Commit Graph

13137 Commits (1b65af2867ab21e8255558c849f4e6105b517eb4)
 

Author SHA1 Message Date
Juliana Fajardini 29b5f68bf0 assorted: fix low hanging typos 4 years ago
Juliana Fajardini 1956dc3d5d userguide: explain alert queue behavior and stats
Added sections along packet-alert-max config section explaining
packet alert queue overflow (when Suri reaches packet alert max), when
alerts are discarded etc.

Since from the user perspective it shouldn't matter how we process the
alert queue, the term "replace" is used, even though there's not exactly
a replacing action happening, with the queue bein pre-processed before
being appended to the Packet.

Also described the associated stats and added an explanation on when to
change packet-alert-max.

Task #5178
4 years ago
Juliana Fajardini 877b32c1e4 detect/stats: log out total of suppressed alerts
Related to
Task #4943
Task #5179
4 years ago
Juliana Fajardini 8616c90fe7 detect/stats: log out total of discarded alerts
Add a counter to our stats log with the total of alerts that have been
discarded due to packet alert queue overflow.

Task #5179
4 years ago
Juliana Fajardini 9b275d3878 detect/alert: move apply-action-flow code to func
Trying to clean PacketAlertFinalize a bit more.
4 years ago
Juliana Fajardini e4e688a9b0 detect/alert: remove unused functions
Since we now only copy the PacketAlerts to the Packet's queue after
processing them, we no longer do packet alert appending from
detect-engine-alert, nor do we remove PacketAlerts from the queue (if
they're discarded by overflow or thresholding, they're not copied to the
final alert queue).

Task #4943
4 years ago
Juliana Fajardini 185b43edff detect/alert: preprocess then append alert queue
Do all alert queue processing before actually appending
the PacketAlerts to the Packet's alert queue.

Task #4943
4 years ago
Juliana Fajardini a85340b1ab detect/alert: use tx id in alert if frame has it
Task #4943
4 years ago
Juliana Fajardini aa547a8de3 detect/engine: use alert queue from det_ctx
Task #4943
4 years ago
Juliana Fajardini 88805f03ee detect/alert: add infra for new alert queue
Initial work to bring part of the alert queue processing to
DetectEngineThreadCtx.

Task #4943
4 years ago
Juliana Fajardini 49542d0f1b doc/userguide: explain packet-alert-max config
Task #4207
4 years ago
Juliana Fajardini 3ace577d54 decode: make packet_alert_max configurable
The maximum of possible alerts triggered by a unique packet was
hardcoded to 15. With usage of 'noalert' rules, that limit could be
reached somewhat easily. Make that configurable via suricata.yaml.

Conf Bug#4941

Task #4207
4 years ago
Jason Ish e319d31c14 template(rust): convert transaction list to vecdeque
Allows for more efficient removal from front of the list.

Ticket: #5298
4 years ago
Jason Ish 9b0b2beac1 pgsql: convert transaction list to vecdeque
Allows for more efficient removal from front of the list.

Ticket: #5297
4 years ago
Jason Ish 2db84726ad http2: convert transaction list to vecdeque
Allows for more efficient removal from front of the list.

Ticket: #5296
4 years ago
Jason Ish 4e0ad5e0bd rdp: convert transaction list to vecdeque
Allows for more efficient removal from front of the list.

Ticket: #5295
4 years ago
Jason Ish 3b422e25f3 mqtt: convert transaction list to vecdeque
Allows for more efficient removal from front.

Ticket: #5294
4 years ago
Jason Ish 3189414788 dns: convert transaction list to vecdeque
Allows for more efficient removal from front of the list.

Ticket: #5277
4 years ago
Jason Ish 7b11b4d3a1 app-layer: more generic state trait
Instead of a method that is required to return a slice of transactions,
use 2 methods, one to return the number of transactions in the
collection, and another to get a transaction by its index in the
collection.

This allows for the transaction collection to not be a contiguous array
and instead can be a VecDeque, or possibly another collection type that
supports retrieval by index.

