Commit Graph

19193 Commits (72e93144022c5e38f4b271eeeb8602573106291a)
 

Author SHA1 Message Date
Philippe Antoine 72e9314402 ci: check cargo fmt for whole suricata 3 weeks ago
Philippe Antoine e6ee69c7da rust: format all files
except the ones with #[rustfmt::skip]

Ticket: 3836
3 weeks ago
Shivani Bhardwaj 3adb975032 misc: rename requirements.txt to bundle.txt
Do not use Python's standard file name to define external packages that
need to be installed. This confuses Dependabot.
3 weeks ago
Victor Julien 2b19f86ee6 Revert "af-packet: speed up thread sync during startup"
This reverts commit 923ad6af77.

Several issues have been reported:

1. non-deterministic thread to queue mapping (privately reported)

2. race condition causing IPS mode to loose packets, or get stuck
   completely, ticket 8667.

Ticket: #8667.
3 weeks ago
Philippe Antoine ac1b3cc1ef windows: always quote path for windows functions needing it
Ticket: 8600

CreateServiceA doc states for example :

> If the path contains a space, it must be quoted so that it is
  correctly interpreted.

Also fixes strlcat usage and check return value to error out on
truncated path
3 weeks ago
Philippe Antoine 114c80099c suricata: make FUZZING a feature
so as to skip SV tests that would fail when we are building in unsafe
fuzzing mode
3 weeks ago
Philippe Antoine 5a03fbfc61 detect/engine-analyzer: add note for pcre with \X
Ticket: 8634
3 weeks ago
Maxime FORJA a4841e60cb docs: fix typos in Basic_Setup.txt
- Fixed a typo where 'change' was used instead of 'chance'.

- Removed trailing spaces before commas.

- Corrected 'up-dated' to 'updated'.
3 weeks ago
Samaresh Kumar Singh decd897eff doc: clarify suricata.yaml location per install
The Quickstart guide installs Suricata from the Ubuntu PPA, where the
config lives at /etc/suricata/suricata.yaml. A source build installs it
under the prefix passed to configure, which defaults to /usr/local, so
the file ends up at /usr/local/etc/suricata/suricata.yaml instead. Add a
note next to the edit step so source-build users are not confused when
the package path does not exist on their system.

Ticket: #8358
Signed-off-by: Samaresh Kumar Singh <ssam3003@gmail.com>
3 weeks ago
Philippe Antoine ca34fba00c rust: format smb files
Ticket: 3836
3 weeks ago
Philippe Antoine f8ac56c591 dcerpc: remove obsolete comment 3 weeks ago
Jason Ish 2fe4bb2872 ftpdata: ignore direction in ftpdata_command
The ftpdata_command would never match a RETR in the to_server direction,
or a STOR in the to_client direction, this effectively makes the
ftpdata_command applicable to passive mode only.

Instead, remove the directionality on the ftpdata_command. Its "meta"
information passed from the control channel and isn't really
directional. I think the idea was to abstract away active/passive from
the rule writer, but unfortunately doesn't allow the ftpdata_command
keyword to work in the more strict firewll mode.

Ticket: #8663
3 weeks ago
Jason Ish d346e469c5 ftp: skip ts inspection on tc only transactions
In FTP, the first transaction is a banner from the server. Skip TS
inspection on this transaction.

Allows firewall mode to get past this transaction and onto the next.

Ticket: #8662
3 weeks ago
Philippe Antoine 097975e289 fuzz: forbid usage of pcre with \X
Ticket: 8634
4 weeks ago
Philippe Antoine aea9fd73b7 rust: format dcerpc files
Ticket: 3836
4 weeks ago
Abhijeet Singh 28b10fb042 util/log: rotate log file periodically
Fix log file not rotating during zero traffic periods by triggering rotation logic every second

Ticket: https://redmine.openinfosecfoundation.org/issues/8115
4 weeks ago
Victor Julien 1eff94f2b2 github-ci: add gcc analyzer build
Make sure to not run against lua rust crate build, as it's not clean.
4 weeks ago
Victor Julien 7cb64cc20f nfq: suppress gcc analyzer warnings 4 weeks ago
Victor Julien 79ef58be12 mpm/hs: remove useless pointer check
Pointer can't be NULL, so don't check it.

