aa608e0ca2 
								
							
								 
							
						 
						
							
							
								
								SNMP: add the "snmp.version" detection keyword  
							
							
							
						 
						
							6 years ago  
				
					
						
							
							
								 
						
							
							
								ab1d95446a 
								
							
								 
							
						 
						
							
							
								
								doc: http keyword update  
							
							
							
							
							This changeset updates the keyword type for http.location and http.server 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								0960ca0d00 
								
							
								 
							
						 
						
							
							
								
								detect/analyzer Add missing HTTP values  
							
							
							
							
							This changeset adds recognition of missing HTTP values
- Raw host
- Header names
- Server body
- User agent 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								b59e82a642 
								
							
								 
							
						 
						
							
							
								
								userguide: add documentation for ja3s.string keyword  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								76b94c7073 
								
							
								 
							
						 
						
							
							
								
								userguide: add documentation for ja3s.hash keyword  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								d15903a2ef 
								
							
								 
							
						 
						
							
							
								
								userguide: add documentation for Ja3SGetString Lua function  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								37a0594417 
								
							
								 
							
						 
						
							
							
								
								userguide: add documentation for JA3SGetHash Lua function  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								800608ab65 
								
							
								 
							
						 
						
							
							
								
								userguide: add JA3S fields to the TLS logger documentation  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								8a94b93b7b 
								
							
								 
							
						 
						
							
							
								
								doc: Anomaly logging documentation  
							
							
							
							
							This changeset adds discussion of anomaly log records and
the anomaly log record format. 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								7020cffaa8 
								
							
								 
							
						 
						
							
							
								
								userguide: 'sticky' instead of 'Sticky' for all tls keywords  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								03d986dd55 
								
							
								 
							
						 
						
							
							
								
								userguide: add documentation for tls.certs keyword  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								7d6875fb68 
								
							
								 
							
						 
						
							
							
								
								documentation: Correct rst for ssh-keywords  
							
							
							
							
							This changeset corrects an error in the ssh-keywords
where 3 "`" characters were used instead of 2 "`" characters. 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								97fc7c1e1a 
								
							
								 
							
						 
						
							
							
								
								documentation: sticky buffer updates  
							
							
							
							
							This changeset updates the userguide for the TLS and JA3
keywords that have been renamed from <id>_<name> to <id.name> 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								76357350fd 
								
							
								 
							
						 
						
							
							
								
								doc: update http.protocol description  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								4705314fd2 
								
							
								 
							
						 
						
							
							
								
								doc: Add manpages for suricatasc and suricatactl  
							
							
							
							
							Add the missing manpages and the corresponding Sphinx configuration
for the command line tools `suricatasc` and `suricatactl`.
Closes redmine ticket #884 . 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								360a6ace43 
								
							
								 
							
						 
						
							
							
								
								doc: add info about buffer usage in lua  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								355d125c4f 
								
							
								 
							
						 
						
							
							
								
								userguide: remove dns-log  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								75a018ead2 
								
							
								 
							
						 
						
							
							
								
								doc: remove autoconf replacement var for Rust  
							
							
							
							
							Set to yes as Rust is always enabled now. 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								6cfc39d7c9 
								
							
								 
							
						 
						
							
							
								
								napatech: auto-config documentation update  
							
							
							
							
							Added documentation describing how to configure Suricata to automatically
configure streams and host buffers without using NTPL, i.e. from
suricata.yaml. 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								9856c5533a 
								
							
								 
							
						 
						
							
							
								
								doc: ssh.{proto,software} documentation update  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								74cd6a9ee8 
								
							
								 
							
						 
						
							
							
								
								doc: add http.location and http.server  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								bde65467a9 
								
							
								 
							
						 
						
							
							
								
								doc: add ssh protocol in eve log section  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								96c6cf98d5 
								
							
								 
							
						 
						
							
							
								
								doc/userguide: add 3rd-party-integration to dist  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								f1c83c3308 
								
							
								 
							
						 
						
							
							
								
								doc/userguide: new 3rd party section, add bluecoat  
							
							
							
							
							Add Symantec SSLV (bluecoat) doc to new 3rd party section for
documenting integrating Suricata with 3rd party tools. 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								398133b6ce 
								
							
								 
							
						 
						
							
							
								
								doc: add byte_* documentation to the userguide  
							
							
							
							
							Added byte_test, byte_jump and byte_extract description and example rules 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								d6903e70c1 
								
							
								 
							
						 
						
							
							
								
								file-log: remove and add warning  
							
							
							
							
							Feature was deprecated and scheduled for removal.
Ticket #2376  
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								83a8df90f3 
								
							
								 
							
						 
						
							
							
								
								doc: improvement of xbits documentation page  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								43ede4db7f 
								
							
								 
							
						 
						
							
							
								
								doc: xbits:noalert is not a valid syntax  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								2483331a5d 
								
							
								 
							
						 
						
							
							
								
								doc/unix-socket: Add missing commands and detail  
							
							
							
							
							Add missing commands and their corresponding details in unix-socket
userguide.
Closes redmine ticket #2800  
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								c47164ebc8 
								
							
								 
							
						 
						
							
							
								
								doc: add table for custom values of eve/http  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								6fcd2db043 
								
							
								 
							
						 
