Commit Graph

16808 Commits (7e4de3d1b9d5cc90169acf5bdbf508c6bc54cbaf)
 

Author SHA1 Message Date
Victor Julien 5928adc852 detect: remove unused arg from get detect tx 1 year ago
Victor Julien ce948040a1 detect: don't cast void on void func 1 year ago
Victor Julien 1b541c31cb detect: remove unused args from detect flag storing 1 year ago
Victor Julien 322d3a4021 detect/mpm: fix chop flag passed on incorrectly 1 year ago
Victor Julien 7b878a3805 autoconf: don't pretent we can build w/o autoconf.h
Helps tooling like cppcheck and clang-tidy.
1 year ago
Victor Julien a8ba1e9896 macros: provide fallbacks for common macros
These are set by our build-system, but some tools like cppcheck don't use that.
1 year ago
Eric Leblond 22a71e7317 af-packet: code cleaning
clang-tidy did detect the -1 return value was not compatible with
TmEcode enum.
1 year ago
Jason Ish 0165830c70 github-ci: update actions/cache
The version we have been using will be deprecated soon.

https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down
1 year ago
AlirezaPourchali 60dd0ec8a5 doc/userguide: fix typo
Issue: #7540

fixed doc/userguide/performance/hyperscan.rst
fixed doc/userguide/performance/runmodes.rst
1 year ago
Alice Akaki 73455179d7 detect/integers: add support for negated strings when enum is used
function detect_parse_uint_enum can parse strings like !bind_request

Ticket: #7513
1 year ago
Philippe Antoine ef044b208c dcerpc: prevent integer underflow
in case a fragment has a length lesser than DCERPC_HDR_LEN

Fixes: 9daf8528b7 ("dcerpc: tidy up code")

Ticket: 7548
1 year ago
Adam Kiripolsky d9a6d5dc46 dpdk/rss: add rte_flow rss support for mlx5
The configuration of this rule is the same as for ixgbe driver except
the hash function is not RTE_ETH_HASH_FUNCTION_DEFAULT but
RTE_ETH_HASH_FUNCTION_TOEPLITZ.

The syntax in dpdk-testpmd for this rule with attributes:
	port index == 0
	used rx queue indices == 0 1 2 3
	<hash_key> == 6d5a symmetric hash key
is as follows:
"flow create 0 ingress pattern eth / end actions rss types ipv4 ipv6
end queues 0 1 2 3 end key <hash_key> key_len 40 func toeplitz / end"

Ticket: 7337
1 year ago
Adam Kiripolsky 97750bf5b5 dpdk/rss: add rte_flow rss support for ice
ice driver requires 2 rte_flow rules for matching and
redistributing incoming traffic with RSS.

The rules set up by iceDeviceSetRSSFlowIPv4() and
iceDeviceSetRSSFlowIPv6() are different only in the pattern
("pattern eth / ipv4 / end" or "pattern eth / ipv6 / end"
in dpdk-testpmd syntax) and in the hash type (ipv4 src dst / ipv6 src
dst). ice will match all ipv4 or ipv6 traffic independently of
following l4 protocol. The rules can not have queues configured,
implicitly they will use all queues available.
The hash function is set to RTE_ETH_HASH_FUNCTION_TOEPLITZ.
The hash key can not be set.

The syntax in dpdk-testpmd for rule to match all ipv4 traffic
with attributes:
	port index == 0
is as follows:
"flow create 0 ingress pattern eth / ipv4 / end actions rss types ipv4
end queues end func toeplitz / end"
(queues need to be set to NULL)

Ticket: 7337
1 year ago
Adam Kiripolsky 2296b3ba76 dpdk/rss: add rte_flow rss support for ixgbe
ixgbe driver requires different configuration of RSS rte_flow
rule than i40e, with just one generic rule matching all traffic.

The generic rule configured by DeviceCreateRSSFlowGeneric() has pattern
equivalent to "pattern eth / end" in dpdk-testpmd syntax. The rule must
have rx queues configured. The rule hashes traffic to different queues
based on ipv4 and ipv6 hash types (ipv4 src dst / ipv6 src dst).
The hash key is 40 bytes long  symmetric hash key. ixgbe does not
support any other hash function than RTE_ETH_HASH_FUNCTION_DEFAULT.

The syntax in dpdk-testpmd for this rule with attributes:
	port index == 0
	used rx queue indices == 0 1 2 3
	<hash_key> == 6d5a symmetric hash key
is as follows:
"flow create 0 ingress pattern eth / end actions rss types ipv4 ipv6
end queues 0 1 2 3 end key <hash_key> key_len 40 func default / end"

Ticket: 7337
1 year ago
Adam Kiripolsky ffe0cf88e4 dpdk/rss: move and change rss rte_flow functions
Move and adjust the base of  RSS configuration from util-dpdk-i40e.c to
a new file that can be later utilized by other cards.

