While updating the destination pointer, we were also adding the padded
bytes which are not a part of the decoded bytes. This led to running out
of space on the destination buffer.
Fix it by only incrementing destination buffer ptr by the number of
actual bytes that were decoded.
Ticket 5623
Ticket 5694
As per RFC 4648,
Implementations MUST reject the encoded data if it contains characters
outside the base alphabet when interpreting base-encoded data, unless
the specification referring to this document explicitly states
otherwise.
Add a new mode BASE64_MODE_RFC4648, and handle input strictly as per the
specification.
Bug 5223
(cherry picked from commit dad52f133d)
As an SMB2 async response does not have a tree id, even if
the request has it.
Per spec, MessageId should be enough to identifiy a message request
and response uniquely across all messages that are sent on the same
SMB2 Protocol transport connection.
So, the tree id is redundant anyways.
Ticket: #5508
(cherry picked from commit e94920b49f)
This is to make sure the files buffers are properly managed even
when there are no rules or when there are no file.data rules.
Bug: #5703.
(cherry picked from commit e601ebdfd8)
Fix PASS handling by setting and checking in the correct packet.
There are 3 types of packets:
1. tunnel packets (inner layer of encapsulation)
2. "root" packets (outmost layer of encapsulated packet)
3. normal packets (no encapsulation)
Tunnel packet have a pointer to their "root". The "root" is the packet
that is ultimately used by the capture method to issue a verdict:
DROP or ACCEPT (forward).
For tunnels:
DROP actions are always issued on the root packet.
The PASS action is issued on the packet currently in the detection
engine.
Non-tunnels:
DROP and PASS are both set in the current packet.
Bug: #5697.
If a protocol change was requested, the target did not handle
it as Suricata, as the target is meant to handle only one
app-layer protocol.
(cherry picked from commit ca054f7264)
It was not enough to set Cursor position to 0,
also its inner Vec should be cleared.
This way, a new input gets written at the beginning of the
Cursor and its inner Vec...
Ticket: #5691
(cherry picked from commit 086b28da3d)
Suricata already logs if AF_PACKET or Netmap are running in a mixed IPS
and IDS/TAP mode. As the behavior is undefined when these modes are
mixed, it is best to deprecate and to not allow this behavior. For now
warn that it will be unsupported and fail in Suricata 8.
Ticket: 5587
(cherry picked from commit 0c00f28ebc)
This commit modifies the Netmap packet handling to use API version 14.
@bmeeks8 contributed many changes instrumental to this effort.
(cherry picked from commit ca7d097225)
This commit adds another system include file based on autoconf to the
common Suricata include file for convenience.
(cherry picked from commit 3496e543af)
`PacketDrop` applied a DROP to the current packet unconditionally,
while in tunnel/encapsulated cases the DROP should have been applied
to the root packet.
Fixes: 6742ecbc9e ("decode: make PacketDrop use action as parameter")
Bug: #5600.
As is done in detect-threshold.c or in DETECT_RATE_REGEX
and is expected by switch (rule_type) which makes the same
for THRESHOLD_TYPE_THRESHOLD and THRESHOLD_TYPE_RATE
Ticket: #5327
(cherry picked from commit a2f857ed90)
This describes briefly what the exception policies are, what is the
engine's behavior, what options are available and to which parts are
they implemented.
Task #5475
Task #5515
Some of these were recently introduced, some were highlited after the
applayer sections got merged. Some paragraphs seem to have been changed
due to trying to respect character limits for lines. Also includes a
typo pointed out by one of our community members via Discord.
For ICMPv4 error messages the vlan ids were always considered,
even if the 'vlan.use-for-tracking' option was disabled.
Ticket: #5330
(cherry picked from commit ce2775d331)