suricata

Commit Graph

Author	SHA1	Message	Date
Philippe Antoine	6921608673	http: updates suricata.yaml comments As well as the userguide documentation about suricata.yaml	5 years ago
Jason Ish	9111b9df57	doc: cleanup enging logging Attempt cleanup the engine logging a bit. Also a include a verbatim excerpt of the default configuration here for reference purposes.	5 years ago
Jason Ish	c97195bf0b	doc: -v verbose option documentation update Update -v documentation to reflect the new behaviour discussed in bug #1851 where -v changes the log level to fixed levels instead of an offset of the default log level configured in suricata.yaml.	5 years ago
Konstantin Klinger	808ea0dba9	app-layer: remove obsolete msn protocol detection	5 years ago
Victor Julien	6d2bd6607e	datasets: make clear the feature is experimental	5 years ago
Jeff Lucovsky	17c3e22ecd	doc/eve.alert: Expand metadata description	5 years ago
Victor Julien	4061bf5ceb	doc/datasets: update example config to map	5 years ago
Victor Julien	029683cbac	doc: reformat linux ips guide	5 years ago
Eric Leblond	6d9416148b	doc: add nftables IPS configuration	5 years ago
Eric Leblond	82eb669205	doc: information about scaling AF_PACKET IPS mode	5 years ago
Eric Leblond	ffe81dc9f2	doc: add info about AF_PACKET IPS Based on https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/ Also fix some typo in Netfilter setup.	5 years ago
Jason Ish	0cd5452194	doc: mark independent json loggers as deprecated This is the loggers such as alert-json-log, dns-json-log, etc. They are not even referenced in the default configuration file, and are easily replaced with multiple eve instances.	5 years ago
Jason Ish	212252faf2	doc/drop.log: mark as deprecated and scheduled to be removed Also make sure options are in sync with those in suricata.yaml.	5 years ago
Jason Ish	5345379d14	doc/unified2: add deprecation/removal notice	5 years ago
Jason Ish	873bc290bc	doc/filestore(v1) - make deprecation text a note Highlights that is is deprecated in the HTML output.	5 years ago
Jason Ish	7f32822843	doc/filestore(v1) - document force-filestore field	5 years ago
Jeff Lucovsky	44a59b78c7	doc/anomaly Remove event_no	5 years ago
Victor Julien	be6cdd37f8	stream: remove fix stream.depth references	5 years ago
Peter Manev	10819ed892	doc: Update tuning considerations doc	5 years ago
Peter Manev	6df1001957	doc: Update high performance config doc	5 years ago
Victor Julien	bd2f1e15fd	doc/stats: minor clarrifications on 5.0 defaults	6 years ago
Victor Julien	42438ec08e	doc/userguide: add quickstart to dist	6 years ago
Giuseppe Longo	dd5d0afd79	doc: add SIP keywords	6 years ago
Jason Ish	d3e2cc9926	doc: document dns.opcode keyword	6 years ago
Jason Ish	daed788d49	doc: Replace dns_query with dns.query.	6 years ago
Giuseppe Longo	972be0a560	doc: update file-extraction section	6 years ago
Travis Green	798d874662	doc: fix whitespace	6 years ago
Victor Julien	6aa2d550a1	doc/dotprefix: fix example rules	6 years ago
Jeff Lucovsky	ab3d6328ba	detect/transform: add dotprefix keyword to doc	6 years ago
Victor Julien	df325d63ea	doc/eve.anomaly: fix indent and general formatting	6 years ago
Jeff Lucovsky	075592b66f	doc: Simplified anomaly configuration settings	6 years ago
Jeff Lucovsky	aaacbf28c2	logging/anomaly: Support configuration filter types	6 years ago
Eric Leblond	35bc73e4e2	doc: change eBPF directory path	6 years ago
Zach Kelly	caef8b5b38	protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions	6 years ago
Andreas Herz	d657fd9bf0	doc: add quickstart guide	6 years ago
Victor Julien	d5009c5d8c	doc/stream: briefly explain bypass	6 years ago
Jason Ish	0bb07b550c	userguide: remove section on using Oinkmaster Users should be using Suricata-Update now.	6 years ago
Travis Green	3f146cdd7e	doc: add endswith keyword docs	6 years ago
Travis Green	9f8dcad287	doc: update of ssh-kewords documentation Modifies ssh-keywords.rst to fix syntax error in example rule as well as update descriptions to indicate older keywords have been deprecated.	6 years ago
