For protocols with multi buffer inspection there could be multiple times
the same sid would be queued into the candidates queue. This triggered
a debug validation check.
W/o debug validation this would lead to duplicate work and possibly multiple
alerts where a single one would be appropriate.
Bug: 5419.
Add tls.random keyword that matches on the 32 bytes of the TLS
random field for client as well as server.
Add tls.random_time keyword that matches on the first 4 bytes of the TLS
random field for client as well as server.
Add tls.random_bytes keyword that matches on the last 28 bytes of the TLS
random field for client as well as server.
All these are sticky buffers.
Feature 5190
Previous adaptive model would have a large time range when scanning the
hash when not so busy. In the default case it would take up to 4 minutes
for a full hash scan. In case of sudden increase in business, where the
hash would fill up rapidily during a few seconds, the flow manager would
be forced to suddenly consider a much larger slice of the hash leading
to a burst of work. This burst would increase pressure on the rest of the
system leading to packet loss as the worker threads would be overloaded
with flow housekeeping tasks.
This patch reduces the max scan time to 10 seconds, and ramps up quickly
to increase the slice of the hash scanned.
Before, if an invalid value was passed as exception policy, Suricata
would log a warning and set the exception policy to "ignore". This is a
very different result, than, say, dropping or bypassing a midstream flow.
Task #5504
When doing a DCERPC request, we can use the context id to log the
interface that is used. Doing that we can see in one single event
what is the DCERPC interface and opnum that are used. This allows
to have all the information needed to resolve the request to a
function call.
Feature #5413.
Bug 5458 states that the reject action is no longer working. While SV
tests that use the reject action still pass, it indeed seems that a
regression has happened with commit aa93984, because while the
function that applies rule actions to the flow (RuleActionToFlow) does
check for the reject action, the newly added function PacketApply
SignatureActions only checks for ACTION_DROP or ACTION_PASS when
deciding to call RuleActionToFlow.
Bug #5458
A Packet may be dropped due to several different reasons. This change
adds action as a parameter, so we can update the packet action when we
drop it, instead of setting it to drop.
Related to
Bug #5458
When building with the following options:
./configure CC=clang --enable-luajit --enable-geoip --enable-unittests
There is a build failure:
runmode-unittests.c:234:9: error: implicit declaration of function 'LuajitSetupStatesPool' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
if (LuajitSetupStatesPool() != 0) {
As an SMB2 async response does not have a tree id, even if
the request has it.
Per spec, MessageId should be enough to identifiy a message request
and response uniquely across all messages that are sent on the same
SMB2 Protocol transport connection.
So, the tree id is redundant anyways.
Ticket: #5508
Our unittests were only covering sig parsing for alert actions. As in
environments without LibNet the reject action will not work, we must
ensure that our parser properly fails in such cases, instead of silently
accepting an unsupported action.
Added tests for the reject and drop action.
Task #5496
sphinx-build 5.1.1 and above throws a warning which is treated as an
error while building.
Invalid configuration value found: 'language = None'. Update your configuration to a valid language code. Falling back to 'en' (English).
MIME parsing was setting flag on URL to indicate their
estimated type. This patch attach the information to
the email object so the user can extract interesting
email directly:
```
"email": {
"status": "PARSE_DONE",
"from": "Eric Leblond <regit@regit.org>",
"to": [
"eric@regit.org"
],
"has_ipv6_url": false,
"has_ipv4_url": false,
"has_exe_url": true,
"url": [
"http://www.toto.com",
"http://perdu.com.",
"https://hacke.me/pown.exe"
]
}
```
As state fields can grow abitrarily, and this can lead to DOS
by quadratic complexity (CPU time and disk space)
Adds a direction field to retain all the information in the
transaction.
Also checks array vendor_ids had at least one element before
logging it.
Ticket: #5455
Instead of using distutils/setuptools for installing the Python code,
just install it into our own Python directory.
Distutils is being removed from Python, and setuptools doesn't work well
when trying to install into your own location. For our usage its just
simpler to install with make.
In addition to removing the configure check for distutils, also remove
the check for pyyaml. This lets the user install pyyaml after Suricata
is installed, and Suricata-Update does handle this case gracefully.
Issue: #5313
Victor Julien
Shivani Bhardwaj
Philippe Antoine
Juliana Fajardini
Eric Leblond
jason taylor
dependabot[bot]
Philippe Antoine
Jason Ish
Benjamin Wilkins