aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
8,477 Commits
7 Branches
155 Tags
192 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1261d30df0'
${ noResults }
Commit Graph

8477 Commits (1261d30df0fd1d9139c3d3a8ee371fdd3032b7fb)
 

Author SHA1 Message Date
Victor Julien 1261d30df0 mingw/cygwin: explicitly disable unix socket 7 years ago
Victor Julien 6b75162194 mingw: use c:\Program Files\Suricata for w64 7 years ago
Victor Julien 650e6b316d ipv6: add string validation function 7 years ago
Victor Julien 13477d60ee ipv4: add string validation function 7 years ago
Victor Julien aa2eddfb98 decode/mime: improve ip address validation 
inet_pton on Windows/MinGW is very liberal, so do manual validation
of IP address formatting.
 7 years ago
Victor Julien d6a7f6b53f mingw: work around mingw more liberal ip parsing 7 years ago
Victor Julien 269cd03a43 console: no color for native windows build 7 years ago
Victor Julien 275eb839d1 mingw: disable pid checking from pidfile 
kill() call is not supported in MinGW
 7 years ago
Victor Julien 3fc73addae mingw: fix 'struct tm' compilation issue 7 years ago
Victor Julien 46cb00ec6c strptime: add implementation from NetBSD 
As MinGW doesn't come with strptime take the BSD licensed
implementation from NetBSD. More specifically, the one from

https://github.com/Alexpux/MINGW-packages/blob/master/mingw-w64-libkml/strptime.c

It's slightly modified to get rid on 'uint'.
 7 years ago
Victor Julien 11be9bd971 mingw: add SCNtohl and SCNtohs macro's 
On MinGW the result of ntohl needs to be casted to uint32_t and
the result of ntohs to uint16_t. To avoid doing this everywhere
add SCNtohl and SCNtohs macros.
 7 years ago
Victor Julien 895df9a6f6 mingw: fix use of undefined USR2 signal 7 years ago
Victor Julien e113fa96e9 mingw: fix compilation of signals code 7 years ago
Victor Julien d8ddd3b5bc mingw: work around mingw mkdir 
mingw doesn't come with a posix compliant mkdir as it only takes
a single argument.
 7 years ago
Jason Ish 223d9a1e3a eve: remove json format option - was not used 7 years ago
Jason Ish 1587772b90 eve.flow: removed unused http parameters 7 years ago
Jason Ish c4d30ddaf9 eve: fix context datatype used in init functions 
Many were using AlertJsonThread instead of OutputJsonCtx,
but as the datatypes were similar enough no harm was done.

Now that they are using their proper datatype, removed
AlertJsonThread from output.h as its no longer used.
 7 years ago
Jason Ish b005cceb0a eve.dnp3: removed unsed context field 7 years ago
Jason Ish ecf9eda340 eve.flow: remove "hi" log message 7 years ago
Jason Ish 07ab338145 eve.netflow: remove "hi" log message 7 years ago
Victor Julien 6c251b8576 rust: add --enable-rust-debug 
Add option to put Rust code in non-'--release' mode, preserving
debug symbols.

Until now Suricata would have to be compiled with --enable-debug for
this.
 7 years ago
Victor Julien 979f964260 hostbits: fix test setup 7 years ago
Victor Julien a9ac6db0dd file_data: move tests into tests/ 7 years ago
Victor Julien 6e65cf138b file_data: unify inspect engines 
Call HTTP from the generic file_data engine.
 7 years ago
Victor Julien ac0ae2dcd1 file_data: smtp file_data to generic file_data 
Generalize the SMTP file_data inspection into a 'files'
file_data inspection that can be used for any protocol
that uses the File API.
 7 years ago
Victor Julien ccf202a4f0 detect: minor cleanup 7 years ago
Victor Julien 948dee9a98 app-layer: use bool for 'HasDecoderEvents' 7 years ago
Victor Julien aac15854b4 detect: no tcp flags in mask for pseudo packets 7 years ago
Victor Julien 0b97fbbc13 detect/mpm: micro optimization in setup 7 years ago
Victor Julien 4438e34ed9 detect: remove old simd references 7 years ago
Victor Julien bc46d9a72f decode/vlan: don't consider ARP 'unknown' 7 years ago
Victor Julien a8b0825c18 pfring: minor code cleanups 7 years ago
Victor Julien 553cd0dc98 pfring: add warning for stripped vlan header case 
According to PF_RING upstream the vlan header should never be stripped
from the packet PF_RING feeds to Suricata. But upstream also indicated
keeping the check would be a good "safety check".

So in addition to the check, add a warning that warns once (per thread
for implementation simplicity) if the vlan hdr does appear to be stripped
after all.
 7 years ago
Victor Julien 189b521239 pfring: fix vlan handling issues 
When Suricata was monitoring traffic with a single vlan layer, the stats
and output instead showed 2. This was caused by the raw packets PF_RING
feeds Suricata would hold the vlan header, but the code assumed that
the header was stripped and the vlan_id passed to Suricata through
PF_RING's extended_hdr.parsed_pkt.

