Commit Graph

136 Commits (8d62ca8fb0cb2bfb34c6b6fdfbbe1b75ae710777)

Author SHA1 Message Date
Philippe Antoine e029f80af2 mqtt: limits the number of active transactions per flow
Ticket: 4530

So that we do not get DoS by quadratic complexity, while
looking for a new pkt_id over the ever growing list
of active transactions

(cherry picked from commit a8079dc978)
4 years ago
Philippe Antoine eccedfb225 ssh: install app-layer events rules
(cherry picked from commit acbe6a33a2)
4 years ago
Victor Julien 20b379d92a smb: fix read queue exceeded event and rules 4 years ago
Victor Julien 4d53fa78e5 smb/rules: add rules for new events
(cherry picked from commit b0354437d5)
4 years ago
Sascha Steinbiss 084b16a63b mqtt: raise event on parse error 4 years ago
Jason Ish fca9c69bc7 smb: rules for messages in the wrong direction
(cherry picked from commit 1e65324940)
4 years ago
Philippe Antoine ff46cd66b7 tcp: rejects FIN+SYN packets as invalid
Ticket: #4569

If a FIN+SYN packet is sent, the destination may keep the
connection alive instead of starting to close it.
In this case, a later SYN packet will be ignored by the
destination.

Previously, Suricata considered this a session reuse, and thus
used the sequence number of the last SYN packet, instead of
using the one of the live connection, leading to evasion.

This commit errors on FIN+SYN so that they do not get
processed as regular FIN packets.

(cherry picked from commit 6cb6225b28)
4 years ago
Andreas Herz 88878f3d09 rules: add newer rule files to makefile for release tarball
(cherry picked from commit c93073c246)
5 years ago
Philippe Antoine b82f337317 ipv6: decoder event on invalid length
From RFC 2460, section 4.5,
each fragment, except the last one, must have a length
which is a multiple of 8

(cherry picked from commit ca760e305c)
5 years ago
Philippe Antoine 899a9b8e17 http2: decompression for files
gzip and brotli decompression for files

(cherry picked from commit d861228214)
5 years ago
Jeff Lucovsky 4c07af4450 decode/events: VNTAG decoder events
(cherry picked from commit 1ddad0a0d6)
5 years ago
Philippe Antoine 82a8124f58 decode: limits the number of decoded layers
so as to avoid overrecursion leading to stack exhaustion

(cherry picked from commit 7500c29300)
5 years ago
Jason Ish 8bd68478a4 rules/mqtt: renumber mqtt events to avoid conflict with ssh
Both SSH and MQTT events were in the 2228000 range. As SSH was
added first, renumber MQTT events into the 2229000 range which is
free.
5 years ago
Philippe Antoine caa7946888 smb: adds file overlap event against evasions
Evasion scenario is
- a first dummy write of one byte at offset 0 is done
- the second full write of EICAR at offset 0 is then done
and does not trigger detection

The last write had the final value, and as we cannot "cancel"
the previous write, we set an event which is then transformed into
an app-layer decoder alert
6 years ago
Jason Ish 2b1bbd08a3 rules/tls: sync with changes to the TLS events
Sync rules with event changes in commit
01aef49cbd.
6 years ago
Philippe Antoine 6694737fcf http2: settings from http1 upgrade 6 years ago
Philippe Antoine 1422b18a99 http2: initial support 6 years ago
Sascha Steinbiss c31360070b rust/mqtt: add MQTT parser 6 years ago
Philippe Antoine 5a98035bac rules: add SSH decoder events rules 6 years ago
Philippe Antoine 053c728871 http: adds debug check against too many warnings 6 years ago
Victor Julien 328a94206e decode/hdlc: initial support 6 years ago
Jason Ish ca5a3f0f04 dns: cleanup: remove unused events
Removed events that are no longer used since the Rust
implementation of DNS:
- UnsolicitedResponse
- StateMemCapReached
- Flooded
6 years ago
Jeff Lucovsky 130b8d26e7 smtp/mime: Set event when name exceeds limit 6 years ago
William Stearns 7e47fc58af rules: fix files.rules typo 6 years ago
Philippe Antoine af4f816204 http: sets compression bomb limit 7 years ago
Philippe Antoine 9cbf9ef7a4 HTTP new parser warning for Ambiguous C-L 7 years ago
Victor Julien c9c23d5cda htp: set lzma memlimit from config 7 years ago
Jason Ish e3cfc9fc4b rules: install dhcp-events.rules; order alphabetically
Add dhcp-events.rules to Makefile.am so it gets installed.

