Commit Graph

16925 Commits (09db7c7ac128c51ce4a40d5c3bd3f7cbbfee9fe3)
 

Author SHA1 Message Date
Alice Akaki 09db7c7ac1 detect: add mime email.subject keyword
email.subject matches on MIME EMAIL SUBJECT
This keyword maps to the EVE field email.subject
It is a sticky buffer
Supports prefiltering

Ticket: #7595
4 months ago
Jason Ish 7fdb08b7c7 af-packet: use tpacket v3 by default for ids mode
If "tpacket-v3" is not present in the configuration file, and we are
in IDS mode, default to "tpacket-v3".

Required moving the check for tpacket-v3 after the copy-mode
configuration, so the warning about tpacket-v3 in active modes has
been moved as well.

Ticket: #4798
4 months ago
Jason Ish 374762d202 af-packet: remove use-mmap option
This option is obsolete and was not used in 7.0 as tpacket-v1 support
was removed (see ticket #4796).
4 months ago
Jason Ish 51f7b5924d af-packet: remove build conditional for tpacket-v3
All kernels on supported distributions should now support tpacket-v3,
so only enable af-packet if v2 and v3 are available.
4 months ago
Juliana Fajardini c595bfed87 pgsql/parser: use fn for length parsing...
... there was still one parser missing this conversion.
4 months ago
Juliana Fajardini 0d2bea9bab util/exception: fix coverity warning
CID 1644862:  Control flow issues  (UNREACHABLE)

In ExceptionPolicyTargetFlagToString, a statement cannot be reached
(line 113).
4 months ago
Juliana Fajardini a9b2a62ee4 userguide/exceptions: clarify when stats are logged
The stats for exception policies are only logged/present when any of
the exception policies are enabled (which means any value other than
"auto" or "ignore" in IDS mode, or "ignore" in IPS mode).

This wasn't clearly stated in the docs.
4 months ago
Juliana Fajardini 08e928988f flow/output: log triggered exception policies
To accompany the Exception Policy stats, also add information about any
Exception Policy triggered and for which target to the flow log event.

Task #6215
4 months ago
Victor Julien 45500acdc4 tls: implement alert parser
Fatal alerts set the tx state to 'finished'.

Add event for malformed alerts.
4 months ago
Jason Ish 7568b8020d dns: stop renaming DNSTransaction to RSDNSTransaction
Not needed anymore as there is no DNSTransaction in the C src to
conflict.
4 months ago
Jason Ish a6b116bcbe lua: document new suricata.dns lua library
Ticket: #7602
4 months ago
Jason Ish 1206c1c5af lua: convert dns function into suricata.dns lib
Notable changes from the previous API:
- rcode will return the rcode as an integer
- rcode_string will return the string representation

Also fixes an issue where an rcode of 0 was returned as nil.

Ticket: #7602
4 months ago
Alice Akaki 90aab0d62f detect: add email.from
email.from matches on MIME EMAIL FROM
This keyword maps to the EVE field email.from
It is a sticky buffer
Supports prefiltering

Ticket: #7592
4 months ago
Alice Akaki 90cf59ac71 rustfmt: rust/src/mime/smtp.rs 4 months ago
Joyce Yu 1c50de4ad0 Eve: use mac addresses from flow for flow timeout
Ethernet metadata is missing for events triggered on flow timeout
pseudopackets. Use the first set of mac addresses stored with the
flow to fill in the ether field.

Ticket: #5486
4 months ago
Joyce Yu dac0d6371e Doc: update eve-json-output ethernet description
Document getting mac addresses from flow when flow timeout.
4 months ago
Victor Julien 749ffbd06a af-packet: use actual snaplen in bpf
Avoids setting a 0 snaplen in BPF, leading to an error.

Fixes: b8b6ed550a ("af-packet: delay setting default-packet-size for af-packet")

Ticket: #7618.
4 months ago
Victor Julien c6fdf99cec datasets: work around scan-build warning
datasets.c:493:27: warning: Dereference of null pointer [core.NullDereference]
  493 |     DEBUG_VALIDATE_BUG_ON(set->hash->config.hash_size != hashsize);
      |                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-validate.h:95:44: note: expanded from macro 'DEBUG_VALIDATE_BUG_ON'
   95 | #define DEBUG_VALIDATE_BUG_ON(exp) BUG_ON((exp))
      |                                            ^~~
./suricata-common.h:307:36: note: expanded from macro 'BUG_ON'
  307 |         #define BUG_ON(x) assert(!(x))
      |                                    ^
/usr/include/assert.h:109:7: note: expanded from macro 'assert'
  109 |     ((expr)                                                             \
      |       ^~~~
1 warning generated.
4 months ago
Shivani Bhardwaj be372ce39d doc: explain priority port setting
Ticket 7329
4 months ago
Shivani Bhardwaj 040c694256 doc: format and align suricata.yaml section 4 months ago
Juliana Fajardini 3985b24e1b upgrade: list inspection recursion default limit
The yaml indicated before that if no value was specified there were
no limits, and now there will be one.
5 months ago
Juliana Fajardini e1f9e66af0 doc/upgrade: add datasets hash size limit note 5 months ago
Philippe Antoine a7713db709 detect: add configurable limits for datasets
Ticket: 7615

Avoids signatures setting extreme hash sizes, which would lead to very
high memory use.

