Commit Graph

7925 Commits (c4b56ca28917eb460ea9eb223b9bc98fbb9ee1d8)

Author SHA1 Message Date
Pierre Chifflier d6b9c0294a Add krb5_cname and krb5_sname detection keywords 8 years ago
Pierre Chifflier 0bd81ff838 Add krb5_msg_type detection keyword 8 years ago
Pierre Chifflier 1e5f5d405f Kerberos 5: add support for TCP as well 8 years ago
Pierre Chifflier fd175f2bfb Add logger for Kerberos 5 metadata 8 years ago
Pierre Chifflier 77f0c11c9e Add Kerberos 5 application layer 8 years ago
Eric Leblond 325f336f63 util-random: fix detection of getrandom failure 8 years ago
Eric Leblond 851efd9c60 util-random: workaround getrandom unavailability
getrandom syscall availability is detected at runtime. So it is
possible that the build is done on a box that supports it but
the run is done on a system with no availability. So a workaround
solution is needed to fix this case.

Also we have seen some issues in docker environments where the build
is detecting getrandom but where it does not work at runtime.

For both reasons, the code is updated to have a call to a fallback
function if ever the getrandom call returns that the syscall is
not available.
8 years ago
Jason Ish 95481a9176 eve/json/xff - remove check for flow being NULL.
Fix Coverity issue:
** CID 1435535:  Null pointer dereferences  (REVERSE_INULL)
/src/output-json-file.c: 212 in JsonBuildFileInfoRecord()

Where we check a variable for being NULL, when all paths to the
code show that it can't be NULL.
8 years ago
Victor Julien 26b61bad90 htp: cleanup and fix test 8 years ago
Victor Julien 08af5ddd88 http: add tests for header folding
To test for https://github.com/OISF/libhtp/issues/159
8 years ago
Victor Julien 953dceece2 http: clean up unittest 8 years ago
Victor Julien d0a8310fcf pcap-log: don't divide by 0 on no traffic 8 years ago
Jason Ish 0d51ebc71a eve/alert: use eve-level xff config by default
The alert section can still have an xff configuration which
will take priority over the eve level xff config.
8 years ago
Jason Ish e3645bd9ae eve/alert: separate xff and metadata configuration
Put xff setup and metadata setup into their own
functions.
8 years ago
Jason Ish 36ec1281b2 eve/files: use eve-level xff config by default
The files section can still have an xff configuration which
will take priority over the eve level xff config.
8 years ago
Jason Ish 6607ee8489 eve/http: use eve-level xff config by default
The http section can still have an xff configuration which
will take priority over the eve level xff config.
8 years ago
Jason Ish 576584152c eve: use eve-level xff configuration
If an "xff" configuration section exists on the eve object,
parse and save it for child loggers to use.
8 years ago
Jason Ish 781a7e1089 xff: HttpXFFGetCfg - allow conf to be NULL
The code fully handles conf being NULL, and we have other functions
where conf can be NULL.
8 years ago
Maurizio Abba 2543930d74 xff: Use XFF configuration in eve and filestore
XFF configuration is already set in app-layer-htp-xff, and in
output-json-alert. Extending XFF configuration to files and HTTP allows
getting the same behavior as for alerts.

