aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
16,774 Commits
7 Branches
155 Tags
192 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '359f736542'
${ noResults }
Commit Graph

1081 Commits (359f736542da8d140cfab1631905a83d6416143e)

Author SHA1 Message Date
jason taylor f97ba44339 userguide: update ipopts keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
jason taylor 9b4e6e5802 userguide: update ttl keyword information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
Philippe Antoine ce710181f6 doc: update doc for HTTP file.data to server 
Ticket: #4144

Completes e587f6792a
 2 years ago
Jeff Lucovsky 5a6e68285b doc/netmap: Describe Netmap IPS usage 
Issue: 5512

This commit summarizes Netmap usage with Suricata's IPS mode.
 2 years ago
Jason Ish 9d653512f9 doc/userguide: update bittorrent-dht eve examples 
Update the bittorrent-dht examples using real log records with peers
and nodes broken down into objects.
 2 years ago
Jason Ish 065f3ab9f1 doc: rename bittorrent-dht to bittorrent_dht in eve output 2 years ago
Jason Ish 0ea9ba66d1 userguide/eve-log: remove mentions of requiring Rust 
Rust is required to build now.
 2 years ago
Aaron Bungay d166c48d28 docs: update for bittorrent-dht app-layer 2 years ago
Philippe Antoine a003640ecf security: prevents process creation 
with setrlimit NPROC.

So that, if Suricata wants to execve or such to create a new process
the OS will forbid it so that RCE exploits are more painful to write.

Ticket: #5373
 2 years ago
Richard McConnell 7f4c1d5e2f doc/systemd: add documentation for sd_notify 2 years ago
Eric Leblond 9fb0137d9d doc: add reference to ipaddr in IP matching 2 years ago
Eric Leblond 3bd48d9336 detect: doc link for ip.src and ip.dst 2 years ago
Eric Leblond da8b16eaeb doc: add ip.dst and ip.src doc 2 years ago
Eric Leblond 3599cbf1c4 doc: document new dataset types 
Feature: #5383
 2 years ago
Eric Leblond a1a22cccd2 doc: document dataset-lookup 
Ticket: #5184
 2 years ago
Eric Leblond 20973e9e6b doc: add dataset-clear command 
Ticket: #5184
 2 years ago
Eric Leblond c5559cb68f doc: document dataset-dump command 
Ticket: #5184
 2 years ago
Victor Julien 2f6c014f70 doc/devguide: update packet (de)alloc in unittests 2 years ago
Lukas Sismis 37cf365e19 docs: remove outdated constraint of negation support for ssl_state 
Commit 487cdda93d adds negation support for the SSL state.
 2 years ago
Juliana Fajardini e4b46e0763 doc/acknowledgements: add a few more names 
Added some names of known contributors to the documentation
 2 years ago
Juliana Fajardini 3c25185e0b devguide: add section about stale tickets policy 
Just to set the right expectations, and to have it registered for us,
too.
 2 years ago
Shivani Bhardwaj 2a0cb1f3da doc: update base64_decode notes 2 years ago
Lukas Sismis e101384e7b transversal: remove suricata-ids.org references 2 years ago
Lukas Sismis a4a69c3e71 doc/dpdk: add IPS setup docs for DPDK mode 
Ticket: #5511
 2 years ago
Eric Leblond f46f895e8d rust/smb: import NT status code for Microsoft doc 
This patch updates the NT status code definition to use the status
definition used on Microsoft documentation website. A first python
script is building JSON object with code definition.

```
import json
from bs4 import BeautifulSoup
import requests

ntstatus = requests.get('https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55')

ntstatus_parsed = BeautifulSoup(ntstatus.text, 'html.parser')

ntstatus_parsed = ntstatus_parsed.find('tbody')

ntstatus_dict = {}

for item in ntstatus_parsed.find_all('tr'):
    cell = item.find_all('td')
    if len(cell) == 0:
        continue
    code = cell[0].find_all('p')
    description_ps = cell[1].find_all('p')
    description_list = []
    if len(description_ps):
        for desc in description_ps:
            if not desc.string is None:
                description_list.append(desc.string.replace('\n ', ''))
    else:
        description_list = ['Description not available']
    if not code[0].string.lower() in ntstatus_dict:
        ntstatus_dict[code[0].string.lower()] = {"text": code[1].string, "desc": ' '.join(description_list)}

print(json.dumps(ntstatus_dict))
```

The second one is generating the code that is ready to be inserted into the
source file:

```
import json

ntstatus_file = open('ntstatus.json', 'r')

ntstatus = json.loads(ntstatus_file.read())

declaration_format = 'pub const SMB_NT%s:%su32 = %s;\n'
resolution_format = '        SMB_NT%s%s=> "%s",\n'

declaration = ""
resolution = ""

text_max = len(max([ntstatus[x]['text'] for x in ntstatus.keys()], key=len))

for code in ntstatus.keys():
    text = ntstatus[code]['text']
    text_spaces = ' ' * (4 + text_max - len(text))
    declaration += declaration_format % (text, text_spaces, code)
    resolution += resolution_format % (text, text_spaces, text)

print(declaration)
print('\n')
print('''
pub fn smb_ntstatus_string(c: u32) -> String {
    match c {
''')
print(resolution)
print('''
        _ => { return (c).to_string(); },
    }.to_string()
}
''')
```

Bug #5412.
 2 years ago
jason taylor db5cf1f8f9 userguide: Add rule file globbing option details 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 2 years ago
Juliana Fajardini 7b0008d4f0 userguide: add section about exception policies 
This describes briefly what the exception policies are, what is the
engine's behavior, what options are available and to which parts are
they implemented.

Task #5475
Task #5515
 2 years ago
Juliana Fajardini 6f294f2f2d userguide: minor rewording and typo fixes 
Some of these were recently introduced, some were highlited after the
applayer sections got merged. Some paragraphs seem to have been changed
due to trying to respect character limits for lines. Also includes a
typo pointed out by one of our community members via Discord.
 2 years ago
Jeff Lucovsky 33c424f9ed doc/byte_math: Add byte_math differences with snort 
Issue: 5077
 2 years ago
Jeff Lucovsky 192a31c74e doc: Fixup byte* entries to display tables properly 2 years ago
Philippe Antoine 390cf9248f detect: adds flow.age keyword 
Ticket: #5536
 2 years ago
Philippe Antoine af40873127 pgsql: config limit maximum number of live transactions 
As is done for other protocols

Ticket: #5527
 2 years ago
Eric Leblond 1b24f4d357 doc: document landlock feature 3 years ago
Philippe Antoine fe91506320 doc/http2: suricata.yaml max-streams parameter 
Ticket: #4949
 3 years ago
Juliana Fajardini bbd968c738 exceptions: add reject support to exception policy 
This enables the usage of 'reject' as an exception policy. As for both
IPS and IDS modes the intended result of sending a reject packet is to
reject the related flow, this will effectively mean setting the reject
action to the packet that triggered the exception condition, and then
dropping the associated flow.

