aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
17,781 Commits
8 Branches
163 Tags
178 MiB
main
main-7.0.x
main-8.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd0a513df6a'
${ noResults }
Commit Graph

483 Commits (d0a513df6a2f45657349b550e85ac78a13dbb268)

Author SHA1 Message Date
Philippe Antoine d0a513df6a detect/integers: support kibibyte unit 
Ticket: 7869
 2 months ago
Philippe Antoine be9858d3aa detect/integers: document usage of units 
Ticket: 7190
 2 months ago
Jeff Lucovsky 21707ab26c doc/from_base64: Emphasize keyword only values 
Emphasize that specifying the keyword only will result in the defaults
for each option to be used.

Issue: 7853
 2 months ago
Jason Ish 7a65ca10e2 doc/lua-detection: fix example script; remove most buffers 
- Reference rule hooks instead

Ticket: #7728
 3 months ago
Jason Ish 4791f37ca2 doc/lua-detection: update note to mention rules are enabled by default 
In 8.0, Lua rules are enabled by default.
 3 months ago
Philippe Antoine f4378eb306 doc/devguide: document app-layer protocol detection 
Ticket: 6022
 4 months ago
Jeff Lucovsky a300df4c4d detect/entropy: Clarify when entropy is logged 
Clarify when entropy values are logged and associated with non-alert log
records.
 4 months ago
Eric Leblond 751f3eef3b doc/userguide: fix some typos 4 months ago
Eric Leblond 6236574b9c doc/userguide: enrichment_key is now context_key 4 months ago
Eric Leblond 20a0575d96 doc/userguide: fix some typos 
Suggestions from Juliana.

Co-authored-by: Juliana Fajardini Reichow <jufajardini@gmail.com>
 4 months ago
Eric Leblond 40c545f8d9 doc/userguide: jsonline is now standard ndjson 4 months ago
Eric Leblond f724c75cc9 doc/userguide: improve datajson doc 4 months ago
Eric Leblond a652eee508 doc/userguide: remove left over datajson reference 4 months ago
Eric Leblond 7d28758a54 doc/userguide: improve datajson doc 
Patch adds ``remove_key`` option and clarifies the text.
 4 months ago
Eric Leblond 0ae88a408a doc/userguide: basic doc for jsonline format 4 months ago
Eric Leblond 9873c5d2e1 doc/userguide: add dataset with json 4 months ago
Victor Julien f2faba5a23 detect/config: add flow tracking doc 4 months ago
Victor Julien ecbcccf355 detect: add tcp.wscale keyword 
Allows matching on wscale option value in TCP header options.

Ticket: #7713.
 4 months ago
Jeff Lucovsky a8a3780276 doc/entropy: Document the entropy log output 4 months ago
Juliana Fajardini c5b9277474 doc/payload: fix typo, minor formatting changes 5 months ago
Juliana Fajardini 627b8900ef doc/rule-types: fix typo 5 months ago
Jason Ish 4a655053e8 mdns: add mdns parser, logger and detection 
The mDNS support is based heavily on the DNS support, reusing the
existing DNS parser where possible. This meant adding variations on
DNS, as mDNS is a little different. Mainly being that *all* mDNS
traffic is to_server, yet there is still the concept of request and
responses.

Keywords added are:
- mdns.queries.rrname
- mdns.answers.rrname
- mdns.additionals.rrname
- mdns.authorities.rrname
- mdns.response.rrname

They are mostly in-line with the DNS keywords, except
mdns.answers.rdata which is a better than that mdns.response.rrname,
as its actually looking at the rdata, and not rrnames.

mDNS has its own logger that differs from the DNS logger:

- No grouped logging

- In answers/additionals/authorities, the rdata is logged in a field
  that is named after the rdata type. For example, "txt" data is no
  longer logged in the "rdata" field, but instead a "txt" field. We
  currently already did this in DNS for fields that were not a single
  buffer, like SOA, SRV, etc. So this makes things more consistent. And
  gives query like semantics that the "grouped" object was trying to
  provide.

- Types are logged in lower case ("txt" instead of "TXT")

- Flags are logged as an array: "flags": ["aa", "z"]

Ticket: #3952
 5 months ago
Juliana Fajardini 404bb53ce9 pgsql: add query keyword 
Add the `pgsql.query` rule keyword to match on PGSQL's query
request message contents. This currently matches on the EVE field:

pgsql.request.simple_query

`pgsql.query` is a sticky buffer and can be used as a fast_pattern.

Task #6259
 5 months ago
jason taylor ca9b29c2d0 doc: update http.header_names normalization info 5 months ago
Jeff Lucovsky 77139e0cb1 doc/ftp: Document ftp.completion_code sticky buffer 
This commit adds documentation for the ftp.completion_code sticky
buffer. This is a multi-buffer match.

