Commit Graph

107 Commits (8455efd9ac9be052f5f5424805559611e8531b16)

Author SHA1 Message Date
Shivani Bhardwaj 899eb38691 flowbits: deprecate toggle command
toggle command is not used by any major rulesets and increases the state
complexity of flowbits management. Also, all operations can be carried
out with the combination of other available commands. So, remove it.

Task 8595
1 month ago
Philippe Antoine daf68dc36f http2: split progress per direction
Ticket: 8518

Keywords that work for HTTP2 headers match now as soon as possible

A push promise is now considered like a headers frame with regards
to the progress (no dedicated "reserved" progress/state)

http.protocol and http.stat_msg keywords are now registered at
earliest progress, since these are synthetic like "HTTP/2" and
not really seen on the wire.

http.request_line and http.response_line match only on data,
and not on headers, since we must wait the end of headers
to be sure to have the full line

http2.size_update now matches at headers progress as it should

http2.frametype, http2.errorcode, http2.priority now match like
http2.window, when the tx is complete from both sides, as a
half-closed client may still send priority, rst_stream
or window_update frames
1 month ago
Jason Ish 865b7243a0 http-log: remove support for http-log
http-log was deprecated in Suricata 8, and marked for removal in
Suricata 9.0.

Ticket: #7232
1 month ago
Giuseppe Longo 143774220e doc: add llmnr
Ticket #8366
1 month ago
Philippe Antoine e98d419d96 ldap: bound the number of responses
Ticket: 8405
2 months ago
Philippe Antoine 54c02e1301 stats: replace dashes by underscores in app-layer protocols
Ticket: 6502

Forbid dashes in json keys for better use by processing tools
2 months ago
Philippe Antoine d030ea7f29 output: rename reject-target to reject_target
Ticket: 6502

Forbid dashes in json keys for better use by processing tools
2 months ago
Victor Julien 2e2132a16f doc/userguide: improve pkthdr docs 3 months ago
Jason Ish 8c7172e707 lib: remove the built-in library run-mode
This run-mode does not allow for capture ThreadVars to be created at
the appropriate place in the application life cycle. Instead,
applications should register their own custom run-mode.

Ticket: #8259
4 months ago
Shivani Bhardwaj 0e345c93ca app-layer: check ipproto enabled setting first
If the key `app-layer.protocols.PROTO.enabled` is present, the protocol
is enabled for all carrier protocols. This is not ideal.
Only if the key `app-layer.protocols.PROTO.enabled` is missing, an
attempt is made to look for a setting specific to the ipproto passed
at the time of registration e.g.
`app-layer.protocols.PROTO.udp.enabled`.

By default, check for carrier proto specific setting. If it is not
found, then fall back to the generic setting.
Issue a warning in case an inconsistent combination of global and
ipproto specific setting is found.

Bug 8205
4 months ago
Juliana Fajardini 926fde859e userguide: fix Deprecations, warn about syslog
The Deprecation note on Syslog was partly conveying the opposite
message, and we were missing a deprecation notice on the Syslog output
section.
5 months ago
Philippe Antoine d378610e93 stream: non infinite default value for reassembly.depth
So that empty config have a safer default.

Ticket: 8290
5 months ago
Philippe Antoine 54cc752cf9 ssh: hassh can be truly disabled
Rules will not re-enable it

Ticket: 8223
6 months ago
Lukas Sismis 15c83be61a hs: prune stale MPM cache files
Hyperscan MPM can cache the compiled contexts to files.
This however grows as rulesets change and leads to bloating
the system. This addition prunes the stale cache files based
on their modified file timestamp.

Part of this work incorporates new model for MPM cache stats
to split it out from the cache save function and aggregate
cache-related stats in one place (newly added pruning).

Ticket: 7830
6 months ago
Philippe Antoine 7422c97bf2 quic: encryption-handling config parameters
Ticket: 8116
6 months ago
Jason Ish 2c95f1ff44 dnp3: bound the maximum number of objects per tx
Default to 2048, but provide a user configuration value.

Ticket: #8181
6 months ago
Jason Ish 3a32bb5743 dnp3: set a bound on the number of points per message
16384 is used as the max, but a configuration parameter has been
provided. The reason for setting an upper bound is that bit flags can
create a memory amplification as we parse them into individual data
structures.

Ticket: #8181
6 months ago
Jason Ish a16f087b93 dnp3: reduce flood threshold to 32 and make configurable
Lower the number of unreplied requests from 500 to 32 to consider a
flood. At the very least this is an anomaly given the DNP3 spec mentions
that DNP3 should only have one outstanding request at a time, with an
exception for unsolicited responses, so in practice no more than 2
should be seen.