						
							
							
								
								tile: remove files  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								517b45ea2d 
								
							
								 
							
						 
						
							
							
								
								netmap: switch to nm_* API  
							
							
							
							
							Process multiple packets at nm_dispatch. Use zero copy for workers
recv mode.
Add a configure check for netmap API 11+ and detect the netmap API version.
Add a netmap guide to the userguide. 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								6c0ec0b2f3 
								
							
								 
							
						 
						
							
							
								
								eve/http: add request/response http headers  
							
							
							
							
							Add a keyword configuration dump-all-headers, with allowed values
{both, request, response}, dumping all HTTP headers in the eve-log http
object. Each header is a single object in the list request_headers
(response_headers) with the following notation:
{
    "name": <header name>,
    "value": <header value>
}
To avoid forged malicious headers, the header name size is capped at 256
bytes, the header value size at 2048.
By default, dump-all-headers is disabled. 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								4697351188 
								
							
								 
							
						 
						
							
							
								
								smtp: create raw-extraction feature  
							
							
							
							
							Add a raw-extraction option for smtp. When enabled, this feature will
store the raw e-mail inside a file, including headers, e-mail content,
attachments (base64 encoded). This content is stored in a normal File *,
allowing for normal file detection.
It'd also allow for all-emails extraction if a rule has
detect-filename:"rawmsg" matcher (and filestore).
Note that this feature is in contrast with decode-mime.
This feature is disabled by default, and will be disabled automatically
if decode-mime is enabled. 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								eb73008ccf 
								
							
								 
							
						 
						
							
							
								
								detect/transform: add to_sha1 keyword  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								75f9c1ae9f 
								
							
								 
							
						 
						
							
							
								
								detect/transform: add to_md5 keyword  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								b3c021f8d0 
								
							
								 
							
						 
						
							
							
								
								userguide: improve stats logging documentation  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								f2dca46382 
								
							
								 
							
						 
						
							
							
								
								doc: fix minor typo  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								7a121d9b4c 
								
							
								 
							
						 
						
							
							
								
								doc: add _static dir to make dist  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								c2adb9e669 
								
							
								 
							
						 
						
							
							
								
								doc: added tos keyword  
							
							
							
							
							Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2583  
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								9dd925a46a 
								
							
								 
							
						 
						
							
							
								
								userguide/install: add rust, python-yaml to ubuntu  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								fc395eb2c5 
								
							
								 
							
						 
						
							
							
								
								userguide: updated hyperscan version reference  
							
							
							
							
							Signed-off-by: jason taylor <jtfas90@gmail.com> 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								131112de13 
								
							
								 
							
						 
						
							
							
								
								doc: Remove gulp references  
							
							
							
							
							Signed-off-by: jason taylor <jtfas90@gmail.com> 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								fc54d750dd 
								
							
								 
							
						 
						
							
							
								
								doc: add bypass keyword documentation  
							
							
							
							
							Signed-off-by: jason taylor <jtfas90@gmail.com> 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								be8c06adfd 
								
							
								 
							
						 
						
							
							
								
								userguide: add documentation for ssl_version keyword  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								85f2486e0b 
								
							
								 
							
						 
						
							
							
								
								multi-tenant: document per tenant settings  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								5afeebf884 
								
							
								 
							
						 
						
							
							
								
								doc/flow: updates and cleanups to flow section  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								72dd4a5f92 
								
							
								 
							
						 
						
							
							
								
								doc/rules: initial transforms documentation  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								226fe5cab3 
								
							
								 
							
						 
						
							
							
								
								doc/performance: redo runmodes explanation  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								17e2d39531 
								
							
								 
							
						 
						
							
							
								
								doc/install: update Rust info in generic install overview  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								473688746b 
								
							
								 
							
						 
						
							
							
								
								doc/eve: add community id  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								e92fda37c9 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for SSH keywords  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								64922a476e 
								
							
								 
							
						 
						
							
							
								
								doc: remove deprecated force-md5 flag from userguide  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								7f4e5e6eac 
								
							
								 
							
						 
						
							
							
								
								userguide: update hyperscan documentation  
							
							
							
							
							Signed-off-by: jason taylor <jtfas90@gmail.com> 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								4d38d0844b 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for Lua function 'TlsGetVersion'  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								10fcc8d2ca 
								
							
								 
							
						 
						
							
							
								
								doc: update tls.version documentation  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								bce7c2dd87 
								
							
								 
							
						 
						
							
							
								
								eve/http: add tx->request_port_number as http_port  
							
							
							
							
							Add the port specified in the hostname (if any) to the http object in
eve. The port may be different from the dest_port used by the TCP flow. 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								173e5a1c58 
								
							
								 
							
						 
						
							
							
								
								doc: iprep supports CIDR networks  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								7c884e0850 
								
							
								 
							
						 
						
							
							
								
								doc: update multi-tentant for device feature  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								2dc6b6ee14 
								
							
								 
							
						 
						
							
							
								
								source-pcap-file: delete when done (2417)  
							
							
							
							
							https://redmine.openinfosecfoundation.org/issues/2417 
Add option to have pcap files deleted after they have been processed.
This option combines well with pcap file continuous and streaming
files to a directory being processed. 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								ede94e1f66 
								
							
								 
