Phil Young [Thu, 12 Nov 2020 18:19:12 +0000 (13:19 -0500)]
napatech: Removed restriction on use of inline mode
Removed the unnecessary restriction on the use of inline mode only when
bypass is enabled. Now, Inline can be used independent of bypass
functionality.
Phil Young [Wed, 11 Nov 2020 19:21:39 +0000 (14:21 -0500)]
napatech: Fix potential double release of packet
This addresses redmine issue #4018. There was the potential for a packet
buffer to be released twice in response to an error condition. This
addresses this by only calling NT_NetRxRelease() when the p->ReleasePacket
is called.
We must make sure not to access the flow storage (e.g. keeping a
MacSet) before making sure we have a flow to begin with. We can,
for example, run into an alert without a flow with `ip` rules,
in which case the flow might be NULL. See Redmine issue #4109.
Jeff Lucovsky [Sun, 8 Nov 2020 15:06:19 +0000 (10:06 -0500)]
detect/file-data: Improved support for shared bufs
This commit improves support for shared buffer usage, i.e., when
multiple rules share the file data (http) buffer and apply different
combinations of transforms and fast_patterns (or none).
Victor Julien [Thu, 29 Oct 2020 07:02:50 +0000 (08:02 +0100)]
github-ci: add windows build with suricata-verify
Initial attempt with a few hacks:
- npcap dlls are extracted from the installer and placed in cwd
- cbindgen is installed system wide despite a preinstalled copy
This does not yet hook into the "prep" build from build.yaml or
support using custom support PRs/branches (SV, SU).
Victor Julien [Fri, 23 Oct 2020 05:45:50 +0000 (07:45 +0200)]
dcerpc/tcp: fix compile warning
warning: variable does not need to be mutable
--> src/dcerpc/dcerpc.rs:1036:42
|
1036 | let tx = if let Some(mut tx) = self.get_tx_by_call_id(current_call_id, core::STREAM_TOCLIENT) {
| ----^^
| |
| help: remove this `mut`
|
= note: `#[warn(unused_mut)]` on by default
warning: variable does not need to be mutable
--> src/dcerpc/dcerpc.rs:1061:30
|
1061 | Some(mut tx) => {
| ----^^
| |
| help: remove this `mut`
Angelo Mirabella [Tue, 26 May 2020 17:00:06 +0000 (18:00 +0100)]
detect/magic: fix crash on rule reloading
This changeset fixes a bug causing a segmentation fault.
When rules are reloaded and a rule using libmagic matches, suricata
crashes due to an improper reinitialization of the thread contexts.
Angelo Mirabella [Wed, 11 Mar 2020 15:11:19 +0000 (15:11 +0000)]
unix-socket: fix alert metadata logging
This changeset fixes a bug that was preventing suricata from dumping
alert metadata info when running in unix-socket mode.
When running in unix-socket mode, suricata was skipping the
initialization of the output modules and, as a consequence,
the metadata output module was never invoked.
The headers table from client to server
and the one from server to client
may have different maximum sizes
(even if both endpoints have to keep both tables)
Philippe Antoine [Tue, 14 Apr 2020 08:30:33 +0000 (10:30 +0200)]
smb: adds file overlap event against evasions
Evasion scenario is
- a first dummy write of one byte at offset 0 is done
- the second full write of EICAR at offset 0 is then done
and does not trigger detection
The last write had the final value, and as we cannot "cancel"
the previous write, we set an event which is then transformed into
an app-layer decoder alert
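The detection side of the scenario above, as an added illustration that is not Suricata's own file tracker: a minimal per-file write tracker that keeps the byte ranges already written and queues an overlap event when a later write touches any of them. The `FileTracker`, `WriteRange` and `FileEvent` names and the "full payload" bytes are constructed for this example.

```rust
/// Byte range [start, end) of one write observed on a tracked file.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct WriteRange {
    pub start: u64,
    pub end: u64,
}

/// Events the tracker can raise; only the overlap case is modelled here.
#[derive(Debug, PartialEq)]
pub enum FileEvent {
    /// A write touched bytes that an earlier write had already filled.
    FileOverlap { offset: u64, len: u64 },
}

/// Minimal per-file write tracker (illustrative, not Suricata's implementation).
#[derive(Default)]
pub struct FileTracker {
    seen: Vec<WriteRange>,
    pub events: Vec<FileEvent>,
}

impl FileTracker {
    pub fn new() -> Self {
        Self::default()
    }

    /// Record a write of `data.len()` bytes at `offset`. Returns true when the
    /// write overlaps an earlier one; an event is queued so the engine can turn
    /// it into a decoder alert instead of silently keeping the last value written
    /// (the earlier write cannot be "cancelled").
    pub fn write(&mut self, offset: u64, data: &[u8]) -> bool {
        let range = WriteRange { start: offset, end: offset + data.len() as u64 };
        // Half-open intervals overlap iff each starts before the other ends.
        let overlaps = self.seen.iter().any(|r| r.start < range.end && range.start < r.end);
        if overlaps {
            self.events.push(FileEvent::FileOverlap { offset, len: data.len() as u64 });
        }
        self.seen.push(range);
        overlaps
    }
}

/// Replays the scenario from the commit message with constructed payloads:
/// a one-byte dummy write at offset 0, then a larger write at offset 0.
pub fn replay_overlap_scenario() -> Vec<FileEvent> {
    let mut tracker = FileTracker::new();
    tracker.write(0, b"X"); // dummy one-byte write (constructed)
    tracker.write(0, b"full payload"); // second write re-covers offset 0 (constructed)
    tracker.events
}

fn main() {
    for event in replay_overlap_scenario() {
        println!("{:?}", event);
    }
}
```

Adjacent writes (one ending exactly where the next begins) are not flagged; only a genuine re-write of already-filled bytes raises the event.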
Jeff Lucovsky [Tue, 8 Sep 2020 13:38:13 +0000 (09:38 -0400)]
detect/transform: Validator for compress-ws
This commit adds a buffer validator for compress whitespace. Buffers
containing two or more consecutive whitespace characters are invalid
with this transform.
Jeff Lucovsky [Fri, 25 Sep 2020 11:47:53 +0000 (07:47 -0400)]
log/eve: Threaded filename change: eve.N.json
This commit changes the name of the file used with threaded eve logging
to better support log rotation.
Instead of using "eve.json.N" and creating potential issues with log
rotation (which also uses a ".N" suffix), the eve logs will be named
"eve.N.json" when threaded.
Jeff Lucovsky [Sat, 19 Sep 2020 12:47:56 +0000 (08:47 -0400)]
detect/rules: Increase array size to remove SEGV
This commit changes the size of reporting variables to be dynamic based
on the buffer ids in use instead of a fixed value to address a SEGV when
the fixed value was less than the max buffer/type id in use.
Philippe Antoine [Fri, 18 Sep 2020 12:44:40 +0000 (14:44 +0200)]
protodetect: rerun probing parser if pattern matched
If a pattern matches in the other direction, after
probing parser finished without finding a protocol,
we will rerun the probing parser, which will include
the protocol newly found by its pattern.
This patch addresses issues discovered by redmine ticket 3896. With the
approach of finding latest record, there was a chance that no record was
found at all and consumed + needed became input length.
There exists no |05 00| identifier in the rest of the record. After
having parsed |05 00|, there was a search for another record with the
leftover data. Current data length at this point would be 997. Since the
identifier was not found in the data, we calculate the consumed bytes at
this point i.e. consumed = current_data.len() - 1 which would be 996.
Needed bytes still stay at a constant of 2. So, consumed + needed = 996
+ 2 = 998 which is less than initial input length of 1000 and hence
the assertion fails.
There could be two fixes to this problem.
1. Finding the latest record but making use of the last found record in
case no new record was found.
2. Always use the earliest record.
This patch takes the approach (2). It also makes sure that the gap and
current direction are the same.
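To make the consumed/needed arithmetic above concrete, here is an added example (not Suricata's dcerpc parser, old or new) using a toy framing: a |05 00| identifier, one length byte and that many payload bytes. `scan_earliest` walks forward from offset 0 as approach (2) does and always reports `consumed` as an offset into the whole chunk, while `leftover_relative_incomplete` reproduces the bookkeeping the message describes for the no-record-found case (consumed = leftover length - 1, needed = 2). The chunk is constructed to match the message's numbers: a 3-byte record followed by 997 bytes containing no identifier, 1000 bytes in total. All names and the framing are assumptions for this illustration.

```rust
/// Toy record framing for this illustration (not DCERPC's real 16-byte header):
/// [0x05, 0x00] identifier, one length byte, then `length` payload bytes.
const IDENT: [u8; 2] = [0x05, 0x00];

/// Result of feeding one chunk of stream data to the scanner.
#[derive(Debug, PartialEq)]
pub enum ScanResult {
    /// Every byte of the chunk belonged to complete records.
    Done { records: usize },
    /// Chunk ends before a record is complete: `consumed` bytes are done,
    /// call again once `needed` more bytes are available.
    Incomplete { records: usize, consumed: usize, needed: usize },
}

/// The invariant the commit message describes: on an incomplete result,
/// consumed + needed must not be less than the length of the input chunk.
pub fn incomplete_invariant_holds(consumed: usize, needed: usize, input_len: usize) -> bool {
    consumed + needed >= input_len
}

/// Offset of the first identifier in `data`, if any.
fn find_earliest_ident(data: &[u8]) -> Option<usize> {
    data.windows(2).position(|w| w == IDENT)
}

/// Earliest-record scanner: accept each complete record in order and express
/// `consumed` as an offset into the whole chunk, never into the leftover.
pub fn scan_earliest(input: &[u8]) -> ScanResult {
    let mut offset = 0;
    let mut records = 0;
    while offset < input.len() {
        let rest = &input[offset..];
        match find_earliest_ident(rest) {
            None => {
                // No identifier in the remaining bytes: keep the final byte in
                // case it is the first half of a split identifier.
                return ScanResult::Incomplete { records, consumed: input.len() - 1, needed: 2 };
            }
            Some(pos) => {
                let start = offset + pos;
                let header_end = start + 3;
                if input.len() < header_end {
                    // Identifier seen but the length byte is still missing.
                    return ScanResult::Incomplete { records, consumed: start, needed: 3 };
                }
                let body_len = input[start + 2] as usize;
                let record_end = header_end + body_len;
                if input.len() < record_end {
                    // Partial record: ask for the whole record from its start.
                    return ScanResult::Incomplete { records, consumed: start, needed: 3 + body_len };
                }
                records += 1;
                offset = record_end;
            }
        }
    }
    ScanResult::Done { records }
}

/// The bookkeeping the message reports for the failing case: after the first
/// record, the search over the leftover found nothing and `consumed` was
/// computed relative to the leftover (len - 1) with `needed` fixed at 2.
pub fn leftover_relative_incomplete(leftover_len: usize) -> (usize, usize) {
    (leftover_len - 1, 2)
}

/// Constructed 1000-byte chunk: one zero-length record (3 bytes) followed by
/// 997 filler bytes (0x41) that contain no identifier.
pub fn constructed_chunk() -> Vec<u8> {
    let mut chunk = vec![0x05, 0x00, 0x00];
    chunk.extend(std::iter::repeat(0x41u8).take(997));
    chunk
}

fn main() {
    let chunk = constructed_chunk();
    let (consumed, needed) = leftover_relative_incomplete(chunk.len() - 3);
    println!(
        "leftover-relative: consumed={} needed={} invariant={}",
        consumed, needed, incomplete_invariant_holds(consumed, needed, chunk.len())
    );
    println!("earliest-record: {:?}", scan_earliest(&chunk));
}
```

With the constructed chunk the leftover-relative figures come out as 996 + 2 = 998 < 1000, while the earliest-record scan reports consumed 999, needed 2, so the stream engine is always asked for at least as many bytes as it already handed over.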
Victor Julien [Sat, 19 Sep 2020 18:44:40 +0000 (20:44 +0200)]
dcerpc/tcp: implement trunc logic
When one side of the connection reaches the STREAM_DEPTH condition the
parser should be aware of this. Otherwise transactions will forever be
waiting for data in that direction.