Jason Ish [Tue, 27 Jun 2023 16:52:39 +0000 (10:52 -0600)]
log-pcap: one time errors on file open
If compression was not enabled, the open error was actually suppressed
by default by only being logged at info level, however with
compression it was logged as an error. As opening is retried as long
as it fails to open, make both log as error but wrap in a flag so the
error is logged once until success.
Jason Ish [Tue, 27 Jun 2023 16:25:24 +0000 (10:25 -0600)]
log-pcap: only open dumper after successful file open (lz4)
When LZ4 compression is enabled, open the dumper after successful open
of the file. The dump handle is what forms the check if opening the
file needs to be retried.
Philippe Antoine [Fri, 16 Jun 2023 13:28:38 +0000 (15:28 +0200)]
mime: compute full body md5
Previously, the problem was that nested headers/boundaries were not
used to compute the hash
Solution is to move up the call to the hash computation from
ProcessMimeBody to its caller ProcessMimeEntity, and add a set of
conditions to ensure that we are not in the principal headers.
Jason Ish [Mon, 26 Jun 2023 16:57:00 +0000 (10:57 -0600)]
eve/alert: warn on obsolete flags
Log a warning on obsolete flags. If the flag is to enable, do the
enable. But do not honor disable flags, as these could override the
new settings and cause hard to debug issues.
Jason Ish [Tue, 6 Jun 2023 22:04:56 +0000 (16:04 -0600)]
datasets: flag to disable "write" actions
Add a new configuration flag, "datasets.rules.allow-write" to control
if rules can contain "save" or "state" rules which allow write access
to the file system.
Jason Ish [Tue, 6 Jun 2023 21:32:18 +0000 (15:32 -0600)]
install: create runtime data directory
On installation, make sure the data directory is created. This will
usually be /var/lib/suricata/data, but otherwise follows the
autoconf/automake instructions.
This directory is for runtime state information, which for now is
datasets but may be expanded in the future. Suricata already expects
this directory to exist for "state" and "save" datasets, but it has
been up to the user to create it.
Jason Ish [Tue, 23 May 2023 21:17:59 +0000 (15:17 -0600)]
datasets: don't allow absolute or paths with directory traversal
For dataset filenames coming from rules, do not allow filenames that
are absolute or contain a directory traversal with "..". This prevents
datasets from escaping the define data-directory which may allow a bad
rule to overwrite any file that Suricata has permission to write to.
Add a new configuration option,
"datasets.rules.allow-absolute-filenames" to allow absolute filenames
in dataset rules. This will be a way to revert back to the pre 6.0.13
behavior where save/state rules could use any filename.
Shivani Bhardwaj [Tue, 23 May 2023 04:41:38 +0000 (10:11 +0530)]
smtp: handle long lines per direction
Issue:
Currently, while handling of long lines, if the line exceeded the limit,
we'd set a variable state->discard_till_lf which will be reset in the
later stages based on the data that arrives. However, because there was
one variable per state, this meant that a later stage in the other
direction could also modify it which is incorrect.
smtp: handle following cmd if LF was found in long line
If a long line had LF post the limit, it should be considered complete
and not wait for the next line to complete it. However, currently, any
following lines were skipped which could sometimes also be important
commands for the entire transaction.
Fix this by setting a flag in case we're truncating a long line but
after having found the LF character.
Before:
If the input was such that we'd enter DATA mode in the middle, the
entire data would be passed through SMTPGetLine fn and be processed with
line limits etc in place.
After:
Since we don't want any limits to be enforced on DATA, we pass it to
SMTPPreProcessCommands fn to take care of it differently from the
commands.
Cole Dishington [Wed, 24 May 2023 00:39:33 +0000 (12:39 +1200)]
decode-ipv6: Set IPv6 proto incase of ext header parsing error
Set the IPv6 packet proto before parsing the ext headers, similar to
decode-ipv4, incase of an ext header parsing error. Otherwise
rule decode-events are not triggered for packets encapsulated in IPv6.
