Commit Graph

14469 Commits (5925b63d82883dda61bac9b0a8e6dfc6f9da5755)
 

Author SHA1 Message Date
Jason Ish 5925b63d82 rust: update x509-parser to 0.15.0 3 years ago
Shivani Bhardwaj 6190913a46 util/mime: disable assertion check until resolution 3 years ago
Victor Julien 5890a8a8ab detect: register multi-buffer keywords
Register the keywords that use multi buffer support as such, so that
rule parsing can set them up with multi-instance support.

Ticket: #5784.
3 years ago
Victor Julien ad88efc2d8 detect: support multi buffer matching
Multi buffer matching is implemented as a way for a rule to match
on multiple buffers within the same transaction.

Before this patch a rule like:

    dns.query; content:"example"; dns.query; content:".com";

would be equivalent to:

    dns.query; content:"example"; content:".com";

If a DNS query would request more than one name, e.g.:

    DNS: [example.net][something.com]

Eeach would be inspected to have both patterns present. Otherwise,
it would not be a match. So the rule above would not match, as neither
example.net and somthing.com satisfy both conditions at the same time.

This patch changes this behavior. Instead of the above, each time the
sticky buffer is specified, it creates a separate detection unit. Each
buffer is a "multi buffer" sticky buffer will now be evaluated against
each "instance" of the sticky buffer.

To continue with the above example:

    DNS: [example.net] <- matches 'dns.query; content:"example";'
    DNS: [something.com] <- matches 'dns.query; content:".com"'

So this would now be a match.

To make sure both patterns match in a single query string, the expression
'dns.query; content:"example"; content:".com";' still works for this.

This patch doesn't yet enable the behavior for the keywords. That is
done in a follow up patch.

To be able to implement this the internal storage of parsed rules
is changed. Until this patch and array of lists was used, where the
index was the buffer id (e.g. http_uri, dns_query). Therefore there
was only one list of matches per buffer id. As a side effect this
array was always very sparsely populated as many buffers could not
be mixed.

This patch changes the internal representation. The new array is densely
packed:

    dns.query; content:"1"; dns.query; bsize:1; content:"2";

    [type: dns_query][list: content:"1";]
    [type: dns_query][list: bsize:1; content:"2";]

The new scheme allows for multiple instances of the same buffer.
These lists are then translated into multiple inspection engines
during the final setup of the rule.

Ticket: #5784.
3 years ago
Jason Ish 1c6644ef4e detect: fix setting of flag for rule reload
As part of 6d8b50b748, the settings of
THV_CAPTURE_INJECT_PKT ended up in a location unreachable by capture
methods that did not have PktAcqBreakLoop.

Instead, always call TmThreadsCaptureBreakLoop which handles the logic
for how the read loop should be broken.

This fixes the case where read threads won't "break" for rule reloads
until packets are seen.

Ticket: #6021
3 years ago
Lukas Sismis f961d3bb95 runmodes: introduce unknown engine mode
Querying an engine mode with an unknown value signals a bug when
the engine mode has not been determined but is already queried by
other functions.

Ticket: #5959
3 years ago
Lukas Sismis 8f1c39bb1c policy: postpone evaluation of exception policy after setting the engine mode
Master exception policy queried engine mode earlier than it was
determined from the configuration file/command line. As a result it
used the default (IDS) mode. However, the engine mode could have been
reconfigured later on to the IPS mode. This lead into an undefined behavior
as master exception policy behaves according to the configured engine mode.

Ticket: #5960
3 years ago
Lukas Sismis 5a6d5702a4 bpf: refactor the BPF code and postpone querying of the engine mode
BPF codebase queried engine mode earlier than it was determined from
the configuration file/command line. As a result it used the default (IDS)
mode where it could've been configured later on to the IPS mode.
This could lead into an undefined behavior as some Suricata modules behave
according to the engine mode.

PF-Ring, Netmap and AF-Packet all shared almost identical code for
determining the engine mode. It was put into one common function.
Omitted the usage of SCStrdup function in PF-Ring module as it is
uppercased during thread initialization phase.