Ticket #5278
4 years ago
Juliana Fajardini bbd9a2ff1a pgsql: apply clippy fixes 4 years ago
Juliana Fajardini 0fc9ade7a9 pgsql: fix uint overflow and optimizations
Fuzzers found a possible integer overflow bug when parsing response
messages. To fix that, removed the case where we incremented the parsed
field length and created a new message type for situations where Suri
parsers an Unknown message. This is good because there may happen that
an unknown message to Suri is valid, and in this case, we would still be
able to log it.

Philippe Antoine found the bug while fuzzing with rust debug assertions.

Bug #5016
4 years ago
Juliana Fajardini 8daa79513a pgsql: fix clippy is_null usage warning 4 years ago
Sascha Steinbiss 5ec6f3ba51 util: add unit tests for CIDRFromMask() 4 years ago
Sascha Steinbiss 394356f73c detect: make int CIDRFromMask() work on big endian platforms 4 years ago
Philippe Antoine d2f00ac824 dcerpc: use wrappingadd for padding parsing
As we compute a modulo, we can safely wrap around even if there
is an overflow

Ticket: #5301
4 years ago
Victor Julien 07d0ae04d3 logopenfile: fix minor format string warning
cppcheck:

src/util-logopenfile.c:743:13: warning: %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
            snprintf(threaded_name, len, "%s.%d.%s", tname, unique_id, ext);
            ^
src/util-logopenfile.c:752:9: warning: %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
        snprintf(threaded_name, len, "%s.%d", original_name, unique_id);
        ^

Bug: #5291.
4 years ago
Victor Julien 1e13f72785 ja3: fix minor format string warning
cppcheck:

src/util-ja3.c:197:28: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
        (*buffer)->used += snprintf((*buffer)->data, (*buffer)->size, "%d",
                           ^
src/util-ja3.c:201:28: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
        (*buffer)->used += snprintf((*buffer)->data + (*buffer)->used,
                           ^

Bug: #5291.
4 years ago
Victor Julien 3dfbf0bf11 log-pcap: remove redundant check
Check is always true but confuses cppcheck:

src/log-pcap.c:1224:32: warning: Either the condition 'filename' is redundant or there is possible null pointer dereference: filename. [nullPointerRedundantCheck]
    if ((pl->prefix = SCStrdup(filename)) == NULL) {
                               ^
src/log-pcap.c:1421:9: note: Assuming that condition 'filename' is not redundant
    if (filename) {
        ^
src/log-pcap.c:1224:32: note: Null pointer dereference
    if ((pl->prefix = SCStrdup(filename)) == NULL) {
                               ^

Bug: #5291.
4 years ago
Victor Julien fedced209d af-packet/v2: use proper type for ring
cppcheck:

src/source-af-packet.c:1762:19: warning: Size of pointer 'v2' used instead of size of its data. This is likely to lead to a buffer overflow. You probably intend to write 'sizeof(*v2)'. [pointerSize]
        ptv->ring.v2 = SCMalloc(ptv->req.v2.tp_frame_nr * sizeof (union thdr *));
                  ^
src/source-af-packet.c:1767:26: warning: Size of pointer 'v2' used instead of size of its data. This is likely to lead to a buffer overflow. You probably intend to write 'sizeof(*v2)'. [pointerSize]
        memset(ptv->ring.v2, 0, ptv->req.v2.tp_frame_nr * sizeof (union thdr *));
                         ^

scan-build:

CC       source-af-packet.o
source-af-packet.c:1762:24: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'union thdr *' [unix.MallocSizeof]
        ptv->ring.v2 = SCMalloc(ptv->req.v2.tp_frame_nr * sizeof (union thdr *));
                       ^~~~~~~~                           ~~~~~~~~~~~~~~~~~~~~~
./util-mem.h:35:18: note: expanded from macro 'SCMalloc'
                 ^~~~~~
1 warning generated.