Helps gcc analyzer as well.
4 weeks ago
Victor Julien f434732c73 util/var-name: help gcc analyzer
Help it understand TAILQ.
4 weeks ago
Victor Julien 32fc437568 spm/bm: match suff array to pattern size
Avoids gcc -fanalyzer warning about out of bounds write to the array.
4 weeks ago
Victor Julien 5179af5557 affinity: gcc analyzer warnings
The double strchr confused gcc -fanalyzer.
4 weeks ago
Victor Julien f9cf9c1de7 output: suppress gcc analyzer warnings
By teaching about TAILQ.
4 weeks ago
Victor Julien e2f9211727 log-pcap: address gcc analyzer warnings
Reopen file descriptor for lz4 with the init function. This helps
code analyzers understand the handle it's leaked.

Improve flow of profiling dumps to avoid analyzer confusion around the
file descriptor.

Suppress TAILQ related warnings.
4 weeks ago
Victor Julien 65f1a022f0 detect/ip_proto: clean up parsing function
Helps address a gcc -fanalyzer warning.
4 weeks ago
Victor Julien ff7fae54d2 detect/flowvar: help gcc -fanalyzer
Add debug validation statement to assert prev pointer is not NULL.
4 weeks ago
Victor Julien 05eac977f0 detect/sigorder: handle allocation failure
Addresses a gcc -fanalyzer warning.
4 weeks ago
Victor Julien caa9ddaa26 decode/tcp: only set data ptr for valid option lengths 4 weeks ago
Victor Julien 32414573a7 conf: assist gcc -fanalyzer
Work around TAILQ false positive.
4 weeks ago
Victor Julien 6e1f96f91a tm/queues: assist gcc -fanalyzer
Work around TAILQ false positive.
4 weeks ago
Victor Julien a5effad936 frames: avoid possible undefined behavior
Code analyzer flagged FrameCopy as a possible source of UB due to
both pointers passed to memcpy being the same.

app-layer-frames.c: In function ‘FrameCopy’:
app-layer-frames.c:236:5: warning: overlapping buffers passed as arguments to ‘memcpy’ [-Wanalyzer-overlapping-buffers]
  236 |     memcpy(dst, src, sizeof(*dst));
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘FramePrune’: events 1-8
    │
    │  750 | static void FramePrune(Frames *frames, const TcpStream *stream, const bool eof)
    │      |             ^~~~~~~~~~
    │      |             |
    │      |             (1) entry to ‘FramePrune’
    │......
    │  766 |     for (uint16_t i = 0; i < frames->cnt; i++) {
    │      |                          ~~~~~~~~~~~~~~~
    │      |                            |
    │      |                            (2) following ‘true’ branch... ─>─┐
    │      |                                                              │
    │      |                                                              │
    │      |┌─────────────────────────────────────────────────────────────┘
    │  767 |│        if (i < FRAMES_STATIC_CNT) {
    │      |│           ~
    │      |│           |
    │      |└──────────>(3) ...to here
    │      |            (4) following ‘true’ branch (when ‘i <= 2’)... ─>─┐
    │      |                                                              │
    │      |                                                              │
    │      |┌─────────────────────────────────────────────────────────────┘
    │  768 |│            Frame *frame = &frames->sframes[i];
    │      |│                            ~~~~~~~~~~~~~~~~~~
    │      |│                                           |
    │      |└──────────────────────────────────────────>(5) ...to here
    │  769 |             FrameDebug("prune(s)", frames, frame);
    │  770 |             if (eof || FrameIsDone(frame, acked)) {
    │      |                ~
    │      |                |
    │      |                (6) following ‘false’ branch... ─>─┐
    │      |                                                   │
    │......
    │      |                                                   │
    │      |┌──────────────────────────────────────────────────┘
    │  779 |│                const uint64_t fle = FrameLeftEdge(stream, frame);
    │      |│                                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    │      |│                                     |
    │      |└────────────────────────────────────>(7) ...to here
    │      |                                      (8) calling ‘FrameLeftEdge’ from ‘FramePrune’
    │
    └──> ‘FrameLeftEdge’: event 9
           │
           │  257 | static inline uint64_t FrameLeftEdge(const TcpStream *stream, const Frame *frame)
           │      |                        ^~~~~~~~~~~~~
           │      |                        |
           │      |                        (9) entry to ‘FrameLeftEdge’
           │
         ‘FrameLeftEdge’: event 10
           │
           │suricata-common.h:323:27:
           │  323 |         #define BUG_ON(x) assert(!(x))
           │      |                           ^~~~~~
           │      |                           |
           │      |                           (10) following ‘false’ branch (when ‘frame_offset <= app_progress’)... ─>─┐
           │      |                                                                                                     │
util-validate.h:95:36: note: in expansion of macro ‘BUG_ON’
           │   95 | #define DEBUG_VALIDATE_BUG_ON(exp) BUG_ON((exp))
           │      |                                    ^~~~~~
app-layer-frames.c:266:5: note: in expansion of macro ‘DEBUG_VALIDATE_BUG_ON’
           │  266 |     DEBUG_VALIDATE_BUG_ON(frame_offset > app_progress);
           │      |     ^~~~~~~~~~~~~~~~~~~~~
           │
         ‘FrameLeftEdge’: event 11
           │
           │      |                                                                                                     │
           │      |┌────────────────────────────────────────────────────────────────────────────────────────────────────┘
           │  269 |│    if (frame->len < 0) {
           │      |│        ~~~~~^~~~~
           │      |│             |
           │      |└────────────>(11) ...to here
           │
    <──────┘
    │
  ‘FramePrune’: events 12-13
    │
    │  779 |                 const uint64_t fle = FrameLeftEdge(stream, frame);
    │      |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    │      |                                      |
    │      |                                      (12) returning to ‘FramePrune’ from ‘FrameLeftEdge’
    │......
    │  783 |                 FrameCopy(nframe, frame);
    │      |                 ~~~~~~~~~~~~~~~~~~~~~~~~
    │      |                 |
    │      |                 (13) calling ‘FrameCopy’ from ‘FramePrune’
    │
    └──> ‘FrameCopy’: events 14-15
           │
           │  234 | static void FrameCopy(Frame *dst, Frame *src)
           │      |             ^~~~~~~~~
           │      |             |
           │      |             (14) entry to ‘FrameCopy’
           │  235 | {
           │  236 |     memcpy(dst, src, sizeof(*dst));
           │      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           │      |     |
           │      |     (15) ⚠️  overlapping buffers passed as arguments to ‘memcpy’
           │
In file included from suricata-common.h:129,
                 from app-layer-frames.c:25:
/usr/include/string.h:47:14: note: the behavior of ‘memcpy’ is undefined for overlapping buffers
   47 | extern void *memcpy (void *__restrict __dest, const void *__restrict __src,
      |              ^~~~~~
4 weeks ago
Victor Julien 188376b577 output/filestore: refactor file descriptor handling
To assist code analyzers. Gcc -fanalyzer got confused about it.

