Commit Graph

17894 Commits (7dbae32eda0118fefccee25c53134242d0df8d76)

Author SHA1 Message Date
Andreas Dolp 7dbae32eda python/Makefile.am: fix file permissions of python/suricata/config/defaults.py
The install command, by default, sets 0755 if -m is not specified, so the
file python/suricata/config/defaults.py will be marked as an executable,
though it isn't.

(cherry picked from commit fcbae97a1f)
6 months ago
Victor Julien d3aa4dd85e exception-policy: rename 'reject-both' to 'rejectboth'
To align it with the rule action.

(cherry picked from commit ec65fd430e)
6 months ago
Victor Julien 879561859b doc/userguide: document reject-both exception policy
Ticket: #5974.
(cherry picked from commit 0c4a8fd183)
6 months ago
Victor Julien 4905f38470 exception-policy: add 'reject-both' option
Allow rejecting both sides of a connection. Has the same support
as regular reject (which is essentially rejectsrc).

Ticket: #5974.
(cherry picked from commit acb769291a)
6 months ago
Philippe Antoine 647bfad14d output/jsonbuilder: helper function SCJbSetPrintAsciiString
To replace C PrintStringsToBuffer and avoid a stack alloc
+ copy

Ticket: 8004
(cherry picked from commit 7447651fa0)
6 months ago
Victor Julien d364b04a59 lua: remove luajit pushlstring workaround
81ee6f5aad ("lua: push correct length back through ScFlowvarGet, work around valgrind warning")
added a workaround for valgrind warnings in pushing a string buffer
into the lua state. This is no longer needed as tested with both
address sanitizer and valgrind.

(cherry picked from commit 52fd61dffd)
6 months ago
Jason Ish 88077adbe0 doc/devguide: document eve callback
Document the callback for adding additional data to EVE.

Ticket: #4708
(cherry picked from commit cdd4ea0f11)
6 months ago
Jason Ish 8de8019e03 doc/devguide: document eve file types
Ticket: #4708
(cherry picked from commit 9fffc09ad7)
6 months ago
Juliana Fajardini 183cd8a2d2 output/eve: fix typos
To accompany documentation work done in

Task #4708

(cherry picked from commit 6b75b937ff)
6 months ago
Jason Ish 8eb349e08d requirements.txt: update to suricata-update 1.3.7
6 months ago
Philippe Antoine 02ef2655f9 util/var: add NULL check in VarNameStoreRegister
And check return value in entropy keyword setup

(cherry picked from commit 854201703e)
6 months ago
Philippe Antoine c935f08cd9 detect: fix null deref with entropy keyword
Ticket: 7959

Usage of entropy with base64_data led to NULL dereference

(cherry picked from commit 6d703af505)
6 months ago
Jeff Lucovsky ee3900f92d detect/ip.src: Allow use with transforms
This commit registers ip.src/ip.dst properly so they can be used with
transforms.

Issue: 8015
(cherry picked from commit 7e0d6f4a1e)
6 months ago
Amir Boussejra f30989e8c9 flow-timeout: Use yaml config value for CAPTURE_BYPASSED flow
Instead of non configurable constant FLOW_BYPASSED_TIMEOUT

Ticket: #8014
(cherry picked from commit 56c8db6cb6)
6 months ago
Shivani Bhardwaj a6f9ca15b9 applayer/tls: do not free SAN for decoding error
SSL connp maintains all the state and certificate data that was
parsed/decoded successfully and it must retain that for later usage.
There should be just one place to free this object which is SSLStateFree
for both the directions. By freeing the connp data during parsing error,
there is room for memory errors.
This works so far because the field parsed after this cannot error out so
if there's an error parsing this, it anyway does not exist. However, this
is incorrect and leaves scope for mistakes.

Remove this extra free and treat SAN like all other TLS keywords.

Bug 7996

(cherry picked from commit b090fc61fd)
6 months ago
Lukas Sismis 64fa747b6a github-ci: build-test DPDK v23.11.x and v24.11.x
Ticket: 7978
(cherry picked from commit 7ca95eeec0)
6 months ago
Lukas Sismis 1f0b3dad24 github-ci: bump up tested DPDK versions
Ubuntu 20.04, distro suited at the time for 8.0.x, still contains
DPDK 19.11 in the pkg repository, so it keeps being build-tested as
opposed to the 9.0.x version.

(cherry picked from commit ee0b08692c)
6 months ago
Lukas Sismis 7c08dea05c dpdk: suppress a warning of the bond function
DPDK Bonding API has been changed in DPDK version 23.11 where
the old *slave* API was marked as deprecated and the new *member*
API was marked as experimental.
This was unfortunately executed by marking both API variants
at the same time. The deprecated version is removed from the follow
up versions while the experimental version will become stable
in the next DPDK releases. This is based on a policy in DPDK where
an API change needs to be merged in main for 1 stable release before
removing the experimental flag.

In DPDK 24.11 this has been fixed and warning suppression is not
added.

Ticket: 7990
(cherry picked from commit 27383f878d)
6 months ago
Lukas Sismis 5b8f14a67f dpdk: fix the CPU exclude logic
The exclude function incorrectly performs a XOR operation. While it
works when the worker cores occupy all cores, it is not the correct
operation. For example, when a core is affined to only management
and not worker threads, the XOR operation affines it to the worker set.
(1 XOR 0 -> 1, where in fact the desired outcome is 0)

Ticket: 7976
(cherry picked from commit 8f63094744)
6 months ago
Victor Julien 84c3fdc5f4 doc/userguide: add rule hooks to protocol doc
Ticket #7662.

(cherry picked from commit be5c83ed53)
6 months ago
Victor Julien da9d0fbad6 doc/userguide: add xbits tx scope support
Ticket #7680.

(cherry picked from commit 480e664b4c)
6 months ago
Jeff Lucovsky a1f5c67211 doc/output: Highlight ethertype value change
Issue: 8007

Highlight the change to how ether_type values are displayed. Previously,
they were displayed in network order as a decimal value.

They are now displayed in host order as a decimal value.

(cherry picked from commit 16d124cfda)
6 months ago
Jeff Lucovsky e8261f4c55 output: Display ethertype properly
Ethertype values are now converted from network format to host format
before display occurs. Displayed values are now in hex instead of
integers.

Without this change, ethertype values such as 0xfbb7 are
displayed in decimal as: 47099 (0xb7fb).

The actual value is 64439 (0xfbb7); all logged ether_type values
will be displayed in host order in decimal format. This example
will log the ether type as 64439

Issue: 7855
(cherry picked from commit 0af7793410)
6 months ago
Victor Julien 24b5bee821 pcap-log: fix bpf-filter not set for multi mode
Bug: #8002.
(cherry picked from commit 2f633be1a9)
6 months ago
Jason Ish 7e3b646707 ci: remove cargo update test
Being the stable branch, cargo update doesn't make much sense unless we
have a specific reason to update a crate. The audit check has been
left, which will alert us to crates that may need an update.
6 months ago
Jason Ish a4f722fca0 doc/userguide: add a known issues page
The idea of this page is to track known issues on a release branch
that we do not plan to fix.
6 months ago
Jason Ish 35464150de ike: don't log duplicate attributes
Track what attributes have been logged and skip over duplicate
attributes to avoid having duplicate fields in the JSON object, which
is invalid JSON.

This is lossy, subsequent attributes are lost.

Ticket: #7923
6 months ago
Jason Ish 7e6084e44f ike/detect: info log message should be debug
(cherry picked from commit b543e28402)
6 months ago
Philippe Antoine 77057e1cd8 http2: add INTERNAL_ERROR for http2.error_code keyword
6 months ago
Philippe Antoine 77d5c7c324 http2: fix parsing of goaway frames
There was a last stream id before the error code,
as per section 6.8 of RFC 7540.

Ticket: 7991
(cherry picked from commit 9a4a29e218)
6 months ago
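The GOAWAY layout the commit above refers to, as an added stand-alone example (my code, not Suricata's Rust parser): RFC 7540 section 6.8 puts a 1-bit reserved flag and a 31-bit Last-Stream-ID before the 32-bit error code, so a parser that reads the error code at offset 0 gets the stream id instead. The error-code name table is taken from RFC 7540 section 7; the sample payload is constructed, and the helper names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* GOAWAY payload, RFC 7540 section 6.8:
 *   R(1) | Last-Stream-ID(31) | Error Code(32) | Additional Debug Data(*) */
typedef struct {
    uint32_t last_stream_id;
    uint32_t error_code;
    const uint8_t *debug_data;
    size_t debug_len;
} Http2GoAway;

static uint32_t ReadBe32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse a GOAWAY frame payload (the 9-byte frame header is already stripped). */
bool Http2ParseGoAway(const uint8_t *payload, size_t len, Http2GoAway *out) {
    if (payload == NULL || out == NULL || len < 8) return false; /* both fixed fields are mandatory */
    out->last_stream_id = ReadBe32(payload) & 0x7fffffffu;       /* drop the reserved bit */
    out->error_code = ReadBe32(payload + 4);
    out->debug_data = payload + 8;
    out->debug_len = len - 8;
    return true;
}

/* The kind of mistake the fix addresses: reading the error code at offset 0
 * returns the reserved bit plus Last-Stream-ID, not the error code. */
uint32_t Http2GoAwayErrorCodeOffsetZero(const uint8_t *payload, size_t len) {
    return len >= 4 ? ReadBe32(payload) : 0xffffffffu;
}

/* Error code names, RFC 7540 section 7. */
const char *Http2ErrorCodeName(uint32_t code) {
    static const char *const names[] = {
        "NO_ERROR", "PROTOCOL_ERROR", "INTERNAL_ERROR", "FLOW_CONTROL_ERROR",
        "SETTINGS_TIMEOUT", "STREAM_CLOSED", "FRAME_SIZE_ERROR", "REFUSED_STREAM",
        "CANCEL", "COMPRESSION_ERROR", "CONNECT_ERROR", "ENHANCE_YOUR_CALM",
        "INADEQUATE_SECURITY", "HTTP_1_1_REQUIRED",
    };
    return code < sizeof(names) / sizeof(names[0]) ? names[code] : "UNKNOWN";
}

bool Http2ErrorCodeIs(uint32_t code, const char *name) {
    return strcmp(Http2ErrorCodeName(code), name) == 0;
}

/* Constructed sample: reserved bit set, Last-Stream-ID 5, error code 2 (INTERNAL_ERROR), debug data "bye". */
static const uint8_t kGoAwaySample[] = {
    0x80, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x02, 'b', 'y', 'e'
};

/* Field accessors on the sample: which = 0 last_stream_id, 1 error_code, 2 debug_len. */
uint32_t SampleGoAwayField(int which) {
    Http2GoAway g;
    if (!Http2ParseGoAway(kGoAwaySample, sizeof kGoAwaySample, &g)) return 0xffffffffu;
    if (which == 0) return g.last_stream_id;
    if (which == 1) return g.error_code;
    return (uint32_t)g.debug_len;
}

/* True if a truncated prefix of the sample still parses (it must not below 8 bytes). */
bool SampleGoAwayParsesTruncated(size_t len) {
    Http2GoAway g;
    return Http2ParseGoAway(kGoAwaySample, len, &g);
}
```

Truncation matters as much as field order: a peer can send a GOAWAY with fewer than 8 bytes of payload, and the length check is what keeps the two fixed-field reads in bounds.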
Andreas Dolp 3e071d73c6 doc: fix typo duplicate 'of'
Thanks to catenacyber

(cherry picked from commit 37d748d441)
6 months ago
Andreas Dolp 58c46937ee doc: fix typo /var/run/suricata in file permissions docs.
(cherry picked from commit 375b5dd306)
6 months ago
Andreas Dolp c92eb0131a doc: fix typo and missing newline in rules/ssh_keywords.
(cherry picked from commit cc590b54c7)
6 months ago
Andreas Dolp 62d2a69f8a doc: fix doc syntax error in rate_filter example.
(cherry picked from commit 228abb7da0)
6 months ago
Adam Kiripolsky e3433c75fc dpdk: fix assignment of pkt_mempools to ldev
Removed loop around assignment of pkt_mempools
to ldev_instance->dpdk_vars as it is not needed anymore.

Ticket: 7879
(cherry picked from commit 5a4d280461)
6 months ago
Philippe Antoine c8897f4407 scripts: setup app layer rustfmt mod.rs last
Otherwise rustfmt complains that parser.rs does not exist yet

(cherry picked from commit f7f8fbc116)
6 months ago
Victor Julien c12680de1b detect/content: don't leak replace memory
Replace keyword updates a prior content with a heap allocation of the
pattern the content should be replaced with. Make sure this is freed as
well.

Bug: #7997.
(cherry picked from commit ce9c7a024e)
6 months ago
Victor Julien f9cddc004c output: fix long logline test
Fixes: 023a2fe9ab ("unittests: fix format-truncation warning")
(cherry picked from commit b7650a45fa)
6 months ago
Victor Julien 76d6c75634 unittests: disable LogCustomFormatTest01 for MinGW
Test was previously not run so it was missed that it fails.

(cherry picked from commit c8cb029de9)
6 months ago
Victor Julien 62793c573f unittests: don't leak memory with --list-unittests
(cherry picked from commit 57d1f20dfa)
6 months ago
Philippe Antoine 89cbaa7153 detect/files: support protocols only over udp
Ticket: 7973

Files were supported on both TCP and UDP. But file detection keywords
such as file.data made signature loading fail if the signature
was using an app-layer protocol that is enabled on UDP only, even
if the signatures could run smoothly.

(cherry picked from commit c99e159341)
6 months ago
Fupeng Zhao 693ca03379 decoder/vxlan: fix VXLAN port detection per RFC 7348
Simplify DecodeVXLANEnabledForPort() to only check the destination port
to avoid false positives when identifying VXLAN traffic.

Per RFC 7348 §5, VXLAN identification is based solely on the outer UDP
destination port (4789), regardless of inner packet direction. The
outer UDP source port is used for load balancing via inner packet
hash and should not be considered for VXLAN detection. This ensures
correct VXLAN identification for all encapsulated traffic patterns.

Checking both source and destination ports could incorrectly classify
non-VXLAN UDP traffic as VXLAN when the source port happens to be 4789,
leading to false positives in VXLAN detection and potential decode errors.

(cherry picked from commit 7a04a032b9)
6 months ago
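A small decoder that ties together the two decoding points above, the ether_type byte-order fix and the VXLAN destination-port-only rule, as an added stand-alone example (my code, not Suricata's decoder). It reads the EtherType as big-endian (what ntohs() does on a little-endian host), shows the swapped value a raw host-order read would produce for the commit's 0xfbb7 example, walks a minimal Ethernet/IPv4/UDP header to the UDP ports, and compares the RFC 7348 check against the either-port check that mis-classified traffic whose source port happened to be 4789. The frame builder and its 42-byte frames are constructed test input; function names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHERTYPE_IPV4   0x0800
#define IPPROTO_UDP_NUM  17
#define VXLAN_UDP_PORT   4789

/* Wire fields are big-endian (network order). */
static uint16_t ReadBe16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static void WriteBe16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* EtherType converted to host order: the value the fixed logger displays. */
bool EthernetTypeHostOrder(const uint8_t *frame, size_t len, uint16_t *out) {
    if (frame == NULL || out == NULL || len < 14) return false;
    *out = ReadBe16(frame + 12);
    return true;
}

/* What a host-order read of the raw bytes yields on a little-endian machine:
 * the two bytes swapped, so 0xfbb7 comes out as 0xb7fb (47099 instead of 64439). */
uint16_t EthernetTypeByteSwapped(const uint8_t *frame) {
    return (uint16_t)(((uint16_t)frame[13] << 8) | frame[12]);
}

typedef struct { uint16_t ethertype; uint16_t sport; uint16_t dport; } UdpPorts;

/* Minimal Ethernet/IPv4/UDP decode, just enough to reach the outer UDP ports. */
bool DecodeEthIpv4Udp(const uint8_t *p, size_t len, UdpPorts *out) {
    if (!EthernetTypeHostOrder(p, len, &out->ethertype) || out->ethertype != ETHERTYPE_IPV4) return false;
    if (len < 14 + 20) return false;
    const uint8_t *ip = p + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != IPPROTO_UDP_NUM || len < 14 + ihl + 8) return false;
    out->sport = ReadBe16(ip + ihl);
    out->dport = ReadBe16(ip + ihl + 2);
    return true;
}

/* RFC 7348 section 5: only the outer UDP destination port identifies VXLAN;
 * the source port is an entropy value derived from the inner packet. */
bool VxlanByDstPort(uint16_t sport, uint16_t dport) { (void)sport; return dport == VXLAN_UDP_PORT; }

/* Pre-fix shape of the check: either port equal to 4789 counted. */
bool VxlanByEitherPort(uint16_t sport, uint16_t dport) {
    return sport == VXLAN_UDP_PORT || dport == VXLAN_UDP_PORT;
}

/* Constructed 42-byte Ethernet/IPv4/UDP frame: zero addresses and checksums, empty payload. */
size_t BuildUdpFrame(uint8_t *buf, size_t cap, uint16_t sport, uint16_t dport) {
    if (cap < 42) return 0;
    memset(buf, 0, 42);
    WriteBe16(buf + 12, ETHERTYPE_IPV4);
    buf[14] = 0x45;               /* IPv4, IHL 5 */
    WriteBe16(buf + 16, 28);      /* total length: 20 IP + 8 UDP */
    buf[22] = 64;                 /* TTL */
    buf[23] = IPPROTO_UDP_NUM;
    WriteBe16(buf + 34, sport);
    WriteBe16(buf + 36, dport);
    WriteBe16(buf + 38, 8);       /* UDP length */
    return 42;
}

/* 1 = VXLAN, 0 = not VXLAN, -1 = frame does not decode as Ethernet/IPv4/UDP. */
int VxlanVerdict(uint16_t sport, uint16_t dport, bool pre_fix_logic) {
    uint8_t frame[64];
    UdpPorts u;
    size_t len = BuildUdpFrame(frame, sizeof frame, sport, dport);
    if (!DecodeEthIpv4Udp(frame, len, &u)) return -1;
    bool vx = pre_fix_logic ? VxlanByEitherPort(u.sport, u.dport) : VxlanByDstPort(u.sport, u.dport);
    return vx ? 1 : 0;
}

/* The commit's example: a frame whose EtherType bytes on the wire are fb b7. */
uint16_t SampleEtherType(bool byte_swapped) {
    uint8_t frame[14] = {0};
    uint16_t t = 0;
    frame[12] = 0xfb;
    frame[13] = 0xb7;
    if (byte_swapped) return EthernetTypeByteSwapped(frame);
    EthernetTypeHostOrder(frame, sizeof frame, &t);
    return t;
}
```

A DNS reply that happens to leave a client on source port 4789 is the case the either-port check got wrong: VxlanVerdict(4789, 53, true) says VXLAN and would hand a DNS payload to the VXLAN decoder, while the destination-port rule rejects it.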
Juliana Fajardini 9a66ac0696 doc/install: fix minor typo
7 months ago
Juliana Fajardini c045a61d53 doc: remove outdated GITGUIDE
7 months ago
Philippe Antoine eef5794e5a mime: retain some stateful data for quoted-printable
In case a sequence like =3D is split over 2 calls to SCSmtpMimeParseLine

Ticket: 7950
(cherry picked from commit 56e08c9134)
7 months ago
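The split-escape case from the commit above, as an added stand-alone example (my code, not Suricata's MIME parser): a quoted-printable decoder that keeps the partial "=" or "=X" of an escape in a state struct between calls, so "=3D" still decodes to "=" when the chunk boundary falls inside it. QpSplitMatches feeds a constructed input in two calls and, with stateful=false, resets the state between them to show the corruption a stateless per-call decoder produces. Function and type names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decoder state carried between chunks: the partial escape seen so far ("=" or "=X"). */
typedef struct {
    uint8_t pending[2];
    size_t pending_len;
} QpState;

static int HexVal(uint8_t c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

void QpInit(QpState *st) { st->pending_len = 0; }

/* Decode one chunk. An escape cut off at the end of the chunk is parked in st and
 * completed by the next call. Returns bytes written, or (size_t)-1 if out is too
 * small; output never exceeds pending_len + inlen. */
size_t QpDecodeChunk(QpState *st, const uint8_t *in, size_t inlen, uint8_t *out, size_t outcap) {
    if (outcap < inlen + st->pending_len) return (size_t)-1;
    size_t w = 0;
    for (size_t i = 0; i < inlen; i++) {
        uint8_t c = in[i];
        if (st->pending_len == 0) {
            if (c == '=') st->pending[st->pending_len++] = c;
            else out[w++] = c;
        } else if (st->pending_len == 1) {                 /* have "=" */
            if (HexVal(c) >= 0 || c == '\r') st->pending[st->pending_len++] = c;
            else if (c == '\n') st->pending_len = 0;       /* soft line break "=\n" */
            else { out[w++] = '='; out[w++] = c; st->pending_len = 0; }
        } else {                                           /* have "=X" */
            uint8_t x = st->pending[1];
            st->pending_len = 0;
            if (x == '\r') {                               /* soft line break "=\r\n" */
                if (c != '\n') i--;                        /* no LF: re-read c as ordinary text */
            } else if (HexVal(c) >= 0) {
                out[w++] = (uint8_t)((HexVal(x) << 4) | HexVal(c));
            } else {                                       /* malformed escape: pass through literally */
                out[w++] = '='; out[w++] = x; out[w++] = c;
            }
        }
    }
    return w;
}

/* End of stream: a dangling "=" or "=X" is malformed and is emitted literally;
 * a dangling "=\r" is treated as a soft break and dropped. */
size_t QpFinish(QpState *st, uint8_t *out, size_t outcap) {
    size_t n = st->pending_len;
    if (n == 2 && st->pending[1] == '\r') n = 0;
    if (outcap < n) return (size_t)-1;
    memcpy(out, st->pending, n);
    st->pending_len = 0;
    return n;
}

/* Decode input in two calls split at 'split' and compare with expected. With
 * stateful=false the decoder is flushed and reset between the calls, which is
 * the behaviour that loses escapes straddling the boundary. */
bool QpSplitMatches(const char *input, size_t split, const char *expected, bool stateful) {
    uint8_t out[256];
    size_t len = strlen(input), w = 0, n;
    QpState st;
    if (split > len || len > 100) return false;
    QpInit(&st);
    n = QpDecodeChunk(&st, (const uint8_t *)input, split, out, sizeof out - w);
    if (n == (size_t)-1) return false;
    w += n;
    if (!stateful) {
        n = QpFinish(&st, out + w, sizeof out - w);
        if (n == (size_t)-1) return false;
        w += n;
        QpInit(&st);
    }
    n = QpDecodeChunk(&st, (const uint8_t *)input + split, len - split, out + w, sizeof out - w);
    if (n == (size_t)-1) return false;
    w += n;
    n = QpFinish(&st, out + w, sizeof out - w);
    if (n == (size_t)-1) return false;
    w += n;
    return w == strlen(expected) && memcmp(out, expected, w) == 0;
}

/* True if every split point of input decodes to expected with the stateful decoder. */
bool QpAllSplitsMatch(const char *input, const char *expected) {
    for (size_t s = 0; s <= strlen(input); s++)
        if (!QpSplitMatches(input, s, expected, true)) return false;
    return true;
}
```

The property worth checking on any chunked decoder is the one QpAllSplitsMatch asserts: the output must not depend on where the caller's buffer boundaries fall, including boundaries inside an escape or between the CR and LF of a soft line break.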
Jeff Lucovsky 4e120c0a2d ci/mt: Include MT tests in CI workflows
Add the MT live tests to the CI workflow.

(cherry picked from commit 846eb44a9d)
7 months ago
Jeff Lucovsky 3420968d93 mt/ci: Add MT live test
Add MT live test capability:
- multi-tenant.sh: harness that sets up and steps through MT steps
- suricata-mt.yaml: Adds MT capability to Suricata
- tenant-1.yaml: Per-tenant configuration file

(cherry picked from commit 51c9609c7c)
7 months ago
Victor Julien ef91b8544c github-actions: add validate cherry-pick line check
7 months ago
Cheng Longfei e13fe6a90d lua: fix null dereference in tx HTTP accessor functions
Fix crashes in Lua when calling tx:response_line(), tx:request_line(),
tx:request_uri_raw(), or tx:request_host() on incomplete or malformed
HTTP transactions.

These functions return bstr pointers which may be NULL. Add NULL
checks before calling bstr_ptr() and bstr_len() to avoid segfaults.

Ticket: #7829
(cherry picked from commit 9fb33bbaf6)
7 months ago
Philippe Antoine dae9264120 doc: really enforce more the completeness of json schema
Completes commit f1f32a39ee

And better describe exception_policy
7 months ago