Commits on May 9, 2023

  1. Commit cd12468

Commits on Jun 2, 2023

  1. flow: apply flow to packet on flow lookup

    Issue drop to packet as early as possible.
    
    (cherry picked from commit 71a033a)
    victorjulien committed Jun 2, 2023
    Commit 49051b6
  2. detect: update/document drop flow logic

    Now that flow drop is applied to packets before other processing,
    no drop has to be issued on a packet.
    
    (cherry picked from commit 85ddba6)
    victorjulien committed Jun 2, 2023
    Commit 66aed44
  3. app-layer: don't update UDP applayer for dropped packets

    (cherry picked from commit 77f4966)
    victorjulien committed Jun 2, 2023
    Commit 416cc84
  4. stream: simplify drop handling

    Remove logic to apply flow drop, as this is now handled in the
    flow engine.
    
    However, keep the logic that frees/cleans the session state.
    
    (cherry picked from commit d91a1e8)
    victorjulien committed Jun 2, 2023
    Commit 4b9cac4
  5. flow/timeout: no pseudo packets for dropped flows

    When a flow is in the drop flow state, don't use pseudo packets
    when it is timing out. There should be no work left to do at this
    point.
    
    (cherry picked from commit 2a95154)
    victorjulien committed Jun 2, 2023
    Commit 043bbb9
  6. detect: fix stateful drops for rate_filter

    (cherry picked from commit 418cc1f)
    victorjulien committed Jun 2, 2023
    Commit 644a231
  7. detect: add check to validate drops

    (cherry picked from commit 95bf724)
    victorjulien committed Jun 2, 2023
    Commit 5c2e6c4

Commits on Jun 3, 2023

  1. detect: remove flow drop unittest

    Test broke after recent changes. Functionality is tested in
    suricata-verify, so just remove the test.
    
    (cherry picked from commit 8a535a0)
    victorjulien committed Jun 3, 2023
    Commit 6767b1c

Commits on Jun 4, 2023

  1. rust/doc: wrap some code examples in backticks

    (cherry picked from commit 13fe957)
    jasonish authored and victorjulien committed Jun 4, 2023
    Commit f5f2dc9
  2. windivert: fix compile warnings

    (cherry picked from commit fd93f00)
    victorjulien committed Jun 4, 2023
    Commit ad041da

Commits on Jun 6, 2023

  1. ftp: separate truncated line markers

    So far, we store one variable in state to hold whether we want to
    discard a long line till LF irrespective of direction. This means that a
    long command to the client followed by a regular command with LF can be
    considered as one long line, which is incorrect.
    
    Bug 6055
    inashivb committed Jun 6, 2023
    Commit 544ac30

Commits on Jun 7, 2023

  1. ftp: don't decrement truncated line len

    In case LF was found for a long line way outside of the limit, we should
    not need to update the delimiter len and current line len because the
    line is capped at 4k and the LF was not within these 4k bytes.
    inashivb committed Jun 7, 2023
    Commit 1b9e4fb

Commits on Jun 8, 2023

  1. windows: add -lntdll to Windows builds

    Rust 1.70 has introduced some possible issues between LLVM and gcc
    causing link errors that are fixed by explicitly adding -lntdll.
    
    Thanks to extendr/rextendr#285 for the fix.
    jasonish authored and victorjulien committed Jun 8, 2023
    Commit 13dbb5d
  2. stream: update no-flow checks

    (cherry picked from commit 0360cb6)
    victorjulien committed Jun 8, 2023
    Commit e275a1e
  3. counters: make tcp stats independent of flow, ssn

    Counters depended on availability of flow and tcp session, meaning
    that 2 memcaps could affect the counters.
    
    Bug: #5017.
    (cherry picked from commit 36f6e05)
    victorjulien committed Jun 8, 2023
    Commit b46d541
  4. dns: mark test buffers with rustfmt::skip

    (cherry picked from commit 39d2524)
    jasonish authored and victorjulien committed Jun 8, 2023
    Commit 66b36f4
  5. dns: parse and alert on invalid opcodes

    Accept DNS messages with an invalid opcode that are otherwise
    valid. Such a DNS message will create a parser event.
    
    This is a change of behavior: previously an invalid opcode would cause
    the DNS message to not be detected or parsed as DNS.
    
