From 2cdb8f75d1965ddd905258d9b36d1cc8e6d88077 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Mon, 20 Jan 2025 08:46:39 -0500 Subject: [PATCH 1/2] detect/csum: rm interaction btw stream setting/csum Issue: 7467 Stream checksum validation no longer has a side effect of setting PKT_IGNORE_CHECKSUM and thus, no longer affects csum keyword checks. (cherry picked from commit 758da982f087dce249012304de7d3077adf9bade) --- src/stream-tcp.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 46b379f7de16..b847fb6f8a00 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c @@ -5815,11 +5815,7 @@ TmEcode StreamTcp (ThreadVars *tv, Packet *p, void *data, PacketQueueNoLock *pq) StatsIncr(tv, stt->counter_tcp_invalid_checksum); return TM_ECODE_OK; } - } else { - p->flags |= PKT_IGNORE_CHECKSUM; } - } else { - p->flags |= PKT_IGNORE_CHECKSUM; //TODO check that this is set at creation } AppLayerProfilingReset(stt->ra_ctx->app_tctx); From 1ce02094b3d9177ab9933f47bc2d0dbac0c9e3a9 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Tue, 21 Jan 2025 09:21:24 -0500 Subject: [PATCH 2/2] doc/csum: Stream checksum validation change Describe the change of behavior between the stream.checksum-validation setting and checksum-based rule keywords. (cherry picked from commit cfbf8fda94771461844b0fc805af5476f92328ce) --- doc/userguide/upgrade.rst | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 6da52adb1f88..20317621a199 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst 
@@ -39,7 +39,7 @@ Upgrading to 7.0.8 - Unknown requirements in the ``requires`` keyword will now be treated as unsatisfied requirements, causing the rule to not be loaded. See :ref:`keyword_requires`. To opt out of this change and to ignore - uknown requirements, effectively treating them as satified the + unknown requirements, effectively treating them as satisfied the ``ignore-unknown-requirements`` configuration option can be used. Command line example:: @@ -66,6 +66,13 @@ Upgrading to 7.0.8 the engine will NOT log any transaction metadata if there is more than one live transaction, to reduce the chances of logging unrelated data.** This may lead to what looks like a regression in behavior, but it is a considered choice. +- The configuration setting controlling stream checksum checks no longer affects + checksum keyword validation. In previous Suricata versions, when ``stream.checksum-validation`` + was set to ``no``, the checksum keywords (e.g., ``ipv4-csum``, ``tcpv4-csum``, etc) + will always consider it valid; e.g., ``tcpv4-csum: invalid`` will never match. Now, + ``stream.checksum-validation`` no longer affects the checksum rule keywords. + E.g., ``ipv4-csum: valid`` will only match if the check sum is valid, even when engine + checksum validations are disabled. Upgrading 6.0 to 7.0 -------------------- @@ -80,7 +87,6 @@ Major changes `_. - New protocols enabled by default: bittorrent-dht, quic, http2. - The telnet protocol is also enabled by default, but only for the ``app-layer``. - Security changes ~~~~~~~~~~~~~~~~ - suricata.yaml now prevents process creation by Suricata by default with `security.limit-noproc`.
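Review bot: in the src/stream-tcp.c hunk, the deleted TODO ("check that this is set at creation") was a reminder that PKT_IGNORE_CHECKSUM may be expected to come from packet creation rather than from StreamTcp; with both `else { p->flags |= PKT_IGNORE_CHECKSUM; }` branches removed, nothing left in this function sets the flag when stream checksum validation is disabled or when a packet never reaches the validation branch, so every remaining consumer of PKT_IGNORE_CHECKSUM should be audited before this is merged, and the commit message should say what (if anything) still sets it. The invalid-checksum path above the deletions (`StatsIncr(tv, stt->counter_tcp_invalid_checksum); return TM_ECODE_OK;`) is untouched, so packets with a bad checksum still leave StreamTcp early when validation is on. The series also ships without a test: a rule test that pairs `stream.checksum-validation: no` with `tcpv4-csum: invalid` against a packet carrying a bad checksum would pin the behaviour the commit message describes.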
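Review bot: the `@@ -39,7 +39,7 @@` hunk is an unrelated typo fix (`uknown`/`satified` to `unknown`/`satisfied`) in the ``requires`` keyword note, and the commit message only describes the checksum-validation documentation change; either split it into its own commit or mention it in the message. While the sentence is being touched, "treating them as satisfied the ``ignore-unknown-requirements`` configuration option can be used" still needs a comma after "satisfied".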
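Review bot: the new bullet in the `@@ -66,6 +66,13 @@` hunk mixes tenses, repeats itself and misspells "checksum". "In previous Suricata versions, when ``stream.checksum-validation`` was set to ``no``, the checksum keywords ... will always consider it valid" should be past tense and name what "it" is; "e.g., ``ipv4-csum``, ``tcpv4-csum``, etc" should keep only one of "e.g." and "etc."; the sentence "Now, ``stream.checksum-validation`` no longer affects the checksum rule keywords." restates the opening sentence and can go; and "check sum" should be "checksum". Suggested wording: "- The ``stream.checksum-validation`` setting no longer affects the checksum rule keywords (``ipv4-csum``, ``tcpv4-csum``, etc.). Previously, with ``stream.checksum-validation: no`` the keywords always treated the checksum as valid, so ``tcpv4-csum: invalid`` never matched. Now ``ipv4-csum: valid`` matches only if the checksum is actually valid, even when engine checksum validation is disabled." It is also worth stating explicitly that this is a behaviour change for existing rulesets, since rules using the ``invalid`` form can start matching after the upgrade.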
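Review bot: the `@@ -80,7 +87,6 @@` hunk appears to delete only a blank line between the telnet bullet and the "Security changes" heading, which is whitespace cleanup unrelated to the commit subject and not mentioned in the message. If that was the only blank line separating the bullet list from the section title, docutils will emit a "Bullet list ends without a blank line; unexpected unindent" warning when the userguide is built; either drop this hunk or confirm a second blank line remains there.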