Commit Graph

14387 Commits (a94ca4462093c0b41f87a7d8433801a0abbb4390)

Author SHA1 Message Date
Victor Julien 64fb4066cf stream: harden tcp reuse check against RST/FIN 2 years ago
Victor Julien 0d1d288544 stream: improve SYN and SYN/ACK handling with ECN/CWR flags 2 years ago
Victor Julien 5fe2fba184 stream: fix TFO overlap detection with ECN/CWR flags 2 years ago
Victor Julien 277751051b stream: flag zero window probe packets 2 years ago
Jason Ish 6ebb643b83 conf: deprecate multiple "include" statements at same level
The YAML spec considers duplicate keys to be an error, as do some YAML
implementations, most notably Rust's serde_yaml which would be nice to
use in the future.

Multiple include lines at the same level will still work, but a warning
will be emitted.

These can be fixed by moving to an "include" array:

include:
  - file1.yaml
  - file2.yaml

Ticket: #5939
2 years ago
Jason Ish 6e1cd7bbea conf: fatal error if "include" is a mapping
If a field named "include" is a mapping, it is not processed correctly.
Instead, return a fatal error.

In our YAML, "include" has always been a reserved word, so this should
not break any known configuration.

Ticket: #5939
2 years ago
Jason Ish 67ce33a97e conf: allow "include" to be a list of files
In preparation for deprecating multiple "include" fields at the same
level, allow "include" to be a list of filenames.

Ticket: #5939
2 years ago
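The three "include" shapes these commits deal with (several scalar "include" keys at one level, a single "include" list, and an "include" mapping), as an added example that is not Suricata's own conf loader: a dependency-free Python scanner that collects include paths, warns on the deprecated duplicate-key form and fails on the mapping form. The scanner, its `ConfigError` type, the warning text and the sample fragments are this example's own and cover only the small YAML subset needed here. The practical reason to prefer the list form is visible in the first sample: a YAML loader that tolerates duplicate keys typically keeps only the last "include" and silently drops the rest, so rule and output includes vanish without any error.

```python
import re
from dataclasses import dataclass, field

# Only the YAML subset this check needs: "key: value", or "key:" followed by
# a "- item" list or an indented mapping. Everything else is ignored.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")
ITEM_RE = re.compile(r"^(\s*)-\s+(.*)$")


class ConfigError(Exception):
    """Fatal: "include" given as a mapping (error type assumed for this example)."""


@dataclass
class IncludeScan:
    includes: list = field(default_factory=list)   # include paths, in file order
    warnings: list = field(default_factory=list)   # deprecation warnings


def _strip(line: str) -> str:
    """Drop '#' comments and trailing whitespace (values containing '#' are
    outside the subset handled here)."""
    return line.split("#", 1)[0].rstrip()


def scan_includes(text: str) -> IncludeScan:
    lines = [_strip(l) for l in text.splitlines()]
    result = IncludeScan()
    seen = {}  # indent -> number of "include" keys seen in the current mapping
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1  # i is now the 1-based number of `line`
        m = KEY_RE.match(line)
        if not line.strip() or not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        # Any key at this indent closes the nested mappings below it, so the
        # "include" count restarts for sibling blocks.
        for deeper in [d for d in seen if d > indent]:
            del seen[deeper]
        if key != "include":
            continue
        seen[indent] = seen.get(indent, 0) + 1
        if seen[indent] == 2:
            result.warnings.append(
                f"line {i}: multiple 'include' keys at the same level are "
                "deprecated; use a single 'include' list")
        if value:                                   # include: file.yaml
            result.includes.append(value.strip("'\""))
            continue
        while i < len(lines) and not lines[i].strip():   # skip blank lines
            i += 1
        if i >= len(lines):
            continue
        item = ITEM_RE.match(lines[i])
        if item and len(item.group(1)) >= indent:   # include: followed by a list
            item_indent = len(item.group(1))
            while i < len(lines):
                item = ITEM_RE.match(lines[i])
                if not item or len(item.group(1)) != item_indent:
                    break
                result.includes.append(item.group(2).strip().strip("'\""))
                i += 1
            continue
        nested = KEY_RE.match(lines[i])
        if nested and len(nested.group(1)) > indent:  # include: followed by a mapping
            raise ConfigError(f"line {i + 1}: 'include' must not be a mapping")
    return result


# Constructed sample fragments (not taken from a real suricata.yaml).
DUPLICATE_INCLUDES = """\
default-rule-path: /var/lib/suricata/rules
include: site-a.yaml
include: site-b.yaml
outputs:
  include: outputs.yaml
"""

INCLUDE_LIST = """\
include:
  - site-a.yaml
  - site-b.yaml
"""

INCLUDE_MAPPING = """\
include:
  file: site-a.yaml
"""

if __name__ == "__main__":
    old = scan_includes(DUPLICATE_INCLUDES)
    print(old.includes, old.warnings)
    print(scan_includes(INCLUDE_LIST).includes)
    try:
        scan_includes(INCLUDE_MAPPING)
    except ConfigError as e:
        print("fatal:", e)
```

The scanner keeps every path from the duplicate-key form (with one warning), which is the behaviour the deprecation commit describes; the "outputs" sub-mapping shows that an "include" inside a different block does not count as a duplicate of the top-level ones.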
Juliana Fajardini 31066c7c3b docs: clarify exception policy's supported values
As flow.memcap-policy and defrag.memcap-policy do not support flow
actions, clarify that in the documentation. Also fix some typos, and
add missing values in some places where the exception policies were
explained.

Related to
Bug #5940
2 years ago
Juliana Fajardini d4333fb959 exception/policy: use pkt action if no flow support
Defrag memcap and flow memcap do not support flow action for the
exception policies, as there is no flow when the exception condition is
hit. In such cases, the exception policy must be considered for the
packet only, when that makes sense, or should be ignored, in case of
`bypass`.

Bug #5940
2 years ago
Philippe Antoine d313b5d605 detect: bump detect engine version for tenant reload
Because the engine version is used to free the old
variables and not the new ones.
As is done in DetectEngineReload.

Ticket: #5866
2 years ago
Philippe Antoine 473ca6dcf4 detect: bytemath do not left shift more than 64
As it is undefined behavior by C standard.
In this case, zeroes the value.

Ticket: #5900
2 years ago
Jason Ish 60e67db452 rust: don't suppress vendor output
There appears to be some errors happening in CI and this may be hiding
the source of the error.
2 years ago
Jason Ish 6f14aed0e6 rust: bundle Cargo.lock
Cargo.lock has to be provided as a template, Cargo.lock.in, so it can
live beside Cargo.lock in out-of-tree automake builds, like distcheck.

This will pin Rust dependencies even for git builds, updating
Cargo.lock will now be a manual process that we'll have to take care
of periodically.
2 years ago
Juliana Fajardini 754d2803dd flow/manager: fix coverity divide_by_zero warning
Updated all cases where flow_config.prealloc was used in a division.

*** CID 1524506:  Integer handling issues  (DIVIDE_BY_ZERO)
/src/flow-manager.c: 858 in FlowManager()
852                                "flow_spare_q status: %" PRIu32 "%% flows at the queue",
853                             spare_pool_len, flow_config.prealloc,
854                             spare_pool_len * 100 / flow_config.prealloc);
855
856                     /* only if we have pruned this "emergency_recovery" percentage
857                      * of flows, we will unset the emergency bit */
>>>     CID 1524506:  Integer handling issues  (DIVIDE_BY_ZERO)
>>>     In expression "spare_pool_len * 100U / flow_config.prealloc", division by expression "flow_config.prealloc" which may be zero has undefined behavior.
858                     if (spare_pool_len * 100 / flow_config.prealloc > flow_config.emergency_recovery) {
859                         emerg_over_cnt++;
860                     } else {
861                         emerg_over_cnt = 0;
862                     }

Related to
Bug #5919
2 years ago
Jeff Lucovsky f57c11df3f content: Constrain distance/within values
Ticket: 5740

This commit constrains the values for distance and limit to 1MB. The
constraint is enforced while parsing the keyword values.
2 years ago
Jeff Lucovsky 35bbdf4124 doc/content: Add limits for distance/within
Ticket: 5740
2 years ago
jason taylor 46d09a6ba6 profiling: updated switch block to fix gcc warning
This fixes a warning emitted by Fedora 37 when compiling
with gcc 12.2.1

Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Victor Julien 94bb6dded6 profiling: minor reformatting 2 years ago
Juliana Fajardini 5baa6c0024 flow/manager: fix prealloc unhandled division by 0
If flow.prealloc was set to zero in our yaml config, this led to
a floating point exception in the flow manager.

Bug: #5919.
2 years ago
Philippe Antoine 4f7426fdcf enip: optimized tx iterator
As for SMTP, having a linked list.

Ticket: #5927
2 years ago
Philippe Antoine e15daf6a4b dnp3: optimized tx iterator
As for SMTP, having a linked list.

Ticket: #5927
2 years ago
Philippe Antoine f5f215dae7 smtp: optimized tx iterator
To be more efficient with larger number of transactions.
As was done for FTP.

Ticket: #5927
2 years ago
Jason Ish 744759b0c9 source-af-xdp: update for deprecated function in libbpf
libbpf 0.8 deprecates bpf_get_link_xdp_id, and 1.0 removes it. Add a
./configure check to see if this method is available and use it if so,
otherwise use the deprecated method, which is not available on older
but still supported Linux distributions.

Ticket: #5924
2 years ago
Jason Ish d4418034d1 rust: update aes and aes-gcm crates
Addresses RUSTSEC-2021-0059, RUSTSEC-2021-0060.
2 years ago
Victor Julien ba7db2583b detect/urilen: fix applying urilen as depth
If urilen induced depth was set, later DetectContentPropagateLimits()
would apply a wrong depth setting, leading to a false negative in
some cases.

Bug: #5929.
2 years ago
Victor Julien 50dba4665d detect/urilen: support HTTP/2
Ticket: #5931.
2 years ago
Victor Julien 09348564f0 eve/drop: don't log drops unless packet is dropped
In pass/drop combinations where the pass rule took precedence over
the drop, a "drop" false positive could still be logged due to the
storing of the drop record in the packet drop alert store.

Bug: #5867.
2 years ago
Victor Julien 9b4fb63a7b detect/mpm: minor code cleanups 2 years ago
Victor Julien d518416f0d detect: apply within as depth where possible
The rule lang allows for within and distance to act as depth/offset,
but internally this was not handled the same way. This patch converts
within/distance w/o a prior pattern to depth/within.
2 years ago
Victor Julien 5254a88e1e detect/offset: minor code cleanups 2 years ago
Victor Julien 33bee20d3d detect/content: refactor limit propagation 2 years ago
Victor Julien 8831ae9be7 detect/distance: minor code cleanups 2 years ago
Victor Julien c945eff66e detect/within: minor code cleanups 2 years ago
Victor Julien 8de2948df8 detect/analyzer: fix lists names
Simpler names that lead to cleaner json.
2 years ago
Victor Julien 325000ca2b detect/analyzer: add byte_test/byte_jump detail 2 years ago
Victor Julien 105dd636cb detect/analyzer: add content relative_next flag 2 years ago
Victor Julien 2b85ab0ba1 detect/analyzer: add more pcre detail 2 years ago
Victor Julien e624328deb detect: split mpm per alproto for file.data & others
Instead of a shared mpm context for just "file.data" or "file.magic"
use per alproto mpms. This way http file.data rules won't affect smb
file.data performance.

Ticket: #4378.
2 years ago
Victor Julien a806445abf mpm factory: include alproto
In preparation for splitting out mpm's for keywords shared by
multiple protocols, like file.data.
2 years ago
Philippe Antoine 416a780f69 jsonschema: do not enforce keys for alert metadata
As this is a free field and can have any key based on a rule.
2 years ago
Philippe Antoine 8f9cd8ff1a doc: security.limit-noproc upgrade note
Ticket: #5621
2 years ago
Lukas Sismis 4f3e1279f5 github-ci: Add Netmap build to GH actions
Issue: #5803
2 years ago
Jason Ish 0533737726 smtp: apply suricata.yaml defaults to in-code defaults
Currently the default suricata.yaml sets some values that do not
reflect the default values in the code. As most users are probably
using a default suricata.yaml, make the code have the same defaults as
in suricata.yaml:

- mime.decode-mime: false -> true
- mime.decode-base64: false -> true
- mime.decode-quoted-printable: false -> true
- mime.extract-urls: false -> true

Issue: #5823
2 years ago
Jason Ish 3a44197183 schema: add "message_id" to email 2 years ago
Jason Ish 3d92990c6f conf: document ConfGetChildValueBool 2 years ago
Gabriel Lima Luz b43357eb26 detect-lua: Convert unittests to FAIL/PASS API
Ticket: 4051
2 years ago
Jason Ish bdd889899f source-xdp: only allow busy poll if headers support it
Wrap the enabling of busy poll in a compile time conditional checking
for the required defines to be set. While we have runtime support for
kernels less than 5.11, we also need a compile time check as the headers
may be old as well.

Issue: 5855
2 years ago
Jason Ish b734676617 github-ci: add Debian 11 builder with XDP 2 years ago
Jason Ish bf079c9214 schema: fix optional
"optional" is not part of jsonschema. Instead an array named "required"
is used to list all field names that are required.
2 years ago
Jason Ish 49ba378d38 schema: fix engines section
The definition of items is an object, not an array.
2 years ago