Commit Graph

17990 Commits (84970da775d84a8b5e92499112e9d5392614e5ac)
 

Author SHA1 Message Date
Victor Julien cf6c79ccc4 detect/luaxform: disable bytes limit during setup
During per inspection setup the buffer could already use up all the budget.

Bug #8173.

(cherry picked from commit 1f58bc1a07)
6 months ago
Victor Julien 761862f9ba lua/sandbox: allow disabling the bytes limit
Meant for setting up from C, where we may use more bytes than expected.

Bug: #8173.
(cherry picked from commit 7bc4b7d713)
6 months ago
Victor Julien 23862ea633 tcp/tfo: set PKT_STREAM_EST flag
Detection and logging skip a lot of work if PKT_STREAM_EST is not set. When
a TFO packet with data comes in the TCP state is not yet established, but
the data still needs to be considered.

So for this case set the PKT_STREAM_EST flag.

Bug #6744.

(cherry picked from commit cc2287beb4)
7 months ago
Philippe Antoine 3f0725b34c http: do not use a loop to find the tx count
As we want the last tx

Ticket: 8156

The generic function AppLayerParserGetTxCnt calls for HTTP1
Transactions.size()

This function has some specific code, as we may have pre-created
a tx that we do not want to count.
This used to get the last tx by iterating over all the transactions
waiting to find the one with max index.
So, instead of using the Transactions.get function, we get the last
tx out of the VecDeque and check its index.

(cherry picked from commit af246ae7ab)
7 months ago
Juliana Fajardini a1f59cb950 userguide: highlight exceptions interactions
In corner cases, we assume that a midstream exception policy could be
triggered by a prior exception policy in effect. Explain this in the
docs.

Task #5830

(cherry picked from commit 0ca874b678)
7 months ago
Jeff Lucovsky 8e75f21e4f doc/luaxform: Clarify luaxform calling convention
Issue: 8135

Clarify the calling convention for the Lua transform's `transform`
function.

(cherry picked from commit 845544aad3)
7 months ago
Jason Ish b3934140d8 rust: fix clippy warning for implicit cast
Fix provided by "cargo clippy --fix" for error:

error: implicitly casting the result of `from_raw_parts_mut` to `*mut [u8]`
   --> src/ftp/response.rs:107:31
    |
107 |           let _ = Box::from_raw(std::slice::from_raw_parts_mut(
    |  _______________________________^
108 | |             response.response,
109 | |             response.length,
110 | |         ));
    | |_________^ help: replace_with: `std::ptr::slice_from_raw_parts_mut(response.response, response.length)`
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.92.0/index.html#cast_slice_from_raw_parts
7 months ago
Jason Ish 5db8c5cd79 rust: fix clippy warning for unused import
While debug_validate_bug_on is still used, it does not need to be
imported directly, as that macro is marked with `macro_export`, making
it globally available to the crate.

(cherry picked from commit 50224f2ee5)
7 months ago
Victor Julien fb1d52f1bd mpm: remove remaining ac-bs references
(cherry picked from commit 08d625bb10)
7 months ago
Victor Julien c9b730a123 doc/af-packet: document disable-hwtimestamp option
Ticket: #1954.
(cherry picked from commit be2c40bde7)
7 months ago
Victor Julien dccfc4fc2e af-packet: add disable-hwtimestamp option
HW timestamping is not always reliable, so add an option to disable it.

Bug: #1954.
(cherry picked from commit 18a6a079da)
7 months ago
Victor Julien 6aa4659aa2 app-layer: only register flow counter for detection-only
Other counters are never incremented if no parser is active.

(cherry picked from commit 72e4275456)
7 months ago
Victor Julien 6ba11cd1c3 unix-socket: don't doubly setup stats private area
(cherry picked from commit 33589e6079)
7 months ago
Victor Julien b5997184b7 counters: minor code cleanup
(cherry picked from commit 13d2fa6092)
7 months ago
Victor Julien dac48f54d8 counters: remove unused id var in local stats counter
Ticket: #5613.
(cherry picked from commit fd9ce24fa3)
7 months ago
Victor Julien e24f1734b6 counters: fix comment for set function
Handles u64, not a double.

(cherry picked from commit 888b415257)
7 months ago
Victor Julien 6c3fe544cf decode: register decoder.erspan and decoder.nsh counters correctly
These are regular counters, not 'max' counters.

(cherry picked from commit 2eb2926cd2)
7 months ago
Philippe Antoine 2f9762ccb1 detect/ssl: properly handle negation in ssl_version keyword
Ticket: 3220

DetectSslVersionMatch did not handle properly negation.
It could never match on a signatrue with ssl_version: !tls1.3
That is because, if we had such a signature and network traffic
with tls1.1, we were looking into DetectSslVersionData field
for tls1.1, which was not set, instead of looking at field
for tls1.3 which was set with negated flag.

Previous DetectSslVersionData was holding redundant information.
It did not need to have it for each ssl version, but just globally.
Also, it did not need to hold the version as a value in the array,
as it was redundant with the index of the array.

