Decouple stream.bypass dependency from TLS encrypted bypass #9127
Commits on Dec 5, 2023
Commit 6076b9e
detect: remove redundant null setting
de_ctx->dport_hash_table is already set to NULL in the fn DetectPortHashFree which is called right before this setting. Remove the redundant setting.
Commit 945ec4b
Commit d8a887e
detect/port: remove BUG_ON in favor of PORT_ER
Either the BUG_ON condition would hit or PORT_ER. Prefer to return error in case of an error as the fn expects that.
Commit 8960a86
detect: remove misleading comment
The comment seems to have come from the enum for addresses where IPv4 and IPv6 matters.
Commit 77eb85e
detect-engine: use ports only after edge case handling
Also, add comments to clarify what's happening in the code.
Commit c1bf955
pgsql: add unknown frontend message type
We had unknown message type for the backend, but not the frontend messages. It's important to better identify those to improve pgsql probing functions. Related to Bug OISF#6080
Commit 1ac5d97
Some non-pgsql traffic seen by Suricata is mistakenly identified as pgsql, as the probing function is too generic. Now, if the parser sees an unknown message type, even if it looks like pgsql, it will fail. Bug OISF#6080
Commit 4f85d06
Commit afd6e4d
Commit 53d29f6
pgsql: remove probe_ts function
With the changes in the probing_ts function, this other one could become obsolete. Remove it, and directly call `parser::parse_request` when checking for gaps, instead.
Commit 9aeeac5
ebpf: Update eBPF map to BTF defined map
Legacy map definition is removed from libbpf 1.0+. Update the legacy map definition to BTF defined map. Distros with < libbpf 1.0 (0.5, 0.6, 0.7, 0.8) bpf_helpers.h support BTF map definition; this change does not break old libbpf and supports new libbpf 1.0+.
Bug: OISF#6250
Signed-off-by: Vincent Li <[email protected]>
Co-authored-by: Victor Julien <[email protected]>
Commit 64d12aa
Commits on Dec 6, 2023
doc: add file.name information to http keyword doc
Signed-off-by: jason taylor <[email protected]>
Commit bbc17b1
doc: add file.name information to ftp keyword doc
Signed-off-by: jason taylor <[email protected]>
Commit bb1f757
doc: update ftp keyword doc example rule format
Signed-off-by: jason taylor <[email protected]>
Commit e4077b8
doc: add file.name information to smb keyword doc
Signed-off-by: jason taylor <[email protected]>
Commit 327ba73
doc: add file.name information to nfs keyword doc
Signed-off-by: jason taylor <[email protected]>
Commit 9d1ad01
doc: add file.name information to smtp keyword doc
Signed-off-by: jason taylor <[email protected]>
Commit fc81c99
pgsql: don't log password msg if password disabled
If the logging of the password is disabled, there isn't much point in logging the password message itself.
Commit bdec2d8
Commits on Dec 7, 2023
util/time: Prevent usecs overflow
This commit takes care of the original seconds value and prevents the useconds field from overflowing past its maximum value. Issue: 6372
Commit d3095ac
napatech: Fix packet timestamps
Initialize both seconds and useconds of packet timestamp from napatech timestamp format. This commit uses updated macro definitions from util-utime.h to avoid zero seconds value. Issue: 6372
Commit 417806c
util/time: Improve usecs handling in time macros
Fix SCTIME_ADD_SECS zeroing subsecond part
When adding s seconds to SCTime_t ts, don't zero out the ts.usecs field.
Issue: 6584
Fix SCTIME_FROM_TIMESPEC garbage microseconds part
When converting nanoseconds to microseconds divide by 1000 instead of multiplying by 1000.
Issue: 6585
Commit 0850e3d
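The three timestamp fixes above (the useconds overflow of issue 6372, SCTIME_ADD_SECS dropping the subsecond part in 6584, and SCTIME_FROM_TIMESPEC multiplying instead of dividing in 6585) come down to one invariant: the microsecond field must stay below 1,000,000 and must survive every conversion. The following is an added example, not Suricata's util-time.h. It uses a stand-in struct `PktTime` with plain fields instead of the project's bit-packed SCTime_t, puts the two buggy variants beside the correct ones so the difference is visible, and the timespec and nanosecond-counter inputs are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Stand-in for a seconds + microseconds packet timestamp (assumption: the
 * real SCTime_t packs both into 64 bits; plain fields keep this portable).
 * Invariant: 0 <= usecs < USEC_PER_SEC at all times. */
typedef struct {
    uint64_t secs;
    uint32_t usecs;
} PktTime;

#define USEC_PER_SEC 1000000u
#define NSEC_PER_SEC 1000000000ull

/* Build a timestamp, carrying excess microseconds into seconds so the usecs
 * field can never hold a value past its maximum (the issue 6372 fix). */
PktTime pkttime_from_secs_usecs(uint64_t secs, uint64_t usecs) {
    PktTime t;
    t.secs = secs + usecs / USEC_PER_SEC;
    t.usecs = (uint32_t)(usecs % USEC_PER_SEC);
    return t;
}

/* Correct timespec conversion: nanoseconds / 1000 (issue 6585). */
PktTime pkttime_from_timespec(struct timespec ts) {
    return pkttime_from_secs_usecs((uint64_t)ts.tv_sec, (uint64_t)ts.tv_nsec / 1000u);
}

/* Shape of the original bug: nanoseconds * 1000 gives a "microsecond" value
 * that is a million times too large and can overflow the field. */
PktTime buggy_from_timespec(struct timespec ts) {
    PktTime t;
    t.secs = (uint64_t)ts.tv_sec;
    t.usecs = (uint32_t)((uint64_t)ts.tv_nsec * 1000u);  /* wrong, and may truncate */
    return t;
}

/* Correct: adding whole seconds leaves the subsecond part alone (issue 6584). */
PktTime pkttime_add_secs(PktTime t, uint64_t s) {
    t.secs += s;
    return t;
}

/* Shape of the original bug: rebuilding the value from seconds only. */
PktTime buggy_add_secs(PktTime t, uint64_t s) {
    PktTime r = { t.secs + s, 0 };  /* usecs silently zeroed */
    return r;
}

/* Capture cards often hand over a 64-bit nanosecond counter; both fields must
 * be derived from it, not only the seconds (the point of the napatech fix). */
PktTime pkttime_from_ns(uint64_t ns) {
    return pkttime_from_secs_usecs(ns / NSEC_PER_SEC, (ns % NSEC_PER_SEC) / 1000u);
}

/* Flatten for comparison and logging. */
uint64_t pkttime_to_usecs(PktTime t) {
    return t.secs * USEC_PER_SEC + t.usecs;
}

int main(void) {
    struct timespec ts = { .tv_sec = 1, .tv_nsec = 1500000 };  /* constructed: 1.0015 s */
    PktTime good = pkttime_from_timespec(ts), bad = buggy_from_timespec(ts);
    printf("timespec 1.0015s    -> fixed %llu.%06u  buggy %llu.%06u\n",
           (unsigned long long)good.secs, good.usecs, (unsigned long long)bad.secs, bad.usecs);

    PktTime t = pkttime_from_secs_usecs(10, 250000);
    PktTime fixed = pkttime_add_secs(t, 5), broken = buggy_add_secs(t, 5);
    printf("10.250000 + 5s      -> fixed %llu.%06u  buggy %llu.%06u\n",
           (unsigned long long)fixed.secs, fixed.usecs, (unsigned long long)broken.secs, broken.usecs);

    PktTime ns = pkttime_from_ns(1700000000123456789ull);  /* constructed counter value */
    printf("ns counter          -> %llu.%06u\n", (unsigned long long)ns.secs, ns.usecs);
    return 0;
}
```

The normalisation in `pkttime_from_secs_usecs` is the single place where the invariant is enforced, so every other constructor routes through it; that is the structural fix behind all three tickets.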
Commit a7c9028
Commit 0ba4b29
Commit b1fa975
detect/content-inspect: assist branch prediction
Hitting the recursion limit should be rare.
Commit 1f265d9
Commit b357532
detect/content-inspect: add entry for InspectionBuffer
This is a convenience addition to abstract away the internals of the InspectionBuffer in keyword specific detection code.
Commit d73cce4
Commit c9ab95c
Commit 6a01f40
detect/base64: move content inspection logic
Integrate with rest of content inspect code.
Commit e9b33c4
Commit 97f78e1
detect/content-inspect: localize recursion counting
Use stack local var instead of DetectEngineThreadCtx member. Instead setup a stack local struct that both counts and holds the limit. Make sure the limit is a const so we can avoid rereading it. This is part of an effort to reduce the size of the DetectEngineThreadCtx structure and reduce the number of memory writes to it. Additionally, it is part of an effort to reduce the number of places where detection tracks various forms of state.
Commit 4cce7ba
detect/content-inspect: flatten branches
Flatten else branches after terminating ifs.
Commit c19d11f
detect/isdataat: optimize recursion mismatches
Since recursive content matching goes through the buffer from left to right, it is possible to bail early when isdataat is part of the recursive checking. If `isdataat:50,relative` fails for offset 10, it will surely also fail for offset 20. So break inspection in such cases. The exception is for dynamic isdataat, where the value is determined by a prior byte_extract that may be updated during the recursion.
Commit 6db0256
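The early bail in this commit is sound because the inspection walks occurrences of the preceding content from left to right, so the number of bytes after each successive match end only shrinks. The function below is an added example, not Suricata's detect-isdataat.c: it emulates the chain `content:"<first>"; isdataat:<n>,relative; content:"<second>";` over a constructed payload and counts how many occurrences it inspects with and without the bail. The `n_is_dynamic` flag stands for the byte_extract case the commit excludes, where `<n>` may change between iterations and the bail must stay off.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t offsets_tried;   /* occurrences of <first> the engine inspected */
    bool matched;
} ScanResult;

/* Locate pat in buf[start..len). A plain loop instead of memmem() for portability. */
static const uint8_t *find_from(const uint8_t *buf, size_t len, size_t start,
                                const uint8_t *pat, size_t plen) {
    if (plen == 0 || len < plen) return NULL;
    for (size_t i = start; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return buf + i;
    return NULL;
}

/* Emulates:  content:"<first>"; isdataat:<n>,relative; content:"<second>";
 * For every occurrence of <first>, left to right, require at least <n> bytes
 * after the match end, then look for <second> from that point on. */
ScanResult scan_chain(const uint8_t *buf, size_t len, const char *first,
                      size_t isdataat_n, bool n_is_dynamic,
                      const char *second, bool early_bail) {
    ScanResult r = { 0, false };
    size_t flen = strlen(first), slen = strlen(second), pos = 0;
    const uint8_t *hit;

    while ((hit = find_from(buf, len, pos, (const uint8_t *)first, flen)) != NULL) {
        size_t off = (size_t)(hit - buf);
        size_t match_end = off + flen;
        r.offsets_tried++;

        if (len - match_end < isdataat_n) {
            /* isdataat:<n>,relative failed here. Every later occurrence leaves
             * even less data after it, so none of them can pass: stop, unless
             * <n> comes from byte_extract and may differ on the next pass. */
            if (early_bail && !n_is_dynamic) break;
            pos = off + 1;
            continue;
        }
        if (find_from(buf, len, match_end, (const uint8_t *)second, slen) != NULL) {
            r.matched = true;
            break;
        }
        pos = off + 1;   /* <second> absent after this occurrence; recurse to the next */
    }
    return r;
}

/* Constructed payload: seven "keyN " fields (offsets 0,5,...,30) and a short trailer. */
static const char SAMPLE[] = "key1 key2 key3 key4 key5 key6 key7 end!";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

int main(void) {
    const uint8_t *buf = (const uint8_t *)SAMPLE;
    /* With isdataat:20,relative only the first four "key" hits leave 20+ bytes. */
    ScanResult naive = scan_chain(buf, SAMPLE_LEN, "key", 20, false, "zzz", false);
    ScanResult bail  = scan_chain(buf, SAMPLE_LEN, "key", 20, false, "zzz", true);
    ScanResult dyn   = scan_chain(buf, SAMPLE_LEN, "key", 20, true,  "zzz", true);
    printf("no bail: tried %zu, matched %d\n", naive.offsets_tried, (int)naive.matched);
    printf("bail:    tried %zu, matched %d\n", bail.offsets_tried, (int)bail.matched);
    printf("dynamic: tried %zu, matched %d\n", dyn.offsets_tried, (int)dyn.matched);
    return 0;
}
```

Both variants reach the same verdict; the bail only shortens the walk on the miss path, which is the path an attacker controls when padding a payload with many copies of the first content.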
detect/payload: remove unneeded pointer reset
DetectEngineThreadCtx::replist is managed elsewhere.
Commit e2fbcf9
detect/bytemath: pass match ctx directly
Adjust includes to enable this.
Commit 5359170
detect: optimize struct layout
Move reference count to top of DetectEngineThreadCtx, to move it to the same cache line as the other members that are checked first in Detect().
Commit 0014077
detect/content-inspect: optimize struct layout
Move members used by DetectEngineContentInspection() to the same cache line.
Commit 06c8095
Commit 332c2ea
github/action: fix Debian 12 intermittent failures
Parallel builds caused issues during `cargo vendor`. So do just a single thread build.

make[4]: Entering directory '/__w/suricata/suricata/rust'
cbindgen --config /__w/suricata/suricata/rust/cbindgen.toml \
    --quiet --output /__w/suricata/suricata/rust/dist/rust-bindings.h
CARGO_HOME="/github/home/.cargo" /usr/bin/cargo vendor
    Blocking waiting for file lock on package cache
    Blocking waiting for file lock on package cache
ERROR: Couldn't execute `cargo metadata` with manifest "/__w/suricata/suricata/rust/Cargo.toml": Metadata(Output { status: ExitStatus(unix_wait_status(25856)), stdout: "", stderr: "    Blocking waiting for file lock on package cache\n    Blocking waiting for file lock on package cache\nerror: failed to download `adler v1.0.2`\n\nCaused by:\n  unable to get packages from source\n\nCaused by:\n  failed to parse manifest at `/github/home/.cargo/registry/src/github.com-1ecc6299db9ec823/adler-1.0.2/Cargo.toml`\n\nCaused by:\n  no targets specified in the manifest\n  either src/lib.rs, src/main.rs, a [lib] section, or [[bin]] section must be present\n" })
ERROR: Couldn't generate bindings for /__w/suricata/suricata/rust.
make[4]: *** [Makefile:597: dist/rust-bindings.h] Error 1
make[4]: *** Waiting for unfinished jobs....
Commit c82d934
Commits on Dec 11, 2023
Commit b9540df
detect: rename SigAddressPrepare fns to SigPrepare
There is nothing Address specific going on in the preparations.
Stage 1: Preprocessing happens. Sigs classified as IP Only, Masks applied, content specific limits applied, etc and sig array built.
Stage 2: Sigs grouped by IPOnly, ports and protocols.
Stage 3: Decoder Events SGH built.
Stage 4: File flags set, sig grouping done per prefilter, etc.
Commit bd41b31
Commit 47c9a14
detect-engine: use flag SIG_FLAG_MPM_NEG
The flag SIG_FLAG_MPM_NEG is set before whitelisting the rules. Make it better by checking for the flag in the beginning and return immediately.
Commit 3485880
detect/flowbits: remove DETECT_FLOWBITS_CMD_NOALERT
DETECT_FLOWBITS_CMD_NOALERT is misleading as it gives an impression that noalert is a flowbit specific command that'll be used and dealt with at some point but as soon as noalert is found in the rule lang, signature flag for noalert is set and control is returned. It never gets added to cmd of the flowbits object.
Commit 75471dd
Commits on Dec 13, 2023
http2: do not have leading space for response line
Ticket: 6547
Commit 1b5e04b
cppcheck/detect: Address cppcheck memory leak
Issue: 6527 Ensure that the `map->string` memory isn't leaked following an error return from `HashListTableAdd`
Commit 8b2fd43
cppcheck: Address cppcheck report of an FP
Issue: 6527 Address the FP raised by cppcheck -- note that although the code correctly checks to ensure that `to_shift != &sb->region`, the logic was detected as a FP. Rework the code to eliminate the FP.
Commit 40e3514
clang-format.sh: prefer clang-format-14
Add clang-format-14 as the preferred version, this is the default on Ubuntu 22.04.
Commit 5ebae1e
github-ci/formatting: update to Ubuntu 22.04
Update the formatting CI job to Ubuntu 22.04 to get a newer version of clang-format, in this case clang-format-14.
Commit 9307150
doc/userguide: update guidance on 5 to 6 upgrading
TCP memory use can be higher than expected in certain configs. Ticket: OISF#6552.
Commit 3456dea
endace: Fix source-dag timestamps
Bug: OISF#6618.
Fix Endace ERF to SCTime_t timestamp conversion
Fix typo preventing compilation with --enable-dag
Commit 879db3d
Commit 774f05d
detect: rename DetectAppLayerMpmRegister2 to DetectAppLayerMpmRegister
The old DetectAppLayerMpmRegister has not been around since 4.1.x. Rename the v2 of this function to a versionless function as there is no documentation referring to what the 2 means.
Commit 50be098
detect: rename DetectAppLayerInspectEngineRegister2
Rename DetectAppLayerInspectEngineRegister2 to DetectAppLayerInspectEngineRegister as there is no other variant of this function, and the versioning with lack of supporting documentation can lead to confusion.
Commit b11bb1c
detect: rename InspectEngineFuncPtr2 to InspectEngineFuncPtr
Version 1 of the API no longer exists.
Commit 66ff23f
Commit 4620776
Commit e2d7a7f
dns: consolidate DNSRequest and DNSResponse to DNSMessage
DNS request and response messages follow the same format so there is no reason not to use the same data structure for each. While it's unlikely to see fields like answers in a request, the message format does not disallow them, so it might be interesting data to have the ability to log.
Commit 9464d0b
dns: add dns.answer.name keyword
This sticky buffer will allow content matching on the answer names. While answers typically only occur in DNS responses, we allow the buffer to be used in request context as well as the request message format allows it. Feature: OISF#6496
Commit 5f99abb
dns: add dns.query.name sticky buffer
This buffer is much like dns.query_name but allows for detection in both directions. Feature: OISF#6497
Commit 482325e
dns: replace usage of rs_dns_tx_get_query_name with SCDnsTxGetQueryName
SCDnsTxGetQueryName was introduced to allow for getting the query name in responses as well as requests, so covers the functionality of rs_dns_tx_get_query_name.
Commit f91122e
doc/userguide: document dns.query.name, dns.answer.name
With some other minor cleanups in the DNS keyword section.
Commit c1a8dbc
Commit 97744b7
Commit 7d95c4c
Commits on Dec 14, 2023
eve/stream: add sb main region size; segment count
Gives more detail about memory use.
Commit 0ab32be
Commit b8440a0
detect/analyzer: print int keyword values correctly
To avoid negative values being misrepresented. Bug: OISF#6615.
Commit de5b8ae
detect/bytejump: don't reuse content flag
To avoid future problems with overlapping flag values, give bytejump its own DETECT_BYTEJUMP_OFFSET_VAR flag. The values are currently not overlapping, so this patch should have no side effects.
Commit 1014520
Commit fb497bf
detect/bytemath: bump length to uint32_t
This puts the logic in line with the other payload inspection functions.
Commit 83ed2c3
Commit 804a40e
detect/byte: remove unneeded SIG_FLAG_APPLAYER sets
Flag will be set during list(s) setup if needed.
Commit 3ba8e2d
Commits on Dec 15, 2023
pgsql: extract length validation into function
This is called so many times that it seems to make sense that we use a function for this.
Commit 7fa8bbf
Commit 7dcc2e7
pgsql: add cancel request message
A CancelRequest can occur after any query request, and is sent over a new connection, leading to a new flow. It won't take any reply, but, if processed by the backend, will lead to an ErrorResponse. Task OISF#6577
Commit 30ac77c
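Several pgsql commits in this PR touch the same framing rules: a message's length field counts itself (so anything below 4 is malformed, the check the PR moves into one function), an unknown frontend message type means the traffic is not PostgreSQL even when the first bytes looked plausible (Bug OISF#6080), and the untyped startup-phase messages, including the CancelRequest added above, are told apart by their Int32 code. The probe below is an added example in C, not the project's Rust parser under rust/src/pgsql. The message layouts and the constants 80877102, 80877103 and 196608 are from the PostgreSQL v3 wire protocol; the byte strings are constructed test inputs and the status and kind enums are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { PG_OK = 0, PG_INCOMPLETE = 1, PG_INVALID = 2 } PgStatus;
typedef enum { PG_MSG_NONE, PG_MSG_STARTUP, PG_MSG_SSL_REQUEST,
               PG_MSG_CANCEL_REQUEST, PG_MSG_TYPED } PgMsgKind;

typedef struct {
    PgMsgKind kind;
    char type;         /* type byte for typed messages, 0 otherwise */
    uint32_t length;   /* declared length, which includes the 4 length bytes */
    uint32_t pid;      /* CancelRequest only */
    uint32_t secret;   /* CancelRequest only */
} PgMsg;

/* v3 protocol constants: 1234<<16 | 5678, 1234<<16 | 5679, major 3 minor 0 */
#define PG_CANCEL_REQUEST_CODE 80877102u
#define PG_SSL_REQUEST_CODE    80877103u
#define PG_PROTOCOL_3_0        196608u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The one shared length check: the field counts itself, so below 4 is malformed;
 * a body longer than what is buffered so far is only incomplete, not invalid. */
PgStatus pg_check_length(uint32_t declared, size_t available_after_len) {
    if (declared < 4) return PG_INVALID;
    if ((size_t)(declared - 4) > available_after_len) return PG_INCOMPLETE;
    return PG_OK;
}

/* Type bytes a v3 client may send. Anything else is not pgsql, however long the rest looks right. */
static int pg_known_frontend_type(uint8_t t) {
    return t != 0 && strchr("BCDEFHPQSXcdfp", (int)t) != NULL;
}

PgStatus pg_probe_frontend(const uint8_t *buf, size_t len, PgMsg *out) {
    memset(out, 0, sizeof(*out));
    if (len < 5) return PG_INCOMPLETE;                  /* shortest typed message: type + length */

    if (buf[0] == 0) {
        /* Startup-phase messages carry no type byte: Int32 length, Int32 code, ... */
        uint32_t declared = be32(buf);
        out->length = declared;
        if (declared < 8) return PG_INVALID;           /* must at least hold the code */
        PgStatus st = pg_check_length(declared, len - 4);
        if (st != PG_OK) return st;
        uint32_t code = be32(buf + 4);
        if (code == PG_CANCEL_REQUEST_CODE) {
            if (declared != 16) return PG_INVALID;     /* length, code, pid, secret key */
            out->kind = PG_MSG_CANCEL_REQUEST;
            out->pid = be32(buf + 8);
            out->secret = be32(buf + 12);
            return PG_OK;
        }
        if (code == PG_SSL_REQUEST_CODE) {
            if (declared != 8) return PG_INVALID;
            out->kind = PG_MSG_SSL_REQUEST;
            return PG_OK;
        }
        if (code == PG_PROTOCOL_3_0) {
            out->kind = PG_MSG_STARTUP;                /* key/value parameters follow; not parsed here */
            return PG_OK;
        }
        return PG_INVALID;
    }

    /* Regular message: Byte1 type, Int32 length, payload. */
    if (!pg_known_frontend_type(buf[0])) return PG_INVALID;   /* the Bug 6080 behaviour */
    uint32_t declared = be32(buf + 1);
    out->length = declared;
    PgStatus st = pg_check_length(declared, len - 5);
    if (st != PG_OK) return st;
    out->kind = PG_MSG_TYPED;
    out->type = (char)buf[0];
    return PG_OK;
}

/* Constructed inputs: a Query, a CancelRequest (pid 1234, key 42), an HTTP request,
 * a truncated Query and a Query whose length field is shorter than itself. */
static const uint8_t SAMPLE_QUERY[]     = { 'Q', 0, 0, 0, 13, 'S','E','L','E','C','T',' ','1', 0 };
static const uint8_t SAMPLE_CANCEL[]    = { 0,0,0,16, 0x04,0xd2,0x16,0x2e, 0,0,0x04,0xd2, 0,0,0,0x2a };
static const uint8_t SAMPLE_HTTP[]      = "GET / HTTP/1.1\r\n";
static const uint8_t SAMPLE_TRUNCATED[] = { 'Q', 0, 0, 0, 13, 'S', 'E' };
static const uint8_t SAMPLE_BAD_LEN[]   = { 'Q', 0, 0, 0, 2, 0 };

/* Wrappers so every verdict is a plain return value. */
PgStatus  pg_probe_status(const uint8_t *b, size_t n) { PgMsg m; return pg_probe_frontend(b, n, &m); }
PgMsgKind pg_probe_kind(const uint8_t *b, size_t n)   { PgMsg m; pg_probe_frontend(b, n, &m); return m.kind; }
uint32_t  pg_probe_pid(const uint8_t *b, size_t n)    { PgMsg m; pg_probe_frontend(b, n, &m); return m.pid; }

int main(void) {
    const char *names[] = { "query", "cancel", "http", "truncated", "bad-length" };
    const uint8_t *bufs[] = { SAMPLE_QUERY, SAMPLE_CANCEL, SAMPLE_HTTP, SAMPLE_TRUNCATED, SAMPLE_BAD_LEN };
    size_t lens[] = { sizeof SAMPLE_QUERY, sizeof SAMPLE_CANCEL, sizeof SAMPLE_HTTP - 1,
                      sizeof SAMPLE_TRUNCATED, sizeof SAMPLE_BAD_LEN };
    for (int i = 0; i < 5; i++) {
        PgMsg m;
        PgStatus st = pg_probe_frontend(bufs[i], lens[i], &m);
        printf("%-10s status=%d kind=%d type=%c\n", names[i], st, m.kind, m.type ? m.type : '-');
    }
    return 0;
}
```

Rejecting on an unknown type byte is what stops the HTTP request from being classified as pgsql: its first byte 'G' is not a frontend type, so the probe fails before the length field is even read.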
userguide/eve: explain pgsql requests & responses
Add a more visible explanation of what requests, responses, frontend and backend are, in Pgsql context, to avoid having to repeat that over different portions of the docs.
Commit bba3d4f
Commit 467c3f2
Commits on Dec 19, 2023
stats: always use tcp/udp prefix
Even when on detection-only mode. So that we always have enip_tcp and enip_udp in stats and never just `enip`. Ticket: 6304
Commit 4bcdc79
schema: adds missing modbus field
./stats/app_layer/error/modbus
Commit f714678
Commit 3103505
pgsql: remove unused msg field
The `ConsolidatedDataRow` struct had a `length` field that wasn't truly used. Related to Bug OISF#6389
Commit 1afb485
feature: provide a Rust binding to the feature API
As the feature module is not available for Rust unit tests, a mock version is also provided.
Commit 15ed51f
requires: add requires keyword
Add a new rule keyword "requires" that allows a rule to require specific Suricata versions and/or Suricata features to be enabled.
Example:
requires: feature geoip, version >= 7.0.0, version < 8;
requires: version >= 7.0.3 < 8
requires: version >= 7.0.3 < 8 | >= 8.0.3
Feature: OISF#5972
Co-authored-by: Philippe Antoine <[email protected]>
Commit 5d5b050
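The examples in the commit message show the shape of a `requires` value: comma-separated clauses, each either `feature <name>` or `version` followed by one or more `<op> <version>` pairs, with `|` separating alternatives of which one must hold. The C code below is an added example, not Suricata's own parser in rust/src/detect/requires.rs. It evaluates that grammar against a running version and a list of enabled features, treating missing version components as zero (so `< 8` means before 8.0.0) and comparing feature names case-insensitively, as the later "case-insensitive comparison for requires" commit in this PR does. The return value -4 for unmet requirements follows the pre-scan commit's description; REQ_SYNTAX (-1), the accepted operators and the constructed feature list are this example's assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct { unsigned major, minor, patch; } Version;
/* REQ_UNMET mirrors the -4 the pre-scan commit describes; REQ_SYNTAX is this example's choice. */
typedef enum { REQ_OK = 0, REQ_SYNTAX = -1, REQ_UNMET = -4 } ReqResult;

/* Parse "8", "7.0" or "7.0.3"; absent components are zero. */
static bool parse_version(const char *s, Version *v) {
    unsigned parts[3] = { 0, 0, 0 };
    int idx = 0;
    bool digits = false;
    for (; *s; s++) {
        if (*s >= '0' && *s <= '9') { parts[idx] = parts[idx] * 10 + (unsigned)(*s - '0'); digits = true; }
        else if (*s == '.' && digits && idx < 2) { idx++; digits = false; }
        else return false;
    }
    if (!digits) return false;
    v->major = parts[0]; v->minor = parts[1]; v->patch = parts[2];
    return true;
}

static int cmp_version(Version a, Version b) {
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* 1 if "have <op> want" holds, 0 if it does not, -1 for an unknown operator. */
static int op_holds(Version have, const char *op, Version want) {
    int c = cmp_version(have, want);
    if (!strcmp(op, ">=")) return c >= 0;
    if (!strcmp(op, "<=")) return c <= 0;
    if (!strcmp(op, ">"))  return c > 0;
    if (!strcmp(op, "<"))  return c < 0;
    if (!strcmp(op, "="))  return c == 0;
    return -1;
}

/* Next space/tab-delimited token of *p, NUL-terminated in place; NULL at the end. */
static char *next_tok(char **p) {
    char *s = *p;
    while (*s == ' ' || *s == '\t') s++;
    if (*s == '\0') { *p = s; return NULL; }
    char *start = s;
    while (*s && *s != ' ' && *s != '\t') s++;
    if (*s) *s++ = '\0';
    *p = s;
    return start;
}

static bool ieq(const char *a, const char *b) {   /* case-insensitive equality */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Tokens after "version": <op> <version> pairs that must all hold; "|" opens
 * another alternative, and the clause holds if any alternative does. */
static ReqResult eval_version(char *rest, Version have) {
    bool alt_ok = true, any_ok = false;
    int pairs = 0;
    for (char *tok = next_tok(&rest); tok; tok = next_tok(&rest)) {
        if (!strcmp(tok, "|")) {
            if (pairs == 0) return REQ_SYNTAX;              /* nothing before the "|" */
            any_ok = any_ok || alt_ok;
            alt_ok = true; pairs = 0;
            continue;
        }
        char *vtok = next_tok(&rest);
        Version want;
        if (!vtok || !parse_version(vtok, &want)) return REQ_SYNTAX;
        int r = op_holds(have, tok, want);
        if (r < 0) return REQ_SYNTAX;
        alt_ok = alt_ok && r == 1;
        pairs++;
    }
    if (pairs == 0) return REQ_SYNTAX;                       /* empty clause or dangling "|" */
    return (any_ok || alt_ok) ? REQ_OK : REQ_UNMET;
}

/* expr is the option value after "requires:", with or without the trailing ";". */
ReqResult requires_check(const char *expr, Version have, const char **features, size_t nfeatures) {
    char buf[512];
    size_t n = strlen(expr);
    if (n >= sizeof buf) return REQ_SYNTAX;
    memcpy(buf, expr, n + 1);
    while (n > 0 && (buf[n - 1] == ';' || isspace((unsigned char)buf[n - 1]))) buf[--n] = '\0';

    bool unmet = false;
    for (char *clause = buf; clause; ) {
        char *comma = strchr(clause, ',');
        if (comma) *comma = '\0';
        char *p = clause, *kw = next_tok(&p);
        if (!kw) return REQ_SYNTAX;
        if (ieq(kw, "feature")) {
            char *name = next_tok(&p);
            if (!name || next_tok(&p)) return REQ_SYNTAX;    /* exactly one feature name */
            bool found = false;
            for (size_t i = 0; i < nfeatures && !found; i++) found = ieq(name, features[i]);
            if (!found) unmet = true;
        } else if (ieq(kw, "version")) {
            ReqResult r = eval_version(p, have);
            if (r == REQ_SYNTAX) return r;
            if (r == REQ_UNMET) unmet = true;
        } else {
            return REQ_SYNTAX;
        }
        clause = comma ? comma + 1 : NULL;
    }
    return unmet ? REQ_UNMET : REQ_OK;
}

static const char *DEMO_FEATURES[] = { "GeoIP", "lua" };   /* constructed feature list */

int main(void) {
    const char *exprs[] = { "feature geoip, version >= 7.0.0, version < 8;",
                            "version >= 7.0.3 < 8 | >= 8.0.3", "feature lua, version >= 9",
                            "version >= 7.0.3 <" };
    Version have = { 7, 0, 3 };
    for (size_t i = 0; i < sizeof exprs / sizeof exprs[0]; i++)
        printf("%-48s -> %d\n", exprs[i], requires_check(exprs[i], have, DEMO_FEATURES, 2));
    return 0;
}
```

Syntax errors and unmet requirements are kept apart on purpose: a rule whose requirements are simply not met is skipped (and, per the stats commit in this PR, counted), while a malformed expression is a rule-file error that should be surfaced rather than silently skipped.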
requires: pre-scan rule for requires expressions
Add a "pre-scan" rule parse that will check for requires statement. It will return a special error code (-4) if the requires fails due to missing requirements. Syntactic errors will also abort parsing here. Feature: OISF#5972
Commit 435c031
detect-parse: parse sid in pre-scan
During the pre-scan for "requires", also parse the SID if possible. If the rule fails high level parsing (syntax), the SID will not be parsed. But every keyword other than "sid" and "requires" should expect to be provided with a parsed sid.
Commit 71bbba9
Commit 5cc872f
Rule skipped is a count of the number of rules that are skipped due to missing requirements. Feature: OISF#6637
Commit b453eea
Commits on Dec 28, 2023
Issue: 6387 This commit moves the configuration logic to Rust.
Commit f12e026
Commits on Jan 4, 2024
devguide: make 'contributing' a chapter
This could be justified from a semantic point of view, and also can help in bringing more attention to where this information is, as it is less hidden, now. Also add Dev Guide as one of our resources in our Readme.
Commit 08eb67f
devguide: reorganize pr-workflow section
This section seemed to aim both at PR reviewers and PR authors at the same time, even though some info is probably of low value for contributors. Created new section for PR reviewers and maintainers, and kept the info for PR authors separated. Also highlighted information on requested changes and stale PRs.
Commit 71e4ca8
devguide: doc from behavior changes needs ticket #
If a commit introduces code that changes Suricata behavior, the related documentation changes should go in a separate commit, but refer to the same ticket number. This reduces the chances of said changes being lost if there are backports while still keeping the backporting process a bit less bulky, for each commit. Related to Task OISF#6568
Commit de8bffd
Commit 9fbdfd2
devguide: update branches, refer to backports guide
Update the list of active branches to include 7 renaming and new master, link to backports document.
Commit d15877b
devguide: fix main channels list
Sphinx and RtD sometimes render lists in weird ways. The communication channels list barely looked like one, at all...
Commit fc2acf8
rust: allow clippy::items_after_test_module
As clippy began to complain about jsonbuilder.rs
Commit 673d13d
detect: case-insensitive comparison for requires
Ticket: 6656
Commit d321838
devguide: explain example-rule container usage
Have these options documented, so that whoever writes rule-related documentation can easily know what they could use to make the doc look better.
Commit a37fa62
Commits on Jan 8, 2024
As this keyword has 4 mandatory arguments, and some examples had only three... Ticket: 6629
Commit 4933b81
pgsql: fix u16 overflow in query data_row
Found by oss-fuzz with quadfuzz. Cf https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63113 According to PostgreSQL documentation the maximum number of rows can be the maximum of tuples that can fit onto max u32 pages - 4,294,967,295 (cf https://www.postgresql.org/docs/current/limits.html). Some rough calculations for that indicate that this could go over max u32, so updating the data_row data type to u64. Bug OISF#6389
Commit 8d3de85
detect/profiling: improve pcap reading performance
When reading a pcap, packet time can move much faster than wall clock time. This would trigger many more profile syncs than before. As the sync is using a lock to synchronize with other threads, this is an expensive operation. Bug: OISF#6619. Fixes: b591813 ("profiling/rules: reduce sync logic scope")
Commit bcb2b50
detect/content-inspect: use of replace keyword is rare
Hint compiler about this.
Commit e3f2b34
Commit 9dc35fb
Commit 18dfa69
detect/pcre: localize match limit option parsing
No need to put it into a per ctx flag.
Commit: eca6639
detect/bytemath: fix u32 buffer size logic
Remove u16 cast. Remove debug assert for u16 size. In 83ed2c3 the input was changed to u32.
Commit: 3e8db97
detect/pcre: remove unused match member
pcre2_match_data is created per thread when needed.
Commit: f2e9c25
detect/bytetest: remove unused Match function
All matching is done as part of content inspection.
Commit: fd75aca
detect/content-inspect: add negation tests
Test mixing of negation, endswith and depth.
Commit: 222dcf7
detect: implement --qa-skip-prefilter
Option meant for testing performance of rule engine w/o prefilter optimizations.
Commit: bd66504
Commit: 4558c5c
Commit: ea5cf44
Commit: 4a6a3dc
Commit: 0172c01
Commit: 18eafb6
detect/content: fix offset for negative distance
Fix offset calculation on sigs with negative distance. Can lead to FN in certain cases.
Bug: OISF#6661.
Commit: 2911656
Commit: 2b3ec34
Commit: 4f0f7b1
Commit: e06d2c4
Commit: 88cc999
app-layer: micro optimization for AppProtoEquals
Add most common condition first.
Commit: fd4ca53
Commit: e4550be
Commit: 91f153f
Commit: db24842
Commit: 11bf60a
Commit: aad403d
Commit: 96aee64
Commit: 7b2d6b6
Commit: 5c6089f
Commit: 72841be
detect/rule-header: use bool type
Update frame prototype as well, to match already returned true/false values.
Commit: 44a8bf4
detect: remove DCERPC mask logic
Added nothing over alproto check already in place.
Commit: 3b8ed93
detect: consolidate per rule group file loops
Don't loop multiple times over the per group sig array.
Commit: 75c1b7f
Most of the time FlowGetFlowFromHash will succeed.
Commit: 609cac5
eve/email: improve logging binary data
Use jb_append_string_from_bytes() as it works better than BytesToString+jb_append_string when logging binary data.
Bug: OISF#6664.
Commit: f5565f4
eve/http: use numeric status code by default
To avoid costly string operations.
Commit: 9a14d7a
Commit: 1dcf69b
Commits on Jan 15, 2024
detect: strip_pseudo_headers transform
Ticket: 6546
Commit: adf5e6d
ipfw: close(2) instead of shutdown(2) of the divert(4) socket
The shutdown(2) syscall would always return ENOTCONN for FreeBSD 11, FreeBSD 12, FreeBSD 13 and FreeBSD 14. It could do some action on the socket in the kernel in FreeBSD 10 and before, did not test.
Commit: b239e88
rust: fix assertions_on_constants for assert!(true)
Which will be optimized away by the compiler
Commit: c49463c
rust: fix assertions_on_constants for assert!(false)
using panic! instead with a string message
Commit: a8199bf
rust: fix zero_prefixed_literal
warning: this is a decimal constant
  --> src/mqtt/parser.rs:888:19
    |
888 |             0x00, 06, /* Topic Length: 6 */
    |                   ^^
    |
Commit: 85329f5
warning: calls to `push` immediately after creation
    --> src/pgsql/parser.rs:1179:9
     |
1179 | /         let mut database_param: Vec<PgsqlParameter> = Vec::new();
1180 | |         database_param.push(database);
     | |______________________________________^ help: consider using the `vec![]` macro: `let database_param: Vec<PgsqlParameter> = vec![..];`
Commit: 9a84681
warning: you seem to be trying to use `match` for destructuring a single pattern. Consider using `if let`
   --> src/http2/parser.rs:882:17
    |
882 | /                 match ctx.value {
883 | |                     Some(_) => {
884 | |                         panic!("Unexpected value");
885 | |                     }
886 | |                     None => {}
887 | |                 }
    | |_________________^
Commit: b141eb9
error: this match could be written as a `let` statement
   --> src/nfs/nfs3_records.rs:747:9
    |
747 | /         match result {
748 | |             (r, request) => {
749 | |                 assert_eq!(r.len(), 0);
750 | |                 assert_eq!(request.handle, expected_handle);
751 | |                 assert_eq!(request.name_vec, br#"bln"#);
752 | |             }
753 | |         }
    | |_________^
Commit: 259cdf1
Commit: bedd485
fixes unused_unit
warning: unneeded unit expression
   --> src/bittorrent_dht/parser.rs:590:5
    |
590 | /     #[test_case(
591 | |         b"",
592 | |         "Error: discovered Dict but expected EOF" ;
593 | |         "test parse bittorrent dht packet err 1"
594 | |     )]
    | |______^
Commit: 6896a93
Commits on Jan 17, 2024
flow-bypass: Set bypass thread to running state
When running Suricata in XDP bypass mode (bypass: yes), Suricata started up with error:
    Error: threads: thread "FB" failed to start in time: flags 0003
"FB" thread does not transition from THV_INIT_DONE to THV_RUNNING. Set "FB" thread THV_RUNNING state in BypassedFlowManager().
Bug: OISF#6254
Signed-off-by: Vincent Li <[email protected]>
Commit: f80d26d
eve/schema: allow authorities in dns.answers in alert
Factor out dns.authorities to a definition.
Commit: 90ae3a2
Commit: ff609f5
Issue: 6347
Remove sguil-mode pcap logging capability.
Commit: 9101878
doc/pcap-log: Remove squil documentation
Issue: 6347
Commit: 58f882d
htp/swf: Remove flash deprecation notice
Issue: 6605
Flash decompression will remain so the deprecation notice is not needed.
Commit: 995f5fc
Commit: 778820b
detect: remove unneeded size in DetectEngineCtx
sig_array_size can easily be calculated with length and is only used at one place for debugging purposes. Remove it from the DetectEngineCtx struct to avoid making it unnecessarily heavy.
Commit: 588af05
detect: make SigMatch.is_last bool
It is used like bool so much so that nothing needs to be changed even after changing its type.
Commit: 26b81ca
Commits on Jan 19, 2024
source/erf-dag: compiler warnings
Bug: OISF#6667.
Fix compiler warnings for function pointer parameters missing const with --enable-dag
Commit: c28cc93
dpdk: rework hugepage hints to use per-numa information
Previous integration of hugepage analysis only fetched data from /proc/meminfo. However this proved to be often deceiving mainly for providing only global information and not taking into account different hugepage sizes (e.g. 1GB hugepages) and different NUMA nodes.
Ticket: OISF#6419
Commit: ca6f7c2
dpdk: add interrupt (power-saving) mode
When the packet load is low, Suricata can run in interrupt mode. This more resembles the classic approach of processing packets - CPU cores run low and only fetch packets on interrupt.
Ticket: OISF#5839
Commit: 2a28980
doc: remove references to prehistoric versions
Remove references that are mentioning Suricata 3 or less.
As a note - only one Suricata 4 reference found: (suricata-yaml.rst: "In 4.1.x")
Fast pattern selection criteria can be internally found by inspecting SupportFastPatternForSigMatchList and SigTableSetup functions.
Ticket: OISF#6570
Commit: 6e4cc79
userguide: clarify midstream exception policy
The description of behavior when midstream is enabled and exception policy is set to ignore wasn't descriptive enough. Fix typos.
Commit: df64448
Ticket: OISF#5075
Signed-off-by: jason taylor <[email protected]>
Commit: 415722d
Commit: a4901a1
rust: fix rustfmt warnings for smb detect
Signed-off-by: jason taylor <[email protected]>
Commit: bfc0790
detect: update smb.version keyword
Signed-off-by: jason taylor <[email protected]>
Commit: 3cb7112
Commits on Jan 24, 2024
detect/requires: reset sigerror flags for each rule
"sigerror_ok" and "sigerror_requires" were not being reset after each rule, which could lead to a rule load error being incorrectly tracked as skipped rather than failed. Also initialize "skippedsigs" to 0 along with "goodsigs" and "badsigs"; while not directly related to this issue, it could also throw off some stats.
Ticket: OISF#6710
Commit: de3cbe4
Commit: 8bf8131
Commits on Jan 25, 2024
requirements: use libhtp 0.5.x
Move libhtp to the 0.5.x branch instead of 0.5.45.
Commit: c3b3c11
Commits on Jan 30, 2024
detect: avoids case of useless detection on txs
When a TCP flow packet has not led to app-layer updates, it is useless to run DetectRunTx, as there cannot be new matches. This happens, for instance, when one side sends multiple packets in a row which are not acked (and thus not parsed in IDS mode). Doing so requires moving up the call to AppLayerParserSetTransactionInspectId so that it is run the same number of times DetectRunTx is run, and not in the case where the transaction was not updated.
Ticket: 6299
Commit: 9240ae2
detect: merge sorted lists instead of qsort
Ticket: OISF#6299
Simply because it is faster (just linear). This is for merging match_array into tx_candidates.
Commit: 5bb8800
detect: do not store state without flags
If flags are zero, there is nothing to store and remember. Stored signatures will be reused on a later packet, and qsorted (which may be expensive), with newer match candidates. Avoiding the store avoids the call to qsort.
Commit: 2fb5059
mqtt: fix logic when setting event
Especially sets transactions to complete when we get a response without having seen the request, so that the transactions end up getting cleaned (instead of living/leaking in the state). Also try to set the event on the relevant transaction, instead of creating a new transaction just for the purpose of having the event.
Ticket: OISF#6299
Commit: 89936b6
Fixing single_match and manual_find intertwined with SCLogDebug
Commit: 38db51b
Commit: d73ccd0
detect: integer keywords now support hexadecimal
So that we can write enip.revision: 0x203
Ticket: 6645
Commit: 3b65a2b
detect: integer keywords now accept negated ranges
Ticket: 6646
Commit: 06c5dd3
detect/integer: rust derive for enumerations
Ticket: 6647
Allows keywords using integers to use strings in signature parsing based on a rust enumeration with a derive.
Commit: 370ac05
detect: integer keywords now accept bitmasks
Ticket: 6648
Like &0x40=0x40 to test for a specific bit set
Commit: d05f3ac
Ticket: 6628
Document the generic detection capabilities for integer keywords, and make every integer keyword point to this section.
Commit: b8bc2c7
userguide: fix explanation about bsize ranges
Our code handles Uint ranges as exclusive, but for bsize, our documentation stated that they're inclusive.
Cf. from uint.rs:
    DetectUintMode::DetectUintModeRange => {
        if val > x.arg1 && val < x.arg2 {
            return true;
        }
    }
Task OISF#6708
Commit: 244a35d
Commits on Feb 6, 2024
util/streaming-buffer: remove unneeded fn param
StreamingBuffer is not required to find the intersecting regions, so don't pass it as a param to the fn.
Commit: 8fc0faf
detect: dns.opcode as first-class integer
Ticket: 5446
That means it can accept ranges
Commit: f6e1a20
Commit: 6de885c
detect: remove unused port in SigGroupHeadInitData
port is not used and logically makes sense to not be in this struct as this struct is already referenced by DetectPort itself as a part of SigGroupHead.
Commit: 264101b
detect/engine: set max sig ID per SGH
Present scenario
----------------
Currently, as a part of setting signature count per SGH, a max_idx is passed which could be as high as the highest signature number (internal ID).
Issue
-----
Not every SGH needs to evaluate all the signatures while setting the signature count or while creating the match_array. In a nonideal scenario, when say, there are 2 SGHs and one SGH has 2 signatures and the other one has 60k, given the current scheme of evaluating max_idx, the max_idx will be set to 60k, and this shall later be passed on to SigGroupHeadSetSigCnt or SigGroupHeadBuildMatchArray which shall traverse over all the 60k sigs for either SGHs.
Other info
----------
This is a very fast operation as the internal arithmetic is done bitwise.
Patch
-----
The functions SigGroupHeadSetSigCnt and SigGroupHeadBuildMatchArray can be optimized by storing the max signature id (internal) per SGH (which also seemed to be the initial intention as per fn comments). As a result of this, the sig_array is only walked up until the max sig id of that respective SGH.
Commit: 395c74d
Commit: 7f89aaf
detect: errors on 65k filestore signatures
Errors when a detection engine gets 65k filestore signatures to avoid the hard limit to have 65k filestore per signature group head
Ticket: OISF#6393
Commit: db99c45
http2: handle reassembly for continuation frames
Ticket: 5926
HTTP2 continuation frames are defined in RFC 9113. They allow header blocks to be split over multiple HTTP2 frames. For Suricata to process these header blocks correctly, it must do the reassembly of the payload of these HTTP2 frames. Otherwise, we get incomplete decoding for header names and/or values while decoding a single frame.
Design is to add a field to the HTTP2 state, as the RFC states that these continuation frames form a discrete unit:
> Field blocks MUST be transmitted as a contiguous sequence of frames,
> with no interleaved frames of any other type or from any other stream.
So, we do not have to duplicate this reassembly field per stream id.
Another design choice is to wait for the reassembly to be complete before doing any decoding, to avoid quadratic complexity on partial decoding of the data.
Commit: aff54f2
http1: remove transactions from their list
instead of keeping a NULL pointer in an array
Ticket: OISF#5921
Commit: 8f63a8f
http1: configurable max number of live tx per flow
Ticket: OISF#5921
Co-authored-by: Jason Ish <[email protected]>
Commit: 4175680
Commit: 8f73a0a
smtp: avoid creating empty transaction
Ticket: 6477
So as to avoid ending up with too many empty transactions. This happens when Suricata sees a DATA command in the current transaction but did not have a confirmation response for it. Then, if Suricata receives another DATA command, it will create another new transaction, even if the previous one is empty. And so, a malicious client can create many empty transactions by just sending a repeated amount of DATA commands without having a confirmation code for them. Suricata cannot use state->current_command == SMTP_COMMAND_DATA to prevent this attack and needs to resort to a new boolean is_data because the malicious client may send another dummy command after each DATA command.
This patch leaves only one call to SMTPTransactionCreate.
Commit: 61f2e4e
detect: fixes use-after-free with http.request_header
Ticket: OISF#6441
This keyword and the response one use a multiple inspection buffer. But the different instances point to the same memory address that comes from HttpHeaderGetBufferSpace and is not owned by the transaction, and is rebuilt, which is a functional bug in itself. As it gets crafted, it can get reallocated if one header is over 1024 bytes, while the previous freed pointer will still get used for the previous headers.
Commit: bc422c1
pgsql: parse auth message within its bound
If the next PDU is already in the slice next, do not use it and restrict ourselves to the length of this PDU. Avoids overconsumption of memory by quadratic complexity, when having many small PDUs in one big chunk being parsed.
Ticket: OISF#6411
Commit: f52c033
pgsql: parse only PDU when type is unknown
A next PDU may already be in the slice to parse. Do not skip its parsing, i.e., do not use rest, but take just the length of the PDU.
Commit: 86de7cf
http2: limit number of concurrent transactions
Ticket: 6481
Instead of just setting the old transactions to a drop state so that they get later cleaned up by Suricata, fail creating new ones. This is because one call to app-layer parsing can create many transactions, and quadratic complexity could happen in one single app-layer parsing because of find_or_create_tx.
Commit: 80abc22
Commits on Feb 9, 2024
ci: authors check using OISF repo
As flagged critical by codescan
Commit: 7f5e98e
rust: fix clippy ptr_arg warnings
error: writing `&Vec` instead of `&[_]` involves a new object where a slice will do
   --> src/dns/log.rs:371:29
    |
371 | pub fn dns_print_addr(addr: &Vec<u8>) -> std::string::String {
    |                             ^^^^^^^^ help: change this to: `&[u8]`
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#ptr_arg
Commit: 68b0052
detect-http: add superfluous alloc check for cocci
Add not-needed SCCalloc return check to satisfy our Cocci malloc checks as it can't see that the caller immediately checks the return value of this simple wrapper around SCCalloc.
Commit: f800ed0
Commit: b48ec8a
Commit: 7e4dba7
Commits on Feb 10, 2024
Fix memory leak at util-decode-mime:MimeDecInitParser, whose root cause is not freeing allocated memory for mimeMsg.
Bug: OISF#6745
Commit: 231c892
netmap: Release lock to avoid deadlock
Issue: 6755
When NetmapOpen encounters an error opening the netmap device, it'll retry a bit. When the retry limit is reached, it'll shut down Suricata. This commit ensures that the device list lock is not held before closing all open devices and terminating Suricata.
Commit: 364adee
config/nss: Remove libnspr/libnss traces
Issue: 6712
Commit: ee6208b
config/jansson: Remove excess libjansson mentions
Issue: 6712
Remove multiple occurrences of libjansson installation packages.
Commit: 9fe00ff
Commits on Feb 12, 2024
multi-tenant: fix loader dead lock
A deadlock could occur at start up, where a loader thread would get stuck on its condition variable, while the main thread was polling the loaders task results.
The vector to the deadlock is as follows:
    main                                loader
    DetectEngineMultiTenantSetup
    -DetectLoaderSetupLoadTenant
    --DetectLoaderQueueTask
    ---lock loader
    ---add task
    ---unlock loader
                                        lock loader
                                        check/exec tasks
                                        unlock loader
    ---wake up threads
                                        lock ctrl mutx
                                        cond wait ctrl
                                        unlock ctrl
    -DetectLoadersSync
    --lock loader
    --check tasks
    --unlock loader
Between the main thread unlocking the loader and waking up the threads, it is possible that the loader has already moved ahead but not yet entered its conditional wait. The main thread sends its condition signal, but since the loader isn't yet waiting on it the signal is ignored. Then when the loader does enter its conditional wait, the signal is not sent again.
This patch updates the logic to send signals much more often. It also makes sure that the signal is sent under lock, as the API requires.
Bug: OISF#6766.
Commit: 7956fa5
rust: weekly cargo audit and update
Add GitHub actions to perform:
- cargo audit: catch new warnings in dependent packages
- cargo update: catch updated dependencies that depend on a newer MSRV than we use
Commit: edfda9f
Commits on Feb 13, 2024
github-ci: move centos-7 build to its own workflow
CentOS 7 requires older actions due to newer GitHub actions depending on a newer glibc. So move to its own workflow file so the main builds can move forward to newer versions of actions.
Commit 6922fef
github-ci: use all cores available
GitHub Actions Linux runners now have 4 cores. Instead of hardcoding the number, use nproc to determine how many cores are available and use them.
Commit 8522256
github-ci: update {download,upload} artifact actions
Multiple uploads can no longer use the same name, so give the cbindgen artifact its own name of "cbindgen". Requires an additional download for each build depending on this cbindgen artifact.
Commit 5bfaeb3
Commit 32d55fe
Commit e786297
Commit 49834ea
Commit d5a3bfc
github-ci: cancel previous job for all workflows
Previously only enabled in build.yml, apply cancel-in-progress to all workflow files.
Commit 7c98134
github-actions: bump codecov/codecov-action from 3.1.1 to 4.0.1
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.1 to 4.0.1.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@d9f34f8...e0b68c6)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Commit be07d96
github-actions: bump github/codeql-action from 2 to 3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v2...v3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Commit 7881e85
Commits on Feb 14, 2024
codeql: add security-extended query suite
Add the CodeQL security-extended suite to the CodeQL workflow configuration.
Commit f9a4e9c
doc: add pcap file logging variable details
Signed-off-by: jason taylor <[email protected]>
Commit e891ef3
threads/mutex: Ensure mutex held before signaling
Ensure that the mutex protecting the condition variable is held before signaling it. This ensures that the thread(s) awaiting the signal are notified. Issue: 6569
Commit 2a1a70b
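The lost wakeup described in the "multi-tenant: fix loader dead lock" commit above, and the rule this commit states (hold the mutex that protects the condition variable when signaling it), shown in an added C example that is not Suricata's code. A loader thread waits on a condition variable for tasks queued by the main thread; the queue counter, the done counter and the condition variables all live under one mutex, the waiter re-checks its predicate in a loop, and every signal or broadcast is sent with the mutex held. The names (struct loader, loader_thread, loader_queue_task, loader_sync, run_loader_demo) are invented for this example.

```c
/* Added example, not Suricata code: a condition-variable handoff between a
 * main thread and one loader thread that cannot lose a wakeup. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_TASKS 64            /* bound for the demo, chosen arbitrarily */

struct loader {                 /* hypothetical, stands in for the loader ctrl state */
    pthread_mutex_t m;          /* protects every field below */
    pthread_cond_t  task_cv;    /* main -> loader: task queued or shutdown */
    pthread_cond_t  done_cv;    /* loader -> main: a task finished */
    int  queued;                /* tasks queued but not yet taken */
    int  done;                  /* tasks completed */
    bool shutdown;
};

static void *loader_thread(void *arg)
{
    struct loader *ld = arg;
    pthread_mutex_lock(&ld->m);
    for (;;) {
        /* Predicate loop: if main signalled before we reached cond_wait, the
         * state that signal announced is still visible in 'queued', so the
         * wakeup is not lost; spurious wakeups are re-checked the same way. */
        while (ld->queued == 0 && !ld->shutdown)
            pthread_cond_wait(&ld->task_cv, &ld->m);
        if (ld->queued == 0 && ld->shutdown)
            break;
        ld->queued--;
        pthread_mutex_unlock(&ld->m);
        /* the actual work (e.g. loading a tenant) would run here, unlocked */
        pthread_mutex_lock(&ld->m);
        ld->done++;
        pthread_cond_signal(&ld->done_cv);      /* signalled under the lock */
    }
    pthread_mutex_unlock(&ld->m);
    return NULL;
}

/* Queue one task. The state change and the signal happen under the same
 * lock, so the loader either sees queued > 0 before it waits, or is already
 * inside cond_wait (which atomically released the lock) when we signal. */
static void loader_queue_task(struct loader *ld)
{
    pthread_mutex_lock(&ld->m);
    ld->queued++;
    pthread_cond_signal(&ld->task_cv);
    pthread_mutex_unlock(&ld->m);
}

/* Block until n tasks have been reported done. */
static void loader_sync(struct loader *ld, int n)
{
    pthread_mutex_lock(&ld->m);
    while (ld->done < n)
        pthread_cond_wait(&ld->done_cv, &ld->m);
    pthread_mutex_unlock(&ld->m);
}

/* Run the whole exchange for ntasks tasks and return how many the loader
 * completed (equal to ntasks when no wakeup is lost); -1 on bad input. */
int run_loader_demo(int ntasks)
{
    struct loader ld = { .m = PTHREAD_MUTEX_INITIALIZER,
                         .task_cv = PTHREAD_COND_INITIALIZER,
                         .done_cv = PTHREAD_COND_INITIALIZER };
    pthread_t tid;
    if (ntasks < 0 || ntasks > MAX_TASKS)
        return -1;
    if (pthread_create(&tid, NULL, loader_thread, &ld) != 0)
        return -1;
    for (int i = 0; i < ntasks; i++)
        loader_queue_task(&ld);
    loader_sync(&ld, ntasks);

    pthread_mutex_lock(&ld.m);                  /* shutdown, also under lock */
    ld.shutdown = true;
    pthread_cond_broadcast(&ld.task_cv);
    pthread_mutex_unlock(&ld.m);
    pthread_join(tid, NULL);

    int done = ld.done;                         /* safe: thread has exited */
    pthread_mutex_destroy(&ld.m);
    pthread_cond_destroy(&ld.task_cv);
    pthread_cond_destroy(&ld.done_cv);
    return done;
}

int main(void)
{
    printf("tasks completed: %d\n", run_loader_demo(8));
    return 0;
}
```

The commit message's failure mode is what happens when either rule is dropped: if main increments the counter and signals without holding the mutex, or the loader waits on the condition without re-checking a predicate under that mutex, a signal sent in the window between the loader's check and its pthread_cond_wait is simply discarded, and loader_sync then blocks forever because nothing will signal again.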
app-layer/template: use a max number of txs
Ticket: 6773
Commit c99d93c
Removing the unused function parameter tx_id in HTPFileOpen, and using tx directly instead of its id in HTPFileOpenWithRange.
Commit 3a7a4cd
Commit cc2eb2d
Commit c65ff35
Commit 356f9ff
security: update policy wrt CVE IDs
To match that we'll now request CVE IDs ourselves as well, and we can do it for reported issues as well. See also: https://forum.suricata.io/t/security-new-cve-policy/4473
Commit abbd507
github-ci: apply read-only permissions to more workflows
- authors.yml
- codeql.yml
- scan-build.yml
Commit a87943d
dependabot: ignore actions/{cache,checkout} v3
The CentOS 7 build requires older GitHub actions, try to make dependabot ignore these older versions.
Commit c7cb3e9
dependabot: disable rust checks
As we don't have a Cargo.toml and a Cargo.lock, dependabot for Rust hasn't been working correctly. Disable, as we now have our own cargo audit and update workflows.
Commit 5c686af
github-ci: fix authors check with special characters
Dependabot is always getting flagged as a new author even though it uses a consistent author of:

    dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

But this doesn't work with plain grep. Fix by telling grep to treat the value as a fixed string instead of a regular expression.
Commit 2242d10
detect/tls.certs: fix direction handling
Direction flag was checked against wrong field, leading to undefined behavior. Bug: OISF#6778.
Commit 3c06457
github-actions: bump github/codeql-action from 2.24.0 to 3.24.1
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.24.0 to 3.24.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v2.24.0...v3.24.1)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Commit fa98c48
mqtt: Improve frame parsing w/mult. PDUs
This commit improves the mqtt parsing of frames to handle multiple PDUs. Issue: 6592
Commit f9a20da
multi-tenant: fix coverity warning
Rework locking logic to avoid the following coverity warning.

    ** CID 1591966:  Concurrent data access violations  (MISSING_LOCK)
    /src/detect-engine-loader.c: 475 in DetectLoadersSync()

    474         SCCtrlMutexLock(loader->tv->ctrl_mutex);
    >>>     CID 1591966:  Concurrent data access violations  (MISSING_LOCK)
    >>>     Accessing "loader->tv" without holding lock "DetectLoaderControl_.m". Elsewhere, "DetectLoaderControl_.tv" is written to with "DetectLoaderControl_.m" held 1 out of 1 times (1 of these accesses strongly imply that it is necessary).
    475         pthread_cond_broadcast(loader->tv->ctrl_cond);
    476         SCCtrlMutexUnlock(loader->tv->ctrl_mutex);

The warning itself is harmless.
Commit 2d7c3d8
Commit 41a6211
detect: respect directionality for filestore
Ticket: 6617

So that rules with keyword like `filestore:to_server,flow` only store the files to server and not the ones to client...

Directionality only worked with the default scope, i.e. the current file, and not the scope tx or scope flow. For non-default scope, tx or flow, both directions were stored whatever the directionality specified.

For these non-default scopes, this commit keeps a default of both directions, but uses only one direction if specified.

Need to split flag FLOWFILE_STORE per direction, so that Suricata can retain this (optional) directional info from the filestore keyword.

Fixes: 79499e4 ("app-layer: move files into transactions")
Commit 63caa0b
detect-engine-iponly: improve ip list performance
The runtime complexity of insertion sort is approx. O(h*n)^2 where h is the size of the HOME_NET and n is the number of ip only rules that use the HOME_NET. Replacing this with qsort significantly improves rule load time when a large HOME_NET is used in combination with a moderate amount of ip only rules.
Commit 17f9d7a
stats: Do not expand dots of tm_name
When an interface with dots is used, per worker stats are nested by the dot-separated-components of the interface due to the usage of OutputStats2Json(). Prevent this by using OutputStats2Json() on a per-thread specific object and setting this object into the threads object using the json_object_set_new() which won't do the dot expansion.

This was tested by creating an interface with dots in the name and checking the stats.

    ip link add name a.b.c type dummy

With Suricata 7.0.2, sniffing on the a.b.c interface results in the following worker stats format:

    "threads": {
      "W#01-a": {
        "b": {
          "c": {
            "capture": {
              "kernel_packets": 0,

After this fix, the output looks as follows:

    "threads": {
      "W#01-a.b.c": {
        "capture": {
          "kernel_packets": 0,

Ticket: OISF#6732
Commit b8b8aa6
stats: Add unittest for basic stats serialization
Main purpose is to validate that the 30 of bond0.30 isn't expanded into a nested object during serialization.
Commit 08db0f3
Commits on Feb 15, 2024
multi-tenant: remove futile mutex lock
No shared resource is being changed when the lock is held, it is immediately unlocked. So, remove it.
Commit 7477307
eve/stats: add description for common fields
Ticket 6434
Commit 5a1a32b
eve/stats: add description for applayer errors
Ticket 6434
Commit 1816e98
eve/stats: add description for expectations
Ticket 6434
Commit 8817514
eve/stats: add description for applayer flows
Ticket 6434
Commit 487ba82
github-ci: use all cpus for coccinelle checks
Also put "cocci" in the job name and install parallel so the script can actually run with concurrency.
Commit 6198ea5
cocci/run-check: log if parallel command is not found
If CONCURRENCY_LEVEL was set, the script would log a concurrency level even if the parallel command was not available. Do not log if parallel is not available and set concurrency to 1.
Commit f7114b7
Commits on Feb 19, 2024
stream: decouple stream.bypass dependency from tls bypass
Decouple app.protocols.tls.encryption-handling and stream.bypass. There's no apparent reason why encrypted TLS bypass traffic should depend on stream bypass, as these are unrelated features.
Commit 1c11a19
userguide: update encrypted traffic bypass
Update documentation to reflect the new features and changes.
Commit 6bddaef
Commit 84afef8