aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
8,339 Commits
7 Branches
155 Tags
198 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '73d1e4bc84'
${ noResults }
Commit Graph

8339 Commits (73d1e4bc84d535298fe888309ad5a35b20cba6ae)
 

Author SHA1 Message Date
Eric Leblond c3806ebd2a suricata.yaml: add some port variables 
These variables are used by Talos ruleset and defining them allow
to get almost all rules of ruleset loaded.
 8 years ago
Eric Leblond eb70b1e195 detect-asn1: fix memory leak 8 years ago
Eric Leblond 170591a0b1 util-print: add 0 at end of buffer 
Add a 0 at the end of the printed buffer to be sure we terminate
with a 0 to avoid problem when calling strlen().
 8 years ago
Victor Julien d61fa0c43c tunnel: refactor tunnel verdict handling 
Observed:

STARTTLS creates 2 pseudo packets which are tied to a real packet.
TPR (tunnel packet ref) counter increased to 2.

Pseudo 1: goes through 'verdict', increments 'ready to verdict' to 1.
Packet pool return code frees this packet and decrements TPR in root
to 1. RTV counter not changed. So both are now 1.

Pseudo 2: verdict code sees RTV == TPR, so verdict is set based on
pseudo packet. This is too soon. Packet pool return code frees this
packet and decrements TPR in root to 0.

Real packet: TRP is 0 so set verdict on this packet. As verdict was
already set, NFQ reports an issue.

The decrementing of TPR doesn't seem to make sense as RTV is not
updated.

Solution:

This patch refactors the ref count and verdict count logic. The beef
is now handled in the generic function TmqhOutputPacketpool(). NFQ
and IPFW call a utility function VerdictTunnelPacket to see if they
need to verdict a packet.

Remove some unused macro's for managing these counters.
 8 years ago
Victor Julien 7c119cc595 nfs: log number of chunks that xfer'd a file 8 years ago
Victor Julien ed706583e9 nfs: add nfs to alerts 
Also add a single 'applayer' option for alert augmentation that
applies to all app-layers.
 8 years ago
Victor Julien e8dae2e093 nfs: add to fileinfo events 8 years ago
Victor Julien db2d928151 rust/nfs: add (file)handle to log as crc32 8 years ago
Jason Ish 671e39642c travis: set dist to trusty (Ubuntu 14.04). 
The default is still 12.04 which is EOL.
 8 years ago
Jason Ish 829155b9d5 rust/dns: pass byte arrays directly to rust/json 
Using the json.set_string_from_bytes which will
safely convert the bytes printable ascii string
before logging.
 8 years ago
Jason Ish 96cc503026 rust/lua: use lua_pushlstring for strings 
Lua strings can contain NULLs, and Rust strings are UTF8 which
can also contain NULLs. Use pushlstring so a NULL containing
string can be pushed.
 8 years ago
Jason Ish 6dbc5be4be rust/json: only output printable characters 
Rust strings are UTF8 and we cannot yet rely on jansson
having json_stringn on all supported OS distributions yet
so sanitize strings to ascii before printing.

Also add set_string_from_bytes which is like set_string, but
accepts a byte array as input.
 8 years ago
Victor Julien becf1a2dfe rust/nfs: fix style warning 8 years ago
Victor Julien e0c6565e68 nfs: nfs_version keyword 
Store nfs version in tx and add keyword to match on it.
 8 years ago
Victor Julien aff576b524 eve/nfs: log nfs version 8 years ago
Victor Julien 0d79181d78 nfs: rename nfs3 to nfs 
Since the parser now also does nfs2, the name nfs3 became confusing.
As it's still in beta, we can rename so this patch renames all 'nfs3'
logic to simply 'nfs'.
 8 years ago
Victor Julien 28cdf7b628 nfs3: create file tx for read on request 
This is done so that we can add creds to it.
 8 years ago
Victor Julien 7e0d9619ac nfs3: add readdirplus path 8 years ago
Victor Julien 41376da03c nfs: log more rpc 8 years ago
Victor Julien 9edbb6f235 nfs: split record parsers into different files 8 years ago
Victor Julien 25edac7666 nfs3: fill bytes corner case 8 years ago
Victor Julien 2a29f79960 nfs: fix rust data type declaration 8 years ago
Victor Julien 5153271b87 nfs2: basic record parsing and tracking 8 years ago
Victor Julien c7e10c73f9 nfs3: support NFS over UDP 8 years ago
Victor Julien d9f87cec3d nfs3: probing parsers in both directions 8 years ago
Victor Julien 8fe32f943b nfs3: search for next record if needed after GAP 8 years ago
Victor Julien 58af39131f rust/nfs: handle GAPs 
In normal records it will try to continue parsing.

