Commit Graph

17990 Commits (84970da775d84a8b5e92499112e9d5392614e5ac)
 

Author SHA1 Message Date
Juliana Fajardini 84970da775 decode/ipv6: flag invalid pkt w/ wrong ip ver event
When the decoder finds a packet with wrong IP version for
IPv4|IPv6-in-IPv6 tunnels, it would set an event, but wouldn't flag the
packet invalid. This fixes that.

Bug #7964

(cherry picked from commit ee7f01c83f)
5 months ago
Juliana Fajardini c8e2301922 devguide: add chapter about exception policies
Adds a chapter indicating what are the main steps when adding exception
policies, how is it possible to extend them, as well as main aspects and
files to consider when doing so.

Task #5612

(cherry picked from commit 48b15ac152)
5 months ago
Lukas Sismis ddadef5c9b dpdk: collect port stats before device stop
Some drivers (e.g. BNXT) fail to report stats after the device is
stopped. Move stats collection (DPDKDumpCounters and PrintDPDKPortXstats)
to run before rte_eth_dev_stop() in HandleShutdown.

Also change PrintDPDKPortXstats error handling from FatalError to
graceful return since stats collection failures during shutdown
should not crash the application.

The commit removes ThreadExitPrintStats callback as the function had no
useful features after the stats were moved.

Ticket: 8252
(cherry picked from commit 27f398b5f2)
5 months ago
Philippe Antoine 324149f424 util-spm-hs: add missing deallocator
Add missing deallocator when hs_alloc_scratch fails.

Bug: #8146
(cherry picked from commit 251d10fa42)
5 months ago
Sergey Zhidkih e1cd34f84e util-spm-hs: add missing deallocator
Add missing deallocator for expr when hs_compile fails.

Bug: #8146
(cherry picked from commit 799f01f78f)
5 months ago
Sergey Zhidkih e7e510dccf hyperscan: move error logging for hs_compile
Move error logging from util-mpm-hs to reuse it in util-spm-hs as it
has proper hs_compile error handling.

Bug: #8146.
(cherry picked from commit 11073a0190)
5 months ago
Andreas Dolp a25eded66c doc/userguide: fix within-distance pointer graphics in payload-keywords doc
Redmine ticket: #8261

According to [1], the within pointer (if combined with distance)
includes the distance pointer, which is not clearly visible in the
graphic.

Fixed this in a new graphic by some GIMP arts.

PS: Special thanks to one of our team members Annika C. for initially
spotting this!

[1] https://forum.suricata.io/t/is-within-affected-by-distance/1688

(cherry picked from commit 69eb567dea)
5 months ago
Abhijeet Singh e148527e63 util/log: fix log file rotation
Fix double log file rotation in presence of both rotation flag and rotate interval

Ticket: https://redmine.openinfosecfoundation.org/issues/8153
(cherry picked from commit b145e389ab)
5 months ago
Jason Ish 0dd2ea700c lua: don't attempt to garbage collect a null value
When not sandboxed, a script can get access to the metatable and call
`.__gc` with an invalid value like nil, causing a NULL pointer dereference
in Suricata.

Ticket: #8248
(cherry picked from commit 5d61f5253d)
5 months ago
Philippe Antoine 34c93ef67d ci: update rust version to 1.93
(cherry picked from commit b944e3b1ed)
6 months ago
Philippe Antoine f5c8a8fdb9 rust: fix unnecessary_unwrap warnings
warning: called `unwrap` on `rd.pipe` after checking its variant with `is_some`
   --> src/smb/smb1.rs:858:28
    |
857 |             if rd.pipe.is_some() {
    |             -------------------- help: try: `if let Some(<item>) = rd.pipe`
858 |                 let pipe = rd.pipe.unwrap();
    |                            ^^^^^^^^^^^^^^^^
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.93.0/index.html#unnecessary_unwrap
    = note: `#[warn(clippy::unnecessary_unwrap)]` on by default

(cherry picked from commit 02cb0f2ac2)
6 months ago
Juliana Fajardini 626f6efbe9 docs: use correct suricata version mentions
Found with 'git grep suricata-7'

Task #8113

(cherry picked from commit a1f088cc65)
6 months ago
Philippe Antoine fec6350544 http1: marks tx as updated when setting an event
Ticket: 8224

We sometimes set events to the last tx, so we do not have access
to the HtpTxUserData in the caller HTPHandleError

(cherry picked from commit c333b28719)
6 months ago
Victor Julien c86cefced4 detect/base64_data: reset buffer offset
When in a `base64_decode`-`base64_data` pair the decode was depending
on another match through the relative option, the `buffer_offset` would
be updated to the relative position of the previous match. During the
`base64_data` phase, a relative match would use that offset even though
the match happened in a new buffer.

