suricata

Commit Graph

Author	SHA1	Message	Date
Victor Julien	eb73008ccf	detect/transform: add to_sha1 keyword	6 years ago
Victor Julien	75f9c1ae9f	detect/transform: add to_md5 keyword	6 years ago
Victor Julien	b3c021f8d0	userguide: improve stats logging documentation	6 years ago
Pascal Delalande	f2dca46382	doc: fix minor typo	6 years ago
Eric Leblond	7a121d9b4c	doc: add _static dir to make dist	6 years ago
Travis Green	c2adb9e669	doc: added tos keyword Redmine issue: https://redmine.openinfosecfoundation.org/issues/2583	6 years ago
Victor Julien	9dd925a46a	userguide/install: add rust, python-yaml to ubuntu	6 years ago
jason taylor	fc395eb2c5	userguide: updated hyperscan version reference Signed-off-by: jason taylor <jtfas90@gmail.com>	6 years ago
jason taylor	131112de13	doc: Remove gulp references Signed-off-by: jason taylor <jtfas90@gmail.com>	6 years ago
jason taylor	fc54d750dd	doc: add bypass keyword documentation Signed-off-by: jason taylor <jtfas90@gmail.com>	6 years ago
Mats Klepsland	be8c06adfd	userguide: add documentation for ssl_version keyword	6 years ago
Victor Julien	85f2486e0b	multi-tenant: document per tenant settings	6 years ago
Victor Julien	5afeebf884	doc/flow: updates and cleanups to flow section	6 years ago
Victor Julien	72dd4a5f92	doc/rules: initial transforms documentation	6 years ago
Victor Julien	226fe5cab3	doc/performance: redo runmodes explanation	6 years ago
Victor Julien	17e2d39531	doc/install: update Rust info in generic install overview	6 years ago
Victor Julien	473688746b	doc/eve: add community id	6 years ago
Mats Klepsland	e92fda37c9	doc: add documentation for SSH keywords	6 years ago
Pascal Delalande	64922a476e	doc: remove deprecated force-md5 flag from userguide	6 years ago
jason taylor	7f4e5e6eac	userguide: update hyperscan documentation Signed-off-by: jason taylor <jtfas90@gmail.com>	7 years ago
Mats Klepsland	4d38d0844b	doc: add documentation for Lua function 'TlsGetVersion'	7 years ago
Mats Klepsland	10fcc8d2ca	doc: update tls.version documentation	7 years ago
Maurizio Abba	bce7c2dd87	eve/http: add tx->request_port_number as http_port Add the port specified in the hostname (if any) to the http object in eve. The port may be different from the dest_port used by the TCP flow.	7 years ago
Eric Leblond	173e5a1c58	doc: iprep supports CIDR networks	7 years ago
Victor Julien	7c884e0850	doc: update multi-tentant for device feature	7 years ago
Danny Browning	2dc6b6ee14	source-pcap-file: delete when done (2417) https://redmine.openinfosecfoundation.org/issues/2417 Add option to have pcap files deleted after they have been processed. This option combines well with pcap file continuous and streaming files to a directory being processed.	7 years ago
Jason Ish	ede94e1f66	doc: alphabetize EXTRA_DIST	7 years ago
Jason Ish	ff73d908aa	doc: add window ips inline doc to extra_dist	7 years ago
Jason Ish	d2142cf433	doc: make warnings errors when building man page	7 years ago
Jason Ish	01f477786e	doc: link in windows ips setup page	7 years ago
Jacob Masen-Smith	ec77632e84	Adds WinDivert support to Windows builds Enables IPS functionality on Windows using the open-source (LGPLv3/GPLv2) WinDivert driver and API. From https://www.reqrypt.org/windivert-doc.html : "WinDivert is a user-mode capture/sniffing/modification/blocking/re-injection package for Windows Vista, Windows Server 2008, Windows 7, and Windows 8. WinDivert can be used to implement user-mode packet filters, packet sniffers, firewalls, NAT, VPNs, tunneling applications, etc., without the need to write kernel-mode code." - adds `--windivert [filter string]` and `--windivert-forward [filter string]` command-line options to enable WinDivert IPS mode. `--windivert[-forward] true` will open a filter for all traffic. See https://www.reqrypt.org/windivert-doc.html#filter_language for more information. Limitation: currently limited to `autofp` runmode. Additionally: - `tmm_modules` now zeroed during `RegisterAllModules` - fixed Windows Vista+ `inet_ntop` call in `PrintInet` - fixed `GetRandom` bug (nonexistent keys) on fresh Windows installs - fixed `RandomGetClock` building on Windows builds - Added WMI queries for MTU	7 years ago
