[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-4.0.1-374-gd212194
OISF Git
noreply at openinfosecfoundation.org
Thu Feb 1 17:03:41 UTC 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".
The branch, master has been updated
via d2121945c93ea7db0454a2865c8696b940df477a (commit)
via 884e05167101c680b892ababcae0caa9d503a261 (commit)
via 7b23d305423ecc6eeb6508f9f9309dcdd0bc2b23 (commit)
via 822faa08f8ef1365b6f1f9557cd27e93d5996403 (commit)
via d0f92e2a569cf437d11132be49706d941a484f09 (commit)
via b60065caec8298e8c42984a37197536a66741e51 (commit)
via 8354f62b19ddef4aa49d980f614f1147ebf13a7e (commit)
via 3c68a220929bc708cd00ad9c8b9c1691ab540157 (commit)
via 3d0ba36ba843937f7cc1d2de4cd3b0e20e7d6b9f (commit)
via 3fd7256af517185f166894ca437a8cdf6c8f3557 (commit)
via 74e036d09f0dcd81b14bc59bbadc665d3da4e8fc (commit)
via 45a38c043154f1d6c145c4efc05727e9c2aea13f (commit)
via 472cc8ea6142e17aff92bda3fd59d55512f5bd97 (commit)
via fe9cac58706d05c8b0dd4a27e0df400da18ffceb (commit)
via 72c8cd67d5414e919de03693a116f027b82fb66f (commit)
via 9864552484bdf1c258248567033247f088a904d6 (commit)
via 3a2431a2fb2813cf5aeb13f5ec1807d4e7d66012 (commit)
via 6bf00ab2893f415d8cbca645cea8aef0ed5a2f66 (commit)
via 1bd6d1c2094ad1a147b58fab3cb28cc3ff035b3b (commit)
via 474fc60671d90c2fe6f960cef7e9ef50848071df (commit)
from d0ea1472639a77b4e243f7a14507eb45b5e24e9c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit d2121945c93ea7db0454a2865c8696b940df477a
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date: Thu Jan 25 08:58:01 2018 +0100
doc: update file_data description
commit 884e05167101c680b892ababcae0caa9d503a261
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date: Fri Jul 14 14:32:25 2017 +0200
detect-engine-hsbd: decompress swf files
This checks if a buffer is a swf file and try
to decompress it, if decompression is enabled.
commit 7b23d305423ecc6eeb6508f9f9309dcdd0bc2b23
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date: Thu Jul 23 10:39:35 2015 +0200
util-file-decompression: add swf decompression API
This adds a new module that permits to decompress
swf file compressed with zlib or lzma algorithms.
The API that performs decompression will take a compressed
buffer and build a new decompressed buffer following the
FWS format which represents an uncompressed file.
The maximum buffer that can be created is up to 50mb.
commit 822faa08f8ef1365b6f1f9557cd27e93d5996403
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date: Fri Jul 14 00:22:13 2017 +0200
detect: set events in inspection phase
During the inspection phase actually is not possible to catch
an error if it occurs.
This patch permits to store events in the detection engine
such that we can match on events and catch them.
commit d0f92e2a569cf437d11132be49706d941a484f09
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date: Thu Jul 13 21:37:39 2017 +0200
app-layer-htp: add swf decompression settings
This adds some settings needed to do swf file decompression
under libhtp section in suricata.yaml
commit b60065caec8298e8c42984a37197536a66741e51
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date: Thu Jul 13 21:09:38 2017 +0200
configure: check for zlib and liblzma
This checks if zlib and libzma are installed on the system
in order to decompress swf files.
commit 8354f62b19ddef4aa49d980f614f1147ebf13a7e
Author: Maurizio Abba <mabba at lastline.com>
Date: Wed Jan 24 12:09:11 2018 +0000
signal: enable SIGUSR2 after Reload when delayed-detect
Enable SIGUSR2 Handler after the first rule reload when delayed-detect
is enabled
commit 3c68a220929bc708cd00ad9c8b9c1691ab540157
Author: Eric Leblond <eric at regit.org>
Date: Tue Dec 2 17:37:23 2014 +0100
suricatasc: implement autoreconnect
Implement a basic autoreconnect support. It tries to reconnect once
when connection has been lost. If it fails, it discards the command
and try again to connect at next command.
