Commit Graph

15587 Commits (suricata-7.0.11)

Author SHA1 Message Date
Victor Julien 8fdbb0b17d doc/userguide: give pcre1 to pcre2 proper heading
(cherry picked from commit c83e3285ae)
1 year ago
Victor Julien b3fa19fe28 detect: implement 'alert' keyword as a companion to 'noalert'
This can be used to implement alert then pass logic.

Add support for alert-then-pass to alert handling routines.

Ticket: #5466.
(cherry picked from commit d5fb8204b6)
1 year ago
Victor Julien 5bcbbf3569 detect: set ACTION_ALERT for rules that should alert
Replaces default "alert" logic and removes SIG_FLAG_NOALERT.

Instead, "noalert" unsets ACTION_ALERT. Same for flowbits:noalert and
friends.

In signature ordering rules w/o action are sorted as if they have 'alert',
which is the same behavior as before, but now implemented explicitly.

Ticket: #5466.
(cherry picked from commit 92581dbc06)
1 year ago
Shivani Bhardwaj 1f69d6cded detect/flowbits: remove DETECT_FLOWBITS_CMD_NOALERT
DETECT_FLOWBITS_CMD_NOALERT is misleading as it gives an impression that
noalert is a flowbit specific command that'll be used and dealt with at
some point but as soon as noalert is found in the rule lang, signature
flag for noalert is set and control is returned. It never gets added to
cmd of the flowbits object.

(cherry picked from commit 75471dd69b)
1 year ago
Victor Julien 6fbcab4af1 detect/alert: minor loop cleanup
(cherry picked from commit 8f72a04973)
1 year ago
Victor Julien c016843e97 detect/noalert: minor cleanup
(cherry picked from commit 44e7fdc3ca)
1 year ago
Shivani Bhardwaj 270e49da60 changelog: update 7.0.6 CVEs and titles 1 year ago
Shivani Bhardwaj 561d2d32c6 version: start development towards 7.0.7 1 year ago
Shivani Bhardwaj 9db8668166 release: 7.0.6; update changelog 1 year ago
Philippe Antoine c82fa5ca0d http2: do not expand duplicate headers
Ticket: 7104

As this can cause a big memory allocation due to the quadratic
nature of the HPACK compression.

(cherry picked from commit 5bd17934df)
1 year ago
Philippe Antoine a753cdbe84 modbus: abort flow parsing on flood
Ticket: 6987

Let's not spend more resources for a flow which is trying to
make us do it...

(cherry picked from commit 37509e8e0e)
1 year ago
Victor Julien aab7f35c76 defrag: don't use completed tracker
When a Tracker is set up for an IPID, frags come in for it and it's
reassembled and complete, the `DefragTracker::remove` flag is set. This
is meant to tell the hash cleanup code to recycle the tracker and to let
the lookup code skip the tracker during lookup.

A logic error led to the following scenario:

1. there are sufficient frag trackers to make sure the hash table is
   filled with trackers
2. frags for a Packet with IPID X are processed correctly (X1)
3. frags for a new Packet that also has IPID X come in quickly after the
   first (X2).
4. during the lookup, the frag for X2 hashes to a hash row that holds
   more than one tracker
5. as the trackers in hash row are evaluated, it finds the tracker for
   X1, but since the `remove` bit is not checked, it is returned as the
   tracker for X2.
6. reassembly fails, as the tracker is already complete

The logic error is that only for the first tracker in a row the `remove`
bit was checked, leading to reuse of a closed tracker if there were more
trackers in the hash row.

Ticket: #7042.
1 year ago
Philippe Antoine b47c351d70 detect: add to signature mask for decode events
Ticket: 6291
(cherry picked from commit 0a953fe1ce)
1 year ago
Philippe Antoine 0ed4d29d42 detect: fix check for app_layer events
Ticket: 7106
(cherry picked from commit 4e584ed201)
1 year ago
Lukas Sismis 7cc86938fc doc: port user install and build instruction from master-6.0.x
Ticket: #6685
(cherry picked from commit bd9608771e)
1 year ago
Lukas Sismis 2101573c14 github-ci: add minimal build for Ubuntu and AlmaLinux
(cherry picked from commit cd7c35eb5a)
1 year ago
Lukas Sismis 8216b5b229 github-ci: remove gosu from installed packages
(cherry picked from commit 6d663ec885)
1 year ago
Lukas Sismis 77997941ae doc: update eBPF compilation instructions
Ticket: #6599
(cherry picked from commit 521d1cb8e7)
1 year ago
Jason Ish 82b502ec25 rust/ike: prefix never read field names with _
New warning from rustc.

