suricata

Commit Graph

Author	SHA1	Message	Date
Anoop Saldanha	d4d18e3136	Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.	12 years ago
Last G	8ae11f73b2	Added parentheses to fix Eclipse static code analysis Fixed bug in action priority (REJECT_DST had lowest prio)	13 years ago
Anoop Saldanha	b99f9fe890	New app inspection engine introduced. Moved existing inspecting engines to use it.	13 years ago
Anoop Saldanha	7b4eac3e8d	Change all inspect callbacks to accept TV and a tx_id param.	13 years ago
Victor Julien	8f71333e12	file: implement filesize keyword. #489 .	13 years ago
Victor Julien	3849588c61	Create separate detect API call (FileMatch) for file detection keywords. #531 .	13 years ago
Victor Julien	c9e93ec52c	filemd5: add support code for md5 handling for signatures.	13 years ago
Victor Julien	9f7588a756	Add filemd5 keyword that loads a list of md5's to match a file's md5 against.	13 years ago
Victor Julien	19a7e7f395	flow: create a flow lock macro API, implement it for mutex and rwlocks. Mutex remains the default.	14 years ago
Victor Julien	2650551192	Rename signature init flags to indicate they are init flags.	14 years ago
Victor Julien	3009429e3c	HTTP transaction handling improvement In some cases AppLayerTransactionGetInspectId can return -1, which is now handled by all it's callers. Improve logic of selecting which transactions are inspected by the various HTTP keywords.	14 years ago
Victor Julien	938e9b3db0	Fix filestore related segv.	14 years ago
Victor Julien	9878eca086	file handling: expand filestore keyword Filestore keyword by default (... filestore; ... ) marks only the file in the same direction as the rule match for storing. This makes sense when inspecting individual files (filemagic, filename, etc) but not so much when looking at suspicious file requests, where the actual file is in the response. The filestore keyword now takes 2 optional options: filestore:<direction>,<scope>; By default the direction is "same as rule match", and scope is "currently inspected file". For direction the following values are possible: "request" and "to_server", "response" and "to_client", "both". For scope the following values are possible: "tx" for all files in the current HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow. For the above case, where a suspious request should lead to a response file download, this would work: alert http ... content:"/suspicious/"; http_uri; filestore:response; ...	14 years ago
Victor Julien	d59ca75e46	file extract: split toserver and toclient tracking Split toserver and toclient file tracking for the http state.	14 years ago
Victor Julien	04ea70ccf7	file extract: pruning Add pruning of files in memory so we keep only memory what we really need. Fix magic logic. Reset file part of the de_state on receiving another file in the same tx.	14 years ago
Victor Julien	b402d97179	File carving -- enable reponse file extraction - Enable response body tracking - Enable file extraction for responses - File store meta file includes magic, close reason. - Option to force magic lookup for all stored files. - Fix libmagic calls thead safety.	14 years ago
Victor Julien	e1022ee5ae	file-extraction: Disconnect file handling from flow and move into the app layer state.	14 years ago
Victor Julien	9b62ec65ab	Make sure filemagic works properly regardless of filestore being in use for a flow.	14 years ago
Victor Julien	5945e652d6	Initial implementation of filemagic keyword.	14 years ago
Victor Julien	23e01d23d3	Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored.	14 years ago

20 Commits (f10dd603ff42201ec931c33325327d1bdce00e18)