aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
17,359 Commits
7 Branches
161 Tags
206 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c6e0ba2b85'
${ noResults }
Commit Graph

165 Commits (c6e0ba2b8549adf3c8b82ebdc13a5cd9f8ae0370)

Author SHA1 Message Date
Philippe Antoine 4af3bd9c91 rust: bindgen SCDetectHelperKeywordSetCleanCString 
Ticket: 7667
 2 months ago
Philippe Antoine 41fcf3b356 detect: fix some -Wshorten-64-to-32 warnings 
Ticket: #6186
 3 months ago
Jeff Lucovsky 19fe098e88 detect/ftp: Add ftp.dynamic_port keyword 
Issue: 7504

Add implementation of the ftp.dynamic_port rule keyword. The
implementation uses the U16 integer matching/parsing and thus supports
the comparison operations such as <, >, <=, >=, !, !=, and range (-).
 3 months ago
Philippe Antoine aa7f926ff4 detect: rust helper to register sticky buffer 3 months ago
Philippe Antoine a7f4fd12d5 detect: remove never set SIGMATCH_NOT_BUILT 3 months ago
Philippe Antoine 9814b698c8 detect/dns: move keywords to rust 
Ticket: 7529
Ticket: 3725

Adds url for dns.opcode on the way
 3 months ago
Victor Julien f96e97205c firewall: detect: add feature flag for keywords supporting firewall 3 months ago
Victor Julien 88e96c9d49 detect/domain: move transform fully to rust 4 months ago
Jeff Lucovsky e0131f6098 detect/ftp: Add ftp.reply rule keyword 
Issue: 7508

Add the rule detection keyword "ftp.reply". This is a multi-buffer
command.
 4 months ago
Eric Leblond 0b031a33c6 domain: add new transformation 
Ticket: #5639
 4 months ago
Victor Julien 6f5fd77cb9 detect/app-layer-state: keyword for protocol state 
Allow matching on the app-layer protocol state.
 4 months ago
Victor Julien 67df6ad94e detect: introduce explicit hooks 
Generic:
        <app_proto>:request_started and <app_proto>:response_started
        <app_proto>:request_complete and <app_proto>:response_complete

Per protocol, it uses the registered progress (state) values. E.g.

        tls:client_hello_done

A rule ruleset could be:

        pass tls:client_hello_done any any -> any any (tls.sni; content:"www.google.com"; sid:21; alert;)
        drop tls:client_hello_done any any -> any any (sid:22;)

The pass rule is evaluated when the client hello is parsed, and if it
doesn't match the drop rule will be evaluated.

Registers each generic lists as "<alproto>:<progress state>:generic"
(e.g. "tls:client_hello_done:generic").

Ticket: #7485.
 4 months ago
Philippe Antoine 3b271b3f5b detect: rename with prefix SCSigTablePreRegister 
to make it available to rust via bindgen
 4 months ago
Philippe Antoine d24a3eb5f6 snmp: register protocol dynamically 
Ticket: 4103
 4 months ago
Jeff Lucovsky 559cdc358d detect/ftp: ftp.command_data keyword 
Issue: 7503

Add the rule keyword ftp.command_data; a sticky buffer that matches on
the values send with FTP commands, e.g., USER someuser
 4 months ago
Victor Julien 4da69a52fe detect/sdp: minor style fixup 4 months ago
Giuseppe Longo 2f24f49dba sdp: add sdp.session_name sticky buffer 
This adds a sticky buffer to match the "Session name" field in both
requests and responses.

Ticket #7291
 4 months ago
Jeff Lucovsky fdc0ac590e detect/entropy: Add entropy keyword 
This commit adds keyword/build support for the entropy keyword. The
entropy keyword compares an entropy value with a value calculated
according to the Shannon entropy on the available content.

Issue: 4162
 4 months ago
Alice Akaki 90aab0d62f detect: add email.from 
email.from matches on MIME EMAIL FROM
This keyword maps to the EVE field email.from
It is a sticky buffer
Supports prefiltering

Ticket: #7592
 4 months ago
Jason Ish 814e9ffb7a dns: add keywords for additionals and authorities rrnames 
Add keywords dns.additionals.rrname and dns.authorities.rrname. Along
the way, consolidate dns.query.name and dns.answer.name into a single file
and register them altogether since there is a lot of common code.
 5 months ago
Nathan Scrivens 07632fdf4e dns: add dns.response sticky buffer 
Feature: 7012
Add dns.response sticky buffer to match on dns response fields.
Add rust functions to return dns response packet data.
Unit tests verifying signature matching.
 5 months ago
Alice Akaki 7b350e9933 misc: fix name prefix in detect register functions 5 months ago
Jeff Lucovsky b662feb162 detect/ftp.command: Add sticky buffer 
Issue: 7502

Add a sticky buffer for "ftp.command" for matching on FTP command names.
 6 months ago
Philippe Antoine 3d3b1ade9d detect/smtp: smtp.helo keyword 
Ticket: 7515