Chris Speidel	1e8959b465	doc: fix minor typo	7 years ago
Victor Julien	693a3df031	tls: document encrypt-handling option Document in sample yaml and user guide.	7 years ago
Victor Julien	c677e07d3e	kerberos: minor doc updates, add author	7 years ago
Jason Ish	fb85822730	dhcp: update user guide	7 years ago
Pierre Chifflier	c51ff32adb	Document Kerberos 5 parsing events	7 years ago
Pierre Chifflier	1076c7cd47	Add krb5_err_code detection keyword	7 years ago
Pierre Chifflier	d6b9c0294a	Add krb5_cname and krb5_sname detection keywords	7 years ago
Pierre Chifflier	0bd81ff838	Add krb5_msg_type detection keyword	7 years ago
Pierre Chifflier	1e5f5d405f	Kerberos 5: add support for TCP as well	7 years ago
Pascal Delalande	4f48927c44	doc: spelling mistakes in various sections of the user guide	7 years ago
Max Fillinger	ce270a8f6a	Add info about pcap log compression to user guide	7 years ago
Eric Leblond	e249ce29bb	doc: add lua directory to Makefile	7 years ago
Victor Julien	4a90dced8e	doc/lua: small update to the usage intro	7 years ago
Eric Leblond	2546e86a16	doc: document lua function about flow var	7 years ago
Eric Leblond	0c4bf2d332	doc: add a lua support top level section Both output and signature are using lua. So lua functions should be displayed in a single section.	7 years ago
Eric Leblond	293b00798e	doc: document lua TLS functions	7 years ago
Pascal Delalande	e3c5784dd5	doc: minor updates (tls custom, TODO removal, ftp/smb file rules)	7 years ago
Victor Julien	83bf60d897	doc: add ntlmssp, kerberos and other setup fields	7 years ago
Richard Sailer	dc07c1fe13	lua output doc: Use more descriptive variable names in the examples This also removes the "args" parameter of the hooking functions in the examples, since this parameter is unused in all functions. It would not be very helpful anyways since 3 of the 4 functions don't get passed any parameters. The only exception is init() which gets a table containing: script_api_ver = 1	7 years ago
Richard Sailer	3307f7a94e	lua output doc: Add explaining introduction text	7 years ago
Victor Julien	e09027915a	doc: fix json formatting in smb doc	7 years ago
Victor Julien	67e81a9555	doc: initial smb eve documentation	7 years ago
Victor Julien	78437375c4	doc: add by_either to suppress explanation	7 years ago
Victor Julien	2c259f2239	doc: add smb section to yaml	7 years ago
Victor Julien	13bdcd5249	doc: minor fix	7 years ago
Victor Julien	1edd9d19fc	doc: add SMB to file extraction. Minor improvements.	7 years ago
Victor Julien	b4771150b8	doc: update suricata-update screenshot	7 years ago
Victor Julien	b531e7725d	doc: improve suricata-update docs now that its bundled	7 years ago
Victor Julien	ac1ed24cb4	doc: improve making sense of alerts	7 years ago
Victor Julien	ccde621ceb	doc: add suricata-update to intro for rules	7 years ago
Pierre Chifflier	6eb48e1e93	Add ikev2 to userguide	7 years ago
Victor Julien	26e807ca34	doc: fix http_header_names example	7 years ago
Eric Leblond	0a72d5be96	doc: fix typo in unix socket doc Also fixes a dead link to code.	7 years ago
Eric Leblond	975f413308	doc: more info on unix socket rule reload	7 years ago
Eric Leblond	e2aab10d29	doc: fix typo in ebpf xdp doc	7 years ago
Mats Klepsland	47a7ebbbc2	doc: add JA3 fields to the TLS logger documentation	7 years ago
Mats Klepsland	fb0bfb614f	doc: add documentation for Ja3GetString Lua function	7 years ago
Mats Klepsland	2514553098	doc: add documentation for Ja3GetHash Lua function	7 years ago
Mats Klepsland	a357f52fa5	doc: add documentation for ja3_string keyword	7 years ago
Mats Klepsland	38cc6f595f	doc: add documentation for ja3_hash keyword	7 years ago
