Commit Graph

15119 Commits (0b6b015e26e92d88ebfd7ddac6ee34646fc0a57c)

Author SHA1 Message Date
Philippe Antoine 0b6b015e26 output/alert: rewrite code for app-layer properties
Especially fix setup-app-layer script to not forget this part

This allows, for simple loggers, to have a unique definition
of the actual logging function with the jsonbuilder.
This way, alerts, files, and app-layer event can share the code
to output the same data.

Ticket: #3827
2 years ago
Philippe Antoine 90c17652a3 rust: remove unused
Ticket: #4083
2 years ago
Philippe Antoine 32cce122e1 detect: header_lowercase transform
Ticket: 6290
2 years ago
Joseph Reilly 55a4e12884 af-xdp: detach XDP program early
To mitigate a bug with AF_XDP sockets in high traffic scenarios, the XDP program must be detached before
the sockets are closed. This issue happens when large amounts of traffic are sent to Suricata and
the XDP program is not removed before AF_XDP sockets are closed. I believe this is a race
condition bug as detailed here: https://bugzilla.kernel.org/show_bug.cgi?id=217712

Further investigation shows this may be a bug exclusive to the driver/AMD processor combination.

This commit addresses the bug by ensuring the first thread to run the deinit function
removes the XDP program, which fixes the bug as detailed in the bugzilla link.

Bug #6238
2 years ago
Eric Leblond 180459eeb6 detect/stream_size: fix prefiltering registration
Ticket: #6551
2 years ago
jason taylor c50002978d doc: update file.data keyword documentation
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Thomas Winter 7d40a9f178 rule-reload: Release excess memory freed during engine reload
The hot reload results in large chunks of memory being freed as the
old signature tables are discarded. Help the memory management
system along by telling it to release as much memory as it can at this
point.

Bug: #6454.
2 years ago
Jason Ish d2b25af3f4 examples: add an example plugin of an eve filetype
This is an example of what adding plugin examples to the Suricata repo
could look like.

This plugin is an example plugin for an EVE filetype. It could be
extended to support outputs like Redis, syslog, etc.

There is one issue with adding plugins like this to an autotools
project, the project can't be built with --disable-shared, which is
more of an autotools limitation, and not really a Suricata issue.
Suricata built with --disable-shared will load plugins just fine.

Note that the examples directory was added as DIST_SUBDIRS as we don't
want normal builds to recurse into it and attempt to build the plugin;
it's just an example, but we still need to keep distcheck happy.
2 years ago
Juliana Fajardini a649a92afd userguide: update tls not_after/not_before mentions
Our tls fields not_after and not_before are actually logged as
`notafter` and `notbefore`, but were documented with the underscore.

Update the documentation, since updating the log format itself would be
a breaking change.

Task #5494
2 years ago
Juliana Fajardini 58fb559594 userguide: document flow_id, with examples
Flow_id explanation expanded from version shared by Peter Manev.

Task #6445
2 years ago
Jason Ish bec1d8ca9f github-ci: don't add author names/emails to new author comment
The new author details will still be available in the artifact, we're
just not calling them out in a highly visible pull request comment.
2 years ago
Jason Ish 2b9603d94d github-ci: cancel previous builds workflow for branch
On a push of the same branch, cancel the previous running builds.yml
workflow.
2 years ago
Jeff Lucovsky 924c59448f bool: Remove TRUE/FALSE 2 years ago
Jeff Lucovsky 36e5792501 debug/bool: Switch use_color to a bool 2 years ago
Jeff Lucovsky 0a716afadc run/bool: Use bool for threading value 2 years ago
Jeff Lucovsky 28c950cef5 htp/bool: Use bool instead of int 2 years ago
Jeff Lucovsky 84b2d665d6 detect/bool: Use bool type for unittests 2 years ago
Jeff Lucovsky 8f2a3ea7be prefilter/bool: Use bool values for is_last 2 years ago
Jeff Lucovsky d2c46110d6 pcap/bool: Use bool type for is_private 2 years ago
Jeff Lucovsky 2016d68f41 stream/bool: Use bool for StreamTcpInlineMode 2 years ago
Jeff Lucovsky 9bd2b7425d general/bool: Change Suricata int to bool
Change Suricata operational values from int to bool.
2 years ago
Jeff Lucovsky 051a14acd3 general/bool: Use bool for file support 2 years ago
Jeff Lucovsky 310dcd1dc4 general: Use bool instead of int for condition fns
This commit changes the conditional logging functions to use bool rather
than int values.
2 years ago
Comfort Amaechi 491f5dcc31 util-memcmp: Convert unittests to new FAIL/PASS API
Ticket: #6107
2 years ago
Sascha Steinbiss d07e7f6862 detect: fix typo 2 years ago
Sascha Steinbiss 0c55fe3515 detect: add mqtt.connect.protocolstring
Ticket: OISF#6396
2 years ago
Victor Julien 68a2fcaad3 mpm: thread ctx cleanups
Remove unused thread ctx' from AC variants

Use single thread store in detection.

