suricata

Commit Graph

Author	SHA1	Message	Date
Victor Julien	2c0e434bb8	detect: pass de_ctx to DetectBufferSetActiveList	3 years ago
Victor Julien	c15d511064	frames: enable only used frames Enable only frames that are actually used. Ticket: #4979.	3 years ago
Victor Julien	39d9b3adbe	frames: implement generic <alproto>.stream frames Add a hard coded <alproto>.stream option for all stream data for a protocol. Starts at stream offset 0 or at the point of a protocol upgrade in case of STARTTLS or CONNECT.	3 years ago
Victor Julien	b31ffde6f4	output: remove error codes from output	3 years ago
Victor Julien	e250ef6402	debug: remove empty header	3 years ago
Victor Julien	f5408ec2d7	detect/frame: fix frame detect registration Rewrite keyword parser. Duplicate short names could lead to buffer confusion and memory leaks. Bug: #5238.	4 years ago
Victor Julien	c96d22e8a1	frames: support UDP frames UDP frames point to the UDP packet payloads. The frames are removed after each packet. Ticket: #4983.	4 years ago
Victor Julien	a492d94826	detect/frames: implement 'frame' keyword Implement a special sticky buffer to select frames for inspection. This keyword takes an argument to specify the per protocol frame type: alert <app proto name> ... frame:<specific frame name> Or it can specify both in the keyword: alert tcp ... frame:<app proto name>.<specific frame name> The latter is useful in some cases like http, where "http" applies to both HTTP and HTTP/2. alert http ... frame:http1.request; alert http1 ... frame:request; Examples: tls.pdu smb.smb2.hdr smb.smb3.data Consider a rule like: alert tcp ... flow:to_server; content:"\|ff\|SMB"; content:"some smb 1 issue"; this will scan all toserver TCP traffic, where it will only be limited by a port, depending on how rules are grouped. With this work we'll be able to do: alert smb ... flow:to_server; frame:smb1.data; content:"some smb 1 issue"; This rule will only inspect the data portion of SMB1 frames. It will not affect any other protocol, and it won't need special patterns to "search" for the SMB1 frame in the raw stream.	4 years ago

8 Commits (d40dca5e55286c57e9a83018975022c4f08bf6d1)