aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
15,248 Commits
7 Branches
155 Tags
194 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'de5b8ae0b4'
${ noResults }
Commit Graph

1325 Commits (de5b8ae0b45636352e641cff7eeb4f1fc89c8129)

Author SHA1 Message Date
Victor Julien b8440a0917 jsonbuilder: add set_int for signed ints 
Bug: #6615
 1 year ago
Jason Ish f91122e0e8 dns: replace usage of rs_dns_tx_get_query_name with SCDnsTxGetQueryName 
SCDnsTxGetQueryName was introduced to allow for getting the query name
in responses as well as requests, so covers the functionality of
rs_dns_tx_get_query_name.
 1 year ago
Jason Ish 482325e28b dns: add dns.query.name sticky buffer 
This buffer is much like dns.query_name but allows for detection in both
directions.

Feature: #6497
 1 year ago
Jason Ish 5f99abb0cb dns: add dns.answer.name keyword 
This sticky buffer will allow content matching on the answer names.
While ansers typically only occur in DNS responses, we allow the buffer
to be used in request context as well as the request message format
allows it.

Feature: #6496
 1 year ago
Jason Ish 9464d0b14a dns: consolidate DNSRequest and DNSResponse to DNSMessage 
DNS request and response messages follow the same format so there is
no reason not to use the same data structure for each. While its
unlikely to see fields like answers in a request, the message format
does not disallow them, so it might be interesting data to have the
ability to log.
 1 year ago
Jason Ish e2d7a7f877 dns: rustfmt with latest stable 1 year ago
Jason Ish 4620776a30 rustfmt: replace deprecated fn_args_layout with fn_params_layout 1 year ago
Philippe Antoine 1b5e04bee3 http2: do not have leading space for response line 
Ticket: 6547
 1 year ago
Juliana Fajardini bdec2d8ea8 pgsql: don't log password msg if password disabled 
If the logging of the password is disabled, there isn't much point in
logging the password message itself.
 1 year ago
Juliana Fajardini 9aeeac532e pgsql: remove probe_ts function 
With the changes in the probing_ts function, this other one could become
obsolete. Remove it, and directly call `parser::parse_request` when
checking for gaps, instead.
 1 year ago
Juliana Fajardini 53d29f652a pgsql: remove unused error handling call 1 year ago
Juliana Fajardini afd6e4dc41 pgsql: don't log unknown message type 1 year ago
Juliana Fajardini 4f85d06192 pgsql: fix probing functions 
Some non-pgsql traffic seen by Suricata is mistankenly identified as
pgsql, as the probing function is too generic. Now, if the parser sees
an unknown message type, even if it looks like pgsql, it will fail.

Bug #6080
 1 year ago
Juliana Fajardini 1ac5d97259 pgsql: add unknonwn frontend message type 
We had unkonwn message type for the backend, but not the frontend
messages. It's important to better identify those to improve pgsql
probing functions.

Related to
Bug #6080
 1 year ago
Victor Julien d3ccff5822 detect/asn1: handle in PMATCH 
Since the asn1 keyword is processing payload data, move the handling of
the keyword into the PMATCH with content inspection.

Use u32 as buffer length in the Rust FFI
 1 year ago
Victor Julien 132fe57ac6 rust: add copyright header to common.rs 1 year ago
Philippe Antoine e38b9de6a2 output/krb5: have krb5 properties in alerts 
Ticket: 5977
 1 year ago
Philippe Antoine 8a09bff0aa output/tftp: have tftp properties in alerts 
Ticket: 6501
 1 year ago
Philippe Antoine 0b6b015e26 output/alert: rewrite code for app-layer properties 
Especially fix setup-app-layer script to not forget this part

This allows, for simple loggers, to have a unique definition
of the actual logging function with the jsonbuilder.
This way, alerts, files, and app-layer event can share the code
to output the same data.

Ticket: #3827
 1 year ago
Philippe Antoine 90c17652a3 rust: remove unused 
Ticket: #4083
 1 year ago
Sascha Steinbiss 0c55fe3515 detect: add mqtt.connect.protocolstring 
Ticket:  OISF#6396
 1 year ago
Philippe Antoine e3cd0d073f http2: app-layer event for userinfo in uri 
Ticket: #6426

as per RFC 9113
":authority" MUST NOT include the deprecated userinfo subcomponent
for "http" or "https" schemed URIs.
 1 year ago
Philippe Antoine 6249722589 http2: normalize host when there is user info 
Ticket: 6479
 1 year ago
Philippe Antoine b6cd66f41d http2: update brotli crate 
Fixes debug assertion found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63144
 1 year ago
Philippe Antoine 46a46e5b1f http2: event on mismatch between authority and host 
Ticket: #6425
 1 year ago
Philippe Antoine ae72ce77fa detect: parse units for integers 
Ticket: #6423