The other option is to allow dead code, however this is more explicit,
and when they are read, it's obvious they should be renamed.
1 year ago
Jason Ish 192ef5bb90 rust: fix clippy lint for legacy_numeric_constants
https://rust-lang.github.io/rust-clippy/master/index.html#legacy_numeric_constants
1 year ago
Jason Ish 97409fe37b rust: rename .cargo/config to .cargo/config.toml
Addresses this warning from the Rust compiler:

warning: `../rust/.cargo/config` is deprecated in favor of `config.toml`
note: if you need to support cargo 1.38 or earlier, you can symlink `config` to `config.toml`
(cherry picked from commit 8560564657)
1 year ago
Jason Ish 9c9181ee19 cargo: use default-features instead of default_features
"default_features" is being deprecated in Rust 2024.
1 year ago
Jason Ish d88eb343af rust: simplify matches with unwrap_or_default
New default clippy warning:
https://rust-lang.github.io/rust-clippy/master/index.html#manual_unwrap_or_default
1 year ago
Eric Leblond 5d8ac12236 profiling: check packet flag first
This fixes the state handling and simplifies the logic.

(cherry picked from commit b128a75973)
1 year ago
Eric Leblond 8baa505c72 profiling: add option to activate rules profiling at start
When replaying a pcap file, it is not possible to get rules
profiling because it has to be activated from the unix socket.
This patch adds a new option to be able to activate profiling
collection at start so a pcap run can get rules profiling
information.

(cherry picked from commit eecb3440e2)
1 year ago
Philippe Antoine 897fc4ccea smtp: respect quotes for to and cc logging
When splitting the field over commas, skip the commas
which are inside quotes

Ticket: 7060

Not a direct backport, but heavily inspired by new rust code
handling it
1 year ago
Philippe Antoine b9cd802e86 eve/schema: complete and reorder smtp fields
received and cc were missing

(cherry picked from commit 8d4699fbba)
1 year ago
Philippe Antoine 7f0a53dc24 smtp: exit data mode if data command was rejected
And the server was advertising pipelining.

Ticket: 6906
(cherry picked from commit ed895c04ff)
1 year ago
Jeff Lucovsky ffca7658a2 output/ja4: Log ja4 hashes iff configured
This commit allows ja4 hashes to be logged iff enabled in the tls/quic
section of the outputs.

With the default setting ("off"), ja4 hashes will only be logged in
alerts when the signature uses the ja4.hash keyword.

When enabled, ja4 hashes will be included in quic and tls logs.

- tls:
     ja4: on
- quic:
     ja4: on

Issue: 7010
1 year ago
Jeff Lucovsky 1f5e10a49c output/ja4: Restrict ja4 hashes to alerts
This commit restricts ja4 hash output to alerts; ja4 hashes will not be
in tls or quic events.

Issue: 7010
1 year ago
Jeff Lucovsky 247fc2bfb6 tests/ja4: config message when ja4 auto enabled
Issue: 7010

This commit displays a config message when JA4 is enabled due to rule
usage.
1 year ago
Sascha Steinbiss 93fd349b3f ja4: implement for TLS and QUIC
Ticket: OISF#6379
(cherry picked from commit 120313f4da)
1 year ago
Sascha Steinbiss f48b48da65 ja3: make feature compile time configurable
(cherry picked from commit 9d0db71ebf)
1 year ago
Sascha Steinbiss d2436eb454 suricata: initialize feature tracking earlier
This gives app layer code a chance to access feature
information.

(cherry picked from commit 32f23b6d2f)
1 year ago
jason taylor 00c7473a00 doc: add source verification docs
Ticket: #6908

Signed-off-by: jason taylor <jtfas90@gmail.com>
(cherry picked from commit 47d6c3a3ab)
1 year ago
Victor Julien 9dc9fbee0b github-actions: bump scan-build to Ubuntu 24.04 / clang 18
(cherry picked from commit e0411878fc)
1 year ago
Victor Julien e64ef0269f detect/tls.store: fix direction check
STREAM_* flags are invalid for `Flow::flags`.

Fixes: dfcb429524 ("detect/cert: Use client side certs")
(cherry picked from commit 032bc04a1e)
1 year ago
Alexey Simakov 0d929a44f8 util/radix-tree: fix potential dereference of nullptr
Fix potential dereference of nullptr in case of
unsuccessful allocation of memory leak for tree nodes

Bug: #7049
(cherry picked from commit a8217d288a)
1 year ago
Victor Julien 3a7f083f3c output/lua: handle registration error
Use error message instead of info message.