Task #5503
 3 years ago
Philippe Antoine 5ef259722b dhcp: adds renewal-time keyword 
Ticket: #5507
 3 years ago
Philippe Antoine 6faf6299e0 dhcp: adds rebinding-time keyword 
Ticket: #5506
 3 years ago
Juliana Fajardini ef54f36e34 userguide: briefly introduce exception policy opts 
Added them in the configuration section so folks can be more aware of
them, while a more complete documentation isn't around.

Related to
Task #5475
 3 years ago
Juliana Fajardini 3c74e443bd userguide: update defrag settings options 
We were still mentioning that there were only three options.
 3 years ago
Juliana Fajardini 0cc040cf61 userguide: merge sections about AppLayer Parsers 
We had two sections under the suricata.yaml configuration section
describing settings for application layer parsers. This merges them into
one and also fixes a few subsection title levels.

Task #5364
 3 years ago
Shivani Bhardwaj a77977ec62 doc: add description for tls.random 3 years ago
jason taylor c29942c029 userguide: update dsize documentation/examples 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
Philippe Antoine 461725a9bf dhcp: adds leasetime keyword 
As it is logged

Ticket: #5435
 3 years ago
Shivani Bhardwaj 2c4d6b33ae doc/conf: fix sphinx language setting 
sphinx-build 5.1.1 and above throws a warning which is treated as an
error while building.

Invalid configuration value found: 'language = None'. Update your configuration to a valid language code. Falling back to 'en' (English).
 3 years ago
Benjamin Wilkins 3b1b9a32fb doc: Document SCByteVarGet lua function 
Add documentation for accessing results from byte_extract and byte_math
in lua match functions

Issue: 2871
 3 years ago
Philippe Antoine 5c7b5c5fb5 krb: detection for ticket encryption 
As is done for logging.

Ticket: #5442
 3 years ago
Jufajardini Reichow 61f9f0df55 userguide/rules/meta: minor formatting adjustments 3 years ago
Jufajardini Reichow 45f14bb97c userguide/rules: explain sid uniqueness within gid 
While Suri will throw an error if two signatures have the same `sid`
and no `gid`, or same `sid` and same `gid`, it will just accept same
`sid` for different `gid`s.

Related to

Task #5441
 3 years ago
jason taylor 87990b138c doc: update priority wording userguide meta 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor a7d739a05b doc: update to 80 char formatting userguide meta 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 9bd55ff81b doc: metadata information update userguide meta 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 563dc66837 doc: update priority information userguide meta 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor f73a60eb89 doc: update reference section in userguide meta 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor e611ef5ccb doc: update userguide meta classtype information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 39bc56ec97 doc: update rev and gid userguide meta wording 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor b9cb66c58f doc: add clarity around userguide meta information 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 790ef9a53f doc: add sid reserved range reference 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 38a179d89d doc: add clarity to rule msg tips 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 299a931e49 doc: update example rule list 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 98c29da6ec doc: add clarity to role wording 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor c0bdb6cc10 doc: meta keyword doc example rule update 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor ca9e9009ba doc: add bsize keyword examples 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
Jufajardini Reichow f9c9091bb5 userguide: fix typo in inline mode illustration 
The image describing Suricata's sliding window had two of the "packets"
with the same text. Now they actually give the sense of a sliding
window.

This was found by Zhiyuan-liao.
 3 years ago
jason taylor 34e0a384ad doc: update to include additional rule references 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 4405704372 doc: update intro direction content 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 3eeacf8a3d doc: fixed HOME_NET/EXTERNAL example formatting 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor f2c7998903 doc: add clarity around HOME_NET/EXTERNAL_NET 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 76cca8b08a doc: minor example rule description update 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 4f61a35fe7 doc: minor wording restructure 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 845ba154a6 doc: add tcp-pkt/tcp-stream to intro 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 56f49bfe8e doc: minor punctuation update 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor ab300ab0ae doc: intro example rule update to simpler example 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 2f240230f0 doc: minor intro wording update 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
Philippe Antoine c7214be99b snmp: adds usm keyword 
as is logged

Ticker: #5416
 3 years ago
Juliana Fajardini 45b7aad2b5 devguide: incorporate contribution process page 
That page existed only in our redmine. Updated and added a few things,
like a paragraph about our expectations for feature contributors.

Also updated links, contacts and some other processes that may have
changed since last edition.

Added some section labels in related documents, for ease of referencing.

Task #4929
 3 years ago
Andreas Dolp db73a12540 doc/tls: Add documentation for TLS logging 3 years ago
Andreas Dolp f42bb45ccd doc/tls: Remove redundant example 3 years ago
Andreas Dolp 324f5ec10c doc: Add missing ")" in example 3 years ago
Andreas Dolp e4163c4e02 doc: Fix typos 3 years ago
Andreas Dolp 49bd6cfa5d doc: Fix broken link 3 years ago
Eric Leblond 6f06f7c22c doc: add info about capture_file key 3 years ago
Eric Leblond 0c7e4c13a1 doc: add conditional pcap logging info 3 years ago
jason taylor d799956348 doc: add note about file.data and file_data 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 83f2056d20 doc: update file_data to file.data keyword 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor cd54d0dbc8 doc: remove extra newline in order to match style 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
jason taylor 38bd775ca0 doc: remove extraneous + characters 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 3 years ago
Jason Ish 6ceeb08351 doc/userguide: updates for eve dns v1 removal 
Ticket: #4157
 3 years ago
Juliana Fajardini 1956dc3d5d userguide: explain alert queue behavior and stats 
Added sections along packet-alert-max config section explaining
packet alert queue overflow (when Suri reaches packet alert max), when
alerts are discarded etc.

Since from the user perspective it shouldn't matter how we process the
alert queue, the term "replace" is used, even though there's not exactly
a replacing action happening, with the queue bein pre-processed before
being appended to the Packet.

Also described the associated stats and added an explanation on when to
change packet-alert-max.

Task #5178
 3 years ago
Juliana Fajardini 49542d0f1b doc/userguide: explain packet-alert-max config 
Task #4207
 3 years ago
Jason Ish 7d6bc60abb doc/userguide: document ftp max-line-length 3 years ago
Victor Julien 976748b777 doc/smb: add resource limits section 3 years ago
William Harding f0528afc2d doc/userguide: sphinx syntax correction 3 years ago
Juliana Fajardini 55843aee8e devguide: update readme 
Use it to explain how to go about the sequence diagram images
(generation, updating, what is mscgen etc).

Also remove portion that referred to Sphinx builds, as these don't make
sense now.
 3 years ago
Juliana Fajardini e0c8dba7ac userguide: dynamically determine copyright date 
This uses the date of doc generation to determine the copyright date
for the trailing date. Based on Jeff Lucovsky solution.
 3 years ago
Juliana Fajardini 67af1504b3 devguide: drop use of mscgen script in builds/make 
Currently, it seems easier to upload the diagram images to git than to
try to make the image generation script work with out of the tree builds
and other corner cases.

This means, however, that one must activelly remember to update msc
diagram files, run the script and re-add new png files, if those ever
need to be updated. To raise awareness to that, a watermark was added
to the diagram images.

