aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
12,231 Commits
7 Branches
155 Tags
195 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd3bd008e33'
${ noResults }
Commit Graph

12231 Commits (d3bd008e331072171de2f6a1fe44f3180d051f46)
 

Author SHA1 Message Date
Victor Julien b08a7b9a66 stream: update memcaps in code to match config 4 years ago
Philippe Antoine f77b027ada app-layer/pd: review bailout conditions 
To take TCP window into account
And to actually bail out if we received too much data
where the limit is configured by stream.reassembly.depth
 4 years ago
Victor Julien 7a114e506a app-layer/pd: only consider actual available data 
For size limit checks consider only available data at the stream start
and before any GAPS.

The old check would consider too much data if there were temporary gaps,
like when a data packet was in-window but (far) ahead of the expected
segment.
 4 years ago
Victor Julien be1baa8cab streaming/buffer: account sbb data size 
When tracking data track the size of the blocks so that in case
of gaps we can still know how much data we hold.
 4 years ago
Juliana Fajardini b8499de498 detect/iprep: convert to FAIL/PASS API 4 years ago
Philippe Antoine 31dccd1171 modbus: do not claim to handle gaps 4 years ago
showipintbri a39025bf24 doc: Grammar Correction 4 years ago
Shivani Bhardwaj a17da8374a counters: only print alerts if stats are enabled 4 years ago
Juliana Fajardini b24fb5781b detect: fix typos and update copyright year 4 years ago
Juliana Fajardini a15fada727 detect: fix bug where rule without sid is accepted 
Before, if Suricata parsed a rule without a 'sid' option, instead of
failing that rule, the rule was parsed and attributed a sid 0.
Changes to:
detect-parse:
- add logic to filter out rules without sid;
- change unittest which didn't have a sid, but used to pass.
detect-sid: add unittest for rules without sid or with sid: 0
 4 years ago
Philippe Antoine 0eefd90a93 fuzz: only build fuzz_sigpcap_aware if asked 
With the other fuzz targets, and do not build it if fuzzpcap
is available but we did not want to build the fuzz targets
 4 years ago
Sascha Steinbiss d541b3d4a8 rust: fix warnings with nightly 4 years ago
Eric Leblond 2c8c043185 stream/tcp: limit ACK validation 
Only limit ACK value validation for packet where the ACK bit is
set.
 4 years ago
Eric Leblond 556570f7dd stream/tcp: don't reject on bad ack 
Not using a packet for the streaming analysis when a non zero
ACK value and ACK bit was unset was leading to evasion as it was
possible to start a session with a SYN packet with a non zero ACK
value to see the full TCP stream to escape all stream and application
layer detection.

This addresses CVE-2021-35063.

Fixes: fa692df37 ("stream: reject broken ACK packets")

Ticket: #4504.
 4 years ago
Eric Leblond 0d81173d6e stream/tcp: update ack handling logic 
Only update the ack value of a session for regular packets when
the ACK bit is set.
 4 years ago
Philippe Antoine 9e7ea631b2 dns: improve probing parser 
Checks opcode is valid
Checks additional_rr do not exceed message length
Better logic for incomplete cases
 4 years ago
Victor Julien d8d1fbe443 detect/files: fix buffer tracking with multiple files 4 years ago
Victor Julien 3c1cc1e345 mqtt: move sub/unsub limits into app-layer config 4 years ago
Sascha Steinbiss 4c0ef73bf2 detect/mqtt: add topic inspection limit 
We add a new 'mqtt.(un)subscribe-topic-match-limit' option
to allow a user to specify the maximum number of topics in
a MQTT SUBSCRIBE or UNSUBSCRIBE message to be evaluated
in detection.
 4 years ago
Philippe Antoine 33fa7ab596 smtp: null terminate before calling strtoul 
by copying in a temporary buffer
as is done in ByteExtractString
 4 years ago
Philippe Antoine 4d2f9cc8a0 swf: right input length for decompression 4 years ago
Philippe Antoine 6f03ee2e47 dcerpc: handles bigger inputs than 2^16 
By comparing integers with the largest size
 4 years ago
Philippe Antoine 7d0a39412b detect: use u32 for InspectionBufferMultipleForList 
So that we do not have an endless loop casting index to
u16 and having more than 65536 buffers in one transaction

Changes for all protocols, even ones where it is impossible
to have such a pattern, so as to avoid bad pattern copy/paste
in the future
 4 years ago
Victor Julien e611adf3dc detect: set event if max inspect buffers exceeded 
If a parser exceeds 1024 buffers we stop processing them and
set a detect event instead. This is to avoid parser bugs as well as
crafted bad traffic leading to resources starvation due to excessive
loops.
 4 years ago
Victor Julien 3dc50322db detect: fix multi inspect buffer issue; clean up 
Fix multi inspect buffer API causing cleanup logic in the single
inspect buffer paths. This could lead to a buffer overrun in the
"to clear" logic.

