Commit Graph

539 Commits (f2a92035584d7428befca846cf62246c163990da)

Author SHA1 Message Date
Lukas Sismis 640d0985c2 dpdk: check for link up before full startup
ICE card (Intel E810) was not receiving packets immediatelly
after startup, Suricata workers would act as processing while
it was not. This eliminates the problem by only continuing
in the initialization if the link is already up.

The setting can be turned off manually from the configuraiton
file.

Ticket: 7381
1 year ago
Lukas Sismis cb997a64dc dpdk: replace global with per-thread mempools
It turned out that having global (interface-specific) mempool
that is shared by the threads of the interface is slower than
having individual mempools per queue for each interface.

The commit brings this change and should be user-invisible,
the config setting remains still as a number of objects of
all mempools summed (of that interface).

Ticket: 7382
1 year ago
Lukas Sismis 2ef2a9e26f dpdk: auto configure Rx/Tx descriptors and mempool size
Ticket: 7380
Ticket: 7373
1 year ago
Alfredo Cardigliano dfd9ef5784 ndpi: initial implementation of nDPI plugin
Ticket: #7231
1 year ago
Lukas Sismis 59c3b8912b util-mpm: prepare MPM codebase for ruleset caching 1 year ago
Shivani Bhardwaj 7f98683d45 stream: use max-region setting from suricata.yaml
1. Add key (commented) to suricata.yaml
2. Give the configured/default key preference, save a check
1 year ago
Jeff Lucovsky a654ad9c9a output/buffer: Change buffer-size default value
The buffer-size value that controls file output buffering defaults to
8k. To be consistent with previous logic, the default is being changed
to 0 (e.g., needed if there are old config files that don't specifically
enable the new value).
1 year ago
Jason Ish 7fdb08b7c7 af-packet: use tpacket v3 by default for ids mode
If "tpacket-v3" is not present in the configuration file, and we are
in IDS mode, default to "tpacket-v3".

Required moving the check for tpacket-v3 after the copy-mode
configuration, so the warning about tpacket-v3 in active modes has
been moved as well.

Ticket: #4798
1 year ago
Jason Ish 374762d202 af-packet: remove use-mmap option
This option is obsolete and was not used in 7.0 as tpacket-v1 support
was removed (see ticket #4796).
1 year ago
Philippe Antoine a7713db709 detect: add configurable limits for datasets
Ticket: 7615

Avoids signatures setting extreme hash sizes, which would lead to very
high memory use.

Default to allowing:
- 65536 per dataset
- 16777216 total

To override these built-in defaults:

```yaml
datasets:
  # Limits for per rule dataset instances to avoid rules using too many
  # resources.
  limits:
    # Max value for per dataset `hashsize` setting
    #single-hashsize: 65536
    # Max combined hashsize values for all datasets.
    #total-hashsizes: 16777216
```
1 year ago
Jason Ish 5871c6458c af-packet: make tpacket-v2 block size configurable
With the change of the default tpacket-v2 block size from 32k to 128k,
allow it to be configurable for users who may want to make it larger,
or revert it back to the pre 7.0.9 default of 32k.

Ticket: #7458
1 year ago
Philippe Antoine b9b797f1f4 detect: non infinite default value for inspection-recursion-limit
So that empty config are protected by this setting as was intended.

Set to unlimited for fuzz testing.
1 year ago
Jeff Lucovsky 49d4686144 main/flush: Support periodic flush logs
Issue: 3449
1 year ago
Jeff Lucovsky 92b2aebe75 conf/output: Buffering related config settings
This commit adds 2 EVE output buffering settings
- buffer-size value which specifies the amount of buffering, if any,
  for regular/file output types.
- flush-interval Specifies the cadence at which Suricata will direct
  detect threads to flush EVE output.

Issue: 3449
1 year ago
Jason Ish c3716ac56b output-lua: lua module search path configuration
By default, use an empty search path. This gives us a predictable
default. If a user needs access to external modules, the search path
must be set in the configuration file.

Ticket: #7169
1 year ago
Cole Dishington c46308957f flow: optionally use pkt recursion for hash
If a Suricata inline IPS device is routing traffic over a
non-encrypted tunnel, like IPv6 tunnels, packets in a flow
will be dropped and not be matched. e.g.

