suricata

Commit Graph

Author	SHA1	Message	Date
Jeff Lucovsky	dd344bd07c	ftp: Move config file handling to Rust Issue: 4082 Move the configuration file handling to Rust. These changes will no longer terminate Suricata when there's an invalid value for ftp.memcap. Like earlier Suricata releases, an error message is logged "Invalid value <value> for ftp.memcap" but Suricata will no longer terminate execution. It will use a default value of "0" instead.	5 months ago
Alice Akaki	73ae6e997f	detect: add ldap.responses.dn ldap.responses.dn matches on LDAPDN from responses operations This keyword maps the following eve fields: ldap.responses[].search_result_entry.base_object ldap.responses[].bind_response.matched_dn ldap.responses[].search_result_done.matched_dn ldap.responses[].modify_response.matched_dn ldap.responses[].add_response.matched_dn ldap.responses[].del_response.matched_dn ldap.responses[].mod_dn_response.matched_dn ldap.responses[].compare_response.matched_dn ldap.responses[].extended_response.matched_dn It is a sticky buffer Supports prefiltering Ticket: #7471	5 months ago
Alice Akaki	16dcee46fc	detect: add ldap.request.dn ldap.request.dn matches on LDAPDN from request operations This keyword maps the following eve fields: ldap.request.bind_request.name ldap.request.add_request.entry ldap.request.search_request.base_object ldap.request.modify_request.object ldap.request.del_request.dn ldap.request.mod_dn_request.entry ldap.request.compare_request.entry It is a sticky buffer Supports prefiltering Ticket: #7471	5 months ago
Alice Akaki	8f807fcfcf	doc: use the ldap protocol in rule examples in the LDAP keywords documentation	5 months ago
Alice Akaki	31ee18b5be	doc: replace 'eve' with 'EVE' in the LDAP keywords documentation	5 months ago
Jason Ish	97e01a8cc8	doc/userguide: upgrade notes for Lua - Sandboxed Lua for rules - Search path changes for Lua output scripts	5 months ago
Jason Ish	c6d038b8a4	doc/userguide: document Lua base64 library Ticket: #7074	5 months ago
Victor Julien	38318438d1	doc/userguide: add lua packetlib docs	6 months ago
Victor Julien	cdd2f56cfe	doc: remove old lua packet methods	6 months ago
AlirezaPourchali	60dd0ec8a5	doc/userguide: fix typo Issue: #7540 fixed doc/userguide/performance/hyperscan.rst fixed doc/userguide/performance/runmodes.rst	6 months ago
Alice Akaki	73455179d7	detect/integers: add support for negated strings when enum is used function detect_parse_uint_enum can parse strings like !bind_request Ticket: #7513	6 months ago
Jeff Lucovsky	beec1eac2f	doc/decode-events: new: unknown event description Issue: 7129 Document the unknown ethertype event.	6 months ago
Jeff Lucovsky	e9128e66e6	doc/threshold: Threshold keyword clarifications Issue: 7129	6 months ago
Jeff Lucovsky	cfbf8fda94	doc/csum: Stream checksum validation change Describe the change of behavior between the stream.checksum-validation setting and checksum-based rule keywords.	6 months ago
Juliana Fajardini	a2905ae5d4	userguide: explain rule types and categorization Add documentation about the rule types introduced by commit `2696fda041`. Add doc tags around code definitions that are referenced in the docs. Task #https://redmine.openinfosecfoundation.org/issues/7031	6 months ago
Cole Dishington	c46308957f	flow: optionally use pkt recursion for hash If a Suricata inline IPS device is routing traffic over a non-encrypted tunnel, like IPv6 tunnels, packets in a flow will be dropped and not be matched. e.g. The following example is a Suricata inline IPS with an IPv6 tunnel: request: IPv4]ICMP] -> \|IPS\| -> IPv6]IPv4]ICMP] reply: <- \|IPS\| <- IPv6]IPv4]ICMP] Both the IPv4 request and IPv6 reply will be seen by Suricata on ingress. The flows will not be matched due to flow recursion level. Optionally use pkt recursion level in flow hash. Excluding recursion level in flow hash allows matching of packet flows and defrag on an inline IPS Suricata scenario where the IPS device is a tunnel terminator. Feature: 6260	6 months ago
Jeff Lucovsky	53abe1e5d7	doc: Add ftp.command sticky buffer Issue: 7502 This commit documents the new FTP sticky buffer "ftp.command".	6 months ago
Philippe Antoine	c5f3d33e51	detect/smtp: smtp.rcpt_to keyword Ticket: 7516 It is a sticky buffer mapping to the smtp.rcpt_to[] log field It is a multi-buffer	6 months ago