Philippe Antoine [Wed, 31 May 2023 12:53:28 +0000 (14:53 +0200)]
http2: avoid quadratic complexity in headers
When adding an element to the dynamic headers table, the oldest
ones may get evicted. When multiple elements get evicted, they
should get evicted all at once with drain, instead of one by one
as there will be a massive move each time.
Jason Ish [Wed, 21 Dec 2022 01:30:29 +0000 (19:30 -0600)]
dns: validate header on every incoming message
As UDP streams getting probed, a stream that does not appear to be DNS
at first, may have a single packet that does look close enough to DNS
to be picked up as DNS causing every subsequent packet to result in a
parser error.
To mitigate this, probe every incoming DNS message header for validity
before continuing onto the body. If the header doesn't validate as
DNS, just ignore the packet so no parse error is registered.
In case LF was found for a long line way outside of the limit, we should
not need to update the delimiter len and current line len because the
line is capped at 4k and the LF was not within these 4k bytes.
So far, we store one variable in state to hold whether we want to
discard a long line till LF irrespective of direction. This means that a
long command to the client followed by a regular command w LF can be
considered as one long line which is incorrect.
Problem:
If we receive a long line w/o LF, we cap it to 4k bytes and wait until a
line with LF comes in order to consider the previous line complete. Any
data post the 4k bytes is discarded. Currently, if a line with LF comes
in after a long line, we reset all the parameters used for processing it
like the line.len and line.delim_len but we still make the call to
SMTPProcessRequest fn without even the need to process anything. Since
such a line (with len and delim_len set to 0) should not reach mime
decoder, a debug assertion triggers there in this case.
Fix:
Make sure to return early as the line has to be skipped and not
processed at all.
Lukas Sismis [Thu, 30 Mar 2023 08:59:40 +0000 (10:59 +0200)]
bpf: refactor the BPF code and postpone querying of the engine mode
BPF codebase queried engine mode earlier than it was determined from
the configuration file/command line. As a result it used the default (IDS)
mode where it could've been configured later on to the IPS mode.
This could lead into an undefined behavior as some Suricata modules behave
according to the engine mode.
PF-Ring, Netmap and AF-Packet all shared almost identical code for
determining the engine mode. It was put into one common function.
Omitted the usage of SCStrdup function in PF-Ring module as it is
uppercased during thread initialization phase.
Jason Ish [Mon, 1 May 2023 16:50:40 +0000 (10:50 -0600)]
detect: fix setting of flag for rule reload
As part of 6d8b50b748844e9de6010cde5a6b139148c0e937, the settings of
THV_CAPTURE_INJECT_PKT ended up in a location unreachable by capture
methods that did not have PktAcqBreakLoop.
Instead, always call TmThreadsCaptureBreakLoop which handles the logic
for how the read loop should be broken.
This fixes the case where read threads won't "break" for rule reloads
until packets are seen.
Victor Julien [Fri, 21 Apr 2023 08:21:17 +0000 (10:21 +0200)]
stream: fix minor scan-build warning
stream-tcp.c:134:14: warning: Value stored to 'presize' during its initialization is never read [deadcode.DeadStores]
uint64_t presize = SC_ATOMIC_GET(st_memuse);
^~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
Victor Julien [Fri, 21 Apr 2023 12:12:36 +0000 (14:12 +0200)]
mime: address scan-build warnings
util-decode-mime.c:189:31: warning: Use of memory after it is freed [unix.Malloc]
lastSibling->next = entity->child;
~~~~~~~~~~~~~~~~~ ^
util-decode-mime.c:827:24: warning: Potential leak of memory pointed to by 'val' [unix.Malloc]
state->hname = NULL;
^~~~
/usr/lib/llvm-16/lib/clang/16/include/stddef.h:89:24: note: expanded from macro 'NULL'
# define NULL ((void*)0)
^
2 warnings generated.
Improve error handling and add assert to avoid these warnings.
projects / thirdparty / suricata.git / log