							
						 
						
							
							
								
								doc: alphabetize EXTRA_DIST  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								ff73d908aa 
								
							
								 
							
						 
						
							
							
								
								doc: add window ips inline doc to extra_dist  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								d2142cf433 
								
							
								 
							
						 
						
							
							
								
								doc: make warnings errors when building man page  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								01f477786e 
								
							
								 
							
						 
						
							
							
								
								doc: link in windows ips setup page  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								ec77632e84 
								
							
								 
							
						 
						
							
							
								
								Adds WinDivert support to Windows builds  
							
							
							
							
							Enables IPS functionality on Windows using the open-source
(LGPLv3/GPLv2) WinDivert driver and API.
From https://www.reqrypt.org/windivert-doc.html  : "WinDivert is a
user-mode capture/sniffing/modification/blocking/re-injection package
for Windows Vista, Windows Server 2008, Windows 7, and Windows 8.
WinDivert can be used to implement user-mode packet filters, packet
sniffers, firewalls, NAT, VPNs, tunneling applications, etc., without
the need to write kernel-mode code."
- adds `--windivert [filter string]` and `--windivert-forward [filter
    string]` command-line options to enable WinDivert IPS mode.
    `--windivert[-forward] true` will open a filter for all traffic. See
    https://www.reqrypt.org/windivert-doc.html#filter_language  for more
    information.
Limitation: currently limited to `autofp` runmode.
Additionally:
- `tmm_modules` now zeroed during `RegisterAllModules`
- fixed Windows Vista+ `inet_ntop` call in `PrintInet`
- fixed `GetRandom` bug (nonexistent keys) on fresh Windows installs
- fixed `RandomGetClock` building on Windows builds
- Added WMI queries for MTU 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								1e8959b465 
								
							
								 
							
						 
						
							
							
								
								doc: fix minor typo  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								693a3df031 
								
							
								 
							
						 
						
							
							
								
								tls: document encrypt-handling option  
							
							
							
							
							Document in sample yaml and user guide. 
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								c677e07d3e 
								
							
								 
							
						 
						
							
							
								
								kerberos: minor doc updates, add author  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								fb85822730 
								
							
								 
							
						 
						
							
							
								
								dhcp: update user guide  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								c51ff32adb 
								
							
								 
							
						 
						
							
							
								
								Document Kerberos 5 parsing events  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								1076c7cd47 
								
							
								 
							
						 
						
							
							
								
								Add krb5_err_code detection keyword  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								d6b9c0294a 
								
							
								 
							
						 
						
							
							
								
								Add krb5_cname and krb5_sname detection keywords  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								0bd81ff838 
								
							
								 
							
						 
						
							
							
								
								Add krb5_msg_type detection keyword  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								1e5f5d405f 
								
							
								 
							
						 
						
							
							
								
								Kerberos 5: add support for TCP as well  
							
							
							
						 
						
							7 years ago  
				
					
						
							
							
								 
						
							
							
								4f48927c44 
								
							
								 
							
						 
						
							
							
								
								doc: spelling mistakes in various sections of the user guide  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								ce270a8f6a 
								
							
								 
							
						 
						
							
							
								
								Add info about pcap log compression to user guide  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								e249ce29bb 
								
							
								 
							
						 
						
							
							
								
								doc: add lua directory to Makefile  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								4a90dced8e 
								
							
								 
							
						 
						
							
							
								
								doc/lua: small update to the usage intro  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								2546e86a16 
								
							
								 
							
						 
						
							
							
								
								doc: document lua function about flow var  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								0c4bf2d332 
								
							
								 
							
						 
						
							
							
								
								doc: add a lua support top level section  
							
							
							
							
							Both output and signatures use Lua, so Lua functions should
be displayed in a single section. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								293b00798e 
								
							
								 
							
						 
						
							
							
								
								doc: document lua TLS functions  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								e3c5784dd5 
								
							
								 
							
						 
						
							
							
								
								doc: minor updates (tls custom, TODO removal, ftp/smb file rules)  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								83bf60d897 
								
							
								 
							
						 
						
							
							
								
								doc: add ntlmssp, kerberos and other setup fields  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								dc07c1fe13 
								
							
								 
							
						 
						
							
							
								
								lua output doc: Use more descriptive variable names in the examples  
							
							
							
							
							This also removes the "args" parameter of the hooking functions in the examples,
since this parameter is unused in all functions.
It would not be very helpful anyway, since 3 of the 4 functions are not passed
any parameters. The only exception is init(), which receives a table containing:
  script_api_ver = 1 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								3307f7a94e 
								
							
								 
							
						 
						
							
							
								
								lua output doc: Add explaining introduction text  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								e09027915a 
								
							
								 
							
						 
						
							
							
								
								doc: fix json formatting in smb doc  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								67e81a9555 
								
							
								 
							
						 
						
							
							
								
								doc: initial smb eve documentation  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								78437375c4 
								
							
								 
							
						 
						
							
							
								
								doc: add by_either to suppress explanation  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								2c259f2239 
								
							
								 
							
						 
						
							
							
								
								doc: add smb section to yaml  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								13bdcd5249 
								
							
								 
							
						 
						
							
							
								
								doc: minor fix  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								1edd9d19fc 
								
