aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
11,037 Commits
8 Branches
163 Tags
188 MiB
main
main-7.0.x
main-8.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7d22993a8f'
${ noResults }
Commit Graph

11037 Commits (7d22993a8f30728ba4ed842f8438e08ac0f55721)
 

Author SHA1 Message Date
Eric Leblond fcfeeeb694 app-layer-expectation: update copyright date 6 years ago
Eric Leblond 1ddd77fae0 app-layer-expectation: clean expectation at flow end 
When a flow timeout, we can have still existing expectations that
are linked to this flow. Given that there is a delay between the
real ending of the flow and its destruction by Suricata, the
expectation should be already honored so we can assume the risk
to clean the expectations that have been triggered by the
to-be-deleted flow.
 6 years ago
Eric Leblond 6c9d1c0861 app-layer-expectation: limit number of expectations 
This patch introduces a limitation in term of number of
expectations attached to one IPPair. This is done using
a circle list so we have a FIFO approach on expectation
handling.

Circleq list code is copied from BSD code like was pre existing code
in queue.h.
 6 years ago
Eric Leblond 03e4bfeb02 app-layer-expectation: remove unused parameter 6 years ago
Jeff Lucovsky 0ae6b0b250 tests/bsize: Fuzzing test case added 
This commit adds a test case to validate the issue found during fuzz
testing.
 6 years ago
Jeff Lucovsky 5b38bc9894 detect/bsize: Ensure numeric values fit 
This commit ensures that the numeric values will not exceed the size of
the containers used to hold them.
 6 years ago
Victor Julien 095981cb2a detect/parse: fix crash on 'internal' keyword use 
When keyword __flowvar__postmatch__, an internal keyword, is used
in a rule the 'Setup' func ptr will be NULL. This caused a crash.
 6 years ago
Victor Julien 1e71eecf47 fuzz/siginit: fix leak in case of bidir sig 6 years ago
Victor Julien 5430141f7a fuzz/siginit: minor improvements 
Enable detect engine 'quiet' mode to generate less output.

Set a fake filename so that datarep doesn't hit a reachable assert.
 6 years ago
Victor Julien 13c9d0ca7e detect/pkt_data: error on unconsumed transforms 
If a rule has transforms w/o consuming them (e.g. a content keyword),
don't consider 'pkt_data' valid.
 6 years ago
Victor Julien e1c474a1b0 detect/pkt_data: code and test cleanup 6 years ago
Victor Julien 7f19da1cc0 detect: more robust against transform issues 
In case of transform issues (transform not consumed before pkt_data
for example), the code would hit an ugly BUG_ON.

Address this by a more graceful error message, that will still
invalidate the sig but not crash the engine.
 6 years ago
Sascha Steinbiss 713c379427 rfb: make sure size calculations do not overflow 
Addresses #3570 by extra checking of calculated size requests.

With the given input, the parser eventually arrived at
parser::parse_failure_reason() which parsed from the remaining four
bytes (describing the string length) that the failure string to follow
would be 4294967295 bytes long. While calculating the total size of the
data to request via AppLayerResult::incomplete(), adding the four bytes
for the parsed but not consumed string length caused the u32 length to
overflow, resulting in a much smaller value triggering the bug condition.

This problem was addressed by more careful checking of values in each step
that could overflow: one subtraction, one addition (which could overflow
the usize length values), and a final check to determine whether the result
still fit into the u32 values required by AppLayerResult::incomplete().
If so, we would safely convert the values and pass them to the result type.
If not, we simply return AppLayerResult::err() but do not erroneously and
silently request the wrong amount.
 6 years ago
Jeff Lucovsky 2823bc5aed detect/tls: Use pcre_copy_substring to avoid leak 
This commit eliminates a memory leak while parsing TLS version
information. The leak was identified through fuzzing.
 6 years ago
Victor Julien 3d969a1c7d build: wrap fuzz targets in guard to fix 'make tags' 6 years ago
Victor Julien 8cbae1371f fuzz/sigpcap: fix FPs due to missing pkt cleanup 6 years ago
Victor Julien 1aaf9a80c5 decode/vxlan: minor yaml example clarrification 6 years ago
Victor Julien e97cdb48f3 decode/teredo: implement port support 
Implement support for limiting Teredo detection and decoding to specific
UDP ports, with 3544 as the default.

