Ticket: 7326
Having a lower progress than one where we actually can get
occurences of the multibuffer made prefilter
bail out too early, not having found a buffer in the multi-buffer
that matiched the prefilter.
For example, we registered http_request_header with progress 0
instad of progress HTP_REQUEST_HEADERS==2, and if the first
packet had only the request line, we would consider
that signatures with http_request_header as prefilter/fast_pattern
could not match for this transaction, even if they in fact
could have a later packet with matching headers.
Hence, we got false negatives, if http.request_header or
http.response_header was used as fast pattern, and if the request
or response came in multiple packets, and the first of these packets
did not have enough data (like only http request line),
and the next packets did have the matching data.
These tests purpose seems to have been lost.
Registering a alproto with a parser function that always fails,
and just testing that AppLayerParserParse returned -1...
We would get the same result without registering a parser function,
or using ALPROTO_FAILED as argument to AppLayerParserParse
The comment says "Test the deallocation of app layer parser memory
on occurrence of error in the parsing process."
but I do not see how this is tested.
This crate lets us instruct it where to copy the header files instead
of our Makefile trying to find the correct ones and copying them into
place.
Can prevent the simultaneous copy errors sometimes seen on a make
without a clean.
The patch a0fc2b8628 has removed the
declaration of functions used when building with ruleset profiling
only (without --enable-profiling). This is causing a build failure.
This patch moves the declaration to the rules profiling section to
be sure it is always there.
Some compiler/platform combinations don't like creating one const from
another as it can't guarantee the other is defined, resulting in the
following compile error:
output-json-tls.c:102:5: error: initializer element is not constant
BASIC_FIELDS |
^~~~~~~~~~~~
Fixes commit 377989df6c
Introduce a common function for mapping names to IDs that performs
bounds checking.
Note: For event IDs in the enum that are larger than a uint8_t, -1
will be returned instead of -4. -4 has special meaning during
signature parsin that means requirements were not met. -4 has no
special handling prior to requirements, or the meaning has been lost.
During EVE TLS setup, a broken check for Ja3 being enabled led to Ja3
being disabled, but only in custom mode. This check is not needed, if
Ja3 is disabled, it won't be available, and won't be logged.
This is required to implement "extended" in terms of "custom" fields.
The profiling arrays are incorrectly sized by the number of thread
modules. Since they contain app-layer protocol data, they should be
sized by ALPROTO_MAX.
Since enabling custom logging will replace the extended logging, thus
possibly leading to certain fields disappearing from the logs, mention
this aspect.
Related to
Bug #7333
This was done following the fact that this setting was historically
named incorrectly. The purpose of the setting was always to define the
ports that will be prioritized and have rule groups associated w them on
priority. Rename all occurences of this to correctly reflect the purpose
of the setting.
Jason Ish
dependabot[bot]
Philippe Antoine
Nancy Enos
Sascha Steinbiss
Eric Leblond
Victor Julien
Adam Kiripolsky
Alice Akaki
Juliana Fajardini
Jeff Lucovsky
Shivani Bhardwaj