    Issue: #5444
    (cherry picked from commit c98c49d)
    jasonish authored and victorjulien committed Jun 8, 2023
    Commit dbaf63d
  6. dns: validate header on every incoming message

    As UDP streams get probed, a stream that does not appear to be DNS
    at first may have a single packet that does look close enough to DNS
    to be picked up as DNS, causing every subsequent packet to result in a
    parser error.
    
    To mitigate this, probe every incoming DNS message header for validity
    before continuing onto the body.  If the header doesn't validate as
    DNS, just ignore the packet so no parse error is registered.
    
    (cherry picked from commit 595700a)
    jasonish authored and victorjulien committed Jun 8, 2023
    Commit 0b283ef
  7. dns: split header and body parsing

    As part of extra header validation, split out DNS body parsing to
    avoid the overhead of parsing the header twice.
    
    (cherry picked from commit d720ead)
    jasonish authored and victorjulien committed Jun 8, 2023
    Commit 2e4aade

Commits on Jun 9, 2023

  1. http2: avoid quadratic complexity in headers

    When adding an element to the dynamic headers table, the oldest
    ones may get evicted. When multiple elements get evicted, they
    should get evicted all at once with drain, instead of one by one
    as there will be a massive move each time.
    
    Ticket: #6103
    (cherry picked from commit 6350736)
    catenacyber authored and victorjulien committed Jun 9, 2023
    Commit 401a1b3

Commits on Jun 10, 2023

  1. smb: convert transaction list to vecdeque

    Allows for more efficient removal from front of the list.
    
    Ticket: #5753
    (cherry picked from commit 1d91836)
    catenacyber authored and victorjulien committed Jun 10, 2023
    Commit d362e45
  2. dns: convert transaction list to vecdeque

    Allows for more efficient removal from front of the list.
    
    Ticket: #5277
    (cherry picked from commit 3189414)
    jasonish authored and victorjulien committed Jun 10, 2023
    Commit 5f72846
  3. rdp: convert transaction list to vecdeque

    Allows for more efficient removal from front of the list.
    
    Ticket: #5295
    (cherry picked from commit 4e0ad5e)
    jasonish authored and victorjulien committed Jun 10, 2023
    Commit 506c45f
  4. http2: convert transaction list to vecdeque

    Allows for more efficient removal from front of the list.
    
    Ticket: #5296
    (cherry picked from commit 2db8472)
    jasonish authored and victorjulien committed Jun 10, 2023
    Commit 20952ba
  5. template(rust): convert transaction list to vecdeque

    Allows for more efficient removal from front of the list.
    
    Ticket: #5298
    (cherry picked from commit e319d31)
    jasonish authored and victorjulien committed Jun 10, 2023
    Commit 5937a1c
  6. dcerpc: convert transaction list to vecdeque

    Allows for more efficient removal from front of the list.
    
    Ticket: #5271
    (cherry picked from commit dfe76bb)
    jasonish authored and victorjulien committed Jun 10, 2023
    Commit ee77e2e
  7. dcerpc: convert transaction list to vecdeque for UDP

    As was done for TCP in dfe76bb and d745d28
    
    Ticket: #5518
    (cherry picked from commit bf43011)
    catenacyber authored and victorjulien committed Jun 10, 2023
    Commit a0ce78c

Commits on Jun 13, 2023

  1. detect/byte-math: Support multiplication operator

    Issue: 6070
    
    This commit adds support for the multiplication operator to byte-math.
    The regex for parsing the keyword options was missing the `*` character.
    jlucovsky authored and victorjulien committed Jun 13, 2023
    Commit e027080
  2. decode-ipv6: Set IPv6 proto in case of ext header parsing error

    Set the IPv6 packet proto before parsing the ext headers, similar to
    decode-ipv4, in case of an ext header parsing error. Otherwise
    rule decode-events are not triggered for packets encapsulated in IPv6.
    
    Bug: #6086.
    (cherry picked from commit 531d99f)
    coledishington authored and victorjulien committed Jun 13, 2023
    Commit 96bb6ed
  3. suricata-update: install sample configuration files

    With the move to installing Suricata-Update files from the Suricata
    Makefiles, the sample configuration files were forgotten.
    
