When having many transactions in a single parsing call...
Fix has overhead of having one more field in the mqtt state.
Completes commit a8079dc978
Ticket: #5399
(cherry picked from commit e160917bcf)
Allows users to find balance between completeness of decoding
and increases resource consumption, which can DOS suricata.
(cherry picked from commit e42094f238)
Ticket: 4530
So, that we do not get DOS by quadratic complexity, while
looking for a new pkt_id over the ever growing list
of active transactions
(cherry picked from commit a8079dc978)
Before 6.0.6 if hex content was incomplete, Suricata didn't error out.
With 6.0.6 incomplete hex was detected and errored on which is a
breaking change in a release branch. Instead, only emit a warning
unless strict content checking has been requested.
To enable strict behaviour on incomplete content hex in a rule,
"--strict-rule-keywords=content" can be used on the command line.
Issue: #5546
Add a new setup return code, -4 which will print the error, but not
error out in test mode. This is to support allowing incomplete hex, as
there is no context as to which rule had the issue.
For context:
- -3: error ok, no message
- -2: error not ok, no message
- -4: error ok, message
For protocols with multi buffer inspection there could be multiple times
the same sid would be queued into the candidates queue. This triggered
a debug validation check.
W/o debug validation this would lead to duplicate work and possibly multiple
alerts where a single one would be appropriate.
Bug: 5419.
(cherry picked from commit 1bff888947)
This enables the usage of 'reject' as an exception policy. As for both
IPS and IDS modes the intended result of sending a reject packet is to
reject the related flow, this will effectively mean setting the reject
action to the packet that triggered the exception condition, and then
dropping the associated flow.
Task #5503
(cherry picked from commit bbd968c738)
Added them in the configuration section so folks can be more aware of
them, while a more complete documentation isn't around.
Related to
Task #5475
(cherry picked from commit ef54f36e34)
We had two sections under the suricata.yaml configuration section
describing settings for application layer parsers. This merges them into
one and also fixes a few subsection title levels.
Task #5364
(cherry picked from commit 0cc040cf61)
This allows to set a midstream-policy that can:
- fail closed (stream.midstream-policy=drop-flow)
- fail open (stream.midstream-policy=pass-flow)
- bypass stream (stream.midstream-policy=bypass)
- do nothing (default behavior)
Usage and behavior:
If stream.midstream-policy is set then if Suricata identifies a midstream flow
it will apply the corresponding action associated with the policy.
No setting means Suricata will not apply such policies, either inspecting the
flow (if stream.midstream=true) or ignoring it stream.midstream=false.
Task #5468
(cherry picked from commit aa5bb2c329)
Make sure that when the policy is to drop the flow, we set no inspection
for payload and packet and disable applayer inspection as well.
Task #5468
(cherry picked from commit 242b8f7d65)
Instead of using distutils/setuptools for installing the Python code,
just install it into our own Python directory.
Distutils is being removed from Python, and setuptools doesn't work well
when trying to install into your own location. For our usage its just
simpler to install with make.
In addition to removing the configure check for distutils, also remove
the check for pyyaml. This lets the user install pyyaml after Suricata
is installed, and Suricata-Update does handle this case gracefully.
Issue: #5313
(cherry picked from commit 9a1d6af858)
sphinx-build 5.1.1 and above throws a warning which is treated as an
error while building.
Invalid configuration value found: 'language = None'. Update your configuration to a valid language code. Falling back to 'en' (English).
(cherry picked from commit 2c4d6b33ae)
Before, if an invalid value was passed as exception policy, Suricata
would log a warning and set the exception policy to "ignore". This is a
very different result, than, say, dropping or bypassing a midstream flow.
Task #5504
(cherry picked from commit 58ef3cde7a)
Our unittests were only covering sig parsing for alert actions. As in
environments without LibNet the reject action will not work, we must
ensure that our parser properly fails in such cases, instead of silently
accepting an unsupported action.
Added tests for the reject and drop action.
Task #5496
(cherry picked from commit c81b78fd1c)
For testing purposes. Meant to simulate a reallocation failure when
dynamically growing the alert queue in DetectEngineThreadCtx, so we can
check that Suri's behavior doesn't break under such circumstances.
Task #5319
(cherry picked from commit 58928b249d)
Add unittests to check that packet flags are correctly updated after
detection finds drop or reject rules that match.
Related to
Bug #5458
(cherry picked from commit f897761ecb)
Bug 5458 states that the reject action is no longer working. While SV
tests that use the reject action still pass, it indeed seems that a
regression has happened with commit aa93984, because while the
function that applies rule actions to the flow (RuleActionToFlow) does
check for the reject action, the newly added function PacketApply
SignatureActions only checks for ACTION_DROP or ACTION_PASS when
deciding to call RuleActionToFlow.
Bug #5458
(cherry picked from commit 1f54e8611a)
A Packet may be dropped due to several different reasons. This change
adds action as a parameter, so we can update the packet action when we
drop it, instead of setting it to drop.
Related to
Bug #5458
(cherry picked from commit 1774ff18a6)
When in live-pcap mode, if the sniffed interface went down and up again,
Suri would enter an infinite and keep running, while not registering new
events. This fixes that behavior by allowing Suri to retry to open the
pcap in case of a retry on an already activated capture
('PCAP_ERROR_ACTIVATED').
This change is based on Zhiyuan Liao's work.
Bug #3846
(cherry picked from commit 2544be4672)
alert_queue_overflow and alerts_suppressed were not being
reinitialized when there was a reload of Suricata rules, leading to
non-valid stats counters if that happened.
Bug #5457
(cherry picked from commit 93c2c9743d)
This is a backport of ea1d03f8e3 by Pierre
Chifflier adapted for 6.0.x.
> The `count` combinator preallocates a number of bytes. Since the value
> is untrusted, this can result in an Out Of Memory allocation.
> Use a maximum value, large enough to cover all current implementations.
Ticket: #5448
Readthedocs is attempting to use our /requirements.txt file as a Python
requirements file, which it is not. Add a Readthedocs configuration file
to tell it to not use any requirements file.
Philippe Antoine
Jeff Lucovsky
Philippe Antoine
Victor Julien
Jason Ish
Juliana Fajardini
Gleb Smirnoff
Victor Julien
Shivani Bhardwaj