Multi buffers now use InspectionBufferSetupMulti instead of
InspectionBuffer. This is enforced by a check in debug validation.

Simplify the multi inspect buffer setup code and update the callers.
 4 years ago
Victor Julien 23d7beb458 detect: reformat events table 4 years ago
Philippe Antoine b3c1f2ab48 nfs: improve probing parser 
Checks credentials flavor is known
 4 years ago
Philippe Antoine 0c948142b9 enip: improve probing parser 
Strict length for register sessions
NOP command must have options=0
 4 years ago
Philippe Antoine 8bf6530540 config: fix null dereference in MacSetRegisterFlowStorage 
Crash happens with
--set outputs.eve-json.types.files.force-magic=yes
 4 years ago
Philippe Antoine 39575e2cc9 modbus: use ascii character classes while parsin rule 
As the rust regex crate is unicode aware, which was
not the case of the C version
 4 years ago
Philippe Antoine ef5755338f rust: SCLogDebug is real nop when built as release 
Before, even if there were no outputs, all the arguments
were evaluated, which could turn expensive

All variables which are used only in certain build configurations
are now prefixed by underscore to avoid warnings
 4 years ago
Victor Julien 20e8f90981 http2: set Debug on structs 4 years ago
Victor Julien 86e600dab8 unittests: optimize RunmodeIsUnittests() 4 years ago
Victor Julien 4ecde6efb0 stream: packet to stream flags macro 4 years ago
Victor Julien beb6b1e0d1 packets: more detailed entry debug for detect/stream 4 years ago
Victor Julien 3587033d9e files: construct with default, free on drop 
Update protocols.
 4 years ago
Victor Julien d757545f03 files: implement default support 4 years ago
Philippe Antoine fdab22d924 rust: fix app-layer parser flags 
This especially allows for SSH bypass to work
 4 years ago
Jeff Lucovsky 61fa748e9d decode/vxlan: Delay var init until needed 
This commit modifies the var initialization slightly until after
integrity checks have been performed.
 4 years ago
Jeff Lucovsky 415db83d2d general/typo: Correct typo 4 years ago
Jeff Lucovsky 83067e5a55 decode: Eliminate NULL pkt checks 
This commit removes the NULL pkt check that each decoder performs as
this is a "can't happen" case.
 4 years ago
Mats Klepsland 2a326421aa thresholds: Fix buffer overflow in threshold context 
th_entry is resized using ThresholdHashRealloc() every time a rule with
a threshold using by_rule tracking is added. The problem is that this is
done before the rules are reordered, so occasionally a rule with by_rule
tracking gets a higher signature number (after reordering) than the
number of th_entries allocated, causing Suricata to crash.

This commit fixes this by allocating th_entries after all the rules are
loaded and reordered.

Backtrace from core dump:

  Program terminated with signal SIGSEGV, Segmentation fault.

  #0  0x000000000051b381 in ThresholdHandlePacket (p=p@entry=0x7fb0080f3960, lookup_tsh=0x51, new_tsh=new_tsh@entry=0x7fb016c316e0, td=td@entry=0x14adedf0, sid=9800979, gid=1, pa=0x7fb0080f3b18)
      at detect-engine-threshold.c:415
  415>----                if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {

Bug #4503.
 4 years ago
Mats Klepsland f47e4375b3 thresholds: syntax fixes 
Fix syntax of if statement in SigGetThresholdTypeIter()
 4 years ago
Mats Klepsland b0b4fab794 thresholds: remove unneeded function argument 
Remove packet pointer from SigGetThresholdTypeIter() as it is
unused.
 4 years ago
Juliana Fajardini 6b8b58f98a doc/eve: common fields and alert updates 
- update examples for both
- change app_proto from alert field to common field, as
  per JsonBuilder's changes.
 4 years ago
Juliana Fajardini eacf933edf doc/eve: fix typos 4 years ago
Jeff Lucovsky 02fe026046 output: Fix possible null deref 
This commit corrects an issue uncovered by Coverity. See the redmine
issue for details: https://redmine.openinfosecfoundation.org/issues/4495
 4 years ago
Philippe Antoine d00b755b64 http2: only mimic http1 request if there is one 
That may not be the case in midstream/async configurations
 4 years ago
Jason Ish 70b21df756 makefile: don't include the whole test/ directory 
Including the whole directory results in .deps files ending up
in the distribution archive which shouldn't be there. Instead
we have to list all the test sources individually.
 4 years ago
Jeff Lucovsky aa8871a5be rust/default: Enable Default usage 4 years ago