Additionally make this value configurable by introducing the max-tx
parameter.

Ticket: #8181
6 months ago
Lukas Sismis b596073a79 src: doc: remove double-space typos 6 months ago
Philippe Antoine af8390f2ca doc: upgrade note for engine-analysis breaking change
For keywords that now use the generic integer framework

Ticket: 7889
8 months ago
Jeff Lucovsky 16d124cfda doc/output: Highlight ethertype value change
Issue: 7855

Highlight the change to how ether_type values are displayed. Previously,
they were displayed in network order as a decimal value.

They are now displayed in host order as a decimal value.
9 months ago
Jason Ish ced0c2c466 doc: upgrade notes for changes to ike output 9 months ago
Philippe Antoine 9146fc8957 doc: upgrade note about keyword tls.cert_subject
Following commit 5379b52af2
rules that use multiple times the keyword tls.cert_subject
will result in

Warning: detect: duplicate instance for tls.cert_subject

These rules likely meant to use a multi-buffer which is not the
case for tls.cert_subject (even if it was documented so).

Ticket: 7890

This is put in a new section of upgrade notes for
upgrading to 8.0.1
10 months ago
Thomas Winter 0b2dfa2b68 doc: Add upgrade note for ppp changes 10 months ago
Juliana Fajardini a8453d73cd detect: remove unused non-pf stats counters
Remove unused rule prefilter-related stats counters that aren't in use.

94644ac960 (detect: move non-pf rules into special prefilter engines)
removed the logic that made use of and incremented the stats counters:
- det_ctx->counter_fnonmpm_list
- det_ctx->counter_nonmpm_list

Some code was left, registering them, and mentioning them in the
json schema.

Ticket #7834
11 months ago
Jason Ish 3b7b908fe2 doc/upgrade: mention that lua rules are enabled by default 11 months ago
Shivani Bhardwaj 58367149cc doc: add upgrade note about change in inspection 1 year ago
Lukas Sismis 6c654e30ac threading: support previous threading configuration format
Provide backward compatibility with the previous configuration
format to allow smooth transition to the new format.
The commit adds docs about the new format and the introduced changes.
1 year ago
Shivani Bhardwaj bdb8713ffd doc: move upgrade note to correct section
The PR for the behavior change of dealing with spaces in http URI and
protocol was started in 2019 and merged in 2024. When the PR was
created, it belonged to the correct upgrade section, however, by the
time it was merged, it was 8.0.x branch already.
Move it to upgrade notes from 7 to 8 for correctness.
1 year ago
Dean Balandin 3cdb0ceb7e stream: decouple stream.bypass dependency from tls bypass
Decouple app.protocols.tls.encryption-handling and stream.bypass.
There's no apparent reason why encrypted TLS bypass traffic should
depend on stream bypass, as these are unrelated features.

Ticket: 6788
1 year ago
Lukas Sismis 185123a130 tls: deprecate "default" as a encryption-handling option
The default value for TLS encryption is generic and not precise.
The new keyword, "track-only" substitues the old keyword, being
more on point what action is actually taken when the TLS flow
reaches an encrypted state.
1 year ago
Todd Mortimer 9c324b796e http: Use libhtp-rs.
Ticket: #2696

There are a lot of changes here, which are described below.

In general these changes are renaming constants to conform to the
libhtp-rs versions (which are generated by cbindgen); making all htp
types opaque and changing struct->member references to
htp_struct_member() function calls; and a handful of changes to offload
functionality onto libhtp-rs from suricata, such as URI normalization
and transaction cleanup.

Functions introduced to handle opaque htp_tx_t:
- tx->parsed_uri => htp_tx_parsed_uri(tx)
- tx->parsed_uri->path => htp_uri_path(htp_tx_parsed_uri(tx)
- tx->parsed_uri->hostname => htp_uri_hostname(htp_tx_parsed_uri(tx))
- htp_tx_get_user_data() => htp_tx_user_data(tx)
- htp_tx_is_http_2_upgrade(tx) convenience function introduced to detect response status 101
  and “Upgrade: h2c" header.

Functions introduced to handle opaque htp_tx_data_t:
- d->len => htp_tx_data_len()
- d->data => htp_tx_data_data()
- htp_tx_data_tx(data) function to get the htp_tx_t from the htp_tx_data_t
- htp_tx_data_is_empty(data) convenience function introduced to test if the data is empty.

Other changes:

Build libhtp-rs as a crate inside rust. Update autoconf to no longer
use libhtp as an external dependency. Remove HAVE_HTP feature defines
since they are no longer needed.