							
								 
							
						 
						
							
							
								
								doc: add SMB to file extraction. Minor improvements.  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								b4771150b8 
								
							
								 
							
						 
						
							
							
								
								doc: update suricata-update screenshot  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								b531e7725d 
								
							
								 
							
						 
						
							
							
								
								doc: improve suricata-update docs now that its bundled  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								ac1ed24cb4 
								
							
								 
							
						 
						
							
							
								
								doc: improve making sense of alerts  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								ccde621ceb 
								
							
								 
							
						 
						
							
							
								
								doc: add suricata-update to intro for rules  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								6eb48e1e93 
								
							
								 
							
						 
						
							
							
								
								Add ikev2 to userguide  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								26e807ca34 
								
							
								 
							
						 
						
							
							
								
								doc: fix http_header_names example  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								0a72d5be96 
								
							
								 
							
						 
						
							
							
								
								doc: fix typo in unix socket doc  
							
							
							
							
							Also fixes a dead link to code. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								975f413308 
								
							
								 
							
						 
						
							
							
								
								doc: more info on unix socket rule reload  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								e2aab10d29 
								
							
								 
							
						 
						
							
							
								
								doc: fix typo in ebpf xdp doc  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								47a7ebbbc2 
								
							
								 
							
						 
						
							
							
								
								doc: add JA3 fields to the TLS logger documentation  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								fb0bfb614f 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for Ja3GetString Lua function  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								2514553098 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for Ja3GetHash Lua function  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								a357f52fa5 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for ja3_string keyword  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								38cc6f595f 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for ja3_hash keyword  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								fb66d45754 
								
							
								 
							
						 
						
							
							
								
								doc: introduce dns compact logging  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								c2236ea2b3 
								
							
								 
							
						 
						
							
							
								
								modbus: Support Unit Identifier  
							
							
							
							
							Needed when the destination IP address does not suffice to uniquely identify
the Modbus/TCP device:
some Modbus/TCP devices act as gateways to other Modbus/TCP devices
that are behind these gateways. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								50a182194a 
								
							
								 
							
						 
						
							
							
								
								eve: log pcap filename  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								2e5b293afb 
								
							
								 
							
						 
						
							
							
								
								doc: update eve json output for DNS and HTTP  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								a01a229b37 
								
							
								 
							
						 
						
							
							
								
								doc: use standard spelling of daemon  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								bdb886bd68 
								
							
								 
							
						 
						
							
							
								
								docs: remove many outdated and old install docs  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								2e8678a5ff 
								
							
								 
							
						 
						
							
							
								
								docs: replace redmine links and enforce https on oisf urls  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								6c643d8975 
								
							
								 
							
						 
						
							
							
								
								modbus: duplicate alerts unaware of direction  
							
							
							
							
							Remove DetectAppLayerInspectEngineRegister for the TOCLIENT direction
because the Modbus inspection engine only runs on requests (TOSERVER).
Detect the value keyword in read-access rules: in read access, matching on a value
is not possible.
Update the Modbus keyword documentation. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								7da805ffd9 
								
							
								 
							
						 
						
							
							
								
								doc: improve eBPF and XDP doc  
							
							
							
							
							Remove reference to `buggy` clang as a workaround has been found in
libbpf.
Proof read and add information on the structure of eBPF code. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								8030e3f66b 
								
							
								 
							
						 
						
							
							
								
								doc: update documentation  
							
							
							
							
							This patch adds info on the kernel requirement for XDP and reworks a few
things. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								0e1a4173ff 
								
							
								 
							
						 
						
							
							
								
								doc: how to get live info about ebpf behavior  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								8c7b5cb088 
								
							
								 
							
						 
						
							
							
								
								doc: add info about xdp IPS bypass  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								ce8b74b524 
								
							
								 
							
						 
						
							
							
								
								doc: document XDP CPU redirect  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								60265e023a 
								
							
								 
							
						 
						
							
							
								
								doc: update xdp documentation  
							
							
							
							
							Also remove configuration info from yaml as they are now in the
documentation. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								5ee44c877c 
								
							
								 
							
						 
						
							
							
								
								doc: add XDP setup documentation  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								d2121945c9 
								
							
								 
							
						 
						
							
							
								
								doc: update file_data description  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								74e036d09f 
								
							
								 
							
						 
						
							
							
								
								doc: update eve/alert/metadata configuration  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								fe9cac5870 
								
							
								 
							
						 
						
							
							
								
								eve/alert: include rule text in alert output  
							
							
							
							
							For SIEM analysis it is often useful to refer to the actual rules to
find out why a specific alert has been triggered when the signature
message does not convey enough information.
Turn on the new rule flag to include the rule text in eve alert output.
The feature is turned off by default.
With a rule like this:
    alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;)
The eve alert output might look something like this (pretty-printed for
readability):
    {
      "timestamp": "2017-08-14T12:35:05.830812+0200",
      "flow_id": 1919856770919772,
      "in_iface": "eth0",
      "event_type": "alert",
      "src_ip": "10.20.30.40",
      "src_port": 50968,
      "dest_ip": "8.8.8.8",
      "dest_port": 53,
      "proto": "UDP",
      "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 42,
        "rev": 0,
        "signature": "Google DNS server contacted",
        "category": "",
        "severity": 3,
        "rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)"
      },
      "app_proto": "dns",
      "flow": {
        "pkts_toserver": 1,
        "pkts_toclient": 0,
        "bytes_toserver": 81,
        "bytes_toclient": 0,
        "start": "2017-08-14T12:35:05.830812+0200"
      }
    }
Feature #2020  
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								72c8cd67d5 
								
