Commit Graph

9040 Commits (ede94e1f66337e166ef811bec91e55eba9b331ea)

Author SHA1 Message Date
Jason Ish ede94e1f66 doc: alphabetize EXTRA_DIST 7 years ago
Jason Ish ff73d908aa doc: add window ips inline doc to extra_dist 7 years ago
Jason Ish d2142cf433 doc: make warnings errors when building man page 7 years ago
Jason Ish 01f477786e doc: link in windows ips setup page 7 years ago
Victor Julien 5bcae21653 detect: reload-rules shouldn't reload a stub 7 years ago
Victor Julien 4eaec2dff0 detect/debug: suppress noisy info messages 7 years ago
Victor Julien 8c918a4bea detect/multi-tenant: fix mix of default detect engine and tenants 7 years ago
Victor Julien 6e9d81289d detect: make detect engine types explicit
There are 3 types of detect engine objects:
    1. normal
       The normal detection engine if no multi-tenancy is in use

    2. tenant
       A per tenant detection engine

    3. stub
       A stub (or minimal as it was called before) detect engine
       that is needed to have something in place when there are
       only tenants.

       A stub is also used in case of 'delayed detect', where we
       need a minimal detect engine to start up which is replaced
       by a full (normal type) detect engine after startup.

This patch adds a new field 'type' to the DetectEngineCtx object
to distinguish between the types. This replaces the boolean 'minimal'.
7 years ago
Victor Julien b5bc509857 dhcp: suppress notice message at startup 7 years ago
Jason Ish d83707bef9 rust/dns - remove extra parentheses
Removes rust compiler warning.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2521
7 years ago
Jason Ish 7d5f8295bc yaml-loader: fix memory leak on fail include
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/1929

If an include failed to load, either by the file not existing or
a parse error, the file pointer and yaml parser instance were
leaked.
7 years ago
Eric Leblond ec0a7b22a5 output-json-alert: log correct dns and dnp3 tx
Using transaction log entry is not correct to log the transaction
that did cause the alert. The tx_id in the PacketAlert is correct
so let's use that.
7 years ago
Victor Julien d377eba254 detect/multi-tenant: fix removing of tenant id 0 7 years ago
Victor Julien f8ebcac736 unix/multi-tenant: improve (log) messages 7 years ago
Victor Julien 4866295bfb detect/tenants: fix crash when adding mapping
When no tenants and mappings are defined in 'live' mode, adding a
mapping resulted in a crash.
7 years ago
Victor Julien 663549d02c detect: remove lock from global keyword logic
The global keyword registration and per thread init handling used
the lock from the DetectEngineMasterCtx. This led to a deadlock
situation at multi-tenancy tenant reloads.

The lock was unnecessary however, as the only time the registration
list is updated is at engine initialization. At that time Suricata
is still running in a single thread. After this, the data structure
doesn't change anymore.

Bug #2516.
7 years ago
Jacob Masen-Smith ec77632e84 Adds WinDivert support to Windows builds
Enables IPS functionality on Windows using the open-source
(LGPLv3/GPLv2) WinDivert driver and API.

From https://www.reqrypt.org/windivert-doc.html : "WinDivert is a
user-mode capture/sniffing/modification/blocking/re-injection package
for Windows Vista, Windows Server 2008, Windows 7, and Windows 8.
WinDivert can be used to implement user-mode packet filters, packet
sniffers, firewalls, NAT, VPNs, tunneling applications, etc., without
the need to write kernel-mode code."

- adds `--windivert [filter string]` and `--windivert-forward [filter
    string]` command-line options to enable WinDivert IPS mode.
    `--windivert[-forward] true` will open a filter for all traffic. See
    https://www.reqrypt.org/windivert-doc.html#filter_language for more
    information.

Limitation: currently limited to `autofp` runmode.

Additionally:
- `tmm_modules` now zeroed during `RegisterAllModules`
- fixed Windows Vista+ `inet_ntop` call in `PrintInet`
- fixed `GetRandom` bug (nonexistent keys) on fresh Windows installs
- fixed `RandomGetClock` building on Windows builds
- Added WMI queries for MTU
7 years ago
Jason Ish 55ad4e4ece travis: use gcc-7 on cocci build
Catches more errors, like switch statements fall throughs
that are caught in private QA.
7 years ago
Chris Speidel 1e8959b465 doc: fix minor typo 7 years ago
Jason Ish cf33c9975a filestore: fix truncation warnings 7 years ago
fooinha f67aa5deaa packet: gre over ip link type 7 years ago
Victor Julien 693a3df031 tls: document encrypt-handling option
Document in sample yaml and user guide.
7 years ago
Victor Julien 2d50fe499a tls: new config for dealing with encrypted traffic
Much of encrypted traffic is uninteresting to Suricata. Once encrypted
communication starts, inspecting the packet payloads is generally
not interesting anymore. The default behavior is to disable the parts
of the detection engine and stream reassembly that relate to raw content
inspection.

