aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
15,733 Commits
8 Branches
165 Tags
215 MiB
main
main-8.0.x
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '03442c9071'
${ noResults }
Commit Graph

59 Commits (03442c9071b8d863d26b609d54c6eacf4de9e340)

Author SHA1 Message Date
Jason Ish b11bb1c412 detect: rename DetectAppLayerInspectEngineRegister2 
Rename DetectAppLayerInspectEngineRegister2 to
DetectAppLayerInspectEngineRegister as there is no other variant of
this function, and the versioning with lack of supporting
documentation can lead to confusion.
 2 years ago
Philippe Antoine c272a646c5 detect: SigMatchAppendSMToList can fail 
Ticket: #6104

And failures should be handled to say that the rule failed to load

Reverts the fix by 299ee6ed55
that was simple, but not complete (memory leak),
to have this bigger API change which simplifies code.
 2 years ago
Jeff Lucovsky 3286c3b912 detect/pcre: Use local match variables 
pcre2 is not thread-safe wrt match objects so use locally scoped
objects.

Issue: 4797
 2 years ago
Victor Julien ee68947460 detect/tls: minor fingerprint cleanup 2 years ago
Jeff Lucovsky dfcb429524 detect/cert: Use client side certs 
Issue: 5516

This commit modifies the detect logic to choose the certificate based on
the flow direction -- to server or to client.
 3 years ago
Victor Julien b31ffde6f4 output: remove error codes from output 3 years ago
Jeff Lucovsky 63745a7879 detect/tls: Improve tls.fingerprint rule handling 
Issue: 4581

This commit improves the runtime performance of rules with
tls.fingerprint by using the inspection logic from tls.cert_fingerprint.
 3 years ago
Victor Julien e250ef6402 debug: remove empty header 3 years ago
Philippe Antoine 83a8cd80b2 detect: remove wrappers around DetectEngineInspectGenericList 3 years ago
Philippe Antoine 02f2602dde src: rework includes as per cppclean 3 years ago
Philippe Antoine b8524e70d9 detect: change InspectEngineFuncPtr2 to return uint8_t 3 years ago
Philippe Antoine 3de99a214c pcre2: migrate keywords parsing 4 years ago
Victor Julien 84385549fe detect: remove unused arg from generic list inspect 5 years ago
Victor Julien 494f8f2700 detect/tls: convert to v2 inspect API 5 years ago
Victor Julien 6ab323d323 detect: hide RegisterTests behind ifdef UNITTESTS 
Update all callers to more aggressively use UNITTESTS guards as well.
 5 years ago
Victor Julien 26bcc97515 detect/keywords: dynamic version part of doc URL 6 years ago
Jeff Lucovsky d3a65fe156 detect: Provide `de_ctx` to free functions 
This commit makes sure that the `DetectEngineCtx *` is available
to each detector's "free" function.
 6 years ago
Jeff Lucovsky 4b0085b03c detect: Update to take advantage of PCRE refactor 
This commit changes the keyword detectors to use the refactored PCRE
modifications from detect-parse.[ch]
 6 years ago
Victor Julien 0526878fee detect/tls: set alternatives for legacy tls keywords 6 years ago
Victor Julien 14896365ef detect: remove Threadvars argument from API calls 
Remove it as it's (almost) never used. If it is really needed it can
be accessed through DetectEngineThreadCtx::tv as well.
 6 years ago
Eric Leblond 8c1b16e22d doc: fix some links in list-keywords command 7 years ago
Victor Julien ab1200fbd7 compiler: more strict compiler warnings 
Set flags by default:

    -Wmissing-prototypes
    -Wmissing-declarations
    -Wstrict-prototypes
    -Wwrite-strings
    -Wcast-align
    -Wbad-function-cast
    -Wformat-security
    -Wno-format-nonliteral
    -Wmissing-format-attribute
    -funsigned-char

Fix minor compiler warnings for these new flags on gcc and clang.
 9 years ago
Victor Julien 342059835f detect-parse: improve common parser 
In preparation of turning input to keyword parsers to const add
options to the common rule parser to enforce and strip double
quotes and parse negation support.

