To fix a null ptr deref:
Program received signal SIGSEGV, Segmentation fault.
__strcmp_avx2_rtm () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:115
115 ../sysdeps/x86_64/multiarch/strcmp-avx2.S: No such file or directory.
(gdb) bt
#0 __strcmp_avx2_rtm () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:115
#1 0x000055555568afec in AffinitySetupLoadFromConfig () at util-affinity.c:183
#2 0x0000555555748785 in RunModeInitializeThreadSettings () at runmodes.c:1000
#3 0x0000555555682f51 in SuricataMain (argc=19, argv=<optimized out>) at suricata.c:2979
#4 0x00007ffff6829d90 in __libc_start_call_main (main=main@entry=0x55555567fa20 <main>, argc=argc@entry=19, argv=argv@entry=0x7fffffffe168) at ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x00007ffff6829e40 in __libc_start_main_impl (main=0x55555567fa20 <main>, argc=19, argv=0x7fffffffe168, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe158) at ../csu/libc-start.c:392
#6 0x000055555567f955 in _start ()
(gdb) f 1
#1 0x000055555568afec in AffinitySetupLoadFromConfig () at util-affinity.c:183
183 if (strcmp(affinity->val, "decode-cpu-set") == 0 ||
(gdb) p affinity->val
$1 = 0x0
Introduce KiB, MiB and GiB. They are case sensitive as a lower case 'b'
means bits in the IEEE 1541 scheme.
KiB = 1024
MiB = 1048576
GiB = 1073741824
Ticket: #1457.
(cherry picked from commit 342aec8f1c)
Left the error messages untouched in the backport. So this is more
quietly supporting the new units.
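As an added example (not Suricata's own ParseSizeString code): a parser for the byte-size notation the commit introduces. It accepts a plain byte count or an IEC suffix and compares the suffix case-sensitively, so "kib", "Kib" (which would read as kibibits) or other variants are rejected rather than silently scaled. The function name, the whitespace tolerance and the overflow handling are assumptions of this example; the project's pre-existing units are not handled here.

```c
/* Added example, not Suricata code: parse "4096", "10KiB", "2 MiB", "1GiB"
 * into a byte count. IEC suffixes are case-sensitive: lower-case 'b' means
 * bits, so "10kib" and "10Kib" are errors, not 10240 bytes. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 and stores the byte count in *out on success, 0 on any error. */
int parse_size_iec(const char *s, uint64_t *out)
{
    if (s == NULL || out == NULL)
        return 0;
    while (isspace((unsigned char)*s))
        s++;
    if (*s == '-' || *s == '+')        /* strtoull would accept a sign; we do not */
        return 0;

    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (end == s || errno == ERANGE)   /* no digits at all, or too large */
        return 0;

    while (isspace((unsigned char)*end)) /* allow "2 MiB" as well as "2MiB" */
        end++;

    uint64_t mult;
    if (*end == '\0') {
        mult = 1;                      /* bare number: bytes */
    } else if (strcmp(end, "KiB") == 0) {
        mult = 1024ULL;
    } else if (strcmp(end, "MiB") == 0) {
        mult = 1048576ULL;
    } else if (strcmp(end, "GiB") == 0) {
        mult = 1073741824ULL;
    } else {
        return 0;                      /* wrong case, bits, or trailing junk */
    }

    if (v > UINT64_MAX / mult)         /* reject multiplication overflow */
        return 0;
    *out = (uint64_t)v * mult;
    return 1;
}

int main(void)
{
    const char *inputs[] = { "4096", "10KiB", "2 MiB", "1GiB", "10kib", "10Kib", "-5KiB" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        uint64_t bytes = 0;
        if (parse_size_iec(inputs[i], &bytes))
            printf("%-8s -> %llu bytes\n", inputs[i], (unsigned long long)bytes);
        else
            printf("%-8s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

The strict `strcmp` against the exact suffix is the whole point: a case-insensitive compare would turn a bits-per-second style value into a byte count 8 times too large without any error.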
This commit adds the null output device; to use, set the filetype
to "nullsink" for each output that should discard and never persist
logs/alerts/etc.
This is implemented as an "internal eve output plugin" just like the
syslog eve output type.
(cherry picked from commit ad96382cf2)
While debug_validate_bug_on is still used, it does not need to be
imported directly, as that macro is marked with `macro_export`, making
it globally available to the crate.
(cherry picked from commit 50224f2ee5)
Ticket: 3220
DetectSslVersionMatch did not handle negation properly.
It could never match on a signature with ssl_version: !tls1.3
That is because, if we had such a signature and network traffic
with tls1.1, we were looking into DetectSslVersionData field
for tls1.1, which was not set, instead of looking at field
for tls1.3 which was set with negated flag.
Previous DetectSslVersionData was holding redundant information.
It did not need to have it for each ssl version, but just globally.
Also, it did not need to hold the version as a value in the array,
as it was redundant with the index of the array.
(cherry picked from commit c93e69830a)
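As an added example (not the project's DetectSslVersion code): a model of the keyword after the fix, with the version set held once as a bitmask plus a single negation flag, next to a model of the pre-fix lookup that consulted the entry for the version seen on the wire. Type names, the parser and the rejection of mixed negation are assumptions made for this example.

```c
/* Added example, not Suricata code: ssl_version matching with negation.
 * Fixed form: one bitmask of listed versions + one global negated flag.
 * Buggy form (modelled from the commit text): per-version entries, looked
 * up by the traffic's version, so "!tls1.3" vs tls1.1 traffic never matched. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ssl_ver { SSLV2 = 0, SSLV3, TLS10, TLS11, TLS12, TLS13, SSL_VER_MAX };

static const char *ssl_ver_names[SSL_VER_MAX] = {
    "sslv2", "sslv3", "tls1.0", "tls1.1", "tls1.2", "tls1.3"
};

typedef struct {
    uint8_t mask;    /* bit i set: version i is listed in the keyword */
    uint8_t negated; /* the whole list is negated ("!"), stored once */
} ssl_version_data;

/* Parse "tls1.2,tls1.3" or "!tls1.3". Returns 0 on success, -1 on an
 * unknown version, an empty list, or a mix of negated and plain entries. */
int ssl_version_parse(const char *arg, ssl_version_data *d)
{
    char buf[128];
    memset(d, 0, sizeof(*d));
    if (arg == NULL || strlen(arg) >= sizeof(buf))
        return -1;
    strcpy(buf, arg);

    int negated = -1;
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        while (*tok == ' ')
            tok++;
        int neg = 0;
        if (*tok == '!') {
            neg = 1;
            tok++;
        }
        if (negated == -1)
            negated = neg;
        else if (negated != neg)
            return -1;               /* "tls1.2,!tls1.3" is ambiguous: reject */

        int found = 0;
        for (int i = 0; i < SSL_VER_MAX; i++) {
            if (strcmp(tok, ssl_ver_names[i]) == 0) {
                d->mask |= (uint8_t)(1u << i);
                found = 1;
                break;
            }
        }
        if (!found)
            return -1;
    }
    if (negated == -1)
        return -1;                   /* empty argument */
    d->negated = (uint8_t)negated;
    return 0;
}

/* Fixed match: set membership, inverted once by the global flag. */
int ssl_version_match(const ssl_version_data *d, enum ssl_ver v)
{
    int in_set = (d->mask >> v) & 1;
    return d->negated ? !in_set : in_set;
}

/* Pre-fix behaviour: only the entry for the traffic's own version is
 * consulted. For "!tls1.3" that entry is unset for tls1.1 traffic, so the
 * negated rule can never fire. */
int ssl_version_match_buggy(const ssl_version_data *d, enum ssl_ver v)
{
    int in_set = (d->mask >> v) & 1;
    if (!in_set)
        return 0;                    /* entry for v was never populated */
    return d->negated ? 0 : 1;       /* entry present but flagged negated */
}

int main(void)
{
    ssl_version_data d;
    if (ssl_version_parse("!tls1.3", &d) != 0)
        return 1;
    printf("!tls1.3 vs tls1.1: fixed=%d buggy=%d\n",
           ssl_version_match(&d, TLS11), ssl_version_match_buggy(&d, TLS11));
    printf("!tls1.3 vs tls1.3: fixed=%d buggy=%d\n",
           ssl_version_match(&d, TLS13), ssl_version_match_buggy(&d, TLS13));
    return 0;
}
```

Storing the negation once is also what removes the redundancy the commit mentions: the version is the bit index, so nothing has to carry the version as a value alongside it.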
Allow rejecting both sides of a connection. Has the same support
as regular reject (which is essentially rejectsrc).
Ticket: #5974.
(cherry picked from commit 4905f38470)
The `stats.capture` object may have different properties based on the
capture method used.
This adds the ones pertaining to AF_PACKET capture.
Related to
Task #6434
(cherry-picked from commit 2855574a2c)
While the counters exist, they're not present in the schema, causing
validation to fail if stats.stream-events is enabled.
Task #7858
(cherry picked from commit 025ffa6135)
The schema accounts for a stats counters group that is a subgroup of the
flows stats counters. Remove `flow_mgr`, thus.
(cherry-picked from commit 173fec81f8)
In `add-hostbit`, `remove-hostbit` and `list-hostbit` commands, the IPv6
address parsing was not using the correct variable:
from /usr/include/dirent.h:25,
from suricata-common.h:73,
from runmode-unix-socket.c:18:
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitAdd’ at runmode-unix-socket.c:1316:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitRemove’ at runmode-unix-socket.c:1403:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitList’ at runmode-unix-socket.c:1476:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
Bug: #8102.
(cherry picked from commit 874a0e8d3d)
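As an added example (not the unix-socket hostbit code): parsing an address argument into a destination buffer sized for its family, which is what the fortified inet_pton warning above is complaining about. `struct in_addr` is 4 bytes and `struct in6_addr` is 16, so handing the IPv4 buffer to an AF_INET6 conversion overflows it. The struct layout, the family selection by syntax and the function name are assumptions of this example.

```c
/* Added example, not Suricata code: parse an IPv4 or IPv6 literal into a
 * union that has a correctly sized member for each family. Writing an
 * AF_INET6 result into a struct in_addr (4 bytes) is the bug the fortify
 * check flags; here each family gets its own 4- or 16-byte destination. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int family;                 /* AF_INET or AF_INET6; 0 when unparsed */
    union {
        struct in_addr  v4;     /* 4 bytes */
        struct in6_addr v6;     /* 16 bytes */
    } addr;
} parsed_addr;

/* Returns 1 on success, 0 if s is neither a valid IPv4 nor IPv6 literal. */
int parse_ip_literal(const char *s, parsed_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (s == NULL)
        return 0;
    /* A colon can only appear in an IPv6 literal; choose the buffer by family. */
    if (strchr(s, ':') != NULL) {
        if (inet_pton(AF_INET6, s, &out->addr.v6) != 1)
            return 0;
        out->family = AF_INET6;
    } else {
        if (inet_pton(AF_INET, s, &out->addr.v4) != 1)
            return 0;
        out->family = AF_INET;
    }
    return 1;
}

int main(void)
{
    const char *inputs[] = { "192.0.2.1", "2001:db8::1", "not-an-ip" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        parsed_addr a;
        char text[INET6_ADDRSTRLEN];
        if (!parse_ip_literal(inputs[i], &a)) {
            printf("%-12s -> rejected\n", inputs[i]);
            continue;
        }
        inet_ntop(a.family, &a.addr, text, sizeof(text));
        printf("%-12s -> %s (%s)\n", inputs[i], text,
               a.family == AF_INET6 ? "AF_INET6" : "AF_INET");
    }
    return 0;
}
```

Building with `-O2 -D_FORTIFY_SOURCE=2` is what makes glibc emit the `__inet_pton_chk_warn` diagnostic when the destination is provably too small; the union above keeps the destination size tied to the family argument at every call site.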
In file included from decode.h:33,
from host.h:27,
from util-threshold-config.c:34:
util-threshold-config.c: In function 'SCThresholdConfInitContext':
util-debug.h:260:5: warning: '%s' directive argument is null [-Wformat-overflow=]
260 | SCLogErr(SC_LOG_WARNING, __FILE__, __FUNCTION__, __LINE__, _sc_module, __VA_ARGS__)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
util-threshold-config.c:190:9: note: in expansion of macro 'SCLogWarning'
190 | SCLogWarning("Error loading threshold configuration from %s", filename);
| ^~~~~~~~~~~~
util-threshold-config.c:190:66: note: format string is defined here
190 | SCLogWarning("Error loading threshold configuration from %s", filename);
| ^~
(cherry picked from commit 3a0f4dde07)
The engine uses p.alerts.cnt as an index to access the packet alert that
has the `pass` action for the verdict.
For IDS/IPS mode, a `pass` will always be the last signature in the
alert queue. However, that position could be either `p.alerts.cnt` or
`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert`
keyword or not.
This patch fixes corner-case scenarios of:
- accessing an index out of boundaries
- off-by-one access
Without changing how the engine increments the alerts.cnt, as this is
used in many places, and would be a more invasive change.
It checks the two different scenarios, plus the case when there is only
a single match as a silent `pass` rule.
Bug #8021
Bug #7630
81ee6f5aad ("lua: push correct length back through ScFlowvarGet, work around valgrind warning")
added a workaround for valgrind warnings in pushing a string buffer
into the lua state. This is no longer needed as tested with both
address sanitizer and valgrind.
(cherry picked from commit 52fd61dffd)
Ubuntu 20.04, supported distro for 7.0.x, still contains
DPDK 19.11 in the pkg repository, so it keeps being build-tested as
opposed to the 9.0.x version.
(cherry picked from commit ee0b08692c)
DPDK Bonding API has been changed in DPDK version 23.11 where
the old *slave* API was marked as deprecated and the new *member*
API was marked as experimental.
This was unfortunately executed by marking both API variants
at the same time. The deprecated version is removed from the follow
up versions while the experimental version will become stable
in the next DPDK releases. This is based on a policy in DPDK where
an API change needs to be merged in main for 1 stable release before
removing the experimental flag.
In DPDK 24.11 this has been fixed and warning suppression is not
added.
Ticket: 8013
(cherry picked from commit 27383f878d)
The exclude function incorrectly performs a XOR operation. While it
works when the worker cores occupy all cores, it is not the correct
operation. For example, when a core is affined to only management
and not worker threads, the XOR operation affines it to the worker set.
(1 XOR 0 -> 1, where in fact the desired outcome is 0)
Ticket: 7977
(cherry picked from commit 8f63094744)
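As an added example (not Suricata's util-affinity code): the wrong and the right way to remove a management core set from a worker core set, using a 64-bit mask as a stand-in for a cpu_set_t so the bit-level behaviour is visible. Function names and the mask representation are assumptions of this example.

```c
/* Added example, not Suricata code: exclude management cores from the
 * worker set. XOR only works when every mgmt core is also a worker core;
 * a core that is mgmt-only gets flipped INTO the worker set (1 XOR 0 = 1).
 * AND-NOT clears exactly the mgmt cores and touches nothing else. */
#include <stdint.h>
#include <stdio.h>

/* Buggy form from the commit text: symmetric difference, not exclusion. */
uint64_t cpus_exclude_xor(uint64_t worker, uint64_t mgmt)
{
    return worker ^ mgmt;
}

/* Correct form: keep worker cores that are not in mgmt. */
uint64_t cpus_exclude(uint64_t worker, uint64_t mgmt)
{
    return worker & ~mgmt;
}

static void show(const char *label, uint64_t worker, uint64_t mgmt)
{
    printf("%s worker=0x%02llx mgmt=0x%02llx xor=0x%02llx andnot=0x%02llx\n",
           label, (unsigned long long)worker, (unsigned long long)mgmt,
           (unsigned long long)cpus_exclude_xor(worker, mgmt),
           (unsigned long long)cpus_exclude(worker, mgmt));
}

int main(void)
{
    /* mgmt core 1 is inside the worker set 0-7: both operations agree */
    show("subset  ", 0xFFu, 0x02u);
    /* mgmt core 0 is NOT a worker core (workers are 2-7): XOR adds core 0 */
    show("disjoint", 0xFCu, 0x01u);
    return 0;
}
```

The failure only appears once the management set is not a subset of the worker set, which is exactly the case the commit names: a core affined to management only. Any test that pins management cores inside the worker range passes with both operators and hides the bug.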
Track what attributes have been logged and skip over duplicate
attributes to avoid having duplicate fields in the JSON object, which
is invalid JSON.
This is lossy, subsequent attributes are lost.
Ticket: #7923
(cherry picked from commit 35464150de)
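As an added example (not the project's JSON output code): building a flat JSON object from a list of attribute name/value pairs while remembering which names have already been emitted, so a repeated attribute is dropped instead of producing a duplicate field. The pair layout, the fixed-size seen list and the assumption that values need no escaping are this example's simplifications.

```c
/* Added example, not Suricata code: emit {"k":"v",...} from attribute pairs,
 * keeping only the first occurrence of each key. Later duplicates are
 * dropped (lossy, as the commit says) rather than written twice, because a
 * JSON object with repeated names is ambiguous to consumers. Values are
 * assumed to contain no characters needing JSON escaping. */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *key;
    const char *val;
} attr;

#define MAX_SEEN 64

/* Append s to out at *pos; returns 0 if it would not fit. */
static int put(char *out, size_t outlen, size_t *pos, const char *s)
{
    size_t l = strlen(s);
    if (*pos + l + 1 > outlen)      /* +1 keeps room for the terminator */
        return 0;
    memcpy(out + *pos, s, l);
    *pos += l;
    return 1;
}

/* Returns the number of duplicates dropped, or -1 if out is too small or
 * more than MAX_SEEN distinct keys appear. out is always NUL-terminated. */
int attrs_to_json(const attr *a, int n, char *out, size_t outlen)
{
    const char *seen[MAX_SEEN];
    int nseen = 0, dropped = 0, first = 1;
    size_t pos = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (!put(out, outlen, &pos, "{"))
        return -1;

    for (int i = 0; i < n; i++) {
        int dup = 0;
        for (int j = 0; j < nseen; j++) {
            if (strcmp(seen[j], a[i].key) == 0) {
                dup = 1;
                break;
            }
        }
        if (dup) {                  /* already logged: skip, count it */
            dropped++;
            continue;
        }
        if (nseen == MAX_SEEN)
            return -1;
        seen[nseen++] = a[i].key;

        if (!first && !put(out, outlen, &pos, ","))
            return -1;
        first = 0;
        if (!put(out, outlen, &pos, "\"") || !put(out, outlen, &pos, a[i].key) ||
            !put(out, outlen, &pos, "\":\"") || !put(out, outlen, &pos, a[i].val) ||
            !put(out, outlen, &pos, "\""))
            return -1;
    }
    if (!put(out, outlen, &pos, "}"))
        return -1;
    out[pos] = '\0';
    return dropped;
}

int main(void)
{
    /* constructed sample: "cn" appears twice, second value is discarded */
    const attr sample[] = {
        { "cn", "alice" }, { "mail", "alice@example.test" }, { "cn", "bob" }
    };
    char buf[256];
    int dropped = attrs_to_json(sample, 3, buf, sizeof(buf));
    printf("%s (dropped %d)\n", buf, dropped);
    return 0;
}
```

Returning the drop count gives the caller a way to surface the loss (a stats counter or a debug log) instead of hiding it, which matters when the discarded value is the one an analyst expected to see.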
Replace keyword updates a prior content with a heap allocation of the
pattern the content should be replaced with. Make sure this is freed as
well.
Bug: #7997.
(cherry picked from commit ce9c7a024e)