Commit Graph

17501 Commits (f0eaebe3a64d5ff0c46a7018efcf8af23c3fe95f)

Author SHA1 Message Date
Jason Ish f0eaebe3a6 rust: set MSRV to 1.75.0
This is the Rust version found on Ubuntu LTS releases as of today, and
is the oldest we need to support.

Ticket: #6573
2 months ago
Jeff Lucovsky a8a3780276 doc/entropy: Document the entropy log output 2 months ago
Jeff Lucovsky a292670443 detect/entropy: Add calculated entropy value to flowvars
When the entropy keyword is used, record the calculated entropy value to
a flow variable for logging use.
2 months ago
Jeff Lucovsky 62e3c02914 doc: Add missing contributors to ack file
Add missing contributors as identified by
    git shortlog -s -n --no-merges -- .
2 months ago
Juliana Fajardini 9614770483 doc/lua: document request_host lua lib
Seems that we missed bringing this one, when documenting HTTP lua lib
functions.
2 months ago
Philippe Antoine 9054187659 pop3: install rules 2 months ago
Philippe Antoine 966b833113 pop3: fix event rule 2 months ago
Philippe Antoine 79544d0f1e rust: remove some unneeded cbindgen:ignore
Ticket: 7667
2 months ago
Philippe Antoine 7bb0c94ae9 rust: bindgen app-layer-detect-proto.h
Ticket: 7667
2 months ago
Jeff Lucovsky ace0d37636 detect/content: account for distance variables
Under some cases (below), the depth and offset values are used
twice. This commit disregards the distance variable (if any), when
computing the final depth.

These rules are logically equivalent:
1. alert tcp any any -> any 8080 (msg:"distance name"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:option_len; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:1;)
2. alert tcp any any -> any 8080 (msg:"distance number"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:7; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:2;)

The differences:
Rule 1: content:!"|38|"; distance:option_len; within:1; //option_len == 7

Rule 2: content:!"|38|"; distance:7; within:1;

Without this commit, rule 2 triggers an alert but rule 1 doesn't.

Issue: 7390
2 months ago
Lukas Sismis 5dcd0a36f9 flow: convert flow_id to uint64 as no signedness is necessary 2 months ago
Lukas Sismis a90f0c96b5 dpdk: change thread_id field to uint16_t 2 months ago
Lukas Sismis 4dfd44d350 dpdk: update types to avoid type-warnings 2 months ago
Lukas Sismis 21366c5353 detect-engine: remove redundant configuration check 2 months ago
Lukas Sismis 0ef3bff495 detect-engine: check return value of SCGetConf
Ticket: 7634
coverity id: 1645571
2 months ago
Juliana Fajardini e3e24cfb3d decode/ipv4: add missing ip-in-ip case handling
A flow with IPv4 IP in IP traffic won't handle this tunneling case
properly.
This leads to potential malicious traffic not triggering alerts, as well
as other inaccuracies in the logs.

Bug #7725
2 months ago
Juliana Fajardini 72e440551d decode/ipv4: apply-clang formatting changes 2 months ago
Jason Ish 62df7c8e81 doc/lua: remove reference to removed functions
These have all been replaced by libs and already documented in their
lib format.

Ticket: #7728
2 months ago
Jason Ish e1d91497c9 lua/output: access luastate within lock
Fixes Coverity issue:

CID 1648445: (#1 of 1): Data race condition (MISSING_LOCK)
4. missing_lock: Accessing td->lua_ctx->luastate without holding lock
LogLuaCtx_.m. Elsewhere, LogLuaCtx_.luastate is written to with
LogLuaCtx_.m held 41 out of 41 times.
2 months ago
Juliana Fajardini 765041dcdd pgsql: fix clippy warnings 2 months ago
Juliana Fajardini be47de4f6d pgsql: fix typo in comment that changed meaning 2 months ago
Juliana Fajardini 88fdfb9d5a pgsql: debug validation on duplicated request msgs
There shouldn't be duplicated messages in the requests Vec. And thus
the parser shouldn't log duplicated keys nor messages. Add debug
validations to ensure this.

With PGSQL's current state machine, most frontend/client messages will
lead to the creation of a new transaction - which would prevent
duplicated messages being pushed to the requests array and reaching the
logger.

The current exceptions for that are:

- CopyDataIn
- CopyDone
- CopyFail

Thus, debug statements were added for those cases.

CopyDone and CopyFail, per the documentation, shouldn't be seen
duplicated on the wire for the same transaction. CopyDataIn -- yes, but
we consolidate those, so the expectation is that they won't be
duplicated in the requests array or when reaching the logger either.

Related to
Task #7645
2 months ago
Juliana Fajardini f4439c520c pgsql: separate request completion and state type
Since some of the state types could indicate a request completion, don't
process them in if/else statements.

Related to
Task #7645
2 months ago
Juliana Fajardini 68acc0cfcb pgsql: be more strict with pub usage
Review pub visibility to:
Make it pub crate-only wherever possible.
Remove pub altogether where not needed.
2 months ago
Juliana Fajardini 57f7f93a03 pgsql: reorganize pgsql states for CopyData msgs
To set apart states that are both for frontend and backend.
2 months ago
Juliana Fajardini f3aa0085a0 pgsql: rename copy in/out response field
We used `copy_column_count`, while just `columns` is more accurate with
what PostgreSQL describes, and what Wireshark shows.

