You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

History

Victor Julien 7bfee147ef stream: SYN queue support Support case where there are multiple SYN retransmits, where each has a new timestamp. Before this patch, Suricata would only accept a SYN/ACK that matches the last timestamp. However, observed behavior is that the server may choose to only respond to the first. In IPS mode this could lead to a connection timing out as Suricata drops the SYN/ACK it considers wrong, and the server continues to retransmit it. This patch reuses the SYN/ACK queuing logic to keep a list of SYN packets and their window, timestamp, wscale and sackok settings. Then when the SYN/ACK arrives, it is first evaluated against the normal session state. But if it fails due to a timestamp mismatch, it will look for queued SYN's and see if any of them match the timestamp. If one does, the ssn is updated to use that SYN and the SYN/ACK is accepted. Bug: #5856.		2 years ago
..
Makefile.am	ftp: add events for command too long	2 years ago
README.md	rules/readme: document sid ranges in source tree	2 years ago
app-layer-events.rules	…
decoder-events.rules	decoder: mention removal of udp.hlen_invalid sig	2 years ago
dhcp-events.rules	…
dnp3-events.rules	…
dns-events.rules	dns: parse and alert on invalid opcodes	2 years ago
files.rules	…
ftp-events.rules	ftp: add events for command too long	2 years ago
http-events.rules	protocol-change: sets event in case of failure	3 years ago
http2-events.rules	…
ipsec-events.rules	…
kerberos-events.rules	…
modbus-events.rules	…
mqtt-events.rules	mqtt: raise event on parse error	3 years ago
nfs-events.rules	…
ntp-events.rules	…
quic-events.rules	quic: events and rules on them	3 years ago
smb-events.rules	smb: checks against nbss records length	2 years ago
smtp-events.rules	protocol-change: sets event in case of failure	3 years ago
ssh-events.rules	…
stream-events.rules	stream: SYN queue support	2 years ago
tls-events.rules	…

README.md

Suricata Reserved SID Allocations

Unless otherwise noted, each component or protocol is allocated 1000 signature IDs.

Components

Component	Start	End
Decoder	2200000	2200999
Stream	2210000	2210999
Generic App-Layer	2260000	2260999

App-Layer Protocols

Protocol	Start	End
SMTP	2220000	2220999
HTTP	2221000	2221999
NTP	2222000	2222999
NFS	2223000	2223999
IPsec	2224000	2224999
SMB	2225000	2225999
Kerberos	2226000	2226999
DHCP	2227000	2227999
SSH	2228000	2228999
MQTT	2229000	2229999
TLS	2230000	2230999
QUIC	2231000	2231999
FTP	2232000	2232999
DNS	2240000	2240999
MODBUS	2250000	2250999
DNP3	2270000	2270999
HTTP2	2290000	2290999