aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
17,040 Commits
7 Branches
161 Tags
205 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c92f0f6d27'
${ noResults }
Commit Graph

147 Commits (c92f0f6d2794342795585f943da68640d452b225)

Author SHA1 Message Date
Alice Akaki 90aab0d62f detect: add email.from 
email.from matches on MIME EMAIL FROM
This keyword maps to the EVE field email.from
It is a sticky buffer
Supports prefiltering

Ticket: #7592
 4 months ago
Jason Ish 814e9ffb7a dns: add keywords for additionals and authorities rrnames 
Add keywords dns.additionals.rrname and dns.authorities.rrname. Along
the way, consolidate dns.query.name and dns.answer.name into a single file
and register them altogether since there is a lot of common code.
 5 months ago
Nathan Scrivens 07632fdf4e dns: add dns.response sticky buffer 
Feature: 7012
Add dns.response sticky buffer to match on dns response fields.
Add rust functions to return dns response packet data.
Unit tests verifying signature matching.
 5 months ago
Alice Akaki 7b350e9933 misc: fix name prefix in detect register functions 5 months ago
Jeff Lucovsky b662feb162 detect/ftp.command: Add sticky buffer 
Issue: 7502

Add a sticky buffer for "ftp.command" for matching on FTP command names.
 6 months ago
Philippe Antoine 3d3b1ade9d detect/smtp: smtp.helo keyword 
Ticket: 7515

It is a sticky buffer mapping to the smtp.helo log field
 6 months ago
Alice Akaki cdb043810f detect: add ldap.request.operation 
ldap.request.operation matches on Lightweight Directory Access Protocol request operations
This keyword maps to the eve field ldap.request.operation
It is an unsigned 8-bit integer
Doesn't support prefiltering

Ticket: #7453
 6 months ago
Jason Ish c5089ac5f4 dhcp: cleanup visibility and naming 
- remove "rs_" prefix from functions that are not exported
- prefix exported functions with "SC"
- don't export functions that are only used by pointer

Ticket: 7498
 6 months ago
Alice Akaki 078c6469a0 detect: add vlan.layers keyword 
vlan.layers matches on the number of VLAN layers per packet
It is an unsigned 8-bit integer
Valid range = [0-3]
Supports prefiltering

Ticket: #1065
 6 months ago
Alice Akaki b1c2643c87 detect: add vlan.id keyword 
vlan.id matches on Virtual Local Area Network IDs
It is an unsigned 16-bit integer
Valid range = [0-4095]
Supports prefiltering

Ticket: #1065
 6 months ago
Philippe Antoine eab212b0be plugins: app-layer plugins 
Ticket: 5053
 6 months ago
Shivani Bhardwaj aad313438c flow/pkts: make syntax cleaner and compact 
Currently, the syntax includes direction as a part of the keyword which
is against how usually keywords are done. By making direction as a
mandatory argument, it is possible to make the syntax cleaner and the
implementation more compact and easily extendable.
Pros:
- Registration table sees lesser entries if newer options are added
- If the options have to be extended, it can be done trivially
- In accordance w existing keyword implementations

Note that this commit also retains the existing direction specific
keywords.
 6 months ago
Jason Ish 8bcc844b6f sigtable: add function to test for a keyword 
To be used by the requires keyword to check for keyword support.

Ticket: #7403
 8 months ago
Jason Ish 2ac16ee1a6 detect: break apart sigtable setup and initialization 
Allows initialization to be done early, so the table is ready for
dynamic registration by plugins which are loaded before signature
setup.
 8 months ago
Philippe Antoine 63324b7368 transforms: move urldecode to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 8984bc6801 transforms: move xor to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 45e0acf772 transforms: move http headers transforms to rust 
Ticket: 7229
 9 months ago
Philippe Antoine f0414570d2 transforms: move casechange to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 0e5b49d20f transforms: move hash transforms to rust 
md5, sha1 and sha256

Ticket: 7229
 9 months ago
Philippe Antoine 71da38e702 transforms: move dotprefix to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 966f659201 transforms: move compress_whitespace to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 4985ebc0e0 transforms: move strip_whitespace to rust 
Ticket: 7229
 9 months ago
Philippe Antoine 96c8470cdd template: move detect keywords to pure rust 
Ticket: 3195

Also remove unused src/tests/detect-template-buffer.c

Completes commit 4a7567b3f0
to remove references to template-rust
 10 months ago
Giuseppe Longo 969f4d131f sip: rustify sticky buffers 
Ticket #7204
 10 months ago
Philippe Antoine 62a186ceef detect/rfb: move keywords to rust 
Ticket: 7178

On the way, convert rfb.secresult to a generic integer with enumeration
cf ticket 6723
 12 months ago
Philippe Antoine 0a1062fad2 detect/mqtt: move keywords to rust 
Ticket: 4863

On the way, convert some keywords to use the first-class integer
support.
And helpers for pure rust the support for multi-buffer.

