Commit Graph

14488 Commits (b9aac6dd18ef66930c6ab81bf45402db2c442053)

Author SHA1 Message Date
Jason Ish 49ba378d38 schema: fix engines section
The definition of items is an object, not an array.
2 years ago
Jeff Lucovsky 2dbcbb2a2a nflog/time: Fixup timestamp handling
Issue: 5818

This commit corrects the timestamp handling for the packet to work with
the SCTime_t struct.
2 years ago
Jason Ish 159b72c101 rust/clippy: allow derivable impls
The latest Rust will automatically "fix" derivable default
implementation, which is nice, but makes changes that don't meet our
current MSRV, so allow derivable impls for now.
2 years ago
Victor Julien 1726bd643c detect/app-layer-event: simplify parsing code
Simpler and fully local parsing code.

Remove unittests that relied on previous implementation. Code
is tested by SV tests.
2 years ago
Victor Julien 0c8646959e detect/analyzer: add transform names 2 years ago
Shivani Bhardwaj c089bbb7d7 util/mime: use uint32_t for consumed bytes
In a case of the line buffer being over 255 bytes, the consumed bytes
would reset to 0 as it was uint8_t. Fix this integer overflow by setting
the type to uint32_t.

Redmine ticket: 5883
2 years ago
Shivani Bhardwaj 0f3e7761da doc: add dataset examples 2 years ago
Shivani Bhardwaj 901e99fa95 detect: add comments for DETECT_SM_LIST_* types 2 years ago
Jason Ish c6c781ef67 config: put version in configuration as a proper value
Adds a new field, "suricata-version" to the configuration file with
the major and minor version of the Suricata that generated the
configuration file.

This may be useful in the future for presenting warnings about
important changes, or even providing different defaults based on what
the user might expect.

Ticket: 5822
2 years ago
Jeff Lucovsky 2d28c09ea1 pfring: Packet structure for ts fix
Issue: 5818

This commit addresses the issue with using the address of a packed
member of a structure. The pfring timeval is within a packed structure.
2 years ago
Jeff Lucovsky 056c13c417 pfring/time: Track stat output with SCTime_t
Issue: 5818

This commit changes the datatype of the tracking value for the last time
stats were dumped.

Changing the type also eliminates a comparison between values with
different signs.
2 years ago
Jeff Lucovsky 59ab1c20ec time: SCTime additions -- neq, initializer
Issue: 5818

This commit adds an initializer for the SCTime_t type and a comparison
macro for "not equal".

Use them as follows:
    SCTime_t my_var = SCTIME_INITIALIZER;
    if (SCTIME_CMP_NEQ(sctime1_val, sctime2_val)) {
    }
2 years ago
Lancer Cheng 08b17e9778 eve: add version and warning in ntlmssp
Bug OISF#5783
2 years ago
Lancer Cheng 6142593a69 doc: add version field in NTLMSSP documentation
Bug OISF#5783
2 years ago
Lancer Cheng 9207012e4b smb: fix parser of ntlmssp negotiateflags
Fix endian-conversion bug in function parse_ntlm_auth_nego_flags

Bug OISF#5783
2 years ago
Jeff Lucovsky cb174e4fd9 log/thread: Consolidate threaded file tracking
Issue: 5836

This commit removes the duplicate threaded file tracking from the log
file mechanisms.

Tracking is now consolidated with the threaded hash table.
2 years ago
Jeff Lucovsky 99b7257ef6 log: Stop if log initialization fails at startup
Issue: 5836

This commit modifies Suricata to fail if log initialization errors occur
during startup.
2 years ago
Victor Julien 8746fbe07e stream: add seq min and max; use in segment compare 2 years ago
Victor Julien cbcd70537a stream: fix overlap detection
If an in-tree segment was partly before base_seq the overlap detection
miscalculated the data offset. This led to memcmp comparing the wrong
data.

Bug: #5881.
2 years ago
Victor Julien ceebd6e904 stream: reuse TCP session after TFO SYN+data reject 2 years ago
Victor Julien ee76b27535 eve/stream: log tcp reuse flag in packets 2 years ago
Victor Julien 2bb1e5a38a flow: remove unused tcp reuse flow flag 2 years ago
Victor Julien 7ef57cc7cb stream: support SYN/ACK with TFO only ack'ing ISN
Not ack'ing the data.
2 years ago
Victor Julien 7e6154a26f stream: add counter for acks for unseen data
This is another indicator for packet loss or strange captures.
2 years ago
Victor Julien 37e694b5b8 eve/stream: ack unseen data 2 years ago
Victor Julien b7739bfdba stream: flag ACKs that ack segments after next_seq
Avoid this for async streams.
2 years ago
Victor Julien a0f0a3b48b stream: fix spurious retransmission handling
Fix spurious retransmissions getting dropped, stalling connections in IPS
mode.

