The install command, by default, sets 0755 if -m is not specified, so the
file python/suricata/config/defaults.py will be marked as an executable,
though it isn't.
(cherry picked from commit fcbae97a1f)
Allow rejecting both sides of a connection. Has the same support
as regular reject (which is essentially rejectsrc).
Ticket: #5974.
(cherry picked from commit acb769291a)
81ee6f5aad ("lua: push correct length back through ScFlowvarGet, work around valgrind warning")
added a workaround for valgrind warnings in pushing a string buffer
into the lua state. This is no longer needed as tested with both
address sanitizer and valgrind.
(cherry picked from commit 52fd61dffd)
SSL connp maintains all the state and certificate data that was
parsed/decoded successfully and it must retain that for later usage.
There should be just one place to free this object which is SSLStateFree
for both the directions. By freeing the connp data during parsing error,
there is room for memory errors.
This works so far because the field parsed after this cannot error out so
if there's an error parsing this, it anyway does not exist. However, this
is incorrect and leaves scope for mistakes.
Remove this extra free and treat SAN like all other TLS keywords.
Bug 7996
(cherry picked from commit b090fc61fd)
Ubuntu 20.04, distro suited at the time for 8.0.x, still contains
DPDK 19.11 in the pkg repository, so it keeps being build-tested as
opposed to the 9.0.x version.
(cherry picked from commit ee0b08692c)
DPDK Bonding API has been changed in DPDK version 23.11 where
the old *slave* API was marked as deprecated and the new *member*
API was marked as experimental.
This was unfortunately executed by marking both API variants
at the same time. The deprecated version is removed from the follow
up versions while the experimental version will become stable
in the next DPDK releases. This is based on a policy in DPDK where
an API change needs to merged in main for 1 stable release before
removing the experimental flag.
In DPDK 24.11 this has been fixed and warning supression is not
added.
Ticket: 7990
(cherry picked from commit 27383f878d)
The exclude function incorrectly performs a XOR operation. While it
works when the worker cores occupy all cores, it is not the correct
operation. For example, when a core is affined to only management
and not worker threads, the XOR operation affines it to the worker set.
(1 XOR 0 -> 1, where in fact the desired outcome is 0)
Ticket: 7976
(cherry picked from commit 8f63094744)
Issue: 8007
Highlight the change to how ether_type values are displayed. Previously,
they were displayed in network order as a decimal value.
They are now displayed in host order as a decimal value.
(cherry picked from commit 16d124cfda)
Ethertype values are now converted from network format to host format
before display occurs. Displayed values are now in hex instead of
integers.
Without this change, ethertype values such as 0xfbb7 are
displayed in decimal as: 47099 (0xb7fb).
The actual value is 64439 (0xfbb7); all logged ether_type values
will be displayed in host order in decimal format. This example
will log the ether type as 64439
Issue: 7855
(cherry picked from commit 0af7793410)
Being the stable branch, cargo update doesn't make much sense unless we
have a specific reason to update a crate. The audit check has been
left, which will alert us to crates that may need an update.
Track what attributes have been logged and skip over duplicate
attributes to avoid having duplicate fields in the JSON object, which
is invalid JSON.
This is lossy, subsequent attributes are lost.
Ticket: #7923
Removed loop around assignment of pkt_mempools
to ldev_instance->dpdk_vars as it is not needed anymore.
Ticket: 7879
(cherry picked from commit 5a4d280461)
Replace keyword updates a prior content with a heap allocation of the
pattern the content should be replaced with. Make sure this is freed as
well.
Bug: #7997.
(cherry picked from commit ce9c7a024e)
Ticket: 7973
Files were supported on both TCP and UDP. But file detection keywords
such as file.data made signatures loading fail if the signature
was using an app-layer protocol that enabled on udp only, even
if the signatures could run smoothly.
(cherry picked from commit c99e159341)
Simplify DecodeVXLANEnabledForPort() to only check destination port
to avoids false positives when identifying VXLAN traffic.
Per RFC 7348 §5, VXLAN identification is based solely on the outer UDP
destination port (4789), regardless of inner packet direction. The
outer UDP source port is used for load balancing via inner packet
hash and should not be considered for VXLAN detection. This ensures
correct VXLAN identification for all encapsulated traffic patterns.
Checking both source and destination ports could incorrectly classify
non-VXLAN UDP traffic as VXLAN when the source port happens to be 4789,
leading to false positives in VXLAN detection and potential decode errors.
(cherry picked from commit 7a04a032b9)
Add MT live test capability:
- multi-tenant.sh: harness that sets up and steps through MT steps
- suricata-mt.yaml: Adds MT capability to Suricata
- tenant-1.yaml: Per-tenant configuration file
(cherry picked from commit 51c9609c7c)
Fix crashes in Lua when calling tx:response_line(), tx:request_line(),
tx:request_uri_raw(), or tx:request_host() on incomplete or malformed
HTTP transactions.
These functions return bstr pointers which may be NULL. Add NULL
checks before calling bstr_ptr() and bstr_len() to avoid segfaults.
Ticket: #7829
(cherry picked from commit 9fb33bbaf6)
Andreas Dolp
Victor Julien
Philippe Antoine
Jason Ish
Juliana Fajardini
Jeff Lucovsky
Amir Boussejra
Shivani Bhardwaj
Lukas Sismis
Jeff Lucovsky
Adam Kiripolsky
Philippe Antoine
Fupeng Zhao
Cheng Longfei