suricata/rules
Victor Julien 870fe6ea19 stream: add TCP urgent handling options
TCP urgent handling is a complex topic due to conflicting RFCs and
implementations.

Until now the URG flag and urgent pointer values were simply ignored,
leading to an effective "inline" processing of urgent data. Many
implementations, however, do not default to this behavior.

Many actual implementations use the urgent mechanism to send 1 byte of
data out of band to the application.

Complicating the matter is that the way the urgent logic is handled is
generally configurable both at the OS and the app level. So from the
network it is impossible to know with confidence what the settings are.

This patch adds the following policies:

`stream.reassembly.urgent.policy`:

- drop: drop URG packets before they affect the stream engine

- inline: ignore the urgent pointer and process all data inline

- oob (out of band): treat the last byte as out of band

- gap: skip the last byte, but do not adjust sequence offsets, leading to
       gaps in the data

For the `oob` option, tracking of a sequence number offset is required,
as the OOB data does "consume" sequence number space. This is limited to
64k. For this reason, there is a second policy:

`stream.reassembly.urgent.oob-limit-policy`:

- drop: drop URG packets before they affect the stream engine

- inline: ignore the urgent pointer and process all data inline

- gap: skip the last byte, but do not adjust sequence offsets, leading to
       gaps in the data

Bug: #7411.
(cherry picked from commit 6882bcb3e5)
8 months ago
Makefile.am rfb: never return error on unknown traffic 2 years ago
README.md rules/readme: document sid ranges in source tree 3 years ago
app-layer-events.rules app-layer: protocol change API 8 years ago
decoder-events.rules rules: spelling 2 years ago
dhcp-events.rules dhcp: add dhcp app-layer rules file 7 years ago
dnp3-events.rules rules: add missing classtypes for event.rules 8 years ago
dns-events.rules dns: provide events for recoverable parse errors 8 months ago
files.rules rules: spelling 2 years ago
ftp-events.rules ftp: add events for command too long 3 years ago
http-events.rules http: have a headers limit 10 months ago
http2-events.rules http2: handle reassembly for continuation frames 1 year ago
ipsec-events.rules rules/ike: fix ike event names that have changed 9 months ago
kerberos-events.rules Kerberos 5: rename weak crypto to weak encryption, and log it 7 years ago
modbus-events.rules rules/modbus: remove rule for event that not longer exists 9 months ago
mqtt-events.rules mqtt: raise event on parse error 3 years ago
nfs-events.rules nfs: limits the number of active transactions per flow 3 years ago
ntp-events.rules Add event rules for NTP events 8 years ago
quic-events.rules quic: events and rules on them 3 years ago
rfb-events.rules rfb: never return error on unknown traffic 2 years ago
smb-events.rules smb: checks against nbss records length 2 years ago
smtp-events.rules protocol-change: sets event in case of failure 3 years ago
ssh-events.rules rules: add SSH decoder events rules 5 years ago
stream-events.rules stream: add TCP urgent handling options 8 months ago
tls-events.rules rules/tls: sync with changes to the TLS events 5 years ago

README.md

Suricata Reserved SID Allocations

Unless otherwise noted, each component or protocol is allocated 1000 signature IDs.

Components

| Component | Start | End |
|---|---|---|
| Decoder | 2200000 | 2200999 |
| Stream | 2210000 | 2210999 |
| Generic App-Layer | 2260000 | 2260999 |

App-Layer Protocols

| Protocol | Start | End |
|---|---|---|
| SMTP | 2220000 | 2220999 |
| HTTP | 2221000 | 2221999 |
| NTP | 2222000 | 2222999 |
| NFS | 2223000 | 2223999 |
| IPsec | 2224000 | 2224999 |
| SMB | 2225000 | 2225999 |
| Kerberos | 2226000 | 2226999 |
| DHCP | 2227000 | 2227999 |
| SSH | 2228000 | 2228999 |
| MQTT | 2229000 | 2229999 |
| TLS | 2230000 | 2230999 |
| QUIC | 2231000 | 2231999 |
| FTP | 2232000 | 2232999 |
| DNS | 2240000 | 2240999 |
| MODBUS | 2250000 | 2250999 |
| DNP3 | 2270000 | 2270999 |
| HTTP2 | 2290000 | 2290999 |