Also removed configuration steps that added mscgen as dependency
(locally and for workflow builds and readthedocs).
 3 years ago
Juliana Fajardini 5d63613c4b devguide: add watermark to sequence diagrams 
Make it more evident that the sequence diagrams in the transactions
page are generated with Mscgen
 3 years ago
Juliana Fajardini 6f77c722a2 devguide: move into userguide as last chapter 
Moved devguide dir into userguide dir.
Since the devguide is now incorporated as the last chapter of the
userguide, removed build and configuration files from the devguide
dir, as these are no longer needed.

Task #4909
 3 years ago
Juliana Fajardini 69c6657127 devguide: clarify cargo test usage for modules 
The documentation was showing an invalid path for running single tests.
 3 years ago
Philippe Antoine cfcade58ad http: move xff logging to alert object 
Ticket: 4860

instead of root field
 3 years ago
Andreas Dolp d4144c04cd Doc: Fix typo in documentation of suricata.yaml. 3 years ago
Shivani Bhardwaj 015c9fe1e3 doc: add usage of flowbits OR op 
Ticket 5130
 3 years ago
Juliana Fajardini 6c616d84b1 devguide: clarify style guide for getframe funcs 
As the GetFrameIdByName can be probed, we must warn developers not to
leave any output in them, or misleading messages could be printed.

Task #5129
 3 years ago
Jeff Lucovsky 117e11b0ae doc: Describe per-thread stack size config setting 
Issue: 4550

This commit documents the new per-thread stack-size setting. Some
systems have a small default value that is not suitable for Suricata's
multi-threaded architecture and adjustment may be required.
 3 years ago
Victor Julien e04fcfcf2f doc/userguide: minor rewording and reformatting for runmodes 3 years ago
Juliana Fajardini 28b5f4a555 devguide: add page about app-layer frame support 
This explains the frame support from the perspective of a developer,
with introductory explanation on how to add frame support to an
applayer proto.

Doc #4697
 3 years ago
Philippe Antoine 8adf172ab8 nfs: limits the number of active transactions per flow 
Ticket: 4530
 3 years ago
Jason Ish b9a429e6ce devguide: move image generation into sphinx setup 
While ReadTheDocs can't execute arbitrary scripts, we can install
mscgen in the container that builds the docs (see .readthedocs.yaml).

Then instead of calling generate-images.sh from the Makefile, move this
into the setup function defined on conf.yaml, which will generate the
scripts as part of a normal Sphinx workflow.

This should give us an image generation solution that works on
ReadTheDocs, and locally within anyones build system provided they have
mscgen installed.
 3 years ago
Philippe Antoine 11d3af551b doc: suricata.yaml fields about maximum transactions 
For HTTP2, MQTT and FTP.
 3 years ago
Juliana Fajardini 579d7dcc01 pgsql: add initial support 
- add nom parsers for decoding most messages from StartupPhase and
SimpleQuery subprotocols
- add unittests
- tests/fuzz: add pgsql to confyaml

Feature: #4241
 3 years ago
Victor Julien cf4ddab6f4 doc/quic: update for new quic.version logic 3 years ago
Emmanuel Thompson 6641efb74f doc/quic: Add documentation for QUIC keywords 3 years ago
Emmanuel Thompson 9ad60e7661 doc/quic: Add quic to eve json format 3 years ago
Andreas Dolp f714484591 Doc: Fix typos in documentation of suricata.yaml. 3 years ago
Philippe Antoine 0cfdec1266 detect: xor transform 
Ticket: 3285

The xor transform applies xor decoding to a buffer, with a key
specified as an option in hexadecimal. Arbitrary key sizes are
accepted.
 3 years ago
Jason Ish cda11b8d97 doc/update: mention change of default rule path 3 years ago
Jason Ish 8071d8239e doc: update rule section to current default 
Update the rule section to better describe whats seen in a default
install of Suricata including a link to the rule management section.
 3 years ago
Jeff Lucovsky 93842aa14a doc/yaml: Signal-termination option description 3 years ago
Juliana Fajardini 6ae80b2819 doc: replace ohloh with openhub link 3 years ago
Juliana Fajardini de0ce26e3f userguide: update references to Suricata website 
Many places were still referencing the old Suricata page.
Used git grep with replace to update them. Checked that new links work.
Left old references when they were only documentation examples (for
output or unittests).

Task#4915
 3 years ago
Juliana Fajardini 7b20488d4e userguide: fix low-hanging typos Config page 3 years ago
Odin Jenseg 2a5d79e426 doc/eve-json-format/dns: Describing Z-bit 3 years ago
Lukas Sismis dab3274263 dpdk: add documentation for the DPDK runmode 
Briefly present the DPDK runmode through configuration file.
 3 years ago
Lukas Sismis e4b5239202 doc: fix typo in "Stream engine" documentation 3 years ago
Philippe Antoine 27dd0c6b3d eve/ftp-data: log alert metadata in ftp-data object 
Ticket: 4860

instead of directly in root
 3 years ago
Juliana Fajardini 7c636d25c7 userguide: (nit) fix typo in lua-output page 3 years ago
Juliana Fajardini 4256c1ccd5 userguide: rename pg Lua Scripting->Lua Detection 
Since we can have scripts for output _or_ detection, it seems more
clear to rename this page to add more meaning
 3 years ago
Juliana Fajardini 59e5a21fca userguide: update buffers list for lua-scripting 3 years ago
Juliana Fajardini e7f1736f3a userguide/lua: add explanation about `need` diffs 
The differences on how the `need` key works, depending on script
usage (output or detection) confuses users, sometimes (cf doc#4725).
While we don't fix that, just explain this behavior.
 3 years ago
Andreas Dolp b25350ee13 doc: Fix typo in documentation of rule keyword flow 3 years ago
Juliana Fajardini c6e97222b7 devguide: add page about rust unittests 
Part of the task to offer better guidance on how and when to write
unit tests or suricata-verify tests
Also updated linking and index files, as well as testing page to refer
to the unit tests pages

Doc: #4590
 3 years ago
Juliana Fajardini 747d225c84 devguide: repurpose unittests page to unittests-c 
Part of ongoing task to add more guidance on how to create unittests
and suricata-verify tests for suri. There will also be a unittests-rust
page.

Doc: #4590
 3 years ago
Juliana Fajardini 5b4c575f3b devguide: add page about testing 
This page offers guidance about when to use unittests or s-v tests,
and how to create input for those. Also lists other common ways to test
Suri, such as fuzzing and the CI checks.

