Commit Graph

15587 Commits (suricata-7.0.11)
 

Author SHA1 Message Date
Victor Julien 5e501e2591 eve/alert: init membuffer size on missing config
Don't init buffer to 0 size but use the desired default of 4k.

(cherry picked from commit 462a6d7913)
10 months ago
Victor Julien 410ff80c34 eve/alert: log payload directly from stream buffer
This avoids looping over partly duplicate segments that cause
output data corruption by logging parts of the stream data multiple
times.

For data with GAPs now add an indicator '[4 bytes missing]', similar
to how Wireshark does it.

Bug: #6553.
(cherry picked from commit 43858f70ad)
10 months ago
Victor Julien 8bab8f9027 eve/frame: implement payload-buffer-size option
Modeled after the same option in eve/alert. Defaults to 4k.

(cherry picked from commit 829bab295b)
10 months ago
Victor Julien a7dc1aa733 stream: const args for StreamReassembleLog
Needed a workaround cast for RBTREE use.

(cherry picked from commit a5a6527d26)
10 months ago
Philippe Antoine 6a8d29c69e ci: move from cifuzz to clusterfuzzlite
To better support main7 CI fuzzing

Ticket: 7253
(cherry picked from commit b3bd57246f)
10 months ago
Philippe Antoine 50ee5e09c7 frames: do not only rely on FRAME_STREAM_ID
As the stream frame is not always created, the first frame is not
always a stream frame: if the stream frame is not enabled, it does not
get created, and other enabled frames may be created first.
See use of FrameConfigTypeIsEnabled.

This resulted in this other frame getting its length updated
on stream end, which led to false positives.

Also checking FRAME_STREAM_TYPE is more consistent.

Not a clean cherry-pick as AppLayerFrameGetLastOpenByType
does not exist in main7

Ticket: 7213
10 months ago
Philippe Antoine 9571df8936 rust/detect: fix too_long_first_doc_paragraph clippy warning
warning: first doc comment paragraph is too long
  --> src/detect/iprep.rs:57:1
   |
57 | / /// value matching is done use `DetectUintData` logic.
58 | | /// isset matching is done using special `DetectUintData` value ">= 0"
59 | | /// isnotset matching bypasses `DetectUintData` and is handled directly
60 | | /// in the match function (in C).
   | |_
   |
   = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#too_long_first_doc_paragraph
   = note: `#[warn(clippy::too_long_first_doc_paragraph)]` on by default
help: add an empty line

(cherry picked from commit dc3c048b49)
10 months ago
Philippe Antoine d3927afb70 rust/dcerpc: fix single_match clippy warning
warning: you seem to be trying to use `match` for destructuring a single pattern. Consider using `if let`
  --> src/dcerpc/log.rs:36:33
   |
36 |               DCERPC_TYPE_BIND => match &state.bind {
   |  _________________________________^
37 | |                 Some(bind) => {
38 | |                     jsb.open_array("interfaces")?;
39 | |                     for uuid in &bind.uuid_list {
...  |
51 | |                 None => {}
52 | |             },
   | |_____________^
   |
   = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#single_match
   = note: `#[warn(clippy::single_match)]` on by default

(cherry picked from commit 2a984e3b13)
10 months ago
Victor Julien c6aeec10b5 detect/app-layer-proto: fix prefilter check
Prefilter wasn't yet using `AppProtoEquals` which might lead to
mismatches with HTTP and DCERPC related signatures.
11 months ago
Victor Julien 9d922af7c1 detect/app-layer-proto: don't run detection on ALPROTO_UNKNOWN
Don't return true for negated protocol check if no protocol has been
evaluated due to ALPROTO_UNKNOWN in the packet direction.

This leads to false positives for negated matching, as an expression
like "!tls" will match if checked against ALPROTO_UNKNOWN.

This patch re-adds the missing check. The keyword returns no match as
long as the alproto is ALPROTO_UNKNOWN.