Philippe Antoine	32594766b7	detect/smtp: smtp.mail_from keyword Ticket: 7517 It is a sticky buffer mapping to the smtp.mail_from log field	6 months ago
Philippe Antoine	3d3b1ade9d	detect/smtp: smtp.helo keyword Ticket: 7515 It is a sticky buffer mapping to the smtp.helo log field	6 months ago
Jason Ish	c8b28b1512	doc/userguide: document lua hashlib	6 months ago
Alice Akaki	8416289752	detect: add ldap.responses.count ldap.responses.count matches on the number of LDAP responses This keyword maps to the eve field len(ldap.responses[]) It is an unsigned 32-bit integer Doesn't support prefiltering Ticket: #7453	6 months ago
Alice Akaki	da593abd99	detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453	6 months ago
Alice Akaki	cdb043810f	detect: add ldap.request.operation ldap.request.operation matches on Lightweight Directory Access Protocol request operations This keyword maps to the eve field ldap.request.operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453	6 months ago
Alice Akaki	078c6469a0	detect: add vlan.layers keyword vlan.layers matches on the number of VLAN layers per packet It is an unsigned 8-bit integer Valid range = [0-3] Supports prefiltering Ticket: #1065	7 months ago
Alice Akaki	b1c2643c87	detect: add vlan.id keyword vlan.id matches on Virtual Local Area Network IDs It is an unsigned 16-bit integer Valid range = [0-4095] Supports prefiltering Ticket: #1065	7 months ago
Shivani Bhardwaj	ad7ff1c91b	flow/pkts: allow matching on either direction For flow.bytes and flow.pkts keywords, allow matching in either direction. Feature 5646	7 months ago
Shivani Bhardwaj	52fd695e5a	doc: update syntax for flow.pkts & flow.bytes	7 months ago
Philippe Antoine	a499529477	doc: improve documentation about guess-applayer-tx Ticket: 7199	7 months ago
Shivani Bhardwaj	6f937c7545	doc: add guide for ticket title Explain with examples what a good ticket title looks like and why is it important to have ticket titles convey the correct issues.	7 months ago
Jeff Lucovsky	91d5b77316	doc/commit Describe how to use the git commit template. The template helps ensure that the information needed for evaluation and context is included in the commit message. Ticket: <Redmine ticket number>	7 months ago
Victor Julien	d11e8a8ee7	doc/userguide: document TCP urgent policy	8 months ago
Philippe Antoine	f426ee3ee2	detect: rename stream_log variables to better reflect their true meaning	8 months ago
Philippe Antoine	f2c3776314	detect: log app-layer metadata in alert with single tx Ticket: 7199 Uses a config parameter detect.guess-applayer-tx to enable this behavior (off by default) This feature is requested for use cases with signatures not using app-layer keywords but still targetting application layer transactions, such as pass/drop rule combination, or lua usage. This overrides the previous behavior of checking if the signature has a content match, by checking if there is only one live transaction, in addition to the config parameter being set.	8 months ago
Juliana Fajardini	6e4a501e7c	flowint: add isnotset support Similar keywords use `isnotset`, while `flowint` only accepted `notset` Opted to change the code, not only the regex, to keep the underlying code also following the same patterns. Task #7426	8 months ago
Jason Ish	289ff25f5b	requires: support requires check for keyword For example: requires: keyword foo; Will require that Suricata supports the "foo" keyword. Ticket: #7403	8 months ago
Jason Ish	820a3e51b7	requires: treat unknown requires keywords as unmet requirements For example, "requires: foo bar" is an unknown requirement, however its not tracked, nor an error as it follows the syntax. Instead, record these unknown keywords, and fail the requirements check if any are present. A future version of Suricata may have new requires keywords, for example a check for keywords. Ticket: #7418	8 months ago
Philippe Antoine	4ec90bd227	detect: absent keyword to test absence of sticky buffer Ticket: 2224 It takes an argument to match only if the buffer is absent, or it can still match if the buffer is present, but we test the absence of some content. For multi buffers, absent matches if there are 0 buffers. For file keywords, absent matches if there is no file.	8 months ago
Victor Julien	278dc24cd0	doc/userguide: document smb cache size limit options Ticket: #5672.	9 months ago
Sascha Steinbiss	285cc29ec0	redis: add automatic trimming support for streams	9 months ago