Ticket: #5957
3 years ago
Jeff Lucovsky 22485b368e source/nfq: Improve retry counter limit name
The NFQ verdict retry is based on attempts, not time; thus, we rename
the token controlling it to reflect that.
3 years ago
Jeff Lucovsky b470b55635 nfq: Ensure packet release function set
Issue: 5916

This commit ensures that the packet release function is set in
case the packet is released early.
3 years ago
Jeff Lucovsky 804c442568 general/typo: Correct typo
Issue: 5916
3 years ago
William Correia e378aa8d15 modbus: bump crate version
sawp 0.12 is available and addresses future compilation failures in
dependent crates.
Updated modbus test case to expect 12 bytes needed instead of 15. This
aligns with expectations as the test case slices 3 bytes off the end of
a 12 byte message so needing 12 bytes is correct.

Ticket #5989
3 years ago
Jeff Lucovsky 61783c4e42 pfring: Prefix messages with interface name
This commit modifies the log messages to follow the style of AF_PACKET
(and others). When the interface name is part of the message, the
message will be structured as: "<iface-name>: <message>"

Issue: 5975
3 years ago
Jeff Lucovsky 0ad6d4358f add to doc/pfring: Document additional cluster types 3 years ago
Jeff Lucovsky e26e7b4f0a gen: Typo correction
This commit fixes various typos in the pf-ring source modules.

Issue: 5975
3 years ago
Jeff Lucovsky 4f7a36ac2e config/pf-ring: Change default cluster type: cluster_flow
This commit changes the default pf-ring cluster type to cluster-flow.
Round-robin clustering is not recommended for Suricata.

Issue: 5975
3 years ago
Jeff Lucovsky b21a4ded6e config/pf-ring: Recognize and set add'l cluster types
This commit extends the pf-ring config parser to recognize the
additional cluster types:
- cluster_inner_flow
- cluster_inner_flow_2_tuple
- cluster_inner_flow_4_tuple
- cluster_inner_flow_5_tuple

Issue: 5975
3 years ago
Jeff Lucovsky 0ac3bee423 pf-ring: Add add'l cluster types
This commit adds preprocessor values for additional pf-ring
cluster-types:
- CLUSTER_INNER_FLOW
- CLUSTER_INNER_FLOW_2_TUPLE
- CLUSTER_INNER_FLOW_4_TUPLE
- CLUSTER_INNER_FLOW_5_TUPLE

Issue: 5975
3 years ago
Jeff Lucovsky 62f4049705 config/pfring: Document add'l pf-ring cluster types
This commit adds additional cluster-types for use with the pf-ring
packet source.

Issue: 5975
3 years ago
Jeff Lucovsky b1918168f9 doc/pfring: Document additional cluster types
This commit adds brief discussion for additional cluster types for use
with the pf-ring packet source.

Newly added:
- cluster_inner_flow
- cluster_inner_flow_2_tuple
- cluster_inner_flow_4_tuple
- cluster_inner_flow_5_tuple

Issue: 5975
3 years ago
Juliana Fajardini 1665f71a68 flow: make exc policy work w/ simulated flowmemcap
Exception policy wouldn't be applied if we were in the context of a
simulated flow memcap hit.

Bug #5998
3 years ago
Jason Ish b4f0d3c741 rust: update der-parser to 8.2.0
Minimal modifications required on the Suricata side, mainly for fields
becoming private and needing an accessor instead.

Note: As the kerberos parser still depends on der-parser 6.0, we still
have to depend on that so it is depended on, but renamed to
der-parser6. There is not an udpated kerberos-parser yet that uses
der-parser 8.2.0.

Ticket: #5991
3 years ago
Philippe Antoine 59734d16a1 detect: use http.connection to client
Ticket: #5746
3 years ago
Jason Ish 3d9fc3bf1d rust: update snmp-parser to 0.9.0
Updating snmp-parser required directly depending on the asn1-rs crate
for the Oid type, as snmp-parser does not re-export this type anymore.

