email_ctx->fields only gets populated when smtp.custom setting is on.
The fn EveEmailLogJSONCustom is called when either
1. smtp.extended setting is on or,
2. email_ctx->fields is populated which means smtp.custom setting is on
In case neither of these are set in suricata.yaml, no call should
ideally be made to the fn EveEmailLogJSONCustom.
However, it turns out that email_ctx->fields is unset and then set only
after the smtp config was found. This leads to email_ctx->fields
sometimes contain value even when no config was given to the smtp
section and can lead to unexpected output.
Fix this by using SCCalloc while initializing OutputJsonEmailCtx struct
instead of SCMalloc.
Bug 6380
Although we have an updated version of instructions for installation
from git, our install guide was only referring to RedMine, which is less
up-to-date.
Kept that reference, since it might still be useful for non-Ubuntu
cases.
Ticket: #6104
The approach in master branch is to change the prototype of
SigMatchAppendSMToList so that it allocates itself the new SigMatch
This approach requires to change all the 100-ish calls to
SigMatchAppendSMToList and is thus quite a big change.
For branch 7, we still wanted to avoid the buffer overflow, but
did not want such an intrusive change, and still wanted to make
the signature invalid. Instead of changing the prototype of the
function, we make it return early, and set a flag in the signature
which can be later checked by SigValidate
Consolidate a few items into a resources section, and add few more
items, most importantly the bug tracker as it can't currently be found
from our GitHub presence.
While Suricata initializes, the device must be started to e.g.
apply rte_flow rules on some devices. But in the meantime, the
NIC started receiving packets but accounted those as missed.
Stats reset was added to better represent true packet drop.
To better represent port stats of Suricata stop the device
right after Suricata is deemed to shut down.
While Suricata deinitialization happened, the device kept
receiving packets. But because Suricata was no longer
interested in the packets, the device accounted these packets
as missed and it could have alter true stats of Suricata.
With the current layout and fn calls, it was seen that once in the
beginning after the MTU was found and displayed to the user, when the
threads spawned, each thread displayed MTU info as a part of
AFPPeersListAdd fn. This happened in AF_PACKET IPS mode and led to
excessive MTU logs.
Save this info in the LiveDevice struct and avoid calling the unneeded
fns later on.
Bug 5831
The fn GetIfaceMaxPacketSize now uses LiveDevice object as a param
instead of a string. This was done to keep the logic of checking for the
device to this function itself instead of having callers first determine
whether the device exists or not.
This also falls in line with the changes made to avoid excessive MTU
logs in the following commit.
Related to redmine ticket 5831.
Includes from an "include" array were being loaded into the wrong
parent as the logic for array handing in include context was not
updated.
If we are descending into an array in include context, pass through
the current parent so the included configuration is included where it
is expected.
Bug: #6300
Ticket: #6279
If we have the smtp body beginning without headers, we need to
create the md5 context and right away and supply data to it.
Otherwise, on the next line being processed, md5_ctx will be
NULL but body_begin will have been reset to 0
A bad pattern in a rule that hyperscan would fail to compile would
exit Suricata. This could happen during a rule reload as well.
In case of a untrusted ruleset, this could potentially be used to
shut down the sensor.
Commit 7d0851b0c2 already blocks the only know case, but this patch
is more defensive.
Ticket: #6195.
- Use SPHINX_BUILD instead of HAVE_SPHINX_BUILD, as here we're
actually using the path of the program.
- Wrap some elements in [] as is done in modern idiomatic autoconf
We need a recent version of Sphinx to build the documentation in
7.0. Check for a minimum version of 3.4.3. If older, do not build the
docs which is the same behavior when sphinx-build is not found.
Bug: #6297
When comparing IPv6 addresses based on uint32_t chunks, one needs to
apply ntohl() conversion to the individual parts, otherwise on little
endian systems individual bytes are compared in the wrong order.
Avoid this all and leverage memcmp(), it'll short circuit on the first
differing byte and its return values tells us which address sorts lower.
Bug: #6276
When thread affinity is set, the NUMA configuration specified in
the napatech.ini configuration could be incorrect and then fail.
This fails before the recommended configuration is printed, which
is pretty unhelpful.
Previous implementation hardcoded up to 4 NUMA nodes.
We support arbitrary number of NUMA nodes now.
Note that this commit also removes the old SCLog logging
calls. But since the logic has changed, these have been replaced
directly with new code.
The WARN_UNUSED attribute has been added to ByteExtractStringUint8
in commit 6988168114. The return
value is now handled and appropriate errors printed.
Juliana Fajardini
Philippe Antoine
Shivani Bhardwaj
Travis Green
Jason Ish
Jeff Lucovsky
Lukas Sismis
Victor Julien
Arne Welzel
Ralph Eastwood