Decouple stream.bypass dependency from TLS encrypted bypass #9127

de_ctx->dport_hash_table is already set to NULL in the fn DetectPortHashFree which is called right before this setting. Remove the redundant setting.

Either the BUG_ON condition would hit or PORT_ER. Prefer to return error in case of an error as the fn expects that.

The comment seems to have come from the enum for addresses where IPv4 and IPv6 matters.

Also, add comments to clarify what's happening in the code.

We had unkonwn message type for the backend, but not the frontend messages. It's important to better identify those to improve pgsql probing functions. Related to Bug OISF#6080

Some non-pgsql traffic seen by Suricata is mistankenly identified as pgsql, as the probing function is too generic. Now, if the parser sees an unknown message type, even if it looks like pgsql, it will fail. Bug OISF#6080

With the changes in the probing_ts function, this other one could become obsolete. Remove it, and directly call `parser::parse_request` when checking for gaps, instead.

legacy map definition is removed from libbpf1.0+. update the legacy map definition to BTF defined map. Distros with < libbpf1.0 (0.5, 0.6, 0.7, 0.8) bpf_helpers.h support BTF map definition, this change does not break old libbpf and support new libpbf1.0+. Bug: OISF#6250 Signed-off-by: Vincent Li <[email protected]> Co-authored-by: Victor Julien <[email protected]>

Signed-off-by: jason taylor <[email protected]>

If the logging of the password is disabled, there isn't much point in logging the password message itself.

This commit takes care of original seconds value and prevents the useconds field from overflowing pas its maximum value. Issue: 6372

Initialize both seconds and useconds of packet timestamp from napatech timestamp format. This commit uses updated macro definitions from util-utime.h to avoid zero seconds value. Issue: 6372

Fix SCTIME_ADD_SECS zeroing subsecond part When adding s seconds to SCtime_t ts, don't zero out the ts.usecs field. Issue: 6584 Fix SCTIME_FROM_TIMESPEC garbage microseconds part When converting nanosecond to microseconds divide by 1000 instead of multiplying by 1000. Issue: 6585

Hitting the recursion limit should be rare.

This is a convinience addition to abstract away the internals of the InspectionBuffer in keyword specific detection code.

Integrate with rest of content inspect code.

Use stack local var instead of DetectEngineThreadCtx member. Instead setup a stack local struct that both counts and holds the limit. Make sure the limit is a const so we can avoid rereading it. This is part of an effort to reduce the size of the DetectEngineThreadCtx structure and reduce the number of memory writes to it. Additionally, it is part of an effect to reduce the number of places where detection tracks various forms of state.

Flatten else branches after terminating ifs.

Since recursive content matching goes through the buffer from left to right, it is possible to bail early when isdataat is part of the recursive checking. If `isdataat:50,relative` fails for offset 10, it will surely also fail for offset 20. So break inspection in such cases. The exception is for dynamic isdataat, where the value is determined by a prior byte_extract that may be updated during the recursion.

DetectEngineThreadCtx::replist is managed elsewhere.

Adjust includes to enable this.

Move reference count to top of DetectEngineThreadCtx, to move it to the same cache line as the other members that are checked first in Detect().

Move members used by DetectEngineContentInspection() to the same cache line.

Parallel builds caused issues during `cargo vendor`. So do just a single thread build. make[4]: Entering directory '/__w/suricata/suricata/rust' cbindgen --config /__w/suricata/suricata/rust/cbindgen.toml \ --quiet --output /__w/suricata/suricata/rust/dist/rust-bindings.h CARGO_HOME="/github/home/.cargo" /usr/bin/cargo vendor Blocking waiting for file lock on package cache Blocking waiting for file lock on package cache ERROR: Couldn't execute `cargo metadata` with manifest "/__w/suricata/suricata/rust/Cargo.toml": Metadata(Output { status: ExitStatus(unix_wait_status(25856)), stdout: "", stderr: " Blocking waiting for file lock on package cache\n Blocking waiting for file lock on package cache\nerror: failed to download `adler v1.0.2`\n\nCaused by:\n unable to get packages from source\n\nCaused by:\n failed to parse manifest at `/github/home/.cargo/registry/src/github.com-1ecc6299db9ec823/adler-1.0.2/Cargo.toml`\n\nCaused by:\n no targets specified in the manifest\n either src/lib.rs, src/main.rs, a [lib] section, or [[bin]] section must be present\n" }) ERROR: Couldn't generate bindings for /__w/suricata/suricata/rust. make[4]: *** [Makefile:597: dist/rust-bindings.h] Error 1 make[4]: *** Waiting for unfinished jobs....

