db563ed4b0  Victor Julien  (12 years ago)
    tls: check SSL3/TLS version per record

    Set event if SSL3/TLS record isn't within the acceptable range.

c5f43785f1  Victor Julien  (12 years ago)
    tls/heartbleed: add rule for invalid encrypted hb

    Add rule to tls-events.rules to match on the invalid encrypted
    heartbeat.

d476c654ee  Pierre Chifflier  (12 years ago)
    TLS: add detection for malicious heartbeats (AKA heartbleed)

    The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not
    check the payload length correctly, resulting in a copy of at most 64k
    of memory from the server (ref: CVE-2014-0160).
    This patch adds support for decoding heartbeat messages (if not
    encrypted), and checking several parts (type, length and padding).
    When an anomaly is detected, a TLS event is raised.

e00b5ca191  Eric Leblond  (12 years ago)
    classification: add category to some stream rules

    All stream events signatures deserve a category.

3ec6bcf284  Victor Julien  (12 years ago)
    Make sure tls-events is part of the dist

    Added it to Makefile.am so it will be part of the dist created by
    make distcheck.

df10559d80  Victor Julien  (12 years ago)
    dns: fix message of decoder rule 2240008

    The message now reflects that the rule matches on:
        app-layer-event:dns.state_memcap_reached;

fdca557e01  Victor Julien  (12 years ago)
    ipv4 decoder: set 'invalid' event on icmpv6

    ICMPv6 on IPv4 is invalid, so if we encounter this we set an event
    and flag the packet as invalid.
    Ticket #1105.

657b83d238  Victor Julien  (12 years ago)
    dns: add event for when memcap is reached

    Raise event if state-memcap is reached for a flow.

61cdd9be6b  Victor Julien  (12 years ago)
    dns: detect case of request flooding

    In the case where DNS requests are sent over the same flow w/o a
    reply being received, we now set an event in the flow and refuse
    to add more transactions to the state. This protects the DNS
    handling from getting overloaded slowing down everything.
    A new option to configure this behaviour was added:

    app-layer:
      protocols:
        dnsudp:
           enabled: yes
           detection-ports:
             udp:
               toserver: 53
           request-flood: 750

    The request-flood parameter can be 0 (disabling this feature) or a
    positive integer. It defaults to 500.
    This means that if 500 unreplied requests are seen in a row an event
    is set. Rule 2240007 was added to dns-events.rules to match on this.

cb15000387  Victor Julien  (12 years ago)
    http: add new events for invalid host header and host part of uri

85f13c4e28  Victor Julien  (12 years ago)
    http: update http rules

cd7f0273a2  Anoop Saldanha  (12 years ago)
    Add decoder event rule for tls event "invalid_ssl_record", which will now be available "app-layer-event:tls.invalid_ssl_record".

fb16cf1a5a  Victor Julien  (12 years ago)
    vlan: add rule for new 'too many layers' event

6229bfab5e  Victor Julien  (13 years ago)
    DNS: rename dns.rules to dns-events.rules, include it in yaml

4f20f72f4d  Victor Julien  (13 years ago)
    DNS: add event rules file

4c6463f378  Victor Julien  (13 years ago)
    stream: handle extra different SYN/ACK

    Until now, when processing the TCP 3 way handshake (3whs), retransmissions
    of SYN/ACKs are silently accepted, unless they are different somehow. If
    the SEQ or ACK values are different they are considered wrong and events
    are set. The stream events rules will match on this.
    In some cases, this is wrong. If the client missed the SYN/ACK, the server
    may send a different one with a different SEQ. This commit deals with this.
    As it is impossible to predict which one the client will accept, each is
    added to a list. Then on receiving the final ACK from the 3whs, the list
    is checked and the state is updated according to the queued SYN/ACK.

1eed3f2233  Victor Julien  (13 years ago)
    ipv6: add event for ipv6 packet with icmpv4 header

150b0c5ae0  Victor Julien  (13 years ago)
    ipv6: add option to detect HOP/DST headers with only padding. Detect unknown DST/HOP opts.