The following example is a Suricata inline IPS with an IPv6 tunnel:
request: IPv4]ICMP] -> |IPS| -> IPv6]IPv4]ICMP]
reply:              <- |IPS| <- IPv6]IPv4]ICMP]
Both the IPv4 request and IPv6 reply will be seen by Suricata on
ingress. The flows will not be matched due to flow recursion level.

Optionally use pkt recursion level in flow hash. Excluding recursion
level in flow hash allows matching of packet flows and defrag on an
inline IPS Suricata scenario where the IPS device is a tunnel
terminator.

Feature: 6260
1 year ago
Philippe Antoine bdcb593738 detect: improve tx_id guessing for unidirectional protocols
So we get:
1. request arrives - buffered due to not ackd
2. response arrives, acks request - request is now parsed, response isn't
3. ack for response, response parsed. Then detect runs for request,
generates alert. We now have 2 txs. txid will be 0 from AppLayerParserGetTransactionInspectId

But txid 1 is unidirectional in the other way, so we can use txid 0
metadata for logging

Ticket: 7449
2 years ago
Victor Julien 6882bcb3e5 stream: add TCP urgent handling options
TCP urgent handling is a complex topic due to conflicting RFCs and
implementations.

Until now the URG flag and urgent pointer values were simply ignored,
leading to an effective "inline" processing of urgent data. Many
implementations however, do not default to this behavior.

Many actual implementations use the urgent mechanism to send 1 byte of
data out of band to the application.

Complicating the matter is that the way the urgent logic is handled is
generally configurable both of the OS and the app level. So from the
network it is impossible to know with confidence what the settings are.

This patch adds the following policies:

`stream.reassembly.urgent.policy`:

- drop: drop URG packets before they affect the stream engine

- inline: ignore the urgent pointer and process all data inline

- oob (out of band): treat the last byte as out of band

- gap: skip the last byte, but do no adjust sequence offsets, leading to
       gaps in the data

For the `oob` option, tracking of a sequence number offset is required,
as the OOB data does "consume" sequence number space. This is limited to
64k. For this reason, there is a second policy:

`stream.reassembly.urgent.oob-limit-policy`:

- drop: drop URG packets before they affect the stream engine

- inline: ignore the urgent pointer and process all data inline

- gap: skip the last byte, but do no adjust sequence offsets, leading to
       gaps in the data

Bug: #7411.
2 years ago
Philippe Antoine f426ee3ee2 detect: rename stream_log variables
to better reflect their true meaning
2 years ago
Philippe Antoine f2c3776314 detect: log app-layer metadata in alert with single tx
Ticket: 7199

Uses a config parameter detect.guess-applayer-tx to enable
this behavior (off by default)

This feature is requested for use cases with signatures not
using app-layer keywords but still targetting application
layer transactions, such as pass/drop rule combination,
or lua usage.

This overrides the previous behavior of checking if the signature
has a content match, by checking if there is only one live
transaction, in addition to the config parameter being set.
2 years ago
Pierre Chifflier 3341907125 ldap: add port 3268 (used by Active Directory) 2 years ago
Adam Kiripolsky 175e690222 dpdk/hw_offload: add support for vlan stripping
Utilize DPDK API for hardware vlan stripping if supported by NIC.

Ticket: 7330
2 years ago
Sascha Steinbiss 285cc29ec0 redis: add automatic trimming support for streams 2 years ago
Sascha Steinbiss d3d9f1c395 redis: implement XADD stream support
Ticket: #7082
2 years ago
Jason Ish cc519beb91 suricata.yaml: add missing custom tls fields
Also update the suricata.yaml in the userguide.
2 years ago
Juliana Fajardini 55b922ceed tls/conf: clarify usage of custom vs extended logs
Since enabling custom logging will replace the extended logging, thus
possibly leading to certain fields disappearing from the logs, mention
this aspect.

