Although the `prune-flows` option was removed with a5587fec2eb,
when documentation for the suricata.yaml config file was added with b252b0d, this option was also included - as has remained until now.
Jeff Lucovsky [Mon, 10 Jun 2024 20:04:38 +0000 (16:04 -0400)]
config: Update reference keys
Issue: 4974
1. Use https instead of http everywhere
2. Organize and annotate references by
- Referenced by ET/Open and ET/Pro
- URL resolves and works as intended (to provide supplemental
information regarding a reference value, e.g., bug id, cve
value)
- URL no longer resolves
- URL resolves but doesn't work as intended (to provide
supplemental information)
- Not referenced by ET/Open nor ET/Pro
- URL resolves and works as intended (to provide supplemental
information regarding a reference value, e.g., bug id, cve
value)
- URL no longer resolves
- URL resolves but doesn't work as intended (to provide
supplemental information)
DCERPC/TCP tends to return the same values for invalid and incomplete
headers. As a result of this, invalid headers and any traffic following
it is buffered and processed later on assumed to be valid DCERPC traffic.
Fix this by clearly defining error and incomplete data and taking
appropriate actions.
warning: first doc comment paragraph is too long
--> src/detect/iprep.rs:57:1
|
57 | / /// value matching is done use `DetectUintData` logic.
58 | | /// isset matching is done using special `DetectUintData` value ">= 0"
59 | | /// isnotset matching bypasses `DetectUintData` and is handled directly
60 | | /// in the match function (in C).
| |_
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#too_long_first_doc_paragraph
= note: `#[warn(clippy::too_long_first_doc_paragraph)]` on by default
help: add an empty line
warning: you seem to be trying to use `match` for destructuring a single pattern. Consider using `if let`
--> src/dcerpc/log.rs:36:33
|
36 | DCERPC_TYPE_BIND => match &state.bind {
| _________________________________^
37 | | Some(bind) => {
38 | | jsb.open_array("interfaces")?;
39 | | for uuid in &bind.uuid_list {
... |
51 | | None => {}
52 | | },
| |_____________^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#single_match
= note: `#[warn(clippy::single_match)]` on by default
Philippe Antoine [Wed, 14 Aug 2024 14:17:36 +0000 (16:17 +0200)]
frames: do not rely on FRAME_STREAM_ID
As it is not always the first frame to be created :
if it is not enabled, it does not get created, and other enabled
frames may be created first. see use of FrameConfigTypeIsEnabled
This resulted that this other frame got its length updated
on stream end, which led to false positives.
Resorting on FRAME_STREAM_TYPE is more consistent.
Victor Julien [Wed, 31 Jul 2024 11:58:29 +0000 (13:58 +0200)]
dcerpc: don't reuse completed tx
In the DCERPC over TCP pcap, logging and rule matching is disrupted by adding a simple rule:
alert tcp any any -> any any (flow:to_server,established; \
dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; \
dce_stub_data; content:"|42 77 4E 6F 64 65 49 50 2E 65 78 65 20|"; \
content:!"|00|"; within:100; distance:97; sid:1; rev:1; )
Works: alert + 3 dcerpc records.
But when adding a trivial rule:
alert tcp any any -> any any (flow:to_server,established; \
dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; \
dce_stub_data; content:"|42 77 4E 6F 64 65 49 50 2E 65 78 65 20|"; \
content:!"|00|"; within:100; distance:97; sid:1; rev:1; )
alert tcp any any -> any any (dsize:3; sid:2; rev:1; )
The alert for sid:1 disappears and also there is one dcerpc event less.
In the single rule case we can aggressively free the transactions, as there
is only an sgh in the toserver direction.
This means that when we encounter the 2nd REQUEST, the first 2 transactions
have already been processed and freed. So for the 2nd REQUEST we open a new
TX and run inspection and logging on it.
When the 2nd rule is added, it adds toclient sgh as well. This means that we
will now slightly delay the freeing of the transactions.
As a consequence we still have the TX for the first REQUEST when the 2nd REQUEST
is parsed. This leads to the 2nd REQUEST re-using the TX. Since the TX is
already marked as inspected, it means the toserver rule now no longer matches.
Also we're not logging this TX correctly now.
This commit fixes the issue by not "finding" a TX that as already been
marked complete in the search direction.
Victor Julien [Fri, 6 Sep 2024 11:14:48 +0000 (13:14 +0200)]
detect/app-layer-proto: don't run detection on ALPROTO_UNKNOWN
The `app-layer-protocol` keyword inconsistently checks whether the
alproto is ALPROTO_UNKNOWN. In the regular match function it isn't
checked, in the prefilter function its checked for all but the "either"
mode.
This leads to false positives for negated matching, as an expression
like "!tls" will match if checked against ALPROTO_UNKNOWN.
This patch adds the checking everywhere. The keyword returns no match as
long as the alproto is ALPROTO_UNKNOWN.
Shivani Bhardwaj [Thu, 29 Aug 2024 08:08:57 +0000 (13:38 +0530)]
rust/base64: upgrade crate to latest
base64 crate is updated to the latest version 0.22.1. This came with
several API changes which are applied to the code. The old calls have
been replaced with the newer calls.
This was done following the availability of better fns to directly
decode into slices/vectors as needed and also that previous version was
too old.