9f519e95a2  Victor Julien  (13 years ago)
    http: add event for libhtp detection of request port not matching tcp port.

e1321f9ae6  Victor Julien  (13 years ago)
    stream: change how retransmissions are handled and detected.

3f6ecff260  Victor Julien  (13 years ago)
    stream: disable retransmission packet before last ack sig as it is fairly common in regular traffic

bc37cb6b8e  Victor Julien  (13 years ago)
    stream: detect retransmissions on closewait and finwait2 states

9094eb4783  Victor Julien  (13 years ago)
    stream: ignore ack value if ack flag is not set. Add stream.pkt_broken_ack event for when ack value is not 0 and ack flag not set.

6f76ac176d  Victor Julien  (13 years ago)
    stream: add option to match on overlapping data

    Set event on overlapping data segments that have different data.
    Add stream-events option stream-event:reassembly_overlap_different_data and
    add an example rule.
    Issue 603.

def0270de7  Eric Leblond  (13 years ago)
    decode: decode IPv6-in-IPv6

    This patch adds decoding of IPv6-in-IPv6. It also adds some events
    for invalid packets.
    This patch should fix #514.

09fa0b9542  Eric Leblond  (13 years ago)
    Add support for IPv4-in-IPv6

    This patch adds support for IPv4-in-IPv6 and should fix #462.

c44f4c13fc  Victor Julien  (13 years ago)
    stream: improve TCP flags handling

e3764b90c3  Victor Julien  (14 years ago)
    tls: debug compilation fixes, new tls decoder rule for tls.error_message_encountered event.

b976ff228a  Victor Julien  (14 years ago)
    ipv6: fix an AH header parsing issue. Add decoder event for non-null reserved fields.

887b4e0b6a  Victor Julien  (14 years ago)
    Disable some stream rules by default, fix sid no typo.

e624c56c83  Victor Julien  (14 years ago)
    Add TLS decoder event rule file.

374947c354  Victor Julien  (14 years ago)
    ipv6: properly deal with packets containing a FH header that has offset 0 and no more frags flag set.

aded3c5578  Victor Julien  (14 years ago)
    http: 'HTTP Host header ambiguous' after libhtp update. It now fires if hostname is present both in URL and Host header and the 2 are not equal.

e21d8cdf01  Victor Julien  (14 years ago)
    file extract: improve multipart parsing and set events on some error conditions.

93df717aa9  Victor Julien  (14 years ago)
    Add files.rules to the dist.

93d121bf21  Victor Julien  (14 years ago)
    Update app layer events for HTTP now that libhtp has fixes for some response errors.

ea34aeff3d  Victor Julien  (14 years ago)
    Add missing Makefile.am files for rules/ and doc/ dir.

132d9d1789  Victor Julien  (14 years ago)
    Add http-events.rules with an example rule for each HTTP event.

5a1a443701  Victor Julien  (14 years ago)
    Add example smtp decoding events rules file.

fd4e1460cf  Victor Julien  (14 years ago)
    Add checksum validation rules to decoder events rules.

ddfa5c49c6  Victor Julien  (14 years ago)
    Stream engine: gap handling

    Set a stream event for stream gaps.
    Add a (disabled by default) signature to the stream-event.rules.

b3e1679321  Victor Julien  (14 years ago)
    file handling: add example files.rules file

    Adding a rule file with various examples for using the fileext, filename,
    filemagic and filestore keywords.

d9ad1b00b3  Victor Julien  (14 years ago)
    Clean up SID allocation for decoder and stream rules.

552c6731b2  Eric Leblond  (14 years ago)
    Add signature file for stream events.

    This patch adds a rules/stream-events.rules file which contains
    alerts related to all stream events.

83c3f15812  Victor Julien  (15 years ago)
    Minor fixes in defrag engine, shrink DefragTracker_ structure.

0385f72669  Jason Ish  (15 years ago)
    Use separate frag decoder events for IPv4 and IPv6.

de1c40c44f  Jason Ish  (15 years ago)
    Set decoder event on fragment overlaps.

6da9c64a28  Jason Ish  (15 years ago)
    Set decoder event when re-assembled fragments would exceed max IP packet size.

6a048f2d69  Victor Julien  (15 years ago)
    Include initial version of decoder-event rules.