Keywords registration should provide a desc and a link to the
documentation. This patch adds desc and/or url for on most keywords
missing that.
This allows better output for list-keywords command line which
is then use in Suricata Language Server.
Ticket: 7658
Suricata will not handle well if we open a file for this tx,
do not close it, but set the transaction state to completed.
RFC 9113 section 6.1 states:
If a DATA frame is received whose Stream Identifier field is 0x00,
the recipient MUST respond with a connection error (Section 5.4.1)
of type PROTOCOL_ERROR.
Instead of enabling signal handlers by default, require the user of
the library to opt-in. This is done with the call to
SCEnableDefaultSignalHandlers, which sets a flag to add the default
signal handlers.
This seems like the least invasive way to do this at this time, but it
will require some re-thinking for 9.0, especially if migrate globals
to engine instances, signal handling will need to be re-thought.
Ticket: #6814
Configuration option `threads: auto` in DPDK's interface node
overassigns available threads to the interface.
Commit 4dfd44d3 changed the signedness of the remaining threads counter,
which caused surpass of the counter initialization.
The if-clause is switched to first initialize and then use the counter.
Ticket: 7798
Have htp follow Suricata versioning so we don't have to worry about
version updates as it changes.
For example, between 8.0.0-beta1 and 8.0.0-rc1 there were changes to
the htp, however the version stayed at 2.0.0 making it impossible to
publish these changes to crates.io.
The condition data_offset == NULL can never be true: data_offset has
already been validated as non-NULL a few lines earlier. The guard seems
to have been intended for the offset argument, yet throughout the
codebase offset is never passed as NULL. (In the unit tests, offset is
NULL, but those tests pass the value parameter as NULL, which causes the
function to return before offset is dereferenced.)
Remove the pointless check to simplify control flow and silence
static-analysis warnings.
No functional change.
Bug 7767
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.
Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.
Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.
Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.
SMTP parser can handle multiple command lines per direction. Appropriate calls
to trigger raw stream inspection have been added on succesful parsing of each
request line and response line.
For the requests, the call to trigger inspection has been added in the
beginning rather than the completion of transactions. This does not
affect the inspection as it is actually triggered in the following call.
This covers the case for anomaly as well. There are two benefits for
this:
- immediate inspection for anomalous data
- flushing of the anomalous data making next data's inspection cleaner
Bug 7783
to build the correct behavior. As a part of ab01a1b, in order to match
the behavior in master, the calls for triggering raw stream inspection
were made when communication in one direction for a transaction was
completed. However, it was incorrect to do so. Reliable inspection
requires any request line/response line to be completed.
Bug 7783
- Replaced strtoul/strtoull with ByteExtractString* for safer and more consistent parsing.
- Allowed max-dump to be set to 0, and correctly apply a core dump limit of 0, maintaining behavior consistent with the commented default in suricata.yaml.in.
- Added and registered unit tests to validate the updated logic.
Ticket: #7212
When no CPU set is explicitly defined, switch from
UtilCpuGetNumProcessorsConfigured() (which counts all existing CPU
cores, even offline ones) to UtilCpuGetNumProcessorsOnline() (only
the available cores).
If Suricata initializes more threads than online CPUs it oversubscribes
the system. As Suricata does not support any runtime live reconfiguration
Suricata initializes only as many cores as online CPU cores.
Ticket: 7790
CID 1593187: (#1 of 1): Data race condition (MISSING_LOCK)
2. missing_lock: Accessing (*p).nfq_v.mark without holding lock Packet_.persistent.tunnel_lock. Elsewhere, NFQPacketVars_.mark is written to with Packet_.persistent.tunnel_lock held 2 out of 5 times (2 of these accesses strongly imply that it is necessary).
No concurrency happening on non-tunnel packet, so no locking needed.
lock_acquire: Calling pthread_mutex_lock acquires lock PktPoolLockedStack_.mutex.
87 SCMutexLock(&my_pool->return_stack.mutex);
CID 1554228: (#1 of 1): Indefinite wait (BAD_CHECK_OF_WAIT_COND)
dead_wait: A wait is performed without ensuring that the condition is not already satisfied while holding lock PktPoolLockedStack_.mutex. This can cause a deadlock if the notification happens before the lock is acquired.
Acquire the lock, then check the wait condition in a loop, without releasing with the lock before the wait. This will prevent deadlocks and failed conditions from spurious wakeups.
lock_acquire: Calling pthread_mutex_lock acquires lock ThreadVars_.ctrl_mutex.
725 SCCtrlMutexLock(th_v->ctrl_mutex);
CID 1554214: (#1 of 1): Indefinite wait (BAD_CHECK_OF_WAIT_COND)
dead_wait: A wait is performed without ensuring that the condition is not already satisfied while holding lock ThreadVars_.ctrl_mutex. This can cause a deadlock if the notification happens before the lock is acquired.
Acquire the lock, then check the wait condition in a loop, without releasing with the lock before the wait. This will prevent deadlocks and failed conditions from spurious wakeups.
In flow manager and recycler timed condition wait loops.
First check loop break conditions before entiring the timed wait.
CID 1638284: (#1 of 1): Indefinite wait (BAD_CHECK_OF_WAIT_COND)
dead_wait: A wait is performed without ensuring that the condition is not already satisfied while holding lock flow_manager_ctrl_mutex. This can cause a deadlock if the notification happens before the lock is acquired.
CID 1638293: (#1 of 1): Indefinite wait (BAD_CHECK_OF_WAIT_COND)
dead_wait: A wait is performed without ensuring that the condition is not already satisfied while holding lock flow_recycler_ctrl_mutex. This can cause a deadlock if the notification happens before the lock is acquired.
CID 1554235: (#1 of 1): Data race condition (MISSING_LOCK)
missing_lock: Accessing defragtracker_spare_q.len without holding lock DefragTrackerStack_.m. Elsewhere, DefragTrackerStack_.len is written to with DefragTrackerStack_.m held 2 out of 2 times.
To assist coverity, which got confused:
CID 1649393: (#1 of 1): Data race condition (MISSING_LOCK)
missing_lock: Accessing sets without holding lock sets_lock. Elsewhere, sets is written to with sets_lock held 2 out of 3 times.
Jason Ish
Jeff Lucovsky
Eric Leblond
Shivani Bhardwaj
Shivani Bhardwaj
Philippe Antoine
dependabot[bot]
Lukas Sismis
Boris Tonofa
Fupeng Zhao
Victor Julien