aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
8,928 Commits
7 Branches
155 Tags
195 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7ce77f9351'
${ noResults }
Commit Graph

8928 Commits (7ce77f93515c60949394c2a0e735a92dd2404d31)
 

Author SHA1 Message Date
Eric Leblond 72c8cd67d5 doc: documentation update on metadata 7 years ago
Eric Leblond 9864552484 detect-metadata: add a string storage to de_ctx 
To avoid to have a lot of string allocations, we use a hash table
stored in de_ctx to point to existing string instead of duplicating
them.
 7 years ago
Eric Leblond 3a2431a2fb suricata: init output before detection 
As we need to know if we should parse the signature metadata, we
have to parse the output configuration before initializing the
detection engine.
 7 years ago
Eric Leblond 6bf00ab289 output-json-alert: conditionaly output metadata 
Metadata of the signature can now conditionaly put in the alert
events. This will allow user to get more context about the events
generated by the alert.

detect-metadata: conditional parsing

Only parses metadata if an output module will use the information.
Patch also adds a unittest to check metadata is not parsed if not
asked to.

output-json-alert: optional output keys as array

Update rule metadata configuration to have an option to output
value as array. Also adds an option to log only a series of keys
as array. This is useful in the case of some ruleset where from
instance the `tag` key is used multiple time.

(Jason Ish) rule metadata: always log as lists

After review of rule metadata, we can't make assumptions
on what should be a list or not. So log everything as a list.
 7 years ago
Eric Leblond 1bd6d1c209 detect-metadata: add unit test 7 years ago
Eric Leblond 474fc60671 detect-metadata: store metadata key value pairs 
This patch updates the Signature structure so it contains the
metadata under a key value form.
Later patch will make that dictionary available in the events.
 7 years ago
Victor Julien d0ea147263 travis/rust: update rust minimum to 1.21 
Ubuntu LTS and CentOS7/EPEL has upgraded to 1.21.

Update highest known working version to 1.23.
 7 years ago
Victor Julien 6f7e24d3f2 autogen/rust: remove Cargo.lock 
Remove Cargo.lock to avoid issues when updating Cargo.toml
 7 years ago
Victor Julien 6e82df274d rust: update dependencies 7 years ago
Victor Julien dfae3297a5 rust: don't gen C headers if Rust isn't enabled 7 years ago
Jason Ish ab939f4aaa doc: breakout eve-log section to a partial file 
Both the suricata.yaml and eve configuration sections
included the eve-log section from suricata.yaml. First,
sync these up with the actual suricata.yaml then break
it out into its own file, so only one file needs to
be kept in sync with the actual configuration file.
 7 years ago
Jason Ish 93b056d89e eve/alert: log metadata be default 
By default log metadata.

Remove toggles for individual protocol types and just use a
single toggle to control including the app-layer with the
alert.

The metadata (currently app-layer and flow) can be disabled
by setting metadata to a falsey value, but its removed
from the default configuration (but wil be in docs)
 7 years ago
Jason Ish b659222ea0 eve/metadata: log flowvars as a list of k/v pairs 
To match the pktvars output.
 7 years ago
Jason Ish 1f47f77bd5 eve/metadata: special handling for traffic-id labels 
Give traffic/id and traffic/label flowbits special handling
in the eve output. Instead of just logging them as flowbits,
give them their own top level object.

{
  "traffic": {
    "id": ["id0", "id1"],
    "label": ["label0", "label1"]
  }
}
 7 years ago
Jason Ish 0e02684634 doc: update eve-log section for metadata 7 years ago
Jason Ish 572a62f35a output-json-vars: rename to metadata 
No functional change, just rename of files and functions
to reflect the metadata event type now used.
 7 years ago
Jason Ish 34811cf69e json-vars: rename to metadata and use new metadata format 7 years ago
Jason Ish a23d54ce3e eve: netflow: global metadata config 7 years ago
Jason Ish 3eaca7c239 eve: http: global metadata config 7 years ago
Jason Ish 790ce3743b eve: flow: global metadata config 7 years ago
Jason Ish 23bbbc5818 eve: dns: global metadata config 7 years ago
Jason Ish 4a05160353 eve: alert: global metadata config 
Also, remove vars as a subtype. Adding the top level metadata
field is an eve lebel parameter, not alert now.
 7 years ago
Jason Ish 5da5fc1f7d eve: drop: global metadata config 7 years ago
Jason Ish 2247b9aad2 eve: email: respect global metadata config 7 years ago
Jason Ish 885452fc22 eve: nfs: respect global metadata config 7 years ago
Jason Ish b577f4a0c9 eve: smtp: respect global metadata config 7 years ago
Jason Ish 7f5439a300 eve: dnp3: respect global metadata config 7 years ago
Jason Ish 32da579239 eve: ssh: respect global metadata config 7 years ago
Jason Ish 88ac0f2b1a eve: tls: respect global metadata config 7 years ago
Jason Ish dd988d9934 eve: metadata setting to enable/disable metadata 
This is a top level metadata object containing flowbits,
flowints, pktvars and flowvars.