							
								 
							
						 
						
							
							
								
								doc: documentation update on metadata  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								ab939f4aaa 
								
							
								 
							
						 
						
							
							
								
								doc: breakout eve-log section to a partial file  
							
							
							
							
							Both the suricata.yaml and eve configuration sections
included the eve-log section from suricata.yaml. First,
sync these up with the actual suricata.yaml then break
it out into its own file, so only one file needs to
be kept in sync with the actual configuration file. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								0e02684634 
								
							
								 
							
						 
						
							
							
								
								doc: update eve-log section for metadata  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								80f2fbac6e 
								
							
								 
							
						 
						
							
							
								
								rust/tftp: eve logging with rust  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								0ff60f65ec 
								
							
								 
							
						 
						
							
							
								
								doc: update filestore for file hash extraction  
							
							
							
							
							Update for extraction based on md5, sha1 and sha256 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								07738af868 
								
							
								 
							
						 
						
							
							
								
								detect/content: introduce startswith modifier  
							
							
							
							
							Add startswith modifier to simplify matching patterns at the start
of a buffer.
Instead of:
    content:"abc"; depth:3;
This enables:
    content:"abc"; startswith;
Especially with longer patterns this makes the intention of the rule
more clear and eases writing the rules.
Internally it's simply a shorthand for 'depth:<pattern len>;'.
Ticket https://redmine.openinfosecfoundation.org/issues/742  
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								5420c0ab06 
								
							
								 
							
						 
						
							
							
								
								doc: document file-store v2  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								746638b220 
								
							
								 
							
						 
						
							
							
								
								cuda: remove  
							
							
							
							
							Remove CUDA support as it has been broken for a long time.
Ticket #2382 . 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								24f745553c 
								
							
								 
							
						 
						
							
							
								
								doc: update file extraction document  
							
							
							
							
							Define the list of protocol parsers supporting extraction in one
single place following Andreas Herz' suggestion. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								f5ba4c231d 
								
							
								 
							
						 
						
							
							
								
								doc: update following ftp-data changes  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								70695201f6 
								
							
								 
							
						 
						
							
							
								
								doc: add memcap commands in unix-socket section  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								3bf098e52f 
								
							
								 
							
						 
						
							
							
								
								doc: document log reopen unix socket command  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								be9ec3958e 
								
							
								 
							
						 
						
							
							
								
								doc: initial suricata-update page  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								6f0794c16f 
								
							
								 
							
						 
						
							
							
								
								keyword-filesize: add units  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								3ab9120821 
								
							
								 
							
						 
						
							
							
								
								source-pcap-file: Pcap Directory Mode (Feature  #2222 )  
							
							
							
							
							https://redmine.openinfosecfoundation.org/issues/2222 
Pcap file mode that, when passed a directory, will process all files in
that directory. If --pcap-file-continuous or the continuous option is passed
in json, the directory will be monitored until the directory is
moved/deleted, suricata is interrupted, or the pcap-interrupt command
is used with the unix command socket. The existing file implementation and the new
directory implementation have moved from source-pcap-file into
pcap-file-helper and pcap-directory-helper.
Engine state will not reset between files.
Also satisfies:
 * https://redmine.openinfosecfoundation.org/issues/2299 
 * https://redmine.openinfosecfoundation.org/issues/724 
 * https://redmine.openinfosecfoundation.org/issues/1476 
Co-Authors: Dana Helwig <dana.helwig@protectwise.com> and
Danny Browning <danny.browning@protectwise.com> 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								94e9d13791 
								
							
								 
							
						 
						
							
							
								
								doc: add ruleset commands available in unix socket  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								0c99338e07 
								
							
								 
							
						 
						
							
							
								
								doc: update docs for DNS flags logging  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								f6938933d9 
								
							
								 
							
						 
						
							
							
								
								doc: Amend the list of accepted protocols  
							
							
							
							
							Based on the list in suricata.yaml 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								d830177b7b 
								
							
								 
							
						 
						
							
							
								
								doc: Add my own name to the acknowledgements  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								98a1ec490f 
								
							
								 
							
						 
						
							
							
								
								doc: Move IP reputation keyword to rules section  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								722cff1862 
								
							
								 
							
						 
						
							
							
								
								doc: Restructure ToC  
							
							
							
							
							* All sections up to 2 levels deep are now shown regardless of whether they are a separate page
* Rename Xbits and Thresholding for more consistent naming
* Minor adjustment in the Payload Keywords section 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								196ba1da70 
								
							
								 
							
						 
						
							
							
								
								doc: Make the header keywords section separate sections in ToC  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								a55a6cdb62 
								
							
								 
							
						 
						
							
							
								
								doc: Move flowint as integral part of flow keywords  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								f6c766112c 
								
							
								 
							
						 
						
							
							
								
								doc: Minor changes in structuring of HTTP Keywords / Snort differences  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								e9b25988ba 
								
