Juliana Fajardini
21b13c5d2f
decode/ipv6: actually set ipv6 pkt too small event
...
The event exists, but it was never set.
Disabled the existing rule, to avoid flooding.
Bug #7963
2 months ago
Fupeng Zhao
e79d735374
decode/etag: ETag 802.1BR decoder
...
Ticket: #3953.
2 months ago
Jason Ish
d78f2c9a4e
af-packet: add event for packets truncated by af-packet
...
Ticket: #7458
8 months ago
Jeff Lucovsky
123b36b9f5
decode/ethertype: Event on unknown ethertype
...
Issue: 7129
Create a decode/engine event if unknown ethertypes are observed.
10 months ago
Victor Julien
d936a970ed
rules: spelling
3 years ago
Victor Julien
0303bb1f9c
decoder: mention removal of udp.hlen_invalid sig
3 years ago
Shivani Bhardwaj
487f59df4c
rules/decoder: fix sid for udp.len_invalid rule
3 years ago
Shivani Bhardwaj
b5b05b8fce
rules/decoder: add udp.len_invalid rule
3 years ago
Lukas Sismis
d18e52ed93
decode-udp: Allow shorter UDP packets than the remaining payload length
...
If the packet is shorter than IP payload length we no longer flag it as an
invalid UDP packet. A UDP packet can therefore be shorter than the IP payload.
Keyword "udp.hlen_invalid" became outdated as we no longer flag short UDP
packets as invalid.
Redmine ticket: #5693
3 years ago
Philippe Antoine
e1c0725e05
doc: fix typo lenght/length
4 years ago
Philippe Antoine
ca760e305c
ipv6: decoder event on invalid length
...
From RFC 2460, section 4.5,
each fragment, except the last one, must have a length
which is a multiple of 8
4 years ago
Jeff Lucovsky
1ddad0a0d6
decode/events: VNTAG decoder events
5 years ago
Philippe Antoine
7500c29300
decode: limits the number of decoded layers
...
so as to avoid overrecursion leading to stack exhaustion
5 years ago
Victor Julien
328a94206e
decode/hdlc: initial support
6 years ago
Jason Ish
275e8f280d
rules: add mpls packet too small decoder rule
7 years ago
Victor Julien
fa2ce043cf
ipv6: disable zero len padN rule by default
7 years ago
Victor Julien
d5f7acd860
decoder: implement IEEE802.1AH
8 years ago
Andreas Herz
2aad2d605d
rules: add missing classtypes for event.rules
9 years ago
Jason Ish
b454aa46c6
defrag: use frag_pkt_too_large instead of frag_too_large
...
The rules were using the wrong decoder event type, which was
only set in the unlikely event of a complete overlap, which
really had nothing to do with being too large.
Remove FRAG_TOO_LARGE as it's no longer being used, an overlap
event is already set in the case where this event would be set.
9 years ago
Victor Julien
82282a9e68
mpls: add missing event type + rule
9 years ago
Jason Ish
95015a3f6d
decode: support Cisco Fabric Path / DCE
...
Cisco Fabric Path is ethernet wrapped in an ethernet like header
with 2 extra bytes. The ethernet type is in the same location
so the ethernet decoder can be used with some validation
for the extra length.
9 years ago
Eric Leblond
ab3aed7d25
decode: update icmpv6 message handling
...
This patch adds two new events relative to icmpv6. One for packets
using unassigned icmpv6 type. The second one for packets using
private experimentation type.
Icmpv6 type table taken from http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2
10 years ago
Victor Julien
928957f0a3
decode: add ERSPANv1 decoder
...
Only allow v1 to be parsed as that's what is tested.
Take vlan_id from the ERSPAN layer.
11 years ago
Victor Julien
04ccfda639
pcap: implement LINKTYPE_NULL
...
Implement LINKTYPE_NULL for pcap live and pcap file.
From: http://www.tcpdump.org/linktypes.html
"BSD loopback encapsulation; the link layer header is a 4-byte field,
in host byte order, containing a PF_ value from socket.h for the
network-layer protocol of the packet.
