.github/workflows/builds.yml

@@ -233,6 +233,14 @@ jobs:
       - run: make install
       - run: suricatasc -h
       - run: suricata-update -V
+      - name: Check if Suricata-Update example configuration files are installed
+        run: |
+          test -e /usr/local/lib/suricata/python/suricata/update/configs/disable.conf
+          test -e /usr/local/lib/suricata/python/suricata/update/configs/drop.conf
+          test -e /usr/local/lib/suricata/python/suricata/update/configs/enable.conf
+          test -e /usr/local/lib/suricata/python/suricata/update/configs/modify.conf
+          test -e /usr/local/lib/suricata/python/suricata/update/configs/threshold.in
+          test -e /usr/local/lib/suricata/python/suricata/update/configs/update.yaml
 
   # This build also creates the distribution package that some other builds
   # depend on.

ChangeLog

@@ -1,3 +1,21 @@
+6.0.13 -- 2023-06-15
+
+Security #6119: datasets: absolute path in rules can overwrite arbitrary files (6.0.x backport)
+Bug #6138: Decode-events of IPv6 packets are not triggered (6.0.x backport)
+Bug #6136: suricata-update: dump-sample-configs: configuration files not found (6.0.x backport)
+Bug #6125: http2: cpu overconsumption in rust moving/memcpy in http2_parse_headers_blocks (6.0.x backport)
+Bug #6113: ips: txs still logged for dropped flow (6.0.x backport)
+Bug #6056: smtp: long line discard logic should be separate for server and client (6.0.x backport)
+Bug #6055: ftp:  long line discard logic should be separate for server and client (6.0.x backport)
+Bug #5990: smtp: any command post a long command gets skipped (6.0.x backport)
+Bug #5982: smtp: Long DATA line post boundary is capped at 4k Bytes (6.0.x backport)
+Bug #5809: smb: convert transaction list to vecdeque (6.0.x backport)
+Bug #5604: counters: tcp.syn, tcp.synack, tcp.rst depend on flow (6.0.x backport)
+Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport)
+Task #5984: libhtp 0.5.44 (6.0.x backport)
+Documentation #6134: userguide: add instructions/explanation for (not) running suricata with root (6.0.x backport)
+Documentation #6121: datasets: 6.0.x work-arounds for dataset supply chain attacks
+
 6.0.12 -- 2023-05-08
 
 Bug #6040: tcp: failed assertion ASSERT: !(ssn->state != TCP_SYN_SENT) (6.0.x backport)

Makefile.am

@@ -30,6 +30,7 @@ install-conf:
 	install -d "$(DESTDIR)$(e_logcertsdir)"
 	install -d "$(DESTDIR)$(e_rundir)"
 	install -m 770 -d "$(DESTDIR)$(e_localstatedir)"
+	install -m 770 -d "$(DESTDIR)$(e_datadir)"
 
 install-rules:
 if INSTALL_SURICATA_UPDATE

configure.ac

@@ -1,4 +1,4 @@
-    AC_INIT([suricata],[6.0.12])
+    AC_INIT([suricata],[6.0.13])
     m4_ifndef([AM_SILENT_RULES], [m4_define([AM_SILENT_RULES],[])])AM_SILENT_RULES([yes])
     AC_CONFIG_HEADERS([src/autoconf.h])
     AC_CONFIG_SRCDIR([src/suricata.c])
@@ -268,7 +268,7 @@
             CFLAGS="${CFLAGS} -DOS_WIN32"
             WINDOWS_PATH="yes"
             AC_DEFINE([HAVE_NON_POSIX_MKDIR], [1], [mkdir is not POSIX compliant: single arg])
-            RUST_LDADD=" -lws2_32 -liphlpapi -lwbemuuid -lOle32 -lOleAut32 -lUuid -luserenv -lshell32 -ladvapi32 -lgcc_eh -lbcrypt"
+            RUST_LDADD=" -lws2_32 -liphlpapi -lwbemuuid -lOle32 -lOleAut32 -lUuid -luserenv -lshell32 -ladvapi32 -lgcc_eh -lbcrypt -lntdll"
             TRY_WPCAP="yes"
             ;;
         *-*-cygwin)
@@ -1671,12 +1671,12 @@
             echo
             exit 1
         fi
-        PKG_CHECK_MODULES(LIBHTPMINVERSION, [htp >= 0.5.43],[libhtp_minver_found="yes"],[libhtp_minver_found="no"])
+        PKG_CHECK_MODULES(LIBHTPMINVERSION, [htp >= 0.5.44],[libhtp_minver_found="yes"],[libhtp_minver_found="no"])
         if test "$libhtp_minver_found" = "no"; then
             PKG_CHECK_MODULES(LIBHTPDEVVERSION, [htp = 0.5.X],[libhtp_devver_found="yes"],[libhtp_devver_found="no"])
             if test "$libhtp_devver_found" = "no"; then
                 echo
-                echo "   ERROR! libhtp was found but it is neither >= 0.5.43, nor the dev 0.5.X"
+                echo "   ERROR! libhtp was found but it is neither >= 0.5.44, nor the dev 0.5.X"
                 echo
                 exit 1
             fi
@@ -2783,6 +2783,7 @@ AC_SUBST(e_logcertsdir)
 AC_SUBST(e_sysconfdir)
 AC_DEFINE_UNQUOTED([CONFIG_DIR],["$e_sysconfdir"],[Our CONFIG_DIR])
 AC_SUBST(e_localstatedir)
+AC_SUBST(e_datadir)
 AC_DEFINE_UNQUOTED([DATA_DIR],["$e_datadir"],[Our DATA_DIR])
 AC_SUBST(e_magic_file)
 AC_SUBST(e_magic_file_comment)