Giuseppe Longo	fb66d45754	doc: introduce dns compact logging	7 years ago
David DIALLO	c2236ea2b3	modbus: Support Unit Identifier When destination IP address does not suffice to uniquely identify the Modbus/TCP device. Some Modbus/TCP devices act as gateways to other Modbus/TCP devices that are behind this gateways.	7 years ago
Victor Julien	50a182194a	eve: log pcap filename	7 years ago
Pascal Delalande	2e5b293afb	doc: update eve json output for DNS and HTTP	7 years ago
Brandon Sterne	a01a229b37	doc: use standard spelling of daemon	7 years ago
Andreas Herz	bdb886bd68	docs: remove many outdated and old install docs	7 years ago
Andreas Herz	2e8678a5ff	docs: replace redmine links and enforce https on oisf urls	7 years ago
David DIALLO	6c643d8975	modbus: duplicate alerts unaware of direction Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction because Modbus inspection engine is only performing in request (TOSERVER). Detect Value keyword in read access rule. In read access, match on value is not possible. Update Modbus keyword documentation.	7 years ago
Eric Leblond	7da805ffd9	doc: improve eBPF and XDP doc Remove reference to `buggy` clang as a workaround has been found in libbpf. Proof read and add information on the structure of eBPF code.	7 years ago
Eric Leblond	8030e3f66b	doc: update documentation This patch adds info on kernel requirement for XDP and rework a few things.	7 years ago
Eric Leblond	0e1a4173ff	doc: how to get live info about ebpf behavior	7 years ago
Eric Leblond	8c7b5cb088	doc: add info about xdp IPS bypass	7 years ago
Eric Leblond	ce8b74b524	doc: document XDP CPU redirect	7 years ago
Eric Leblond	60265e023a	doc: update xdp documentation Also remove configuration info from yaml as they are now in the documentation.	7 years ago
Peter Manev	5ee44c877c	doc: add XDP setup documentation	7 years ago
Giuseppe Longo	d2121945c9	doc: update file_data description	7 years ago
Jason Ish	74e036d09f	doc: update eve/alert/metadata configuration	7 years ago
Martin Natano	fe9cac5870	eve/alert: include rule text in alert output For SIEM analysis it is often useful to refer to the actual rules to find out why a specific alert has been triggered when the signature message does not convey enough information. Turn on the new rule flag to include the rule text in eve alert output. The feature is turned off by default. With a rule like this: alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;) The eve alert output might look something like this (pretty-printed for readability): { "timestamp": "2017-08-14T12:35:05.830812+0200", "flow_id": 1919856770919772, "in_iface": "eth0", "event_type": "alert", "src_ip": "10.20.30.40", "src_port": 50968, "dest_ip": "8.8.8.8", "dest_port": 53, "proto": "UDP", "alert": { "action": "allowed", "gid": 1, "signature_id": 42, "rev": 0, "signature": "Google DNS server contacted", "category": "", "severity": 3, "rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)" }, "app_proto": "dns", "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 81, "bytes_toclient": 0, "start": "2017-08-14T12:35:05.830812+0200" } } Feature #2020	7 years ago
Eric Leblond	72c8cd67d5	doc: documentation update on metadata	7 years ago
Jason Ish	ab939f4aaa	doc: breakout eve-log section to a partial file Both the suricata.yaml and eve configuration sections included the eve-log section from suricata.yaml. First, sync these up with the actual suricata.yaml then break it out into its own file, so only one file needs to be kept in sync with the actual configuration file.	7 years ago
Jason Ish	0e02684634	doc: update eve-log section for metadata	7 years ago
Pascal Delalande	80f2fbac6e	rust/tftp: eve logging with rust	7 years ago
Pascal Delalande	0ff60f65ec	doc: update filestore for file hash extraction Update for extraction based on md5, sha1 and sha256	7 years ago