Example::

        http.request_body; content:"|27|";                              \
                base64_decode:relative;                                 \
                base64_data; content:"|ff ff ff ff|"; within:16;

This use of the `buffer_offset` is incorrect as that value is relative
to a buffer and the `base64_data` points to a new buffer.

This patch addresses this by resetting DetectEngineThreadCtx::buffer_offset
before inspecting `base64_data`.

Bug: #7842.
(cherry picked from commit 5f92a6cac3)
6 months ago
Victor Julien d782b432af doc/userguide: endswith can be mixed with offset/distance/within
Bug: #5030.
(cherry picked from commit 73a873ecfe)
6 months ago
Victor Julien 9c0162c468 firewall: fix rules not loading w/o commandline opts
Firewall rules were supposed to also load when using a config like

        ##
        ## Suricata as a Firewall options (experimental)
        ##
        firewall:
          # toggle to enable firewall mode
          enabled: yes

          # Firewall rule file are in their own path and are not managed
          # by Suricata-Update.
          rule-path: /etc/suricata/firewall/

          # List of files with firewall rules. Order matters, files are loaded
          # in order and rules are applied in that order (per state, see docs)
          rule-files:
            - firewall.rules

But they were not because of a missing check.

Bug: #8206.
(cherry picked from commit 2a2b98650b)
6 months ago
Philippe Antoine c6d9b573a0 nfs: log read/write/rename whatever the nfs version
These were previously logged correctly only for nfs v3

Now, the correct opcodes are used for v2 and v4 as well

Ticket: 8222
(cherry picked from commit 1832b50506)
6 months ago
Shivani Bhardwaj 89ce3f2565 tls/subjectaltname: use byte arr instead of string
TLS parsers use x509-parser crate which parses X.509 certificates that
use ASN.1 DER encoding that can allow arbitrary byte sequences. An
attacker could inject null byte in a certificate anywhere to stump the
common language parsers terminating the string at a null byte leading to
a bypass of a possibly malicious certificate.

So far, the rust TLS parser for "subjectaltname" used a pattern that involved:
-> Get ASN.1 DER encoded raw data from the x509-parser crate
-> Convert this raw data to a decoded string (Rust)
-> Convert the Rust string to CString
-- The problem lies here. CString only accepts proper strings/byte
buffers and converts it into an owned C-compatible, null-terminated
string. However, if any null byte occurs in the string passed to the
CString then it panics.
In the rust TLS parser, this panic is handled by returning NULL.

This means that the parser will error out during the decoding of the
certificate. However, Suricata must be able to detect the null byte
injection attack being an IDS/IPS.

Hence, replace all such string patterns w.r.t. TLS SAN with a byte
array.

Bug 7887

(cherry picked from commit 1d7b0d9b7a)
6 months ago
Shivani Bhardwaj d50b1250d8 tls/sni: use byte array instead of string
Bug 7887

(cherry picked from commit 9c3ed7d31c)
6 months ago
Shivani Bhardwaj cba7fffefc tls/serial: use byte array instead of string
Bug 7887

(cherry picked from commit 24f5b7dab2)
6 months ago
Shivani Bhardwaj 8abb0d11ea tls/issuerdn: use byte array instead of string
TLS parsers use x509-parser crate which parses X.509 certificates that
use ASN.1 DER encoding that can allow arbitrary byte sequences. An
attacker could inject null byte in a certificate anywhere to stump the
common language parsers terminating the string at a null byte leading to
a bypass of a possibly malicious certificate.

So far, the rust TLS parser for "issuerdn" used a pattern that involved:
-> Get ASN.1 DER encoded raw data from the x509-parser crate
-> Convert this raw data to a decoded string (Rust)
-> Convert the Rust string to CString
-- The problem lies here. CString only accepts proper strings/byte
buffers and converts it into an owned C-compatible, null-terminated
string. However, if any null byte occurs in the string passed to the
CString then it panics.
In the rust TLS parser, this panic is handled by returning NULL.