RSS configuration can be configured via rte_flow rules. This is useful
for possible future features such as specific header offload
(vxlan, nvgre) also implemented via rte_flow rules, as rte_flow
rules can be chained via groups and priorities.

i40e uses multiple different rte_flow rules to setup RSS. At first,
function DeviceSetRSSFlowQueues() is used to setup rx queues.
This rule matches all types of traffic, so the equivalent
to dpdk-testpmd pattern would be "pattern end"
This rule can not contain hash types (ipv4, ipv6 etc.) nor hash key.
The hash function used here is RTE_ETH_HASH_FUNCTION_DEFAULT.

The syntax in dpdk-testpmd for this rule with attributes:
	port index == 0
	used rx queue indices == 0 1 2 3
is as follows:
"flow create 0 ingress pattern end actions rss queues 0 1 2 3 end
func default / end"

The other rules configured by i40eDeviceSetRSSFlowIPv4() and
i40eDeviceSetRSSFlowIPv6() match specific type of traffic by l4 protocol
(none, TCP, UDP, SCTP). For example, pattern to match l3 ipv4 with l4
tcp traffic in dpdk-testpmd syntax would be equivalent of
"pattern eth / ipv4 / tcp / end".
These rules can not have rx queues configured, but have hash types
(l3 src and dst address). This means that the traffic distribution
is affected only by l3 addresses, independent of the l4 specifics.

Also these pattern matching rules have symmetric 6d5a
hash key configured. The length of the key is dependent on DPDK version.
The hash function (either RTE_ETH_HASH_FUNCTION_SYMMETRIC_TOEPLITZ or
RTE_ETH_HASH_FUNCTION_TOEPLITZ, depending on DPKD version) used
in these rules hashes symmetricaly due to the symmetric hash key.

The syntax in dpdk-testpmd for rule to match ipv4-tcp traffic with
attributes:
	port index == 0
	<hash_key> == 52 bytes long 6d5a symmetric hash key
is as follows:
"flow create 0 ingress pattern eth / ipv4 / tcp / end actions rss types
ipv4-tcp l3-src-only l3-dst-only end queues end key <hash_key>
key_len 52 func toeplitz / end"
(queues need to be set to NULL)

Ticket: 7337
1 year ago
Philippe Antoine e47f4f997d fuzz: init reverse before calling AppLayerProtoDetectGetProto
Completes commit fec06f8ac3

The 2 callers in suricata itself already do that
1 year ago
Victor Julien a533f44915 af-packet: clean up IPS config check
Don't emmit generic error statements on things that are not errors. Instead,
for cases where (part of) the config is missing, use the defaults and log
only a more detailed explanation at the 'config' level.

Minor code cleanups.
1 year ago
dependabot[bot] d4330ef149 github-actions: bump actions/upload-artifact from 4.5.0 to 4.6.0
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.5.0 to 4.6.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](6f51ac03b9...65c4c4a1dd)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
1 year ago
dependabot[bot] 7692926036 github-actions: bump github/codeql-action from 3.28.0 to 3.28.8
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.0 to 3.28.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](https://github.com/github/codeql-action/compare/v3.28.0...v3.28.8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
1 year ago
dependabot[bot] b6e59258be
github-actions: bump codecov/codecov-action from 5.1.2 to 5.3.1
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.1.2 to 5.3.1.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](1e68e06f1d...13ce06bfc6)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
1 year ago
Jeff Lucovsky cbda276aeb output: Log ethernet type
Issue 7129

When configured with the existing "ethernet" switch, include the ether
type in the output.

This is most useful with anomaly records indicating unknown ethertypes.
1 year ago
Jeff Lucovsky beec1eac2f doc/decode-events: new: unknown event description
Issue: 7129

Document the unknown ethertype event.
1 year ago
Jeff Lucovsky e9128e66e6 doc/threshold: Threshold keyword clarifications
Issue: 7129
1 year ago
Jeff Lucovsky 123b36b9f5 decode/ethertype: Event on unknown ethertype
Issue: 7129

Create a decode/engine event if unknown ethertypes are observed.
1 year ago
Philippe Antoine d9ac7489db http: remove obsolete comment
In preparation of libhtp rust
1 year ago
Philippe Antoine 4d2a3c0057 http: minor cleanups for unit tests
In preparation of libhtp rust

Mainly adding some const
1 year ago
Philippe Antoine 0d4f2e1a09 http: minor cleanups for log
In preparation of libhtp rust

Mainly adding some const
1 year ago
Philippe Antoine 44a363f2f9 http: minor cleanups for lua
In preparation of libhtp rust

Mainly adding some const
1 year ago
Ilya Bakhtin fec06f8ac3 protodetect: simplify code since DCERPC UDP detection is improved
Protocol detection code is simplified. Removed dependency on explicit
alproto constants from the common part of code that must not be aware of
the each specific protocol features.

Ticket - 7111
1 year ago
Ilya Bakhtin 27f0db7526 protodetect/dcerpc: improve DCERPC UDP probing parser
Several additional checks are added to the probing parser to avoid false
detection of DNS as DCERPC

Ticket - 7111
1 year ago
Victor Julien dc44f5e1d2 detect: remove unused SignatureInitData member 1 year ago
Victor Julien 022941d780 detect/prefilter: fix prefilter setup
If `prefilter` is used it should override automatic fast pattern
selection.