This patch adds the following logic: Check vlan id from the parser packet
PF_RING prepared. PF_RING sets the vlan_id based on its own parsing or
based on the hardware offload. It gives no indication on where the vlan_id
came from, so we rely on the vlan_offset field. If it's 0, we assume the
PF_RING parser did not see the vlan header and got it from the hardware
offload. In this case we will use this information directly, as we won't
get a raw vlan header later. If PF_RING did set the offset, we do the
parsing in the Suricata decoder so that we have full control.

PF_RING *should* put back the vlan header in all cases, and also set the
vlan_offset field, but as a extra precaution keep the check described
above.

Bug #2355.
 7 years ago
Eric Leblond 711b6fb389 app-layer-ftp: add memcap for ftp 
Add a memory cap for the FTP protocol.
 7 years ago
Eric Leblond 24f745553c doc: update file extraction document 
Define the list of protocol parsers supporting extraction in one
single place following Andreas Herz' suggestion.
 7 years ago
Eric Leblond f5ba4c231d doc: update following ftp-data changes 7 years ago
Eric Leblond cbce2c78bd detect-ftpdata: match on ftp-data operation 
This keyword mathes on ftp operation STOR and RETR. It will allow
rules writer to select if the alert has to be on a put or a fetch
operation.

It is now possible to write a signature like:

  alert ftp-data any any -> any any (msg:"FTP data get firwmare"; ftdata_command:retr; sid:2; rev:1;)

to alert when a file is retrieved from a FTP server.
 7 years ago
Eric Leblond b0a6934431 app-layer-ftp: add ftp-data support 
Use expectation to be able to identify connections that are
ftp data. It parses the PASV response, STOR message and the
RETR message to provide extraction of files.

Implementation in Rust of FTP messages parsing is available.

Also this patch changes some var name prefixed by ssh to ftp.
 7 years ago
Eric Leblond 140f8baed9 app-layer-expectation: expectation system 
This patch provides a working expectation system. This will allow
suricata to have a way to identify parallel connections opened by
a protocol such as FTP.

Expectation are a chained list and there is a cleaning by timeout
of the entries.

This patch also defined a counter of expectations that is also
used to check if we need to query IPPairs. This way we only query
the IPPairs store if we have an expectation.
 7 years ago
Eric Leblond 31a0783865 app-layer: add Flow to probing parser functions 7 years ago
Eric Leblond 2d68050e60 flow: add parent_id field 
This patch adds a parent_id field to the Flow structure that
contain the flow ID of the parent connection for protocol with
dynamic parallel connection opening like FTP.
 7 years ago
Eric Leblond 5be5e7c879 detect: increase signature mask length 7 years ago
Eric Leblond 7f9f130ec3 suricata: storage early to get it everywhere 7 years ago
Giuseppe Longo 70695201f6 doc: add memcap commands in unix-socket section 7 years ago
Giuseppe Longo 16ddba61d6 suricatasc: add commands for memcap handling 7 years ago
Giuseppe Longo 3668ea2522 runmode-unix-socket: add commands for memcap handling 
This permits to handle memcap values through
unix socket for:
- stream
- stream-reassembly
- flow
- applayer-proto-http
- defrag
- ippair
- host

It will be possible to show or change a memcap value
for a specified configuration and list all memcap values
available.

The following commands are registered for unix-socket:
- memcap-set
- memcap-show
- memcap-list

Output:
>>> memcap-show flow
Success:
{
    "value": "64mb"
}

>>> memcap-set flow 64mb
Success:
"memcap value for 'flow' updated: 67108864"

Command with invalid memcap key:
>>> memcap-set udp 32mb
Error:
"Available config: stream stream-reassembly flow applayer-proto-http defrag ippair host"

Command with an invalid memcap value:
>>> memcap-set http 32mmb
Error:
"error parsing memcap specified, value not changed"
 7 years ago
Giuseppe Longo bba8cfb626 host: get/set memcap value 
This adds new functions that will be called
through unix-socket and permit to update
and show memcap value.

The memcap value needs to be handled in a
thread safe way, so for this reason it is
declared as atomic var.

Another function is added to gets
the memuse value since it will be shown
through unix-socket.
 7 years ago
Giuseppe Longo e4a18bb942 ippair: get/set memcap value 
This adds new functions that will be called
through unix-socket and permit to update
and show memcap value.

The memcap value needs to be handled in a
thread safe way, so for this reason it is
declared as atomic var.

Another function is added to gets
the memuse value since it will be shown
through unix-socket.
 7 years ago
Giuseppe Longo 0839d06514 defrag: get/set memcap value 
This adds new functions that will be called
through unix-socket and permit to update
and show memcap value.

The memcap value needs to be handled in a
thread safe way, so for this reason it is
declared as atomic var.

Another function is added to gets
the memuse value since it will be shown
through unix-socket.
 7 years ago