Improve multiline commands and SASL auth.
Work around missing support in crate for empty server challenge and SASL base64 data.
Ticket: #7709.
(cherry picked from commit acef961645)
In file included from decode.h:33,
from host.h:27,
from util-threshold-config.c:34:
util-threshold-config.c: In function 'SCThresholdConfInitContext':
util-debug.h:260:5: warning: '%s' directive argument is null [-Wformat-overflow=]
260 | SCLogErr(SC_LOG_WARNING, __FILE__, __FUNCTION__, __LINE__, _sc_module, __VA_ARGS__)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
util-threshold-config.c:190:9: note: in expansion of macro 'SCLogWarning'
190 | SCLogWarning("Error loading threshold configuration from %s", filename);
| ^~~~~~~~~~~~
util-threshold-config.c:190:66: note: format string is defined here
190 | SCLogWarning("Error loading threshold configuration from %s", filename);
| ^~
(cherry picked from commit 3a0f4dde07)
In `add-hostbit`, `remove-hostbit` and `list-hostbit` commands, the IPv6
address parsing was not using the correct variable:
from /usr/include/dirent.h:25,
from suricata-common.h:73,
from runmode-unix-socket.c:18:
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitAdd’ at runmode-unix-socket.c:1316:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitRemove’ at runmode-unix-socket.c:1403:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitList’ at runmode-unix-socket.c:1476:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
Bug: #8102.
(cherry picked from commit 874a0e8d3d)
Issue: 8035
The `luaxform` transform doesn't support the `init` function. This
commit removes that from the example and clarifies how functions in the
Lua script are used.
(cherry picked from commit b02d9bb4f1)
The engine uses p.alerts.cnt as an index to access the packet alert that
has the `pass` action for the verdict.
For IDS/IPS mode, a `pass` will always be the last signature in the
alert queue. However, that position could be either `p.alerts.cnt` or
`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert`
keyword or not.
This patch fixes corner-case scenarios of:
- accessing an index out of boundaries
- off-by-one access
Without changing how the engine increments the alerts.cnt, as this is
used in many places, and would be a more invasive change.
It checks the two different scenarios, plus the case when there is only
a single match as a silent `pass` rule.
Bug #8021
Bug #7630
Ticket: 7980
Usage of Vec<u8> instead of Box<u8> gave the ability to callers
to grow the buffer (indefinitely)
This was regressed in 16fee33368
Additionally, use rust WriteZero instead of WouldBlock as a more
fitting error when cursor is full, as that error kind is the
one tested by callers.
(cherry picked from commit f2b6540c52)
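As an added illustration of the regression described in that commit (not Suricata's own code), the block below contrasts a `Cursor` over a boxed slice, whose capacity is fixed at allocation time, with a `Cursor` over a `Vec<u8>`, which the standard library reallocates on demand so a writer can grow it without bound. With the boxed slice, `write` returns `Ok(0)` once the cursor is at the end and `write_all` therefore fails with `ErrorKind::WriteZero`, the error kind the commit says callers check. The `fill` helper and the `CHUNKS` sample input are constructed here for the demonstration.

```rust
use std::io::{Cursor, ErrorKind, Write};

/// Constructed sample input: three 4-byte records a caller wants to write.
pub const CHUNKS: [&[u8]; 3] = [b"abcd", b"efgh", b"ijkl"];

/// Fixed-capacity output buffer backed by a boxed slice. Once the cursor
/// reaches the end, `write` returns Ok(0) and `write_all` fails with
/// `ErrorKind::WriteZero`; nothing a caller does can make it grow.
pub fn fixed_buffer(capacity: usize) -> Cursor<Box<[u8]>> {
    Cursor::new(vec![0u8; capacity].into_boxed_slice())
}

/// Growable buffer backed by a Vec. `write_all` never fails for lack of
/// space because the Vec is reallocated as needed, which is the unbounded
/// growth the commit message describes.
pub fn growable_buffer(capacity: usize) -> Cursor<Vec<u8>> {
    Cursor::new(Vec::with_capacity(capacity))
}

/// Write `chunks` into `w` one at a time. Returns the number of chunks
/// written in full and the error kind that stopped the loop, if any.
pub fn fill<W: Write>(w: &mut W, chunks: &[&[u8]]) -> (usize, Option<ErrorKind>) {
    let mut written = 0;
    for chunk in chunks {
        match w.write_all(chunk) {
            Ok(()) => written += 1,
            Err(e) => return (written, Some(e.kind())),
        }
    }
    (written, None)
}

/// The check a caller would perform: "the buffer is full" is signalled by
/// WriteZero, not by WouldBlock (which means "retry later").
pub fn buffer_is_full(kind: Option<ErrorKind>) -> bool {
    kind == Some(ErrorKind::WriteZero)
}

fn main() {
    let mut fixed = fixed_buffer(8);
    let (n, err) = fill(&mut fixed, &CHUNKS);
    println!("fixed: {} chunks written, error {:?}, full={}", n, err, buffer_is_full(err));
    println!("fixed contents: {:?}", std::str::from_utf8(fixed.get_ref()).unwrap());

    let mut growable = growable_buffer(8);
    let (n, err) = fill(&mut growable, &CHUNKS);
    println!("vec: {} chunks written, error {:?}, len now {}", n, err, growable.get_ref().len());
}
```

Run with `rustc` and no external crates; the fixed buffer stops after two chunks with `WriteZero` and still holds exactly eight bytes, while the `Vec`-backed cursor accepts all three chunks and ends up twelve bytes long despite the eight-byte initial capacity.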
Realloc alp_ctx.ctxs when a dynamic alproto is registered and
g_alproto_max increases. So dynamic alproto can be treated as
real/normal ones. And app-layer switch can be set to any value
of no/detection-only/yes.
Ticket: 8000
(cherry picked from commit c141c55bc6)
The install command, by default, sets 0755 if -m is not specified, so the
file python/suricata/config/defaults.py will be marked as an executable,
though it isn't.
(cherry picked from commit fcbae97a1f)
Allow rejecting both sides of a connection. Has the same support
as regular reject (which is essentially rejectsrc).
Ticket: #5974.
(cherry picked from commit acb769291a)
81ee6f5aad ("lua: push correct length back through ScFlowvarGet, work around valgrind warning")
added a workaround for valgrind warnings in pushing a string buffer
into the lua state. This is no longer needed as tested with both
address sanitizer and valgrind.
(cherry picked from commit 52fd61dffd)
SSL connp maintains all the state and certificate data that was
parsed/decoded successfully and it must retain that for later usage.
There should be just one place to free this object which is SSLStateFree
for both the directions. By freeing the connp data during parsing error,
there is room for memory errors.
This works so far because the field parsed after this cannot error out so
if there's an error parsing this, it anyway does not exist. However, this
is incorrect and leaves scope for mistakes.
Remove this extra free and treat SAN like all other TLS keywords.
Bug 7996
(cherry picked from commit b090fc61fd)
Ubuntu 20.04, distro suited at the time for 8.0.x, still contains
DPDK 19.11 in the pkg repository, so it keeps being build-tested as
opposed to the 9.0.x version.
(cherry picked from commit ee0b08692c)
DPDK Bonding API has been changed in DPDK version 23.11 where
the old *slave* API was marked as deprecated and the new *member*
API was marked as experimental.
This was unfortunately executed by marking both API variants
at the same time. The deprecated version is removed from the follow
up versions while the experimental version will become stable
in the next DPDK releases. This is based on a policy in DPDK where
an API change needs to be merged in main for 1 stable release before
removing the experimental flag.
In DPDK 24.11 this has been fixed and warning suppression is not
added.
Ticket: 7990
(cherry picked from commit 27383f878d)
The exclude function incorrectly performs a XOR operation. While it
works when the worker cores occupy all cores, it is not the correct
operation. For example, when a core is affined to only management
and not worker threads, the XOR operation affines it to the worker set.
(1 XOR 0 -> 1, where in fact the desired outcome is 0)
Ticket: 7976
(cherry picked from commit 8f63094744)
Issue: 8007
Highlight the change to how ether_type values are displayed. Previously,
they were displayed in network order as a decimal value.
They are now displayed in host order as a decimal value.
(cherry picked from commit 16d124cfda)
Ethertype values are now converted from network format to host format
before display occurs. Displayed values are now in hex instead of
integers.
Without this change, ethertype values such as 0xfbb7 are
displayed in decimal as: 47099 (0xb7fb).
The actual value is 64439 (0xfbb7); all logged ether_type values
will be displayed in host order in decimal format. This example
will log the ether type as 64439
Issue: 7855
(cherry picked from commit 0af7793410)
Being the stable branch, cargo update doesn't make much sense unless we
have a specific reason to update a crate. The audit check has been
left, which will alert us to crates that may need an update.
Track what attributes have been logged and skip over duplicate
attributes to avoid having duplicate fields in the JSON object, which
is invalid JSON.
This is lossy; subsequent attributes are lost.
Ticket: #7923
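As an added example of the deduplication that commit describes (written here for illustration; it is not Suricata's logging code), the block below builds a JSON object from a list of attribute name/value pairs, remembers which names have already been emitted in a `HashSet`, and skips any repeat, so the first value wins and later ones are dropped, exactly the lossy behaviour the message notes. A naive variant that emits every pair is kept beside it to show the duplicate-key output the fix avoids. The attribute list, the helper names and the minimal string escaping are all constructed for this example.

```rust
use std::collections::HashSet;

/// Constructed sample input: an attribute list in which "cn" appears twice.
pub const ATTRS: [(&str, &str); 4] = [
    ("cn", "alice"),
    ("mail", "alice@example.test"),
    ("cn", "alice-duplicate"),
    ("title", "analyst"),
];

/// Minimal JSON string escaping for the characters that would otherwise
/// break the object: quotes, backslashes and control characters.
fn escape_json(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Naive variant: emits every attribute in order, so a repeated name yields
/// a duplicate key in the object. Shown only as the "before" behaviour.
pub fn attributes_to_json_naive(attrs: &[(&str, &str)]) -> String {
    let fields: Vec<String> = attrs
        .iter()
        .map(|(name, value)| format!("\"{}\":\"{}\"", escape_json(name), escape_json(value)))
        .collect();
    format!("{{{}}}", fields.join(","))
}

/// Fixed variant: tracks the names already logged and skips repeats, so
/// every key in the object is unique. Returns the object together with the
/// number of attributes that were dropped (the lossy part).
pub fn attributes_to_json(attrs: &[(&str, &str)]) -> (String, usize) {
    let mut seen: HashSet<&str> = HashSet::new();
    let mut fields: Vec<String> = Vec::new();
    let mut dropped = 0;
    for (name, value) in attrs {
        // insert() returns false when the name was already present
        if !seen.insert(name) {
            dropped += 1;
            continue;
        }
        fields.push(format!("\"{}\":\"{}\"", escape_json(name), escape_json(value)));
    }
    (format!("{{{}}}", fields.join(",")), dropped)
}

/// Count how often `key` occurs as an object key in the serialized output;
/// a well-formed object from this writer should report at most 1.
pub fn key_count(json: &str, key: &str) -> usize {
    json.matches(&format!("\"{}\":", escape_json(key))).count()
}

fn main() {
    let naive = attributes_to_json_naive(&ATTRS);
    println!("naive: {} (cn appears {} times)", naive, key_count(&naive, "cn"));
    let (fixed, dropped) = attributes_to_json(&ATTRS);
    println!("fixed: {} ({} attribute(s) dropped)", fixed, dropped);
}
```

The dedup set holds borrowed names only, so the cost is one hash lookup per attribute and no copies; if later values should win instead of earlier ones, the same structure would need a map from name to index rather than a set, but that would change which value the log preserves.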