The tls app-layer parser also had a crude option to affect this behavior:
setting 'no-reassemble' to true went much further than the default behavior.
It disabled the TCP reassembly on the flow completely, disabled all
inspection on the flow and enabled bypass if available.

This patch adds a new option: full inspection. This continues to treat
a TLS session as any other, so without any limits to inspection.

The new option is implemented in a new config option 'encrypt-handling',
that replaces 'no-reassemble'. The new option has 3 values:
'default', 'full' and 'bypass'. Default is the current default behavior,
'bypass' is the current 'no-reassemble = true' behavior and 'full'
is the new full inspection mode.
7 years ago
Victor Julien e6a009ae7f detect/stream_size: code cleanups 7 years ago
Victor Julien f30f038179 detect/stream_size: apply rule to packets & stream
The use of stream_size in combination with raw content matches is an
indication that the rule needs to be evaluated per packet, not just
per reassembled stream chunk.
7 years ago
Victor Julien c677e07d3e kerberos: minor doc updates, add author 7 years ago
Victor Julien b61e9c2173 dhcp: add author 7 years ago
Jason Ish fb85822730 dhcp: update user guide 7 years ago
Jason Ish c052e23348 dhcp: add dhcp app-layer rules file 7 years ago
Jason Ish 9210d8743b rust/dhcp: Rust based DHCP decoder and logger.
This is a DHCP decoder and logger written in Rust. Unlike most
parsers, this one is stateless so responses are not matched
up to requests by Suricata. However, the output does contain
enough fields to match them up in post-processing.

Rules are included to alert of malformed or truncated options.
7 years ago
Jason Ish 1b0b74dc16 rust: a Rust ConfNode wrapper.
A Rust wrapper around the C ConfNode object. Currently only exposes
ConfGetChildValueBool and ConfGetChildValue.
7 years ago
Jason Ish 05e20c5c57 eve: check if enabled before attempting to setup
Before setting up a sub eve-logger, check that it is enabled. This
allows us to set "enabled: no" for loggers that are not registered
with the system without generating an error. An example of this
is loggers that are only available with Rust.
7 years ago
Jason Ish 2ec3381600 rust/app-layer: macros to export de_state functions
These macros generate the extern "C" functions for transactions
structs that need to provide functions for setting and getting
the de_state. The idea is to provide macros to avoid code
duplication and make it simpler to create an app-layer.

A trait would be the correct solution, but it doesn't look like
you can use traits to export extern "C" functions.
7 years ago
Jason Ish da4912dfe7 rust: add get_tx_iterator to parser registration 7 years ago
Jason Ish 14843a7b43 app-layer-register: add GetTxIterator
Add a field to set the GetTxIterator function to the AppLayerParser
registration struct.
7 years ago
Jason Ish 9fc1250ca8 app-layer-detect-proto: remove unnecessary gotos 7 years ago
Pierre Chifflier e9ae62ed05 Kerberos 5: properly handle TCP buffering 7 years ago
Pierre Chifflier c51ff32adb Document Kerberos 5 parsing events 7 years ago
Pierre Chifflier 1076c7cd47 Add krb5_err_code detection keyword 7 years ago
Pierre Chifflier d6b9c0294a Add krb5_cname and krb5_sname detection keywords 7 years ago
Pierre Chifflier 0bd81ff838 Add krb5_msg_type detection keyword 7 years ago
Pierre Chifflier 5037051161 Kerberos 5: rename weak crypto to weak encryption, and log it 7 years ago
Pierre Chifflier 6ae53a1869 Add event rules for Kerberos 5 7 years ago
Pierre Chifflier 3a017f61b0 Kerberos 5: pretty-print error code when logging 7 years ago
Pierre Chifflier 52f5c7914f Log Kerberos 5 errors 7 years ago
Pierre Chifflier 1e5f5d405f Kerberos 5: add support for TCP as well 7 years ago
Pierre Chifflier 645ba17509 Kerberos: check version in probing function 7 years ago
Pierre Chifflier fd175f2bfb Add logger for Kerberos 5 metadata 7 years ago
Pierre Chifflier 77f0c11c9e Add Kerberos 5 application layer 7 years ago
Eric Leblond 325f336f63 util-random: fix detection of getrandom failure 7 years ago