aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
13,455 Commits
7 Branches
161 Tags
184 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e250ef6402'
${ noResults }
Commit Graph

69 Commits (e250ef6402998eac36dfb46b6d91aca0e4d184b2)

Author SHA1 Message Date
Victor Julien e250ef6402 debug: remove empty header 3 years ago
Victor Julien ad3e68f378 detect/file: minor cleanups 3 years ago
Victor Julien af145ad125 detect/file: reduce scope of keyword data structures 3 years ago
Victor Julien 73eb7744d8 detect/file: update copyright years 3 years ago
Philippe Antoine 02f2602dde src: rework includes as per cppclean 3 years ago
Philippe Antoine b8524e70d9 detect: change InspectEngineFuncPtr2 to return uint8_t 3 years ago
Victor Julien 4feb0529a4 detect/file: minor code cleanup 
Reduce scope where possible. Suggested by cppcheck.
 3 years ago
Victor Julien d8d1fbe443 detect/files: fix buffer tracking with multiple files 4 years ago
Victor Julien 3dc50322db detect: fix multi inspect buffer issue; clean up 
Fix multi inspect buffer API causing cleanup logic in the single
inspect buffer paths. This could lead to a buffer overrun in the
"to clear" logic.

Multi buffers now use InspectionBufferSetupMulti instead of
InspectionBuffer. This is enforced by a check in debug validation.

Simplify the multi inspect buffer setup code and update the callers.
 4 years ago
Philippe Antoine 707f027231 protos: renaming ALPROTO_HTTP* constants 
Having now ALPROTO_HTTP1, ALPROTO_HTTP2 and ALPROTO_HTTP

Run with 3 sed commands
git grep ALPROTO_HTTP | cut -d: -f1 | uniq |
 xargs sed -i -e 's/ALPROTO_HTTP/ALPROTO_HTTP1/g'
git grep ALPROTO_HTTP12 | cut -d: -f1 | uniq |
 xargs sed -i -e 's/ALPROTO_HTTP12/ALPROTO_HTTP2/g'
git grep ALPROTO_HTTP1_ANY | cut -d: -f1 | uniq |
 xargs sed -i -e 's/ALPROTO_HTTP1_ANY/ALPROTO_HTTP/g'

and then running clang-format
 5 years ago
Victor Julien 13cebb1857 detect: fix heap overflow issue with buffer setup 
In some cases, the InspectionBufferGet function would be followed by
a failure to set the buffer up, for example due to a HTTP body limit
not yet being reached. Yet each call to InspectionBufferGet would lead
to the matching list_id to be added to the
DetectEngineThreadCtx::inspect.to_clear_queue. This array is sized to
add each list only once, but in this case the same id could be added
multiple times, potentially overflowing the array.
 5 years ago
Victor Julien 45eddde573 detect/file.name: register inspect engine for ftp-data 5 years ago
Victor Julien e0e4454db7 detect/files: inspect api v2 5 years ago
Philippe Antoine 096dce4bba http2: allow filestore to work with HTTP2 5 years ago
Philippe Antoine 61d0cd1399 signature: checks protocol for file.name keyword 
By setting the flags as for the filename keyword (not sticky version)
 5 years ago
Victor Julien 6ab323d323 detect: hide RegisterTests behind ifdef UNITTESTS 
Update all callers to more aggressively use UNITTESTS guards as well.
 5 years ago
Victor Julien 26bcc97515 detect/keywords: dynamic version part of doc URL 5 years ago
Jeff Lucovsky d3a65fe156 detect: Provide `de_ctx` to free functions 
This commit makes sure that the `DetectEngineCtx *` is available
to each detector's "free" function.
 5 years ago
Victor Julien a4a4d17ad0 app-layer/files: optimize GetFiles calls 
Remove FlowGetProtoMapping calls from the GetFiles wrapper and
get the alstate from the flow directly.
 6 years ago
Victor Julien 4dff903b35 detect: introduce pkt mpm engines 
Instead of the hardcode L4 matching in MPM that was recently introduced,
add an API similar to the AppLayer MPM and inspect engines.

Share part of the registration code with the AppLayer.

Implement for the tcp.hdr and udp.hdr keywords.
 6 years ago
Victor Julien 14896365ef detect: remove Threadvars argument from API calls 
Remove it as it's (almost) never used. If it is really needed it can
be accessed through DetectEngineThreadCtx::tv as well.
 6 years ago
Victor Julien 32fb7d773a detect/content-inspect: turn void arg into Packet 
Replace the 'void *data' argument by a 'Packet *p' as this was
the only user left of the data pointer.
 6 years ago
Victor Julien d64fbb71ae detect/file: add file.data, small cleanups 6 years ago
Victor Julien a6a0b0aa4a detect/files: fix file sigs state handling 
Make sure all file sig mismatches indicate this in their return
code, not just the ones with filestore enabled. This is needed
to tell the stateful detect engine that it is dealing with a file
sig, so it can make sure these are inspected correctly even if
there are possibly multiple files per tx.
 6 years ago
Eric Leblond 497f35164b detect-filename: avoid multiple inspections of buf 
If the filename inspection function is returning nomatch this will
trigger iterative inspections with same content (aka filename) being
inspected. To avoid this we change the return as the buffer inspection
has not to be inspected anymore.
 6 years ago
Victor Julien e710b06669 detect: add file.name sticky buffer 7 years ago
Victor Julien 164252e381 detect/file: fix minor scan-build warnings 7 years ago
Maurizio Abba f32cc6ca9c detect: fix fileext and filename negated match 
fix bug in fileext and filename preventing negated match to work
correctly. Previously, negated fileext (such as !"php") would cause a
match anyway on files that have extension php, as the last if would not
be accessed.