Jason Ish	9488002a0d	doc: use describe instead of option for old Sphinx Older versions of Sphinx will generate duplicate IDs when you have options like: .. option:: some-option .. option:: some-other-option The version of Sphinx provided on CentOS 7 has this issue, newer versions of Sphinx do not. As CentOS 7 is still a popular distribution, change ".. option" to ".. describe" which has the same visual output, but does not generate links.	6 years ago
Victor Julien	e36a963196	datasets/doc: minor fixes and clarifications	6 years ago
Victor Julien	0107b9a057	doc/dataset: initial documentation	6 years ago
Victor Julien	1bc738fbe4	doc: typo fixes By @espritlibre and @Zeal0us	6 years ago
Nick Price	d0a85b7550	ja3: Mention LibNSS dependency for JA3	6 years ago
Eric Leblond	cc28d24e9a	doc: install eBPF files in share directory Following proposal by Sascha Steinbiss, let's use /usr/share/suricata to store the eBPF files.	6 years ago
Eric Leblond	3cf49ae868	doc: fix English and some typos	6 years ago
Eric Leblond	4be6701836	doc: pointer to bpfctrl As bpfctrl is currently the easiest way to manage pinned maps, let's point to it. We will switch doc to suricatacl once support has been added.	6 years ago
Eric Leblond	8f1a7de791	doc: improve doc on compiling with eBPF support	6 years ago
Eric Leblond	f1ab27b7cb	doc: improve XDP cpu redirect documentation	6 years ago
Eric Leblond	6d9ac64f7b	doc: only balance by ip pair As there is some issue with defrag, let's recommend to only do IP pair load-balacing for RSS	6 years ago
Eric Leblond	a1d3835b86	doc: document filter.bpf changes Also adds some info to explain maps.	6 years ago
Eric Leblond	08397e07f1	doc: fix typos in geoip doc	6 years ago
Eric Leblond	0d5608bab2	doc: fix display of icmp code and type array	6 years ago
Eric Leblond	0c84591afe	doc: use a table to list direction filter in geoip	6 years ago
Eric Leblond	c01cadbade	doc: fix geoip syntax Spaces are not allowed before country code.	6 years ago
Vinjar Hillestad	4c18fee3c6	Documenting base64_decode and base64_content base64 doc changes based on #4027 pull feedback	6 years ago
Hilko Bengen	36998ab4cd	Add documentation for --with-clang parameter	6 years ago
Andreas Herz	c0bddff078	userguide: remove old reference to rule-reload option	6 years ago
Jeff Lucovsky	a66383569c	userguide: formatting: remove tabs	6 years ago
Jeff Lucovsky	c68510437f	userguide: ftp formatting updates	6 years ago
Jeff Lucovsky	2149807bd6	eve/ftp: Transaction support for unmatched requests Modified transaction logic to create a new transaction with each request; replies location transactions by using the oldest "open" (unmatched) transaction or the last transaction if none are open.	6 years ago
Jeff Lucovsky	1930b1f504	eve/ftp: Log FTP transactions This changeset includes changes that 1. Add transaction support to the FTP parser 2. Support eve json logging of FTP transactions	6 years ago
Bill Meeks	a291209e47	detect/geoip: migrate to GeoIP2 database format Issue #2765	6 years ago
Victor Julien	034555644b	doc: add tcp.hdr and udp.hdr	6 years ago
Victor Julien	a01df4b86b	doc: document tcp.mss keyword	6 years ago
Jeff Lucovsky	6cd39c5cfb	userguide: Document app-layer anomaly items This changeset expands the anomaly section to include newly added app-layer items.	6 years ago
Eric Leblond	1f151dd8a6	doc: address norg comments on eBPF doc	6 years ago
Eloïse Brocas	8692aac97f	doc: specify config file in ebpf doc This patch updates the ebpf-xdp.rst file to specify which configuration file has to be modified.	6 years ago
Eric Leblond	eea3c6b610	doc: info for new bypass counters	6 years ago
Eric Leblond	e3dccb2400	doc: update bypass stats doc	6 years ago
Eric Leblond	dbf3606169	doc: document flow event_type	6 years ago
Eric Leblond	8a11581ac8	doc: update ebpf doc following bypass_filter change	6 years ago
Eric Leblond	253c011c70	doc: update for latest xdp_filter.c change	6 years ago
Eric Leblond	567b5ee1bc	af-packet: rename option 'no-percpu-hash'	6 years ago