Fixes: d6b56929d3 ("detect: set mpm/prefilter during signature parsing")

Ticket: #7523.
1 year ago
Philippe Antoine c00e13772e fuzz: better init for signature parsing target
Fixes https://issues.oss-fuzz.com/u/1/issues/391975646
1 year ago
Shivani Bhardwaj c73299a298 dcerpc/tcp: add frames support
Frames of the following types have been added for toserver direction:
1. Pdu: The entire Protocol Data Unit
2. Hdr: Header of the request
3. Data: PDU data

Feature 4904
1 year ago
Shivani Bhardwaj d3551393f0 applayer: remove complex unittest
as it is now covered by the suricata-verify test
dcerpc-request-http-response.
1 year ago
Shivani Bhardwaj 9daf8528b7 dcerpc: tidy up code
- remove unneeded variables
- remove unnecessary tracking of bytes in state
- modify calculations as indicated by failing tests
1 year ago
Shivani Bhardwaj 4790da1825 dcerpc: remove fragmented data tests
With the introduction of AppLayerResult::incomplete API, fragmented data
is no longer handled fully in the dcerpc code. Given that these code
paths are already covered by the following s-v tests, these tests can now be
safely removed.
- dce-gap-handling
- dcerpc-dce-iface-*

Ticket 5699
1 year ago
Shivani Bhardwaj 74de1042a9 dcerpc: use AppLayerResult::incomplete API
Instead of own internal mechanism of buffering in case of fragmented
data, use AppLayerResult::incomplete API to let the AppLayer Parser take
care of it. This makes the memory use more efficient.
Remove any unneeded variables and code with the introduction of this
API.

Ticket 5699
1 year ago
Shivani Bhardwaj fc88e61c7f dcerpc: save version info in tx
to make it available for logging.
1 year ago
Shivani Bhardwaj 0d6017d174 dcerpc: do not assume an upper bound on data
TCP data can be presented to the protocol parser in any way e.g. one
byte at a time, single complete PDU, fragmented PDU, multiple PDUs at
once. A limit of 1MB can be easily reached in some of such scenarios.
Remove the check that rejects data that is more than 1MB.
1 year ago
Shivani Bhardwaj 84d7055056 app-layer: update flow counter if an alproto is detected
If alproto for the current direction was not detected but the opposite
side was successfully detected, if the Pattern Matching and Pattern
Probing on the flow was also successfully done and the current
direction's alproto is still unknown, a decoder event is set to indicate
that the protocol detection only happened in one direction.

This event is set after having sent the current data to the applayer
parser. Now, the respective applayer parser may or may not successfully
parse the data. However, the alproto on flow is already set from the
other direction so there will be a flow event generated by Suricata. In
order to keep this consistent with the stats, also make sure to
increment the flow counter when the decode event is set so that the flow
counter is incremented irrespective of the parsing status reported by
the applayer parser.

This patch makes stats for several specific applayer flow count equal to
the number of flow events logged for those specific applayer protocols.

Bug 7238
1 year ago
Jeff Lucovsky cfbf8fda94 doc/csum: Stream checksum validation change
Describe the change of behavior between the stream.checksum-validation
setting and checksum-based rule keywords.
1 year ago
Jeff Lucovsky 758da982f0 detect/csum: rm interaction btw stream setting/csum
Issue: 7467

Stream checksum validation no longer has a side effect of setting
PKT_IGNORE_CHECKSUM and thus, no longer affects csum keyword checks.
1 year ago
Victor Julien 3f3964555e detect/iponly: use flow first flags
Instead of ip-only specific flags, reuse the FLOW_PKT_TOSERVER_FIRST and
FLOW_PKT_TOCLIENT_FIRST flags.

Fixes false positives on one sided streams that trigger a opposing flow
timeout packet at the flow's end. That pseudo packet would trigger a
match even though it shouldn't.

Ticket: #7521.
1 year ago
Eric Leblond 8230cb5672 util/debug: increase max length of message
When a signature is incorrect, its full content is logged in a
message with some other information such as rules file name. As
a result, the log message must be longer than a maximum signature
length which is 8192.

Ticket: 7419
1 year ago
Juliana Fajardini a2905ae5d4 userguide: explain rule types and categorization
Add documentation about the rule types introduced by commit
2696fda041.

Add doc tags around code definitions that are referenced in the docs.

Task #https://redmine.openinfosecfoundation.org/issues/7031
1 year ago
Philippe Antoine 72c08cb94e http: htp_headers_t alias for htp_table_t
In preparation of libhtp rust
1 year ago
Philippe Antoine 439d3766d7 http: minor cleanups for detect
In preparation of libhtp rust

Mainly adding some const
1 year ago
Philippe Antoine 46c054da3f http: minor cleanups for output-json-http
In preparation of libhtp rust

Mainly using htp_header_value_ptr and htp_header_value_len
when possible
1 year ago
Philippe Antoine 9f99bde1f9 http: minor cleanups for htp-xff.c
In preparation of libhtp rust
1 year ago