next/1234/80x/20260224/v1

configure.ac

@@ -537,6 +537,14 @@
     ])
     AM_CONDITIONAL([DEBUG_VALIDATION], [test "x$enable_debug_validation" = "xyes"])
 
+  # enable qa-simulation mode -- disabled by default
+    AC_ARG_ENABLE(qa-simulation,
+           AS_HELP_STRING([--enable-qa-simulation], [Enable qa-simulation mode]))
+    AS_IF([test "x$enable_qa_simulation" = "xyes"], [
+        AC_DEFINE([QA_SIMULATION],[1],[Enable qa-simulation mode])
+    ])
+    AM_CONDITIONAL([QA_SIMULATION], [test "x$enable_qa_simulation" = "xyes"])
+
   # profiling support
     AC_ARG_ENABLE(profiling,
            AS_HELP_STRING([--enable-profiling], [Enable performance profiling]),[enable_profiling=$enableval],[enable_profiling=no])
@@ -2643,6 +2651,7 @@ Development settings:
   Unit tests enabled:                      ${enable_unittests}
   Debug output enabled:                    ${enable_debug}
   Debug validation enabled:                ${enable_debug_validation}
+  QA-simulation enabled:                   ${enable_qa_simulation}
   Fuzz targets enabled:                    ${enable_fuzztargets}
 
 Generic build parameters:

doc/userguide/output/syslog-alerting-comp.rst

@@ -5,6 +5,10 @@ Suricata can alert via syslog which is a very handy feature for central log coll
 
 However, there are different syslog daemons and there can be parsing issues with the syslog format a SIEM expects and what syslog format Suricata sends. The syslog format from Suricata is dependent on the syslog daemon running on the Suricata sensor but often the format it sends is not the format the SIEM expects and cannot parse it properly.
 
+.. attention:: The syslog output is deprecated in Suricata 8.0 and
+               will be removed in Suricata 9.0. Please migrate to the
+               ``eve`` output which has the ability to send to syslog.
+
 Popular syslog daemons
 ----------------------
 

doc/userguide/rules/payload-keywords.rst

@@ -271,6 +271,70 @@ You can also use the negation (!) before isdataat.
 
 .. image:: payload-keywords/isdataat1.png
 
+absolute vs relative values
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The absolute ``isdataat`` checks will succeed if the offset used is
+**less than** the size of the inspection buffer.
+
+For *relative* ``isdataat`` checks, there is a **1 byte difference** vs
+the absolute handling.
+
+Matching will succeed if the relative offset is **less than or equal to**
+the size of the inspection buffer. This is different from absolute
+``isdataat`` checks.
+
+As an example, consider a 32 byte payload:
+
++---------------------------+--------+
+| rule statement            | Match? |
++---------------------------+--------+
+| ``isdataat:31;``          | Yes    |
++---------------------------+--------+
+| ``isdataat:32;``          | No     |
++---------------------------+--------+
+| ``isdataat:31,relative;`` | Yes    |
++---------------------------+--------+
+| ``isdataat:32,relative;`` | Yes    |
++---------------------------+--------+
+| ``isdataat:33,relative;`` | No     |
++---------------------------+--------+
+
+Another example, consider the following payload:
+
++-------+---+---+---+---+---+---+---+---+
+| Index | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
++-------+---+---+---+---+---+---+---+---+
+| Value | a | b | c | d | e | f | g | h |
++-------+---+---+---+---+---+---+---+---+
+
+Then the following rules match the payload as follows:
+
++----------------------------------------+--------+
+| Rule statement                         | Match? |
++----------------------------------------+--------+
+| ``isdataat:7;``                        | Yes    |
++----------------------------------------+--------+
+| ``isdataat:8;``                        | No     |
++----------------------------------------+--------+
+| ``isdataat:7,relative;``               | Yes    |
++----------------------------------------+--------+
+| ``isdataat:8,relative;``               | Yes    |
++----------------------------------------+--------+
+| ``isdataat:9,relative;``               | No     |
++----------------------------------------+--------+
+| ``payload:"c"; isdataat:4,relative;``  | Yes    |
++----------------------------------------+--------+
+| ``payload:"c"; isdataat:5,relative;``  | Yes    |
++----------------------------------------+--------+
+| ``payload:"c"; isdataat:6,relative;``  | No     |
++----------------------------------------+--------+
+
+These differences are also discussed in :doc:`differences-from-snort`.
+
+A discussion of this difference can be found at
+https://redmine.openinfosecfoundation.org/issues/8031
+
 absent
 ------
 

