Commit Graph

16067 Commits (3f04af7c7fb504ab1a38af671cf74b69078590bc)

Author SHA1 Message Date
Victor Julien 3f04af7c7f doc: add thresholding by_flow 1 year ago
Victor Julien f028648750 detect/content: fix wrong value for depth check
Limits propagation checked for DETECT_DEPTH as a content flag,
which appears to have worked by chance. After reshuffling the
keyword ids it no longer worked. This patch uses the proper
flag DETECT_CONTENT_DEPTH.
1 year ago
Victor Julien d0f3f2d462 detect: group content inspect keyword ids 1 year ago
Victor Julien 022173d7ab detect: group types used in traffic variables
Traffic variables (flowvars, flowbits, xbits, etc) use a smaller int for
their type than detection types. As a workaround make sure the values fit
in a uint8_t.
1 year ago
Victor Julien cfd55ead74 threshold: add by_flow support for global thresholds
Allow rate_filter and thresholds from the global config to specify
tracking "by_flow".
1 year ago
Victor Julien 1552f0953a detect/threshold: implement tracking 'by_flow'
Add support for 'by_flow' track option. This allows using the various
threshold options in the context of a single flow.

Example:

    alert tcp ... stream-event:pkt_broken_ack; \
        threshold:type limit, track by_flow, count 1, seconds 3600;

The example would limit the number of alerts to once per hour for
packets triggering the 'pkt_broken_ack' stream event.

Implemented as a special "flowvar" holding the threshold entries. This
means no synchronization is required, making this a cheaper option
compared to the other trackers.

Ticket: #6822.
1 year ago
Victor Julien a81b23254c util/var: add comments explaining types 1 year ago
Victor Julien 1fa13e4b81 util/var: remove printf; add assert 1 year ago
Philippe Antoine 5bd17934df http2: do not expand duplicate headers
Ticket: 7104

As this can cause a big memory allocation due to the quadratic
nature of the HPACK compression.
1 year ago
Philippe Antoine 37509e8e0e modbus: abort flow parsing on flood
Ticket: 6987

Let's not spend more resources for a flow which is trying to
make us do it...
1 year ago
Victor Julien ce727cf4b1 detect: remove unnecessary detect thread flags stores 1 year ago
Philippe Antoine b34d4b1314 detect/nfs: do not free a null pointer
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69840
1 year ago
Jeff Lucovsky 5b97f4040c detect/base64: Use Rust defined modes everywhere
Issue: 6487

To avoid ambiguity, a single definition for base 64 decoding modes will
be used. The Rust base64 transform contains the definitions for the
existing mode types: Strict, RFC2045, RFC4648
1 year ago
Jeff Lucovsky 01e20c91fb doc/transform: Correct typo 1 year ago
Jeff Lucovsky d205ff82d0 doc/transform: Describe the from_base64 transform
Issue: 6487

Document the new transform and indicate that it's the preferred way to
perform base64 decoding (preferred over base64_decode)
1 year ago
Jeff Lucovsky f042e9034b detect/transform: Add from_base64 transform
Issue: 6487

Implement the from_base64 transform:
    [bytes value] [offset value] [mode strict|rfc4648|rfc2045]

    The value for bytes and offset may be a byte_ variable or an
    unsigned integer.
1 year ago
Jeff Lucovsky 1823681709 detect/transform: from_base64 option parsing
Issue: 6487

Implement from_base64 option parsing in Rust. The Rust module also
contains unit tests.
1 year ago
Jeff Lucovsky ab0cb960a1 detect/parser: Refactor utility routines
Refactor utility functions/definitions from the byte_math module into
the parser module. This includes parse_var and ResultValue

