Victor Julien [Wed, 11 Jan 2023 20:07:16 +0000 (21:07 +0100)]
smb: fix post-trunc chunk behavior
After a gap in a file transaction, the file tracker is truncated. However
this did not clear any stored out of order chunks from memory or stop more
chunks to be stored, leading to accumulation of a large number of chunks.
This patches fixes this be clearing the stored chunks on trunc. It also
makes sure no more chunks are stored in the tracker after the trunc.
util-strlcatu.c:45:8: error: a function definition without a prototype is deprecated in all versions of C and is not supported in C2x [-Werror,-Wdeprecated-non-prototype]
size_t strlcat(dst, src, siz)
^
1 error generated.
Victor Julien [Mon, 16 Jan 2023 18:14:28 +0000 (19:14 +0100)]
src: fix strict-prototype warnings
Tested on Fedora 37 with clang 15.
app-layer.c:1055:27: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
void AppLayerSetupCounters()
^
void
app-layer.c:1176:29: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
void AppLayerDeSetupCounters()
^
void
2 errors generated.
Philippe Antoine [Wed, 28 Dec 2022 14:57:12 +0000 (15:57 +0100)]
ftp: completely resets port_line
In the case port_line is first allocated and port_line_len is set,
Then a second request reaches memcap and frees port_line,
port_line_len should also be reset, because both will get used
by the response parsing.
Jason Ish [Fri, 13 Jan 2023 20:04:52 +0000 (14:04 -0600)]
rust: fix for loop over option
As of Rust 1.66 with strict mode enabled, a for loop over an option is
now an error. Replace the last occurrence of this pattern with an "if
let" statement.
Victor Julien [Wed, 7 Sep 2022 06:32:05 +0000 (08:32 +0200)]
tls: improve record checks
Improve unknown record handling. Inspired by Wireshark 'unknown record'
handling, we take a best effort approach for records with unknown content
types in TLS versions 1.0, 1.1 and 1.2.
Improve record length check and set 'invalid_record_length' event instead
of 'invalid_tls_header'.
Victor Julien [Fri, 5 Aug 2022 12:39:57 +0000 (14:39 +0200)]
tls: remove certificate buffering code
TCP Buffering is now done in the app-layer using the incomplete API, on
the SSL/TLS record level. TLS level fragmentation will be implemented
separately.
Victor Julien [Wed, 7 Sep 2022 07:43:19 +0000 (09:43 +0200)]
tls: streaming mode for application records
To avoid overhead of stream buffering for records we don't do
much with anyway, pass through application records instead of
buffering the entire record in the stream engine.
Victor Julien [Thu, 8 Dec 2022 19:14:43 +0000 (20:14 +0100)]
radix: fix ipv6 address parsing warning
The check meant to see if the ip address part of the ip/cidr combo
was more specific than needed wasn't fully implemented, leading to
warnings being issued on completely valid and correct input.
This patch implements the same logic as in IPv4. If the ip address
as specified is different from the ip after the mask has been applied,
a warning is displayed.
Victor Julien [Wed, 30 Nov 2022 05:44:40 +0000 (06:44 +0100)]
smb: fix file reopening issue
Fuzzing highlighted an issue where a command sequence on the same file
id triggered a logging issue:
file data for id N
close id N
file data for id N
If this happened in a single blob of data passed to the parser, the
existing file tx would be reused, the file "reopened", confusing the
file logging logic. This would trigger a debug assert.
This patch makes sure a new file tx is created for the file data
coming in after the first file tx is closed.
Shivani Bhardwaj [Mon, 31 Oct 2022 11:04:47 +0000 (16:34 +0530)]
util/base64: fix heap buffer overflow
While updating the destination pointer, we were also adding the padded
bytes which are not a part of the decoded bytes. This led to running out
of space on the destination buffer.
Fix it by only incrementing destination buffer ptr by the number of
actual bytes that were decoded.
As per RFC 4648,
Implementations MUST reject the encoded data if it contains characters
outside the base alphabet when interpreting base-encoded data, unless
the specification referring to this document explicitly states
otherwise.
Add a new mode BASE64_MODE_RFC4648, and handle input strictly as per the
specification.
smb: do not use tree id to match create request and response
As an SMB2 async response does not have a tree id, even if
the request has it.
Per spec, MessageId should be enough to identifiy a message request
and response uniquely across all messages that are sent on the same
SMB2 Protocol transport connection.
So, the tree id is redundant anyways.
Victor Julien [Thu, 24 Nov 2022 20:35:30 +0000 (21:35 +0100)]
detect: fixes to action handling; fix PASS
Fix PASS handling by setting and checking in the correct packet.
There are 3 types of packets:
1. tunnel packets (inner layer of encapsulation)
2. "root" packets (outmost layer of encapsulated packet)
3. normal packets (no encapsulation)
Tunnel packet have a pointer to their "root". The "root" is the packet
that is ultimately used by the capture method to issue a verdict:
DROP or ACCEPT (forward).
For tunnels:
DROP actions are always issued on the root packet.
The PASS action is issued on the packet currently in the detection
engine.
Non-tunnels:
DROP and PASS are both set in the current packet.
Jason Ish [Wed, 19 Oct 2022 19:07:56 +0000 (13:07 -0600)]
afpacket/netmap: warn about mixed ips, ids/tap deprecation
Suricata already logs if AF_PACKET or Netmap are running in a mixed IPS
and IDS/TAP mode. As the behavior is undefined when these modes are
mixed, it is best to deprecate and to not allow this behavior. For now
warn that it will be unsupported and fail in Suricata 8.
Victor Julien [Wed, 16 Nov 2022 09:44:13 +0000 (10:44 +0100)]
detect: apply drops to tunnel root
`PacketDrop` applied a DROP to the current packet unconditionally,
while in tunnel/encapsulated cases the DROP should have been applied
to the root packet.
Fixes: 6742ecbc9e87 ("decode: make PacketDrop use action as parameter")
Bug: #5600.
Philippe Antoine [Thu, 28 Apr 2022 14:24:46 +0000 (16:24 +0200)]
threshold: fix regex to accept by_both and by_rule
As is done in detect-threshold.c or in DETECT_RATE_REGEX
and is expected by switch (rule_type) which makes the same
for THRESHOLD_TYPE_THRESHOLD and THRESHOLD_TYPE_RATE
This describes briefly what the exception policies are, what is the
engine's behavior, what options are available and to which parts are
they implemented.
Some of these were recently introduced, some were highlited after the
applayer sections got merged. Some paragraphs seem to have been changed
due to trying to respect character limits for lines. Also includes a
typo pointed out by one of our community members via Discord.
projects / thirdparty / suricata.git / log
