A DNP3 message can be a request or response, but not both. This is how
the transaction is structured.
Instead of having 2 values, "has_request" and "has_response", just
provide one field, "is_request" as a boolean.
Ticket: #7601
This is an initial 1:1 conversion which is rather simple, as DNP3 only
had one function which converted the whole transaction to a DNP3
table.
Ticket: #7601
In addition to

```lua
function init (args)
    local needs = {}
    needs["dnp3"] = tostring(true)
    return needs
end
```

allow for

```lua
function init (args)
    return {dnp3=true}
end
```

with the idea that the former will be completely removed for 8.0.
This works with all existing SV tests, and as a string value, any value
is considered "truthy".
Just return NULL if tx->mime_state is NULL or if SCDetectMimeEmailGetData returns 0.
Fixes:
09db7c7 ("detect: add mime email.subject keyword")
90aab0d ("detect: add email.from")
Deranged v0.4.1 (a dependency of the time crate) has implemented
PartialOrd for some integer types, which conflicts with the
implementation in the standard library, creating an ambiguity, as such
implementations are global. For more info see
https://github.com/jhpratt/deranged/issues/18.
To fix, use "::from" directly instead of .into(), which is where
we run into the ambiguity.
If "tpacket-v3" is not present in the configuration file, and we are
in IDS mode, default to "tpacket-v3".
Required moving the check for tpacket-v3 after the copy-mode
configuration, so the warning about tpacket-v3 in active modes has
been moved as well.
Ticket: #4798
The stats for exception policies are only logged/present when any of
the exception policies are enabled (which means any value other than
"auto" or "ignore" in IDS mode, or "ignore" in IPS mode).
This wasn't clearly stated in the docs.
To accompany the Exception Policy stats, also add information about any
Exception Policy triggered and for which target to the flow log event.
Task #6215
Notable changes from the previous API:
- rcode will return the rcode as an integer
- rcode_string will return the string representation
Also fixes an issue where an rcode of 0 was returned as nil.
Ticket: #7602
Ethernet metadata is missing for events triggered on flow timeout
pseudopackets. Use the first set of mac addresses stored with the
flow to fill in the ether field.
Ticket: #5486
Avoids setting a 0 snaplen in BPF, leading to an error.
Fixes: b8b6ed550a ("af-packet: delay setting default-packet-size for af-packet")
Ticket: #7618
Ticket: #7615
Avoids signatures setting extreme hash sizes, which would lead to very
high memory use.
Default to allowing:
- 65536 per dataset
- 16777216 total
To override these built-in defaults:
```yaml
datasets:
# Limits for per rule dataset instances to avoid rules using too many
# resources.
limits:
# Max value for per dataset `hashsize` setting
#single-hashsize: 65536
# Max combined hashsize values for all datasets.
#total-hashsizes: 16777216
```
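A way to audit a ruleset against these limits before loading it, as an added example rather than Suricata's own code: it pulls every `dataset:` keyword out of the rules, records the `hashsize` each dataset asks for, and reports any dataset over the single-hashsize limit and whether the combined total exceeds total-hashsizes. The limit values are the defaults stated above; the sample rules are constructed for this example, and the 1024 default used for a dataset that sets no hashsize, as well as the choice to keep the largest hashsize when several rules name the same dataset, are assumptions.

```python
import re

# Built-in limits from the datasets.limits section above (suricata.yaml).
DEFAULT_SINGLE_HASHSIZE = 65536
DEFAULT_TOTAL_HASHSIZES = 16777216

# A dataset keyword that sets no hashsize still allocates a table; the value
# used for it here is an assumption for this example, not Suricata's default.
ASSUMED_DEFAULT_HASHSIZE = 1024

# Matches the dataset keyword body: dataset:<cmd>,<name>,<opt>,<opt>,...;
DATASET_RE = re.compile(r"\bdataset:\s*([^;]*);")

# Constructed sample ruleset (not from the page): one rule within the limit,
# one asking for an absurd hashsize, one relying on the default.
SAMPLE_RULES = """\
alert http any any -> any any (msg:"known bad host"; http.host; dataset:isset,bad-hosts,type string,load bad-hosts.lst,hashsize 65536; sid:1;)
alert dns any any -> any any (msg:"huge dataset"; dns.query; dataset:isset,huge,type string,hashsize 4294967295; sid:2;)
alert tls any any -> any any (msg:"record ja3"; ja3.hash; dataset:set,seen-ja3,type md5; sid:3;)
"""


def parse_dataset_hashsizes(rules_text):
    """Return {dataset name: requested hashsize} for every dataset keyword.

    Rules that name the same dataset share one instance, so the largest
    hashsize requested for a name is kept (assumption for this check)."""
    sizes = {}
    for match in DATASET_RE.finditer(rules_text):
        fields = [f.strip() for f in match.group(1).split(",")]
        if len(fields) < 2:
            continue  # malformed keyword; let Suricata's own parser reject it
        name = fields[1]
        hashsize = ASSUMED_DEFAULT_HASHSIZE
        for option in fields[2:]:
            key, _, value = option.partition(" ")
            if key == "hashsize" and value.strip().isdigit():
                hashsize = int(value)
        sizes[name] = max(hashsize, sizes.get(name, 0))
    return sizes


def check_hashsize_limits(sizes, single_limit=DEFAULT_SINGLE_HASHSIZE,
                          total_limit=DEFAULT_TOTAL_HASHSIZES):
    """Return a list of limit violations, in the spirit of the datasets.limits
    checks: one per oversized dataset, plus one if the combined hashsize of
    all datasets exceeds the total limit."""
    problems = []
    for name, hashsize in sorted(sizes.items()):
        if hashsize > single_limit:
            problems.append(f"dataset {name}: hashsize {hashsize} exceeds "
                            f"single-hashsize {single_limit}")
    total = sum(sizes.values())
    if total > total_limit:
        problems.append(f"combined hashsize {total} exceeds "
                        f"total-hashsizes {total_limit}")
    return problems


if __name__ == "__main__":
    sizes = parse_dataset_hashsizes(SAMPLE_RULES)
    for line in check_hashsize_limits(sizes) or ["all datasets within limits"]:
        print(line)
```

Running it on the sample flags the "huge" dataset on both counts; raising the limits via the yaml keys above (passed here as single_limit and total_limit) makes the same ruleset pass.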
AF_PACKET needs more information about its configuration before we can
set the default packet size, so on startup, leave unset in suricata.c
if in AF_PACKET mode.
If defrag is enabled, use a default packet size of 9k for tpacket-v2.
This can still lead to truncation events, in which case the user can
increase their 'default-packet-size'.
Tpacket-v3 does not need an increased packet size as it will handle
any size of packet that is smaller than the configured block size
which now has a default of 128k.
9k for the snap is somewhat arbitrary but is large enough for the
common 9000 jumbo frame plus some extra headers including tpacket
headers.
Ticket: #7458
If using tpacket-v2, defrag and a user provided v2-block-size, warn if
the block size is not large enough to hold one fully defragmented
packet.
Ticket: #7458
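A way to reproduce that sizing check offline, as an added example and not Suricata's own code: it sizes a TPACKET_V2 ring frame from a snaplen (the packet plus the aligned v2 header and sockaddr_ll, as laid out in the kernel's packet_mmap documentation), reports how many frames fit into a given v2-block-size, and emits the warning condition from the commit above when one fully defragmented packet does not fit into a single block. The 9k snaplen and the 32k and 128k block sizes come from these commits; the header sizes, the 4096-byte page size, and the choice of 65535 + 14 bytes as the largest defragmented packet are assumptions.

```python
PAGE_SIZE = 4096
TPACKET_ALIGNMENT = 16      # linux/if_packet.h
TPACKET2_HDR_SIZE = 32      # sizeof(struct tpacket2_hdr)
SOCKADDR_LL_SIZE = 20       # sizeof(struct sockaddr_ll)
ETH_HLEN = 14

# Figures from the commits above; the "9k" snaplen is taken as 9 * 1024 here.
SNAPLEN_DEFRAG_DEFAULT = 9 * 1024
BLOCK_32K = 32 * 1024
BLOCK_128K = 128 * 1024

# Assumption for this check: a "fully defragmented packet" is a maximum-size
# IPv4 datagram (65535 bytes) plus its Ethernet header.
MAX_DEFRAGGED_PACKET = 65535 + ETH_HLEN


def tpacket_align(n):
    """Round n up to TPACKET_ALIGNMENT, as the TPACKET_ALIGN() macro does."""
    return (n + TPACKET_ALIGNMENT - 1) & ~(TPACKET_ALIGNMENT - 1)


def v2_frame_size(snaplen):
    """Ring frame size needed for one packet of `snaplen` bytes under
    TPACKET_V2: the packet plus the aligned header and sockaddr_ll, with the
    Ethernet header kept aligned. Assumed to match Suricata's ring sizing."""
    overhead = tpacket_align(tpacket_align(TPACKET2_HDR_SIZE)
                             + SOCKADDR_LL_SIZE + ETH_HLEN) - ETH_HLEN
    return tpacket_align(snaplen + overhead)


def check_v2_block(block_size, snaplen):
    """Describe whether a v2-block-size can carry packets of `snaplen` bytes.

    Returns the frame size, how many frames fit per block and a list of
    problems: a block that is not page-aligned is rejected by the kernel,
    and a block that cannot hold even one frame is unusable for that snaplen."""
    problems = []
    if block_size <= 0 or block_size % PAGE_SIZE:
        problems.append(f"v2-block-size {block_size} is not a multiple of "
                        f"PAGE_SIZE ({PAGE_SIZE})")
    frame = v2_frame_size(snaplen)
    frames_per_block = block_size // frame if block_size > 0 else 0
    if frames_per_block == 0:
        problems.append(f"v2-block-size {block_size} cannot hold one "
                        f"{snaplen}-byte packet (frame size {frame})")
    return {"frame_size": frame, "frames_per_block": frames_per_block,
            "ok": not problems, "problems": problems}


def defrag_block_warning(block_size):
    """The condition the commit warns about: with defrag on, does one fully
    defragmented packet fit into a single block? Returns warning text or None."""
    result = check_v2_block(block_size, MAX_DEFRAGGED_PACKET)
    if result["frames_per_block"] == 0:
        return (f"v2-block-size {block_size} is smaller than one fully "
                f"defragmented packet ({result['frame_size']} bytes per frame); "
                f"increase it or disable defrag")
    return None


if __name__ == "__main__":
    for block in (BLOCK_32K, BLOCK_128K):
        for snaplen in (1514, SNAPLEN_DEFRAG_DEFAULT, MAX_DEFRAGGED_PACKET):
            r = check_v2_block(block, snaplen)
            print(f"block {block:6d} snaplen {snaplen:5d}: frame {r['frame_size']:5d}, "
                  f"{r['frames_per_block']:2d} frames/block, ok={r['ok']}")
        print(defrag_block_warning(block) or f"block {block}: one defragmented packet fits")
```

With these assumptions the old 32k default holds three 9k frames but not one 64k defragmented packet, while the 128k default holds fourteen 9k frames or exactly one defragmented packet, which is the case the warning is meant to catch when a user sets v2-block-size by hand.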
With the change of the default tpacket-v2 block size from 32k to 128k,
allow it to be configurable for users who may want to make it larger,
or revert it back to the pre 7.0.9 default of 32k.
Ticket: #7458