There is nothing Address specific going on in the preparations. Stage 1: Preprocessing happens. Sigs classified as IP Only, Masks applied, content specific limits applied, etc and sig array built. Stage 2: Sigs grouped by IPOnly, ports and protocols. Stage 3: Decoder Events SGH built. Stage 4: File flags set, sig grouping done per prefilter, etc.

The flag SIG_FLAG_MPM_NEG is set before whitelisting the rules. Make it better by checking for the flag in the beginning and return immediately.

DETECT_FLOWBITS_CMD_NOALERT is misleading as it gives an impression that noalert is a flowbit specific command that'll be used and dealt with at some point but as soon as noalert is found in the rule lang, signature flag for noalert is set and control is returned. It never gets added to cmd of the flowbits object.

Ticket: 6547

Issue: 6527 Ensure that the `map->string` memory isn't leaked following an error return from `HashListTableAdd`

Issue: 6527 Address the FP raised by cppcheck -- note that although the code corectly checks to ensure that `to_shift != &sb->reqion`, the logic was detected as a FP. Rework the code to eliminate the FP.

Add clang-format-14 as the preferred version, this is the default on Ubuntu 22.04.

Update the formatting CI job to Ubuntu 22.04 to get a newer version of clang-format, in this case clang-format-14.

TCP memory use can be higher than expected in certain configs. Ticket: OISF#6552.

Bug: OISF#6618. Fix Endace ERF to SCTime_t timestamp conversion Fix typo preventing compilation with --enable-dag

Task OISF#6309

The old DetectAppLayerMpmRegister has not been around since 4.1.x. Rename the v2 of this function to a versionless function as there is no documentation referring to what the 2 means.

Rename DetectAppLayerInspectEngineRegister2 to DetectAppLayerInspectEngineRegister as there is no other variant of this function, and the versioning with lack of supporting documentation can lead to confusion.

Version 1 of the API no longer exists.

DNS request and response messages follow the same format so there is no reason not to use the same data structure for each. While its unlikely to see fields like answers in a request, the message format does not disallow them, so it might be interesting data to have the ability to log.

This sticky buffer will allow content matching on the answer names. While ansers typically only occur in DNS responses, we allow the buffer to be used in request context as well as the request message format allows it. Feature: OISF#6496

This buffer is much like dns.query_name but allows for detection in both directions. Feature: OISF#6497

SCDnsTxGetQueryName was introduced to allow for getting the query name in responses as well as requests, so covers the functionality of rs_dns_tx_get_query_name.

With some other minor cleanups in the DNS keyword section.

Gives more detail about memory use.

Bug: OISF#6615

To avoid negative values to be misrepresented. Bug: OISF#6615.

To avoid future problems with overlapping flag values, give bytejump its own DETECT_BYTEJUMP_OFFSET_VAR flag. The values are currently not overlapping, so this patch should have no side effects.

Just one used during debugging.

This puts the logic in line with the other payload inspection functions.

Flag will be set during list(s) setup if needed.

This is called so many times that it seems to make sense that we use a function for this.

A CanceldRequest can occur after any query request, and is sent over a new connection, leading to a new flow. It won't take any reply, but, if processed by the backend, will lead to an ErrorResponse. Task OISF#6577

Add a more visible explanation of that requests, responses, frontend and and backend are, in Pgsql context, to avoid having to repeat that over different portions of the docs.

Even when on detection-only mode. So that we always have enip_tcp and enip_udp in stats and never just `enip`. Ticket: 6304

./stats/app_layer/error/modbus

Ticket: 6633

The `ConsolidatedDataRow` struct had a `length` field that wasn't truly used. Related to Bug OISF#6389

As the feature module is not available for Rust unit tests, a mock version is also provided.

