aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
9,085 Commits
8 Branches
165 Tags
219 MiB
main
main-8.0.x
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c4b56ca289'
${ noResults }
Commit Graph

546 Commits (c4b56ca28917eb460ea9eb223b9bc98fbb9ee1d8)

Author SHA1 Message Date
Victor Julien 9d5bbc3af6 detect: implement http_accept_lang sticky buffer 
Inspects Accept-Language header
 9 years ago
Victor Julien 1d1176b0d5 detect: implement http_connection sticky buffer 9 years ago
Victor Julien 5714129e32 detect: implement http referer sticky buffer 9 years ago
Victor Julien 88cfb99910 detect: http_accept sticky buffer + common code 
Implement common code to easily add more per HTTP header detection
keywords.

Implement http_accept sticky buffer. It operates on the HTTP Accept
header.
 9 years ago
Victor Julien 4f8eacdc69 disable-detect: fix needless file hashing 
When detection is running flags are set on flows to indicate if file
hashing is needed. This is based on global output settings and rules.

In the case of --disable-detection this was not happening, so all
files where hashed with all methods. This has a significant
performance impact.

This patch adds logic to set the flow flags in --disable-detect mode.
 9 years ago
Mats Klepsland d6508e640a detect: add (mpm) keyword tls_cert_serial 
Match on TLS certificate serial number using tls_cert_serial
keyword, e.g.:

alert tls any any -> any any (msg:"TLS cert serial test";
        tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1";
        sid:12345;)
 9 years ago
Victor Julien f0af133c5f flowvar: remove unused DETECT_VAR_TYPE_ALWAYS 9 years ago
Victor Julien 996112edf5 pktvars: same name pktvars, key-value vars 9 years ago
Victor Julien 0f708d427b pkt-var: abuse flowvar postmatch logic for pktvars 
Flowvars were already using a temporary store in the detect thread
ctx.

Use the same facility for pktvars. The reasons are:

1. packet is not always available, e.g. when running pcre on http
   buffers.

2. setting of vars should be done post match. Until now it was also
   possible that it is done on a partial match.
 9 years ago
Victor Julien 22f3205664 var-names: expose outside of detect engine 
Until now variable names, such as flowbit names, were local to a detect
engine. This made sense as they were only ever used in that context.

For the purpose of logging these names, this needs a different approach.
The loggers live outside of the detect engine. Also, in the case of
reloads and multi-tenancy, there are even multiple detect engines, so
it would be even more tricky to access them from the outside.

This patch brings a new approach. A any time, there is a single active
hash table mapping the variable names and their id's. For multiple
tenants the table is shared between tenants.

The table is set up in a 'staging' area, where locking makes sure that
multiple loading threads don't mess things up. Then when the preparing
of a detection engine is ready, but before the detect threads are made
aware of the new detect engine, the active varname hash is swapped with
the staging instance.

For this to work, all the mappings from the 'current' or active mapping
are added to the staging table.

After the threads have reloaded and the new detection engine is active,
the old table can be freed.

For multi tenancy things are similar. The staging area is used for
setting up until the new detection engines / tenants are applied to
the system.

This patch also changes the variable 'id'/'idx' field to uint32_t. Due
to data structure padding and alignment, this should have no practical
drawback while allowing for a lot more vars.
 9 years ago
Victor Julien 43cc06eabe detect: use engine version instead of id 
Use engine version based on global detect engine master. This is
incremented between reloads.
 9 years ago
Victor Julien 920709fe6f detect: ssh_software sticky buffer 9 years ago
Victor Julien f1ab6a6153 detect: ssh_proto stickybuffer 9 years ago
Victor Julien dfac5276b8 detect: remove unused SIGMATCH_PAYLOAD flag 9 years ago
Victor Julien fa1ef158b2 detect: small API cleanup 9 years ago
Victor Julien 5bafc64c08 detect: unify FileMatch API with other calls 9 years ago
Victor Julien fe415ae518 detect: remove DMATCH list 9 years ago
Victor Julien ad238121e3 detect: remove the AMATCH list 9 years ago
Victor Julien 775e182531 detect: remove AppLayerMatch API call 9 years ago
Victor Julien 1087495d6d detect: http_start sticky buffer 
Matches on the start of a HTTP request or response.

Uses a buffer constructed from the request line and normalized request
headers, including the Cookie header.

Or for the response side, it uses the response line plus the
normalized response headers, including the Set-Cookie header.