Default to allowing:
- 65536 per dataset
- 16777216 total

To override these built-in defaults:

```yaml
datasets:
  # Limits for per rule dataset instances to avoid rules using too many
  # resources.
  limits:
    # Max value for per dataset `hashsize` setting
    #single-hashsize: 65536
    # Max combined hashsize values for all datasets.
    #total-hashsizes: 16777216
```
5 months ago
Victor Julien d32a39ca4b datasets: improve default hashsize handling
Make hashsize default local to dataset code, instead of relying on the
thash code.

Use the same default value as before.
5 months ago
Jason Ish c6d18fc871 doc/userguide: af-packet upgrade notes
Add note about increased block size and how to change it back to old
defaults if needed.

Ticket: #7458
5 months ago
Jason Ish b8b6ed550a af-packet: delay setting default-packet-size for af-packet
AF_PACKET needs more information about its configuration before we can
set the default packet size, so on startup, leave unset in suricata.c
if in AF_PACKET mode.

If defrag is enabled, use a default packet size of 9k for tpacket-v2.
This can still lead to truncation events, then the user can increase
their 'default-packet-size'.

Tpacket-v3 does not need an increased packet size as it will handle
any size of packet that is smaller than the configured block size
which now has a default of 128k.

9k for the snap is somewhat arbitrary but is large enough for the
common 9000 jumbo frame plus some extra headers including tpacket
headers.

Ticket: #7458
5 months ago
Jason Ish 8c7ac89791 af-packet: warn that tpacket-v3 is better for non-inline usage
Ticket: #7458
5 months ago
Jason Ish d78f2c9a4e af-packet: add event for packets truncated by af-packet
Ticket: #7458
5 months ago
Jason Ish 9f96975d55 af-packet: warn if v3 block size is not large enough for defrag
If using tpacket-v3 and defrag, warn if the block size is not large
enough for a fully defragmented packet.

Ticket: #7458
5 months ago
Jason Ish 320ef7b617 af-packet: warn if v2 block size not large enough for defrag
If using tpacket-v2, defrag and a user provided v2-block-size, warn if
the block size is not large enough to hold one fully defragmented
packet.

Ticket: #7458
5 months ago
Jason Ish 5871c6458c af-packet: make tpacket-v2 block size configurable
With the change of the default tpacket-v2 block size from 32k to 128k,
allow it to be configurable for users who may want to make it larger,
or revert it back to the pre 7.0.9 default of 32k.

Ticket: #7458
5 months ago
Jason Ish c342b054f4 af-packet: increase default block size
Increase the default block size from 32k to 128k. This allows for a
fully defragmented packet to fit in the buffer.

Ticket: #7458
5 months ago
Jason Ish 808502d5ca af-packet: warn if defrag not suitable for mode
AF_PACKET defrag should not be used for inline modes. It's possible that
a packet received could be larger than can be set when defrag is
enabled, so warn if disabled for inline use.

Likewise, warn if defrag is disabled for IDS use, or non-inline mode.

Ticket: #7458
5 months ago
Jason Ish 25d0fba912 af-packet: check defrag value even if cluster-type not set
If cluster-type was not set we default to "cluster_flow" with defrag
always on. Instead check for defrag value and disable defrag if disabled
by the user.

Ticket: #7458
5 months ago
Philippe Antoine 32d0bd2bbb detect: limit base64_decode `bytes` to 64KiB
Ticket: 7613

Avoids potential large per-thread memory allocation. A buffer with the
size of the largest decode_base64 buffer size setting would be allocated
per thread. As this was a u32, it could mean a per-thread 4GiB memory
allocation.

64KiB was already the built-in default for cases where bytes size wasn't
specified.
5 months ago
Philippe Antoine b9b797f1f4 detect: non infinite default value for inspection-recursion-limit
So that empty configs are protected by this setting as was intended.

Set to unlimited for fuzz testing.
5 months ago
Philippe Antoine b14c67cbdf detect/pcre: avoid infinite loop after negated pcre
Ticket: 7526

The usage of negated pcre, followed by other relative payload
content keywords could lead to an infinite loop.

This is because regular (not negated) pcre can test multiple
occurrences, but negated pcre should be tried only once.
5 months ago
Jason Ish 66e47a1983 rust: pin once_cell to work with Rust 1.67.1
Clap uses once_cell which recently released v1.20 which updated its
MSRV to 1.70. Locally pin once_cell to 1.20.3 to maintain our MSRV.
5 months ago
Victor Julien 559e4ce062 pcap: skip pcap-config if pkgconfig in use 5 months ago
Victor Julien 2aceb9b76f detect/action: minor action parsing cleanup
Preparation for explicit action scope parsing.
5 months ago
Victor Julien fa9dbe3970 detect/loader: minor code cleanup 5 months ago
Victor Julien ce26159a03 detect: constify rule file and lines in parsing and analyzer 5 months ago
Victor Julien c65756a38c tls: fix handshake handling being too strict
e.g. server hello done has no data
5 months ago
Victor Julien f5e4c52f44 app-layer: constify AppLayerGetProtoByName 5 months ago
Victor Julien b5cd1e578b detect/tls: don't double register tls_validity generic list 5 months ago
Victor Julien c1155e473d detect/nfs: don't double register nfs_request generic list 5 months ago
Victor Julien 7cafdfac11 detect: don't register duplicate app inspect engines 5 months ago
Victor Julien b649252059 detect/analyzer: add policy
Example output:

    "match_policy": {
        "actions": [
            "alert",
            "drop"
        ],
        "scope": "flow"
    },
5 months ago
Victor Julien 609a59a529 smtp/events: set direction on rules
Several rules matched on both directions even if events are set in a single direction.
5 months ago
Jason Ish 3658d502ff github-ci: don't run builds on PR if only docs changed 5 months ago