Add a new rule keyword "requires" that allows a rule to require specific Suricata versions and/or Suricata features to be enabled. Example: requires: feature geoip, version >= 7.0.0, version < 8; requires: version >= 7.0.3 < 8 requires: version >= 7.0.3 < 8 | >= 8.0.3 Feature: OISF#5972 Co-authored-by: Philippe Antoine <[email protected]>

Add a "pre-scan" rule parse that will check for requires statement. It will return a special error code (-4) if the requires fails due to missing requirements. Syntactic errors will also abort parsing here. Feature: OISF#5972

During the pre-scan for "requires", also parse the SID if possible. If the rule fails high level parsing (syntax), the SID will not be parsed. But every keyword other than "sid" and "requires" should expect to be provided with a parsed sid.

Rule skipped is a count of the number of rules that are skipped due to missing requirements. Feature: OISF#6637

Issue: 6387 This commit moves the configuration logic to Rust.

This could be justified from a semantic point of view, and also can help in bringing more attention to where this information is, as it is less hidden, now. Also add Dev Guide as one of our resources in our Readme.

This section seemed to aim both at PR reviewers and PR authors at the same time, even though some info is probably of low value for contributors. Created new section for PR reviewers and maintainers, and kept the info for PR authors separated. Also highlighted information on requested changes and stale PRs.

If a commit introduces code that changes Suricata behavior, the related documentation changes should go in a separate commit, but refer to the same ticket number. This reduces the chances of said changes being lost if there are backports while still keeping the backporting process a bit less bulky, for each commit. Related to Task OISF#6568

Task OISF#6568

Update the list of active branches to include 7 renaming and new master, link to backports document.

Sphinx and RtD sometimes render lists in weird ways. The communication channels list barely looked like one, at all...

As clippy began to complain about jsonbuilder.rs

Ticket: 6656

Have these options documented, so that whoever writes rule-related documentation can easily know what they could use to make the doc look better.

As this keyword has 4 mandatory arguments, and some examples had only three... Ticket: 6629

Found by oss-fuzz with quadfuzz. Cf https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63113 According to PostgreSQL documentation the maximum number of rows can be the maximum of tuples that can fit onto max u32 pages - 4,294,967,295 (cf https://www.postgresql.org/docs/current/limits.html). Some rough calculations for that indicate that this could go over max u32, so updating the data_row data type to u64. Bug OISF#6389

When reading a pcap, packet time can move much faster than wall clock time. This would trigger many more profile syncs than before. As the sync is using a lock to synchronize with other threads, this is an expensive operation. Bug: OISF#6619. Fixes: b591813 ("profiling/rules: reduce sync logic scope")

Hint compiler about this.

No need to put it into a per ctx flag.

Remove u16 cast. Remove debug assert for u16 size. In 83ed2c3 the input was changed to u32

pcre2_match_data is created per thread when needed.

All matching is done as part of content inspection.

Test mixing of negation, endswith and depth.

Option meant for testing performance of rule engine w/o prefilter optimizations.

Fix offset calculation on sigs with negative distance. Can lead to FN in certain cases. Bug: OISF#6661.

Add most common condition first.

Update frame prototype as well, to match already returned true/false values.

Added nothing over alproto check already in place.

Don't loop multiple times over the per group sig array.

Most of the time FlowGetFlowFromHash will succeed.

Use jb_append_string_from_bytes() as it works better than BytesToString+jb_append_string when logging binary data. Bug: OISF#6664.

To avoid costly string operations.

Ticket: 6546

The shutdown(2) syscall would always return ENOTCONN for FreeBSD 11, FreeBSD 12, FreeBSD 13 and FreeBSD 14. It could do some action on the socket in the kernel in FreeBSD 10 and before, did not test.

