aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
8,264 Commits
7 Branches
155 Tags
194 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd9e5dfa1f0'
${ noResults }
Commit Graph

8264 Commits (d9e5dfa1f0e5170b7d493b89c1c95592a6fe82cb)
 

Author SHA1 Message Date
Victor Julien 4697330b73 doc: flowints formatting cleanup 8 years ago
Victor Julien 0af562d4c8 doc: move parts out of snort difference doc 
Move generic keyword descriptions to the keyword documentation.
 8 years ago
David Wharton a8d0ae460c doc: removing (replaced) snort-compatibility.rst 
snort-compatibility.rst replaced by differences-from-snort.rst
 8 years ago
David Wharton 8a53d49e81 doc: replacing snort-compatibility link 
The snort-compatibility.rst document is being replaced by
differences-from-snort.rst. This commit updates the link.
 8 years ago
David Wharton 6bc7c64794 doc: overhaul of the snort-compatibility document 
This is intended to replace the existing 'snort-compatibility.rst'
document.
Based on "The Suricata Rule Writing Guide for The Snort Expert"
2016 SuriCon talk.
 8 years ago
Victor Julien c513896786 bug 2113: unix-socket start up race 8 years ago
Victor Julien 5b56d324c4 app-layer: optimize many-tx case 8 years ago
Victor Julien 4459b88782 output: tx logging optimizations 8 years ago
Victor Julien 5c01b40931 tests: update tests for app-layer changes 8 years ago
Victor Julien 3148ff34b6 app-layer API optimizations and cleanups 8 years ago
Victor Julien cd97fa80f1 file: fix pruning for parallel files 
Allow pruning of random files, not just list head.
 8 years ago
Victor Julien afedd5c6df file: fix storing parallel files 
When looping available files 'flags' misuse would lead to all files
being closed after the first close.

This patch separates per file and per call flags.
 8 years ago
Victor Julien ae99e08396 file: update loops to account for parallel files 8 years ago
Victor Julien c4c93872f8 file: introduce per file 'track id' 
Some protocols transfer multiple files in parallel. To support this add
a 'track id' to the API. This track id is set by the protocol parser. It
will use this id to indicate what file in the FileContainer it wants to
act on.
 8 years ago
Victor Julien 1062a9213b file-store: small cleanup 8 years ago
Victor Julien 944ab48b20 file: clarify file store id name 8 years ago
Victor Julien f18c976a8e flow: counters for total number of flows 
flow.tcp
flow.udp
flow.icmpv4
flow.icmpv6
 8 years ago
Jason Ish ac7cf48a98 dnp3: in template, include files own headers 
To deal with -Wmissing-prototypes as added in
ab1200fbd7

Note: Change was already applied to source files, this just
updates the generation.
 8 years ago
Victor Julien 312ad9e3ad pfring: compiler warning fixes 8 years ago
Victor Julien f6e3755b5c lua: extend SCFlowAppLayerProto 
Change SCFlowAppLayerProto to return 5 values:
<alproto> <alproto_ts> <alproto_tc> <alproto_orig> <alproto_expect>:

alproto: detected protocol
alproto_ts: detected protocol in toserver direction
alproto_tc: detected protocol in toclient direction
alproto_orig: pre-change/upgrade protocol
alproto_expected: expected protocol in change/upgrade

Orig and expect are used when changing and upgrading protocols. In a
SMTP STARTTLS case, orig would normally be set to "smtp" and expect
to "tls".
 8 years ago
Victor Julien 9c071d1724 eve.flow: log original and expected app_protocols 
Log protocols if they are available.
 8 years ago
Victor Julien 88177694fd nfq: don't try to verdict detect/log flush pkts 8 years ago
Victor Julien d9908216d8 connect/starttls: handle detection corner cases 
When switching protocol from http to tls the following corner case
was observed:

 pkt 6, TC "200 connection established"
 pkt 7, TS acks pkt 6 + adds "client hello"
 pkt 8 TC, acks pkt 7
 pkt 8 is where normally the detect on the 200 connection established
       would run however before detection runs the app-layer is called
       and it resets the state

So the issue is missed detection on the last data in the original
protocol before the switch.

Another case was:

TS ->    STARTTLS
TC ->    Ack "STARTTLS data"
         220
TS ->    Ack "220 data"
         Client Hello

In IDS mode, this made a rule that wanted to look at content:"STARTTLS"
in combination with the protocol SMTP 'alert smtp ... content:"STARTTLS";'
impossible. By the time the content would match, the protocol was already
switched.

This patch fixes this case by creating a 'Detect/Log Flush' packet in
both directions. This will force final inspection and logging of the
pre-upgrade protocol (SMTP in this example) before doing the final
switch.
 8 years ago
Victor Julien 6f42ae91c7 app-layer: protocol change API 
Add API calls to upgrade to TLS or to request a protocol change
without a specific protocol expectation.