							
								 
							
						 
						
							
							
								
								doc: Move pcre entirely to Payload Keywords section  
							
							
							
							
							(plus remove lingering screenshot of a rule) 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								bb1bf2643d 
								
							
								 
							
						 
						
							
							
								
								doc: Move fast_pattern and prefilter to dedicated page  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								fea037fda8 
								
							
								 
							
						 
						
							
							
								
								doc: Moved explanation of normalized buffers to rules introduction  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								11990c7117 
								
							
								 
							
						 
						
							
							
								
								doc: Move the definition of modifier keywords to the introduction  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								dfae19247d 
								
							
								 
							
						 
						
							
							
								
								doc: Completely rewrite the rules introduction for more clearity  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								274c36eb2f 
								
							
								 
							
						 
						
							
							
								
								doc: Meta-settings -> Meta Keywords plus some textual changes  
							
							
							
							
							Most importantly, conventions are now placed in tip boxes 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								3413793768 
								
							
								 
							
						 
						
							
							
								
								doc: Use lowercased keyword names as section titles  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								a52aacb4ea 
								
							
								 
							
						 
						
							
							
								
								doc: Replace images of tables and rules with text in rules docs  
							
							
							
							
							In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis.
Additionally, some tables embedded into images were also replaced by reST tables. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								44926e2369 
								
							
								 
							
						 
						
							
							
								
								doc: Add suricata.css to allow for some custom styling  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								1090ee9d8d 
								
							
								 
							
						 
						
							
							
								
								rate_filter by_both through IPPair storage  
							
							
							
							
							Ticket https://redmine.openinfosecfoundation.org/issues/2127  
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								637a7c8e55 
								
							
								 
							
						 
						
							
							
								
								Adds options to mark when a file is final.  
							
							
							
							
							This takes the form of an option to add the pid of the process to file
names. Additionally, it adds a suffix to the file name to indicate it is
not finalized.
Adding the pid to the file name reduces the likelihood that a file is
overwritten when suricata is unexpectedly killed. The number in the
waldo file is only written out during a clean shutdown. In the event
of an improper shutdown, extracted files will be written using the old
number and existing files with the same name will be overwritten.
Writes extracted files and their metadata to a temporary file suffixed
with '.tmp'. Renames the files when they are completely done being
written. As-is, there is no way to tell that a file on disk is still
being written to by suricata. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								9556d4fef3 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for tls_cert_fingerprint keyword  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								1180687574 
								
							
								 
							
						 
						
							
							
								
								doc/file_data: add note on negated matching  
							
							
							
							
							Explain issue #2216  and how to avoid it. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								456af8faa8 
								
							
								 
							
						 
						
							
							
								
								doc/napatech: formatting fixes  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								c048ee6505 
								
							
								 
							
						 
						
							
							
								
								doc: reflect most recent cpu affinity settings  
							
							
							
							
							Some settings, like output-cpu-set, have never been used, and detect got renamed
to worker. This reflects those changes, already present in the yaml, also
within the documentation. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								f27b4fc8fe 
								
							
								 
							
						 
						
							
							
								
								redis: support for rpush in list mode  
							
							
							
							
							This adds a new redis mode, rpush. It also adds more consistent config keywords oriented on the redis commands: lpush and publish.
The list and channel config keywords are kept for backwards compatibility. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								5f613e6e7d 
								
							
								 
							
						 
						
							
							
								
								napatech: Added section describing packet counters.  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								f6838f9085 
								
							
								 
							
						 
						
							
							
								
								napatech: Added description of hba usage.  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								fc229430f8 
								
							
								 
							
						 
						
							
							
								
								doc: add rust and update version in install  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								d32ba60b51 
								
							
								 
							
						 
						
							
							
								
								Update public-data-sets.rst with stratosphere project  
							
							
							
							
							Add the datasets of the Stratosphere project to the list. 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								f715b0ae6b 
								
							
								 
							
						 
						
							
							
								
								doc: add pid-file section to suricata.yaml doc  
							
							
							
							
							Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2104  
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								59d69666ea 
								
							
								 
							
						 
						
							
							
								
								doc: add more details to log rotation doc  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								92f15b7ffb 
								
							
								 
							
						 
						
							
							
								
								doc: move log rotation to output section  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								62b6f9fe25 
								
							
								 
							
						 
						
							
							
								
								decode: add config option to disable teredo  
							
							
							
							
							Ticket #744 . 
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								320b032a88 
								
							
								 
							
						 
						
							
							
								
								doc: small typo under '4.3.1.5' section  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								b763c7ec11 
								
							
								 
							
						 
						
							
							
								
								doc: document http-body logging  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								9e581436a7 
								
							
								 
							
						 
						
							
							
								
								doc: info about new config for alert events in EVE  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								ef88689f1e 
								
							
								 
							
						 
						
							
							
								
								doc: add app_proto to alert event  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								5162b58260 
								
							
								 
							
						 
						
							
							
								
								Fixed small typo: double sudo  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								f4374ffd0b 
								
							
								 
							
						 
						
							
							
								
								doc: some more info about alert format  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								f5ad6a2095 
								
							
								 
							
						 
						
							
							
								
								doc: document target keyword  
							
							
							
						 
						