Which will be optimized away by the compiler

using panic! instead with a string message

warning: this is a decimal constant --> src/mqtt/parser.rs:888:19 | 888 | 0x00, 06, /* Topic Length: 6 */ | ^^ |

warning: calls to `push` immediately after creation --> src/pgsql/parser.rs:1179:9 | 1179 | / let mut database_param: Vec<PgsqlParameter> = Vec::new(); 1180 | | database_param.push(database); | |______________________________________^ help: consider using the `vec![]` macro: `let database_param: Vec<PgsqlParameter> = vec![..];`

warning: you seem to be trying to use `match` for destructuring a single pattern. Consider using `if let` --> src/http2/parser.rs:882:17 | 882 | / match ctx.value { 883 | | Some(_) => { 884 | | panic!("Unexpected value"); 885 | | } 886 | | None => {} 887 | | } | |_________________^

error: this match could be written as a `let` statement --> src/nfs/nfs3_records.rs:747:9 | 747 | / match result { 748 | | (r, request) => { 749 | | assert_eq!(r.len(), 0); 750 | | assert_eq!(request.handle, expected_handle); 751 | | assert_eq!(request.name_vec, br#"bln"#); 752 | | } 753 | | } | |_________^

fixes unused_unit warning: unneeded unit expression --> src/bittorrent_dht/parser.rs:590:5 | 590 | / #[test_case( 591 | | b"", 592 | | "Error: discovered Dict but expected EOF" ; 593 | | "test parse bittorrent dht packet err 1" 594 | | )] | |______^

When running Suricata in XDP bypass mode (bypass: yes), Suricata started up with error: Error: threads: thread "FB" failed to start in time: flags 0003 "FB" thread does not transition from THV_INIT_DONE to THV_RUNNING. Set "FB" thread THV_RUNNING state in BypassedFlowManager(). Bug: OISF#6254 Signed-off-by: Vincent Li <[email protected]>

Factor out dns.authorities to a definition.

Issue: 6347

Issue: 6347 Remove sguil-mode pcap logging capability.

Issue: 6347

Issue: 6605 Flash decompression will remain so the deprecation notice is not needed.

sig_array_size can easily be calculated with length and is only used at one place for debugging purposes. Remove it from the DetectEngineCtx struct to avoid making it unnecessarily heavy.

It is used like bool so much so that nothing needs to be changed even after changing its type.

Bug: OISF#6667. Fix compiler warnings for function pointer parameters missing const with --enable-dag

Previous integration of hugepage analysis only fetched data from /proc/meminfo. However this proved to be often deceiving mainly for providing only global information and not taking into account different hugepage sizes (e.g. 1GB hugepages) and different NUMA nodes. Ticket: OISF#6419

When the packet load is low, Suricata can run in interrupt mode. This more resembles the classic approach of processing packets - CPU cores run low and only fetch packets on interrupt. Ticket: OISF#5839

Remove references that are mentioning Suricata 3 or less As a note - only one Suricata 4 reference found: (suricata-yaml.rst:"In 4.1.x") Fast pattern selection criteria can be internally found by inspecting SupportFastPatternForSigMatchList and SigTableSetup functions. Ticket: OISF#6570

The description of behavior when midstream is enabled and exception policy is set to ignore wasn't descriptive enough. Fix typos.

Ticket: OISF#5075 Signed-off-by: jason taylor <[email protected]>

Signed-off-by: jason taylor <[email protected]>

"sigerror_ok" and "sigerror_requires" were not being reset after each rule which could lead to a rule load error being incorrectly tracked as skipped rather than failed. Also initialize "skippedsigs" to 0 along with "goodsigs" and "badsigs", while not directly related to this issue, could also throw off some stats. Ticket: OISF#6710

Move to libhtp to the 0.5.x branch instead of 0.5.45.

When a TCP flow packet has not led to app-layer updates, it is useless to run DetectRunTx, as there cannot be new matches. This happens for instance, when one side sends in a row multiple packets which are not acked (and thus not parsed in IDS mode). Doing so requires to move up the call to AppLayerParserSetTransactionInspectId so that it is run the same times DetectRunTx is run, and not in the case where the transaction was not updated. Ticket: 6299

Ticket: OISF#6299 Simply because it is faster (just linear). This is for merging match_array into tx_candidates

If flags are zero, there is nothing to store and remember. Stored signatures will be reused on a later packet, and qsorted (which may be expensive), with newer matches candidates. Avoiding to store, leads to avoid the call to qsort.

