Ticket: 4972
As is done in detect-lua-extensions.
We can have a flow with alproto unknown, no state, and therefore
cannot run AppLayerParserGetTx which could try to run a NULL
function
(cherry picked from commit dccf2e4c30)
Ticket: 4972
Completes commit c3a220647
DETECT_CONFIG is added as DETECT_SM_LIST_POSTMATCH and not
as DETECT_SM_LIST_MATCH as other keywords handled in SignatureCreateMask
(cherry picked from commit 00da0d3420)
If there is more data than a header, but not enough for a complete DNS
message, the hostname parser could return an error causing the probe to
fail on valid DNS messages.
So only parse the complete message if we have enough input data. This is
reliable for TCP as DNS messages are prefixed, but for UDP it's just
going to be the size of the input buffer presented to the parser, so
incomplete could still happen.
Ticket #5034
(cherry picked from commit 27679a12aa)
The DNS name parser will error out with an error even if the
error is incomplete. Instead of manually generating errors,
use '?' to let the nom error ripple up the error handling chain.
The reason this wasn't done in the first place is this code
predates the ? operator, or we were not aware of it at the time.
This prevents the case where probing fails when there is enough data to
parse the header, but not enough to complete name parser. In such a case
a parse error is returned (instead of incomplete) resulting in the
payload not being detected as DNS.
Ticket #5034
(cherry picked from commit 0623ada24d)
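The two DNS commits above both come down to one distinction: a name that is cut off by the end of the buffer is "incomplete" (the probe should wait for more data), while a name with an invalid label is an "error". The following C example, added here and not taken from Suricata's Rust DNS parser, shows a probe that keeps that distinction. The type and function names (DnsParseResult, DnsParseName, DnsProbe) and the sample query bytes are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

typedef enum { DNS_OK = 0, DNS_INCOMPLETE = 1, DNS_ERROR = 2 } DnsParseResult;

/* Parse one DNS name starting at buf[off]. On DNS_OK, *end is set to the
 * offset just past the name. Running out of buffer mid-name is reported as
 * DNS_INCOMPLETE, never as DNS_ERROR: the message may simply not have
 * arrived yet (the case the commits above fix). */
DnsParseResult DnsParseName(const uint8_t *buf, size_t len, size_t off, size_t *end)
{
    for (;;) {
        if (off >= len)
            return DNS_INCOMPLETE;                 /* length octet not yet available */
        uint8_t l = buf[off];
        if (l == 0) {                              /* root label terminates the name */
            *end = off + 1;
            return DNS_OK;
        }
        if ((l & 0xC0) == 0xC0) {                  /* compression pointer: 2 bytes, ends the name */
            if (off + 2 > len)
                return DNS_INCOMPLETE;
            *end = off + 2;
            return DNS_OK;
        }
        if (l & 0xC0)
            return DNS_ERROR;                      /* 0x40 / 0x80 label types are not valid here */
        if (off + 1 + l > len)
            return DNS_INCOMPLETE;                 /* label body cut off: wait for more data */
        off += 1 + l;
    }
}

/* Probe: 12-byte header, then the first question (name + qtype + qclass).
 * Returns DNS_INCOMPLETE when more data is needed, DNS_ERROR only for data
 * that cannot be DNS regardless of how much more arrives. */
DnsParseResult DnsProbe(const uint8_t *buf, size_t len)
{
    if (len < 12)
        return DNS_INCOMPLETE;
    uint16_t flags   = (uint16_t)((buf[2] << 8) | buf[3]);
    uint16_t qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    uint16_t opcode  = (flags >> 11) & 0x0F;
    if (opcode > 5)
        return DNS_ERROR;                          /* opcodes 6..15 are unassigned */
    if (qdcount == 0)
        return DNS_OK;                             /* nothing further to validate */
    size_t end = 0;
    DnsParseResult r = DnsParseName(buf, len, 12, &end);
    if (r != DNS_OK)
        return r;                                  /* incomplete stays incomplete */
    if (end + 4 > len)
        return DNS_INCOMPLETE;                     /* qtype + qclass still missing */
    return DNS_OK;
}

/* Constructed sample: a standard query for example.com, type A, class IN. */
static const uint8_t kExampleQuery[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* header */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,              /* QNAME  */
    0x00, 0x01, 0x00, 0x01                                                  /* A, IN  */
};

/* Constructed sample: valid header followed by an invalid 0x40 label type. */
static const uint8_t kBadLabelType[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x40, 'x'
};
```

Feeding the sample query to DnsProbe one prefix length at a time shows the behaviour the commits want: any prefix shorter than the full 29 bytes yields DNS_INCOMPLETE, including the 18-byte prefix that holds a complete header and a partial "example" label, while only the 0x40 label type produces DNS_ERROR.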
To recognize a protocol, Suricata first looks for
patterns, which can be confirmed by a probing parser.
If this does not work, Suricata can try to run
some probing parsers on some ports.
This is the case for SMB.
This commit makes handling the confirming and the probing
parser differently even if they share much code.
The confirmation parser knows that a pattern has been found.
So, it must not do the midstream case of looking for this
pattern in the whole buffer, but only check it at the beginning.
But it must reverse direction if needed.
Ticket #4849
Backported manually by jason.ish@oisf.net.
(cherry picked from commit 464ff80c6a)
Ticket: 4857
If a pattern such as GET is seen in the beginning of the
file transferred over ftp-data, this flow will get recognized
as HTTP, and a HTTP state will be created during parsing.
Thus, we cannot override directly alproto's values
This solves the segfault, but not the logical bug that the flow
should be classified as FTP-DATA instead of HTTP
(cherry picked from commit dd32238667)
The warning message suggests that the configuration section doesn't
exist when it does, but the "enabled" flag is not set. Clarify the
warning message that the enable status is not set.
Allow limiting in-flight out of order data chunks per size or count.
Implemented for read and writes separately:
app-layer.protocols.smb.max-write-queue-size
app-layer.protocols.smb.max-write-queue-cnt
app-layer.protocols.smb.max-read-queue-size
app-layer.protocols.smb.max-read-queue-cnt
(cherry picked from commit 4be8334c9e)
This is a minimal backport of 5618273ef4
to address ticket 5018.
Uses the "complete" version of take instead of the macro which is the
streaming variant.
Ticket #5018
If an SMB record is seen in the wrong direction, set an event on the PDU
frame and don't process the record in the state.
No error is returned, so the next record will be processed.
(cherry picked from commit 2341f47755)
The bits were being parsed in the order they're displayed in Wireshark,
rather than the order they were being seen on the wire, resulting in
direction and async being 0 more often than they should be.
Instead of bits, take the 4 bytes as an le_u32 and just use bit masks to
extract what we need into a struct, I think it's easier to reason about
this way when comparing to the Microsoft documentation.
(cherry picked from commit 7b659489c8)
Fix parsing of content like "|aa b cc|" which was parsed as "|aa bc|"
without error or warning. This will now fail out, requiring all hex
values to be 2 chars.
Ticket #5201
(cherry picked from commit 8d1e4a1d0b)
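The content fix above rejects hex blocks whose values are not exactly two digits instead of silently merging stray nibbles. As an added example (not Suricata's detect-content code), the following C parser decodes a rule content string and fails on "|aa b cc|" the way the commit describes; the function names, the backslash-escape handling and the 256-byte limit are assumptions for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

static int HexVal(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a content string such as "GET|20|/" into raw bytes.
 * Inside |...| every value must be exactly two hex digits separated by
 * whitespace; "|aa b cc|" and "|aaa|" are rejected rather than guessed at.
 * Outside |...| a backslash makes the next character literal.
 * Returns the number of bytes written, or -1 on a malformed string. */
int ParseContentString(const char *s, uint8_t *out, size_t outlen)
{
    size_t n = 0;
    int in_hex = 0;
    const char *p = s;
    while (*p != '\0') {
        if (in_hex) {
            if (*p == '|') { in_hex = 0; p++; continue; }
            if (isspace((unsigned char)*p)) { p++; continue; }
            int hi = HexVal((unsigned char)p[0]);
            int lo = (p[1] != '\0') ? HexVal((unsigned char)p[1]) : -1;
            if (hi < 0 || lo < 0)
                return -1;                         /* fewer than two hex digits */
            char next = p[2];
            if (next != '|' && !isspace((unsigned char)next))
                return -1;                         /* more than two hex digits, or unterminated */
            if (n >= outlen)
                return -1;
            out[n++] = (uint8_t)((hi << 4) | lo);
            p += 2;
        } else {
            if (*p == '|') { in_hex = 1; p++; continue; }
            if (*p == '\\') {                      /* escaped literal character */
                p++;
                if (*p == '\0')
                    return -1;
            }
            if (n >= outlen)
                return -1;
            out[n++] = (uint8_t)*p;
            p++;
        }
    }
    return in_hex ? -1 : (int)n;                   /* unterminated hex block is an error */
}

/* Convenience wrappers: decoded length (or -1), and the byte at an index (or -1). */
int ContentLen(const char *s)
{
    uint8_t buf[256];
    return ParseContentString(s, buf, sizeof buf);
}

int ContentByte(const char *s, size_t idx)
{
    uint8_t buf[256];
    int n = ParseContentString(s, buf, sizeof buf);
    return (n < 0 || idx >= (size_t)n) ? -1 : buf[idx];
}
```

The check on the character following each pair is what closes the gap: a single digit such as the "b" in "|aa b cc|" fails the two-digit read, and a run like "|aaa|" fails because the third digit is neither a separator nor the closing bar.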
If there is a space following a keyword that does not expect a value,
the rule fails to load due to improper value evaluation.
e.g. Space after "set" command
alert http any any -> any any (http.user_agent; dataset:set ,ua-seen,type string,save datasets.csv; sid:1;)
gives error
[ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - dataset action "" is not supported.
Fix this by handling values correctly for such cases.
(cherry picked from commit 6d2a2a0731)
Since:
9551cd0535 ("threading: don't pass locked flow between threads")
`MoveToWorkQueue()` unconditionally unlocks the flow. This allows simpler
locking handling, including of tcp reuse flows.
The simpler logic also fixes a scenario where TCP reuse flows got "unlocked"
twice, once in `FlowGetFlowFromHash()` and once in `MoveToWorkQueue()`.
Bug: #5248.
Coverity: 1494354.
(cherry picked from commit 57533d3e47)
Issue: 4550
This commit modifies the "stack trace on signal" to propagate the
original signal received instead of always raising SIGABRT.
(cherry picked from commit a3443845fb)
Issue: 4973
This commit makes stack-trace on fault configurable by
adding "--enable-libunwind" as a configure option.
By default, or if "--enable-libunwind=no" is specified, the libunwind
library will not be configured.
When "--enable-libunwind=yes" is specified, libunwind will be used iff
it can be found in one of the standard library locations.
This commit adds a signal handler for SIGSEGV when configured. The
signal handler emits a one line stack trace using SCLogError. The intent
is to provide diagnostic information in deployments where core files are
not possible.
The diagnostic message is from the offending thread and includes the
stack trace; each frame includes the symbol + offset.
(cherry picked from commit 7f0f463b64)
This commit adds a configuration setting to enable a stack trace message
if Suricata receives a signal that terminates execution, such as
SIGSEGV, SIGABRT.
(cherry picked from commit 163f70be9d)
This commit adds an error code for the diagnostic code used for
diagnostic messages following unexpected termination due to signals.
(cherry picked from commit 501c870a2c)
This commit adds support for enabling libunwind -- a library that can be
used to display stack information.
Libunwind is enabled and used by Suricata if present during
configuration. A diagnostic message is displayed if libunwind
cannot be found.
(cherry picked from commit 303dd29b50)
The current code doesn't cover all rows when more than one flow manager is
used. It leaves a single row between ftd->max and ftd->min of the next
manager orphaned. As an example:
hash_size=1000
flowmgr_number=3
range=333
instance  ftd->min  ftd->max
       0         0       333
       1       334       666
       2       667      1000
Rows not covered: 333, 666
(cherry picked from commit 8ef066318d)
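The orphaned-row problem above is easy to check mechanically: split the rows, let every manager walk its range, and count rows visited a number of times other than once. The C program below is an added illustration, not Suricata's flow-manager code; it reconstructs the split the commit describes (the "+1" on the second manager's min) beside a corrected split, and the names SplitRowsOld, SplitRowsFixed and CountBadRows are assumptions. The walk uses ftd->max as an exclusive bound, which is what reproduces the two missing rows in the commit's table.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Row range handled by one flow manager thread (mirrors ftd->min / ftd->max). */
typedef struct {
    uint32_t min;   /* first row, inclusive */
    uint32_t max;   /* end row, exclusive in the walk below */
} FlowManagerRange;

typedef void (*SplitFn)(uint32_t hash_size, uint32_t nmgrs, FlowManagerRange *out);

/* Reconstruction of the broken split: starting each manager one row after the
 * previous manager's max leaves that max row unwalked. */
static void SplitRowsOld(uint32_t hash_size, uint32_t nmgrs, FlowManagerRange *out)
{
    uint32_t range = hash_size / nmgrs;
    for (uint32_t i = 0; i < nmgrs; i++) {
        out[i].min = (i == 0) ? 0 : i * range + 1;
        out[i].max = (i == nmgrs - 1) ? hash_size : (i + 1) * range;
    }
}

/* Corrected split: each manager starts exactly where the previous one stops,
 * and the last manager absorbs the remainder of the integer division. */
static void SplitRowsFixed(uint32_t hash_size, uint32_t nmgrs, FlowManagerRange *out)
{
    uint32_t range = hash_size / nmgrs;
    for (uint32_t i = 0; i < nmgrs; i++) {
        out[i].min = i * range;
        out[i].max = (i == nmgrs - 1) ? hash_size : (i + 1) * range;
    }
}

/* Simulate the managers walking their rows; return the number of rows that are
 * orphaned or walked more than once, or -1 on bad arguments. */
int CountBadRows(uint32_t hash_size, uint32_t nmgrs, SplitFn split)
{
    if (hash_size == 0 || nmgrs == 0 || nmgrs > hash_size)
        return -1;
    FlowManagerRange *ranges = calloc(nmgrs, sizeof(*ranges));
    uint8_t *visits = calloc(hash_size, 1);
    if (ranges == NULL || visits == NULL) {
        free(ranges);
        free(visits);
        return -1;
    }

    split(hash_size, nmgrs, ranges);
    for (uint32_t i = 0; i < nmgrs; i++)
        for (uint32_t row = ranges[i].min; row < ranges[i].max && row < hash_size; row++)
            visits[row]++;

    int bad = 0;
    for (uint32_t row = 0; row < hash_size; row++)
        if (visits[row] != 1)
            bad++;

    free(ranges);
    free(visits);
    return bad;
}

int main(void)
{
    /* Same parameters as the commit's table: hash_size=1000, flowmgr_number=3. */
    printf("old split: %d bad rows, fixed split: %d bad rows\n",
           CountBadRows(1000, 3, SplitRowsOld), CountBadRows(1000, 3, SplitRowsFixed));
    return 0;
}
```

With the commit's parameters the old split reports two bad rows (333 and 666, the ones listed above) and the fixed split reports none; the check also holds when the division is not exact, for instance seven managers over 1000 rows.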
With this check, on the first packet of a certificate presenting
a length of 16Mbytes, we only allocate up to 65Kb
When we get to the point where need more than 65Kb, we realloc
to the true size.
With this check, it makes it more expensive for an attacker to use
this allocation as a way to trigger resource exhaustion...
(cherry picked from commit 862e84877f)
As is done for other targets,
so that all app-layer protocols are enabled,
even the ones disabled by default such as enip
And resets protocol detection every time we try
so that probing_parser_toserver_alproto_masks are fresh.
(cherry picked from commit 09c84d0c26)
Ticket: 4948
This is not the perfect solution, but it prevents triggering
the assert, and keeps the assert.
A better solution would need to create transaction from
the response parsing, in case a later command was buffered and
not answered. But this would not be enough as NoNewTx prevents
the creation of a new transaction for RSET...
(cherry picked from commit 4247605d87)
Instead of closing files in both direction when receiving a close request,
close only toserver files for the request and close toclient on receiving
a response.
(cherry picked from commit b336882008)