Sascha Steinbiss	d3d9f1c395	redis: implement XADD stream support Ticket: #7082	9 months ago
Juliana Fajardini	1860aa81e6	userguide: fix integer keyword matches list format List wasn't being properly rendered.	9 months ago
Jason Ish	cc519beb91	suricata.yaml: add missing custom tls fields Also update the suricata.yaml in the userguide.	9 months ago
Juliana Fajardini	55b922ceed	tls/conf: clarify usage of custom vs extended logs Since enabling custom logging will replace the extended logging, thus possibly leading to certain fields disappearing from the logs, mention this aspect. Related to Bug #7333	9 months ago
Jeff Lucovsky	1e0d3435db	doc: add napatech plugin upgrade notes Issue: 7165	10 months ago
Jason Ish	6ae5ae701b	doc/userguide: generate eve documentation Add EVE documentation for QUIC and Pgsql to their respective sections of the userguide. Also add a complete EVE reference as an appendix. Other protocols can be done, but its a manual process to document in the schema, then add the glue to pull them into the documentation. The documentation is generated during "make dist", or if it doesn't exist, "conf.py" will attempt to generate the eve documentation for building on Readthedocs.	10 months ago
Philippe Antoine	bb714c9178	http: have a headers limit Ticket: 7191 So as to avoid quadratic complexity in libhtp. Make the limit configurable from suricata.yaml, and have an event when network traffic goes over the limit.	10 months ago
Philippe Antoine	e47598110a	detect/datasets: implement unset command Ticket: 7195 Otherwise, Suricata aborted on such a rule	10 months ago
Juliana Fajardini	18e0d23ed3	docs: remove mentions to Suricata-6 Task #7262	10 months ago
Juliana Fajardini	d1d1c8cdac	doc/conf/yaml: replace underscore with dashes Use sed + regex to replace all occurrences of suricata.yaml terms that used underscore for their up-to-date dash version. Also search for such terms in the eve-log.yaml partials file, as that is referenced in the configuration section. commands used: sed -i 's/\(^ [a-z]\)_\([a-z]:\)/\1-\2/g' sed -i 's/\(^ [a-z]\)_\([a-z]\)_\([a-z]*:\)/\1-\2-\3/g' Some other instances were found manually. Task #7260	10 months ago
Philippe Antoine	7ab833471e	doc/rfb: mention accidental fix for security_result log Ticket: 7198	10 months ago
Giuseppe Longo	036b68b0a9	doc: add new sip keywords	10 months ago
Juliana Fajardini	ef63aa50e2	doc/configuration: improve emergency-recovery docs When removing mentions to `prune-flows` a few inconsistencies for how we write and refer to `emergency-recovery` were left behind, still.	10 months ago
Philippe Antoine	de9413c654	detect: safety for app-layer logging of stream-only rules If a stream-only rule matches, and we find a tx where we want to log the app-layer data, store into the tx data that we already logged, so that we do not log again the app-layer metadata Ticket: 7085	10 months ago
jason taylor	f46a8776ec	doc: add note about big endian for icmp_seq match	10 months ago
Juliana Fajardini	1420c83a87	doc/configuration: remove mention to prune-flows Although the `prune-flows` option was removed with `a5587fec2e`, when documentation for the suricata.yaml config file was added with `b252b0d`, this option was also included - as has remained until now.	10 months ago
Jeff Lucovsky	8064847fc6	doc: Document reference config setting Issue: 4974	10 months ago
Philippe Antoine	0ebb84538e	http2: add frames support Ticket: 5743 Why ? To add detection capabilities	11 months ago
Jason Ish	685baa9680	output-filedata: rename and document registration function Prefix registration function and pointer function type with SC, as well as document. Ticket: #7227	11 months ago
Jason Ish	b51eeb3ab5	output-file: rename and document registration function Rename OutputRegisterFileLogger to SCOutputRegisterFileLogger, add function documentation and include in userguide. Ticket: #7227	11 months ago
Jason Ish	14b648f286	output-streaming: rename and document registration Prefix the registration function and types with "SC", and add function documentation. Ticket: #7227	11 months ago
Jason Ish	1ebf33b3c9	output-tx: rename and document transaction logger registration Rename OutputRegisterTxLogger to SCOutputRegisterTxLogger to make it part of the public API as well as document. Ticket: #7227	11 months ago
