Merge branch 'master' into decouple_stream-bypass_from_tls-encrypted-…

…bypass-v1

.github/PULL_REQUEST_TEMPLATE.md

@@ -13,7 +13,11 @@ Describe changes:
 
 ### Provide values to any of the below to override the defaults.
 
-To use a pull request use a branch name like `pr/N` where `N` is the pull request number.
+To use a pull request use a branch name like `pr/N` where `N` is the
+pull request number.
+
+Alternatively, `SV_BRANCH` may also be a link to an
+OISF/suricata-verify pull-request.
 
 ```
 SV_REPO=

.github/workflows/builds.yml

@@ -117,7 +117,13 @@ jobs:
 
       - name: Fetching suricata-verify
         run: |
-          pr=$(echo "${SV_BRANCH}" | sed -n 's/^pr\/\([[:digit:]]\+\)$/\1/p')
+          # Looking for a pull request number. in the SV_BRANCH
+          # value. This could be "pr/NNN", "pull/NNN" or a link to an
+          # OISF/suricata-verify pull request.
+          pr=$(echo "${SV_BRANCH}" | sed -n \
+              -e 's/^https:\/\/github.com\/OISF\/suricata-verify\/pull\/\([0-9]*\)$/\1/p' \
+              -e 's/^pull\/\([0-9]*\)$/\1/p' \
+              -e 's/^pr\/\([0-9]*\)$/\1/p')
           if [ "${pr}" ]; then
               SV_BRANCH="refs/pull/${pr}/head"
               echo "Using suricata-verify pull-request ${SV_BRANCH}"

doc/userguide/configuration/multi-tenant.rst

@@ -4,31 +4,31 @@ Multi Tenancy
 Introduction
 ------------
 
-Multi tenancy support allows for different rule sets with different
-rule vars. These tenants can then be assigned to VLANs or interfaces
-(devices).
+Multi tenancy support allows different tenants to use different
+rule sets with different rule variables.
+
+Tenants are identified by their `selector`; a `selector` can be
+a VLAN, interface/device, or from a pcap file ("direct").
 
 YAML
 ----
 
-In the main ("master") YAML, the suricata.yaml, a new section called
-"multi-detect" should be added.
+Add a new section in the main ("master") Suricata configuration file -- ``suricata.yaml`` -- named ``multi-detect``.
 
 Settings:
 
-* enabled: yes/no -> is multi-tenancy support enabled
-* default: yes/no -> is the normal detect config a default 'fall back' tenant?
-* selector: direct (for unix socket pcap processing, see below), vlan or device
-* loaders: number of 'loader' threads, for parallel tenant loading at startup
-* tenants: list of tenants
+* `enabled`: yes/no -> is multi-tenancy support enabled
+* `selector`: direct (for unix socket pcap processing, see below), VLAN or device
+* `loaders`: number of `loader` threads, for parallel tenant loading at startup
+* `tenants`: list of tenants
 
   * id: tenant id (numeric values only)
   * yaml: separate yaml file with the tenant specific settings
 
-* mappings:
+* `mappings`:
 
-  * vlan id or device
-  * tenant id: tenant to associate with the vlan id / device
+  * VLAN id or device: The outermost VLAN is used to match.
+  * tenant id: tenant to associate with the VLAN id or device
 
 ::
 
@@ -93,12 +93,13 @@ configuration:
 
       ...
 
-vlanid
-~~~~~~
+vlan-id
+~~~~~~~
 
-Assign tenants to vlan id's.
+Assign tenants to VLAN ids. Suricata matches the outermost VLAN id with this value.
+Multiple VLANs can have the same tenant id. VLAN id values must be between 1 and 4094.
 
-Example of vlan mapping::
+Example of VLAN mapping::
 
     mappings:
     - vlan-id: 1000
@@ -110,13 +111,13 @@ Example of vlan mapping::
 
 The mappings can also be modified over the unix socket, see below.
 
-Note: can only be used if 'vlan.use-for-tracking' is enabled.
+Note: can only be used if ``vlan.use-for-tracking`` is enabled.
 
 device
 ~~~~~~
 
 Assign tenants to devices. A single tenant can be assigned to a device.
-Multiple devices can have the same tenant.
+Multiple devices can have the same tenant id.
 
 Example of device mapping::
 
@@ -152,7 +153,7 @@ Unix Socket
 Registration
 ~~~~~~~~~~~~
 
-register-tenant <id> <yaml>
+``register-tenant <id> <yaml>``
 
 Examples:
 
@@ -164,7 +165,7 @@ Examples:
   register-tenant 5 tenant-5.yaml
   register-tenant 7 tenant-7.yaml
 
-unregister-tenant <id>
+``unregister-tenant <id>``
 
 ::
 
@@ -174,8 +175,8 @@ unregister-tenant <id>
 Unix socket runmode (pcap processing)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The Unix Socket "pcap-file" command can be used to select the tenant
-to inspect the pcap against:
+The Unix Socket ``pcap-file``  command is used to associate the tenant with
+the pcap:
 
 ::
 
@@ -191,22 +192,22 @@ traffic2.pcap against tenant 2 and logs to /logs2/ and so on.
 Live traffic mode
 ~~~~~~~~~~~~~~~~~
 
-For live traffic currently only a vlan based multi-tenancy is supported.
+Multi-tenancy supports both VLAN and devices with live traffic.
 
