Commit Graph

15036 Commits (suricata-7.0.2)

Author SHA1 Message Date
Victor Julien da8b024b99 detect/quic: add quic.sni sticky buffer 4 years ago
Victor Julien 7b836af1b2 quic: log sni; reduce number of transactions
Only create transactions for long headers.

Store SNI in tx, log it.
4 years ago
Victor Julien cf4ddab6f4 doc/quic: update for new quic.version logic 4 years ago
Victor Julien ccab28aad3 quic: log version as string
Log as Q043, Q044, Q045, Q046. If the version is not supported/recognized,
log the 4 bytes as hex.

Only log for txs based on long headers.
4 years ago
Victor Julien 24a21af4ab quic: redo quic.version; parser cleanups
Reimplement quic.version as sticky buffer.

Removed unused parts of the parser.

Set unidirectional tx flag to fix double matching.
4 years ago
Emmanuel Thompson 6641efb74f doc/quic: Add documentation for QUIC keywords 4 years ago
Emmanuel Thompson 9ad60e7661 doc/quic: Add quic to eve json format 4 years ago
Emmanuel Thompson 7e51987263 quic: Add QUIC App Layer
Parses quic and logs a CYU hash for gquic frames
4 years ago
Andreas Dolp f714484591 Doc: Fix typos in documentation of suricata.yaml. 4 years ago
Sam Muhammed c4bd3cd70e nfs4_records: add unittests
Add unittests for setclientid, readdir records
Task #4866
4 years ago
Pierre Chifflier c61cbd9b35 rust: simplify bits parser annotations 4 years ago
Pierre Chifflier 1b25bcbb13 rust/smb: simplify bits parser annotations 4 years ago
Pierre Chifflier 4d6aa6d532 rust: add 'bits' combinator to simplify nom bits parsers
Add a specialized version of the 'bits' nom combinator so adding
bits-level parsers does not require type annotations.
4 years ago
Philippe Antoine 23fb139e00 detect: do not upgrade base64 decode when fuzzing
As fuzzing will put a very big value, and then
ThreadCtxDoInit will try to allocate it,
ending in out of memory
4 years ago
Victor Julien ca29d33c69 proto-detect: set flags in packet direction for UDP 4 years ago
Victor Julien 449cc82943 proto-detect: fix UDP not setting alproto_ts/tc
This would lead to the `app-layer-protocol` keyword not matching correctly.
4 years ago
Philippe Antoine 0cfdec1266 detect: xor transform
Ticket: 3285

The xor transform applies xor decoding to a buffer, with a key
specified as an option in hexadecimal. Arbitrary key sizes are
accepted.
4 years ago
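A model of the xor transform described in this commit, written for this page as an added example and not taken from Suricata's detect-transform-xor code: the key arrives as a hex string, as the rule option supplies it, is decoded to bytes, and is applied to the buffer. The page does not say how a key shorter than the buffer is used; this example assumes it repeats cyclically. The function names and the 64-byte key limit of the helper are this example's own.

```c
/* Added example (not Suricata's own code): repeating-key xor over a buffer,
 * with the key given as a hex string the way a rule option would supply it.
 * Assumption: a key shorter than the buffer repeats cyclically. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode one hex digit; returns -1 on a non-hex character. */
static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a hex key string such as "0d0ac8ff" into bytes. Returns the key
 * length in bytes, or -1 if the string is empty, odd-length, non-hex or
 * longer than key_max bytes (the page says arbitrary key sizes are
 * accepted; the cap here is only this example's buffer size). */
int xor_parse_key(const char *hex, uint8_t *key, size_t key_max) {
    size_t n = strlen(hex);
    if (n == 0 || (n % 2) != 0 || n / 2 > key_max) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        key[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Apply the transform in place: buf[i] ^= key[i % keylen]. */
void xor_transform(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % keylen];
}

/* Decode a hex key and write the transformed copy of in[] to out[].
 * Returns 0 on success, -1 if the key string is invalid. */
int xor_apply_hexkey(const char *hexkey, const uint8_t *in, size_t len, uint8_t *out) {
    uint8_t key[64];
    int keylen = xor_parse_key(hexkey, key, sizeof(key));
    if (keylen < 0) return -1;
    memcpy(out, in, len);
    xor_transform(out, len, key, (size_t)keylen);
    return 0;
}

int main(void) {
    /* Constructed sample: a plaintext pattern a rule would look for after
     * the transform, encoded and decoded with the same 4-byte key. */
    const uint8_t plain[] = "some content";
    uint8_t enc[sizeof(plain) - 1], dec[sizeof(plain) - 1];
    xor_apply_hexkey("0d0ac8ff", plain, sizeof(enc), enc);
    xor_apply_hexkey("0d0ac8ff", enc, sizeof(enc), dec);
    printf("%s\n", memcmp(plain, dec, sizeof(dec)) == 0 ? "roundtrip ok" : "mismatch");
    return 0;
}
```

Because xor is its own inverse, applying the transform with the same key to an encoded buffer restores the plaintext, which is what lets a `content` match run against the transformed buffer; an odd-length or non-hex key string is rejected at parse time rather than silently truncated.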
Philippe Antoine 1d4fe38ccb detect: adds test with invalid uint mode << 4 years ago
Philippe Antoine 2012b14470 detect: use generic functions for icode parsing 4 years ago
Philippe Antoine e2370d6861 fuzz: cleans all flow after one run
Makes the fuzz target more stateless

And manages to find bugs on the FlowFree path
4 years ago
Philippe Antoine add1a0f561 fuzz: use parsed rules in sigpcap target
Ticket: 4125

As commit d21a252238
But for sigpcap target as well
4 years ago
Philippe Antoine 529678d501 dns: wrap with HAVE_LUA
This is just code style, to minimize the compiled code.
4 years ago
Philippe Antoine 6885b66883 fuzz: enable template protocols
Ticket: 4125
4 years ago
Philippe Antoine ed11e32076 enip: fix too restrictive check in probing parser
As is shown later in the code, enip_len can be
ENIP_LEN_REGISTER_SESSION which is 4, which is
smaller than sizeof(ENIPEncapHdr) which is 24
4 years ago
Philippe Antoine 09c84d0c26 fuzz: use fuzzing confyaml for protodetect target
As is done for other targets,
so that all app-layer protocols are enabled,
even the ones disabled by default such as enip

And resets protocol detection every time we try
so that probing_parser_toserver_alproto_masks are fresh.
4 years ago
Jason Ish cda11b8d97 doc/update: mention change of default rule path 4 years ago
Jason Ish 8071d8239e doc: update rule section to current default
Update the rule section to better describe what's seen in a default
install of Suricata including a link to the rule management section.
4 years ago
Jason Ish 9d7a497cc1 rule-path: always use $localstatedir/lib/suricata/rules
Always use the same path for default-rule-path whether or not
Suricata-Update will be installed as part of the Suricata install or
not.

This provides consistency, and maps better to our recommendation that
Suricata-Update be used to manage rules.

Probably should have been done as part of
55852d0de3.

Ticket #4912.
4 years ago
Victor Julien 44c9241b6a telnet: initial support with frames
Bootstrapped using setup script. Basic option parsing for purpose
of tagging frames.
4 years ago
Victor Julien fc4279de85 htp: improve request/response size accuracy 4 years ago
Victor Julien 52ad906d31 htp: implement basic request/response frames 4 years ago
Victor Julien af797b5926 ssl: implement frames for SSLv3 and TLS 4 years ago
Jason Ish 3cdefd5f8b smb: use derive AppLayerFrameType 4 years ago
Victor Julien 0c9fdf8f4f smb: implement frames
SMB1 record parsing code simplification.

Frames:

    nbss.pdu
    nbss.hdr
    nbss.data

    smb1.pdu
    smb1.hdr
    smb1.data

    smb2.pdu
    smb2.hdr
    smb2.data

    smb3.pdu
    smb3.hdr
    smb3.data

The smb* frames are created for valid SMB records.
4 years ago
Victor Julien a492d94826 detect/frames: implement 'frame' keyword
Implement a special sticky buffer to select frames for inspection.

This keyword takes an argument to specify the per protocol frame type:

    alert <app proto name> ... frame:<specific frame name>

Or it can specify both in the keyword:

    alert tcp ... frame:<app proto name>.<specific frame name>

The latter is useful in some cases like http, where "http" applies to
both HTTP and HTTP/2.

    alert http ... frame:http1.request;
    alert http1 ... frame:request;

Examples:

    tls.pdu
    smb.smb2.hdr
    smb.smb3.data

Consider a rule like:

    alert tcp ... flow:to_server; content:"|ff|SMB"; content:"some smb 1 issue";

this will scan all toserver TCP traffic, where it will only be limited by a port,
depending on how rules are grouped.

With this work we'll be able to do:

    alert smb ... flow:to_server; frame:smb1.data; content:"some smb 1 issue";

This rule will only inspect the data portion of SMB1 frames. It will not affect
any other protocol, and it won't need special patterns to "search" for the
SMB1 frame in the raw stream.
4 years ago
Victor Julien 02f98796a7 detect/frames: limit mixing frames and other detection
Don't allow mixing of payload/stream/tx and frame keywords. Initial
support is only for 'pure' frame inspection.
4 years ago
Victor Julien 3cbe33de57 detect/analyzer: add frame support 4 years ago
Victor Julien f6f124f283 detect/engine: support frames
Implement the low level detect engine support for inspecting frames,
including MPM, transforms and inspect APIs.
4 years ago
Victor Julien c0ec3984fa eve/alert: add support for logging frame
If detection was done in a frame, the frame will be added to the
eve.alert output.
4 years ago
Victor Julien 60bfade351 eve: implement frame logging
This is mostly to assist development and QA. It produces too much data
for practical use.
4 years ago
Jason Ish 8a40b7b42e cbindgen: ignore frames module 4 years ago
Jason Ish de870e2fbf rust: derive macro for app-layer frame type 4 years ago
Jason Ish 0ece208074 rust/applayer: create trait for app-layer frame types 4 years ago
Jason Ish cb7f7a7e08 app/frames: implement rust API 4 years ago
Victor Julien a27ee49c73 app-layer: move app_progress forward on errors as well
In case of APP_LAYER_ERROR still move the app_progress forward.
This helps validation of frame offsets and should be harmless
otherwise.
4 years ago
Victor Julien 1556e86c7d app/frames: initial support
The idea of stream frames is that the applayer parsers can tag PDUs and
other arbitrary frames in the stream while parsing. These frames can then
be inspected from the rule language. This will allow rules that are more
precise and less costly.

The frames are stored per direction in the `AppLayerParserState` and will only
be initialized when actual frames are in use. The per direction storage has a
fixed size static portion and dynamic support for a larger number. This is done
for efficiency.

When the Stream Buffer slides, frames are updated as they use offsets relative
to the stream. A negative offset is used for frames that started before the
current window.

Frames have events to inspect/log parser errors that don't fit the TX model.

Frame id starts at 1. So implementations can keep track of frame ids where 0
is not set.

Frames affect TCP window sliding. The frames keep a "left edge" which
signifies how much data to keep for frames that are still in progress.
4 years ago
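A minimal model of the frame bookkeeping this commit message describes, written for this page as an added example and not Suricata's own frames code: frames record where they start in the stream, the buffer window slides forward, each frame's offset relative to the current window is recomputed (negative for frames that began before the window), frame ids start at 1 so that 0 means "no frame", and frames still in progress pin a left edge the window may not slide past. The type and function names, the fixed-size table, and the choice to clamp the slide rather than drop data are this example's own assumptions.

```c
/* Added example (not Suricata's own code): frames with stream-relative
 * offsets under a sliding window, plus the "left edge" kept for frames
 * still in progress. Fixed-size table and names are this example's own. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MAX_FRAMES 8

typedef struct {
    int64_t id;          /* 1-based; 0 is never a valid frame id */
    uint64_t abs_start;  /* start offset in the whole stream */
    int64_t len;         /* -1 while the frame is still in progress */
} Frame;

typedef struct {
    uint64_t window_base;    /* stream offset of the first byte in the buffer */
    Frame frames[MAX_FRAMES];
    int nframes;
    int64_t next_id;
} FrameTracker;

void ft_init(FrameTracker *t) {
    memset(t, 0, sizeof(*t));
    t->next_id = 1;          /* ids start at 1 */
}

/* Add a frame at an offset relative to the current window; len < 0 marks it
 * as in progress. Returns the new id, or 0 if the table is full. */
int64_t ft_add(FrameTracker *t, int64_t rel_start, int64_t len) {
    if (t->nframes >= MAX_FRAMES) return 0;
    Frame *f = &t->frames[t->nframes++];
    f->id = t->next_id++;
    f->abs_start = (uint64_t)((int64_t)t->window_base + rel_start);
    f->len = len;
    return f->id;
}

static Frame *ft_find(FrameTracker *t, int64_t id) {
    for (int i = 0; i < t->nframes; i++)
        if (t->frames[i].id == id) return &t->frames[i];
    return NULL;
}

/* Complete an in-progress frame with its final length. */
bool ft_set_len(FrameTracker *t, int64_t id, int64_t len) {
    Frame *f = ft_find(t, id);
    if (f == NULL) return false;
    f->len = len;
    return true;
}

/* Start of a frame relative to the current window; negative when the frame
 * began before the window. Returns INT64_MIN for an unknown id. */
int64_t ft_rel_offset(FrameTracker *t, int64_t id) {
    Frame *f = ft_find(t, id);
    if (f == NULL) return INT64_MIN;
    return (int64_t)f->abs_start - (int64_t)t->window_base;
}

/* The left edge: the lowest start of any frame still in progress, or
 * limit itself if nothing is in progress. */
uint64_t ft_left_edge(const FrameTracker *t, uint64_t limit) {
    uint64_t edge = limit;
    for (int i = 0; i < t->nframes; i++)
        if (t->frames[i].len < 0 && t->frames[i].abs_start < edge)
            edge = t->frames[i].abs_start;
    return edge;
}

/* Slide the window to new_base, but never past the left edge; returns the
 * base actually used so the caller sees how much data had to be kept. */
uint64_t ft_slide(FrameTracker *t, uint64_t new_base) {
    uint64_t edge = ft_left_edge(t, new_base);
    if (new_base > edge) new_base = edge;
    if (new_base > t->window_base) t->window_base = new_base;
    return t->window_base;
}

int main(void) {
    /* Constructed scenario: one complete PDU, one still being parsed. */
    FrameTracker t;
    ft_init(&t);
    int64_t a = ft_add(&t, 0, 100);   /* complete frame at stream offset 0 */
    int64_t b = ft_add(&t, 100, -1);  /* in progress, starts at offset 100 */
    uint64_t base = ft_slide(&t, 500); /* clamped to 100 by frame b */
    printf("window base %llu, a at %lld, b at %lld\n", (unsigned long long)base,
           (long long)ft_rel_offset(&t, a), (long long)ft_rel_offset(&t, b));
    ft_set_len(&t, b, 300);
    base = ft_slide(&t, 500);          /* nothing pins the edge now */
    printf("window base %llu, b at %lld\n", (unsigned long long)base,
           (long long)ft_rel_offset(&t, b));
    return 0;
}
```

The point to take from the model is the interaction the commit message describes: an in-progress frame keeps its start inside the window, so the stream cannot be trimmed past it, while frames that are already complete keep their stream-relative position and simply go negative as the window moves on.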
Victor Julien e6f49e5a05 app/frames: implement name to id API for frames 4 years ago
Victor Julien eeee740e84 stream: add util function to get 'usable' data 4 years ago
Philippe Antoine a6cb539054 ci: do not use ppa for cocci
As this version segfaults
4 years ago
Pierre Chifflier 3e19ccdc0c rust/http2: convert parser to nom7 functions (HTTP2 ranges) 4 years ago