Ticket: 6799
When we find an overlong banner, we get into the state just
waiting for end of line, and we just want to skip the bytes
until then.
Returning AppLayerResult::incomplete made TCP engine retain
the bytes and grow the buffer that we parsed again and again...
(cherry picked from commit 271ed2008b)
Ticket: 6578
When a protocol such as SSH sets no_inspection, we still have to
flush the current streams and packets that contain clear-text
for detection.
(cherry picked from commit cc3b4b01ec)
Ticket: #6305
When running FlowWorkerStreamTCPUpdate, one of the dequeued packets
may set the flow action to drop, without updating the not-pseudo
packet action, as is done usually with a previous call to
FlowHandlePacketUpdate.
(cherry picked from commit 4c4f7ff1a2)
Ticket: 6787
To do pointer arithmetic, we need to use a uint8_t* pointer:
pointer arithmetic in C is automatically scaled according
to the size of the data type.
Also simplifies the loop condition
(cherry picked from commit d2db8bfdca)
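The scaling rule stated in the message above, as an added C example that is not Suricata's code: a constructed buffer of fixed-size records is walked with a uint8_t cursor because the record length is a byte count, and the loop condition is written against the remaining byte count so the cursor never reads past the end. The record format, REC_LEN and sum_record_ids() are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed record format (hypothetical, for illustration only):
 * each record is 6 bytes, a 4-byte big-endian id followed by a 2-byte
 * big-endian flags field. REC_LEN is a *byte* length. */
#define REC_LEN 6

/* Sum the ids of all complete records in buf; a trailing partial record
 * is ignored rather than read past the end of the buffer.
 *
 * The cursor is a uint8_t pointer on purpose: p += REC_LEN then advances
 * exactly REC_LEN bytes. Had p been a uint32_t pointer, p += REC_LEN would
 * advance REC_LEN * sizeof(uint32_t) = 24 bytes, because C scales pointer
 * arithmetic by the size of the pointed-to type.
 *
 * The loop condition compares the remaining byte count instead of computing
 * p + REC_LEN, so it cannot form a pointer beyond end even on odd-sized input. */
uint32_t sum_record_ids(const uint8_t *buf, size_t len)
{
    const uint8_t *end = buf + len;
    uint32_t sum = 0;

    for (const uint8_t *p = buf; (size_t)(end - p) >= REC_LEN; p += REC_LEN) {
        /* decode the big-endian id byte by byte; no unaligned uint32_t load */
        uint32_t id = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                      ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
        sum += id;
    }
    return sum;
}

/* Number of complete records in buf, computed with the same byte-typed walk. */
size_t count_complete_records(const uint8_t *buf, size_t len)
{
    const uint8_t *end = buf + len;
    size_t n = 0;

    for (const uint8_t *p = buf; (size_t)(end - p) >= REC_LEN; p += REC_LEN)
        n++;
    return n;
}
```

With a 16-byte input holding two full records and four bytes of a third, sum_record_ids() returns the sum of the first two ids only and count_complete_records() returns 2.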
Issue: 6837
When using netmap pipes (with lb, for example), avoid direct hardware
related IOCTLs that will fail (not supported with pipes).
(cherry picked from commit af529a56a9)
Capture plugins need to be registered before LiveDeviceFinalize,
otherwise Suricata errors before the plugin gets a chance to load.
Bug: #6811
(cherry picked from commit 25d0e0b68c)
Move the zeroing to the thread module array InitGlobal in an effort
to fix capture modules.
At some point device validation moved to a point in startup before
plugins are loaded meaning that capture plugins could not be
used. Moving plugin registration early enough caused some of their
registration to be wiped out as clearing the array was done after.
Bug: #6811
(cherry picked from commit 96e61b043c)
Ticket: 6796
Similar to commit for detection
9240ae250c
We only have more logging to do if the app update was fresh,
i.e. if p->app_update_direction != 0
If we have data acknowledged in one direction,
and then many packets in the other direction,
the APP_UPDATED flow flags did not get reset because we did not
run detection yet in this direction,
but there is nothing more to do after the first packet in the
other direction.
(cherry picked from commit c41540f839)
Our code handles Uint ranges as exclusive, but for bsize, our
documentation stated that they're inclusive.
Cf. from uint.rs:
    DetectUintMode::DetectUintModeRange => {
        if val > x.arg1 && val < x.arg2 {
            return true;
        }
    }
Task #6708
(cherry picked from commit 244a35d539)
Previous implementation allowed FreeBSD to enter into the hugepage
analysis. It then failed with an error message because the hugepage/
NUMA node paths that are used in the codebase to retrieve info about
the system are not the same as the structure in Linux.
Additionally, the messages were logged on error level. It has been
demoted to info level because the whole hugepage analysis checkup is
only for informational purposes and does not affect Suricata operation.
The hugepage analysis and the hugepage snapshots are now limited to
only run in the DPDK runmode.
Ticket: #6760
Ticket: #6762
(cherry picked from commit 4b0704db55)
Fix leak of configuration data on exit. Also, in single mode set
thread count to one instead of the CPU count.
Bug: #4734
(cherry picked from commit 5f0853599b)
Issue: 6527
Address the FP raised by cppcheck -- note that although the code
correctly checks to ensure that `to_shift != &sb->region`, the logic was
detected as a FP. Rework the code to eliminate the FP.
(cherry picked from commit 40e3514e7a)
    src/detect-engine-address.c:1386:5: error: Memory leak: map.string [memleak]
        return true;
        ^
Seems cppcheck loses track of the pointer after the unnecessary cast to
void.
Bug: #6527.
(cherry picked from commit 78703bbc86)
    src/runmode-unix-socket.c:547:9: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
        snprintf(tstr, sizeof(tstr), "%d", cfile->tenant_id);
        ^
    src/runmode-unix-socket.c:1040:5: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
        snprintf(prefix, sizeof(prefix), "multi-detect.%d", tenant_id);
        ^
    src/runmode-unix-socket.c:1189:5: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
        snprintf(prefix, sizeof(prefix), "multi-detect.%d", tenant_id);
        ^
(cherry picked from commit 872f007a14)
Previously pseudopackets were assigned with ACK flag which falsely turned
"SYN" flows to "SYN/ACK" flows when Suricata ran with raw content-matching
rules. The problem occurred during the flow timeout or Suricata shutdown,
essentially, when the flow was being kicked out (with a pseudopacket).
When Suricata ran without raw content-matching rules (the ruleset did not
contain content matching keywords or it only contained keywords that are
app-layer content-matching) then raw stream reassembly tracking is turned off
(SignatureHasStreamContent()).
This in turn disabled a check in StreamNeedsReassembly() and the right edge
was not checked with the raw stream progress. In turn, it did not generate
a pseudopacket that would go through the detection engine. Suricata with
raw content-matching keywords would therefore on a flow with SYN packet only
return STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_ONLY_DETECTION which would generate
the pseudopacket.
In Suricata versions <= 6.0.x, the flow output was correct because
only the commit 1bb6f44ff0 started to
differentiate the right edge calculation between the raw and application
layer streams. The older Suricata versions used only the application layer
right edge equation and therefore did not generate a pseudopacket.
Ticket: #6734
(cherry picked from commit ebf465a11b)
A deadlock could occur at start up, where a loader thread would
get stuck on its condition variable, while the main thread was
polling the loaders task results.
The vector to the deadlock is as follows:
    main                              loader
    DetectEngineMultiTenantSetup
    -DetectLoaderSetupLoadTenant
    --DetectLoaderQueueTask
    ---lock loader
    ---add task
    ---unlock loader
                                      lock loader
                                      check/exec tasks
                                      unlock loader
    ---wake up threads
                                      lock ctrl mutex
                                      cond wait ctrl
                                      unlock ctrl
    -DetectLoadersSync
    --lock loader
    --check tasks
    --unlock loader
Between the main thread unlocking the loader and waking up the
threads, it is possible that the loader has already moved ahead
but not yet entered its conditional wait. The main thread sends
its condition signal, but since the loader isn't yet waiting on
it the signal is ignored. Then when the loader does enter its
conditional wait, the signal is not sent again.
This patch updates the logic to send signals much more often.
It also makes sure that the signal is sent under lock, as the
API requires.
Bug: #6768.
Co-authored-by: Shivani Bhardwaj <shivani@oisf.net>
When an interface with dots is used, per worker stats are nested by the
dot-separated-components of the interface due to the usage of
OutputStats2Json().
Prevent this by using OutputStats2Json() on a per-thread specific object
and setting this object into the threads object using the
json_object_set_new() which won't do the dot expansion.
This was tested by creating an interface with dots in the name
and checking the stats.
    ip link add name a.b.c type dummy
With Suricata 7.0.2, sniffing on the a.b.c interface results in the
following worker stats format:
    "threads": {
      "W#01-a": {
        "b": {
          "c": {
            "capture": {
              "kernel_packets": 0,
After this fix, the output looks as follows:
    "threads": {
      "W#01-a.b.c": {
        "capture": {
          "kernel_packets": 0,
Ticket: #6732
(cherry picked from commit b8b8aa69b4)
The runtime complexity of insertion sort is approx. O(h*n)^2 where
h is the size of the HOME_NET and n is the number of ip only rules
that use the HOME_NET.
Replacing this with qsort significantly improves rule load time when
a large HOME_NET is used in combination with a moderate amount of ip
only rules.
(cherry picked from commit 17f9d7aecc)
Ensure that the mutex protecting the condition variable is held before
signaling it. This ensures that the thread(s) awaiting the signal are
notified.
Issue: 6569
(cherry picked from commit 2a1a70b308)
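The lost-wakeup race described in the deadlock message above (Bug #6768) and the signal-under-lock rule in this one (Issue 6569), as an added C example that is not Suricata's code: a constructed single-worker task queue in which the worker re-checks its predicate in a loop and the producer signals while holding the mutex, so a signal cannot fall between the worker's predicate check and its cond_wait. Loader, loader_queue_task() and loader_run() are hypothetical names chosen for illustration.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical loader state (not Suricata's DetectLoader structures). */
typedef struct Loader {
    pthread_mutex_t lock;   /* protects every field below and pairs with cond */
    pthread_cond_t  cond;
    int  pending;           /* tasks queued but not yet executed */
    int  done;              /* tasks executed */
    bool shutdown;          /* set by the main thread once no more tasks come */
} Loader;

/* Worker thread: sleeps until there is work or a shutdown request.
 * The predicate is re-checked in a loop, so a task queued (and signalled)
 * before the worker reached pthread_cond_wait() is still picked up, and a
 * spurious wakeup does nothing harmful. */
static void *loader_thread(void *arg)
{
    Loader *l = arg;

    pthread_mutex_lock(&l->lock);
    for (;;) {
        while (l->pending == 0 && !l->shutdown)
            pthread_cond_wait(&l->cond, &l->lock); /* releases lock while waiting */
        if (l->pending == 0 && l->shutdown)
            break;
        l->pending--;                              /* "execute" one task */
        l->done++;
    }
    pthread_mutex_unlock(&l->lock);
    return NULL;
}

/* Queue one task. The signal is sent while the mutex is held: if it were
 * sent after unlocking, the worker could test `pending == 0` before the
 * increment became visible, get descheduled, and then wait for a signal
 * that has already been delivered and lost. That is the deadlock vector
 * described in the commit message. */
void loader_queue_task(Loader *l)
{
    pthread_mutex_lock(&l->lock);
    l->pending++;
    pthread_cond_signal(&l->cond);
    pthread_mutex_unlock(&l->lock);
}

/* Start one worker, queue ntasks tasks, request shutdown (also signalled
 * under lock), join, and return how many tasks were executed. */
int loader_run(int ntasks)
{
    Loader l;
    pthread_t tid;

    pthread_mutex_init(&l.lock, NULL);
    pthread_cond_init(&l.cond, NULL);
    l.pending = 0;
    l.done = 0;
    l.shutdown = false;

    pthread_create(&tid, NULL, loader_thread, &l);
    for (int i = 0; i < ntasks; i++)
        loader_queue_task(&l);

    pthread_mutex_lock(&l.lock);
    l.shutdown = true;
    pthread_cond_signal(&l.cond);   /* again: signal under the lock */
    pthread_mutex_unlock(&l.lock);

    pthread_join(tid, NULL);
    int done = l.done;

    pthread_cond_destroy(&l.cond);
    pthread_mutex_destroy(&l.lock);
    return done;
}
```

loader_run(100) returns 100 regardless of how the worker and the main thread interleave, because no task can be queued without a signal being sent under the lock and no signal can be missed by a worker that has not yet started waiting. Build with pthreads (on older glibc, add -lpthread).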
Issue: 6755
When NetmapOpen encounters an error opening the netmap device, it'll
retry a bit. When the retry limit is reached, it'll shut down Suricata.
This commit ensures that the device list lock is not held before
closing all open devices before terminating Suricata.
(cherry picked from commit 364adeeb04)
Fix memory leak at util-decode-mime:MimeDecInitParser, whose
root cause is not freeing the allocated memory for mimeMsg.
Bug: #6745
(cherry picked from commit 231c892bef)
Ticket: 6617
So that rules with keyword like `filestore:to_server,flow`
only store the files to server and not the ones to client...
Directionality only worked with the default scope, i.e. the
current file, and not the scope tx or scope flow.
For non-default scope, tx or flow, both directions were stored
whatever the directionality specified.
For these non-default scopes, this commit keeps a default
of both directions, but uses only one direction if specified.
Need to split flag FLOWFILE_STORE per direction, so that Suricata
can retain this (optional) directional info from the filestore
keyword.
Fixes: 79499e4769 ("app-layer: move files into transactions")
(cherry picked from commit 63caa0b40a)
Errors when a detection engine gets 65k filestore signatures to
avoid the hard limit to have 65k filestore per signature group
head
Ticket: #6393
(cherry picked from commit db99c45d23)
Add not-needed SCCalloc return check to satisfy our Cocci malloc
checks as it can't see that the caller immediately checks the return
value of this simple wrapper around SCCalloc.
(cherry picked from commit f800ed0f90)
    error: writing `&Vec` instead of `&[_]` involves a new object where a slice will do
       --> src/dns/log.rs:371:29
        |
    371 | pub fn dns_print_addr(addr: &Vec<u8>) -> std::string::String {
        |                             ^^^^^^^^ help: change this to: `&[u8]`
        |
        = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#ptr_arg
(cherry picked from commit 68b0052018)