Victor Julien [Mon, 30 Jan 2023 10:27:37 +0000 (11:27 +0100)]
flow: enforce flow assumption
Enforce assumption that packets in ThreadVars::decode_pq have no flow
attached to it because this is only true for packets while they are
in the FlowWorker.
Victor Julien [Fri, 27 Jan 2023 19:47:46 +0000 (20:47 +0100)]
flow: remove use_cnt
Packets only ever reference the flow while holding its lock. This
means than any code possibly evicting the flow will have to wait
for the existing users to complete their work. Therefore the use_cnt
serves no function anymore and can be removed.
Jason Ish [Wed, 25 Jan 2023 17:53:08 +0000 (11:53 -0600)]
smb: fix duplicate interface logging
An array of interfaces was being logged without creating an array,
resulting in duplicate "interface" objects being logged. Instead put
these interfaces into an array like already done elsewhere.
Jason Ish [Wed, 25 Jan 2023 17:52:07 +0000 (11:52 -0600)]
eve: remove dcerpc.interface from schema
Looks like this was due to an error in the dcerpc logging where the
interfaces should have been logged to the "interfaces" array that was
already defined.
Jason Ish [Wed, 25 Jan 2023 18:02:27 +0000 (12:02 -0600)]
smb: remove duplicate tree_id logging
Remove the second occurrence of tree_id logging which appears to
always be a duplicate of the first tree_id logged, even though they
come from different data structures.
Jason Ish [Fri, 27 Jan 2023 05:03:22 +0000 (23:03 -0600)]
tls: fix date logging for dates before 1970
The Rust time crate used by the x509-parser crate represents dates
before 1970 as negative numbers which do not survive the conversion to
SCTime_t and formatting with the current time formatting functions.
Instead of fixing our formatting functions to handle such dates,
create a Rust function for logging TLS dates directly to JSON using
the time crate that handles such dates properly.
Also add a FFI function for formatting to a provided C buffer for the
legacy tls-log.
Philippe Antoine [Mon, 14 Mar 2022 10:55:08 +0000 (11:55 +0100)]
ftp: adds a config option ftp-hash for autofp-scheduler
This allows ftp-data and ftp flows to be processed by the same
thread. Otherwise, there may be a concurrency issue where the
would-be ftp-data flow is first processed, and thus not recognized
as such. And the ftp flow gets processed later and the expectation
coming from it is never found.
To do so, the flow hash gets used as usual, except for flows that
may be either ftp or ftp-data, that is either one port is 21, or
both ports are high ones.
Jason Ish [Mon, 23 Jan 2023 17:21:09 +0000 (11:21 -0600)]
rust/derive: allow event name to be set as attribute
When deriving AppLayerEvent, allow the event name to be set with the
"name" attribute in cases where the transformed name is not suitable.
This allows us to use enum variant names like
"FtpEventRequestCommandTooLong" for direct use in C, but is also a
name that doesn't transform well to an event name in rules, where we
want to see "request_command_too_long".
Jason Ish [Mon, 17 Oct 2022 21:10:48 +0000 (15:10 -0600)]
suricata: allow additional include files on command line
Add a new command line option, --include. This will merge additional
configuration files into the configuration specified in the main
suricata.yaml. It can be provided multiple times and the files will be
included in the order they appear on the command line.
Jason Ish [Tue, 24 Jan 2023 22:57:47 +0000 (16:57 -0600)]
config: allow fully qualified overrides
Allow configuration parameters to be overrided usually a fully
qualified name such as:
vars.address-groups.HOME_NET: "7.1.2.0/24"
In configuration files (including "include" files). This allows the
overriding of a specific value deeply nested in the configuration
without having to redefine the complete top-layer object.
Fix payload_len calculation post removal of the condition that returned
error code if the length to the decode fn did not match the length of
header from the UDP packet.
Lukas Sismis [Fri, 18 Nov 2022 15:13:58 +0000 (16:13 +0100)]
decode-udp: Allow shorter UDP packets than the remaining payload length
If the packet is shorter than IP payload length we no longer flag it as an
invalid UDP packet. UDP packet can be therefore shorter than IP payload.
Keyword "udp.hlen_invalid" became outdated as we no longer flag short UDP
packets as invalid.
Function http2_range_open expects to be called only when
tx.file_range is nil. One condition to ensure this is to check
that we are beginning the files contents. The filetracker field
file_open is not fit for this, as it may be reset to false.
Jason Ish [Tue, 24 Jan 2023 22:27:00 +0000 (16:27 -0600)]
log-pcap: fix inverse logic error
We shouldn't early initialize when *offline*. Instead this accidentally
delayed initializing when if an online mode, however its likely not to
have been noticed as delaying initializing in online mode is supported
as well.
Philippe Antoine [Thu, 15 Sep 2022 13:26:46 +0000 (15:26 +0200)]
test: do not output non ascii character
The unit test for content |aa bz| transforms in place the string
str to replace the 2 characters aa by one character 0xaa
Then, when z is not recognized as a valid hexadeicmal character,
the whole modified string is printed out, inclusing the non-ascii
0xaa
Philippe Antoine [Mon, 25 Jul 2022 08:33:42 +0000 (10:33 +0200)]
detect: config keyword transaction logic fix
When the keyword config:logging disable,type tx is used,
OutputTxLog checks a flag to skip the transaction without logging
it, but AppLayerParserTransactionsCleanup waits for the
transaction to be marked as logged to clean it.
So, OutputTxLog now marks the tx as logged, so that it can
get cleaned away.
exceptions: ignore policy if stream.midstream=true
Set the engine to ignore the stream.midstream-policy if stream.midstream
is enabled.
If we had both stream.midstream AND stream.midstream_policy enabled,
this could lead to midstream flows being dropped (or bypassed, or...)
instead of being accepted by the engine, as it was probably meant when
the user enabled midstream flows.
This allows all traffic Exception Policies to be set from one
configuration point. All exception policy options are available in IPS
mode. Bypass, pass and auto (disabled) are also available in iDS mode
Exception Policies set up individually will overwrite this setup for the
given traffic exception.
Jason Ish [Sun, 15 Jan 2023 16:05:29 +0000 (10:05 -0600)]
dns: never return error on UDP DNS
UDP parsers should never return error as it should indicate to Suricata
that an unrecoverable error has occurred. UDP being record based for
the most part is almost always recoverable, at least for protocols like
DNS.
Jason Ish [Wed, 21 Dec 2022 01:30:29 +0000 (19:30 -0600)]
dns: validate header on every incoming message
As UDP streams getting probed, a stream that does not appear to be DNS
at first, may have a single packet that does look close enough to DNS
to be picked up as DNS causing every subsequent packet to result in a
parser error.
To mitigate this, probe every incoming DNS message header for validity
before continuing onto the body. If the header doesn't validate as
DNS, just ignore the packet so no parse error is registered.
Lukas Sismis [Wed, 28 Dec 2022 04:49:02 +0000 (11:49 +0700)]
runmodes: Determine engine's copy-mode as early as possible
Configuration and behavior of HTP app layer depends on the copy
mode of Suricata engine. Copy mode was set after the app layer setup.
Decision of engine's copy mode operation is now made earlier.
Lukas Sismis [Wed, 19 Oct 2022 21:17:49 +0000 (23:17 +0200)]
runmodes: change function prototype of runmode init functions
Commit contains prototype changes of RunModeSetLiveCaptureAutoFp and
RunModeSetLiveCaptureWorkers functions to move the IPS enable logic
out of suricata.c file.
projects / thirdparty / suricata.git / log