Also order the rule files alphabetically for easier review.
7 years ago
Philippe Antoine b5f3e03209 New app layer event for invalid http request line
Handles logs from libhtp even in case of error
7 years ago
Philippe Antoine 8a339e73d3 http: adds an event for double encoded uri 7 years ago
Philippe Antoine 3e12066819 http: adds events for each libhtp log
Fixes #997
7 years ago
Philippe Antoine b6b7778e2d http: adds event for header repetition 7 years ago
Jason Ish 275e8f280d rules: add mpls packet too small decoder rule 7 years ago
Philippe Antoine a1c6e091ac http: new event for auth unrecognized
activates libhtp auth parsing
Fixes #984
7 years ago
Pierre Chifflier 27b0775d27 rules: fix event names for ikev2 (weak authentication and DH parameters) 7 years ago
Victor Julien fa2ce043cf ipv6: disable zero len padN rule by default 8 years ago
Victor Julien 631ee383bb flow/stream: 'wrong thread' as stream event & counter
Set event at most once per flow, for the first 'wrong' packet.

Add 'tcp.pkt_on_wrong_thread' counter. This is incremented for each
'wrong' packet. Note that the first packet for a flow determines
what thread is 'correct'.
8 years ago
Victor Julien 17ced4fb7f smb: add smb-events.rules to dist 8 years ago
Victor Julien 843d0b7a10 stream: support RST getting lost/ignored
In case of a valid RST on a SYN, the state is switched to 'TCP_CLOSED'.
However, the target of the RST may not have received it, or may not
have accepted it. Also, the RST may have been injected, so the supposed
sender may not actually be aware of the RST that was sent in its name.

In this case the previous behavior was to switch the state to CLOSED and
accept no further TCP updates or stream reassembly.

This patch changes this. It still switches the state to CLOSED, as this
is by far the most likely to be correct. However, it will reconsider
the state if the receiver continues to talk.

To do this on each state change the previous state will be recorded in
TcpSession::pstate. If a non-RST packet is received after a RST, this
TcpSession::pstate is used to try to continue the conversation.

If the (supposed) sender of the RST is also continuing the conversation
as normal, it's highly likely it didn't send the RST. In this case
a stream event is generated.

Ticket: #2501

Reported-By: Kirill Shipulin
8 years ago
Victor Julien d0cded2523 http: set events for too many layers of compression
libhtp would already issue warnings, but these were not mapped
to events yet.
8 years ago
Jason Ish c052e23348 dhcp: add dhcp app-layer rules file 8 years ago
Pierre Chifflier 5037051161 Kerberos 5: rename weak crypto to weak encryption, and log it 8 years ago
Pierre Chifflier 6ae53a1869 Add event rules for Kerberos 5 8 years ago
Jason Ish 7bf490062c rules: install to $datadir/suricata/rules
Common /usr/share/suricata/rules or /usr/local/share/suricata/rules.

The rules provided by the distribution are installed here as part
of the Suricata install process so will always be installed, even
without the use of install-rules.
8 years ago
Pascal Delalande e3c5784dd5 doc: minor updates (tls custom, TODO removal, ftp/smb file rules) 8 years ago
Pierre Chifflier d16397ce61 Add rules for IKEv2 events 8 years ago
Victor Julien 1d4aac1d4d smb1: set event on empty/malformed dialect 8 years ago
Victor Julien 75d7c9d64a rust/smb: initial support
Implement SMB app-layer parser for SMB1/2/3. Features:
- file extraction
- eve logging
- existing dce keyword support
- smb_share/smb_named_pipe keyword support (stickybuffers)
- auth meta data extraction (ntlmssp, kerberos5)
8 years ago
Victor Julien ca67408e79 stream: set event for suspected data injection during 3whs
This rule will match on the STREAM_3WHS_ACK_DATA_INJECT, that is
set if we're:
- in IPS mode
- get a data packet from the server
- that matches the exact SEQ/ACK expectations for the 3whs

The action of the rule is set to drop as the stream engine will drop.
So the rule action is actually not needed, but for consistency it
is drop.
8 years ago
Pascal Delalande 0ff60f65ec doc: update filestore for file hash extraction
Update for extraction based on md5, sha1 and sha256
8 years ago