Staging/70x/v4#11609

Closed
jasonish wants to merge 290 commits into OISF:master from jasonish:staging/70x/v4

Conversation

@jasonish
Member

@jasonish jasonish commented Aug 6, 2024

regit and others added 30 commits January 18, 2024 16:11
In our conf.py we reference some ReadTheDocs stylesheets that appear to
be old and break formatting of some items like bulleted lists.

Bug: OISF#6589
(cherry picked from commit cc0adaa)
Issue: 6605

Flash decompression will remain so the deprecation notice is not needed.

(cherry picked from commit 995f5fc)
As the feature module is not available for Rust unit tests, a mock
version is also provided.

(cherry picked from commit 15ed51f)
Add a new rule keyword "requires" that allows a rule to require specific
Suricata versions and/or Suricata features to be enabled.

Example:

  requires: feature geoip, version >= 7.0.0, version < 8;
  requires: version >= 7.0.3 < 8
  requires: version >= 7.0.3 < 8 | >= 8.0.3

Feature: OISF#5972

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
(cherry picked from commit 5d5b050)
Add a "pre-scan" rule parse that will check for requires statement. It
will return a special error code (-4) if the requires fails due to
missing requirements.

Syntactic errors will also abort parsing here.

Feature: OISF#5972
(cherry picked from commit 435c031)
During the pre-scan for "requires", also parse the SID if possible. If
the rule fails high level parsing (syntax), the SID will not be
parsed.

But every keyword other than "sid" and "requires" should expect to be
provided with a parsed sid.

(cherry picked from commit 71bbba9)
Rule skipped is a count of the number of rules that are skipped due to
missing requirements.

Feature: OISF#6637
(cherry picked from commit b453eea)
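An added illustration of the `requires` syntax and pre-scan behaviour described in the commit messages above, written for this page and not taken from Suricata's own implementation: a small Rust parser and evaluator for the keyword's value. Assumptions beyond what the messages show: tokens are whitespace-separated; the operators `>`, `>=`, `<`, `<=` and `=` are all accepted; a version with a missing minor or patch component is read as `.0`; and the `prescan` function, which locates the keyword by a naive substring search, stands in for the pre-scan parse, with its `Skip` result playing the role of the special error code and `Error` the role of a syntax error that aborts parsing.

```rust
// Added example: parser/evaluator for the "requires" keyword value.
// Grammar assumed from the commit messages (whitespace-separated tokens):
//   value  := clause ("," clause)*
//   clause := "feature" NAME | "version" alt ("|" alt)*
//   alt    := (OP VERSION)+        -- every constraint in one alt must hold
use std::fmt;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version { pub major: u32, pub minor: u32, pub patch: u32 }

impl Version {
    /// Parses "7", "7.0" or "7.0.3"; missing components are treated as 0 (assumption).
    pub fn parse(s: &str) -> Option<Version> {
        let mut n = [0u32; 3];
        let mut i = 0;
        for part in s.split('.') {
            if i == 3 { return None; }
            n[i] = part.parse().ok()?;
            i += 1;
        }
        Some(Version { major: n[0], minor: n[1], patch: n[2] })
    }
}

impl fmt::Display for Version {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}.{}.{}", self.major, self.minor, self.patch)
    }
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Op { Lt, Le, Gt, Ge, Eq }

impl Op {
    fn parse(s: &str) -> Option<Op> {
        Some(match s {
            "<" => Op::Lt, "<=" => Op::Le, ">" => Op::Gt, ">=" => Op::Ge,
            "=" | "==" => Op::Eq, _ => return None,
        })
    }
    fn holds(self, have: Version, want: Version) -> bool {
        match self {
            Op::Lt => have < want, Op::Le => have <= want, Op::Gt => have > want,
            Op::Ge => have >= want, Op::Eq => have == want,
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum Requirement {
    Feature(String),
    /// Outer Vec: "|"-separated alternatives; inner Vec: constraints that must all hold.
    Version(Vec<Vec<(Op, Version)>>),
}

/// Parses the text between "requires:" and ";". Syntax errors are Err.
pub fn parse_requires(value: &str) -> Result<Vec<Requirement>, String> {
    let mut reqs = Vec::new();
    for clause in value.trim().trim_end_matches(';').split(',') {
        let mut toks = clause.split_whitespace();
        match toks.next() {
            Some("feature") => {
                let name = toks.next().ok_or("feature without a name")?;
                reqs.push(Requirement::Feature(name.to_string()));
            }
            Some("version") => {
                let mut alts: Vec<Vec<(Op, Version)>> = vec![Vec::new()];
                while let Some(tok) = toks.next() {
                    if tok == "|" { alts.push(Vec::new()); continue; }
                    let op = Op::parse(tok).ok_or(format!("bad operator '{}'", tok))?;
                    let ver = toks.next().ok_or("operator without a version")?;
                    let ver = Version::parse(ver).ok_or(format!("bad version '{}'", ver))?;
                    alts.last_mut().unwrap().push((op, ver));
                }
                if alts.iter().any(|a| a.is_empty()) { return Err("empty version constraint".into()); }
                reqs.push(Requirement::Version(alts));
            }
            Some(other) => return Err(format!("unknown requirement '{}'", other)),
            None => return Err("empty requirement".into()),
        }
    }
    Ok(reqs)
}

/// Checks parsed requirements against the version and feature set of this engine build.
pub fn check(reqs: &[Requirement], have: Version, features: &[&str]) -> Result<(), String> {
    for r in reqs {
        match r {
            Requirement::Feature(f) if !features.contains(&f.as_str()) => {
                return Err(format!("feature '{}' not available", f));
            }
            Requirement::Version(alts)
                if !alts.iter().any(|c| c.iter().all(|(op, w)| op.holds(have, *w))) =>
            {
                return Err(format!("version {} does not satisfy requirement", have));
            }
            _ => {}
        }
    }
    Ok(())
}

#[derive(Debug, PartialEq)]
pub enum PreScan { Load, Skip(String), Error(String) }

/// Pre-scan of one rule: Load when "requires" is absent or satisfied, Skip when unmet,
/// Error on syntax errors. Locates the keyword by substring search (assumption: a real
/// parser would walk the option list, so "requires:" inside msg would not fool it).
pub fn prescan(rule: &str, have: Version, features: &[&str]) -> PreScan {
    let start = match rule.find("requires:") {
        Some(i) => i + "requires:".len(),
        None => return PreScan::Load,
    };
    let rest = &rule[start..];
    let end = match rest.find(';') {
        Some(i) => i,
        None => return PreScan::Error("unterminated requires".into()),
    };
    match parse_requires(&rest[..end]) {
        Err(e) => PreScan::Error(e),
        Ok(reqs) => match check(&reqs, have, features) {
            Ok(()) => PreScan::Load,
            Err(e) => PreScan::Skip(e),
        },
    }
}

fn main() {
    let have = Version::parse("7.0.3").unwrap();
    let rule = r#"alert tcp any any -> any any (msg:"geoip rule"; requires: feature geoip, version >= 7.0.0, version < 8; sid:1;)"#;
    println!("{:?}", prescan(rule, have, &["geoip"])); // Load
    println!("{:?}", prescan(rule, have, &[]));        // Skip(...)
}
```

A loader built on this would count `Skip` results separately from `Error` results, which is the distinction the "rules skipped" counter and the "sigerror_requires" reset in the later commits depend on.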
Bug: OISF#6618.

Fix Endace ERF to SCTime_t timestamp conversion

Fix typo preventing compilation with --enable-dag

(cherry picked from commit 879db3d)
Bug: OISF#6667.

Fix compiler warnings for function pointer parameters missing const with --enable-dag

(cherry picked from commit c28cc93)
Ticket: 6656
(cherry picked from commit d321838)
The shutdown(2) syscall would always return ENOTCONN for FreeBSD 11,
FreeBSD 12, FreeBSD 13 and FreeBSD 14.  It could do some action on the
socket in the kernel in FreeBSD 10 and before, did not test.

(cherry picked from commit b239e88)
When running Suricata in XDP bypass mode (bypass: yes),

Suricata started up with error:
Error: threads: thread "FB" failed to start in time: flags 0003

"FB" thread does not transition from THV_INIT_DONE to THV_RUNNING.

Set "FB" thread THV_RUNNING state in BypassedFlowManager().

Bug: OISF#6254

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
(cherry picked from commit f80d26d)
Previous integration of hugepage analysis only fetched data
from /proc/meminfo. However this proved to be often
deceiving mainly for providing only global information and
not taking into account different hugepage sizes (e.g. 1GB
hugepages) and different NUMA nodes.

Ticket: OISF#6697
(cherry picked from commit ca6f7c2)
Remove references that are mentioning Suricata 3 or less
As a note - only one Suricata 4 reference found:
(suricata-yaml.rst:"In 4.1.x")
Fast pattern selection criteria can be internally found by inspecting
SupportFastPatternForSigMatchList and SigTableSetup functions.

Ticket: OISF#6699
(cherry picked from commit 6e4cc79)
Move libhtp to the 0.5.x branch instead of 0.5.45.

(cherry picked from commit c3b3c11)
"sigerror_ok" and "sigerror_requires" were not being reset after each
rule which could lead to a rule load error being incorrectly tracked
as skipped rather than failed.

Also initialize "skippedsigs" to 0 along with "goodsigs" and
"badsigs", while not directly related to this issue, could also throw
off some stats.

Ticket: OISF#6710
(cherry picked from commit de3cbe4)
When a TCP flow packet has not led to app-layer updates,
it is useless to run DetectRunTx, as there cannot be new
matches.

This happens, for instance, when one side sends multiple packets in a
row which are not acked (and thus not parsed in IDS mode).

Doing so requires moving up the call to
AppLayerParserSetTransactionInspectId
so that it is run the same times DetectRunTx is run, and not in the
case where the transaction was not updated.

Ticket: 6299
(cherry picked from commit 9240ae2)
Ticket: OISF#6299

Simply because it is faster (just linear).

This is for merging match_array into tx_candidates

(cherry picked from commit 5bb8800)
Especially sets transactions to complete when we get a response
without having seen the request, so that the transactions
end up getting cleaned (instead of living/leaking in the state).

Also try to set the event on the relevant transaction, instead
of creating a new transaction just for the purpose of having
the event.

Ticket: OISF#6299
(cherry picked from commit 89936b6)
Ticket: 5926

HTTP2 continuation frames are defined in RFC 9113.
They allow header blocks to be split over multiple HTTP2 frames.
For Suricata to correctly process these header blocks, it
must do the reassembly of the payload of these HTTP2 frames.
Otherwise, we get incomplete decoding for headers names and/or
values while decoding a single frame.

Design is to add a field to the HTTP2 state, as the RFC states that
these continuation frames form a discrete unit:
> Field blocks MUST be transmitted as a contiguous sequence of frames,
> with no interleaved frames of any other type or from any other stream.
So, we do not have to duplicate this reassembly field per stream id.

Another design choice is to wait for the reassembly to be complete
before doing any decoding, to avoid quadratic complexity on partially
decoding of the data.

(cherry picked from commit aff54f2)
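An added illustration of the reassembly design the commit message above describes, written for this page rather than taken from Suricata: a Rust frame parser that accumulates HEADERS and CONTINUATION payloads into one connection-wide buffer, rejects any other frame type or any other stream in the middle of a field block (RFC 9113 section 4.3), and hands out a block only once END_HEADERS arrives, so nothing is decoded from a partial block. The frame type and flag values are the RFC's; the 64 KiB cap on a reassembled block, the `H2State`/`process`/`build_frame` names and the sample frames are assumptions constructed for the example, PUSH_PROMISE is not handled, and HPACK decoding of the finished block is left out.

```rust
// Added example: reassembly of an HTTP/2 field block split across HEADERS and
// CONTINUATION frames (RFC 9113 section 4.3). Not Suricata's code.
pub const FRAME_HEADERS: u8 = 0x1;
pub const FRAME_CONTINUATION: u8 = 0x9;
pub const FLAG_END_HEADERS: u8 = 0x4;
pub const FLAG_PADDED: u8 = 0x8;
pub const FLAG_PRIORITY: u8 = 0x20;
/// Assumed cap on one reassembled block, so a peer cannot grow it without bound.
pub const MAX_FIELD_BLOCK: usize = 64 * 1024;

pub struct Frame<'a> { pub ftype: u8, pub flags: u8, pub stream_id: u32, pub payload: &'a [u8] }

/// Parses the 9-byte frame header; None if the buffer does not hold a whole frame.
pub fn parse_frame(buf: &[u8]) -> Option<(Frame<'_>, usize)> {
    if buf.len() < 9 { return None; }
    let len = ((buf[0] as usize) << 16) | ((buf[1] as usize) << 8) | buf[2] as usize;
    let end = 9 + len;
    if buf.len() < end { return None; }
    let stream_id = u32::from_be_bytes([buf[5] & 0x7f, buf[6], buf[7], buf[8]]);
    Some((Frame { ftype: buf[3], flags: buf[4], stream_id, payload: &buf[9..end] }, end))
}

/// Serializes a frame; used only to build the constructed sample input.
pub fn build_frame(ftype: u8, flags: u8, stream_id: u32, payload: &[u8]) -> Vec<u8> {
    let len = payload.len();
    let mut out = vec![(len >> 16) as u8, (len >> 8) as u8, len as u8, ftype, flags];
    out.extend_from_slice(&(stream_id & 0x7fff_ffff).to_be_bytes());
    out.extend_from_slice(payload);
    out
}

/// Strips the optional Pad Length and priority fields from a HEADERS payload.
fn headers_fragment<'a>(f: &Frame<'a>) -> Result<&'a [u8], String> {
    let mut p = f.payload;
    let mut pad = 0usize;
    if f.flags & FLAG_PADDED != 0 {
        pad = (*p.first().ok_or("PADDED HEADERS without pad length")?) as usize;
        p = &p[1..];
    }
    if f.flags & FLAG_PRIORITY != 0 {
        if p.len() < 5 { return Err("PRIORITY HEADERS too short".into()); }
        p = &p[5..];
    }
    if pad > p.len() { return Err("padding longer than payload".into()); }
    Ok(&p[..p.len() - pad])
}

#[derive(Default)]
pub struct H2State {
    /// One in-progress block for the whole connection: the RFC forbids interleaving,
    /// so no per-stream buffer is needed.
    pending: Option<(u32, Vec<u8>)>,
    pub field_blocks: Vec<(u32, Vec<u8>)>,
}

impl H2State {
    pub fn feed(&mut self, f: &Frame) -> Result<(), String> {
        if let Some((sid, buf)) = self.pending.as_mut() {
            // Mid-block: only CONTINUATION on the same stream is legal.
            if f.ftype != FRAME_CONTINUATION || f.stream_id != *sid {
                return Err(format!("frame type {:#x} on stream {} interleaved in field block of stream {}",
                                   f.ftype, f.stream_id, *sid));
            }
            buf.extend_from_slice(f.payload);
        } else if f.ftype == FRAME_HEADERS {
            self.pending = Some((f.stream_id, headers_fragment(f)?.to_vec()));
        } else if f.ftype == FRAME_CONTINUATION {
            return Err("CONTINUATION without a preceding HEADERS".into());
        } else {
            return Ok(()); // other frame types carry no field block fragment
        }
        if self.pending.as_ref().map_or(false, |(_, b)| b.len() > MAX_FIELD_BLOCK) {
            return Err("field block exceeds cap".into());
        }
        if f.flags & FLAG_END_HEADERS != 0 {
            if let Some(block) = self.pending.take() { self.field_blocks.push(block); }
        }
        Ok(())
    }
}

/// Runs a byte stream of frames through the state; only complete blocks are returned.
pub fn process(mut wire: &[u8]) -> Result<Vec<(u32, Vec<u8>)>, String> {
    let mut st = H2State::default();
    while !wire.is_empty() {
        let (frame, used) = parse_frame(wire).ok_or("truncated frame")?;
        st.feed(&frame)?;
        wire = &wire[used..];
    }
    if st.pending.is_some() { return Err("data ended inside a field block".into()); }
    Ok(st.field_blocks)
}

fn main() {
    // Constructed sample: one HPACK block (:method GET, :scheme http, :path /,
    // :authority http2.test) split over three frames on stream 1.
    let mut wire = build_frame(FRAME_HEADERS, 0, 1, b"\x82\x86");
    wire.extend(build_frame(FRAME_CONTINUATION, 0, 1, b"\x84"));
    wire.extend(build_frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 1, b"\x41\x0ahttp2.test"));
    println!("{:?}", process(&wire));
}
```

The cap is the practitioner's caveat: because decoding is deferred until END_HEADERS, a peer that never sends END_HEADERS would otherwise make the state grow with every CONTINUATION frame, so the reassembly buffer needs a bound and a hard error when it is crossed.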
instead of keeping a NULL pointer in an array

Ticket: OISF#5921
(cherry picked from commit 8f63a8f)
Ticket: OISF#5921

Co-authored-by: Jason Ish <jason.ish@oisf.net>
(cherry picked from commit 4175680)
Ticket: 6477

So as to avoid ending up with too many empty transactions.

This happens when Suricata sees a DATA command in the current
transaction but did not have a confirmation response for it.
Then, if Suricata receives another DATA command, it will
create another new transaction, even if the previous one
is empty. And so, a malicious client can create many empty
transactions by just sending a repeated amount of DATA commands
without having a confirmation code for them.

Suricata cannot use state->current_command == SMTP_COMMAND_DATA
to prevent this attack and needs to resort to a new boolean
is_data because the malicious client may send another dummy command
after each DATA command.

This patch leaves only one call to SMTPTransactionCreate

(cherry picked from commit 61f2e4e)
Ticket: OISF#6441

This keyword and the response one use a multiple inspection buffer.
But the different instances point to the same memory address
that comes from HttpHeaderGetBufferSpace and is not owned
by the transaction, and is rebuilt, which is a functional
bug in itself.

As it gets crafted, it can get reallocated if one header
is over 1024 bytes, while the previous freed pointer will still get
used for the previous headers.

(cherry picked from commit bc422c1)
If the next PDU is already in the slice next, do not use it and
restrict ourselves to the length of this PDU.
Avoids overconsumption of memory by quadratic complexity, when
having many small PDUs in one big chunk being parsed.

Ticket: OISF#6411
(cherry picked from commit f52c033)
A next PDU may already be in the slice to parse.
Do not skip its parsing, i.e. do not use rest, but take just
the length of the PDU.

(cherry picked from commit 86de7cf)
victorjulien and others added 23 commits July 2, 2024 21:25
Ticket: 6390

This can happen with keyword filestore:both,flow
If one direction does not have a signature group with a filestore,
the file is set to nostore on opening, until a signature in
the other direction tries to set it to store.
Subsequent files will be stored in both directions as flow flags
are now set.

(cherry picked from commit 5f35035)
Ticket: 7053

As flow state would be overwritten by established...

(cherry picked from commit df5dcfe)
No need to init ptrs to NULL after SCCalloc.

(cherry picked from commit 3e46c51)
Implement special "isset" and "isnotset" modes.

"isset" matches if an IP address is part of an iprep category with any
value.

It is internally implemented as ">=,0", which should always be true if
there is a value to evaluate, as valid reputation values are 0-127.

"isnotset" matches if an IP address is not part of an iprep category.

Internally it is implemented outside the uint support.

Ticket: OISF#6857.
(cherry picked from commit 83976a4)
THashInitConfig may not allocate array and increase memuse.
Such a failure leads to THashShutdown which should not decrease
the memuse.

Ticket: 7135
(cherry picked from commit eeec609)
Don't assume the ntlmssp version field is always present if the flag is
set. Instead keep track of the offsets of the data of the various blobs
and see if there is space for the version.

Inspired by how Wireshark does the parsing.

Bug: OISF#7121.
(cherry picked from commit f59c43b)
For TCP streams, app proto stream reassembly can start earlier, instead
of waiting and queueing up data before doing so.

Task OISF#7018
Related to
Bug OISF#7004

(cherry picked from commit bb45ac7)
Getting clock through Time Stamp Counter (TSC) can be precise and fast,
however only for a short duration of time.
The implementation across CPUs seems to vary. The original idea is to
increment the counter with every tick. Then dividing the delta of CPU ticks
by the CPU frequency can return the time that passed.
However, the CPU clock/frequency can change over time, resulting in uneven
incrementation of TSC. On some CPUs this is handled by extra logic.
As a result, obtaining time through this method might drift from the real
time.

This commit therefore substitutes TSC time retrieval by the standard system
call wrapped in GetTime function - on Linux it is gettimeofday.

Ticket: 7116

(cherry picked from commit 35dffc6)
Ticket: 7172

When parsing an integer for a rule keyword fails, we return error
straight away, without bothering to try to free the NULL pointer.

On the way, remove some one-line wrapper around DetectUxParse

(cherry picked from commit daad7f2)
Issue: 7194

Ensure that the jb object is closed on errors.
Ticket: 7181

Allows confyaml.c to be in the release archive

(cherry picked from commit 3f8251b)
error: this `match` can be collapsed into the outer `match`
   --> src/dcerpc/detect.rs:215:20
    |
215 |           Some(x) => match x {
    |  ____________________^
216 | |             DCERPC_TYPE_REQUEST | DCERPC_TYPE_RESPONSE => {}
217 | |             _ => {
218 | |                 return 0;
219 | |             }
220 | |         },
    | |_________^
    |
help: the outer pattern can be modified to include the inner pattern
   --> src/dcerpc/detect.rs:215:14
    |
215 |         Some(x) => match x {
    |              ^ replace this binding
216 |             DCERPC_TYPE_REQUEST | DCERPC_TYPE_RESPONSE => {}
    |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ with this pattern
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match
Fix clippy lint for if_let_redundant_pattern_matching by using
.is_some().
Fixes clippy lint for collapsible_match.

error: this `match` can be collapsed into the outer `if let`
  --> src/conf.rs:85:9
   |
85 | /         match val {
86 | |             "1" | "yes" | "true" | "on" => {
87 | |                 return true;
88 | |             },
89 | |             _ => {},
90 | |         }
   | |_________^
   |
help: the outer pattern can be modified to include the inner pattern
  --> src/conf.rs:84:17
   |
84 |     if let Some(val) = conf_get(key) {
   |                 ^^^ replace this binding
85 |         match val {
86 |             "1" | "yes" | "true" | "on" => {
   |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^ with this pattern
   = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match
Fixes clippy lint:

error: doc list item missing indentation
   --> src/dcerpc/dcerpc.rs:511:9
    |
511 |     ///  description: direction of the flow
    |         ^
    |
    = help: if this is supposed to be its own paragraph, add a blank line
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#doc_lazy_continuation
@jasonish
Member Author

jasonish commented Aug 6, 2024

Wrong base branch.

@jasonish jasonish closed this Aug 6, 2024
@jasonish jasonish deleted the staging/70x/v4 branch August 7, 2024 15:21