Doc: #4590
 3 years ago
Juliana Fajardini fc958e9e89 userguide: update wiresharkwiki in public datasets 3 years ago
Juliana Fajardini dbeb8bfa1f doc/devguide: add few more explanations & details 3 years ago
Juliana Fajardini 2cd25e8105 devguide/app-layer: rename /img dir to /diagrams 
Semantically speaking it makes more sense, because it stores `msc`
files for dynamic image generation.
Updated files that refered to `img` accordingly, too.
 3 years ago
Juliana Fajardini f65b3908ed devguide/transactions: add TSL_STATE enum snippet 3 years ago
Juliana Fajardini d6c5dfacc7 devguide/transactions: update & refine diagrams 
- DNS sequence diagram was incorrect (transactions should be
unidirectional). After changing it, it made sense to rename the file.
Adjusted spacing, too. Updated transactions.rst accordingly.
- TLS sequence diagram was refined to illustrate how Suricata actually
implements the protocol.
 3 years ago
Juliana Fajardini 84311ab151 devguide/transactions: fix wordings 3 years ago
Juliana Fajardini 2f3cee2429 devguide/code-style: fix typo in banned functions 3 years ago
Juliana Fajardini a5b344e015 doc/devguide: add Transactions documentation page 
A guide on what is a transaction for Suricata engine, focusing on
developers.
- What's the purpose of a transaction;
- transaction states and API callbacks;
- Examples and sequence diagrams.
- doc/devguide: add transactions.rst
- doc/devguide/extending/app-layer/index.rst: add transactions.rst
 3 years ago
Philippe Antoine bce3c46874 pcre2: remove PCRE1 as dependency 3 years ago
Philippe Antoine fae7389ae2 pcre2: document the behavioral changes 3 years ago
Juliana Fajardini 751906b71d doc/lua-functions: add sha items to SCFileInfo doc 4 years ago
Jason Ish 2cff811609 doc: remove prelude and document as removed 4 years ago
Jason Ish 3e9d1e813a doc/upgrade: move ike logging changes to 7.0 changes 
Was mistakenly put in 6.0 changes.
 4 years ago
Jason Ish f56634ac46 doc/upgrade: mention that nss is no longer required 4 years ago
Lukas Sismis 71196098a1 doc: Update public-data-sets.rst 
Replace dead link

Dataset on ll.mit.edu returns 404. Link updated with a search result of more datasets.
 4 years ago
Joshua Lumb cf9b2b5fd1 detect-dsize: Add ! operator for dsize matching 4 years ago
myr463 755124763d doc: escape dot in pcre 4 years ago
Shivani Bhardwaj 51be8f0238 doc/dcerpc: add proto keywords 4 years ago
showipintbri a39025bf24 doc: Grammar Correction 4 years ago
Juliana Fajardini 6b8b58f98a doc/eve: common fields and alert updates 
- update examples for both
- change app_proto from alert field to common field, as
  per JsonBuilder's changes.
 4 years ago
Juliana Fajardini eacf933edf doc/eve: fix typos 4 years ago
Philippe Antoine 95f225e8fb doc: update sphinx api to use add_css_file 
instead of deprecated add_stylesheet
 4 years ago
Jeff Lucovsky fcd1ae3bf1 doc: Protocol name/case change for upgrade doc 
This commit adds a one-liner to the upgrade document for 7.0 stating
that protocol names/values are now builtin to Suricata and that names
and their casing may change.
 4 years ago
Simon Dugas 0ed62e93ec doc/modbus: add eve logging documentation 4 years ago
frank honza f83d51d0cb ike: set event for multiple server proposals 4 years ago
Andreas Herz a5f36eccf1 doc: add documentation for rawbytes keyword 4 years ago
frank honza ab59ef0d79 ikev1: add documentation for ikev1 4 years ago
frank honza ecdf9f6b0b ikev1: rename ikev2 to common ike 
Renaming was done with shell commands, git mv for moving the files and content like
find -iname '*.c' | xargs sed -i 's/ikev1/ike/g' respecting the different mixes of upper/lower case.
 4 years ago
Shivani Bhardwaj d708744f2b doc: fix ubuntu pkg name for tcmalloc 4 years ago
Jason Ish 560974b2db doc/quickstart: use new test url that works 
Replace http://testmyids.org with http://testmynids.org/uid/index.html,
as testmyids.org now always redirects to https.
 4 years ago
Josh Stroschein 7ece0ac31f doc: update installation documentation for CentOS and Fedora 4 years ago
Philippe Antoine a04b5566a6 http: makes decompression time limit configurable 4 years ago
Jeff Lucovsky 25e9483168 doc/lua: Lua API name consistency 
This commit updates the documentation of the SCFlow* function names
available to Lua scripts.

Formerly, they used the prefix "Sc"; now they use "SC".
 4 years ago
Jason Ish 547afcb983 doc/userguide/transforms: remove not about libnss being required 4 years ago
Jason Ish 41591af48b doc/userguide/install: remove libnss 4 years ago
Jason Ish 4b9af8d2ce doc/userguide: document --disable-hashing 4 years ago
Jason Ish c0ddad8e7e doc/ja3: libnss support no longer required 4 years ago
Kirby Kuehl 5499a6f7cd doc: fix URL for unix-socket python example 4 years ago
Sascha Steinbiss f78f444a5e doc: build all manpages 4 years ago
Carl Smith 9b840104bd lua: Make the rule action available to output scripts 
Useful for those that want to do custom logging from lua
 4 years ago
Justin Ossevoort 320de5f43d eve: Log tenant_id for all eve-json messages 4 years ago
Victor Julien 372fc26739 ci: buildbot is decommissioned, so remove prscript refs 4 years ago
Sascha Steinbiss 15c42e0d83 doc: add documentation for SRV DNS JSON structure 4 years ago
Philippe Antoine 096dce4bba http2: allow filestore to work with HTTP2 4 years ago
Philippe Antoine 4e242645be doc: explicit header normalization further 
And their concatenation as described in RFC 2616
 4 years ago
Philippe Antoine 6b30890de9 doc: http.uri.raw has no spaces 
as they are in the protocol

cf bug #2881
 4 years ago
Victor Julien 7b4ac8dbab doc/userguide: update http keywords 4 years ago
Victor Julien ca47d75c80 doc/userguide: explain --strict-rule-keywords 4 years ago
Jeff Lucovsky a18a9d3046 doc: New sticky buffer icmpv4.hdr 4 years ago
Phil Young 76de981574 napatech: Added comment indicating that hba will be deprecated 
HBA will be deprecated in Suricata 7
 4 years ago
Jason Ish 3030a3da18 doc: provide eve 1 deprecation date 4 years ago
Victor Julien c95850c6ce doc/rules: document config rule option 4 years ago
Jeff Lucovsky 6f9b7e052a doc/eve: Update threaded filename examples 4 years ago
Jason Ish f70e1f571e doc/userguide: add info about --set and lists 4 years ago
Jason Ish 69fffb2dc4 doc/userguide: include man page even when not including pdf 
Fix a mistake in Makefile.am where the man page was only being
added to the distribution if the PDF was also created. It should
be included even if the PDF cannot be included.
 4 years ago
Shivani Bhardwaj 87617b200c doc/datasets: add info about memcap and hashsize 5 years ago
Jason Ish 7d44e80a50 doc: document removal of unified2 
And suggest an alternate tool, Meer if compatibility with
Barnyard2 style databases is required.

Redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3497
 5 years ago
Jason Ish e71f2b22fa doc: add removal of individual json loggers 
Add link to multiple eve instances as a replacement for this
feature.
 5 years ago
Philippe Antoine 9b5c923327 http: disables lzma by default for HTTP 5 years ago
Victor Julien e1ecb7dc41 doc/datasets: explain reloads, general improvements 5 years ago
Simon Dugas 48da18b081 doc: dns - document additional fields in eve event 
Documentation of additional fields for soa and sshfp. Also some minor
doc fixes and updates.
 5 years ago
Jeff Lucovsky 06f41f608c doc: Improve grammar, spelling and clarifications 
This commit improves the overall documentation's grammar, spelling, and
adds clarifications  where needed.
 5 years ago
jason taylor b21160a6e3 doc: http.host keyword note for matching on port 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 5 years ago
Roland Fischer de7c7eeff0 doc: Add dev code-style 5 years ago
Odin Jenseg 4549505418 doc/userguide: fix outdated xdp info 5 years ago
Philippe Antoine 999af4f62a http2: adds documentation 5 years ago
James Dutrisac 8d5e54c046 pcap: recusively reading pcaps / documentation 
Changes to doc/userguide/partials/options.rst for feature 2363
   (reading pcaps recursively)
 5 years ago
Sascha Steinbiss 4e1a41a17d output-json: add MAC address output 
This commit adds MAC address output to the EVE-JSON format. We follow the
remarks made in Redmine ticket #962: for packets, log MAC src/dst as a
scalar field in EVE; for flows, log MAC src/dst as lists in EVE. Field names
are different between flow and packet context to avoid type confusion
(src_mac vs. src_macs). Configuration approach and JSON representation is
taken from previous GitHub PR #2700.
 5 years ago
Sascha Steinbiss c31360070b rust/mqtt: add MQTT parser 5 years ago
Jeff Lucovsky a5d30a3220 doc/output: Document multithreaded eve option 5 years ago
Philippe Antoine 1569f3e349 transform: adds url_decode keyword 
Fixes https://redmine.openinfosecfoundation.org/issues/2689

Adds a new source file to handle this keyword.
And modifies documentation, Makefile, and registration accordingly.

url_decode decodes url-encoded data, ie replacing '+' with space
and '%HH' with its value.
 5 years ago
Victor Julien 00cc3c7374 eve/ssh: change hassh logging format 
Elastic search didn't accept the 'hassh' and 'hassh.string'. It would
see the first 'hassh' as a string and split the second key into a
object 'hassh' with a string member 'string'. So two different types
for 'hassh', so it rejected it.

This patch mimics the ja3(s) logging by creating a 'hassh' object
with 2 members: 'hash', which holds the md5 representation, and
'string' which holds the string representation.
 5 years ago
Tristan Fletcher 6cbb4d4909 doc: fix spelling in flowbits image 5 years ago
Victor Julien e04d48c8c8 doc/userguide: fix outdated mpm info 5 years ago
Victor Julien 04d88e7012 doc/suricata-update: fix typo and do minor cleanups 
Thanks to showipintbri PR 4465.
 5 years ago
Jeff Lucovsky 901fbae7b9 doc: Add byte_math documentation 5 years ago
Jeff Lucovsky 496306e6a9 doc: update stream-depth description 5 years ago
Jeff Lucovsky ec07f58705 doc: update file-store stream depth description 5 years ago
Vadym Malakhatko a80f705d4b userguide: add documentation for Hassh usage 
1. Rules keywords
2. Json keywords
3. Usage in lua
4. Enabling in configuration file
 5 years ago
Jeff Lucovsky b116a56a32 doc: Correct typos 5 years ago
Jeff Lucovsky 59cc3c6281 doc: Update byte_extract doc 5 years ago
Jeff Lucovsky 297f91479e doc: Fix spelling error 5 years ago
Victor Julien 06f414d66d doc/manpage: improve intro, add examples 5 years ago
Victor Julien 75727c05e0 doc/manpage: add --reject-dev option 5 years ago
Victor Julien 82ac72782d doc/userguide: update app-proto list 5 years ago
Victor Julien e6330c354d doc/userguide: list valid rule actions 5 years ago
Jeff Lucovsky 5e4aa5b851 doc: Improve tos description 
This commit improves the description of the `tos` keyword by emphasizing
that the value used should adhere to the guidelines in RFC2474. Instead
of specifying the DSCP value directly, right shift the DSCP value and
use that.
 5 years ago
Jeff Lucovsky 3005dca3fd doc: pcrexform documentation 5 years ago
Jason Ish a77662bdbf userguide: remove old drop-log documentation 
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2381
 5 years ago
Jason Ish 8997a114cb userguide: RDP now enabled by default 
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3255
 5 years ago
Jason Ish 3eb0461abd userguide: SIP now enabled by default 
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/3256
 5 years ago
Victor Julien d0526e71c0 doc/userguide: add IPS with BPF info, minor cleanups 5 years ago
Jason Ish 6b8320d1c0 doc: document file-store v1 to v2 configuration changes 5 years ago
Jason Ish 6850dbc852 suricata.yaml: remove filestore v1 configuration 5 years ago
Victor Julien e5fd47dcfd doc/devguide: create basic layout 
Issue: #3343
 5 years ago
Jason Ish 0dd1b2a616 doc: typo: http.server_body should be http.response_body 
Thanks to Jason Williams for pointing this out.
 5 years ago
Victor Julien a611ae2102 doc/perf: minor improvements 5 years ago
Andreas Herz 1d9db2b5f9 doc: add performance analysis section 5 years ago
Sascha Steinbiss 5598ff5bb3 doc/install: refer to buster as Debian stable 5 years ago
Todd Mortimer 6b4d32c6bb doc: Update documentation for by_rule and by_both thresholds. 5 years ago
Jeff Lucovsky 5f71e7a371 doc/devguide: Submission and style 
This commit adds code submission and coding style guidelines to the
devguide. Most of the material is a straight port from the wiki but
there have been some content modifications and additions.
 5 years ago
Jason Ish 752e4828d7 devguide: include sources in EXTRA_DIST 
Required for distcheck to pass, and required to build docs
from a dist archive.
 5 years ago
Victor Julien e97cdb48f3 decode/teredo: implement port support 
Implement support for limiting Teredo detection and decoding to specific
UDP ports, with 3544 as the default.