    Ticket: #6132
    (cherry picked from commit b8071a9)
    jasonish committed Jun 13, 2023
    Commit 3365972
  4. github-ci: check for suricata-update example configuration files

    Check that the Suricata-Update example configuration files are
    installed.
    
    (cherry picked from commit 6d7923c)
    jasonish committed Jun 13, 2023
    Commit 7b7d4d2

Commits on Jun 14, 2023

  1. smtp: handle DATA mode in middle of input parsing

    Before:
    If the input was such that we'd enter DATA mode in the middle, the
    entire data would be passed through SMTPGetLine fn and be processed with
    line limits etc in place.
    
    After:
    Since we don't want any limits to be enforced on DATA, we pass it to
    SMTPPreProcessCommands fn to take care of it differently from the
    commands.
    
    Bug 5981
    inashivb authored and victorjulien committed Jun 14, 2023
    Commit 432842a
  2. smtp: add function docs

    inashivb authored and victorjulien committed Jun 14, 2023
    Commit f5db4bb
  3. smtp: handle following cmd if LF was found in long line

    If a long line had LF post the limit, it should be considered complete
    and not wait for the next line to complete it. However, currently, any
    following lines were skipped which could sometimes also be important
    commands for the entire transaction.
    
    Fix this by setting a flag in case we're truncating a long line but
    after having found the LF character.
    
    Bug 5989
    inashivb authored and victorjulien committed Jun 14, 2023
    Commit 79a1b2e
  4. smtp: handle long lines per direction

    Issue:
    Currently, while handling long lines, if the line exceeded the limit,
    we'd set a variable state->discard_till_lf which will be reset in the
    later stages based on the data that arrives. However, because there was
    one variable per state, this meant that a later stage in the other
    direction could also modify it, which is incorrect.
    
    Fix:
    Use separate variables for each direction.
    
    Bug 6053
    inashivb authored and victorjulien committed Jun 14, 2023
    Commit 342e21a
  5. lua: disable lua rules by default

    To protect against possible supply chain attacks, disable Lua rules by
    default. They can be enabled under the "security" section of
    suricata.yaml.
    
    Ticket: #6122
    jasonish authored and victorjulien committed Jun 14, 2023
    Commit b95bbcc
  6. Commit ea3a470
  7. datasets: don't allow absolute or paths with directory traversal

    For dataset filenames coming from rules, do not allow filenames that
    are absolute or contain a directory traversal with "..". This prevents
    datasets from escaping the defined data-directory, which may allow a bad
    rule to overwrite any file that Suricata has permission to write to.
    
    Add a new configuration option,
    "datasets.rules.allow-absolute-filenames", to allow absolute filenames
    in dataset rules. This will be a way to revert back to the pre-6.0.13
    behavior where save/state rules could use any filename.
    
    Ticket: #6118
    jasonish authored and victorjulien committed Jun 14, 2023
    Commit aee1523
  8. install: create runtime data directory

    On installation, make sure the data directory is created. This will
    usually be /var/lib/suricata/data, but otherwise follows the
    autoconf/automake instructions.
    
    This directory is for runtime state information, which for now is
    datasets but may be expanded in the future.  Suricata already expects
    this directory to exist for "state" and "save" datasets, but it has
    been up to the user to create it.
    jasonish authored and victorjulien committed Jun 14, 2023
    Commit 3f7b7e0
  9. datasets: flag to disable "write" actions

    Add a new configuration flag, "datasets.rules.allow-write" to control
    if rules can contain "save" or "state" rules which allow write access
    to the file system.
    
    Ticket: #6123
    jasonish authored and victorjulien committed Jun 14, 2023
    Commit 735f5aa
  10. config: uncomment datasets configuration

    Uncomment the datasets configuration for easier editing by users.  The
    values are left commented out as their defaults.
    jasonish authored and victorjulien committed Jun 14, 2023
    Commit bcb9edc
  11. Commit 27bda31

Commits on Jun 15, 2023

  1. doc/userguide: start on a security chapter

    This is the start of a security consideration chapter, starting with
    directions on how to run Suricata as a non-root user.
    jasonish authored and inashivb committed Jun 15, 2023
    Commit f9a0bbe
  2. Commit f09a6b5