Commit Graph

15500 Commits (2d6708f1ff1e57f83f2dd9994173e8ee62e00616)
 

Author SHA1 Message Date
dependabot[bot] 07ec8b202e github-actions: bump github/codeql-action from 3.24.3 to 3.24.5
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.3 to 3.24.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](https://github.com/github/codeql-action/compare/v3.24.3...v3.24.5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2 years ago
Jason Ish 089dd6e761 build: don't build the lib example by default
Don't build the library example by default as it is not needed by most
users.
2 years ago
Jason Ish 5ed3f905ac examples/lib: work with bundled libhtp
The simple example Makefile.am was unconditionally including
$(HTP_LDADD) which might be empty resulting in "../.." ending up in the
Makefile causing the build to fail.

Instead, also make HTP_LDADD a conditional, so we can only include it
when actually set, and its only set when libhtp is bundled.

The reason this Makefile needs to include the path components "../.."
is because the HTP_LDADD value is relative to the top level "src/"
directory.
2 years ago
Victor Julien 69f0e85785 af-xdp: suppress cppcheck false positive
As the cppcheck test suite does as well:
https://github.com/danmar/cppcheck/blob/main/test/cfg/posix.c#L311

Requires cppcheck --inline-suppr option to be used.
2 years ago
Victor Julien eb1d0c2cc2 detect: fix memory leak in error handling
Pointed out by cppcheck:

src/detect-parse.c:1544:9: error: Memory leak: sig.init_data [memleak]
        SCFree(sig);
        ^

Bug: #6527.
2 years ago
Victor Julien 78703bbc86 detect/address: avoid cppcheck false positive
src/detect-engine-address.c:1386:5: error: Memory leak: map.string [memleak]
    return true;
    ^

Seems cppcheck looses track of the pointer after the unnecessary cast to
void.

Bug: #6527.
2 years ago
Hadiqa Alamdar Bukhari 6c193b1a3d dns: add missing dns keywords to schema.json
Found and added missing dns fields in schema.json after manual code review.
Added description to these newly added dns fields.
Feature #5642
2 years ago
Lukas Sismis ebf465a11b tcp: do not assign TCP flags to pseudopackets
Previously pseudopackets were assigned with ACK flag which falsely turned
"SYN" flows to "SYN/ACK" flows when Suricata ran with raw content-matching
rules. The problem occured during the flow timeout or Suricata shutdown,
essentially, when the flow was being kicked out (with a pseudopacket).

When Suricata ran without raw content-matching rules (the ruleset did not
contain content matching keywords or it only contained keywords that are
app-layer content-matching) then raw stream reassembly tracking is turned off
(SignatureHasStreamContent()).
This in turn disabled a check in StreamNeedsReassembly() and the right edge
was not checked with the raw stream progress. In turn, it did not generate
a pseudopacket that would go through the detection engine. Suricata with
raw content-matching keywords would therefore on a flow with SYN packet only
return STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_ONLY_DETECTION which would generate
the pseudopacket.

In Suricata versions <= 6.0.x, the flow output was correct because
only the commit 1bb6f44ff0 started to
differentiate the right edge calculation between the raw and application
layer streams. The older Suricata versions used only the application layer
right edge equation and therefore did not generate a pseudopacket.

Ticket: #6733
2 years ago
Lukas Sismis 2a085ccb83 dpdk: remove redundant port checks and set copy iface socket id correctly
The function to retrieve port ID from the port name was used multiple times.
This commit removes the redundant usage of the function.

Additionally, in the DeviceConfigureIPS(), the socket ID was wrongly retrieved
for the original interface and not for the out port interface.
2 years ago
Lukas Sismis 9185ca8f38 dpdk: add a user warning on the change of RX/TX descriptors
Ticket: #6739
2 years ago
Lukas Sismis e5f7a9ad55 dpdk: refactor log messages to have the same error format 2 years ago
Lukas Sismis 63016aaa7b dpdk: split out the configure function into smaller ones 2 years ago
Lukas Sismis 0b35c42b05 dpdk: add missing SCEnter macros to functions with SCReturns 2 years ago
Lukas Sismis 4b0704db55 hugepages: run hugepage check only on DPDK runmode and on Linux
Previous implementation allowed FreeBSD to enter into the hugepage
analysis. It then failed with an error message because hugepage/
NUMA node paths that are used in the codebase to retrieve info about
the system are not the same with the structure in Linux.

Additionally, the messages were logged on error level. It has been
demoted to info level because the whole hugepage analysis checkup is
only for informational purposes and does not affect Suricata operation.

The hugepage analysis and the hugepage snapshots are now limited to
only run in the DPDK runmode.

