suricata: Update to 5.0.9

Changelog:

"5.0.9 -- 2022-04-21

Security #4889: ftp: SEGV at flow cleanup due to protocol confusion
Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input
Security #5028: smtp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input
Security #5253: Infinite loop in JsonFTPLogger
Feature #4644: pthreads: set minimum stack size
Bug #4466: dataset file not written when run as user
Bug #4678: Configuration test mode succeeds when reference.config file contains invalid content
Bug #4745: Absent app-layer protocol is always enabled by default
Bug #4819: tcp: insert_data_normal_fail can hit without triggering memcap
Bug #4823: conf: quadratic complexity
Bug #4825: pppoe decoder fails when protocol identity field is only 1 byte
Bug #4827: packetpool: packets in pool may have capture method ReleasePacket callbacks set
Bug #4838: af-packet: cluster_id is not used when trying to set fanout support
Bug #4878: datasets: memory leak in 5.0.x
Bug #4887: dnp3: buffer over read in logging base64 empty objects
Bug #4891: protodetect: SMB vs TLS protocol detection in midstream
Bug #4893: TFTP: memory leak due to missing detect state
Bug #4895: Memory leak with signature using file_data and NFS
Bug #4897: profiling: Invalid performance counter when using sampling
Bug #4901: eve: memory leak related to dns
Bug #4932: smtp: smtp transaction not logged if no email is present
Bug #4955: stream: too aggressive pruning in lossy streams
Bug #4957: SMTP assertion triggered
Bug #4959: suricatasc loop if recv returns no data
Bug #4961: dns: transaction not created when z-bit set
Bug #4963: Run stream reassembly on both directions upon receiving a FIN packet
Bug #5058: dns: probing/parser can return error when it should return incomplete
Bug #5063: Not keyword matches in Kerberos requests
Bug #5096: output: timestamp missing usecs on Arm 32bit + Musl
Bug #5099: htp: server personality radix handling issue
Bug #5101: defrag: policy config can setup radix incorrectly
Bug #5103: Application log cannot be re-opened when running as non-root user
Bug #5105: iprep: cidr support can set up radix incorrectly
Bug #5107: detect/iponly: rule parsing does not always apply netmask correctly
Bug #5109: swf: coverity warning
Bug #5115: detect/ip_proto: inconsistent behavior when specifying protocol by string
Bug #5117: detect/iponly: mixing netblocks can lead to FN/FP
Bug #5119: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice()
Bug #5137: smb: excessive memory use during file transfer
Bug #5150: nfs: Integer underflow in NFS
Bug #5157: xbits: noalert is allowed in rule language with other commands
Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT)
Bug #5171: detect/iponly: non-cidr netmask settings can lead to incorrect radix tree
Bug #5193: SSL : over allocation for certificates
Bug #5213: content:"22 2 22"; is parsed without error
Bug #5227: 5.0.x: SMB: Wrong buffer being checked for possible overflow.
Bug #5251: smb: integer underflows and overflows
Task #5006: libhtp 0.5.40"

Additionally, I moved the 'suricata' patch files into a separate directory.
Apart from some line numbers, nothing else was changed.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Matthias Fischer
2022-04-22 10:21:48 +02:00
committed by Peter Müller
parent c2ead0c78d
commit 30f306a3e2
4 changed files with 8 additions and 8 deletions


@@ -0,0 +1,55 @@
From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 19 Nov 2021 17:17:47 +0000
Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval
For connections that use TCP timestamps for which the first SYN packet
does not reach the server, any replies to retransmitted SYNs will be
tropped.
This is happening in StateSynSentValidateTimestamp, where the timestamp
value in a SYN-ACK packet must match the one from the SYN packet.
However, since the server never received the first SYN packet, it will
respond with an updated timestamp from any of the following SYN packets.
The timestamp value inside suricata is not being updated at any time
which should happen. This patch fixes that problem.
This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
src/stream-tcp.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 1cff19fa5..af681760b 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -1641,6 +1641,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p,
"ssn->client.last_ack %"PRIu32"", ssn,
ssn->client.isn, ssn->client.next_seq,
ssn->client.last_ack);
+ } else if (PKT_IS_TOSERVER(p)) {
+ /*
+ * On retransmitted SYN packets, the timestamp value must be updated,
+ * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN
+ * with an updated timestamp in StateSynSentValidateTimestamp.
+ */
+ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) {
+ uint32_t ts_val = TCP_GET_TSVAL(p);
+
+ // Check whether packets have been received in the correct order (only ever update)
+ if (ssn->client.last_ts < ts_val) {
+ ssn->client.last_ts = ts_val;
+ ssn->client.last_pkt_ts = p->ts.tv_sec;
+ }
+
+ SCLogDebug("ssn %p: Retransmitted SYN. Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt);
+ }
}
/** \todo check if it's correct or set event */
--
2.30.2
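Review bot: the comparison `if (ssn->client.last_ts < ts_val)` in the new branch is not wrap-safe. TCP timestamp values are 32-bit and are compared modulo 2^32 (RFC 7323 PAWS rules), so a SYN retransmitted across a TSval wrap would never refresh `last_ts` and the matching SYN-ACK would still be dropped in StateSynSentValidateTimestamp; unlikely for a SYN retransmitted within seconds, but a signed-difference test such as `if ((int32_t)(ts_val - ssn->client.last_ts) > 0)` keeps the "only ever update forward" intent without that edge case. Two smaller points: the `SCLogDebug(... "Retransmitted SYN. Updated timestamp from packet ...")` call sits outside the inner `if`, so it reports an update even when `last_ts` was not changed, and the visible branch only tests `PKT_IS_TOSERVER(p)` and `TCP_HAS_TS(p)`, so it is worth confirming that the enclosing condition restricts this path to packets with the SYN flag set rather than any to-server packet seen in SYN_SENT. In the description, "tropped" should read "dropped".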


@@ -0,0 +1,13 @@
diff --git a/configure.ac b/configure.ac
index d56d3a550..81abf8f00 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2318,7 +2318,7 @@ fi
AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no")
if test "$HAVE_GETCONF_CMD" != "no"; then
CLS=$(getconf LEVEL1_DCACHE_LINESIZE)
- if [test "$CLS" != "" && test "$CLS" != "0"]; then
+ if [test "$CLS" != "" && test "$CLS" != "0" && test "$CLS" != "undefined"]; then
AC_DEFINE_UNQUOTED([CLS],[${CLS}],[L1 cache line size])
else
AC_DEFINE([CLS],[64],[L1 cache line size])
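Review bot: the added `test "$CLS" != "undefined"` clause only covers the exact string that musl's getconf prints; any other non-numeric output (an error message on stdout, "unknown", a value with trailing text) still reaches `AC_DEFINE_UNQUOTED([CLS],[${CLS}],[L1 cache line size])` and yields a `#define CLS` that breaks the build instead of falling back to 64. A positive check is shorter and covers every case, e.g. `case "$CLS" in ''|0|*[[!0-9]]*) CLS=;; esac` placed before the `if`, so that only a non-empty run of digits is accepted and everything else takes the fallback branch. The doubled brackets are needed because this is configure.ac, where single `[ ]` are m4 quotes (which is also why the existing `if [test "$CLS" != "" && ...]; then` is valid autoconf and not a shell syntax error).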


@@ -0,0 +1,12 @@
diff -Nur a/rules/stream-events.rules b/rules/stream-events.rules
--- a/rules/stream-events.rules 2021-11-17 16:55:12.000000000 +0100
+++ b/rules/stream-events.rules 2021-12-08 18:12:39.850189502 +0100
@@ -89,7 +89,7 @@
# rule to alert if a stream has excessive retransmissions
alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
# Packet on wrong thread. Fires at most once per flow.
-alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
+#alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
# Packet with FIN+SYN set
alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)
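Review bot: commenting out sid 2210059 silences the alert for the `wrong_thread` stream event without any comment in the rules file saying why; a one-line note above the disabled rule (for example that IPFire's af-packet/multi-queue setup is known to spread a flow's packets across workers) would stop the next person refreshing the rules from re-enabling it, and would record whether this is a workaround or an accepted state. Disabling the rule also hides a condition that matters for detection quality rather than fixing it: a flow whose packets land on different worker threads can be reassembled incorrectly and miss content matches. Bug #4838 in the 5.0.9 changelog above (`af-packet: cluster_id is not used when trying to set fanout support`) addresses one cause of exactly that, so it is worth rechecking after this update whether the event still fires and whether the rule still needs to be disabled. Style-wise, this file is a `diff -Nur` with absolute timestamps while the sibling patch is git-format; keeping one format makes the patch directory easier to regenerate.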