Bug: #5291.
4 years ago
Victor Julien 69b8b48b94 detect/pcre: assist code analyzer around pointer logic
cppcheck:

src/detect-pcre.c:381:27: warning: Either the condition 'pcap' is redundant or there is overflow in pointer subtraction. [nullPointerArithmeticRedundantCheck]
            cut_capture = MIN((pcap - regexstr), (fcap - regexstr));
                          ^
src/detect-pcre.c:378:18: note: Assuming that condition 'pcap' is not redundant
        else if (pcap && !fcap)
                 ^
src/detect-pcre.c:381:27: note: Null pointer subtraction
            cut_capture = MIN((pcap - regexstr), (fcap - regexstr));
                          ^

Bug: #5291.
4 years ago
Victor Julien 3bc50df9c3 device: avoid uninit var warning
cppcheck:

src/util-device.c:455:17: error: Uninitialized variables: *ndev.dev, *ndev.tenant_id_set, *ndev.id, *ndev.next, *ndev.tenant_id, *ndev.offload_orig [uninitvar]
        *ldev = *ndev;
                ^
src/util-device.c:618:36: note: Calling function 'LiveDeviceForEach', 2nd argument '&ndev' value is <Uninit>
    while(LiveDeviceForEach(&ldev, &ndev)) {
                                   ^
src/util-device.c:455:17: note: Uninitialized variables: *ndev.dev, *ndev.tenant_id_set, *ndev.id, *ndev.next, *ndev.tenant_id, *ndev.offload_orig
        *ldev = *ndev;
                ^

Bug: #5291.
4 years ago
Victor Julien 7e2ed11a11 detect: fix bad BUG_ON pattern
cppcheck:

src/detect-engine-uint.c:73:13: warning: Conversion of string literal "unknown mode" to bool always evaluates to true. [incorrectStringBooleanError]
            BUG_ON("unknown mode");
            ^
src/detect-engine-uint.c:328:13: warning: Conversion of string literal "unknown mode" to bool always evaluates to true. [incorrectStringBooleanError]
            BUG_ON("unknown mode");
            ^
src/detect-pcre.c:291:25: warning: Conversion of string literal "Impossible captype" to bool always evaluates to true. [incorrectStringBooleanError]
                        BUG_ON("Impossible captype");
                        ^

Bug: #5291.
4 years ago
Victor Julien 2f48e432cd time: fix warning in timestring creation
cppcheck:

src/util-time.c:255:18: warning: Either the condition 'str!=NULL' is redundant or there is possible null pointer dereference: str. [nullPointerRedundantCheck]
        snprintf(str, size, "ts-error");
                 ^
src/util-time.c:252:48: note: Assuming that condition 'str!=NULL' is not redundant
    if (likely(t != NULL && fmt != NULL && str != NULL)) {
                                               ^
src/util-time.c:255:18: note: Null pointer dereference
        snprintf(str, size, "ts-error");
                 ^

Only `t` could possibly be NULL if `localtime_r` fails elsewhere.

Bug: #5291.
4 years ago
Victor Julien 4fcb8740e7 detect/multi-tentancy: minor format string fixes
cppcheck:

src/detect-engine.c:3643:5: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
    snprintf(prefix, sizeof(prefix), "multi-detect.%d", tenant_id);
    ^
src/detect-engine.c:3707:5: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
    snprintf(prefix, sizeof(prefix), "multi-detect.%d.reload.%d", tenant_id, reload_cnt);
    ^
src/detect-engine.c:4086:17: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
                snprintf(prefix, sizeof(prefix), "multi-detect.%d", tenant_id);
                ^

Bug: #5291.
4 years ago
Victor Julien 5a0bbb5289 reference: remove useless var reset
cppcheck:

src/util-reference-config.c:179:9: warning: Assignment of function parameter has no effect outside the function. Did you forget dereferencing it? [uselessAssignmentPtrArg]
        fd = NULL;
        ^