Issue: 7507
 5 months ago
Jeff Lucovsky 53c8a0f8f1 doc: Document luaxform transform 
Issue: 2290
 5 months ago
Jeff Lucovsky aec2513799 doc/ftp: Document ftp.reply_received 
Add documentation for the ftp.reply_received keyword.
 5 months ago
Jeff Lucovsky 0b02b1d2d1 doc/ftp: Document ftp.mode keyword 
Document the ftp.mode keyword
Fixup a typo in the ftp.reply keyword section.

Issue: 7505
 5 months ago
Philippe Antoine daabab7381 doc/ssh: document hooks 
Ticket: 7607
 6 months ago
Jeff Lucovsky ff59f215d6 doc/ftp: Document ftp.dynamic_port keyword 
Document the sticky buffer for ftp.dynamic_port
 6 months ago
Jason Ish be483dc873 doc/userguide: document that lua dns rules need hooks 
And remove the old "keywords" that a lua Rule can register with for
DNS.
 6 months ago
Philippe Antoine 8757ad5fd3 detect/dns: support string for dns.rrtype 
Ticket: 6723
 6 months ago
Philippe Antoine 44a6f7f8ca detect/dns: support string for dns.rcode 
Ticket: 6723
 6 months ago
Alice Akaki bda0890834 detect: add email.received keyword 
email.received matches on MIME EMAIL Received
This keyword maps to the EVE field email.received[]
It is a sticky buffer
Supports multiple buffer matching
Supports prefiltering

Ticket: #7599
 6 months ago
James deb761367d doc: Update bypass docs to use new keyword format 
Ticket: #7143

Update documentation to reflect new sticky buffer keyword format
 6 months ago
Victor Julien e3c6554ee6 detect/app-layer-protocol: allow matching on 'unknown' 6 months ago
Alice Akaki ca429ef5e3 detect: add email.url keyword 
email.url matches on URLs extracted from an email
This keyword maps to the EVE field email.url[]
Supports multiple buffer matching
Supports prefiltering

Ticket: #7597
 6 months ago
Victor Julien 57c73880db lua: enable lua rules by default 
Now that sandboxing is in place, lua rule support is enabled by default.
 6 months ago
Alice Akaki d4ec5b9765 detect: add ldap.responses.attribute_type 
ldap.responses.attribute_type matches on LDAP attribute type/description
This keyword maps the eve field ldap.responses[].search_result_entry.attributes[].type
It is a sticky buffer
Supports multiple buffer matching
Supports prefiltering

Ticket: #7533
 6 months ago
Alice Akaki 75fb352bde detect: add ldap.request.attribute_type 
ldap.request.attribute_type matches on LDAP attribute type/description
This keyword maps the following eve fields:
ldap.request.search_request.attributes[]
ldap.request.modify_request.changes[].modification.attribute_type
ldap.request.add_request.attributes[].name
ldap.request.compare_request.attribute_value_assertion.description
It is a sticky buffer
Supports multiple buffer matching
Supports prefiltering

Ticket: #7533
 6 months ago
Jeff Lucovsky 88c38fc4a0 doc/ftp: Document the ftp.reply keyword 
Issue: 7508
 6 months ago
Eric Leblond ed20e7cfe4 doc/userguide: doc domain and tld transforms 6 months ago
Victor Julien 6f5fd77cb9 detect/app-layer-state: keyword for protocol state 
Allow matching on the app-layer protocol state.
 6 months ago
Jeff Lucovsky 590c8f6131 doc/ftp: Add ftp.command_data 
This commits adds documentation for the ftp.command_data rule keyword
that includes usage examples.
 7 months ago
Philippe Antoine 90666c7da1 doc/sdp: fix doc to match real keywords names 
Ticket: 7291
 7 months ago
Alice Akaki 341369f203 detect: add email.x_mailer keyword 
email.x_mailer matches on MIME EMAIL X-Mailer
This keyword maps to the EVE field email.x_mailer
It is a sticky buffer
Supports prefiltering

Ticket: #7598
 7 months ago
Alice Akaki 52e12410ed detect: add email.message_id keyword 
email.message_id matches on MIME EMAIL Message-Id
This keyword maps to the EVE field email.message_id
It is a sticky buffer
Supports prefiltering

Ticket: #7593
 7 months ago
Giuseppe Longo 330241b162 doc: add sdp sticky buffers 7 months ago
Jeff Lucovsky ed2a81dc05 doc/entropy: Add documentation for the entropy keyword 
This commits adds documentation for the entropy keyword.
The entropy keyword calculates the Shannon entropy value for content
with the calculated value used to determine whether an alert occurs.
 7 months ago
Shivani Bhardwaj 5ba0ccaf4b doc: remove http cookie ua from list of buffers 
as they are available via library using the tx
- tx:request_header("Cookie")
- tx:response_header("Cookie")
- tx:request_header("User-Agent")
 7 months ago