Commit graph

2290 commits

Author SHA1 Message Date
Philippe Antoine
bcc1e6ae32 rust: format http2 files
Ticket: 3836
2026-05-25 16:20:24 +00:00
Philippe Antoine
1070e733d8 rust: format websocket files
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
89e5332d88 rust: format utils files
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
edf29b0000 rust: format ssh files
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
fe27a2159c rust: format rfb files
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
5cca346f16 rust: format quic files
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
415360d9e8 rust: format ntp files
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
fa864f9c2f rust: format mime files
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
2cfcaec1b0 rust: format ldap files
Ticket: 3836
2026-05-23 18:01:39 +00:00
Philippe Antoine
64e7c671cc rust: format ftp files
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
f217e249cb rust: format ffi files
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
f7c14809f4 rust: format enip files
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
e526eb8e2b rust: format bittorrent_dht files
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
f5ac0e201c rust: format asn1 files
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
1ced97bdbb rust: format applayertemplate files
Ticket: 3836
2026-05-23 18:01:38 +00:00
Philippe Antoine
efe3b16aac rust: feature debug in main crate enables feature debug in ffi
2026-05-20 17:57:52 +00:00
Philippe Antoine
b90adcc2bb rust/ffi: move AppLayerTxData to ffi
Ticket: 7666
2026-05-20 17:57:52 +00:00
Philippe Antoine
bce88dd83f rust: build depends on ffi/Cargo.toml.in
2026-05-20 17:57:52 +00:00
Philippe Antoine
0773fba5fd rust/ffi: move txdata flags to ffi
Ticket: 7666
2026-05-20 17:57:52 +00:00
Philippe Antoine
2525ea2e37 rust/ffi: move direction to ffi
Ticket: 7666
2026-05-20 17:57:52 +00:00
Philippe Antoine
5440e41314 rust/ffi: move debug validations macros to ffi
Ticket: 7666
2026-05-20 17:57:52 +00:00
Philippe Antoine
bf64b52b95 http2: better compression against decompression bombs
Ticket: 8513

Suricata decides at 2 levels if a http2 flow is doing a compression
bomb.

There is a direct computation when one chunk of TCP data
is being parsed.
In this case, do not take the ratio into account, just use the size
of the decompressed data, so that if we get a big chunk of TCP data
like 1 MiB, and a not so high ratio of 200, we do not trigger
the debug assertion in util-file.c about 64 MiB.

The other case stays unchanged: when accumulating over the lifetime of
a flow with multiple txs, take into account the compression ratio,
so that a flow of many txs, having a super high (brotli) compression
ratio, ends up classified as a compression bomb.
(For example, having 100 txs each turning a 100 byte input into a 700 KiB
one.)
2026-05-18 13:21:46 +02:00
Philippe Antoine
6d437956e2 detect/transforms: dotprefix can be chained
Ticket: 8537

Otherwise, it may cause a use-after-free, in case of a reallocated
buffer where we used the buffer inspect which was freed.
2026-05-18 07:41:33 +02:00
Philippe Antoine
2b20a436e7 detect/transforms: decompress checks earlier if it is in-place
Ticket: 8536

Otherwise, it may cause a use-after-free.

So, we need to allocate the temporary vector before calling
SCInspectionBufferCheckAndExpand.
2026-05-18 07:41:33 +02:00
Philippe Antoine
4c42998feb detect/engine: helper to know if a transform happens in-place
2026-05-18 07:41:33 +02:00
Philippe Antoine
7bf48b02be http2: protection against decompression bombs
Ticket: 8513

During decompression, fail early if we have a big decompression
ratio and enough data.
Track this data also during a tx lifetime, and even a flow/state
lifetime, so that we set the event and fail also if the compression
bomb is split over multiple packets.
2026-05-16 20:42:15 +02:00
Philippe Antoine
29e4b08647 http2: code refactoring to split big function
2026-05-16 20:42:15 +02:00
Philippe Antoine
e98d419d96 ldap: bound the number of responses
Ticket: 8405
2026-05-16 20:42:15 +02:00
Victor Julien
6ebd0c3cc2 http2: check for HTTP1 protocol during upgrade path
Ticket: 8492
2026-05-16 20:42:15 +02:00
Philippe Antoine
10bde66586 nfs: bound file_additional_procs to 1
Ticket: 8418

