Commit Graph

12411 Commits (23768c71814aa267672de772d43394727b3428a4)

Author SHA1 Message Date
Jason Ish 4ab1950760 eve/syslog: remove "plugin" naming 3 years ago
Jason Ish 4cd99fc266 eve: register internal output file types
Register known eve output file types during eve registration. This
removes the function to load internal plugins as they are not really
plugins and moves the registration of them into their respective
subsystem.
3 years ago
Jason Ish 784a080201 plugins: rename SCPLuginFileType to SCEveFileType
With internal code using the plugin API to register an Eve
filetype, the name plugin no longer makes sense. This is
part of my idea that internal plugins aren't plugins at all,
and the plugin interface should be an abstraction over
internal APIs.

Along that idea, this is the start of a refactor of the plugin
file types to be internal, where the plugin API is just an external
interface to that internal API.
3 years ago
Jeff Lucovsky f221c344ed output/syslog: Register syslog plugin
This commit completes the syslog conversion to an internal output plugin
with registration to make it available as an output file type.
3 years ago
Jeff Lucovsky b4da070c59 output/plugin: Refactor eve registration function 3 years ago
Jeff Lucovsky 98d4f9eaa4 output/syslog: Refactor syslog definitions 3 years ago
Jeff Lucovsky be9fbe3230 output/syslog: Convert syslog eve output to plugin
This commit converts the "built-in" syslog eve output handler into an
internal plugin.
3 years ago
Jeff Lucovsky 0e3773ddef output/json: Refactor internal routines 3 years ago
Jeff Lucovsky 5ba08dfef5 plugin: Refactor and create registration function
This commit refactors the plugin registration code and creates an API
for plugin registration
3 years ago
Jeff Lucovsky 18cc0fefab output/plugin: Load internal plugins
This commit adds an interface for loading plugins that are internal to
Suricata. These are always loaded and are in a modified format from
external plugins.
3 years ago
Jeff Lucovsky 0ee5532036 plugin: Add "not set" plugin value type
This value is used as a sentinel to determine if the configured
eve.json filetype was located.

First, the built-in and internal output plugins are checked. If the
sentinel value remains set, the external plugins are searched for the
filetype.
3 years ago
Juliana Fajardini b3f447a0df util/lua-common: use lua_pushnumber for SCFileInfo 4 years ago
Juliana Fajardini 751906b71d doc/lua-functions: add sha items to SCFileInfo doc 4 years ago
Juliana Fajardini 1315cb793b util/lua-common: fix SCFileInfo bug & doc comment
The callback for FileInfo was returning the wrong value, resulting
in loss of some tuple values for one calling SCFileInfo in a script.

The documentation comment wasn't mentioning the sha items that are
pushed.
4 years ago
Juliana Fajardini 8b53468d32 util/lua-common: use pushinteger w/ byte & pkt cnt
The LuaCallbackStatsPushToStackFromFlow tuple is composed of integer values;
not all of them had been converted to lua_pushinteger yet.
4 years ago
Juliana Fajardini 82cd125c62 util/lua-common: update copyright year 4 years ago
Juliana Fajardini 9b6ce27487 util-lua-common: use lua_pushinteger w/ int values
replace lua_pushnumber with lua_pushinteger for SCFlowStats and
SCRuleIds.
4 years ago
Juliana Fajardini 00d7a152eb lua/output: fix typo 4 years ago
Juliana Fajardini 7592a9be43 lua: use pushinteger for int in flow/packet tuples 4 years ago
Shivani Bhardwaj f3fcc39738 ssh: remove futile default port setting 4 years ago
Shivani Bhardwaj 1f48714e75 smb: remove futile default port setting 4 years ago
Shivani Bhardwaj 13741540ce rfb: remove futile default port setting 4 years ago
Shivani Bhardwaj 7c9d573800 nfs: remove futile default port setting 4 years ago
Shivani Bhardwaj d166acbdab applayer: error if probes are null but port is not
If the default port is set via the Rust registration table but the probe
fns to server and to client are set to None, the port is never used.
Setting port in such a case is useless so error out.
4 years ago
Shivani Bhardwaj f4f6387a00 dcerpc: use null for default ports 4 years ago
Jason Ish 2cff811609 doc: remove prelude and document as removed 4 years ago
Jason Ish 54be743c48 prelude: remove the prelude output
It was broken in 6 and that didn't cause much issue. Just remove
it for 7.
4 years ago
Jason Ish 3e9d1e813a doc/upgrade: move ike logging changes to 7.0 changes
Was mistakenly put in 6.0 changes.
4 years ago
Jason Ish f56634ac46 doc/upgrade: mention that nss is no longer required 4 years ago
Shivani Bhardwaj bfac4ff4d2 ci: use quiet option w suricata-verify 4 years ago
Victor Julien e1035fd3ae detect/prefilter: bail early if possible 4 years ago
Victor Julien 88bb23b7cf detect/prefilter: update tx_min_progress to uint8_t
Now that our max progress value is 47, we don't need an int.
4 years ago
Victor Julien ed87784907 detect: enforce max app-layer progress
Allow progress values in the range 0-47 so we have 48 bits to track
prefilter engines.