Eric Leblond	ca50f8852e	doc: improve ebpf doc Add example of bypass rules and explain clang dependency.	6 years ago
Eric Leblond	c11eb78141	doc: document netronome hardware bypass usage	6 years ago
Eric Leblond	82c4f5135b	doc: use github mirror to setup libbpf	6 years ago
Eric Leblond	1c4d214cdb	doc: typo fixes on ebpf doc	6 years ago
Eric Leblond	b7560d7547	doc: document externally managed global switch This is currently implemented as an exposed map and it seems a good way to do it.	6 years ago
Eric Leblond	b1769d5f8f	util-ebpf: implement pinned maps loading Load flow tables at start if asked to.	6 years ago
Eric Leblond	19c0a5edf5	doc: white space and typo fix	6 years ago
Eric Leblond	6d41a0ced0	doc: more eBPF and XDP capabilities	6 years ago
Eric Leblond	315c29a8e6	ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.	6 years ago
Andreas Herz	30fd80b0ef	doc: convert fancy quotes to straight quotes	6 years ago
Pierre Chifflier	9dfec7e734	SNMP: add the "snmp.pdu_type" detection keyword	6 years ago
Pierre Chifflier	e1dd19a0eb	SNMP: add the "snmp.community" detection keyword	6 years ago
Pierre Chifflier	aa608e0ca2	SNMP: add the "snmp.version" detection keyword	6 years ago
Jeff Lucovsky	ab1d95446a	doc: http keyword update This changeset updates the keyword type for http.location and http.server	6 years ago
Jeff Lucovsky	0960ca0d00	detect/analyzer Add missing HTTP values This changeset adds recognition of missing HTTP values - Raw host - Header names - Server body - User agent	6 years ago
Mats Klepsland	b59e82a642	userguide: add documentation for ja3s.string keyword	6 years ago
Mats Klepsland	76b94c7073	userguide: add documentation for ja3s.hash keyword	6 years ago
Mats Klepsland	d15903a2ef	userguide: add documentation for Ja3SGetString Lua function	6 years ago
Mats Klepsland	37a0594417	userguide: add documentation for JA3SGetHash Lua function	6 years ago
Mats Klepsland	800608ab65	userguide: add JA3S fields to the TLS logger documentation	6 years ago
Jeff Lucovsky	8a94b93b7b	doc: Anomaly logging documentation This changeset adds discussion of anomaly log records and the anomaly log record format.	6 years ago
Mats Klepsland	7020cffaa8	userguide: 'sticky' instead of 'Sticky' for all tls keywords	6 years ago
Mats Klepsland	03d986dd55	userguide: add documentation for tls.certs keyword	6 years ago
Jeff Lucovsky	7d6875fb68	documentation: Correct rst for ssh-keywords This changeset corrects an error in the ssh-keywords where 3 "`" characters were used instead of 2 "`" characters.	6 years ago
Jeff Lucovsky	97fc7c1e1a	documentation: sticky buffer updates This changeset updates the userguide for the TLS and JA3 keywords that have been renamed from <id>_<name> to <id.name>	6 years ago
Giuseppe Longo	76357350fd	doc: update http.protocol description	6 years ago
Shivani Bhardwaj	4705314fd2	doc: Add manpages for suricatasc and suricatactl Add the missing manpages and the corresponding Sphinx configuration for the command line tools `suricatasc` and `suricatactl`. Closes redmine ticket #884.	6 years ago
Eric Leblond	360a6ace43	doc: add info about buffer usage in lua	6 years ago
Jason Ish	355d125c4f	userguide: remove dns-log	6 years ago
Jason Ish	75a018ead2	doc: remove autoconf replacement var for Rust Set to yes as Rust is always enabled now.	6 years ago
Phil Young	6cfc39d7c9	napatech: auto-config documentation update Added documentation describing how to configure suricata to automaticly configure sreams and host buffers without using NTPL. I.e. from suricata.yaml.	6 years ago
Jeff Lucovsky	9856c5533a	doc: ssh.{proto,software} documentation update	6 years ago
Jeff Lucovsky	74cd6a9ee8	doc: add http.location and http.server	6 years ago
Pascal Delalande	bde65467a9	doc: add ssh protocol in eve log section	6 years ago
Victor Julien	96c6cf98d5	doc/userguide: add 3rd-party-integration to dist	6 years ago
Victor Julien	f1c83c3308	doc/userguide: new 3rd party section, add bluecoat Add Symantec SSLV (bluecoat) doc to new 3rd party section for documenting integrating Suricata with 3rd party tools.	6 years ago
