Philippe Antoine
1cd314c500
detect: adds icmpv6.mtu keyword
5 years ago
Philippe Antoine
8396333493
detect: adds icmpv6.hdr keyword
5 years ago
Giuseppe Longo
e06291922f
detect/sip.response_line: add sticky buffer
Matches on response line field in SIP.
6 years ago
Giuseppe Longo
17de4a8023
detect/sip.request_line: add sticky buffer
Matches on request line field in SIP.
6 years ago
Giuseppe Longo
8939ece538
detect/sip.stat_msg: add sticky buffer
Matches on status msg field in SIP.
6 years ago
Giuseppe Longo
bd2219cac6
detect/sip.stat_code: add sticky buffer
Matches on status code field in SIP.
6 years ago
Giuseppe Longo
8454122eb2
detect/sip.protocol: add sticky buffer
Matches on protocol field in SIP.
6 years ago
Giuseppe Longo
2661c5b298
detect/sip.uri: add sticky buffer
Matches on uri field in SIP.
6 years ago
Giuseppe Longo
424eead8c0
detect/sip.method: add sticky buffer
Matches on uri field in SIP.
6 years ago
Jason Ish
d79c23baa3
dns/detect: dns.opcode keyword
Add a rule keyword, dns.opcode to match on the opcode flag
found in the DNS request and response headers.
Only exact matches are allowed with negation.
Examples:
- dns.opcode:4;
- dns.opcode:!1;
6 years ago
Jeff Lucovsky
7808b946e3
detect/transform: add dotprefix keyword
6 years ago
Victor Julien
317376f59d
datasets: match on lists of data
Datasets are sets/lists of data that can be accessed or added from
the rule language.
This patch implements 3 data types:
1. string (or buffer)
2. md5
3. sha256
The patch also implements 2 new rule keywords:
1. dataset
2. datarep
The dataset keyword allows matching against a list of values to see if
it exists or not. It can also add the value to the set. The set can
optionally be stored to disk on exit.
The datarep keyword supports matching/lookups only. With each item in the set a
reputation value is stored and this value can be matched against. The
reputation value is unsigned 16 bit, so values can be between 0 and 65535.
Datasets can be registered in 2 ways:
1. through the yaml
2. through the rules
The goal of this rules based approach is that rule writers can start using
this without the need for config changes.
A dataset is implemented using a thash hash table. Each dataset is its own
separate thash.
6 years ago
Victor Julien
24f0092b72
detect: add ipv6.hdr sticky buffer
Inspects IPv6 header and extension headers.
6 years ago
Victor Julien
4ac327f5b5
detect/ipv4: add ipv4.hdr sticky buffer
6 years ago
Victor Julien
ac694b089a
detect: add udp.hdr sticky buffer
6 years ago
Victor Julien
bdf53f449c
detect/tcp: rename tcp keyword files
6 years ago
Victor Julien
35be8385eb
detect: tcp.hdr sticky buffer
Sticky buffer to inspect the TCP header.
6 years ago
Victor Julien
66648df099
detect: add tcp.mss keyword
Allows matching on TCP option MSS.
Syntax:
tcp.mss:<value>;
tcp.mss:<value1>-<value2>;
tcp.mss:<op><value>;
Operator can be: >, <.
6 years ago
Pierre Chifflier
9dfec7e734
SNMP: add the "snmp.pdu_type" detection keyword
6 years ago
Pierre Chifflier
e1dd19a0eb
SNMP: add the "snmp.community" detection keyword
6 years ago
Pierre Chifflier
aa608e0ca2
SNMP: add the "snmp.version" detection keyword
6 years ago
Mats Klepsland
0b489f329c
detect: add (mpm) keyword ja3s.string
Match on JA3S string using ja3s.string keyword, e.g.:
alert tls any any -> any any (msg:"ja3s.string test";
ja3s.string; content:"10-11-12"; sid:1;)
6 years ago
Mats Klepsland
80cee50916
detect: add (mpm) keyword ja3s.hash
Match on JA3S hash using ja3s.hash keyword, e.g.:
alert tls any any -> any any (msg:"ja3s.hash test";
ja3s.hash; content:"b26c652e0a402a24b5ca2a660e84f9d5"; sid:1;)
6 years ago
Mats Klepsland
ba857e9739
detect: add tls.certs keyword
Add keyword to do "raw" matching on each of the certificates in the
TLS certificate sticky buffer.
Example:
alert tls any any -> any any (msg:"tls.certs test"; tls.certs; \
content:"|01 02 03 04|"; sid:1;)
6 years ago
Victor Julien
84da0376fb
detect/http.host: rename file for consistency
6 years ago
Victor Julien
ccdafe6697
detect/http-server-body: move tests to tests/
7 years ago
Victor Julien
64987f36fb
detect/file-data: move tests into tests/
7 years ago
Victor Julien
9a8092249e
detect/http-client-body: move tests into tests/
7 years ago
Victor Julien
76fd666cad
detect/http_raw_header: move tests into tests/
7 years ago
Victor Julien
ab027cb481
detect/http_cookie: move tests into tests/
7 years ago
Victor Julien
2f342da048
detect/http_stat_code: move tests into tests/
7 years ago
Victor Julien
5dfba01b2e
detect/http_stat_msg: move tests to tests/
7 years ago
Victor Julien
b469938998
detect/http_raw_host: move raw into regular host logic
7 years ago
Victor Julien
dc43f35427
detect/http_host: move tests into tests/
7 years ago
Victor Julien
cb332b4cda
detect/http_method: move all tests into tests/
7 years ago
Victor Julien
0a405e27a0
detect/http_raw_uri: code reorganization
Move registration into http_uri logic, move tests into the other uri
tests. Switch to v2 mpm/inspect APIs.
7 years ago
Victor Julien
10e2731f18
detect/http-uri: move tests into tests/
7 years ago
Victor Julien
3111910fc6
detect/http_user_agent: move tests into tests/
7 years ago
Victor Julien
33b81f7439
detect: add verbosity of --list-keywords
Add indicators of content modifier or sticky buffer, and also
allow registering an alternative to a keyword.
7 years ago
Victor Julien
eb73008ccf
detect/transform: add to_sha1 keyword
7 years ago
Victor Julien
75f9c1ae9f
detect/transform: add to_md5 keyword
7 years ago
Victor Julien
ecb5d6419b
rules/transform: add to list-keywords
7 years ago
Jason Ish
35fd10bc2e
rust: app-layer detect template for rust parsers
7 years ago
Victor Julien
486054595a
detect/template2: template with prefilter (copy of ttl)
7 years ago
Victor Julien
af6f52cc09
rules: hide 'template' from --list-keywords
7 years ago
Victor Julien
b0577402b6
rules: hide internal keywords from --list-keywords
7 years ago
Pierre Chifflier
1076c7cd47
Add krb5_err_code detection keyword
7 years ago
Pierre Chifflier
d6b9c0294a
Add krb5_cname and krb5_sname detection keywords
7 years ago
Pierre Chifflier
0bd81ff838
Add krb5_msg_type detection keyword
7 years ago
Mats Klepsland
6e23ae230b
detect: add (mpm) keyword ja3_string
Match on JA3 string using ja3_string keyword, e.g.:
alert tls any any -> any any (msg:"JA3 string test";
ja3_string; content:"65-68-69-102"; sid:1;)
7 years ago