Ticket: #5992
3 years ago
Jason Ish 0d6628c64e rust: update cargo.lock
Update Cargo.lock, most importantly the Nom 5.1.3 update which will
prevent future breakage by Rustc.
3 years ago
Victor Julien 0b15b73c9c stream: minor const cleanup 3 years ago
Victor Julien 5903ca624e stream: simplify raw stream progress catch up
Don't use TCP window, but use last ACK instead.
3 years ago
Victor Julien 62b998cc06 stream: clear SYN queue on state change
Bug: #5907.
3 years ago
Victor Julien cb66a1e636 github-ci: add padding check to scan-build 3 years ago
Victor Julien 47fe88b79b ftp: rearrange command struct to be more compact
./app-layer-ftp.h:92:16: warning: Excessive padding in 'struct FtpCommand_' (11 padding bytes, where 3 is optimal). Optimal fields order: command_name, command, command_length, consider reordering the fields or adding explicit padding members [optin.performance.Padding]
typedef struct FtpCommand_ {
        ~~~~~~~^~~~~~~~~~~~~
3 years ago
Victor Julien afd57dc845 detect: remove unused thread ctx members 3 years ago
Victor Julien 4f1d61169c detect: make DetectEngineCtx more compact 3 years ago
Victor Julien 0ff28a482b detect: remove unused group counters 3 years ago
Victor Julien 9f0bea5410 detect: remove DetectEngineCtx members
Members were set but not checked.
3 years ago
Victor Julien 9ce967da53 detect: remove unused field 3 years ago
Victor Julien 3480d57103 threading: reduce padding in affinity 3 years ago
Victor Julien d0d6ca4c6e github-ci: add more scan-build checks
Explicitly disable:
security.insecureAPI.DeprecatedOrUnsafeBufferHandling
optin.performance.Padding
3 years ago
Victor Julien 9586aed43b scan-build: fix potential 0 size allocation warnings 3 years ago
Victor Julien 0265c13550 src: fix extern max_pending_packets type 3 years ago
Victor Julien fb237e8de3 github-ci: add dpdk, nfqueue, nflog to scan-build 3 years ago
Victor Julien c1714294cb streaming: improve error handling 3 years ago
Victor Julien 59df740e85 output: work around scan-build fp
runmodes.c:541:13: warning: Use of memory after it is freed [unix.Malloc]
        if (output->output_ctx != NULL && output->output_ctx->DeInit != NULL)
            ^~~~~~~~~~~~~~~~~~
1 warning generated.
3 years ago
Victor Julien 0af599f5fa log/pcap: work around scan-build fp
log-pcap.c:1008:24: warning: Use of memory after it is freed [unix.Malloc]
            if (remove(pf->filename) != 0) {
                       ^~~~~~~~~~~~
1 warning generated.
3 years ago
Victor Julien fc000a6d81 af/xdp: fix memory leaks on thread init failure
source-af-xdp.c:675:21: warning: Potential leak of memory pointed to by 'ptv' [unix.Malloc]
        SCReturnInt(TM_ECODE_FAILED);
                    ^~~~~~~~~~~~~~~
./util-debug.h:275:48: note: expanded from macro 'SCReturnInt'
 #define SCReturnInt(x)                  return x
                                                ^
1 warning generated.
3 years ago
Victor Julien ea67a2edd2 dpdk: fix scan-build warnings
runmode-dpdk.c:204:18: warning: Result of 'calloc' is converted to a pointer of type 'char *', which is incompatible with sizeof operand type 'ptrdiff_t' [unix.MallocSizeof]
    args->argv = SCCalloc(capacity, sizeof(ptrdiff_t)); // alloc array of pointers
                 ^~~~~~~~           ~~~~~~~~~~~~~~~~~
./util-mem.h:36:18: note: expanded from macro 'SCCalloc'
 #define SCCalloc calloc
                  ^~~~~~
runmode-dpdk.c:278:16: warning: Result of 'malloc' is converted to a pointer of type 'char *', which is incompatible with sizeof operand type 'char **' [unix.MallocSizeof]
    eal_argv = SCMalloc(args.argc * sizeof(args.argv));
               ^~~~~~~~             ~~~~~~~~~~~~~~~~~
./util-mem.h:35:18: note: expanded from macro 'SCMalloc'
 #define SCMalloc malloc
                  ^~~~~~
2 warnings generated.
3 years ago
Victor Julien e717c2e0ec github-ci: remove debian 9 as it is EOL 3 years ago
Jason Ish 915f487a1c github-ci: update Fedora 36 cov build to Fedora 38
As Fedora 36 will be EOL in a month.
3 years ago
Jason Ish bcbceb13f8 github-ci: update non-root build to Fedora 37
As Fedora 36 will be EOL in a month.
3 years ago
Jason Ish b0bc95d7c1 github-ci: add Fedora 38 builds 3 years ago
Jason Ish 3974142b41 github-ci: use cbindgen from packages on almalinux:9
AlmaLinux 9 has cbindgen available from the package repositories.
3 years ago