Bryant Smith	398133b6ce	doc: add byte_* documentation to the userguide Added byte_test, byte_jump and byte_extract description and example rules	6 years ago
Victor Julien	d6903e70c1	file-log: remove and add warning Feature was deprecated and scheduled for removal. Ticket #2376	6 years ago
Eric Leblond	83a8df90f3	doc: improvement of xbits documentation page	6 years ago
Eric Leblond	43ede4db7f	doc: xbits:noalert is not a valid syntax	6 years ago
Shivani Bhardwaj	2483331a5d	doc/unix-socket: Add missing commands and detail Add missing commands and their corresponding details in unix-socket userguide. Closes redmine ticket #2800	6 years ago
Victor Julien	c47164ebc8	doc: add table for custom values of eve/http	6 years ago
Victor Julien	6fcd2db043	tile: remove files	6 years ago
Victor Julien	517b45ea2d	netmap: switch to nm_* API Process multiple packets at nm_dispatch. Use zero copy for workers recv mode. Add configure check netmap check for API 11+ and find netmap api version. Add netmap guide to the userguide.	6 years ago
Maurizio Abba	6c0ec0b2f3	eve/http: add request/response http headers Add a keyword configuration dump-all-headers, with allowed values {both, request, response}, dumping all HTTP headers in the eve-log http object. Each header is a single object in the list request_headers (response_headers) with the following notation: { "name": <header name>, "value": <header value> } To avoid forged malicious headers, the header name size is capped at 256 bytes, the header value size at 2048. By default, dump-all-headers is disabled.	6 years ago
Maurizio Abba	4697351188	smtp: create raw-extraction feature Add a raw-extraction option for smtp. When enabled, this feature will store the raw e-mail inside a file, including headers, e-mail content, attachments (base64 encoded). This content is stored in a normal File *, allowing for normal file detection. It'd also allow for all-emails extraction if a rule has detect-filename:"rawmsg" matcher (and filestore). Note that this feature is in contrast with decode-mime. This feature is disabled by default, and will be disabled automatically if decode-mime is enabled.	6 years ago
Victor Julien	eb73008ccf	detect/transform: add to_sha1 keyword	6 years ago
Victor Julien	75f9c1ae9f	detect/transform: add to_md5 keyword	6 years ago
Victor Julien	b3c021f8d0	userguide: improve stats logging documentation	6 years ago
Pascal Delalande	f2dca46382	doc: fix minor typo	6 years ago
Eric Leblond	7a121d9b4c	doc: add _static dir to make dist	6 years ago
Travis Green	c2adb9e669	doc: added tos keyword Redmine issue: https://redmine.openinfosecfoundation.org/issues/2583	6 years ago
Victor Julien	9dd925a46a	userguide/install: add rust, python-yaml to ubuntu	6 years ago
jason taylor	fc395eb2c5	userguide: updated hyperscan version reference Signed-off-by: jason taylor <jtfas90@gmail.com>	6 years ago
jason taylor	131112de13	doc: Remove gulp references Signed-off-by: jason taylor <jtfas90@gmail.com>	6 years ago
jason taylor	fc54d750dd	doc: add bypass keyword documentation Signed-off-by: jason taylor <jtfas90@gmail.com>	6 years ago
Mats Klepsland	be8c06adfd	userguide: add documentation for ssl_version keyword	6 years ago
Victor Julien	85f2486e0b	multi-tenant: document per tenant settings	6 years ago
Victor Julien	5afeebf884	doc/flow: updates and cleanups to flow section	6 years ago
Victor Julien	72dd4a5f92	doc/rules: initial transforms documentation	6 years ago
Victor Julien	226fe5cab3	doc/performance: redo runmodes explanation	6 years ago
Victor Julien	17e2d39531	doc/install: update Rust info in generic install overview	6 years ago
Victor Julien	473688746b	doc/eve: add community id	6 years ago
Mats Klepsland	e92fda37c9	doc: add documentation for SSH keywords	6 years ago
Pascal Delalande	64922a476e	doc: remove deprecated force-md5 flag from userguide	6 years ago
jason taylor	7f4e5e6eac	userguide: update hyperscan documentation Signed-off-by: jason taylor <jtfas90@gmail.com>	7 years ago
