Commit Graph

16889 Commits (b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b)

Author SHA1 Message Date
Philippe Antoine b14c67cbdf detect/pcre: avoid infinite loop after negated pcre
Ticket: 7526

The usage of negated pcre, followed by other relative payload
content keywords could lead to an infinite loop.

This is because regular (not negated) pcre can test multiple
occurrences, but negated pcre should be tried only once.
5 months ago
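The behaviour the commit message describes, modelled as a small relative-match chain (an added illustration, not Suricata's detect engine code; `content`, `pcre` and `match_chain` are hypothetical names): a positive pcre yields every occurrence so later relative keywords can be retried against each one, while a negated pcre is a single yes/no test at the current offset and is never retried. The constructed payloads exercise the problem case, where the negated pcre succeeds and the following relative content fails.

```python
import re
from typing import Callable, Iterator, List, Optional

# A relative matcher takes (payload, offset) and yields every offset from which
# the next keyword in the chain may continue; yielding nothing means no match.
Matcher = Callable[[bytes, int], Iterator[int]]


def content(pattern: bytes, distance: int = 0, within: Optional[int] = None) -> Matcher:
    """Relative content: the pattern may start no earlier than `distance` bytes
    past the previous match and, if `within` is given, must end within `within`
    bytes of it. Like a positive pcre it can succeed at several places, so every
    candidate end offset is yielded for backtracking."""
    def run(payload: bytes, offset: int) -> Iterator[int]:
        start = offset + distance
        end = len(payload) if within is None else offset + within
        while True:
            idx = payload.find(pattern, start, end)
            if idx < 0:
                return
            yield idx + len(pattern)
            start = idx + 1
    return run


def pcre(regex: bytes, negated: bool = False) -> Matcher:
    """Relative pcre (the /R modifier). A positive pcre yields the end of every
    occurrence so later keywords are retried against each one. A negated pcre
    is a single yes/no test at the current offset: it yields that offset exactly
    once when the regex does NOT match, and nothing otherwise. Re-evaluating it
    after a later keyword fails would succeed again at the same offset, which
    is exactly the endless retry that has to be avoided."""
    compiled = re.compile(regex)

    def run(payload: bytes, offset: int) -> Iterator[int]:
        if negated:
            if compiled.search(payload, offset) is None:
                yield offset
            return
        for m in compiled.finditer(payload, offset):
            yield m.end()
    return run


def match_chain(payload: bytes, chain: List[Matcher], offset: int = 0) -> bool:
    """Depth-first evaluation of a relative keyword chain with backtracking:
    each keyword is tried at every offset its predecessor produced."""
    if not chain:
        return True
    head, rest = chain[0], chain[1:]
    return any(match_chain(payload, rest, nxt) for nxt in head(payload, offset))


if __name__ == "__main__":
    # Constructed rule: content:"GET "; pcre:!"/\/evil/R"; content:"HTTP"; distance:0;
    rule = [content(b"GET "), pcre(rb"/evil", negated=True), content(b"HTTP")]
    # Problem case: the negated pcre succeeds, the following content fails; the
    # chain must terminate with "no match" instead of retrying the negation.
    print(match_chain(b"GET /a", rule))  # False
    print(match_chain(b"GET /a HTTP/1.0", rule))  # True
```

Because `match_chain` consumes each matcher as a generator, the negated pcre simply has no second value to offer when the chain backtracks into it, whereas a positive pcre followed by a `within`-bounded content is retried occurrence by occurrence.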
Jason Ish 66e47a1983 rust: pin once_cell to work with Rust 1.67.1
Clap uses once_cell which recently released v1.20 which updated its
MSRV to 1.70. Locally pin once_cell to 1.20.3 to maintain our MSRV.
5 months ago
Victor Julien 559e4ce062 pcap: skip pcap-config if pkgconfig in use 5 months ago
Victor Julien 2aceb9b76f detect/action: minor action parsing cleanup
Preparation for explicit action scope parsing.
5 months ago
Victor Julien fa9dbe3970 detect/loader: minor code cleanup 5 months ago
Victor Julien ce26159a03 detect: constify rule file and lines in parsing and analyzer 5 months ago
Victor Julien c65756a38c tls: fix handshake handling being too strict
e.g. server hello done has no data
5 months ago
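A minimal handshake walker showing the case the commit fixes (an added example in Python, not Suricata's TLS parser; the function and constant names are the example's own): handshake messages coalesced in one record are parsed from their 1-byte type and 3-byte length, and a zero-length body such as ServerHelloDone is accepted rather than rejected as truncated. The sample record is constructed inline.

```python
import struct
from typing import List, Tuple

HANDSHAKE_RECORD = 22
HANDSHAKE_NAMES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}


def parse_record(record: bytes) -> Tuple[int, bytes]:
    """Split a TLS record into (content_type, fragment), refusing truncation."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    fragment = record[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record fragment")
    return content_type, fragment


def parse_handshake_messages(fragment: bytes) -> List[Tuple[int, bytes]]:
    """Walk the handshake messages coalesced in one record fragment.
    Header is 1 byte type + 3 byte length. A zero length is legal and must not
    be treated as an error: ServerHelloDone and HelloRequest carry no body.
    Only a body shorter than its declared length is a truncation."""
    messages = []
    pos = 0
    while pos < len(fragment):
        if len(fragment) - pos < 4:
            raise ValueError("truncated handshake header")
        hs_type = fragment[pos]
        length = int.from_bytes(fragment[pos + 1:pos + 4], "big")
        body = fragment[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        messages.append((hs_type, body))
        pos += 4 + length
    return messages


def handshake_types(record: bytes) -> List[str]:
    """Names of the handshake messages carried by one handshake record."""
    content_type, fragment = parse_record(record)
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    return [HANDSHAKE_NAMES.get(t, f"type_{t}") for t, _ in parse_handshake_messages(fragment)]


def build_handshake(*messages: Tuple[int, bytes]) -> bytes:
    """Encode handshake messages into a single TLS 1.2 handshake record."""
    body = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in messages)
    return bytes([HANDSHAKE_RECORD, 3, 3]) + len(body).to_bytes(2, "big") + body


# Constructed sample: a minimal TLS 1.2 ServerHello body (version, 32-byte
# random, empty session id, one cipher suite, null compression) followed by a
# ServerHelloDone with an empty body, both in the same record.
SERVER_HELLO_BODY = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
SAMPLE_RECORD = build_handshake((2, SERVER_HELLO_BODY), (14, b""))

if __name__ == "__main__":
    print(handshake_types(SAMPLE_RECORD))  # ['server_hello', 'server_hello_done']
```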
Victor Julien f5e4c52f44 app-layer: constify AppLayerGetProtoByName 5 months ago
Victor Julien b5cd1e578b detect/tls: don't double register tls_validity generic list 5 months ago
Victor Julien c1155e473d detect/nfs: don't double register nfs_request generic list 5 months ago
Victor Julien 7cafdfac11 detect: don't register duplicate app inspect engines 5 months ago
Victor Julien b649252059 detect/analyzer: add policy
Example output:

    "match_policy": {
        "actions": [
            "alert",
            "drop"
        ],
        "scope": "flow"
    },
5 months ago
Victor Julien 609a59a529 smtp/events: set direction on rules
Several rules matched on both directions even if events are set in a single direction.
5 months ago
Jason Ish 3658d502ff github-ci: don't run builds on PR if only docs changed 5 months ago
Jason Ish ed30e95a09 github-ci: stop caching system packages 5 months ago
Victor Julien fbfeea752a lua: remove script_api_ver
Not documented and never set to new values despite updates.

Ticket: #7492.
5 months ago
Victor Julien 0f13908b72 contrib: remove suri-graphite
Built for py2.

Remove now empty contrib dir.

Ticket: #6888.
5 months ago
Victor Julien 1c386e64ce contrib: remove file_processor
Has been developed for a now obsolete file log format.

Ticket: #6888.
5 months ago
Victor Julien 99f151c907 detect/dcerpc.iface: remove commented out unittest 5 months ago
Victor Julien b8ed01e23e eve/schema: map tls fields to keywords 5 months ago
Shivani Bhardwaj fc1dbf6eb4 schema: add rule keyword mapping for dcerpc 5 months ago
Juliana Fajardini d8523d9d97 userguide/header-keywords: fix typos, adjust format 5 months ago
Juliana Fajardini 28407b2fb8 doc/rule-types: remove trailing underscore
And other minor fixes that were overlooked.
5 months ago
Juliana Fajardini 4a8da8c448 userguide/suricatactl: use suricata community page
We were mentioning "Suricata Support" page, which could be a bit
misleading -- and also used a link that is actually redirected to the
Suricata Community page, anyways.
5 months ago
Jason Ish 5718d5c0fa github-ci: pin rust version for clippy tests
Prevents CI breakage after a new Rust release until we're ready to make
the changes.
5 months ago
Jason Ish cbc296f313 github-ci: update rpm builder to fedora 41 5 months ago
Jason Ish 65b863b087 github-ci: update Fedora non-root build to Fedora 41 5 months ago
Jason Ish 70d5bae160 github-ci: remove fedora 40 builds where 41 exists
Remove Fedora 40 builds where there is a Fedora 41 equivalent.
5 months ago
Jason Ish facd525692 eve-parity: merge $ref props into current object
Allows for a "suricata" entry along with a "$ref".
5 months ago
Jason Ish 744f301df4 eve-parity: handle arrays of scalars
And add an example with "client_alpns".
5 months ago
Bryan Benson 15da9d783e rust: Update sawp dependencies to 0.13.1 due to SPDX license compatibility. 5 months ago
Jeff Lucovsky e9717f3ad2 detect/lua: Fix max value displayed in error msg
This commit corrects an error message displayed when the key length is
out of range.
5 months ago
Jeff Lucovsky 3d26f917ee var: Use 16-bit container for type
Issue: 6855: Match sigmatch type field in var and bit structs

Align the size and datatype of type, idx, and next members across:
- FlowVarThreshold
- FlowBit
- FlowVar
- GenericVar
- XBit
- DetectVarList

Note that the FlowVar structure has been intentionally constrained to
match the structure size prior to this commit. To achieve this, the
keylen member was restricted to 8 bits after it was confirmed its value
is checked against a max of 0xff.
5 months ago
Philippe Antoine d8ddef4c14 detect: delay tx cleanup in some edge case
Ticket: 7552

f->sgh_toserver may be NULL, but because FLOW_SGH_TOSERVER is unset
we want to delay cleanup until detection has really been
run with the right signature group head.

This may happen for a rule using
`alert tcp any any -> any any` and
an app-layer keyword to client
with an app-layer supporting both udp and tcp
with stream.midstream=true
and with the first packet of a flow being a server response

In this case, we swap the flow and reset its signature group heads
5 months ago
Philippe Antoine d74bc774b7 detect: reset signature groups when reversing flow
Ticket: 7552

When we use midstream, and the first packet we see of a flow is
a response from server, and we want to match on some signature
to client:
- we had first set sgh_toserver/FLOW_SGH_TOSERVER as we first
  thought this was a packet to server
- we then swap/reverse the flow, so sgh_toclient becomes sgh_toserver
  but it contains signatures to server and cannot match our
  to_client signature

The detect engine with DetectRunSetup will set again the
signatures group heads properly
5 months ago
Jason Ish 6477b31199 eve-parity: skip transform keywords 5 months ago
Jason Ish 771d9d9d8b schema: mark dns.version and dns.grouped as having no keywords 5 months ago
Jason Ish 00a571a25c schema: mark "stats" and "drop" as having no keywords 5 months ago
Jason Ish 33c29be139 detect-dns-response: remove unit tests
Should have coverage by S-V now.
5 months ago
Jason Ish 861896ed39 script/eve-parity: add script for checking eve/keyword parity
Currently this script has two commands: "missing" and "having".

"missing" will show eve fields that do not map to any keywords.

"having" will show eve fields along with their keyword mappings,
while also validating that those keywords really exist.

Related to tickets: #6463, #4772
5 months ago
Jason Ish 115d7d3c6d schema: add an object for mapping fields to keywords
To some EVE fields and a "suricata" object that contains an array of
keywords. These are the keywords that map directly to this field, or
somehow cover this field.

This is an attempt at tooling to help with EVE and keyword parity.

Related to tickets: #5642, #6463, #4772
5 months ago
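A compact version of the parity check sketched in the eve-parity commits above (the "missing" and "having" commands, merging `$ref` properties into the current object, and treating arrays of scalars such as `client_alpns` as leaf fields), written as an added Python example rather than the project's own script. It assumes a schema shape modelled on the description: a field carries a `"suricata": {"keywords": [...]}` object, an empty list is taken to mean "reviewed, intentionally no keyword", and an absent object means "not yet mapped". The schema document and the keyword table are constructed inline.

```python
from typing import Iterator, List, Optional, Set, Tuple

# Constructed miniature schema (nothing here is copied from Suricata's schema.json).
SAMPLE_SCHEMA = {
    "definitions": {
        "rrname": {"type": "string", "suricata": {"keywords": ["dns.query.name"]}},
    },
    "properties": {
        "tls": {"type": "object", "properties": {
            "sni": {"type": "string", "suricata": {"keywords": ["tls.sni"]}},
            # array of scalars: the array itself is the matchable field
            "client_alpns": {"type": "array", "items": {"type": "string"},
                             "suricata": {"keywords": ["tls.alpn"]}},
            "version": {"type": "string"},
        }},
        "dns": {"type": "object", "properties": {
            "version": {"type": "integer", "suricata": {"keywords": []}},
            "queries": {"type": "array", "items": {"type": "object", "properties": {
                "rrname": {"$ref": "#/definitions/rrname"},
            }}},
            "answers": {"type": "array", "items": {"type": "object", "properties": {
                # $ref plus a sibling "suricata" entry: the sibling wins after merging
                "rrname": {"$ref": "#/definitions/rrname",
                           "suricata": {"keywords": ["dns.answer.name"]}},
                "ttl": {"type": "integer"},
            }}},
        }},
        "ldap": {"type": "object", "properties": {
            "responses": {"type": "array", "items": {"type": "object", "properties": {
                "bind_response": {"type": "object", "properties": {
                    "message": {"type": "string",
                                "suricata": {"keywords": ["ldap.responses.message",
                                                          "ldap.bogus.message"]}},
                }},
            }}},
        }},
        "stats": {"type": "object", "suricata": {"keywords": []},
                  "properties": {"uptime": {"type": "integer"}}},
    },
}

# Stand-in for the real keyword table (in practice: the keyword list Suricata reports).
KNOWN_KEYWORDS = {"tls.sni", "tls.alpn", "dns.query.name", "dns.answer.name",
                  "ldap.responses.message"}


def resolve_ref(root: dict, ref: str) -> dict:
    """Follow a local JSON pointer such as "#/definitions/rrname"."""
    if not ref.startswith("#/"):
        raise ValueError(f"unsupported $ref: {ref}")
    node = root
    for part in ref[2:].split("/"):
        node = node[part]
    return node


def merge_ref(root: dict, node: dict) -> dict:
    """Return `node` with the properties of its $ref target merged in; the
    node's own keys (such as a "suricata" entry) take precedence."""
    if "$ref" not in node:
        return node
    merged = dict(merge_ref(root, resolve_ref(root, node["$ref"])))
    merged.update({k: v for k, v in node.items() if k != "$ref"})
    return merged


def walk_fields(root: dict, node: Optional[dict] = None, prefix: str = "") -> Iterator[Tuple[str, dict]]:
    """Yield (dotted path, node) for every matchable EVE field. Annotated nodes
    are reported as-is; unannotated objects and arrays of objects are descended
    (array elements get a "[]" suffix); arrays of scalars are leaves."""
    node = merge_ref(root, root if node is None else node)
    for name, child in node.get("properties", {}).items():
        child = merge_ref(root, child)
        path = prefix + name
        if "suricata" in child:
            yield path, child
            continue
        items = merge_ref(root, child.get("items", {})) if child.get("type") == "array" else None
        if child.get("type") == "object" and "properties" in child:
            yield from walk_fields(root, child, path + ".")
        elif items is not None and items.get("type") == "object" and "properties" in items:
            yield from walk_fields(root, items, path + "[].")
        else:
            yield path, child


def missing(root: dict) -> List[str]:
    """Fields with no keyword mapping at all (the "missing" command)."""
    return [path for path, node in walk_fields(root) if "suricata" not in node]


def having(root: dict, known: Set[str]) -> List[Tuple[str, List[str], List[str]]]:
    """Fields with keywords, plus the subset of those keywords that do not
    exist in the keyword table (the "having" command with validation)."""
    out = []
    for path, node in walk_fields(root):
        keywords = list(node.get("suricata", {}).get("keywords", []))
        if keywords:
            out.append((path, keywords, [k for k in keywords if k not in known]))
    return out


if __name__ == "__main__":
    for path in missing(SAMPLE_SCHEMA):
        print("missing:", path)
    for path, keywords, unknown in having(SAMPLE_SCHEMA, KNOWN_KEYWORDS):
        print("having:", path, keywords, "UNKNOWN: " + ", ".join(unknown) if unknown else "")
```

Run against the constructed schema, `missing` reports `tls.version` and `dns.answers[].ttl`, while `having` flags `ldap.bogus.message` as a keyword that does not exist; `dns.version` and `stats` are neither missing nor having, since their empty keyword lists mark them as deliberately unmapped.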
Jason Ish 814e9ffb7a dns: add keywords for additionals and authorities rrnames
Add keywords dns.additionals.rrname and dns.authorities.rrname. Along
the way, consolidate dns.query.name and dns.answer.name into a single file
and register them altogether since there is a lot of common code.
5 months ago
Jason Ish c57e1425f5 detect: split new keyword id from registration
Split DetectHelperKeywordRegister into 2 functions, one for acquiring
a new keyword ID, and another to perform the registration.

This makes it easier to do the traditional C keyword initialization
with a dynamic ID.
5 months ago
Jason Ish 870bf73380 dns: refactor function to get rrname to be safe
Make the function safe by returning a reference to the DNSName object,
the unsafe C wrapper can do the conversion to pointers.
5 months ago
Jason Ish a9bf6bbd0e detect-dns-response: disable clang-format around byte arrays
These arrays are manually formatted for readability.
5 months ago
Jason Ish a026293b42 dns: rename dns.response keyword to dns.response.rrname
This is a better name as the keyword is looking at all rrname type
fields in the response.
5 months ago
Nathan Scrivens d3953dee8b doc/userguide: document dns.response
Feature: 7012
5 months ago
Nathan Scrivens 07632fdf4e dns: add dns.response sticky buffer
Feature: 7012
Add dns.response sticky buffer to match on dns response fields.
Add rust functions to return dns response packet data.
Unit tests verifying signature matching.
5 months ago
Philippe Antoine f68e2f5537 files: append data on closing even with FILE_NOSTORE
Ticket: 7577

When HTTP1 post multipart handles a small file, it will call
HTPFileClose with some data.
This data needs to be appended to the streaming buffer for usage
by the file.data keyword even if we do not end up storing the file.
5 months ago
Alice Akaki 137f7fe652 detect: add ldap.responses.message
ldap.responses.message matches on LDAPResult error message
This keyword maps the following eve fields:
ldap.responses[].bind_response.message
ldap.responses[].search_result_done.message
ldap.responses[].modify_response.message
ldap.responses[].add_response.message
ldap.responses[].del_response.message
ldap.responses[].mod_dn_response.message
ldap.responses[].compare_response.message
ldap.responses[].extended_response.message
It is a sticky buffer
Supports prefiltering

Ticket: #7532
5 months ago