-The master yaml needs to have the selector set to "vlan".
+In the master configuration yaml file, specify ``device`` or ``vlan`` for the ``selector`` setting.
 
 Registration
 ~~~~~~~~~~~~
 
-Tenants can be mapped to vlan id's.
+Tenants can be mapped to vlan ids.
 
-register-tenant-handler <tenant id> vlan <vlan id>
+``register-tenant-handler <tenant id> vlan <vlan id>``
 
 ::
 
   register-tenant-handler 1 vlan 1000
 
-unregister-tenant-handler <tenant id> vlan <vlan id>
+``unregister-tenant-handler <tenant id> vlan <vlan id>``
 
 ::
 

doc/userguide/security.rst

@@ -7,21 +7,21 @@ data. This combination deserves extra security precautions that we
 discuss below.
 
 Additionally, supply chain attacks, particularly around rule
-distribution could potentially target Suricata installations.
+distribution, could potentially target Suricata installations.
 
 Running as a User Other Than Root
 ---------------------------------
 
 .. note:: If using the Suricata RPMs, either from the OISF COPR repo,
-          or the EPEL repo the following is already configured for
+          or the EPEL repo, the following is already configured for
           you. The only thing you might want to do is add your
           management user to the ``suricata`` group.
 
 Many Suricata examples and guides will show Suricata running as the
 *root* user, particularly when running on live traffic. As Suricata
 generally needs low level read (and in IPS write) access to network
 traffic, it is required that Suricata starts as root, however Suricata
-does have the ability to drop down to a non-root user after startup
+does have the ability to drop down to a non-root user after startup,
 which could limit the impact of a security vulnerability in Suricata
 itself.
 
@@ -31,7 +31,7 @@ itself.
 Create User
 ~~~~~~~~~~~
 
-Before running as a non-root user you have to choose, and possibly
+Before running as a non-root user, you need to choose and possibly
 create the user and group that will Suricata will run as. Typically
 this user would be a sytem user with the name ``suricata``. Such a
 user can be created with the following command::
@@ -124,8 +124,9 @@ Containers
 ----------
 
 Containers such as Docker and Podman are other methods to provide
-isolation between Suricata and host machine running Suricata, however
-we still recommend running as a non-root user even in containers.
+isolation between Suricata and the host machine running Suricata.
+However, we still recommend running as a non-root user, even in
+containers.
 
 Capabilities
 ~~~~~~~~~~~~
@@ -141,5 +142,5 @@ Podman
 Unfortunately Suricata will not work with *rootless* Podman, this is
 due to Suricata's requirement to start with root privileges to gain
 access to the network interfaces. However, if started with the above
-capabilities, and configured to run as a non-root user it will drop
+capabilities, and configured to run as a non-root user, it will drop
 root privileges before processing network data.

doc/userguide/unix-socket.rst

@@ -42,11 +42,13 @@ example to write custom scripts:
 
 Commands in standard running mode
 ---------------------------------
-You may need to install ``suricatasc`` if you have not done so, running the following command from python/suricatasc
+Runnable script for suricatasc is available in `python/bin` directory of suricata. You can
+run it with the following commands.
 
 ::
 
-  sudo python setup.py install
+  cd python
+  sudo ./bin/suricatasc
 
 The set of existing commands is the following:
 

python/Makefile.am

@@ -26,7 +26,7 @@ install-exec-local:
 	install -d -m 0755 "$(DESTDIR)$(prefix)/lib/suricata/python/suricatasc"
 	install -d -m 0755 "$(DESTDIR)$(prefix)/bin"
 	for src in $(LIBS); do \
-		install $(srcdir)/$$src "$(DESTDIR)$(prefix)/lib/suricata/python/$$src"; \
+		install -m 0644 $(srcdir)/$$src "$(DESTDIR)$(prefix)/lib/suricata/python/$$src"; \
 	done
 	install suricata/config/defaults.py \
 		"$(DESTDIR)$(prefix)/lib/suricata/python/suricata/config/defaults.py"

python/bin/suricatasc

@@ -1,6 +1,6 @@
 #! /usr/bin/env python
 #
-# Copyright(C) 2013-2022 Open Information Security Foundation
+# Copyright(C) 2013-2023 Open Information Security Foundation
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -69,8 +69,16 @@ except SuricataReturnException as err:
     sys.exit(1)
 
 if args.command:
-    (command, arguments) = sc.parse_command(args.command)
-    res = sc.send_command(command, arguments)
+    try:
+        (command, arguments) = sc.parse_command(args.command)
+    except SuricataCommandException as err:
+        print(err.value)
+        sys.exit(1)
+    try:
+        res = sc.send_command(command, arguments)
+    except (SuricataCommandException, SuricataReturnException) as err:
+        print(err.value)
+        sys.exit(1)
     print(json.dumps(res))
     sc.close()
     if res['return'] == 'OK':