At registration, the keyword can register 3 extra flags:

    SIGMATCH_QUOTES_MANDATORY: value to keyword must be quoted

    SIGMATCH_QUOTES_OPTIONAL: value to keyword may be quoted

    SIGMATCH_HANDLE_NEGATION: leading ! is parsed

In all cases leading spaces are removed. If the 'quote' flags are
set, the quotes are removed from the input as well.
 9 years ago
Victor Julien d304be5bc3 detect: register progress in inspect engines 
Register required progress so we can stop inspecting as soon
as the progress isn't far enough yet.
 9 years ago
Victor Julien cc4010343d detect: add and use util func for alproto sets 9 years ago
Victor Julien 6ef4712cd6 detect: convert old tls keywords to dynamic list 9 years ago
Victor Julien ef149bed7b tls.store: convert to postmatch 9 years ago
Victor Julien 8b3a71a285 tls.store: cleanup 9 years ago
Victor Julien 8edc954e82 detect: get rid of Signature::sm_lists 
Instead use the lists in init_data during setup and the SigMatchData
arrays during runtime.
 9 years ago
Victor Julien bfd4bc8233 detect: constify Signature/SigMatch use at runtime 9 years ago
Eric Leblond a2e2f50fb9 documentation: fix list keywords URLs 
Update URLs in keyword definition to point to sphinx documentation.
 9 years ago
Jason Ish 1f4725fcab detect-tls: make check on fingerprint directional 9 years ago
Victor Julien 9030e89c94 detect: don't set alproto while registering keyword 
The field is not used except for some printing, and is wrong for
many keywords.
 9 years ago
Victor Julien e67ae0f174 detect keywords: use parse regex util func 10 years ago
Eric Leblond 50ea76a88b detect-tls: fix memleaks 10 years ago
Victor Julien 8b4615f8e7 tls: fix a tls.fingerprint issue in debug mode 
Print proper variable so we don't NULL-deref.

Bug #1279.
 11 years ago
Ken Steele 8f1d75039a Enforce function coding standard 
Functions should be defined as:

int foo(void)
{
}

Rather than:
int food(void) {
}

All functions where changed by a script to match this standard.
 11 years ago
Victor Julien 6e0112d737 detect: modify AMATCH locking 
This is an intrusive change. This patch modifies the way AMATCH
inspection uses locking.

So far, each keyword did it's own locking. This lead to a situation
where a 'alstate' pointer was passed around that was not always
protected by a lock.

This patch moves the locking to the Stateful detection functions.
 12 years ago
Eric Leblond c2fcf329f0 tls: fix negated match 
A negated match is matching if the tested field is NULL. But as it
is not set, nor negated nor normal test must match.

Without this patch, a rule like:
 alert tls any any -> any any (msg:"negated match"; tls.subject:!"CN=home.regit.org"; sid:1; rev:1;)
is alerting for all connections. Event if they are done on a certificate
with matching subject. This was due to the fact that tls protocol
is discovered before the handshake is complete. Thus the condition
on tls is true with a NULL tls.subject. And code was returning a
positive match in the case of a NULL subject and a signature with
a negated match.
 12 years ago
Eric Leblond 28c5c68192 error checking: add missing alloc error treatment 
The return of some malloc like functions was not treated in some
places of the code.
 12 years ago
Victor Julien 6cd6caf3ea tls: allow matching for @ symbol in tls.subject 
Also in tls.issuerdn keyword.

Original patch by Chris Wakelin.

Fixes #1042.
 12 years ago
Anoop Saldanha b1dffdfbe0 Add app layer protocol packet event detection support. 12 years ago
Eric Leblond 6842545331 Add documentation url in list-keyword output. 
The output of the list-keyword is modified to include the url to
the keyword documentation when this is available. All documented
keywords should have their link set.

list-keyword can be used with an optional value:
 no option or short: display list of keywords
 csv: display a csv output on info an all keywords
 all: display a human readable output of keywords info
 $KWD: display the info about one keyword.
 13 years ago
Eric Leblond 5e4552fdcd suricata: update list-keyword command 
This patch update the list-keyword command. Without any option,
the previous behavior is conserved. If 'all' is used as option,
suricata print a csv formatted output of keyword information:
	name;features;description
If a keyword name is used as argument, suricata print a readable
message:
tls.subject
Features: state inspecting
Description: Match TLS/SSL certificate Subject field
 13 years ago
Eric Leblond e176be6fcc Use unlikely for error treatment. 
When handling error case on SCMallog, SCCalloc or SCStrdup
we are in an unlikely case. This patch adds the unlikely()
expression to indicate this to gcc.

This patch has been obtained via coccinelle. The transformation
is the following:

@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)";
@@

x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
 13 years ago
Eric Leblond d292004880 Add some missing checks of SCStrdup return. 13 years ago
Eric Leblond f82573be12 tls: suppress always true condition. 13 years ago
Eric Leblond a3b2cee0d5 detect-tls: various indent fixes. 
And delete a useless FIXME.
 13 years ago
Jean-Paul Roliers c4df7a45ae tls: adding store option for TLS 
This patch adds a TLS store option to save certificate in PEM format.
Each time the store action is met, a file and a metafile are created.

Reworked-by: Eric Leblond <eric@regit.org>
 13 years ago
Jean-Paul Roliers 00d4357362 tls: adding support for fingerprint rule matching. 
Add the support for tls.fingerprint keyword in rules.
 13 years ago