Commit Graph

10403 Commits (03da49bfaa62a6901ab29058b3e991b2d4ae10ec)
 

Author SHA1 Message Date
Victor Julien 4cd3b84606 tls/ja3: allow dynamic enabling of ja3 5 years ago
Victor Julien 09882ec4cb detect/reference: implement strict parsing option 5 years ago
Victor Julien 89a717d41c detect/classtype: implement strict parsing option 5 years ago
Victor Julien b5521b58bc detect/parse: add --strict-rule-keywords option
Add --strict-rule-keywords commandline option to enable strict rule
parsing.

It can be used without options or with a comma separated list:
--strict-rule-keywords
--strict-rule-keywords=all
--strict-rule-keywords=classtype,reference

Parsing implementations can use SigMatchStrictEnabled to check
if strict parsing is enabled for them and act accordingly.
5 years ago
Victor Julien 88e26ea914 detect: use named enum for keyword types 5 years ago
Victor Julien 0b40d4ae93 detect/reference: allow undefined references
References are currently not used in Suricata, so erroring out on
rules using an undefined reference is too harsh.

Just issue a warning once per unique missing reference.
5 years ago
Victor Julien 61185cc9ba reference: change scope of add func to global 5 years ago
Victor Julien d17a3b3c2b reference: use global defines for size limits 5 years ago
Victor Julien e278953455 detect/reference: code cleanups 5 years ago
Victor Julien 523e91b231 detect/classtype: check size of rule input 5 years ago
Victor Julien e5f6f38481 classtype: handle missing classification.config
Still initialize the classtype hash table so that the classtypes
that rules use can be added to it.

The file missing now reports a warning instead of error, as we
will continue to work.
5 years ago
Victor Julien 517834e327 classtype: use global defines for size limits 5 years ago
Victor Julien 99bdb54d9f detect/classtype: show file and line for unknown classtype 5 years ago
Victor Julien 43b5234055 detect/priority: use global define for default prio 5 years ago
Victor Julien 954c43daf4 detect/classtype: allow undefined classtypes
Effect of classification on Suricata's working is minimal. Impact
of adding undefined classtypes is large: rules will fail to load
completely. This also leads to multiple lines of log output per rule,
which in a large ruleset can lead to excessive output.

This patch changes the classtype keyword behavior. Instead of erroring
and invalidating a rule, we will merely warn.

The undefined classtype is then defined with a default priority,
so other rules using the classtype will not also warn. This way
there will be just a single warning per missing classtype.
5 years ago
Victor Julien 323a747f39 classtype: increase id size
Switch from u8 to u16 to allow for more classtypes.

Rename Signature::class to Signature::class_id to make it clear
it is an id.
5 years ago
Victor Julien ccf6c5a6ef classtype: small memory reduction
Reduce memory use by making sure SCClassConfClasstype
has a more optimal memory layout.
5 years ago
Victor Julien 26e2370f99 classtype: put UNITTESTS guards where appropriate 5 years ago
Victor Julien e104c3d913 classtype: reduce scope of functions 5 years ago
Victor Julien a37e09cbe0 detect/classtype: change duplicate classtype behavior
Detect duplicate instances and use the one with the highest
priority.

Use new priority flag to make the logic around explicit priority
sets easier to follow.

Minor code cleanups. Also clean up unittests.
5 years ago
Victor Julien c471d81f04 detect/priority: change duplicate priority behavior
Introduce Signature init_flag to indicate priority has been set.
This will be needed in a follow-up classtype update.

Detect duplicate priority instances in a keyword, and use the
highest priority in the rule. Do issue a warning in this case.
5 years ago
Victor Julien 828d2572f8 detect: use BIT_U32 macros for INIT flags 5 years ago
Victor Julien 3fd4e7bd05 detect/priority: minor cleanups 5 years ago
Victor Julien bfee28db5e detect/classtype: clean up error handling 5 years ago
Victor Julien 5e5761a29c detect/classtype: warn on duplicate classtype
Issue warning instead of erroring and invalidating the rule.

It's not a very serious issue, so don't error out.
5 years ago
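The classtype, priority and reference commits above describe one consistent set of rule-parsing semantics: undefined classtypes and references are warned about once and accepted unless strict parsing is requested, a duplicate classtype or priority keyword is warned about and the highest priority wins, and an explicit priority overrides whatever the classtype would set. The following Python model is an added illustration of those semantics and is not Suricata source code. It assumes a default priority of 3 for classtypes defined on the fly, that priority 1 is the highest (Suricata's convention), and it collects warnings in a list instead of logging them; the rule options it understands are limited to classtype, priority and reference.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_PRIO = 3                     # assumed default for classtypes defined on the fly
STRICT_KEYWORDS = {"classtype", "reference"}   # what --strict-rule-keywords=all covers here


@dataclass
class Signature:
    classtype: Optional[str] = None
    class_id: Optional[int] = None   # numeric id, as in the Signature::class_id rename
    priority: Optional[int] = None
    priority_set: bool = False       # init flag: an explicit priority keyword was seen
    references: list = field(default_factory=list)
    valid: bool = True


class RuleParser:
    """Lenient by default; pass strict=("classtype",) or strict="all" for strict parsing."""

    def __init__(self, classtypes, reference_types, strict=()):
        self.classtypes = {}                          # name -> (id, priority)
        for name, prio in classtypes:
            self._define_classtype(name, prio)
        self.reference_types = set(reference_types)
        self.strict = set(STRICT_KEYWORDS) if strict == "all" else set(strict)
        self.warnings = []
        self._warned = set()                          # (keyword, value) pairs already reported

    def _define_classtype(self, name, prio):
        self.classtypes[name] = (len(self.classtypes) + 1, prio)

    def _warn_once(self, key, msg):
        if key not in self._warned:
            self._warned.add(key)
            self.warnings.append(msg)

    def parse(self, rule):
        """Parse the option section of a rule; unknown keywords are ignored in this model."""
        sig = Signature()
        m = re.search(r"\((.*)\)\s*$", rule)
        if not m:
            sig.valid = False
            return sig
        for opt in filter(None, (o.strip() for o in m.group(1).split(";"))):
            kw, _, val = opt.partition(":")
            handler = getattr(self, "_kw_" + kw.strip(), None)
            if handler is not None:
                handler(sig, val.strip())
            if not sig.valid:
                break
        return sig

    def _kw_priority(self, sig, val):
        prio = int(val)
        if sig.priority_set:
            # duplicate priority keyword: warn and keep the highest priority (1 is highest)
            prio = min(prio, sig.priority)
            self.warnings.append(f"duplicate priority keyword, using {prio}")
        sig.priority, sig.priority_set = prio, True

    def _kw_classtype(self, sig, val):
        if val not in self.classtypes:
            if "classtype" in self.strict:
                sig.valid = False            # strict: unknown classtype invalidates the rule
                return
            # lenient: warn once, then define it so later rules do not warn again
            self._warn_once(("classtype", val),
                            f"unknown classtype '{val}', defining it with priority {DEFAULT_PRIO}")
            self._define_classtype(val, DEFAULT_PRIO)
        cid, prio = self.classtypes[val]
        if sig.classtype is not None:
            # duplicate classtype keyword: warn and keep the one with the highest priority
            self.warnings.append("duplicate classtype keyword in rule")
            if prio >= self.classtypes[sig.classtype][1]:
                return
        sig.classtype, sig.class_id = val, cid
        if not sig.priority_set:             # an explicit priority keyword always wins
            sig.priority = prio

    def _kw_reference(self, sig, val):
        reftype, _, refval = val.partition(",")
        if reftype not in self.reference_types:
            if "reference" in self.strict:
                sig.valid = False            # strict: unknown reference type invalidates the rule
                return
            self._warn_once(("reference", reftype), f"unknown reference type '{reftype}'")
        sig.references.append((reftype, refval))
```

Running the same unknown classtype through the parser twice produces a single warning, because the first occurrence defines the classtype with the default priority; a parser constructed with strict="all" rejects the rule instead, which is the behaviour the --strict-rule-keywords option selects.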
Victor Julien 282e1c2520 detect/classtype: fix parsing error checking 5 years ago
Jason Ish 2d0b3d7320 detect/test: update test for file prune changes
As the file prune is now moved to the flow worker, the file
prune is run later, meaning the first file has not yet
been pruned from the file container list.

Adjust test to look for a second file, and check the
flags on that file.

For commit addressing bug 2490.
5 years ago
Jason Ish ebcc4db84a file extraction: always prune files after detect
If a keyword like filemd5 was being used without a filestore,
or a file output enabled, it would be pruned before detection
had a chance to match.

Consolidate file pruning to the end of the flow worker so files
are available for detection even when a file output is not
enabled.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2490
5 years ago
Victor Julien c7e4433fe9 afl/decode: fix stats related memleak reports 5 years ago
Shivani Bhardwaj 8940a9d326 afp: nicer error message in case of fanout failure
Use clearer message in case fanout is not supported or cluster_id is
already in use.

Closes redmine ticket #1940.
5 years ago
Shivani Bhardwaj ac55b21184 suricata: Check if default log dir is writable
At startup, if the default log dir provided either by command line
options or suricata.yaml is not writable, the error comes quite late.
This patch makes suricata exit if there is such an error at the
beginning itself.

Closes redmine ticket #2386.
5 years ago
Shivani Bhardwaj 5fbb7cef0a Makefile: Make libhtp available at install-rules stage
So far, when the "make install-rules" stage was executed, the libhtp path
was not recognized, as ldconfig has not run by this stage.
Set "LD_LIBRARY_PATH" since we already know the path where libhtp would
be.

Closes redmine ticket #2669.
5 years ago
Victor Julien 4061bf5ceb doc/datasets: update example config to map 5 years ago
Victor Julien 6dca50a322 runmode: consider test mode a user mode 5 years ago
Victor Julien 914c5b7975 datasets: fix error handling 5 years ago
Victor Julien 1021465f23 datasets: improve and doc return codes 5 years ago
Jason Ish a2fcc304e7 dataset: fix return value check on isnotset
The dataset api returns -1 for not found.
5 years ago
Victor Julien c6cda99bcd thash: fix prealloc config setting 5 years ago
Victor Julien e264a0cee8 datasets: fix hash table config
Example:

datasets:
  ua-seen:
    type: string
    state: ua-seen.lst
    hash:
      hash-size: 100000
      prealloc: 1000
      memcap: 256mb
5 years ago
Victor Julien 9b64b6794b datasets: change config to map
Example:

datasets:
  ua-seen:
    type: string
    state: ua-seen.lst
  dns-sha256-seen:
    type: sha256
    state: dns-sha256-seen.lst
5 years ago
Victor Julien 1e50b2e404 lua: fix lua int size detection
Failed to work with non-bundled htp and with some stricter
compile flags.
5 years ago
Jason Ish f9c9548b74 configure: detect lua integer size
Lua 5.1 and 5.3 use a different integer size. Run a test program
to set the integer size used in the Rust FFI layer.
5 years ago
Jason Ish 342fa8ee26 magic/test: remove NULL as format string
Remove passing NULL as a format string parameter
in test. Convert to FAIL_IF_NULL.
5 years ago
Jason Ish 5f1c851716 configure: remove unused LUA_PC_NAME.
This variable is no longer used. Instead multiple
lua pkg-config names are checked.
5 years ago
jason taylor e4156b2f89 config: update lzma size notes to match others
Signed-off-by: jason taylor <jtfas90@gmail.com>
5 years ago
Victor Julien 029683cbac doc: reformat linux ips guide 5 years ago
Eric Leblond 6d9416148b doc: add nftables IPS configuration 5 years ago
Eric Leblond 82eb669205 doc: information about scaling AF_PACKET IPS mode 5 years ago
Eric Leblond ffe81dc9f2 doc: add info about AF_PACKET IPS
Based on https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/

Also fix some typos in the Netfilter setup.
5 years ago
Jason Ish 0cd5452194 doc: mark independent json loggers as deprecated
This is the loggers such as alert-json-log, dns-json-log, etc.
They are not even referenced in the default configuration file,
and are easily replaced with multiple eve instances.
5 years ago