If no ports are specified, the old behaviour of detecting/decoding on any
port is still in place. This can also be forced by specifying 'any' as the
port setting.
 5 years ago
Jeff Lucovsky 4ad6c5421a doc: fix documentation typos 5 years ago
Jeff Lucovsky bc01392e93 doc: Update byte_test documentation 5 years ago
Frank Honza 1c8943dedd add RFB parser 
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

 - rfb.name: Session name as sticky buffer
 - rfb.sectype: Security type, e.g. VNC-style challenge-response
 - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
 5 years ago
Victor Julien ccfdcb55fb devguide: document new app-layer retvals 5 years ago
Philippe Antoine 6251deae21 doc: adds doc for ipv4.hdr signature keyword 5 years ago
Philippe Antoine 1cd314c500 detect: adds icmpv6.mtu keyword 5 years ago
Jeff Lucovsky e14447d594 docs/napatech: Correct typo 5 years ago
Shivani Bhardwaj c5cee05169 doc: Fix typo Generate -> Generator 5 years ago
Shivani Bhardwaj 7b1699c5a8 doc: Add chassis for dev docs 
Closes redmine ticket 3344.
 5 years ago
Philippe Antoine 8396333493 detect: adds icmpv6.hdr keyword 5 years ago
Philippe Antoine af1361a988 doc: add missing documentation for ipv6.hdr keyword 5 years ago
Jason Ish d3f6a95b56 doc: removed unified2 output 5 years ago
Jeff Lucovsky 8c132c0b87 doc: Correct RST quote usage 
Corrects misplaced backticks preventing proper formatting of `mpm-algo`
section.
 5 years ago
Jeff Lucovsky 3385859176 doc/userguide: Update for dump-features 5 years ago
Phil Young 3fbcacf9a8 napatech: documentation hardware based bypass support 
Napatech hardware bypass support enables Suricata to utilize
capabilities of Napatech SmartNICs to selectively bypass flow-based
traffic.
 5 years ago
Shivani Bhardwaj 700eebaecc doc/conf: Update copyright and regex for version 
Make the new regex in compliance with the modern autoconf syntax.
Closes redmine ticket #3423
 5 years ago
jason taylor 1666bc0ad1 doc: minor capitalization fix 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 5 years ago
jason taylor 4f7dc4f136 doc: add bsize documentation and rule example 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 5 years ago
Daisu fccdb1c642 doc/commandline: -i option is useable several times 5 years ago
Steven Hostetler 4ac5ab00b7 doc/install: fix geoip typo 5 years ago
Victor Julien 411dd69e92 doc/eve: layout and formatting fixes 5 years ago
Jason Williams 55a36c79ff doc: update http keywords documentation 5 years ago
jason taylor 95237f9894 docs: update datasets examples 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 5 years ago
EmilienCourt 50bb8d4cb2 doc: fix typo on example 
Quotes have been forgotten in the dnp3.data example, which throws an
SC_ERR_INVALID_SIGNATURE(39) if used like in the example.
 5 years ago
Eric Leblond 9ef2f81ee7 doc/userguide: fix typo 5 years ago
Eric Leblond 821d590f5b doc/userguide: fix base64 example 
Add a sticky buffer example and fix the content modifier one.
 5 years ago
Pascal Delalande 8e6a2bd42e doc: removal of disable-rust and path typo for suricatasc 5 years ago
Victor Julien d5ae68afc2 doc: fix version in install doc 5 years ago
Victor Julien 1c27a99827 doc: add upgrade page 5 years ago
Jason Ish 718fcbb682 doc: document eve/dns v2 as the default 
Adds eve/dns v2 format documentation. Update legacy format
to require the version field.
 5 years ago
Philippe Antoine 6921608673 http: updates suricata.yaml comments 
As well as the userguide documentation about suricata.yaml
 5 years ago
Jason Ish 9111b9df57 doc: cleanup enging logging 
Attempt cleanup the engine logging a bit.

Also a include a verbatim excerpt of the default configuration
here for reference purposes.
 5 years ago
Jason Ish c97195bf0b doc: -v verbose option documentation update 
Update -v documentation to reflect the new behaviour discussed
in bug #1851 where -v changes the log level to fixed levels
instead of an offset of the default log level configured
in suricata.yaml.
 5 years ago
Konstantin Klinger 808ea0dba9 app-layer: remove obsolete msn protocol detection 5 years ago
Victor Julien 6d2bd6607e datasets: make clear the feature is experimental 5 years ago
Jeff Lucovsky 17c3e22ecd doc/eve.alert: Expand metadata description 5 years ago
Victor Julien 4061bf5ceb doc/datasets: update example config to map 5 years ago
Victor Julien 029683cbac doc: reformat linux ips guide 5 years ago
Eric Leblond 6d9416148b doc: add nftables IPS configuration 5 years ago
Eric Leblond 82eb669205 doc: information about scaling AF_PACKET IPS mode 5 years ago
Eric Leblond ffe81dc9f2 doc: add info about AF_PACKET IPS 
Based on https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/

Also fix some typo in Netfilter setup.
 5 years ago
Jason Ish 0cd5452194 doc: mark independent json loggers as deprecated 
This is the loggers such as alert-json-log, dns-json-log, etc.
They are not even referenced in the default configuration file,
and are easily replaced with multiple eve instances.
 5 years ago
Jason Ish 212252faf2 doc/drop.log: mark as deprecated and scheduled to be removed 
Also make sure options are in sync with those in
suricata.yaml.
 5 years ago
Jason Ish 5345379d14 doc/unified2: add deprecation/removal notice 5 years ago
Jason Ish 873bc290bc doc/filestore(v1) - make deprecation text a note 
Highlights that is is deprecated in the HTML output.
 5 years ago
Jason Ish 7f32822843 doc/filestore(v1) - document force-filestore field 5 years ago
Jeff Lucovsky 44a59b78c7 doc/anomaly Remove event_no 5 years ago
Victor Julien be6cdd37f8 stream: remove fix stream.depth references 5 years ago
Peter Manev 10819ed892 doc: Update tuning considerations doc 5 years ago
Peter Manev 6df1001957 doc: Update high performance config doc 5 years ago
Victor Julien bd2f1e15fd doc/stats: minor clarrifications on 5.0 defaults 6 years ago
Victor Julien 42438ec08e doc/userguide: add quickstart to dist 6 years ago
Giuseppe Longo dd5d0afd79 doc: add SIP keywords 6 years ago
Jason Ish d3e2cc9926 doc: document dns.opcode keyword 6 years ago
Jason Ish daed788d49 doc: Replace dns_query with dns.query. 6 years ago
Giuseppe Longo 972be0a560 doc: update file-extraction section 6 years ago
Travis Green 798d874662 doc: fix whitespace 6 years ago
Victor Julien 6aa2d550a1 doc/dotprefix: fix example rules 6 years ago
Jeff Lucovsky ab3d6328ba detect/transform: add dotprefix keyword to doc 6 years ago
Victor Julien df325d63ea doc/eve.anomaly: fix indent and general formatting 6 years ago
Jeff Lucovsky 075592b66f doc: Simplified anomaly configuration settings 6 years ago
Jeff Lucovsky aaacbf28c2 logging/anomaly: Support configuration filter types 6 years ago
Eric Leblond 35bc73e4e2 doc: change eBPF directory path 6 years ago
Zach Kelly caef8b5b38 protocol parser: rdp 
Initial implementation of feature 2314:
1. Add protocol parser for RDP
2. Add transactions for RDP negotiation
3. Add eve logging of transactions
 6 years ago
Andreas Herz d657fd9bf0 doc: add quickstart guide 6 years ago
Victor Julien d5009c5d8c doc/stream: briefly explain bypass 6 years ago
Jason Ish 0bb07b550c userguide: remove section on using Oinkmaster 
Users should be using Suricata-Update now.
 6 years ago
Travis Green 3f146cdd7e doc: add endswith keyword docs 6 years ago
Travis Green 9f8dcad287 doc: update of ssh-kewords documentation 
Modifies ssh-keywords.rst to fix syntax error in example rule as well as
update descriptions to indicate older keywords have been deprecated.
 6 years ago
Jason Ish 9488002a0d doc: use describe instead of option for old Sphinx 
Older versions of Sphinx will generate duplicate IDs when you have
options like:

