[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-4.0.1-374-gd212194

OISF Git noreply at openinfosecfoundation.org
Thu Feb 1 17:03:41 UTC 2018

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".

The branch, master has been updated
       via  d2121945c93ea7db0454a2865c8696b940df477a (commit)
       via  884e05167101c680b892ababcae0caa9d503a261 (commit)
       via  7b23d305423ecc6eeb6508f9f9309dcdd0bc2b23 (commit)
       via  822faa08f8ef1365b6f1f9557cd27e93d5996403 (commit)
       via  d0f92e2a569cf437d11132be49706d941a484f09 (commit)
       via  b60065caec8298e8c42984a37197536a66741e51 (commit)
       via  8354f62b19ddef4aa49d980f614f1147ebf13a7e (commit)
       via  3c68a220929bc708cd00ad9c8b9c1691ab540157 (commit)
       via  3d0ba36ba843937f7cc1d2de4cd3b0e20e7d6b9f (commit)
       via  3fd7256af517185f166894ca437a8cdf6c8f3557 (commit)
       via  74e036d09f0dcd81b14bc59bbadc665d3da4e8fc (commit)
       via  45a38c043154f1d6c145c4efc05727e9c2aea13f (commit)
       via  472cc8ea6142e17aff92bda3fd59d55512f5bd97 (commit)
       via  fe9cac58706d05c8b0dd4a27e0df400da18ffceb (commit)
       via  72c8cd67d5414e919de03693a116f027b82fb66f (commit)
       via  9864552484bdf1c258248567033247f088a904d6 (commit)
       via  3a2431a2fb2813cf5aeb13f5ec1807d4e7d66012 (commit)
       via  6bf00ab2893f415d8cbca645cea8aef0ed5a2f66 (commit)
       via  1bd6d1c2094ad1a147b58fab3cb28cc3ff035b3b (commit)
       via  474fc60671d90c2fe6f960cef7e9ef50848071df (commit)
      from  d0ea1472639a77b4e243f7a14507eb45b5e24e9c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d2121945c93ea7db0454a2865c8696b940df477a
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date:   Thu Jan 25 08:58:01 2018 +0100

    doc: update file_data description

commit 884e05167101c680b892ababcae0caa9d503a261
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date:   Fri Jul 14 14:32:25 2017 +0200

    detect-engine-hsbd: decompress swf files
    This checks if a buffer is a swf file and tries
    to decompress it, if decompression is enabled.

commit 7b23d305423ecc6eeb6508f9f9309dcdd0bc2b23
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date:   Thu Jul 23 10:39:35 2015 +0200

    util-file-decompression: add swf decompression API
    This adds a new module that permits decompressing
    swf files compressed with the zlib or lzma algorithms.
    The API that performs decompression will take a compressed
    buffer and build a new decompressed buffer following the
    FWS format which represents an uncompressed file.
    The maximum buffer that can be created is up to 50 MB.

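The two commits above (the hsbd inspection hook and the util-file-decompression module) describe rebuilding an FWS image from a zlib (CWS) or LZMA (ZWS) compressed buffer under a 50 MB cap. The following is an added Python sketch of that idea, not Suricata's C implementation: it assumes the standard SWF header layout (3-byte signature, version byte, little-endian uncompressed length, and for ZWS a compressed-length field plus a 5-byte LZMA properties block) and uses bounded decompression so a small input cannot inflate past the length the header declares.

```python
import lzma
import struct
import zlib

MAX_SWF_SIZE = 50 * 1024 * 1024  # 50 MB cap, as in the commit message

class SwfError(ValueError):
    pass

def _lzma1_filters(lc, lp, pb, dict_size):
    return [{"id": lzma.FILTER_LZMA1, "lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size}]

def swf_decompress(buf, max_size=MAX_SWF_SIZE):
    """Rebuild an uncompressed FWS image from a CWS (zlib) or ZWS (LZMA) buffer."""
    if len(buf) < 8:
        raise SwfError("truncated SWF header")
    sig, version, declared_len = buf[:3], buf[3], struct.unpack_from("<I", buf, 4)[0]
    if sig == b"FWS":
        return bytes(buf)                       # already uncompressed, nothing to do
    if sig not in (b"CWS", b"ZWS"):
        raise SwfError("not a SWF signature")
    # The header's length field is checked against the cap *before* inflating,
    # so a decompression bomb that declares a huge size is rejected without work.
    if not 8 <= declared_len <= max_size:
        raise SwfError("declared length %d outside 8..%d" % (declared_len, max_size))
    body_len = declared_len - 8                  # payload that follows the 8-byte header
    if sig == b"CWS":
        body = zlib.decompressobj().decompress(buf[8:], body_len)   # output bounded
    else:
        # ZWS: 4-byte compressed length (unused here), 5-byte LZMA props, raw LZMA1 data
        if len(buf) < 17 or buf[12] >= 9 * 5 * 5:
            raise SwfError("bad ZWS header")
        lc, rest = buf[12] % 9, buf[12] // 9     # props byte = (pb * 5 + lp) * 9 + lc
        dict_size = struct.unpack_from("<I", buf, 13)[0]
        dec = lzma.LZMADecompressor(lzma.FORMAT_RAW,
                                    filters=_lzma1_filters(lc, rest % 5, rest // 5, dict_size))
        body = dec.decompress(buf[17:], body_len)                   # output bounded
    if len(body) != body_len:
        raise SwfError("decompressed size does not match header")
    return b"FWS" + bytes([version]) + struct.pack("<I", declared_len) + body

def make_cws(version, body):
    """Constructed test input: wrap a body as a zlib-compressed SWF."""
    return b"CWS" + bytes([version]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)

def make_zws(version, body, dict_size=1 << 20):
    """Constructed test input: wrap a body as an LZMA-compressed SWF (lc=3, lp=0, pb=2)."""
    raw = lzma.compress(body, format=lzma.FORMAT_RAW, filters=_lzma1_filters(3, 0, 2, dict_size))
    props = bytes([(2 * 5 + 0) * 9 + 3]) + struct.pack("<I", dict_size)
    return (b"ZWS" + bytes([version]) + struct.pack("<I", len(body) + 8)
            + struct.pack("<I", len(raw)) + props + raw)
```

Anything the compressed stream would produce beyond the declared length is simply never inflated, which is the property that keeps the cap meaningful against crafted inputs.
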
commit 822faa08f8ef1365b6f1f9557cd27e93d5996403
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date:   Fri Jul 14 00:22:13 2017 +0200

    detect: set events in inspection phase
    During the inspection phase it is actually not possible to catch
    an error if it occurs.
    This patch permits to store events in the detection engine
    such that we can match on events and catch them.

commit d0f92e2a569cf437d11132be49706d941a484f09
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date:   Thu Jul 13 21:37:39 2017 +0200

    app-layer-htp: add swf decompression settings
    This adds some settings needed to do swf file decompression
    under libhtp section in suricata.yaml

commit b60065caec8298e8c42984a37197536a66741e51
Author: Giuseppe Longo <glongo at stamus-networks.com>
Date:   Thu Jul 13 21:09:38 2017 +0200

    configure: check for zlib and liblzma
    This checks if zlib and liblzma are installed on the system
    in order to decompress swf files.

commit 8354f62b19ddef4aa49d980f614f1147ebf13a7e
Author: Maurizio Abba <mabba at lastline.com>
Date:   Wed Jan 24 12:09:11 2018 +0000

    signal: enable SIGUSR2 after Reload when delayed-detect
    Enable SIGUSR2 Handler after the first rule reload when delayed-detect
    is enabled

commit 3c68a220929bc708cd00ad9c8b9c1691ab540157
Author: Eric Leblond <eric at regit.org>
Date:   Tue Dec 2 17:37:23 2014 +0100

    suricatasc: implement autoreconnect
    Implement a basic autoreconnect support. It tries to reconnect once
    when the connection has been lost. If it fails, it discards the command
    and tries again to connect at the next command.

commit 3d0ba36ba843937f7cc1d2de4cd3b0e20e7d6b9f
Author: Eric Leblond <eric at regit.org>
Date:   Fri Mar 20 14:23:12 2015 +0100

    unix socket: protocol v0.2
    This patch updates the unix socket protocol. Messages sent from
    the server and the client now have a '\n' at the end. This allows
    both sides to easily detect the end of a command.
    As a side effect, this fixes the problem of long answers in
    suricatasc. There is now a limit at the arbitrary value of 65536.
    Backward compatibility is preserved as a client with the older
    version of the protocol can still connect to a Suricata with
    version 2 of the protocol.

commit 3fd7256af517185f166894ca437a8cdf6c8f3557
Author: Jason Ish <ish at unx.ca>
Date:   Tue Jan 30 12:27:38 2018 -0600

    setup-app-layer-detect: update for changes in detect

commit 74e036d09f0dcd81b14bc59bbadc665d3da4e8fc
Author: Jason Ish <ish at unx.ca>
Date:   Tue Jan 30 15:09:17 2018 -0600

    doc: update eve/alert/metadata configuration

commit 45a38c043154f1d6c145c4efc05727e9c2aea13f
Author: Jason Ish <ish at unx.ca>
Date:   Tue Jan 30 15:40:26 2018 -0600

    eve/alert: new metadata configuration (sane defaults)
    Under eve/alert, introduce a new metadata configuration
    section. If not provided, or simply yes, defaults will be used.
    Otherwise this is a map with fields that can be toggled on and
    off. The defaults are:
      - eve-log:
            - alert:
                  app-layer: true
                  flow: true
                  raw: false
                  metadata: true
    To enable something that is disabled by default, or to disable
    something that is enabled by default, only that key needs to
    be changed, everything else will keep its default value.

commit 472cc8ea6142e17aff92bda3fd59d55512f5bd97
Author: Jason Ish <ish at unx.ca>
Date:   Tue Jan 30 15:22:10 2018 -0600

    conf: new function: ConfNodeHasChildren
    Test if a configuration node has any children, indicating
    that it is a non-empty map or sequence.

commit fe9cac58706d05c8b0dd4a27e0df400da18ffceb
Author: Martin Natano <martin.natano at radarservices.com>
Date:   Fri Aug 11 18:11:09 2017 +0200

    eve/alert: include rule text in alert output
    For SIEM analysis it is often useful to refer to the actual rules to
    find out why a specific alert has been triggered when the signature
    message does not convey enough information.
    Turn on the new rule flag to include the rule text in eve alert output.
    The feature is turned off by default.
    With a rule like this:
        alert dns $HOME_NET any -> any (msg:"Google DNS server contacted"; sid:42;)
    The eve alert output might look something like this (pretty-printed for
          "timestamp": "2017-08-14T12:35:05.830812+0200",
          "flow_id": 1919856770919772,
          "in_iface": "eth0",
          "event_type": "alert",
          "src_ip": "",
          "src_port": 50968,
          "dest_ip": "",
          "dest_port": 53,
          "proto": "UDP",
          "alert": {
            "action": "allowed",
            "gid": 1,
            "signature_id": 42,
            "rev": 0,
            "signature": "Google DNS server contacted",
            "category": "",
            "severity": 3,
            "rule": "alert dns $HOME_NET any -> any (msg:\"Google DNS server contacted\"; sid:43;)"
          "app_proto": "dns",
          "flow": {
            "pkts_toserver": 1,
            "pkts_toclient": 0,
            "bytes_toserver": 81,
            "bytes_toclient": 0,
            "start": "2017-08-14T12:35:05.830812+0200"
    Feature #2020

commit 72c8cd67d5414e919de03693a116f027b82fb66f
Author: Eric Leblond <eric at regit.org>
Date:   Thu Oct 26 10:31:46 2017 +0200

    doc: documentation update on metadata

commit 9864552484bdf1c258248567033247f088a904d6
Author: Eric Leblond <eric at regit.org>
Date:   Sat Nov 4 11:10:15 2017 -0400

    detect-metadata: add a string storage to de_ctx
    To avoid having a lot of string allocations, we use a hash table
    stored in de_ctx to point to existing strings instead of duplicating them.

commit 3a2431a2fb2813cf5aeb13f5ec1807d4e7d66012
Author: Eric Leblond <eric at regit.org>
Date:   Sat Nov 4 11:06:16 2017 -0400

    suricata: init output before detection
    As we need to know if we should parse the signature metadata, we
    have to parse the output configuration before initializing the
    detection engine.

commit 6bf00ab2893f415d8cbca645cea8aef0ed5a2f66
Author: Eric Leblond <eric at regit.org>
Date:   Fri Apr 21 19:42:04 2017 +0200

    output-json-alert: conditionally output metadata
    Metadata of the signature can now conditionally be put in the alert
    events. This will allow users to get more context about the events
    generated by the alert.
    detect-metadata: conditional parsing
    Only parses metadata if an output module will use the information.
    Patch also adds a unittest to check metadata is not parsed if not
    asked to.
    output-json-alert: optional output keys as array
    Update rule metadata configuration to have an option to output
    values as an array. Also adds an option to log only a series of keys
    as an array. This is useful in the case of some rulesets where for
    instance the `tag` key is used multiple times.
    (Jason Ish) rule metadata: always log as lists
    After review of rule metadata, we can't make assumptions
    on what should be a list or not. So log everything as a list.

commit 1bd6d1c2094ad1a147b58fab3cb28cc3ff035b3b
Author: Eric Leblond <eric at regit.org>
Date:   Wed Oct 25 21:46:05 2017 +0200

    detect-metadata: add unit test

commit 474fc60671d90c2fe6f960cef7e9ef50848071df
Author: Eric Leblond <eric at regit.org>
Date:   Wed Dec 14 17:59:23 2016 +0100

    detect-metadata: store metadata key value pairs
    This patch updates the Signature structure so it contains the
    metadata under a key value form.
    A later patch will make that dictionary available in the events.


Summary of changes:
 configure.ac                                       |   73 +
 doc/userguide/output/eve/eve-json-output.rst       |   45 +-
 doc/userguide/partials/eve-log.yaml                |   33 +-
 doc/userguide/rules/http-keywords.rst              |   20 +
 doc/userguide/rules/meta.rst                       |   10 +-
 scripts/setup-app-layer-detect.sh                  |   37 -
 scripts/suricatasc/src/suricatasc.py               |   35 +-
 src/Makefile.am                                    |    2 +
 src/app-layer-htp.c                                |   46 +
 src/app-layer-htp.h                                |   12 +
 src/conf.c                                         |   43 +
 src/conf.h                                         |    1 +
 src/detect-app-layer-event.c                       |   49 +-
 src/detect-app-layer-event.h                       |    3 +
 src/detect-engine-hsbd.c                           |   42 +
 src/detect-engine.c                                |   69 +
 src/detect-engine.h                                |    4 +
 src/detect-metadata.c                              |  252 +++-
 src/detect-metadata.h                              |   14 +
 src/detect-parse.c                                 |   41 +-
 src/detect.h                                       |   47 +-
 src/output-json-alert.c                            |  107 +-
 src/output-json-alert.h                            |    3 +-
 src/output-json-drop.c                             |    4 +-
 src/suricata.c                                     |    5 +-
 src/tests/detect-engine-hsbd.c                     | 1428 ++++++++++++++++++++
 src/unix-manager.c                                 |  115 +-
 src/util-file-decompression.c                      |  214 +++
 ...{app-layer-tftp.h => util-file-decompression.h} |   34 +-
 src/util-file-swf-decompression.c                  |  183 +++
 src/util-file-swf-decompression.h                  |   42 +
 suricata.yaml.in                                   |   14 +
 32 files changed, 2869 insertions(+), 158 deletions(-)
 create mode 100644 src/tests/detect-engine-hsbd.c
 create mode 100644 src/util-file-decompression.c
 copy src/{app-layer-tftp.h => util-file-decompression.h} (51%)
 create mode 100644 src/util-file-swf-decompression.c
 create mode 100644 src/util-file-swf-decompression.h