Shivani Bhardwaj [Thu, 28 Aug 2025 02:36:44 +0000 (08:06 +0530)]
stream: remove incorrect defensive check
As a part of the commit d096b98 a defensive check was added stating that
the stream must have EOF flag set if it is in TCP_CLOSING state or
above. However, this led to a false positive reported by oss-fuzz whose
analysis showed that this does not hold true for TCP_CLOSING state. It
does hold true only for TCP_CLOSED or if packet has PKT_PSEUDO_STREAM_END
set.
TCP_CLOSING state correspond to an established flow hence the correct
course of action is to remove the assertion.
Bug 7636
Co-authored-by: Philippe Antoine <pantoine@oisf.net>
Charlie Vigue [Tue, 22 Jul 2025 08:55:45 +0000 (08:55 +0000)]
util: Fix a hash table collision bug
In util-hash.c there was some behavior that is unexpected and likely
incorrect. To see this behavior, create a hash table 32 entries wide
and use the default hash function. Then add a short string “abc”,
observe the string is stored properly. Now remove a string “iln”, and
observe string “abc” is no longer in the table.
This is because the hash function is not properly handling collisions in
some edge cases.
Includes new unit test:
- UT verifies that the hash function generates a collision for
the selected test data. This must be true for the bug to be present.
Then UT demonstrates the bug by adding two items to the hash table
that collide, and then removing one of them 2x. The bug is that the
other value is removed as well.
Jeff Lucovsky [Sun, 17 Aug 2025 14:23:44 +0000 (10:23 -0400)]
detect/from_base64: Support keyword w/no opts
Issue: 7853
Support the use of `from_base64` with no optional values. In this case,
the default values for:
- mode RFC4648
- offset: 0
- bytes: buffer size
will be used.
Jason Ish [Thu, 7 Aug 2025 15:21:31 +0000 (09:21 -0600)]
rust: fix mismatched_lifetime_syntaxes warning
Fix new warning present in Rust 1.89.
warning: hiding a lifetime that's elided elsewhere is confusing
--> src/ldap/types.rs:191:30
= help: the same lifetime is referred to in inconsistent ways, making the signature confusing
= note: `#[warn(mismatched_lifetime_syntaxes)]` on by default
help: use `'_` for type paths
engine/analyzer: write rule failure report to correct file
The failure report was always just written to rules_fast_pattern.txt. In
case that setting is disabled or there's nothing fast-pattern related,
the report should be written to the usual rules_analysis.txt.
engine/analyzer: check if file pointer exists before writing
de_ctx->ea->fp_engine_analysis_fp is only initialized if
engine-analysis.rules-fast-pattern is enabled in the configuration. If
this config param is missing, this leads to segfault.
Remove unused rule prefilter-related stats counters that aren't in use.
94644ac9604c (detect: move non-pf rules into special prefilter engines)
removed the logic that made use of and incremented the stats counters:
- det_ctx->counter_fnonmpm_list
- det_ctx->counter_nonmpm_list
Some code was left, registering them, and mentioning them in the
json schema.
- cleanup usage and documentation around needs
- mentiond that rule hooks are used instead of "needs" keywords with
link with rule hooks (which is still in the firewall-design doc)
Jason Ish [Tue, 29 Jul 2025 14:28:21 +0000 (08:28 -0600)]
github-ci: add almalinux 10 build
Based on the current AlmaLinux 9 build, with plugin tests, etc.
Remove cppclean as its not installed and was previously disabled with
commit 2d308c000d58dbf5323599fc7f1694e14f1f375b.
hyperscan: prevent LTO opmitizing out hash calculation
Since cached_hash was updated through reference (hash), it seems
LTO did not notice this and optimized the whole code block, returning
zero.
This in turn caused all caches to have the same name and to overwrite.
On subsequent runs, only the last cache was loaded for all SGHs
causing wrong MPM assignment.
Jason Ish [Tue, 22 Jul 2025 14:29:08 +0000 (08:29 -0600)]
github-ci: add flto build
Ubuntu and Fedora packing system build with -flto=auto by default, so
update one test to use -flto=auto. Also build with -O2 as that
combination can cause issues such as
https://redmine.openinfosecfoundation.org/issues/7824.
Philippe Antoine [Tue, 15 Apr 2025 10:34:37 +0000 (12:34 +0200)]
http2: forbid data on stream 0
Ticket: 7658
Suricata will not handle well if we open a file for this tx,
do not close it, but set the transaction state to completed.
RFC 9113 section 6.1 states:
If a DATA frame is received whose Stream Identifier field is 0x00,
the recipient MUST respond with a connection error (Section 5.4.1)
of type PROTOCOL_ERROR.