Especially sets transactions to complete when we get a response without having seen the request, so that the transactions end up getting cleaned (instead of living/leaking in the state). Also try to set the event on the relevant transaction, instead of creating a new transaction just for the purpose of having the event. Ticket: OISF#6299

Fixing single_match and manual_find intertwined with SCLogDebug

So that we can write enip.revision: 0x203 Ticket: 6645

Ticket: 6646

Ticket: 6647 Allows keywords using integers to use strings in signature parsing based on a rust enumeration with a derive.

Ticket: 6648 Like &0x40=0x40 to test for a specific bit set

Ticket: 6628 Document the generic detection capabilities for integer keywords. and make every integer keyword pointing to this section.

Our code handles Uint ranges as exclusive, but for bsize, our documentation stated that they're inclusive. Cf. from uint.rs: DetectUintMode::DetectUintModeRange => { if val > x.arg1 && val < x.arg2 { return true; } } Task OISF#6708

StreamingBuffer is not required to find the intersecting regions, so, don't pass it as a param to the fn.

Ticket: 5446 That means it can accept ranges

port is not used and logically makes sense to not be in this struct as this struct is already referenced by DetectPort itself as a part of SigGroupHead.

Present scenario ---------------- Currently, as a part of setting signature count per SGH, a max_idx is passed which could be as high as the highest signature number (internal ID). Issue ----- Not every SGH needs to evaluate all the signatures while setting the signature count or while creating the match_array. In a nonideal scenario, when say, there are 2 SGHs and one SGH has 2 signatures and the other one has 60k, given the current scheme of evaluating max_idx, the max_idx will be set to 60k, and this shall later be passed on to SigGroupHeadSetSigCnt or SigGroupHeadBuildMatchArra which shall traverse over all the 60k sigs for either SGHs. Other info ---------- This is a very fast operation as the internal arithmetic is done bitwise. Patch ----- The functions SigGroupHeadSetSigCnt and SigGroupHeadBuildMatchArray can be optimized by storing the max signature id (internal) per SGH (which also seemed to be the initial intention as per fn comments). As a result of this, the sig_array is only walked up until the max sig id of that respective SGH.

Errors when a detection engine gets 65k filestore signatures to avoid the hard limit to have 65k filestore per signature group head Ticket: OISF#6393

Ticket: 5926 HTTP2 continuation frames are defined in RFC 9113. They allow header blocks to be split over multiple HTTP2 frames. For Suricata to process correctly these header blocks, it must do the reassembly of the payload of these HTTP2 frames. Otherwise, we get incomplete decoding for headers names and/or values while decoding a single frame. Design is to add a field to the HTTP2 state, as the RFC states that these continuation frames form a discrete unit : > Field blocks MUST be transmitted as a contiguous sequence of frames, > with no interleaved frames of any other type or from any other stream. So, we do not have to duplicate this reassembly field per stream id. Another design choice is to wait for the reassembly to be complete before doing any decoding, to avoid quadratic complexity on partially decoding of the data.

instead of keeping a NULL pointer in an array Ticket: OISF#5921

Ticket: OISF#5921 Co-authored-by: Jason Ish <[email protected]>

Ticket: OISF#6477

Ticket: 6477 So as to avoid ending up with too many empty transactions. This happens when Suricata sees a DATA command in the current transaction but did not have a confirmation response for it. Then, if Suricata receives another DATA command, it will create another new transaction, even if the previous one is empty. And so, a malicious client can create many empty transactions by just sending a repeated amount of DATA commands without having a confirmation code for them. Suricata cannot use state->current_command == SMTP_COMMAND_DATA to prevent this attack and needs to resort to a new boolean is_data because the malicious client may send another dummy command after each DATA command. This patch leaves only one call to SMTPTransactionCreate

Ticket: OISF#6441 This keyword and the response one use a multiple inspection buffer. But the different instances point to the same memory address that comes from HttpHeaderGetBufferSpace and is not owned by the transaction, and is rebuilt, which is a functional bug in itself. As it gets crafted, it can get reallocated if one header is over 1024 bytes, while the previous freed pointer will still get used for the previous headers.

