Commit Graph

16167 Commits (910a5b226cc2807c26ea9f825c429b93c7f8442e)

Author SHA1 Message Date
Giuseppe Longo 910a5b226c rust/ldap: implement logger 8 months ago
Giuseppe Longo 93da339975 rust/ldap: implement app-layer 8 months ago
Giuseppe Longo ce7e190501 rust/ldap: implement types and filters
This implementation adds types and filters specified in the LDAP RFC to
work with the ldap_parser.
Although using the parser directly would be best, strange behavior has
been observed during transaction logging.
It appears that C pointers are being overwritten, leading to incorrect
output when LDAP fields are logged.
8 months ago
Philippe Antoine b8c12090f7 smtp: add port 465 for probing 8 months ago
Philippe Antoine eac9cd959f smtp: do not return error on NULL buffer for end of stream 8 months ago
Philippe Antoine e2d1d05878 smtp: recognize more reply codes
Ticket: 6821
8 months ago
Philippe Antoine 694b2797cd ftp: adds server side detection 8 months ago
Philippe Antoine cc3dde8ada smtp: adds server side detection
Ticket: #1125
8 months ago
mmaatuq 64d18e3cc2 imap: extend detection patterns
Ticket: #2886

Signed-off-by: mmaatuq <mahmoudmatook.mm@gmail.com>
8 months ago
Philippe Antoine bce8f4b853 detect/ssh: remove deprecated keywords
Ticket: 2377
8 months ago
Philippe Antoine 0a1062fad2 detect/mqtt: move keywords to rust
Ticket: 4863

On the way, convert some keywords to use the first-class integer
support.
And add helpers for multi-buffer support in pure rust.

Move the C unit tests about keyword mqtt.protocol_version
to unit tests for generic integer parsing, and test version 5
instead of testing twice version 3.

Also iterate all tx's messages for reason code as is done for other
keywords.

And allow detection on empty topics.
8 months ago
Philippe Antoine f4e7d1e217 detect: helper function for multibuffer registration
So that rust does not need to know about SIG_FLAG_TOCLIENT value
8 months ago
Philippe Antoine 4e074b8f38 output/alert: remove now unused include
Including the mqtt one, now that it is almost rust only
8 months ago
Philippe Antoine ad08309c75 mqtt: parse and store raw connect flags
for easier later matching
8 months ago
Philippe Antoine 9adf4224e4 rust/derive: string enumeration becomes case insensitive
As needed for MQTTTypeCode which accepts both CONNECT uppercase
and unassigned lowercase
8 months ago
Philippe Antoine 3c5ad7a23d rust/derive: transform all uppercase names the right way
So that MQTTTypeCode::CONNECT does not become c_o_n_n_e_c_t
8 months ago
Philippe Antoine daad7f2d41 detect/integers: harmonize parser return handling
Ticket: 7172

When parsing an integer for a rule keyword fails, we return an error
straight away, without bothering to try to free the NULL pointer.

On the way, remove some one-line wrappers around DetectUxParse
8 months ago
Jason Ish fcc1b1067b eve/dns: make version required
The "eve.version" field is not always logged. Update the schema to
enforce that it is, and fix it for records that don't log it.

Ticket: #7167
8 months ago
Jason Ish 6d5022cd1e github-ci: pf-ring build 8 months ago
Jason Ish 5f516c5896 doc: add pf-ring plugin upgrade notes
Ticket: #7162
8 months ago
Jason Ish 4d0e09c6b2 configure: fail on --enable-pfring and --disable-shared
Plugins can't be built using the standard autoconf/automake
methods. We can get around this by creating our own Makefiles, but
they're often less portable.

For now, fail during ./configure instead of during compile.
8 months ago
Jason Ish b318e78b3a pf-ring: bring back command line arguments
Bring back the pf-ring command line arguments, but instead of
initializing the pfring runmode, initialize the capture plugin runmode
with a plugin named "pfring".

Ticket: #7162
8 months ago
Jason Ish 1173bb788e .gitignore: globally ignore .la files
With automake and libraries, these files are creeping in.
8 months ago
Jason Ish 155501f250 pf-ring: load plugin by default
Ticket: #7162
8 months ago
Jason Ish 79df4b4c89 pf-ring: add as plugin
Ticket: #7162
8 months ago
Jason Ish c3092b6e5a pf-ring: remove, to make room for plugin
Ticket: #7162
8 months ago
Victor Julien 223a4194ea config: switch default config to IEEE 1541 notation 8 months ago
Victor Julien 342aec8f1c parse/size: support IEEE 1541 size units
Introduce KiB, MiB and GiB. They are case sensitive as a lower case 'b'
means bits in the IEEE 1541 scheme.