Ticket: #6760
Ticket: #6762
2 years ago
Lukas Sismis f88bd2dd3f errors: add SC_ENOENT error 2 years ago
Victor Julien 124a8dea20 detect/mpm: don't test for impossible condition
Functions can't get called with NULL signature or NULL
Signature::init_data.
2 years ago
Victor Julien 962b505aa6 detect/iponly: code cleanups
Constify and flatten branches.
2 years ago
Victor Julien 976d8e65ae detect/iponly: move parsing only fields to init_data
IP-only parse results were not used at runtime.
2 years ago
Victor Julien 872f007a14 runmode/unix-socket: fix cppcheck warnings
src/runmode-unix-socket.c:547:9: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
        snprintf(tstr, sizeof(tstr), "%d", cfile->tenant_id);
        ^
src/runmode-unix-socket.c:1040:5: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
    snprintf(prefix, sizeof(prefix), "multi-detect.%d", tenant_id);
    ^
src/runmode-unix-socket.c:1189:5: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
    snprintf(prefix, sizeof(prefix), "multi-detect.%d", tenant_id);
    ^
2 years ago
dependabot[bot] 92980a11a3 github-actions: bump github/codeql-action from 3.24.1 to 3.24.3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.1 to 3.24.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](https://github.com/github/codeql-action/compare/v3.24.1...v3.24.3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2 years ago
Jason Ish d526919cd7 build: remove autoconf.h from dist
We were including "autoconf.h" in our dist releases, however this file
is generated by ./configure. This can be problematic in out of tree
builds as the one included in the dist, not the generated one may be
used.

Also using "autoconf.h" instead of <autoconf.h> so it is searched for
relative to the file including it which is necessary if a library/plugin
does something like "#include "suricata/foo.h".
2 years ago
Jason Ish 2421b024f2 examples: program linking against library
Provide an example of an extremely simple application that links
against Suricata. This provides a Makefile integrated with the
Suricata build system for in-tree building, as well as an example
Makefile for building out of tree.

Currently this application just wraps SuricataMain and does nothing
else.
2 years ago
Jason Ish 6d792f017b examples/plugin: simplify Makefile
Simplify the Makefile by avoiding automake and providing our own
Makefile.in that is suitable for in-tree builds of the plugin and can
also serve as an example for standalone plugins.

But the bigger benefit of this is to allow building the example plugin
even with --disable-shared provided to configure, as this is just a
phony limitation imposed by automake/libtool.
2 years ago
Jeff Lucovsky 1fdf3f644e napatech: Close streams on hard errors
Issue: 5172

This commit forces the current stream to be closed when a hard error
occurs.

Without this commit, a hard error will force a 2nd connection
the stream that raised the error.

With this commit, the stream with the hard error is closed before
opening another connection to the stream.

Verified with the Python snippet in the redmine issue.
2 years ago
Jason Ish f7114b7fe3 cocci/run-check: log if parallel command is not found
If CONCURRENCY_LEVEL was set, the script would log a concurrency level
even if the parallel command was not available. Not log if parallel is
not available and set concurrency to 1.
2 years ago
Jason Ish 6198ea5a91 github-ci: use all cpus for coccinelle checks
Also put "cocci" in the job name and install parallel so the script can
actually run with concurrency.
2 years ago
Shivani Bhardwaj 487ba82fb9 eve/stats: add description for applayer flows
Ticket 6434
2 years ago
Shivani Bhardwaj 8817514bea eve/stats: add description for expectations
Ticket 6434
2 years ago
Shivani Bhardwaj 1816e98ef0 eve/stats: add description for applayer errors
Ticket 6434
2 years ago
Shivani Bhardwaj 5a1a32ba5b eve/stats: add description for common fields
Ticket 6434
2 years ago
Shivani Bhardwaj 7477307181 multi-tenant: remove futile mutex lock
No shared resource is being changed when the lock is held, it is
immediately unlocked. So, remove it.
2 years ago
Arne Welzel 08db0f302b stats: Add unittest for basic stats serialization
Main purpose is to validate that the 30 of bond0.30 isn't expanded into
a nested object during serialization.
2 years ago
Arne Welzel b8b8aa69b4 stats: Do not expand dots of tm_name
When an interface with dots is used, per worker stats are nested by the
dot-separated-components of the interface due to the usage of
OutputStats2Json().

Prevent this by using OutputStats2Json() on a per-thread specific object
and setting this object into the threads object using the
json_object_set_new() which won't do the dot expansion.