Extend the configuration of filestore json to let filestore metafile
dump be aware of xff. This is available only if write-fileinfo is set
to yes and file-store version is 2.
8 years ago
Elazar Broad 6ba02cac50 Fix segfault when the protocol is anything other than HTTP
When a file is transferred over anything other than HTTP, the previously hard-coded HTTP protocol would trigger a non-existent index into htp_list_array_get(), causing a segfault. This patch mimics the logic in detect-lua-extensions.c.
8 years ago
Mats Klepsland 2d2c01e772 detect-tls-cert-fingerprint: fix typo in unittest 8 years ago
Mats Klepsland 4671d57d7a detect-tls-cert-fingerprint: fix failing unittest
Fix unittest that failed with the content validation callback.
8 years ago
Mats Klepsland f36d578ee0 detect-tls-ja3-hash: add setup callback to lowercase content
Add setup callback that lowercases the content that follows 'ja3_hash'.
8 years ago
Mats Klepsland 5b954212f7 detect-tls-ja3-hash: add warning if nocase is used 8 years ago
Mats Klepsland 2501d48ac8 detect-tls-cert-serial: add warning if nocase is used 8 years ago
Mats Klepsland 2c5d5bbdaa detect-tls-cert-fingerprint: add warning if nocase is used 8 years ago
Mats Klepsland 4c9d448fa1 detect-tls-ja3-hash: add content validation callback
Validate that the content that follows the 'ja3_hash' keyword has
the correct length.
8 years ago
Mats Klepsland 52d9d45747 detect-tls-cert-fingerprint: add setup callback to lowercase content
Add setup callback that lowercases the content that follows
'tls_cert_fingerprint'.
8 years ago
Mats Klepsland f788719348 detect-tls-cert-fingerprint: add content validation callback
Validate that the content that follows the 'tls_cert_fingerprint'
keyword is in the correct form and has the correct length.
8 years ago
Mats Klepsland 6cf4c3c26e detect-tls-cert-serial: add setup callback to uppercase content
Add setup callback that uppercases the content that follows
'tls_cert_serial'.
8 years ago
Mats Klepsland 321603de37 detect-engine: add DetectEngineCtx to setup callback function
Add detect engine context as variable to setup callback function
in 'DetectBufferTypeRegisterSetupCallback'.
8 years ago
Mats Klepsland 48a5ea9df0 detect-tls-cert-serial: add content validation callback
Validate that the content that follows the 'tls_cert_serial' keyword
is in the correct form. If it's longer than two bytes it should be
separated by colons.
8 years ago
Max Fillinger b85a0b188b Add an option for compressing pcap-log files
Introduces the option 'outputs.pcap-log.compression' which can be set
to 'none' or 'lz4', plus options to set the compression level and to
enable checksums. SCFmemopen is used to make pcap_dump() write to a
buffer which is then compressed using liblz4.
8 years ago
Eric Leblond 6062c27eb7 af-packet: kill some white spaces 8 years ago
Eric Leblond 75b6972cfd util-ioctl: fix a typo in setter message 8 years ago
Eric Leblond f53e687bb8 af-packet: dump counters when timeout occurs
When traffic is becoming null (mainly seen in tests) we reach the
situation where there are timeouts in the poll on the socket and
only that. Existing code is then just looping on the poll and
the result is that the packet iface counters are not updated.

This patch calls the dump counter function to be sure to get
the counter right faster (and not only right at exit).
8 years ago
Victor Julien 8a5710307d hyperscan: don't abort on payloads > 64k
SPM API was recently updated to accept 32 bit length fields instead of
16 bits. This could trigger a BUG_ON in the hyperscan implementation.
8 years ago
Victor Julien a5de9968dd gcc8: fix format truncation warnings 8 years ago
Victor Julien 5faaa5dceb file_data/http: inspect cleanup 8 years ago
Eric Leblond 1d0727d85f stream-tcp: fix stream depth computation
The stream depth computation was partly done with the stream_config
depth instead of using the value in the TCP session. As a result,
some configurations were resulting in abnormal behavior.

In particular, when stream depth was 0 and the file store depth was
not 0, Suricata was stopping the streaming on the flow as soon as
the filestore was started.

