Detection and logging skip a lot of work if PKT_STREAM_EST is not set. When
a TFO packet with data comes in the TCP state is not yet established, but
the data still needs to be considered.
So for this case set the PKT_STREAM_EST flag.
Bug #6744.
(cherry picked from commit cc2287beb4)
As we want the last tx
Ticket: 8156
The generic function AppLayerParserGetTxCnt calls for HTTP1
Transactions.size()
This function has some specific code, as we may have pre-created
a tx that we do not want to count.
This used to get the last tx by iterating over all the transactions
waiting to find the one with max index.
So, instead of using the Transactions.get function, we get the last
tx out of the VecDeque and check its index.
(cherry picked from commit af246ae7ab)
In corner cases, we assume that a midstream exception policy could be
triggered by a prior exception policy in effect. Explain this in the
docs.
Task #5830
(cherry picked from commit 0ca874b678)
While debug_validate_bug_on is still used, it does not need to be
imported directly, as that macro is marked with `macro_export`, making
it globally available to the crate.
(cherry picked from commit 50224f2ee5)
Ticket: 3220
DetectSslVersionMatch did not handle properly negation.
It could never match on a signatrue with ssl_version: !tls1.3
That is because, if we had such a signature and network traffic
with tls1.1, we were looking into DetectSslVersionData field
for tls1.1, which was not set, instead of looking at field
for tls1.3 which was set with negated flag.
Previous DetectSslVersionData was holding redundant information.
It did not need to have it for each ssl version, but just globally.
Also, it did not need to hold the version as a value in the array,
as it was redundant with the index of the array.
(cherry picked from commit c93e69830a)
If we have
- stream->last_ack 0x40021
Then, we call StreamTcpUpdateLastAck with 0x8000fc21
Then we satisfy SEQ_GT((ack), (stream)->last_ack)
But we do not satisfy SEQ_GT(ack, (stream)->base_seq))
and the new last_ack will be compared to base_seq
So, refuse to make such a big update
Ticket: 6865
(cherry picked from commit 09e50ac3f4)
The `stats.capture` object may have different properties based on the
capture method used.
This adds the ones pertaining to AF_PACKET capture.
Related to
Task #6434
(cherry picked from commit 2855574a2c)
While the counters exist, they're not present in the schema, causing
validation to fail if stats.stream-events is enabled.
Task #7858
(cherry picked from commit 025ffa6135)
The schema accounts for a stats counters group that is a subgroup of the
flows stats counters. Remove `flow_mgr`, thus.
(cherry picked from commit 173fec81f8)
Better track the state so it's known when to expect a base64 request
message. Also better validate the base64.
Ticket: #7994.
(cherry picked from commit 80d5afe91b)
Improve multiline commands and SASL auth.
Work around missing support in crate for empty server challenge and SASL base64 data.
Ticket: #7709.
(cherry picked from commit acef961645)
In file included from decode.h:33,
from host.h:27,
from util-threshold-config.c:34:
util-threshold-config.c: In function 'SCThresholdConfInitContext':
util-debug.h:260:5: warning: '%s' directive argument is null [-Wformat-overflow=]
260 | SCLogErr(SC_LOG_WARNING, __FILE__, __FUNCTION__, __LINE__, _sc_module, __VA_ARGS__)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
util-threshold-config.c:190:9: note: in expansion of macro 'SCLogWarning'
190 | SCLogWarning("Error loading threshold configuration from %s", filename);
| ^~~~~~~~~~~~
util-threshold-config.c:190:66: note: format string is defined here
190 | SCLogWarning("Error loading threshold configuration from %s", filename);
| ^~
(cherry picked from commit 3a0f4dde07)
In `add-hostbit`, `remove-hostbit` and `list-hostbit` commands, the IPv6
address parsing was not using the correct variable:
from /usr/include/dirent.h:25,
from suricata-common.h:73,
from runmode-unix-socket.c:18:
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitAdd’ at runmode-unix-socket.c:1316:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitRemove’ at runmode-unix-socket.c:1403:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitList’ at runmode-unix-socket.c:1476:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
Bug: #8102.
(cherry picked from commit 874a0e8d3d)
Issue: 8035
The `luaxform` transform doesn't support the `init` function. This
commit removes that from the example and clarifies how functions in the
Lua script are used.
(cherry picked from commit b02d9bb4f1)
The engine uses p.alerts.cnt as an index to access the packet alert that
has the `pass` action for the verdict.
For IDS/IPS mode, a `pass` will always be the last signature in the
alert queue. However, that position could be either `p.alerts.cnt` or
`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert`
keyword or not.
This patch fix corner-case scenarios of:
- accessing an index out of boundaries
- off-by-one access
Without changing how the engine increments the alerts.cnt, as this is
used in many places, and would be a more invasive change.
It checks the two different scenarios, plus the case when there is only
a single match as a silent `pass` rule.
Bug #8021
Bug #7630
Ticket: 7980
Usage of Vec<u8> instead of Box<u8> gave the ability to callers
to grow the buffer (indefinitely)
This was regressed in 16fee33368
Additionnaly, use rust WriteZero instead of WouldBlock as a more
fitting error when cursor is full, as that error kind is the
one tested by callers.
(cherry picked from commit f2b6540c52)
Realloc alp_ctx.ctxs when a dynamic alproto is registered and
g_alproto_max increases. So dynamic alproto can be treated as
real/normal ones. And app-layer switch can be set to any value
of no/deteciton-only/yes.
Ticket: 8000
(cherry picked from commit c141c55bc6)
The install command, by default, sets 0755 if -m is not specified, so the
file python/suricata/config/defaults.py will be marked as an executable,
though it isn't.
(cherry picked from commit fcbae97a1f)
Allow rejecting both sides of a connection. Has the same support
as regular reject (which is essentially rejectsrc).
Ticket: #5974.
(cherry picked from commit acb769291a)