Note that ``host byte order'' is the byte order of the machine on
which the packets are captured, and the PF_ values are for the OS
of the machine on which the packets are captured; if a live capture
is being done, ``host byte order'' is the byte order of the machine
capturing the packets, and the PF_ values are those of the OS of
the machine capturing the packets, but if a ``savefile'' is being
read, the byte order and PF_ values are not necessarily those of
the machine reading the capture file."
Feature ticket #1445
11 years ago
Victor Julien
0bb2b15491
ipv6: check for MLD messages with HL not 1
...
MLD messages should have a hop limit of 1 only. All others are invalid.
Written at MLD talk of Enno Rey, Antonios Atlasis & Jayson Salazar during
Deepsec 2014.
11 years ago
Jason Ish
55c45ac91d
Fix MPLS decoder rules.
11 years ago
Jason Ish
65f40cbeaa
Don't default to ethernet, ethernet should be preceded by a pseudowire.
...
If the payload type can't be determined, raise an alert.
11 years ago
Jason Ish
348b0e0e9f
Set decoder events for labels that shouldn't be seen on the wire.
...
Add unit tests to test for mpls decoder events.
11 years ago
Victor Julien
7c05685421
ipv6: set event on unsupported nh
...
If a next header / protocol is encountered that we can't handle (yet)
set an event. Disabled the rule by default.
decode-event:ipv6.unknown_next_header;
11 years ago
Victor Julien
bbcdb657da
ipv6: more robust ipv6 exthdr handling
...
Skip past Shim6, HIP and Mobility header.
Detect data after 'none' header.
decode-event:ipv6.data_after_none_header;
11 years ago
Victor Julien
938602c55e
ipv6: detect frag header reserved field non-zero
...
Frag Header length field is reserved, and should be set to 0.
decode-event:ipv6.fh_non_zero_reserved_field;
11 years ago
Victor Julien
8c19e5ff63
ipv6: make exthdr parsing more robust
...
Improve data length checks. Detect PadN option with 0 length.
11 years ago
Victor Julien
abee95ca4f
ipv6: set flag on type 0 routing header
...
Type 0 Routing headers are deprecated per RFC 5095.
This patch sets a decode event flag that can be matched on through:
decode-event:ipv6.rh_type_0;
11 years ago
Victor Julien
fdca557e01
ipv4 decoder: set 'invalid' event on icmpv6
...
ICMPv6 on IPv4 is invalid, so if we encounter this we set an event
and flag the packet as invalid.
Ticket #1105.
12 years ago
Victor Julien
fb16cf1a5a
vlan: add rule for new 'too many layers' event
12 years ago
Victor Julien
1eed3f2233
ipv6: add event for ipv6 packet with icmpv4 header
13 years ago
Victor Julien
150b0c5ae0
ipv6: add option to detect HOP/DST headers with only padding. Detect unknown DST/HOP opts.
13 years ago
Eric Leblond
def0270de7
decode: decode IPv6-in-IPv6
...
This patch adds decoding of IPv6-in-IPv6. It also adds some events
for invalid packets.
This patch should fix #514.
13 years ago
Eric Leblond
09fa0b9542
Add support for IPv4-in-IPv6
...
This patch adds support for IPv4-in-IPv6 and should fix #462.
13 years ago
Victor Julien
b976ff228a
ipv6: fix an AH header parsing issue. Add decoder event for non-null reserved fields.
14 years ago
Victor Julien
374947c354
ipv6: properly deal with packets containing a FH header that has offset 0 and no more frags flag set.
14 years ago
Victor Julien
fd4e1460cf
Add checksum validation rules to decoder events rules.
14 years ago
Victor Julien
d9ad1b00b3
Clean up SID allocation for decoder and stream rules.
14 years ago
Victor Julien
83c3f15812
Minor fixes in defrag engine, shrink DefragTracker_ structure.
15 years ago
Jason Ish
0385f72669
Use separate frag decoder events for IPv4 and IPv6.
15 years ago
Jason Ish
de1c40c44f
Set decoder event on fragment overlaps.
15 years ago
Jason Ish
6da9c64a28
Set decoder event when re-assembled fragments would exceed max IP packet size.
15 years ago
Victor Julien
6a048f2d69
Include initial version of decoder-event rules.
15 years ago