Ticket: 7206
Cbindgen 0.27 now handles extern blocks as extern "C" blocks.
The way to differentiate them is to use a special comment
before the block.
(cherry picked from commit 304271e63a)
Fixes clippy lint:
error: doc list item missing indentation
--> src/dcerpc/dcerpc.rs:511:9
|
511 | /// description: direction of the flow
| ^
|
= help: if this is supposed to be its own paragraph, add a blank line
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#doc_lazy_continuation
Fixes clippy lint for collapsible_match.
error: this `match` can be collapsed into the outer `if let`
--> src/conf.rs:85:9
|
85 | / match val {
86 | | "1" | "yes" | "true" | "on" => {
87 | | return true;
88 | | },
89 | | _ => {},
90 | | }
| |_________^
|
help: the outer pattern can be modified to include the inner pattern
--> src/conf.rs:84:17
|
84 | if let Some(val) = conf_get(key) {
| ^^^ replace this binding
85 | match val {
86 | "1" | "yes" | "true" | "on" => {
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ with this pattern
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match
error: this `match` can be collapsed into the outer `match`
--> src/dcerpc/detect.rs:215:20
|
215 | Some(x) => match x {
| ____________________^
216 | | DCERPC_TYPE_REQUEST | DCERPC_TYPE_RESPONSE => {}
217 | | _ => {
218 | | return 0;
219 | | }
220 | | },
| |_________^
|
help: the outer pattern can be modified to include the inner pattern
--> src/dcerpc/detect.rs:215:14
|
215 | Some(x) => match x {
| ^ replace this binding
216 | DCERPC_TYPE_REQUEST | DCERPC_TYPE_RESPONSE => {}
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ with this pattern
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match
Ticket: 7172
When parsing an integer for a rule keyword fails, we return an error
straight away, without bothering to try to free the NULL pointer.
On the way, remove some one-line wrapper around DetectUxParse
(cherry picked from commit daad7f2d41)
Getting clock through Time Stamp Counter (TSC) can be precise and fast,
however only for a short duration of time.
The implementation across CPUs seems to vary. The original idea is to
increment the counter with every tick. Then dividing the delta of CPU ticks
by the CPU frequency can return the time that passed.
However, the CPU clock/frequency can change over time, resulting in uneven
incrementation of TSC. On some CPUs this is handled by extra logic.
As a result, obtaining time through this method might drift from the real
time.
This commit therefore substitutes TSC time retrieval by the standard system
call wrapped in GetTime function - on Linux it is gettimeofday.
Ticket: 7116
(cherry picked from commit 35dffc6b32)
For TCP streams, app proto stream reassembly can start earlier, instead
of waiting and queueing up data before doing so.
Task #7018
Related to
Bug #7004
(cherry picked from commit bb45ac71ef)
Don't assume the ntlmssp version field is always present if the flag is
set. Instead keep track of the offsets of the data of the various blobs
and see if there is space for the version.
Inspired by how Wireshark does the parsing.
Bug: #7121.
(cherry picked from commit f59c43b1c7)
THashInitConfig may not allocate the array and increase memuse.
Such a failure leads to THashShutdown which should not decrease
the memuse.
Ticket: 7135
(cherry picked from commit eeec609ac8)
Implement special "isset" and "isnotset" modes.
"isset" matches if an IP address is part of an iprep category with any
value.
It is internally implemented as ">=,0", which should always be true if
there is a value to evaluate, as valid reputation values are 0-127.
"isnotset" matches if an IP address is not part of an iprep category.
Internally it is implemented outside the uint support.
Ticket: #6857.
(cherry picked from commit 83976a4cd4)
Ticket: 6390
This can happen with keyword filestore:both,flow
If one direction does not have a signature group with a filestore,
the file is set to nostore on opening, until a signature in
the other direction tries to set it to store.
Subsequent files will be stored in both directions as flow flags
are now set.
(cherry picked from commit 5f35035928)
This can be used to implement alert then pass logic.
Add support for alert-then-pass to alert handling routines.
Ticket: #5466.
(cherry picked from commit d5fb8204b6)
Replaces default "alert" logic and removes SIG_FLAG_NOALERT.
Instead, "noalert" unsets ACTION_ALERT. Same for flowbits:noalert and
friends.
In signature ordering rules w/o action are sorted as if they have 'alert',
which is the same behavior as before, but now implemented explicitly.
Ticket: #5466.
(cherry picked from commit 92581dbc06)
DETECT_FLOWBITS_CMD_NOALERT is misleading as it gives an impression that
noalert is a flowbit specific command that'll be used and dealt with at
some point but as soon as noalert is found in the rule lang, signature
flag for noalert is set and control is returned. It never gets added to
cmd of the flowbits object.
(cherry picked from commit 75471dd69b)
When a Tracker is set up for an IPID, frags come in for it and it's
reassembled and complete, the `DefragTracker::remove` flag is set. This
is meant to tell the hash cleanup code to recycle the tracker and to let
the lookup code skip the tracker during lookup.
A logic error led to the following scenario:
1. there are sufficient frag trackers to make sure the hash table is
filled with trackers
2. frags for a Packet with IPID X are processed correctly (X1)
3. frags for a new Packet that also has IPID X come in quickly after the
first (X2).
4. during the lookup, the frag for X2 hashes to a hash row that holds
more than one tracker
5. as the trackers in hash row are evaluated, it finds the tracker for
X1, but since the `remove` bit is not checked, it is returned as the
tracker for X2.
6. reassembly fails, as the tracker is already complete
The logic error is that only for the first tracker in a row the `remove`
bit was checked, leading to reuse of a closed tracker if there were more
trackers in the hash row.
Ticket: #7042.
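The row-lookup defect described in this commit, as an added example that is not Suricata's code: a minimal model of a defrag hash row with the buggy lookup (only the row head tested for `remove`) beside the corrected one. The type and function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of a defrag tracker in a hash row (not Suricata's struct). */
typedef struct Tracker {
    uint16_t ipid;          /* IP identification this tracker reassembles */
    int remove;             /* set once reassembly is complete; must be skipped on lookup */
    struct Tracker *next;   /* next tracker in the same hash row */
} Tracker;

/* Buggy lookup: the `remove` bit is only tested on the row head, so a
 * closed tracker further down the row is returned for a new packet. */
Tracker *lookup_buggy(Tracker *row, uint16_t ipid) {
    if (row == NULL) return NULL;
    if (row->ipid == ipid && !row->remove) return row;  /* head: checked */
    for (Tracker *t = row->next; t != NULL; t = t->next) {
        if (t->ipid == ipid) return t;                  /* rest: `remove` ignored */
    }
    return NULL;
}

/* Fixed lookup: every tracker in the row must match AND not be closed. */
Tracker *lookup_fixed(Tracker *row, uint16_t ipid) {
    for (Tracker *t = row; t != NULL; t = t->next) {
        if (t->ipid == ipid && !t->remove) return t;
    }
    return NULL;
}

/* Constructed scenario from the commit: an unrelated tracker is the row head,
 * the completed tracker for IPID X (X1) sits behind it, and a new packet with
 * the same IPID (X2) is looked up. Returns 1 if X1 is wrongly reused. */
int reuses_closed_tracker(Tracker *(*lookup)(Tracker *, uint16_t)) {
    Tracker x1 = { .ipid = 0x1234, .remove = 1, .next = NULL };
    Tracker other = { .ipid = 0x0042, .remove = 0, .next = &x1 };
    Tracker *found = lookup(&other, 0x1234);
    return found == &x1;
}
```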
New warning from rustc.
The other option is to allow dead code, however this is more explicit,
and when they are read, it's obvious they should be renamed.
Addresses this warning from the Rust compiler:
warning: `../rust/.cargo/config` is deprecated in favor of `config.toml`
note: if you need to support cargo 1.38 or earlier, you can symlink `config` to `config.toml`
(cherry picked from commit 8560564657)