Commit Graph

9677 Commits (bc1fd4c6fc6c6e97ebd4ff1accc572f1d85caa3c)

Author SHA1 Message Date
Victor Julien bc1fd4c6fc changelog: update for 4.1.7 6 years ago
Victor Julien 2a9bb46b4a rust: build and dist fixes
Bring up to date with 5.0.x.
6 years ago
Jason Ish 2c5b4dbbb5 rust/Makefile: Don't include Cargo.toml
There is no need to include Cargo.toml in the distribution,
it is always generated from Cargo.toml.in during
./configure.

(cherry picked from commit c6f168eb98)
6 years ago
vanlink 3224a593a0 stream/reassembly: fix data overlap check
Fix function CheckOverlap bug.

(cherry picked from commit 2456f27d08)
6 years ago
Victor Julien 8f40658061 streaming/api: fix overlap check
In some cases a SBB could be seen as overlapping with the requested
offset, when it was in fact precisely before it. In some special cases
this could lead to the stream engine not progressing the 'raw' progress.

(cherry picked from commit 2c050187a3)
6 years ago
Victor Julien 726d326084 nfs: implement post-GAP transaction cleanup
Close all prior transactions in the direction of the GAP, except the
file xfers. Those use their own logic described below.

After a GAP all normal transactions are closed. File transactions
are left open as they can handle GAPs in principle. However, the
GAP might have contained the closing of a file and therefore it
may remain active until the end of the flow.

This patch introduces a time based heuristic for these transactions.
After the GAP all file transactions are stamped with the current
timestamp. If 60 seconds later a file has seen no update, it's marked
as closed.

This is meant to fix resource starvation issues observed in long
running SMB sessions where packet loss was causing GAPs. Due to the
similarity of the NFS and SMB parsers, this issue is fixed for NFS
as well in this patch.

Bug #3424.
Bug #3425.

(cherry picked from commit f68c255f09)
6 years ago
Victor Julien 22af774800 threading: fix global declaration of trans_q
(cherry picked from commit bd3fac73b1)
6 years ago
Victor Julien 0e36544719 tls: fix missing extern logic for cert_id tracking
(cherry picked from commit aeefc82eb9)
6 years ago
Victor Julien 389ac211a1 stats: fix missing extern keyword
(cherry picked from commit 62c0f3d2b4)
6 years ago
Victor Julien 6541310c6d defrag: fix use of globals
(cherry picked from commit 903291f88a)
6 years ago
Victor Julien c28285a228 threading: fix queue handlers globals use
(cherry picked from commit 5c3c6c609c)
6 years ago
Victor Julien edf3714767 htp: fix globals use for flags
(cherry picked from commit 3ae1854d2f)
6 years ago
Victor Julien 36340d09d9 proto: fix globals use
(cherry picked from commit 85289f3283)
6 years ago
Victor Julien 0f3854013e flow: fix global variable use
(cherry picked from commit 5e583f3a12)
6 years ago
Victor Julien 57378688e0 stream: fix global declaration of the config
(cherry picked from commit 29f54a34ae)
6 years ago
Victor Julien 8b665b85ac threading/modules: fix global declarations
(cherry picked from commit 2436daccd9)
6 years ago
Victor Julien 50ebe000c8 ippair: fix global declarations
(cherry picked from commit c5f4b41881)
6 years ago
Victor Julien f7941518c0 host: fix global declarations
(cherry picked from commit 0a006d2258)
6 years ago
Victor Julien 11c15a3041 mpm: fix global declarations
(cherry picked from commit 29780d6164)
6 years ago
Victor Julien 41e44556f1 detect: fix global declaration of sigmatch_table
(cherry picked from commit b89059bda7)
6 years ago
Victor Julien 84174441f1 spm: fix global declaration of spm_table
(cherry picked from commit 0118e07d57)
6 years ago
Victor Julien 380bc80e09 threading: fix global declaration of threading_set_cpu_affinity
(cherry picked from commit a12c0b499d)
6 years ago
Victor Julien decb327d6e unix-socket: avoid using global variable w/o extern
(cherry picked from commit 45955d2e58)
6 years ago
Victor Julien 626d8976d2 decode: fix default-packet-size global variable
(cherry picked from commit a9a522fac3)
6 years ago
Timo Sigurdsson da0e5dcbbb init: Fix dropping privileges in nflog runmode
Using the run-as configuration option with the nflog capture method
results in the following error during the startup of suricata:
[ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed

This is because SCDropMainThreadCaps does not have any capabilities
defined for the nflog runmode (unlike other runmodes). Therefore, apply
the same capabilities to the nflog runmode that are already defined for
the nfqueue runmode. This has been confirmed to allow suricata to start
and drop its privileges in the nflog runmode.

