Commit graph

1331 commits

Author SHA1 Message Date
Shivani Bhardwaj
899eb38691 flowbits: deprecate toggle command
toggle command is not used by any major rulesets and increases the state
complexity of flowbits management. Also, all operations can be carried
out with the combination of other available commands. So, remove it.

Task 8595
2026-06-05 12:38:59 +00:00
Samaresh Kumar Singh
af3abf100e doc: dhcp eve note for option 52 overload
Document that DHCP options carried in the overloaded BOOTP sname or
file fields are now merged into the EVE log option set alongside the
main options area.

Bug: #8538.
2026-06-05 12:38:55 +00:00
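The commit above concerns DHCP options that live outside the main options area. RFC 2132 section 9.3 defines option 52 (Option Overload): a value of 1 means the 'file' field also carries options, 2 means 'sname' does, and 3 means both. A parser that only walks the options area after the magic cookie silently misses anything a client or server tucks into those fields. The following is an added example, not Suricata's DHCP parser, showing a parser that merges the overloaded fields into one option set; the packet is constructed inline and the field offsets (sname at 44, file at 108, cookie at 236) are the standard BOOTP layout.

```python
"""DHCP option parsing that honours option 52 (Option Overload, RFC 2132 9.3).

Added example; not Suricata's parser. The packet below is constructed here.
"""
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the BOOTP header
OPT_PAD, OPT_OVERLOAD, OPT_END = 0, 52, 255
OPT_HOSTNAME, OPT_MSGTYPE, OPT_PARAM_REQ = 12, 53, 55


def parse_tlvs(area):
    """Return [(code, value), ...] from one option area (options, sname or file)."""
    opts, i = [], 0
    while i < len(area):
        code = area[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("truncated option header at %d" % i)
        length = area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of field" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def parse_dhcp_options(pkt):
    """Parse the main options area, then any fields option 52 marks as overloaded."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    sname, file_ = pkt[44:108], pkt[108:236]
    opts = parse_tlvs(pkt[240:])
    # Only an option 52 in the main area is honoured: RFC 2131 interprets the
    # options field first, then 'file', then 'sname'. Ignoring a 52 found
    # inside an overloaded field keeps the walk non-recursive.
    overload = [v for c, v in opts if c == OPT_OVERLOAD]
    if overload:
        if len(overload[0]) != 1 or overload[0][0] not in (1, 2, 3):
            raise ValueError("invalid option 52 value %r" % overload[0])
        if overload[0][0] & 1:       # 1 or 3: 'file' carries options
            opts += parse_tlvs(file_)
        if overload[0][0] & 2:       # 2 or 3: 'sname' carries options
            opts += parse_tlvs(sname)
    return opts


def build_sample():
    """Constructed DHCPDISCOVER: hostname hidden in sname, parameter list in file."""
    hdr = bytes([1, 1, 6, 0])                            # op=BOOTREQUEST, Ethernet, hlen 6, hops 0
    hdr += struct.pack("!IHH", 0x3903F326, 0, 0x8000)    # xid, secs, flags (broadcast bit)
    hdr += bytes(16)                                     # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("001122334455") + bytes(10)     # chaddr padded to 16 bytes
    sname = (bytes([OPT_HOSTNAME, 4]) + b"host" + bytes([OPT_END])).ljust(64, b"\x00")
    file_ = (bytes([OPT_PARAM_REQ, 3, 1, 3, 6]) + bytes([OPT_END])).ljust(128, b"\x00")
    options = bytes([OPT_MSGTYPE, 1, 1, OPT_OVERLOAD, 1, 3, OPT_END])
    return hdr + sname + file_ + MAGIC + options


if __name__ == "__main__":
    pkt = build_sample()
    print("main area only:", parse_tlvs(pkt[240:]))
    print("with overload  :", parse_dhcp_options(pkt))
```

Running it shows the difference the doc change describes: the main area alone yields only the message type and option 52, while the merged view also carries the hostname and parameter request list. Logging only the former would hide exactly the options an evasive client has the most reason to move.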
Juliana Fajardini
04cfd33c59 doc/firewall: update hooks & configuration examples 2026-06-03 18:02:20 +00:00
Philippe Antoine
daf68dc36f http2: split progress per direction
Ticket: 8518

Keywords that work for HTTP2 headers match now as soon as possible

A push promise is now considered like a headers frame with regards
to the progress (no dedicated "reserved" progress/state)

http.protocol and http.stat_msg keywords are now registered at
earliest progress, since these are synthetic like "HTTP/2" and
not really seen on the wire.

http.request_line and http.response_line match only on data,
and not on headers, since we must wait for the end of headers
to be sure to have the full line

http2.size_update now matches at headers progress as it should

http2.frametype, http2.errorcode, http2.priority now match like
http2.window, when the tx is complete from both sides, as a
half-closed client may still send priority, rst_stream
or window_update frames
2026-06-02 21:16:54 +00:00
Jason Ish
865b7243a0 http-log: remove support for http-log
http-log was deprecated in Suricata 8, and marked for removal in
Suricata 9.0.

Ticket: #7232
2026-06-02 06:26:11 +00:00
Giuseppe Longo
143774220e doc: add llmnr
Ticket #8366
2026-06-02 06:26:10 +00:00
Jason Ish
3dc8b154f3 rust/ffi: add safe thread storage wrapper
Add a typed ThreadStorage<T> wrapper around the thread storage bindings.

Ticket: #8445
2026-06-01 15:56:57 +00:00
Jason Ish
5e0abf1572 rust/ffi: use ThreadVars wrapper in flow callbacks
Update the flow init, update and finish callback registrations to pass the
safe ThreadVars wrapper instead of a raw pointer.

Ticket: #8598
2026-06-01 15:56:57 +00:00
Jason Ish
45762aa644 rust/ffi: use ThreadVars wrapper in thread init callback
Update the thread init callback registration to pass the safe ThreadVars
wrapper instead of a raw pointer.

Ticket: #8598
2026-06-01 15:56:57 +00:00
Juliana Fajardini
a783007408 detect/bypass: ban bypass keyword for firewall mode
Related to
Ticket #8551
2026-05-29 15:18:49 +00:00
Juliana Fajardini
edaa912ed9 detect: ban replace keyword for firewall mode
Ticket #8551
2026-05-29 15:18:49 +00:00
Victor Julien
0a84015214 doc/userguide: add new constructs to firewall examples 2026-05-28 20:49:58 +00:00
Victor Julien
8728f9ffc0 doc/userguide: document firewall lte rule support 2026-05-28 20:49:58 +00:00
Victor Julien
ac59883c26 doc/userguide: fix default policies for pre_* hooks
Minor other cleanups.
2026-05-28 20:49:58 +00:00
Victor Julien
da6af0879e doc: update firewall design
Bring in line with recent changes.
2026-05-28 20:49:58 +00:00
Victor Julien
90a837cef3 detect/firewall: update discarded logic
Only count alert queue overflow here, not alerts in the queue after a drop.
2026-05-28 20:49:58 +00:00
Juliana Fajardini
234172a93c docs: add firewall stats doc
Related to
Ticket #7699
2026-05-28 20:49:58 +00:00
Juliana Fajardini
32d89072d2 docs/configuration: add firewall mode settings
Partly related to
Ticket #7699
2026-05-28 20:49:58 +00:00
Jason Ish
b366665ad8 doc: document rust thread life cycle api
Ticket: #8605
2026-05-28 20:49:57 +00:00
jason taylor
da827322ba doc: minor ebpf doc update for fedora/rhel
Signed-off-by: jason taylor <jtfas90@proton.me>
2026-05-28 20:49:56 +00:00
Andreas Dolp
2f972b6759 doc: improve manpage of suricatasc
- describe all options
- describe optional socket path

Redmine ticket: #8563
2026-05-19 19:37:20 +00:00
Philippe Antoine
e98d419d96 ldap: bound the number of responses
Ticket: 8405
2026-05-16 20:42:15 +02:00
Jason Ish
029fd1be59 eve: add rule generation source to alert record
When an alert is generated from firewall context, add an engine value of
"fw", otherwise "td" (for threat detect).

The engine field is only added when firewall mode is enabled.

Ticket: #8456
2026-05-11 20:04:45 +00:00
Philippe Antoine
f0e246de34 detect/mqtt: reason_code keyword is now a multi-integer
Ticket: 7929

Builds a vector of the reason code in a tx to do so,
except if we use the default "any", where we do not append
to the vector, but just run detection while iterating
2026-05-11 20:04:44 +00:00
Victor Julien
2f9573f84c doc: address config conversion note
Message is:
```
Converting `source_suffix = '.rst'` to `source_suffix = {'.rst': 'restructuredtext'}`.
```
2026-05-10 21:12:29 +00:00
Jason Ish
91b9dda0bf doc: document flow life cycle callback API
Document for C and Rust, as the C documentation was missing.

Ticket: #8446
2026-05-09 04:17:38 +00:00
Jason Ish
899e9f045e ntp: expose logged fields to lua
This includes:
- version
- mode
- stratum
- reference_id

Ticket: #8533
2026-05-06 12:38:50 +00:00
Philippe Antoine
54c02e1301 stats: replace dashes by underscores in app-layer protocols
Ticket: 6502

Forbid dashes in json keys for better use by processing tools
2026-05-04 20:27:37 +00:00
Philippe Antoine
d030ea7f29 output: rename reject-target to reject_target
Ticket: 6502

Forbid dashes in json keys for better use by processing tools
2026-05-04 20:27:37 +00:00
Jeff Lucovsky
1721ba1ba5 doc/subslice: Document the subslice transform
Add documentation for the subslice transform.

Issue: 7672
2026-04-28 12:18:42 +00:00
Philippe Antoine
64f003190d doc: move more rules to dedicated css container
Ticket: 8372

Also remove dead code from script checking the rules
2026-04-26 15:21:01 +00:00
Philippe Antoine
5f9e436c3f detect/dcerpc: support generic integer for opnum keyword
Ticket: 8179
2026-04-21 07:20:31 +00:00
Jason Ish
713e4eb900 ntp: convert reference_id to buffer and add keyword
Store the NTP reference ID as raw network-order bytes so it can be
exposed as a sticky buffer and matched with payload keywords. The
reference ID is often a 4-character string, or an IP address and not
just an integer identifier.

Updates the log reference ID to be a string of colon separated hex
digits as this matches what tshark does.

Ticket: #8488
2026-04-16 18:25:15 -06:00
Jason Ish
991e7f3b1d ntp: add ntp.mode keyword
This keyword also accepts strings for known mode names.

Ticket: #8429
2026-04-16 16:14:50 -06:00
Jason Ish
c10c482290 ntp: add ntp.stratum keyword
Ticket: #8431
2026-04-16 16:14:50 -06:00
Jason Ish
ec344fe68d ntp: add ntp.version keyword
SNMP was used as a template.

Ticket: #8430
2026-04-16 16:14:50 -06:00
Jason Ish
31b967b089 ntp: add transaction logging
Adds basic NTP transaction logging for the current supported message
types.

Includes small cleanups around reference ID.

Ticket: #8425
2026-04-16 16:10:34 -06:00
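The NTP commits above add transaction logging and the ntp.version, ntp.mode, ntp.stratum and reference_id keywords, with the reference ID kept as raw network-order bytes and logged as colon-separated hex. The following is an added example, not Suricata's NTP parser, that decodes those fields from the RFC 5905 header and shows why the raw-bytes choice matters: what the reference ID means depends on the stratum (a kiss code or clock name for stratum 0 and 1, an IPv4 address for stratum 2 and up), so neither an integer nor a single string rendering fits every case. The mode-name table is RFC 5905 terminology and is an assumption about which strings the keyword accepts; the packets are constructed inline.

```python
"""Decode the NTP header fields Suricata now logs and exposes as keywords.

Added example, not Suricata code. Field layout follows RFC 5905; packets are constructed here.
"""
import ipaddress

# RFC 5905 association modes; the strings ntp.mode accepts may differ (assumption).
NTP_MODES = {0: "reserved", 1: "symmetric_active", 2: "symmetric_passive",
             3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}


def parse_ntp(pkt):
    """Return version, mode, stratum and the reference ID as raw bytes and colon-hex."""
    if len(pkt) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(pkt))
    first, stratum = pkt[0], pkt[1]
    version = (first >> 3) & 0x07      # first byte: LI(2) | VN(3) | Mode(3)
    mode = first & 0x07
    if version not in (1, 2, 3, 4):
        raise ValueError("unsupported NTP version %d" % version)
    ref_id = pkt[12:16]
    return {
        "version": version,
        "mode": mode,
        "mode_name": NTP_MODES[mode],
        "stratum": stratum,
        "reference_id_raw": ref_id,
        # colon-separated hex, the form the commit says the EVE log now uses
        "reference_id": ":".join("%02x" % b for b in ref_id),
    }


def describe_reference_id(stratum, ref_id):
    """Human reading of the reference ID, which depends on stratum (RFC 5905 7.3):
    stratum 0 is a 4-char kiss code, stratum 1 a 4-char clock source, and
    stratum >= 2 the IPv4 address of the upstream server. Caveat: for IPv6
    upstreams it is the low 32 bits of an MD5 hash that only looks like IPv4."""
    if stratum <= 1:
        return ref_id.rstrip(b"\x00").decode("ascii", errors="replace")
    return str(ipaddress.IPv4Address(ref_id))


def reference_id_contains(pkt, needle):
    """Match raw bytes against the reference ID, as a sticky-buffer content match would."""
    return needle in parse_ntp(pkt)["reference_id_raw"]


def build_ntp(mode, stratum, ref_id, version=4):
    """Constructed 48-byte NTP packet; poll, precision and timestamps are placeholders."""
    first = (0 << 6) | (version << 3) | mode       # leap indicator 0
    return bytes([first, stratum, 6, 0xE9]) + bytes(8) + ref_id + bytes(32)


if __name__ == "__main__":
    for pkt in (build_ntp(4, 2, bytes([192, 168, 1, 1])), build_ntp(4, 1, b"GPS\x00")):
        info = parse_ntp(pkt)
        print(info["reference_id"], describe_reference_id(info["stratum"], info["reference_id_raw"]))
```

The same four bytes print as c0:a8:01:01 for a stratum-2 server and as 47:50:53:00 for a stratum-1 GPS clock; a rule that wants the latter can match the ASCII bytes directly on the buffer, which is what exposing the reference ID as raw bytes makes possible.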
Victor Julien
670fdabd32 detect/snmp: add snmp.trap_type keyword
Implemented as a U8 integer keyword.

Ticket: #8482.
2026-04-16 05:58:16 +00:00
Jason Ish
eb46d0129e rust/ffi: add eve callback handler
Wrap the EVE callback handler with a Rust friendly variant that allows
the user to register a callback as a closure which is provided an
already wrapped JsonBuilder object.

Ticket: #8477
2026-04-16 05:58:15 +00:00
Philippe Antoine
bcbec8d615 doc: fix eol content in http rules 2026-04-16 05:58:14 +00:00
Philippe Antoine
e65643909a doc: move more examples to container:: example-rule
Ticket: 8372

And fix another bad rule
2026-04-16 05:58:14 +00:00
Philippe Antoine
72e13c9774 doc: do not highlight bad transactional rule
As stated, it will refuse to load.

Ticket: 8372
2026-04-16 05:58:14 +00:00
Philippe Antoine
15f45be672 doc: fix rules
Ticket: 8372

Some rules in the doc had typos, fix them so suricata can load
them when you copy/paste the doc
2026-04-16 05:58:14 +00:00
Jason Ish
a11aaadd86 plugins: add --plugin command line option to load plugins
Add --plugin <PATH> to load an additional plugin from the command
line. This is more convenient than "--set plugins.X" especially when
you may already have a plugin loaded and you want to load an
additional one.

Ticket: 8463
2026-04-13 05:01:53 +00:00
Victor Julien
6c3169cee0 doc/userguide: add ether and arp to intro 2026-03-31 05:34:16 +00:00
Victor Julien
6298c47145 doc/userguide: improve protocol docs 2026-03-31 05:34:16 +00:00
Victor Julien
e6381a3c22 doc/userguide: add note on rule reloads
Cannot be combined with --firewall-rules-exclusive
2026-03-31 05:34:16 +00:00
Victor Julien
f99b86beab doc/userguide: document L2 firewall handling of ARP 2026-03-31 05:34:16 +00:00
Victor Julien
2e2132a16f doc/userguide: improve pkthdr docs 2026-03-31 05:34:16 +00:00
Victor Julien
61a7f47a69 detect: add ether.hdr keyword
Sticky buffer to inspect the ethernet header.

Example rule:

        alert ether any any -> any any ( \
                ether.hdr; content:"|08 06|"; offset:12; depth:2; \
                sid:1;)

Ticket: #8327.
2026-03-31 05:34:16 +00:00
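The example rule in the commit above matches ARP by looking for EtherType 0x0806 at bytes 12 and 13 of the Ethernet header. The following is an added example, not Suricata code, that models what that rule inspects on constructed frames and adds the check a practitioner would want: on an 802.1Q-tagged frame, bytes 12 and 13 hold the TPID 0x8100, so a raw-offset match for |08 06| does not fire even though the frame carries ARP. The content/offset/depth semantics here are modelled on the commit's own rule, where a 2-byte pattern at offset 12 is matched with depth 2 (depth counted from the offset); whether Suricata's ether.hdr buffer includes VLAN tags is not stated in the commit, so the tagged case only illustrates the raw-offset pitfall.

```python
"""What the ether.hdr example rule inspects, modelled in Python.

Added example, not Suricata code. content/offset/depth are modelled after
the commit's rule (2-byte content, offset:12, depth:2), so depth is counted
from the offset (assumption). Frames are constructed here.
"""
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0800, 0x0806, 0x8100
ETHER_HDR_LEN = 14


def content_match(buf, content, offset=0, depth=None):
    """Search for `content` starting at `offset`, looking at most `depth` bytes."""
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    return content in window


def rule_matches_arp(frame):
    """The commit's rule: ether.hdr; content:"|08 06|"; offset:12; depth:2;"""
    if len(frame) < ETHER_HDR_LEN:
        return False
    return content_match(frame[:ETHER_HDR_LEN], b"\x08\x06", offset=12, depth=2)


def inner_ethertype(frame):
    """Skip any 802.1Q tags to reach the payload EtherType the raw-offset rule misses."""
    pos = 12
    while True:
        if pos + 2 > len(frame):
            raise ValueError("truncated Ethernet header")
        etype = struct.unpack("!H", frame[pos:pos + 2])[0]
        if etype != ETHERTYPE_VLAN:
            return etype
        pos += 4   # TPID(2) + TCI(2)


def build_frame(ethertype, vlan=None):
    """Constructed broadcast frame header with an optional 802.1Q tag; no payload."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    tag = b"" if vlan is None else struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype)


if __name__ == "__main__":
    cases = (("arp", build_frame(ETHERTYPE_ARP)),
             ("ipv4", build_frame(ETHERTYPE_IPV4)),
             ("arp in vlan 100", build_frame(ETHERTYPE_ARP, vlan=100)))
    for name, frame in cases:
        print(name, rule_matches_arp(frame), hex(inner_ethertype(frame)))
```

The untagged ARP frame matches and the IPv4 frame does not, as the rule intends; the tagged ARP frame does not match the raw-offset pattern while inner_ethertype still reports 0x0806, which is the gap to keep in mind when writing header-offset rules for trunked links.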