Bug: #5291.
4 years ago
Victor Julien 2965d809a4 runmodes: minor format string fixes
cppcheck:

src/util-runmodes.c:210:9: warning: %u in format string (no. 2) requires 'unsigned int' but the argument type is 'signed int'. [invalidPrintfArgType_uint]
        snprintf(tname, sizeof(tname), "%s#%02u", thread_name_workers, thread+1);
        ^
src/util-runmodes.c:211:9: warning: %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'. [invalidPrintfArgType_uint]
        snprintf(qname, sizeof(qname), "pickup%u", thread+1);
        ^
src/util-runmodes.c:455:9: warning: %u in format string (no. 2) requires 'unsigned int' but the argument type is 'signed int'. [invalidPrintfArgType_uint]
        snprintf(tname, sizeof(tname), "%s#%02u", thread_name_workers, thread+1);
        ^
src/util-runmodes.c:457:9: warning: %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'. [invalidPrintfArgType_uint]
        snprintf(qname, sizeof(qname), "pickup%u", thread+1);
        ^

src/runmode-erf-file.c:188:9: warning: %u in format string (no. 2) requires 'unsigned int' but the argument type is 'signed int'. [invalidPrintfArgType_uint]
        snprintf(tname, sizeof(tname), "%s#%02u", thread_name_workers, thread+1);
        ^
src/runmode-erf-file.c:189:9: warning: %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'. [invalidPrintfArgType_uint]
        snprintf(qname, sizeof(qname), "pickup%u", thread+1);
        ^
src/runmode-pcap-file.c:201:9: warning: %u in format string (no. 2) requires 'unsigned int' but the argument type is 'signed int'. [invalidPrintfArgType_uint]
        snprintf(tname, sizeof(tname), "%s#%02u", thread_name_workers, thread+1);
        ^
src/runmode-pcap-file.c:202:9: warning: %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'. [invalidPrintfArgType_uint]
        snprintf(qname, sizeof(qname), "pickup%u", thread+1);
        ^

Bug: #5291.
4 years ago
Victor Julien a8d3cd6eb4 mpm/ac-ks: address int handling issues
cppcheck:

src/util-mpm-ac-ks.c:1452:5: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
    printf("Total states in the state table:    %d\n", ctx->state_count);
    ^
src/util-mpm-ac-ks.c:606:34: error: Signed integer overflow for expression '1<<31'. [integerOverflow]
        encoded_next_state |= (1 << 31);
                                 ^

Bug: #5291.
4 years ago
Victor Julien 9c672a805f classification: remove useless clear
cppcheck:

src/util-classification-config.c:189:9: warning: Assignment of function parameter has no effect outside the function. Did you forget dereferencing it? [uselessAssignmentPtrArg]
        fd = NULL;
        ^

Bug: #5291.
4 years ago
Victor Julien 27e9a871d0 detect/content-inspect: code cleanup
Rearrange code slightly to make it more clear that `found` cannot
be NULL further down the loop.

cppcheck:

src/detect-engine-content-inspection.c:316:50: warning: Either the condition 'found!=NULL' is redundant or there is overflow in pointer subtraction. [nullPointerArithmeticRedundantCheck]
                match_offset = (uint32_t)((found - buffer) + cd->content_len);
                                                 ^
src/detect-engine-content-inspection.c:308:30: note: Assuming that condition 'found!=NULL' is not redundant
            } else if (found != NULL && (cd->flags & DETECT_CONTENT_NEGATED)) {
                             ^
src/detect-engine-content-inspection.c:316:50: note: Null pointer subtraction
                match_offset = (uint32_t)((found - buffer) + cd->content_len);
                                                 ^

Bug: #5291.
4 years ago
Victor Julien a0847e6c69 detect/analyzer: minor format string fixes
cppcheck flagged this as:

src/detect-engine-analyzer.c:1359:13: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
            fprintf(rule_engine_analysis_FD, "    Rule contains %d content options, %d http content options, %d pcre options, and %d pcre options with http modifiers.\n", rule_content, rule_content_http, rule_pcre, rule_pcre_http);
            ^
src/detect-engine-analyzer.c:1359:13: warning: %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
            fprintf(rule_engine_analysis_FD, "    Rule contains %d content options, %d http content options, %d pcre options, and %d pcre options with http modifiers.\n", rule_content, rule_content_http, rule_pcre, rule_pcre_http);
            ^
src/detect-engine-analyzer.c:1359:13: warning: %d in format string (no. 3) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
            fprintf(rule_engine_analysis_FD, "    Rule contains %d content options, %d http content options, %d pcre options, and %d pcre options with http modifiers.\n", rule_content, rule_content_http, rule_pcre, rule_pcre_http);
            ^
src/detect-engine-analyzer.c:1359:13: warning: %d in format string (no. 4) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
            fprintf(rule_engine_analysis_FD, "    Rule contains %d content options, %d http content options, %d pcre options, and %d pcre options with http modifiers.\n", rule_content, rule_content_http, rule_pcre, rule_pcre_http);
            ^

