aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
9,091 Commits
10 Branches
154 Tags
164 MiB
dependabot/github_actions/actions/checkout-4.2.1
dependabot/github_actions/github/codeql-action-3.26.12
dependabot/github_actions/actions/upload-artifact-4.4.3
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'bf4398b15d'
${ noResults }
Commit Graph

9091 Commits (bf4398b15d4244a51800ece59566babd2be1fa05)
 

Author SHA1 Message Date
Maurizio Abba bf4398b15d output-json: ensure string is json-encodable 
Substitute json_string with SCJsonString custom function.
SCJsonString will ensure string passed is json-encodable (utf-8).
If it's not, the string will be converted in such a way that any
non-printable character will be encoded in its hex form.
The resulting json object will be returned.

rust modification will encode any non-printable character during its
conversion in to_cstring.
 6 years ago
Victor Julien 4f32324fe4 devices: clean up device init code 6 years ago
Eric Leblond 023bb72cc6 suricata: fix init process for layer 2 IPS 
4474889667 did break the logic of IPS
mode detection for layer 2 IPS mode like Netmap and AF_PACKET. This
pach fixes the issue by calling the IPS detection mode after
complete registration of the interfaces.

Reported-by: Alexander Gozman <a.gozman@securitycode.ru>
 6 years ago
Victor Julien 44daf84321 output/tls: don't pass NULL fingerprint to json logging 6 years ago
Victor Julien 155a017cf8 ssl: fix uninitialized variable warning 6 years ago
Victor Julien 3c72d67635 detect/analyzer: log mask flags and more engine details 6 years ago
Victor Julien c4b56ca289 dcerpc: fix dce_iface not matching 6 years ago
Victor Julien a2b8ea57fc detect/dce: fix false positives in detection 
If a signature didn't explicitly specified 'dcerpc' or 'smb' as the
app proto, false positives on other traffic could happen. This was
caused by the sig not having a app_proto set. This isn't set as the
rule is supposed to match against either ALPROTO_DCERPC or ALPROTO_SMB.

To avoid adding runtime costs for checking for both protocols, this
patch adds a new flag for DCERPC in the 'mask' logic. The flag is set
on the sig if dce_* keywords are present and set on the packet if the
flow's app proto is either ALPROTO_DCERPC or ALPROTO_SMB.

Bug #2559

Reported-by: Jason Taylor
 6 years ago
Victor Julien 8547d113bf detect: minor code cleanups 6 years ago
Victor Julien 329e029525 detect/dce: keyword cleanups 6 years ago
Victor Julien 177966970a smb: probing parser improvement 6 years ago
Victor Julien fd38989113 proto/detect: remove probing parser offset argument 
Remove offset argument as it was unused.
 6 years ago
Victor Julien 991ec4ed60 detect/flow: minor code cleanups 6 years ago
Victor Julien bfa884c956 detect: avoid potential use-after-free in error path 6 years ago
Victor Julien 9cd0bbcab1 proto/detect: minor cleanup 6 years ago
Victor Julien d062089c60 detect: clean up counter registration 6 years ago
Victor Julien e8079e2f1b flow: fix comment typos 6 years ago
Victor Julien c6e79f4410 nfs4: create tx for CREATE procedure 6 years ago
Victor Julien 90e0e3da27 nfs: fix applying nfs3 logging logic to nfs4 6 years ago
Victor Julien cb3abba1e0 nfs4: log remove procedure + add multi-proc support 
Add TX creation for NFS4 transactions. Start with the 'REMOVE' procedure.

Start on logging all procs. In NFS4 COMPOUND records there are multiple
procedures. One of them can be considered the 'main' procedure, with others
as supporting utility. This patch adds the first step in supporting to
track those in the TX for logging and inspection.
 6 years ago
Victor Julien ff518e5c64 nfs4: for putrootfh set 'mount root' as name 6 years ago
Victor Julien 22e0fc97f8 nfs: rename generic functions from nfs3 to nfs 6 years ago
Victor Julien d22c170c38 nfs: move v2 parsing into own file 6 years ago
Victor Julien 9b42073e54 nfs3: move nfs3 specific handling into own file 6 years ago
Victor Julien 4c09766b33 nfs: request parser cleanup 6 years ago
Victor Julien e0a58ffa41 changelog: update to 4.1rc1 6 years ago
Victor Julien 87839d973c changelog: add missing 4.1beta1 tickets 6 years ago
Victor Julien f570905f8c nfs: get rid of reachable panic statements 6 years ago
Victor Julien 8a1af5c367 nfs4: remove panic calls, set events instead 6 years ago
Victor Julien f2382356b1 nfs4: support 4.1 SEQUENCE procedure 6 years ago
Jason Ish 64b6ff7392 config: better default rule file configuration 
Move the rule file configuration down near the bottom of the
configuration file under advanced settings. With the bundling
of Suricata-Update, any rule file configuration within
suricata.yaml could be considered advanced.

