Victor Julien [Tue, 28 Sep 2021 10:28:54 +0000 (12:28 +0200)]
detect: fix FNs in case of too many prefilter engines
Fix FNs in case of too many prefilter engines. A transaction was tracking
which engines have run using a u64 bit array. The engines 'local_id' was
used to set and check this bit. However the bit checking code didn't
handle int types correctly, leading to an incorrect left shift result of
a u32 to a u64 bit value.
This commit addresses that by fixing the int handling.
This is only a partial fix however. It's not hard to craft a ruleset that
exceeds the 63-bit space available. A more complete fix is in:
932cf0b6a6ad ("detect: track prefilter by progress, not engine")
However this seems like a too high risk change for a backport into
5.0.
This patch does issue a warning if the condition is detected at start
up, and `-T` does error out on it.
Victor Julien [Fri, 3 Sep 2021 15:04:02 +0000 (17:04 +0200)]
detect: unify alert handling; fix bugs
Unify handling of signature matches between various rule types and
between noalert and regular rules.
"noalert" sigs are added to the alert queue initially, but removed
from it after handling their actions. This way all actions are applied
from a single place.
Make sure flow drop and pass are mutually exclusive.
The above addresses issue with pass and drops not getting applied
correctly in various cases.
Victor Julien [Wed, 21 Apr 2021 13:20:49 +0000 (15:20 +0200)]
app-layer/pd: only consider actual available data
For size limit checks consider only available data at the stream start
and before any GAPS.
The old check would consider too much data if there were temporary gaps,
like when a data packet was in-window but (far) ahead of the expected
segment.
Eric Leblond [Fri, 28 May 2021 09:38:18 +0000 (11:38 +0200)]
stream/tcp: avoid evasion linked to ACK handling
Actual code will completely discard TCP analysis of a packet that
don't have the ACK bit set but have a ACK value set. This will be
for example the case of all SYN packets that have a ACK value.
Problem is that these type of packets are legit for the operating
systems and for the RFC. The consequence is that an attacker
sending a SYN packet with a non null ACK value will open succesfully
a TCP session to its target and this session will have no protocol
discovery, no TCP streaming and no application layer analysis.
Result is a quasi full evasion of the TCP stream that will only
appear in the flow log if this log is enable or alert on tcp-pkt
signature that are uncommon.
The patch is updating the code to only discard packets that do not
have the SYN flag set. This prevents the evasion and complies with the
RFC that states that the ACK bit should always be set once the
TCP session is established.
Victor Julien [Thu, 25 Feb 2021 19:06:40 +0000 (20:06 +0100)]
detect: track base id for xform buffers
Buffers with transforms are based on the non-transformed "base"
buffer, with a new ID assigned and the transform callbacks added.
This patch stores the id of the original buffer in the new buffer
inspect and prefilter structures. This way the buffers with and
without transforms can share some of the logic are progression
of file and body inspection trackers.
Fix handling of file progress tracking for regular file.data along
with transform combinations for the part of the implementation that
uses the File API.
Victor Julien [Thu, 13 May 2021 06:06:11 +0000 (08:06 +0200)]
detect: set event if max inspect buffers exceeded
If a parser exceeds 1024 buffers we stop processing them and
set a detect event instead. This is to avoid parser bugs as well as
crafted bad traffic leading to resources starvation due to excessive
loops.
Jason Ish [Thu, 25 Feb 2021 17:16:28 +0000 (11:16 -0600)]
unix-socket: reset to ready state on startup
As part of commit ea15282f47c6ff781533e3a063f9c903dd6f1afb,
some initialization was moved to happen even in unix socket mode,
however, this initialization does setup some loggers that can only have
one instance enabled (anomaly, drop, file-store).
This will cause these loggers to error out on the first pcap, but work
on subsequent runs of the pcap as some deinitialization is done after
each pcap.
This fix just runs the post pcap-file deinitialization routine to
reset some of the initialization done on startup, like is done after
running each pcap in unix socket mode.
Luke Coughlan [Mon, 26 Apr 2021 12:05:15 +0000 (13:05 +0100)]
flow/bypass: Properly set the ICMP emergency-bypassed value
Currently the ICMP emergency-bypassed value defined in suricata.conf is
overwriting the UDP value rather than correctly setting it for ICMP.
This commit corrects this bug so that the ICMP value can be set as
expected.
Victor Julien [Mon, 1 Feb 2021 21:23:47 +0000 (22:23 +0100)]
app-layer: fix transaction cleanup
Fix a 'skipped' transaction early in the list leading to all further
transactions getting skipped, even if they were fully processed and
ready to be cleaned up.
Jason Ish [Fri, 18 Dec 2020 17:34:30 +0000 (11:34 -0600)]
filestore: fix global counter init in unix socket mode
Move initialization of filestore global counter to PreRunInit,
so they get registered during program initialization, or as
required in unix-socket mode, initialized for each file run.
Ilya Bakhtin [Mon, 15 Feb 2021 17:36:46 +0000 (18:36 +0100)]
protodetect: improve midstream handling
Set "done flag" only if parsers for both directions are not found in a
case of midstream parsers from other direction are tried if nothing is found
for the initial one. "done flag" must be set if nothing is found in both
directions. Otherwise processing of incomplete data is terminated at the very
first try.
Victor Julien [Sat, 13 Feb 2021 16:10:15 +0000 (17:10 +0100)]
host: improve compare logic
The old compare macro would compare all bytes of an address, even
when for IPv4 addresses the additional bytes were not in use. This
made the logic vulnerable to mistakes like in issue #4280.
Eric Leblond [Sun, 24 Jan 2021 21:40:02 +0000 (22:40 +0100)]
suricata: avoid at exit crash in nfq mode
When Suricata was build with ebpf support and when it was started
in NFQ mode, it was crashing at exit because it was trying to free
the device extension.
This patch fixes the issue by only trigger the eBPF related code
when Suricata is running in AFP_PACKET mode.
Jeff Lucovsky [Sat, 16 Jan 2021 14:34:20 +0000 (09:34 -0500)]
rust/json: Rework scope for short-lived vars
This commit corrects scope issues identified during CI with
FC32/strict-rust:
"this `CString` is deallocated at the end of the statement, bind it to a variable to extend its lifetime
"
Jason Ish [Wed, 30 Dec 2020 19:32:53 +0000 (13:32 -0600)]
mime: postpone md5 calculation to parse complete
Instead of calculating the MD5 at the end of every part, only
compute it when parsing is complete.
With libnss, the hash never updates after the first HASH_End, so
the md5 of only the first part of the body is logged, rather than
the md5 of all the parts.
Jason Ish [Thu, 10 Dec 2020 15:48:06 +0000 (09:48 -0600)]
github-ci: use a unique id for the commit check cargo cache
All builds have been using the same cache id for ~/.cargo which
could lead us to conflict situations which is what I think we are
seeing with the commit-check job.
Uses "cargo doc --no-deps" to build the documentation just for
our Suricata package. Without --no-deps, documentation will be
build for all our dependencies as well.
The generated documentation will end up in target/doc as HTML.
projects / thirdparty / suricata.git / log
