Commit Graph

144 Commits (1422b18a996e76aa67c08cf2c67b0b9b84d9c1b7)

Author SHA1 Message Date
Philippe Antoine 1422b18a99 http2: initial support 5 years ago
Jason Ish fd5d8b78d0 alert/eve: add snmp metadata for rdp alerts
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3441
5 years ago
Jason Ish ef0ebc9550 alert/eve: add snmp metadata for snmp alerts
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3441
5 years ago
Sascha Steinbiss c31360070b rust/mqtt: add MQTT parser 5 years ago
Jeff Lucovsky 30ae98f658 output/json: Multi-threaded EVE logging support
This commit modifies the JSON loggers with changes necessary to support
multi-threaded EVE output.

Each "thread-init" function sets up the per-thread log file context for
subsequent calls to the JSON output to buffer function.
5 years ago
Victor Julien a8e2399ea9 eve/metadata: create preformatted json string at start up
Avoid runtime overhead of assembling metadata json string by
pre-creating it at rule parsing time.
5 years ago
Jason Ish ccc057fdc9 dnp3/eve: convert to jsonbuilder (non generated code)
First step of converting DNP3 to JsonBuilder by first converting
the non-generated code.
5 years ago
Victor Julien c1673908ac eve/alert: minor cleanups 5 years ago
Victor Julien d2c48d4faf eve/alert: move files logging into util func 5 years ago
Victor Julien 3dacbcddef eve/alert: move app-layer logic into a util func 5 years ago
Jeff Lucovsky b2c1dab2da output/alert: Correct FORWARD_NULL Coverity issue.
This commit corrects the FORWARD_NULL issue in AlertJson by
null-checking p->flow
5 years ago
Jeff Lucovsky 648bd5afff output/ftp: Use "Eve" prefix with FTP helpers
This commit changes the prefix of the FTP helper routines from Json to
Eve.
5 years ago
Jeff Lucovsky 03de315bc2 ftp/eve: Convert FTP logging to use JsonBuilder
This commit converts the FTP logging mechanisms to use JsonBuilder.
5 years ago
Shivani Bhardwaj a7535099b4 smb/eve: convert to jsonbuilder
Closes redmine ticket 3712.
5 years ago
Jeff Lucovsky ff92745851 output/json: Include fileinfo in alerts
This commit adds fileinfo to alerts when `metadata` is configured.
5 years ago
Philippe Antoine baf5f52f22 ssh/eve: convert to jsonbuilder 6 years ago
Victor Julien 0db3ee26d0 eve/alert: convert decoder event logging to jsonbuilder 6 years ago
Victor Julien bd3fdeb53f eve/alert: clean up decoder event logging 6 years ago
Victor Julien b3b5802c85 eve/nfs: switch output to jsonbuilder 6 years ago
Giuseppe Longo cb7e72e602 jsonbuilder: fix build error
Clang's build in travis-ci is actually failing because of this error:

output-json-alert.c:476:40: error: missing field 'state_index' initializer
      [-Werror,-Wmissing-field-initializers]
            JsonBuilderMark mark = { 0 };
6 years ago
Jason Ish 36d687580a rfb/eve: convert to jsonbuilder 6 years ago
Jason Ish 49f7dc93bd smtp/eve: convert to jsonbuilder 6 years ago
Jason Ish 037c449b85 tls/eve: convert to jsonbuilder 6 years ago
Jason Ish 6ba93d905f http/eve: convert to jsonbuilder 6 years ago
Jason Ish baf2723757 flow/eve: convert to jsonbuilder 6 years ago
Jason Ish 03cf3dcd6d dns/eve: convert to jsonbuilder 6 years ago
Jason Ish 6a70d6bb6e sip/eve: convert to jsonbuilder 6 years ago
Jason Ish 30cc373b7f alert/eve: convert to jsonbuilder
Convert alert Eve logging to JsonBuilder. Currently
makes heavy use of JsonBuilder being able to log Jansson's json_t
which is a temporary measure until all protocols loggers can be
converted to JsonBuilder.

New functions that replace Jansson versions with JsonBuilder
variations use "Eve" instead of "JSON".
6 years ago
Jason Ish 5e1b44ac71 alert/eve: use addr info struct for source/target (jsonbuilder prep)
Update the source/target logging to use the cached address info
instead of fetching it from the constructed json_t object.

