Commit Graph

16145 Commits (1173bb788eba9d77701983d36ae2db156fbd18dd)

Author SHA1 Message Date
Philippe Antoine 1854503465 qa: remove deprecated files
lgtm has been superseded by codeql github action
docker and travis are obsolete

Preparatory work for ticket 2696 libhtp rust conversion
8 months ago
Philippe Antoine 6b56d5971a output/tx: use dynamic number of app-layer protos
OutputTxLoggerThreadData gets allocated after the number of app-layer
protos is definite
8 months ago
Philippe Antoine 6a942f589c detect/profiling: use dynamic number of app-layer protos 8 months ago
Philippe Antoine f74997f5c7 app-layer: use already defined constant
FLOW_PROTO_APPLAYER_MAX
8 months ago
Philippe Antoine deb4a5a8cc detect/file-data: use dynamic number of app-layer protos 8 months ago
Philippe Antoine 647e878f7c detect: helper function for multibuffer 8 months ago
Victor Julien afc318737a doc/userguide: document threshold backoff type 8 months ago
Victor Julien 9e735fd6bd stream: enable backoff on event rules
Enable backoff for most rules. The rules looking at the session start up
use a count of 1 and a multiplier of 2.

Post-3whs rules use a count of 1 and a multiplier of 10.
8 months ago
Victor Julien 12130df21c detect/threshold: implement backoff type
Implement new `type backoff` for thresholding. This allows alerts to be
limited.

A count of 1 with a multiplier of 10 would generate alerts for matching packets:
1, 10, 100, 1000, 10000, 100000, etc.

A count of 1 with a multiplier of 2 would generate alerts for matching packets:
1, 2, 4, 8, 16, 32, etc.

Like with other thresholds, rule actions like drop and setting of
flowbits will still be performed for each matching packet.

Current implementation is only for the by_flow tracker and for per rule
threshold statements.

Tracking is done using uint32_t. When it reaches this value, the rest of
the packets in the tracker will use the silent match.

Ticket: #7120.
8 months ago
Victor Julien a0d515bfdd detect/threshold: regex cleanup 8 months ago
Victor Julien 2abe0df136 detect/threshold: format file 8 months ago
Victor Julien e362a01f8d doc/userguide: document new threshold config options 8 months ago
Victor Julien 7d4fcc311c detect/threshold: make hash size and memcap configurable 8 months ago
Victor Julien 10eaf550b7 detect/threshold: includes cleanup 8 months ago
Victor Julien 7bcf364095 detect/threshold: expand cache support for rule tracking
Use the same hash key as for the regular threshold storage,
so include gid, rev, tenant id.
8 months ago
Victor Julien 1e9fdc4005 detect/threshold: consider tenant id in tracking
Ticket: #6967.
8 months ago
Victor Julien 2be998fbcd detect/threshold: include rev in threshold tracking 8 months ago
Victor Julien 3471c0f6ad detect/threshold: improve hash function 8 months ago
Victor Julien b8028bf386 thresholds: use dedicated storage
Instead of a Host and IPPair table thresholding layer, use a dedicated
THash to store both. This allows hashing on host+sid+tracker or
ippair+sid+tracker, to create more unique hash keys.

This allows for fewer hash collisions.

The per rule tracking also uses this, so that the single big lock is no
longer a single point of contention.

Reimplement storage for flow thresholds to reuse as much logic as
possible from the host/ippair/rule thresholds.

Ticket: #426.
8 months ago
Victor Julien ac400af8f4 range: use thash expiry API for timeout 8 months ago
Victor Julien 00e1e89449 thash: add expiration logic
Add a callback and helper function to handle data expiration.

Update datasets to explicitly not use expiration.
8 months ago
Victor Julien 114fc37294 detect/address: constify ipv6 cmp funcs 8 months ago
Victor Julien 3a7247b1ed detect/threshold: minor rate filter cleanup 8 months ago
Victor Julien ab5e04525f detect/threshold: minor code cleanup
Packet pointer is not used during allocation.
8 months ago
Victor Julien 6622dc7444 detect/threshold: minor cleanup 8 months ago
Victor Julien c08c81cacf detect/threshold: implement per thread cache
Thresholding often has 2 stages:

1. recording matches
2. applying an action, like suppress

E.g. with something like:
threshold:type limit, count 10, seconds 3600, track by_src;
the recording state is about counting 10 first hits for an IP,
then followed by the "suppress" state that might last an hour.

By_src/by_dst are expensive, as they do a host table lookup and lock
the host. If many threads require this access, lock contention becomes
a serious problem.