							8 years ago  
				
					
						
							
							
								 
						
							
							
								a3f07ec02e 
								
							
								 
							
						 
						
							
							
								
								doc: document drop-invalid option.  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								e933eb849a 
								
							
								 
							
						 
						
							
							
								
								doc: document filestore update  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								bf1a8d08da 
								
							
								 
							
						 
						
							
							
								
								doc: rephrase nocase placement explanation  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								71c6df1655 
								
							
								 
							
						 
						
							
							
								
								lua: add SCFlowId for getting the flow id  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								4697330b73 
								
							
								 
							
						 
						
							
							
								
								doc: flowints formatting cleanup  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								0af562d4c8 
								
							
								 
							
						 
						
							
							
								
								doc: move parts out of snort difference doc  
							
							
							
							
							Move generic keyword descriptions to the keyword documentation. 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								a8d0ae460c 
								
							
								 
							
						 
						
							
							
								
								doc: removing (replaced) snort-compatibility.rst  
							
							
							
							
							snort-compatibility.rst replaced by differences-from-snort.rst 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								8a53d49e81 
								
							
								 
							
						 
						
							
							
								
								doc: replacing snort-compatibility link  
							
							
							
							
							The snort-compatibility.rst document is being replaced by
differences-from-snort.rst. This commit updates the link. 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								6bc7c64794 
								
							
								 
							
						 
						
							
							
								
								doc: overhaul of the snort-compatibility document  
							
							
							
							
							This is intended to replace the existing 'snort-compatibility.rst'
document.
Based on "The Suricata Rule Writing Guide for The Snort Expert"
2016 SuriCon talk. 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								f6e3755b5c 
								
							
								 
							
						 
						
							
							
								
								lua: extend SCFlowAppLayerProto  
							
							
							
							
							Change SCFlowAppLayerProto to return 5 values:
<alproto> <alproto_ts> <alproto_tc> <alproto_orig> <alproto_expect>:
alproto: detected protocol
alproto_ts: detected protocol in toserver direction
alproto_tc: detected protocol in toclient direction
alproto_orig: pre-change/upgrade protocol
alproto_expected: expected protocol in change/upgrade
Orig and expect are used when changing and upgrading protocols. In an
SMTP STARTTLS case, orig would normally be set to "smtp" and expect
to "tls". 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								79389558ac 
								
							
								 
							
						 
						
							
							
								
								doc: update for stream changes  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								245a89b7e7 
								
							
								 
							
						 
						
							
							
								
								doc: http keywords update  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								7539973109 
								
							
								 
							
						 
						
							
							
								
								tls: logging for session resumption  
							
							
							
							
							We assume session resumption has occurred if the Client Hello message
included a session id, we have not seen the server certificate, but
we have seen a Change Cipher Spec message from the server.
Previously, these transactions were not logged at all because the
server cert was never seen.
Ticket: https://redmine.openinfosecfoundation.org/issues/1969  
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								36667ab8a1 
								
							
								 
							
						 
						
							
							
								
								doc: async mode for redis eve output  
							
							
							
							
							async: true ## if redis replies are read asynchronously 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								1223de4208 
								
							
								 
							
						 
						
							
							
								
								doc: Napatech docs improvement  
							
							
							
							
							Fix errors and simplify filters. 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								aca27ff383 
								
							
								 
							
						 
						
							
							
								
								doc: expand on bpf  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								8b9f84bff2 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for date modifiers in eve-log  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								37a12fe799 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for eve-log file rotation  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								20d4d40051 
								
							
								 
							
						 
						
							
							
								
								log: tls custom format log  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								7b1dae6251 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for Lua SCFlowTimestamps  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								3b23387664 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for eve-log file permissions  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								ce8a65a58e 
								
							
								 
							
						 
						
							
							
								
								docs: fix statement about flow:to_server  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								1589a15495 
								
							
								 
							
						 
						
							
							
								
								docs: clarify how iprep works  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								285b566205 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for TlsGetCertSerial Lua function  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								ee9f822b8e 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for tls_cert_serial keyword  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								1bf7ded224 
								
							
								 
							
						 
						
							
							
								
								doc: specify buffers that can be used for fast_pattern  
							
							
							
							
							Updated notes on the following buffers indicating that they can
be used for fast_pattern:
tls_cert_subject
tls_cert_issuer
tls_sni 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								b1ad770b36 
								
							
								 
							
						 
						
							
							
								
								doc: removed references to older Suricata versions  
							
							
							
							
							docs are versioned; references to older Suricata versions are undesired. 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								e91bb09c91 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for TLS eve-log  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								89ba5816dc 
								
							
								 
							
						 
						
							
							
								
								doc: update unified2 section  
							
							
							
							
							Remove documentation on older unified formats that have
been removed. 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								6a382259f8 
								
							
								 
							
						 
						
							
							
								
								doc: documentation for custom JSON flags in eve-log  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								c477c4370e 
								
							
								 
							
						 
						
							
							
								
								doc: update for unix socket hostbits  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								71607c905a 
								
							
								 
							
						 
						
							
							
								
								doc: update unix socket  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								c357dafed9 
								
							
								 
							
						 
						
							
							
								
								doc: document the tls_sni keyword  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								edbb035160 
								
							
								 
