There is no sane way to set override the DNS eve version in Suricata
tests without using a copy of the configuration file, and many of the
tests by design use the configuration file of the Suricata under test,
so making a copy would break this assumption.
To get around this, respect the SURICATA_EVE_DNS_VERSION environment
variable as a way to set the version if not explicitly set in the
configuration file.
DNS v3 logging fixes the discrepancies between request and response
logging with the main difference being queries always being placed in an
array.
Bug: #6281
V3 style DNS logging fixes the discrepancies between request and
response logging better dns records and alert records.
The main change is that queries and answers are always logged as
arrays, and header fields are not logged in array items.
For alerts this means that answers are now logged as arrays, queries
already were.
DNS records will get this new format as well, but with a configuration
parameter.
Bug: #6281
Feature: 7017
Add DNSRDataOPT struct and DNSRData enum type OPT.
Add OPT parsing function and test function.
Add DNSRData OPT type to lua.rs match.
Log OPT rdata.
Feature: 7011
Add additionals to DNSMessage struct.
Add parsing logic to populate additional section data.
Patch dns tests to account for additional section parsing.
Getting clock through Time Stamp Counter (TSC) can be precise and fast,
however only for a short duration of time.
The implementation across CPUs seems to vary. The original idea is to
increment the counter with every tick. Then dividing the delta of CPU ticks
by the CPU frequency can return the time that passed.
However, the CPU clock/frequency can change over time, resulting in uneven
incrementation of TSC. On some CPUs this is handled by extra logic.
As a result, obtaining time through this method might drift from the real
time.
This commit therefore substitues TSC time retrieval by the standard system
call wrapped in GetTime function - on Linux it is gettimeofday.
Ticket: 7115
So far, when the data size was passed to the THash API, it was sent as
a sizeof(Struct) which works fine for the other data types as they have
a fixed length but not for the StringType.
However, because of the sizeof construct, the length of a string type
dataset was always taken to be 16 Bytes which is only the size of the struct
itself. It did not accomodate the actual size of the string that the
StringType holds. Fix this so that the memuse that is used to determine
whether memcap was reached also takes into consideration the size of the
actual string.
Bug 3910
Don't assume the ntlmssp version field is always present if the flag is
set. Instead keep track of the offsets of the data of the various blobs
and see if there is space for the version.
Inspired by how Wireshark does the parsing.
Bug: #7121.
Enable backoff for most rules. The rules looking at the session start up
use a count of 1 and a multiplier of 2.
Post-3whs rules use a count of 1 and a multiplier of 10.
Implement new `type backoff` for thresholding. This allows alerts to be
limited.
A count of 1 with a multiplier of 10 would generate alerts for matching packets:
1, 10, 100, 1000, 10000, 100000, etc.
A count of 1 with a multiplier of 2 would generate alerts for matching packets:
1, 2, 4, 8, 16, 32, etc.
Like with other thresholds, rule actions like drop and setting of
flowbits will still be performed for each matching packet.
Current implementation is only for the by_flow tracker and for per rule
threshold statements.
Tracking is done using uint32_t. When it reaches this value, the rest of
the packets in the tracker will use the silent match.
Ticket: #7120.
Jason Ish
Nathan Scrivens
Sascha Steinbiss
dependabot[bot]
Jeff Lucovsky
Philippe Antoine
Lukas Sismis
Shivani Bhardwaj
Victor Julien
Philippe Antoine