From: Andreas Dolp Date: Wed, 10 Dec 2025 19:12:20 +0000 (+0100) Subject: Import suricata_7.0.10-1+deb13u2.debian.tar.xz X-Git-Tag: archive/raspbian/1%7.0.10-1+rpi1+deb13u2^2~18^2 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=ab75135bacef6357dd694b0a2bec0477be7549f9;p=suricata.git Import suricata_7.0.10-1+deb13u2.debian.tar.xz [dgit import tarball suricata 1:7.0.10-1+deb13u2 suricata_7.0.10-1+deb13u2.debian.tar.xz] --- ab75135bacef6357dd694b0a2bec0477be7549f9 diff --git a/building-in-ci.sh b/building-in-ci.sh new file mode 100755 index 00000000..ccf552d0 --- /dev/null +++ b/building-in-ci.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +# this script prints 'true' if any ancestor process name is any of $REGEXPS + +REGEXPS="debci autopkgtest adt" + +set -e + +walk() +{ + pid=$1 + + [ ! -r /proc/$pid/cmdline ] && exit 1 + + name=$(ps -p $pid -o cmd | tail -1) + for exp in $REGEXPS + do + if grep -e $exp <<< $name >/dev/null ; then + echo true + exit + fi + done + + ppid=$(ps -o ppid= $pid | tr -d ' ') + walk $ppid +} + +walk $$ diff --git a/changelog b/changelog new file mode 100644 index 00000000..13814f8a --- /dev/null +++ b/changelog @@ -0,0 +1,1177 @@ +suricata (1:7.0.10-1+deb13u2) trixie; urgency=medium + + * Fix CVE-2025-64344 in 7.0.10. + Cherry-Picked from upstream a7ff4c9ba53009680c7cd128b16c28d0aeda9886. + * Fix CVE-2025-64333 in 7.0.10. + Cherry-Picked from upstream 4b1d284bb57219b6677a8bda5cdc14a24a6aa22d. + * Fix CVE-2025-64332 in 7.0.10. + Cherry-Picked from upstream f67d72702a2601d0a86ac1450686e70d7176f629. + * Fix CVE-2025-64331 in 7.0.10. + Cherry-Picked from upstream 5abf9b81e78476f49ab074f3a74b5840747cd069. + Added missing function declaration and refreshed patch by quilt. + * Fix CVE-2025-64330 in 7.0.10. + Cherry-Picked from upstream 5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc. + + -- Andreas Dolp Wed, 10 Dec 2025 20:12:20 +0100 + +suricata (1:7.0.10-1+deb13u1) trixie; urgency=medium + + * Fix CVE-2025-53538 in 7.0.10. + Cherry-Picked from upstream 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56. + Closes: #1109806 + Reference: #1116945 + * Fix CVE-2025-59147 in 7.0.10. + Cherry-Picked from upstream e91b03c90385db15e21cf1a0e85b921bf92b039e + and slightly modified to fit for Suricata 7.0.10. + Reference: #1119940 + + -- Andreas Dolp Sat, 27 Sep 2025 21:43:45 +0200 + +suricata (1:7.0.10-1) unstable; urgency=medium + + * New upstream release. + + -- Sascha Steinbiss Wed, 26 Mar 2025 09:28:20 +0100 + +suricata (1:7.0.9-1) unstable; urgency=medium + + * New upstream release. + * Bump versioned libhtp dependency to 0.5.50 or later. + + -- Sascha Steinbiss Tue, 18 Mar 2025 18:15:01 +0100 + +suricata (1:7.0.8-2) unstable; urgency=medium + + * Drop dpkg depencency from Pre-Depends. + Thanks to Guillem Jover for noticing this. + Closes: #1100109 + * Use dpkg-query instead of apt-cache in debian/rules. + Thanks to Jochen Sprickerhof for pointing this out. + Closes: #1100051 + + -- Sascha Steinbiss Sat, 15 Mar 2025 14:37:24 +0100 + +suricata (1:7.0.8-1) unstable; urgency=medium + + * New upstream release. + + -- Sascha Steinbiss Fri, 13 Dec 2024 09:29:46 +0100 + +suricata (1:7.0.7-1) unstable; urgency=medium + + * New upstream release. + * Bump versioned libhtp dependency to 0.5.49 or later. + + -- Sascha Steinbiss Mon, 14 Oct 2024 10:48:09 +0200 + +suricata (1:7.0.6-1) unstable; urgency=medium + + * New upstream release. + * Re-enable tests. + * Bump copyright date for debian/ directory. + + -- Sascha Steinbiss Thu, 27 Jun 2024 14:29:40 +0200 + +suricata (1:7.0.5-2) unstable; urgency=medium + + * Disable tests that need builds for now. + Meant to remove one of the roadblocks towards testing migration. + + -- Sascha Steinbiss Wed, 24 Apr 2024 23:01:32 +0200 + +suricata (1:7.0.5-1) unstable; urgency=medium + + * New upstream release. + * Bump versioned libhtp dependency to 0.5.48 or later. + * Remove (probably buggy) Rust constraint from d/rules. + + -- Sascha Steinbiss Tue, 23 Apr 2024 15:12:33 +0200 + +suricata (1:7.0.4-1) unstable; urgency=medium + + * New upstream release. + * Bump versioned libhtp dependency to 0.5.47 or later. + + -- Sascha Steinbiss Wed, 20 Mar 2024 13:41:22 +0100 + +suricata (1:7.0.3-1) unstable; urgency=medium + + * New upstream release. + + -- Sascha Steinbiss Thu, 08 Feb 2024 23:22:40 +0100 + +suricata (1:7.0.2-2) unstable; urgency=medium + + * Enable DPDK feature and add dependencies on archs that support it. + Closes: #1061762 + + -- Sascha Steinbiss Fri, 02 Feb 2024 20:35:20 +0100 + +suricata (1:7.0.2-1) unstable; urgency=medium + + * New upstream release. + + -- Sascha Steinbiss Thu, 19 Oct 2023 19:30:48 +0200 + +suricata (1:7.0.1-1) unstable; urgency=medium + + * New upstream release. + + -- Sascha Steinbiss Fri, 15 Sep 2023 21:18:47 +0200 + +suricata (1:7.0.0-2) unstable; urgency=medium + + * Fix FTBFS on armel and mipsel by fixing -latomic addition in LDFLAGS. + + -- Sascha Steinbiss Thu, 20 Jul 2023 11:03:07 +0200 + +suricata (1:7.0.0-1) unstable; urgency=medium + + * New upstream release. + * Drop Arturo Borrero Gonzalez from Uploaders at his request. + * Use new project website at suricata.io. + * Remove patches applied upstream. + * Change PCRE lib dependency to libpcre2. + * Bump versioned libhtp dependency to 0.5.45 or later. + * Bump versioned Rust dependency to 1.61 or later. + * Bump watchfile to version 4. + * Remove obsolete dependency on lsb-base. + * Remove obsolete entries in d/copyright. + * Remove versions in Conflicts/Replaces. + * Remove obsolete dh_strip override. + * Bump d/copyright dates. + * Update/fix Lintian overrides regarding eBPF file distribution. + + -- Sascha Steinbiss Wed, 19 Jul 2023 10:14:37 +0200 + +suricata (1:6.0.13-1) unstable; urgency=medium + + * New upstream release. + * Raise libhtp minimum dependency version to 0.5.44. + * Bump Standards-Version. + + -- Sascha Steinbiss Thu, 15 Jun 2023 23:45:03 +0200 + +suricata (1:6.0.12-1) unstable; urgency=medium + + * New upstream release. + + -- Sascha Steinbiss Tue, 09 May 2023 15:58:02 +0200 + +suricata (1:6.0.11-1) unstable; urgency=medium + + * New upstream release. + * Raise libhtp minimum dependency version to 0.5.43. + + -- Sascha Steinbiss Thu, 13 Apr 2023 23:53:02 +0200 + +suricata (1:6.0.10-1) unstable; urgency=medium + + * New upstream release. + * Drop patch applied upstream. + + -- Sascha Steinbiss Tue, 31 Jan 2023 14:34:17 +0100 + +suricata (1:6.0.9-1) unstable; urgency=medium + + * New upstream release. + * Use manpages built from source instead of outdated bundled ones. + + -- Sascha Steinbiss Tue, 29 Nov 2022 11:19:06 +0100 + +suricata (1:6.0.8-1) unstable; urgency=medium + + * New upstream release. + * Raise libhtp minimum dependency version to 0.5.41. + * Remove obsolete patch since Python scripts are installed differently + via upstream now. + * Add upstream metadata. + + -- Sascha Steinbiss Tue, 27 Sep 2022 23:24:59 +0200 + +suricata (1:6.0.6-2) unstable; urgency=medium + + * Add patch to not use deprecated libbpf API. This prepares Suricata to be + ready for libbpf 1.0 when it hits unstable. + Closes: #1018914 + * Raise libbpf dependency version requirement to 0.7. + * Refresh other patches. + + -- Sascha Steinbiss Wed, 21 Sep 2022 18:39:53 +0200 + +suricata (1:6.0.6-1) unstable; urgency=medium + + * New upstream release. + * Drop patch applied upstream: bigendian-cidr.patch + + -- Sascha Steinbiss Tue, 12 Jul 2022 16:57:16 +0200 + +suricata (1:6.0.5-3) unstable; urgency=medium + + * Add patch to handle undefined LEVEL1_DCACHE_LINESIZE. + + -- Sascha Steinbiss Wed, 01 Jun 2022 11:33:06 +0200 + +suricata (1:6.0.5-2) unstable; urgency=medium + + * Introduce patch to fix segfaulting autopkgtests on s390x. + + -- Sascha Steinbiss Thu, 28 Apr 2022 08:51:06 +0200 + +suricata (1:6.0.5-1) unstable; urgency=medium + + * New upstream release. + * Raise libhtp minimum dependency version to 0.5.40. + + -- Sascha Steinbiss Thu, 21 Apr 2022 19:53:32 +0200 + +suricata (1:6.0.4-3) unstable; urgency=medium + + * Remove suricata-oinkmaster binary package. + + -- Sascha Steinbiss Tue, 14 Dec 2021 15:24:47 +0100 + +suricata (1:6.0.4-2) unstable; urgency=medium + + * Raise libhtp minimum dependency version to 0.5.39. + + -- Sascha Steinbiss Thu, 18 Nov 2021 22:57:47 +0100 + +suricata (1:6.0.4-1) unstable; urgency=medium + + * New upstream release. + + -- Sascha Steinbiss Thu, 18 Nov 2021 22:00:08 +0100 + +suricata (1:6.0.3-2) unstable; urgency=medium + + * Use 'command -v' instead of 'which' in suricata-oinkmaster cron file. + This avoids a runtime deprecation warning on recent versions, and fixes + piuparts cron job tests. + + -- Sascha Steinbiss Mon, 30 Aug 2021 20:56:18 +0200 + +suricata (1:6.0.3-1) unstable; urgency=medium + + * Upload to unstable post-release. + * Remove patch applied upstream. + + -- Sascha Steinbiss Wed, 18 Aug 2021 16:33:31 +0200 + +suricata (1:6.0.3-1~exp2) experimental; urgency=medium + + * Also use libatomic workaround on powerpc. + + -- Sascha Steinbiss Thu, 01 Jul 2021 19:44:53 +0200 + +suricata (1:6.0.3-1~exp1) experimental; urgency=medium + + * New upstream release. + * Bump Standards-Version. + * Add Rules-Requires-Root: no. + * Raise libhtp minimum version B-D to 0.5.38. + + -- Sascha Steinbiss Wed, 30 Jun 2021 23:51:24 +0200 + +suricata (1:6.0.2-1~exp1) experimental; urgency=medium + + * Fix conditional variable use in d/rules. + * New upstream release. + * Use libhtp 0.5.37. + + -- Sascha Steinbiss Fri, 11 Dec 2020 09:45:02 +0100 + +suricata (1:6.0.1-3) unstable; urgency=medium + + * Address CVE-2021-35063 by backporting upstream fix. + Closes: #990835 + + -- Sascha Steinbiss Mon, 19 Jul 2021 13:26:22 +0200 + +suricata (1:6.0.1-2) unstable; urgency=medium + + * Also specify explicit separate '-latomic' reference on mipsel. + This addresses a remaining FTBFS there. + + -- Sascha Steinbiss Fri, 11 Dec 2020 09:35:57 +0100 + +suricata (1:6.0.1-1) unstable; urgency=medium + + * New upstream release. + * Disable Prelude support. + This is broken upstream, see https://redmine.openinfosecfoundation.org/issues/4065 + * Bump libhtp dependency to 0.5.36. + * Disable suricata-update, as it is a separate package in Debian. + * Add patches to fix builds with new Autoconf scripts. + * Use debhelper 13. + * Include upstream's man pages. + * Add workaround for missing '-latomic' symbols on armel. + + -- Sascha Steinbiss Thu, 08 Oct 2020 22:23:17 +0200 + +suricata (1:5.0.3-1) unstable; urgency=medium + + * New upstream release. + * Use /run instead of /var/run for pidfiles. Thanks to Michael Berg for the + patch. + Closes: #954435 + * Bump libhtp dependency to 0.5.33. + * Remove nonexistent Files entries in d/copyright. + * Use correct DEB_LDFLAGS_MAINT_APPEND in d/rules.. + + -- Sascha Steinbiss Wed, 29 Apr 2020 09:34:49 +0200 + +suricata (1:5.0.2-3) unstable; urgency=medium + + * Source upload to enable testing migration. + * Bump Standards-Version. + + -- Sascha Steinbiss Sat, 22 Feb 2020 12:47:50 +0100 + +suricata (1:5.0.2-2) unstable; urgency=medium + + * Add --allow-multiple-definition linker flag to work around FTBFS on armel. + Closes: #951765 + + -- Sascha Steinbiss Sat, 22 Feb 2020 12:23:52 +0100 + +suricata (1:5.0.2-1) unstable; urgency=medium + + * New upstream release. + Closes: #951654 + * Add patch from upstream to build without needing if_tunnel.h. + This avoids a potentially foreign arch build-dep for eBPF builds. + Thanks to Eric Leblond. + * Drop patches applied upstream. + * Use debhelper-compat. + * Mark autopkgtests requiring a control socket as potentially flaky. + We cannot always predict the timing on all archs and do not want to + use them for CI gating. + Closes: #951721 + * Bring d/copyright up to date with current code base. + + -- Sascha Steinbiss Thu, 20 Feb 2020 14:55:23 +0100 + +suricata (1:4.1.5-2) unstable; urgency=medium + + * Add versioned Depends on at least libhtp version used for building. + + -- Sascha Steinbiss Wed, 09 Oct 2019 13:13:40 +0200 + +suricata (1:4.1.5-1) unstable; urgency=medium + + * New upstream release. + + -- Sascha Steinbiss Wed, 25 Sep 2019 10:24:50 +0200 + +suricata (1:4.1.4-7) unstable; urgency=medium + + * Prevent file clash with other packages writing into the Python3 + module root directory (suricata/__init__.py). + * Add patch to make suricatactl Python3-compatible. + + -- Sascha Steinbiss Wed, 18 Sep 2019 20:55:51 +0200 + +suricata (1:4.1.4-6) unstable; urgency=medium + + * Make Python components use Python3. + Closes: #938603 + + -- Sascha Steinbiss Sat, 07 Sep 2019 17:47:44 +0200 + +suricata (1:4.1.4-5) unstable; urgency=medium + + * Add patch to fix FTBFS on recent kernels. Thanks to Aurelien Jarno for + pointing this out. + Closes: #934316 + + -- Sascha Steinbiss Mon, 12 Aug 2019 12:48:29 +0200 + +suricata (1:4.1.4-4) unstable; urgency=medium + + [ Hilko Bengen ] + * Patch: add --with-ebpf-includes, point to proper include directory for + kernel headers, fixing FTBFS on i386 + + [ Sascha Steinbiss ] + * Only build eBPF programs on archs with available dependencies. + + -- Sascha Steinbiss Wed, 24 Jul 2019 10:34:25 +0200 + +suricata (1:4.1.4-3) unstable; urgency=medium + + * Fix cross building by including patch that addresses abuse of + AC_CHECK_FILE. Thanks to Helmut Grohne for the patch. + Closes: #923174 + * Enable building with eBPF support. + Thanks to Hilko Bengen for the patch. + Closes: #917816 + * Create temporary CARGO_HOME to allow building with new cargo + versions when $HOME is nonexistent. + * Make autopkgtest more robust when external resources are unavailable. + Closes: #932463 + * Bump debhelper and compat to 12. + * Add Pre-Depends by Lintian's suggestion. + + -- Sascha Steinbiss Tue, 09 Jul 2019 16:47:49 +0200 + +suricata (1:4.1.4-2) unstable; urgency=medium + + * Do not install suricata-update, recommend external pkg instead. + Closes: #924096 + + -- Sascha Steinbiss Thu, 02 May 2019 17:15:48 +0200 + +suricata (1:4.1.4-1) unstable; urgency=medium + + * New upstream version 4.1.4 + - Bugs and security fixes + * Refreshed quilt patches + + -- Pierre Chifflier Wed, 01 May 2019 11:44:13 +0200 + +suricata (1:4.1.3-1) unstable; urgency=medium + + * New upstream version 4.1.3 + * Refreshed quilt patches + + -- Pierre Chifflier Fri, 08 Mar 2019 10:24:43 +0100 + +suricata (1:4.1.2-2) unstable; urgency=medium + + * Upload to unstable. + + -- Sascha Steinbiss Wed, 09 Jan 2019 12:53:47 +0100 + +suricata (1:4.1.2-1) experimental; urgency=medium + + * New upstream release. + * Add myself to uploaders. + * Do not remove Rust vendor directory on distclean (Closes: #915154) + + -- Sascha Steinbiss Sun, 23 Dec 2018 10:48:27 +0000 + +suricata (1:4.1.0-2) experimental; urgency=medium + + * Disable Rust on armel for now (FTBFS) + * Add liblz4-dev to build-deps to enable pcap compression + * Update build-dependency on python:any to fix FTCBFS (Closes: #909606) + + -- Pierre Chifflier Mon, 26 Nov 2018 11:07:08 +0100 + +suricata (1:4.1.0-1) experimental; urgency=medium + + [ Arturo Borrero Gonzalez ] + * libhtp: bump soname to libhtp-0.5.24-1 + + [ Pierre Chifflier ] + * New upstream version 1:4.1.0 + * Refreshed quilt patches + * Update python code directory + * Enable rust support (i386 and amd64 only for now) + * Also enable Rust on ARM architectures + + -- Pierre Chifflier Thu, 15 Nov 2018 13:29:23 -0800 + +suricata (1:4.0.6-1) unstable; urgency=medium + + * New upstream version 1:4.0.6 + + -- Pierre Chifflier Mon, 12 Nov 2018 09:19:39 +0100 + +suricata (1:4.0.5-1) unstable; urgency=medium + + [ Sascha Steinbiss ] + * Add patches to help with cross-compiling. Thanks to Helmut Grohne + for the patch. + Closes: #895996 + * Add patches to fix building on ia64. + Thanks to Jason Duerstock and Adrian Bunk for the patches. + Closes: #890432 + * Fix spelling in debian/patches/reproducible.patch. + * Remove obsolete X-Python-Version hint. + * Use updated watchfile source URL with https support. + * Remove obsolete --parallel dh