							
						 
						
							
							
								
								doc: add documentation for Lua SCFlowHasAlerts  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								a2d31b5e04 
								
							
								 
							
						 
						
							
							
								
								doc: napatech formatting fixes  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								b7b9b5b682 
								
							
								 
							
						 
						
							
							
								
								doc: add napatech to userguide  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								28c1516be7 
								
							
								 
							
						 
						
							
							
								
								doc: initial Napatech documentation  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								bc38cd5932 
								
							
								 
							
						 
						
							
							
								
								doc: initial xbits documentation  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								41074a87a0 
								
							
								 
							
						 
						
							
							
								
								doc: DNP3 support is now available  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								0c6c9784a2 
								
							
								 
							
						 
						
							
							
								
								doc: document that that ;, \, " need to be escaped in rules  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								3012edae1c 
								
							
								 
							
						 
						
							
							
								
								luajit: update default yaml and doc for 'states'  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								0792f80909 
								
							
								 
							
						 
						
							
							
								
								doc: only build pdf on dist if pdflatex is installed  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								ee16b86900 
								
							
								 
							
						 
						
							
							
								
								doc: fix build pdf on non gnu make platforms  
							
							
							
							
							The Makefile generated by sphinx-build is GNU Make specific
causing the PDF phase to fail. Instead call pdflatex directly
based on how the generated Makefile was doing it. 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								1aa70fb39e 
								
							
								 
							
						 
						
							
							
								
								doc: add rate_filter  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								1a724ba851 
								
							
								 
							
						 
						
							
							
								
								doc: flow: update and add new keywords  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								56ffba9fd8 
								
							
								 
							
						 
						
							
							
								
								doc: initial app-layer keywords  
							
							
							
							
							Document app-layer-protocol and make a start with app-layer-event. 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								c6134e007e 
								
							
								 
							
						 
						
							
							
								
								doc: app-layer tls including no-reassemble  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								3750c15632 
								
							
								 
							
						 
						
							
							
								
								doc: add SCPacketTimestamp Lua function  
							
							
							
							
							Signed-off-by: Nicolas Thill <ntl@p1sec.com> 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								4126fd82a0 
								
							
								 
							
						 
						
							
							
								
								doc: small eve update: add dns  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								e3b2d95100 
								
							
								 
							
						 
						
							
							
								
								doc: add recent tls keywords  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								08b875c03b 
								
							
								 
							
						 
						
							
							
								
								doc: clean up fast_pattern  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								f1046db113 
								
							
								 
							
						 
						
							
							
								
								doc: fix header keywords layout  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								d80914d350 
								
							
								 
							
						 
						
							
							
								
								doc: move rule reload and adding rules into rule-management  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								e24c3937b3 
								
							
								 
							
						 
						
							
							
								
								doc: add rule-management chapter  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								80bd59ae86 
								
							
								 
							
						 
						
							
							
								
								doc: improve install doc, configure  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								48274218df 
								
							
								 
							
						 
						
							
							
								
								doc: multi-tenancy is not work in progress  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								f64decf5e2 
								
							
								 
							
						 
						
							
							
								
								doc: clean up log rotation  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								729fd2e406 
								
							
								 
							
						 
						
							
							
								
								doc: update libcap-ng doc  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								e5ee665f24 
								
							
								 
							
						 
						
							
							
								
								doc: rewrite rule reload doc  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								6a831f8125 
								
							
								 
							
						 
						
							
							
								
								doc: add simple install guide  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								2c60e9b4de 
								
							
								 
							
						 
						
							
							
								
								doc: remove userguide.pdf on clean instead of suricata.pdf  
							
							
							
							
							As the pdf is a built artifact, it needs to be removed to
satisfy distcheck. 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								afead7e565 
								
							
								 
							
						 
						
							
							
								
								doc: add missing docs to EXTRA_DIST  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								dbde356053 
								
							
								 
							
						 
						
							
							
								
								doc: exclude docs in partials/ from reference errors  
							
							
							
							
							These docs are already included with the include statement,
but older versions of Sphinx still complain that they
are not in a table of contents. 
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								aaf0fe4d29 
								
							
								 
							
						 
						
							
							
								
								doc: eve update  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								a35bea28f3 
								
							
								 
							
						 
						
							
							
								
								doc: rules-meta typo  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								76b55214f0 
								
							
								 
							
						 
						
							
							
								
								doc: rules-meta small cleanup  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								3cf1b12061 
								
							
								 
							
						 
						
							
							
								
								doc: http sticky vs modifier  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								0d15593258 
								
							
								 
							
						 
						
							
							
								
								doc: move urilen to other uri keywords  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								34bfacdee0 
								
							
								 
							
						 
						
							
							
								
								doc: add minimal http request/response line sections  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								adb6c75e2e 
								
							
								 
							
						 
						
							
							
								
								doc: only make sphinx warnings fatal on html/pdf  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								82a6bfd599 
								
							
								 
							
						 
						
							
							
								
								doc: manpage: add bugs and notes section  
							
							
							
						 
						
							9 years ago  
				
					
						
							
							
								 
						
							
							
								a4450b768e 
								
							
								 
							
						 
						
							
							
								
								doc: manpage: add signals section  
							
							
							
						 
						
							9 years ago