aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
14,994 Commits
7 Branches
161 Tags
173 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'suricata-7.0.1'
${ noResults }
Commit Graph

14994 Commits (suricata-7.0.1)
 

Author SHA1 Message Date
Pierre Chifflier ce9efc34c7 rust/pgsql: convert parsers to nom7 functions 4 years ago
Philippe Antoine e8060990d1 detect: fix possible leak found by coverity 
Conditions to create the leak are likely not reachable,
but this is still a bad pattern.
 4 years ago
Catena cyber cc746b4594
ci: adds scorecard analysis GitHub workflow 4 years ago
Juliana Fajardini 579d7dcc01 pgsql: add initial support 
- add nom parsers for decoding most messages from StartupPhase and
SimpleQuery subprotocols
- add unittests
- tests/fuzz: add pgsql to confyaml

Feature: #4241
 4 years ago
Juliana Fajardini 4c743b809c rust/applayer: add function for upgrading to TLS 4 years ago
Shivani Bhardwaj 8918f53f6b smtp: use AppLayerResult instead of buffering 
Also, remove tests that check for the removed buffers and any middle
states while parsing and buffering.

Ticket 4907
 4 years ago
Victor Julien e02b52c895 quic: add quic.ua for matching user agent 4 years ago
Victor Julien 4c13b73c4d quic: log user agent when available 4 years ago
Victor Julien da8b024b99 detect/quic: add quic.sni sticky buffer 4 years ago
Victor Julien 7b836af1b2 quic: log sni; reduce number of transactions 
Only create transactions for long headers.

Store SNI in tx, log it.
 4 years ago
Victor Julien cf4ddab6f4 doc/quic: update for new quic.version logic 4 years ago
Victor Julien ccab28aad3 quic: log version as string 
Log as Q043, Q044, Q045, Q046. If the version is not supported/recognized,
log the 4 bytes as hex.

Only log for txs based on long headers.
 4 years ago
Victor Julien 24a21af4ab quic: redo quic.version; parser cleanups 
Reimplement quic.version as sticky buffer.

Removed unused parts of the parser.

Set unidirectional tx flag to fix double matching.
 4 years ago
Emmanuel Thompson 6641efb74f doc/quic: Add documentation for QUIC keywords 4 years ago
Emmanuel Thompson 9ad60e7661 doc/quic: Add quic to eve json format 4 years ago
Emmanuel Thompson 7e51987263 quic: Add QUIC App Layer 
Parses quic and logs a CYU hash for gquic frames
 4 years ago
Andreas Dolp f714484591 Doc: Fix typos in documentation of suricata.yaml. 4 years ago
Sam Muhammed c4bd3cd70e nfs4_records: add unittests 
Add unittests for setclientid, readdir records
Task #4866
 4 years ago
Pierre Chifflier c61cbd9b35 rust: simplify bits parser annotations 4 years ago
Pierre Chifflier 1b25bcbb13 rust/smb: simplify bits parser annotations 4 years ago
Pierre Chifflier 4d6aa6d532 rust: add 'bits' combinator to simplify nom bits parsers 
Add a specialized version of the 'bits' nom combinator so adding
bits-level parsers does not require type annotations.
 4 years ago
Philippe Antoine 23fb139e00 detect: do not upgrade base64 decode when fuzzing 
As fuzzing will put a very big value, and then
ThreadCtxDoInit will try to allocate it,
ending in out of memory
 4 years ago
Victor Julien ca29d33c69 proto-detect: set flags in packet direction for UDP 4 years ago
Victor Julien 449cc82943 proto-detect: fix UDP not setting alproto_ts/tc 
This would lead to the `app-layer-protocol` keyword not matching correctly.
 4 years ago
Philippe Antoine 0cfdec1266 detect: xor transform 
Ticket: 3285

The xor transform applies xor decoding to a buffer, with a key
specified as an option in hexadecimal. Arbitrary key sizes are
accepted.
 4 years ago
Philippe Antoine 1d4fe38ccb detect: adds test with invalid uint mode << 4 years ago
Philippe Antoine 2012b14470 detect: use generic functions for icode parsing 4 years ago
Philippe Antoine e2370d6861 fuzz: cleans all flow after one run 
Makes the fuzz target more stateless

And manages to find bugs on the FlowFree path
 4 years ago
Philippe Antoine add1a0f561 fuzz: use parsed rules in sigpcap target 
Ticket: 4125

