The engine uses p.alerts.cnt as an index to access the packet alert that
has the `pass` action for the verdict.
For IDS/IPS mode, a `pass` will always be the last signature in the
alert queue. However, that position could be either `p.alerts.cnt` or
`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert`
keyword or not.
This patch fixes corner-case scenarios of:
- accessing an index out of boundaries
- off-by-one access
Without changing how the engine increments the alerts.cnt, as this is
used in many places, and would be a more invasive change.
It checks the two different scenarios, plus the case when there is only
a single match as a silent `pass` rule.
Usage of Vec<u8> instead of Box<u8> gave the ability to callers
to grow the buffer (indefinitely)
This was regressed in 16fee333687d9fac72a1cf5d37ff08bfb780b3ed
Additionally, use Rust WriteZero instead of WouldBlock as a more
fitting error when the cursor is full, as that error kind is the
one tested by callers.
Li Heng [Fri, 31 Oct 2025 02:01:17 +0000 (10:01 +0800)]
snmp: can be set to detection-only
Realloc alp_ctx.ctxs when a dynamic alproto is registered and
g_alproto_max increases. So dynamic alproto can be treated as
real/normal ones. And app-layer switch can be set to any value
of no/detection-only/yes.
Andreas Dolp [Wed, 29 Oct 2025 20:43:04 +0000 (21:43 +0100)]
python/Makefile.am: fix file permissions of python/suricata/config/defaults.py
The install command, by default, sets 0755 if -m is not specified, so the
file python/suricata/config/defaults.py will be marked as an executable,
though it isn't.
Victor Julien [Fri, 31 Oct 2025 08:38:55 +0000 (09:38 +0100)]
lua: remove luajit pushlstring workaround
81ee6f5aadeb ("lua: push correct length back through ScFlowvarGet, work around valgrind warning")
added a workaround for valgrind warnings in pushing a string buffer
into the lua state. This is no longer needed as tested with both
address sanitizer and valgrind.
Shivani Bhardwaj [Sat, 11 Oct 2025 08:45:37 +0000 (14:15 +0530)]
applayer/tls: do not free SAN for decoding error
SSL connp maintains all the state and certificate data that was
parsed/decoded successfully and it must retain that for later usage.
There should be just one place to free this object which is SSLStateFree
for both the directions. By freeing the connp data during parsing error,
there is room for memory errors.
This works so far because the field parsed after this cannot error out so
if there's an error parsing this, it anyway does not exist. However, this
is incorrect and leaves scope for mistakes.
Remove this extra free and treat SAN like all other TLS keywords.
Lukas Sismis [Sun, 3 Nov 2024 19:09:55 +0000 (20:09 +0100)]
github-ci: bump up tested DPDK versions
Ubuntu 20.04, distro suited at the time for 8.0.x, still contains
DPDK 19.11 in the pkg repository, so it keeps being build-tested as
opposed to the 9.0.x version.
DPDK Bonding API has been changed in DPDK version 23.11 where
the old *slave* API was marked as deprecated and the new *member*
API was marked as experimental.
This was unfortunately executed by marking both API variants
at the same time. The deprecated version is removed from the follow
up versions while the experimental version will become stable
in the next DPDK releases. This is based on a policy in DPDK where
an API change needs to be merged in main for 1 stable release before
removing the experimental flag.
In DPDK 24.11 this has been fixed and warning suppression is not
added.
The exclude function incorrectly performs an XOR operation. While it
works when the worker cores occupy all cores, it is not the correct
operation. For example, when a core is affined to only management
and not worker threads, the XOR operation affines it to the worker set.
(1 XOR 0 -> 1, where in fact the desired outcome is 0)
Jeff Lucovsky [Fri, 3 Oct 2025 14:18:03 +0000 (10:18 -0400)]
output: Display ethertype properly
Ethertype values are now converted from network format to host format
before display occurs. Displayed values are now in hex instead of
integers.
Without this change, ethertype values such as 0xfbb7 are
displayed in decimal as: 47099 (0xb7fb).
The actual value is 64439 (0xfbb7); all logged ether_type values
will be displayed in host order in decimal format. This example
will log the ether type as 64439.
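The conversion described above, as an added example that is not code from Suricata: the EtherType field sits at offset 12 of an Ethernet II header in network (big-endian) byte order, so it must pass through ntohs() before being compared or logged. The frame bytes below are constructed for the demonstration, and the helper names are hypothetical. Reading the two wire bytes straight into a uint16_t on a little-endian host yields the byte-swapped value the commit mentions (0xb7fb for 0xfbb7); the converted value is correct on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Ethernet II header: dst MAC (6), src MAC (6), EtherType (2, big-endian). */
#define ETH_TYPE_OFFSET 12
#define ETH_HEADER_LEN  14

/* Constructed header, not a capture: the EtherType bytes on the wire are fb b7. */
static const uint8_t frame[ETH_HEADER_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* destination MAC */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* source MAC */
    0xfb, 0xb7                            /* EtherType 0xfbb7 in network order */
};

/* Wrong: copy the two wire bytes into a uint16_t and treat the result as a
 * host-order integer. On a little-endian host this returns 0xb7fb (47099). */
static uint16_t ethertype_raw(const uint8_t *hdr)
{
    uint16_t v;
    memcpy(&v, hdr + ETH_TYPE_OFFSET, sizeof v);
    return v;
}

/* Right: the field is network byte order, so convert with ntohs() first.
 * Returns 0xfbb7 (64439) regardless of host endianness. */
static uint16_t ethertype_host(const uint8_t *hdr)
{
    return ntohs(ethertype_raw(hdr));
}

/* Format for logging as zero-padded hex, the display form the commit adopts. */
static int format_ethertype(uint16_t t, char *out, size_t n)
{
    return snprintf(out, n, "0x%04x", (unsigned)t);
}

/* Convenience check: does the header's EtherType format as 'expected'? */
static bool ethertype_formats_as(const uint8_t *hdr, const char *expected)
{
    char buf[8];
    format_ethertype(ethertype_host(hdr), buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    uint16_t raw = ethertype_raw(frame);
    uint16_t host = ethertype_host(frame);
    char buf[8];
    format_ethertype(host, buf, sizeof buf);
    printf("raw read: %u (0x%04x)  after ntohs: %u (%s)\n",
           (unsigned)raw, (unsigned)raw, (unsigned)host, buf);
    return 0;
}
```

Only the converted value is worth asserting on: the raw read depends on the host's endianness, which is exactly why it must not be logged.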
Jason Ish [Sun, 19 Oct 2025 01:00:51 +0000 (19:00 -0600)]
ci: remove cargo update test
Being the stable branch, cargo update doesn't make much sense unless we
have a specific reason to update a crate. The audit check has been
left, which will alert us to crates that may need an update.
Philippe Antoine [Mon, 22 Sep 2025 13:41:39 +0000 (15:41 +0200)]
detect/files: support protocols only over udp
Ticket: 7973
Files were supported on both TCP and UDP. But file detection keywords
such as file.data made signature loading fail if the signature
was using an app-layer protocol that was enabled on UDP only, even
if the signatures could run smoothly.
Fupeng Zhao [Tue, 24 Jun 2025 06:27:26 +0000 (14:27 +0800)]
decoder/vxlan: fix VXLAN port detection per RFC 7348
Simplify DecodeVXLANEnabledForPort() to only check destination port
to avoid false positives when identifying VXLAN traffic.
Per RFC 7348 §5, VXLAN identification is based solely on the outer UDP
destination port (4789), regardless of inner packet direction. The
outer UDP source port is used for load balancing via inner packet
hash and should not be considered for VXLAN detection. This ensures
correct VXLAN identification for all encapsulated traffic patterns.
Checking both source and destination ports could incorrectly classify
non-VXLAN UDP traffic as VXLAN when the source port happens to be 4789,
leading to false positives in VXLAN detection and potential decode errors.
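The two classification rules contrasted above, as an added example that is not Suricata's DecodeVXLANEnabledForPort(): a hypothetical "either port" check beside the RFC 7348 destination-port-only check, run over a handful of constructed UDP port pairs (not captured traffic). The vector where a DNS query happens to use 4789 as its ephemeral source port is the false positive the commit describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA-assigned VXLAN UDP destination port (RFC 7348 section 5). */
#define VXLAN_UDP_PORT 4789

/* 'Before' behaviour (hypothetical model, not the project's code): treat a
 * datagram as VXLAN when either the source or the destination port matches. */
static bool vxlan_match_either_port(uint16_t sport, uint16_t dport)
{
    return sport == VXLAN_UDP_PORT || dport == VXLAN_UDP_PORT;
}

/* RFC 7348 behaviour: only the outer UDP destination port identifies VXLAN.
 * The source port carries a hash of the inner frame for load balancing and
 * may legitimately take any value, so it is ignored. */
static bool vxlan_match_dst_port(uint16_t sport, uint16_t dport)
{
    (void)sport; /* intentionally not considered */
    return dport == VXLAN_UDP_PORT;
}

/* Constructed test vectors with the expected classification. */
struct udp_ports {
    uint16_t sport, dport;
    bool is_vxlan;
    const char *desc;
};

static const struct udp_ports vectors[] = {
    { 50231, 4789, true,  "encapsulator using a hashed source port" },
    { 4789,  4789, true,  "encapsulator that also uses 4789 as source" },
    { 4789,  53,   false, "DNS query whose ephemeral source port is 4789" },
    { 12345, 4790, false, "unrelated UDP traffic" },
};

#define NVECTORS (sizeof(vectors) / sizeof(vectors[0]))

/* Count how many vectors a classifier labels incorrectly. */
static int count_misclassified(bool (*classify)(uint16_t, uint16_t))
{
    int bad = 0;
    for (size_t i = 0; i < NVECTORS; i++) {
        if (classify(vectors[i].sport, vectors[i].dport) != vectors[i].is_vxlan)
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("either-port check mislabels %d of %zu vectors\n",
           count_misclassified(vxlan_match_either_port), NVECTORS);
    printf("dst-port-only check mislabels %d of %zu vectors\n",
           count_misclassified(vxlan_match_dst_port), NVECTORS);
    for (size_t i = 0; i < NVECTORS; i++) {
        printf("  %5u -> %5u  %-45s either=%d dst=%d\n",
               (unsigned)vectors[i].sport, (unsigned)vectors[i].dport, vectors[i].desc,
               vxlan_match_either_port(vectors[i].sport, vectors[i].dport),
               vxlan_match_dst_port(vectors[i].sport, vectors[i].dport));
    }
    return 0;
}
```

Note that both checks agree on every genuine VXLAN vector, including the one with 4789 on both sides; the change only removes misclassifications, it does not lose encapsulated traffic.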
Jeff Lucovsky [Sat, 27 Sep 2025 12:00:15 +0000 (08:00 -0400)]
mt/ci: Add MT live test
Add MT live test capability:
- multi-tenant.sh: harness that sets up and steps through MT steps
- suricata-mt.yaml: Adds MT capability to Suricata
- tenant-1.yaml: Per-tenant configuration file
lua: fix null dereference in tx HTTP accessor functions
Fix crashes in Lua when calling tx:response_line(), tx:request_line(),
tx:request_uri_raw(), or tx:request_host() on incomplete or malformed
HTTP transactions.
These functions return bstr pointers which may be NULL. Add NULL
checks before calling bstr_ptr() and bstr_len() to avoid segfaults.
Added a page that explains how rules are prioritized by Suri, as well
as which main types of inspection happen and what elements are
involved when ordering rules.
Victor Julien [Wed, 10 Sep 2025 14:06:11 +0000 (16:06 +0200)]
unix-socket: address scan-build warning
CC unix-manager.o
unix-manager.c:258:13: warning: Use of memory after it is freed [unix.Malloc]
258 | if (item->fd == fd) {
| ^~~~~~~~
1 warning generated.
Shivani Bhardwaj [Fri, 20 Jun 2025 09:57:27 +0000 (15:27 +0530)]
doc: add doc on internals of inspection of raw data
Explain briefly the internals of inspection of raw data in the following order:
- Stream Engine
- Stream reassembly
- Role of Detection Engine and Applayer Parsers
- High level communication between Stream and Detection Engine
- Relevant suricata.yaml settings
Add information about:
- available tables, default policies and rule ordering
- Packet layer and applayer tables and hooks
- engine analysis output
- commandline options available
- how to load firewall rules
Also, reorganize sections and content to assist the definitions.
Victor Julien [Wed, 3 Sep 2025 16:38:11 +0000 (18:38 +0200)]
stream: workaround scan-build warnings
stream-tcp.c:1938:16: warning: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'tail') [core.NullDereference]
1938 | tail->next = old_head;
| ~~~~ ^
1 warning generated.
stream-tcp.c:1982:5: warning: Potential leak of memory pointed to by 'q' [unix.Malloc]
1982 | ssn->queue_len++;
| ^~~
1 warning generated.
Victor Julien [Mon, 1 Sep 2025 12:51:56 +0000 (14:51 +0200)]
stream: add more liberal timestamp behavior in 3WHS
RFC 7323 forbids a server to respond with a timestamp option in the
SYN/ACK when the SYN didn't have a timestamp option:
A TCP MAY send the TSopt in an initial <SYN> segment (i.e., segment
containing a SYN bit and no ACK bit), and MAY send a TSopt in
<SYN,ACK> only if it received a TSopt in the initial <SYN> segment
for the connection.
Once TSopt has been successfully negotiated, that is both <SYN> and
<SYN,ACK> contain TSopt, the TSopt MUST be sent in every non-<RST>
segment for the duration of the connection, and SHOULD be sent in an
<RST> segment (see Section 5.2 for details).
However, in the real world this pattern happens on benign traffic. This
would lead to missing logs and detection, and in IPS mode such sessions
would be blocked.
This patch allows this pattern when the `stream.liberal-timestamps` is
enabled (enabled by default).
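The RFC 7323 rule and the liberal relaxation described above, as an added example that is not Suricata's stream engine code: a small TCP options walker that reports whether a well-formed TSopt (kind 8, length 10) is present, plus a decision helper whose `liberal` flag models the `stream.liberal-timestamps` behaviour. The option fields are constructed, not captured; the function names are hypothetical. The walker rejects truncated or zero-length options so that a malformed options field is never taken as a negotiated timestamp.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP option kinds (RFC 793, RFC 7323). */
#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_TS  8
#define TCPOLEN_TS 10

/* Walk a TCP options area and report whether a well-formed TSopt is present.
 * Returns false on any malformed option (truncated or bogus length). */
static bool tcp_has_tsopt(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL)
            return false;                      /* end of option list */
        if (kind == TCPOPT_NOP) {
            i++;                               /* single-byte padding */
            continue;
        }
        if (i + 1 >= len)
            return false;                      /* length byte missing */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len)
            return false;                      /* option overruns the field */
        if (kind == TCPOPT_TS && olen == TCPOLEN_TS)
            return true;
        i += olen;
    }
    return false;
}

/* RFC 7323: a SYN/ACK MAY carry TSopt only if the SYN carried it. The commit
 * tolerates the forbidden combination (TSopt in SYN/ACK, none in SYN) when
 * liberal timestamps are enabled; every other combination is accepted as-is. */
static bool synack_tsopt_acceptable(const uint8_t *syn_opts, size_t syn_len,
                                    const uint8_t *synack_opts, size_t synack_len,
                                    bool liberal)
{
    bool syn_ts = tcp_has_tsopt(syn_opts, syn_len);
    bool synack_ts = tcp_has_tsopt(synack_opts, synack_len);
    if (synack_ts && !syn_ts)
        return liberal;
    return true;
}

/* Constructed option fields (not captures).
 * SYN without TSopt: MSS 1460, NOP, wscale 7, SACK permitted, NOP, NOP. */
static const uint8_t syn_no_ts[] = { 2, 4, 0x05, 0xb4, 1, 3, 3, 7, 4, 2, 1, 1 };
/* SYN with TSopt: MSS 1460, SACK permitted, TSopt(TSval=1, TSecr=0), NOP, wscale 7. */
static const uint8_t syn_with_ts[] = { 2, 4, 0x05, 0xb4, 4, 2,
                                       8, 10, 0, 0, 0, 1, 0, 0, 0, 0, 1, 3, 3, 7 };
/* SYN/ACK with TSopt: MSS 1460, NOP, NOP, TSopt(TSval=1, TSecr=0), NOP, wscale 7. */
static const uint8_t synack_with_ts[] = { 2, 4, 0x05, 0xb4, 1, 1,
                                          8, 10, 0, 0, 0, 1, 0, 0, 0, 0, 1, 3, 3, 7 };
/* Truncated TSopt: length claims 10 bytes but only 6 are present. */
static const uint8_t synack_truncated[] = { 8, 10, 0, 0, 0, 1 };

int main(void)
{
    printf("SYN has TSopt: %d, SYN/ACK has TSopt: %d, truncated parses as TSopt: %d\n",
           tcp_has_tsopt(syn_no_ts, sizeof syn_no_ts),
           tcp_has_tsopt(synack_with_ts, sizeof synack_with_ts),
           tcp_has_tsopt(synack_truncated, sizeof synack_truncated));
    printf("strict: %d  liberal: %d\n",
           synack_tsopt_acceptable(syn_no_ts, sizeof syn_no_ts,
                                   synack_with_ts, sizeof synack_with_ts, false),
           synack_tsopt_acceptable(syn_no_ts, sizeof syn_no_ts,
                                   synack_with_ts, sizeof synack_with_ts, true));
    return 0;
}
```

With the strict rule the constructed SYN/SYN-ACK pair is rejected, which is the missed-logging and IPS-blocking outcome the commit describes; with the liberal flag it is accepted, while a pair that negotiated TSopt on both sides is accepted either way.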
Victor Julien [Wed, 20 Aug 2025 10:43:27 +0000 (12:43 +0200)]
stream: improve SYN and SYN/ACK retransmission handling
Take SEQ and ACK into account for more scenarios.
SYN on SYN_SENT
In this case the SYN packets with different SEQ and other properties are
queued up. Each packet updates the ssn to reflect the last packet to
come in. The old ssn data is added to a TcpStateQueue entry in
TcpSession::queue. If the max queue length is exceeded, the oldest entry
is evicted. The queue is actually a single linked list, where the list
head reflects the oldest entry.
SYN/ACK on SYN_SENT
In this case the first check is if the SYN/ACK matches the session. If
it doesn't, the queue is checked to see if there are SYNs stored. If one is
found that matches, it is used and the session is updated to reflect
that.
SYN/ACK on SYN_RECV
SYN/ACK resent on the SYN_RECV state. In this case the ssn is updated
from the current packet. The old settings are stored in a TcpStateQueue
entry in the TcpSession::queue.
ACK on SYN_RECV
Checks any stored SYN/ACKs before checking the session. If a queued
SYN/ACK was found, the session is updated to match it.
Thomas Winter [Wed, 9 Apr 2025 03:17:08 +0000 (15:17 +1200)]
decode/pppoe: Don't mark expected PPP protos as unsupported
After upgrading from 7.0.6 to 7.0.8, regular ppp packets are getting
dropped when ppp rules in decoder-events.rules were set as drop.
This was caused by commit a8f35806 ("detect: fix decoder only events").
Previously these rules would not be alerted or dropped.
It turns out several PPP protocols in a switch statement were falling
into the PPP_UNSUP_PROTO case. This has always been the case; I assume
the intention was that they don't get further inspected for size and
other decode errors, hence unsupported.
But really some of the protocols are fundamentally required for a PPP
connection to take place.
Change some types that we know should be allowed to pass this.