Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.

cybersecurityidsintrusion-detection-systemintrusion-prevention-systemipsnetwork-monitornetwork-monitoringnsmsecuritysuricatathreat-hunting

You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Eric Leblond 5f224f87d1 reject: update computation of seq and ack ... We have follow TCP RFC (http://tools.ietf.org/html/rfc793#section-3.4). There is two cases depending on wether the original packet contains a ACK. If packet has no ACK, the RST seq number is 0 and the ACK is built the standard way. If packet has a ACK, the seq of the RST packet is equal to the ACK of incoming packet and the ACK is build using packet sequence number and size of the data. Regarding standard Ack number, it is computed using seq number of captured packet added to packet length. Finally 1 is added so we respect the RFC: If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established this is always sent. With this patch we have some correct results. With the following rule: reject ssh any any -> 192.168.56.3 any (msg:"no SSH way"; sid:3; rev:1;) ssh connection to 192.168.56.3 is correctly resetted on client side. But this is not perfect. If we have the following rule: reject tcp any any -> 192.168.56.3 22 (msg:"no way"; sid:2; rev:1;) then the connection is not resetted on a standard ethernet network. But if we introduce 20ms delay on packets, then it is correctly resetted. This is explained when looking at the network trace. The reset is sent as answer to the SYN packet and it is emitted after the SYN ACK from server because the exchange is really fast. So this is discarded by the client OS which has already seen a ACK for the same sequence number. This should fix #895.		12 years ago
benches	Initial add of the files.	16 years ago
contrib	Add one shot run option to suri-graphite.	12 years ago
doc	Update docs from wiki	13 years ago
m4	Prelude plugin: add detection in configure script	16 years ago
qa	coccinelle: implement parallel check	12 years ago
rules	Add decoder event rule for tls event "invalid_ssl_record", which will now be available "app-layer-event:tls.invalid_ssl_record".	12 years ago
scripts	suricatasc: fix make distcheck.	13 years ago
src	reject: update computation of seq and ack	12 years ago
.gitignore	unittest: make check use a qa/log dir for logging	12 years ago
COPYING	Initial add of the files.	16 years ago
ChangeLog	Update changelog for 2.0beta1	12 years ago
LICENSE	import of gplv2 LICENSE	16 years ago
Makefile.am	Use wget or curl to download ruleset.	12 years ago
Makefile.cvs	Initial add of the files.	16 years ago
acsite.m4	Added C99 defs/macros to acsite.m4 for CentOS	16 years ago
autogen.sh	OpenBSD 5.2 build fixes, Unit test fix.	13 years ago
classification.config	Import of classification.config	15 years ago
config.rpath	Add file needed for some autotools version.	12 years ago
configure.ac	pcre: check for pcre_free_study, fall back to pcre_free if it unavailable	12 years ago
doxygen.cfg	Adding an updated doxygen config file, because the old one was created a couple major versions ago.	12 years ago
mkinstalldirs	Update autojunk.sh + build update.	16 years ago
reference.config	Add md5 to reference.config.	14 years ago
suricata.yaml.in	reject: use host-mode to set interface	12 years ago
threshold.config	threshold: improve comments of shipped threshold.config, add links to wiki.	13 years ago