This means that the parser will error out during the decoding of the
certificate. However, Suricata must be able to detect the null byte
injection attack being an IDS/IPS.

Hence, replace all such string patterns w.r.t. TLS IssuerDN with a byte
array.

Bug 7887

(cherry picked from commit f025e07191)
6 months ago
Shivani Bhardwaj 3f735e6d06 tls/subject: use byte array instead of string
TLS parsers use x509-parser crate which parses X.509 certificates that
use ASN.1 DER encoding that can allow arbitrary byte sequences. An
attacker could inject null byte in a certificate anywhere to stump the
common language parsers terminating the string at a null byte leading to
a bypass of a possibly malicious certificate.

So far, the rust TLS parser for "Subject" used a pattern that involved:
-> Get ASN.1 DER encoded raw data from the x509-parser crate
-> Convert this raw data to a decoded string (Rust)
-> Convert the Rust string to CString
-- The problem lies here. CString only accepts proper strings/byte
buffers and converts it into an owned C-compatible, null-terminated
string. However, if any null byte occurs in the string passed to the
CString then it panics.
In the rust TLS parser, this panic is handled by returning NULL.

This means that the parser will error out during the decoding of the
certificate. However, Suricata must be able to detect the null byte
injection attack being an IDS/IPS.

Hence, replace all such string patterns w.r.t. TLS Subject with a byte
array.

Bug 7887

(cherry picked from commit 77c21b05d2)
6 months ago
Shivani Bhardwaj b93b5c4ae3 tls-log: add common fn to create string from arr 6 months ago
Victor Julien 9c5fda18da datasets: fix compile warnings
datasets-string.c:53:20: error: implicit conversion loses integer precision: 'unsigned long' to 'int' [-Werror,-Wshorten-64-to-32]
        return len + 2;
        ~~~~~~ ~~~~^~~
1 error generated.

(cherry picked from commit 844f6011b1)
6 months ago
Victor Julien 0ae6ee2597 rust/htp: formatting fixup
(cherry picked from commit ff3def130c)
6 months ago
Shivani Bhardwaj 563066a6dd version: start development towards 8.0.4 6 months ago
Juliana Fajardini 3bd9f773bd release: 8.0.3; update changelog 6 months ago
Victor Julien f72f458e79 rust: update lru to 0.16.3; update lock
RUSTSEC-2026-0002

Ticket: #8210.
(cherry picked from commit b1fe6a4ceb)
6 months ago
Jason Ish bdbc38bca2 dnp3: bound the maximum number of objects per tx
Default to 2048, but provide a user configuration value.

Ticket: #8181
(cherry picked from commit 2c95f1ff44)
6 months ago
Jason Ish c03a8db521 dnp3: set a bound on the number of points per message
16384 is used as the max, but a configuration parameter has been
provided. The reason for setting an upper bound is that bit flags can
create a memory amplification as we parse them into individual data
structures.

Ticket: #8181
(cherry picked from commit 3a32bb5743)
6 months ago
Jason Ish 377c8fded8 dnp3: reduce flood threshold to 32 and make configurable
Lower the number of unreplied requests from 500 to 32 to consider a
flood. At the very least this is an anomaly given the DNP3 spec mentions
that DNP3 should only have one outstanding request at a time, with an
exception for unsolicited responses, so in practice no more than 2
should be seen.

Additionally make this value configurable by introducing the max-tx
parameter.

Ticket: #8181
(cherry picked from commit a16f087b93)
6 months ago
Jason Ish 50cac2e246 dnp3: check done state, not complete state for progress
Complete is a flag used to tell if the message was completely parsed,
as not all messages may be completely parsed if we don't know all
their objects. However, they are still "done".

In the alstate-progress callback, check the done flag, not the
complete flag.

