d830177b7b
doc: Add my own name to the acknowledgements
8 years ago

98a1ec490f
doc: Move IP reputation keyword to rules section
8 years ago

722cff1862
doc: Restructure ToC

* All sections up to 2 levels deep are now shown regardless of whether they are a separate page
* Rename Xbits and Thresholding for more consistent naming
* Minor adjustment in the Payload Keywords section

8 years ago

196ba1da70
doc: Make the header keywords section separate sections in ToC
8 years ago

a55a6cdb62
doc: Move flowint as integral part of flow keywords
8 years ago

f6c766112c
doc: Minor changes in structuring of HTTP Keywords / Snort differences
8 years ago

e9b25988ba
doc: Move pcre entirely to Payload Keywords section

(plus remove lingering screenshot of a rule)

8 years ago

bb1bf2643d
doc: Move fast_pattern and prefilter to dedicated page
8 years ago

fea037fda8
doc: Moved explanation of normalized buffers to rules introduction
8 years ago

11990c7117
doc: Move the definition of modifier keywords to the introduction
8 years ago

dfae19247d
doc: Completely rewrite the rules introduction for more clarity
8 years ago

274c36eb2f
doc: Meta-settings -> Meta Keywords plus some textual changes

Most importantly, conventions are now placed in tip boxes

8 years ago

3413793768
doc: Use lowercased keyword names as section titles
8 years ago

a52aacb4ea
doc: Replace images of tables and rules with text in rules docs

In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis.
Additionally, some tables embedded into images were also replaced by reST tables.

8 years ago

44926e2369
doc: Add suricata.css to allow for some custom styling
8 years ago

5335d8b877
detect/uri: apply urilen contents as depth
8 years ago

606eab937c
detect/http_uri: remove broken tests
8 years ago

c16509a8b6
conf: stack-based buffer-overflow in ParseFilename

There is a stack-based buffer-overflow in ParseFilename. Since the length of "outputs.pcap-log.filename" is not checked and the destination buffer "str" has a fixed length of 512 bytes, a buffer overflow happens with long filenames. An attacker could exploit this for code execution if the configuration file is not protected properly. This commit fixes ticket #2335.

This is what the asan-output looks like:
~/suricata-1/src# suricata -T -c ./suricata.yaml
[27871] 3/12/2017 -- 20:48:13 - (suricata.c:1876) <Info> (ParseCommandLine) -- Running suricata under test mode
[27871] 3/12/2017 -- 20:48:13 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev f3fea60b

8 years ago

1090ee9d8d
rate_filter by_both through IPPair storage

Ticket https://redmine.openinfosecfoundation.org/issues/2127

8 years ago

84b66b7aaa
enum: don't printf on util-enum errors

When util-enum encounters an error around enum value it should log the error
rather than losing it to console with printf.
Bug #2268

8 years ago

999b50476b
detect/http_host: add sid to nocase warning
8 years ago

f68067be94
hosts: release packet references to hosts
8 years ago

637a7c8e55
Adds options to mark when a file is final.

This takes the form of an option to add the pid of the process to file
names. Additionally, it adds a suffix to the file name to indicate it is
not finalized.
Adding the pid to the file name reduces the likelihood that a file is
overwritten when suricata is unexpectedly killed. The number in the
waldo file is only written out during a clean shutdown. In the event
of an improper shutdown, extracted files will be written using the old
number and existing files with the same name will be overwritten.
Writes extracted files and their metadata to a temporary file suffixed
with '.tmp'. Renames the files when they are completely done being
written. As-is there is no way to know that a file on disk is still
being written to by suricata.

8 years ago

a1f8cf40e2
detect/http_start: check if 'line' is valid

In certain conditions like low memory the line can be NULL.
Bug #2307.

8 years ago

9abac08cc7
detect/flowint: harden code

Make sure packet has a flow.
Related to bug #2288.

8 years ago

40a819d5a6
detect/flowint: only check if packet has flow

Fixed bug #2288.

8 years ago

db24fee16e
detect/flowint: improve unittests

In preparation of fixing bug #2288, make sure the unittests set up
the flow in the packet properly.

8 years ago

7394ee17ec
unittest/helpers: add helper to assign flow to packet
8 years ago

83f220a6b0
detect/depth: reject rules with depth smaller than content
8 years ago

d0846cc561
detect-parse: string copy not required

Without using pcre, copies of the strings are no longer
required.

8 years ago

73d1e4bc84
detect-parse: don't use pcre for rule parsing

Don't use pcre for the high level rule parsing, instead
using a tokenizing parser for breaking out the rule
into keywords and options.
Much faster, especially on older CPUs. Should also allow
us to provide better context where a rule parse error
occurs.

8 years ago

93b120e70d
runmodes: config test is offline
8 years ago

71c3141ec6
afl: enable afl dumps by envvar

If SC_AFL_DUMP_FILES is set the inputs are stored to disk.

8 years ago

f1da18ec1a
http: allow shrinking in HTPRealloc
8 years ago

5748df3eed
Add support for PCAP LINKTYPE_IPV4
8 years ago

223a38aeee
mingw: service init compile warning fix
8 years ago

81408df0cf
output: clean up log API unittests

Disable for MinGW as the setenv/getenv implementations seem to
be non-deterministic.

8 years ago

7ed1debc96
flow: optimize Flow structure layout

Shrink structure by 8 bytes by moving new ttl fields into an
existing 'gap'.
Also fixes a strange ASAN issue in GCC 5.4.0 in unittests.

8 years ago

17c4623975
thresholds: simplify config parsing
8 years ago

2a237bdfca
detect: make glob.h optional

glob.h is not available on MinGW.
Simply use the input on the rule list as a literal pattern.

8 years ago

e1d1a7f2ac
detect: fix flow bypass flag handling
8 years ago

ddd3c0b1df
detect/analyzer: formatting fixup
8 years ago

e86c3f0a40
detect: constify rule group lookup
8 years ago

a9ee041984
detect: minor profiling cleanup
8 years ago

26abf5337c
detect/mpm: minor cleanup: remove unused function arg
8 years ago

03274051cf
detect-state: minor cleanups
8 years ago

c79b9cb317
detect: constify address match functions
8 years ago

63291d0f01
detect: style cleanup
8 years ago

64aec6aaea
app-layer: minor cleanup
8 years ago

66530c6179
app-layer: cleanup: use true bool type for 'logger'
8 years ago