Especially for filesize, instead of just a number, a signature
can use a number and a unit such as kb, mb or Gb
 1 year ago
Daniel Olatunji 54de0450f4 rust: remove cbindgen:ignore on frames module 
This directive is no longer required, and does
mess up the rustdoc description of the module.
 1 year ago
Daniel Olatunji 5c0af0b203 rust/doc: add docstring to rust module files. 
Issue: #4584
 1 year ago
Philippe Antoine 14a4c6c696 rust: update brotli decompressor crate 
cf https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59687
 1 year ago
Philippe Antoine 9157070907 quic: v2 support per rfc 9369 
Ticket: #4968
 1 year ago
Yatin Kanetkar b67ff4badf dhcp: Log Vendor Client Identifier (dhcp option 60) 
* Log vendor client identifier (dhcp option 60) if extended dhcp
logging is turned on. This required the `vendor_client_identifier` to
be added to the json schema. Validation done using an SV Test
* Added `requested_ip` to the json schema as well, since it was
missed. My SV test failed without it.

Feature #4587
 2 years ago
Philippe Antoine 5bdbc1a313 rdp: do not use zero-bit bitflag 
cf https://docs.rs/bitflags/latest/bitflags/#zero-bit-flags

As warned by clippy 1.72.0
 2 years ago
Philippe Antoine b235e85c68 rust: fix clippy warnings for version 1.72.0 
Includes using the right prototype for C SRepCatGetByShortname
 2 years ago
Victor Julien 89f1837625 rust: update cargo.lock 2 years ago
Shivani Bhardwaj 8770431986 dcerpc: accept ALTER_CONTEXT as a valid request 
So far, if only the starting request was a DCERPC request, it would be
considered DCERPC traffic. Since ALTER_CONTEXT is a valid request type,
it should be accepted too.

Reported and patch proposed in the following Redmine ticket by
InterNALXz.

Bug 6191
 2 years ago
Victor Julien 389f166d78 file: remove FILE_USE_DETECT flag 
All implementations were converted to use the logic, so the flag itself
can be removed.
 2 years ago
Shivani Bhardwaj d4e674b390 rust: fix clippy warnings 2 years ago
Victor Julien 0068b81269 rust: update cargo.lock 2 years ago
Philippe Antoine 60db5e981c http2: do not append data after closing file 
Ticket: #6211

Completes commit 02dece5db5

Once a http2 stream has end of stream flag, we close the file.
If we see new data frames with this stream id, the new_chunk
function should ignore them as the file was already closed.
 2 years ago
Jeff Lucovsky 690b65ae88 detect/byte_math: Permit var name for bytes value 
Issue: 6145

Modifications to permit a variable name to be used for the byte_math
bytes value.
 2 years ago
Philippe Antoine 02dece5db5 http2: file tracker is initialized when file is closed 
Ticket: #6130

This avoids quadratic complexity by having http2_range_key_get
looking in a growing number of frames
 2 years ago
Sascha Steinbiss 1521b77edd rfb: also set unimplemented auth types 2 years ago
Sascha Steinbiss 1606aca881 rfb: ensure logging of incompletely parsed txs 2 years ago
Sascha Steinbiss 1f8a5874fb rfb: never return error on unknown traffic 
We only try to parse a small subset of what is possible in
RFB. Currently we only understand some standard auth schemes
and stop parsing when the server-client handshake is complete.
Since in IPS mode returning an error from the parser causes
drops that are likely uncalled for, we do not want to return
errors when we simply do not understand what happens in the
traffic. This addresses Redmine #5912.

Bug: #5912.
 2 years ago
Sascha Steinbiss 836fff3679 rfb: add myself as contributor 2 years ago
Sascha Steinbiss bd1fbf392e rfb: be more strict parsing the version 2 years ago
Philippe Antoine d40dca5e55 dcerpc: maximum number of live transactions also for UDP 
Ticket: #6129

Avoids that quadratic complexity gets too bad
 2 years ago
Jason Ish 68d0d6ca24 rust: fix unit test link error on Rust 1.70 
Rust 1.70 appears to now link code on both branches of `if cfg!(test)`
now causing Rust unit tests to fail as that pattern was used to
disable functions only available when linked with the Suricata C code.

To work-around this issue, provide two versions of the `new` function,
one for unit tests and one when running as an application.
 2 years ago
Philippe Antoine 7256ec8a6e detect/http2: do not escape ':' in header name or value 
for keywords http.request_header and http.response_header

Ticket: #5780
 2 years ago
Philippe Antoine 4c466ec5f4 rust/pgsql: remove unused/unconstructed enum variants 2 years ago