Mats Klepsland	4d38d0844b	doc: add documentation for Lua function 'TlsGetVersion'	7 years ago
Mats Klepsland	10fcc8d2ca	doc: update tls.version documentation	7 years ago
Maurizio Abba	bce7c2dd87	eve/http: add tx->request_port_number as http_port Add the port specified in the hostname (if any) to the http object in eve. The port may be different from the dest_port used by the TCP flow.	7 years ago
Eric Leblond	173e5a1c58	doc: iprep supports CIDR networks	7 years ago
Victor Julien	7c884e0850	doc: update multi-tentant for device feature	7 years ago
Danny Browning	2dc6b6ee14	source-pcap-file: delete when done (2417) https://redmine.openinfosecfoundation.org/issues/2417 Add option to have pcap files deleted after they have been processed. This option combines well with pcap file continuous and streaming files to a directory being processed.	7 years ago
Jason Ish	ede94e1f66	doc: alphabetize EXTRA_DIST	7 years ago
Jason Ish	ff73d908aa	doc: add window ips inline doc to extra_dist	7 years ago
Jason Ish	d2142cf433	doc: make warnings errors when building man page	7 years ago
Jason Ish	01f477786e	doc: link in windows ips setup page	7 years ago
Jacob Masen-Smith	ec77632e84	Adds WinDivert support to Windows builds Enables IPS functionality on Windows using the open-source (LGPLv3/GPLv2) WinDivert driver and API. From https://www.reqrypt.org/windivert-doc.html : "WinDivert is a user-mode capture/sniffing/modification/blocking/re-injection package for Windows Vista, Windows Server 2008, Windows 7, and Windows 8. WinDivert can be used to implement user-mode packet filters, packet sniffers, firewalls, NAT, VPNs, tunneling applications, etc., without the need to write kernel-mode code." - adds `--windivert [filter string]` and `--windivert-forward [filter string]` command-line options to enable WinDivert IPS mode. `--windivert[-forward] true` will open a filter for all traffic. See https://www.reqrypt.org/windivert-doc.html#filter_language for more information. Limitation: currently limited to `autofp` runmode. Additionally: - `tmm_modules` now zeroed during `RegisterAllModules` - fixed Windows Vista+ `inet_ntop` call in `PrintInet` - fixed `GetRandom` bug (nonexistent keys) on fresh Windows installs - fixed `RandomGetClock` building on Windows builds - Added WMI queries for MTU	7 years ago
Chris Speidel	1e8959b465	doc: fix minor typo	7 years ago
Victor Julien	693a3df031	tls: document encrypt-handling option Document in sample yaml and user guide.	7 years ago
Victor Julien	c677e07d3e	kerberos: minor doc updates, add author	7 years ago
Jason Ish	fb85822730	dhcp: update user guide	7 years ago
Pierre Chifflier	c51ff32adb	Document Kerberos 5 parsing events	7 years ago
Pierre Chifflier	1076c7cd47	Add krb5_err_code detection keyword	7 years ago
Pierre Chifflier	d6b9c0294a	Add krb5_cname and krb5_sname detection keywords	7 years ago
Pierre Chifflier	0bd81ff838	Add krb5_msg_type detection keyword	7 years ago
Pierre Chifflier	1e5f5d405f	Kerberos 5: add support for TCP as well	7 years ago
Pascal Delalande	4f48927c44	doc: spelling mistakes in various sections of the user guide	7 years ago
Max Fillinger	ce270a8f6a	Add info about pcap log compression to user guide	7 years ago
Eric Leblond	e249ce29bb	doc: add lua directory to Makefile	7 years ago
Victor Julien	4a90dced8e	doc/lua: small update to the usage intro	7 years ago
Eric Leblond	2546e86a16	doc: document lua function about flow var	7 years ago
Eric Leblond	0c4bf2d332	doc: add a lua support top level section Both output and signature are using lua. So lua functions should be displayed in a single section.	7 years ago
Eric Leblond	293b00798e	doc: document lua TLS functions	7 years ago
Pascal Delalande	e3c5784dd5	doc: minor updates (tls custom, TODO removal, ftp/smb file rules)	7 years ago
Victor Julien	83bf60d897	doc: add ntlmssp, kerberos and other setup fields	7 years ago