Using the same workflow as detect-filemagic we remove the final
isolated if and set it as a branch of the previous if.
 7 years ago
Victor Julien 75d7c9d64a rust/smb: initial support 
Implement SMB app-layer parser for SMB1/2/3. Features:
- file extraction
- eve logging
- existing dce keyword support
- smb_share/smb_named_pipe keyword support (stickybuffers)
- auth meta data extraction (ntlmssp, kerberos5)
 8 years ago
Eric Leblond b0a6934431 app-layer-ftp: add ftp-data support 
Use expectation to be able to identify connections that are
ftp data. It parses the PASV response, STOR message and the
RETR message to provide extraction of files.

Implementation in Rust of FTP messages parsing is available.

Also this patch changes some var name prefixed by ssh to ftp.
 8 years ago
Victor Julien 0d79181d78 nfs: rename nfs3 to nfs 
Since the parser now also does nfs2, the name nfs3 became confusing.
As it's still in beta, we can rename so this patch renames all 'nfs3'
logic to simply 'nfs'.
 8 years ago
Victor Julien d6592211d0 rust/nfs: NFSv3 parser, logger and detection 8 years ago
Victor Julien a636d96b15 detect/file: cleanups 
TX id is enfored in the engine, so the keywords don't need to.

Unify detect file engines.
 8 years ago
Victor Julien ab1200fbd7 compiler: more strict compiler warnings 
Set flags by default:

    -Wmissing-prototypes
    -Wmissing-declarations
    -Wstrict-prototypes
    -Wwrite-strings
    -Wcast-align
    -Wbad-function-cast
    -Wformat-security
    -Wno-format-nonliteral
    -Wmissing-format-attribute
    -funsigned-char

Fix minor compiler warnings for these new flags on gcc and clang.
 8 years ago
Victor Julien 342059835f detect-parse: improve common parser 
In preparation of turning input to keyword parsers to const add
options to the common rule parser to enforce and strip double
quotes and parse negation support.

At registration, the keyword can register 3 extra flags:

    SIGMATCH_QUOTES_MANDATORY: value to keyword must be quoted

    SIGMATCH_QUOTES_OPTIONAL: value to keyword may be quoted

    SIGMATCH_HANDLE_NEGATION: leading ! is parsed

In all cases leading spaces are removed. If the 'quote' flags are
set, the quotes are removed from the input as well.
 8 years ago
Victor Julien d304be5bc3 detect: register progress in inspect engines 
Register required progress so we can stop inspecting as soon
as the progress isn't far enough yet.
 9 years ago
Victor Julien 5bafc64c08 detect: unify FileMatch API with other calls 9 years ago
Victor Julien 8bd1422948 detect: detect engine registration cleanup 9 years ago
Victor Julien b68343e372 files: use dynamic list 9 years ago
Victor Julien bd456076a8 detect: pass SigMatchData to inspect functions 9 years ago
Victor Julien bfd4bc8233 detect: constify Signature/SigMatch use at runtime 9 years ago
Eric Leblond a2e2f50fb9 documentation: fix list keywords URLs 
Update URLs in keyword definition to point to sphinx documentation.
 9 years ago
Victor Julien 6f253e1ea7 file detect: register inspect engines from keyword 9 years ago
Victor Julien 9030e89c94 detect: don't set alproto while registering keyword 
The field is not used except for some printing, and is wrong for
many keywords.
 9 years ago
Victor Julien c957c62824 detect file: enable HTTP inspection from validate func 9 years ago
Victor Julien 621860f5b2 detect file: enforce protocol in single place 
Instead of trying to enforce the app layer protocol in each file
function, enforce it in the generic validation function.
 9 years ago
Eric Leblond ed90a16e89 detect: fix setup for some keywords 
Fix problems found by siginit.cocci.
 9 years ago
Jason Ish 796dd5223b tests: no longer necessary to provide successful return code 
1 pass, 0 is fail.
 10 years ago
Ken Steele 923a77e952 Change Match() function to take const SigMatchCtx* 
The Match functions don't need a pointer to the SigMatch object, just the
context pointer contained inside, so pass the Context to the Match function
rather than the SigMatch object. This allows for further optimization.

Change SigMatch->ctx to have type SigMatchCtx* rather than void* for better
type checking. This requires adding type casts when using or assigning it.

The SigMatch contex should not be changed by the Match() funciton, so pass it
as a const SigMatchCtx*.
 11 years ago
David Abarbanel c2dc686742 SMTP MIME Email Message decoder 11 years ago