Fix match array reset depending on prefilter matches for the
current run. If there were none, the match array of the previous
packet was used. This could lead to inspection of rules from the
wrong rule group.
Loading rules with iprep keyword cause
memory leaks due to missing frees.
Direct leak of 8 byte(s) in 4 object(s) allocated from:
#0 0x7f81c862bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x7f81c6afea69 in pcre_get_substring (/lib/x86_64-linux-gnu/libpcre.so.3+0x27a69)
#2 0x43206f7420676e68 (<unknown module>)
SUMMARY: AddressSanitizer: 8 byte(s) leaked in 4 allocation(s).
Require distutils to install the Python tools. Update the logic
to only install suricatactl (and suricatasc) if Python and
distutils are found. Suricata-Update will only be installed if
bundled, and python-distutils and python-yaml are found.
When looking for Python, prefer "python3" over "python2" and
"python".
Also add information about the Python path and version to the
./configure summary.
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2808
The `set_event` function requires that the transaction is already
inserted, or the event set is silently lost.
When parsing first IKEv2 message, first insert transaction, prepare
values, and borrow back inserted transaction to update it.
The regular expression was accepting something like
"flowbits:!isset,isma;" without complaining even if it is not
correct and don't have the expected result.
So far the suricatactl parser was unclear about the options to use and
did not well display the required and optional param difference. Fix
that to make it legible for any user.
Before
```
└─ $ ▶ ./bin/suricatactl filestore -h
usage: suricatactl filestore [-h] {prune} ...
positional arguments:
{prune}
optional arguments:
-h, --help show this help message and exit
└─ $ ▶ ./bin/suricatactl filestore prune -h
usage: suricatactl filestore prune [-h] [-d DIRECTORY] [--age AGE] [-n] [-v]
[-q]
optional arguments:
-h, --help show this help message and exit
-d DIRECTORY, --directory DIRECTORY
filestore directory
--age AGE prune files older than age
-n, --dry-run only print what would happen
-v, --verbose increase verbosity
-q, --quiet be quiet, log warnings and errors only
```
After
```
└─ $ ▶ ./bin/suricatactl filestore -h
usage: suricatactl filestore [-h] {prune} ...
positional arguments:
{prune} sub-command help
prune Remove files in specified directory older than specified age
optional arguments:
-h, --help show this help message and exit
└─ $ ▶ ./bin/suricatactl filestore prune -h
usage: suricatactl filestore prune [-h] -d DIRECTORY [--age AGE] [-n] [-v]
[-q]
optional arguments:
-h, --help show this help message and exit
-n, --dry-run only print what would happen
-v, --verbose increase verbosity
-q, --quiet be quiet, log warnings and errors only
required arguments:
-d DIRECTORY, --directory DIRECTORY
filestore directory
--age AGE prune files older than age, units: s, m, h, d
```
Pylint is a tool to make sure we do not regress the support for Python
3. The following conventions, warnings, errors, refactors have been
fixed.
W0301: Unnecessary semicolon (unnecessary-semicolon)
C0303: Trailing whitespace (trailing-whitespace)
W1401: Anomalous backslash in string
C0103: Variable name doesn't conform to snake_case naming style
R1705: Unnecessary "elif" after "return"
W1201: Specify string format arguments as logging function parameters
W0611: Unused import
R1710: Either all return statements in a function should return an expression, or none of them should
W0612: Unused variable
C0103: Method name doesn't conform to snake_case naming style
R0201: Method could be a function
Call to suricatactl was failing with Python3 with the following error:
```
Traceback (most recent call last):
File "bin/suricatactl", line 40, in <module>
sys.exit(main())
File "./suricata/ctl/main.py", line 50, in main
args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'
```
Fix this by making it run with Py3 just like it does with Py2.
Closes redmine ticket #2793
In low memory or memcap reached conditions a crash could happen in
inline stream detection.
The crash had the following path:
A packet would come in and it's data was added to the stream. Due
to earlier packet loss, the stream buffer uses a stream buffer block
tree to track the data blocks. When trying to add the current packets
block to the tree, the memory limit was reached and the add fails.
A bit later in the pipeline for the same packet, the inline stream
mpm inspection function gets the data to inspect. For inline mode
this is the current packet + stream data before and after the packet,
if available.
The code looking up the packets data in the stream would not
consider the possibility that the stream block returned wasn't
the right one. The tree search returns either the correct or the
next block. In adjusting the returned block to add the extra stream
data it would miscalculate offsets leading to a corrupt pointer to the
data.
This patch more carefully checks the result of the lookup, and
falls back to simply inspecting the packet payload if the lookup
didn't produce the expected result.
Bug 2842.
Reported-by: Ad Schellevis <ad@opnsense.org>
Victor Julien
Jeff Lucovsky
jason taylor
Giuseppe Longo
Eric Leblond
Jason Ish
Pierre Chifflier
Bryant Smith
Shivani Bhardwaj