(cherry picked from commit c93e69830a)
7 months ago
Juliana Fajardini c2e82ece8b devguide: update backports policy for Suricata 7.0
Also remove mentions to `master` and `6.0x`.

Task #7937

(cherry picked from commit 6c06ab6144)
7 months ago
Philippe Antoine 92dae73657 stream/tcp: check new last_ack stays within base_seq bounds
If we have
- stream->last_ack 0x40021
Then, we call StreamTcpUpdateLastAck with 0x8000fc21

Then we satisfy SEQ_GT((ack), (stream)->last_ack)
But we do not satisfy SEQ_GT(ack, (stream)->base_seq))

and the new last_ack will be compared to base_seq

So, refuse to make such a big update

Ticket: 6865
(cherry picked from commit 09e50ac3f4)
8 months ago
Juliana Fajardini 3b018b1aff schema: add descriptions to global memcaps/memuses
For FTP, Host, IP Pair and HTTP.

Related to
Task #6434

(cherry picked from commit 331bc8aeac)
8 months ago
Juliana Fajardini 9531f8791e schema: add additional properties to stats.capture
The `stats.capture` object may have different properties based on the
capture method used.

This adds the ones pertaining to AF_PACKET capture.

Related to
Task #6434

(cherry picked from commit 2855574a2c)
8 months ago
Juliana Fajardini 707815068e schema: add desc for each main stats module
Part of the schema documentation effort.

Related to
Task #6434

(cherry picked from commit 12e0e51864)
8 months ago
Juliana Fajardini 7bd22f492d schema: allow stats.stream event counters
While the counters exist, they're not present in the schema, causing
validation to fail if stats.stream-events is enabled.

Task #7858

(cherry picked from commit 025ffa6135)
8 months ago
Juliana Fajardini 4824df3bef schema/stats: flow_mgr is actually flow.mgr
The schema accounts for a stats counters group that is a subgroup of the
flows stats counters. Remove `flow_mgr`, thus.

(cherry picked from commit 173fec81f8)
8 months ago
Juliana Fajardini a7631217de doc: remove remaining references to pruned flows
These were removed with a5587fec2e but these mentions went under the
radar.

(cherry picked from commit 1647081b29)
8 months ago
Jhonny Sousa 07c7f91094 nfs: Fix NFSv2 STATFS procedure parsing
Ticket: #5140
(cherry picked from commit 257ed82dbd)
8 months ago
Victor Julien 8d933536a8 pop3: AUTH command handling improvements
Better track the state so it's known when to expect a base64 request
message. Also better validate the base64.

Ticket: #7994.
(cherry picked from commit 80d5afe91b)
8 months ago
Philippe Antoine f1e1acfcb5 pop3: count retr_data into consumed
for later AppLayerResult::incomplete

Fixes: acef961645 ("pop3: improve parsing")

https://issues.oss-fuzz.com/u/1/issues/451112373

Ticket: 7994
(cherry picked from commit 3babd68af4)
8 months ago
Victor Julien 20f14726e3 pop3: improve parsing
Improve multiline commands and SASL auth.

Work around missing support in crate for empty server challenge and SASL base64 data.

Ticket: #7709.
(cherry picked from commit acef961645)
8 months ago
Philippe Antoine 4b365af118 file: fix hash computation for small multipart files
Ticket: 8119

Fixes: f68e2f5537 ("files: append data on closing even with
FILE_NOSTORE")

(cherry picked from commit 8b9a779a16)
8 months ago
Pierre Chifflier d0e56b1b9d configure: fix binary crate name in hint message if bindgen is not found
(cherry picked from commit 459e2599c7)
8 months ago
Victor Julien 26d576d8fd thresholds: fix unittest compile warning
In file included from decode.h:33,
                 from host.h:27,
                 from util-threshold-config.c:34:
util-threshold-config.c: In function 'SCThresholdConfInitContext':
util-debug.h:260:5: warning: '%s' directive argument is null [-Wformat-overflow=]
  260 |     SCLogErr(SC_LOG_WARNING, __FILE__, __FUNCTION__, __LINE__, _sc_module, __VA_ARGS__)
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
util-threshold-config.c:190:9: note: in expansion of macro 'SCLogWarning'
  190 |         SCLogWarning("Error loading threshold configuration from %s", filename);
      |         ^~~~~~~~~~~~
util-threshold-config.c:190:66: note: format string is defined here
  190 |         SCLogWarning("Error loading threshold configuration from %s", filename);
      |                                                                  ^~