Jason Ish	bb128e3959	devguide: more on low level logging Use the extending/output section to introduce the low level logging API. Ticket: #7227	11 months ago
Juliana Fajardini	f3e1095244	userguide: update Security Onion docs reference They have updated their docs domain, leading to the link we had returning a 404. Also checked the other links. Although some seem to only contain old traffic, they all still work.	11 months ago
Sascha Steinbiss	cb14e44780	userguide: fix spelling of `security_result` EVE field This ensures that the correct spelling of the `security_result` EVE field for RFB (as opposed to `security-result`) is also reflected in the documentation. Ticket: #7210	11 months ago
Shivani Bhardwaj	1345c6d1cb	doc/file-extraction: fix highlight syntax	11 months ago
Juliana Fajardini	682b199ea0	userguide: expand documentation for rule profiling The page about performance and rule profiling showed the table generated by rules profiling but didn't inform how to achieve nor find it. Task #4359	11 months ago
Jason Ish	15fe844ae7	syslog: deprecate The standalone syslog output is now deprecated for Suricata 8. Display a warning on use and add notes to the userguide. Ticket: #6544	11 months ago
Jason Ish	5853fb922d	tls-log: deprecate tls-log is now deprecated and will be removed in Suricata 9.0. Display a deprecation notice on use, and add notes to the user guide. Ticket: #6542	11 months ago
Jason Ish	ab26323a96	http-log: deprecate http-log is now deprecated and will be removed in Suricata 9.0. Display a deprecation notice on use, and add notes to the userguide. Issue: #6543	11 months ago
Victor Julien	688bd538cf	pcap: implement pcap-file-buffer-size option Allows easy specification of buffer size on the commandline. Ticket: #7155.	11 months ago
Juliana Fajardini	246acc7140	userguide: clarify flow:stateless explanation While not incorrect, the previous wording made the sentence almost paradoxical. While at it, also highlight a side effect that might not be so clear to users. Related to Bug #6976	12 months ago
Philippe Antoine	62a186ceef	detect/rfb: move keywords to rust Ticket: 7178 On the way, convert rfb.secresult to a generic integer with enumeration cf ticket 6723	12 months ago
Victor Julien	fa9cae3899	doc/userguide: document logging changes from 6 to 7 Minor other logging related improvements like clarifying language and improving formatting for pdf output.	12 months ago
Philippe Antoine	0b2ed97f36	ssh: frames support Ticket: 5734 Adds frames for SSH records, that come after banner, and before the data is encrypted. These records may contain cipher lists for instance.	1 year ago
Giuseppe Longo	70ed9f91d8	doc: add ldap protocol	1 year ago
Philippe Antoine	bce8f4b853	detect/ssh: remove deprecated keywords Ticket: 2377	1 year ago
Philippe Antoine	0a1062fad2	detect/mqtt: move keywords to rust Ticket: 4863 On the way, convert some keywords to use the first-class integer support. And helpers for pure rust the support for multi-buffer. Move the C unit tests about keyword mqtt.protocol_version to unit tests for generic integer parsing, and test version 5 instead of testing twice version 3. Also iterate all tx's messages for reason code as is done for other keywords. And allow detection on empty topics.	1 year ago
Jason Ish	5f516c5896	doc: add pf-ring plugin upgrade notes Ticket: #7162	1 year ago
Philippe Antoine	e0fd59a20d	doc: state that payload-length includes the gaps	1 year ago
Jason Ish	4d3d57249a	doc: update dns section of the eve format documentation	1 year ago
Jason Ish	d3c08b9643	doc: upgrade guide for dns logging changes Bug: #6281	1 year ago
Sascha Steinbiss	53c62432c6	doc: update MQTT configuration	1 year ago
Shivani Bhardwaj	c66f1f4488	doc: add note about datasets string memcaps Bug 3910	1 year ago
Victor Julien	afc318737a	doc/userguide: document threshold backoff type	1 year ago
Victor Julien	e362a01f8d	doc/userguide: document new threshold config options	1 year ago
Victor Julien	405491c3fc	detect/detection_filter: add support for track by_flow	1 year ago
Victor Julien	3f04af7c7f	doc: add thresholding by_flow	1 year ago
Jeff Lucovsky	01e20c91fb	doc/transform: Correct typo	1 year ago
Jeff Lucovsky	d205ff82d0	doc/transform: Describe the from_base64 transform Issue: 6487 Document the new transform and indicate that it's the preferred way to perform base64 decoding (preferred over base64_decode)	1 year ago