If the next PDU is already in the slice next, do not use it and restrict ourselves to the length of this PDU. Avoids overconsumption of memory by quadratic complexity, when having many small PDUS in one big chunk being parsed Ticket: OISF#6411

A next PDU may already be in the slice to parse. Do not skip its parsing, ie do not use rest, but take just the length of the pdu

Ticket: 6481 Instead of just setting the old transactions to a drop state so that they get later cleaned up by Suricata, fail creating new ones. This is because one call to app-layer parsing can create many transactions, and quadratic complexity could happen in one single app-layer parsing because of find_or_create_tx

As flagged critical by codescan

error: writing `&Vec` instead of `&[_]` involves a new object where a slice will do --> src/dns/log.rs:371:29 | 371 | pub fn dns_print_addr(addr: &Vec<u8>) -> std::string::String { | ^^^^^^^^ help: change this to: `&[u8]` | = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#ptr_arg

Add not-needed SCCalloc return check to satisfy our Cocci malloc checks as it can't see that the caller immediately checks the return value of this simple wrapper around SCCalloc.

Fix memory leak at util-decode-mime:MimeDecInitParser, which root cause is not-freeing allocated memory for mimeMsg Bug: OISF#6745

Issue: 6755 When NetmapOpen encounters an error opening the netmap device, it'll retry a bit. When the retry limit is reached, it'll shutdown Suricata. This commit ensures that the device list lock is not held when before closing all open devices before terminating Suricata.

Issue: 6712

Issue: 6712 Remove multiple occurrences of libjansson installation packages.

A dead lock could occur at start up, where a loader thread would get stuck on it's condition variable, while the main thread was polling the loaders task results. The vector to the dead lock is as follows: main loader DetectEngineMultiTenantSetup -DetectLoaderSetupLoadTenant --DetectLoaderQueueTask ---lock loader ---add task ---unlock loader lock loader check/exec tasks unlock loader ---wake up threads lock ctrl mutx cond wait ctrl unlock ctrl -DetectLoadersSync --lock loader --check tasks --unlock loader Between the main thread unlocking the loader and waking up the threads, it is possible that the loader has already moved ahead but not yet entered its conditional wait. The main thread sends its condition signal, but since the loader isn't yet waiting on it the signal is ignored. Then when the loader does enter its conditional wait, the signal is not sent again. This patch updates the logic to send signals much more often. It also makes sure that the signal is sent under lock, as the API requires. Bug: OISF#6766.

Add GitHub actions to perform: - cargo audit: catch new warnings in dependendent packages - cargo update: catch updated dependencies that depend on a new MSRV than we use

CentOS 7 requires older actions due to newer GitHub actions depending on a newer glibc. So move to its own workflow file so the main builds can move forward to newer versions of actions.

GitHub action Linux runners now have 4 cores, instead of hardcoding the number, use nproc to determine how many cores are available and use them.

Multiple uploads can no longer use the same name, so give the cbindgen artifact its own name of "cbindgen". Requires an additional download for each build depending on this cbindgen artifact.

Previously only enabled in build.yml, apply cancen-in-progress to all workflow files.

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.1 to 4.0.1. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@d9f34f8...e0b68c6) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](github/codeql-action@v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Add the CodeQL security-extended suite to the CodeQL workflow configuration.

Signed-off-by: jason taylor <[email protected]>

Ensure that the mutex protecting the condition variable is held before signaling it. This ensures that the thread(s) awaiting the signal are notified. Issue: 6569

Ticket: 6773

removing function unused parameter tx_id in HTPFileOpen And using directly tx instead of its id in HTPFileOpenWithRange

Ticket: OISF#6737

Ticket: 6741

Ticket: 6748

To match that we'll now request CVE ID's ourselves as well, and we can do it for reported issues as well. See also: https://forum.suricata.io/t/security-new-cve-policy/4473

- authors.yml - codeql.yml - scan-build.yml

The CentOS 7 build requires older GitHub actions, try to make dependabot ignore these older versions.

As we don't have a Cargo.toml and a Cargo.lock, dependabot for Rust hasn't been working correctly. Disable, as we now have our own cargo audit and update workflows.

Dependabot is always getting flagged as a new author even tho it uses a consistent author of: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> But this doesn't work with plain grep. Fix by telling grep to treat the value as a fixed string instead of a regular expression.

Direction flag was checked against wrong field, leading to undefined behavior. Bug: OISF#6778.

