Before, even if there were no outputs, all the arguments
were evaluated, which could turn expensive
All variables which are used only in certain build configurations
are now prefixed by underscore to avoid warnings
(cherry picked from commit ef5755338f)
Actual code will completely discard TCP analysis of a packet that
don't have the ACK bit set but have a ACK value set. This will be
for example the case of all SYN packets that have a ACK value.
Problem is that these type of packets are legit for the operating
systems and for the RFC. The consequence is that an attacker
sending a SYN packet with a non null ACK value will open succesfully
a TCP session to its target and this session will have no protocol
discovery, no TCP streaming and no application layer analysis.
Result is a quasi full evasion of the TCP stream that will only
appear in the flow log if this log is enable or alert on tcp-pkt
signature that are uncommon.
The patch is updating the code to only discard packets that do not
have the SYN flag set. This prevents the evasion and complies with the
RFC that states that the ACK bit should always be set once the
TCP session is established.
This addresses CVE-2021-35063.
Fixes: fa692df37 ("stream: reject broken ACK packets")
Bug: #4513.
Buffers with transforms are based on the non-transformed "base"
buffer, with a new ID assigned and the transform callbacks added.
This patch stores the id of the original buffer in the new buffer
inspect and prefilter structures. This way the buffers with and
without transforms can share some of the logic are progression
of file and body inspection trackers.
Related tickets: #4361#4199#3616
(cherry picked from commit 975062cf40)
Fix handling of file progress tracking for regular file.data along
with transform combinations for the part of the implementation that
uses the File API.
This is done by implementing the 'base id' logic.
Related tickets: #4361#4199#3616
(cherry picked from commit 54ad7de9ce)
Fix multi inspect buffer API causing cleanup logic in the single
inspect buffer paths. This could lead to a buffer overrun in the
"to clear" logic.
Multi buffers now use InspectionBufferSetupMulti instead of
InspectionBuffer. This is enforced by a check in debug validation.
Simplify the multi inspect buffer setup code and update the callers.
(cherry picked from commit 3dc50322db)
If a parser exceeds 1024 buffers we stop processing them and
set a detect event instead. This is to avoid parser bugs as well as
crafted bad traffic leading to resources starvation due to excessive
loops.
(cherry picked from commit e611adf3dc)
As part of commit ea15282f47,
some initialization was moved to happen even in unix socket mode,
however, this initialization does setup some loggers that can only have
one instance enabled (anomaly, drop, file-store).
This will cause these loggers to error out on the first pcap, but work
on subsequent runs of the pcap as some deinitialization is done after
each pcap.
This fix just runs the post pcap-file deinitialization routine to
reset some of the initialization done on startup, like is done after
running each pcap in unix socket mode.
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4225
Additionally this prevents alerts from being logged two times
on the first run of a pcap through the unix socket:
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4434
(cherry picked from commit 488d5fb342)
When adding the alert to a drop record make sure the add the highest
priority.
It would until now add all drops from high to low prio, effectively
overwriting the record each time.
Ticket #4397
(cherry picked from commit 398ebf9345)
This commit improves performance when parsing threshold.config by
removing a loop-invariant to create a one-time object with the parsed
address(es).
Then, as needed, copies of this object are made as the suppression
rule(s) are processed.
(cherry picked from commit 02ceac8b8d)
This commit adds a function to make a deep copy of a DetectThresholdData
object.
The function is used when parsing threshold.config items to make a
one-time object and then add copies as needed.
(cherry picked from commit e873632a28)
Currently the ICMP emergency-bypassed value defined in suricata.conf is
overwriting the UDP value rather than correctly setting it for ICMP.
This commit corrects this bug so that the ICMP value can be set as
expected.
(cherry picked from commit 7fb56a9075)
Fix a 'skipped' transaction early in the list leading to all further
transactions getting skipped, even if they were fully processed and
ready to be cleaned up.
(cherry picked from commit 8baef60d60)
Sync to latest ET open and introduce inappropriate as a classification
to replace something some find inappropriate.
(cherry picked from commit f037f6f4ff)
Move initialization of filestore global counter to PreRunInit,
so they get registered during program initialization, or as
required in unix-socket mode, initialized for each file run.
Fixes Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4216
(cherry picked from commit 0aed5e188b)
Set "done flag" only if parsers for both directions are not found in a
case of midstream parsers from other direction are tried if nothing is found
for the initial one. "done flag" must be set if nothing is found in both
directions. Otherwise processing of incomplete data is terminated at the very
first try.
(cherry picked from commit 5285163d8f)
This commit corrects the validation check between the number of
variables used and the number of specified capture groups.
(cherry picked from commit 469d5bb214)
The old compare macro would compare all bytes of an address, even
when for IPv4 addresses the additional bytes were not in use. This
made the logic vulnerable to mistakes like in issue #4280.
(cherry picked from commit 6bfc5afa23)
Improper reuse of the address data structure between loading
different lines in the iprep file would lead to the host using
a malformed address.
(cherry picked from commit 7b03e6837e)
When Suricata was build with ebpf support and when it was started
in NFQ mode, it was crashing at exit because it was trying to free
the device extension.
This patch fixes the issue by only trigger the eBPF related code
when Suricata is running in AFP_PACKET mode.
(cherry picked from commit 85327890f5)
Jason Ish
Philippe Antoine
Shivani Bhardwaj
Eric Leblond
Victor Julien
Corey Thomas
Jeff Lucovsky
Luke Coughlan
Ilya Bakhtin
Eric Leblond