Also test data pointer and length before calling fwrite and check the
result better.

Use a single atomic for the max open files check.
4 weeks ago
Philippe Antoine c6014a77a2 websocket: accepts config value with units
Ticket: 8552

As was the commented out example
4 weeks ago
Samaresh Kumar Singh 565e138754 pcap-file: skip setvbuf on non-seekable streams
Reading a pcap from /dev/stdin or a named pipe currently fails with "failed to get first packet timestamp. pcap_next_ex(): -1" because InitPcapFile calls setvbuf on the FILE* underlying the pcap handle after libpcap has already consumed the pcap header. On a non-seekable fd glibc cannot recover from that and the next read returns -1.

Detect non-regular files via fstat and skip setvbuf in that case so the read keeps working on pipes, fifos and stdin.

Accept pcap-file.buffer-size values of 0, which disables setvbuf buffering as an explicit opt-out, or PCAP_FILE_BUFFER_SIZE_MIN (4 KiB) to PCAP_FILE_BUFFER_SIZE_MAX (64 MiB). Treat any non-zero setvbuf return value as an error, not just negative values.

When pcap-file.buffer-size fails to parse, retain the default buffer size instead of falling through and setting it to 0. The branches are now mutually exclusive so only one of the parse-error, accepted, or out-of-range messages is logged.

Update the user guide: --pcap-file-buffer-size now documents valid values of 0 (disables setvbuf buffering) or 4 KiB to 64 MiB, and pcap-file.rst notes that 0 is the opt-out for non-seekable sources such as stdin and named pipes.
Bug: #8464.
4 weeks ago
Samaresh Kumar Singh df353242bd detect: fail thread init on keyword ctx error
DetectEngineThreadCtxInitKeywords returns TM_ECODE_FAILED when a per-thread keyword init fails (for example DetectFilemagicThreadInit), but ThreadCtxDoInit discarded that result and still returned OK. The detect thread then ran with a partially initialized keyword context array, producing indeterminate results. Propagate the failure so the callers abort thread init and clean up.