Reported-by: Pascal Delalande <pdl35@free.fr>
8 years ago
Eric Leblond 1012fc4466 file: update logger API to log direction
By adding the flow direction to the logger we can have an accurate
logging of fileinfo events that has source and destination IP
correctly set.
8 years ago
Eric Leblond 2515c8927b app-layer-ftp: fill direction of transfer
This is required to return the file when asked with one direction.
8 years ago
Maurizio Abba d2bf7a3ba9 detect: fix buffer length to uint32
There is a difference in the size of the buffer length as passed from
the content buffers (cfr HttpReassembledBody.buffer_len) and the buflen
variable passed to mpm primitives. This can cause a misdetection
whenever the bufferlen is multiple of 65536 (as uint16(X*65536) == 0).
Increasing the buflen variable type to uint32 solves the issue (this
does not cause any issue with primitives, they all accept uint32).
8 years ago
Victor Julien 2e8fd612a6 files: properly close files on flow timeout
If a file transfer stops on flow timeout, it won't be closed or
truncated. This patch makes sure that in such cases the files
are indeed truncated. This fixes the filestore-v2 output module,
as that requires a sha256 for storing the partial file correctly.
8 years ago
Victor Julien 81c0b53d3f flow: track flow for ip proto 41 8 years ago
Victor Julien 8c75a022ea eve/netflow: only log response record if we've seen response pkts 8 years ago
Victor Julien c662383b53 flow: track flow for ICMP
Change packet layout to allow for expected counterpart type.
8 years ago
Victor Julien 708aad3f4a unified2: address strict aliasing issue 8 years ago
Victor Julien 7ce77f9351 decode/ipv6: expose addr as 'struct in6_addr' as well 8 years ago
Victor Julien 49b02f8f1b mingw: minor compile warning fixes 8 years ago
Giuseppe Longo 28849509b2 tests/detect-engine-hsbd: deinit det_ctx threads 8 years ago
Giuseppe Longo c620fc3dc4 detect-engine: free events
Events are stored in a detection engine but actually
they are not freed.
8 years ago
Victor Julien f461be75c5 smb: use inspect API v2 for smb keywords
Simplifies code and supports transforms.
8 years ago
Victor Julien 3854c304d8 mpm/hs: fix minor coverity warning
CID 1428797 (#1 of 1): Unchecked return value (CHECKED_RETURN)
    check_return: Calling HashTableAdd without checking return value
    (as is done elsewhere 5 out of 6 times).
8 years ago
Victor Julien e834d94fd2 detect/pktvar: clean up keyword parsing 8 years ago
Alexander Gozman 10a360280f Print syslog format with SCLogDebug() instead of printf() 8 years ago
Mats Klepsland 21078521f8 app-layer-ssl: remove possibility to overflow HAS_SPACE macro 8 years ago
Mats Klepsland 598ef96b7b app-layer-ssl: really fix CID 1433623 8 years ago
Mats Klepsland 900c27e235 app-layer-ssl: fix use-after-free (CID 1433623)
Ja3BufferAddValue frees the buffer on error, so there is no point
in doing it twice (use-after-free).
8 years ago
Mats Klepsland fc0e339467 app-layer-ssl: fix use-after-free (CID 14336229)
Nullify JA3 buffer on free to avoid use-after-free vulnerability.
8 years ago
Victor Julien 3b474ac599 tls: work around coverity warnings 8 years ago
Alexander Gozman 5c1a2b53f9 Bug #2466: map SC_LOG_CONFIG level to syslogs LOG_DEBUG 8 years ago
Mats Klepsland 7f0cfc0717 app-layer-ssl: use BIT_U32 for flags 8 years ago
Mats Klepsland 3e597512ea app-layer-tls-handshake: remove since it is no longer needed
Remove this file and all its content, since the functionality
was reimplemented in app-layer-ssl.
8 years ago
Mats Klepsland e93fef5c44 app-layer-ssl: reimplement function for decoding certificates
Do a complete rewrite of the function for decoding the SSL/TLS
certificate from the handshake.
8 years ago
Mats Klepsland d9ddae4592 tls: replace variable in header file with TAILQ_EMPTY()
Use TAILQ_EMPTY to check if a certificate exists instead of
setting two variables in the app-layer-ssl header file for
that purpose only.
8 years ago
Victor Julien f201a3761f rust: remove multi level 'experimental'
Don't treat 'external' parsers as more experimental. All parsers
depend on crates to some extent, and all have C glue code. So the
distinction doesn't really make sense.
8 years ago
Pierre Chifflier bf66948ad7 IKEv2: suppress some debug output 8 years ago
Pierre Chifflier 4e4cf00c07 Remove the 'experimental' mark for IKEv2 8 years ago
Pierre Chifflier d94346282c Add logger for IKEv2 8 years ago
Pierre Chifflier c99b9462d7 Add new parser: IKEv2
Add a new parser for Internet Key Exchange version 2 (IKEv2), defined in
RFC 7296.
The IKEv2 parser itself is external. The embedded code includes the
parser state and associated variables, the state machine, and the
detection code.