Both buffers are terminated by an extra \r\n.
 9 years ago
Victor Julien 36535efa04 detect: add http_protocol sticky buffer 
Matches on protocol field in HTTP.
 9 years ago
Victor Julien f2fc5a255f http_header: convert to use common code 9 years ago
Victor Julien aaeeae0722 detect: http_header_names sticky buffer keyword 
A sticky buffer that allows content inspection on a contructed buffer
of HTTP header names. The buffer starts with \r\n, the names are
separated by \r\n and the end of the buffer contains an extra \r\n.

E.g. \r\nHost\r\nUser-Agent\r\n\r\n

The leading \r\n is to make sure one can match on a full name in all
cases.
 9 years ago
Victor Julien cf9678d926 detect: global registery for keyword thread data 
Some keywords need a scratch space where they can do store the results
of expensive operations that remain valid for the time of a packets
journey through the detection engine.

An example is the reconstructed 'http_header' field, that is needed
in MPM, and then for each rule that manually inspects it. Storing this
data in the flow is a waste, and reconstructing multiple times on
demand as well.

This API allows for registering a keyword with an init and free function.

It it mean to be used an initialization time, when the keyword is
registered.
 9 years ago
Victor Julien a9a228a289 profiling: fix keyword profiling 9 years ago
Victor Julien 49fbd28ceb detect: cleanup built-in list id's 9 years ago
Victor Julien 40851eecf0 template: dynamic buffer 9 years ago
Victor Julien 815120896b app-layer-events: dynamic list 9 years ago
Victor Julien b68343e372 files: use dynamic list 9 years ago
Victor Julien e4bfdd53c2 cip/enip: dynamic buffer 9 years ago
Victor Julien f2393c1ae0 modbus: dynamic buffer 9 years ago
Victor Julien cfdd934aba dnp3: dynamic buffers/lists 9 years ago
Victor Julien 9ba386a141 tls: dynamic buffers 9 years ago
Victor Julien d9b3ae6cd6 dns: use dynamic buffers 9 years ago
Victor Julien 6f867c3c73 http_raw_uri: dynamic buffer 9 years ago
Victor Julien ee55aefa1c http_client_body: dynamic buffer 9 years ago
Victor Julien e7d5e845c7 http_header / http_raw_header: dynamic buffers 9 years ago
Victor Julien b694d96e22 http_stat_msg: dynamic buffer 9 years ago
Victor Julien 7e3ab4f5ea http_stat_code: dynamic buffer 9 years ago
Victor Julien 128b59d4f6 http_raw_host: dynamic buffer 9 years ago
Victor Julien 296c275e23 http_host: dynamic buffer 9 years ago
Victor Julien 67b7d9734e http_cookie: dynamic buffer 9 years ago
Victor Julien 54604c7bf2 http_user_agent: dynamic buffer 9 years ago
Victor Julien 9262fa3dcf http_response_line: dynamic buffer 9 years ago
Victor Julien 6346a074a7 http_uri: dynamic buffer 
Clean up tests
 9 years ago
Victor Julien e34102d67a http_method: make list dynamic 9 years ago
Victor Julien 6bd37611ee file_data: dynamic buffer 9 years ago
Victor Julien 7052f9b933 http_request_line: dynamic buffer 9 years ago
Victor Julien 779d40cedf detect: remove hardcoded sm_list logic from setup 
Introduce utility functions to aid this.
 9 years ago
Victor Julien f370e88135 detect: move init only Signature members to init_data 9 years ago
Victor Julien 0a5ae415b8 detect: shrink Signature::sm_arrays 
Signature::sm_arrays now only contains 'built-in' lists, and so is
sized appropriately.
 9 years ago
Victor Julien 4978a7a133 detect: reorganize id's in prep of dynamic lists 9 years ago
Victor Julien 8edc954e82 detect: get rid of Signature::sm_lists 
Instead use the lists in init_data during setup and the SigMatchData
arrays during runtime.
 9 years ago
Victor Julien bd456076a8 detect: pass SigMatchData to inspect functions 9 years ago
Victor Julien 2f87c975d4 detect: add SigMatch arg to inspect functions 9 years ago
Victor Julien cf42fbf51f detect: use InspectEngineFuncPtr in inspect engines 
Replace explicit function pointer use by InspectEngineFuncPtr typedef
 9 years ago
Victor Julien 5f7e096be4 detect: shrink inspect engine by using 'id' as state flag 9 years ago
Victor Julien 715ff60087 detect: remove unused SIG_FLAG_INIT_PAYLOAD init_flag 9 years ago
Victor Julien 5e0b0eea4b detect: remove unused flags 9 years ago
Victor Julien bfd4bc8233 detect: constify Signature/SigMatch use at runtime 9 years ago
Victor Julien be3ee5330f detect: remove alproto from keyword registration 
It was already marked as depricated and no longer in use anywhere.
 9 years ago
Victor Julien f91d490d25 detect: remove unused flow_locked hint 9 years ago
Victor Julien 810e43f373 magic: make optional 
Make libmagic optional. If installed it will be enabled by default in
configure. Use --disable-libmagic to disable.
 9 years ago
Victor Julien 3f8ee2afd3 detect-lua: unify on using 'lua' name vs 'luajit' 9 years ago
Victor Julien 0366d47608 luajit: remove unused instance counter 9 years ago
Jason Ish 1a31bded4a DNP3: dnp3_data, dnp3_func, dnp3_ind, dnp3_obj rule keywords 9 years ago
Victor Julien 0ed119068d detect-app-layer-protocol: implement prefilter 
Introduce 'Protocol detection'-only rules. These rules will only be
fully evaluated when the protocol detection completed. To allow
mixing of the app-layer-protocol keyword with other types of matches
the keyword can also inspect the flow's app-protos per packet.