Make function arguments and return values const where possible

htp_tx_destroy(tx) will now free an incomplete transaction

htp_time_t replaced with standard struct timeval

Callbacks from libhtp now provide the htp_connp_t and the htp_tx_data_t
as separate arguments. This means the connection parser is no longer
fetched from the transaction inside callbacks.

SCHTPGenerateNormalizedUri() functionality moved inside libhtp-rs, which
now provides normalized URI values.
The normalized URI is available with accessor function: htp_tx_normalized_uri()
Configuration settings added to control the behaviour of the URI normalization:
- htp_config_set_normalized_uri_include_all()
- htp_config_set_plusspace_decode()
- htp_config_set_convert_lowercase()
- htp_config_set_double_decode_normalized_query()
- htp_config_set_double_decode_normalized_path()
- htp_config_set_backslash_convert_slashes()
- htp_config_set_bestfit_replacement_byte()
- htp_config_set_convert_lowercase()
- htp_config_set_nul_encoded_terminates()
- htp_config_set_nul_raw_terminates()
- htp_config_set_path_separators_compress()
- htp_config_set_path_separators_decode()
- htp_config_set_u_encoding_decode()
- htp_config_set_url_encoding_invalid_handling()
- htp_config_set_utf8_convert_bestfit()
- htp_config_set_normalized_uri_include_all()
- htp_config_set_plusspace_decode()
Constants related to configuring uri normalization:
- HTP_URL_DECODE_PRESERVE_PERCENT => HTP_URL_ENCODING_HANDLING_PRESERVE_PERCENT
- HTP_URL_DECODE_REMOVE_PERCENT => HTP_URL_ENCODING_HANDLING_REMOVE_PERCENT
- HTP_URL_DECODE_PROCESS_INVALID => HTP_URL_ENCODING_HANDLING_PROCESS_INVALID

htp_config_set_field_limits(soft_limit, hard_limit) changed to
htp_config_set_field_limit(limit) because libhtp didn't implement soft
limits.

libhtp logging API updated to provide HTP_LOG_CODE constants along with
the message. This eliminates the need to perform string matching on
message text to map log messages to HTTP_DECODER_EVENT values, and the
HTP_LOG_CODE values can be used directly. In support of this,
HTP_DECODER_EVENT values are mapped to their corresponding HTP_LOG_CODE
values.

New log events to describe additional anomalies:
HTP_LOG_CODE_REQUEST_TOO_MANY_LZMA_LAYERS
HTP_LOG_CODE_RESPONSE_TOO_MANY_LZMA_LAYERS
HTP_LOG_CODE_PROTOCOL_CONTAINS_EXTRA_DATA
HTP_LOG_CODE_CONTENT_LENGTH_EXTRA_DATA_START
HTP_LOG_CODE_CONTENT_LENGTH_EXTRA_DATA_END
HTP_LOG_CODE_SWITCHING_PROTO_WITH_CONTENT_LENGTH
HTP_LOG_CODE_DEFORMED_EOL
HTP_LOG_CODE_PARSER_STATE_ERROR
HTP_LOG_CODE_MISSING_OUTBOUND_TRANSACTION_DATA
HTP_LOG_CODE_MISSING_INBOUND_TRANSACTION_DATA
HTP_LOG_CODE_ZERO_LENGTH_DATA_CHUNKS
HTP_LOG_CODE_REQUEST_LINE_UNKNOWN_METHOD
HTP_LOG_CODE_REQUEST_LINE_UNKNOWN_METHOD_NO_PROTOCOL
HTP_LOG_CODE_REQUEST_LINE_UNKNOWN_METHOD_INVALID_PROTOCOL
HTP_LOG_CODE_REQUEST_LINE_NO_PROTOCOL
HTP_LOG_CODE_RESPONSE_LINE_INVALID_PROTOCOL
HTP_LOG_CODE_RESPONSE_LINE_INVALID_RESPONSE_STATUS
HTP_LOG_CODE_RESPONSE_BODY_INTERNAL_ERROR
HTP_LOG_CODE_REQUEST_BODY_DATA_CALLBACK_ERROR
HTP_LOG_CODE_RESPONSE_INVALID_EMPTY_NAME
HTP_LOG_CODE_REQUEST_INVALID_EMPTY_NAME
HTP_LOG_CODE_RESPONSE_INVALID_LWS_AFTER_NAME
HTP_LOG_CODE_RESPONSE_HEADER_NAME_NOT_TOKEN
HTP_LOG_CODE_REQUEST_INVALID_LWS_AFTER_NAME
HTP_LOG_CODE_LZMA_DECOMPRESSION_DISABLED
HTP_LOG_CODE_CONNECTION_ALREADY_OPEN
HTP_LOG_CODE_COMPRESSION_BOMB_DOUBLE_LZMA
HTP_LOG_CODE_INVALID_CONTENT_ENCODING
HTP_LOG_CODE_INVALID_GAP
HTP_LOG_CODE_ERROR

The new htp_log API supports consuming log messages more easily than
walking a list and tracking the current offset. Internally, libhtp-rs
now provides log messages as a queue of htp_log_t, which means the
application can simply call htp_conn_next_log() to fetch the next log
message until the queue is empty. Once the application is done with a
log message, they can call htp_log_free() to dispose of it.