Richard Sailer	dc07c1fe13	lua output doc: Use more descriptive variable names in the examples This also removes the "args" parameter of the hooking functions in the examples, since this parameter is unused in all functions. It would not be very helpful anyways since 3 of the 4 functions don't get passed any parameters. The only exception is init() which gets a table containing: script_api_ver = 1	7 years ago
Richard Sailer	3307f7a94e	lua output doc: Add explaining introduction text	7 years ago
Victor Julien	e09027915a	doc: fix json formatting in smb doc	7 years ago
Victor Julien	67e81a9555	doc: initial smb eve documentation	7 years ago
Victor Julien	78437375c4	doc: add by_either to suppress explanation	7 years ago
Victor Julien	2c259f2239	doc: add smb section to yaml	7 years ago
Victor Julien	13bdcd5249	doc: minor fix	7 years ago
Victor Julien	1edd9d19fc	doc: add SMB to file extraction. Minor improvements.	7 years ago
Victor Julien	b4771150b8	doc: update suricata-update screenshot	7 years ago
Victor Julien	b531e7725d	doc: improve suricata-update docs now that its bundled	7 years ago
Victor Julien	ac1ed24cb4	doc: improve making sense of alerts	7 years ago
Victor Julien	ccde621ceb	doc: add suricata-update to intro for rules	7 years ago
Pierre Chifflier	6eb48e1e93	Add ikev2 to userguide	7 years ago
Victor Julien	26e807ca34	doc: fix http_header_names example	7 years ago
Eric Leblond	0a72d5be96	doc: fix typo in unix socket doc Also fixes a dead link to code.	7 years ago
Eric Leblond	975f413308	doc: more info on unix socket rule reload	7 years ago
Eric Leblond	e2aab10d29	doc: fix typo in ebpf xdp doc	7 years ago
Mats Klepsland	47a7ebbbc2	doc: add JA3 fields to the TLS logger documentation	7 years ago
Mats Klepsland	fb0bfb614f	doc: add documentation for Ja3GetString Lua function	7 years ago
Mats Klepsland	2514553098	doc: add documentation for Ja3GetHash Lua function	7 years ago
Mats Klepsland	a357f52fa5	doc: add documentation for ja3_string keyword	7 years ago
Mats Klepsland	38cc6f595f	doc: add documentation for ja3_hash keyword	7 years ago
Giuseppe Longo	fb66d45754	doc: introduce dns compact logging	7 years ago
David DIALLO	c2236ea2b3	modbus: Support Unit Identifier When destination IP address does not suffice to uniquely identify the Modbus/TCP device. Some Modbus/TCP devices act as gateways to other Modbus/TCP devices that are behind this gateways.	7 years ago
Victor Julien	50a182194a	eve: log pcap filename	7 years ago
Pascal Delalande	2e5b293afb	doc: update eve json output for DNS and HTTP	7 years ago
Brandon Sterne	a01a229b37	doc: use standard spelling of daemon	7 years ago
Andreas Herz	2e8678a5ff	docs: replace redmine links and enforce https on oisf urls	7 years ago
David DIALLO	6c643d8975	modbus: duplicate alerts unaware of direction Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction because Modbus inspection engine is only performing in request (TOSERVER). Detect Value keyword in read access rule. In read access, match on value is not possible. Update Modbus keyword documentation.	7 years ago
Eric Leblond	7da805ffd9	doc: improve eBPF and XDP doc Remove reference to `buggy` clang as a workaround has been found in libbpf. Proof read and add information on the structure of eBPF code.	7 years ago
Eric Leblond	8030e3f66b	doc: update documentation This patch adds info on kernel requirement for XDP and rework a few things.	7 years ago
Eric Leblond	0e1a4173ff	doc: how to get live info about ebpf behavior	7 years ago
Eric Leblond	8c7b5cb088	doc: add info about xdp IPS bypass	7 years ago
Eric Leblond	ce8b74b524	doc: document XDP CPU redirect	7 years ago
Eric Leblond	60265e023a	doc: update xdp documentation Also remove configuration info from yaml as they are now in the documentation.	7 years ago
Peter Manev	5ee44c877c	doc: add XDP setup documentation	7 years ago
Giuseppe Longo	d2121945c9	doc: update file_data description	7 years ago
Jason Ish	74e036d09f	doc: update eve/alert/metadata configuration	7 years ago
