Commit Graph

1324 Commits (6af634b19b36891d282c628a155345f9b37cbed9)

Author SHA1 Message Date
Lukas Sismis e0f2cdf7c3 hs: prune stale MPM cache files
Hyperscan MPM can cache the compiled contexts to files.
This however grows as rulesets change and leads to bloating
the system. This addition prunes the stale cache files based
on their modified file timestamp.

Part of this work incorporates a new model for MPM cache stats
to split it out from the cache save function and aggregate
cache-related stats in one place (newly added pruning).

Ticket: 7893
(cherry picked from commit 15c83be61a)

hs: suppress TOCTOU stat use

To explain a bit more the TOCTOU issue found, we can consider
a case where Suricata starts to prune, yet externally somebody also
starts erasing cache files.
Right after Suricata checks the file age with the stat function,
somebody may delete or update the file of our interest.

Suricata's aging decision doesn't reflect the actual state of the file.
This commit additionally adds a check for noent failure of the unlink operation
(considered as a success). The code can still delete a file that is recently
updated but was considered stale.

In the documentation-following deployments this should not happen anyway as
one cache folder should only be used by a single Suricata instance (and within
Suricata instance only one thread handles cache eviction).
Additionally, the `stat` and `unlink` commands immediately follow one another, making
this scenario extra unlikely.

Additional comment in the code explains problems of using fstat and potential
issues on Windows.

Ticket: 8244
(cherry picked from commit 0fe0390a2f)

hs/cache: cleaner and more detailed output

Reduce logging level of a minor informational message.

Split tracking of pruning by age and by version and log those
separately, where the logging only appears if something has been
removed.

Ticket: 8323
(cherry picked from commit 569ba3d26f)

hs: remove redundant file handle in HSLoadCache

HSLoadCache opened the cache file but never used the resulting handle
for reading. The actual read was done by HSReadStream which opened
the same file independently.

Removed the unused fopen/fclose pair and flattened the control flow.

Ticket: 8326
(cherry picked from commit d754b28717)

hs: use binary mode for cache file I/O

HSSaveCache wrote serialized Hyperscan databases using text mode ("w")
while HSReadStream already read them with binary mode ("rb").
Matched file reading modes to the binary format and simplified
write-size check.

Ticket: 8326
(cherry picked from commit 0cdc77b707)

hs: warn about the same cache directory

This is especially relevant for multi-instance simultaneous setups
as we might risk read/write races.

(cherry picked from commit 56c1552c3e)

hs: validate cached database against current HS installation

After deserializing a cached Hyperscan database, verify that its
version, CPU features, and mode match the current Hyperscan
installation by comparing hs_database_info output against a
reference database. Reject loading incompatible caches.

Ticket: 8326
(cherry picked from commit 2e7b12dda4)

hs: include HS platform info in cache file hash

Hash Hyperscan installation info (version, CPU features, mode)
into the cache filename. A Hyperscan upgrade or platform change
would now produce a different filename, so stale caches from an
older installation are never opened.

Ticket: 8326
(cherry picked from commit d640719413)

hs: address coverity warning in a reference string

Move the locking mechanism outside of the getter function and hold the
lock until the reference string is no longer reused.

** CID 1682023:       Concurrent data access violations  (MISSING_LOCK)
/src/util-mpm-hs-cache.c: 139           in HSGetReferenceDbInfo()

(cherry picked from commit 6ec9e5c957)
1 month ago
Philippe Antoine 354d0b2a5c doc/stream: explain absent reassembly.depth means unlimited
Ticket: 8343
2 months ago
Philippe Antoine 984c69b5d6 doc: be more precise for decompress transforms
Ticket: 7846
(cherry picked from commit 1e0f344ab7)
2 months ago
Jason Ish f2def20eb1 doc: add more public datasets
Add:
- UNSW-NB15
- CIC-IDS2017
- CSE-CIC-IDS2018
- CIC-DDoS2019

Update formatting for better display.

(cherry picked from commit 66473f6ad7)
2 months ago
Victor Julien de64874e86 doc/userguide: add missing ipopts values
(cherry picked from commit 7e6fd09e90)
2 months ago
Victor Julien 046ee16062 doc: fix dcerpc.opnum documentation
Docs were claiming greater than, less than, etc. support even though this was never supported.

Fixes: 51be8f0238 ("doc/dcerpc: add proto keywords")

Ticket: #8330.
(cherry picked from commit 2480f8c038)
2 months ago
Sven Cuyt 1b504d0650 doc/userguide: add link to differences-from-snort
Ticket: #8031.
(cherry picked from commit 1246f1cf8c)
2 months ago
Sven Cuyt 8dd1653e91 doc/userguide: fix table showing example payload
Ticket: #8031.
(cherry picked from commit a0cc534471)
2 months ago
Sven Cuyt f83b169d4a doc/userguide: add example with non-zero offset for relative isdataat
Ticket: #8031.
(cherry picked from commit 2d662538e5)
2 months ago
Victor Julien abd08a21c8 doc/userguide: explain isdataat absolute vs relative difference
Ticket: #8031.
(cherry picked from commit 7c5285e5e6)
2 months ago
Juliana Fajardini fbd2832c81 userguide: fix Deprecations, warn about syslog
The Deprecation note on Syslog was partly conveying the opposite
message, and we were missing a deprecation notice on the Syslog output
section.