Fixes: bf9bbdd612 ("detect: fix app-layer-protocol keyword for HTTP")

Ticket: #7242.
11 months ago
Philippe Antoine 98fd40a4b3 tls/ja3: do not append to ja3 str once ja3 hash is computed
Ticket: 6634

That means only the first client hello is taken into account.
This way, we do not end up with a ja3 string with 9 commas...

(cherry picked from commit 84735251b5)
11 months ago
Philippe Antoine ded2082416 rust/ike: fix collapsible_match clippy warning
warning: this `match` can be collapsed into the outer `match`
help: the outer pattern can be modified to include the inner pattern
(cherry picked from commit 42e5e556e5)
11 months ago
Philippe Antoine bc1b906a7b rust: fix byte_char_slices clippy warnings
warning: can be more succinctly written as a byte str
   --> src/mime/smtp.rs:762:37
    |
762 |     mime_smtp_find_url_strings(ctx, &[b'\n']);
    |                                     ^^^^^^^^ help: try: `b"\n"`
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#byte_char_slices
    = note: `#[warn(clippy::byte_char_slices)]` on by default

(cherry picked from commit 564f685eea)
11 months ago
Sascha Steinbiss dc8cda6887 userguide: fix spelling of `security_result` EVE field
This ensures that the correct spelling of the `security_result` EVE
field for RFB (as opposed to `security-result`) is also reflected in the
documentation.

Ticket: #7210
(cherry picked from commit cb14e44780)
11 months ago
Sascha Steinbiss 8c8abbf7fa rust/rfb: use consistent key name for security_result
A typo caused a slightly different key (`security-result`) to be used
for the case in which the result was `FAIL`. This commit addresses this
by ensuring the same string is used for all cases.

Ticket: #7198
11 months ago
Eric Leblond 0f3a37acaa datasets: fix parsing of ip4 in ip6
The lookup function was not taking into account that we can have
an IPv4 or an IPv6 address as parameter and that these addresses
need to be converted to Suricata's internal storage.
By using the already defined dedicated parsing function, we are
fixing the issue.

Issue: #6969
(cherry picked from commit 4668c95513)
11 months ago
Juliana Fajardini 37ec6251e9 pgsql: check for eol when parsing response
It was brought to my attention by GLongo that the Pgsql parser handled eof
differently for requests and responses, and apparently there isn't a good
reason for such a difference; therefore, apply the same logic used for
rs_pgsql_parse_request when checking for eof while parsing a response.

(cherry picked from commit ce1556cefd)
11 months ago
Juliana Fajardini 1c483c9d65 output/json: add pgsql metadata logging to alerts
Bug #6092

Related to
Bug #6983
11 months ago
Juliana Fajardini f5cc23464b pgsql/logger: open json object from logger function
Before, the JsonBuilder object for the pgsql event was being created
from the C-side function that actually called the Rust logger.

As a result, if another module - such as the Json Alert - called the
PGSQL logger, we wouldn't have the `pgsql` key present in the log output,
only its inner fields.

Bug #6983

(cherry picked from commit 69e26de197)
11 months ago
Victor Julien 32c8a7614d doc/userguide: update guidance on 5 to 6 upgrading
TCP memory use can be higher than expected in certain configs.

Ticket: #6552.
(cherry picked from commit 3456dea276)
11 months ago
Victor Julien 107cd77ecb tcp: fix 'broken ack' on flow timeout
Don't set an ACK value if ACK flag is no longer set. This avoids a bogus
`pkt_broken_ack` event set.

Fixes: ebf465a11b ("tcp: do not assign TCP flags to pseudopackets")

Ticket: #7158.
(cherry picked from commit a404fd26af)
11 months ago
Philippe Antoine 7b547c7cd6 detect/nfs: do not free a null pointer
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69840
(cherry picked from commit b34d4b1314)
11 months ago
Jason Ish 03844b4291 eve/dns: make version required
The "eve.version" field is not always logged. Update the schema to
enforce that it is, and fix it for records that don't log it.