Victor Julien	07738af868	detect/content: introduce startswith modifier Add startswith modifier to simplify matching patterns at the start of a buffer. Instead of: content:"abc"; depth:3; This enables: content:"abc"; startswith; Especially with longer patterns this makes the intention of the rule more clear and eases writing the rules. Internally it's simply a shorthand for 'depth:<pattern len>;'. Ticket https://redmine.openinfosecfoundation.org/issues/742	7 years ago
Jason Ish	5420c0ab06	doc: document file-store v2	7 years ago
Victor Julien	746638b220	cuda: remove Remove CUDA support as it has been broken for a long time. Ticket #2382.	7 years ago
Eric Leblond	24f745553c	doc: update file extraction document Define the list of protocol parsers supporting extraction in one single place following Andreas Herz' suggestion.	7 years ago
Eric Leblond	f5ba4c231d	doc: update following ftp-data changes	7 years ago
Giuseppe Longo	70695201f6	doc: add memcap commands in unix-socket section	7 years ago
Eric Leblond	3bf098e52f	doc: document log reopen unix socket command	7 years ago
Victor Julien	be9ec3958e	doc: initial suricata-update page	7 years ago
Andreas Herz	6f0794c16f	keyword-filesize: add units	7 years ago
Dana Helwig	3ab9120821	source-pcap-file: Pcap Directory Mode (Feature #2222 ) https://redmine.openinfosecfoundation.org/issues/2222 Pcap file mode that when passed a directory will process all files in that directory. If --pcap-file-continuous or continuous option is passed in json, the directory will be monitored until the directory is moved/deleted, suricata is interrupted, or the pcap-interrupt command is used with unix command socket. Existing file implementation and new directory implementation has moved from source-pcap-file into pcap-file-helper and pcap-directory-helper. Engine state will not reset between files. Also satisfies: * https://redmine.openinfosecfoundation.org/issues/2299 * https://redmine.openinfosecfoundation.org/issues/724 * https://redmine.openinfosecfoundation.org/issues/1476 Co-Authors: Dana Helwig <dana.helwig@protectwise.com> and Danny Browning <danny.browning@protectwise.com>	7 years ago
Eric Leblond	94e9d13791	doc: add ruleset commands available in unix socket	7 years ago
Pascal Delalande	0c99338e07	doc: update docs for DNS flags logging	7 years ago
Ralph Broenink	f6938933d9	doc: Amend the list of accepted protocols Based on the list in suricata.yaml	7 years ago
Ralph Broenink	d830177b7b	doc: Add my own name to the acknowledgements	7 years ago
Ralph Broenink	98a1ec490f	doc: Move IP reputation keyword to rules section	7 years ago
Ralph Broenink	722cff1862	doc: Restructure ToC * All sections up to 2 levels deep are now shown regardless of whether they are a separate page * Rename Xbits and Thresholding for more consistent naming * Minor adjustment in the Payload Keywords section	7 years ago
Ralph Broenink	196ba1da70	doc: Make the header keywords section separate sections in ToC	7 years ago
Ralph Broenink	a55a6cdb62	doc: Move flowint as integral part of flow keywords	7 years ago
Ralph Broenink	f6c766112c	doc: Minor changes in structuring of HTTP Keywords / Snort differences	7 years ago
Ralph Broenink	e9b25988ba	doc: Move pcre entirely to Payload Keywords section (plus remove lingering screenshot of a rule)	7 years ago
Ralph Broenink	bb1bf2643d	doc: Move fast_pattern and prefilter to dedicated page	7 years ago
Ralph Broenink	fea037fda8	doc: Moved explanation of normalized buffers to rules introduction	7 years ago
Ralph Broenink	11990c7117	doc: Move the definition of modifier keywords to the introduction	7 years ago
Ralph Broenink	dfae19247d	doc: Completely rewrite the rules introduction for more clearity	7 years ago
Ralph Broenink	274c36eb2f	doc: Meta-settings -> Meta Keywords plus some textual changes Most importantly, conventions are now placed in tip boxes	7 years ago
Ralph Broenink	3413793768	doc: Use lowercased keyword names as section titles	7 years ago
