aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
16,847 Commits
7 Branches
161 Tags
206 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c57e1425f5'
${ noResults }
Commit Graph

982 Commits (c57e1425f5594e28c662bc4359487bba0a8e8bf6)

Author SHA1 Message Date
Sascha Steinbiss d3d9f1c395 redis: implement XADD stream support 
Ticket: #7082
 9 months ago
Juliana Fajardini 1860aa81e6 userguide: fix integer keyword matches list format 
List wasn't being properly rendered.
 9 months ago
Jason Ish cc519beb91 suricata.yaml: add missing custom tls fields 
Also update the suricata.yaml in the userguide.
 9 months ago
Juliana Fajardini 55b922ceed tls/conf: clarify usage of custom vs extended logs 
Since enabling custom logging will replace the extended logging, thus
possibly leading to certain fields disappearing from the logs, mention
this aspect.

Related to
Bug #7333
 9 months ago
Jeff Lucovsky 1e0d3435db doc: add napatech plugin upgrade notes 
Issue: 7165
 10 months ago
Jason Ish 6ae5ae701b doc/userguide: generate eve documentation 
Add EVE documentation for QUIC and Pgsql to their respective sections of
the userguide.

Also add a complete EVE reference as an appendix.

Other protocols can be done, but its a manual process to document in the
schema, then add the glue to pull them into the documentation.

The documentation is generated during "make dist", or if it doesn't
exist, "conf.py" will attempt to generate the eve documentation for
building on Readthedocs.
 10 months ago
Philippe Antoine bb714c9178 http: have a headers limit 
Ticket: 7191

So as to avoid quadratic complexity in libhtp.
Make the limit configurable from suricata.yaml,
and have an event when network traffic goes over the limit.
 10 months ago
Philippe Antoine e47598110a detect/datasets: implement unset command 
Ticket: 7195

Otherwise, Suricata aborted on such a rule
 10 months ago
Juliana Fajardini 18e0d23ed3 docs: remove mentions to Suricata-6 
Task #7262
 10 months ago
Juliana Fajardini d1d1c8cdac doc/conf/yaml: replace underscore with dashes 
Use sed + regex to replace all occurrences of suricata.yaml terms that
used underscore for their up-to-date dash version.

Also search for such terms in the eve-log.yaml partials file, as that
is referenced in the configuration section.

commands used:

sed -i 's/\(^ *[a-z]*\)_\([a-z]*:\)/\1-\2/g'
sed -i 's/\(^ *[a-z]*\)_\([a-z]*\)_\([a-z]*:\)/\1-\2-\3/g'

Some other instances were found manually.

Task #7260
 10 months ago
Philippe Antoine 7ab833471e doc/rfb: mention accidental fix for security_result log 
Ticket: 7198
 10 months ago
Giuseppe Longo 036b68b0a9 doc: add new sip keywords 10 months ago
Juliana Fajardini ef63aa50e2 doc/configuration: improve emergency-recovery docs 
When removing mentions to `prune-flows` a few inconsistencies for how
we write and refer to `emergency-recovery` were left behind, still.
 10 months ago
Philippe Antoine de9413c654 detect: safety for app-layer logging of stream-only rules 
If a stream-only rule matches, and we find a tx where we
want to log the app-layer data, store into the tx data that
we already logged, so that we do not log again the app-layer metadata

Ticket: 7085
 10 months ago
jason taylor f46a8776ec doc: add note about big endian for icmp_seq match 10 months ago
Juliana Fajardini 1420c83a87 doc/configuration: remove mention to prune-flows 
Although the `prune-flows` option was removed with a5587fec2e,
when documentation for the suricata.yaml config file was added with
b252b0d, this option was also included - as has remained until now.
 10 months ago
Jeff Lucovsky 8064847fc6 doc: Document reference config setting 
Issue: 4974
 10 months ago
Philippe Antoine 0ebb84538e http2: add frames support 
Ticket: 5743

Why ? To add detection capabilities
 11 months ago
Jason Ish 685baa9680 output-filedata: rename and document registration function 
Prefix registration function and pointer function type with SC, as
well as document.