There are several reasons why benign spurious retransmissions can happen,
with the most obvious one that an ACK is lost so the sender retransmits
while the receiver has ACK'd it. If Suricata sees the ACK but afterwards
it gets lost, we can get in this condition. Packet loss can have a wide
range of causes here, including packets reaching a host but getting
dropped in the NIC queue or kernel queues due to resource constraints.

So these packets are no longer an "error" in this patch.

Next to this, the accuracy of the spurious retransmission has been
improved. Use SEQ macros to compare sequence numbers. Only use base_seq
if reassembly is still enabled for a stream.

A special case is added for cases where a segment is before last_ack
but after base_seq, which can happen when protocol detection isn't
finished yet. In this case the segment is tagged as spurious, but still
processed. This way we can check for overlaps.

Bug: #5875.
2 years ago
Victor Julien 01b7ccc224 stream: add liberal timestamps option
Linux is slightly more permissive wrt timestamps than many
other OSes. To avoid many events/issues with linux hosts, add an
option to allow for this slightly more permissive behavior.

Ideally the host-os config would be used, but in practice this
setting is rarely set up correctly, if at all.

This option is enabled by default.
2 years ago
Victor Julien d79a926085 stream: D-SACK detection and logging
RFC 2883 specifies a special use of SACKs to indicate a host has
received a segment it considers a spurious retransmission.
2 years ago
Victor Julien 6a2fdc456b stream: Dup-ACK detection
Modeled after Wireshark's Dup-ACK detection.
2 years ago
Victor Julien 76225bf9ac stream: fix next_seq updates after temporary gap
On every accepted packet in established state, update next_seq if
packet seq+len is larger than existing next_seq. This allows it to
catch up after large gaps that are filled again a bit later.

Bug: #5877.
2 years ago
Victor Julien 83a16a7a89 eve/stream: per packet stream engine logging
Debug facility to get a per packet view into the stream engine's state.

Logs after a packet has been processed in the stream engine, so the view
into the state includes the updates based on the current packet.

Marked as experimental so it can be changed w/o notice.

Bug: #5876.
2 years ago
Victor Julien 3948b160c7 stream: implement config option for SYN queue
Default to allowing 10 SYNs to not trigger an event on a connection
attempt that times out.
2 years ago
Victor Julien d03773840b stream: track packet flags in packet
These flags can then later be used by stream logging.
2 years ago
Victor Julien 551fb80150 stream: improve first FIN next_seq update
For accepted FIN packets, always update next_seq. This helps track the
FIN sequence.

Bug: #5877.
2 years ago
Victor Julien 80a012a787 stream: improve FIN next_seq handling
Update next_seq to SEQ + payload_len + 1, so retransmission checks
work better.

Bug: #5877.
2 years ago
Victor Julien 20df715e64 stream: set next_seq before last_ack
next_seq sometimes depends on last_ack in cases of packet loss
catch up, so first update it.

Bug: #5877.
2 years ago
Victor Julien 67af94f2e0 stream/tcp: fix wrong ACK trigger FIN1 to FIN2
An ACK that ACK'd older data while still being in-window could
lead to FIN_WAIT1 to FIN_WAIT2 state transition. Detect this
case and generally harden the check.

Bug: #5877.
2 years ago
Victor Julien 7bfee147ef stream: SYN queue support
Support case where there are multiple SYN retransmits, where
each has a new timestamp.

Before this patch, Suricata would only accept a SYN/ACK that
matches the last timestamp. However, observed behavior is that
the server may choose to only respond to the first. In IPS mode
this could lead to a connection timing out as Suricata drops
the SYN/ACK it considers wrong, and the server continues to
retransmit it.

This patch reuses the SYN/ACK queuing logic to keep a list
of SYN packets and their window, timestamp, wscale and sackok
settings. Then when the SYN/ACK arrives, it is first evaluated
against the normal session state. But if it fails due to a
timestamp mismatch, it will look for queued SYNs and see if
any of them match the timestamp. If one does, the ssn is updated
to use that SYN and the SYN/ACK is accepted.

Bug: #5856.
2 years ago
Victor Julien 449ed75547 stream: fix direction macro to be used in conditions 2 years ago
Victor Julien 3bbed8c1d4 stream: minor code cleanup 2 years ago
Victor Julien 9a34997d71 flow: fix comment typo 2 years ago
Victor Julien 65f28b075f stream: turn session bool into flag 2 years ago
Victor Julien aa7d58b0c7 stream: turn session flags into u32
Due to gaps/padding the size of the struct won't change.
2 years ago
Victor Julien dd8e8fd7c3 stream/config: optimize stream config structure layout 2 years ago
Victor Julien 23dd34dd8a stream/config: turn async_oneside into bool 2 years ago
Victor Julien 0a831b5ea2 stream: minor code cleanups in ACK validation 2 years ago
Victor Julien 15637ecce4 stream: remove unused macros 2 years ago
Victor Julien 58c1f14f17 stream: remove unused thread pseudo packet queue 2 years ago
Victor Julien 435ca5bbf0 stream: remove unused packetqueue argument 2 years ago