parameter. + * Use canonical Salsa Vcs-Git URL. + + [ Pierre Chifflier ] + * New upstream version 1:4.0.5 + + -- Pierre Chifflier Wed, 18 Jul 2018 17:14:02 +0200 + +suricata (1:4.0.4-1) unstable; urgency=medium + + * [3f18cd8] d/control: refresh git URLs + * [17da106] New upstream version 4.0.4 (Closes: #889842) fixes CVE-2018-6794 + * [00fcf17] d/compat: bump debhelper compat level to 11 + * [45dc0db] d/control: bump std-version to 4.1.3 + + -- Arturo Borrero Gonzalez Wed, 14 Feb 2018 11:33:33 +0100 + +suricata (1:4.0.3-1) unstable; urgency=medium + + [ Sascha Steinbiss ] + * [aece4d6] New upstream version 4.0.3 + * [c23b64f] refresh patches + + [ Arturo Borrero Gonzalez ] + * [7f077ca] d/control: bump std-version to 4.1.2 + + -- Arturo Borrero Gonzalez Wed, 13 Dec 2017 11:42:18 +0100 + +suricata (1:4.0.1-2) unstable; urgency=medium + + * [d9998f8] suricata-oinkmaster.conf: update ETOPEN ruleset for suricata 4.0.0 + (Closes: #882442) + * [0beae03] suricata-oinkmaster-updater.8: fix typos + * [6e7ae75] d/: get rid of dh --with autotools-dev + + -- Arturo Borrero Gonzalez Thu, 23 Nov 2017 13:41:09 +0100 + +suricata (1:4.0.1-1) unstable; urgency=medium + + * [72d28e5] d/control: upgrade std-version to 4.1.0 + * [ea1e317] d/control: upgrade std-version to 4.1.1 + * [14fea39] d/: switch to debhelper compat 10 + * [a4715b8] New upstream version 4.0.1 + + -- Arturo Borrero Gonzalez Sat, 21 Oct 2017 12:09:27 +0200 + +suricata (1:4.0.0-5) unstable; urgency=medium + + * [392c5b2] d/t/control: allow-stderr for the internal unittest test + + -- Arturo Borrero Gonzalez Wed, 20 Sep 2017 20:27:12 +0200 + +suricata (1:4.0.0-4) unstable; urgency=medium + + * [93ee9030] d/control: enable libluajit-5.1-dev build-dep on mipsel + (Closes: #873832) + * [9527fe94] d/t/control: run suricata -u from the source tree + + -- Arturo Borrero Gonzalez Fri, 08 Sep 2017 06:06:47 +0200 + +suricata (1:4.0.0-3) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * [aa53ce82] suricata-oinkmaster-updater.8: fix typo + * [2d171d5a] suricata-oinkmaster-updater.8: clarify paragraph + * [90c76777] d/rules: disable dh_auto_test + * [5b311761] suricata: switch to use dbgsym package + * [9b12c48d] d/control: bump std-versions to 4.0.1 + + [ Sascha Steinbiss ] + * [c353985a] enable libevent support (Closes: #872908) + * [49ff3181] enable luajit on mipsel (Closes: #858545) + + [ Arturo Borrero Gonzalez ] + * [50ab7eae] suricata.service: update online docs link + * [5098fd7b] d/control: add dh-python to build-deps + * [f070d160] d/watch: implement signature verification + + -- Arturo Borrero Gonzalez Tue, 29 Aug 2017 23:22:48 +0200 + +suricata (1:4.0.0-2) unstable; urgency=medium + + * [449b4202] d/t/control: running suricata unittest requires + geoip-database installed + * [0bd02487] d/building-in-ci.sh: be more robust + * [edd49e4a] d/watch: more robust approach for upstream tarball generation + + -- Arturo Borrero Gonzalez Tue, 15 Aug 2017 13:45:45 +0200 + +suricata (1:4.0.0-1) unstable; urgency=medium + + * [636f10f] d/rules: actually use dh-systemd (Closes: #861732) + * [c728ed0] d/rules: cleanup comments + * [f0d9adb] suricata: switch to src:libhtp instead of the bundled one + * [fa5f8be] New upstream version 4.0.0-rc1 + * [fac7566] suricata: remove Build-Conflict with libhtp-dev + * [1bce782] suricata: explicit build-dep on new src:libhtp + * [f3aec1c] d/suricata.preinst: use strict mode (Closes: #866280) + * [c831659] suricata: support for internal unittest in autopktest + * [557ded7] New upstream version 4.0.0 + * [5d41b6c] d/t/control: the internal suricata unittest is a command test + * [7f4feaa] d/changelog: add missing entry for 4.0.0-beta1-1~exp1 + + -- Arturo Borrero Gonzalez Fri, 28 Jul 2017 05:29:48 +0200 + +suricata (4.0.0-beta1-1~exp1) unstable; urgency=medium + + * [c21347df] New upstream version 4.0.0-beta1 + * [5661b3cc] libhtp: bump soname to libhtp-0.5.24-1 + + -- Arturo Borrero Gonzalez Fri, 09 Jun 2017 20:52:10 +0200 + +suricata (3.2.1-1) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * Rebuild for unstable from 3.2.1-1~exp2 (experimental). + + [ Sascha Steinbiss ] + * [d0c3629] detect valid interface in autopkgtest + * [2d3ae00] fix typo in service file + + -- Arturo Borrero Gonzalez Thu, 16 Mar 2017 09:04:03 +0100 + +suricata (3.2.1-1~exp2) experimental; urgency=medium + + [ Sascha Steinbiss ] + * [ced48e4] suricata: migrate from old split binary scheme (Closes: #855573) + + -- Arturo Borrero Gonzalez Mon, 20 Feb 2017 13:29:37 +0100 + +suricata (3.2.1-1~exp1) experimental; urgency=medium + + * [67004c8] New upstream version 3.2.1 + * [05b1756] d/control: bump dependency on libhyperscan + * [4483d1c] suricata: drop suricata-hyperscan binary package (Closes: #851647) + + -- Arturo Borrero Gonzalez Wed, 15 Feb 2017 20:54:17 +0100 + +suricata (3.2-2) unstable; urgency=medium + + * Rebuild for unstable. + + -- Arturo Borrero Gonzalez Tue, 10 Jan 2017 09:27:59 +0100 + +suricata (3.2-2~exp1) experimental; urgency=medium + + [ Sascha Steinbiss ] + * [8c7704d] suricata: add hyperscan support (Closes: #846143) + + [ Arturo Borrero Gonzalez ] + * [209d2cf] suricata: add remaining hyperscan support + + [ Sascha Steinbiss ] + * [ec9b28a] set +x bit on d/suricata-hyperscan.install + + -- Arturo Borrero Gonzalez Thu, 22 Dec 2016 09:01:29 +0100 + +suricata (3.2-1) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * [04f5cc3] d/control: update suricata homepage to suricata-ids.org + (Closes: #844603) + + [ Sascha Steinbiss ] + * [b1cd09c] d/t/control: add some time to settle in autopkgtest + + [ Arturo Borrero Gonzalez ] + * [dde83f1] New upstream version 3.2 + * [c55dda2] d/patches/debian-default-cfg.patch: refresh patch + + -- Arturo Borrero Gonzalez Thu, 01 Dec 2016 16:22:50 +0100 + +suricata (3.1.3-3) unstable; urgency=medium + + * [e7a248d] d/tests/control: allow-stderr in the suricata-oinkmaster-updater + command + * [2caf89b] d/control: make libhtp packages Multi-Arch: same + * [825cef4] d/libhtp-0.5.23-1.lintian-overrides: generalize override + + -- Arturo Borrero Gonzalez Thu, 10 Nov 2016 09:42:29 +0100 + +suricata (3.1.3-2) unstable; urgency=medium + + * [5c395f9] d/tests/control: rearange suricatasc command tests + * [789723b] d/tests/control: fix typo in test command 'suricatas' + * [353e030] d/changelog: clean word with typo from the changelog + * [b4cf113] d/: add libhtp-0.5.23-1.lintian-overrides + + -- Arturo Borrero Gonzalez Wed, 09 Nov 2016 13:44:17 +0100 + +suricata (3.1.3-1) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * [165d14e] suricata-oinkmaster: move the update script to /usr/sbin + (Closes: #838129) + * [2e21734] d/tests/control: add a basic test for suricata-oinkmaster-updater + * [be640f3] suricata: split libhtp to separate binary packages + * [c41567a] suricata-oinkmaster: add manpage for suricata-oinkmaster-updater + * [b5b6483] d/copyright: refresh file + * [2be2225] d/control: add references to IPS and firewall + * [bd6a9ed] d/: add symbols file for libhtp + * [f61be7d] suricata-oinkmaster-updater.8: fix typo + * [ead4a84] d/: update email address to 'arturo@debian.org' + * [36d9b9d] d/: refresh date of manpages + + [ Sascha Steinbiss ] + * [da1c3c6] d/suricata.logrotate: use 'copytruncate' instead of 'create' + + [ Arturo Borrero Gonzalez ] + * [cd9d5d4] New upstream version 3.1.3 + * [f32a582] libhtp: symbols: refresh file + * [1e3edb0] libhtp: bump soname + * [d46497e] d/control: suricata depends on lsb-base + * [08a6195] d/copyright: refresh copyright owner for some libhtp files + + -- Arturo Borrero Gonzalez Tue, 08 Nov 2016 08:51:58 +0100 + +suricata (3.1.2-2) unstable; urgency=medium + + * [482c6f6] d/tests/control: allow-stderr for systemd-service-test.sh + * [a4eff10] d/tests/control: add tests for suricatasc + * [892096c] d/suricata.8: fix typo 'inet' vs 'init' + + -- Arturo Borrero Gonzalez Thu, 08 Sep 2016 12:46:44 +0200 + +suricata (3.1.2-1) unstable; urgency=medium + + * [4e0605d] Revert "suricata: drop support for