Issue: 6487
1 year ago
Shivani Bhardwaj 903283d76e flow: declare and use constants where possible 1 year ago
Shivani Bhardwaj 00a644c5c2 flow/manager: make fn calls only when necessary 1 year ago
Shivani Bhardwaj eb95d2bf66 flow/timeout: cleanup fn names and comments 1 year ago
Shivani Bhardwaj 8818b9cbe0 flow: remove unneeded args to fn 1 year ago
Shivani Bhardwaj f97b4ec1e8 flow/manager: add fn docs 1 year ago
Shivani Bhardwaj 14cd594d3c flow: add defensive check 1 year ago
Shivani Bhardwaj a87c8eb46f packetpool: use DEBUG_VALIDATE statement 1 year ago
Shivani Bhardwaj 87fa7f10ef flow: use bool wherever possible 1 year ago
Philippe Antoine 8b831e6751 detect/icmp: require real packet in signature
Fixes: 956c8bebd1 ("detect/prefilter: use sig mask to exclude pkt engines")
1 year ago
Philippe Antoine 0a953fe1ce detect: add to signature mask for decode events
Ticket: 6291
1 year ago
Philippe Antoine 4e584ed201 detect: fix check for app_layer events
Ticket: 7106
1 year ago
Jeff Lucovsky 834cd6fbdb af-packet: Remove unused preprocessor define
Remove unused preprocessor value; exposed by compilation warning
1 year ago
Philippe Antoine c9ce43b31e output: configurable payload_length field for alerts
Ticket: 7098
1 year ago
Philippe Antoine a21232828e dcerpc: add app-layer metadata in alerts
Ticket: 6090
1 year ago
Philippe Antoine 5f35035928 filestore: do not try to store a file set to nostore
Ticket: 6390

This can happen with keyword filestore:both,flow
If one direction does not have a signature group with a filestore,
the file is set to nostore on opening, until a signature in
the other direction tries to set it to store.
Subsequent files will be stored in both directions as flow flags
are now set.
1 year ago
Philippe Antoine 0d4efe0c0f app-layer: fix -Wshorten-64-to-32 warnings
Ticket: #6186

Warnings about downcast from 64 to 32 bits
1 year ago
Philippe Antoine 1790aa49a4 util: fix -Wshorten-64-to-32 warnings
Ticket: 6186

Warnings about downcast from 64 to 32 bits

Generic fixes required to get app-layer clean
1 year ago
Philippe Antoine dc043d0297 detect: remove unused field
content_inspect_window is used in app-layer-smtp, but
not directly in detect-file-data
1 year ago
Victor Julien 3d059611c3 detect: add tls.alpn keyword
Ticket: #7108.
1 year ago
Victor Julien 869d5492dc eve/schema: update for alpn 1 year ago
Victor Julien c79a382e42 eve/tls: log ALPN for client and server
Part of the extended logging.

Logs `client_alpns` and `server_alpns` arrays in the tls object.

Ticket: #7055.
1 year ago
Victor Julien 0b37654578 tls: store all ALPN records in the state
For later logging and detection.
1 year ago
Victor Julien 7f474af1d0 eve/schema: minor enip reformat 1 year ago
Jason Ish 6256391408 github-ci: run cargo update test on pull requests
Previously it was run once a week, hiding some issues until
Monday. Instead run on pull requests, but still not every push.
1 year ago
Victor Julien e3e917d967 detect/icmp-id: remove prefilter pseudo check
This is now handled at registration with SIG_MASK_REQUIRE_REAL_PKT.
1 year ago
Victor Julien 8df53d6411 detect/dsize: remove prefilter pseudo check
This is now handled at registration with SIG_MASK_REQUIRE_REAL_PKT.
1 year ago
Victor Julien 44d2e1aad7 detect/stream_size: allow match on pseudo packets
Often used with stream content, which can be inspected with pseudo packets.
1 year ago
Victor Julien 6958efa2dc detect/csum: remove pseudo packet checks 1 year ago
Victor Julien 64f5865efc detect/csum: general code cleanups 1 year ago
Victor Julien 956c8bebd1 detect/prefilter: use sig mask to exclude pkt engines
Add an argument to the packet prefilter registration function to include
`SignatureMask` flags. This will be used at runtime to only call these
prefilter engines when the mask check passes.
1 year ago
Victor Julien 4c2960169c detect/prefilter: minor function ptr cleanup
Use a typedef'd function pointer for packet Prefilter callbacks to make
the code consistent with the other callbacks.
1 year ago
Victor Julien 2d1ccb76b1 detect: remove pseudo checks from packet keywords
Keep as debug validation check.
1 year ago