Ticket: #7167
(cherry picked from commit fcc1b1067b)
11 months ago
Victor Julien 304fe41762 profiling: allow absolute paths
Ticket #6490.

(cherry picked from commit 855cc89636)
11 months ago
Philippe Antoine d72ec89c37 rust: compatibility with cbindgen 0.27
Ticket: 7206

Cbindgen 0.27 now handles extern blocks as extern "C" blocks.
The way to differentiate them is to use a special comment
before the block.

(cherry picked from commit 304271e63a)
12 months ago
Jason Ish 926a7dae48 configure: require cbindgen version of 0.16.0 or newer
12 months ago
Jason Ish 1e0c64187f rust/dcerpc: fix rustdoc indentation
Fixes clippy lint:

error: doc list item missing indentation
   --> src/dcerpc/dcerpc.rs:511:9
    |
511 |     ///  description: direction of the flow
    |         ^
    |
    = help: if this is supposed to be its own paragraph, add a blank line
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#doc_lazy_continuation
12 months ago
Jason Ish 5ce35f581a rust/conf: collapse match pattern into if
Fixes clippy lint for collapsible_match.

error: this `match` can be collapsed into the outer `if let`
  --> src/conf.rs:85:9
   |
85 | /         match val {
86 | |             "1" | "yes" | "true" | "on" => {
87 | |                 return true;
88 | |             },
89 | |             _ => {},
90 | |         }
   | |_________^
   |
help: the outer pattern can be modified to include the inner pattern
  --> src/conf.rs:84:17
   |
84 |     if let Some(val) = conf_get(key) {
   |                 ^^^ replace this binding
85 |         match val {
86 |             "1" | "yes" | "true" | "on" => {
   |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^ with this pattern
   = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match
12 months ago
Jason Ish 2c92b12e19 rust/http2: remove redundant pattern match
Fix clippy lint for if_let_redundant_pattern_matching by using
.is_some().
12 months ago
Jason Ish 8e93ae0a22 rust/dcerpc: clippy fix for match
error: this `match` can be collapsed into the outer `match`
   --> src/dcerpc/detect.rs:215:20
    |
215 |           Some(x) => match x {
    |  ____________________^
216 | |             DCERPC_TYPE_REQUEST | DCERPC_TYPE_RESPONSE => {}
217 | |             _ => {
218 | |                 return 0;
219 | |             }
220 | |         },
    | |_________^
    |
help: the outer pattern can be modified to include the inner pattern
   --> src/dcerpc/detect.rs:215:14
    |
215 |         Some(x) => match x {
    |              ^ replace this binding
216 |             DCERPC_TYPE_REQUEST | DCERPC_TYPE_RESPONSE => {}
    |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ with this pattern
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match
12 months ago
Jason Ish fcc1da0144 rust/ssh: fix clippy warning, reference can be used
Fix done by clippy --fix.
12 months ago
Jason Ish f3f7bcc091 rust: fix clippy warnings for match as if statements
Fix done by clippy --fix.
12 months ago
Philippe Antoine 33783269ae fuzz: make confyaml.c an explicit source
Ticket: 7181

Allows confyaml.c to be in the release archive

(cherry picked from commit 3f8251bd47)
12 months ago
Jeff Lucovsky a3af0e98a1 output/json: Close jb object on error
Issue: 7194

Ensure that the jb object is closed on errors.
12 months ago
Philippe Antoine 67311e3d47 detect/integers: harmonize parser return handling
Ticket: 7172

When parsing an integer for a rule keyword fails, we return error
straight away, without bothering to try to free the NULL pointer.

On the way, remove some one-line wrappers around DetectUxParse.