Ticket: #7227
 11 months ago
Jason Ish b51eeb3ab5 output-file: rename and document registration function 
Rename OutputRegisterFileLogger to SCOutputRegisterFileLogger, add
function documentation and include in userguide.

Ticket: #7227
 11 months ago
Jason Ish 14b648f286 output-streaming: rename and document registration 
Prefix the registration function and types with "SC", and add function
documentation.

Ticket: #7227
 11 months ago
Jason Ish 1ebf33b3c9 output-tx: rename and document transaction logger registration 
Rename OutputRegisterTxLogger to SCOutputRegisterTxLogger to make it
part of the public API as well as document.

Ticket: #7227
 11 months ago
Jason Ish bb128e3959 devguide: more on low level logging 
Use the extending/output section to introduce the low level logging
API.

Ticket: #7227
 11 months ago
Juliana Fajardini f3e1095244 userguide: update Security Onion docs reference 
They have updated their docs domain, leading to the link we had
returning a 404.

Also checked the other links. Although some seem to only contain old
traffic, they all still work.
 11 months ago
Sascha Steinbiss cb14e44780 userguide: fix spelling of `security_result` EVE field 
This ensures that the correct spelling of the `security_result` EVE
field for RFB (as opposed to `security-result`) is also reflected in the
documentation.

Ticket: #7210
 11 months ago
Shivani Bhardwaj 1345c6d1cb doc/file-extraction: fix highlight syntax 11 months ago
Juliana Fajardini 682b199ea0 userguide: expand documentation for rule profiling 
The page about performance and rule profiling showed the table generated
by rules profiling but didn't inform how to achieve nor find it.

Task #4359
 11 months ago
Jason Ish 15fe844ae7 syslog: deprecate 
The standalone syslog output is now deprecated for Suricata 8. Display
a warning on use and add notes to the userguide.

Ticket: #6544
 11 months ago
Jason Ish 5853fb922d tls-log: deprecate 
tls-log is now deprecated and will be removed in Suricata 9.0. Display
a deprecation notice on use, and add notes to the user guide.

Ticket: #6542
 11 months ago
Jason Ish ab26323a96 http-log: deprecate 
http-log is now deprecated and will be removed in Suricata
9.0. Display a deprecation notice on use, and add notes to the
userguide.

Issue: #6543
 11 months ago
Victor Julien 688bd538cf pcap: implement pcap-file-buffer-size option 
Allows easy specification of buffer size on the commandline.

Ticket: #7155.
 11 months ago
Juliana Fajardini 246acc7140 userguide: clarify flow:stateless explanation 
While not incorrect, the previous wording made the sentence almost
paradoxical. While at it, also highlight a side effect that might not be
so clear to users.

Related to
Bug #6976
 12 months ago
Philippe Antoine 62a186ceef detect/rfb: move keywords to rust 
Ticket: 7178

On the way, convert rfb.secresult to a generic integer with enumeration
cf ticket 6723
 12 months ago
Victor Julien fa9cae3899 doc/userguide: document logging changes from 6 to 7 
Minor other logging related improvements like clarifying language and
improving formatting for pdf output.
 12 months ago
Philippe Antoine 0b2ed97f36 ssh: frames support 
Ticket: 5734

Adds frames for SSH records, that come after banner, and before
the data is encrypted.
These records may contain cipher lists for instance.
 12 months ago
Giuseppe Longo 70ed9f91d8 doc: add ldap protocol 1 year ago
Philippe Antoine bce8f4b853 detect/ssh: remove deprecated keywords 
Ticket: 2377
 1 year ago
Philippe Antoine 0a1062fad2 detect/mqtt: move keywords to rust 
Ticket: 4863

On the way, convert some keywords to use the first-class integer
support.
And helpers for pure rust the support for multi-buffer.

Move the C unit tests about keyword mqtt.protocol_version
to unit tests for generic integer parsing, and test version 5
instead of testing twice version 3.

Also iterate all tx's messages for reason code as is done for other
keywords.

