diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml
index 69db01dfceb6..4633faf965de 100644
--- a/.github/workflows/builds.yml
+++ b/.github/workflows/builds.yml
@@ -375,10 +375,8 @@ jobs:
 run: cargo clippy --all-features
 working-directory: rust

- # AlmaLinux 8 builder and distribution archive builder that some
- # other builds will depend on.
 almalinux-8:
- name: AlmaLinux 8 (Dist builder)
+ name: AlmaLinux 8
 runs-on: ubuntu-latest
 container: almalinux:8
 needs: [prepare-deps, prepare-cbindgen]
@@ -498,21 +496,203 @@ jobs: - run: make install - run: suricatasc -h - run: suricata-update -V - - name: Preparing distribution + + centos-stream9: + name: CentOS Stream 9 + runs-on: ubuntu-latest + container: quay.io/centos/centos:stream9 + needs: [prepare-deps, debian-12-dist] + steps: + # Cache Rust stuff. + - name: Cache cargo registry + uses: actions/cache@v3.3.1 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo + + - name: Cache RPMs + uses: actions/cache@v3.3.1 + with: + path: /var/cache/dnf + key: ${{ github.job }}-dnf + - run: echo "keepcache=1" >> /etc/dnf/dnf.conf + + - name: Install system packages run: | - mkdir dist - mv suricata-*.tar.gz dist - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce - name: Uploading distribution + dnf -y install dnf-plugins-core epel-release + dnf config-manager --set-enabled crb + dnf -y install \ + autoconf \ + automake \ + cargo-vendor \ + cbindgen \ + diffutils \ + numactl-devel \ + dpdk-devel \ + file-devel \ + gcc \ + gcc-c++ \ + git \ + jansson-devel \ + jq \ + lua-devel \ + libtool \ + libyaml-devel \ + libnfnetlink-devel \ + libnetfilter_queue-devel \ + libnet-devel \ + libcap-ng-devel \ + libevent-devel \ + libmaxminddb-devel \ + libpcap-devel \ + libtool \ + lz4-devel \ + make \ + nss-devel \ + pcre2-devel \ + pkgconfig \ + python3-devel \ + python3-sphinx \ + python3-yaml \ + rust-toolset \ + sudo \ + which \ + zlib-devel + - name: Download suricata.tar.gz + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: name: dist - path: dist + - run: tar zxvf suricata-*.tar.gz --strip-components=1 + - name: ./configure + run: CFLAGS="${DEFAULT_CFLAGS}" ./configure + - run: make -j2 + - run: make install + - run: make install-conf + - run: suricatasc -h + - run: suricata-update -V + - name: Check if Suricata-Update example configuration files are installed + run: | + test -e /usr/local/lib/suricata/python/suricata/update/configs/disable.conf + test -e 
/usr/local/lib/suricata/python/suricata/update/configs/drop.conf + test -e /usr/local/lib/suricata/python/suricata/update/configs/enable.conf + test -e /usr/local/lib/suricata/python/suricata/update/configs/modify.conf + test -e /usr/local/lib/suricata/python/suricata/update/configs/threshold.in + test -e /usr/local/lib/suricata/python/suricata/update/configs/update.yaml + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + with: + name: prep + path: prep + - run: tar xf prep/suricata-verify.tar.gz + - run: python3 ./suricata-verify/run.py -q + - run: suricata-update -V + - run: suricatasc -h + + centos-stream8: + name: CentOS Stream 8 + runs-on: ubuntu-latest + container: quay.io/centos/centos:stream8 + needs: [prepare-deps, debian-12-dist] + steps: + # Cache Rust stuff. + - name: Cache cargo registry + uses: actions/cache@v3.3.1 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo + + - name: Cache RPMs + uses: actions/cache@v3.3.1 + with: + path: /var/cache/dnf + key: ${{ github.job }}-dnf + - run: echo "keepcache=1" >> /etc/dnf/dnf.conf + + - name: Install system packages + run: | + dnf -y install dnf-plugins-core epel-release + dnf config-manager --set-enabled powertools + dnf -y install \ + autoconf \ + automake \ + diffutils \ + numactl-devel \ + dpdk-devel \ + file-devel \ + gcc \ + gcc-c++ \ + git \ + jansson-devel \ + jq \ + lua-devel \ + libtool \ + libyaml-devel \ + libnfnetlink-devel \ + libnetfilter_queue-devel \ + libnet-devel \ + libcap-ng-devel \ + libevent-devel \ + libmaxminddb-devel \ + libpcap-devel \ + libtool \ + lz4-devel \ + make \ + nss-devel \ + pcre2-devel \ + pkgconfig \ + python3-devel \ + python3-sphinx \ + python3-yaml \ + rust-toolset \ + sudo \ + which \ + zlib-devel + # These packages required to build the PDF. 
+ dnf -y install \ + texlive-latex \ + texlive-cmap \ + texlive-collection-latexrecommended \ + texlive-fncychap \ + texlive-titlesec \ + texlive-tabulary \ + texlive-framed \ + texlive-wrapfig \ + texlive-upquote \ + texlive-capt-of \ + texlive-needspace + - name: Download suricata.tar.gz + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + with: + name: dist + - run: tar zxvf suricata-*.tar.gz --strip-components=1 + - name: ./configure + run: CFLAGS="${DEFAULT_CFLAGS}" ./configure + - run: make -j2 + - run: make install + - run: make install-conf + - run: suricatasc -h + - run: suricata-update -V + - name: Check if Suricata-Update example configuration files are installed + run: | + test -e /usr/local/lib/suricata/python/suricata/update/configs/disable.conf + test -e /usr/local/lib/suricata/python/suricata/update/configs/drop.conf + test -e /usr/local/lib/suricata/python/suricata/update/configs/enable.conf + test -e /usr/local/lib/suricata/python/suricata/update/configs/modify.conf + test -e /usr/local/lib/suricata/python/suricata/update/configs/threshold.in + test -e /usr/local/lib/suricata/python/suricata/update/configs/update.yaml + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + with: + name: prep + path: prep + - run: tar xf prep/suricata-verify.tar.gz + - run: python3 ./suricata-verify/run.py -q + - run: suricata-update -V + - run: suricatasc -h centos-7: name: CentOS 7 runs-on: ubuntu-latest container: centos:7 - needs: [prepare-deps, almalinux-8] + needs: [prepare-deps, debian-12-dist] steps: - name: Cache ~/.cargo uses: actions/cache@v3.3.1 
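Review bot: `actions/cache@v3.3.1` in the new centos-stream9 and centos-stream8 jobs is pinned by a mutable tag while the `actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a` steps beside it are pinned to a commit SHA, so one job mixes two trust models; a tag can be re-pointed at different code, and these steps restore `~/.cargo` and `/var/cache/dnf` into a job that then runs `make install`, so the cache action deserves the same full-SHA pin as the artifact actions (the debian-12 hunk has the same mix with `actions/checkout@v3.5.3`). Two smaller points in the same hunk: `libtool` is listed twice in both `dnf -y install` lists, and the stream9 list carries `cargo-vendor` and `cbindgen` that the stream8 list does not, which is presumably deliberate but undocumented; a comment above the stream8 list stating why the two lists differ would stop the next edit from "fixing" it. Both jobs also run `suricata-update -V` and `suricatasc -h` twice, once right after `make install` and again after suricata-verify; if the second pair is not meant to catch something the verify run changes, drop it.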
@@ -2192,6 +2372,172 @@ jobs: - run: make -j2 - run: make check + debian-12: + name: Debian 12 + runs-on: ubuntu-latest + container: debian:12 + needs: [prepare-deps] + steps: + # Cache Rust stuff. + - name: Cache cargo registry + uses: actions/cache@v3.3.1 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo + + - run: apt update + - run: | + apt -y install \ + autoconf \ + automake \ + build-essential \ + cargo \ + cbindgen \ + cmake \ + curl \ + dpdk-dev \ + git \ + jq \ + make \ + libpcre3 \ + libpcre3-dbg \ + libpcre3-dev \ + libpcre2-dev \ + libtool \ + libpcap-dev \ + libnet1-dev \ + libyaml-0-2 \ + libyaml-dev \ + libcap-ng-dev \ + libcap-ng0 \ + libmagic-dev \ + libmaxminddb-dev \ + libjansson-dev \ + libjansson4 \ + liblua5.1-dev \ + libnss3-dev \ + libnspr4-dev \ + libnuma-dev \ + liblz4-dev \ + libssl-dev \ + liblzma-dev \ + pkg-config \ + python3 \ + python3-yaml \ + rustc \ + sphinx-doc \ + sphinx-common \ + texlive-latex-base \ + texlive-fonts-recommended \ + texlive-fonts-extra \ + texlive-latex-extra \ + zlib1g \ + zlib1g-dev + - uses: actions/checkout@v3.5.3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + with: + name: prep + path: prep + - run: tar xf prep/libhtp.tar.gz + - run: tar xf prep/suricata-update.tar.gz + - run: tar xf prep/suricata-verify.tar.gz + - run: ./autogen.sh + - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests + - run: make -j2 + - run: make check + - run: make -j2 distcheck + env: + DISTCHECK_CONFIGURE_FLAGS: "--enable-unittests --enable-debug --enable-lua --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk" + - run: test -e doc/userguide/suricata.1 + - run: test -e doc/userguide/userguide.pdf + - name: Building Rust documentation + run: make doc + working-directory: rust + - name: Running suricata-verify + run: python3 ./suricata-verify/run.py -q + - run: make install + - run: suricata-update -V + - run: suricatasc -h + + debian-12-dist: + name: Debian 12 
Dist Builder + runs-on: ubuntu-latest + container: debian:12 + needs: [prepare-deps] + steps: + # Cache Rust stuff. + - name: Cache cargo registry + uses: actions/cache@v3.3.1 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo + + - run: apt update + - run: | + apt -y install \ + autoconf \ + automake \ + build-essential \ + cargo \ + cbindgen \ + cmake \ + curl \ + git \ + jq \ + make \ + libpcre3 \ + libpcre3-dbg \ + libpcre3-dev \ + libpcre2-dev \ + libtool \ + libpcap-dev \ + libnet1-dev \ + libyaml-0-2 \ + libyaml-dev \ + libcap-ng-dev \ + libcap-ng0 \ + libmagic-dev \ + libjansson-dev \ + libjansson4 \ + libnss3-dev \ + libnspr4-dev \ + liblz4-dev \ + libssl-dev \ + liblzma-dev \ + pkg-config \ + python3 \ + python3-yaml \ + rustc \ + sphinx-doc \ + sphinx-common \ + texlive-latex-base \ + texlive-fonts-recommended \ + texlive-fonts-extra \ + texlive-latex-extra \ + zlib1g \ + zlib1g-dev + - uses: actions/checkout@v3.5.3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + with: + name: prep + path: prep + - run: tar xf prep/libhtp.tar.gz + - run: tar xf prep/suricata-update.tar.gz + - run: ./autogen.sh + - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure + - run: make dist + - run: test -e doc/userguide/suricata.1 + - run: test -e doc/userguide/userguide.pdf + - name: Preparing distribution + run: | + mkdir dist + mv suricata-*.tar.gz dist + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + name: Uploading distribution + with: + name: dist + path: dist + debian-11: name: Debian 11 (xdp) runs-on: ubuntu-latest diff --git a/doc/userguide/configuration/exception-policies.rst b/doc/userguide/configuration/exception-policies.rst index 10af446e5874..5944f529428a 100644 --- a/doc/userguide/configuration/exception-policies.rst +++ b/doc/userguide/configuration/exception-policies.rst 
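Review bot: `debian-12-dist` becomes the producer of the `dist` artifact that the CentOS jobs now consume through `needs: [prepare-deps, debian-12-dist]`, so every downstream build inherits whatever runs here, yet the job pins `actions/checkout@v3.5.3` and `actions/cache@v3.3.1` by tag while `actions/upload-artifact` and `actions/download-artifact` are pinned by commit SHA; the two tag pins should be brought to full SHAs like the rest. The `debian-12` and `debian-12-dist` apt lists are near-identical fifty-line copies that differ only in `dpdk-dev`, `libnuma-dev`, `liblua5.1-dev` and `libmaxminddb-dev`, which will drift silently; if the difference is intentional, a comment at the head of the dist list such as `# Keep in sync with the debian-12 job above (minus the dpdk/numa/lua/maxminddb dev packages)` records it, and otherwise a reusable workflow or composite action would remove the duplication, since GitHub workflow files do not expand YAML anchors. `debian-12-dist` also installs `cargo`, `rustc` and `cbindgen` from apt with only `needs: [prepare-deps]`, unlike almalinux-8 which still lists `prepare-cbindgen`; a one-line comment saying the distro cbindgen is sufficient for the tarball, if that is the case, would explain the asymmetry.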
@@ -45,10 +45,13 @@ also defined in the yaml file.
 Auto
 ''''

-**In IPS mode**, the default behavior for all exception policies is to drop
-the flow, or the packet, when the flow action is not supported. It is possible
-to disable this default, by setting the exception policies' "master switch" yaml
-config option to ``ignore``.
+**In IPS mode**, the default behavior for most of the exception policies is to
+fail close. This means droping the flow, or the packet, when the flow action is
+not supported. The default policy for the midstream exception will be ignore if
+midstream flows are accepted.
+
+It is possible to disable this default, by setting the exception policies'
+"master switch" yaml config option to ``ignore``.

 **In IDS mode**, setting ``auto`` mode actually means disabling the
 ``master-switch``, or ignoring the exception policies.
diff --git a/rust/src/rfb/rfb.rs b/rust/src/rfb/rfb.rs
index 940417e8311b..8c3381345012 100644
--- a/rust/src/rfb/rfb.rs
+++ b/rust/src/rfb/rfb.rs
@@ -240,6 +240,15 @@ impl RFBState {
 current = rem;
 let chosen_security_type = request.security_type;
+
+ if let Some(current_transaction) = self.get_current_tx() {
+ current_transaction.ts_security_type_selection = Some(request);
+ current_transaction.chosen_security_type =
+ Some(chosen_security_type as u32);
+ } else {
+ debug_validate_fail!("no transaction set at security type stage");
+ }
+

 match chosen_security_type {
 2 => self.state = parser::RFBGlobalState::TCVncChallenge,
 1 => self.state = parser::RFBGlobalState::TSClientInit,
@@ -256,14 +265,6 @@ impl RFBState {
 return AppLayerResult::ok();
 }
 }
-
- if let Some(current_transaction) = self.get_current_tx() {
- current_transaction.ts_security_type_selection = Some(request);
- current_transaction.chosen_security_type =
- Some(chosen_security_type as u32);
- } else {
- debug_validate_fail!("no transaction set at security type stage");
- }
 }
 Err(Err::Incomplete(_)) => {
 return AppLayerResult::incomplete(
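Review bot: The transaction update now sits before `match chosen_security_type`, which is what lets the arms that return early (the `return AppLayerResult::ok();` visible as context in the next hunk) still record the selection, but nothing in the code says so and a later cleanup could move it back below the match; a comment such as `// Record the selection on the tx before dispatching: several arms below return early.` would pin the ordering. The `else` branch only calls `debug_validate_fail!`, which presumably is a no-op outside debug-validation builds, so a release build continues the state machine with no selection recorded on any transaction; if that best-effort behaviour is intended, the same comment should say so. The enclosing function starts before and ends after this hunk.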
@@ -274,6 +275,7 @@ impl RFBState {
 Err(_) => {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::MalformedMessage);
+ current_transaction.complete = true;
 }
 // We failed to parse the security type.
 // Continue the flow but stop trying to map the protocol.
@@ -312,6 +314,7 @@ impl RFBState {
 Err(_) => {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::MalformedMessage);
+ current_transaction.complete = true;
 }
 // Continue the flow but stop trying to map the protocol.
 self.state = parser::RFBGlobalState::Skip;
@@ -348,6 +351,7 @@ impl RFBState {
 Err(_) => {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::MalformedMessage);
+ current_transaction.complete = true;
 }
 // We failed to parse the client init.
 // Continue the flow but stop trying to map the protocol.
@@ -371,6 +375,7 @@ impl RFBState {
 SCLogDebug!("Invalid state for request: {}", self.state);
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::ConfusedState);
+ current_transaction.complete = true;
 }
 self.state = parser::RFBGlobalState::Skip;
 return AppLayerResult::ok();
@@ -479,6 +484,7 @@ impl RFBState {
 Err(_) => {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::MalformedMessage);
+ current_transaction.complete = true;
 }
 // Continue the flow but stop trying to map the protocol.
 self.state = parser::RFBGlobalState::Skip;
@@ -511,6 +517,7 @@ impl RFBState {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction
 .set_event(RFBEvent::UnimplementedSecurityType);
+ current_transaction.complete = true;
 } else {
 debug_validate_fail!(
 "no transaction set at security type stage"
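Review bot: `current_transaction.complete = true;` is added after `set_event(...)` at every failure site in this file — this hunk and the hunks at -312, -348, -371, -479, -511, -542, -579, -614, -629, -655, -695 and -718 — as a two-line pattern that has to be kept in step by hand, so the next error arm written here can easily set the event and forget the flag. A small method on the transaction type that records the event and marks the transaction complete, called from each `if let Some(current_transaction)` arm, would make the pairing structural; the `UnimplementedSecurityType` site at -511 and the `UnknownSecurityResult` site at -614 would use it as well. The motive also deserves a one-line comment at the first site, e.g. `// Parsing stops here (state goes to Skip): mark the tx complete so it can be logged and released.` — presumably that is the reason, since each site sets `self.state` to `Skip` right after, but the hunks do not say. Each enclosing function starts and ends outside its hunk.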
@@ -542,6 +549,7 @@ impl RFBState {
 Err(_) => {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::MalformedMessage);
+ current_transaction.complete = true;
 }
 // Continue the flow but stop trying to map the protocol.
 self.state = parser::RFBGlobalState::Skip;
@@ -579,6 +587,7 @@ impl RFBState {
 Err(_) => {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::MalformedMessage);
+ current_transaction.complete = true;
 }
 // Continue the flow but stop trying to map the protocol.
 self.state = parser::RFBGlobalState::Skip;
@@ -614,6 +623,7 @@ impl RFBState {
 } else {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::UnknownSecurityResult);
+ current_transaction.complete = true;
 }
 // Continue the flow but stop trying to map the protocol.
 self.state = parser::RFBGlobalState::Skip;
@@ -629,6 +639,7 @@ impl RFBState {
 Err(_) => {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::MalformedMessage);
+ current_transaction.complete = true;
 }
 // Continue the flow but stop trying to map the protocol.
 self.state = parser::RFBGlobalState::Skip;
@@ -655,6 +666,7 @@ impl RFBState {
 Err(_) => {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::MalformedMessage);
+ current_transaction.complete = true;
 }
 // Continue the flow but stop trying to map the protocol.
 self.state = parser::RFBGlobalState::Skip;
@@ -695,6 +707,7 @@ impl RFBState {
 Err(_) => {
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::MalformedMessage);
+ current_transaction.complete = true;
 }
 // Continue the flow but stop trying to map the protocol.
 self.state = parser::RFBGlobalState::Skip;
@@ -718,6 +731,7 @@ impl RFBState {
 SCLogDebug!("Invalid state for response: {}", self.state);
 if let Some(current_transaction) = self.get_current_tx() {
 current_transaction.set_event(RFBEvent::ConfusedState);
+ current_transaction.complete = true;
 }
 self.state = parser::RFBGlobalState::Skip;
 return AppLayerResult::ok();
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index d346f0179576..6c8ba0fba975 100644
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -174,6 +174,7 @@ static enum ExceptionPolicy ExceptionPolicyConfigValueParse(
 return policy;
 }

+/* Select an exception policy in case the configuration value was set to 'auto' */
 static enum ExceptionPolicy ExceptionPolicyPickAuto(bool midstream_enabled, bool support_flow)
 {
 enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
@@ -190,10 +191,8 @@ static enum ExceptionPolicy ExceptionPolicyPickAuto(bool midstream_enabled, bool
 static enum ExceptionPolicy ExceptionPolicyMasterParse(const char *value)
 {
 enum ExceptionPolicy policy = ExceptionPolicyConfigValueParse("exception-policy", value);
- if (policy == EXCEPTION_POLICY_AUTO) {
- policy = ExceptionPolicyPickAuto(false, true);
- } else if (!EngineModeIsIPS() &&
- (policy == EXCEPTION_POLICY_DROP_PACKET || policy == EXCEPTION_POLICY_DROP_FLOW)) {
+ if (!EngineModeIsIPS() &&
+ (policy == EXCEPTION_POLICY_DROP_PACKET || policy == EXCEPTION_POLICY_DROP_FLOW)) {
 policy = EXCEPTION_POLICY_NOT_SET;
 }
 g_eps_have_exception_policy = true;
@@ -209,6 +208,11 @@ static enum ExceptionPolicy ExceptionPolicyGetDefault(
 enum ExceptionPolicy p = EXCEPTION_POLICY_NOT_SET;
 if (g_eps_have_exception_policy) {
 p = GetMasterExceptionPolicy(option);
+
+ if (p == EXCEPTION_POLICY_AUTO) {
+ p = ExceptionPolicyPickAuto(midstream, support_flow);
+ }
+
 if (!support_flow) {
 p = PickPacketAction(option, p);
 }
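Review bot: `ExceptionPolicyMasterParse` now stores `EXCEPTION_POLICY_AUTO` unresolved and `ExceptionPolicyGetDefault` resolves it with `ExceptionPolicyPickAuto(midstream, support_flow)`, but the IDS-mode downgrade of `DROP_PACKET`/`DROP_FLOW` to `NOT_SET` stays in the parser and therefore never sees the value that `auto` resolves to; unless `ExceptionPolicyPickAuto` checks `EngineModeIsIPS()` itself (its body is outside these hunks), an IDS run could now end up with a drop policy from `auto`, which the removed `else if` previously filtered out. Whichever is the case, the reason `auto` is resolved late deserves a comment at the new block in `ExceptionPolicyGetDefault`, e.g. `/* 'auto' is resolved per option here, not in ExceptionPolicyMasterParse, because the choice depends on support_flow and midstream. */`. That resolution also lives inside `if (g_eps_have_exception_policy)`; the rest of the function is outside the hunk, so confirm the no-master-policy path still yields the auto default, since `ExceptionPolicyMidstreamParse` (hunk at -277) now routes its fallback through `ExceptionPolicyGetDefault` instead of calling `ExceptionPolicyPickAuto` directly. Both functions' bodies extend beyond the hunks shown.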
@@ -277,7 +281,7 @@ enum ExceptionPolicy ExceptionPolicyMidstreamParse(bool midstream_enabled)
 }
 }
 } else {
- policy = ExceptionPolicyPickAuto(midstream_enabled, true);
+ policy = ExceptionPolicyGetDefault("stream.midstream-policy", true, midstream_enabled);
 }
 if (policy == EXCEPTION_POLICY_PASS_PACKET || policy == EXCEPTION_POLICY_DROP_PACKET) {