Replace keyword updates a prior content with a heap allocation of the
pattern the content should be replaced with. Make sure this is freed as
well.
Bug: #7997.
(cherry picked from commit ce9c7a024e)
Ticket: 7973
Files were supported on both TCP and UDP. But file detection keywords
such as file.data made signatures loading fail if the signature
was using an app-layer protocol that enabled on udp only, even
if the signatures could run smoothly.
(cherry picked from commit c99e159341)
Simplify DecodeVXLANEnabledForPort() to only check destination port
to avoids false positives when identifying VXLAN traffic.
Per RFC 7348 §5, VXLAN identification is based solely on the outer UDP
destination port (4789), regardless of inner packet direction. The
outer UDP source port is used for load balancing via inner packet
hash and should not be considered for VXLAN detection. This ensures
correct VXLAN identification for all encapsulated traffic patterns.
Checking both source and destination ports could incorrectly classify
non-VXLAN UDP traffic as VXLAN when the source port happens to be 4789,
leading to false positives in VXLAN detection and potential decode errors.
(cherry picked from commit 7a04a032b9)
Add MT live test capability:
- multi-tenant.sh: harness that sets up and steps through MT steps
- suricata-mt.yaml: Adds MT capability to Suricata
- tenant-1.yaml: Per-tenant configuration file
(cherry picked from commit 51c9609c7c)
Fix crashes in Lua when calling tx:response_line(), tx:request_line(),
tx:request_uri_raw(), or tx:request_host() on incomplete or malformed
HTTP transactions.
These functions return bstr pointers which may be NULL. Add NULL
checks before calling bstr_ptr() and bstr_len() to avoid segfaults.
Ticket: #7829
(cherry picked from commit 9fb33bbaf6)
- Declare the profiling name variable once we know the actual size allowed
for the name instead of before. Prevents an snprintf truncation warning.
- Account for the null byte when calculating how much space is left to
avoid an snprintf format string truncation warning.
Following commit 5379b52af2
rules that use multiple times the keyword tls.cert_subject
will result in
Warning: detect: duplicate instance for tls.cert_subject
These rules likely meant to use a multi-buffer which is not the
case for tls.cert_subject (even if it was documented so).
Ticket: 7890
This is put in a new section of upgrade notes for
upgrading to 8.0.1
Added a page that explains how rules are prioritized by Suri, as well
as what main different types of inspection happen and what elements are
involved when ordering rules.
Task #5449
CC unix-manager.o
unix-manager.c:258:13: warning: Use of memory after it is freed [unix.Malloc]
258 | if (item->fd == fd) {
| ^~~~~~~~
1 warning generated.
see jq 'paths( objects | (.type == "object" and (has("additionalProperties") | not) )) | join(".")' etc/schema.json
fix and complete bittorrent on the way
Explain briefly the internals of inspection of raw data in the following order:
- Stream Engine
- Stream reassembly
- Role of Detection Engine and Applayer Parsers
- High level communication between Stream and Detection Engine
- Relevant suricata.yaml settings
alongwith some diagrams.
Ticket 4351
Add information about:
- available tables, default policies and rule ordering
- Packet layer and applayer tables and hooks
- engine analysis output
- commandline options available
- how to load firewall rules
Also, reorganize sections and content to assist the definitions.
stream-tcp.c:1938:16: warning: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'tail') [core.NullDereference]
1938 | tail->next = old_head;
| ~~~~ ^
1 warning generated.
stream-tcp.c:1982:5: warning: Potential leak of memory pointed to by 'q' [unix.Malloc]
1982 | ssn->queue_len++;
| ^~~
1 warning generated.
RFC 7323 forbids a server to respond with a timestamp option in the
SYN/ACK when the SYN didn't have a timestamp option:
A TCP MAY send the TSopt in an initial <SYN> segment (i.e., segment
containing a SYN bit and no ACK bit), and MAY send a TSopt in
<SYN,ACK> only if it received a TSopt in the initial <SYN> segment
for the connection.
Once TSopt has been successfully negotiated, that is both <SYN> and
<SYN,ACK> contain TSopt, the TSopt MUST be sent in every non-<RST>
segment for the duration of the connection, and SHOULD be sent in an
<RST> segment (see Section 5.2 for details).
However, in the real world this pattern happens on benign traffic. This
would lead to missing logs and detection, and in IPS mode such sessions
would be blocked.
This patch allows this pattern when the `stream.liberal-timestamps` is
enabled (enabled by default).
Bug #4702.
Take SEQ and ACK into account for more scenarios.
SYN on SYN_SENT
In this case the SYN packets with different SEQ and other properties are
queued up. Each packet updates the ssn to reflect the last packet to
come in. The old ssn data is added to a TcpStateQueue entry in
TcpSession::queue. If the max queue length is exceeded, the oldest entry
is evicted. The queue is actually a single linked list, where the list
head reflects the oldest entry.
SYN/ACK on SYN_SENT
In this case the first check is if the SYN/ACK matches the session. If
it doesn't, the queue is checked to see if there SYN's stored. If one is
found that matches, it is used and the session is updated to reflect
that.
SYN/ACK on SYN_RECV
SYN/ACK resent on the SYN_RECV state. In this case the ssn is updated
from the current packet. The old settings are stored in a TcpStateQueue
entry in the TcpSession::queue.
ACK on SYN_RECV
Checks any stored SYN/ACKs before checking the session. If a queued
SYN/ACK was sound, the session is updated to match it.
Ticket: #3844.
Ticket: #7657.
Philippe Antoine
Victor Julien
Philippe Antoine
Fupeng Zhao
Juliana Fajardini
Jeff Lucovsky
Cheng Longfei
dependabot[bot]
Shivani Bhardwaj
Jason Ish
Jason Ish
Shivani Bhardwaj