Minor cleanups.
2 years ago
Victor Julien 3b826fff68 detect/tag: reuse result of previous host lookup
Minor optimization that could lead to a reduction in host table
lookups if more than one host feature is in use.
2 years ago
Victor Julien 6b2c33990f doc/userguide: add tag keyword page
Ticket: #3015.
2 years ago
Victor Julien 4a02a14df1 doc/userguide: document host table yaml settings 2 years ago
Victor Julien 3cad7cfa56 unittests: free packet using PacketFree
Update SigTest17 which left a dangling pointer.
2 years ago
Victor Julien 4a079541b2 detect: fix inspect engine return codes
Use proper inspect engine codes instead of bool.
2 years ago
Victor Julien 58c7a438ed detect/flow: optimize only_stream/no_stream options
Until now the implementation would scan the stream, fallback to the
packet payload in exception cases, then keep track of where the match
was and in the flow match logic reject the match if it was in the wrong
buffer.

This patch simplifies this logic, by refusing to inspect the packet
payload when `only_stream` is set.

To do this the `only_stream`/`no_stream` options are now translated
to the pseudo protocols `tcp-stream` and `tcp-pkt` at parsing, so that
the `flow` keyword doesn't have to evaluate these conditions anymore.
2 years ago
Philippe Antoine e3cd0d073f http2: app-layer event for userinfo in uri
Ticket: #6426

as per RFC 9113
":authority" MUST NOT include the deprecated userinfo subcomponent
for "http" or "https" schemed URIs.
2 years ago
Jeff Lucovsky a46779d866 detect/transform: Clarify transformation validation
Issue: 6439

Clarify the transform validation step. When a transform indicates that
the content/byte-array is not compatible, validation will stop.

Content is incompatible in some cases -- e.g., following the
to_lowercase transform with content containing uppercase characters.
An alert is not possible since the content contains uppercase and the
transform has converted the buffer into all lowercase.
2 years ago
Jeff Lucovsky 1110a86cb9 detect/transform: Register case-change transforms
Issue: 6439
2 years ago
Jeff Lucovsky 9ee55d2394 doc/transform: Document case-changing transforms.
Issue: 6439
2 years ago
Jeff Lucovsky e5c2f9a56d detect/transform: Add case changing transforms
This commit adds the implementation for the case changing transforms:
to_lowercase and to_uppercase

Issue: 6439
2 years ago
Jeff Lucovsky ffd559cd8e detect/transform: Add case-change transform constants
Add the constants for the to_lowercase and to_uppercase transforms

Issue: 6439
2 years ago
Jeff Lucovsky 6a41843035 detect/tenants: Add tenant context to rule loads
Issue: 1520

This commit adds the tenant id for context to rule and .config file
loads.
2 years ago
Jeff Lucovsky 9d8eec453a general: Remove vi formatting directives 2 years ago
Jeff Lucovsky ad96382cf2 output/null: Add the null output device
This commit adds the null output device; to use, set the filetype
to "nullsink" for each output that should discard and never persist
logs/alerts/etc.

This is implemented as an "internal eve output plugin" just like the
syslog eve output type.
2 years ago
Ralph Eastwood 9865164e75 napatech: update docs to remove hba reference 2 years ago
Ralph Eastwood 7b0a5dae60 napatech: remove deprecated hba support 2 years ago
Philippe Antoine ab9b6e30b1 detect: adds flow integer keywords
Ticket: #6164

flow.pkts_toclient
flow.pkts_toserver
flow.bytes_toclient
flow.bytes_toserver
2 years ago
Philippe Antoine 8c5310aefd doc: quic in eve/schema
Ticket: #6076
2 years ago
Victor Julien 2f4027c117 version: start work on 8.0.0 2 years ago
Victor Julien 6bb882c4c0 macset: remove dead flow init/cleanup code
FlowInit() will only be called on a newly allocated, or a fully cleaned
up flow, so no existing storage will exist.

The only caller of `FLOW_RECYCLE` first calls `FlowFreeStorage()`, so
the reset logic in `FLOW_RECYCLE` can never trigger.

Remove now unused MacSetReset logic.
2 years ago
daniel zhao de14e3d0b5 detect/flow: fix DETECT_FLOW_FLAG_ESTABLISHED check
Ticket: #6448
2 years ago
Victor Julien 741ba51c1e github-ci: Fedora 37 to 39; use packaged cbindgen 2 years ago