.. option:: some-option

.. option:: some-other-option

The version of Sphinx provided on CentOS 7 has this issue, newer
versions of Sphinx do not.  As CentOS 7 is still a popular
distribution, change ".. option" to ".. describe" which has the
same visual output, but does not generate links.
 6 years ago
Victor Julien e36a963196 datasets/doc: minor fixes and clarifications 6 years ago
Victor Julien 0107b9a057 doc/dataset: initial documentation 6 years ago
Victor Julien 1bc738fbe4 doc: typo fixes 
By @espritlibre and @Zeal0us
 6 years ago
Nick Price d0a85b7550 ja3: Mention LibNSS dependency for JA3 6 years ago
Eric Leblond cc28d24e9a doc: install eBPF files in share directory 
Following proposal by Sascha Steinbiss, let's use /usr/share/suricata
to store the eBPF files.
 6 years ago
Eric Leblond 3cf49ae868 doc: fix English and some typos 6 years ago
Eric Leblond 4be6701836 doc: pointer to bpfctrl 
As bpfctrl is currently the easiest way to manage pinned maps,
let's point to it. We will switch doc to suricatacl once support
has been added.
 6 years ago
Eric Leblond 8f1a7de791 doc: improve doc on compiling with eBPF support 6 years ago
Eric Leblond f1ab27b7cb doc: improve XDP cpu redirect documentation 6 years ago
Eric Leblond 6d9ac64f7b doc: only balance by ip pair 
As there is some issue with defrag, let's recommend to only do
IP pair load-balacing for RSS
 6 years ago
Eric Leblond a1d3835b86 doc: document filter.bpf changes 
Also adds some info to explain maps.
 6 years ago
Eric Leblond 08397e07f1 doc: fix typos in geoip doc 6 years ago
Eric Leblond 0d5608bab2 doc: fix display of icmp code and type array 6 years ago
Eric Leblond 0c84591afe doc: use a table to list direction filter in geoip 6 years ago
Eric Leblond c01cadbade doc: fix geoip syntax 
Spaces are not allowed before country code.
 6 years ago
Vinjar Hillestad 4c18fee3c6 Documenting base64_decode and base64_content 
base64 doc changes based on #4027 pull feedback
 6 years ago
Hilko Bengen 36998ab4cd Add documentation for --with-clang parameter 6 years ago
Andreas Herz c0bddff078 userguide: remove old reference to rule-reload option 6 years ago
Jeff Lucovsky a66383569c userguide: formatting: remove tabs 6 years ago
Jeff Lucovsky c68510437f userguide: ftp formatting updates 6 years ago
Jeff Lucovsky 2149807bd6 eve/ftp: Transaction support for unmatched requests 
Modified transaction logic to create a new transaction with each
request; replies location transactions by using the oldest "open"
(unmatched) transaction or the last transaction if none are open.
 6 years ago
Jeff Lucovsky 1930b1f504 eve/ftp: Log FTP transactions 
This changeset includes changes that
1. Add transaction support to the FTP parser
2. Support eve json logging of FTP transactions
 6 years ago
Bill Meeks a291209e47 detect/geoip: migrate to GeoIP2 database format 
Issue #2765
 6 years ago
Victor Julien 034555644b doc: add tcp.hdr and udp.hdr 6 years ago
Victor Julien a01df4b86b doc: document tcp.mss keyword 6 years ago
Jeff Lucovsky 6cd39c5cfb userguide: Document app-layer anomaly items 
This changeset expands the anomaly section to include newly added
app-layer items.
 6 years ago
Eric Leblond 1f151dd8a6 doc: address norg comments on eBPF doc 6 years ago
Eloïse Brocas 8692aac97f doc: specify config file in ebpf doc 
This patch updates the ebpf-xdp.rst file to specify which
configuration file has to be modified.
 6 years ago
Eric Leblond eea3c6b610 doc: info for new bypass counters 6 years ago
Eric Leblond e3dccb2400 doc: update bypass stats doc 6 years ago
Eric Leblond dbf3606169 doc: document flow event_type 6 years ago
Eric Leblond 8a11581ac8 doc: update ebpf doc following bypass_filter change 6 years ago
Eric Leblond 253c011c70 doc: update for latest xdp_filter.c change 6 years ago
Eric Leblond 567b5ee1bc af-packet: rename option 'no-percpu-hash' 6 years ago
Eric Leblond ca50f8852e doc: improve ebpf doc 
Add example of bypass rules and explain clang dependency.
 6 years ago
Eric Leblond c11eb78141 doc: document netronome hardware bypass usage 6 years ago
Eric Leblond 82c4f5135b doc: use github mirror to setup libbpf 6 years ago
Eric Leblond 1c4d214cdb doc: typo fixes on ebpf doc 6 years ago
Eric Leblond b7560d7547 doc: document externally managed global switch 
This is currently implemented as an exposed map and it seems
a good way to do it.
 6 years ago
Eric Leblond b1769d5f8f util-ebpf: implement pinned maps loading 
Load flow tables at start if asked to.
 6 years ago
Eric Leblond 19c0a5edf5 doc: white space and typo fix 6 years ago
Eric Leblond 6d41a0ced0 doc: more eBPF and XDP capabilities 6 years ago
Eric Leblond 315c29a8e6 ebpf: change the logic to avoid ktime usage 
Kernel time is not available (and/or costly) on NIC such as
Netronome so we update the logic to detect dead flows based on a
lack of update of packets counters. This way, the XDP filter will
be usable by network card.

This patch also updates the ebpf code to support per CPU and
regular mapping. Netronome is not supporting it and the structure
is using atomic for counter so the cost of simultaneous update
is really low.

This patch also updates the xdp_filter to be able to select if the
flow table is per CPU on shared. Second option will be used for
hardward offload. To deactivate the per cpu hash, you need to set
USE_PERCPU_HASH to 0.

This patch also adds an new option to af-packet named no-percpu-hash
If this option is set to yes then the Flow bypassed manager thread
will use one CPU instead of the number of cores. By doing that
we are able to handle the case where USE_PERCPU_HASH is unset (so
hardware offload for Netronome).