doc/userguide/Makefile.am

@@ -24,6 +24,7 @@ EXTRA_DIST = \
 	reputation \
 	rule-management \
 	rules \
+	security.rst \
 	setting-up-ipsinline-for-linux \
 	setting-up-ipsinline-for-linux.rst \
 	setting-up-ipsinline-for-windows.rst \

doc/userguide/configuration/suricata-yaml.rst

@@ -2480,3 +2480,21 @@ detect thread. For each output script, a single state is used. Keep in
 mind that a rule reload temporary doubles the states requirement.
 
 .. _deprecation policy: https://suricata.io/our-story/deprecation-policy/
+
+.. _suricata-yaml-config-hardening:
+
+Configuration hardening
+-----------------------
+
+Lua
+~~~
+
+Suricata 6.0.13 disables Lua rules by default. Lua rules can be
+enabled in the ``security.lua`` section of the configuration file:
+
+::
+
+   security:
+     lua:
+       # Allow Lua rules. Disabled by default.
+       #allow-rules: false

doc/userguide/index.rst

@@ -9,6 +9,7 @@ Suricata User Guide
    quickstart
    install.rst
    upgrade.rst
+   security.rst
    command-line-options
    rules/index.rst
    rule-management/index.rst

doc/userguide/rules/datasets.rst

@@ -214,3 +214,60 @@ field:
 Syntax::
 
     <data>,<value>
+
+.. _datasets_file_locations:
+
+File Locations
+--------------
+
+Dataset filenames configured in the ``suricata.yaml`` can exist
+anywhere on your filesytem.
+
+When a dataset filename is specified in rule, the following *rules*
+are applied:
+
+- For ``load``, the filename is opened relative to the rule file
+  containing the rule. Absolute filenames and parent directory
+  traversals are allowed.
+- For ``save`` and ``state`` the filename is relative to
+  ``$LOCALSTATEDIR/suricata/data``. On many installs this will be
+  ``/var/lib/suricata/data``, but run ``suricata --build-info`` and
+  check the value of ``--localstatedir`` to verify this location onn
+  your installation.
+
+  - Absolute filenames, or filenames containing parent directory
+    traversal (``..``) are not allowed unless the configuration
+    paramater ``datasets.allow-absolute-filenames`` is set to
+    ``true``.
+
+.. _datasets_security:
+
+Security
+--------
+
+As datasets potentially allow a rule distributor write access to your
+system with ``save`` and ``state`` dataset rules, the locations
+allowed are strict by default, however there are two dataset options
+to tune the security of rules utilizing dataset filenames::
+
+  datasets:
+    rules:
+      # Set to true to allow absolute filenames and filenames that use
+      # ".." components to reference parent directories in rules that specify
+      # their filenames.
+      allow-absolute-filenames: false
+
+      # Allow datasets in rules write access for "save" and
+      # "state". This is enabled by default, however write access is
+      # limited to the data directory.
+      allow-write: true
+
+By setting ``datasets.rules.allow-write`` to false, all ``save`` and
+``state`` rules will fail to load. This option is enabled by default
+to preserve compatiblity with previous 6.0 Suricata releases, however
+may change in a future major release.
+
+Pre-Suricata 6.0.13 behavior can be restored by setting
+``datasets.rules.allow-absolute-filenames`` to ``true``, however
+allowing so will allow any rule to overwrite any file on your system
+that Suricata has write access to.

doc/userguide/rules/rule-lua-scripting.rst

@@ -3,6 +3,10 @@
 Lua Scripting
 =============
 
+.. note:: Lua is disabled by default for use in rules, it must be
+          enabled in the configuration file. See the ``security.lua``
+          section of ``suricata.yaml`` and enable ``allow-rules``.
+
 Syntax:
 