(cherry picked from commit 3a0f4dde07)
8 months ago
Victor Julien 3f88e5c64c unix-socket/hostbits: fix ipv6 address parsing
In `add-hostbit`, `remove-hostbit` and `list-hostbit` commands, the IPv6
address parsing was not using the correct variable:

                 from /usr/include/dirent.h:25,
                 from suricata-common.h:73,
                 from runmode-unix-socket.c:18:
In function ‘inet_pton’,
    inlined from ‘UnixSocketHostbitAdd’ at runmode-unix-socket.c:1316:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
   56 |   return __glibc_fortify (inet_pton, __sz, sizeof (char),
      |          ^~~~~~~~~~~~~~~
In function ‘inet_pton’,
    inlined from ‘UnixSocketHostbitRemove’ at runmode-unix-socket.c:1403:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
   56 |   return __glibc_fortify (inet_pton, __sz, sizeof (char),
      |          ^~~~~~~~~~~~~~~
In function ‘inet_pton’,
    inlined from ‘UnixSocketHostbitList’ at runmode-unix-socket.c:1476:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
   56 |   return __glibc_fortify (inet_pton, __sz, sizeof (char),
      |          ^~~~~~~~~~~~~~~

Bug: #8102.
(cherry picked from commit 874a0e8d3d)
8 months ago
Philippe Antoine da8e37b2b8 fuzz/conf: bail out on long sequence of scalars
Ticket: 8105
(cherry picked from commit 9d164d8794)
8 months ago
Jeff Lucovsky dc2faaa895 nfs: Support EXCLUSIVE4_1 flag
Issue: 8006

Support the EXCLUSIVE4_1 create mode added to NFS 4.1

(cherry picked from commit e1bf5cb1f3)
8 months ago
Philippe Antoine f8f3cfd6d1 util/time: fix TimeDifferenceMicros microseconds computation
Ticket: 8073

Currently only used in pcap logging for flushing

(cherry picked from commit b21c93d789)
8 months ago
Jeff Lucovsky 9fa7756ba7 doc/luaxform: Remove init function from example
Issue: 8035

The `luaxform` transform doesn't support the `init` function. This
commit removes that from the example and clarifies how functions in the
Lua script are used.

(cherry picked from commit b02d9bb4f1)
8 months ago
Shivani Bhardwaj 2cfc2f4dc0 version: start development towards 8.0.3 8 months ago
Shivani Bhardwaj 79db7b1ad4 release: 8.0.2; update changelog 9 months ago
Juliana Fajardini 482e5eac92 output/alert: fix alert index access for verdict
The engine uses p.alerts.cnt as an index to access the packet alert that
has the `pass` action for the verdict.
For IDS/IPS mode, a `pass` will always be the last signature in the
alert queue. However, that position could be either `p.alerts.cnt` or
`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert`
keyword or not.
This patch fix corner-case scenarios of:
- accessing an index out of boundaries
- off-by-one access
Without changing how the engine increments the alerts.cnt, as this is
used in many places, and would be a more invasive change.
It checks the two different scenarios, plus the case when there is only
a single match as a silent `pass` rule.

Bug #8021
Bug #7630
9 months ago
Philippe Antoine efe7aeb145 output/http: log content-type like other headers
Ticket: 8056

Avoid stack allocation.
Do not handle null and ; especially

(cherry picked from commit b8411fcc8d)
9 months ago
Philippe Antoine 8999eb1f93 unix-socket: return after closing on too long
Avoids later use after free

Ticket: 8063
(cherry picked from commit acc051ac94)
9 months ago
Philippe Antoine ad446c9006 util/swf: move allocation from stack to heap
As it can overflow the stack

Ticket: 8055
(cherry picked from commit a84addb771)
9 months ago
Philippe Antoine 00f04daa3a htp: bound decompression
Ticket: 7980

Usage of Vec<u8> instead of Box<u8> gave the ability to callers
to grow the buffer (indefinitely)
This was regressed in 16fee33368

Additionnaly, use rust WriteZero instead of WouldBlock as a more
fitting error when cursor is full, as that error kind is the
one tested by callers.

(cherry picked from commit f2b6540c52)
9 months ago
Li Heng 002bd1f1ee snmp: can be set to detection-only
Realloc alp_ctx.ctxs when a dynamic alproto is registered and
g_alproto_max increases. So dynamic alproto can be treated as
real/normal ones. And app-layer switch can be set to any value
of no/deteciton-only/yes.

Ticket: 8000
(cherry picked from commit c141c55bc6)
9 months ago
Andreas Dolp 7dbae32eda python/Makefile.am: fix file permissions of python/suricata/config/defaults.py
The install command, by default, sets 0755 if -m is not specified, so the
file python/suricata/config/defaults.py will be marked as an executable,
though it isn't.

(cherry picked from commit fcbae97a1f)
9 months ago
Victor Julien d3aa4dd85e exception-policy: rename 'reject-both' to 'rejectboth'
To align it with the rule action.

(cherry picked from commit ec65fd430e)
9 months ago
Victor Julien 879561859b doc/userguide: document reject-both expection policy
Ticket: #5974.
(cherry picked from commit 0c4a8fd183)
9 months ago
Victor Julien 4905f38470 exception-policy: add 'reject-both' option
Allow rejecting both sides of a connection. Has the same support
as regular reject (which is essentially rejectsrc).

Ticket: #5974.
(cherry picked from commit acb769291a)
9 months ago