Implement prefilter for the 'PD-only' rules.
 9 years ago
Victor Julien 43aed70976 detect: during detection sgh is read only so turn into const 9 years ago
Mats Klepsland 1fea52dd8a detect: add keyword tls_cert_valid 
Add keyword to check if TLS certificate is valid.
 9 years ago
Mats Klepsland f22c9d9781 detect: add keyword tls_cert_expired 
Add keyword to check if TLS certificate is expired.
 9 years ago
kwong a3ffebd835 Adding SCADA EtherNet/IP and CIP protocol support 
Add support for the ENIP/CIP Industrial protocol

This is an app layer implementation which uses the "enip" protocol
and "cip_service" and "enip_command" keywords

Implements AFL entry points
 9 years ago
Victor Julien 798ba010ca prefilter: use array of engines per sgh 
Instead of the linked list of engines setup an array
with the engines. This should provide better locality.

Also shrink the engine structure so that we can fit
2 on a cacheline.

Remove the FreeFunc from the runtime engines. Engines
now have a 'gid' (global id) that can be used to look
up the registered Free function.
 9 years ago
Victor Julien 5f994756e6 detect-engine: improved inspect engines 
Inspect engines are called per signature per sigmatch list. Most
wrap around DetectEngineContentInspection, but it's more generic.

Until now, the inspect engines were setup in a large per ipproto,
per alproto, per direction table. For stateful inspection each
engine needed a global flag.

This approach had a number of issues:
1. inefficient: each inspection round walked the table and then
   checked if the inspect engine was even needed for the current
   rule.
2. clumsy registration with global flag registration.
3. global flag space was approaching the need for 64 bits
4. duplicate registration for alprotos supporting both TCP and
   TCP (DNS).

This patch introduces a new approach.

First, it does away with the per ipproto engines. This wasn't used.

Second, it adds a per signature list of inspect engine containing
only those engines that actually apply to the rule.

Third, it gets rid of the global flags and replaces it with flags
assigned per rule per engine.
 9 years ago
Victor Julien f1e3840516 http_response_body: implement keyword with mpm 
Implemented as 'stickybuffer'.
 9 years ago
Victor Julien 4c98b6cef3 http_request_line: implement keyword and mpm 
Implemented as 'stickybuffer'.

Move all logic into the keyword file and remove bad tests that tested
URI instead of request line.
 9 years ago
Victor Julien 5b2e36a1b0 mpm: add App Layer MPM registery 
Register keywords globally at start up.

Create a map of the registery per detection engine. This we need because
the sgh_mpm_context value is set per detect engine.

Remove APP_MPMS_MAX.
 9 years ago
Victor Julien 125603871b detect: config opt to enable keyword prefilters 9 years ago
Victor Julien 9bb12ccb27 prefilter: move payload engines into separate list 9 years ago
Victor Julien 14b0537f95 prefilter: implement basic prefilter priority order 9 years ago
Victor Julien 31ad0a133b prefilter: engine for tcp flags keyword 
If there are many rules for TCP flags these rules would be inspected
against each TCP packet. Even though the flags check is not expensive,
the combined cost of inspecting multiple rules against each and every
packet is high.