commit 3d0ba36ba843937f7cc1d2de4cd3b0e20e7d6b9f
Author: Eric Leblond <eric at regit.org>
Date: Fri Mar 20 14:23:12 2015 +0100
unix socket: protocol v0.2
This patch updates the unix socket protocol. Messages send from
the server and the client have now a '\n' at the end. This allows
both sides to detect easily the end of a command.
As a side effect, this fixes the problem of long answer in
suricatasc. There is now a limit at the arbitrary value of 65536.
Backward compatility is preserved as a client with the older
version of the protocol can still connect to a Suricata with
version 2 of the protocol.
commit 3fd7256af517185f166894ca437a8cdf6c8f3557
Author: Jason Ish <ish at unx.ca>
Date: Tue Jan 30 12:27:38 2018 -0600
setup-app-layer-detect: update for changes in detect
commit 74e036d09f0dcd81b14bc59bbadc665d3da4e8fc
Author: Jason Ish <ish at unx.ca>
Date: Tue Jan 30 15:09:17 2018 -0600
doc: update eve/alert/metadata configuration
commit 45a38c043154f1d6c145c4efc05727e9c2aea13f
Author: Jason Ish <ish at unx.ca>
Date: Tue Jan 30 15:40:26 2018 -0600
eve/alert: new metadata configuration (sane defaults)
Under eve/alert, introduce a new metadata configuration
section. If no provided, or simply yes defaults will be used.
Otherwise this a map with fields that can be toggled on and
off. The defaults are:
outputs:
- eve-log:
types:
- alert:
metadata:
app-layer: true
flow: true
rule:
raw: false
metadata: true
To enable something that is disabled by default, or to disable
something that is enabled by default, only that key need to
be changed, everything else will keep its default value.
commit 472cc8ea6142e17aff92bda3fd59d55512f5bd97
Author: Jason Ish <ish at unx.ca>
Date: Tue Jan 30 15:22:10 2018 -0600
conf: new function: ConfNodeHasChildren
Test if a configuration node has any children, indicating
that it is a non-empty map or sequence.
commit fe9cac58706d05c8b0dd4a27e0df400da18ffceb
Author: Martin Natano <martin.natano at radarservices.com>
Date: Fri Aug 11 18:11:09 2017 +0200
eve/alert: include rule text in alert output
For SIEM analysis it is often useful to refer to the actual rules to
find out why a specific alert has been triggered when the signature
message does not convey enough information.
Turn on the new rule flag to include the rule text in eve alert output.
The feature is turned off by default.
With a rule like this:
alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;)
The eve alert output might look something like this (pretty-printed for
readability):
{
"timestamp": "2017-08-14T12:35:05.830812+0200",
"flow_id": 1919856770919772,
"in_iface": "eth0",
"event_type": "alert",
"src_ip": "10.20.30.40",
"src_port": 50968,
"dest_ip": "8.8.8.8",
"dest_port": 53,
"proto": "UDP",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 42,
"rev": 0,
"signature": "Google DNS server contacted",
"category": "",
"severity": 3,
"rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)"
},
"app_proto": "dns",
"flow": {
"pkts_toserver": 1,
"pkts_toclient": 0,
"bytes_toserver": 81,
"bytes_toclient": 0,
"start": "2017-08-14T12:35:05.830812+0200"
}
}
Feature #2020
commit 72c8cd67d5414e919de03693a116f027b82fb66f
Author: Eric Leblond <eric at regit.org>
Date: Thu Oct 26 10:31:46 2017 +0200
doc: documentation update on metadata
commit 9864552484bdf1c258248567033247f088a904d6
Author: Eric Leblond <eric at regit.org>
Date: Sat Nov 4 11:10:15 2017 -0400
detect-metadata: add a string storage to de_ctx
To avoid to have a lot of string allocations, we use a hash table
stored in de_ctx to point to existing string instead of duplicating
them.