And allow detection on empty topics.
 1 year ago
Jason Ish 5f516c5896 doc: add pf-ring plugin upgrade notes 
Ticket: #7162
 1 year ago
Philippe Antoine e0fd59a20d doc: state that payload-length includes the gaps 1 year ago
Jason Ish 4d3d57249a doc: update dns section of the eve format documentation 1 year ago
Jason Ish d3c08b9643 doc: upgrade guide for dns logging changes 
Bug: #6281
 1 year ago
Sascha Steinbiss 53c62432c6 doc: update MQTT configuration 1 year ago
Shivani Bhardwaj c66f1f4488 doc: add note about datasets string memcaps 
Bug 3910
 1 year ago
Victor Julien afc318737a doc/userguide: document threshold backoff type 1 year ago
Victor Julien e362a01f8d doc/userguide: document new threshold config options 1 year ago
Victor Julien 405491c3fc detect/detection_filter: add support for track by_flow 1 year ago
Victor Julien 3f04af7c7f doc: add thresholding by_flow 1 year ago
Jeff Lucovsky 01e20c91fb doc/transform: Correct typo 1 year ago
Jeff Lucovsky d205ff82d0 doc/transform: Describe the from_base64 transform 
Issue: 6487

Document the new transform and indicate that it's the preferred way to
perform base64 decoding (preferred over base64_decode)
 1 year ago
Philippe Antoine c9ce43b31e output: configurable payload_length field for alerts 
Ticket: 7098
 1 year ago
Victor Julien 3d059611c3 detect: add tls.alpn keyword 
Ticket: #7108.
 1 year ago
Victor Julien c79a382e42 eve/tls: log ALPN for client and server 
Part of the extended logging.

Logs `client_alpns` and `server_alpns` arrays in the tls object.

Ticket: #7055.
 1 year ago
Philippe Antoine ae72376ebe detect/snmp: move keywords to rust 
Ticket: 4863

On the way, convert unit test DetectSNMPCommunityTest to a SV test.

And also, make snmp.pdu_type use a generic uint32 for detection,
allowing operators, instead of just equality.
 1 year ago
Lukas Sismis bd9608771e doc: port user install and build instruction from master-6.0.x 
Ticket: #6686
 1 year ago
Lukas Sismis 521d1cb8e7 doc: update eBPF compilation instructions 
Ticket: #6599
 1 year ago
Victor Julien 8b42182fee doc/userguide: document iprep isset/isnotset 1 year ago
Victor Julien 2f74d435d3 doc/userguide: add more operators to iprep 1 year ago
Victor Julien 50ef646d45 doc/userguide: add noalert/alert keyword docs 1 year ago
Victor Julien c83e3285ae doc/userguide: give pcre1 to pcre2 proper heading 1 year ago
Juliana Fajardini 43b998aa73 userguide/upgrade: add note about alerts' increase 
With triggering stream reassembly early, since for certain types of
rules there may be more alerts triggered - even in IPS mode, make this
clear in the upgrading section.

Bug #7026
 1 year ago
Philippe Antoine 82c03f72c3 enip: convert to rust 
Ticket: 3958

- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- frames support
- app-layer events
- enip_command keyword accepts now string enumeration as values.
- add enip.status keyword
- add keywords :
    enip.product_name, enip.protocol_version, enip.revision,
    enip.identity_status, enip.state, enip.serial, enip.product_code,
    enip.device_type, enip.vendor_id, enip.capabilities,
    enip.cip_attribute, enip.cip_class, enip.cip_instance,
    enip.cip_status, enip.cip_extendedstatus
 1 year ago
Victor Julien 17b32f98d7 doc/userguide: fix rule container typo 
Fixes: 8781e9352a ("doc/userguide: add documentation for SMTP frames")
 1 year ago
Victor Julien 8781e9352a doc/userguide: add documentation for SMTP frames 1 year ago
Juliana Fajardini aeb200e001 devguide: highlight commit message example 
Although we have the example for a commit message in our Code Submission
Process sub-chapter, seems that people still oversee it a lot. It was
suggested that we put it in a note-box, to make it more visible.
 1 year ago
Jason Ish 3eb8c728fd doc: update lua sandbox docs for allowed packages/functions 1 year ago
Jason Ish bc011f2205 lua: use rust crate to vendor (bundle) lua 
Remove lua-dev(el) from all CI tests.
 1 year ago
Jo Johnson ba6a976e06 doc: Initial doc for lua sandbox 1 year ago
Jo Johnson 712496bb3f lua: Remove luajit support 
lua 5.4 support is not available in luajit

Ticket: #4776
 1 year ago
Jo Johnson 586c92d9d5 lua: require lua 5.4 
github-ci: Disable lua on debian 10 as it doesn't have Lua 5.4.