(cherry picked from commit daad7f2d41)
12 months ago
Lukas Sismis ee9aad22f7 dpdk: replace TSC clock with GetTime (gettimeofday) function
Getting clock through Time Stamp Counter (TSC) can be precise and fast,
however only for a short duration of time.
The implementation across CPUs seems to vary. The original idea is to
increment the counter with every tick. Then dividing the delta of CPU ticks
by the CPU frequency can return the time that passed.
However, the CPU clock/frequency can change over time, resulting in uneven
incrementation of TSC. On some CPUs this is handled by extra logic.
As a result, obtaining time through this method might drift from the real
time.

This commit therefore substitutes TSC time retrieval with the standard system
call wrapped in the GetTime function - on Linux it is gettimeofday.

Ticket: 7116

(cherry picked from commit 35dffc6b32)
1 year ago
Juliana Fajardini f74fa898cf dns: allow triggering raw stream reassembly
For TCP streams, app proto stream reassembly can start earlier, instead
of waiting and queueing up data before doing so.

Task #7018
Related to
Bug #7004

(cherry picked from commit bb45ac71ef)
1 year ago
Victor Julien ff8d9ca1a1 smb/ntlmssp: improve version check
Don't assume the ntlmssp version field is always present if the flag is
set. Instead keep track of the offsets of the data of the various blobs
and see if there is space for the version.

Inspired by how Wireshark does the parsing.

Bug: #7121.
(cherry picked from commit f59c43b1c7)
1 year ago
Philippe Antoine c9dbc565d9 util/thash: decrease memuse if array was allocated
THashInitConfig may not allocate array and increase memuse.
Such a failure leads to THashShutdown which should not decrease
the memuse.

Ticket: 7135
(cherry picked from commit eeec609ac8)
1 year ago
Victor Julien 6824a4bc5f doc/userguide: document iprep isset/isnotset
(cherry picked from commit 8b42182fee)
1 year ago
Victor Julien b014b1e8e6 doc/userguide: add more operators to iprep
(cherry picked from commit 2f74d435d3)
1 year ago
Victor Julien d2ee5a1e9e detect/iprep: implement isset and isnotset
Implement special "isset" and "isnotset" modes.

"isset" matches if an IP address is part of an iprep category with any
value.

It is internally implemented as ">=,0", which should always be true if
there is a value to evaluate, as valid reputation values are 0-127.

"isnotset" matches if an IP address is not part of an iprep category.

Internally it is implemented outside the uint support.

Ticket: #6857.
(cherry picked from commit 83976a4cd4)
1 year ago
Victor Julien 524ee70cfa reputation: minor cleanup
No need to init ptrs to NULL after SCCalloc.

(cherry picked from commit 3e46c51651)
1 year ago
Victor Julien b4acd71b8b detect/iprep: update keyword parser for extendibility
(cherry picked from commit 539ab3a404)
1 year ago
Philippe Antoine f653a4ee3f bypass: really bypass udp flow from first packet
Ticket: 7053

As flow state would be overwritten by established...

(cherry picked from commit df5dcfef5f)
1 year ago
Philippe Antoine ea215902d5 filestore: do not try to store a file set to nostore
Ticket: 6390

This can happen with keyword filestore:both,flow
If one direction does not have a signature group with a filestore,
the file is set to nostore on opening, until a signature in
the other direction tries to set it to store.
Subsequent files will be stored in both directions as flow flags
are now set.

(cherry picked from commit 5f35035928)
1 year ago
Philippe Antoine 4f91c629f4 detect/snmp: do not bother to free a null pointer
Ticket: 7134
1 year ago
Victor Julien 27deff0790 github-actions: remove build for EOL centos:7
1 year ago
Victor Julien 104ec011c0 detect/noalert: point noalert/alert to new doc
(cherry picked from commit d02054fa31)
1 year ago
Victor Julien e04d8f3045 doc/userguide: add noalert/alert keyword docs
(cherry picked from commit 50ef646d45)
1 year ago