Bug 5458 states that the reject action is no longer working. While SV
tests that use the reject action still pass, it indeed seems that a
regression has happened with commit aa93984, because while the
function that applies rule actions to the flow (RuleActionToFlow) does
check for the reject action, the newly added function PacketApply
SignatureActions only checks for ACTION_DROP or ACTION_PASS when
deciding to call RuleActionToFlow.
Bug #5458
A Packet may be dropped due to several different reasons. This change
adds action as a parameter, so we can update the packet action when we
drop it, instead of setting it to drop.
Related to
Bug #5458
When building with the following options:
./configure CC=clang --enable-luajit --enable-geoip --enable-unittests
There is a build failure:
runmode-unittests.c:234:9: error: implicit declaration of function 'LuajitSetupStatesPool' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
if (LuajitSetupStatesPool() != 0) {
As an SMB2 async response does not have a tree id, even if
the request has it.
Per spec, MessageId should be enough to identifiy a message request
and response uniquely across all messages that are sent on the same
SMB2 Protocol transport connection.
So, the tree id is redundant anyways.
Ticket: #5508
Our unittests were only covering sig parsing for alert actions. As in
environments without LibNet the reject action will not work, we must
ensure that our parser properly fails in such cases, instead of silently
accepting an unsupported action.
Added tests for the reject and drop action.
Task #5496
sphinx-build 5.1.1 and above throws a warning which is treated as an
error while building.
Invalid configuration value found: 'language = None'. Update your configuration to a valid language code. Falling back to 'en' (English).
MIME parsing was setting flag on URL to indicate their
estimated type. This patch attach the information to
the email object so the user can extract interesting
email directly:
```
"email": {
"status": "PARSE_DONE",
"from": "Eric Leblond <regit@regit.org>",
"to": [
"eric@regit.org"
],
"has_ipv6_url": false,
"has_ipv4_url": false,
"has_exe_url": true,
"url": [
"http://www.toto.com",
"http://perdu.com.",
"https://hacke.me/pown.exe"
]
}
```
As state fields can grow abitrarily, and this can lead to DOS
by quadratic complexity (CPU time and disk space)
Adds a direction field to retain all the information in the
transaction.
Also checks array vendor_ids had at least one element before
logging it.
Ticket: #5455
Instead of using distutils/setuptools for installing the Python code,
just install it into our own Python directory.
Distutils is being removed from Python, and setuptools doesn't work well
when trying to install into your own location. For our usage its just
simpler to install with make.
In addition to removing the configure check for distutils, also remove
the check for pyyaml. This lets the user install pyyaml after Suricata
is installed, and Suricata-Update does handle this case gracefully.
Issue: #5313
Also logs if the ticket encryption is weak.
It is different from the encryption used for the rest of the
packet, and this allows to detect kerberoasting attack.
Ticket: #5442
kerberos parser crate is also used by other procotols : nfs and
smb. These protocols use an older der_parser crate version.
Upgrading der_parser will simplify the code further.
flow-util.c: In function 'FlowEndCountersRegister':
flow-util.c:294:34: warning: 'name' may be used uninitialized in this function [-Wmaybe-uninitialized]
294 | fec->flow_tcp_state[i] = StatsRegisterCounter(name, t);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~