Philippe Antoine	c9ce43b31e	output: configurable payload_length field for alerts Ticket: 7098	1 year ago
Victor Julien	3d059611c3	detect: add tls.alpn keyword Ticket: #7108.	1 year ago
Victor Julien	c79a382e42	eve/tls: log ALPN for client and server Part of the extended logging. Logs `client_alpns` and `server_alpns` arrays in the tls object. Ticket: #7055.	1 year ago
Philippe Antoine	ae72376ebe	detect/snmp: move keywords to rust Ticket: 4863 On the way, convert unit test DetectSNMPCommunityTest to a SV test. And also, make snmp.pdu_type use a generic uint32 for detection, allowing operators, instead of just equality.	1 year ago
Lukas Sismis	bd9608771e	doc: port user install and build instruction from master-6.0.x Ticket: #6686	1 year ago
Lukas Sismis	521d1cb8e7	doc: update eBPF compilation instructions Ticket: #6599	1 year ago
Victor Julien	8b42182fee	doc/userguide: document iprep isset/isnotset	1 year ago
Victor Julien	2f74d435d3	doc/userguide: add more operators to iprep	1 year ago
Victor Julien	50ef646d45	doc/userguide: add noalert/alert keyword docs	1 year ago
Victor Julien	c83e3285ae	doc/userguide: give pcre1 to pcre2 proper heading	1 year ago
Juliana Fajardini	43b998aa73	userguide/upgrade: add note about alerts' increase With triggering stream reassembly early, since for certain types of rules there may be more alerts triggered - even in IPS mode, make this clear in the upgrading section. Bug #7026	1 year ago
Philippe Antoine	82c03f72c3	enip: convert to rust Ticket: 3958 - transactions are now bidirectional - there is a logger - gap support is improved with probing for resync - frames support - app-layer events - enip_command keyword accepts now string enumeration as values. - add enip.status keyword - add keywords : enip.product_name, enip.protocol_version, enip.revision, enip.identity_status, enip.state, enip.serial, enip.product_code, enip.device_type, enip.vendor_id, enip.capabilities, enip.cip_attribute, enip.cip_class, enip.cip_instance, enip.cip_status, enip.cip_extendedstatus	1 year ago
Victor Julien	17b32f98d7	doc/userguide: fix rule container typo Fixes: `8781e9352a` ("doc/userguide: add documentation for SMTP frames")	1 year ago
Victor Julien	8781e9352a	doc/userguide: add documentation for SMTP frames	1 year ago
Juliana Fajardini	aeb200e001	devguide: highlight commit message example Although we have the example for a commit message in our Code Submission Process sub-chapter, seems that people still oversee it a lot. It was suggested that we put it in a note-box, to make it more visible.	1 year ago
Jason Ish	3eb8c728fd	doc: update lua sandbox docs for allowed packages/functions	1 year ago
Jason Ish	bc011f2205	lua: use rust crate to vendor (bundle) lua Remove lua-dev(el) from all CI tests.	1 year ago
Jo Johnson	ba6a976e06	doc: Initial doc for lua sandbox	1 year ago
Jo Johnson	712496bb3f	lua: Remove luajit support lua 5.4 support is not available in luajit Ticket: #4776	1 year ago
Jo Johnson	586c92d9d5	lua: require lua 5.4 github-ci: Disable lua on debian 10 as it doesn't have Lua 5.4. Ticket: #4776	1 year ago
jason taylor	47d6c3a3ab	doc: add source verification docs Ticket: #6908 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
Shivani Bhardwaj	719fda3967	doc: add description about tls.subjectaltname Feature 5234	1 year ago
Philippe Antoine	2c305ba37e	pop3: protocol detection Ticket: #6366	1 year ago
Philippe Antoine	7582b18a9f	http: configures libhtp to allow spaces in uri Ticket: #2881	1 year ago
Giuseppe Longo	8a171c9d74	doc: add arp changes	1 year ago
Philippe Antoine	fcdd7f000a	detect: add options to app-layer-protocol keyword Ticket: 4921 app-layer-protocol keyword accept an optional mode to precise which protocol we want to match: toclient, toserver, final, or original	1 year ago
Philippe Antoine	715bf048ee	frames: rust API makes tx_id explicit And set it right for SIP and websocket, so that relevant tx app-layer metadata gets logged. Ticket: 6973	1 year ago
Shivani Bhardwaj	6d92596548	doc: add note about fast_pattern w base64_data Bug 5220	1 year ago
jason taylor	abb74245cc	doc: update normalization notes Ticket: #6781 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	5dacf4d92b	doc: add http.connection ref and fix location Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
Victor Julien	fcca5c7514	detect/iprep: update doc about 0 value A value of 0 was already allowed by the rule parser, but didn't actually work. Bug: #6834.	1 year ago
