Commit graph

230 commits

Author SHA1 Message Date
Philippe Antoine
0d714b9624 doc/jsonschema: remove non-existing email fields 2026-02-04 10:47:38 +00:00
Philippe Antoine
81cc007a11 doc/jsonschema: remove non-existent ldap field
Probably a duplicate typo
2026-02-04 10:47:38 +00:00
Philippe Antoine
750ae52eac doc/jsonschema: remove obsolete insert_list_fail field
Ticket: 5267
2026-02-04 10:47:38 +00:00
Ofer Dagan
2371829bf1 schema: add threshold stats counters
Add schema definitions for new threshold-related statistics:
- bitmap_alloc_fail: Count of bitmap allocation failures
- bitmap_memuse: Memory usage by detection_filter bitmaps
- memcap: Memory cap for threshold hash table
- memuse: Memory usage by threshold hash table

Task #7928
2026-01-27 20:54:44 +00:00
Jeff Lucovsky
54bd8edf68 decode/ipv4: Create event on unknown protos
Issue: 7146

Create an event when the IPv4 header contains an unknown IP protocol.
2026-01-22 09:13:27 +00:00
Philippe Antoine
dd6baccabd src: doc: remove more double-space typos
Found with git grep -E '[a-z]  [a-z]'
2026-01-14 12:49:11 +00:00
Shivani Bhardwaj
0f92583702 flow: split elephant flow detection per dir
The tracking for elephant flows is done per direction; however, the flag
was set on the flow whenever either of the directions crossed the
rate-limit defined in the settings. Given that the tracking was already
split, it makes sense to split the detection tracking per direction as
well and allow users to have better control via the rule language.
2025-12-23 21:59:11 +00:00
Philippe Antoine
24405a7b76 doc: http fields in json schema
Ticket: 6075
2025-12-11 20:39:02 +00:00
Philippe Antoine
2f39c8c099 jsonschema: remove obsolete http fields
These were moved to array request_headers/response_headers

Ticket: 6075
2025-12-11 20:39:02 +00:00
Philippe Antoine
cf88ed518c jsonschema: check for duplicate keys
Ticket: 6691

And fix the one duplicate found
2025-12-10 06:38:12 +00:00
Philippe Antoine
1df568300c doc/jsonschema: use dnp3_func instead of its alias 2025-11-26 01:13:05 +00:00
Juliana Fajardini
331bc8aeac schema: add descriptions to global memcaps/memuses
For FTP, Host, IP Pair and HTTP.

Related to
Task #6434
2025-11-22 13:51:21 +00:00
Juliana Fajardini
2855574a2c schema: add additional properties to stats.capture
The `stats.capture` object may have different properties based on the
capture method used.

This adds the ones pertaining to AF_PACKET capture.

Related to
Task #6434
2025-11-22 13:51:21 +00:00
Juliana Fajardini
12e0e51864 schema: add desc for each main stats module
Part of the schema documentation effort.

Related to
Task #6434
2025-11-22 13:51:21 +00:00
Juliana Fajardini
025ffa6135 schema: allow stats.stream event counters
While the counters exist, they're not present in the schema, causing
validation to fail if stats.stream-events is enabled.

Task #7858
2025-11-22 13:51:21 +00:00
Juliana Fajardini
173fec81f8 schema/stats: flow_mgr is actually flow.mgr
The schema accounts for a stats counters group that is a subgroup of the
flows stats counters. Remove `flow_mgr`, thus.
2025-11-22 13:51:21 +00:00
Philippe Antoine
85fa894425 detect: dnp3.func is now a generic integer
Ticket: 7889
2025-11-07 00:42:35 +00:00
Victor Julien
acb769291a exception-policy: add 'reject-both' option
Allow rejecting both sides of a connection. Has the same support
as regular reject (which is essentially rejectsrc).

Ticket: #5974.
2025-10-31 16:46:38 +00:00
Philippe Antoine
047f1c5080 doc: fix enip_command name in json schema
enip.command is not a keyword nor an alias
2025-10-16 21:33:29 +02:00
Philippe Antoine
969739d067 detect: http2.errorcode is now a generic integer
Ticket: 7889
2025-10-14 19:40:52 +02:00
Jason Ish
5e2dc9ace3 ike: don't log empty server objects 2025-10-06 19:56:12 +02:00
Jason Ish
2d86412f46 ike: log attributes as objects
IKE attributes are an array of TLV style objects, this means there can
be duplicate types seen on the wire. However, Suricata logs these as a
mapping with the type as the key. This can result in the JSON
containing duplicate keys.

To address this, log the attributes as an array of objects, allow
duplicates to exist, for example:

  "client": {
    "proposals": [
      {
        "sa_life_duration": "Unknown",
        "sa_life_duration_raw": 86400
      }
    ]
  }

is now logged as:

  "client": {
    "proposals": [
      {"key": "sa_life_duration", "value": "Unknown", "raw": 86400}
    ]
  }

Also adds `"version": 2` to each IKE record to note the change of
format from previous versions.

Ticket: #7902
2025-10-06 19:56:12 +02:00
Juliana Fajardini
426955782c schema: add descriptions to capture stats counters
Task #6434
2025-10-01 10:32:08 +02:00
Juliana Fajardini
3642594e14 schema: add descriptions to decoder stats counters
Continuation of
Task #7793
2025-10-01 10:32:08 +02:00
Juliana Fajardini
42d563f83e schema: fix typos s/ERPSAN/ERSPAN 2025-10-01 10:32:08 +02:00
Philippe Antoine
4f7fc25a1a detect/dnp3: make dnp3.ind a generic uint16 bitflags keyword
Ticket: 6724

Allows operations such as negation
2025-09-25 15:49:11 +02:00
Fupeng Zhao
e79d735374 decode/etag: ETag 802.1BR decoder
Ticket: #3953.
2025-09-20 09:08:37 +02:00
Philippe Antoine
dae9264120 doc: really enforce more the completeness of json schema
Completes commit f1f32a39ee

And better describe exception_policy
2025-09-17 09:23:55 +02:00
Philippe Antoine
2028a3f9f8 doc: complete json schema with integer keywords 2025-09-13 08:40:10 +02:00
Philippe Antoine
f1f32a39ee doc: enforce more the completeness of json schema
see jq 'paths( objects | (.type == "object" and (has("additionalProperties") | not) )) | join(".")' etc/schema.json

fix and complete bittorrent on the way
2025-09-13 08:40:10 +02:00
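The two schema checks these commits describe, rejecting duplicate keys (cf88ed518c, and the same duplicate-key problem that 2d86412f46 fixed in the IKE logger) and listing object types that lack `additionalProperties` (the jq query quoted above), as an added Python example. This is not Suricata's own code: the schema fragment is constructed here and is not `etc/schema.json`, and `lint_schema`, `open_objects` and `find_duplicate_keys` are names chosen for this example.

```python
"""Added example: lint a Suricata-style EVE JSON schema for two defects.

1. Duplicate keys inside one object. json.loads() silently keeps the last
   value, so a duplicated property (or a duplicated IKE attribute key) is
   invisible unless an object_pairs_hook records it.
2. Object-typed nodes without "additionalProperties", mirroring
   jq 'paths(objects | (.type == "object" and (has("additionalProperties") | not))) | join(".")'
"""
import json
from typing import Any, Callable, Dict, List, Tuple

# Constructed schema fragment (not etc/schema.json). It deliberately
# repeats "event_type" under "properties" and leaves "ike" and the
# proposal item type without "additionalProperties".
SCHEMA_TEXT = """{
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "event_type": {"type": "string"},
    "ike": {
      "type": "object",
      "properties": {
        "version": {"type": "integer"},
        "client": {
          "type": "object",
          "additionalProperties": false,
          "properties": {
            "proposals": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {"type": "string"},
                  "value": {"type": "string"},
                  "raw": {"type": "integer"}
                }
              }
            }
          }
        }
      }
    },
    "pktvars": {"type": "object", "additionalProperties": true},
    "event_type": {"type": "string"}
  }
}"""


def _recording_hook(dups: List[str]) -> Callable[[List[Tuple[str, Any]]], Dict[str, Any]]:
    """object_pairs_hook that keeps json's last-wins semantics but appends
    every key repeated within a single object to `dups`."""
    def hook(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
        obj: Dict[str, Any] = {}
        for key, value in pairs:
            if key in obj:
                dups.append(key)
            obj[key] = value
        return obj
    return hook


def find_duplicate_keys(text: str) -> List[str]:
    """Return every key that appears more than once in one JSON object."""
    dups: List[str] = []
    json.loads(text, object_pairs_hook=_recording_hook(dups))
    return dups


def load_strict(text: str) -> Any:
    """Parse JSON but refuse a document that contains duplicate keys."""
    dups = find_duplicate_keys(text)
    if dups:
        raise ValueError("duplicate keys: " + ", ".join(dups))
    return json.loads(text)


def open_objects(node: Any, path: str = "") -> List[str]:
    """Dotted paths of object-typed schema nodes with no additionalProperties.

    Such a node accepts any extra field, so an EVE output that logs an
    undocumented field still validates; the point of the check is to make
    the schema fail on fields that nobody documented."""
    found: List[str] = []
    if isinstance(node, dict):
        if node.get("type") == "object" and "additionalProperties" not in node:
            found.append(path or "<root>")
        for key, child in node.items():
            found.extend(open_objects(child, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            found.extend(open_objects(child, f"{path}.{i}" if path else str(i)))
    return found


def lint_schema(text: str) -> Dict[str, List[str]]:
    """Run both checks in one pass and report the findings."""
    dups: List[str] = []
    schema = json.loads(text, object_pairs_hook=_recording_hook(dups))
    return {"duplicate_keys": dups, "open_objects": open_objects(schema)}


if __name__ == "__main__":
    for name, paths in lint_schema(SCHEMA_TEXT).items():
        print(name, paths)
```

Run it against the real schema with `lint_schema(open("etc/schema.json").read())`; an empty `open_objects` list is what the jq query in the commit message enforces, and a non-empty `duplicate_keys` list is the condition cf88ed518c now fails the build on.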
Philippe Antoine
421fb8ac31 doc/ldap: complete json schema 2025-09-13 08:40:10 +02:00
Jeff Lucovsky
17e7387ff4 doc/fileinfo: Document fileinfo context/usage
Issue: 6498
2025-09-08 18:47:12 +02:00
Juliana Fajardini
8f9f414866 schema: document stats.detect counters
... that were missing.

Task #7795
2025-09-03 08:32:47 +02:00
Juliana Fajardini
051715a7eb schema/description: capitalize initial letters
For existing descriptions that weren't like that, yet.
2025-08-29 09:09:47 +02:00
Juliana Fajardini
1d27e268d1 schema: add descriptions for flow stats counters
Task #7794
2025-08-29 09:09:47 +02:00
Juliana Fajardini
49629f7cb6 schema/decoder: add descriptions for stats counters
Task #7793
2025-08-22 09:45:39 +02:00
Juliana Fajardini
342c649186 schema/arp: fix invalid pkt event output
Task #7857
2025-08-22 09:45:39 +02:00
Juliana Fajardini
a8453d73cd detect: remove unused non-pf stats counters
Remove unused rule prefilter-related stats counters that aren't in use.

94644ac960 (detect: move non-pf rules into special prefilter engines)
removed the logic that made use of and incremented the stats counters:
- det_ctx->counter_fnonmpm_list
- det_ctx->counter_nonmpm_list

Some code was left, registering them, and mentioning them in the
json schema.

Ticket #7834
2025-08-05 11:26:29 +02:00
Philippe Antoine
fe9da8acd6 http2: do not log empty objects for request or response
Ticket: 7741
2025-08-01 10:54:15 -06:00
Jeff Lucovsky
97b03b4076 doc/netflow: Discuss netflow
Add discussion for netflow configuration, event type and fields
contained in netflow records.

Issue: 5139
2025-07-10 19:36:37 +02:00
Philippe Antoine
f4378eb306 doc/devguide: document app-layer protocol detection
Ticket: 6022
2025-06-27 04:11:47 +02:00
Philippe Antoine
68827a4ace schema: document kerberos fields
Ticket: 6566
2025-06-27 04:11:45 +02:00
Jason Ish
ddb77d061e eve/schema: map mdns properties that have keywords
Also add descriptions for the EVE index.
2025-06-21 21:32:53 +02:00
Juliana Fajardini
cbe621fb09 decode: add stats counters for ipv4/ipv6 over ipv4
These existed for ipv6 over ipv6, and ipv4 over ipv6, but not for the
ipv4 counterpart.

Task #7758
2025-06-21 21:32:48 +02:00
Eric Leblond
23f643a4a7 eve/schema: fix ordering 2025-06-11 20:49:18 +02:00
Eric Leblond
b03d4f8e1a datajson: output context to "context"
Using `alert.extra` was not really reflecting the nature of what
was added. So renaming it to `alert.context`.
2025-06-11 20:49:18 +02:00
Eric Leblond
61ac7b46c1 eve/schema: remove reference to datajson 2025-06-11 20:49:18 +02:00
Eric Leblond
e2d8217934 eve/schema: document datajson output 2025-06-11 20:49:18 +02:00
Eric Leblond
0e88e36020 eve/schema: pktvars is a container
It can contain any vars, so it needs additional properties.
2025-06-11 20:49:18 +02:00
Alice Akaki
3065374314 json/schema: link file.name to email.attachment
As a Suricata keyword.

Ticket: #7683
2025-06-11 10:18:52 -03:00