As we only need to know we saw at least one NFSPROC3_COMMIT
2026-05-16 20:42:14 +02:00
Philippe Antoine
aea7ee21b8 nfs: bound namemap by using lru
Ticket: 8418
2026-05-16 20:42:14 +02:00
Philippe Antoine
a50f494ef6 nfs: bound requestmap and use lru
Ticket: 8418
2026-05-16 20:42:14 +02:00
Juliana Fajardini
d442c3544c detect: opt-in keywords for firewall mode
- tls.cert_chain_len
- datarep
- dataset
- dns.opcode

Part of
Ticket #8387
2026-05-16 05:41:55 +00:00
Philippe Antoine
f0e246de34 detect/mqtt: reason_code keyword is now a multi-integer
Ticket: 7929

Builds a vector of the reason codes in a tx to do so,
except if we use the default "any", where we do not append
to the vector, but just run detection while iterating.
2026-05-11 20:04:44 +00:00
Philippe Antoine
614c48d3c3 ikev2: remove unused field
Ticket: 8415
2026-05-10 21:12:30 +00:00
Jeff Lucovsky
9ea2e29581 ftp: raise too_many_transactions event on overflow
Other parsers (SMB, POP3, ENIP) already raise a too_many_transactions
event when a flow exceeds its per-flow transaction limit. FTP had
the limit wired up through app-layer.protocols.ftp.max-tx but just
dropped the excess transaction on the floor with a "FTP does not set
events yet..." TODO, so no event was raised when the limit was
reached.

Add the FtpEventTooManyTransactions variant, a stock rule at
sid 2232002, and raise the event from FTPTransactionCreate when the
live-tx count goes past ftp_config_maxtx.

Issue: 8489
2026-05-09 04:17:40 +00:00
Jason Ish
cb69fa4e53 rust/ffi: add flow lifecycle callback wrappers
Provide Rust friendly callback registrations for flow init, update and finish events. These
callbacks are implemented as Rust closures.

Ticket: #8446
2026-05-09 04:17:38 +00:00
Jason Ish
d4dc8be3b2 rust: bindgen flow lifecycle callbacks
Ticket: #8446
2026-05-09 04:17:38 +00:00
Philippe Antoine
e38888810d detect/dcerpc: avoids FP on dcerpc.iface keyword
When we got a bind without the first fragment flag, and did not
set any_frag in the signature, the signature always matched,
whatever the uuid value.

Ticket: 8457
2026-05-09 04:17:38 +00:00
Jason Ish
8968b1c5a1 psl: update to 2.1.206
Update the public suffix list to latest release.
2026-05-06 18:58:48 +00:00
Philippe Antoine
5ed394b26b rust/ffi: move AppLayerEvent to ffi
Ticket: 7666
2026-05-06 18:58:47 +00:00
Philippe Antoine
59b6de8239 rust: fix last collapsible_match warnings
The ones where we need to remove a debug log
2026-05-06 18:58:47 +00:00
Philippe Antoine
1cdff9de8e rust: fix collapsible_match warnings
warning: this `if` can be collapsed into the outer `match`
help: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.95.0/index.html#collapsible_match
2026-05-06 18:58:47 +00:00
Jason Ish
899e9f045e ntp: expose logged fields to lua
This includes:
- version
- mode
- stratum
- reference_id

Ticket: #8533
2026-05-06 12:38:50 +00:00
Jason Ish
81692dd2c1 rust/lua: add method for pushing bytes
Much like pushstring, but accepts an &[u8] as an argument instead of an &str.

In support of ticket #8533.
2026-05-06 12:38:50 +00:00
Jason Ish
cdb02a2779 rust/dns: rustfmt
2026-04-30 05:38:07 +00:00
Philippe Antoine
7d66eb5f04 rust: remove unused function
rust_string_to_c was used where a buffer should be used, as it could
contain a nul-byte.
2026-04-30 05:38:07 +00:00
Philippe Antoine
9b12fd9f09 rust/ffi: move helper trait state_get_tx_iterator to ffi
Ticket: 7666
2026-04-30 05:38:06 +00:00
Philippe Antoine
07f37676b6 rust/ffi: move Flags for AppLayerParserState to ffi crate
Ticket: 7666
2026-04-30 05:38:06 +00:00
Philippe Antoine
fb20c69d8d rust/ffi: move APP_LAYER_PARSER_OPT_X const to ffi crate
Ticket: 7666
2026-04-30 05:38:06 +00:00