GAP 'data' will be passed to file api as '0's. New call is used
so that the file API does know it is dealing with a GAP. Such
files are flagged as truncated at the end of the file and no
checksums are calculated.
 8 years ago
Victor Julien a116c16019 nfs3: parse mkdir and rmdir request records 8 years ago
Victor Julien 1a2985ed76 app-layer: remove checks 
Now that app-layer parser registrations are validated at startup,
a number of runtime checks are no longer necessary. So remove them.
 8 years ago
Victor Julien e930513125 app-layer: detect state registrations are mandatory 8 years ago
Victor Julien ed172985ca app-layer: validate registration 8 years ago
Victor Julien d090cd2edf dcerpc/udp: add missing tx support 8 years ago
Jason Ish 6bddc4d3e0 python: use python path found during configure 
Also look for Python under more names. For example, on OpenBSD
if you just install Python 2, you will only get a python2.7
executable.
 8 years ago
Selivanov Pavel 5162b58260 Fixed small typo: double sudo 8 years ago
Jason Ish 30be9f0b5d stream: don't do protocol detection on gap 
A gap notification has no data.

Also, break out the gap handling into its own code block to
simplify the conditional statements.
 8 years ago
Victor Julien b582cdef31 hyperscan: unittests compiler warning fixes 8 years ago
Jason Ish c473c56eed rust/dns: fix panic on rrnames with bad chars 
Check for erros in the UTF-8 conversion, on error, print the
the printable chars as chars, and print non printable chars
as \xHEX.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2148
 8 years ago
Jason Ish ecc63481c6 rust/dns: fix tcp message length verification 
And add Rust unit tests to check length validation.

Redmine issue 2144:
https://redmine.openinfosecfoundation.org/issues/2144
 8 years ago
Eric Leblond 26eb49d721 bypass: add explicit flag in stream engine 
TCP reassembly is now deactivated more frequently and triggering a
bypass on it is resulting in missing some alerts due forgetting
about packet based signature.

So this patch is introducing a dedicated flag that can be set in
the app layer and transmitted in the streaming to trigger bypass.

It is currently used by the SSL app layer to trigger bypass when
the stream becomes encrypted.
 8 years ago
Jason Ish 70808a4f1d rust/dns: support gaps in TCP DNS 8 years ago
Jason Ish f1ba406d39 travis: add rust 1.7.0 build 
One build with Rust 1.7.0, our oldest that we'll support as its
whats bundled with Ubuntu 16.04. Create another build that will use
the latest stable.
 8 years ago
Jason Ish 4bdb722371 rust/dns: fix unit tests on Rust 1.7.0 8 years ago
Jason Ish 2aebfbce94 rust/dns: support txt records 8 years ago
Jason Ish 26914cd59a rust/dns: copy over dns unit tests 
Only the tests that make sense were copied over, those testing
correlation of responses to requests were not.

Also, remove compiler warning when not built with
unit tests.
 8 years ago
Jason Ish fafa75035f rust: don't fail distcheck if cargo-vendor not found 
Allow distcheck to pass if cargo vendor is not found by not
failing out. It is not required to successfully build a dist
tarball, the Rust sources will just not be vendored in.

Also don't fail out make dist if Python is not installed. A build
will still be successful is Python is available on the end
build system.
 8 years ago
Eric Leblond 5be44eb500 output-json-alert: don't decref used object 
In the unlikely case of a allocation error we will still use the
existing object so it should not be decref and freed.
 8 years ago
Eric Leblond f4374ffd0b doc: some more info about alert format 8 years ago
Eric Leblond f5ad6a2095 doc: document target keyword 8 years ago
Eric Leblond 0c3a3101b1 alert-prelude: correctly set Source and Target 
IDMEF alert contains two entities named Source and Target that are
defined using common language:
* "The Source class contains information about the possible source(s) of
   the event(s) that generated an alert."
* "The Target class contains information about the possible target(s) of
   the event(s) that generated an alert."

Previous alerts event were not following that so we can updated the code
when we know the direction thanks to the metadata field.
 8 years ago
Eric Leblond f0e8062b2b alert-prelude: fix warnings on callback type 8 years ago