sysvinit" + * [f5abe38] d/patches: add reproducible.patch. + Thanks to Christoph Berg for the pointers. + * [6569809] New upstream version 3.1.2 + * [5fea3a6] d/suricata.service: include Restart=on-failure + * [d1a973d] d/suricata.service: add ProtectSystem=full and ProtectHome=true + * [8e1cddd] d/tests/systemd-service-test.sh: don't test the reload operation by now + * [87c00b1] d/suricata.maintscript: factorize renaming of old config file + (Closes: #835643) + * [55c7a32] d/oinkmaster/suricata-oinkmaster-updater: drop warnings + * [7651669] d/oinkmaster/suricata-oinkmaster-updater: cleanup file + + -- Arturo Borrero Gonzalez Wed, 07 Sep 2016 13:25:13 +0200 + +suricata (3.1.1-4) unstable; urgency=medium + + * [c9b6efd] d/tests/: add new systemd-service-test.sh test + * [848a40f] d/README.Debian: this is not a beta release + * [0afb007] d/README.Debian: update file with systemd information + * [234ec55] d/suricata.8: update manpage + * [ebd6a8a] suricata: drop support for sysvinit + * [d8fae07] d/suricata.service: get rid of environment variables + * [5fe5359] d/suricata.service: use suricatasc for stop and reload + * [2ffd606] d/tests/systemd-service-test.sh: add tests for daemon reload + * [5196c36] d/suricata.service: require network-online.target (Closes: + #835168) + + -- Arturo Borrero Gonzalez Thu, 25 Aug 2016 14:14:20 +0200 + +suricata (3.1.1-3) unstable; urgency=medium + + * [22d26a5] suricata-oinkmaster-updater: prevent bogus if evaluation + * [4805c7a] suricata-oinkmaster-updater: dont exit with error if missing + requirements (Closes: #834029) + + -- Arturo Borrero Gonzalez Tue, 16 Aug 2016 13:53:12 +0200 + +suricata (3.1.1-2) unstable; urgency=medium + + * [833f1c5] d/: add new binary package suricata-oinkmaster + * [6155001] d/suricata.service: remove duplicated -D switch in + ExecStart= + * [6ebbd82] d/patches: add debian-default-cfg.patch [enable unix socket + by default] + * [2286eb4] d/suricatasc.1: update manpage + + -- Arturo Borrero Gonzalez Thu, 28 Jul 2016 13:21:30 +0200 + +suricata (3.1.1-1) unstable; urgency=medium + + * [cafb099] d/suricata: rename suricata main conffile to + /etc/suricata/suricata.yaml + * [445c957] suricata: add systemd service file + * [94b93bf] Imported Upstream version 3.1.1 + + -- Arturo Borrero Gonzalez Mon, 25 Jul 2016 11:12:03 +0200 + +suricata (3.1-1) unstable; urgency=medium + + * [d2cce67] d/control: add Vcs-Browser and Vcs-Git information + * [8bb2030] Imported Upstream version 3.1 + + -- Arturo Borrero Gonzalez Tue, 21 Jun 2016 11:00:55 +0200 + +suricata (3.0.1-2) unstable; urgency=medium + + * [178f3cf] suricata: add libgeoip support + * [c8a0a0a] d/control: bump std-version to 3.9.8 + * [523203d] d/control: wrap-and-sort + * [e5abae9] suricata: add hiredis support + * [9ec82b8] d/control: get rid of XS-Testsuite directive + + -- Arturo Borrero Gonzalez Mon, 23 May 2016 11:39:40 +0200 + +suricata (3.0.1-1) unstable; urgency=medium + + * Imported Upstream version 3.0.1 + * Bump Standards Version to 3.9.7 + + -- Pierre Chifflier Fri, 08 Apr 2016 10:58:35 +0200 + +suricata (3.0-1) unstable; urgency=medium + + * Imported Upstream version 3.0 + + -- Pierre Chifflier Thu, 28 Jan 2016 06:02:41 +0100 + +suricata (2.0.11-1) unstable; urgency=medium + + * Imported Upstream version 2.0.11 + + -- Pierre Chifflier Thu, 07 Jan 2016 10:17:16 +0100 + +suricata (2.0.10-2) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * d/copyright: update file to follow Debian Policy 3.9.6.1 + * d/control: bump standards to 3.9.6 + * suricata: add nflog support (Closes: #775074) + * d/: wrap-and-sort + * d/control: architecture is linux-any + * d/rules: don't include upstream install documentation + * d/tests: add first basic test + * d/control: add missing Testsuite declaration + * suritaca: add package suricata-dbg (Closes: #753438) + * suricata sysvinit: fix libtcmalloc-minimal integration (Closes: #725249) + * d/suricata.init: cleanup file + * suricatasc: add manpage + + [ Pierre Chifflier ] + * Merge unstable-next branch + * Fix dependencies and priority for -dbg package + * Install manpage for suricatasc + + -- Pierre Chifflier Tue, 05 Jan 2016 21:02:40 +0100 + +suricata (2.0.10-1) unstable; urgency=medium + + * Imported Upstream version 2.0.10 + + -- Pierre Chifflier Thu, 26 Nov 2015 10:35:53 +0100 + +suricata (2.0.9-1) unstable; urgency=medium + + * Imported Upstream version 2.0.9 + * Update watch file + + -- Pierre Chifflier Fri, 25 Sep 2015 19:19:53 +0200 + +suricata (2.0.8-1) unstable; urgency=high + + [ Arturo Borrero Gonzalez ] + * d/suricata.logrotate: add logrotate configuration (Closes: #767249) + * d/patches: patch suricatasc to prevent depends on python-symplejson + (Closes: #759475) + * Revert "d/patches: patch suricatasc to prevent depends on python-symplejson" + + [ Pierre Chifflier ] + * Imported Upstream version 2.0.8 + * Bump Standards Version to 3.9.6 + Fixes CVE-2015-0971 (Integer overflow in the DER parser) + + -- Pierre Chifflier Thu, 07 May 2015 11:03:19 +0200 + +suricata (2.0.7-2) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * d/suricata.init: fix proc nfqueue file checking (Closes: #725301) + + [ Pierre Chifflier ] + * Check for both proc entries for nfqueue (backwards compatibility) and + issue warning only + + -- Pierre Chifflier Sun, 15 Mar 2015 11:17:27 +0100 + +suricata (2.0.7-1) unstable; urgency=medium + + [ Pierre Chifflier ] + * Imported Upstream version 2.0.7 + * Fix problems with upstream version import + + -- Pierre Chifflier Thu, 12 Mar 2015 07:06:49 +0100 + +suricata (2.0.6-3) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * suricata: don't deploy .so links + + [ Pierre Chifflier ] + * Add missing installation files (Closes: #778724) + * Fix .so symlinks removal + * Update default-rules-path + + -- Pierre Chifflier Thu, 19 Feb 2015 11:55:05 +0100 + +suricata (2.0.6-2) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * d/patches: drop 10-fix-missing-script-autoreconf.patch (Closes: #778670) + * d/rules: prevent not .so libhtp files from entering binary suricata package + + [ Pierre Chifflier ] + * Add conflicts/replaces fields for transition from libhtp (Closes: #778668) + + -- Pierre Chifflier Wed, 18 Feb 2015 11:19:31 +0100 + +suricata (2.0.6-1) unstable; urgency=medium + + [ Pierre Chifflier ] + * Imported Upstream version 2.0.6 + * Add Arturo to uploaders + + [ Arturo Borrero Gonzalez ] + * suricata: use embedded copy of libhtp (Closes: #772551) + + -- Pierre Chifflier Tue, 17 Feb 2015 11:31:22 +0100 + +suricata (2.0.4-1) unstable; urgency=high + + * Imported Upstream version 2.0.4 + * Security: fix out-of-bounds access in SSH parser (Closes: #762828) + * Urgency high, CVE-2014-6603 + Stable and Oldstable versions are not affected. + + -- Pierre Chifflier Fri, 10 Oct 2014 13:19:59 +0200 + +suricata (2.0.3-1) unstable; urgency=medium + + * Imported Upstream version 2.0.3 + + -- Pierre Chifflier Wed, 20 Aug 2014 15:06:21 +0200 + +suricata (2.0.2-1) unstable; urgency=medium + + * Imported Upstream version 2.0.2 + + -- Pierre Chifflier Sun, 29 Jun 2014 18:27:56 +0200 + +suricata (2.0-1) unstable; urgency=medium + + * Imported Upstream version 2.0 + * Update build, require a recent libhtp, and disable coccinelle tests. + * Upload to unstable + + -- Pierre Chifflier Wed, 02 Apr 2014 20:23:10 +0200 + +suricata (1.4.7-1) unstable; urgency=low + + * Imported Upstream version 1.4.7 + * Bump Standards Version to 3.9.5 + * Run autoreconf during build to fix some errors caused by different + autotools versions + + -- Pierre Chifflier Sun, 29 Dec 2013 11:29:57 +0100 + +suricata (1.4.6-1) unstable; urgency=low + + * Imported Upstream version 1.4.6 + + -- Pierre Chifflier Sun, 06 Oct 2013 18:52:34 +0200 + +suricata (1.4.5-1) unstable; urgency=low + + * Imported Upstream version 1.4.5 + * Prepare transition for suricata 2.0 by conflicting with libhtp >= 0.5 + + -- Pierre Chifflier Tue, 20 Aug 2013 16:44:45 +0200 + +suricata (1.4.3-1) unstable; urgency=low + + * Imported Upstream version 1.4.3 + + -- Pierre Chifflier Thu, 04 Jul 2013 11:50:13 +0200 + +suricata (1.4.2-1) unstable; urgency=low + + * Imported Upstream version 1.4.2 + + -- Pierre Chifflier Wed, 29 May 2013 16:24:52 +0200 + +suricata (1.4.1-1) unstable; urgency=low + + * Imported Upstream version 1.4.1 + * Install python control script (add dependency on python, and use + dh_python2 for build) + * Bump Standards Version to 3.9.4 + * Fix removal of pid file in init script (Closes: #700547) + Thanks to Игорь Козинов . + * Add support for af-packet mode in init script (Closes: #697928). + Thanks to Jamie Strandboge . + + -- Pierre Chifflier Tue, 21 May 2013 12:42:45 +0200 + +suricata (1.4-3) unstable; urgency=low + + * Add configure flag for luajit only on supported architectures + + -- Pierre Chifflier Sat, 22 Dec 2012 16:38:41 +0100 + +suricata (1.4-2) unstable; urgency=low + + * Fix error in init script, stop trying to manage suricata pid file + * Use arch-specific build dependencies for libluajit-5.1-dev, it is not + available on all architectures + + -- Pierre Chifflier Sat, 22 Dec 2012 15:39:57 +0100 + +suricata (1.4-1) unstable; urgency=low + + * Imported Upstream version 1.4 + * Enable Jansson and LuaJIT support, and add libjansson-dev libluajit-5.1-dev + to build-deps + * Add python to recommends, for the suricatasc script + * Create /var/run/suricata directory when starting daemon + + -- Pierre Chifflier Fri, 14 Dec 2012 00:02:51 +0100 + +suricata (1.3.5-1) unstable; urgency=low + + * Imported Upstream version 1.3.5 + + -- Pierre Chifflier Thu, 06 Dec 2012 21:13:56 +0100 + +suricata (1.3.4-1) unstable; urgency=low + + * Imported Upstream version 1.3.4 + + -- Pierre Chifflier Sat, 17 Nov 2012 09:56:08 +0100 + +suricata (1.3.3-1) unstable; urgency=low + + * Imported Upstream version 1.3.3 + + -- Pierre Chifflier Sat, 03 Nov 2012 09:38:36 +0100 + +suricata (1.3.2-1) unstable; urgency=low + + * Imported Upstream version 1.3.2 + + -- Pierre Chifflier Sat, 13 Oct 2012 12:18:33 +0200 + +suricata (1.3-1) unstable; urgency=low + + * Imported Upstream version 1.3 + * Add build-dependency on libnss3-dev and libnspr4-dev + * Bump Standards Version to 3.9.3 + + -- Pierre Chifflier Sun, 22 Jul 2012 22:27:36 +0200 + +suricata (1.2.1-2) unstable; urgency=low + + * Use override targets in rules files (Closes: #666330) + * Add support for parallel build in debian/rules + + -- Pierre Chifflier Thu, 12 Apr 2012 01:56:48 +0200 + +suricata (1.2.1-1) unstable; urgency=low + + * Imported Upstream version 1.2.1 + * Add libmagic-dev to build-deps + * Convert to DH version 9 + - Switch from hardening-wrapper to dpkg-buildflags + + -- Pierre Chifflier Mon, 23 Jan 2012 21:47:26 +0100 + +suricata (1.1.1-2) unstable; urgency=low + + * Add *.config files to default installation + * Trigger rebuild with libhtp versioned symbols + + -- Pierre Chifflier Thu, 05 Jan 2012 08:20:24 +0100 + +suricata (1.1.1-1) unstable; urgency=low + + * Imported Upstream version 1.1.1 + * Add configure option --enable-af-packet + + -- Pierre Chifflier Wed, 07 Dec 2011 21:52:53 +0100 + +suricata (1.1-1) unstable; urgency=low + + * Imported Upstream version 1.1 + * Add instructions on getting new rules using oinkmaster + * Add Recommends on oinkmaster + * Move snort-rules-default to Recommends + + -- Pierre Chifflier Thu, 17 Nov 2011 23:20:51 +0100 + +suricata (1.0.5-1) unstable; urgency=low + + * Imported Upstream version 1.0.5 + + -- Pierre Chifflier Wed, 27 Jul 2011 08:20:25 +0200 + +suricata (1.0.4-1) unstable; urgency=low + + * Imported Upstream version 1.0.4 + * Bump Standards Version to 3.9.2 + * Enable hardening-wrapper + + -- Pierre Chifflier Sat, 25 Jun 2011 13:45:44 +0200 + +suricata (1.0.3-1) unstable; urgency=low + + * Imported Upstream version 1.0.3 + + -- Pierre Chifflier Wed, 13 Apr 2011 16:59:32 +0200 + +suricata (1.0.2-2) unstable; urgency=low + + * Add init script (thanks to Edward Fjellskål) + * Switch to dpkg-source 3.0 (quilt) format + + -- Pierre Chifflier Sun, 19 Dec 2010 18:35:50 +0100 + +suricata (1.0.2-1) unstable; urgency=low + + * New Upstream version 1.0.2 (Closes: #598389) + + -- Pierre Chifflier Wed, 29 Sep 2010 10:02:52 +0200 + +suricata (1.0.1-1) unstable; urgency=low + + * Imported Upstream version 1.0.1 (Closes: #591559) + * Bump Standards version to 3.9.1 + * Create /var/log/suricata (Closes: #590861) + + -- Pierre Chifflier Wed, 11 Aug 2010 14:45:14 +0200 + +suricata (1.0.0-1) unstable; urgency=low + + * Imported Upstream version 1.0.0 + * Remove arch=native flag from build (Closes: #587714) + * Bump Standards version to 3.9.0 + + -- Pierre Chifflier Thu, 01 Jul 2010 21:28:41 +0200 + +suricata (0.9.2-1) unstable; urgency=low + + * Imported Upstream version 0.9.2 + + -- Pierre Chifflier Sat, 19 Jun 2010 17:39:14 +0200 + +suricata (0.9.1-1) unstable; urgency=low + + * Imported Upstream version 0.9.1 + * Update watch file + + -- Pierre Chifflier Wed, 26 May 2010 23:09:07 +0200 + +suricata (0.9.0-1) unstable; urgency=low + + * Imported Upstream version 0.9.0 + * Add libcap-ng-dev to build-deps + + -- Pierre Chifflier Sun, 09 May 2010 10:43:44 +0200 + +suricata (0.8.2-1) unstable; urgency=low + + * Imported Upstream version 0.8.2 + * Force selection of external libhtp during build + * Enable Prelude support + * Update watch file + + -- Pierre Chifflier Sun, 02 May 2010 10:50:05 +0200 + +suricata (0.8.0-2) unstable; urgency=low + + * Update debian/copyright to include all files + + -- Pierre Chifflier Sun, 21 Feb 2010 21:45:33 +0100 + +suricata (0.8.0-1) unstable; urgency=low + + * Initial release (Closes: #563422) + + -- Pierre Chifflier Sat, 30 Jan 2010 18:25:05 +0100 diff --git a/control b/control new file mode 100644 index 00000000..b7637010 --- /dev/null +++ b/control @@ -0,0 +1,65 @@ +Source: suricata +Section: net +Priority: optional +Maintainer: Pierre Chifflier +Uploaders: Sascha Steinbiss +Build-Depends: debhelper-compat (= 13), + dh-python, + libbpf-dev (>= 1:0.7.0) [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32], + clang [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32], + llvm [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32], + libcap-ng-dev, + libelf-dev [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32], + libevent-dev, + libgeoip-dev, + libhiredis-dev, + libjansson-dev, + libluajit-5.1-dev [i386 amd64 powerpc mips mipsel armel armhf], + libhyperscan-dev (>= 4.4.0) [i386 amd64 x32], + rustc (>= 1.61.0), + cargo (>= 0.29.0), + liblz4-dev, + libmagic-dev, + libmaxminddb-dev, + libnet1-dev | libnet-dev, + libnetfilter-log-dev, + libnetfilter-queue-dev, + libnspr4-dev, + libnss3-dev, + libpcap-dev, + libpcre2-dev, + libyaml-dev, + python3:any, + zlib1g-dev | libz-dev, + libhtp-dev (>= 1:0.5.50), + procps, + dpdk-dev [amd64 arm64 riscv64 ppc64el], + libnuma-dev [amd64 arm64 riscv64 ppc64el] +Standards-Version: 4.6.2 +Rules-Requires-Root: no +Homepage: https://suricata.io +Vcs-Browser: https://salsa.debian.org/pkg-suricata-team/pkg-suricata +Vcs-Git: https://salsa.debian.org/pkg-suricata-team/pkg-suricata.git + +Package: suricata +Architecture: linux-any +Pre-Depends: ${misc:Pre-Depends} +Depends: ${misc:Depends}, ${python3:Depends}, ${shlibs:Depends}, libhtp2 (>= ${libhtp:Version}~) +Conflicts: libhtp1, suricata-hyperscan +Replaces: suricata-hyperscan +Recommends: python3, snort-rules-default, suricata-update +Suggests: libtcmalloc-minimal4 +Description: Next Generation Intrusion Detection and Prevention Tool + Suricata is a network Intrusion Detection System (IDS). It is based on + rules (and is fully compatible with snort rules) to detect a variety of + attacks / probes by searching packet content. + . + It can also be used as Intrusion Prevention System (IPS), and as higher layer + firewall. + . + This new Engine supports Multi-Threading, Automatic Protocol Detection + (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast + IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU + cards. + . + This