This patch also remove aligment indications in the eBPF filter. This
was not really needed and it seems it is causing problem with
some recent version of LLVM toolchain.
 6 years ago
Andreas Herz 30fd80b0ef doc: convert fancy quotes to straight quotes 6 years ago
Pierre Chifflier 9dfec7e734 SNMP: add the "snmp.pdu_type" detection keyword 6 years ago
Pierre Chifflier e1dd19a0eb SNMP: add the "snmp.community" detection keyword 6 years ago
Pierre Chifflier aa608e0ca2 SNMP: add the "snmp.version" detection keyword 6 years ago
Jeff Lucovsky ab1d95446a doc: http keyword update 
This changeset updates the keyword type for http.location and http.server
 6 years ago
Jeff Lucovsky 0960ca0d00 detect/analyzer Add missing HTTP values 
This changeset adds recognition of missing HTTP values
- Raw host
- Header names
- Server body
- User agent
 6 years ago
Mats Klepsland b59e82a642 userguide: add documentation for ja3s.string keyword 6 years ago
Mats Klepsland 76b94c7073 userguide: add documentation for ja3s.hash keyword 6 years ago
Mats Klepsland d15903a2ef userguide: add documentation for Ja3SGetString Lua function 6 years ago
Mats Klepsland 37a0594417 userguide: add documentation for JA3SGetHash Lua function 6 years ago
Mats Klepsland 800608ab65 userguide: add JA3S fields to the TLS logger documentation 6 years ago
Jeff Lucovsky 8a94b93b7b doc: Anomaly logging documentation 
This changeset adds discussion of anomaly log records and
the anomaly log record format.
 6 years ago
Mats Klepsland 7020cffaa8 userguide: 'sticky' instead of 'Sticky' for all tls keywords 6 years ago
Mats Klepsland 03d986dd55 userguide: add documentation for tls.certs keyword 6 years ago
Jeff Lucovsky 7d6875fb68 documentation: Correct rst for ssh-keywords 
This changeset corrects an error in the ssh-keywords
where 3 "`" characters were used instead of 2 "`" characters.
 6 years ago
Jeff Lucovsky 97fc7c1e1a documentation: sticky buffer updates 
This changeset updates the userguide for the TLS and JA3
keywords that have been renamed from <id>_<name> to <id.name>
 6 years ago
Giuseppe Longo 76357350fd doc: update http.protocol description 6 years ago
Shivani Bhardwaj 4705314fd2 doc: Add manpages for suricatasc and suricatactl 
Add the missing manpages and the corresponding Sphinx configuration
for the command line tools `suricatasc` and `suricatactl`.

Closes redmine ticket #884.
 6 years ago
Eric Leblond 360a6ace43 doc: add info about buffer usage in lua 6 years ago
Jason Ish 355d125c4f userguide: remove dns-log 6 years ago
Jason Ish 75a018ead2 doc: remove autoconf replacement var for Rust 
Set to yes as Rust is always enabled now.
 6 years ago
Phil Young 6cfc39d7c9 napatech: auto-config documentation update 
Added documentation describing how to configure suricata to automaticly
configure sreams and host buffers without using NTPL.  I.e. from
suricata.yaml.
 6 years ago
Jeff Lucovsky 9856c5533a doc: ssh.{proto,software} documentation update 6 years ago
Jeff Lucovsky 74cd6a9ee8 doc: add http.location and http.server 6 years ago
Pascal Delalande bde65467a9 doc: add ssh protocol in eve log section 6 years ago
Victor Julien 96c6cf98d5 doc/userguide: add 3rd-party-integration to dist 6 years ago
Victor Julien f1c83c3308 doc/userguide: new 3rd party section, add bluecoat 
Add Symantec SSLV (bluecoat) doc to new 3rd party section for
documenting integrating Suricata with 3rd party tools.
 6 years ago
Bryant Smith 398133b6ce doc: add byte_* documentation to the userguide 
Added byte_test, byte_jump and byte_extract description and example rules
 6 years ago
Victor Julien d6903e70c1 file-log: remove and add warning 
Feature was deprecated and scheduled for removal.

Ticket #2376
 6 years ago
Eric Leblond 83a8df90f3 doc: improvement of xbits documentation page 6 years ago
Eric Leblond 43ede4db7f doc: xbits:noalert is not a valid syntax 6 years ago
Shivani Bhardwaj 2483331a5d doc/unix-socket: Add missing commands and detail 
Add missing commands and their corresponding details in unix-socket
userguide.

Closes redmine ticket #2800
 6 years ago
Victor Julien c47164ebc8 doc: add table for custom values of eve/http 6 years ago
Victor Julien 6fcd2db043 tile: remove files 6 years ago
Victor Julien 517b45ea2d netmap: switch to nm_* API 
Process multiple packets at nm_dispatch. Use zero copy for workers
recv mode.

Add configure check netmap check for API 11+ and find netmap api version.

Add netmap guide to the userguide.
 6 years ago
Maurizio Abba 6c0ec0b2f3 eve/http: add request/response http headers 
Add a keyword configuration dump-all-headers, with allowed values
{both, request, response}, dumping all HTTP headers in the eve-log http
object. Each header is a single object in the list request_headers
(response_headers) with the following notation:

{
    "name": <header name>,
    "value": <header value>
}

To avoid forged malicious headers, the header name size is capped at 256
bytes, the header value size at 2048.

By default, dump-all-headers is disabled.
 6 years ago
Maurizio Abba 4697351188 smtp: create raw-extraction feature 
Add a raw-extraction option for smtp. When enabled, this feature will
store the raw e-mail inside a file, including headers, e-mail content,
attachments (base64 encoded). This content is stored in a normal File *,
allowing for normal file detection.
It'd also allow for all-emails extraction if a rule has
detect-filename:"rawmsg" matcher (and filestore).
Note that this feature is in contrast with decode-mime.

This feature is disabled by default, and will be disabled automatically
if decode-mime is enabled.
 6 years ago
Victor Julien eb73008ccf detect/transform: add to_sha1 keyword 6 years ago
Victor Julien 75f9c1ae9f detect/transform: add to_md5 keyword 6 years ago
Victor Julien b3c021f8d0 userguide: improve stats logging documentation 6 years ago
Pascal Delalande f2dca46382 doc: fix minor typo 6 years ago
Eric Leblond 7a121d9b4c doc: add _static dir to make dist 6 years ago
Travis Green c2adb9e669 doc: added tos keyword 
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2583
 6 years ago
Victor Julien 9dd925a46a userguide/install: add rust, python-yaml to ubuntu 6 years ago
jason taylor fc395eb2c5 userguide: updated hyperscan version reference 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 6 years ago
jason taylor 131112de13 doc: Remove gulp references 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 6 years ago
jason taylor fc54d750dd doc: add bypass keyword documentation 
Signed-off-by: jason taylor <jtfas90@gmail.com>
 6 years ago
Mats Klepsland be8c06adfd userguide: add documentation for ssl_version keyword 6 years ago
Victor Julien 85f2486e0b multi-tenant: document per tenant settings 6 years ago
Victor Julien 5afeebf884 doc/flow: updates and cleanups to flow section 6 years ago
Victor Julien 72dd4a5f92 doc/rules: initial transforms documentation 6 years ago
Victor Julien 226fe5cab3 doc/performance: redo runmodes explanation 6 years ago