As commit d21a252238
But for sigpcap target as well
 4 years ago
Philippe Antoine 529678d501 dns: wrap with HAVE_LUA 
This is just code style, to minimize the compiled code.
 4 years ago
Philippe Antoine 6885b66883 fuzz: enable template protocols 
Ticket: 4125
 4 years ago
Philippe Antoine ed11e32076 enip: fix too restrictive check in probing parser 
As is shown later in the code, enip_len can be
ENIP_LEN_REGISTER_SESSION which is 4, which is
smaller than sizeof(ENIPEncapHdr) which is 24
 4 years ago
Philippe Antoine 09c84d0c26 fuzz: use fuzzing confyaml for protodetect target 
As is done for other targets,
so that all app-layer protocols are enabled,
even the ones disabled by default such as enip

And resets protocol detection every time we try
so that probing_parser_toserver_alproto_masks are fresh.
 4 years ago
Jason Ish cda11b8d97 doc/update: mention change of default rule path 4 years ago
Jason Ish 8071d8239e doc: update rule section to current default 
Update the rule section to better describe whats seen in a default
install of Suricata including a link to the rule management section.
 4 years ago
Jason Ish 9d7a497cc1 rule-path: always use $localstatedir/lib/suricata/rules 
Always use the same path for default-rule-path whether or not
Suricata-Update will be installed as part of the Suricata install or
not.

This provides consistency, and maps better to our recommendation that
Suricata-Update be used to manage rules.

Probably should have been done as part of
55852d0de3.

Ticket #4912.
 4 years ago
Victor Julien 44c9241b6a telnet: initial support with frames 
Bootstrapped using setup script. Basic option parsing for purpose
of tagging frames.
 4 years ago
Victor Julien fc4279de85 htp: improve request/response size accuracy 4 years ago
Victor Julien 52ad906d31 htp: implement basic request/response frames 4 years ago
Victor Julien af797b5926 ssl: implement frames for SSLv3 and TLS 4 years ago
Jason Ish 3cdefd5f8b smb: use derive AppLayerFrameType 4 years ago
Victor Julien 0c9fdf8f4f smb: implement frames 
SMB1 record parsing code simplification.

Frames:

    nbss.pdu
    nbss.hdr
    nbss.data

    smb1.pdu
    smb1.hdr
    smb1.data

    smb2.pdu
    smb2.hdr
    smb2.data

    smb3.pdu
    smb3.hdr
    smb3.data

The smb* frames are created for valid SMB records.
 4 years ago
Victor Julien a492d94826 detect/frames: implement 'frame' keyword 
Implement a special sticky buffer to select frames for inspection.

This keyword takes an argument to specify the per protocol frame type:

    alert <app proto name> ... frame:<specific frame name>

Or it can specify both in the keyword:

    alert tcp ... frame:<app proto name>.<specific frame name>

The latter is useful in some cases like http, where "http" applies to
both HTTP and HTTP/2.

    alert http ... frame:http1.request;
    alert http1 ... frame:request;

Examples:

    tls.pdu
    smb.smb2.hdr
    smb.smb3.data

Consider a rule like:

    alert tcp ... flow:to_server; content:"|ff|SMB"; content:"some smb 1 issue";

this will scan all toserver TCP traffic, where it will only be limited by a port,
depending on how rules are grouped.

With this work we'll be able to do:

    alert smb ... flow:to_server; frame:smb1.data; content:"some smb 1 issue";

This rule will only inspect the data portion of SMB1 frames. It will not affect
any other protocol, and it won't need special patterns to "search" for the
SMB1 frame in the raw stream.
 4 years ago
Victor Julien 02f98796a7 detect/frames: limit mixing frames and other detection 
Don't allow mixing of payload/stream/tx and frame keywords. Initial
support is only for 'pure' frame inspection.
 4 years ago
Victor Julien 3cbe33de57 detect/analyzer: add frame support 4 years ago
Victor Julien f6f124f283 detect/engine: support frames 
Implement the low level detect engine support for inspecting frames,
including MPM, transforms and inspect API's.
 4 years ago
Victor Julien c0ec3984fa eve/alert: add support for logging frame 
If detection was done in a frame, the frame will be added to the
eve.alert output.
 4 years ago
Victor Julien 60bfade351 eve: implement frame logging 
This is mostly to assist development and QA. It produces too much data
for practical use.
 4 years ago
Jason Ish 8a40b7b42e cbindgen: ignore frames module 4 years ago
Jason Ish de870e2fbf rust: derive macro for app-layer frame type 4 years ago