Commit Graph

13280 Commits (c57052181c9e9fd9ec54f7b1ca4740f4be6cdece)

Author SHA1 Message Date
Philippe Antoine c57052181c snmp: rustfmt detect.rs 2 years ago
Philippe Antoine c7214be99b snmp: adds usm keyword
as is logged

Ticket: #5416
2 years ago
Victor Julien 4adab8f271 github/codeowners: update 2 years ago
Philippe Antoine 5a31b3508d ftp: optimized tx iterator
To be more efficient with larger number of transactions.

Ticket: #5314
2 years ago
Victor Julien 6d3140bc01 mime: remove unused length fields 2 years ago
Victor Julien 816bbeb7dc fuzz/mime: fix call conditions and args
The SMTP parser should not supply lines w/o EOL chars to the mime
parser unless it's in the BODY parsing stage. Mimic this in the fuzz
target by testing the state for inputs that have no EOL.

Additionally, make sure the delim cnt reflects the missing EOL.
2 years ago
Victor Julien d81582c4a2 mime: fix corner case
Fix a corner case where a base64 sequence including a space was followed
by a newline in the input data.
2 years ago
Victor Julien 5805ed47f5 mime: add base64 related debug messages 2 years ago
Victor Julien 41c2c1ed5a mime: improved empty line handling
Make sure a new body is not set up on empty lines unless it is
a body that is not encoded as base64/quoted printable.
2 years ago
Victor Julien 074cfb5c68 mime: fix and cleanup tests
Line count check was failing after recent delim handling updates.
2 years ago
Victor Julien 6e2c066ce1 smtp: fix passing a wrong delim len around 2 years ago
Victor Julien b82b8825e7 mime: properly pass full lines to non-decoded body
Use actual delim count and make sure we also pass on empty lines
(so delim(s) only).
2 years ago
Victor Julien 0d6ab727c5 mime/base64: fix final data not getting processed
If the last data of the body was not a multiple of 4 and not padded
to be a multiple of 4, it would not be processed.
2 years ago
Victor Julien 100d821a9f stream: fix GAP check
Gap check would consider a GAP when the current data was in fact
exactly not a gap, but next segment(s) were already available.
2 years ago
Victor Julien 29ec1b1e7b mime: minor code cleanup 2 years ago
Victor Julien 0871029d17 mime: remove unused 'linerem' logic 2 years ago
Victor Julien 5953a7d2eb smtp/mime: fix parsing edge case
Correctly track "remaining" bytes after partial base64 decoding.

Add comment clarifications and debug validation checks.
2 years ago
Victor Julien a38f2f2a52 smtp: skip preprocessing for mime headers
Mime parser doesn't expect partial lines, which preprocessing can
provide. Add a check to let mime headers be handled by regular line
parsing.
2 years ago
Victor Julien 929faae6d4 eve/schema: add drop.udplen, email fields 2 years ago
Juliana Fajardini 2544be4672 source/pcap: fix infinite loop if interface goes down
When in live-pcap mode, if the sniffed interface went down and up again,
Suri would enter an infinite loop and keep running, while not registering new
events. This fixes that behavior by allowing Suri to retry to open the
pcap in case of a retry on an already activated capture
('PCAP_ERROR_ACTIVATED').

This change is based on Zhiyuan Liao's work.

Bug #3846
2 years ago
dependabot[bot] dc6fff2cca github-actions: bump ossf/scorecard-action from 1.1.1 to 1.1.2
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.1.1 to 1.1.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](3e15ea8318...ce330fde6b)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2 years ago
Philippe Antoine 585e5e0d3c detect: impose limits on pcrexform
As is done for pcre keyword

Ticket: #5409
2 years ago
Juliana Fajardini 45b7aad2b5 devguide: incorporate contribution process page
That page existed only in our redmine. Updated and added a few things,
like a paragraph about our expectations for feature contributors.

Also updated links, contacts and some other processes that may have
changed since last edition.

Added some section labels in related documents, for ease of referencing.

Task #4929
2 years ago
Victor Julien a89840929b detect: set drop reason for rule based drops
Call `PacketDrop` with drop reason for drops, keep old logic
in place for the rest.
2 years ago
Victor Julien ad14e71efe stream: suppress exception policy debug message 2 years ago
Victor Julien 046287c2b5 detect/filestore: clean up stream flag handling 2 years ago
Victor Julien 7ced8de6c4 github/workflows: add cargo for all Ubuntu jobs 2 years ago
Victor Julien 3617be326c eve/schema: add pcap_filename field 2 years ago
Victor Julien 71ef62bfc5 file: consistently track size of gaps
Until now only the size of gaps counted in the regular append, not
close and open.

