The `app-layer-protocol` keyword inconsistently checks whether the
alproto is ALPROTO_UNKNOWN. In the regular match function it isn't
checked, in the prefilter function its checked for all but the "either"
mode.
This leads to false positives for negated matching, as an expression
like "!tls" will match if checked against ALPROTO_UNKNOWN.
This patch adds the checking everywhere. The keyword returns no match as
long as the alproto is ALPROTO_UNKNOWN.
Bug: #7241.
base64 crate is updated to the latest version 0.22.1. This came with
several API changes which are applied to the code. The old calls have
been replaced with the newer calls.
This was done following the availability of better fns to directly
decode into slices/vectors as needed and also that previous version was
too old.
Along with this change, update the Cargo.lock.in to reflect all changes
in the package versions.
Task 7219
Remove the ThreadExitPrintStats callback, this is the only logger that
was actually using it, and this logger is marked for deprecation. This
allows us to remove the callback from the registration signature.
Ticket: #7227
Remove the callback to print stats on thread exit. The counter value
was never being used and this helps us get rid of this callback
altogether as their is only one other usage of it.
Ticket: #7227
Using OutputCtx results in the low level output-tx packet logger being
aware of Suricata's higher level loggers that use OutputCtx, for the
low level logger this is purely opaque data that may not be an
OutputCtx for custom loggers.
Ticket: #7227
Rename OutputRegisterFlowLogger to SCOutputRegisterFlowLogger and
document in the header file.
Mark other functions in the header file as part of the internal API.
Ticket: #7227
Rename OutputRegisterPacketLogger to SCOutputRegisterPacketLogger as
its part of the public API and document its parameters.
Comment on the other functions in the header that they are part of the
internal API.
Ticket: #7227
Loggers need an ID uniquely identify them for profiling. To help with
loggers registered at runtime (library, plugins), provide a
LOGGER_USER that can be used. It won't provide per-logger details if
they have more than one, but will provide a total for all their
registered loggers.
Ticket: #7227
PgsqlTransactionState has a variant named "Init" which is a little too
generic to export to C. Fortunately this method doesn't need to be
exposed to C, instead remove it as it was only called by
rs_pgsql_tx_get_alstate_progress which also doesn't need to be public
or expose to C.
Ticket: #7227
The use of OutputCtx as the data type for initdata was leaking Eve
submodule logic into the low level packet logger. Instead use void *,
as the packet logging module is not concerned with the type of data
here.
Also document this initdata parameter.
Ticket: #7227
A library/plugin user wanting to register a custom flow logger must
include "output-flow.h", however that depends on some other includes.
One train of thought with respect to include files in libraries, is
that they should include all their dependencies on behalf of the
user. To make a custom flow logger just a little easier, include
"flow.h" and "decode.h".
Ticket: #7227
The use of OutputCtx as the data type for initdata was leaking Eve
submodule logic into the low level flow logger. Instead use void *, as
the flow logging module is not concerned with the type of data here.
Also document this initdata parameter.
Ticket: #7227
The initdata argument to OutputFlowThreadInit was always NULL, remove
it. Internally the ThreadInit functions still get initdata, but this
is the data provided when that logging instance was registered.
Ticket: #7227
We have different types of checks, all in a single list.
Adding a title of sorts to each group in the hopes of highlighting
their purposes.
When we add new items to the json schema, many times we don't add their
descriptions, while this would be the perfect time to also do that.
They have updated their docs domain, leading to the link we had
returning a 404.
Also checked the other links. Although some seem to only contain old
traffic, they all still work.
This ensures that the correct spelling of the `security_result` EVE
field for RFB (as opposed to `security-result`) is also reflected in the
documentation.
Ticket: #7210
The lookup function was not taking into account that we can have
an IPv4 or an IPv6 address as parameters and that this addresses
need to be converted to Suricata internal storage.
By using the already defined dedicated parsing function, we are
fixing the issue.
Issue: #6969
Victor Julien
Philippe Antoine
Shivani Bhardwaj
dependabot[bot]
Jason Ish
Juliana Fajardini
Sascha Steinbiss
Juliana Fajardini
Eric Leblond