Victor Julien [Thu, 23 Jan 2025 15:07:08 +0000 (16:07 +0100)]
detect/iponly: use flow first flags
Instead of ip-only specific flags, reuse the FLOW_PKT_TOSERVER_FIRST and
FLOW_PKT_TOCLIENT_FIRST flags.
Fixes false positives on one sided streams that trigger an opposing flow
timeout packet at the flow's end. That pseudo packet would trigger a
match even though it shouldn't.
Eric Leblond [Fri, 29 Nov 2024 17:46:11 +0000 (18:46 +0100)]
util/debug: increase max length of message
When a signature is incorrect, its full content is logged in a
message with some other information such as rules file name. As
a result, the log message must be longer than a maximum signature
length which is 8192.
Cole Dishington [Tue, 8 Aug 2023 19:47:12 +0000 (07:47 +1200)]
flow: optionally use pkt recursion for hash
If a Suricata inline IPS device is routing traffic over a
non-encrypted tunnel, like IPv6 tunnels, packets in a flow
will be dropped and not be matched, e.g.
The following example is a Suricata inline IPS with an IPv6 tunnel:
```
request: IPv4]ICMP] -> |IPS| -> IPv6]IPv4]ICMP]
reply:              <- |IPS| <- IPv6]IPv4]ICMP]
```
Both the IPv4 request and IPv6 reply will be seen by Suricata on
ingress. The flows will not be matched due to flow recursion level.
Optionally use pkt recursion level in flow hash. Excluding recursion
level in flow hash allows matching of packet flows and defrag on an
inline IPS Suricata scenario where the IPS device is a tunnel
terminator.
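The mismatch described above can be reproduced with a small model of the flow hash key. This is an added example and not Suricata's flow code: the `FlowKey` layout, the FNV-1a hash and the normalization step are assumptions made for the illustration, and the addresses are constructed. It hashes the ICMP request (outer IPv4 packet, recursion level 0) and the tunnelled reply (inner IPv4 header, recursion level 1) once with the recursion level in the key and once without.

```c
/* Added example, not Suricata's code: a toy model of the flow hash key
 * with and without the packet recursion level. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flow key: IPv4 5-tuple plus the packet's tunnel depth. */
typedef struct {
    uint32_t src, dst;       /* IPv4 addresses, host byte order */
    uint16_t sp, dp;         /* ports (0 for ICMP) */
    uint8_t proto;
    uint8_t recursion_level; /* 0 = outer packet, 1 = one tunnel layer deep, ... */
} FlowKey;

/* Put the key into a direction-independent form so that request and reply
 * land on the same bucket: lower (address, port) pair first. */
static FlowKey flow_key_normalize(const FlowKey *k)
{
    FlowKey n = *k;
    if (k->src > k->dst || (k->src == k->dst && k->sp > k->dp)) {
        n.src = k->dst; n.dst = k->src;
        n.sp = k->dp;   n.dp = k->sp;
    }
    return n;
}

/* FNV-1a over the serialized key. include_recursion selects whether the
 * recursion level is part of the hash (the pre-patch behaviour) or not. */
static uint32_t flow_hash(const FlowKey *k, bool include_recursion)
{
    FlowKey n = flow_key_normalize(k);
    uint8_t buf[14];
    size_t len = 0;
    memcpy(buf + len, &n.src, 4); len += 4;
    memcpy(buf + len, &n.dst, 4); len += 4;
    memcpy(buf + len, &n.sp, 2);  len += 2;
    memcpy(buf + len, &n.dp, 2);  len += 2;
    buf[len++] = n.proto;
    if (include_recursion)
        buf[len++] = n.recursion_level;

    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* A lookup succeeds only when the hash matches and the key compares equal;
 * the recursion level only takes part in the comparison when it is hashed. */
static bool flow_lookup_matches(const FlowKey *existing, const FlowKey *pkt,
                                bool include_recursion)
{
    if (flow_hash(existing, include_recursion) != flow_hash(pkt, include_recursion))
        return false;
    FlowKey a = flow_key_normalize(existing), b = flow_key_normalize(pkt);
    bool same = a.src == b.src && a.dst == b.dst && a.sp == b.sp &&
                a.dp == b.dp && a.proto == b.proto;
    if (include_recursion)
        same = same && a.recursion_level == b.recursion_level;
    return same;
}

/* The scenario from the commit message: the ICMP request is seen as a plain
 * IPv4 packet (recursion 0) and the reply arrives inside an IPv6 tunnel, so
 * its inner IPv4 header sits at recursion level 1. Addresses are constructed. */
bool tunnel_reply_matches_request(bool include_recursion)
{
    const FlowKey request = { .src = 0x0a000001u /* 10.0.0.1 */,
                              .dst = 0xc0000201u /* 192.0.2.1 */,
                              .sp = 0, .dp = 0, .proto = 1 /* ICMP */,
                              .recursion_level = 0 };
    const FlowKey reply   = { .src = 0xc0000201u, .dst = 0x0a000001u,
                              .sp = 0, .dp = 0, .proto = 1,
                              .recursion_level = 1 };
    return flow_lookup_matches(&request, &reply, include_recursion);
}

int main(void)
{
    printf("recursion level in hash:  reply %s the request flow\n",
           tunnel_reply_matches_request(true) ? "matches" : "misses");
    printf("recursion level excluded: reply %s the request flow\n",
           tunnel_reply_matches_request(false) ? "matches" : "misses");
    return 0;
}
```

With the recursion level in the key the reply never finds the request's flow, so an inline IPS that terminates the tunnel drops it; leaving the level out lets both directions land on the same flow, which is what the optional setting enables.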
- debug visibility was reduced making it unusable from an external crate
- the plugins view of the log level was broken
To fix:
- make debug pub
- minor change to initialization of the log LEVEL as seen by the plugin
so it's seen by the plugin. I'm not really sure why the previous
version wasn't working, but this one does
Jason Ish [Wed, 22 Jan 2025 22:32:35 +0000 (16:32 -0600)]
lua: add "builtins" file to consolidate registration
Use a single array of built-ins and provide 2 functions for
registering them:
- SCLuaLoadBuiltIn: for loading built-in modules in sandboxed
environments.
- SCLuaRequirefBuiltIns: registers built-in modules with the standard
package tool, allows built-ins to be loaded by output scripts that are
not restricted
I hope to refactor the sandbox so they can use SCLuaRequirefBuiltIns
as well.
Philippe Antoine [Thu, 23 Jan 2025 12:31:05 +0000 (13:31 +0100)]
detect/base64: remove unused macro warning
when compiling without unit tests
detect-transform-base64.c:47:9: warning: macro is not used [-Wunused-macros]
47 | #define DETECT_TRANSFORM_FROM_BASE64_MODE_DEFAULT (uint8_t) Base64ModeRFC4648
Alice Akaki [Mon, 20 Jan 2025 18:16:26 +0000 (14:16 -0400)]
detect: add ldap.responses.count
ldap.responses.count matches on the number of LDAP responses
This keyword maps to the eve field len(ldap.responses[])
It is an unsigned 32-bit integer
Doesn't support prefiltering
Alice Akaki [Mon, 20 Jan 2025 18:12:02 +0000 (14:12 -0400)]
detect: add ldap.responses.operation
ldap.responses.operation matches on Lightweight Directory Access Protocol response operations
This keyword maps to the eve field ldap.responses[].operation
It is an unsigned 8-bit integer
Doesn't support prefiltering
Alice Akaki [Mon, 20 Jan 2025 18:06:03 +0000 (14:06 -0400)]
detect: add ldap.request.operation
ldap.request.operation matches on Lightweight Directory Access Protocol request operations
This keyword maps to the eve field ldap.request.operation
It is an unsigned 8-bit integer
Doesn't support prefiltering
Jason Ish [Mon, 20 Jan 2025 16:00:19 +0000 (10:00 -0600)]
dhcp: cleanup visibility and naming
- remove "rs_" prefix from functions that are not exported
- prefix exported functions with "SC"
- don't export functions that are only used by pointer
Jason Ish [Mon, 20 Jan 2025 15:46:09 +0000 (09:46 -0600)]
rust/applayer: clean visibility of export macros
Both the macros export_tx_data_get and export_state_data_get can
generate non-pub functions as the function they generate is only used
as a pointer during registration.
Remove "pub" and "no_mangle" from the generated functions and update
the names of the generated functions to follow Rust rules as they are
no longer exported into the global C namespace.
Jeff Lucovsky [Mon, 20 Jan 2025 14:35:01 +0000 (09:35 -0500)]
gen: Remove _AL_ usage in detect keywords
This commit removes the `_AL_` usage in detect keywords for improved
readability.
Some of the HTTP rule keywords already had counterparts without using
"_AL_". These rule keywords are the legacy content modifier keywords
that now have sticky buffer equivalents.
For these, "_AL_" was removed and a suffix was added to the #define:
src/detect-engine-register.h:151: DETECT_HTTP_COOKIE_CM
src/detect-engine-register.h:153: DETECT_HTTP_METHOD_CM
src/detect-engine-register.h:161: DETECT_HTTP_HEADER_CM
src/detect-engine-register.h:173: DETECT_HTTP_RAW_HEADER_CM
src/detect-engine-register.h:175: DETECT_HTTP_URI_CM
src/detect-engine-register.h:179: DETECT_HTTP_STAT_MSG_CM
src/detect-engine-register.h:181: DETECT_HTTP_STAT_CODE_CM
src/detect-engine-register.h:185: DETECT_HTTP_HOST_CM
Jason Ish [Fri, 10 Jan 2025 21:40:26 +0000 (15:40 -0600)]
lua/datasets: rework to be a "required" module
Re-work the Lua dataset lib to be required into a user script like:
local dataset = require("suricata.data")
The main difference from loading it into global space is providing a
custom require function (as we removed it in the sandbox) and load it on
demand, returning a table to the module.
Victor Julien [Thu, 11 Apr 2024 14:10:34 +0000 (16:10 +0200)]
detect/lua: add support for datasets
dataset.new
create a dataset object in lua
<dataset>:get
gets a reference to an existing dataset
<dataset>:add
returns 1 if a new entry was added
returns 0 if entry was already in the set
Example:
```
function init (args)
    local needs = {}
    needs["packet"] = tostring(true)
    return needs
end

function thread_init (args)
    -- create the dataset object and bind it to the existing "conn-seen" dataset
    conn_new = dataset.new()
    ret, err = conn_new:get("conn-seen")
    if err ~= nil then
        SCLogWarning("dataset warning: " .. err)
        return 0
    end
end

function match (args)
    ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    str = ipver .. ":<" .. srcip .. ">:<" .. dstip .. ">:" .. dp
    -- add returns 1 for a new entry, 0 if it was already in the set
    ret, err = conn_new:add(str, #str);
    if ret == 1 then
        SCLogInfo(str .. " => " .. ret)
    end
    return ret
end
```
Shivani Bhardwaj [Fri, 29 Nov 2024 08:31:12 +0000 (14:01 +0530)]
flow/pkts: make syntax cleaner and compact
Currently, the syntax includes direction as a part of the keyword which
is against how usually keywords are done. By making direction as a
mandatory argument, it is possible to make the syntax cleaner and the
implementation more compact and easily extendable.
Pros:
- Registration table sees fewer entries if newer options are added
- If the options have to be extended, it can be done trivially
- In accordance with existing keyword implementations
Note that this commit also retains the existing direction specific
keywords.
Victor Julien [Fri, 29 Nov 2024 13:37:08 +0000 (14:37 +0100)]
stream: RST no longer acks all data
Since forever (1578ef1e3e8a24d0cc615430c4e6bec1fefdad28) a valid RST
would update the internal `last_ack` representation to include all
unack'd data. This was originally done to make sure the unACK'd data was
inspected/processed at flow timeout.
It was observed however, that if GAPs existed in this unACK'd data, a
GAP could be reported in the stats and a GAP event would be raised. This
doesn't make sense, as missing segments in the unACK'd part of the
stream are completely normal. Segments simply do not all arrive in
order.
It turns out that the original behavior of updating `last_ack` to
include all unACK'd data is no longer needed.
For raw stream inspection, the detection engine will already include the
unACK'd data on flow end.
For app-layer updates the unACK'd data is often harmful, as the data
often has GAPs. Parsers like the http parser would report these GAPs and
could also get confused about the post-GAP data being a new transaction
including a file. This led to many reported errors and phantom txs and
files.
Since the GAP detection uses `last_ack` to determine GAPs, not moving
`last_ack` addresses the GAP false positives.
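The false positive described above follows directly from what `last_ack` means to the GAP check, and a small model makes that visible. This is an added example, not Suricata's stream engine: the `Stream`/`Segment` structures, the GAP walk and the sequence numbers are constructed for the illustration. It runs the same received-segment picture through the old RST handling (pull `last_ack` past all unACK'd data) and the new one (leave it alone) and reports whether a GAP is detected.

```c
/* Added example, not Suricata's code: a model of how `last_ack` drives
 * GAP detection, before and after the RST change. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t seq;   /* first sequence number of the segment */
    uint32_t len;   /* payload bytes */
} Segment;

typedef struct {
    uint32_t base_seq;      /* first byte of the stream we track */
    uint32_t last_ack;      /* everything below this was ACKed by the peer */
    const Segment *segs;    /* segments received so far, not necessarily contiguous */
    size_t nsegs;
} Stream;

/* Sequence number one past the highest byte seen in any segment. */
static uint32_t stream_highest_seq(const Stream *s)
{
    uint32_t hi = s->base_seq;
    for (size_t i = 0; i < s->nsegs; i++) {
        uint32_t end = s->segs[i].seq + s->segs[i].len;
        if (end > hi)
            hi = end;
    }
    return hi;
}

/* Old behaviour: a valid RST pulled last_ack forward past all unACK'd data. */
static void stream_handle_rst_old(Stream *s) { s->last_ack = stream_highest_seq(s); }

/* New behaviour: the RST leaves last_ack where the peer's ACKs put it. */
static void stream_handle_rst_new(Stream *s) { (void)s; }

/* GAP check: every byte in [base_seq, last_ack) must be covered by a received
 * segment; the first uncovered byte is the GAP position. Bytes at or above
 * last_ack are not checked, they are legitimately still in flight. */
static bool stream_has_gap(const Stream *s, uint32_t *gap_at)
{
    uint32_t pos = s->base_seq;
    while (pos < s->last_ack) {
        uint32_t next = pos;
        for (size_t i = 0; i < s->nsegs; i++) {
            const Segment *seg = &s->segs[i];
            uint32_t end = seg->seq + seg->len;
            if (seg->seq <= pos && pos < end && end > next)
                next = end;
        }
        if (next == pos) {      /* no segment covers this byte */
            *gap_at = pos;
            return true;
        }
        pos = next;
    }
    return false;
}

/* Constructed scenario: bytes 1000-1099 and 1200-1299 have arrived, the peer
 * has ACKed up to 1100, and 1100-1199 is still in flight when a RST arrives.
 * Returns the GAP position, or 0 when no GAP is reported. */
uint32_t gap_position_after_rst(bool old_behaviour)
{
    static const Segment segs[] = { { 1000, 100 }, { 1200, 100 } };
    Stream s = { .base_seq = 1000, .last_ack = 1100, .segs = segs, .nsegs = 2 };
    if (old_behaviour)
        stream_handle_rst_old(&s);
    else
        stream_handle_rst_new(&s);
    uint32_t at = 0;
    return stream_has_gap(&s, &at) ? at : 0;
}

int main(void)
{
    uint32_t old_gap = gap_position_after_rst(true);
    uint32_t new_gap = gap_position_after_rst(false);
    printf("old RST handling: %s\n", old_gap ? "GAP reported" : "no GAP");
    if (old_gap)
        printf("  first missing byte: %u\n", old_gap);
    printf("new RST handling: %s\n", new_gap ? "GAP reported" : "no GAP");
    return 0;
}
```

Under the old handling the missing 1100-1199 range falls below the advanced `last_ack` and is flagged as a GAP even though it is ordinary unACK'd, out-of-order data; with `last_ack` left at 1100 the check never reaches it.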
Victor Julien [Wed, 18 Sep 2024 09:50:59 +0000 (11:50 +0200)]
threads: align struct to CLS to avoid false sharing
Since `Thread` objects are part of a big allocation, more than one
Thread could be on a single cache line, leading to false sharing. Atomic
updates to one `Thread` could then lead to poor performance accessing
another `Thread`. Align to CLS (cache line size) to avoid this.
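The effect of the CLS alignment on a contiguous array of `Thread` objects can be checked directly. This is an added example and not Suricata's `Thread` definition: the two structs, the fixed `CLS` of 64 bytes and the field set are assumptions for the illustration (Suricata detects its cache line size at build time). It lays out eight objects of each type back to back and counts how many neighbouring pairs land on the same cache line.

```c
/* Added example, not Suricata's code: why aligning `Thread` objects to the
 * cache line size keeps two of them from sharing a line. */
#include <stdalign.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CLS 64       /* assumed cache line size; Suricata's CLS is detected at build time */
#define NTHREADS 8

/* Unaligned layout: consecutive objects in one allocation are packed
 * back to back, so several can sit on the same cache line. */
typedef struct {
    _Atomic uint64_t pktts;   /* atomically updated field, as in the locking change */
    uint32_t id;
    uint32_t flags;
} ThreadPacked;

/* Aligned layout: the alignment on the first member rounds the struct's
 * alignment and size up to CLS, so every object starts on its own line. */
typedef struct {
    alignas(CLS) _Atomic uint64_t pktts;
    uint32_t id;
    uint32_t flags;
} ThreadAligned;

/* Two addresses share a cache line when they fall in the same CLS-sized block. */
static bool same_cache_line(const void *a, const void *b)
{
    return ((uintptr_t)a / CLS) == ((uintptr_t)b / CLS);
}

/* Count neighbouring pairs of packed objects that share a cache line.
 * The array itself starts on a line boundary so the result is deterministic. */
size_t packed_pairs_sharing_line(void)
{
    static alignas(CLS) ThreadPacked threads[NTHREADS];
    size_t shared = 0;
    for (size_t i = 1; i < NTHREADS; i++)
        if (same_cache_line(&threads[i - 1], &threads[i]))
            shared++;
    return shared;
}

/* Same count for the CLS-aligned layout; the type carries the alignment. */
size_t aligned_pairs_sharing_line(void)
{
    static ThreadAligned threads[NTHREADS];
    size_t shared = 0;
    for (size_t i = 1; i < NTHREADS; i++)
        if (same_cache_line(&threads[i - 1], &threads[i]))
            shared++;
    return shared;
}

int main(void)
{
    printf("sizeof(ThreadPacked)  = %zu, neighbouring pairs on one line: %zu\n",
           sizeof(ThreadPacked), packed_pairs_sharing_line());
    printf("sizeof(ThreadAligned) = %zu, neighbouring pairs on one line: %zu\n",
           sizeof(ThreadAligned), aligned_pairs_sharing_line());
    return 0;
}
```

With the packed layout an atomic write to one object's `pktts` invalidates the line holding its neighbours too; with the aligned layout each object owns a full line, at the cost of padding each one up to `CLS` bytes.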
Victor Julien [Tue, 17 Sep 2024 09:02:00 +0000 (11:02 +0200)]
threads: fine grained locking for Thread
Until now many accesses to the Thread structure required taking a global
lock, leading to performance issues. In practice this only happened in
offline mode.
This patch adds a finer grained locking scheme. It assumes that the
Thread object itself cannot disappear, and adds a spinlock to protect
updates to the structure.
Additionally, the `pktts` field is made an atomic, so that it can be
read w/o taking the spinlock. Updates to it are still done under lock.
Victor Julien [Wed, 18 Sep 2024 10:21:42 +0000 (12:21 +0200)]
threads: use sleeping threads for minimum time a bit longer
If a thread doesn't receive packets for a while the packet timestamp
will no longer be used to determine a reasonable minimum timestamp for
flow timeout handling.
To avoid issues with the minimum timestamp to be set a bit too
aggressively, increase the time a thread can be inactive.
Victor Julien [Sun, 15 Sep 2024 17:15:56 +0000 (19:15 +0200)]
time: thread time update after flow update
The flow worker needs to get the opportunity to run the flow update
before globally making its current timestamp available. This is to
avoid another thread using the time to evict the flow that is about to
get a legitimate update.