If the HTTP CONNECT session includes a port on the url, use that to
look up the probing parser during protocol detection. Solves a
missed detection of a SSLv2 session that upgrades to TLSv1. SSLv2
relies on the probing parser which is limited to certain ports.

In case of STARTTLS in SMTP and FTP, the port is hardcoded to 443.

A new event APPLAYER_UNEXPECTED_PROTOCOL is set if there was a
mismatch.
 8 years ago
Mats Klepsland 72c757433a app-layer: add decoder event for missing TLS after STARTTLS 8 years ago
Mats Klepsland 11b9e6fdab app-layer-ftp: add STARTTLS support 8 years ago
Mats Klepsland 8125f78f5f app-layer-ftp: detect FTP alproto when using AUTH TLS 
Try to detect FTP using the patterns '220 (' and 'FEAT', since 'USER '
and 'PASS ' are not sent in cleartext when using AUTH TLS.
 8 years ago
Mats Klepsland 74aa65073b output-json-tls: log 'from_proto' field 
Log the original application level protocol when protocol have been
changed because of STARTTLS, HTTP CONNECT or similar.
 8 years ago
Mats Klepsland e8800b1893 app-layer-smtp: add STARTTLS support 8 years ago
Mats Klepsland b6c2b7052b app-layer-htp: add HTTP CONNECT support 8 years ago
Victor Julien 893f868b42 proto-detect: add debug output 8 years ago
Mats Klepsland b8d13f354b app-layer: support changing flow alproto 
Support changing the application level protocol for a flow. This is
needed by STARTTLS and HTTP CONNECT to switch from the original
alproto to tls.

This commit allows a flag to be set 'FLOW_CHANGE_PROTO', which
triggers a new protocol detection on the next packet for a flow.
 8 years ago
Victor Julien 9b1f74409b magic: fix compile warnings 8 years ago
Victor Julien 3ff5dc3653 nfq: remove obsolete and broken netfilterforwin support 8 years ago
Victor Julien ea99099c64 isdataat: add test for leading space 8 years ago
Victor Julien 6142e88ed5 nflog: compiler warning fix 8 years ago
Victor Julien ab1200fbd7 compiler: more strict compiler warnings 
Set flags by default:

    -Wmissing-prototypes
    -Wmissing-declarations
    -Wstrict-prototypes
    -Wwrite-strings
    -Wcast-align
    -Wbad-function-cast
    -Wformat-security
    -Wno-format-nonliteral
    -Wmissing-format-attribute
    -funsigned-char

Fix minor compiler warnings for these new flags on gcc and clang.
 8 years ago
Victor Julien 342059835f detect-parse: improve common parser 
In preparation of turning input to keyword parsers to const add
options to the common rule parser to enforce and strip double
quotes and parse negation support.

At registration, the keyword can register 3 extra flags:

    SIGMATCH_QUOTES_MANDATORY: value to keyword must be quoted

    SIGMATCH_QUOTES_OPTIONAL: value to keyword may be quoted

    SIGMATCH_HANDLE_NEGATION: leading ! is parsed

In all cases leading spaces are removed. If the 'quote' flags are
set, the quotes are removed from the input as well.
 8 years ago
Victor Julien 842dfbc3f8 detect: enforce isdataat:!1,relative earlier 
The expression 'isdataat:!1,relative' is used to make sure a match
is at the end of a buffer quite often. This patch optimizes this case
for 'content' followed by the expression. It enforces it by setting
and 'ends with' flag on the content and then taking that flag into
account while doing the pattern match.
 8 years ago
Victor Julien c0275c2b29 detect: more content inspection tests 8 years ago
Victor Julien 7eda6beade detect: don't rescan when just distance is used 
Content inspection optimization: when just distance is used without
within we don't need to search recursively.

E.g. content:"a"; content:"b"; distance:1; will scan the buffer for
'a' and when it finds 'a' it will scan the remainder for 'b'. Until
now, the failure to find 'b' would lead to looking for the next 'a'
and then for 'b' after that. However, we already inspected the
entire buffer for 'b', so we know this will fail.
 8 years ago
Victor Julien 84b97ca155 detect: content-inspection tests 
Add tests for the content inspection engine that count the number
of steps it takes to eval a rule.
 8 years ago
Victor Julien b9579fbe7d detect: avoid needless recursive scanning 
Don't recursively inspect a detect list if the recursion
doesn't increase chance of success.
 8 years ago
Victor Julien bc7c01ecbc detect: use BIT_U32 macro for content flags 8 years ago
Victor Julien c65a119cc0 debug: suppress notice message 8 years ago
Victor Julien 276125c1ef cleanup: remove unused ringbuffer code 8 years ago
Victor Julien cda6e0291f cleanup: remove libpcap < 1 support 8 years ago
Victor Julien 119115d3b6 configure: remove CentOS5 pkg-config fix 8 years ago
Victor Julien 0516b5d704 cleanup: from AS_VERSION_COMPARE CentOS5 workaround 8 years ago
Victor Julien d31cb083e9 detect: update tests that mix state/stream inspect 8 years ago