Commit Graph

15215 Commits (e2fbcf9654c3687d22ec4e6f2bb9dd9c0a0b3f90)
 

Author SHA1 Message Date
Victor Julien e2fbcf9654 detect/payload: remove unneeded pointer reset
DetectEngineThreadCtx::replist is managed elsewhere.
2 years ago
Victor Julien 6db02563f1 detect/isdataat: optimize recursion mismatches
Since recursive content matching goes through the buffer from left to
right, it is possible to bail early when isdataat is part of the
recursive checking. If `isdataat:50,relative` fails for offset 10, it
will surely also fail for offset 20. So break inspection in such cases.

The exception is for dynamic isdataat, where the value is determined
by a prior byte_extract that may be updated during the recursion.
2 years ago
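The early bail described in the commit message above, modelled as an added example in C (not Suricata's own detect-engine code). The names inspect_content_isdataat, find_content and InspectResult are invented for the example, the sample buffer is constructed, and isdataat is simplified to "at least N bytes remain after the content match"; the dynamic branch stands in for a byte_extract that re-reads N from the byte following each match.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of one inspection. The candidate counter only exists to make the
 * early bail observable: it is the number of content matches examined. */
typedef struct {
    bool matched;
    uint32_t candidates;
} InspectResult;

/* Constructed sample: two "ab" matches, each followed by a length byte
 * (9 and 1) that the dynamic variant uses as N. */
static const uint8_t sample_buf[] = { 'a', 'b', 0x09, 'x', 'a', 'b', 0x01, 'x' };
static const uint8_t sample_pat[] = { 'a', 'b' };

/* Offset of the next occurrence of pat at or after `from`, or -1. */
static int find_content(const uint8_t *buf, uint32_t len,
                        const uint8_t *pat, uint32_t patlen, uint32_t from)
{
    if (patlen == 0 || len < patlen)
        return -1;
    for (uint32_t i = from; i + patlen <= len; i++) {
        if (memcmp(buf + i, pat, patlen) == 0)
            return (int)i;
    }
    return -1;
}

/* Models `content:"<pat>"; isdataat:N,relative;` walked left to right.
 * If `dynamic` is false, N is the fixed value `fixed_n`. If it is true,
 * N is re-extracted for every candidate from the byte after the match,
 * so a later candidate may need fewer bytes and early bail is unsafe. */
InspectResult inspect_content_isdataat(const uint8_t *buf, uint32_t len,
                                       const uint8_t *pat, uint32_t patlen,
                                       uint32_t fixed_n, bool dynamic)
{
    InspectResult r = { false, 0 };
    uint32_t from = 0;
    int off;

    while ((off = find_content(buf, len, pat, patlen, from)) >= 0) {
        uint32_t end = (uint32_t)off + patlen;   /* relative anchor */
        uint32_t remaining = len - end;
        uint32_t needed = fixed_n;

        r.candidates++;
        if (dynamic) {
            if (remaining == 0) {                /* nothing to extract */
                from = (uint32_t)off + 1;
                continue;
            }
            needed = buf[end];
        }

        if (remaining >= needed) {
            r.matched = true;
            return r;
        }
        /* Every later candidate ends further right, so `remaining` can
         * only shrink. With a fixed N the check cannot succeed later. */
        if (!dynamic)
            return r;
        from = (uint32_t)off + 1;
    }
    return r;
}

int main(void)
{
    InspectResult r = inspect_content_isdataat(sample_buf, sizeof(sample_buf),
                                               sample_pat, sizeof(sample_pat), 7, false);
    printf("static isdataat:7,relative -> matched=%d after %u candidate(s)\n",
           (int)r.matched, (unsigned)r.candidates);
    r = inspect_content_isdataat(sample_buf, sizeof(sample_buf),
                                 sample_pat, sizeof(sample_pat), 0, true);
    printf("dynamic isdataat           -> matched=%d after %u candidate(s)\n",
           (int)r.matched, (unsigned)r.candidates);
    return 0;
}
```

With a fixed N of 7 the first candidate fails with 6 bytes remaining and inspection stops after one candidate; the dynamic variant must continue and finds the second match, whose extracted N is 1.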
Victor Julien c19d11ff0d detect/content-inspect: flatten branches
Flatten else branches after terminating ifs.
2 years ago
Victor Julien 4cce7ba48b detect/content-inspect: localize recursion counting
Use stack local var instead of DetectEngineThreadCtx member. Instead
setup a stack local struct that both counts and holds the limit. Make sure
the limit is a const so we can avoid rereading it.

This is part of an effort to reduce the size of the DetectEngineThreadCtx
structure and reduce the number of memory writes to it. Additionally, it
is part of an effort to reduce the number of places where detection
tracks various forms of state.
2 years ago
Victor Julien 97f78e1b49 detect/content-inspect: reduce scope of internal func 2 years ago
Victor Julien e9b33c48f0 detect/base64: move content inspection logic
Integrate with rest of content inspect code.
2 years ago
Victor Julien 6a01f40d40 detect/krb5.sname: use new content inspect entry 2 years ago
Victor Julien c9ab95cbe2 detect/dns.query: use new content inspect entry 2 years ago
Victor Julien d73cce478c detect/content-inspect: add entry for InspectionBuffer
This is a convenience addition to abstract away the internals of
the InspectionBuffer in keyword specific detection code.
2 years ago
Victor Julien b357532e7e detect/content-inspect: switch type of enum 2 years ago
Victor Julien 1f265d9d79 detect/content-inspect: assist branch prediction
Hitting the recursion limit should be rare.
2 years ago
Victor Julien b1fa975503 detect/content-inspect: remove const casting 2 years ago
Victor Julien 0ba4b297df detect/content-inspect: pass const to inspect func 2 years ago
Victor Julien a7c9028f01 detect/content-inspect: reduce scope of variables 2 years ago
Stephen Donnelly 0850e3d137 util/time: Improve usecs handling in time macros
Fix SCTIME_ADD_SECS zeroing subsecond part

When adding s seconds to SCtime_t ts, don't zero out the ts.usecs field.

Issue: 6584

Fix SCTIME_FROM_TIMESPEC garbage microseconds part

When converting nanoseconds to microseconds, divide by 1000 instead
of multiplying by 1000.

Issue: 6585
2 years ago
Ilya Bakhtin 417806ca35 napatech: Fix packet timestamps
Initialize both seconds and useconds of packet timestamp from napatech
timestamp format.

This commit uses updated macro definitions from util-utime.h to avoid
zero seconds value.

Issue: 6372
2 years ago
Ilya Bakhtin d3095ac058 util/time: Prevent usecs overflow
This commit takes care of the original seconds value and prevents the
useconds field from overflowing past its maximum value.

Issue: 6372
2 years ago
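The three time fixes above (issues 6584, 6585 and 6372) as an added example in C, not Suricata's util-time.h. SCTime_t here is a stand-in with the two fields the messages mention; the function names sctime_add_secs, sctime_add_usecs, sctime_from_sec_nsec and sctime_normalize are invented, and the buggy add-seconds variant is kept only for contrast.

```c
#include <stdint.h>

/* Stand-in for Suricata's SCTime_t (assumption: a seconds/microseconds pair). */
typedef struct {
    uint64_t secs;
    uint32_t usecs;   /* kept in [0, 999999] by sctime_normalize */
} SCTime_t;

SCTime_t sctime_make(uint64_t secs, uint32_t usecs)
{
    SCTime_t t = { secs, usecs };
    return t;
}

/* Fold any usecs >= 1,000,000 into secs (the overflow fix, issue 6372). */
static SCTime_t sctime_normalize(SCTime_t t)
{
    t.secs += t.usecs / 1000000u;
    t.usecs = t.usecs % 1000000u;
    return t;
}

/* Add whole seconds without touching the subsecond part (issue 6584). */
SCTime_t sctime_add_secs(SCTime_t t, uint64_t s)
{
    t.secs += s;
    return t;
}

/* The pre-fix behaviour described in the commit message: usecs zeroed. */
SCTime_t sctime_add_secs_buggy(SCTime_t t, uint64_t s)
{
    SCTime_t r = { t.secs + s, 0 };
    return r;
}

/* Add microseconds and carry into secs instead of letting usecs run past
 * 999999. */
SCTime_t sctime_add_usecs(SCTime_t t, uint64_t us)
{
    t.secs += us / 1000000u;
    t.usecs += (uint32_t)(us % 1000000u);
    return sctime_normalize(t);
}

/* Build from a seconds/nanoseconds pair as carried by struct timespec:
 * nanoseconds are divided by 1000, not multiplied (issue 6585). */
SCTime_t sctime_from_sec_nsec(uint64_t sec, uint64_t nsec)
{
    SCTime_t t = { sec, (uint32_t)(nsec / 1000u) };
    return sctime_normalize(t);
}
```

Normalizing after every arithmetic step is what keeps the invariant on usecs; a caller that adds 2,100,000 microseconds to 10.900000 gets 13.000000 rather than a usecs field of 1,000,000.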
Juliana Fajardini bdec2d8ea8 pgsql: don't log password msg if password disabled
If the logging of the password is disabled, there isn't much point in
logging the password message itself.
2 years ago
jason taylor fc81c99b58 doc: add file.name information to smtp keyword doc
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor 9d1ad0187e doc: add file.name information to nfs keyword doc
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor 327ba7397a doc: add file.name information to smb keyword doc
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor e4077b8803 doc: update ftp keyword doc example rule format
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor bb1f7575d3 doc: add file.name information to ftp keyword doc
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor bbc17b1c7d doc: add file.name information to http keyword doc
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Vincent Li 64d12aacc8 ebpf: Update eBPF map to BTF defined map
The legacy map definition is removed from libbpf 1.0+.
Update the legacy map definition to a BTF-defined map.

Distros with libbpf < 1.0 (0.5, 0.6, 0.7, 0.8) have a bpf_helpers.h that
supports BTF map definitions, so this change does not break
old libbpf and supports new libbpf 1.0+.

Bug: #6250

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Co-authored-by: Victor Julien <vjulien@oisf.net>
2 years ago
Juliana Fajardini 9aeeac532e pgsql: remove probe_ts function
With the changes in the probing_ts function, this other one could become
obsolete. Remove it, and directly call `parser::parse_request` when
checking for gaps, instead.
2 years ago
Juliana Fajardini 53d29f652a pgsql: remove unused error handling call 2 years ago
Juliana Fajardini afd6e4dc41 pgsql: don't log unknown message type 2 years ago
Juliana Fajardini 4f85d06192 pgsql: fix probing functions
Some non-pgsql traffic seen by Suricata is mistakenly identified as
pgsql, as the probing function is too generic. Now, if the parser sees
an unknown message type, even if it looks like pgsql, it will fail.

Bug #6080
2 years ago
Juliana Fajardini 1ac5d97259 pgsql: add unknown frontend message type
We had an unknown message type for the backend, but not the frontend
messages. It's important to better identify those to improve pgsql
probing functions.

Related to
Bug #6080
2 years ago
Shivani Bhardwaj c1bf955326 detect-engine: use ports only after edge case handling
Also, add comments to clarify what's happening in the code.
2 years ago
Shivani Bhardwaj 77eb85e224 detect: remove misleading comment
The comment seems to have come from the enum for addresses where IPv4
and IPv6 matters.
2 years ago
Shivani Bhardwaj 8960a86f4f detect/port: remove BUG_ON in favor of PORT_ER
Either the BUG_ON condition would hit or PORT_ER. Prefer to return error
in case of an error as the fn expects that.
2 years ago
Shivani Bhardwaj d8a887e518 detect/engine: defensive check and comment update 2 years ago
Shivani Bhardwaj 945ec4bc0a detect: remove redundant null setting
de_ctx->dport_hash_table is already set to NULL in the fn
DetectPortHashFree which is called right before this setting.
Remove the redundant setting.
2 years ago
Shivani Bhardwaj 6076b9e2f0 detect: use proper names for whitelist score criteria 2 years ago
Shivani Bhardwaj 4a00ae6076 detect/engine: fix whitelisted port range check
So far, the condition for checking if the whitelisted port was in the
port range of "a" said

a->port >= w->port && a->port2 <= w->port

But, if a->port <= a->port2, this condition could only be true when
a->port == w->port == a->port2. However, the motivation for this fn was
to be able to find if the whitelisted port for a carrier proto already
was in the range of the given protocol and calculate a score for the
port accordingly.
Fix the range check such that a->port <= w->port <= a->port2.
2 years ago
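The old and fixed range checks from the commit message above, side by side, as an added example in C (not Suricata's detect-engine code). DetectPort here is a stand-in holding an inclusive [port, port2] range; the function names, the counting helper and the sample port lists are invented for the example, and the scoring weights the message refers to are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>

/* Stand-in for the relevant part of DetectPort (assumption). */
typedef struct {
    uint16_t port;
    uint16_t port2;
} DetectPort;

/* Constructed samples: an ephemeral-style range, a single-port range and
 * a handful of ports standing in for the per-protocol whitelist. */
static const DetectPort sample_range = { 1024, 65535 };
static const DetectPort single_port  = { 443, 443 };
static const uint16_t sample_wl[] = { 80, 443, 3389, 8080 };

/* Check as it stood before the fix. With port <= port2 it can only be
 * true when port == w == port2. */
bool whitelist_port_in_range_old(const DetectPort *a, uint16_t w)
{
    return a->port >= w && a->port2 <= w;
}

/* Fixed check: a->port <= w <= a->port2. */
bool whitelist_port_in_range(const DetectPort *a, uint16_t w)
{
    return a->port <= w && w <= a->port2;
}

/* How many whitelisted ports fall inside the range under a given check;
 * this is the input the port scoring would work from. */
uint32_t count_whitelisted_in_range(const DetectPort *a,
                                    const uint16_t *wl, uint32_t n,
                                    bool (*in_range)(const DetectPort *, uint16_t))
{
    uint32_t hits = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (in_range(a, wl[i]))
            hits++;
    }
    return hits;
}
```

For the range 1024:65535 the old predicate never fires, so the whitelisted ports 3389 and 8080 would not have influenced the score; it only agrees with the fixed check on a degenerate single-port range such as 443:443.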
Shivani Bhardwaj 2b73a17bb0 detect: rename whitelist to score
The term "whitelist" is actually used to store a list of DetectPort type
items for tcp and udp in detect.h. Using the same term for also keeping
the score that affects the grouping of rules is confusing. So, rename
the variable to "score".
2 years ago
Shivani Bhardwaj 1f78a4fcd8 detect-engine: use only the exact match fn
DetectFlagsSignatureNeedsSynPackets checks if TCP SYN flag is set among
other flags.
DetectFlagsSignatureNeedsSynOnlyPackets checks if only TCP SYN flag is
set and no other flag.

Since DetectFlagsSignatureNeedsSynOnlyPackets also already checks for
TCP SYN flag, it does not need to be used in combination with
DetectFlagsSignatureNeedsSynPackets as this fn seems to be the superset
of the former.
2 years ago
Victor Julien d3ccff5822 detect/asn1: handle in PMATCH
Since the asn1 keyword is processing payload data, move the handling of
the keyword into the PMATCH with content inspection.

Use u32 as buffer length in the Rust FFI
2 years ago
Victor Julien 13cc493885 flow/timeout: clean up flow finish code 2 years ago
Victor Julien ea4503c3e3 flow/timeout: use single packet for timeout handling
In the FlowFinish logic, one or two pseudo packets are used to finish flow
handling. In the case of 2 (one per direction), the logic first set up the
2 packets, then it would process them one by one. This led to poor cache
locality.

This patch processes the first packet entirely first, followed by the second
packet.
2 years ago
Victor Julien 2a4fd85d1d flow/timeout: use const TcpSession; cleanup prototypes 2 years ago
Victor Julien 9639da32b7 detect/content-inspect: minor code cleanups 2 years ago
Victor Julien a3ac3e69d6 detect/replace: minor code cleanup 2 years ago
Victor Julien 3d7e0927bf detect/content: minor code/comment cleanups 2 years ago
Victor Julien 8ba7f23c9b detect/content: use const pointer where possible 2 years ago
Victor Julien 643f25280b detect/app-layer-events: constify arguments; minor cleanups 2 years ago
Victor Julien 15b545d16f detect: improve explanation of offset tracking 2 years ago
Victor Julien 65560ad8ca detect/content: test cleanup 2 years ago