Along with this change, update the Cargo.lock.in to reflect all changes
in the package versions.
Jason Ish [Thu, 29 Aug 2024 20:35:50 +0000 (14:35 -0600)]
log-tlslog: remove ThreadExitPrintStats callback
Remove the ThreadExitPrintStats callback, this is the only logger that
was actually using it, and this logger is marked for deprecation. This
allows us to remove the callback from the registration signature.
Jason Ish [Thu, 29 Aug 2024 20:33:42 +0000 (14:33 -0600)]
tlsstore: remove ThreadExitPrintStats callback
Remove the callback to print stats on thread exit. The counter value
was never being used and this helps us get rid of this callback
altogether as their is only one other usage of it.
Jason Ish [Wed, 28 Aug 2024 23:17:50 +0000 (17:17 -0600)]
output-tx: use void * instead of OutputCtx
Using OutputCtx results in the low level output-tx packet logger being
aware of Suricata's higher level loggers that use OutputCtx, for the
low level logger this is purely opaque data that may not be an
OutputCtx for custom loggers.
Jason Ish [Wed, 28 Aug 2024 14:55:35 +0000 (08:55 -0600)]
profiling: create a LOGGER_USER id
Loggers need an ID uniquely identify them for profiling. To help with
loggers registered at runtime (library, plugins), provide a
LOGGER_USER that can be used. It won't provide per-logger details if
they have more than one, but will provide a total for all their
registered loggers.
Jason Ish [Mon, 26 Aug 2024 22:02:05 +0000 (16:02 -0600)]
pgsql: don't expose PgsqlTransactionState to C
PgsqlTransactionState has a variant named "Init" which is a little too
generic to export to C. Fortunately this method doesn't need to be
exposed to C, instead remove it as it was only called by
rs_pgsql_tx_get_alstate_progress which also doesn't need to be public
or expose to C.
Jason Ish [Mon, 26 Aug 2024 21:54:53 +0000 (15:54 -0600)]
output-packet: use void * instead of OutputCtx * for initdata
The use of OutputCtx as the data type for initdata was leaking Eve
submodule logic into the low level packet logger. Instead use void *,
as the packet logging module is not concerned with the type of data
here.
Jason Ish [Fri, 15 Sep 2023 20:49:11 +0000 (14:49 -0600)]
output-flow.h: include flow.h and decode.h
A library/plugin user wanting to register a custom flow logger must
include "output-flow.h", however that depends on some other includes.
One train of thought with respect to include files in libraries, is
that they should include all their dependencies on behalf of the
user. To make a custom flow logger just a little easier, include
"flow.h" and "decode.h".
Jason Ish [Mon, 26 Aug 2024 21:45:07 +0000 (15:45 -0600)]
output-flow: use void * instead of OutputCtx * for initdata
The use of OutputCtx as the data type for initdata was leaking Eve
submodule logic into the low level flow logger. Instead use void *, as
the flow logging module is not concerned with the type of data here.
Jason Ish [Mon, 26 Aug 2024 21:37:42 +0000 (15:37 -0600)]
output-flow: remove unused initdata argument
The initdata argument to OutputFlowThreadInit was always NULL, remove
it. Internally the ThreadInit functions still get initdata, but this
is the data provided when that logging instance was registered.
Sascha Steinbiss [Wed, 14 Aug 2024 08:11:48 +0000 (10:11 +0200)]
userguide: fix spelling of `security_result` EVE field
This ensures that the correct spelling of the `security_result` EVE
field for RFB (as opposed to `security-result`) is also reflected in the
documentation.
Eric Leblond [Fri, 19 Apr 2024 15:07:48 +0000 (17:07 +0200)]
datasets: fix parsing of ip4 in ip6
The lookup function was not taking into account that we can have
an IPv4 or an IPv6 address as parameters and that this addresses
need to be converted to Suricata internal storage.
By using the already defined dedicated parsing function, we are
fixing the issue.
Giuseppe Longo [Tue, 6 Aug 2024 18:39:46 +0000 (20:39 +0200)]
rust/ldap: handle GAPs
Following the same logic as for PGSQL, if there is a gap in an LDAP request or
response, the parser tries to sync up again by checking if the message can be
parsed and effectively parses it on the next call.
Giuseppe Longo [Thu, 18 Jul 2024 14:00:59 +0000 (16:00 +0200)]
rust/ldap: enable parser for udp
This introduces a new parser registration function for LDAP/UDP, and update
ldap configuration in order to be able to enable/disable a single parser
independently (such as dns).
Also, GAPs are accepted only for TCP parser and not for UDP.
While not incorrect, the previous wording made the sentence almost
paradoxical. While at it, also highlight a side effect that might not be
so clear to users.
Philippe Antoine [Wed, 31 Jul 2024 12:10:17 +0000 (14:10 +0200)]
rust: fix byte_char_slices clippy warnings
warning: can be more succinctly written as a byte str
--> src/mime/smtp.rs:762:37
|
762 | mime_smtp_find_url_strings(ctx, &[b'\n']);
| ^^^^^^^^ help: try: `b"\n"`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#byte_char_slices
= note: `#[warn(clippy::byte_char_slices)]` on by default
projects / thirdparty / suricata.git / log