This is required for migration to JsonBuilder which does not
have the ability to retrieve already set fields.
6 years ago
Jason Ish 5ab673aee2 flow/eve: separate flow and app_proto logging (jsonbuilder prep)
Currently the flow logger also logs app_proto information,
but not to the flow object, but instead to the root object
of the log record.

Refactor into 2 separate methods, one for the app_proto
and one for the flow, to make this more clear, as well
as make it easier to refactor for JsonBuilder as JsonBuilder
can only write to the currently open object.
6 years ago
Jason Ish 99f460aa5a eve/fivetuple: use intermediate address struct (jsonbuilder prep)
Currently alert logging relies on the ability to change existing
values in the json_t structure to overwrite addresses with xff
data. This feature is also used for the "target" logging.

As we can't do this with JsonBuilder, create a new struct to
hold the 5 tuple, with the values swapped as needed, and
overwritten with XFF data if needed. This struct will now
be used to write out the 5 tuple, as well as cache the information
for log fields to be written out later on in the log path.
6 years ago
Jason Ish cc4f9d7f3d alert/eve: remove jansson specific feature (jsonbuilder prep)
Remove the Jansson specific feature of being able to delete
an object from json_t, in prep for refactors to JsonBuilder.

Instead create a new header for each alert to be logged.
6 years ago
Jason Ish f4f1fdbf86 alert/eve: move logging of rule text (jsonbuilder prep)
Move the logging of the rule text to where the alert object
is being logged to remove the usage of json_object_get...

Getting previously logged objects will not be possible with
JsonBuilder.
6 years ago
Philippe Antoine 69b4fffdae parse: move SSH parser from C to Rust 6 years ago
Frank Honza 1c8943dedd add RFB parser
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

 - rfb.name: Session name as sticky buffer
 - rfb.sectype: Security type, e.g. VNC-style challenge-response
 - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
6 years ago
Jason Ish a0e3e2d7b4 dns: register parsers from Rust
And port the C DNS tests to Rust.
6 years ago
Jason Ish 0af9a3a5f7 dns: remove C wrapper functions to Rust
Remove registration of C wrapper functions and register
the Rust functions directly for UDP.
6 years ago
Victor Julien 9716c24ba1 eve/alert: clean up proto metadata
Use a switch statement to select the protocol specific function.
6 years ago
Victor Julien edd2cd626f jansson: remove HAVE_LIBJANSSON guards 6 years ago
Victor Julien 5e9714e384 rust: remove all HAVE_RUST guards 6 years ago
Jeff Lucovsky 95879c0d5a logging/alert: Warn if metadata not selected
Warn when HTTP body logging has been selected but applayer/metadata
logging is not configured.
6 years ago
Giuseppe Longo c88559dc72 output/json-alert: add sip metadata
Put SIP information to alert event.
6 years ago
Jeff Lucovsky 3d5eccf084 output/json: Refactor output buffer size macro 6 years ago
Jeff Lucovsky 74f436d209 logging: display base64 decoded string for packet
This changeset changes the packet display to be base64, rather than hex.
7 years ago
Jeff Lucovsky 5e222129d5 eve/alert: Remove unused results from PrintRawLineHexBuf
This changeset removes the call to `PrintRawLineHexBuf`. The
return values were never used.
7 years ago
Jason Ish 67b2692d34 dns: remove as much C DNS code as possible
As some of the C code is still used it can't all be removed.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2850
7 years ago
Jason Ish 9bf6f7d5a9 rust/dns: add dns to dns alerts 7 years ago
Victor Julien e956b484c5 eve/json: handle common options in central function 7 years ago
Victor Julien df1ec82b55 eve/json: move common settings into its own struct 7 years ago
Maurizio Abba bf4398b15d output-json: ensure string is json-encodable
Substitute json_string with SCJsonString custom function.
SCJsonString will ensure string passed is json-encodable (utf-8).
If it's not, the string will be converted in such a way that any
non-printable character will be encoded in its hex form.
The resulting json object will be returned.

rust modification will encode any non-printable character during its
conversion in to_cstring.
7 years ago