This patch adds a thread local cache to avoid the synchronization
overhead. When the threshold for a host enters the "apply" stage,
a thread local hash entry is added. This entry knows the expiry
time and the action to apply. This way the action can be applied
w/o the synchronization overhead.

A rbtree is used to handle expiration.

Implemented for IPv4.
8 months ago
Victor Julien c963158443 detect: add ticket id to var related todos 8 months ago
Victor Julien 405491c3fc detect/detection_filter: add support for track by_flow 8 months ago
Victor Julien 3f04af7c7f doc: add thresholding by_flow 8 months ago
Victor Julien f028648750 detect/content: fix wrong value for depth check
Limits propagation checked for DETECT_DEPTH as a content flag,
which appears to have worked by chance. After reshuffling the
keyword id's it no longer worked. This patch uses the proper
flag DETECT_CONTENT_DEPTH.
8 months ago
Victor Julien d0f3f2d462 detect: group content inspect keyword id's 8 months ago
Victor Julien 022173d7ab detect: group types used in traffic variables
Traffic variables (flowvars, flowbits, xbits, etc) use a smaller int for
their type than detection types. As a workaround make sure the values fit
in a uint8_t.
8 months ago
Victor Julien cfd55ead74 threshold: add by_flow support for global thresholds
Allow rate_filter and thresholds from the global config to specify
tracking "by_flow".
8 months ago
Victor Julien 1552f0953a detect/threshold: implement tracking 'by_flow'
Add support for 'by_flow' track option. This allows using the various
threshold options in the context of a single flow.

Example:

    alert tcp ... stream-event:pkt_broken_ack; \
        threshold:type limit, track by_flow, count 1, seconds 3600;

The example would limit the number of alerts to once per hour for
packets triggering the 'pkt_broken_ack' stream event.

Implemented as a special "flowvar" holding the threshold entries. This
means no synchronization is required, making this a cheaper option
compared to the other trackers.

Ticket: #6822.
8 months ago
Victor Julien a81b23254c util/var: add comments explaining types 8 months ago
Victor Julien 1fa13e4b81 util/var: remove printf; add assert 8 months ago
Philippe Antoine 5bd17934df http2: do not expand duplicate headers
Ticket: 7104

As this can cause a big memory allocation due to the quadratic
nature of the HPACK compression.
8 months ago
Philippe Antoine 37509e8e0e modbus: abort flow parsing on flood
Ticket: 6987

Let's not spend more resources for a flow which is trying to
make us do it...
8 months ago
Victor Julien ce727cf4b1 detect: remove unnecessary detect thread flags stores 8 months ago
Philippe Antoine b34d4b1314 detect/nfs: do not free a null pointer
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69840
8 months ago
Jeff Lucovsky 5b97f4040c detect/base64: Use Rust defined modes everywhere
Issue: 6487

To avoid ambiguity, a single definition for base 64 decoding modes will
be used. The Rust base64 transform contains the definitions for the
existing mode types: Strict, RFC2045, RFC4648
8 months ago
Jeff Lucovsky 01e20c91fb doc/transform: Correct typo 8 months ago
Jeff Lucovsky d205ff82d0 doc/transform: Describe the from_base64 transform
Issue: 6487

Document the new transform and indicate that it's the preferred way to
perform base64 decoding (preferred over base64_decode)
8 months ago
Jeff Lucovsky f042e9034b detect/transform: Add from_base64 transform
Issue: 6487

Implement the from_base64 transform:
    [bytes value] [offset value] [mode strict|rfc4648|rfc2045]

    The value for bytes and offset may be a byte_ variable or an
    unsigned integer.
8 months ago
Jeff Lucovsky 1823681709 detect/transform: from_base64 option parsing
Issue: 6487

Implement from_base64 option parsing in Rust. The Rust module also
contains unit tests.
8 months ago
Jeff Lucovsky ab0cb960a1 detect/parser: Refactor utility routines
Refactor utility functions/definitions from the byte_math module into
the parser module. This includes parse_var and ResultValue

Issue: 6487
8 months ago
Shivani Bhardwaj 903283d76e flow: declare and use constants where possible 8 months ago
Shivani Bhardwaj 00a644c5c2 flow/manager: make fn calls only when necessary 8 months ago
Shivani Bhardwaj eb95d2bf66 flow/timeout: cleanup fn names and comments 8 months ago
Shivani Bhardwaj 8818b9cbe0 flow: remove unneeded args to fn 8 months ago