jason taylor	aa919f8081	doc: update flowbits information Ticket: #6991 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
Giuseppe Longo	4f1e71bb4e	doc: add sdp update	1 year ago
Juliana Fajardini	bb59124063	yaml: unify 0 stats counter config option terms When we added feature #5976 (`72146b969`), we overlook that we also have a config stats option for the human-readable stats logs to output 0 counters. Due to not seeing this before, we now have two different setting names for basically the same thing, but in different logs: - zero-valued-counters for EVE - null-values for stats.log This ensures we use the same terminology, and change the recently added one to `null-values`, as this one has been around for longer. Task #6962	1 year ago
Philippe Antoine	44b6aa5e4b	app-layer: websockets protocol support Ticket: 2695	1 year ago
Sascha Steinbiss	120313f4da	ja4: implement for TLS and QUIC Ticket: OISF#6379	1 year ago
Jeff Lucovsky	7a5a1e2560	doc: Describe noalert keyword Issue: 6685	1 year ago
Juliana Fajardini	72146b969c	eve/stats: allow hiding counters whose valued is 0 Some stats can be quite verbose if logging all zero valued-counters. This allows users to disable logging such counters. Default is still true, as that's the expected behavior for the engine. Task #5976	1 year ago
Juliana Fajardini	514e8b8b04	userguide: document exception policy stats Configuration options and defaults, existing counters etc. Related to Task #5816	1 year ago
Juliana Fajardini	94b111283d	userguide: highlight exception policy effects Some exception policies can only be applied to entire flows or individual packets, for some exception scenarios. Make this easier to read, in the documentation. Related to Task #5816	1 year ago
jason taylor	7de16809ef	doc: update http keyword listing order Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	8b3db3c3b5	doc: update file.name keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	49dba7bb94	doc: update file.data keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	bee3aa9709	doc: update http.response_header keyword Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	dcb548106e	doc: update http.request_header keyword Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	3f5d228b9e	doc: update http.host http.host.raw keyword Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	739dfe5e5e	doc: update http.location keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	9ddd8cf9e0	doc: update http.server keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	3af98f3b92	doc: update http.response_body keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	64760e2e75	doc: update http.response_line keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	566bc0d39c	doc: update http.stat_msg keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	271321249f	doc: update http.stat_code keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	71d8488cb5	doc: update http.request_body keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	c2783e9391	doc: update http.header_names keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	5eadbc2ff0	doc: update http.start keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	7e65554462	doc: update http.referer keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	876dfb99ca	doc: update http.content_len keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	8ff06c1bc0	doc: update http.content_type keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	b2854486dd	doc: update http.connection keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	75436dff9c	doc: update http.accept_lang keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	f6375e487e	doc: update http.accept_enc keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	7e3288f5a7	doc: update http keyword normalization notes Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	9e87d89d2e	doc: update http.accept keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	8307168ae7	doc: update http.user_agent keyword Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	75c4cdfa1c	doc: update http.cookie keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	7a28874c8d	doc: update http.header keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	b3af723486	doc: remove legacy description/duplicated data Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	292b3eb9b3	doc: update http.request_line keyword information Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	c7f351bd6e	doc: update http.protocol keyword documentation Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	2d0ceedeba	doc: update urilen keyword documentation ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	ef118aa582	doc: remove legacy uricontent information ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	96e8c10276	doc: update http.uri and http.uri.raw keywords ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	bf192926a8	doc: update http.method keyword ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	0cce5ba447	doc: add http keyword links ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	fd46175203	doc: update http primer information ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
jason taylor	54fd35c5b4	doc: remove legacy tables and image references ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
Victor Julien	34f53f85bc	systemd: reimplement sd_notify logic using UNIX socket One of the lessons of the XZ backdoor story was that just linking to libsystemd to call sd_notify is discouraged by the systemd project: Lennart Poettering: "PSA: In context of the xzpocalypse we now added an example reimplementation of sd_notify() to our man page: https://www.freedesktop.org/software/systemd/man/devel/sd_notify.html#Notes It's pretty comprehensive (i.e. uses it for reload notification too), but still relatively short. In the past, I have been telling anyone who wanted to listen that if all you want is sd_notify() then don't bother linking to libsystemd, since the protocol is stable and should be considered the API, not our C wrapper around it. After all, the protocol is so trivial" From: https://mastodon.social/@pid_eins/112202687764571433 This commit takes the example code and uses it to reimplement the notify logic. The code is enabled if Linux is detected in configure. Since the code won't do anything if the NOTIFY_SOCKET env var isn't set, this should also work fine on systems w/o systemd. Ticket: #6913.	1 year ago
Jason Ish	51bf1c3510	docs/userguide: use a consistent date for reproducible builds By default, when Sphinx generates the man pages, the current date will be embedded in them. This can be set to a specific date with the "today" variable. Typically the date embedded in manpages in the release date. To achieve this, attempt to use the environment variable, RELEASE_DATE to set the "today" variable, reverting back to the empty string if not set. It is up to our build system to properly set this date. Ticket: #6911	1 year ago
Jason Ish	4c16032f63	docs/conf.py: fix python escape warning /home/jason/oisf/dev/suricata/master/doc/userguide/conf.py:74: SyntaxWarning: invalid escape sequence '\(' "AC_INIT\(\[suricata\],\s\[(.)?\]\)",	1 year ago
Jason Ish	8284df3ed4	devguide: add an upgrade section Add an upgrade section to the devguide. This should cover any changes to APIs that users might be using from plugins or as a library user.	1 year ago
Hadiqa Alamdar Bukhari	3aa313d0c5	dns: add dns.rcode keyword dns.rcode matches the rcode header field in DNS messages It's an unsigned integer valid ranges = [0-15] Does not support prefilter Supports matches in both flow directions Task #6621	1 year ago
Juliana Fajardini	7b2bef1bc6	devguide: add chapter and short intro to libsuricata With this, we intend to make more users aware of this use case, and that we are working towards this. Related to Task #2693	1 year ago
Hadiqa Alamdar Bukhari	4b81851097	dns: add dns.rrtype keyword It matches the rrtype field in DNS It's an unsigned integer match valid ranges = [0-65535] Does not support prefilter Supports flow in both directions Feature #6666	1 year ago
Giuseppe Longo	3dc24a967a	doc: add upgrade section for 8	1 year ago
Giuseppe Longo	add95002b9	suricata.yaml: define SIP_PORTS	1 year ago
Philippe Antoine	e22217bda8	doc: there is no right shift for integer bitmasks Ticket: 6628	1 year ago
Lukas Sismis	356f9ffa13	doc: mention the limited number of RX/TX descriptors on Intel NICs Ticket: 6748	1 year ago
jason taylor	e891ef3d4e	doc: add pcap file logging variable details Signed-off-by: jason taylor <jtfas90@gmail.com>	1 year ago
Jeff Lucovsky	ee6208be9d	config/nss: Remove libnspr/libnss traces Issue: 6712	1 year ago