If no ports are specified, the old behaviour of detecting/decoding on any
port is still in place. This can also be forced by specifying 'any' as the
port setting.
 6 years ago
Shivani Bhardwaj 0e4f261224 Use StringParse* for all parsers and configurations 6 years ago
Shivani Bhardwaj c4c734541a Use appropriate ByteExtractString* functions 6 years ago
Shivani Bhardwaj 6b2c7d5be8 util: Add StringParse* functions 
StringParse* functions would perform a stricter check compared to
ByteExtractString* functions. These new functions shall also check if
any extra characters follow the extracted numeric value in addition to
the checks performed by ByteExtractString* and return -1 in that case.
This is particularly important in parser, configuration and setup functions.
 6 years ago
Philippe Antoine 293eebd999 fuzz: remove obsolete AFL code 6 years ago
Victor Julien 19fe8d9894 ci: add fuzztargets and afl build test 6 years ago
Philippe Antoine bf60959d84 fuzz: simpler way to force usage of CXX linker 6 years ago
Philippe Antoine 440bb4d600 fuzz: remove decodeder fuzz target 
As we removed decodeder function
 6 years ago
Philippe Antoine e15f3db474 configure: right test for AFLFUZZ_PERSISTANT_MODE 6 years ago
Philippe Antoine 66181ed2e4 ci: enables fuzz targets in one build 
github workflow wih debian
 6 years ago
Victor Julien e500c59b99 stream/tcp: fix STREAM_HAS_SEEN_DATA macro 
The macro would not return true for smaller TCP streams, leading to
cases where the app-layer was not notified of EOF.
 6 years ago
Victor Julien 1618fb1b97 stream/tcp: clean up stream flags 6 years ago
Pierre Chifflier 01aef49cbd rust/x509: map decoding errors to decoder events 6 years ago
Pierre Chifflier 333fcc43e7 ssl/tls: call rs_cstring_free for strings allocated in Rust 6 years ago
Pierre Chifflier 36d2e257c6 rust/x509: use the raw serial number so leading zeros are not removed 6 years ago
Pierre Chifflier 1d9f37a60e DER: remove the C parser for DER 6 years ago
Pierre Chifflier d92321d8b1 ssl/tls: use the rust decoder to decode X.509 certificates 6 years ago
Pierre Chifflier 10d9deec9f rust: add common function to exchange CString objects from/to C 6 years ago
Jeff Lucovsky e0bd79670c detect: byte-test convert neg_op flag to a bool 
Only 8 flags are permitted so convert one of them to a struct member. I
choose neg_op
 6 years ago
Jeff Lucovsky 313c23a26b detect: Add unittests to exercise bitmask 6 years ago
Jeff Lucovsky d12950c9e4 detect: fixup incorrect comments, indentation 6 years ago
Jeff Lucovsky 31ed9786f6 detect: byte_test impl for bitmask 
This commit implements byte_test's bitmask feature.
 6 years ago
Jeff Lucovsky 4ad6c5421a doc: fix documentation typos 6 years ago
Jeff Lucovsky bc01392e93 doc: Update byte_test documentation 6 years ago
Sascha Steinbiss 26123e05f2 rfb: use more idiomatic Rust code 
Using 'if let Some()...' makes the code in these many checks more
concise and readable.
 6 years ago
Victor Julien b85539b2ab stream/tcp: fix fast open off by one 
With data on SYN the sequence number used for the first data
was off by one, leading to the next segments to appear to come
after a one byte gap.
 6 years ago
Philippe Antoine f51d7d8947 fuzz: check tcp splitting evasions in protocol detection 6 years ago
Philippe Antoine 9eddaa038e fuzz: enable AFLFUZZ_PERSISTANT_MODE for libfuzzer targets 6 years ago
Philippe Antoine ac35118ebe fuzz: use env variable to restrict app layer 6 years ago
Philippe Antoine 600b0d7c55 fuzz: adds eight fuzz targets 
And ways to compile them with enable-fuzztargets at configure time
Adds utility function in util-unittest-helper
 6 years ago
Frank Honza 1c8943dedd add RFB parser 
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

 - rfb.name: Session name as sticky buffer
 - rfb.sectype: Security type, e.g. VNC-style challenge-response
 - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
 6 years ago
Victor Julien b4d75b7448 output/anomaly: minor code cleanups 6 years ago
Victor Julien 4d21b03575 detect/app-layer-event: code cleanups 6 years ago