This patch implements a prefilter engine for flags. If a rule group
has rules looking for specific flags and engine for that flag or
flags combination is set up. This way those rules are only inspected
if the flag is actually present in the packet.
 9 years ago
Victor Julien 8798bf48b2 profiling: support prefilter engines 9 years ago
Victor Julien 56239690d0 prefilter: implement prefilter keyword 
Introduce prefilter keyword to force a keyword to be used as prefilter.

e.g.
alert tcp any any -> any any (content:"A"; flags:R; prefilter; sid:1;)
alert tcp any any -> any any (content:"A"; flags:R; sid:2;)
alert tcp any any -> any any (content:"A"; dsize:1; prefilter; sid:3;)
alert tcp any any -> any any (content:"A"; dsize:1; sid:4;)

In sid 2 and 4 the content keyword is used in the MPM engine.
In sid 1 and 3 the flags and dsize keywords will be used.
 9 years ago
Victor Julien 85cb749e8b detect cleanup: remove sgh mpm_ctx pointers 9 years ago
Victor Julien 82d3c0b520 sgh: remove unused flags 9 years ago
Victor Julien 9ff5703c49 packet/stream: mpm prefilter engine 9 years ago
Victor Julien 5bcdbe3922 prefilter: introduce prefilter engines 
Introduce abstraction layer for prefilter engines.
 9 years ago
Victor Julien 3dad824fb2 detect: rename SignatureNonMpmStore 
New name is SignatureNonPrefilterStore to reflect that it's not just
about MPM anymore.
 9 years ago
Victor Julien 17bc0299fe detect: rename non_mpm lists/vars to non_pf 
Rename to non_pf: non prefilter.
 9 years ago
Victor Julien bb0cd0e883 prefilter: rename PatternMatcherQueue datatype 
In preparation of the introduction of more general purpose prefilter
engines, rename PatternMatcherQueue to PrefilterRuleStore. The new
engines will fill this structure a similar way to the current mpm
prefilters.
 9 years ago
Giuseppe Longo 07564c4e41 detect: add bypass keyword 
This adds a new keyword which permits to call the
bypass callback when a sig is matched.

The callback must be called when the match of the sig
is complete.
 9 years ago
Mats Klepsland dc8e0b3cf2 detect: add detect engine for tls validity keywords 
Add detect engine for tls validity keywords (tls_cert_notbefore and
tls_cert_notafter).
 9 years ago
Mats Klepsland ea5696812f detect: add tls_cert_notbefore and tls_cert_notafter keywords 
Detection plugin for TLS certificate fields notBefore and notAfter.

Supports equal to, less than, greater than, and range operations
for both keywords. Dates can be represented as either ISO 8601 or
epoch (Unix time).

Examples:
alert tls [...] tls_cert_notafter:1445852105; [...]
alert tls [...] tls_cert_notbefore:<2015-10-22T23:59:59; [...]
alert tls [...] tls_cert_notbefore:>2015-10-22; [...]
alert tls [...] tls_cert_notafter:2000-10-22<>2020-05-15; [...]
 9 years ago
Duarte Silva 89eb935f73 file-hashing: added support for SHA-256 file hashing 9 years ago
Duarte Silva a6d928e269 file-hashing: added support for SHA-1 file hashing 9 years ago
Duarte Silva 188b382c46 file-hashing: common code added 
Moved and adapted code from detect-filemd5 to util-detect-file-hash,
generalised code to work with SHA-1 and SHA-256 and added necessary
flags and other constants.
 9 years ago
Mats Klepsland 4172c4c8ac tls: add (mpm) keyword tls_cert_subject 
This keyword is a replacement for tls.subject.
 9 years ago
Mats Klepsland 9b2717799c tls: add (mpm) keyword tls_cert_issuer 
This keyword is a replacement for tls.issuerdn.
 9 years ago
Victor Julien 215d0d54c7 detect: optimize rule address parsing 
Many rules have the same address vars, so instead of parsing them
each time use a hash to store the string and the parsed result.

Rules now reference the stored result in the hash table.
 9 years ago
Victor Julien 99dce740ef detect: mark alproto in keyword reg deprecated 
No existing code uses it, and it had been useless for some time.
 9 years ago
Victor Julien e43ce0a9ec file: switch to streaming buffer API 
Make the file storage use the streaming buffer API.

As the individual file chunks were not needed by themselves, this
approach uses a chunkless implementation.
 10 years ago