[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-4.0.1-581-gba24bb8
OISF Git
noreply at openinfosecfoundation.org
Wed Mar 21 07:20:07 UTC 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".
The branch, master has been updated
via ba24bb82faa81d01ed00e4caa6262d6ce8013ffa (commit)
via cbcbc0f6b05e6dffb3f538ec1b33566be4517920 (commit)
via c130820bff1288ad6dca66ea5da0e4d4a0b5389d (commit)
via 3140e4598ad1f0960d33dbf0815eeed9c8ea1166 (commit)
via 2d34e402c017f395f225e99874f5ca4a0c3b22f9 (commit)
via d6a98aa1c3bcd72d757c884915edadb67121e762 (commit)
via 47a7ebbbc2a97c2e2ae5e1bb0dfd3853960d89c5 (commit)
via d55e4555042fe910fe32b7a78c6ef0d3a165aa6d (commit)
via fb0bfb614f60dba746152311393ac7323426e753 (commit)
via 8339ed338fcc107c70c605ce05ff6bf52cf5af41 (commit)
via 25145530987cbb54f1a7d303ca6da9a5c7ef67e6 (commit)
via 195fa9d272fb397929bf31d9c54bed9165553842 (commit)
via a357f52fa5aa9f79d061b5560afe4df0458d81fd (commit)
via 6e23ae230bb9f88411032ff494ae3343f820ac0e (commit)
via 38cc6f595fbea20b5f70a42cc7500492eb19d3b7 (commit)
via 6c7aacce9e4be2e884ab3034f496fcc770a78943 (commit)
via d4af90032e30ae7d1ad706fb19c781827656f5b6 (commit)
via 0c16cd01200a6ae576e5fdcd53506928eda632c5 (commit)
via 3f0dea582d6c08c95d00981616c76651a9a7933e (commit)
from ea1e13cb00894717eb6fba9bf6785a71955780c9 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit ba24bb82faa81d01ed00e4caa6262d6ce8013ffa
Author: Victor Julien <victor at inliniac.net>
Date: Tue Mar 20 15:49:00 2018 +0100
der: don't overwrite errcode
If the code has already been set it is more detailed than the more
generic 'invalid object'.
commit cbcbc0f6b05e6dffb3f538ec1b33566be4517920
Author: Jason Ish <ish at unx.ca>
Date: Wed Jan 31 15:42:42 2018 -0600
suricata-update: bundle suricata update
Add autoconf/automake support for installing suricata-update
if found in the top level suricata-update.
commit c130820bff1288ad6dca66ea5da0e4d4a0b5389d
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Tue Feb 21 12:06:17 2017 +0100
conf: user-configurable umask setting
Make umask user-configurable by setting 'umask' in suricata.yaml.
commit 3140e4598ad1f0960d33dbf0815eeed9c8ea1166
Author: Pierre Chifflier <chifflier at wzdftpd.net>
Date: Thu Mar 1 18:58:41 2018 +0100
DER parser: ensure errcode is set for every return path
commit 2d34e402c017f395f225e99874f5ca4a0c3b22f9
Author: Pierre Chifflier <chifflier at wzdftpd.net>
Date: Thu Feb 15 15:00:35 2018 +0100
DER parser: fix undefined behaviors and add missing length tests
Fix several undefined behaviors, caused by possible use or read of
uninitialized memory.
commit d6a98aa1c3bcd72d757c884915edadb67121e762
Author: Antti Tönkyrä <daedalus at pingtimeout.net>
Date: Mon Mar 19 12:18:56 2018 +0200
stream-tcp: add counters for midstream pickups
If midstream pickups are enabled this will help in discovering how
many midstream pickups are being done by Suricata.
commit 47a7ebbbc2a97c2e2ae5e1bb0dfd3853960d89c5
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Thu Dec 28 22:45:50 2017 +0100
doc: add JA3 fields to the TLS logger documentation
commit d55e4555042fe910fe32b7a78c6ef0d3a165aa6d
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Thu Dec 28 22:40:27 2017 +0100
eve: add JA3 fields to TLS JSON logger
Add JA3 object to TLS JSON logger (extended log).
commit fb0bfb614f60dba746152311393ac7323426e753
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Thu Dec 28 21:51:44 2017 +0100
doc: add documentation for Ja3GetString Lua function
commit 8339ed338fcc107c70c605ce05ff6bf52cf5af41
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Thu Dec 28 21:45:08 2017 +0100
lua: add Ja3GetString function
Add Ja3GetString() to return the content of the JA3 string buffer from the
TLS session.
Example:
    function init (args)
        -- register for TLS: the script is called once per TLS session
        local needs = {}
        needs["protocol"] = "tls"
        return needs
    end

    function setup (args)
        -- 'file' is global so that log() and deinit() can reach it
        filename = SCLogPath() .. "/ja3_string.log"
        file = assert(io.open(filename, "a"))
    end

    function log (args)
        -- nil when JA3 is disabled or no ClientHello was seen
        ja3_string = Ja3GetString()
        if ja3_string == nil then
            return
        end
        file:write(ja3_string .. "\n")
        file:flush()
    end

    function deinit (args)
        file:close()
    end
commit 25145530987cbb54f1a7d303ca6da9a5c7ef67e6
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Thu Dec 28 21:21:16 2017 +0100
doc: add documentation for Ja3GetHash Lua function
commit 195fa9d272fb397929bf31d9c54bed9165553842
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Thu Dec 28 21:06:28 2017 +0100
lua: add Ja3GetHash function
Add Ja3GetHash() to return the content of the JA3 hash buffer from the
TLS session.
Example:
    function init (args)
        -- register for TLS: the script is called once per TLS session
        local needs = {}
        needs["protocol"] = "tls"
        return needs
    end

    function setup (args)
        -- 'file' is global so that log() and deinit() can reach it
        filename = SCLogPath() .. "/ja3_hash.log"
        file = assert(io.open(filename, "a"))
    end

    function log (args)
        -- nil when JA3 is disabled or no ClientHello was seen
        ja3_hash = Ja3GetHash()
        if ja3_hash == nil then
            return
        end
        file:write(ja3_hash .. "\n")
        file:flush()
    end

    function deinit (args)
        file:close()
    end
In the (useless) example above, each JA3 hash is logged to a log file.
commit a357f52fa5aa9f79d061b5560afe4df0458d81fd
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Sun Dec 10 16:47:07 2017 +0100
doc: add documentation for ja3_string keyword
commit 6e23ae230bb9f88411032ff494ae3343f820ac0e
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Sun Dec 10 16:05:37 2017 +0100
detect: add (mpm) keyword ja3_string
Match on the JA3 string using the ja3_string keyword, e.g.:
    alert tls any any -> any any (msg:"JA3 string test";
        ja3_string; content:"65-68-69-102"; sid:1;)
commit 38cc6f595fbea20b5f70a42cc7500492eb19d3b7
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Sun Dec 10 16:40:58 2017 +0100
doc: add documentation for ja3_hash keyword
commit 6c7aacce9e4be2e884ab3034f496fcc770a78943
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Thu Dec 7 09:30:03 2017 +0100
detect: add (mpm) keyword ja3_hash
Match on the JA3 hash using the ja3_hash keyword, e.g.:
    alert tls any any -> any any (msg:"JA3 hash test";
        ja3_hash;
        content:"e7eca2baf4458d095b7f45da28c16c34";
        sid:1;)
commit d4af90032e30ae7d1ad706fb19c781827656f5b6
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Tue Dec 26 13:33:05 2017 +0100
util-ja3: add function to check if JA3 is disabled
commit 0c16cd01200a6ae576e5fdcd53506928eda632c5
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Thu Nov 30 11:04:03 2017 +0100
app-layer-ssl: generate JA3 fingerprints
Decode additional fields from the client hello packet and generate
JA3 fingerprints.
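How the ClientHello fields decoded by this commit turn into the values the ja3_string and ja3_hash keywords above match on, as an added Python example that is not Suricata's code: it length-checks and parses a constructed ClientHello handshake message, assembles the JA3 string and MD5s it. GREASE filtering follows the JA3 specification and is an assumption about the commit, not something it states.

```python
import hashlib
import struct
# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa; JA3 leaves them out.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}
# Constructed sample ClientHello handshake message (not captured traffic): TLS 1.2
# legacy version, zeroed random, five cipher suites, five extensions, GREASE in each list.
SAMPLE_HELLO = bytes.fromhex("010000650303") + bytes(32) + bytes.fromhex(
    "00" "000a" "13011302c02bc02f2a2a" "0100" "0032"  # session_id, ciphers, compression, ext len
    "0000000e000c0000096c6f63616c686f7374"            # server_name "localhost"
    "000a000a0008001d001700181a1a"                    # supported_groups 29, 23, 24, GREASE
    "000b00020100" "000d000400020403" "0a0a0000")     # ec_point_formats, sig_algs, GREASE ext

def parse_client_hello(hs: bytes) -> dict:
    """Extract the JA3-relevant ClientHello fields; every read is length-checked."""
    pos = 0
    def take(n):                                     # read n bytes or fail closed
        nonlocal pos
        if pos + n > len(hs):
            raise ValueError("truncated ClientHello")
        pos += n
        return hs[pos - n:pos]
    def u8(): return take(1)[0]
    def u16(): return struct.unpack(">H", take(2))[0]
    if u8() != 0x01 or int.from_bytes(take(3), "big") != len(hs) - 4:
        raise ValueError("not a well-formed ClientHello handshake message")
    version = u16()
    take(32)                                         # random
    take(u8())                                       # session_id
    ciphers = [c for (c,) in struct.iter_unpack(">H", take(u16() & ~1))]
    take(u8())                                       # compression_methods
    exts, groups, formats = [], [], []
    ext_len = u16() if pos < len(hs) else 0          # extensions block is optional
    end = pos + ext_len
    while pos + 4 <= end:
        etype, data = u16(), take(u16())
        exts.append(etype)
        if etype == 0x000a and len(data) >= 2:       # supported_groups
            n = min(struct.unpack(">H", data[:2])[0], len(data) - 2) & ~1
            groups = [g for (g,) in struct.iter_unpack(">H", data[2:2 + n])]
        elif etype == 0x000b and len(data) >= 1:     # ec_point_formats
            formats = list(data[1:1 + data[0]])
    return dict(version=version, ciphers=ciphers, extensions=exts, groups=groups, formats=formats)

def ja3_string(hello: dict) -> str:
    """Version,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats; GREASE dropped."""
    dash = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    return ",".join([str(hello["version"])] + [dash(hello[k]) for k in ("ciphers", "extensions", "groups", "formats")])

def ja3_hash(s: str) -> str:                         # the value the ja3_hash keyword matches on
    return hashlib.md5(s.encode("ascii")).hexdigest()
```

A content match such as the `ja3_string; content:"..."` rule above is a substring test against exactly this comma/dash-separated string, so group or cipher order changes in the client produce a different string and hash.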
commit 3f0dea582d6c08c95d00981616c76651a9a7933e
Author: Mats Klepsland <mats.klepsland at gmail.com>
Date: Mon Nov 27 12:23:57 2017 +0100
app-layer-ssl: split function into multiple smaller functions
Split 'TLSDecodeHandshakeHello' into smaller functions to make
it easier to read the code when the function grows in size.
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 3 +
Makefile.am | 5 +-
configure.ac | 7 +
doc/userguide/output/eve/eve-json-format.rst | 3 +
doc/userguide/output/eve/eve-json-output.rst | 2 +-
doc/userguide/output/lua-output.rst | 47 ++
doc/userguide/rules/index.rst | 1 +
doc/userguide/rules/ja3-keywords.rst | 36 ++
src/Makefile.am | 4 +
src/app-layer-ssl.c | 605 ++++++++++++++++++---
src/app-layer-ssl.h | 6 +
src/detect-engine-register.c | 5 +
src/detect-engine-register.h | 3 +
src/detect-lua-extensions.c | 2 +
src/detect-tls-ja3-hash.c | 258 +++++++++
...ect-tls-cert-serial.h => detect-tls-ja3-hash.h} | 10 +-
src/detect-tls-ja3-string.c | 260 +++++++++
...t-tls-cert-serial.h => detect-tls-ja3-string.h} | 10 +-
src/output-json-tls.c | 44 ++
src/output-lua.c | 2 +
src/stream-tcp.c | 3 +
src/stream-tcp.h | 2 +
src/suricata.c | 12 +
src/util-daemon.c | 2 -
src/util-decode-der.c | 154 +++++-
src/util-decode-der.h | 8 +-
src/util-error.c | 3 +-
src/util-error.h | 5 +-
src/util-ja3.c | 284 ++++++++++
src/{util-random.h => util-ja3.h} | 23 +-
src/util-lua-ja3.c | 117 ++++
src/{detect-tls-cert-serial.h => util-lua-ja3.h} | 13 +-
{python => suricata-update}/Makefile.am | 15 +-
suricata.yaml.in | 8 +
34 files changed, 1829 insertions(+), 133 deletions(-)
create mode 100644 doc/userguide/rules/ja3-keywords.rst
create mode 100644 src/detect-tls-ja3-hash.c
copy src/{detect-tls-cert-serial.h => detect-tls-ja3-hash.h} (82%)
create mode 100644 src/detect-tls-ja3-string.c
copy src/{detect-tls-cert-serial.h => detect-tls-ja3-string.h} (82%)
create mode 100644 src/util-ja3.c
copy src/{util-random.h => util-ja3.h} (60%)
create mode 100644 src/util-lua-ja3.c
copy src/{detect-tls-cert-serial.h => util-lua-ja3.h} (81%)
copy {python => suricata-update}/Makefile.am (61%)
hooks/post-receive
--
OISF