Mark bits 48-62 as reserved explicitly.

Add debug validation checks to make sure the reserved space isn't used.
4 years ago
Victor Julien 932cf0b6a6 detect: track prefilter by progress, not engine
Fix FNs in case of too many prefilter engines. A transaction was tracking
which engines have run using a u64 bit array. The engine's 'local_id' was
used to set and check this bit. However, the bit checking code didn't
handle int types correctly, leading to an incorrect left shift result of
a u32 to a u64 bit value.

This commit addresses that by fixing the int handling, but also by
changing how the engines are tracked.

To avoid wasting prefilter engine tracking bit space, track what
ran by the progress they are registered at, instead of the individual
engine id's. While we can have many engines, the protocols use far
fewer unique progress values. So instead of tracking for dozens of
prefilter id's, we track for the handful of progress values.

To allow for this the engine array is sorted by tx_min_progress, then
app_proto and finally local_id. A new field is added to "know" when
the last relevant engine for a progress value is reached, so that we
can set the prefilter bit then.

A consequence is that the progress values have a ceiling now that
needs to fit in a 64 bit bitarray. The values used by parsers currently
do not exceed 5, so that seems to be ok.

Bug: #4685.
4 years ago
Victor Julien 9a09fe454b flow: log action applied to all packets
Log if action applied to whole flow is drop or pass.
4 years ago
Victor Julien 3874d08015 tests: fix drop test; cleanup
SigTestDropFlow04 was incorrectly expecting an alert in the packet
following a "drop" packet. The first drop is applied to the flow, so
it should lead to the 2nd packet being dropped before inspection is
run.

Clean up the test as well.
4 years ago
Victor Julien e36b9b89a1 detect/tests: improve detection entry
Lots of tests still use SigMatchSignatures as their main detection
entry function, which bypassed some logic. Make it match main logic
more closely.
4 years ago
Victor Julien 3f4110af32 tests: clean up drop test 4 years ago
Victor Julien 802c1ffee3 detect: enforce flow drops earlier
Enforcing flow drops is now done earlier in the detection engine and
moved out of the IP-only engine where it didn't belong.
4 years ago
Victor Julien aa93984b7e detect: unify alert handling; fix bugs
Unify handling of signature matches between various rule types and
between noalert and regular rules.

"noalert" sigs are added to the alert queue initially, but removed
from it after handling their actions. This way all actions are applied
from a single place.

Make sure flow drop and pass are mutually exclusive.

The above addresses issue with pass and drops not getting applied
correctly in various cases.

Bug: #4663
Bug: #4670
4 years ago
Victor Julien ae89874b06 detect: remove dead code 4 years ago
Victor Julien 33c8fda795 detect/lua: use BIT_U32 for flags 4 years ago
Victor Julien dc6755bf8e detect/lua: minor cleanup 4 years ago
Victor Julien 093ed6f9bc output/tx: check flags using BIT_U32 4 years ago
Victor Julien 29d5eb969e packet: use BIT_U32 for flags 4 years ago
Victor Julien ce18f4b8e2 detect/mpm: micro optimization for initialization
Do less expensive check first.
4 years ago
Victor Julien dfe71bb773 detect: remove ticker
Last consumer of it has been converted.
4 years ago
Victor Julien 9a5c666b26 detect/http: clean up header buffer logic
Simplify and clean up header buffer management. The code was designed
to track buffers for several transactions in parallel, from when the
detection engine wasn't aware of transactions.

For http.start and http.header_names use generic mpm and inspect
functions.
4 years ago
Philippe Antoine ca760e305c ipv6: decoder event on invalid length
From RFC 2460, section 4.5,
each fragment, except the last one, must have a length
which is a multiple of 8
4 years ago
Philippe Antoine 596a4a9d6e http2: better rust style 4 years ago