Effect of classification on Suricata's working is minimal. Impact
of adding undefined classtypes is large: rules will fail to load
completely. This also leads multiple lines of log output per rule,
which in a large ruleset can lead to excessive output.
This patch changes the classtype keyword behavior. Instead of erroring
and invalidating a rule, we will merely warn.
The undefined classtype is then defined with a default priority,
so other rules using the classtype will not also warn. This way
there will be just a single warning per missing classtype.
Detect duplicate instances and use the one with the highest
priority.
Use new priority flag to make the logic around explicit priority
sets easier to follow.
Minor code cleanups. Also clean up unittests.
Introduce Signature init_flag to indicate priority has been set.
This will be needed in a follow-up classtype update.
Detect duplicate priority instances in a keyword, and use the
highest priority in the rule. Do issue a warning in this case.
As the file prune is now moved to the flow worker, the file
prune is run later, meaning the first file has not yet
been pruned from the file container list.
Adjust test to look for a second file, and check the
flags on that file.
For commit addressing bug 2490.
If a keyword like filemd5 was being used without a filestore,
or a file output enabled, it would be pruned before detection
had a chance to match.
Consolidate file pruning to the end of the flow worker so files
are available for detection even when a file output is not
enabled.
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2490
At the startup, if the default log dir provided either by command line
options or suricat.yaml is not writable, the error comes quite later.
This patch makes suricata exit if there is such an error in the
beginning itself.
Closes redmine ticket #2386.
In file included from suricata-common.h:471,
from app-layer-enip-common.c:27:
app-layer-enip-common.c: In function ‘DecodeCIPRequestPathPDU’:
util-debug.h:222:31: warning: ‘req_path_class8’ may be used uninitialized in this function [-Wmaybe-uninitialized]
int _sc_log_ret = snprintf(_sc_log_msg, SC_LOG_MAX_LOG_MSG_LEN, __VA_ARGS__); \
^~~~~~~~
app-layer-enip-common.c:589:13: note: ‘req_path_class8’ was declared here
uint8_t req_path_class8;
^~~~~~~~~~~~~~~
app-layer-enip-common.c:607:9: warning: ‘segment’ may be used uninitialized in this function [-Wmaybe-uninitialized]
switch (segment)
^~~~~~
app-layer-enip-common.c: In function ‘DecodeCIPResponsePDU’:
app-layer-enip-common.c:773:13: warning: ‘service’ may be used uninitialized in this function [-Wmaybe-uninitialized]
service &= 0x7f; //strip off top bit to get service code. Responses have first bit as 1
^~
app-layer-enip-common.c: In function ‘DecodeCIPRequestPDU’:
app-layer-enip-common.c:503:25: warning: ‘path_size’ may be used uninitialized in this function [-Wmaybe-uninitialized]
offset += path_size * sizeof(uint16_t); //move offset past pathsize
~~~~~~~~~~^~~~~~~~~~~~~~~~~~
app-layer-enip-common.c:506:5: warning: ‘service’ may be used uninitialized in this function [-Wmaybe-uninitialized]
switch (service)
^~~~~~
Bug #3139.
Improve warnings when eve.stats can't work because of the global config
missing or disabled.
Issue warning if global config is missing but stats are still enabled due
to the legacy stats.log.
Issue clearer warning when stats are disabled and unix socket dump-counters
command is issued.
Warnings include links to docs.
Bug #2465.
bzero(3): The bzero() function is deprecated (marked as LEGACY in
POSIX.1-2001); use memset(3) in new programs. POSIX.1-2008 removes
the specification of bzero().
Use memset instead.
Replace index by strchr and rindex by strrchr.
index(3) states "POSIX.1-2008 removes the specifications of index() and
rindex(), recommending strchr(3) and strrchr(3) instead."
Add index/rindex to banned function check so they don't get reintroduced.
Bug #1443.
OpenSSL uses 30, so this seems a reasonable limit.
Set a smaller limit than before to reduce the resources spent on
specially crafted input designed to be maximally expensive.
Set and Sequence parsers would pass on max available data instead
of the size of their object.
Malformed data could trigger massive recursion this way, leading
to spending much more resources than necessary.
Found using AFL.
Bug #3185.
Field is at data+1 offset, not +3. Also makes sure we always stay
within checked data bounds.
Reported-by: Sirko Höer -- Code Intelligence for DCSO.
Bug #3176.
Before re-assembling, check that the first fragment is large
enough to contain the IPv4 or IPv6 header to prevent
an out of bounds read (IPv4) or write (IPv6).
Reported-by: Sirko Höer -- Code Intelligence for DCSO.
Bug #3171.
Restructure code to make it clearer that either 'basic', 'extended'
or 'custom' is being printed, by creating one function for each of
the possibilities.