commit 3a2431a2fb2813cf5aeb13f5ec1807d4e7d66012
Author: Eric Leblond <eric at regit.org>
Date: Sat Nov 4 11:06:16 2017 -0400
suricata: init output before detection
As we need to know if we should parse the signature metadata, we
have to parse the output configuration before initializing the
detection engine.
commit 6bf00ab2893f415d8cbca645cea8aef0ed5a2f66
Author: Eric Leblond <eric at regit.org>
Date: Fri Apr 21 19:42:04 2017 +0200
output-json-alert: conditionaly output metadata
Metadata of the signature can now conditionaly put in the alert
events. This will allow user to get more context about the events
generated by the alert.
detect-metadata: conditional parsing
Only parses metadata if an output module will use the information.
Patch also adds a unittest to check metadata is not parsed if not
asked to.
output-json-alert: optional output keys as array
Update rule metadata configuration to have an option to output
value as array. Also adds an option to log only a series of keys
as array. This is useful in the case of some ruleset where from
instance the `tag` key is used multiple time.
(Jason Ish) rule metadata: always log as lists
After review of rule metadata, we can't make assumptions
on what should be a list or not. So log everything as a list.
commit 1bd6d1c2094ad1a147b58fab3cb28cc3ff035b3b
Author: Eric Leblond <eric at regit.org>
Date: Wed Oct 25 21:46:05 2017 +0200
detect-metadata: add unit test
commit 474fc60671d90c2fe6f960cef7e9ef50848071df
Author: Eric Leblond <eric at regit.org>
Date: Wed Dec 14 17:59:23 2016 +0100
detect-metadata: store metadata key value pairs
This patch updates the Signature structure so it contains the
metadata under a key value form.
Later patch will make that dictionary available in the events.
-----------------------------------------------------------------------
Summary of changes:
configure.ac | 73 +
doc/userguide/output/eve/eve-json-output.rst | 45 +-
doc/userguide/partials/eve-log.yaml | 33 +-
doc/userguide/rules/http-keywords.rst | 20 +
doc/userguide/rules/meta.rst | 10 +-
scripts/setup-app-layer-detect.sh | 37 -
scripts/suricatasc/src/suricatasc.py | 35 +-
src/Makefile.am | 2 +
src/app-layer-htp.c | 46 +
src/app-layer-htp.h | 12 +
src/conf.c | 43 +
src/conf.h | 1 +
src/detect-app-layer-event.c | 49 +-
src/detect-app-layer-event.h | 3 +
src/detect-engine-hsbd.c | 42 +
src/detect-engine.c | 69 +
src/detect-engine.h | 4 +
src/detect-metadata.c | 252 +++-
src/detect-metadata.h | 14 +
src/detect-parse.c | 41 +-
src/detect.h | 47 +-
src/output-json-alert.c | 107 +-
src/output-json-alert.h | 3 +-
src/output-json-drop.c | 4 +-
src/suricata.c | 5 +-
src/tests/detect-engine-hsbd.c | 1428 ++++++++++++++++++++
src/unix-manager.c | 115 +-
src/util-file-decompression.c | 214 +++
...{app-layer-tftp.h => util-file-decompression.h} | 34 +-
src/util-file-swf-decompression.c | 183 +++
src/util-file-swf-decompression.h | 42 +
suricata.yaml.in | 14 +
32 files changed, 2869 insertions(+), 158 deletions(-)
create mode 100644 src/tests/detect-engine-hsbd.c
create mode 100644 src/util-file-decompression.c
copy src/{app-layer-tftp.h => util-file-decompression.h} (51%)
create mode 100644 src/util-file-swf-decompression.c
create mode 100644 src/util-file-swf-decompression.h
hooks/post-receive
--
OISF
More information about the Oisf-devel
mailing list