Fixes redmine issue #3265.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
(cherry picked from commit 1262ecbde0)
6 years ago
Victor Julien 6d28097fe4 afl: fix compilation
(cherry picked from commit f05c12b70f)
6 years ago
Danny Browning 716189d6c9 source-pcap-file: Pcap File Init Failure Handling (#1694)
Better handle the case where the pcap file receive thread fails to initialize. Allow
initialization to complete, but terminate the thread quickly. Delay exiting
the unix socket runmode as late as possible.

(cherry picked from commit c0ab45aa6f)
6 years ago
Jason Ish 1a2eba906b travis: remove cocci and macos builds
These tests are covered by Github actions and removing
them may speed up the Travis builds to get results sooner.

It's still worth keeping some of these builds as they test
more compile time options than the Github Actions currently
do.

Backport of 222a81f85d.
6 years ago
Jason Ish bb613fbd2a rust: remove unnecessary parentheses (Rust 1.40 fixup)
Rust 1.40 in strict mode will now fail the build on the
presence of unnecessary parentheses.

warning: unnecessary parentheses around type
  --> src/smb/smb2_ioctl.rs:41:12
   |
41 |         -> (&mut SMBTransaction)
   |            ^^^^^^^^^^^^^^^^^^^^^ help: remove these parentheses
   |
   = note: `#[warn(unused_parens)]` on by default

(cherry picked from commit 5ee8323028)
6 years ago
Jeff Lucovsky 75b48f2c90 modbus: Update correct TX flags
(cherry picked from commit d4428d94de)
6 years ago
Victor Julien 184894fb56 smb: handle file transactions post-GAP
After a GAP all normal transactions are closed. File transactions
are left open as they can handle GAPs in principle. However, the
GAP might have contained the closing of a file and therefore it
may remain active until the end of the flow.

This patch introduces a time based heuristic for these transactions.
After the GAP all file transactions are stamped with the current
timestamp. If 60 seconds later a file has seen no update, it's marked
as closed.

This is meant to fix resource starvation issues observed in long
running SMB sessions where packet loss was causing GAPs.
6 years ago
Jason Ish b530fee787 flow: expose last time as a function
This function returns the individual components
of the timeval in output pointers making it suitable
for use over Rust FFI.
6 years ago
Fabrice Fontaine 5826cc9a7a configure.ac: fix --disable-geoip
$enableval should be used to know if the user has passed --enable-geoip
or --disable-geoip

Fixes:
 - http://autobuild.buildroot.org/results/a7a34f760ae5fe0922fdb720b8234dbcd85ed222

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit 61becb29bf)
6 years ago
Jason Ish e5c9407901 github-ci: use container for 18.04 build
As the action runs natively on 18.04 we were not explicitly
setting a container, but this means we're using what GitHub
provides us as a default state which might be broken. Instead
use the standard Ubuntu 18.04 container.

(cherry picked from commit b9515671be)
6 years ago
Victor Julien c91a7ad9dc changelog: update for 4.1.6 6 years ago
Victor Julien 3b1e2bd2d4 detect/asn1: fix offset bounds checking
(cherry picked from commit 627cc23769)
6 years ago
Jason Ish 14ad0ec24d ipv4: continue parsing options after invalid option
As long as an option has a valid length, we can continue
parsing the options after an invalid one.

(cherry picked from commit 8609939e60)
6 years ago
Jason Ish b76f1830ae ipv4: fail packet decoding on bad ipv4 option length
Currently all failures in IPv4 option decode are ignored with
respect to continuing to handle the packet.

Change this to fail, and abort handling the packet if the
option length is invalid.