Bug: #5392.
2 years ago
Victor Julien fc566037b4 eve/schema: add new flow fields 2 years ago
Victor Julien 1594e41b06 stream: remove unused TCP_LISTEN
Keep the values the same so we might be able to bring it back
w/o issues.
2 years ago
Victor Julien e05b6f44e3 counter: tcp liberal counter 2 years ago
Victor Julien 0ebe372607 stream: after missing segments, be liberal on RST
This avoids long lasting inactive flows because in the most likely
case the RST did in fact end the connection. However Suricata may
still consider it to be "established".
2 years ago
Victor Julien b0993d6fd8 flow: add various flow counters
Add flow.end state counters

Add active TCP sessions counter

Add flow.active counter

Add flow.total counter

Ticket: #1478.
2 years ago
Victor Julien aa31d2193f counters: add StatsDecr 2 years ago
Victor Julien 88edc8630c flow/manager: add flow.mgr.rows_sec counter 2 years ago
Victor Julien f271fb4575 flow/recycler: bring back pthread_cond_t sleep
Bug #4379.
2 years ago
Victor Julien 633e6cf09e flow/recycler: minor code cleanups 2 years ago
Victor Julien 73138809e2 flow/manager: move counters into util func 2 years ago
Victor Julien 0c048d3e5c flow/manager: minor code cleanups 2 years ago
Victor Julien 7f4e120a97 flow/manager: remove debug and dead code 2 years ago
Victor Julien e6ac2e4e8a flow/manager: sleep handled by pthread_cond_t again
Use only in live mode to allow FM to respond quickly to time
increases in offline mode.

Bug #4379.
2 years ago
Victor Julien 39141a8836 time: add timeradd implementation
timeradd isn't available on MinGW.
2 years ago
Victor Julien e9d2417e0f flow/manager: adaptive hash eviction timing
The flow manager scans the hash table in chunks based on the flow timeout
settings. In the default config this will lead to a full hash pass every
240 seconds. Under pressure, this will lead to a large amount of memory
still in use by flows waiting to be evicted, or evicted flows waiting to
be freed.

This patch implements a new adaptive logic to the timing and amount of
work that is done by the flow manager. It takes the memcap budgets and
calculates the proportion of the memcap budgets in use. It takes the max
in-use percentage, and adapts the flow manager behavior based on that.

The memcaps considered are:
    flow, stream, stream-reassembly and app-layer-http

The percentage in use is inversely applied to the time the flow manager
takes for a full hash pass. In addition, it is also applied to the chunk
size and the sleep time.

Example: tcp.reassembly_memuse is at 90% of the memcap and normal flow
hash pass is 240s. Hash pass time will be:

    240 * (100 - 90) / 100 = 24s

Chunk size and sleep time will automatically be updated for this.

Adds various counters.

Bug: #4650.
Bug: #4808.
2 years ago
Michael Tremer f50af12068 stream: tcp: Handle retransmitted SYN with TSval
For connections that use TCP timestamps for which the first SYN packet
does not reach the server, any replies to retransmitted SYNs will be
dropped.

This is happening in StateSynSentValidateTimestamp, where the timestamp
value in a SYN-ACK packet must match the one from the SYN packet.
However, since the server never received the first SYN packet, it will
respond with an updated timestamp from any of the following SYN packets.

The timestamp value inside suricata is not being updated at any time
which should happen. This patch fixes that problem.

Bug: #4376.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years ago
Victor Julien 8109b0017e detect/dcerpc: simplify keyword validation
Now that the engine understands the relation between SMB and DCERPC better
we can get rid of some of the special case handling in keywords.
2 years ago
Victor Julien 8d20b40cdd detect/content: fix FNs due to bad depth calc
When trying to propagate the depth/offset, within/distance chains
a logic error would set too restrictive a depth on a pattern that
followed more than one "unchained" pattern.

Bug: #5162.
2 years ago
Victor Julien 50d02ebc05 detect/content: simplify int bounds checking
Use a macro to validate the ranges for overflows. This removes
the clutter of all the checks and warnings, and also no longer
puts the state machine in an undefined state when hitting such
a condition.
2 years ago
Victor Julien a83f02d4cd detect/dcerpc: apply dcerpc to smb as well
So 'alert dcerpc' also matches if the DCERPC is over SMB.

Explicitly refuse smb keywords for the 'dcerpc' app proto setting:
`alert dcerpc ... smb.share; ...` is rejected.

Remove a now useless special case in the stateless rule processing
matching for dcerpc/smb.

Bug: #5208.
2 years ago
Philippe Antoine e692530021 event: only sets APPLAYER_UNEXPECTED_PROTOCOL once
If f->alproto == ALPROTO_UNKNOWN, we do not know the new protocol
yet, so we do not set the event yet.
2 years ago