 ::

doc/userguide/security.rst

@@ -0,0 +1,145 @@
+Security Considerations
+=======================
+
+Suricata is a security tool that processes untrusted network data, as
+well as requiring elevated system privileges to acquire that
+data. This combination deserves extra security precautions that we
+discuss below.
+
+Additionally, supply chain attacks, particularly around rule
+distribution could potentially target Suricata installations.
+
+Running as a User Other Than Root
+---------------------------------
+
+.. note:: If using the Suricata RPMs, either from the OISF COPR repo,
+          or the EPEL repo the following is already configured for
+          you. The only thing you might want to do is add your
+          management user to the ``suricata`` group.
+
+Many Suricata examples and guides will show Suricata running as the
+*root* user, particularly when running on live traffic. As Suricata
+generally needs low level read (and in IPS write) access to network
+traffic, it is required that Suricata starts as root, however Suricata
+does have the ability to drop down to a non-root user after startup
+which could limit the impact of a security vulnerability in Suricata
+itself.
+
+.. note:: Currently the ability to drop root privileges after startup
+          is only available on Linux systems.
+
+Create User
+~~~~~~~~~~~
+
+Before running as a non-root user you have to choose, and possibly
+create the user and group that will Suricata will run as. Typically
+this user would be a sytem user with the name ``suricata``. Such a
+user can be created with the following command::
+
+  useradd --no-create-home --system --shell /sbin/nologin suricata
+
+This will create a user and group with the name ``suricata``.
+
+File System Permissions
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Before running Suricata as the user ``suricata``, some directory
+permissions will need to be updated to allow the ``suricata`` read and
+write access.
+
+Assuming your Suricata was installed from source using the recommended
+configuration of::
+
+  ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
+
+the following directories will need their permissions updated:
+
++------------------+-----------+
+|Directory         |Permissions|
++==================+===========+
+|/etc/suricata     |Read       |
++------------------+-----------+
+|/var/log/suricata |Read, Write|
++------------------+-----------+
+|/var/lib/suricata |Read, Write|
++------------------+-----------+
+|/var/run/suricata |Read, Write|
++------------------+-----------+
+
+The following commands will setup the correct permissions:
+
+* ``/etc/suricata``::
+
+    chgrp -R suricata /etc/suricata
+    chmod -R g+r /etc/suricata
+
+* ``/var/log/suricata``::
+
+    chgrp -R suricata /var/log/suricata
+    chmod -R g+rw /var/log/suricata
+
+* ``/var/lib/suricata``::
+
+    chgrp -R suricata /var/lib/suricata
+    chmod -R g+srw /var/lib/suricata
+
+* ``/var/lib/suricata``::
+
+    chgrp -R suricata /var/run/suricata
+    chmod -R g+srw /var/run/suricata
+
+Configure Suricata to Run as ``Suricata``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Suricata can be configured to run as an alternate user by updating the
+configuration file or using command line arguments.
+
+* Using the configuration file, update the ``run-as`` section to look like::
+
+    run-as:
+      user: suricata
+      group: suricata
+
+* Or if using command line arguments, add the following to your command::
+
+    --user suricata --group suricata
+
+Starting Suricata
+~~~~~~~~~~~~~~~~~
+
+It is important to note that Suricata still needs to be started with
+**root** permissions in most cases. Starting as *root* allows Suricata
+to get access to the network interfaces and set the *capabilities*
+required during runtime before it switches down to the configured
+user.
+
+Other Commands: Suricata-Update, SuricataSC
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+With the previous permissions setup, ``suricata-update`` and
+``suricatasc`` can also be run without root or sudo. To allow a user
+to access these commands, add them to the ``suricata`` group.
+
+Containers
+----------
+
+Containers such as Docker and Podman are other methods to provide
+isolation between Suricata and host machine running Suricata, however
+we still recommend running as a non-root user even in containers.
+
+Capabilities
+~~~~~~~~~~~~
+
+For both Docker and Podman the following capabilities should be
+provided to the container running Suricata for proper operation::
+
+  --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice
+
+Podman
+~~~~~~
+
+Unfortunately Suricata will not work with *rootless* Podman, this is
+due to Suricata's requirement to start with root privileges to gain
+access to the network interfaces. However, if started with the above
+capabilities, and configured to run as a non-root user it will drop
+root privileges before processing network data.

doc/userguide/upgrade.rst

@@ -30,6 +30,16 @@ by the ones Suricata supplies.
 Major updates include new features, new default settings and often also
 remove features.
 
+Upgrading to 6.0.13
+-------------------
+- Lua rules have been disabled. To enable them see
+  :ref:`suricata-yaml-config-hardening`.
+- Absolute filenames and filenames containing parent directory
+  traversal are no longer allowed by default for datasets when the
+  filename is specified as part of a rule. See :ref:`Datasets Security
+  <datasets_security>` and :ref:`Datasets File Locations
+  <datasets_file_locations>` for more information.
+
 Upgrading from 6.0.4 to 6.0.5
 -----------------------------
 - FTP has been updated with a maximum command request and response line length of 4096 bytes. To change the default see :ref:`suricata-yaml-configure-ftp`.

requirements.txt

@@ -3,5 +3,5 @@
 # Format:
 #
 #   name {repo} {branch|tag}
-libhtp https://github.com/OISF/libhtp 0.5.43
+libhtp https://github.com/OISF/libhtp 0.5.44
 suricata-update https://github.com/OISF/suricata-update 1.2.7

rules/dns-events.rules

@@ -7,3 +7,4 @@ alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server;
 alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;)
 # Z flag (reserved) not 0
 alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS Invalid opcode"; app-layer-event:dns.invalid_opcode; classtype:protocol-command-decode; sid:2240007; rev:1;)