Excerpt from changelog:
"6.0.14 -- 2023-09-13
Security #6289: Crash in SMTP parser during parsing of email (6.0.x backport)
Security #6196: process exit in hyperscan error handling (6.0.x backport)
Security #6156: dcerpc: max-tx config parameter, also for UDP (6.0.x backport)
Bug #6285: community-id: Fix IPv6 address sorting not respecting byte order (6.0.x backport)
Bug #6248: Multi-tenancy: crash under test mode when tenant signature load fails (6.0.x backport)
Bug #6245: tcp: RST with data used in reassembly (6.0.x backport)
Bug #6236: if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc (6.0.x backport)
Bug #6228: ips/af-packet: crash when copy-iface is the same as the interface (6.0.x backport)
Bug #6227: windows: lua script path truncated (6.0.x backport)
Bug #6226: Decode-events of IPv6 GRE are not triggered (6.0.x backport)
Bug #6224: base64: complete support for RFC2045 (6.0.x backport)
Bug #6220: Backport tenant_id conversion to uint32_t
Bug #6213: file.magic: rule reload can lead to crashes (6.0.x backport)
Bug #6193: smtp: Attachment not being md5 matched (6.0.x backport)
Bug #6192: smtp: use every byte to compute email.body_md5 (6.0.x backport)
Bug #6182: log-pcap: fix segfault on lz4 compressed pcaps (6.0.x backport)
Bug #6181: eve/alert: deprecated fields can have unexpected side affects (6.0.x backport)
Bug #6174: FTP bounce detection doesn't work for big-endian platforms (6.0.x backport)
Bug #6166: http2: fileinfo events log http2 object instead of http object as alerts and http2 do (6.0.x backport)
Bug #6139: smb: wrong offset when parse SMB_COM_WRITE_ANDX record (6.0.x backport)
Bug #6082: pcap: device reopen broken (6.0.x backport)
Bug #6068: pcap: memory leaks (6.0.x backport)
Bug #6045: detect: multi-tenancy leaks memory if more than 1 tenant registered (6.0.x backport)
Bug #6035: stream.midstream: if enabled breaks exception policy (6.0.x backport)
Bug #5915: rfb: parser returns error on unimplemented record types (6.0.x backport)
Bug #5794: eve: if alert and drop rules match for a packet, "alert.action" is ambigious (6.0.x backport)
Bug #5439: Invalid certificate when Issuer is not present.
Optimization #6229: Performance impact of Cisco Fabricpath (6.0.x backport)
Optimization #6203: detect: modernize filename fileext filemagic (6.0.x backport)
Optimization #6153: suricatasc: Gracefully handle unsupported commands (6.0.x backport)
Feature #6282: dns/eve: add 'HTTPS' type logging (6.0.x backport)
Feature #5935: ips: add 'master switch' to enable dropping on traffic (handling) exceptions (6.0.x backport)
Documentation #6234: userguide: add installation from Ubuntu PPA section (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Excerpt from changelog:
"6.0.13 -- 2023-06-15
Security #6119: datasets: absolute path in rules can overwrite arbitrary files (6.0.x backport)
Bug #6138: Decode-events of IPv6 packets are not triggered (6.0.x backport)
Bug #6136: suricata-update: dump-sample-configs: configuration files not found (6.0.x backport)
Bug #6125: http2: cpu overconsumption in rust moving/memcpy in http2_parse_headers_blocks (6.0.x backport)
Bug #6113: ips: txs still logged for dropped flow (6.0.x backport)
Bug #6056: smtp: long line discard logic should be separate for server and client (6.0.x backport)
Bug #6055: ftp: long line discard logic should be separate for server and client (6.0.x backport)
Bug #5990: smtp: any command post a long command gets skipped (6.0.x backport)
Bug #5982: smtp: Long DATA line post boundary is capped at 4k Bytes (6.0.x backport)
Bug #5809: smb: convert transaction list to vecdeque (6.0.x backport)
Bug #5604: counters: tcp.syn, tcp.synack, tcp.rst depend on flow (6.0.x backport)
Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport)
Task #5984: libhtp 0.5.44 (6.0.x backport)
Documentation #6134: userguide: add instructions/explanation for (not) running suricata with root (6.0.x backport)
Documentation #6121: datasets: 6.0.x work-arounds for dataset supply chain attacks"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog:
"6.0.8 -- 2022-09-27
Task #5552: libhtp 0.5.41
6.0.7 -- 2022-09-27
Security #5430: mqtt: DOS by quadratic with too many transactions in one parse (6.0.x backport)
Bug #5559: BUG_ON triggered from TmThreadsInjectFlowById (6.0.x backport)
Bug #5549: Failed assert DeStateSearchState (6.0.x)
Bug #5548: tcp: assertion failed in DoInsertSegment (BUG_ON) (6.0.x)
Bug #5547: rules: less strict parsing of unexpected flowbit options
Bug #5546: rules: don't error on bad hex in content
Bug #5540: detect: transform strip whitespace creates a 0-sized variable-length array: backport6
Bug #5505: http2: slow http2_frames_get_header_value_vec because of allocation [backport6]
Bug #5471: Reject action is no longer working (6.0.x backport)
Bug #5467: rules: more graceful handling of anomalies for stable versions
Bug #5459: Counters are not initialized in all places. (6.0.x backport)
Bug #5448: nfs: add maximum number of operations per compound (6.0.x backport)
Bug #5436: Infinite loop if the sniffing interface temporarily goes down (6.0.x backports)
Bug #5335: flow: vlan.use-for-tracking is not used for ICMPv4 (6.0.x backport)
Bug #4421: flow manager: using too much CPU during idle (6.0.x backport)
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)
Task #5551: doc: add exception policy documentation (6.0.x)
Task #5533: detect/parse: add tests for parsing signatures with reject and drop action (6.0.x backport)
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)
Task #5381: add `alert-queue-expand-fails` command-line option (6.0.x backport)
Task #5328: python: distutils deprecation warning (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
These rules do not drop anything, but only alert when internal parts of
the engine trigger an event. This will allow us more insight on what is
happening.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
* Enable RDP and SIP parsers.
* Enable new introduced parsers for RFB and DCERPC.
Because HTTP2 support and parser currently is experimental the suricata
developers decided to disable it at default - we keep this default
setting for now.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This config file is mostly based on the example configuration shipped
by the suricata project and needs to be enhanched.
See #11808.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
