Commit Graph

47 Commits (f29e5459e68bf8e1a5614e772953748be6425451)

Author SHA1 Message Date
Anoop Saldanha d4d18e3136 Transaction engine redesigned.
Improved accuracy, improved performance.  Performance improvement
noticeable with http heavy traffic and ruleset.

A lot of other cosmetic changes carried out as well.  Wrappers introduced
for a lot of app layer functions.

Failing dce unittests disabled.  Will be reintroduced in the updated dce
engine.

Cross transaction matching taken care of.  FPs emanating from these
matches have now disappeared.  Double inspection of transactions taken
care of as well.
12 years ago
Victor Julien 9f519e95a2 http: add event for libhtp detection of request port not matching tcp port. 12 years ago
Victor Julien 5cd46433d3 http: now that htp_state has a cfg reference, use it for body limits 13 years ago
Victor Julien 2763a61213 http: allow configuration of request and response body inspection limits. Issue #560. 13 years ago
Eric Leblond 92679442ca Convert to atomic and disable check on HTP config change.
This patch converts the series of variables to an atomic.

Furthermore, as the callbacks are now always run, it is not
necessary anymore to refuse a ruleswap if HTP parameters are
changing.
13 years ago
Eric Leblond 66a083dafa Get rid of AppLayerHtpRegisterExtraCallbacks
This patch adds an early exit condition to the body handling callback.
This makes it possible to avoid a complex system to handle htp
object change.
13 years ago
Victor Julien 43c7fd7585 file inspection: improve logging when stream.depth limit is reached. #493. 13 years ago
Anoop Saldanha 6fa46d7526 If new ruleset requires any htp callbacks that aren't already set, don't load new ruleset; request user to restart suricata + disable setting fileinspection flags unconditionally in main 13 years ago
Anoop Saldanha 64625675ce set stream_eof flag per stream, only when the stream initiates a close. Fix htp parser to close connection per direction based on this 13 years ago
Victor Julien d378b76c04 http: body inspection improvement
Improve http_client_body and file_data performance when request and
response body limits are set to high values.
13 years ago
Victor Julien e21d8cdf01 file extract: improve multipart parsing and set events on some error conditions. 13 years ago
Victor Julien 3702a33ae9 file-inspection: support POST requests that do not use multipart. 13 years ago
Victor Julien 93d121bf21 Update app layer events for HTTP now that libhtp has fixes for some response errors. 13 years ago
Victor Julien f713b653ab Convert error logging for HTTP to use new app layer event API. Expose libhtp warnings to this as well. 13 years ago
Victor Julien c2c539942b Rework the way the http parser can tell the de_state to reset its file section on arrival of new files in the same tx. Fixes a deadlock in the auto runmode. 13 years ago
Victor Julien 9878eca086 file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.

The filestore keyword now takes 2 optional options:

filestore:<direction>,<scope>;

By default the direction is "same as rule match", and scope is "currently
inspected file".

For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".

For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transaction, "ssn" and "flow" for all files in the session/flow.

For the above case, where a suspicious request should lead to a response file
download, this would work:

alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
13 years ago
Victor Julien d59ca75e46 file extract: split toserver and toclient tracking
Split toserver and toclient file tracking for the http state.
13 years ago
Victor Julien b402d97179 File carving -- enable response file extraction
- Enable response body tracking
- Enable file extraction for responses
- File store meta file includes magic, close reason.
- Option to force magic lookup for all stored files.
- Fix libmagic calls thread safety.
13 years ago
Victor Julien 66a3cd96a8 Prepare HTTP response body tracking. 13 years ago
Victor Julien e1022ee5ae file-extraction: Disconnect file handling from flow and move into the app layer state. 13 years ago
Victor Julien 23e01d23d3 Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored. 13 years ago
Victor Julien 403b2788d6 Add support for extracting PUT files. 13 years ago
Victor Julien a0ee6ade3e Improve HTTP multipart parsing, add streaming parsing for files. 13 years ago
Pablo Rincon 6d60b3a747 filename and fileext keywords 13 years ago
Eric Leblond 60a99915c1 doc: create http support group
This patch creates an httplayer group and adds related files to
it. It also fixes some typos in documentation strings and format.
14 years ago
Anoop Saldanha 4e44073c79 http logging module should log all txs in the list and not just the last complete tx available on EOF 14 years ago
Anoop Saldanha 41d71a6d70 fix http transaction id update. Update transactions as soon as we receive a callback on new request 14 years ago
Victor Julien 6fca55e068 Add some debug output to app-layer-htp. 14 years ago
Victor Julien 39a5348d2b Remove dead pcre code. 14 years ago
Victor Julien 6ebe7b7cd3 Change the way the request body limit is enforced. 14 years ago
Anoop Saldanha 5c6a65dc58 support relative modifiers for http_client_body. Introduce body processing engine in detect-engine-hcbd.[ch] 14 years ago
Pablo Rincon 06a65cb460 moving http_client_body logic to use it per transactions. Adding unittests 15 years ago
Victor Julien 70b32f7380 First stab at creating a stateful detection engine.
Stateful detection for app layer detection keywords, except uricontent. Stores its partial results in the flow structure. Other modifications:

- Generalize transaction tracking, logging and inspection.
- Adapt http and dcerpc to use the new transaction handling.
- Stream engine now always notifies app layer of a stream eof.

This commit fixes bug #124.
15 years ago
William Metcalf ce01927515 Import of GPLv2 Header 050410 15 years ago
Brian Rectanus a9cdd2bbae Add htp personality configuration. 15 years ago
Anoop Saldanha 97d49d8f5e support for http_client_body keyword 15 years ago
Victor Julien 7a8cd61fdf Cleanups. 15 years ago
Pablo Rincon 25a3a5c6d8 Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks. 15 years ago
Gurvinder Singh 50f7d0a887 app layer htp logging and better htp request handling. removed recent_in_tx. 15 years ago
Pablo Rincon 0165b3f0d8 pcre P modifier support (pcre match over http body requests) 15 years ago
Gurvinder Singh 356a8bf385 applayer uri match and modified http handling 15 years ago
Victor Julien c3269dbcb4 Fix compiler warning in http method code 15 years ago
Victor Julien 4824868766 Application layer detection improvements
- improve locking of application layer handling, making sure that the flow cannot be freed/cleared when the detection engine is still working with it.
- add a check to the app layer detection to make sure that a match function will only inspect an app layer state if it's of the right type.
15 years ago
Gurvinder Singh 0a85fd6787 htp error fixed 15 years ago
Gurvinder Singh fc2f7f29fa app layer htp error handling and fixes for memory leaks and segv 15 years ago
Gurvinder Singh 2d6cf71d37 added htp unit test 15 years ago
Gurvinder Singh 07f7ba55b8 initial support for HTP module init 15 years ago