(cherry picked from commit 926fde859e)
2 months ago
Philippe Antoine 254ba73e65 detect/transforms: add zlib_deflate transform
Ticket: 7846
(cherry picked from commit 539e4ee665)
2 months ago
Philippe Antoine 609a289e46 detect/transforms: add gunzip transform
Ticket: 7846
(cherry picked from commit dbea660729)
2 months ago
Jason Ish 49a418df46 userguide/Makefile: don't add "install" to EXTRA_DIST
Adding the directory "install" to EXTRA_DIST actually triggers make
to run "make install", which is not what we want. Instead, avoid this
magic keyword and list the files in the install directory
individually.

If the user doesn't have permission to install files to the prefix,
like "/usr", then "make dist" can fail. Worse, even if they do have
permission to write into the prefix, a "make dist" will install files
there when it shouldn't.

Ticket: #8279
(cherry picked from commit 2defd5ae5a)
2 months ago
Juliana Fajardini c8e2301922 devguide: add chapter about exception policies
Adds a chapter indicating what the main steps are when adding exception
policies, how it is possible to extend them, as well as the main aspects and
files to consider when doing so.

Task #5612

(cherry picked from commit 48b15ac152)
2 months ago
Andreas Dolp a25eded66c doc/userguide: fix within-distance pointer graphics in payload-keywords doc
Redmine ticket: #8261

According to [1], the within pointer (if combined with distance)
includes the distance pointer, which is not clearly visible in the
graphic.

Fixed this in a new graphic by some GIMP arts.

PS: Special thanks to one of our team members Annika C. for initially
spotting this!

[1] https://forum.suricata.io/t/is-within-affected-by-distance/1688

(cherry picked from commit 69eb567dea)
3 months ago
Juliana Fajardini 626f6efbe9 docs: use correct suricata version mentions
Found with 'git grep suricata-7'

Task #8113

(cherry picked from commit a1f088cc65)
3 months ago
Victor Julien d782b432af doc/userguide: endswith can be mixed with offset/distance/within
Bug: #5030.
(cherry picked from commit 73a873ecfe)
3 months ago
Jason Ish bdbc38bca2 dnp3: bound the maximum number of objects per tx
Default to 2048, but provide a user configuration value.

Ticket: #8181
(cherry picked from commit 2c95f1ff44)
3 months ago
Jason Ish c03a8db521 dnp3: set a bound on the number of points per message
16384 is used as the max, but a configuration parameter has been
provided. The reason for setting an upper bound is that bit flags can
create a memory amplification as we parse them into individual data
structures.

Ticket: #8181
(cherry picked from commit 3a32bb5743)
3 months ago
Jason Ish 377c8fded8 dnp3: reduce flood threshold to 32 and make configurable
Lower the number of unreplied requests from 500 to 32 to consider a
flood. At the very least this is an anomaly given the DNP3 spec mentions
that DNP3 should only have one outstanding request at a time, with an
exception for unsolicited responses, so in practice no more than 2
should be seen.

Additionally make this value configurable by introducing the max-tx
parameter.

Ticket: #8181
(cherry picked from commit a16f087b93)
3 months ago
Shivani Bhardwaj 70655fa01e doc: add dcerpc.max-stub-size config param
(cherry picked from commit 6702791a9c)
3 months ago
Juliana Fajardini a1f59cb950 userguide: highlight exceptions interactions
In corner cases, we assume that a midstream exception policy could be
triggered by a prior exception policy in effect. Explain this in the
docs.

Task #5830

(cherry picked from commit 0ca874b678)
4 months ago
Jeff Lucovsky 8e75f21e4f doc/luaxform: Clarify luaxform calling convention
Issue: 8135

Clarify the calling convention for the Lua transform's `transform`
function.

(cherry picked from commit 845544aad3)
4 months ago
Victor Julien fb1d52f1bd mpm: remove remaining ac-bs references
(cherry picked from commit 08d625bb10)
4 months ago
Victor Julien c9b730a123 doc/af-packet: document disable-hwtimestamp option
Ticket: #1954.
(cherry picked from commit be2c40bde7)
4 months ago
Philippe Antoine 2f9762ccb1 detect/ssl: properly handle negation in ssl_version keyword
Ticket: 3220

DetectSslVersionMatch did not properly handle negation.
It could never match on a signature with ssl_version: !tls1.3
That is because, if we had such a signature and network traffic
with tls1.1, we were looking into DetectSslVersionData field
for tls1.1, which was not set, instead of looking at field
for tls1.3 which was set with negated flag.