Jason Ish [Mon, 30 Jun 2025 21:55:21 +0000 (15:55 -0600)]
lib: opt-in signal handlers
Instead of enabling signal handlers by default, require the user of
the library to opt-in. This is done with the call to
SCEnableDefaultSignalHandlers, which sets a flag to add the default
signal handlers.
This seems like the least invasive way to do this at this time, but it
will require some re-thinking for 9.0, especially if migrate globals
to engine instances, signal handling will need to be re-thought.
Configuration option `threads: auto` in DPDK's interface node
overassigns available threads to the interface.
Commit 4dfd44d3 changed the signedness of the remaining threads counter,
which caused surpass of the counter initialization.
The if-clause is switched to first initialize and then use the counter.
Jason Ish [Mon, 30 Jun 2025 14:56:55 +0000 (08:56 -0600)]
rust/htp: follow suricata versioning
Have htp follow Suricata versioning so we don't have to worry about
version updates as it changes.
For example, between 8.0.0-beta1 and 8.0.0-rc1 there were changes to
the htp, however the version stayed at 2.0.0 making it impossible to
publish these changes to crates.io.
Boris Tonofa [Mon, 30 Jun 2025 13:39:47 +0000 (16:39 +0300)]
detect-bytetest: remove meaningless NULL check on data_offset
The condition data_offset == NULL can never be true: data_offset has
already been validated as non-NULL a few lines earlier. The guard seems
to have been intended for the offset argument, yet throughout the
codebase offset is never passed as NULL. (In the unit tests, offset is
NULL, but those tests pass the value parameter as NULL, which causes the
function to return before offset is dereferenced.)
Remove the pointless check to simplify control flow and silence
static-analysis warnings.
Shivani Bhardwaj [Mon, 30 Jun 2025 10:24:35 +0000 (15:54 +0530)]
smtp: trigger raw stream inspection
Internals
---------
Suricata's stream engine returns data for inspection to the detection
engine from the stream when the chunk size is reached.
Bug
---
Inspection triggered only in the specified chunk sizes may be too late
when it comes to inspection of smaller protocol specific data which
could result in delayed inspection, incorrect data logged with a transaction
and logs misindicating the pkt that triggered an alert.
Fix
---
Fix this by making an explicit call from all respective applayer parsers to
trigger raw stream inspection which shall make the data available for inspection
in the following call of the stream engine. This needs to happen per direction
on the completion of an entity like a request or a response.
Important notes
---------------
1. The above mentioned behavior with and without this patch is
affected internally by the following conditions.
- inspection depth
- stream depth
In these special cases, the inspection window will be affected and
Suricata may not consider all the data that could be expected to be
inspected.
2. This only applies to applayer protocols running over TCP.
3. The inspection window is only considered up to the ACK'd data.
4. This entire issue is about IDS mode only.
SMTP parser can handle multiple command lines per direction. Appropriate calls
to trigger raw stream inspection have been added on succesful parsing of each
request line and response line.
For the requests, the call to trigger inspection has been added in the
beginning rather than the completion of transactions. This does not
affect the inspection as it is actually triggered in the following call.
This covers the case for anomaly as well. There are two benefits for
this:
- immediate inspection for anomalous data
- flushing of the anomalous data making next data's inspection cleaner
to build the correct behavior. As a part of ab01a1b, in order to match
the behavior in master, the calls for triggering raw stream inspection
were made when communication in one direction for a transaction was
completed. However, it was incorrect to do so. Reliable inspection
requires any request line/response line to be completed.
Fupeng Zhao [Thu, 19 Jun 2025 06:03:50 +0000 (14:03 +0800)]
util/coredump: refactor parsing and respect zero core dump limit
- Replaced strtoul/strtoull with ByteExtractString* for safer and more consistent parsing.
- Allowed max-dump to be set to 0, and correctly apply a core dump limit of 0, maintaining behavior consistent with the commented default in suricata.yaml.in.
- Added and registered unit tests to validate the updated logic.
Lukas Sismis [Wed, 25 Jun 2025 09:18:56 +0000 (11:18 +0200)]
affinity: initialize CPU sets with online CPUs only
When no CPU set is explicitly defined, switch from
UtilCpuGetNumProcessorsConfigured() (which counts all existing CPU
cores, even offline ones) to UtilCpuGetNumProcessorsOnline() (only
the available cores).
If Suricata initializes more threads than online CPUs it oversubscribes
the system. As Suricata does not support any runtime live reconfiguration
Suricata initializes only as many cores as online CPU cores.
projects / thirdparty / suricata.git / log