The parser looks at the first two messages of a connection, and analyzes
the client and server proposals to check the cryptographic parameters.
8 years ago
Victor Julien 1e56cfe08e threshold: don't touch globals after init
Don't free/reinit pcre globals per tenant. Others may be using them
at the same time, or try to free/reinit them at the same time.
8 years ago
Mats Klepsland efdc592172 detect-tls-sni: use *_Register2 API functions
Use *_Register2 API functions when registering 'tls_sni' detection
keyword.
8 years ago
Mats Klepsland b479d1d47c detect-tls-cert-serial: use *_Register2 API functions
Use *_Register2 API functions when registering 'tls_cert_serial'
detection keyword.
8 years ago
Mats Klepsland 5c96e1df95 detect-tls-cert-subject: use *_Register2 API functions
Use *_Register2 API functions when registering 'tls_cert_subject'
detection keyword.
8 years ago
Mats Klepsland b1dd41c9cd detect-tls-cert-issuer: use *_Register2 API functions
Use *_Register2 API functions when registering 'tls_cert_issuer'
detection keyword.
8 years ago
Mats Klepsland c3a329d6e9 detect-tls-cert-fingerprint: use *_Register2 API functions
Use *_Register2 API functions when registering 'tls_cert_fingerprint'
detection keyword.
8 years ago
Antoine LUONG 56e7afc4f7 prelude: swap msg and class_msg in Prelude alert 8 years ago
Antoine LUONG caa2903f1f prelude: fix duplicated analyzer in Prelude alert 8 years ago
Danny Browning 697a5a1978 pcap/file: fix missing files stopping engine #2451
https://redmine.openinfosecfoundation.org/issues/2451

When a missing (or empty named) file is passed to source-pcap-file while
using unix socket, the pcap processing thread will incorrectly be stopped,
and no longer available for subsequent files.
8 years ago
Alexander Gozman 2cf2387e31 rules: optimize bidir rules with same src/dst
As an optimization, reset bidirectional flag for rules with same src and dst.
If one created a bidirectional rule like 'alert tcp any any <> any any ...',
the rule was checked twice (for each packet in every direction). This is
suboptimal and may give duplicated alerts. To avoid this, bidirectional
rules are now checked for the same src and dst (addresses and ports) and
if that is the case, the rule is treated as unidirectional and a corresponding
message is logged.
8 years ago
Victor Julien ba24bb82fa der: don't overwrite errcode
If the code has already been set it is more detailed than the more
generic 'invalid object'.
8 years ago
Mats Klepsland c130820bff conf: user-configurable umask setting
Make umask user-configurable by setting 'umask' in suricata.yaml.
8 years ago
Pierre Chifflier 3140e4598a DER parser: ensure errcode is set for every return path 8 years ago
Pierre Chifflier 2d34e402c0 DER parser: fix undefined behaviors and add missing length tests
Fix several undefined behaviors, caused by possible use or read of
uninitialized memory.
8 years ago
Antti Tönkyrä d6a98aa1c3 stream-tcp: add counters for midstream pickups
If midstream pickups are enabled this will help in discovering how
many midstream pickups are being done by Suricata.
8 years ago
Mats Klepsland d55e455504 eve: add JA3 fields to TLS JSON logger
Add JA3 object to TLS JSON logger (extended log).
8 years ago
Mats Klepsland 8339ed338f lua: add Ja3GetString function
Add Ja3GetString() to return the content of the JA3 string buffer from the
TLS session.