It is a sticky buffer mapping to the smtp.helo log field
 6 months ago
Alice Akaki cdb043810f detect: add ldap.request.operation 
ldap.request.operation matches on Lightweight Directory Access Protocol request operations
This keyword maps to the eve field ldap.request.operation
It is an unsigned 8-bit integer
Doesn't support prefiltering

Ticket: #7453
 6 months ago
Jason Ish c5089ac5f4 dhcp: cleanup visibility and naming 
- remove "rs_" prefix from functions that are not exported
- prefix exported functions with "SC"
- don't export functions that are only used by pointer

Ticket: 7498
 6 months ago
Alice Akaki 078c6469a0 detect: add vlan.layers keyword 
vlan.layers matches on the number of VLAN layers per packet
It is an unsigned 8-bit integer
Valid range = [0-3]
Supports prefiltering

Ticket: #1065
 6 months ago
Alice Akaki b1c2643c87 detect: add vlan.id keyword 
vlan.id matches on Virtual Local Area Network IDs
It is an unsigned 16-bit integer
Valid range = [0-4095]
Supports prefiltering

Ticket: #1065
 6 months ago
Philippe Antoine eab212b0be plugins: app-layer plugins 
Ticket: 5053
 6 months ago
Shivani Bhardwaj aad313438c flow/pkts: make syntax cleaner and compact 
Currently, the syntax includes direction as a part of the keyword which
is against how usually keywords are done. By making direction as a
mandatory argument, it is possible to make the syntax cleaner and the
implementation more compact and easily extendable.
Pros:
- Registration table sees lesser entries if newer options are added
- If the options have to be extended, it can be done trivially
- In accordance w existing keyword implementations

Note that this commit also retains the existing direction specific
keywords.
 7 months ago
Jason Ish 8bcc844b6f sigtable: add function to test for a keyword 
To be used by the requires keyword to check for keyword support.

Ticket: #7403
 8 months ago
Jason Ish 2ac16ee1a6 detect: break apart sigtable setup and initialization 
Allows initialization to be done early, so the table is ready for
dynamic registration by plugins which are loaded before signature
setup.
 8 months ago
Philippe Antoine 63324b7368 transforms: move urldecode to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 8984bc6801 transforms: move xor to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 45e0acf772 transforms: move http headers transforms to rust 
Ticket: 7229
 9 months ago
Philippe Antoine f0414570d2 transforms: move casechange to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 0e5b49d20f transforms: move hash transforms to rust 
md5, sha1 and sha256

Ticket: 7229
 9 months ago
Philippe Antoine 71da38e702 transforms: move dotprefix to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 966f659201 transforms: move compress_whitespace to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 4985ebc0e0 transforms: move strip_whitespace to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 96c8470cdd template: move detect keywords to pure rust 
Ticket: 3195

Also remove unused src/tests/detect-template-buffer.c

Completes commit 4a7567b3f0
to remove references to template-rust
 10 months ago
Giuseppe Longo 969f4d131f sip: rustify sticky buffers 
Ticket #7204
 10 months ago
Philippe Antoine 62a186ceef detect/rfb: move keywords to rust 
Ticket: 7178

On the way, convert rfb.secresult to a generic integer with enumeration
cf ticket 6723
 12 months ago
Philippe Antoine 0a1062fad2 detect/mqtt: move keywords to rust 
Ticket: 4863

On the way, convert some keywords to use the first-class integer
support.
And helpers for pure rust the support for multi-buffer.

Move the C unit tests about keyword mqtt.protocol_version
to unit tests for generic integer parsing, and test version 5
instead of testing twice version 3.

Also iterate all tx's messages for reason code as is done for other
keywords.

And allow detection on empty topics.
 1 year ago
Jeff Lucovsky f042e9034b detect/transform: Add from_base64 transform 
Issue: 6487

Implement the from_base64 transform:
    [bytes value] [offset value] [mode strict|rfc4648|rfc2045]

    The value for bytes and offset may be a byte_ variable or an
    unsigned integer.
 1 year ago
Victor Julien 3d059611c3 detect: add tls.alpn keyword 
Ticket: #7108.
 1 year ago
Philippe Antoine 4fe3f04fa3 detect/enip: move keywords to rust 
Ticket: 4863
 1 year ago
Philippe Antoine ce1eea4ad6 detect/websocket: move keywords to rust 
Ticket: 4863
 1 year ago
Philippe Antoine 16952d67e7 detect/dhcp: move keywords to rust 
Ticket: 4863
 1 year ago
Philippe Antoine ae72376ebe detect/snmp: move keywords to rust 
Ticket: 4863

On the way, convert unit test DetectSNMPCommunityTest to a SV test.

And also, make snmp.pdu_type use a generic uint32 for detection,
allowing operators, instead of just equality.
 1 year ago