Ticket: #8181
(cherry picked from commit d61eef9a8a)
6 months ago
Philippe Antoine b24db73f77 dcerpc: use saturating_add to count fragments
And do not overflow if we have traffic with more than 65K fragments

(cherry picked from commit a48200b9e5)
6 months ago
Shivani Bhardwaj 70655fa01e doc: add dcerpc.max-stub-size config param
(cherry picked from commit 6702791a9c)
6 months ago
Shivani Bhardwaj 39d8c302af dcerpc: add upper limit on stub data
DCERPC parsers had no upper bounds when it came to extending the stub
data buffer. Traffic can be crafted to bypass some internal parser
conditions to create an indefinite buffering in the stub_data array that
can make Suricata crash.

Add a default limit of 1MiB and make it configurable for the user.

Security 8182

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
(cherry picked from commit e412215af9)
6 months ago
Philippe Antoine 018a377f74 http: limit the number of folded lines per header
Ticket: 8201

Limits the quadratic complexity if each packet, restarting the
header parsing, just adds a new folded line.
This was previously bounded by the configurable max header length

(cherry picked from commit fa5a4a994a)
6 months ago
Shivani Bhardwaj 549d7bf606 detect/alert: check alert queue capacity before expanding
So far, the alert queue was expanded by doubling in size w/o any
boundary checks in place. This led to situations where doubling
the alert_queue_capacity meant overflow of the very same value
stored in det_ctx.
This led to heap-use-after-free in some conditions where
det_ctx->alert_queue_capacity overflowed.

Fix this by capping the max of alert_queue_capacity by checking if its
expansion could result in an overflow.

Security 8190

(cherry picked from commit ac1eb39418)
6 months ago
Philippe Antoine 0dddac7278 http: do not use recursion in decompression
just loop and iterate

Ticket: 8185
(cherry picked from commit f2a45c4216)
6 months ago
Philippe Antoine 17c8eb496d output: use tx iterator for finding alert http xff
Ticket: 8156

Allows better performance.

(cherry picked from commit ab2e128176)
6 months ago
Philippe Antoine 754c4e9bde output: optimize loop for finding alert http xff
Ticket: 8156

In case of non-tx alerts, we try to loop over all the txs to find
the xff header. Do not start from tx_id 0, but from min_id
as AppLayerParserTransactionsCleanup to skip txs that were freed

(cherry picked from commit 3b1a6c1711)
6 months ago
Philippe Antoine d767dfadcd datasets: allocates on the heap if string base64 is long
Ticket: 8110
(cherry picked from commit d6bc718e30)
6 months ago
Philippe Antoine 32a1b9ae6a datasets: explicitly errors on too long string
Also avoids stack allocation

Ticket: 8110
(cherry picked from commit 0eff242137)
6 months ago
Victor Julien a81f8b7811 eve/tls: log client version if no server hello seen
Bug: #5713.
(cherry picked from commit 4cdf0a0549)
6 months ago
Shivani Bhardwaj 5eb629cbd6 detect/xbits: parse keywords w strtok_r
Ticket: 4820

Forward ported by Victor Julien from
2c5eead479 ("detect/xbits: parse keywords w strtok_r")

(cherry picked from commit 926ef4c49a)
6 months ago
Victor Julien 91c07f10bd frames: add --list-app-layer-frames option
Lists frames per ip proto and app-layer proto.

Ticket: #8174.
(cherry picked from commit 7ac5d7428e)
6 months ago
Jason Ish 98959d932a rust/psl: update to 2.1.175
Update to get the most recent Mozilla public suffix list.

Ticket: #8148
6 months ago
Giuseppe Longo 183b826223 flow: swap MACs when flow direction is swapped
When FlowSwap() reverses the direction of a flow, the MAC address sets
stored in the flow also need to be swapped to maintain consistency with
the new direction. Previously, MAC addresses were not swapped along with
other flow properties like packet/byte counters.

Ticket #8172

(cherry picked from commit f1b9669ed5)
6 months ago
Giuseppe Longo c677dc4b6f util/macset: fix code style
Code style fixed using clang-format.

Ticket #8172

(cherry picked from commit 8050738fea)
6 months ago
Victor Julien 8f91524c0f detect/luaxform: fix allowed lua rules check
Meant to be enabled by default, but wasn't.

(cherry picked from commit da87bd61d0)
6 months ago
Victor Julien d4217060ee detect/lua: exclude script setup from the max-bytes limit
Make sure the script can use all bytes configured. So exclude setup like
input buffers that are put on the lua state before script is executed.

Bug #8173.

(cherry picked from commit d7866495c2)
6 months ago