Previous DetectSslVersionData was holding redundant information.
It did not need to have it for each ssl version, but just globally.
Also, it did not need to hold the version as a value in the array,
as it was redundant with the index of the array.

(cherry picked from commit c93e69830a)
4 months ago
Juliana Fajardini c2e82ece8b devguide: update backports policy for Suricata 7.0
Also remove mentions of `master` and `6.0x`.

Task #7937

(cherry picked from commit 6c06ab6144)
5 months ago
Juliana Fajardini a7631217de doc: remove remaining references to pruned flows
These were removed with a5587fec2e but these mentions went under the
radar.

(cherry picked from commit 1647081b29)
5 months ago
Jeff Lucovsky 9fa7756ba7 doc/luaxform: Remove init function from example
Issue: 8035

The `luaxform` transform doesn't support the `init` function. This
commit removes that from the example and clarifies how functions in the
Lua script are used.

(cherry picked from commit b02d9bb4f1)
5 months ago
Victor Julien d3aa4dd85e exception-policy: rename 'reject-both' to 'rejectboth'
To align it with the rule action.

(cherry picked from commit ec65fd430e)
6 months ago
Victor Julien 879561859b doc/userguide: document reject-both exception policy
Ticket: #5974.
(cherry picked from commit 0c4a8fd183)
6 months ago
Jason Ish 88077adbe0 doc/devguide: document eve callback
Document the callback for adding additional data to EVE.

Ticket: #4708
(cherry picked from commit cdd4ea0f11)
6 months ago
Jason Ish 8de8019e03 doc/devguide: document eve file types
Ticket: #4708
(cherry picked from commit 9fffc09ad7)
6 months ago
Victor Julien 84c3fdc5f4 doc/userguide: add rule hooks to protocol doc
Ticket #7662.

(cherry picked from commit be5c83ed53)
6 months ago
Victor Julien da9d0fbad6 doc/userguide: add xbits tx scope support
Ticket #7680.

(cherry picked from commit 480e664b4c)
6 months ago
Jeff Lucovsky a1f5c67211 doc/output: Highlight ethertype value change
Issue: 8007

Highlight the change to how ether_type values are displayed. Previously,
they were displayed in network order as a decimal value.

They are now displayed in host order as a decimal value.

(cherry picked from commit 16d124cfda)
6 months ago
Jason Ish a4f722fca0 doc/userguide: add a known issues page
The idea of this page is to track known issues on a release branch
that we do not plan to fix.
6 months ago
Andreas Dolp 58c46937ee doc: fix typo /var/run/suricata in file permissions docs.
(cherry picked from commit 375b5dd306)
6 months ago
Andreas Dolp c92eb0131a doc: fix typo and missing newline in rules/ssh_keywords.
(cherry picked from commit cc590b54c7)
6 months ago
Andreas Dolp 62d2a69f8a doc: fix doc syntax error in rate_filter example.
(cherry picked from commit 228abb7da0)
6 months ago
Juliana Fajardini 9a66ac0696 doc/install: fix minor typo 7 months ago
Juliana Fajardini c045a61d53 doc: remove outdated GITGUIDE 7 months ago
Victor Julien 46203de0e9 doc: adjust for master to main rename 7 months ago
Victor Julien e62eb00459 doc/userguide: add ips chapter; add concept
Move setup guides into the new chapter as well.

Explain `stream.inline` logic.

Ticket: #5513.
Ticket: #6284.
7 months ago
Philippe Antoine 9146fc8957 doc: upgrade note about keyword tls.cert_subject
Following commit 5379b52af2,
rules that use the keyword tls.cert_subject multiple times
will result in

Warning: detect: duplicate instance for tls.cert_subject

These rules likely meant to use a multi-buffer which is not the
case for tls.cert_subject (even if it was documented so).

Ticket: 7890

This is put in a new section of upgrade notes for
upgrading to 8.0.1
7 months ago
Juliana Fajardini 27e165f760 doc/rules/index: keep rule types doc near the end
As this chapter is more meta than about rule keywords, keep it by the
end of the index, to have some semantic separation from the other
sections.
7 months ago
Juliana Fajardini d5810a42e1 userguide: document how suricata processes rules
Added a page that explains how rules are prioritized by Suri, as well
as what main different types of inspection happen and what elements are
involved when ordering rules.

Task #5449
7 months ago
Shivani Bhardwaj b21f737aee doc: add doc on internals of inspection of raw data
Explain briefly the internals of inspection of raw data in the following order:
- Stream Engine
- Stream reassembly
- Role of Detection Engine and Applayer Parsers
- High level communication between Stream and Detection Engine
- Relevant suricata.yaml settings

along with some diagrams.

Ticket 4351
7 months ago
Shivani Bhardwaj 9ed5ac7669 doc: make firewall table names consistent 8 months ago