Add a unit test that registers a keyword whose thread init fails and verifies that DetectEngineThreadCtxInit reports the failure.

Ticket: #8237
4 weeks ago
Philippe Antoine 6bb271cee9 conf: uses SCConfGetNonNull
Ticke: 8651

Uses it in place when we dereferenced the value straight away
after checking SCConfGet result but not its value
4 weeks ago
Philippe Antoine a9e1dff4a6 conf: introduce SCConfGetNonNull
Ticket: 8651

Behaves like SCConfGet but returns 0 on null value
4 weeks ago
Philippe Antoine e0152178da rust: format detect files
Ticket: 3836
4 weeks ago
Giuseppe Longo 8a4eea44d8 suricata.yaml.in: enable app-layer.sip by default 1 month ago
Giuseppe Longo ae58cc6491 rules: add sip-events.rules
Ticket #8524
1 month ago
Giuseppe Longo 695b4f4a3d sip: remove incomplete data event
It's no longer useful to set an event when the data is incomplete,
since an error is returned.

Ticket #8524
1 month ago
Giuseppe Longo ba5e850264 sip: make pattern matching more robust
SIP and SSDP share method names like NOTIFY and SUBSCRIBE,
causing SSDP traffic to be misidentified as SIP.
Add a probing parser callback that checks for "SIP/" in the
payload before accepting a pattern match.

Example of a misidentified flow before the fix:
{"timestamp":"2014-02-27T19:44:43.164211+0100","flow_id":986757542077835,"event_type":"flow","src_ip":"192.168.1.1","src_port":9489,"dest_ip":"239.255.255.250
","dest_port":1900,"ip_v":4,"proto":"UDP","app_proto":"sip","flow":{"..."}}

After the fix:
{"timestamp":"2014-02-27T19:44:43.164211+0100","flow_id":986757542077835,"event_type":"flow","src_ip":"192.168.1.1","src_port":9489,"dest_ip":"239.255.255.250
","dest_port":1900,"ip_v":4,"proto":"UDP","app_proto":"failed","flow":{"..."}}

Ticket #8355
1 month ago
Philippe Antoine 762b725e1f ci: check-doc-rules copies data(sets) files into tmpdir
Allows to use datasets load
1 month ago
Victor Julien d154484cc6 detect/firewall: support hook LTE mode for built-in hooks
LTE support depended on registered hook names, but did not support the
built-in names. This commit adds the support.

Ticket: #8645.
1 month ago
Victor Julien b02fa53134 detect: add helper for getting hook name
To fetch hook name from app-layer, or use built-ins.
1 month ago
Victor Julien 2a2cb40336 detect: misc debug log additions 1 month ago
Victor Julien 569d27e153 detect: propagate inspect engine setup failures 1 month ago
Victor Julien d64954a873 detect: don't register unrelated inspect engines
For rules that specify an explicit app-layer hook,
e.g. http1:request_headers, don't register inspect engines for
other protocols like HTTP/2. These have their own progress tracking,
so should be excluded from these rules.
1 month ago
Urval 3b9dc5ad37 output-json: avoid freeing caller-owned JSON builder
EveEmailLogJsonData() freed the provided SCJsonBuilder when
SMTP state was unavailable, even though ownership remains with
the caller. The caller may continue using the builder for
cleanup after the function returns failure.

Return failure without freeing the builder and add defensive
NULL checks in EveSmtpDataLogger().

Signed-off-by: Urval Kheni <urvalkheni777@gmail.com>
1 month ago
Shivani Bhardwaj 0345b91ddd rust: exclude DETECT_BYTEMATH_ENDIAN_DEFAULT from bindings
to deal with the failure due to cbindgen updates and mismatches in
generated bindings.

detect-bytemath.c:61: error: "DETECT_BYTEMATH_ENDIAN_DEFAULT" redefined [-Werror]
   61 | #define DETECT_BYTEMATH_ENDIAN_DEFAULT (uint8_t) BigEndian
      |
In file included from rust.h:34,
                 from detect-bytemath.c:32:
./../rust/gen/rust-bindings.h:5071: note: this is the location of the previous definition
 5071 | #define DETECT_BYTEMATH_ENDIAN_DEFAULT BigEndian
      |
1 month ago