Ralph Broenink	a52aacb4ea	doc: Replace images of tables and rules with text in rules docs In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis. Additionally, some tables embedded into images were also replaced by reST tables.	7 years ago
Ralph Broenink	44926e2369	doc: Add suricata.css to allow for some custom styling	7 years ago
Ruslan Usmanov	1090ee9d8d	rate_filter by_both through IPPair storage Ticket https://redmine.openinfosecfoundation.org/issues/2127	7 years ago
Gaurav Singh	637a7c8e55	Adds options to mark when a file is final. This takes the form of an option to add the pid of the process to file names. Additionally, it adds a suffix to the file name to indicate it is not finalized. Adding the pid to the file name reduces the likelihood that a file is overwritten when suricata is unexpectedly killed. The number in the waldo file is only written out during a clean shutdown. In the event of an improper shutdown, extracted files will be written using the old number and existing files with the same name will be overwritten. Writes extracted files and their metadata to a temporary file suffixed with '.tmp'. Renames the files when they are completely done being written. As-is there is no way to know that a file on disk is still being written to by suricata.	7 years ago
Mats Klepsland	9556d4fef3	doc: add documentation for tls_cert_fingerprint keyword	7 years ago
Victor Julien	1180687574	doc/file_data: add note on negated matching Explain issue #2216 and how to avoid it.	8 years ago
Victor Julien	456af8faa8	doc/napatech: formatting fixes	8 years ago
Andreas Herz	c048ee6505	doc: reflect most recent cpu affinity settings Some settings like output-cpu-set never been used and detect got renamed to worker. This reflects those changes already present in the yaml also within the documentation.	8 years ago
Julian	f27b4fc8fe	redis: support for rpush in list mode This adds a new redis mode rpush. Also more consistent config keywords orientated at the redis command: lpush and publish. Keeping list and channel config keywords for backwards compatibility	8 years ago
Phil Young	5f613e6e7d	napatech: Added section describing packet counters.	8 years ago
Phil Young	f6838f9085	napatech: Added description of hba usage.	8 years ago
Victor Julien	fc229430f8	doc: add rust and update version in install	8 years ago
Sebastian Garcia	d32ba60b51	Update public-data-sets.rst with stratosphere project Add the datasets of the Stratosphere project to the list.	8 years ago
Jason Ish	f715b0ae6b	doc: add pid-file section to suricata.yaml doc Redmine issue: https://redmine.openinfosecfoundation.org/issues/2104	8 years ago
Jason Ish	59d69666ea	doc: add more details to log rotation doc	8 years ago
Jason Ish	92f15b7ffb	doc: move log rotation to output section	8 years ago
Victor Julien	62b6f9fe25	decode: add config option to disable teredo Ticket #744.	8 years ago
Abbed	320b032a88	doc: small typo under '4.3.1.5' section	8 years ago
Eric Leblond	b763c7ec11	doc: document http-body logging	8 years ago
Eric Leblond	9e581436a7	doc: info about new config for alert events in EVE	8 years ago
Eric Leblond	ef88689f1e	doc: add app_proto to alert event	8 years ago
Selivanov Pavel	5162b58260	Fixed small typo: double sudo	8 years ago
Eric Leblond	f4374ffd0b	doc: some more info about alert format	8 years ago
Eric Leblond	f5ad6a2095	doc: document target keyword	8 years ago
Eric Leblond	a3f07ec02e	doc: document drop-invalid option.	8 years ago
Eric Leblond	e933eb849a	doc: document filestore update	8 years ago
Andreas Herz	bf1a8d08da	doc: rephrase nocase placement explanation	8 years ago
Victor Julien	71c6df1655	lua: add SCFlowId for getting the flow id	8 years ago
Victor Julien	4697330b73	doc: flowints formatting cleanup	8 years ago
Victor Julien	0af562d4c8	doc: move parts out of snort difference doc Move generic keyword descriptions to the keyword documentation.	8 years ago

1 2 3 4 5 ...

446 Commits (c769909dada7dd16c63180ce89ba3d160d371de3)