Enabling it at the top level enables it for all log types.
 7 years ago
Jason Ish 5138f99c58 eve: top level metadata object 
Contains:
- flowbits (as array)
- flowints (map)
- flowvars (map)
- pktvars (map)
 7 years ago
Victor Julien 6f339abdf0 htp: minor debug addition 7 years ago
Victor Julien e86be22737 htp: remove unused field from tx state 7 years ago
Victor Julien c63b1ce2c6 htp: remove used body operation field 7 years ago
Victor Julien 07cbbfb0d1 htp: code cleanups 7 years ago
Victor Julien 9ca71beb03 htp: remove usused file flags 7 years ago
Victor Julien daeba48f77 htp: remove usused flags 7 years ago
Victor Julien c0d26de665 stream: improve overlap detection 
Improve detection of overlapping different data. Keep some data around
even if it was already ACK'd to check if packets have overlap.
 7 years ago
Victor Julien e64941144e htp: allow HTTP pickup of response data 
Now that libhtp can pick up sessions that start with a response
we can enable support for it as well.
 7 years ago
Victor Julien 49927024c6 http: add tests for malformed response lines 7 years ago
Victor Julien ca67408e79 stream: set event for suspected data injection during 3whs 
This rule will match on the STREAM_3WHS_ACK_DATA_INJECT, that is
set if we're:
- in IPS mode
- get a data packet from the server
- that matches the exact SEQ/ACK expectations for the 3whs

The action of the rule is set to drop as the stream engine will drop.
So the rule action is actually not needed, but for consistency it
is drop.
 7 years ago
Victor Julien d1adf5f7e9 stream: handle data on incomplete 3whs 
If we have only seen the SYN and SYN/ACK of the 3whs, accept from
server data if it perfectly matches the SEQ/ACK expectations. This
might happen in 2 scenarios:

1. packet loss: if we lost the final ACK, we may get data that fits
   this pattern (e.g. a SMTP EHLO message).

2. MOTS/MITM packet injection: an attacker can send a data packet
   together with its SYN/ACK packet. The client due to timing almost
   certainly gets the SYN/ACK before considering the data packet,
   and will respond with the final ACK before processing the data
   packet.

In IDS mode we will accept the data packet and rely on the reassembly
engine to warn us if the packet was indeed injected.

In IPS mode we will drop the packet. In the packet loss case we will
rely on retransmissions to get the session back up and running. For
the injection case we blocked this injection attempt.
 7 years ago
Victor Julien e1ef57c848 stream: still inspect packets dropped by stream 
The detect engine would bypass packets that are set as dropped. This
seems sane, as these packets are going to be dropped anyway.

However, it lead to the following corner case: stream events that
triggered the drop could not be matched on the rules. The packet
with the event wouldn't make it to the detect engine due to the bypass.

This patch changes the logic to not bypass DROP packets anymore.
Packets that are dropped by the stream engine will set the no payload
inspection flag, so avoid needless cost.
 7 years ago
Victor Julien 700781c53b enip: support gaps 
Due to a bug in the GAP handling the TCP layer the parser would already
get data after GAPs before.
 7 years ago
Victor Julien 89dc05d4a6 stream/app-layer: fix GAP handling issue 
Fix case where data after GAP was processed as in order data by app-layer.
This happened even if protocol parser did not register to accept GAPs.
 7 years ago
Victor Julien 251156e253 pcre: don't leak memory in data extraction 7 years ago
Pascal Delalande 80f2fbac6e rust/tftp: eve logging with rust 7 years ago
Clement Galland b9cf49e933 rust/tftp: add tftp parsing and logging 
TFTP parsing and logging written in Rust.
Log on eve.json the type of request (read or write), the name of the file and
the mode.

Example of output:
    "tftp":{"packet":"read","file":"rfc1350.txt","mode":"octet"}
 7 years ago
Pascal Delalande 0ff60f65ec doc: update filestore for file hash extraction 
Update for extraction based on md5, sha1 and sha256
 7 years ago
Victor Julien e8939335ea rust/nfs: explicitly handle GAPs from C 
It seems that Rust optimizes this code in such a way that it
passes the null ptr along as real data.

    if buf.as_ptr().is_null() && input_len > 0 {
 7 years ago