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.24.0 to 3.24.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](github/codeql-action@v2.24.0...v3.24.1) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

This commit improves the mqtt parsing of frames to handle multiple PDUs. Issue: 6592

Rework locking logic to avoid the following coverity warning. ** CID 1591966: Concurrent data access violations (MISSING_LOCK) /src/detect-engine-loader.c: 475 in DetectLoadersSync() 474 SCCtrlMutexLock(loader->tv->ctrl_mutex); >>> CID 1591966: Concurrent data access violations (MISSING_LOCK) >>> Accessing "loader->tv" without holding lock "DetectLoaderControl_.m". Elsewhere, "DetectLoaderControl_.tv" is written to with "DetectLoaderControl_.m" held 1 out of 1 times (1 of these accesses strongly imply that it is necessary). 475 pthread_cond_broadcast(loader->tv->ctrl_cond); 476 SCCtrlMutexUnlock(loader->tv->ctrl_mutex); The warning itself is harmless.

Ticket: 6617 So that rules with keyword like `filestore:to_server,flow` only store the files to server and not the ones to client... Directionality only worked with the default scope, ie the current file, and not the scope tx or scope flow. For non-default scope, tx or flow, both directions were stored whatever the directionality specified. For these non-default scopes, this commit keeps a default of both directions, but use only one direction if specified. Need to split flag FLOWFILE_STORE per direction, so that Suricata can retain this (optional) directional info from the filestore keyword. Fixes: 79499e4 ("app-layer: move files into transactions")

The runtime complexity of insertion sort is approx. O(h*n)^2 where h is the size of the HOME_NET and n is the number of ip only rules that use the HOME_NET. Replacing this with qsort significantly improves rule load time when a large HOME_NET is used in combination with a moderate amount of ip only rules.

When an interface with dots is used, per worker stats are nested by the dot-separated-components of the interface due to the usage of OutputStats2Json(). Prevent this by using OutputStats2Json() on a per-thread specific object and setting this object into the threads object using the json_object_set_new() which won't do the dot expansion. This was tested by creating an interface with dots in the name and checking the stats. ip link add name a.b.c type dummy With Suricata 7.0.2, sniffing on the a.b.c interface results in the following worker stats format: "threads": { "W#01-a": { "b": { "c": { "capture": { "kernel_packets": 0, After this fix, the output looks as follows: "threads": { "W#01-a.b.c": { "capture": { "kernel_packets": 0, Ticket: OISF#6732

Main purpose is to validate that the 30 of bond0.30 isn't expanded into a nested object during serialization.

No shared resource is being changed when the lock is held, it is immediately unlocked. So, remove it.

Ticket 6434

Also put "cocci" in the job name and install parallel so the script can actually run with concurrency.

If CONCURRENCY_LEVEL was set, the script would log a concurrency level even if the parallel command was not available. Not log if parallel is not available and set concurrency to 1.

Decouple app.protocols.tls.encryption-handling and stream.bypass. There's no apparent reason why encrypted TLS bypass traffic should depend on stream bypass, as these are unrelated features.

Update documentation to reflect the new features and changes.

…n.org/issues/6788

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Decouple stream.bypass dependency from TLS encrypted bypass #9127

Decouple stream.bypass dependency from TLS encrypted bypass #9127

Commits on Dec 5, 2023

Commits on Dec 6, 2023

Commits on Dec 7, 2023

Commits on Dec 11, 2023

Commits on Dec 13, 2023

Commits on Dec 14, 2023

Commits on Dec 15, 2023

Commits on Dec 19, 2023

Commits on Dec 28, 2023

Commits on Jan 4, 2024

Commits on Jan 8, 2024

Commits on Jan 15, 2024

Commits on Jan 17, 2024

Commits on Jan 19, 2024

Commits on Jan 24, 2024

Commits on Jan 25, 2024

Commits on Jan 30, 2024

Commits on Feb 6, 2024

Commits on Feb 9, 2024

Commits on Feb 10, 2024

Commits on Feb 12, 2024

Commits on Feb 13, 2024

Commits on Feb 14, 2024

Commits on Feb 15, 2024

Commits on Feb 19, 2024