This was tested by creating an interface with dots in the name
and checking the stats.

    ip link add name a.b.c type dummy

With Suricata 7.0.2, sniffing on the a.b.c interface results in the
following worker stats format:

    "threads": {
      "W#01-a": {
        "b": {
          "c": {
            "capture": {
              "kernel_packets": 0,

After this fix, the output looks as follows:

    "threads": {
      "W#01-a.b.c": {
        "capture": {
          "kernel_packets": 0,

Ticket: #6732
2 years ago
Simon Dugas 17f9d7aecc detect-engine-iponly: improve ip list performance
The runtime complexity of insertion sort is approx. O(h*n)^2 where
h is the size of the HOME_NET and n is the number of ip only rules
that use the HOME_NET.

Replacing this with qsort significantly improves rule load time when
a large HOME_NET is used in combination with a moderate amount of ip
only rules.
2 years ago
Philippe Antoine 63caa0b40a detect: respect directionality for filestore
Ticket: 6617

So that rules with keyword like `filestore:to_server,flow`
only store the files to server and not the ones to client...

Directionality only worked with the default scope, ie the
current file, and not the scope tx or scope flow.
For non-default scope, tx or flow, both directions were stored
whatever the directionality specified.

For these non-default scopes, this commit keeps a default
of both directions, but use only one direction if specified.

Need to split flag FLOWFILE_STORE per direction, so that Suricata
can retain this (optional) directional info from the filestore
keyword.

Fixes: 79499e4769 ("app-layer: move files into transactions")
2 years ago
Philippe Antoine 41a621178f ci: right sha for authors check 2 years ago
Victor Julien 2d7c3d8d59 multi-tenant: fix coverity warning
Rework locking logic to avoid the following coverity warning.

** CID 1591966:  Concurrent data access violations  (MISSING_LOCK)
/src/detect-engine-loader.c: 475 in DetectLoadersSync()

    474                     SCCtrlMutexLock(loader->tv->ctrl_mutex);
    >>>     CID 1591966:  Concurrent data access violations  (MISSING_LOCK)
    >>>     Accessing "loader->tv" without holding lock "DetectLoaderControl_.m". Elsewhere, "DetectLoaderControl_.tv" is written to with "DetectLoaderControl_.m" held 1 out of 1 times (1 of these accesses strongly imply that it is necessary).
    475                     pthread_cond_broadcast(loader->tv->ctrl_cond);
    476                     SCCtrlMutexUnlock(loader->tv->ctrl_mutex);

The warning itself is harmless.
2 years ago
Jeff Lucovsky f9a20dafc6 mqtt: Improve frame parsing w/mult. PDUs
This commit improves the mqtt parsing of frames to handle multiple PDUs.

Issue: 6592
2 years ago
dependabot[bot] fa98c48e65 github-actions: bump github/codeql-action from 2.24.0 to 3.24.1
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.24.0 to 3.24.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](https://github.com/github/codeql-action/compare/v2.24.0...v3.24.1)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2 years ago
Victor Julien 3c06457b74 detect/tls.certs: fix direction handling
Direction flag was checked against wrong field, leading to undefined behavior.

Bug: #6778.
2 years ago
Jason Ish 2242d10fa0 github-ci: fix authors check with special characters
Dependabot is always getting flagged as a new author even tho it uses
a consistent author of:

dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

But this doesn't work with plain grep. Fix by telling grep to treat
the value as a fixed string instead of a regular expression.
2 years ago
Jason Ish 5c686af149 dependabot: disable rust checks
As we don't have a Cargo.toml and a Cargo.lock, dependabot for Rust
hasn't been working correctly. Disable, as we now have our own cargo
audit and update workflows.
2 years ago
Jason Ish c7cb3e92a6 dependabot: ignore actions/{cache,checkout} v3
The CentOS 7 build requires older GitHub actions, try to make
dependabot ignore these older versions.
2 years ago
Jason Ish a87943d9bf github-ci: apply read-only permissions to more workflows
- authors.yml
- codeql.yml
- scan-build.yml
2 years ago
Victor Julien abbd507b5c security: update policy wrt CVE ID's
To match that we'll now request CVE ID's ourselves as well,
and we can do it for reported issues as well.

See also:
https://forum.suricata.io/t/security-new-cve-policy/4473
2 years ago
Lukas Sismis 356f9ffa13 doc: mention the limited number of RX/TX descriptors on Intel NICs
Ticket: 6748
2 years ago
Lukas Sismis c65ff35819 dpdk: max cache size should be lower than one of the constraints
Ticket: 6741
2 years ago
Lukas Sismis cc2eb2d8b7 dpdk: sanitize integer overflow in the configuration
Ticket: #6737
2 years ago
Philippe Antoine 3a7a4cd581 http: code simplification
removing function unused parameter tx_id in HTPFileOpen
And using directly tx instead of its id in HTPFileOpenWithRange
2 years ago
Philippe Antoine c99d93c257 app-layer/template: use a max number of txs
Ticket: 6773
2 years ago