version has inline (NFQUEUE) support enabled. diff --git a/copyright b/copyright new file mode 100644 index 00000000..986585ca --- /dev/null +++ b/copyright @@ -0,0 +1,442 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: suricata +Source: https://suricata.io/download/ +Files-Excluded: libhtp + +Files: * +Copyright: 2007-2020 Open Information Security Foundation +License: GPL-2 + +Files: aclocal.m4 +Copyright: 1996-2017 Free Software Foundation, Inc. + 2004 Scott James Remnant + 2012-2015 Dan Nicholson +License: GPL-2+ + +Files: compile + config.sub + configure +Copyright: 1992-2018 Free Software Foundation, Inc. +License: GPL-2 + +Files: config.guess +Copyright: 1992-2018 Free Software Foundation, Inc. +License: GPL-3 + +Files: contrib/Makefile.am +Copyright: 2007-2020 Open Information Security Foundation +License: GPL-2 + +Files: contrib/file_processor/* +Copyright: 2007-2020 Open Information Security Foundation +License: GPL-2 + +Files: contrib/file_processor/Action/Makefile.in +Copyright: 1989, 1991-2015, Free Software Foundation, Inc. +License: GPL-2 + +Files: contrib/file_processor/Makefile.in +Copyright: 1989, 1991-2015, Free Software Foundation, Inc. +License: GPL-2 + +Files: contrib/file_processor/Processor/Makefile.in +Copyright: 1989, 1991-2015, Free Software Foundation, Inc. +License: GPL-2 + +Files: contrib/file_processor/file_processor.pl +Copyright: 2012, Martin Holste +License: GPL-2 + +Files: contrib/suri-graphite +Copyright: 2013, 2015, Eric Leblond +License: GPL-2 + +Files: debian/* +Copyright: 2010 Pierre Chifflier + 2019-2024 Sascha Steinbiss +License: GPL-2 + +Files: doc/Makefile.in + doc/userguide/Makefile.in +Copyright: 1989, 1991-2015, Free Software Foundation, Inc. +License: GPL-2 + +Files: install-sh +Copyright: 1994, X Consortium +License: Expat + +Files: ebpf/Makefile.in + etc/Makefile.in + python/Makefile.in + qa/Makefile.in + qa/coccinelle/Makefile.in + rules/Makefile.in + rust/Makefile.in + src/Makefile.in +Copyright: 1994-2023 Free Software Foundation, Inc. +License: GPL-2 + +Files: ebpf/include/linux/bpf.h +Copyright: 2011-2014 PLUMgrid +License: GPL-2 + +Files: python/suricata/ctl/loghandler.py +Copyright: 2017 Open Information Security Foundation + 2016 Jason Ish +License: GPL-2 + +Files: qa/coccinelle/sz3.cocci +Copyright: 2012 LIP6/INRIA +License: GPL-2 + +Files: qa/wirefuzz.pl +Copyright: 2010-2015 Open Information Security Foundation +License: GPL-2 + +Files: rust/vendor/autocfg*/* +Copyright: 2018 Josh Stone +License: MIT or Apache-2.0 + +Files: rust/vendor/base64/* +Copyright: 2015 Alice Maz +License: MIT or Apache-2.0 + +Files: rust/vendor/bitflags/* +Copyright: 2014 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/build_const/* +Copyright: 2017 Garrett Berg, vitiral@gmail.com +License: MIT + +Files: rust/vendor/byteorder/* +Copyright: 2015 Andrew Gallant +License: MIT or Unlicense + +Files: rust/vendor/crc/* +Copyright: 2017 crc-rs Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/der-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/enum_primitive/* +Copyright: 2015 Anders Kaseorg +License: MIT + +Files: rust/vendor/ipsec-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/kerberos-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/libc/* +Copyright: 2014 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/memchr/* +Copyright: 2015 Andrew Gallant +License: Unlicense or MIT + +Files: rust/vendor/nom/* +Copyright: 2014-2018 Geoffroy Couprie +License: MIT + +Files: rust/vendor/ntp-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/num*/* +Copyright: 2014 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/phf*/* +Copyright: 2014-2016 Steven Fackler +License: MIT + +Files: rust/vendor/proc-macro2/* +Copyright: 2014 Alex Crichton +License: MIT or Apache-2.0 + +Files: rust/vendor/quote/* +Copyright: 2016 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/rand*/* +Copyright: 2018 The Rand Project Developers + 2014 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/rusticata-macros/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/siphasher/* +Copyright: 2012-2016 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/snmp-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/syn/* +Copyright: David Tolnay +License: MIT or Apache-2.0 + +Files: rust/vendor/time/* +Copyright: 2014 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/tls-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/unicode-xid/* +Copyright: 2015 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/version_check/* +Copyright: 2017-2018 Sergio Benitez +License: MIT or Apache-2.0 + +Files: rust/vendor/widestring/* +Copyright: 2016 Kathryn Long +License: MIT or Apache-2.0 + +Files: rust/vendor/x509-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: src/Makefile.am + src/util-hash-lookup3.c + src/util-hash-lookup3.h +Copyright: 2008 Victor Julien +License: GPL-2 + +Files: src/app-layer-htp-libhtp.c + src/app-layer-htp-libhtp.h +Copyright: 2010-2013, Qualys, Inc. + 2009, 2010, Open Information Security Foundation +License: BSD-3-clause + +Files: src/detect-modbus.c + src/detect-modbus.h + src/detect-tls.c + src/detect-tls.h +Copyright: 2011-2015, ANSSI +License: BSD-3-clause + +Files: src/queue.h + src/win32-syslog.h +Copyright: 1982, 1986, 1988, 1991, 1993, The Regents of the University of California. +License: BSD-3-clause + +Files: src/util-decode-mime.c + src/util-decode-mime.h +Copyright: 2012, BAE Systems +License: GPL-2 + +Files: src/util-fix_checksum.c + src/util-fix_checksum.h +Copyright: 2002-2008, Henning Brauer + 2001, Daniel Hartmeier +License: BSD-2-clause +Comment: + In addition to the BSD license, the authors state the following: + Effort sponsored in part by the Defense Advanced Research Projects + Agency (DARPA) and Air Force Research Laboratory, Air Force + Materiel Command, USAF, under agreement number F30602-01-2-0537 + +Files: src/util-strlcatu.c + src/util-strlcpyu.c +Copyright: 1998, Todd C. Miller +License: BSD-3-clause + +Files: src/tree.h +Copyright: 2002 Niels Provos +License: BSD-2-clause + +Files: suricata-update/* +Copyright: 2017-2019 Open Information Security Foundation + 2013-2017 Jason Ish +License: GPL-2 + +Files: suricata-update/suricata/update/compat/ordereddict.py +Copyright: 2009 Raymond Hettinger +License: MIT + +License: BSD-3-clause + The BSD License + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + * Neither the name of foo nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: Expat + The MIT License + . + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated + documentation files (the "Software"), to deal in the Software + without restriction, including without limitation the rights to + use, copy, modify, merge, publish, distribute, sublicense, + and/or sell copies of the Software, and to permit persons to + whom the Software is furnished to do so, subject to the + following conditions: + . + The above copyright notice and this permission notice shall + be included in all copies or substantial portions of the + Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT + WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE AND NONINFRINGEMENT. IN NO EVENT + SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR + OTHER DEALINGS IN THE SOFTWARE. + +License: GPL-2 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Library General Public License as published by + the Free Software Foundation. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Library General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see + . + On Debian systems, the complete text of the GNU General + Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". + +License: GPL-2+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991, or (at + your option) any later version. + . + On Debian systems, the complete text of version 2 of the GNU General + Public License can be found in '/usr/share/common-licenses/GPL-2'. + +License: GPL-3 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 3 dated June, 2007. + . + On Debian systems, the complete text of version 3 of the GNU General + Public License can be found in '/usr/share/common-licenses/GPL-3'. + +License: Apache-2.0 + Debian systems provide the Apache 2.0 license in + /usr/share/common-licenses/Apache-2.0 + +License: MIT + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +License: Unlicense + This is free and unencumbered software released into the public domain. + . + Anyone is free to copy, modify, publish, use, compile, sell, or + distribute this software, either in source code form or as a compiled + binary, for any purpose, commercial or non-commercial, and by any + means. + . + In jurisdictions that recognize copyright laws, the author or authors + of this software dedicate any and all copyright interest in the + software to the public domain. We make this dedication for the benefit + of the public at large and to the detriment of our heirs and + successors. We intend this dedication to be an overt act of + relinquishment in perpetuity of all present and future rights to this + software under copyright law. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR + OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + OTHER DEALINGS IN THE SOFTWARE. + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: ISC + Permission to use, copy, modify, and/or distribute this software for any purpose with or without + fee is hereby granted, provided that the above copyright notice and this permission notice appear + in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS + SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF + THIS SOFTWARE. diff --git a/libhtp-0.5.24-1.install b/libhtp-0.5.24-1.install new file mode 100644 index 00000000..3ddde584 --- /dev/null +++ b/libhtp-0.5.24-1.install @@ -0,0 +1 @@ +usr/lib/*/lib*.so.* diff --git a/libhtp-0.5.24-1.lintian-overrides b/libhtp-0.5.24-1.lintian-overrides new file mode 100644 index 00000000..a5b3b880 --- /dev/null +++ b/libhtp-0.5.24-1.lintian-overrides @@ -0,0 +1,2 @@ +# false positive, the link is there. Somehow lintian is confused +libhtp-0.5.24-1: dev-pkg-without-shlib-symlink diff --git a/libhtp-0.5.24-1.symbols b/libhtp-0.5.24-1.symbols new file mode 100644 index 00000000..d724f5fd --- /dev/null +++ b/libhtp-0.5.24-1.symbols @@ -0,0 +1,347 @@ +libhtp-0.5.24.so.1 libhtp-0.5.24-1 #MINVER# + bstr_add@Base 3.1.3 + bstr_add_c@Base 3.1.3 + bstr_add_c_noex@Base 3.1.3 + bstr_add_mem@Base 3.1.3 + bstr_add_mem_noex@Base 3.1.3 + bstr_add_noex@Base 3.1.3 + bstr_adjust_len@Base 3.1.3 + bstr_adjust_realptr@Base 3.1.3 + bstr_adjust_size@Base 3.1.3 + bstr_alloc@Base 3.1.3 + bstr_begins_with@Base 3.1.3 + bstr_begins_with_c@Base 3.1.3 + bstr_begins_with_c_nocase@Base 3.1.3 + bstr_begins_with_mem@Base 3.1.3 + bstr_begins_with_mem_nocase@Base 3.1.3 + bstr_begins_with_nocase@Base 3.1.3 + bstr_builder_append_c@Base 3.1.3 + bstr_builder_append_mem@Base 3.1.3 + bstr_builder_appendn@Base 3.1.3 + bstr_builder_clear@Base 3.1.3 + bstr_builder_create@Base 3.1.3 + bstr_builder_destroy@Base 3.1.3 + bstr_builder_size@Base 3.1.3 + bstr_builder_to_str@Base 3.1.3 + bstr_char_at@Base 3.1.3 + bstr_char_at_end@Base 3.1.3 + bstr_chop@Base 3.1.3 + bstr_chr@Base 3.1.3 + bstr_cmp@Base 3.1.3 + bstr_cmp_c@Base 3.1.3 + bstr_cmp_c_nocase@Base 3.1.3 + bstr_cmp_mem@Base 3.1.3 + bstr_cmp_mem_nocase@Base 3.1.3 + bstr_cmp_nocase@Base 3.1.3 + bstr_dup@Base 3.1.3 + bstr_dup_c@Base 3.1.3 + bstr_dup_ex@Base 3.1.3 + bstr_dup_lower@Base 3.1.3 + bstr_dup_mem@Base 3.1.3 + bstr_expand@Base 3.1.3 + bstr_free@Base 3.1.3 + bstr_index_of@Base 3.1.3 + bstr_index_of_c@Base 3.1.3 + bstr_index_of_c_nocase@Base 3.1.3 + bstr_index_of_mem@Base 3.1.3 + bstr_index_of_mem_nocase@Base 3.1.3 + bstr_index_of_nocase@Base 3.1.3 + bstr_rchr@Base 3.1.3 + bstr_to_lowercase@Base 3.1.3 + bstr_util_cmp_mem@Base 3.1.3 + bstr_util_cmp_mem_nocase@Base 3.1.3 + bstr_util_mem_index_of_c@Base 3.1.3 + bstr_util_mem_index_of_c_nocase@Base 3.1.3 + bstr_util_mem_index_of_mem@Base 3.1.3 + bstr_util_mem_index_of_mem_nocase@Base 3.1.3 + bstr_util_mem_to_pint@Base 3.1.3 + bstr_util_mem_trim@Base 3.1.3 + bstr_util_memdup_to_c@Base 3.1.3 + bstr_util_strdup_to_c@Base 3.1.3 + bstr_wrap_c@Base 3.1.3 + bstr_wrap_mem@Base 3.1.3 + fprint_bstr@Base 3.1.3 + fprint_raw_data@Base 3.1.3 + fprint_raw_data_ex@Base 3.1.3 + htp_base64_decode@Base 3.1.3 + htp_base64_decode_bstr@Base 3.1.3 + htp_base64_decode_mem@Base 3.1.3 + htp_base64_decode_single@Base 3.1.3 + htp_base64_decoder_init@Base 3.1.3 + htp_ch_multipart_callback_request_body_data@Base 3.1.3 + htp_ch_multipart_callback_request_headers@Base 3.1.3 + htp_ch_urlencoded_callback_request_body_data@Base 3.1.3 + htp_ch_urlencoded_callback_request_headers@Base 3.1.3 + htp_ch_urlencoded_callback_request_line@Base 3.1.3 + htp_chomp@Base 3.1.3 + htp_config_copy@Base 3.1.3 + htp_config_create@Base 3.1.3 + htp_config_destroy@Base 3.1.3 + htp_config_get_user_data@Base 3.1.3 + htp_config_register_log@Base 3.1.3 + htp_config_register_multipart_parser@Base 3.1.3 + htp_config_register_request_body_data@Base 3.1.3 + htp_config_register_request_complete@Base 3.1.3 + htp_config_register_request_file_data@Base 3.1.3 + htp_config_register_request_header_data@Base 3.1.3 + htp_config_register_request_headers@Base 3.1.3 + htp_config_register_request_line@Base 3.1.3 + htp_config_register_request_start@Base 3.1.3 + htp_config_register_request_trailer@Base 3.1.3 + htp_config_register_request_trailer_data@Base 3.1.3 + htp_config_register_request_uri_normalize@Base 3.1.3 + htp_config_register_response_body_data@Base 3.1.3 + htp_config_register_response_complete@Base 3.1.3 + htp_config_register_response_header_data@Base 3.1.3 + htp_config_register_response_headers@Base 3.1.3 + htp_config_register_response_line@Base 3.1.3 + htp_config_register_response_start@Base 3.1.3 + htp_config_register_response_trailer@Base 3.1.3 + htp_config_register_response_trailer_data@Base 3.1.3 + htp_config_register_transaction_complete@Base 3.1.3 + htp_config_register_urlencoded_parser@Base 3.1.3 + htp_config_set_backslash_convert_slashes@Base 3.1.3 + htp_config_set_bestfit_map@Base 3.1.3 + htp_config_set_bestfit_replacement_byte@Base 3.1.3 + htp_config_set_control_chars_unwanted@Base 3.1.3 + htp_config_set_convert_lowercase@Base 3.1.3 + htp_config_set_extract_request_files@Base 3.1.3 + htp_config_set_field_limits@Base 3.1.3 + htp_config_set_log_level@Base 3.1.3 + htp_config_set_nul_encoded_terminates@Base 3.1.3 + htp_config_set_nul_encoded_unwanted@Base 3.1.3 + htp_config_set_nul_raw_terminates@Base 3.1.3 + htp_config_set_nul_raw_unwanted@Base 3.1.3 + htp_config_set_parse_request_auth@Base 3.1.3 + htp_config_set_parse_request_cookies@Base 3.1.3 + htp_config_set_path_separators_compress@Base 3.1.3 + htp_config_set_path_separators_decode@Base 3.1.3 + htp_config_set_path_separators_encoded_unwanted@Base 3.1.3 + htp_config_set_plusspace_decode@Base 3.1.3 + htp_config_set_requestline_leading_whitespace_unwanted@Base 3.1.3 + htp_config_set_response_decompression@Base 3.1.3 + htp_config_set_response_decompression_layer_limit@Base 3.1.3 + htp_config_set_server_personality@Base 3.1.3 + htp_config_set_tmpdir@Base 3.1.3 + htp_config_set_tx_auto_destroy@Base 3.1.3 + htp_config_set_u_encoding_decode@Base 3.1.3 + htp_config_set_u_encoding_unwanted@Base 3.1.3 + htp_config_set_url_encoding_invalid_handling@Base 3.1.3 + htp_config_set_url_encoding_invalid_unwanted@Base 3.1.3 + htp_config_set_user_data@Base 3.1.3 + htp_config_set_utf8_convert_bestfit@Base 3.1.3 + htp_config_set_utf8_invalid_unwanted@Base 3.1.3 + htp_conn_close@Base 3.1.3 + htp_conn_create@Base 3.1.3 + htp_conn_destroy@Base 3.1.3 + htp_conn_open@Base 3.1.3 + htp_conn_remove_tx@Base 3.1.3 + htp_conn_track_inbound_data@Base 3.1.3 + htp_conn_track_outbound_data@Base 3.1.3 + htp_connp_REQ_BODY_CHUNKED_DATA@Base 3.1.3 + htp_connp_REQ_BODY_CHUNKED_DATA_END@Base 3.1.3 + htp_connp_REQ_BODY_CHUNKED_LENGTH@Base 3.1.3 + htp_connp_REQ_BODY_DETERMINE@Base 