Add extra comments to the yaml to make it more clear which was
enabled at installation time.
 6 years ago
Danny Browning cd40a3f7ac detect-parse: fix missing space in error message (2541) 
Fix missing space in error message.
 6 years ago
Victor Julien f68bf3301a enip: harden byte parsing code 
Make sure we never read more than we have.

Reported-by: Henning Perl
 6 years ago
Victor Julien 9ba89a31ef ssh: fix out of bounds read in banner parsing 
Reported-by: Henning Perl
 6 years ago
Victor Julien 843d0b7a10 stream: support RST getting lost/ignored 
In case of a valid RST on a SYN, the state is switched to 'TCP_CLOSED'.
However, the target of the RST may not have received it, or may not
have accepted it. Also, the RST may have been injected, so the supposed
sender may not actually be aware of the RST that was sent in it's name.

In this case the previous behavior was to switch the state to CLOSED and
accept no further TCP updates or stream reassembly.

This patch changes this. It still switches the state to CLOSED, as this
is by far the most likely to be correct. However, it will reconsider
the state if the receiver continues to talk.

To do this on each state change the previous state will be recorded in
TcpSession::pstate. If a non-RST packet is received after a RST, this
TcpSession::pstate is used to try to continue the conversation.

If the (supposed) sender of the RST is also continueing the conversation
as normal, it's highly likely it didn't send the RST. In this case
a stream event is generated.

Ticket: #2501

Reported-By: Kirill Shipulin
 6 years ago
Victor Julien 33614fcae0 stream-events: fix mapping 6 years ago
Victor Julien 2b581cd6db smb: log trans2 that enable delete on close 6 years ago
Victor Julien eefac0ef95 smb1: add support for trans2 set_path_info rename 6 years ago
Victor Julien 1b86d4e1a2 smb: improve dcerpc logic 
Detect whether a pipe is a dcerpc channel based on the name of the
pipe.
 6 years ago
Victor Julien 7c8a078a2c smb1: improve NT Create response record parsing 6 years ago
Victor Julien 83e7ddf41f http: fix setting event on the last tx 6 years ago
Victor Julien 62e6e0eb3c pcap-file: fix segv on bad pcap format 6 years ago
Victor Julien d0cded2523 http: set events for too many layers of compression 
libhtp would already issue warnings, but these were not mapped
to events yet.
 6 years ago
Danny Browning 2dc6b6ee14 source-pcap-file: delete when done (2417) 
https://redmine.openinfosecfoundation.org/issues/2417

Add option to have pcap files deleted after they have been processed.
This option combines well with pcap file continuous and streaming
files to a directory being processed.
 6 years ago
Victor Julien 84fc43842f detect: fix memory leak in app-layer-event keyword 
Bug #2515.
 6 years ago
Victor Julien 5c584c2b74 app-layer/tcp: set STREAM_MIDSTREAM flag 6 years ago
Victor Julien 2e6014b15c rust/smb: search for record on midstream start 
Calls with both START and MIDSTREAM mean the record might be cut and the
start of it could be missing. For this case, enable the same logic as is
used when catching up after a GAP. Search for the start of the record
instead of assuming it sits exactly at the start of the input data.
 6 years ago
Victor Julien 905d9a1dd8 rust: define all STREAM_* types 6 years ago
Victor Julien 7bc3c3ac6e app-layer: pass STREAM_* flags to parser 
Pass the STREAM_* flags to the app-layer parser functions so that
the parser can know more about how it is called.
 6 years ago
Victor Julien df88c048ba detect: fix delayed detect 
Last multi-detect changes broken delayed-detect by refusing to reload
a 'stub' detect engine. This patch distinguishes between a stub for
multi-tenancy and for delayed detect.
 6 years ago