Related to
Bug #7333
2 years ago
Shivani Bhardwaj 37fa2a6775 detect: rename port whitelisting to priority
This was done following the fact that this setting was historically
named incorrectly. The purpose of the setting was always to define the
ports that will be prioritized and have rule groups associated w them on
priority. Rename all occurences of this to correctly reflect the purpose
of the setting.
2 years ago
Jeff Lucovsky 792f5e1d57 napatech: load plugin by default
Issue: 7165
2 years ago
Philippe Antoine bb714c9178 http: have a headers limit
Ticket: 7191

So as to avoid quadratic complexity in libhtp.
Make the limit configurable from suricata.yaml,
and have an event when network traffic goes over the limit.
2 years ago
Philippe Antoine de9413c654 detect: safety for app-layer logging of stream-only rules
If a stream-only rule matches, and we find a tx where we
want to log the app-layer data, store into the tx data that
we already logged, so that we do not log again the app-layer metadata

Ticket: 7085
2 years ago
Jeff Lucovsky 9bc468e63a alert/reference: Optionally add reference(s)
Issue: 4974

Optionally include rule references with the alert. Since there can be
multiple reference keywords, they are collected into an array.
2 years ago
Jason Ish 15fe844ae7 syslog: deprecate
The standalone syslog output is now deprecated for Suricata 8. Display
a warning on use and add notes to the userguide.

Ticket: #6544
2 years ago
Jason Ish 5853fb922d tls-log: deprecate
tls-log is now deprecated and will be removed in Suricata 9.0. Display
a deprecation notice on use, and add notes to the user guide.

Ticket: #6542
2 years ago
Jason Ish ab26323a96 http-log: deprecate
http-log is now deprecated and will be removed in Suricata
9.0. Display a deprecation notice on use, and add notes to the
userguide.

Issue: #6543
2 years ago
Victor Julien 688bd538cf pcap: implement pcap-file-buffer-size option
Allows easy specification of buffer size on the commandline.

Ticket: #7155.
2 years ago
Giuseppe Longo edf70276d6 rust/ldap: enable parser for udp
This introduces a new parser registration function for LDAP/UDP, and update
ldap configuration in order to be able to enable/disable a single parser
independently (such as dns).
Also, GAPs are accepted only for TCP parser and not for UDP.

Ticket #7203
2 years ago
Philippe Antoine 1e82e20c65 doh: implement dns over http2 app-proto
Ticket: 5773
2 years ago
Giuseppe Longo 910a5b226c rust/ldap: implement logger 2 years ago
Giuseppe Longo 93da339975 rust/ldap: implement app-layer 2 years ago
Jason Ish 155501f250 pf-ring: load plugin by default
Ticket: #7162
2 years ago
Victor Julien 223a4194ea config: switch default config to IEEE 1541 notation 2 years ago
Jason Ish ca6e73830c suricata.yaml: set dns log version to 3; link to docs
Missed in the original PR, but update the commented out version to
reflect the default, and a link to the upgrade notes.
2 years ago
Philippe Antoine e0fd59a20d doc: state that payload-length includes the gaps 2 years ago
Sascha Steinbiss ad02040860 mqtt: enable limiting of logged message length
Ticket: #6984
2 years ago
Victor Julien 7d4fcc311c detect/threshold: make hash size and memcap configurable 2 years ago
Philippe Antoine c9ce43b31e output: configurable payload_length field for alerts
Ticket: 7098
2 years ago
Eric Leblond eecb3440e2 profiling: add option to active rules profiling at start
When replaying a pcap file, it is not possible to get rules
profiling because it has to be activated from the unix socket.
This patch adds a new option to be able to activate profiling
collection at start so a pcap run can get rules profiling
information.
2 years ago
Philippe Antoine 82c03f72c3 enip: convert to rust
Ticket: 3958

- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- frames support
- app-layer events
- enip_command keyword accepts now string enumeration as values.
- add enip.status keyword
- add keywords :
    enip.product_name, enip.protocol_version, enip.revision,
    enip.identity_status, enip.state, enip.serial, enip.product_code,
    enip.device_type, enip.vendor_id, enip.capabilities,
    enip.cip_attribute, enip.cip_class, enip.cip_instance,
    enip.cip_status, enip.cip_extendedstatus
2 years ago
Jo Johnson 712496bb3f lua: Remove luajit support
lua 5.4 support is not available in luajit

Ticket: #4776
2 years ago
Shivani Bhardwaj 232c44eb4a output/json: log tls subjectaltname
Feature 5234
2 years ago