Ticket: #4776
 1 year ago
jason taylor 47d6c3a3ab doc: add source verification docs 
Ticket: #6908

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
Shivani Bhardwaj 719fda3967 doc: add description about tls.subjectaltname 
Feature 5234
 1 year ago
Philippe Antoine 2c305ba37e pop3: protocol detection 
Ticket: #6366
 1 year ago
Philippe Antoine 7582b18a9f http: configures libhtp to allow spaces in uri 
Ticket: #2881
 1 year ago
Giuseppe Longo 8a171c9d74 doc: add arp changes 1 year ago
Philippe Antoine fcdd7f000a detect: add options to app-layer-protocol keyword 
Ticket: 4921

app-layer-protocol keyword accept an optional mode to precise
which protocol we want to match: toclient, toserver, final,
or original
 1 year ago
Philippe Antoine 715bf048ee frames: rust API makes tx_id explicit 
And set it right for SIP and websocket,
so that relevant tx app-layer metadata gets logged.

Ticket: 6973
 1 year ago
Shivani Bhardwaj 6d92596548 doc: add note about fast_pattern w base64_data 
Bug 5220
 1 year ago
jason taylor abb74245cc doc: update normalization notes 
Ticket: #6781

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 5dacf4d92b doc: add http.connection ref and fix location 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
Victor Julien fcca5c7514 detect/iprep: update doc about 0 value 
A value of 0 was already allowed by the rule parser, but didn't
actually work.

Bug: #6834.
 1 year ago
jason taylor aa919f8081 doc: update flowbits information 
Ticket: #6991

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
Giuseppe Longo 4f1e71bb4e doc: add sdp update 1 year ago
Juliana Fajardini bb59124063 yaml: unify 0 stats counter config option terms 
When we added feature #5976 (72146b969), we overlook that we also have
a config stats option for the human-readable stats logs to output
0 counters.
Due to not seeing this before, we now have two different setting names
for basically the same thing, but in different logs:
- zero-valued-counters for EVE
- null-values for stats.log

This ensures we use the same terminology, and change the recently added
one to `null-values`, as this one has been around for longer.

Task #6962
 1 year ago
Philippe Antoine 44b6aa5e4b app-layer: websockets protocol support 
Ticket: 2695
 1 year ago
Sascha Steinbiss 120313f4da ja4: implement for TLS and QUIC 
Ticket: OISF#6379
 1 year ago
Jeff Lucovsky 7a5a1e2560 doc: Describe noalert keyword 
Issue: 6685
 1 year ago
Juliana Fajardini 72146b969c eve/stats: allow hiding counters whose valued is 0 
Some stats can be quite verbose if logging all zero valued-counters.
This allows users to disable logging such counters. Default is still
true, as that's the expected behavior for the engine.

Task #5976
 1 year ago
Juliana Fajardini 514e8b8b04 userguide: document exception policy stats 
Configuration options and defaults, existing counters etc.

Related to
Task #5816
 1 year ago
Juliana Fajardini 94b111283d userguide: highlight exception policy effects 
Some exception policies can only be applied to entire flows or
individual packets, for some exception scenarios. Make this easier to
read, in the documentation.

Related to
Task #5816
 1 year ago
jason taylor 7de16809ef doc: update http keyword listing order 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 8b3db3c3b5 doc: update file.name keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 49dba7bb94 doc: update file.data keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor bee3aa9709 doc: update http.response_header keyword 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor dcb548106e doc: update http.request_header keyword 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 3f5d228b9e doc: update http.host http.host.raw keyword 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 739dfe5e5e doc: update http.location keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 9ddd8cf9e0 doc: update http.server keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 3af98f3b92 doc: update http.response_body keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago
jason taylor 64760e2e75 doc: update http.response_line keyword information 
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
 1 year ago