: disable rdp by default for 5.0 7 years ago
Zach Kelly caef8b5b38 protocol parser: rdp
Initial implementation of feature 2314:
1. Add protocol parser for RDP
2. Add transactions for RDP negotiation
3. Add eve logging of transactions
7 years ago
Shivani Bhardwaj 59da7ae302 counters: Add new default for decoder events
Set the new default for decoder events to `decoder.event` instead of the
previously used `decoder`. Remove the corresponding warning for 5.0.
7 years ago
Victor Julien d5009c5d8c doc/stream: briefly explain bypass 7 years ago
Jason Ish 55852d0de3 rules: remove configuration for legacy rule handling
Removes the autoconf, and suricata.yaml sections for using
the legacy style of rule management.
7 years ago
Jeff Lucovsky 2149807bd6 eve/ftp: Transaction support for unmatched requests
Modified transaction logic to create a new transaction with each
request; replies location transactions by using the oldest "open"
(unmatched) transaction or the last transaction if none are open.
7 years ago
Jeff Lucovsky 9b88ecb3c1 suricata.yaml: Add ftp logging option to eve-log 7 years ago
Bill Meeks a291209e47 detect/geoip: migrate to GeoIP2 database format
Issue #2765
7 years ago
Victor Julien 82de6e0659 decoder/vxlan: improvements and cleanups
Implement port config handling. Also check both src port and dest
port for tunnels that only set the destination port to the VXLAN
port. At the point of the check we don't know the packet direction
yet.

Implement as Suricata tunnel similar to Teredo.

Cleanups.
7 years ago
Jason Ish 577c8cb0c0 dns-log: remove from config
dns-log has been removed from the code.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2297
7 years ago
Eric Leblond 4e94c2b8c2 suricata.yaml: fix path to ebpf and xdp doc 7 years ago
Pierre Chifflier 6fc7fc74cb SNMP: add logger 7 years ago
Pierre Chifflier 2df840a8b8 Add SNMP (v1/v2c/v3) application layer 7 years ago
Mats Klepsland a4eaef25d6 eve: add JA3S field to TLS JSON logger
Add JA3S object to TLS JSON logger (extended log).
7 years ago
Eric Leblond 5d76f0897c af-packet: remove rollover reference
This patch removes reference to rollover in the configuration file
and add warnings when it is used.
7 years ago
Jeff Lucovsky cc492c50c8 eve/logging: disable anomaly logging by default
Disable anomaly logging by default. Networks with excessive issues may
experience packet processing degradation.
7 years ago
Jeff Lucovsky a8938f449d logging: Anomaly logging
This changeset adds anomaly logging to suricata for issue 2282.

Anomaly logging is controlled via the `anomaly` section within eve-log.
There is a single option -- `packethdr` -- for including the packet header
in the anomaly.
7 years ago
Jason Ish fc3191dc2d config: enable all things requiring Rust
Instead of only enabling them if Rust is enabled, as Rust is
always enabled now.
7 years ago
Phil Young 05271bfbe5 napatech: simplify integration with Napatech cards
- There is now an option to automatically create streams on the
  correct NUMA node when using cpu affinity.

- When not using cpu affinity the user can specify streams to be
  created in the suricata.yaml file.  It is no longer required to
  use NTPL to create streams before running suricata.

- The legacy usage model of running NTPL to create streams is still
  available. This can be used for legacy configurations and complex
  configurations that cannot be satisfied by the auto-config option.
7 years ago
Victor Julien d00950be81 log/file: use default-log-dir for suricata.log
Default to just suricata.log instead of the full path, so that
in user mode we can log in the user mode location.
7 years ago
Eric Leblond abe2836caf suricata.yaml: fix name of encryption-handling var 7 years ago
Victor Julien d6903e70c1 file-log: remove and add warning
Feature was deprecated and scheduled for removal.

Ticket #2376
8 years ago
Victor Julien 6fcd2db043 tile: remove files 8 years ago
Victor Julien 517b45ea2d netmap: switch to nm_* API
Process multiple packets at nm_dispatch. Use zero copy for workers
recv mode.

Add configure check netmap check for API 11+ and find netmap api version.

Add netmap guide to the userguide.
8 years ago
Maurizio Abba 6c0ec0b2f3 eve/http: add request/response http headers
Add a keyword configuration dump-all-headers, with allowed values
{both, request, response}, dumping all HTTP headers in the eve-log http
object. Each header is a single object in the list request_headers
(response_headers) with the following notation:

{
    "name": <header name>,
    "value": <header value>
}

To avoid forged malicious headers, the header name size is capped at 256
bytes, the header value size at 2048.

By default, dump-all-headers is disabled.
8 years ago
Maurizio Abba 4697351188 smtp: create raw-extraction feature
Add a raw-extraction option for smtp. When enabled, this feature will
store the raw e-mail inside a file, including headers, e-mail content,
attachments (base64 encoded). This content is stored in a normal File *,
allowing for normal file detection.
It'd also allow for all-emails extraction if a rule has
detect-filename:"rawmsg" matcher (and filestore).
Note that this feature is in contrast with decode-mime.

This feature is disabled by default, and will be disabled automatically
if decode-mime is enabled.
8 years ago
Victor Julien 0d86263efd eve.stats: make decoder event prefix configurable 8 years ago
Victor Julien 1dd81f7346 yaml: add missing eve pcap-file comment 8 years ago
Jason Ish 87250da0fc rust/dns: add v1 dns logging
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2704
8 years ago
Travis Green 3539ae3041 Updated link for Prelude SIEM
Updated link for Prelude SIEM to https://www.prelude-siem.org/
8 years ago
Eric Leblond 24806c2102 suricata.yaml: fix path to XDP doc 8 years ago
Victor Julien 1467c30883 pfring: implement 'threads: auto'
If threads is set to auto, first try the CPU count. If that would
fail, fall back to RSS queue count.
8 years ago
Victor Julien 3ba2c9fba7 pfring: multiple receive threads is not experimental 8 years ago
Victor Julien 4f84672d7c stats: decoder/stream events as stats 8 years ago
Victor Julien c4d8508f51 eve/json: introduce community flow id
Add support for community flow id, meant to give a records a
predictable flow id that can be used to match records to
output of other tools.

Takes a 'seed' that needs to be same across sensors and tools
to make the id less predictable.
8 years ago
Victor Julien ed712768d5 rust: enable by default
Remove 'experimental' label for Rust, and enable it by default if
rustc and cargo (and libjansson) are available.

Add rustc and cargo versions to the build-info.
8 years ago
Victor Julien 8b213e9d63 yaml: fix typo 8 years ago
jason taylor d038c78cd6 config: added ja3 to tls custom logging example
Signed-off-by: jason taylor <jtfas90@gmail.com>
8 years ago
Konstantin Klinger 2938f797f2 yaml: add var for DC_SERVERS (Domain Controller) 8 years ago