Philippe Antoine	8f73a0ac55	smtp: config limit maximum number of live transactions Ticket: #6477	1 year ago
Philippe Antoine	4175680a8a	http1: configurable max number of live tx per flow Ticket: #5921 Co-authored-by: Jason Ish <jason.ish@oisf.net>	1 year ago
Philippe Antoine	f6e1a20215	detect: dns.opcode as first-class integer Ticket: 5446 That means it can accept ranges	1 year ago
Juliana Fajardini	244a35d539	userguide: fix explanation about bsize ranges Our code handles Uint ranges as exclusive, but for bsize, our documentation stated that they're inclusive. Cf. from uint.rs: DetectUintMode::DetectUintModeRange => { if val > x.arg1 && val < x.arg2 { return true; } } Task #6708	2 years ago
Philippe Antoine	b8bc2c7e0f	doc: integer keywords Ticket: 6628 Document the generic detection capabilities for integer keywords. and make every integer keyword pointing to this section.	2 years ago
Jason Ish	8bf8131c31	doc: note what version "requires" was added in	2 years ago
jason taylor	3cb7112aa5	detect: update smb.version keyword Signed-off-by: jason taylor <jtfas90@gmail.com>	2 years ago
Eloy Pérez González	a4901a1f70	smb: add smb.keyword documentation	2 years ago
Juliana Fajardini	df6444822e	userguide: clarify midstream exception policy The description of behavior when midstream is enabled and exception policy is set to ignore wasn't descriptive enough. Fix typos.	2 years ago
Lukas Sismis	6e4cc79b39	doc: remove references to prehistoric versions Remove references that are mentioning Suricata 3 or less As a note - only one Suricata 4 reference found: (suricata-yaml.rst:"In 4.1.x") Fast pattern selection criteria can be internally found by inspecting SupportFastPatternForSigMatchList and SigTableSetup functions. Ticket: #6570	2 years ago
Lukas Sismis	2a2898053c	dpdk: add interrupt (power-saving) mode When the packet load is low, Suricata can run in interrupt mode. This more resembles the classic approach of processing packets - CPU cores run low and only fetch packets on interrupt. Ticket: #5839	2 years ago
Lukas Sismis	ca6f7c2d00	dpdk: rework hugepage hints to use per-numa information Previous integration of hugepage analysis only fetched data from /proc/meminfo. However this proved to be often deceiving mainly for providing only global information and not taking into account different hugepage sizes (e.g. 1GB hugepages) and different NUMA nodes. Ticket: #6419	2 years ago
Jeff Lucovsky	58f882db94	doc/pcap-log: Remove squil documentation Issue: 6347	2 years ago
Philippe Antoine	adf5e6da7b	detect: strip_pseudo_headers transform Ticket: 6546	2 years ago
Philippe Antoine	4933b817aa	doc: fix byte_test examples As this keyword has 4 mandatory arguments, and some examples had only three... Ticket: 6629	2 years ago
Juliana Fajardini	a37fa62710	devguide: explain example-rule container usage Have these options documented, so that whoever writes rule-related documentation can easily know what they could use to make the doc look better.	2 years ago
Juliana Fajardini	fc2acf8cb0	devguide: fix main channels list Sphinx and RtD sometimes render lists in weird ways. The communication channels list barely looked like one, at all...	2 years ago
Juliana Fajardini	d15877b2c0	devguide: update branches, refer to backports guide Update the list of active branches to include 7 renaming and new master, link to backports document.	2 years ago
Juliana Fajardini	9fbdfd219c	devguide: add chapter with backports guide Task #6568	2 years ago
Juliana Fajardini	de8bffd244	devguide: doc from behavior changes needs ticket # If a commit introduces code that changes Suricata behavior, the related documentation changes should go in a separate commit, but refer to the same ticket number. This reduces the chances of said changes being lost if there are backports while still keeping the backporting process a bit less bulky, for each commit. Related to Task #6568	2 years ago
Juliana Fajardini	71e4ca81ef	devguide: reorganize pr-workflow section This section seemed to aim both at PR reviewers and PR authors at the same time, even though some info is probably of low value for contributors. Created new section for PR reviewers and maintainers, and kept the info for PR authors separated. Also highlighted information on requested changes and stale PRs.	2 years ago

... 2 3 4 5 6 ...

1236 Commits (suricata-8.0.0-rc1)