Related to
Task #7644
Task #7645
2 months ago
Juliana Fajardini e5a47d7616 pgsql: rename 'dummy' response variables
While this could be considered minor, they were not just bad, but
misleading names, as the variables weren't really `dummy` responses,
but consolidating several messages.
2 months ago
Juliana Fajardini 2086f99d6b pgsql: add initial support to CopyIn mode/subproto
This sub-protocol inspects messages sent mainly from the frontend to
the backend after a 'COPY FROM STDIN' has been processed by the
backend.

Parses new messages:
- CopyInResponse -- initiates copy-in mode/sub-protocol
- CopyData (In) -- data transfer message, from frontend to backend
- CopyDone -- signals that no more CopyData messages will be seen from
  the frontend, for the current transaction
- CopyFail -- used by the frontend to signal some failure to proceed
  with sending CopyData messages

Task #7645
2 months ago
Juliana Fajardini d5c48259de schema/psgql: fix fields order 2 months ago
Juliana Fajardini 3febbcbf1c pgsql: document CopyOut messages
Related to
Task #7644
2 months ago
Juliana Fajardini decbb0ba5f pgsql: allow multi-request transactions
Important for CopyIn mode/subprotocol, where the frontend is the one
sending 0 or more messages to the backend as part of a transaction.

Related to
Task #7645
2 months ago
Juliana Fajardini b3b0bbd1c3 pgsql: make CopyData struct generic
We have a data structure that can be used both for backend and frontend
messages, but was named as backend only.

Related to
Task #7645
2 months ago
Philippe Antoine d8a99e1fdd transforms: move base64 to rust
Ticket: 7733
2 months ago
Philippe Antoine 31cc9e0a0e detect: remove unused transform ids
As they are now dynamic from rust
2 months ago
Philippe Antoine 55a5a278f8 base64: use more precise and compact type for mode 2 months ago
Philippe Antoine 8b0d256e6b transform: move rust base64 to dedicated subdirectory 2 months ago
Philippe Antoine 97591230a9 rust: update brotli crate to latest version
Ticket: 7735

New version has a fix for an integer underflow
2 months ago
Jason Ish e5faedf7e6 lua/util: move SCThreadInfo into suricata.util lib
Move the SCThreadInfo global function into the suricata.util library as
thread_info().

This is the last global function to be registered, so remove the
supporting functions.
2 months ago
Jason Ish 778a699622 lua: simplify streaming output setup
Set up the init function to simply return:

   {streaming = "tcp"}

or

   {streaming = "http"}

The returned table can have a lot of parameters that don't make sense
together, this should simplify this one case.
2 months ago
Jason Ish 02bdea2bce lua/streaming: provide streaming buffer as argument
When setting up a Lua output script for streaming data, we're
explicitly requesting stream data. Just pass the streaming data as
arguments, rather than requiring the script to make an extra call to
get the stream data.

The streaming data will be passed in the "stream" field of the args
passed to the log function.

Eliminates the SCStreamingBuffer Lua function.
2 months ago
Jason Ish 11b3ebcb5f lua/bytevar: convert SCByteVar to Lua lib
Similar to flowvars and flowints, but a byte var cannot be registered
from a Lua script; it still needs to be set up. Instead, provide a
"map" function that sets it up, or errors out if the byte var is
unknown.

This also required passing the signature into the Lua init method, as
the state of the Signature object and the time of loading the Lua
keyword is required.
2 months ago
Jason Ish 5a19c95a07 lua/logging: re-add lua script and line numbers
Note that while we try to log the Lua function name, it's never
logged. Instead "Lua" is logged as the function name.
2 months ago
Jason Ish 535661139e util/debug: expose more raw logging macros
Add raw logging macros for config, perf and debug.
2 months ago
Jason Ish 2cb19ad72f lua: fix coverity unchecked return
CID 1648351: (#1 of 1): Unchecked return value (CHECKED_RETURN)
1. check_return: Calling lua_getstack without checking return value (as is done elsewhere 9 out of 10 times).
2 months ago
Jason Ish ce7cdd6f9a lua: create suricata.config lua lib
Currently only provides "log_path" as a replacement for SCLogPath.
2 months ago
Philippe Antoine 16fee33368 http1: use a blocking cursor for decompression
Kind of as is done by HTTP2 which limits input data instead of
output data

Ticket: 7732
2 months ago
Philippe Antoine 7c88d37570 ci: check cargo fmt for htp 2 months ago
Philippe Antoine 261d2ad63b dcerpc: use wrapping to prevent u16 overflow
Otherwise, rust with debug assertions may trigger a panic
2 months ago
dependabot[bot] 3bc88d8330 github-actions: bump github/codeql-action from 3.28.16 to 3.28.18
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.16 to 3.28.18.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](https://github.com/github/codeql-action/compare/v3.28.16...v3.28.18)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.28.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2 months ago
dependabot[bot] c8ef5fe192 github-actions: bump ossf/scorecard-action from 2.4.1 to 2.4.2
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.1 to 2.4.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](f49aabe0b5...05b42c6244)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2 months ago