Commit Graph

10973 Commits (beb45c564ec3ed8891189c15ec93195b3e3d87d8)
Author SHA1 Message Date
Victor Julien ebecaca7ea eve/anomaly: enable by default
Default config will only enable 'app-layer' type within the anomaly
logger.
5 years ago
Victor Julien ea3d9c3230 htp: require 0.5.31 5 years ago
Victor Julien 514c7c1a04 yaml: minor improvements 5 years ago
Victor Julien cec8067001 yaml: clean up 'autofp-scheduler' option 5 years ago
Jeff Lucovsky d514a38913 log/anomaly: remove leading underscore from static var 5 years ago
Jeff Lucovsky 17c3e22ecd doc/eve.alert: Expand metadata description 5 years ago
Jeff Lucovsky 95879c0d5a logging/alert: Warn if metadata not selected
Warn when HTTP body logging has been selected but applayer/metadata
logging is not configured.
5 years ago
Jeff Lucovsky 883cad1a86 logging/anomaly: Clarify anomaly logging
Clarify the description of the anomaly logging types.
5 years ago
Jeff Lucovsky af615baaf7 logging/alert: Expand alert logging description
Clarify the configuration requirements for alerts and http-body logging.
5 years ago
Jeff Lucovsky 354074bac6 ftp: Handle malformed RETR/STOR
Ensure that RETR (STOR) have a filename -- otherwise, treat the command
string as malformed.

Added unittests for each command and verified that SEGVs occur without
the parser change and no longer occur with the parser change.
5 years ago
Fabrice Fontaine 61becb29bf configure.ac: fix --disable-geoip
$enableval should be used to know if the user has passed --enable-geoip
or --disable-geoip

Fixes:
 - http://autobuild.buildroot.org/results/a7a34f760ae5fe0922fdb720b8234dbcd85ed222

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
5 years ago
Jason Ish 99d9e09599 config: install classification.config (and ref) to $datadir
Install classification.config and reference.config to $datadir,
where they can be updated on every upgrade.

This required moving them into a sub-directory for autotools
to do its thing.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3209
5 years ago
Victor Julien 7609adb05d Revert "runmode: consider test mode a user mode"
This reverts commit 6dca50a322.

The test mode should actually test in system mode by default as
that is what tools like Suricata-Update need before issuing a
reload command.
5 years ago
Victor Julien 0771eb1e0e detect/ja3: print error for one rule only
Use 'silent error' logic for any other rules using ja3 as well.
5 years ago
Victor Julien 4d44ca7739 detect/parse: allow signature parsing to fail silently
A sigmatch's 'Setup' function may indicate it intends to fail
silently after the first error. It will return -2 instead of -1
in this case.

This is tracked in the DetectEngineCtx object, so errors will
be shown again at rule reloads.
5 years ago
Victor Julien aa5a6ab5f1 detect/parser: minor cleanup 5 years ago
Victor Julien c582fd28d9 tls/ja3: allow 'auto' setting for ja3 5 years ago
Victor Julien ca5226f0c7 tls/ja3: try to enable ja3 if rule keywords need it 5 years ago
Victor Julien 29dcd98ed1 tls/ja3: add way to check active config 5 years ago
Victor Julien 788c9f8f11 tls/ja3: don't disable; allowing runtime enabling 5 years ago
Victor Julien 4cd3b84606 tls/ja3: allow dynamic enabling of ja3 5 years ago
Victor Julien 09882ec4cb detect/reference: implement strict parsing option 5 years ago
Victor Julien 89a717d41c detect/classtype: implement strict parsing option 5 years ago
Victor Julien b5521b58bc detect/parse: add --strict-rule-keywords option
Add --strict-rule-keywords commandline option to enable strict rule
parsing.

It can be used without options or with a comma separated list:
--strict-rule-keywords
--strict-rule-keywords=all
--strict-rule-keywords=classtype,reference

Parsing implementations can use SigMatchStrictEnabled to check
if strict parsing is enabled for them and act accordingly.
5 years ago
Victor Julien 88e26ea914 detect: use named enum for keyword types 5 years ago
Victor Julien 0b40d4ae93 detect/reference: allow undefined references
References are currently not used in Suricata, so erroring out on
rules using an undefined reference is too harsh.

