William Ling
30628e45bc
rust: replace helper with built-in
...
Replace custom u32_as_bytes with built-in to_be_bytes
Issue: 5785
2026-06-05 12:38:57 +00:00
Philippe Antoine
9318bbfbdb
rust: format tftp files
...
Ticket: 3836
2026-06-05 12:38:56 +00:00
Philippe Antoine
9ec200e834
rust: format x509 files
...
Ticket: 3836
2026-06-05 12:38:56 +00:00
Philippe Antoine
dd66276f82
rust: format telnet files
...
Ticket: 3836
2026-06-05 12:38:56 +00:00
Philippe Antoine
709ad1bdf4
rust: format sip files
...
Ticket: 3836
2026-06-05 12:38:56 +00:00
Samaresh Kumar Singh
f06bb7d43e
dhcp: support option 52 overload
...
Per RFC 2132 the BOOTP sname and file fields can hold extra DHCP
options when option 52 is present, but the parser ignored them. After
parsing the main options we now look up option 52 and walk sname or
file as additional option streams, appending what we find to the same
options vector so the logger and detection keywords see the
overloaded values too.
Bug: #8538.
2026-06-05 12:38:55 +00:00
Philippe Antoine
26bb18cfaa
http2: replace state todrop with a dedicated boolean
...
Ticket: 8518
2026-06-02 21:16:54 +00:00
Philippe Antoine
8eed90ca9d
http2: global txs are unidirectional
...
Ticket: 8518
Meaning they will now match only once per tx instead of twice:
once for each direction
2026-06-02 21:16:54 +00:00
Philippe Antoine
daf68dc36f
http2: split progress per direction
...
Ticket: 8518
Keywords that work for HTTP2 headers match now as soon as possible
A push promise is now considered like a headers frame with regards
to the progress (no dedicated "reserved" progress/state)
http.protocol and http.stat_msg keywords are now registered at
earliest progress, since these are synthetic like "HTTP/2" and
not really seen on the wire.
http.request_line and http.response_line match only on data,
and not on headers, since we must wait for the end of headers
to be sure we have the full line
http2.size_update now matches at headers progress as it should
http2.frametype, http2.errorcode, http2.priority now match like
http2.window, when the tx is complete from both sides, as a
half-closed client may still send priority, rst_stream
or window_update frames
2026-06-02 21:16:54 +00:00
Philippe Antoine
8217c51126
rust: format sdp files
...
Ticket: 3836
2026-06-02 21:16:52 +00:00
Philippe Antoine
9d9d8df4cd
rust: format rdp files
...
Ticket: 3836
2026-06-02 21:16:52 +00:00
Philippe Antoine
7352bae890
smb: avoid unsigned overflow debug assertion
...
As we compute a padding, we can use wrapping_add as we only
care about the low-weight bit anyways
2026-06-02 21:16:51 +00:00
Giuseppe Longo
8f205bb34f
llmnr: implement logger
...
This adds an LLMNR protocol logger that reuses existing DNS functions,
following the same approach as the mDNS logger:
- No grouped logging
- Rdata is logged in a field that is named after the rdata type
- Types are logged in lower case
- Flags are logged as an array
Ticket #8366
2026-06-02 06:26:10 +00:00
Giuseppe Longo
13df0f7a06
llmnr: implement parser
...
This adds a parser for LLMNR protocol over both UDP and TCP.
The parser reuses the existing DNS functions since LLMNR shares
the same wire format as DNS, but implements its own protocol-specific
validation:
- LLMNR-specific flag checks (C, TC, T bits)
- Opcode validation (only standard query opcode 0 is valid)
- An event is set if the Z flag is set, since it must be zero per RFC 4795
LLMNR transactions inherit DNS behavior where each packet creates a new state
with one transaction.
Ticket #8366
2026-06-02 06:26:10 +00:00
Philippe Antoine
73193c7e6a
rust: format pgsql files
...
Ticket: 3836
2026-05-29 15:18:49 +00:00
Philippe Antoine
3bfe6cf4b9
rust: format nfs files
...
Ticket: 3836
2026-05-29 15:18:49 +00:00
Philippe Antoine
07112bc7ae
rust: format mqtt files
...
Ticket: 3836
2026-05-28 20:49:56 +00:00
Philippe Antoine
844f2effa3
rust: format modbus files
...
Ticket: 3836
2026-05-28 20:49:56 +00:00
Philippe Antoine
db019ebefe
rust: format ike files
...
Ticket: 3836
2026-05-28 20:49:56 +00:00
Philippe Antoine
bcc1e6ae32
rust: format http2 files
...