Bug: #5291.
4 years ago
Victor Julien f8a0f3d9b9 detect/address: remove useless checks
Cppcheck flagged this:

src/detect-engine-address.c:1035:48: warning: Either the condition 'ghn!=NULL' is redundant or there is possible null pointer dereference: gh. [nullPointerRedundantCheck]
    int r = DetectAddressIsCompleteIPSpaceIPv4(gh->ipv4_head);
                                               ^
src/detect-engine-address.c:1297:17: note: Assuming that condition 'ghn!=NULL' is not redundant
        if (ghn != NULL) {
                ^
src/detect-engine-address.c:1283:44: note: Calling function 'DetectAddressIsCompleteIPSpace', 1st argument 'ghn' value is 0
        if (DetectAddressIsCompleteIPSpace(ghn)) {
                                           ^
src/detect-engine-address.c:1035:48: note: Null pointer dereference
    int r = DetectAddressIsCompleteIPSpaceIPv4(gh->ipv4_head);
                                               ^

Cleanup code could only be reached with non-NULL pointers, so simplify checks.

Bug: #5291.
4 years ago
Victor Julien bad9005161 detect/ipv6: remove useless code
Remove useless allocation and free.

Found by cppcheck as a potential issue:

src/detect-engine-address-ipv6.c:385:12: warning: Either the condition 'tmp!=NULL' is redundant or there is possible null pointer dereference: tmp. [nullPointerRedundantCheck]
    memset(tmp,0,sizeof(DetectAddress));
           ^
src/detect-engine-address-ipv6.c:525:13: note: Assuming that condition 'tmp!=NULL' is not redundant
    if (tmp != NULL)
            ^
src/detect-engine-address-ipv6.c:385:12: note: Null pointer dereference
    memset(tmp,0,sizeof(DetectAddress));
           ^

But code turned out not to do anything, so removed.

Bug: #5291.
4 years ago
Victor Julien ea2d0ecf08 datasets: fix cppcheck warning
src/datasets.c:107:17: error: Uninitialized variable: hash [uninitvar]
    memcpy(out, hash, outs);
                ^
src/datasets.c:93:26: note: Assuming condition is false
    for (x = 0, i = 0; i < ins; i+=2, x++) {
                         ^
src/datasets.c:107:17: note: Uninitialized variable: hash
    memcpy(out, hash, outs);
                ^

Bug: #5291.
4 years ago
Victor Julien 4bb00964ac detect: fix rule inspection order
Fix rules from the 'match' list getting added to the tx candidates list
unsorted. In some cases this could lead to the same sid getting inspected
twice leading to a DEBUG_VALIDATION_BUG_ON trigger.

Bug: #5144.
4 years ago
Victor Julien c40df43609 stream: improve flow end payload logging
Use all available data, including un-ACK'd, when in flow timeout
mode.

Bug: #5276.
4 years ago
Victor Julien b50d5eb8c8 eve/alert: add pkt_src/pcap_cnt to tunnel
Makes it easier to correlate an alert to the original packet.
4 years ago
Victor Julien 9336ab5dcd eve: add pkt_src
This will tell the user if a record was generated based on a real packet,
a flow timeout packet or others.
4 years ago
dependabot[bot] ddf9c9dcad github-actions: bump actions/checkout from 3.0.1 to 3.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](dcd71f6466...2541b1294d)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
4 years ago
dependabot[bot] e65b096bf0 github-actions: bump codecov/codecov-action from 3.0.0 to 3.1.0
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](e3c560433a...81cd2dc814)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
4 years ago
Victor Julien 3d6e733aa7 stream/unittests: fix failures after last_ack fix
Work around many tests not setting up stream completely or correctly.
4 years ago