git.ipfire.org Git - thirdparty/suricata.git/log
3 months ago  detect/sdp: minor style fixup  12922/head
Victor Julien [Wed, 2 Apr 2025 08:30:01 +0000 (10:30 +0200)] 
detect/sdp: minor style fixup

3 months ago  doc: add sdp sticky buffers
Giuseppe Longo [Mon, 30 Dec 2024 15:39:25 +0000 (16:39 +0100)] 
doc: add sdp sticky buffers

3 months ago  sdp: add sdp.media.encryption_key sticky buffer
Giuseppe Longo [Mon, 30 Dec 2024 15:38:35 +0000 (16:38 +0100)] 
sdp: add sdp.media.encryption_key sticky buffer

This adds a sticky (multi) buffer to match the "Encryption key" subfield
of the "Media description" field in both requests and responses.

Ticket #7291

3 months ago  sdp: add sdp.media.connection_data sticky buffer
Giuseppe Longo [Wed, 2 Oct 2024 08:25:59 +0000 (10:25 +0200)] 
sdp: add sdp.media.connection_data sticky buffer

This adds a sticky (multi) buffer to match the "Connection data"
subfield of the "Media description" field in both requests and
responses.

Ticket #7291

3 months ago  sdp: add sdp.media.media_info sticky buffer
Giuseppe Longo [Wed, 2 Oct 2024 08:19:44 +0000 (10:19 +0200)] 
sdp: add sdp.media.media_info sticky buffer

This adds a sticky (multi) buffer to match the "Session information"
subfield of the "Media description" field in both requests and
responses.

Ticket #7291

3 months ago  sdp: add sdp.media.media sticky buffer
Giuseppe Longo [Wed, 2 Oct 2024 08:10:39 +0000 (10:10 +0200)] 
sdp: add sdp.media.media sticky buffer

This adds a sticky (multi) buffer to match the "Media" subfield of the
"Media description" field in both requests and responses.

Ticket #7291

3 months ago  sdp: add sdp.attribute sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 19:26:30 +0000 (21:26 +0200)] 
sdp: add sdp.attribute sticky buffer

This adds a sticky (multi) buffer to match the "Attribute" field in both
requests and responses.

Ticket #7291

3 months ago  sdp: add sdp.encryption_key sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 15:49:00 +0000 (17:49 +0200)] 
sdp: add sdp.encryption_key sticky buffer

This adds a sticky buffer to match the "Encryption key" field in both
requests and responses.

Ticket #7291

3 months ago  sdp: add sdp.timezone sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 13:44:59 +0000 (15:44 +0200)] 
sdp: add sdp.timezone sticky buffer

This adds a sticky buffer to match the "Timezone" field in both
requests and responses.

Ticket #7291

3 months ago  sdp: add sdp.repeat_time sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 13:40:40 +0000 (15:40 +0200)] 
sdp: add sdp.repeat_time sticky buffer

This adds a sticky buffer to match the "Repeat time" field in both
requests and responses.

Ticket #7291

3 months ago  sdp: add sdp.time sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 13:36:32 +0000 (15:36 +0200)] 
sdp: add sdp.time sticky buffer

This adds a sticky buffer to match the "Time" field in both requests and
responses.

Ticket #7291

3 months ago  sdp: add sdp.bandwidth sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 13:30:07 +0000 (15:30 +0200)] 
sdp: add sdp.bandwidth sticky buffer

This adds a sticky (multi) buffer to match the "Bandwidth" field in both
requests and responses.

Ticket #7291

3 months ago  sdp: add sdp.connection_data sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 13:12:44 +0000 (15:12 +0200)] 
sdp: add sdp.connection_data sticky buffer

This adds a sticky buffer to match the "Connection data" field in both
requests and responses.

Ticket #7291

3 months ago  sdp: add sdp.phone_number sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 13:05:35 +0000 (15:05 +0200)] 
sdp: add sdp.phone_number sticky buffer

This adds a sticky buffer to match the "Phone number" field in both
requests and responses.

Ticket #7291

3 months ago  sdp: add sdp.email sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 13:04:10 +0000 (15:04 +0200)] 
sdp: add sdp.email sticky buffer

This adds a sticky buffer to match the "Email" field in both requests
and responses.

Ticket #7291

3 months ago  sdp: add sdp.uri sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 08:51:17 +0000 (10:51 +0200)] 
sdp: add sdp.uri sticky buffer

This adds a sticky buffer to match the "Uri" field in both requests and
responses.

Ticket #7291

3 months ago  sdp: add sdp.origin sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 08:44:42 +0000 (10:44 +0200)] 
sdp: add sdp.origin sticky buffer

This adds a sticky buffer to match the "Origin" field in both requests
and responses.

Ticket #7291

3 months ago  sdp: add sdp.session_info sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 07:57:36 +0000 (09:57 +0200)] 
sdp: add sdp.session_info sticky buffer

This adds a sticky buffer to match the "Session information" field in
both requests and responses.

Ticket #7291

3 months ago  sdp: add sdp.session_name sticky buffer
Giuseppe Longo [Mon, 30 Sep 2024 07:55:33 +0000 (09:55 +0200)] 
sdp: add sdp.session_name sticky buffer

This adds a sticky buffer to match the "Session name" field in both
requests and responses.

Ticket #7291

3 months ago  sdp: parse time and repeat_time multiple times
Giuseppe Longo [Tue, 15 Oct 2024 04:39:18 +0000 (06:39 +0200)] 
sdp: parse time and repeat_time multiple times

As defined in RFC4566, the time and repeat_time fields can be present
multiple times but they are currently parsed only once.

Ticket #7325

3 months ago  sdp: stringify structured fields
Giuseppe Longo [Fri, 4 Oct 2024 06:56:24 +0000 (08:56 +0200)] 
sdp: stringify structured fields

The current parser implementations take a field, such as connection data, and
split it into subfields for a specific structure (e.g., struct ConnectionData).
However, following this approach requires several sticky buffers to match the
whole field, which can make a rule a bit verbose and doesn't offer any advantage
for matching specific parts of a field.

With this patch, a single line is still split into pieces if it makes sense for
parsing purposes, but these pieces are then reassembled into a single string.
This way, only one sticky buffer is needed to match the entire field.

Ticket #7291
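The two SDP changes above (collecting every t=/r= line instead of the first one, and splitting a structured field only to reassemble it into a single string) are shown here as an added worked example. This is not Suricata's SDP parser: the field set is a subset of RFC 4566, the sample message is constructed, and collapsing the whitespace inside c= when it is rejoined is this example's choice.

```rust
// Added example (not Suricata's SDP parser): a minimal RFC 4566 parser that keeps every
// t=/r= line and stores a structured field such as c= as one reassembled string.
// SAMPLE_SDP is constructed for this example.

#[derive(Debug, Default, PartialEq)]
pub struct MediaDescription {
    pub media: String,                   // m= value, e.g. "audio 49170 RTP/AVP 0"
    pub media_info: Option<String>,      // i= inside the media section
    pub connection_data: Option<String>, // c= inside the media section
    pub encryption_key: Option<String>,  // k= inside the media section
    pub attributes: Vec<String>,         // a= lines inside the media section
}

#[derive(Debug, Default, PartialEq)]
pub struct SdpMessage {
    pub origin: Option<String>,
    pub session_name: Option<String>,
    pub session_info: Option<String>,
    pub connection_data: Option<String>,
    pub bandwidth: Vec<String>,
    pub time: Vec<String>,        // every t= line, in order
    pub repeat_time: Vec<String>, // every r= line, in order
    pub encryption_key: Option<String>,
    pub attributes: Vec<String>,
    pub media: Vec<MediaDescription>,
}

/// Split "<nettype> <addrtype> <address>" to validate it, then rejoin it so that one
/// buffer can match the whole field.
pub fn parse_connection_data(value: &str) -> Result<String, String> {
    let parts: Vec<&str> = value.split_whitespace().collect();
    let &[nettype, addrtype, address] = parts.as_slice() else {
        return Err(format!("connection data needs 3 fields, got {}", parts.len()));
    };
    if nettype != "IN" { return Err(format!("unsupported nettype {nettype:?}")); }
    if addrtype != "IP4" && addrtype != "IP6" { return Err(format!("unsupported addrtype {addrtype:?}")); }
    Ok(format!("{nettype} {addrtype} {address}"))
}

pub fn parse_sdp(body: &str) -> Result<SdpMessage, String> {
    let mut sdp = SdpMessage::default();
    for (n, raw) in body.lines().enumerate() {
        let line = raw.trim_end_matches('\r'); // lines() strips CRLF; drop a stray CR too
        if line.is_empty() { continue; }
        let (ty, value) = line
            .split_once('=')
            .filter(|(t, _)| t.len() == 1)
            .ok_or_else(|| format!("line {}: not a <type>=<value> line: {line:?}", n + 1))?;
        let value = value.to_string();
        if ty == "m" {
            sdp.media.push(MediaDescription { media: value, ..Default::default() });
            continue;
        }
        if let Some(m) = sdp.media.last_mut() {
            // After the first m= line, later fields belong to that media description.
            match ty {
                "i" => m.media_info = Some(value),
                "c" => m.connection_data = Some(parse_connection_data(&value)?),
                "k" => m.encryption_key = Some(value),
                "a" => m.attributes.push(value),
                "b" => sdp.bandwidth.push(value),
                _ => return Err(format!("line {}: {ty}= not allowed in a media section", n + 1)),
            }
            continue;
        }
        match ty {
            "v" if value != "0" => return Err(format!("unsupported SDP version {value}")),
            "v" => {}
            "o" => sdp.origin = Some(value),
            "s" => sdp.session_name = Some(value),
            "i" => sdp.session_info = Some(value),
            "c" => sdp.connection_data = Some(parse_connection_data(&value)?),
            "b" => sdp.bandwidth.push(value),
            "t" => sdp.time.push(value),
            "r" => sdp.repeat_time.push(value),
            "k" => sdp.encryption_key = Some(value),
            "a" => sdp.attributes.push(value),
            _ => return Err(format!("line {}: unsupported field type {ty:?}", n + 1)),
        }
    }
    if sdp.time.is_empty() { return Err("missing mandatory t= line".to_string()); }
    Ok(sdp)
}

/// Constructed sample: two t=/r= pairs, a session-level c= with sloppy spacing, two media.
pub const SAMPLE_SDP: &str = "v=0\r\n\
o=alice 2890844526 2890844526 IN IP4 10.0.0.1\r\n\
s=Constructed test session\r\n\
c=IN  IP4 10.0.0.1\r\n\
t=2873397496 2873404696\r\n\
r=604800 3600 0 90000\r\n\
t=3034423619 3042462419\r\n\
r=7d 1h 0 25h\r\n\
m=audio 49170 RTP/AVP 0\r\n\
a=rtpmap:0 PCMU/8000\r\n\
m=video 51372 RTP/AVP 31\r\n\
c=IN IP4 10.0.0.2\r\n\
k=clear:constructed-test-key\r\n";
```

Calling `parse_sdp(SAMPLE_SDP)` yields two entries in `time` and two in `repeat_time`, the session-level `connection_data` as the single string `"IN IP4 10.0.0.1"`, and the second media description carrying its own `connection_data` and `encryption_key`; a malformed c= (wrong field count or unknown address type) is rejected at parse time rather than silently stored.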

3 months ago  sdp: log media's encryption key
Giuseppe Longo [Fri, 4 Oct 2024 12:45:59 +0000 (14:45 +0200)] 
sdp: log media's encryption key

The encryption key subfield of the media description field is not
logged when it should be.

Ticket #7305

3 months ago  github-actions: bump actions/upload-artifact from 4.6.1 to 4.6.2
dependabot[bot] [Tue, 1 Apr 2025 19:47:09 +0000 (19:47 +0000)] 
github-actions: bump actions/upload-artifact from 4.6.1 to 4.6.2

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.1 to 4.6.2.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1...ea165f8d65b6e75b540449e92b4886f43607fa02)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 4.6.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

3 months ago  github-actions: bump actions/download-artifact from 4.1.9 to 4.2.1
dependabot[bot] [Tue, 1 Apr 2025 19:47:06 +0000 (19:47 +0000)] 
github-actions: bump actions/download-artifact from 4.1.9 to 4.2.1

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.9 to 4.2.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/cc203385981b70ca67e1cc392babf9cc229d5806...95815c38cf2ff2164869cbab79da8d1f422bc89e)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 4.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

3 months ago  github-actions: bump github/codeql-action from 3.28.10 to 3.28.13
dependabot[bot] [Tue, 1 Apr 2025 19:47:03 +0000 (19:47 +0000)] 
github-actions: bump github/codeql-action from 3.28.10 to 3.28.13

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.10 to 3.28.13.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](https://github.com/github/codeql-action/compare/v3.28.10...v3.28.13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.28.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

3 months ago  detect: remove unneeded NULL check
Philippe Antoine [Tue, 1 Apr 2025 19:39:11 +0000 (21:39 +0200)] 
detect: remove unneeded NULL check

As spotted by cppcheck

fd is set only once, and DetectFlowSetup bails early if it is NULL

Fixes: c272a646c5ae ("detect: SigMatchAppendSMToList can fail")

4 months ago  rust/conf: rust format  12907/head
Jason Ish [Tue, 1 Apr 2025 16:55:18 +0000 (10:55 -0600)] 
rust/conf: rust format

4 months ago  rust/conf: use generated bindings to SCConf API
Jason Ish [Tue, 1 Apr 2025 16:42:52 +0000 (10:42 -0600)] 
rust/conf: use generated bindings to SCConf API

4 months ago  conf: prefix conf API with SC
Jason Ish [Tue, 1 Apr 2025 16:04:19 +0000 (10:04 -0600)] 
conf: prefix conf API with SC

4 months ago  threads/lib: fix coverity check for unchecked return code
Jason Ish [Tue, 1 Apr 2025 15:31:07 +0000 (09:31 -0600)] 
threads/lib: fix coverity check for unchecked return code

In thread startup, return an error if TmThreadsWaitForUnpause() fails.
Fixed coverity check as in all other places the return value of this
function is checked and acted on.

4 months ago  rust/rdp: namespace and visibility cleanups
Jason Ish [Tue, 1 Apr 2025 15:16:11 +0000 (09:16 -0600)] 
rust/rdp: namespace and visibility cleanups

Ticket: #7498

4 months ago  rust/smb: namespace and visibility cleanups
Jason Ish [Tue, 1 Apr 2025 14:56:21 +0000 (08:56 -0600)] 
rust/smb: namespace and visibility cleanups

Ticket: #7498

4 months ago  doc/entropy: Add documentation for the entropy keyword
Jeff Lucovsky [Tue, 1 Apr 2025 12:14:31 +0000 (08:14 -0400)] 
doc/entropy: Add documentation for the entropy keyword

This commit adds documentation for the entropy keyword.
The entropy keyword calculates the Shannon entropy value for content
with the calculated value used to determine whether an alert occurs.

4 months ago  detect/entropy: Use entropy matching when needed
Jeff Lucovsky [Wed, 5 Feb 2025 21:38:03 +0000 (16:38 -0500)] 
detect/entropy: Use entropy matching when needed

This commit causes the content inspection engine to recognize and
invoke the entropy "match" function when the entropy keyword is used.

Issue: 4162

4 months ago  detect/entropy: Add entropy keyword
Jeff Lucovsky [Wed, 5 Feb 2025 20:53:30 +0000 (15:53 -0500)] 
detect/entropy: Add entropy keyword

This commit adds keyword/build support for the entropy keyword. The
entropy keyword compares an entropy value with a value calculated
according to the Shannon entropy on the available content.

Issue: 4162

4 months ago  rust/detect: Add entropy support
Jeff Lucovsky [Wed, 5 Feb 2025 20:46:10 +0000 (15:46 -0500)] 
rust/detect: Add entropy support

This commit adds
- Parser for the entropy keyword
- Calculation of the content's Shannon entropy value

Issue: 4162

The entropy keyword syntax is the keyword entropy followed by options
and the entropy value for comparison.

The minimum entropy keyword specification is:
entropy: value <entropy-spec>

This results in the calculated entropy value being compared with
<entropy-spec> with the equality operator.

Calculated entropy values are between 0.0 and 8.0, inclusive.

A match occurs when the values and operator agree. This example matches
if the calculated and entropy value are the same.

When entropy keyword options are specified, all options and "value" must
be comma-separated. Options and value may be specified in any order.

Options have default values:
- bytes is equal to the current content length
- offset is 0
- comparison with value is equality

entropy: [bytes <byteval>] [offset <offsetval>] value <entropy-spec>

Using default values:
entropy: bytes 0, offset 0, value =<entropy-spec>

<entropy-spec> is: <operator> (see below) and a value, e.g., "< 4.1"

The following operators are available from the float crate:
    - =  (default): Match when calculated entropy value equals specified entropy value
    - <  Match when calculated entropy value is strictly less than specified entropy value
    - <= Match when calculated entropy value is less than or equal to specified entropy value
    - >  Match when calculated entropy value is strictly greater than specified entropy value
    - >= Match when calculated entropy value is greater than or equal to specified entropy value
    - != Match when calculated entropy value is not equal to specified entropy value
    - x-y Match when calculated entropy value is in the range, exclusive
    - !x-y Match when calculated entropy value is not in the range, exclusive
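The keyword syntax and comparison semantics laid out in the commit message above, as an added worked example in Rust. This is not Suricata's implementation: it assumes the parser receives the text after "entropy:", that "bytes 0" means the whole remaining content (as the "Using default values" line suggests), that a window which cannot be carved out of the content never matches, and that "=" is an exact floating-point comparison.

```rust
// Added example (not Suricata's code): Shannon entropy over a byte window plus the
// bytes/offset options and comparison modes listed above. Assumed: input is the text
// after "entropy:", "bytes 0" means the whole remaining content, and a window that
// cannot be formed never matches.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum EntropyMode {
    Equal(f64), NotEqual(f64), Less(f64), LessEqual(f64), Greater(f64), GreaterEqual(f64),
    Range(f64, f64),    // x-y: lo < h < hi (exclusive, as in the commit message)
    NotRange(f64, f64), // !x-y: the complement of Range
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct EntropySpec {
    pub bytes: Option<usize>, // None: up to the end of the content
    pub offset: usize,
    pub mode: EntropyMode,
}

/// Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one.
pub fn shannon_entropy(data: &[u8]) -> f64 {
    let mut counts = [0usize; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let n = data.len() as f64;
    let mut h = 0.0;
    for &c in counts.iter().filter(|&&c| c > 0) {
        let p = c as f64 / n;
        h -= p * p.log2();
    }
    h
}

fn parse_value(t: &str) -> Result<f64, String> {
    let v: f64 = t.trim().parse().map_err(|e| format!("bad entropy value {t:?}: {e}"))?;
    if (0.0..=8.0).contains(&v) { Ok(v) } else { Err(format!("entropy {v} outside 0.0..=8.0")) }
}

fn parse_mode(s: &str) -> Result<EntropyMode, String> {
    use EntropyMode::*;
    let s = s.trim();
    // Two-character operators first so "!=" is not read as a negated range.
    if let Some(r) = s.strip_prefix("!=") { return Ok(NotEqual(parse_value(r)?)); }
    if let Some(r) = s.strip_prefix(">=") { return Ok(GreaterEqual(parse_value(r)?)); }
    if let Some(r) = s.strip_prefix("<=") { return Ok(LessEqual(parse_value(r)?)); }
    if let Some(r) = s.strip_prefix('>') { return Ok(Greater(parse_value(r)?)); }
    if let Some(r) = s.strip_prefix('<') { return Ok(Less(parse_value(r)?)); }
    if let Some(r) = s.strip_prefix('=') { return Ok(Equal(parse_value(r)?)); }
    let (negated, body) = match s.strip_prefix('!') { Some(r) => (true, r), None => (false, s) };
    if let Some((lo, hi)) = body.split_once('-') {
        let (lo, hi) = (parse_value(lo)?, parse_value(hi)?);
        if lo >= hi { return Err(format!("range {lo}-{hi} is empty")); }
        return Ok(if negated { NotRange(lo, hi) } else { Range(lo, hi) });
    }
    if negated { return Err(format!("'!' must prefix a range, got {s:?}")); }
    Ok(Equal(parse_value(body)?)) // bare value: equality is the default operator
}

impl EntropySpec {
    /// Parse the text after "entropy:", e.g. "bytes 16, offset 4, value >= 7.0".
    pub fn parse(s: &str) -> Result<Self, String> {
        let (mut bytes, mut offset, mut mode) = (None, 0usize, None);
        for part in s.split(',') {
            let part = part.trim();
            let (key, arg) = part
                .split_once(char::is_whitespace)
                .ok_or_else(|| format!("expected '<option> <arg>', got {part:?}"))?;
            match key {
                "bytes" => {
                    let n: usize = arg.trim().parse().map_err(|e| format!("bytes: {e}"))?;
                    bytes = if n == 0 { None } else { Some(n) };
                }
                "offset" => offset = arg.trim().parse().map_err(|e| format!("offset: {e}"))?,
                "value" => mode = Some(parse_mode(arg)?),
                other => return Err(format!("unknown option {other:?}")),
            }
        }
        let mode = mode.ok_or_else(|| "missing required 'value' option".to_string())?;
        Ok(EntropySpec { bytes, offset, mode })
    }

    /// Carve the window out of the content, compute its entropy and compare.
    pub fn matches(&self, content: &[u8]) -> bool {
        use EntropyMode::*;
        let Some(tail) = content.get(self.offset..) else { return false };
        let len = self.bytes.unwrap_or(tail.len());
        let Some(window) = tail.get(..len) else { return false }; // too short: no match
        if window.is_empty() { return false; }
        let h = shannon_entropy(window);
        match self.mode {
            Equal(v) => h == v,
            NotEqual(v) => h != v,
            Less(v) => h < v,
            LessEqual(v) => h <= v,
            Greater(v) => h > v,
            GreaterEqual(v) => h >= v,
            Range(lo, hi) => lo < h && h < hi,
            NotRange(lo, hi) => !(lo < h && h < hi),
        }
    }
}
```

`EntropySpec::parse("offset 4, bytes 16, value 3.5-4.5")` followed by `.matches(buf)` is the whole keyword evaluation; a buffer of 256 distinct byte values scores 8.0 and a constant buffer 0.0. Because "=" compares two f64 values exactly, a rule that wants "about 4 bits" should use a range rather than equality, and a window that asks for more bytes than the content has is treated as a non-match rather than being silently truncated.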

4 months ago  float: General purpose floating point functions
Jeff Lucovsky [Wed, 5 Feb 2025 15:40:49 +0000 (10:40 -0500)] 
float: General purpose floating point functions

Issue: 4162

This commit adds a floating-point analog to `uint.rs` targeted
initially to be used by the forthcoming entropy keyword.

4 months ago  doc: add http library supported fns  12891/head
Shivani Bhardwaj [Tue, 1 Apr 2025 06:18:13 +0000 (11:48 +0530)] 
doc: add http library supported fns

Task 7604

4 months ago  doc: remove http cookie ua from list of buffers
Shivani Bhardwaj [Mon, 31 Mar 2025 12:28:15 +0000 (17:58 +0530)] 
doc: remove http cookie ua from list of buffers

as they are available via the library using the tx
- tx:request_header("Cookie")
- tx:response_header("Cookie")
- tx:request_header("User-Agent")

4 months ago  lua: convert http fns into suricata.http lib
Shivani Bhardwaj [Wed, 26 Mar 2025 06:20:25 +0000 (11:50 +0530)] 
lua: convert http fns into suricata.http lib

Expose the existing lua fns through the library as suricata.http module.
All existing fns are accessible like before with a transaction.

Task 7604

4 months ago  util/lua: change arg name to reflect correctness
Shivani Bhardwaj [Wed, 26 Mar 2025 06:04:11 +0000 (11:34 +0530)] 
util/lua: change arg name to reflect correctness

lua fns do not care about the argument count, they work with the index of
the item in the stack. Before library, there was just one item on the stack
so it worked out, however, with the library, the first item in the stack is
the library userdata, so, the fn would fail with the existing hard coded
setting of 1 for argc which can easily be confused with the number of
arguments passed to the fn.

4 months ago  github-ci: add test for custom lib example
Jason Ish [Mon, 31 Mar 2025 19:13:09 +0000 (13:13 -0600)] 
github-ci: add test for custom lib example

Ticket: #7240

4 months ago  examples/lib: include cleanup
Jason Ish [Tue, 14 Jan 2025 22:26:21 +0000 (16:26 -0600)] 
examples/lib: include cleanup

Requires tm-threads.h.

Ticket: #7240

4 months ago  examples/lib: use packet setter functions
Jason Ish [Wed, 9 Oct 2024 21:21:32 +0000 (15:21 -0600)] 
examples/lib: use packet setter functions

Instead of direct field access.

Ticket: #7240

4 months ago  packet: add set functions for some packet fields
Jason Ish [Wed, 9 Oct 2024 18:30:43 +0000 (12:30 -0600)] 
packet: add set functions for some packet fields

- SCPacketSetReleasePacket
- SCPacketSetLiveDevice
- SCPacketSetDatalink
- SCPacketSetTime
- SCPacketSetSource

Prevents direct access by library users and provides more ABI
stability.

Ticket: #7240

4 months ago  lib: remove TmModuleLibHandlePacket
Jason Ish [Mon, 7 Oct 2024 22:08:59 +0000 (16:08 -0600)] 
lib: remove TmModuleLibHandlePacket

This is better handled directly in the library user program so the
user has more control of the Packet structure, before and after
handling.

Ticket: #7240

4 months ago  examples/lib: use a main loop to wait for exit
Jason Ish [Fri, 4 Oct 2024 22:28:05 +0000 (16:28 -0600)] 
examples/lib: use a main loop to wait for exit

Instead of immediately entering shutdown, use SuricataMainLoop to wait
for the end of the pcap.

Ticket: #7240

4 months ago  lib: remove SCRunModeLibDestroyWorker
Jason Ish [Fri, 4 Oct 2024 22:27:28 +0000 (16:27 -0600)] 
lib: remove SCRunModeLibDestroyWorker

This was a one line wrapper around SCTmThreadsSlotPktAcqLoopFinish, so
library users can call that directly instead.

Ticket: #7240

4 months ago  examples/lib: create threadvars from main thread
Jason Ish [Mon, 30 Sep 2024 22:34:04 +0000 (16:34 -0600)] 
examples/lib: create threadvars from main thread

This also allows us to remove the sleep, as the ThreadVars are now
guaranteed to be created before PostInit.

Ticket: #7240

4 months ago  examples/lib: update library example for ips drop
Jason Ish [Thu, 12 Sep 2024 20:25:01 +0000 (14:25 -0600)] 
examples/lib: update library example for ips drop

Add a release packet callback where the action can be checked for drop.

Ticket: #7240

4 months ago  runmodes: typedef runmode enum and use as type
Jason Ish [Mon, 26 Aug 2024 20:18:22 +0000 (14:18 -0600)] 
runmodes: typedef runmode enum and use as type

Also remove function to set the library mode. This is easy enough to
do with SCRunmodeSet, and we don't want to add a specific setter for
each and every runmode.

Ticket: #7240

4 months ago  lib: reorganize to avoid static prototypes
Jason Ish [Fri, 23 Aug 2024 20:54:24 +0000 (14:54 -0600)] 
lib: reorganize to avoid static prototypes

Ticket: #7240

4 months ago  lib: consistent naming style
Jason Ish [Fri, 23 Aug 2024 20:52:34 +0000 (14:52 -0600)] 
lib: consistent naming style

And add SC prefix.

Ticket: #7240

4 months ago  threads: refactor TmThreadsSlotPktAcqLoop for user threads
Jason Ish [Fri, 23 Aug 2024 18:49:20 +0000 (12:49 -0600)] 
threads: refactor TmThreadsSlotPktAcqLoop for user threads

Refactor TmThreadsSlotPktAcqLoop for user provided thread by breaking
out the init and finish code into their own functions.

For user provided threads, Suricata should not "drive" the thread, but
the setup and finish code is the same.

The finish function is exported so it can be called by the user
application when its receive loop or equivalent is done.

Also remove obsolete comment.

Ticket: #7240

4 months ago  lib: take pointer to LiveDevice, not name
Jason Ish [Mon, 3 Jun 2024 23:04:10 +0000 (17:04 -0600)] 
lib: take pointer to LiveDevice, not name

In the library capture example, show how the packet counter can be
updated.

Ticket: #7240

4 months ago  lib: remove global worker id variable
Jason Ish [Wed, 24 Apr 2024 22:47:11 +0000 (16:47 -0600)] 
lib: remove global worker id variable

Update ThreadVars creation in lib mode to have the worker_id provided
by the user.

Ticket: #7240

4 months ago  lib: rename threadvars creation function
Jason Ish [Wed, 24 Apr 2024 22:10:15 +0000 (16:10 -0600)] 
lib: rename threadvars creation function

Also use a proper return type (ThreadVars *).

Ticket: #7240

4 months ago  examples/lib: better command line handling
Jason Ish [Thu, 18 Apr 2024 22:53:47 +0000 (16:53 -0600)] 
examples/lib: better command line handling

Use the more conventional "--" command line handling to separate the
arguments. The first set will be passed to Suricata, and the args
after "--" will be handled by the example. Currently this is a single
PCAP filename, but will be extended to a list of PCAP filenames.

Also hard code logging to the current directory.

Ticket: #7240

4 months ago  threads: don't attempt to join threads with an id of 0
Jason Ish [Thu, 18 Apr 2024 06:33:09 +0000 (00:33 -0600)] 
threads: don't attempt to join threads with an id of 0

Worker threads not created by Suricata, but instead a library user
should not be joined, as Suricata does not have access to their thread
handle, and it may in-fact be an unjoinable thread, such as the main
process.

When the thread ID is 0, assume the thread is "externally" managed,
but still mark it as dead to satisfy Suricata's view of the thread.

Ticket: #7240

4 months ago  .gitignore: add more files
Jason Ish [Mon, 31 Mar 2025 18:34:04 +0000 (12:34 -0600)] 
.gitignore: add more files

- the generated binaries for lib examples
- LSP files
- man pages

4 months ago  examples: rename lib capture example to custom
Jason Ish [Wed, 10 Apr 2024 16:58:56 +0000 (10:58 -0600)] 
examples: rename lib capture example to custom

To keep the simple example simple, move the lib based capture method
example to its own example.

Ticket: #7240

4 months ago  libsuricata: add library runmode
Angelo Mirabella [Wed, 3 Apr 2024 08:06:39 +0000 (01:06 -0700)] 
libsuricata: add library runmode

Add library source and runmode modules. Reorganized
library example to create a worker thread and replay a pcap
file using the library mode.
No API layer is added at this stage.

Edits by Jason Ish:
- fix guard
- add copyright/license headers

Ticket: #7240

4 months ago  doc/exceptions: change stats counters names
Juliana Fajardini [Mon, 24 Mar 2025 20:49:53 +0000 (13:49 -0700)] 
doc/exceptions: change stats counters names

As we've changed them for more search-friendly ones.

Related to
Task #7185

4 months ago  exceptions: move midstream stats to common counter
Juliana Fajardini [Mon, 24 Mar 2025 19:34:31 +0000 (12:34 -0700)] 
exceptions: move midstream stats to common counter

Part of making the exception policy stats counters more search
friendly.

Task #7185

4 months ago  exceptions: move reassembly memcap stats to common counter
Juliana Fajardini [Mon, 24 Mar 2025 19:29:40 +0000 (12:29 -0700)] 
exceptions: move reassembly memcap stats to common counter

Part of making the exception policy stats counters more search
friendly.

Task #7185

4 months ago  exceptions: move ssn memcap stats to common counter
Juliana Fajardini [Mon, 24 Mar 2025 19:24:14 +0000 (12:24 -0700)] 
exceptions: move ssn memcap stats to common counter

Part of making the exception policy stats counters more search
friendly.

Task #7185

4 months ago  exceptions: move flow memcap stats to common counter
Juliana Fajardini [Mon, 24 Mar 2025 19:16:52 +0000 (12:16 -0700)] 
exceptions: move flow memcap stats to common counter

Part of making the exception policy stats counters more search
friendly.

Task #7185

4 months ago  exceptions: move defrag stats to common counter
Juliana Fajardini [Mon, 24 Mar 2025 19:05:20 +0000 (12:05 -0700)] 
exceptions: move defrag stats to common counter

Part of making the exception policy stats counters more search
friendly.

Task #7185

4 months ago  exceptions: move app_layer stats to common counter
Juliana Fajardini [Mon, 24 Mar 2025 19:03:33 +0000 (12:03 -0700)] 
exceptions: move app_layer stats to common counter

Part of making the exception policy stats counters more search
friendly.

Task #7185

4 months ago  output: Add linktype name
Jeff Lucovsky [Sat, 8 Jun 2024 14:37:14 +0000 (10:37 -0400)] 
output: Add linktype name

Issue: 6954

This commit adds the linktype name to the output stream. The name is
determined from the pcap utility function pcap_datalink_val_to_name

4 months ago  output/datalink: Use Rust-based linktype hashmap
Jeff Lucovsky [Sat, 19 Oct 2024 12:07:01 +0000 (08:07 -0400)] 
output/datalink: Use Rust-based linktype hashmap

Use the hashmap to gather linktype display names.

Issue: 6954

4 months ago  decode/datalink: Add datalink value/name logic
Jeff Lucovsky [Sat, 19 Oct 2024 12:02:20 +0000 (08:02 -0400)] 
decode/datalink: Add datalink value/name logic

Issue: 6954

Add Rust based logic that maintains a hash map of link type values and
their associated output names.

4 months ago  github-ci: use git cli command for netmap instead of action  12888/head
Jason Ish [Mon, 31 Mar 2025 16:14:47 +0000 (10:14 -0600)] 
github-ci: use git cli command for netmap instead of action

This action hits API limits often, however our other uses of git clone
do not seem to, so try to use git clone here instead of the github
action.

4 months ago  detect: SC prefix for extern pub Rust functions
Jason Ish [Mon, 31 Mar 2025 15:59:16 +0000 (09:59 -0600)] 
detect: SC prefix for extern pub Rust functions

Ticket: #7498

4 months ago  snmp: rust naming and visibility cleanups
Jason Ish [Mon, 31 Mar 2025 15:50:33 +0000 (09:50 -0600)] 
snmp: rust naming and visibility cleanups

Ticket: #7498

4 months ago  dpdk: adjust auto mempool calculation when no TX queues set
Lukas Sismis [Sat, 29 Mar 2025 12:36:51 +0000 (13:36 +0100)] 
dpdk: adjust auto mempool calculation when no TX queues set

4 months ago  dpdk: allow zero TX queues when running in IDS mode
Lukas Sismis [Sat, 29 Mar 2025 12:31:15 +0000 (13:31 +0100)] 
dpdk: allow zero TX queues when running in IDS mode

When running in non-forwarding (IDS) mode, it is not required
to create TX queues for the interface.
This can be achieved by setting tx-descriptors configuration
field to 0.

Ticket: 7633

4 months ago  docs: double quote technical terms in DPDK section
Lukas Sismis [Sat, 29 Mar 2025 12:27:08 +0000 (13:27 +0100)] 
docs: double quote technical terms in DPDK section

4 months ago  dpdk: NULL freed variables
Lukas Sismis [Tue, 25 Mar 2025 11:31:48 +0000 (12:31 +0100)] 
dpdk: NULL freed variables

The DPDKDeviceResourcesDeinit function now accepts second-level
reference to NULL the provided variable after deinitialization.

4 months ago  dpdk: document vlan stripping offload
Lukas Sismis [Wed, 5 Feb 2025 09:45:17 +0000 (10:45 +0100)] 
dpdk: document vlan stripping offload

Ticket: 5838

4 months ago  dpdk: check for link up before full startup
Lukas Sismis [Tue, 4 Feb 2025 10:13:42 +0000 (11:13 +0100)] 
dpdk: check for link up before full startup

ICE card (Intel E810) was not receiving packets immediately
after startup, Suricata workers would act as processing while
it was not. This eliminates the problem by only continuing
in the initialization if the link is already up.

The setting can be turned off manually from the configuration
file.

Ticket: 7381

4 months ago  dpdk: use default iface-copy value if not specified
Lukas Sismis [Tue, 4 Feb 2025 09:17:46 +0000 (10:17 +0100)] 
dpdk: use default iface-copy value if not specified

Ticket: 7374

4 months ago  dpdk: replace global with per-thread mempools
Lukas Sismis [Thu, 20 Jul 2023 07:42:06 +0000 (09:42 +0200)] 
dpdk: replace global with per-thread mempools

It turned out that having global (interface-specific) mempool
that is shared by the threads of the interface is slower than
having individual mempools per queue for each interface.

The commit brings this change and should be user-invisible,
the config setting remains still as a number of objects of
all mempools summed (of that interface).

Ticket: 7382

4 months ago  dpdk: remove mempool pointer from the thread structure
Lukas Sismis [Mon, 27 Jan 2025 13:45:58 +0000 (14:45 +0100)] 
dpdk: remove mempool pointer from the thread structure

4 months ago  dpdk: auto configure Rx/Tx descriptors and mempool size
Lukas Sismis [Mon, 27 Jan 2025 13:26:23 +0000 (14:26 +0100)] 
dpdk: auto configure Rx/Tx descriptors and mempool size

Ticket: 7380
Ticket: 7373

4 months ago  detect: allow rules which need both directions to match  12875/head
Philippe Antoine [Thu, 18 Jan 2024 13:15:14 +0000 (14:15 +0100)] 
detect: allow rules which need both directions to match

Ticket: 5665

This is done with `alert ip any any => any any`
The => operator means that we will need both directions

4 months ago  ndpi: ignore packets that have a different proto than the flow
Jason Ish [Thu, 27 Mar 2025 21:32:40 +0000 (15:32 -0600)] 
ndpi: ignore packets that have a different proto than the flow

This can happen when the flow is UDP, but an ICMP unreachable is
returned, which gets assigned to the same flow.

Reference: https://github.com/ntop/nDPI/issues/2762

4 months ago  doc/ndpi: move ndpi docs to new plugins section
Jason Ish [Fri, 24 Jan 2025 16:51:45 +0000 (10:51 -0600)] 
doc/ndpi: move ndpi docs to new plugins section

Moves the nDPI documentation to an nDPI page in the plugins
section. Remove the duplication of installation and setup
documentation.

Includes some minor cleanups.

4 months ago  ndpi: fix memory in keyword setup
Jason Ish [Fri, 24 Jan 2025 17:18:54 +0000 (11:18 -0600)] 
ndpi: fix memory in keyword setup

- remove duplicate calls to ndpi_init_detection_module
- cleanup ndpi_init_detection_module when no longer needed

4 months ago  detect: split new keyword id from registration
Jason Ish [Fri, 17 Jan 2025 20:46:07 +0000 (14:46 -0600)] 
detect: split new keyword id from registration

Split DetectHelperKeywordRegister into 2 functions, one for acquiring
a new keyword ID, and another to perform the registration.

This makes it easier to do the traditional C keyword initialization
with a dynamic ID.

4 months ago  eve/schema: add top level ndpi object
Jason Ish [Wed, 15 Jan 2025 21:25:20 +0000 (15:25 -0600)] 
eve/schema: add top level ndpi object

The format is left free-form, as it is controlled by a plugin.

4 months ago  github-ci: add ndpi build to the centos-stream9 build
Jason Ish [Wed, 15 Jan 2025 18:04:02 +0000 (12:04 -0600)] 
github-ci: add ndpi build to the centos-stream9 build

- Download and build nDPI
- Enable nDPI during Suricata ./configure
- Test that the plugin was built and installed

4 months ago  ndpi: initial implementation of nDPI plugin
Alfredo Cardigliano [Mon, 4 Nov 2024 09:25:31 +0000 (10:25 +0100)] 
ndpi: initial implementation of nDPI plugin

Ticket: #7231

4 months ago  detect: add email.date keyword
Alice Akaki [Fri, 28 Mar 2025 20:06:01 +0000 (16:06 -0400)] 
detect: add email.date keyword

email.date matches on MIME EMAIL DATE
This keyword maps to the EVE field email.date
It is a sticky buffer
Supports prefiltering

Ticket: #7591

4 months ago  mime/email: log date and subject fields
Alice Akaki [Fri, 28 Mar 2025 20:06:26 +0000 (16:06 -0400)] 
mime/email: log date and subject fields

4 months ago  detect: per tx detect flags to a u8 progress value  12862/head
Victor Julien [Mon, 24 Mar 2025 10:20:39 +0000 (11:20 +0100)] 
detect: per tx detect flags to a u8 progress value

Reduce per tx space for tracking detection/prefilter progress. Instead
of a per direction u64 of flags, where each bit reflected a progress
value, use a simple u8 to track the linear progression through the
progress values. Use an offset to allow 0 to mean no value.

Add flags field as well to track "skip detect" and "inspect complete".

4 months ago  app-layer: add helper for AppLayerTxData cleanup
Victor Julien [Sat, 22 Mar 2025 09:18:43 +0000 (10:18 +0100)] 
app-layer: add helper for AppLayerTxData cleanup

4 months ago  doc/tls: add more detail on tls.random
Victor Julien [Mon, 24 Mar 2025 12:25:25 +0000 (13:25 +0100)] 
doc/tls: add more detail on tls.random

4 months ago  detect: reorder struct
Victor Julien [Thu, 27 Feb 2025 10:37:14 +0000 (11:37 +0100)] 
detect: reorder struct

4 months ago  landlock: add read/write permission to MPM cache directory
Lukas Sismis [Wed, 26 Mar 2025 12:52:29 +0000 (19:52 +0700)] 
landlock: add read/write permission to MPM cache directory