
Next/20230608/v10 #8994

Merged
victorjulien merged 17 commits into OISF:master from victorjulien:next/20230608/v10
Jun 9, 2023
Conversation

victorjulien and others added 17 commits June 6, 2023 12:09
When sliding a region it could start to overlap with the next region.
This case wasn't handled, causing validation checks to trigger.

This patch adds support for this, where the largest region will be expanded
to fit both regions and both regions will be consolidated into it.

Bug: OISF#6066.

During consolidation of regions, buf_offset could get out of sync if
the region was grown on the left side.

To fix, reset it and let "sbb slide" logic correct it.

Bug: OISF#6117.

Slide error may happen if the region we're sliding starts to overlap
with the next region. If we can't temporarily grow the current region
to merge with the next region, keep the regions separate.

Rust 1.70 has introduced some possible issues between LLVM and gcc
causing link errors that are fixed by explicitly adding -lntdll.

Thanks to extendr/rextendr#285 for the fix.

So far, we store one variable in state to hold whether we want to
discard a long line till LF irrespective of direction. This means that a
long command to the client followed by a regular command with LF can be
considered as one long line, which is incorrect.

Bug 6054

Currently, there is no way to mark if LF was found and then the line was
truncated. It becomes difficult to spot in the callers whether the line
was truncated despite LF being found or not. So, label it clearly with a
variable.

Set the IPv6 packet proto before parsing the ext headers, similar to
decode-ipv4, in case of an ext header parsing error. Otherwise
rule decode-events are not triggered for packets encapsulated in IPv6.

Bug: OISF#6086.

In case of 'EXCEPTION_POLICY_REJECT', we were applying the same behavior
regardless of being in IDS or IPS mode.
This meant that (at least) the 'flow.action' was changed to drop when we
hit an exception policy in IDS mode.

Bug OISF#6109

and not the one from state

If an SNMP flow starts with a V2 version transaction,
then there is a V3 version transaction,
we will now log V3 for the second transaction

The first report didn't have an example rule to go with.

Add Arch AUR information for installation on Arch-based distros.
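The two Bug 6054 commits above describe a line-reader state problem: one "discard till LF" flag shared by both traffic directions lets an over-long server line swallow the next client command, and a single "truncated" marker cannot express "cut at the limit, but its LF was seen". The following Rust block is an added example written for this page, not Suricata's parser or any code from this PR: `LineParser`, `Direction`, `Line` and the 16-byte `MAX_LINE_LEN` are hypothetical names and values chosen for the illustration, and the traffic samples are constructed. `LineParser::new(false)` reproduces the shared-flag behaviour, `LineParser::new(true)` the per-direction fix, and every reported line carries independent `truncated` and `lf_found` flags.

```rust
// Added example: per-direction line reading with separate truncated/LF markers.
// Not Suricata's code; names, limits and sample input are assumptions for this page.

/// Bytes kept for one line before it is reported as truncated (assumed value).
pub const MAX_LINE_LEN: usize = 16;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Direction {
    ToServer = 0,
    ToClient = 1,
}

/// One reported line. `truncated` and `lf_found` are independent, so a caller can
/// tell "cut at MAX_LINE_LEN but LF was seen" from "cut, LF still pending".
#[derive(Clone, Debug, PartialEq)]
pub struct Line {
    pub data: Vec<u8>,
    pub truncated: bool,
    pub lf_found: bool,
}

pub struct LineParser {
    /// false reproduces the old behaviour: one discard flag shared by both directions.
    per_direction: bool,
    discard_till_lf: [bool; 2],
    pending: [Vec<u8>; 2],
}

impl LineParser {
    pub fn new(per_direction: bool) -> Self {
        LineParser { per_direction, discard_till_lf: [false; 2], pending: [Vec::new(), Vec::new()] }
    }

    /// Which discard flag direction `d` uses: its own, or the shared one (index 0).
    fn flag_idx(&self, d: Direction) -> usize {
        if self.per_direction { d as usize } else { 0 }
    }

    /// Feed one chunk seen in direction `d`; returns every line completed or truncated by it.
    pub fn feed(&mut self, d: Direction, input: &[u8]) -> Vec<Line> {
        let di = d as usize;
        let fi = self.flag_idx(d);
        let mut out = Vec::new();
        let mut rest = input;
        while !rest.is_empty() {
            let lf = rest.iter().position(|&b| b == b'\n');
            if self.discard_till_lf[fi] {
                // Remainder of a line already reported as truncated: drop it through its LF.
                match lf {
                    Some(i) => {
                        self.discard_till_lf[fi] = false;
                        rest = &rest[i + 1..];
                    }
                    None => break,
                }
                continue;
            }
            match lf {
                Some(i) => {
                    self.pending[di].extend_from_slice(&rest[..i]);
                    rest = &rest[i + 1..];
                    let mut raw = std::mem::take(&mut self.pending[di]);
                    if raw.last() == Some(&b'\r') {
                        raw.pop();
                    }
                    // LF was found; the line may still exceed the limit, so record both facts.
                    let truncated = raw.len() > MAX_LINE_LEN;
                    raw.truncate(MAX_LINE_LEN);
                    out.push(Line { data: raw, truncated, lf_found: true });
                }
                None => {
                    self.pending[di].extend_from_slice(rest);
                    if self.pending[di].len() > MAX_LINE_LEN {
                        // Over the limit with no LF yet: report now, discard the rest until LF.
                        let mut raw = std::mem::take(&mut self.pending[di]);
                        raw.truncate(MAX_LINE_LEN);
                        out.push(Line { data: raw, truncated: true, lf_found: false });
                        self.discard_till_lf[fi] = true;
                    }
                    break;
                }
            }
        }
        out
    }
}

fn main() {
    // Constructed sample: an over-long server line (no LF yet) followed by a client command.
    let long_reply = vec![b'A'; 40];
    for per_direction in [false, true] {
        let mut p = LineParser::new(per_direction);
        p.feed(Direction::ToClient, &long_reply);
        let cmd = p.feed(Direction::ToServer, b"EHLO mail.example\r\n");
        println!("per_direction={}: client command lines seen = {}", per_direction, cmd.len());
    }
}
```

With the shared flag the `EHLO` command is consumed as the tail of the server's long line and never reported; with per-direction state it comes out intact, and the long server line is still reported once, with `truncated` set and `lf_found` false until its LF arrives in a later chunk.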
victorjulien requested review from a team, jasonish and jufajardini as code owners on June 8, 2023 18:06

github-actions bot commented Jun 8, 2023

NOTE: This PR may contain new authors:

Jeremy MountainJohnson <jay@jskier.com>
Long Doan <hoanglong7421@gmail.com>

@suricata-qa
Information: QA ran without warnings.

Pipeline 14335

8 participants