Ticket: 5243
When switching from SMTP to TLS, and getting HTTP1 instead of
expected TLS, and HTTP1 requesting upgrade to HTTP2, we do not
overwrite the alproto_orig value so as not to have type confusion
in AppLayerParserStateProtoCleanup
(cherry picked from commit cedffdf14c)

Otherwise, if we log a first app_layer_event, then reset
with AppLayerDecoderEventsResetEvents for a new packet,
then get another event, it does not get logged
Ticket: #5391
(cherry picked from commit b0298dd046)

The SMTP parser should not supply lines w/o EOL chars to the mime
parser unless it's in the BODY parsing stage. Mimic this in the fuzz
target by testing the state for inputs that have no EOL.
Additionally, make sure the delim cnt reflects the missing EOL.
(cherry picked from commit 816bbeb7dc)

Make sure a new body is not set up on empty lines unless it is
a body that is not encoded as base64/quoted printable.
(cherry picked from commit 41c2c1ed5a)

If the last data of the body was not a multiple of 4 and not padded
to be a multiple of 4, it would not be processed.
(cherry picked from commit 0d6ab727c5)

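The failure mode above, as an added example that is not Suricata's mime decoder: a base64 decoder that still produces output for a trailing group of 2 or 3 characters that was never padded out to 4 (a lone trailing character is rejected, since it cannot form a byte). Function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value; -1 for '='
 * or any character outside the alphabet. */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode "in" into "out". Returns bytes written, or -1 on invalid input
 * or when "out" is too small. A strict decoder that only consumes whole
 * 4-char quanta would silently drop an unpadded tail; here the bits are
 * accumulated one character at a time, so the tail is decoded as if
 * it had been padded. */
static ptrdiff_t b64_decode_lenient(const char *in, size_t len,
                                    unsigned char *out, size_t outcap)
{
    size_t n = 0;
    uint32_t acc = 0;
    int bits = 0;

    for (size_t i = 0; i < len; i++) {
        if (in[i] == '=')            /* padding: nothing follows */
            break;
        int v = b64_val((unsigned char)in[i]);
        if (v < 0)
            return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {             /* a full byte is available */
            bits -= 8;
            if (n >= outcap)
                return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    /* 6 leftover bits means len % 4 == 1: a single dangling character */
    if (bits >= 6)
        return -1;
    return (ptrdiff_t)n;
}
```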
Gap check would consider a GAP when the current data was in fact
exactly not a gap, but next segment(s) were already available.
(cherry picked from commit 100d821a9f)

Mime parser doesn't expect partial lines, which preprocessing can
provide. Add a check to let mime headers be handled by regular line
parsing.
(cherry picked from commit a38f2f2a52)

Lots of tests still use SigMatchSignatures as their main detection
entry function, which bypassed some logic. Make it match main logic
more closely.
(cherry picked from commit e36b9b89a1)

SigTestDropFlow04 was incorrectly expecting an alert in the packet
following a "drop" packet. The first drop is applied to the flow, so
it should lead to the 2nd packet being dropped before inspection is
run.
Clean up the test as well.
(cherry picked from commit 3874d08015)

Adds a framework for setting exception policies. These would be called
when the engine reaches some kind of exception condition, like hitting
a memcap or some traffic processing error.
The policy gives control over what should happen next: drop the packet,
drop the packet and flow, bypass, etc.
Implements the policy for:
stream: If stream session or reassembly memcaps are hit call the
memcap policy on the packet and flow.
flow: Apply policy when memcap is reached and no flow could be
freed up.
defrag: Apply policy when no tracker could be picked up.
app-layer: Apply policy if a parser reaches an error state.
All options default to 'ignore', which means the default behavior
is unchanged.
Adds commandline options: add simulation options for exceptions. These
are only exposed if compiled with `--enable-debug`.
Ticket: #5214.
Ticket: #5215.
Ticket: #5216.
Ticket: #5218.
Ticket: #5194.
(cherry picked from commit 8580499ded)

Enforcing flow drops is now done earlier in the detection engine and
moved out of the IP-only engine where it didn't belong.
(cherry picked from commit 802c1ffee3)

In some situations bypass callback is called on already bypassed
flow. This allocates FlowBypassInfo structure for the flow but
does not check if the flow already has one.
Issue: #5368
(cherry picked from commit 05797c45bb)

AF-Packet bypass function in some situations allocates EBPF bypass data
for an already bypassed flow and assigns it to the flow without any checks
Issue: #5368
(cherry picked from commit 8845c07a90)

Due to the TIMEVAL_DIFF_SEC calculating the delta into an unsigned
integer, it would underflow to a high positive value leading to
an incorrect result if the packet timestamp was below the timestamp
for the threshold entry. In normal conditions this shouldn't happen,
but in offline mode each thread has its own concept of time which
might differ significantly based on the pcap. In this case the
overflow would be very common.
Changing it to a signed value calculation triggered fuzz undefined
behavior if the packet timeval was very high, so this patch takes a
new approach where it no longer calculates a diff but sets up the
"seconds" value we compare against as a timeval itself, and uses
that to compare.
Fixes: 9fafc1031c ("time: Add TIMEVAL_EARLIER and TIMEVAL_DIFF_SEC macros.")
Fixes: 82dc61f4c3 ("detect/threshold: Refactor threshold calculation to handle by_rule and by_both.")
Uses add `timeradd` specific version where available.
Bug: #5386.
(cherry picked from commit df2e408d96)

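The two expiry checks described above, side by side, as an added example that is not Suricata code: the unsigned-delta form that wraps when the packet is older than the threshold entry, and the timeval-based form that builds a deadline (what `timeradd` would produce) and compares against it. Function names and the constructed timestamps are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <sys/time.h>

/* "entry" is the timestamp stored with the threshold entry, "pkt" the
 * timestamp of the packet being checked, "seconds" the threshold window. */

/* Buggy form: the delta is computed into an unsigned value. A packet
 * timestamped before the entry wraps the subtraction to a huge value,
 * so the entry is wrongly treated as expired. */
static bool expired_unsigned_diff(const struct timeval *entry,
                                  const struct timeval *pkt, uint32_t seconds)
{
    uint32_t diff = (uint32_t)(pkt->tv_sec - entry->tv_sec);
    return diff > seconds;
}

/* Strictly-later comparison, equivalent to timercmp(a, b, >) */
static bool tv_later(const struct timeval *a, const struct timeval *b)
{
    if (a->tv_sec != b->tv_sec)
        return a->tv_sec > b->tv_sec;
    return a->tv_usec > b->tv_usec;
}

/* Fixed form: express "seconds" as a deadline timeval (entry + seconds,
 * as timeradd would build it) and compare; no subtraction, so no wrap. */
static bool expired_timeval(const struct timeval *entry,
                            const struct timeval *pkt, uint32_t seconds)
{
    struct timeval deadline = { entry->tv_sec + (time_t)seconds,
                                entry->tv_usec };
    return tv_later(pkt, &deadline);
}

/* Constructed scenario: a packet 5 s *earlier* than the entry, as can
 * happen in pcap mode where each thread keeps its own clock. With a
 * 60 s window the entry has clearly not expired. */
static bool early_packet_expired(bool use_timeval_fix)
{
    struct timeval entry = { 1000, 0 };
    struct timeval pkt   = { 995, 0 };
    return use_timeval_fix ? expired_timeval(&entry, &pkt, 60)
                           : expired_unsigned_diff(&entry, &pkt, 60);
}
```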
In the case of midstream SYN/ACK pickup, we reverse the flow based on
the SYN/ACK. If we then later get traffic that appears to be in the
reverse direction based on the app-layer, we would reverse it again.
This isn't correct. When we have the SYN/ACK we know the flow's real
direction.
(cherry picked from commit fea374626a)

Now that the engine understands the relation between SMB and DCERPC better
we can get rid of some of the special case handling in keywords.
(cherry picked from commit 84e26d670e)

So 'alert dcerpc' also matches if the DCERPC is over SMB.
Explicitly refuse smb keywords for the 'dcerpc' app proto setting:
`alert dceprc ... smb.share; ...` is rejected.
Remove a now useless special case in the stateless rule processing
matching for dcerpc/smb.
Bug: #5208.
(cherry picked from commit 7d38f5667d)

For connections that use TCP timestamps for which the first SYN packet
does not reach the server, any replies to retransmitted SYNs will be
dropped.
This is happening in StateSynSentValidateTimestamp, where the timestamp
value in a SYN-ACK packet must match the one from the SYN packet.
However, since the server never received the first SYN packet, it will
respond with an updated timestamp from any of the following SYN packets.
The timestamp value inside suricata is not being updated at any time
which should happen. This patch fixes that problem.
Bug: #4376.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
(cherry picked from commit f50af12068)

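The SYN_SENT timestamp problem above, reduced to a minimal tracker as an added example (not Suricata's stream engine): the stored client TSval is either frozen at the first SYN, which is the bug, or refreshed on every SYN retransmission, and the SYN/ACK's TSecr is validated against it. Names and the constructed timestamp values are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per-session state while the flow sits in SYN_SENT. */
struct syn_sent_state {
    uint32_t client_ts;   /* TSval of the most recently recorded SYN */
    bool     have_ts;
};

/* Record a SYN. With refresh_on_retransmit == false the TSval of the
 * first SYN is kept forever (the bug); with true, each retransmitted
 * SYN replaces it, matching what the server will actually echo back. */
static void on_syn(struct syn_sent_state *s, uint32_t tsval,
                   bool refresh_on_retransmit)
{
    if (!s->have_ts || refresh_on_retransmit) {
        s->client_ts = tsval;
        s->have_ts = true;
    }
}

/* SYN/ACK validation: the server echoes, in TSecr, the TSval of the SYN
 * it received. Accept only if it matches the tracked value. */
static bool validate_synack(const struct syn_sent_state *s, uint32_t tsecr)
{
    return s->have_ts && tsecr == s->client_ts;
}

/* Scenario from the bug report, constructed: the first SYN (TSval 100)
 * never reaches the server; the retransmitted SYN (TSval 150) does, and
 * the server answers with TSecr 150. Returns whether the SYN/ACK passes. */
static bool replay_lost_first_syn(bool refresh_on_retransmit)
{
    struct syn_sent_state s = { 0, false };
    on_syn(&s, 100, refresh_on_retransmit);
    on_syn(&s, 150, refresh_on_retransmit);
    return validate_synack(&s, 150);
}
```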
When trying to propagate the depth/offset, within/distance chains
a logic error would set too a restrictive depth on a pattern that
followed more than one "unchained" patterns.
Bug: #5162.
(cherry picked from commit 8d20b40cdd)

Use a macro to validate the ranges for overflows. This removes
the clutter of all the checks and warnings, and also no longer
puts the state machine in an undefined state when hitting such
a condition.
(cherry picked from commit 50d02ebc05)

Rules that look like they should be IP-only but contain a negated rule
address are now marked with an LIKE_IPONLY flag. This is so they are
treated like IPONLY rules with respect to flow action, but don't
interfere with other IPONLY processing like using the radix tree.
Ticket: #5361
(cherry picked from commit c8a5207083)