Replace implementation of the legacy `filemagic` keyword by the
implementation for the `file.magic` variant. This leads to better
performance and hooks the rules into the detection engine better.
Remove unittests that depended on the old logic.
Ticket: #6194.
(cherry picked from commit 1f22b51848)
Data on RST packets is not invalid, but also shouldn't be used
in reassembly.
RFC 1122:
4.2.2.12 RST Segment: RFC-793 Section 3.4
A TCP SHOULD allow a received RST segment to include data.
DISCUSSION
It has been suggested that a RST segment could contain
ASCII text that encoded and explained the cause of the
RST. No standard has yet been established for such
data.
RST data will be presented to the detection engine per packet,
but will not be part of stream reassembly.
Bug: #6244.
(cherry picked from commit b63374bf5f)
Bringing info that was only in our Redmine wiki to our documentation,
and updating the package to Suricata-6.0, now that the stable points to
Suricata 7.
Task #6231
(cherry picked from commit 4fd3205bf0)
The `field action` portion seemed to be comprised of a more generic
section that followed it. Also formatted the section for lines to be
within the character limit.
(cherry picked from commit 9900bdc162)
So far, if only the starting request was a DCERPC request, it would be
considered DCERPC traffic. Since ALTER_CONTEXT is a valid request type,
it should be accepted too.
Reported and patch proposed in the following Redmine ticket by
InterNALXz.
Bug 6191
(cherry picked from commit 8770431986)
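As an added example (not Suricata's own DCERPC probe, which lives in its Rust parser), a C probe for the first PDU of a TCP DCERPC conversation that accepts ALTER_CONTEXT alongside BIND, as the fix above describes. It checks the 16-byte connection-oriented common header (rpc_vers 5, minor 0 or 1, frag_length read in the byte order given by packed_drep) and the ptype. The constant names, the function name and the three sample headers are constructed for this example; the ptype values 11 (bind) and 14 (alter_context) are those of the DCE 1.1 RPC specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DCERPC_RPC_VERS            5
#define DCERPC_CO_HDR_LEN          16
#define DCERPC_TYPE_REQUEST        0
#define DCERPC_TYPE_BIND           11
#define DCERPC_TYPE_ALTER_CONTEXT  14

/* Connection-oriented DCERPC common header (DCE 1.1 RPC, 12.6.3.1):
 *   0 rpc_vers, 1 rpc_vers_minor, 2 ptype, 3 pfc_flags,
 *   4-7 packed_drep, 8-9 frag_length, 10-11 auth_length, 12-15 call_id */

/* Returns true when buf starts with a PDU that should mark the flow as
 * DCERPC: BIND, or (as in the fix above) ALTER_CONTEXT. A plain REQUEST
 * as first PDU is not enough to claim the flow. */
bool dcerpc_probe_request(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < DCERPC_CO_HDR_LEN)
        return false;
    if (buf[0] != DCERPC_RPC_VERS || buf[1] > 1)   /* major 5, minor 0 or 1 */
        return false;
    /* packed_drep[0] bit 4 set means little-endian integer representation */
    bool le = (buf[4] & 0x10) != 0;
    uint16_t frag_length = le ? (uint16_t)(buf[8] | (buf[9] << 8))
                              : (uint16_t)((buf[8] << 8) | buf[9]);
    if (frag_length < DCERPC_CO_HDR_LEN)            /* cannot even hold the header */
        return false;
    uint8_t ptype = buf[2];
    return ptype == DCERPC_TYPE_BIND || ptype == DCERPC_TYPE_ALTER_CONTEXT;
}

/* Constructed sample headers (common header only, little-endian drep,
 * frag_length 72/24). These are not captures of real traffic. */
const uint8_t SAMPLE_BIND[DCERPC_CO_HDR_LEN] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 };
const uint8_t SAMPLE_ALTER_CONTEXT[DCERPC_CO_HDR_LEN] = {
    0x05, 0x00, 0x0e, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x48, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00 };
const uint8_t SAMPLE_REQUEST[DCERPC_CO_HDR_LEN] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x18, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("bind          -> %d\n", dcerpc_probe_request(SAMPLE_BIND, sizeof SAMPLE_BIND));
    printf("alter_context -> %d\n", dcerpc_probe_request(SAMPLE_ALTER_CONTEXT, sizeof SAMPLE_ALTER_CONTEXT));
    printf("request       -> %d\n", dcerpc_probe_request(SAMPLE_REQUEST, sizeof SAMPLE_REQUEST));
    return 0;
}
```

The frag_length check matters for a probe: a header claiming a fragment shorter than itself is malformed, and rejecting it early keeps a detector from being pushed into the DCERPC parser by junk that merely starts with 0x05.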
If an exception policy wasn't set up individually, use the GetDefault
function to pick one. This will check for the master switch option and
handle 'auto' cases.
Instead of deciding what the auto value should be when we are parsing
the master switch, leave that for when one of the other policies is to
be set via the master switch, since this can change for specific
exception policies - like for midstream, for instance.
Update exceptions policies documentation to clarify that the default
configuration in IPS when midstream is enabled is `ignore`, not
`drop-flow`.
Bug #6169
(cherry picked from commit e306bc6ecc)
If the master exception policy was set to 'auto' in IDS mode, instead of
just setting the master switch to the default in this case, which is
'ignore', the engine would issue a warning saying that auto wasn't a
valid config and then set the policy to ignore.
This makes 'auto' work for the master switch in IDS, removes function
for setting IPS option and handles the valid IDS options directly from
the function that parses the master policy, as this was the only place
where the function was still called.
Bug #6149
(cherry picked from commit feb47f9a89)
We were always setting it to ignore, due to bug 5825.
The engine will now issue an initialization error if an invalid value
is passed in the configuration file for midstream exception policy.
'pass-packet' or 'drop-packet' are never valid, as the midstream policy
concerns the whole flow, not making sense for just a packet.
If midstream is enabled, only two actual config values are allowed:
'ignore' and 'pass-flow', both in IDS and in IPS mode. In default mode
('auto' or if no policy is defined), midstream-policy is set to
'ignore'. All other values will lead to initialization error.
In IDS mode, 'drop-flow' will also lead to initialization error.
Part of
Bug #5825
(cherry picked from commit 69d3750aaf)
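As an added example (not Suricata's config parser), a C model of the midstream-policy rules the commits above lay out: 'pass-packet' and 'drop-packet' are never valid because the policy applies to a whole flow; with midstream enabled only 'ignore' and 'pass-flow' are accepted in both IDS and IPS, with 'auto' or an unset value resolving to 'ignore'; and 'drop-flow' is an initialization error in IDS mode. The enum, function names and the `stream.midstream-policy` key name are assumptions; for the midstream-disabled case the example passes the remaining flow-scoped values through unchanged, which the commits do not specify.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Policy values named in the commit messages above. POLICY_INVALID stands
 * for the initialization error Suricata raises on a bad value. */
enum midstream_policy {
    POLICY_INVALID = -1,
    POLICY_IGNORE = 0,
    POLICY_PASS_FLOW,
    POLICY_DROP_FLOW,
    POLICY_BYPASS,
    POLICY_REJECT,
};

/* Map the config string to a policy. An absent value or 'auto' becomes
 * 'ignore'. 'pass-packet' and 'drop-packet' are packet-scoped and never
 * valid for a flow policy; they, like unknown strings, map to INVALID. */
static enum midstream_policy policy_from_string(const char *value)
{
    if (value == NULL || strcmp(value, "auto") == 0) return POLICY_IGNORE;
    if (strcmp(value, "ignore") == 0)    return POLICY_IGNORE;
    if (strcmp(value, "pass-flow") == 0) return POLICY_PASS_FLOW;
    if (strcmp(value, "drop-flow") == 0) return POLICY_DROP_FLOW;
    if (strcmp(value, "bypass") == 0)    return POLICY_BYPASS;
    if (strcmp(value, "reject") == 0)    return POLICY_REJECT;
    return POLICY_INVALID;
}

/* Resolve stream.midstream-policy (assumed key name) for a run mode:
 *  - with midstream enabled only 'ignore' and 'pass-flow' survive, in IDS
 *    and IPS alike; 'auto'/unset resolve to 'ignore';
 *  - in IDS mode 'drop-flow' is always an error.
 * With midstream disabled the other flow-scoped values pass through
 * (assumption: the commits do not restrict them). */
enum midstream_policy midstream_policy_parse(const char *value,
                                             bool midstream_enabled,
                                             bool ips_mode)
{
    enum midstream_policy p = policy_from_string(value);
    if (p == POLICY_INVALID)
        return POLICY_INVALID;
    if (midstream_enabled && p != POLICY_IGNORE && p != POLICY_PASS_FLOW)
        return POLICY_INVALID;
    if (!ips_mode && p == POLICY_DROP_FLOW)
        return POLICY_INVALID;
    return p;
}

static const char *policy_name(enum midstream_policy p)
{
    switch (p) {
    case POLICY_IGNORE:    return "ignore";
    case POLICY_PASS_FLOW: return "pass-flow";
    case POLICY_DROP_FLOW: return "drop-flow";
    case POLICY_BYPASS:    return "bypass";
    case POLICY_REJECT:    return "reject";
    default:               return "INITIALIZATION ERROR";
    }
}

int main(void)
{
    const char *values[] = { NULL, "auto", "ignore", "pass-flow", "drop-flow",
                             "pass-packet", "drop-packet", "typo" };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        const char *v = values[i] ? values[i] : "(unset)";
        printf("%-12s midstream+IDS: %-20s midstream+IPS: %-20s IPS: %s\n", v,
               policy_name(midstream_policy_parse(values[i], true, false)),
               policy_name(midstream_policy_parse(values[i], true, true)),
               policy_name(midstream_policy_parse(values[i], false, true)));
    }
    return 0;
}
```

Resolving 'auto' at the point where a specific policy is applied, rather than once when the master switch is parsed, is what lets midstream pick 'ignore' while another exception policy under the same master switch can resolve differently.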
Use a mix of SCLogConfig, Warning and Info.
This mix works as follows: when something unexpected for the user
happens - for instance, the engine ignoring an invalid config value, we
use warning. For indicating the value for the master switch, which
happens only once, we use Info. For all the other cases, we use
SCLogConfig.
It is possible that SCLogConfig isn't showing at the moment, this is a
possible bug to investigate further.
Related to
Bug #5825
(cherry picked from commit 69311ab02f)
Get the enum values from the config file. Update the new extracted
functions. Post-process the config values based on runmode and policy.
Also handle 'auto' enum value in these.
Related to
Bug #5825
(cherry picked from commit 7f8536b81c)
As the midstream exception policy has its own specific scenarios, have a
dedicated function to parse and process its config values, and check for
midstream enabled when needed.
Related to
Bug #5825
(cherry picked from commit f97af0c0b1)
Some exception policies can only be applied to the triggering packet or
only make sense considering the whole flow. Highlight such cases in the
table showing each exception policy.
Related to
Bug #5825
(cherry picked from commit c0db25d055)
The different interactions between midstream pick-up sessions and the
exception policy can be quite difficult to visualize. Add a section for
that in the userguide.
Related to
Bug #5825
(cherry picked from commit 0c2922f02e)
7a044a99ee removed the lines that incremented these defrag
counters, but kept the entities themselves. This commit removes counters
that we judge too complex to maintain, given the current state of the
code, and re-adds incrementing max_hit (memcap related).
Related to
Task #5816
(cherry picked from commit a37a88dcd5)
In case of 'EXCEPTION_POLICY_REJECT', we were applying the same behavior
regardless of being in IDS or IPS mode.
This meant that (at least) the 'flow.action' was changed to drop when we
hit an exception policy in IDS mode.
Bug #6109
(cherry picked from commit 8f324e3b3d)
This allows all traffic Exception Policies to be set from one
configuration point. All exception policy options are available in IPS
mode. Bypass, pass and auto (disabled) are also available in IDS mode.
Exception Policies set up individually will overwrite this setup for the
given traffic exception.
Task #5219
(cherry picked from commit 0d9289014b)
For certain edge case handling for spaces, spaces were handled
particularly in the remainder processing functions. Make sure that, now
that util-base64 skips over any invalid char as per RFC 2045, the edge
cases in the MIME processor are also handled the same way.
This completes the work done in e46b033.
Ticket 6135
Ticket 6207
(cherry picked from commit 789353bc1e)
The destination buffer should be able to hold at least 3 bytes during
the processing of the last block of data. If it cannot hold at least 3
bytes, then that may lead to dynamic buffer overflow while decoding.
(cherry picked from commit 62d782156c)
Just like the check for destination buffer size done previously for
complete data, it should also be done for the trailing data to avoid
going out of bounds.
(cherry picked from commit 0e8b451699)
Padding bytes for the last remainder data should be as follows:
Case | Remainder bytes | Padding
-----+-----------------+--------
 I   |        1        |    3
 II  |        2        |    2
 III |        3        |    1
However, we calculate the decoded_bytes with the formula:
decoded_bytes = ASCII_BLOCK - padding
this means for Case I when padding is 3 bytes, the decoded_bytes would
be 0. This is incorrect for any trailing data. In any of the above
cases, if the parsing was successful, there should at least be 1 decoded
byte.
(cherry picked from commit 095c335c72)
RFC 2045 states that any invalid character should be skipped over, this
is the RFC used by mime handler in Suricata code to deal with base64
encoded data.
So far, only spaces were skipped as a part of implementation of this
RFC, extend it to also skip over any other invalid character. Add
corresponding test.
(cherry picked from commit e46b0337e5)
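As an added example (not Suricata's util-base64), a small C decoder that applies the points of the base64 commits above: characters outside the alphabet are skipped instead of failing the decode (RFC 2045), the destination buffer is checked before every full group and again before the trailing remainder so a short buffer cannot be overrun, and a trailing group of 2 or 3 characters yields 1 or 2 decoded bytes; a single leftover character carries too few bits for a byte and produces nothing. The function names, the `b64_decodes_to` helper and the inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASCII_BLOCK 4   /* base64 chars per group */
#define B64_BLOCK   3   /* decoded bytes per group */

/* 6-bit value of a base64 alphabet char, or -1 if not in the alphabet.
 * '=' is handled by the caller. */
static int b64_value(uint8_t c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode src into dst and return the number of bytes written.
 * Invalid characters are skipped (RFC 2045); decoding stops at '=' or at
 * the end of input. A full group is only written if 3 bytes are free; the
 * trailing remainder (2 or 3 chars -> 1 or 2 bytes) only if it fits. */
size_t b64_decode_lenient(const uint8_t *src, size_t srclen,
                          uint8_t *dst, size_t dstlen)
{
    uint8_t group[ASCII_BLOCK];
    size_t nfill = 0, out = 0;

    for (size_t i = 0; i < srclen; i++) {
        if (src[i] == '=')
            break;
        int v = b64_value(src[i]);
        if (v < 0)
            continue;                      /* space, CRLF, anything invalid */
        group[nfill++] = (uint8_t)v;
        if (nfill == ASCII_BLOCK) {
            if (dstlen - out < B64_BLOCK)  /* no room for a full block: stop */
                return out;
            dst[out++] = (uint8_t)((group[0] << 2) | (group[1] >> 4));
            dst[out++] = (uint8_t)((group[1] << 4) | (group[2] >> 2));
            dst[out++] = (uint8_t)((group[2] << 6) | group[3]);
            nfill = 0;
        }
    }
    /* Trailing partial group: nfill chars decode to nfill - 1 bytes. A lone
     * char (nfill == 1) is incomplete and yields nothing. */
    if (nfill >= 2) {
        size_t want = nfill - 1;
        if (dstlen - out < want)           /* same bound check for the tail */
            return out;
        dst[out++] = (uint8_t)((group[0] << 2) | (group[1] >> 4));
        if (nfill == 3)
            dst[out++] = (uint8_t)((group[1] << 4) | (group[2] >> 2));
    }
    return out;
}

/* Helper for checks: decode b64 into a buffer of dstlen bytes (at most 64)
 * and report whether the output equals expected exactly. */
int b64_decodes_to(const char *b64, size_t dstlen, const char *expected)
{
    uint8_t buf[64];
    if (dstlen > sizeof buf)
        return 0;
    size_t n = b64_decode_lenient((const uint8_t *)b64, strlen(b64), buf, dstlen);
    return n == strlen(expected) && memcmp(buf, expected, n) == 0;
}

int main(void)
{
    /* Constructed input with a stray space and CRLF, as seen in MIME bodies. */
    const char *in = "aGV s\r\nbG8=";
    uint8_t buf[16];
    size_t n = b64_decode_lenient((const uint8_t *)in, strlen(in), buf, sizeof buf);
    printf("decoded %zu bytes: %.*s\n", n, (int)n, (const char *)buf);
    return 0;
}
```

Passing a buffer shorter than the full decode is the case the buffer-size commits guard against: the decoder returns early with whatever fits rather than writing past dstlen.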
We only try to parse a small subset of what is possible in
RFB. Currently we only understand some standard auth schemes
and stop parsing when the server-client handshake is complete.
Since in IPS mode returning an error from the parser causes
drops that are likely uncalled for, we do not want to return
errors when we simply do not understand what happens in the
traffic. This addresses Redmine #5912.
Bug: #5915.
(cherry picked from commit 1f8a5874fb)