Martin Natano	fe9cac5870	eve/alert: include rule text in alert output For SIEM analysis it is often useful to refer to the actual rules to find out why a specific alert has been triggered when the signature message does not convey enough information. Turn on the new rule flag to include the rule text in eve alert output. The feature is turned off by default. With a rule like this: alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;) The eve alert output might look something like this (pretty-printed for readability): { "timestamp": "2017-08-14T12:35:05.830812+0200", "flow_id": 1919856770919772, "in_iface": "eth0", "event_type": "alert", "src_ip": "10.20.30.40", "src_port": 50968, "dest_ip": "8.8.8.8", "dest_port": 53, "proto": "UDP", "alert": { "action": "allowed", "gid": 1, "signature_id": 42, "rev": 0, "signature": "Google DNS server contacted", "category": "", "severity": 3, "rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)" }, "app_proto": "dns", "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 81, "bytes_toclient": 0, "start": "2017-08-14T12:35:05.830812+0200" } } Feature #2020	7 years ago
Eric Leblond	72c8cd67d5	doc: documentation update on metadata	7 years ago
Jason Ish	ab939f4aaa	doc: breakout eve-log section to a partial file Both the suricata.yaml and eve configuration sections included the eve-log section from suricata.yaml. First, sync these up with the actual suricata.yaml then break it out into its own file, so only one file needs to be kept in sync with the actual configuration file.	7 years ago
Jason Ish	0e02684634	doc: update eve-log section for metadata	7 years ago
Pascal Delalande	80f2fbac6e	rust/tftp: eve logging with rust	7 years ago
Pascal Delalande	0ff60f65ec	doc: update filestore for file hash extraction Update for extraction based on md5, sha1 and sha256	7 years ago
Victor Julien	07738af868	detect/content: introduce startswith modifier Add startswith modifier to simplify matching patterns at the start of a buffer. Instead of: content:"abc"; depth:3; This enables: content:"abc"; startswith; Especially with longer patterns this makes the intention of the rule more clear and eases writing the rules. Internally it's simply a shorthand for 'depth:<pattern len>;'. Ticket https://redmine.openinfosecfoundation.org/issues/742	7 years ago
Jason Ish	5420c0ab06	doc: document file-store v2	7 years ago
Victor Julien	746638b220	cuda: remove Remove CUDA support as it has been broken for a long time. Ticket #2382.	7 years ago
Eric Leblond	24f745553c	doc: update file extraction document Define the list of protocol parsers supporting extraction in one single place following Andreas Herz' suggestion.	7 years ago
Eric Leblond	f5ba4c231d	doc: update following ftp-data changes	7 years ago
Giuseppe Longo	70695201f6	doc: add memcap commands in unix-socket section	7 years ago
Eric Leblond	3bf098e52f	doc: document log reopen unix socket command	7 years ago
Victor Julien	be9ec3958e	doc: initial suricata-update page	7 years ago
Andreas Herz	6f0794c16f	keyword-filesize: add units	7 years ago
Dana Helwig	3ab9120821	source-pcap-file: Pcap Directory Mode (Feature #2222 ) https://redmine.openinfosecfoundation.org/issues/2222 Pcap file mode that when passed a directory will process all files in that directory. If --pcap-file-continuous or continuous option is passed in json, the directory will be monitored until the directory is moved/deleted, suricata is interrupted, or the pcap-interrupt command is used with unix command socket. Existing file implementation and new directory implementation has moved from source-pcap-file into pcap-file-helper and pcap-directory-helper. Engine state will not reset between files. Also satisfies: * https://redmine.openinfosecfoundation.org/issues/2299 * https://redmine.openinfosecfoundation.org/issues/724 * https://redmine.openinfosecfoundation.org/issues/1476 Co-Authors: Dana Helwig <dana.helwig@protectwise.com> and Danny Browning <danny.browning@protectwise.com>	7 years ago
Eric Leblond	94e9d13791	doc: add ruleset commands available in unix socket	7 years ago
Pascal Delalande	0c99338e07	doc: update docs for DNS flags logging	7 years ago
