Allow rejecting both sides of a connection. Has the same support
as regular reject (which is essentially rejectsrc).
Ticket: #5974.
(cherry picked from commit 4905f38470)
The `stats.capture` object may have different properties based on the
capture method used.
This adds the ones pertaining to AF_PACKET capture.
Related to
Task #6434
(cherry picked from commit 2855574a2c)
While the counters exist, they're not present in the schema, causing
validation to fail if stats.stream-events is enabled.
Task #7858
(cherry picked from commit 025ffa6135)
The schema accounts for a stats counters group that is a subgroup of the
flows stats counters. Remove `flow_mgr`, thus.
(cherry picked from commit 173fec81f8)
To accompany the Exception Policy stats, also add information about any
Exception Policy triggered and for which target to the flow log event.
Task #6215
(cherry picked from commit 08e928988f)
Add stats counters for when there is an exception policy applied in case
of a session picked up midstream.
Task #5816
(cherry picked from commit caf590d51f)
We will register stats counters for all policies, even though for now
Suri only uses one possible configuration policy at a time. The idea is
that this could change in the near future, so we want to have this
ready.
Task #5816
(cherry picked from commit 657419b53e)
If TCP urgent handling is set to OOB processing, the number of OOB
bytes is tracked for SEQ offset calculations. If this offset is
non-zero, add the field to the flow record.
Ticket: #7411.
(cherry picked from commit 779f9d8ba3)
TCP urgent handling is a complex topic due to conflicting RFCs and
implementations.
Until now the URG flag and urgent pointer values were simply ignored,
leading to an effective "inline" processing of urgent data. Many
implementations, however, do not default to this behavior.
Many actual implementations use the urgent mechanism to send 1 byte of
data out of band to the application.
Complicating the matter is that the way the urgent logic is handled is
generally configurable at both the OS and the app level. So from the
network it is impossible to know with confidence what the settings are.
This patch adds the following policies:
`stream.reassembly.urgent.policy`:
- drop: drop URG packets before they affect the stream engine
- inline: ignore the urgent pointer and process all data inline
- oob (out of band): treat the last byte as out of band
- gap: skip the last byte, but do not adjust sequence offsets, leading to
gaps in the data
For the `oob` option, tracking of a sequence number offset is required,
as the OOB data does "consume" sequence number space. This is limited to
64k. For this reason, there is a second policy:
`stream.reassembly.urgent.oob-limit-policy`:
- drop: drop URG packets before they affect the stream engine
- inline: ignore the urgent pointer and process all data inline
- gap: skip the last byte, but do not adjust sequence offsets, leading to
gaps in the data
Bug: #7411.
(cherry picked from commit 6882bcb3e5)
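The two commits above describe the urgent policies in words; the following is an added toy model (not Suricata's reassembler, and not code from either commit) that runs the same three segments through each policy so the effect on the app-layer byte stream, and the sequence offset that only the `oob` policy needs, can be seen side by side. The 64k cap and the fallback to oob-limit-policy follow the commit text; the segment layout, the reading that the urgent byte is the last byte of the segment, the absence of overlap and retransmission handling, and all field and function names are modelling assumptions.

```python
"""Toy model of the four stream.reassembly.urgent.policy values.

Added example, not Suricata's reassembler. It shows what each policy does
with a URG segment and why the `oob` policy must carry a sequence offset:
the urgent byte consumes sequence space but is not delivered inline, so
every later byte is shifted by the number of OOB bytes seen so far. The 64k
cap and the switch to oob-limit-policy follow the commit text; everything
else (segment layout, 'urgent byte is the last byte of the segment', no
overlap/retransmission handling, the field names) is a modelling assumption.
"""
from dataclasses import dataclass, field

OOB_LIMIT = 64 * 1024  # assumed cap on tracked OOB bytes ("limited to 64k")


@dataclass
class Segment:
    seq: int            # absolute sequence number of payload[0]
    payload: bytes
    urg: bool = False   # URG set; the urgent byte is assumed to be payload[-1]


@dataclass
class Stream:
    policy: str                       # stream.reassembly.urgent.policy
    oob_limit_policy: str = "inline"  # stream.reassembly.urgent.oob-limit-policy
    base_seq: int = 0                 # seq that maps to app position 0
    app: bytearray = field(default_factory=bytearray)  # bytes the app layer sees
    holes: set = field(default_factory=set)            # app positions never filled
    oob: bytearray = field(default_factory=bytearray)  # urgent bytes kept out of band
    urg_offset: int = 0               # OOB bytes consumed so far (subtracted from seq)
    dropped: int = 0                  # URG segments discarded by the drop policy

    def _ensure(self, length):
        if length > len(self.app):
            self.app.extend(b"\x00" * (length - len(self.app)))

    def _write(self, seq, data):
        """Place data at its app-layer position; returns that position."""
        pos = seq - self.base_seq - self.urg_offset
        if pos > len(self.app):               # nothing received in between
            self.holes.update(range(len(self.app), pos))
        self._ensure(pos + len(data))
        self.app[pos:pos + len(data)] = data
        return pos

    def process(self, seg):
        if not seg.urg:                       # policies only touch URG segments
            self._write(seg.seq, seg.payload)
            return
        policy = self.policy
        if policy == "oob" and self.urg_offset >= OOB_LIMIT:
            policy = self.oob_limit_policy    # offset tracking exhausted
        if policy == "drop":
            self.dropped += 1
        elif policy == "inline":              # urgent pointer ignored entirely
            self._write(seg.seq, seg.payload)
        elif policy == "oob":
            head, urgent = seg.payload[:-1], seg.payload[-1:]
            self._write(seg.seq, head)
            self.oob += urgent
            self.urg_offset += 1              # later data shifts left by one byte
        elif policy == "gap":                 # byte skipped, offset NOT adjusted
            head = seg.payload[:-1]
            pos = self._write(seg.seq, head)
            self.holes.add(pos + len(head))
            self._ensure(pos + len(seg.payload))
        else:
            raise ValueError(f"unknown urgent policy {policy!r}")


def run(policy, segments, oob_limit_policy="inline"):
    """Feed segments in order through a fresh stream; returns the Stream."""
    s = Stream(policy, oob_limit_policy=oob_limit_policy, base_seq=segments[0].seq)
    for seg in segments:
        s.process(seg)
    return s


# Constructed sample: one request line where the second segment carries an
# urgent byte (0xff) as its last byte and the third continues the stream.
SAMPLE = [
    Segment(1000, b"GET "),
    Segment(1004, b"/\xff", urg=True),
    Segment(1006, b" HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for pol in ("drop", "inline", "oob", "gap"):
        s = run(pol, SAMPLE)
        print(f"{pol:6} app={bytes(s.app)!r} holes={sorted(s.holes)} "
              f"oob={bytes(s.oob)!r} urg_offset={s.urg_offset} dropped={s.dropped}")
```

With `oob` the app layer receives a contiguous request line and the offset ends at 1; with `gap` the same bytes land one position further right with a hole between them, and with `drop` the whole URG segment is missing, which is the data the detection engine would never see. Once the offset reaches the cap, the model applies the oob-limit-policy to every further URG segment while keeping the offset it has accumulated.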
If rrname, rdata or mname are truncated, set a flag field like
'rrname_truncated: true' to indicate that the name is truncated.
Ticket: #7280
(cherry picked from commit 37f4c52b22)
Ticket: 7199
Uses a config parameter detect.guess-applayer-tx to enable
this behavior (off by default)
This feature is requested for use cases with signatures not
using app-layer keywords but still targeting application
layer transactions, such as pass/drop rule combination,
or lua usage.
This overrides the previous behavior of checking if the signature
has a content match, by checking if there is only one live
transaction, in addition to the config parameter being set.
(cherry picked from commit f2c3776314)
The "eve.version" field is not always logged. Update the schema to
enforce that it is, and fix it for records that don't log it.
Ticket: #7167
(cherry picked from commit fcc1b1067b)
New suricata-verify test listens on loopback interface, resulting
in the capture and in_iface fields in the stats and event objects.
(cherry picked from commit f9cf87a003)
A CancelRequest can occur after any query request, and is sent over a
new connection, leading to a new flow. It won't take any reply, but, if
processed by the backend, will lead to an ErrorResponse.
Task #6577
(cherry picked from commit 30ac77ce65)
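As an added illustration of the message described in the commit above (example code, not Suricata's PostgreSQL parser), the block below builds a CancelRequest and classifies the first client bytes of a flow by the magic code at offset 4, which is how a parser tells a CancelRequest flow from a normal StartupMessage or SSLRequest flow. The message codes are those of the PostgreSQL frontend/backend protocol; the PID, secret key and startup parameters are constructed, and the function names are this example's own.

```python
"""Added example, not Suricata code: encode and classify the first message a
PostgreSQL client sends on a new TCP connection. A CancelRequest is a
complete front-end message on its own: 16 bytes holding the length, the
magic code 80877102, the target backend's PID and its secret key. It goes
over a fresh connection, which the server closes without replying; the
effect is an ErrorResponse on the connection running the cancelled query.
Message codes are from the PostgreSQL frontend/backend protocol; the PID,
key and startup parameters below are constructed.
"""
import struct

CANCEL_REQUEST_CODE = 80877102  # (1234 << 16) | 5678
SSL_REQUEST_CODE = 80877103     # (1234 << 16) | 5679
PROTOCOL_V3 = 196608            # major 3, minor 0: a StartupMessage


def build_cancel_request(pid, secret_key):
    # Int32 length (always 16), Int32 code, Int32 pid, Int32 key, big-endian
    return struct.pack("!IIII", 16, CANCEL_REQUEST_CODE, pid, secret_key)


def build_startup_message(params):
    body = b"".join(k.encode() + b"\x00" + v.encode() + b"\x00"
                    for k, v in params.items()) + b"\x00"
    return struct.pack("!II", 8 + len(body), PROTOCOL_V3) + body


def classify_first_message(data):
    """Classify the first client->server bytes of a flow.

    Returns (kind, details). Unlike the other startup messages, a
    CancelRequest expects no reply on this flow, so a one-message flow
    with no server data is normal rather than suspicious.
    """
    if len(data) < 8:
        return ("incomplete", None)
    length, code = struct.unpack("!II", data[:8])
    if code == CANCEL_REQUEST_CODE:
        if length != 16 or len(data) < 16:
            return ("malformed", None)
        pid, key = struct.unpack("!II", data[8:16])
        return ("CancelRequest", {"pid": pid, "secret_key": key, "expects_reply": False})
    if code == SSL_REQUEST_CODE:
        return ("SSLRequest", {"expects_reply": True})
    if code == PROTOCOL_V3:
        if length > len(data) or length < 9:
            return ("malformed", None)
        fields = data[8:length - 1].split(b"\x00")  # drop the final terminator
        if fields and fields[-1] == b"":
            fields.pop()
        params = {k.decode(): v.decode() for k, v in zip(fields[::2], fields[1::2])}
        return ("StartupMessage", params)
    return ("unknown", None)


if __name__ == "__main__":
    cancel = build_cancel_request(pid=4242, secret_key=0xDEADBEEF)
    print(cancel.hex(), classify_first_message(cancel))
    startup = build_startup_message({"user": "alice", "database": "app"})
    print(classify_first_message(startup))
```

The PID and secret key are the ones the backend handed out in its BackendKeyData message on the original connection, so the cancel flow alone contains everything needed to correlate it with the query it targets.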
* Log vendor client identifier (dhcp option 60) if extended dhcp
logging is turned on. This required the `vendor_client_identifier` to
be added to the json schema. Validation done using an SV Test
* Added `requested_ip` to the json schema as well, since it was
missed. My SV test failed without it.
Feature #4587
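The commit above adds two DHCP options to the log; the following added example (not Suricata's DHCP parser, and not part of the commit) walks the options field of a constructed DHCPDISCOVER and extracts option 50 (Requested IP Address) and option 60 (Vendor Class Identifier), with the truncated-option case handled rather than silently accepted. The output keys `requested_ip` and `vendor_client_identifier` are the schema names from the commit and gating option 60 on `extended` mirrors the text; the `dhcp_type` key, the function names, and which other fields are extended-only are assumptions of this example.

```python
"""Added example, not Suricata code: walk the DHCP options field and pull
out option 50 (Requested IP Address) and option 60 (Vendor Class
Identifier). Output keys `requested_ip` and `vendor_client_identifier`
are the schema names from the commit; gating option 60 on `extended`
mirrors the text, while the `dhcp_type` key and which other fields are
extended-only are assumptions. The DISCOVER packet is constructed.
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132, marks the start of options
OPT_PAD, OPT_END = 0, 255
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_VENDOR_CLASS = 50, 53, 60
MSG_TYPES = {1: "discover", 2: "offer", 3: "request", 4: "decline",
             5: "ack", 6: "nak", 7: "release", 8: "inform"}


def parse_options(data):
    """TLV walk over the options; pad has no length byte, end stops the walk."""
    opts, i = {}, 0
    while i < len(data):
        tag = data[i]
        if tag == OPT_PAD:
            i += 1
            continue
        if tag == OPT_END:
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError(f"option {tag}: {length} bytes declared, {len(value)} present")
        opts[tag] = value
        i += 2 + length
    return opts


def dhcp_log_fields(packet, extended=False):
    """Return EVE-style fields for one BOOTP/DHCP payload (UDP payload only)."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts = parse_options(packet[240:])
    rec = {}
    if len(opts.get(OPT_MSG_TYPE, b"")) == 1:
        rec["dhcp_type"] = MSG_TYPES.get(opts[OPT_MSG_TYPE][0], "unknown")
    if len(opts.get(OPT_REQUESTED_IP, b"")) == 4:
        rec["requested_ip"] = str(ipaddress.IPv4Address(opts[OPT_REQUESTED_IP]))
    if extended and OPT_VENDOR_CLASS in opts:
        # free-form bytes chosen by the client; never assume it is printable
        rec["vendor_client_identifier"] = opts[OPT_VENDOR_CLASS].decode("ascii", "replace")
    return rec


def _opt(tag, value):
    return bytes([tag, len(value)]) + value


# Constructed DHCPDISCOVER: op=1 (BOOTREQUEST), htype=1, hlen=6, rest zeroed.
SAMPLE_DISCOVER = (
    bytes([1, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE
    + _opt(OPT_MSG_TYPE, b"\x01")
    + _opt(OPT_REQUESTED_IP, bytes([10, 0, 0, 42]))
    + _opt(OPT_VENDOR_CLASS, b"MSFT 5.0")
    + bytes([OPT_END])
)

if __name__ == "__main__":
    print(dhcp_log_fields(SAMPLE_DISCOVER))
    print(dhcp_log_fields(SAMPLE_DISCOVER, extended=True))
```

Option 60 is attacker-controlled text, so the decode uses replacement rather than raising; the schema field can then be typed as a plain string, which is the case the SV test in the commit exercises.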