Functions supporting htp_log_t:
htp_conn_next_log(conn) - Get the next log message
htp_log_message(log) - To get the text of the message
htp_log_code(log) - To get the HTP_LOG_CODE value
htp_log_free(log) - To free the htp_log_t
1 year ago
Philippe Antoine 1851030010 detect: generic callback for md5-like keywords
Ticket: 5634
1 year ago
Giuseppe Longo 330241b162 doc: add sdp sticky buffers 1 year ago
Lukas Sismis 640d0985c2 dpdk: check for link up before full startup
ICE card (Intel E810) was not receiving packets immediatelly
after startup, Suricata workers would act as processing while
it was not. This eliminates the problem by only continuing
in the initialization if the link is already up.

The setting can be turned off manually from the configuraiton
file.

Ticket: 7381
1 year ago
Lukas Sismis cb997a64dc dpdk: replace global with per-thread mempools
It turned out that having global (interface-specific) mempool
that is shared by the threads of the interface is slower than
having individual mempools per queue for each interface.

The commit brings this change and should be user-invisible,
the config setting remains still as a number of objects of
all mempools summed (of that interface).

Ticket: 7382
1 year ago
Lukas Sismis 2ef2a9e26f dpdk: auto configure Rx/Tx descriptors and mempool size
Ticket: 7380
Ticket: 7373
1 year ago
Jason Ish 1a47fdfd46 doc/userguide: group af-packet upgrade notes together
Also fix the rendering of the sip nest list.
1 year ago
Jason Ish 080d48ba29 doc/userguide: upgrade note about defrag now off for inline use
Ticket: #7617
1 year ago
Jason Ish 8fe526006d doc/userguide: upgrade note about tpacket-v3 default for ids
Ticket: #4798
1 year ago
Juliana Fajardini 3985b24e1b upgrade: list inspection recursion default limit
As the yaml indicated before that if no value was specified there were
no limits, and now there will be one.
1 year ago
Juliana Fajardini e1f9e66af0 doc/upgrade: add datasets hash size limit note 1 year ago
Jason Ish c6d18fc871 doc/userguide: af-packet upgrade notes
Add note about increased block size and how to change it back to old
defaults if needed.

Ticket: #7458
1 year ago
Jason Ish f1d305b373 doc: add upgrade note about suricatasc and suricatactl 1 year ago
Jeff Lucovsky dd344bd07c ftp: Move config file handling to Rust
Issue: 4082

Move the configuration file handling to Rust.

These changes will no longer terminate Suricata when there's an invalid
value for ftp.memcap. Like earlier Suricata releases, an error message
is logged "Invalid value <value> for ftp.memcap" but Suricata will no
longer terminate execution. It will use a default value of "0" instead.
1 year ago
Jason Ish 97e01a8cc8 doc/userguide: upgrade notes for Lua
- Sandboxed Lua for rules
- Search path changes for Lua output scripts
1 year ago
Jeff Lucovsky cfbf8fda94 doc/csum: Stream checksum validation change
Describe the change of behavior between the stream.checksum-validation
setting and checksum-based rule keywords.
1 year ago
Philippe Antoine a499529477 doc: improve documentation about guess-applayer-tx
Ticket: 7199
2 years ago
Philippe Antoine f2c3776314 detect: log app-layer metadata in alert with single tx
Ticket: 7199

Uses a config parameter detect.guess-applayer-tx to enable
this behavior (off by default)

This feature is requested for use cases with signatures not
using app-layer keywords but still targetting application
layer transactions, such as pass/drop rule combination,
or lua usage.

This overrides the previous behavior of checking if the signature
has a content match, by checking if there is only one live
transaction, in addition to the config parameter being set.
2 years ago
Jason Ish 820a3e51b7 requires: treat unknown requires keywords as unmet requirements
For example, "requires: foo bar" is an unknown requirement, however
its not tracked, nor an error as it follows the syntax. Instead,
record these unknown keywords, and fail the requirements check if any
are present.

A future version of Suricata may have new requires keywords, for
example a check for keywords.

Ticket: #7418
2 years ago