Ralph Broenink	f6938933d9	doc: Amend the list of accepted protocols Based on the list in suricata.yaml	7 years ago
Ralph Broenink	d830177b7b	doc: Add my own name to the acknowledgements	7 years ago
Ralph Broenink	98a1ec490f	doc: Move IP reputation keyword to rules section	7 years ago
Ralph Broenink	722cff1862	doc: Restructure ToC * All sections up to 2 levels deep are now shown regardless of whether they are a separate page * Rename Xbits and Thresholding for more consistent naming * Minor adjustment in the Payload Keywords section	7 years ago
Ralph Broenink	196ba1da70	doc: Make the header keywords section separate sections in ToC	7 years ago
Ralph Broenink	a55a6cdb62	doc: Move flowint as integral part of flow keywords	7 years ago
Ralph Broenink	f6c766112c	doc: Minor changes in structuring of HTTP Keywords / Snort differences	7 years ago
Ralph Broenink	e9b25988ba	doc: Move pcre entirely to Payload Keywords section (plus remove lingering screenshot of a rule)	7 years ago
Ralph Broenink	bb1bf2643d	doc: Move fast_pattern and prefilter to dedicated page	7 years ago
Ralph Broenink	fea037fda8	doc: Moved explanation of normalized buffers to rules introduction	7 years ago
Ralph Broenink	11990c7117	doc: Move the definition of modifier keywords to the introduction	7 years ago
Ralph Broenink	dfae19247d	doc: Completely rewrite the rules introduction for more clearity	7 years ago
Ralph Broenink	274c36eb2f	doc: Meta-settings -> Meta Keywords plus some textual changes Most importantly, conventions are now placed in tip boxes	7 years ago
Ralph Broenink	3413793768	doc: Use lowercased keyword names as section titles	7 years ago
Ralph Broenink	a52aacb4ea	doc: Replace images of tables and rules with text in rules docs In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis. Additionally, some tables embedded into images were also replaced by reST tables.	7 years ago
Ralph Broenink	44926e2369	doc: Add suricata.css to allow for some custom styling	7 years ago
Ruslan Usmanov	1090ee9d8d	rate_filter by_both through IPPair storage Ticket https://redmine.openinfosecfoundation.org/issues/2127	7 years ago
Gaurav Singh	637a7c8e55	Adds options to mark when a file is final. This takes the form of an option to add the pid of the process to file names. Additionally, it adds a suffix to the file name to indicate it is not finalized. Adding the pid to the file name reduces the likelihood that a file is overwritten when suricata is unexpectedly killed. The number in the waldo file is only written out during a clean shutdown. In the event of an improper shutdown, extracted files will be written using the old number and existing files with the same name will be overwritten. Writes extracted files and their metadata to a temporary file suffixed with '.tmp'. Renames the files when they are completely done being written. As-is there is no way to know that a file on disk is still being written to by suricata.	7 years ago
Mats Klepsland	9556d4fef3	doc: add documentation for tls_cert_fingerprint keyword	7 years ago
Victor Julien	1180687574	doc/file_data: add note on negated matching Explain issue #2216 and how to avoid it.	8 years ago
Victor Julien	456af8faa8	doc/napatech: formatting fixes	8 years ago
Andreas Herz	c048ee6505	doc: reflect most recent cpu affinity settings Some settings like output-cpu-set never been used and detect got renamed to worker. This reflects those changes already present in the yaml also within the documentation.	8 years ago
Julian	f27b4fc8fe	redis: support for rpush in list mode This adds a new redis mode rpush. Also more consistent config keywords orientated at the redis command: lpush and publish. Keeping list and channel config keywords for backwards compatibility	8 years ago
Phil Young	5f613e6e7d	napatech: Added section describing packet counters.	8 years ago
Phil Young	f6838f9085	napatech: Added description of hba usage.	8 years ago

... 3 4 5 6 7 ...

577 Commits (f1f43cba5e16666b34467b7b373659c5aa7b210b)