Example:

  function init (args)
      local needs = {}
      needs["protocol"] = "tls"
      return needs
  end

  function setup (args)
      filename = SCLogPath() .. "/ja3_string.log"
      file = assert(io.open(filename, "a"))
  end

  function log (args)
      ja3_string = Ja3GetString()
      if ja3_string == nil then
          return
      end

      file:write(ja3_string .. "\n")
      file:flush()
  end

  function deinit (args)
      file:close()
  end
8 years ago
Mats Klepsland 195fa9d272 lua: add Ja3GetHash function
Add Ja3GetHash() to return the content of the JA3 hash buffer from the
TLS session.

Example:

  function init (args)
      local needs = {}
      needs["protocol"] = "tls"
      return needs
  end

  function setup (args)
      filename = SCLogPath() .. "/ja3_hash.log"
      file = assert(io.open(filename, "a"))
  end

  function log (args)
      ja3_hash = Ja3GetHash()
      if ja3_hash == nil then
          return
      end

      file:write(ja3_hash .. "\n")
      file:flush()
  end

  function deinit (args)
      file:close()
  end

In the (useless) example above, each JA3 hash is logged to a log file.
8 years ago
Mats Klepsland 6e23ae230b detect: add (mpm) keyword ja3_string
Match on JA3 string using ja3_string keyword, e.g:

alert tls any any -> any any (msg:"JA3 string test";
        ja3_string; content:"65-68-69-102"; sid:1;)
8 years ago
Mats Klepsland 6c7aacce9e detect: add (mpm) keyword ja3_hash
Match on JA3 hash using ja3_hash keyword, e.g:

alert tls any any -> any any (msg:"JA3 hash test";
        ja3_hash;
        content:"e7eca2baf4458d095b7f45da28c16c34";
        sid:1;)
8 years ago
Mats Klepsland d4af90032e util-ja3: add function to check if JA3 is disabled 8 years ago
Mats Klepsland 0c16cd0120 app-layer-ssl: generate JA3 fingerprints
Decode additional fields from the client hello packet and generate
JA3 fingerprints.
8 years ago
Mats Klepsland 3f0dea582d app-layer-ssl: split function into multiple smaller functions
Split 'TLSDecodeHandshakeHello' into smaller functions to make
it easier to read the code when the function grows in size.
8 years ago
Victor Julien c60decd678 rust/dns: default to eve log version 2 for rust 8 years ago
Jason Ish 27fd521420 eve/dns/v2: support eve/dns v2 in rust 8 years ago
Jason Ish 57d9574839 rust/json: expose more of jansson to rust 8 years ago
Jason Ish dfdfc478ab eve/dns-v2: only log responses for enabled types
This changes the logic a bit for v2, checking the rrtype of the
query to see if the response should be logged.
8 years ago
Jason Ish 769f972185 eve/dns-v2: log authorities as a list
Log the authorities just like the answers, as a list under
the authorities key.
8 years ago
Giuseppe Longo 92db7be502 output-json-alert: add dns info
This changes the LogQuery and LogAnswer functions to return a json
object instead of writing it to a log file.
In this way it's possible to reuse them to add dns info
into an alert.

The following is an alert record with dns:

{
  "timestamp": "2017-07-31T15:01:17.885281+0200",
  "event_type": "alert",
  "src_ip": "8.8.8.8",
  ...
  "dns": {
    "query": [
      {
        "type": "query",
        "id": 25394,
        "rrname": "notifications.google.com",
        "rrtype": "A",
        "tx_id": 0
      }
    ],
    "answer": {
      "type": "answer",
      "id": 25394,
      "rcode": "NOERROR",
      "answers": [
        {
          "rrname": "notifications.google.com",
          "rrtype": "CNAME",
          "ttl": 3599,
          "rdata": "plus.l.google.com"
        },
        {
          "rrname": "plus.l.google.com",
          "rrtype": "A",
          "ttl": 299,
          "rdata": "216.58.205.174"
        }
      ]
    }
  }
}
8 years ago