KiB = 1024
MiB = 1048576
GiB = 1073741824

Ticket: #1457.
8 months ago
Victor Julien 0e03691fdb parse/size: fix unit test checks 8 months ago
Jason Ish ca6e73830c suricata.yaml: set dns log version to 3; link to docs
Missed in the original PR, but update the commented-out version to
reflect the default, and add a link to the upgrade notes.
8 months ago
Victor Julien 855cc89636 profiling: allow absolute paths
Ticket #6490.
8 months ago
Victor Julien a404fd26af tcp: fix 'broken ack' on flow timeout
Don't set an ACK value if ACK flag is no longer set. This avoids a bogus
`pkt_broken_ack` event set.

Fixes: ebf465a11b ("tcp: do not assign TCP flags to pseudopackets")

Ticket: #7158.
8 months ago
Shivani Bhardwaj f2de3e01cb src: remove truncate fn and glue code
truncate fn is only active and used by dcerpc and smb parsers. In case
stream depth is reached for any side, truncate fn is supposed to set the
tx entity (request/response) in the same direction as complete so the
other side is not forever waiting for data.

However, whether the stream depth is reached is already checked by
AppLayerParserGetStateProgress fn which is called by:
- DetectTx
- DetectEngineInspectBufferGeneric
- AppLayerParserSetTransactionInspectId
- OutputTxLog
- AppLayerParserTransactionsCleanup

and, in such a case, StateGetProgressCompletionStatus is returned for
the respective direction. This fn, following efc9a7a, always returns 1
as long as the direction is valid meaning that the progress for the
current direction is marked complete. So, there is no need for the additional
callback to mark the entities as done in case of depth or a gap.
Remove all such glue code and callbacks for truncate fns.

Bug 7044
8 months ago
Shivani Bhardwaj 80159eb519 applayer: remove truncation logic
as its functionality is already covered by the generic code.
This removes the APP_LAYER_PARSER_TRUNC_TC and APP_LAYER_PARSER_TRUNC_TS
flags as well, as FlowGetDisruptionFlags sets the STREAM_DEPTH flag in case
the respective stream depth was reached. This flag tells whether
all the open files should be truncated or not.

Bug 7044
8 months ago
Philippe Antoine 090079cdd8 decode: fix -Wshorten-64-to-32 warnings
Ticket: #6186
8 months ago
Philippe Antoine eeb290384a flow: fix -Wshorten-64-to-32 warnings
Ticket: #6186
8 months ago
Philippe Antoine 9c0875b2a4 features: fix -Wshorten-64-to-32 warnings
Ticket: #6186
8 months ago
Philippe Antoine b5140c43ca counters: fix -Wshorten-64-to-32 warnings
Ticket: #6186
8 months ago
Philippe Antoine e0fd59a20d doc: state that payload-length includes the gaps 8 months ago
Philippe Antoine d28c646662 output/dcerpc: call jb_get_mark just before jb_open_object 8 months ago
Jason Ish 4d3d57249a doc: update dns section of the eve format documentation 8 months ago
Jason Ish d3c08b9643 doc: upgrade guide for dns logging changes
Bug: #6281
8 months ago
Jason Ish b32f6bf381 eve/dns: allow version to be set with environment variable
There is no sane way to override the DNS eve version in Suricata
tests without using a copy of the configuration file, and many of the
tests by design use the configuration file of the Suricata under test,
so making a copy would break this assumption.

To get around this, respect the SURICATA_EVE_DNS_VERSION environment
variable as a way to set the version if not explicitly set in the
configuration file.
8 months ago
Jason Ish 575e5b471f dns: add v3 dns logging
DNS v3 logging fixes the discrepancies between request and response
logging with the main difference being queries always being placed in an
array.

Bug: #6281
8 months ago
Jason Ish df656324ba dns: new v3 style logging for alerts
V3 style DNS logging fixes the discrepancies between request and
response logging, and between dns records and alert records.

The main change is that queries and answers are always logged as
arrays, and header fields are not logged in array items.

For alerts this means that answers are now logged as arrays, queries
already were.

DNS records will get this new format as well, but with a configuration
parameter.

Bug: #6281
8 months ago
Nathan Scrivens 9ecc3573a7 dns: parse and populate OPT rdata struct
Feature: 7017
Add DNSRDataOPT struct and DNSRData enum type OPT.
Add OPT parsing function and test function.
Add DNSRData OPT type to lua.rs match.
Log OPT rdata.
8 months ago
Nathan Scrivens 4598ca164d dns log: add additional section
Feature: 7011
dns_log_json_answer: log additional section records.
update schema.json with new "additionals" section.
8 months ago
Nathan Scrivens 1cd89640ef dns parsing: add additional section
Feature: 7011
Add additionals to DNSMessage struct.
Add parsing logic to populate additional section data.
Patch dns tests to account for additional section parsing.
8 months ago
Sascha Steinbiss 53c62432c6 doc: update MQTT configuration 8 months ago
Sascha Steinbiss e047ad25e2 mqtt: run rustfmt 8 months ago