Ticket 3328:
https://redmine.openinfosecfoundation.org/issues/3328

(cherry picked from commit df8db1ddb0)
6 years ago
Jeff Lucovsky b42f10b967 decode: Change return type of IPv4 and TCP options decode
The return value from the options decoder in TCP and IPv4 is ignored.
This commit changes the return type of the function to `void` and
modifies existing return points to return without a value.

When an error occurs, the packet state is being set to indicate whether
it's valid or not and the existing return value is never used.

(cherry picked from commit 8e464530ef)
6 years ago
Victor Julien 1c63d39058 stream: reject broken ACK packets
Fix evasion possibility by rejecting packets with a broken ACK field.
These packets have a non-0 ACK field, but do not have an ACK flag set.

Bug #3324.

Reported-by: Nicolas Adba
(cherry picked from commit fa692df37a)
6 years ago
Victor Julien ea0659de76 stream: fix SYN_SENT RST/FIN injection
RST injection during the SYN_SENT state could trick Suricata into marking
a session as CLOSED. The way this was done is: using an invalid TSECR value
in a RST+ACK packet. The ACK was needed to force Linux into considering the
TSECR value and compare it to the TSVAL from the SYN packet.

The second works only against Windows. The client would not use a TSVAL
but the RST packet would. Windows will reject this, but Suricata considered
the RST valid and triggered the CLOSED logic.

This patch addresses both. When the SYN packet used timestamp support,
the timestamp of the incoming packet is validated. Otherwise, the responding
packet should not have a timestamp.

Bug #3286

Reported-by: Nicolas Adba
(cherry picked from commit 9f0294fadc)
6 years ago
Victor Julien 268a79cc1f configure: require libhtp 0.5.32
(cherry picked from commit 9bcc1118e1)
6 years ago
Victor Julien 2838d1130c htp: close request only from request side
This allows the response side to keep going for just
a bit longer.

(cherry picked from commit 040aff5197)
6 years ago
Victor Julien 7dd8089add stream: in IDS mode, call app-layer at EOF
On stream end call app-layer with empty message in IDS mode.

(cherry picked from commit 77539e08fc)
6 years ago
Victor Julien 8b9e0c9858 stats: fix stats not always syncing in flow timeout
(cherry picked from commit 83bbe287e7)
6 years ago
Victor Julien 27caf51cac threading: add debug validation for stale packets
(cherry picked from commit 58b9a2dc21)
6 years ago
Victor Julien d954cd7550 threading: fix shutdown race condition
A BUG_ON statement would seemingly randomly trigger during the threading
shutdown logic. After a packet thread reached the THV_RUNNING_DONE state,
it would sometimes still receive flow timeout packets which would then
remain unprocessed.

1 main:   TmThreadDisableReceiveThreads(); <- stop capturing packets
2 worker: -> TmThreadTimeoutLoop (THV_FLOW_LOOP) phase starts
3 main:   FlowForceReassembly();           <- inject packets from flow engine
4 main:   TmThreadDisablePacketThreads();  <- then disable packet threads
5 main:   -> checks if 'worker' is ready processing packets
6 main:   -> sends THV_KILL to worker
7 worker: breaks out of TmThreadTimeoutLoop and changes to THV_RUNNING_DONE.

Part of the problem was with (5) above. When checking if the worker was
already done with its work, TmThreadDisablePacketThreads would not consider
the injected flow timeout packets. The second part of the problem was with (7),
where the worker checked if it was ready with the TmThreadTimeoutLoop in a
thread unsafe way.

As a result TmThreadDisablePacketThreads would not wait long enough for the
worker(s) to finish their work and would move the threads to the THV_RUNNING_DONE
phase by issuing the THV_KILL command.

When waiting for packet processing threads to process all in-flight packets,
also consider the 'stream_pq'. This will have received the flow timeout
packets.

Bug #1871.

(cherry picked from commit fe9aeed0f0)
6 years ago
Victor Julien e6bf601068 threading: fix flow timeout loop race
(cherry picked from commit 825173a2ba)
6 years ago
Victor Julien c251403ce7 threads: improve flow timeout loop
Improve thread safety and remove BUG_ON

(cherry picked from commit 92d38683ce)
6 years ago
Victor Julien 166b2a8216 threading: improve thread queues checking by dumping more info
(cherry picked from commit 56354afd41)
6 years ago