(cherry picked from commit 621fe38dbf)
1 year ago
Victor Julien b5e52587d5 output/streaming: suppress noisy start up message
(cherry picked from commit 3b1fecbab1)
1 year ago
Victor Julien b6520aaf80 github-action: remove end of life CentOS 8 stream
(cherry picked from commit 130d75f025)
1 year ago
Eric Leblond e58f3185c5 eve: revert ethernet addresses when needed
EVE logging has a direction parameter that can cause the logging
of an application layer to be done in a direction that is not linked
to the packet. As a result the source IP address could be assigned the
MAC address of the destination IP and reverse.

This patch addresses this by propagating the direction to the ethernet
logging function and using it there to define the correct mapping.

Issue #6405

(cherry picked from commit 21916b9743)
1 year ago
Victor Julien f3b2e9618d threads: give threads more time to get ready
In certain conditions, it can take a long time for threads to start up.
For example in af-packet, setting up the socket, rings, etc has been
observed to take close to half a second per thread, and since the
threads go one by one in a preset order, this means the start up can
take a lot of time if there are many threads. The old logic would just
allow a hard coded 60s. This was not always enough when the number of
threads was high.

This patch makes the wait time take the number of threads into account.
It adds a second of time budget to the base 60s for each thread.

So as an example, if a system has 112 af-packet threads, it would wait
172 seconds (60 + 112) for the threads to get ready.

Ticket: #7048.
(cherry picked from commit 41b9836b11)
1 year ago
Victor Julien 183a6f20d2 threads: optimize start up check
When starting a large amount of threads, the loop was inefficient. It
would loop over the threads and if one wasn't yet ready it would sleep a
bit and then reevaluate all the threads. This reevaluation of threads
already checked was inefficient, and could lead to the time budget
running out.

This patch splits the check, and keeps track of the threads that have
already passed. This avoids the rescanning of already checked threads.

(cherry picked from commit 85fd4b2ec7)
1 year ago
Shivani Bhardwaj ee3485e7c8 detect/port: remove SigGroupHead* ops
The functions in detect-engine-port.c are only being used at the time of
parsing the ports from rules initially. Since there are no SGHs at that
point, remove the ops related to them too.

(cherry picked from commit e14fefe24a)
1 year ago
Shivani Bhardwaj e1ed0bea39 detect/port: clang fmt changes 1 year ago
Shivani Bhardwaj 3850992c23 detect/port: handle range and upper boundary ports
So far, if a port was found to be single which was earlier a part of the
range, port + 1 was added to the list to honor the range that it was a
part of. But, this is incorrect in case the port is 65535 or if the port
was found to be of range when it was earlier a single port.

Bug 6896

(cherry picked from commit 4227e52c4b)
1 year ago
Shivani Bhardwaj 528d1f1adf detect/port: fix grouping of ports w gaps
If a single port happens before a range port, the port groups created
were incorrect. Fix it to use smarter range check.

For example, given,
80:80 - SGH1
100:120 - SGH2

Range created should be
80:80 - SGH1
100:120 - SGH2

Bug 6881

(cherry picked from commit 7d937db5cb)
1 year ago
Shivani Bhardwaj e9d9db6c83 detect/port: handle single port that is range too
If a port point is single but later on also a part of a range, it ends
up only creating the port groups for single points and not the range.
Fix it by adding the port next to current single one to unique points
and marking it a range port.

Bug 6843

(cherry picked from commit 632ca75dd3)
1 year ago
Shivani Bhardwaj c284b4c4ae util/interval-tree: fix coverity warning
Fix Coverity warning

** CID 1592992:  Incorrect expression  (COPY_PASTE_ERROR)
/src/util-port-interval-tree.c: 255 in SCPortIntervalFindOverlaps()

________________________________________________________________________________________________________
*** CID 1592992:  Incorrect expression  (COPY_PASTE_ERROR)
/src/util-port-interval-tree.c: 255 in SCPortIntervalFindOverlaps()
249                      * will be sorted, insert any new ports to the end of the list
250                      * and avoid walking the entire list */
251                     if (*list == NULL) {
252                         *list = new_port;
253                         (*list)->last = new_port;
254                     } else if (((*list)->last->port != new_port->port) &&
>>>     CID 1592992:  Incorrect expression  (COPY_PASTE_ERROR)
>>>     "port" in "(*list)->last->port2 != new_port->port" looks like a copy-paste error.
255                                ((*list)->last->port2 != new_port->port)) {
256                         DEBUG_VALIDATE_BUG_ON(new_port->port < (*list)->last->port);
257                         (*list)->last->next = new_port;
258                         new_port->prev = (*list)->last;
259                         (*list)->last = new_port;
260                     } else {

The code does not generate two port ranges that are same other than the
cases where port == port2 which is why it worked so far. Fix it.

Bug 6839

(cherry picked from commit 2d6708f1ff)
1 year ago