Just issue a warning once per unique missing reference.
5 years ago
Victor Julien 61185cc9ba reference: change scope of add func to global 5 years ago
Victor Julien d17a3b3c2b reference: use global defines for size limits 5 years ago
Victor Julien e278953455 detect/reference: code cleanups 5 years ago
Victor Julien 523e91b231 detect/classtype: check size of rule input 5 years ago
Victor Julien e5f6f38481 classtype: handle missing classification.config
Still initialize the classtype hash table so that the classtypes
rules use can be added to it.

The file missing now reports a warning instead of an error, as we
will continue to work.
5 years ago
Victor Julien 517834e327 classtype: use global defines for size limits 5 years ago
Victor Julien 99bdb54d9f detect/classtype: show file and line for unknown classtype 5 years ago
Victor Julien 43b5234055 detect/priority: use global define for default prio 5 years ago
Victor Julien 954c43daf4 detect/classtype: allow undefined classtypes
Effect of classification on Suricata's working is minimal. Impact
of adding undefined classtypes is large: rules will fail to load
completely. This also leads to multiple lines of log output per rule,
which in a large ruleset can lead to excessive output.

This patch changes the classtype keyword behavior. Instead of erroring
and invalidating a rule, we will merely warn.

The undefined classtype is then defined with a default priority,
so other rules using the classtype will not also warn. This way
there will be just a single warning per missing classtype.
5 years ago
Victor Julien 323a747f39 classtype: increase id size
Switch from u8 to u16 to allow for more classtypes.

Rename Signature::class to Signature::class_id to make it clear
it is an id.
5 years ago
Victor Julien ccf6c5a6ef classtype: small memory reduction
Reduce memory use by making sure SCClassConfClasstype
has a more optimal memory layout.
5 years ago
Victor Julien 26e2370f99 classtype: put UNITTESTS guards where appropriate 5 years ago
Victor Julien e104c3d913 classtype: reduce scope of functions 5 years ago
Victor Julien a37e09cbe0 detect/classtype: change duplicate classtype behavior
Detect duplicate instances and use the one with the highest
priority.

Use new priority flag to make the logic around explicit priority
sets easier to follow.

Minor code cleanups. Also clean up unittests.
5 years ago
Victor Julien c471d81f04 detect/priority: change duplicate priority behavior
Introduce Signature init_flag to indicate priority has been set.
This will be needed in a follow-up classtype update.

Detect duplicate priority instances in a keyword, and use the
highest priority in the rule. Do issue a warning in this case.
5 years ago
Victor Julien 828d2572f8 detect: use BIT_U32 macros for INIT flags 5 years ago
Victor Julien 3fd4e7bd05 detect/priority: minor cleanups 5 years ago
Victor Julien bfee28db5e detect/classtype: clean up error handling 5 years ago
Victor Julien 5e5761a29c detect/classtype: warn on duplicate classtype
Issue warning instead of erroring and invalidating the rule.

It's not a very serious issue, so don't error out.
5 years ago
Victor Julien 282e1c2520 detect/classtype: fix parsing error checking 5 years ago
Jason Ish 2d0b3d7320 detect/test: update test for file prune changes
As the file prune is now moved to the flow worker, the file
prune is run later, meaning the first file has not yet
been pruned from the file container list.

Adjust test to look for a second file, and check the
flags on that file.

For commit addressing bug 2490.
5 years ago
Jason Ish ebcc4db84a file extraction: always prune files after detect
If a keyword like filemd5 was being used without a filestore,
or a file output enabled, it would be pruned before detection
had a chance to match.

Consolidate file pruning to the end of the flow worker so files
are available for detection even when a file output is not
enabled.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2490
5 years ago
Victor Julien c7e4433fe9 afl/decode: fix stats related memleak reports 5 years ago
Shivani Bhardwaj 8940a9d326 afp: nicer error message in case of fanout failure
Use clearer message in case fanout is not supported or cluster_id is
already in use.

Closes redmine ticket #1940.
5 years ago