Commit Graph

305 Commits (6607ee8489f925c0ba918bfe0952124fd5cf2596)

Author SHA1 Message Date
Max Fillinger ce270a8f6a Add info about pcap log compression to user guide 8 years ago
Eric Leblond e249ce29bb doc: add lua directory to Makefile 8 years ago
Victor Julien 4a90dced8e doc/lua: small update to the usage intro 8 years ago
Eric Leblond 2546e86a16 doc: document lua function about flow var 8 years ago
Eric Leblond 0c4bf2d332 doc: add a lua support top level section
Both output and signature are using lua. So lua functions should
be displayed in a single section.
8 years ago
Eric Leblond 293b00798e doc: document lua TLS functions 8 years ago
Pascal Delalande e3c5784dd5 doc: minor updates (tls custom, TODO removal, ftp/smb file rules) 8 years ago
Victor Julien 83bf60d897 doc: add ntlmssp, kerberos and other setup fields 8 years ago
Richard Sailer dc07c1fe13 lua output doc: Use more descriptive variable names in the examples
This also removes the "args" parameter of the hooking functions in the examples,
since this parameter is unused in all functions.
It would not be very helpful anyways since 3 of the 4 functions don't get passed
any parameters. The only exception is init() which gets a table containing:
  script_api_ver = 1
8 years ago
Richard Sailer 3307f7a94e lua output doc: Add explaining introduction text 8 years ago
Victor Julien e09027915a doc: fix json formatting in smb doc 8 years ago
Victor Julien 67e81a9555 doc: initial smb eve documentation 8 years ago
Victor Julien 78437375c4 doc: add by_either to suppress explanation 8 years ago
Victor Julien 2c259f2239 doc: add smb section to yaml 8 years ago
Victor Julien 13bdcd5249 doc: minor fix 8 years ago
Victor Julien 1edd9d19fc doc: add SMB to file extraction. Minor improvements. 8 years ago
Victor Julien b4771150b8 doc: update suricata-update screenshot 8 years ago
Victor Julien b531e7725d doc: improve suricata-update docs now that its bundled 8 years ago
Victor Julien ac1ed24cb4 doc: improve making sense of alerts 8 years ago
Victor Julien ccde621ceb doc: add suricata-update to intro for rules 8 years ago
Pierre Chifflier 6eb48e1e93 Add ikev2 to userguide 8 years ago
Victor Julien 26e807ca34 doc: fix http_header_names example 8 years ago
Eric Leblond 0a72d5be96 doc: fix typo in unix socket doc
Also fixes a dead link to code.
8 years ago
Eric Leblond 975f413308 doc: more info on unix socket rule reload 8 years ago
Eric Leblond e2aab10d29 doc: fix typo in ebpf xdp doc 8 years ago
Mats Klepsland 47a7ebbbc2 doc: add JA3 fields to the TLS logger documentation 8 years ago
Mats Klepsland fb0bfb614f doc: add documentation for Ja3GetString Lua function 8 years ago
Mats Klepsland 2514553098 doc: add documentation for Ja3GetHash Lua function 8 years ago
Mats Klepsland a357f52fa5 doc: add documentation for ja3_string keyword 8 years ago
Mats Klepsland 38cc6f595f doc: add documentation for ja3_hash keyword 8 years ago
Giuseppe Longo fb66d45754 doc: introduce dns compact logging 8 years ago
David DIALLO c2236ea2b3 modbus: Support Unit Identifier
When destination IP address does not suffice to uniquely identify
the Modbus/TCP device.

Some Modbus/TCP devices act as gateways to other Modbus/TCP devices
that are behind this gateways.
8 years ago
Victor Julien 50a182194a eve: log pcap filename 8 years ago
Pascal Delalande 2e5b293afb doc: update eve json output for DNS and HTTP 8 years ago
Brandon Sterne a01a229b37 doc: use standard spelling of daemon 8 years ago
Andreas Herz bdb886bd68 docs: remove many outdated and old install docs 8 years ago
Andreas Herz 2e8678a5ff docs: replace redmine links and enforce https on oisf urls 8 years ago
David DIALLO 6c643d8975 modbus: duplicate alerts unaware of direction
Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction
because Modbus inspection engine is only performing in request (TOSERVER).

Detect Value keyword in read access rule. In read access, match on value
is not possible.

Update Modbus keyword documentation.
8 years ago
Eric Leblond 7da805ffd9 doc: improve eBPF and XDP doc
Remove reference to `buggy` clang as a workaround has been found in
libbpf.

Proof read and add information on the structure of eBPF code.
8 years ago
Eric Leblond 8030e3f66b doc: update documentation
This patch adds info on kernel requirement for XDP and rework a few
things.
8 years ago
Eric Leblond 0e1a4173ff doc: how to get live info about ebpf behavior 8 years ago
Eric Leblond 8c7b5cb088 doc: add info about xdp IPS bypass 8 years ago
Eric Leblond ce8b74b524 doc: document XDP CPU redirect 8 years ago
Eric Leblond 60265e023a doc: update xdp documentation
Also remove configuration info from yaml as they are now in the
documentation.
8 years ago
Peter Manev 5ee44c877c doc: add XDP setup documentation 8 years ago
Giuseppe Longo d2121945c9 doc: update file_data description 8 years ago
Jason Ish 74e036d09f doc: update eve/alert/metadata configuration 8 years ago
Martin Natano fe9cac5870 eve/alert: include rule text in alert output
For SIEM analysis it is often useful to refer to the actual rules to
find out why a specific alert has been triggered when the signature
message does not convey enough information.

Turn on the new rule flag to include the rule text in eve alert output.
The feature is turned off by default.

With a rule like this:

    alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;)

The eve alert output might look something like this (pretty-printed for
readability):

    {
      "timestamp": "2017-08-14T12:35:05.830812+0200",
      "flow_id": 1919856770919772,
      "in_iface": "eth0",
      "event_type": "alert",
      "src_ip": "10.20.30.40",
      "src_port": 50968,
      "dest_ip": "8.8.8.8",
      "dest_port": 53,
      "proto": "UDP",
      "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 42,
        "rev": 0,
        "signature": "Google DNS server contacted",
        "category": "",
        "severity": 3,
        "rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)"
      },
      "app_proto": "dns",
      "flow": {
        "pkts_toserver": 1,
        "pkts_toclient": 0,
        "bytes_toserver": 81,
        "bytes_toclient": 0,
        "start": "2017-08-14T12:35:05.830812+0200"
      }
    }

Feature #2020
8 years ago
Eric Leblond 72c8cd67d5 doc: documentation update on metadata 8 years ago
Jason Ish ab939f4aaa doc: breakout eve-log section to a partial file
Both the suricata.yaml and eve configuration sections
included the eve-log section from suricata.yaml. First,
sync these up with the actual suricata.yaml then break
it out into its own file, so only one file needs to
be kept in sync with the actual configuration file.
8 years ago