Ticket: 3836
2026-05-25 16:20:24 +00:00
Philippe Antoine
1070e733d8
rust: format websocket files
...
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
89e5332d88
rust: format utils files
...
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
edf29b0000
rust: format ssh files
...
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
fe27a2159c
rust: format rfb files
...
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
5cca346f16
rust: format quic files
...
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
415360d9e8
rust: format ntp files
...
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
fa864f9c2f
rust: format mime files
...
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
2cfcaec1b0
rust: format ldap files
...
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
64e7c671cc
rust: format ftp files
...
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
f217e249cb
rust: format ffi files
...
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
f7c14809f4
rust: format enip files
...
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
e526eb8e2b
rust: format bittorrent_dht files
...
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
f5ac0e201c
rust: format asn1 files
...
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
1ced97bdbb
rust: format applayertemplate files
...
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
b90adcc2bb
rust/ffi: move AppLayerTxData to ffi
...
Ticket: 7666
2026-05-20 17:57:52 +00:00
Philippe Antoine
0773fba5fd
rust/ffi: move txdata flags to ffi
...
Ticket: 7666
2026-05-20 17:57:52 +00:00
Philippe Antoine
2525ea2e37
rust/ffi: move direction to ffi
...
Ticket: 7666
2026-05-20 17:57:52 +00:00
Philippe Antoine
5440e41314
rust/ffi: move debug validations macros to ffi
...
Ticket: 7666
2026-05-20 17:57:52 +00:00
Philippe Antoine
bf64b52b95
http2: better compression against decompression bombs
...
Ticket: 8513
Suricata decides at 2 levels if a http2 flow is doing a compression
bomb.
There is a direct computation when one chunk of TCP data
is being parsed.
In this case, do not take the ratio into account, just use the size
of the decompressed data, so that if we get a big chunk of TCP data
like 1 MiB, and a not so high ratio of 200, we do not trigger
the debug assertion in util-file.c about 64MiB
The other case stays unchanged: when accumulating over the lifetime of
a flow with multiple txs, take into account the compression ratio,
so that a flow of many txs, having a super high (brotli) compression
ratio, ends up classified as a compression bomb.
(For example, having 100 txs each turning a 100-byte input into a 700 KiB
one)
2026-05-18 13:21:46 +02:00
Philippe Antoine
6d437956e2
detect/transforms: dotprefix can be chained
...
Ticket: 8537
Otherwise, it may cause a use-after-free, in case of a reallocated
buffer where we used the inspect buffer that was freed.
2026-05-18 07:41:33 +02:00
Philippe Antoine
2b20a436e7
detect/transforms: decompress checks earlier if it is in-place
...
Ticket: 8536
Otherwise, it may cause a use-after-free.
So, we need to allocate the temporary vector before calling
SCInspectionBufferCheckAndExpand
2026-05-18 07:41:33 +02:00
Philippe Antoine
7bf48b02be
http2: protection against decompression bombs
...
Ticket: 8513
During decompression, fail early if we have a big decompression
ratio, and enough data.
Track this data also during a tx lifetime, and even a flow/state
lifetime, so that we set event and fail also if the compression
bomb is split over multiple packets
2026-05-16 20:42:15 +02:00
Philippe Antoine
29e4b08647
http2: code refactoring to split big function
2026-05-16 20:42:15 +02:00
Philippe Antoine
e98d419d96
ldap: bound the number of responses
...
Ticket: 8405
2026-05-16 20:42:15 +02:00
Victor Julien
6ebd0c3cc2
http2: check for HTTP1 protocol during upgrade path
...
Ticket: 8492
2026-05-16 20:42:15 +02:00
Philippe Antoine
10bde66586
nfs: bound file_additional_procs to 1
...
Ticket: 8418
As we only need to know we saw at least one NFSPROC3_COMMIT
2026-05-16 20:42:14 +02:00
Philippe Antoine
aea7ee21b8
nfs: bound namemap by using lru
...
Ticket: 8418
2026-05-16 20:42:14 +02:00
Philippe Antoine
a50f494ef6
nfs: bound requestmap and use lru
...
Ticket: 8418
2026-05-16 20:42:14 +02:00
Juliana Fajardini
d442c3544c
detect: opt-in keywords for firewall mode
...
- tls.cert_chain_len
- datarep
- dataset
- dns.opcode
Part of
Ticket #8387
2026-05-16 05:41:55 +00:00
Philippe Antoine
f0e246de34
detect/mqtt: reason_code keyword is now a multi-integer
...
Ticket: 7929
Builds a vector of the reason code in a tx to do so,
except if we use the default "any", where we do not append
to the vector, but just run detection while iterating
2026-05-11 20:04:44 +00:00