Ticket: #6279
If we have the smtp body beginning without headers, we need to
create the md5 context and right away and supply data to it.
Otherwise, on the next line being processed, md5_ctx will be
NULL but body_begin will have been reset to 0
A bad pattern in a rule that hyperscan would fail to compile would
exit Suricata. This could happen during a rule reload as well.
In case of a untrusted ruleset, this could potentially be used to
shut down the sensor.
Commit 7d0851b0c2 already blocks the only know case, but this patch
is more defensive.
Ticket: #6195.
- Use SPHINX_BUILD instead of HAVE_SPHINX_BUILD, as here we're
actually using the path of the program.
- Wrap some elements in [] as is done in modern idiomatic autoconf
We need a recent version of Sphinx to build the documentation in
7.0. Check for a minimum version of 3.4.3. If older, do not build the
docs which is the same behavior when sphinx-build is not found.
Bug: #6297
When comparing IPv6 addresses based on uint32_t chunks, one needs to
apply ntohl() conversion to the individual parts, otherwise on little
endian systems individual bytes are compared in the wrong order.
Avoid this all and leverage memcmp(), it'll short circuit on the first
differing byte and its return values tells us which address sorts lower.
Bug: #6276
When thread affinity is set, the NUMA configuration specified in
the napatech.ini configuration could be incorrect and then fail.
This fails before the recommended configuration is printed, which
is pretty unhelpful.
Previous implementation hardcoded up to 4 NUMA nodes.
We support arbitrary number of NUMA nodes now.
Note that this commit also removes the old SCLog logging
calls. But since the logic has changed, these have been replaced
directly with new code.
The WARN_UNUSED attribute has been added to ByteExtractStringUint8
in commit 6988168114. The return
value is now handled and appropriate errors printed.
Since f8474344cd, there is an extra
argument to SCLog which indicates the module and subsystem
identifier. The Napatech vendor code is missing this argument,
which is fixed here.
* Log vendor client identifier (dhcp option 60) if extended dhcp
logging is turned on. This required the `vendor_client_identifier` to
be added to the json schema. Validation done using an SV Test
* Added `requested_ip` to the json schema as well, since it was
missed. My SV test failed without it.
Feature #4587
Commit e7c0f0ad91 removed uses of atoi with a new number parsing
functions. This broke parsing ip-reputation data files that contained
trailing carriage returns as it was being included in the number
string to convert.
Bug: #6243.
Multi-tenancy uses loader threads that initialize detection engines. During
this, esp the AC family of MPM implementations, there is significant stack
usage. In most OS' threads have a lower stack size by default. In Linux, when
using the Musl C library, a thread by default gets 128KiB.
This patch does 2 things:
1. it centralizes the handling of the `threading.stack-size`. It it is not
longer handled by the runmodes, but called from the global initialization
logic.
2. it sets a minimum per thread stack size of 512k, unless `threading.stack-size`
is set.
Ticket: #6265.
Implement a new design for handling var name id's. The old logic
was aware of detection engine versions and generally didn't work
well for multi-tenancy cases. Other than memory leaks and crashes,
logging of var names worked or failed based on which tenant was
loaded last.
This patch implements a new approach, where there is a global store
of vars and their id's for the lifetime of the program.
Overall Design:
Base Store: "base"
Used during keyword registration. Operates under lock. Base is shared
between all detect engines, detect engine versions and tenants.
Each variable name is ref counted.
During the freeing of a detect engine / tenant, unregistration decreases
the ref cnt.
Base has both a string to id and a id to string hash table. String to
id is used during parsing/registration. id to string during unregistration.
Active Store Pointer (atomic)
The "active" store atomic pointer points to the active lookup store. The call
to `VarNameStoreActivate` will build a new lookup store and hot swap
the pointer.
Ensuring memory safety. During the hot swap, the pointer is replaced, so
any new call to the lookup functions will automatically use the new store.
This leaves the case of any lookup happening concurrently with the pointer
swap. For this case we add the old store to a free list. It gets a timestamp
before which it cannot be freed.
Free List
The free list contains old stores that are waiting to get removed. They
contain a timestamp that is checked before they are freed.
Bug: #6044.
Bug: #6201.
Juliana Fajardini
Philippe Antoine
Victor Julien
Jason Ish
Jeff Lucovsky
Arne Welzel
Ralph Eastwood
Yatin Kanetkar
Thomas Winter
Philippe Antoine
Shivani Bhardwaj