doc/userguide/rules/transforms.rst

@@ -394,3 +394,45 @@ the buffer.
        local sub = string.sub(input, offset + 1, offset + bytes)
        return string.upper(sub), bytes
    end
+
+gunzip
+------
+
+Takes the buffer, applies gunzip decompression.
+
+This transform takes an optional argument which is a comma-separated list of key-values.
+The only key being interperted is ``max-size``, which is the max output size.
+Default for max-size is 1024.
+If the decompressed data were to be larger than max-size,
+the transform will decompress data up to max-size.
+Value 0 is forbidden for max-size (there is no unlimited value).
+
+This example alerts if ``http.uri`` contains base64-encoded gzipped value
+Example::
+
+    alert http any any -> any any (msg:"from_base64 + gunzip";
+            http.uri; content:"/gzb64?value="; fast_pattern;
+            from_base64: offset 13 ;
+            gunzip; content:"This is compressed then base64-encoded"; startswith; endswith;
+            sid:2; rev:1;)
+
+zlib_deflate
+------------
+
+Takes the buffer, applies zlib decompression.
+
+This transform takes an optional argument which is a comma-separated list of key-values.
+The only key being interperted is ``max-size``, which is the max output size.
+Default for max-size is 1024.
+If the decompressed data were to be larger than max-size,
+the transform will decompress data up to max-size.
+Value 0 is forbidden for max-size (there is no unlimited value).
+
+This example alerts if ``http.uri`` contains base64-encoded zlib-compressed value
+Example::
+
+    alert http any any -> any any (msg:"from_base64 + gunzip";
+            http.uri; content:"/zb64?value="; fast_pattern;
+            from_base64: offset 12 ;
+            zlib_deflate; content:"This is compressed then base64-encoded"; startswith; endswith;
+            sid:2; rev:1;)

doc/userguide/upgrade.rst

@@ -227,7 +227,7 @@ Deprecations
 - The ``tls-log`` output is now deprecated and will be removed in Suricata 9.0.
 - The ``syslog`` output is now deprecated and will be removed in
   Suricata 9.0. Note that this is the standalone ``syslog`` output and
-  does affect the ``eve`` outputs ability to send to syslog.
+  does **not** affect the ``eve`` outputs ability to send to syslog.
 - The ``default`` option in ``app-layer.protocols.tls.encryption-handling`` is
   now deprecated and will be removed in Suricata 9.0. The ``track-only`` option
   should be used instead.

plugins/ndpi/ndpi.c

@@ -181,11 +181,21 @@ static void OnThreadInit(ThreadVars *tv, void *_data)
 static int DetectnDPIProtocolPacketMatch(
         DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
 {
+    SCEnter();
+
     const Flow *f = p->flow;
+    if (f == NULL) {
+        SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
+        SCReturnInt(0);
+    }
+
     struct NdpiFlowContext *flowctx = FlowGetStorageById(f, flow_storage_id);
-    const DetectnDPIProtocolData *data = (const DetectnDPIProtocolData *)ctx;
+    if (flowctx == NULL) {
+        SCLogDebug("packet %" PRIu64 ": no flowctx", PcapPacketCntGet(p));
+        SCReturnInt(0);
+    }
 
-    SCEnter();
+    const DetectnDPIProtocolData *data = (const DetectnDPIProtocolData *)ctx;
 
     /* if the sig is PD-only we only match when PD packet flags are set */
     /*
@@ -201,11 +211,6 @@ static int DetectnDPIProtocolPacketMatch(
         SCReturnInt(0);
     }
 
-    if (f == NULL) {
-        SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
-        SCReturnInt(0);
-    }
-
     bool r = ndpi_is_proto_equals(flowctx->detected_l7_protocol.proto, data->l7_protocol, false);
     r = r ^ data->negated;
 
@@ -311,22 +316,27 @@ static void DetectnDPIProtocolFree(DetectEngineCtx *de_ctx, void *ptr)
 static int DetectnDPIRiskPacketMatch(
         DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
 {
+    SCEnter();
+
     const Flow *f = p->flow;
+    if (f == NULL) {
+        SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
+        SCReturnInt(0);
+    }
+
     struct NdpiFlowContext *flowctx = FlowGetStorageById(f, flow_storage_id);
-    const DetectnDPIRiskData *data = (const DetectnDPIRiskData *)ctx;
+    if (flowctx == NULL) {
+        SCLogDebug("packet %" PRIu64 ": no flowctx", p->pcap_cnt);
+        SCReturnInt(0);
+    }
 
-    SCEnter();
+    const DetectnDPIRiskData *data = (const DetectnDPIRiskData *)ctx;
 
     if (!flowctx->detection_completed) {
         SCLogDebug("packet %" PRIu64 ": ndpi risks not yet detected", p->pcap_cnt);
         SCReturnInt(0);
     }
 
-    if (f == NULL) {
-        SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
-        SCReturnInt(0);
-    }
-
     bool r = ((flowctx->ndpi_flow->risk & data->risk_mask) == data->risk_mask);
     r = r ^ data->negated;