The evasion scenario is:
- a first dummy write of one byte at offset 0 is done
- the second full write of EICAR at offset 0 is then done
and does not trigger detection.
The last write had the final value, and as we cannot "cancel"
the previous write, we set an event which is then transformed into
an app-layer decoder alert
TCPProtoDetect can either set f->alproto, change f->alstate
and return an error.
When the original alstate gets freed, we shall set the pointer
to NULL, as it can get reused.
DNP3 is a communication between a so-called master and outstation;
in our terms the master is a client and the outstation is a server.
The DIR flag in the DNP3 header is nonzero when a packet is from the master,
so if DIR is nonzero then the packet is 'toserver'.
This will allow Rust parsers to register for gap handling from
Rust (some Rust parsers do handle gaps, but they set the flag
from C).
(cherry picked from commit 53aa967e0b)
This is a partial backport of:
ac3cf6ff75
detect/config: set config for special cases
Allow app-layer to declare the txs are uni-directional and special
care is needed for applying config.
- Fix relative_offset keyword option to be relative with regard to the
last content match
- Change relative_offset to int32_t with bounds check to allow the full
range of the packet buffer size (uint16_t)
- Added checks for over/underflows
- Changed the offset type to uint16_t because the offset is applied to
the payload length, which is a uint16_t
- Adjusted test cases to work relative to the content match
- Added test case to verify bounds
(cherry picked from commit be3379f00e)
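Added example, not Suricata's own code: the function names and arguments below are hypothetical. It shows why the commit message insists on a signed 32-bit relative offset with explicit over/underflow checks against a uint16_t payload length. `RelativeOffsetNaive` reproduces the wraparound that an unchecked uint16_t computation produces; `RelativeOffsetResolve` widens to 64 bits before checking that the resolved position stays inside the payload.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical naive computation (the "before" behaviour): adding a
 * negative relative offset to a uint16_t position silently wraps. */
uint16_t RelativeOffsetNaive(uint16_t last_match_end, int32_t relative_offset)
{
    return (uint16_t)(last_match_end + relative_offset);
}

/* Hypothetical checked resolver. payload_len is a uint16_t because the
 * offset is applied to the payload length; relative_offset is int32_t so
 * the full +/- uint16_t range can be expressed. Returns false when the
 * resolved offset would fall before the payload start or at/after its
 * end (no byte left to read), so the caller can fail the match instead
 * of reading out of bounds. */
bool RelativeOffsetResolve(uint16_t payload_len, uint16_t last_match_end,
                           int32_t relative_offset, uint16_t *out)
{
    /* Widen to 64 bits so the sum itself can never wrap before the test. */
    int64_t abs_off = (int64_t)last_match_end + (int64_t)relative_offset;

    if (abs_off < 0)                 /* underflow: before the payload */
        return false;
    if (abs_off >= (int64_t)payload_len) /* overflow: at/past the end */
        return false;

    *out = (uint16_t)abs_off;
    return true;
}

int main(void)
{
    /* Constructed sample: a 100-byte payload, previous content match ended
     * at offset 10, rule asks for relative_offset -11 (one byte too far). */
    uint16_t payload_len = 100, last_match_end = 10;
    int32_t rel = -11;
    uint16_t resolved;

    printf("naive   : %u\n", RelativeOffsetNaive(last_match_end, rel));
    if (RelativeOffsetResolve(payload_len, last_match_end, rel, &resolved))
        printf("checked : %u\n", resolved);
    else
        printf("checked : out of bounds, match fails\n");
    return 0;
}
```

The naive version turns `10 + (-11)` into 65535, a position far beyond a 100-byte payload; the checked version rejects it. The same check also catches the positive direction (`last_match_end + relative_offset` landing at or beyond `payload_len`), which is the case the added bounds test case in the commit covers.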
This commit changes the size of reporting variables to be dynamic based
on the buffer ids in use instead of a fixed value to address a SEGV when
the fixed value was less than the max buffer/type id in use.
(cherry picked from commit d911fb87b8)
These changes are in response to feature request 3063. Geneve is
very similar to VXLAN, but uses a slightly different encapsulation
scheme.
(cherry picked from commit ef9e532f07)
In case of lossy connections the NFS state would properly clean up
transactions, including file transactions. However, for files the
state was never set to 'truncated', leading files to stay 'active'.
This would lead to these files staying in the NFS state. In long-running
sessions with lots of files this would lead to performance and memory
use issues.
This patch truncates the file that was being transmitted when
a file transaction is being closed.
Based on 65e9a7c31c
(cherry picked from commit 44d7dd02b3)
This commit restricts the anomaly logger count. The restriction is
necessary due to state maintenance in the logger that doesn't scale
beyond a single logger.
Until that issue's solved, when multiple anomaly loggers are configured,
an error message will be emitted to highlight the restriction.
(cherry picked from commit 8e2aab7467)
Bidirectional signatures are really two signatures with one id.
This needs to be handled with care when changing a linked list.
(cherry picked from commit 5ac8e41a13)
This commit extends the API with a function that validates arguments
against the transforms for the SM list (if any).
(cherry picked from commit 8f1a7111ed)
This commit adds a function to pre-validate buffers. If a content
buffer contains whitespace, the validation fails.
(cherry picked from commit bc81474e3f)
This commit adds an (optional) entry for a validation function. The
validation function, if present, will be used during rule processing.
Its role is to determine if the arguments are compatible with the
transform. E.g., a content string of "this string has whitespace" is not
compatible with the `strip_whitespace` transform.
(cherry picked from commit 596875fa68)
If there is a '/' in the redis server string then we consider that
the connection should be done over a unix socket.
(cherry picked from commit e12437e31e)