Ticket: 7311
If response_status_number is not a valid positive integer,
we should not try to parse it again, and fail again,
but just log the raw string.
Threads are initialized sequentially to allow for a predictable mapping
of threads and queues. Not all parts of the start up need to be done
sequentially. The setting up of the rings can be very expensive, taking
a couple of hundred milliseconds. The ring setup doesn't need to be
done sequentially though.
This patch releases the thread early, after bind but before the ring
setups.
Ticket: #7272.
In the situation where the mem buffer cannot be expanded to the
requested size, drop the log message.
For each JSON log context, a warning will be emitted once with a partial
bit of the log record being dropped to identify what event types may be
leading to large log records.
This also fixes the call to MemBufferExpand which is supposed to be
passed the amount to expand by, not the new size required.
Ticket: #7300
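The expand-by-delta contract and the drop-with-one-warning policy described in the commit above, as an added illustration that is not Suricata's code: MemBuf, MemBufExpand, LogCtx and LogCtxWrite are constructed stand-ins for the real MemBuffer API, the 64-byte cap and the sample records are constructed test values, and the preview length is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed growable buffer with a hard cap (not Suricata's MemBuffer). */
typedef struct MemBuf {
    char *data;
    size_t size;    /* allocated bytes */
    size_t used;    /* bytes written */
    size_t max;     /* never grow beyond this */
} MemBuf;

bool MemBufInit(MemBuf *b, size_t size, size_t max)
{
    b->data = malloc(size);
    if (b->data == NULL)
        return false;
    b->size = size;
    b->used = 0;
    b->max = max;
    return true;
}

/* Grow by `expand_by` bytes. The argument is the amount to add, not the new
 * total size; a caller that passes the total double-counts the current size
 * and hits the cap far earlier than necessary. */
bool MemBufExpand(MemBuf *b, size_t expand_by)
{
    size_t new_size = b->size + expand_by;
    if (new_size < b->size || new_size > b->max)   /* overflow or over cap */
        return false;
    char *p = realloc(b->data, new_size);
    if (p == NULL)
        return false;
    b->data = p;
    b->size = new_size;
    return true;
}

/* Per-output-context state: warn once per context, then drop silently. */
typedef struct LogCtx {
    MemBuf buf;
    bool warned;
    size_t dropped;
} LogCtx;

#define PREVIEW_BYTES 32   /* assumed size of the record prefix in the warning */

/* Append a record; if the buffer cannot grow enough, drop the record, count
 * it, and warn once with a prefix of it so the event type is identifiable. */
bool LogCtxWrite(LogCtx *ctx, const char *record, size_t len)
{
    size_t avail = ctx->buf.size - ctx->buf.used;
    if (avail < len) {
        size_t expand_by = len - avail;            /* the delta, not len + used */
        if (!MemBufExpand(&ctx->buf, expand_by)) {
            ctx->dropped++;
            if (!ctx->warned) {
                ctx->warned = true;
                int n = len < PREVIEW_BYTES ? (int)len : PREVIEW_BYTES;
                fprintf(stderr, "dropping %zu-byte log record (buffer cap %zu); "
                        "starts with: %.*s\n", len, ctx->buf.max, n, record);
            }
            return false;
        }
    }
    memcpy(ctx->buf.data + ctx->buf.used, record, len);
    ctx->buf.used += len;
    return true;
}

/* Constructed scenario: a 16-byte buffer capped at 64 bytes, one record that
 * fits after growing and one that can never fit. Returns the drop count. */
size_t RunDropScenario(void)
{
    LogCtx ctx = { .warned = false, .dropped = 0 };
    if (!MemBufInit(&ctx.buf, 16, 64))
        return (size_t)-1;
    const char small[] = "{\"event_type\":\"alert\"}";          /* 22 bytes */
    char big[200];
    memset(big, 'A', sizeof(big));
    memcpy(big, "{\"event_type\":\"http\",\"body\":\"", 29);
    LogCtxWrite(&ctx, small, sizeof(small) - 1);   /* grows 16 -> 22, fits */
    LogCtxWrite(&ctx, big, sizeof(big));           /* would need 222 > 64: dropped, warned */
    LogCtxWrite(&ctx, big, sizeof(big));           /* dropped again, no second warning */
    size_t dropped = ctx.dropped;
    free(ctx.buf.data);
    return dropped;
}
```

The cap is what keeps an oversized event from growing the output buffer without bound; counting drops per context and printing only a short prefix keeps the warning itself from becoming another oversized log line.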
Ticket: 2224
It takes an argument to match only if the buffer is absent,
or it can still match if the buffer is present, but we test
the absence of some content.
For multi buffers, absent matches if there are 0 buffers.
For file keywords, absent matches if there is no file.
- DetectEngineInspectBufferHttpHeader is only used with ALPROTO_HTTP1
- engine->progress should be HTP_REQUEST_HEADERS or HTP_RESPONSE_HEADERS based on the direction
Implement a more compact set of trees specifically for IPv4
and IPv6 addresses. This allows for more compact data structures
and fewer memory allocations.
Based on the existing radix tree implementation.
rust-bindings.h was not being installed with "make install-headers",
and it's now pulled in by a header used for plugin support, so make
sure it's installed.
We first attempt to install the "dist" version if exists, otherwise
install the "gen" one. Also install the "gen" even if the "dist" one
exists, as it's going to be newer.
Provide a way for library/plugin users to register a callback that
will be called prior to an EVE record being closed. The callback will
be passed ThreadVars, Packet, and Flow pointers if available, as well
as private user data.
Adds user registerable callbacks for flow initialization, flow
update and flow finish.
Some plugins, such as other DPI libraries like nDPI need a way to hook
into these flow lifecycle events.
Ticket: #7319
Ticket: #7320
Ticket: 7326
Having a lower progress than one where we actually can get
occurrences of the multibuffer made prefilter
bail out too early, not having found a buffer in the multi-buffer
that matched the prefilter.
For example, we registered http_request_header with progress 0
instead of progress HTP_REQUEST_HEADERS==2, and if the first
packet had only the request line, we would consider
that signatures with http_request_header as prefilter/fast_pattern
could not match for this transaction, even if they in fact
could have a later packet with matching headers.
Hence, we got false negatives, if http.request_header or
http.response_header was used as fast pattern, and if the request
or response came in multiple packets, and the first of these packets
did not have enough data (like only http request line),
and the next packets did have the matching data.
These tests' purpose seems to have been lost.
Registering an alproto with a parser function that always fails,
and just testing that AppLayerParserParse returned -1...
We would get the same result without registering a parser function,
or using ALPROTO_FAILED as argument to AppLayerParserParse
The comment says "Test the deallocation of app layer parser memory
on occurrence of error in the parsing process."
but I do not see how this is tested.
The patch a0fc2b8628 has removed the
declaration of functions used when building with ruleset profiling
only (without --enable-profiling). This is causing a build failure.
This patch moves the declaration to the rules profiling section to
be sure it is always there.
Some compiler/platform combinations don't like creating one const from
another as it can't guarantee the other is defined, resulting in the
following compile error:
output-json-tls.c:102:5: error: initializer element is not constant
BASIC_FIELDS |
^~~~~~~~~~~~
Fixes commit 377989df6c
Introduce a common function for mapping names to IDs that performs
bounds checking.
Note: For event IDs in the enum that are larger than a uint8_t, -1
will be returned instead of -4. -4 has special meaning during
signature parsing that means requirements were not met. -4 has no
special handling prior to requirements, or the meaning has been lost.
During EVE TLS setup, a broken check for Ja3 being enabled led to Ja3
being disabled, but only in custom mode. This check is not needed, if
Ja3 is disabled, it won't be available, and won't be logged.
This is required to implement "extended" in terms of "custom" fields.
The profiling arrays are incorrectly sized by the number of thread
modules. Since they contain app-layer protocol data, they should be
sized by ALPROTO_MAX.
This was done following the fact that this setting was historically
named incorrectly. The purpose of the setting was always to define the
ports that will be prioritized and have rule groups associated with them on
priority. Rename all occurrences of this to correctly reflect the purpose
of the setting.
Threads are only set to paused upon initialization and never again, we
should only have to wait once, so move the wait before any loop that
was waiting before.
Additionally, if the thread was killed while waiting to be unpaused,
don't enter the loop.
The pattern of checking the pause flag, setting to paused then
waiting to unpause was done enough times to factor out into its own
function. This is also needed by library users who bring their own
packet acquisition threads.
Commit changes are made to avoid possible memory leaks. If the parser
is initialized before configuration file checking, there was no deinit
call before function return. Do check config file existence and type
before YAML parser initialization, so we don't need to deinit parser
before exiting the function.
Bug: #7302
Detect engine tenant reloading function hasn't got engine release call
under error label, so a memory leak is possible in case of errors in
further new detect engine initialization.
Bug: #7303
Remove the call to SCDropCaps for packet processing threads. This
logic in this function is required to setup packet processing even
when the thread is provided by a library user, in which case Suricata
should not be touching its capabilities.
As SCDropCaps is currently a no-op it's clear this feature needs to
be (re)designed properly, taking into consideration library users as
well.
Related ticket: https://redmine.openinfosecfoundation.org/issues/2375
Instead of inheriting from flow, because encrypted protocols like TLS
and SSH may have just set the flow flags to indicate rest of stream is
encrypted and does not need to run stream inspection. But detection
still needs to be run on this last flushing packet.
Ticket: #7235.