When adding an element to the dynamic headers table, the oldest
ones may get evicted. When multiple elements get evicted, they
should get evicted all at once with drain, instead of one by one
as there will be a massive move each time.
Ticket: #6103
(cherry picked from commit 6350736882)

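The drain-based eviction described in the commit above, as an added Rust example that is not Suricata's code: a small HPACK-style dynamic table (the `DynamicTable` and `Header` names are my own) whose entry size follows RFC 7541 (name length + value length + 32), evicting every oldest entry that no longer fits in a single `drain()` instead of one front removal at a time.

```rust
// Added example, not Suricata's implementation. Index 0 holds the
// oldest entry; new entries are pushed at the back.
pub struct Header {
    pub name: Vec<u8>,
    pub value: Vec<u8>,
}

impl Header {
    // RFC 7541 section 4.1: entry size = name + value + 32 bytes overhead.
    fn size(&self) -> usize {
        self.name.len() + self.value.len() + 32
    }
}

pub struct DynamicTable {
    entries: Vec<Header>,
    size: usize,
    max_size: usize,
}

impl DynamicTable {
    pub fn new(max_size: usize) -> Self {
        DynamicTable { entries: Vec::new(), size: 0, max_size }
    }

    /// Adds a header and returns how many entries were evicted. All
    /// evictions happen in one drain(..n) call; removing index 0 in a
    /// loop would shift every remaining element on each iteration.
    pub fn add(&mut self, h: Header) -> usize {
        let needed = h.size();
        let (mut evict, mut freed) = (0usize, 0usize);
        // Count the oldest entries that must go before the new one fits.
        while self.size - freed + needed > self.max_size && evict < self.entries.len() {
            freed += self.entries[evict].size();
            evict += 1;
        }
        self.entries.drain(..evict);
        self.size -= freed;
        // An entry larger than the whole table empties it and is not added.
        if needed <= self.max_size {
            self.entries.push(h);
            self.size += needed;
        }
        evict
    }

    pub fn len(&self) -> usize { self.entries.len() }
    pub fn size(&self) -> usize { self.size }
}
```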
As part of extra header validation, split out DNS body parsing to
avoid the overhead of parsing the header twice.
(cherry picked from commit d720ead470)

As UDP streams get probed, a stream that does not appear to be DNS
at first may have a single packet that does look close enough to DNS
to be picked up as DNS, causing every subsequent packet to result in a
parser error.
To mitigate this, probe every incoming DNS message header for validity
before continuing onto the body. If the header doesn't validate as
DNS, just ignore the packet so no parse error is registered.
(cherry picked from commit 595700ab7e)

Accept DNS messages with an invalid opcode that are otherwise
valid. Such a DNS message will create a parser event.
This is a change of behavior, previously an invalid opcode would cause
the DNS message to not be detected or parsed as DNS.
Issue: #5444
(cherry picked from commit c98c49d4ba)

Counters depended on availability of flow and tcp session, meaning
that 2 memcaps could affect the counters.
Bug: #5017.
(cherry picked from commit 36f6e05155)

Rust 1.70 has introduced some possible issues between LLVM and gcc
causing link errors that are fixed by explicitly adding -lntdll.
Thanks to https://github.com/extendr/rextendr/pull/285 for the fix.

In case LF was found for a long line way outside of the limit, we should
not need to update the delimiter len and current line len because the
line is capped at 4k and the LF was not within these 4k bytes.

So far, we store one variable in state to hold whether we want to
discard a long line till LF irrespective of direction. This means that a
long command to the client followed by a regular command with LF can be
considered as one long line which is incorrect.
Bug 6055

When a flow is in the drop flow state, don't use pseudo packets
when it is timing out. There should be no work left to do at this
point.
(cherry picked from commit 2a95154712)

Remove logic to apply flow drop, as this is now handled in the
flow engine.
However, keep the logic that frees/cleans the session state.
(cherry picked from commit d91a1e8bc6)

If npcap/wpcap is not found on Windows, try libpcap. This allows
Suricata to build without NPCap on Windows, however live capture won't
be available.
(cherry picked from commit 31ba4fd152)

Problem:
If we receive a long line w/o LF, we cap it to 4k bytes and wait until a
line with LF comes in order to consider the previous line complete. Any
data post the 4k bytes is discarded. Currently, if a line with LF comes
in after a long line, we reset all the parameters used for processing it
like the line.len and line.delim_len but we still make the call to
SMTPProcessRequest fn without even the need to process anything. Since
such a line (with len and delim_len set to 0) should not reach mime
decoder, a debug assertion triggers there in this case.
Fix:
Make sure to return early as the line has to be skipped and not
processed at all.
Bug 6019
(cherry picked from commit c0067a5fff)

Issue: 5818
This commit addresses the issue with using the address of a packed
member of a structure. The pfring timeval is within a packed structure.
(cherry picked from commit 2d28c09ea1)

This commit changes the default pf-ring cluster type to cluster-flow.
Round-robin clustering is not recommended for Suricata.
Issue: 5975
(cherry picked from commit 4f7a36ac2e)

This commit adds brief discussion for additional cluster types for use
with the pf-ring packet source.
Newly added:
- cluster_inner_flow
- cluster_inner_flow_2_tuple
- cluster_inner_flow_4_tuple
- cluster_inner_flow_5_tuple
Issue: 5975
(cherry picked from commit b1918168f9)