Move the C unit tests about keyword mqtt.protocol_version
to unit tests for generic integer parsing, and test version 5
instead of testing twice version 3.

Also iterate all tx's messages for reason code as is done for other
keywords.

And allow detection on empty topics.
 1 year ago
Jeff Lucovsky f042e9034b detect/transform: Add from_base64 transform 
Issue: 6487

Implement the from_base64 transform:
    [bytes value] [offset value] [mode strict|rfc4648|rfc2045]

    The value for bytes and offset may be a byte_ variable or an
    unsigned integer.
 1 year ago
Victor Julien 3d059611c3 detect: add tls.alpn keyword 
Ticket: #7108.
 1 year ago
Philippe Antoine 4fe3f04fa3 detect/enip: move keywords to rust 
Ticket: 4863
 1 year ago
Philippe Antoine ce1eea4ad6 detect/websocket: move keywords to rust 
Ticket: 4863
 1 year ago
Philippe Antoine 16952d67e7 detect/dhcp: move keywords to rust 
Ticket: 4863
 1 year ago
Philippe Antoine ae72376ebe detect/snmp: move keywords to rust 
Ticket: 4863

On the way, convert unit test DetectSNMPCommunityTest to a SV test.

And also, make snmp.pdu_type use a generic uint32 for detection,
allowing operators, instead of just equality.
 1 year ago
Philippe Antoine 4bbe7d92dc detect: helper to have pure rust keywords 
detect: make number of keywords dynamic

Ticket: 4683
 1 year ago
Philippe Antoine 82c03f72c3 enip: convert to rust 
Ticket: 3958

- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- frames support
- app-layer events
- enip_command keyword accepts now string enumeration as values.
- add enip.status keyword
- add keywords :
    enip.product_name, enip.protocol_version, enip.revision,
    enip.identity_status, enip.state, enip.serial, enip.product_code,
    enip.device_type, enip.vendor_id, enip.capabilities,
    enip.cip_attribute, enip.cip_class, enip.cip_instance,
    enip.cip_status, enip.cip_extendedstatus
 1 year ago
Shivani Bhardwaj 83af42cc03 detect/tls-subjectaltname: add sticky buffer 
Add TLS SubjectAltName sticky buffer. It is implemented as multi-buffer.

Feature 5234
 1 year ago
Philippe Antoine 44b6aa5e4b app-layer: websockets protocol support 
Ticket: 2695
 1 year ago
Sascha Steinbiss 120313f4da ja4: implement for TLS and QUIC 
Ticket: OISF#6379
 1 year ago
Hadiqa Alamdar Bukhari 3aa313d0c5 dns: add dns.rcode keyword 
dns.rcode matches the rcode header field in DNS messages
It's an unsigned integer
valid ranges = [0-15]
Does not support prefilter
Supports matches in both flow directions

Task #6621
 1 year ago
Hadiqa Alamdar Bukhari 4b81851097 dns: add dns.rrtype keyword 
It matches the rrtype field in DNS
It's an unsigned integer match
valid ranges = [0-65535]
Does not support prefilter
Supports flow in both directions
Feature #6666
 1 year ago
jason taylor 3cb7112aa5 detect: update smb.version keyword 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
Eloy Pérez González 415722dab2 smb: add smb.version keyword 
Ticket: #5075

Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
Philippe Antoine adf5e6da7b detect: strip_pseudo_headers transform 
Ticket: 6546
 2 years ago
Jason Ish 5d5b0509a5 requires: add requires keyword 
Add a new rule keyword "requires" that allows a rule to require specific
Suricata versions and/or Suricata features to be enabled.

Example:

  requires: feature geoip, version >= 7.0.0, version < 8;
  requires: version >= 7.0.3 < 8
  requires: version >= 7.0.3 < 8 | >= 8.0.3

Feature: #5972

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
 2 years ago
Jason Ish 482325e28b dns: add dns.query.name sticky buffer 
This buffer is much like dns.query_name but allows for detection in both
directions.

Feature: #6497
 2 years ago
Jason Ish 5f99abb0cb dns: add dns.answer.name keyword 
This sticky buffer will allow content matching on the answer names.
While ansers typically only occur in DNS responses, we allow the buffer
to be used in request context as well as the request message format
allows it.

Feature: #6496
 2 years ago
Victor Julien 53591702aa detect/bytemath: pass match ctx directly 
Adjust includes to enable this.
 2 years ago
Philippe Antoine 32cce122e1 detect: header_lowercase transform 
Ticket: 6290
 2 years ago
Sascha Steinbiss 0c55fe3515 detect: add mqtt.connect.protocolstring 
Ticket:  OISF#6396
 2 years ago
Jeff Lucovsky 1110a86cb9 detect/transform: Register case-change transforms 
Issue: 6439
 2 years ago
Philippe Antoine ab9b6e30b1 detect: adds flow integer keywords 
Ticket: #6164

flow.pkts_toclient
flow.pkts_toserver
flow.bytes_toclient
flow.bytes_toserver
 2 years ago