3.1.3 + htp_connp_REQ_BODY_IDENTITY@Base 3.1.3 + htp_connp_REQ_CONNECT_CHECK@Base 3.1.3 + htp_connp_REQ_CONNECT_PROBE_DATA@Base 3.1.3 + htp_connp_REQ_CONNECT_WAIT_RESPONSE@Base 3.1.3 + htp_connp_REQ_FINALIZE@Base 3.1.3 + htp_connp_REQ_HEADERS@Base 3.1.3 + htp_connp_REQ_IDLE@Base 3.1.3 + htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9@Base 3.1.3 + htp_connp_REQ_LINE@Base 3.1.3 + htp_connp_REQ_LINE_complete@Base 3.1.3 + htp_connp_REQ_PROTOCOL@Base 3.1.3 + htp_connp_RES_BODY_CHUNKED_DATA@Base 3.1.3 + htp_connp_RES_BODY_CHUNKED_DATA_END@Base 3.1.3 + htp_connp_RES_BODY_CHUNKED_LENGTH@Base 3.1.3 + htp_connp_RES_BODY_DETERMINE@Base 3.1.3 + htp_connp_RES_BODY_IDENTITY_CL_KNOWN@Base 3.1.3 + htp_connp_RES_BODY_IDENTITY_STREAM_CLOSE@Base 3.1.3 + htp_connp_RES_FINALIZE@Base 3.1.3 + htp_connp_RES_HEADERS@Base 3.1.3 + htp_connp_RES_IDLE@Base 3.1.3 + htp_connp_RES_LINE@Base 3.1.3 + htp_connp_clear_error@Base 3.1.3 + htp_connp_close@Base 3.1.3 + htp_connp_create@Base 3.1.3 + htp_connp_destroy@Base 3.1.3 + htp_connp_destroy_all@Base 3.1.3 + htp_connp_destroy_decompressors@Base 3.1.3 + htp_connp_get_connection@Base 3.1.3 + htp_connp_get_in_tx@Base 3.1.3 + htp_connp_get_last_error@Base 3.1.3 + htp_connp_get_out_tx@Base 3.1.3 + htp_connp_get_user_data@Base 3.1.3 + htp_connp_in_reset@Base 3.1.3 + htp_connp_in_state_as_string@Base 3.1.3 + htp_connp_is_line_folded@Base 3.1.3 + htp_connp_is_line_ignorable@Base 3.1.3 + htp_connp_is_line_terminator@Base 3.1.3 + htp_connp_open@Base 3.1.3 + htp_connp_out_state_as_string@Base 3.1.3 + htp_connp_req_data@Base 3.1.3 + htp_connp_req_data_consumed@Base 3.1.3 + htp_connp_req_receiver_finalize_clear@Base 3.1.3 + htp_connp_res_data@Base 3.1.3 + htp_connp_res_data_consumed@Base 3.1.3 + htp_connp_res_receiver_finalize_clear@Base 3.1.3 + htp_connp_set_user_data@Base 3.1.3 + htp_connp_tx_create@Base 3.1.3 + htp_connp_tx_remove@Base 3.1.3 + htp_convert_method_to_number@Base 3.1.3 + htp_decode_path_inplace@Base 3.1.3 + htp_extract_quoted_string_as_bstr@Base 3.1.3 + htp_get_version@Base 3.1.3 + htp_gzip_decompressor_create@Base 3.1.3 + htp_hook_copy@Base 3.1.3 + htp_hook_create@Base 3.1.3 + htp_hook_destroy@Base 3.1.3 + htp_hook_register@Base 3.1.3 + htp_hook_run_all@Base 3.1.3 + htp_hook_run_one@Base 3.1.3 + htp_is_folding_char@Base 3.1.3 + htp_is_line_empty@Base 3.1.3 + htp_is_line_whitespace@Base 3.1.3 + htp_is_lws@Base 3.1.3 + htp_is_separator@Base 3.1.3 + htp_is_space@Base 3.1.3 + htp_is_text@Base 3.1.3 + htp_is_token@Base 3.1.3 + htp_list_array_clear@Base 3.1.3 + htp_list_array_create@Base 3.1.3 + htp_list_array_destroy@Base 3.1.3 + htp_list_array_get@Base 3.1.3 + htp_list_array_pop@Base 3.1.3 + htp_list_array_push@Base 3.1.3 + htp_list_array_replace@Base 3.1.3 + htp_list_array_shift@Base 3.1.3 + htp_list_array_size@Base 3.1.3 + htp_log@Base 3.1.3 + htp_mpart_part_create@Base 3.1.3 + htp_mpart_part_destroy@Base 3.1.3 + htp_mpart_part_finalize_data@Base 3.1.3 + htp_mpart_part_handle_data@Base 3.1.3 + htp_mpart_part_parse_c_d@Base 3.1.3 + htp_mpart_part_process_headers@Base 3.1.3 + htp_mpartp_create@Base 3.1.3 + htp_mpartp_destroy@Base 3.1.3 + htp_mpartp_finalize@Base 3.1.3 + htp_mpartp_find_boundary@Base 3.1.3 + htp_mpartp_get_multipart@Base 3.1.3 + htp_mpartp_parse@Base 3.1.3 + htp_mpartp_parse_header@Base 3.1.3 + htp_mpartp_run_request_file_data_hook@Base 3.1.3 + htp_normalize_hostname_inplace@Base 3.1.3 + htp_normalize_parsed_uri@Base 3.1.3 + htp_normalize_uri_path_inplace@Base 3.1.3 + htp_parse_authorization@Base 3.1.3 + htp_parse_authorization_basic@Base 3.1.3 + htp_parse_authorization_digest@Base 3.1.3 + htp_parse_chunked_length@Base 3.1.3 + htp_parse_content_length@Base 3.1.3 + htp_parse_cookies_v0@Base 3.1.3 + htp_parse_ct_header@Base 3.1.3 + htp_parse_header_hostport@Base 3.1.3 + htp_parse_hostport@Base 3.1.3 + htp_parse_positive_integer_whitespace@Base 3.1.3 + htp_parse_protocol@Base 3.1.3 + htp_parse_request_header_generic@Base 3.1.3 + htp_parse_request_line_apache_2_2@Base 3.1.3 + htp_parse_request_line_generic@Base 3.1.3 + htp_parse_request_line_generic_ex@Base 3.1.3 + htp_parse_response_header_generic@Base 3.1.3 + htp_parse_response_line_generic@Base 3.1.3 + htp_parse_single_cookie_v0@Base 3.1.3 + htp_parse_status@Base 3.1.3 + htp_parse_uri@Base 3.1.3 + htp_parse_uri_hostport@Base 3.1.3 + htp_php_parameter_processor@Base 3.1.3 + htp_process_request_header_apache_2_2@Base 3.1.3 + htp_process_request_header_generic@Base 3.1.3 + htp_process_response_header_generic@Base 3.1.3 + htp_req_run_hook_body_data@Base 3.1.3 + htp_res_run_hook_body_data@Base 3.1.3 + htp_table_add@Base 3.1.3 + htp_table_addk@Base 3.1.3 + htp_table_addn@Base 3.1.3 + htp_table_clear@Base 3.1.3 + htp_table_clear_ex@Base 3.1.3 + htp_table_create@Base 3.1.3 + htp_table_destroy@Base 3.1.3 + htp_table_destroy_ex@Base 3.1.3 + htp_table_get@Base 3.1.3 + htp_table_get_c@Base 3.1.3 + htp_table_get_index@Base 3.1.3 + htp_table_get_mem@Base 3.1.3 + htp_table_size@Base 3.1.3 + htp_transcode_bstr@Base 3.1.3 + htp_transcode_params@Base 3.1.3 + htp_treat_response_line_as_body@Base 3.1.3 + htp_tx_create@Base 3.1.3 + htp_tx_destroy@Base 3.1.3 + htp_tx_destroy_incomplete@Base 3.1.3 + htp_tx_finalize@Base 3.1.3 + htp_tx_get_is_config_shared@Base 3.1.3 + htp_tx_get_user_data@Base 3.1.3 + htp_tx_is_complete@Base 3.1.3 + htp_tx_register_request_body_data@Base 3.1.3 + htp_tx_register_response_body_data@Base 3.1.3 + htp_tx_req_add_param@Base 3.1.3 + htp_tx_req_get_param@Base 3.1.3 + htp_tx_req_get_param_ex@Base 3.1.3 + htp_tx_req_has_body@Base 3.1.3 + htp_tx_req_process_body_data@Base 3.1.3 + htp_tx_req_process_body_data_ex@Base 3.1.3 + htp_tx_req_set_header@Base 3.1.3 + htp_tx_req_set_headers_clear@Base 3.1.3 + htp_tx_req_set_line@Base 3.1.3 + htp_tx_req_set_method@Base 3.1.3 + htp_tx_req_set_method_number@Base 3.1.3 + htp_tx_req_set_parsed_uri@Base 3.1.3 + htp_tx_req_set_protocol@Base 3.1.3 + htp_tx_req_set_protocol_0_9@Base 3.1.3 + htp_tx_req_set_protocol_number@Base 3.1.3 + htp_tx_req_set_uri@Base 3.1.3 + htp_tx_request_progress_as_string@Base 3.1.3 + htp_tx_res_process_body_data@Base 3.1.3 + htp_tx_res_process_body_data_ex@Base 3.1.3 + htp_tx_res_set_header@Base 3.1.3 + htp_tx_res_set_headers_clear@Base 3.1.3 + htp_tx_res_set_protocol_number@Base 3.1.3 + htp_tx_res_set_status_code@Base 3.1.3 + htp_tx_res_set_status_line@Base 3.1.3 + htp_tx_res_set_status_message@Base 3.1.3 + htp_tx_response_progress_as_string@Base 3.1.3 + htp_tx_set_config@Base 3.1.3 + htp_tx_set_user_data@Base 3.1.3 + htp_tx_state_request_complete@Base 3.1.3 + htp_tx_state_request_complete_partial@Base 3.1.3 + htp_tx_state_request_headers@Base 3.1.3 + htp_tx_state_request_line@Base 3.1.3 + htp_tx_state_request_start@Base 3.1.3 + htp_tx_state_response_complete@Base 3.1.3 + htp_tx_state_response_complete_ex@Base 3.1.3 + htp_tx_state_response_headers@Base 3.1.3 + htp_tx_state_response_line@Base 3.1.3 + htp_tx_state_response_start@Base 3.1.3 + htp_tx_urldecode_params_inplace@Base 3.1.3 + htp_tx_urldecode_uri_inplace@Base 3.1.3 + htp_unparse_uri_noencode@Base 3.1.3 + htp_uri_alloc@Base 3.1.3 + htp_uri_free@Base 3.1.3 + htp_urldecode_inplace@Base 3.1.3 + htp_urldecode_inplace_ex@Base 3.1.3 + htp_urlenp_create@Base 3.1.3 + htp_urlenp_destroy@Base 3.1.3 + htp_urlenp_finalize@Base 3.1.3 + htp_urlenp_parse_complete@Base 3.1.3 + htp_urlenp_parse_partial@Base 3.1.3 + htp_utf8_decode@Base 3.1.3 + htp_utf8_decode_allow_overlong@Base 3.1.3 + htp_utf8_decode_path_inplace@Base 3.1.3 + htp_utf8_validate_path@Base 3.1.3 + htp_validate_hostname@Base 3.1.3 + strlcat@Base 3.1.3 + strlcpy@Base 3.1.3 diff --git a/patches/CVE-2025-53538.patch b/patches/CVE-2025-53538.patch new file mode 100644 index 00000000..d72f2a6b --- /dev/null +++ b/patches/CVE-2025-53538.patch @@ -0,0 +1,62 @@ +From 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Tue, 15 Apr 2025 12:34:37 +0200 +# Subject: [PATCH] http2: forbid data on stream 0 + +Ticket: 7658 + +Suricata will not handle well if we open a file for this tx, +do not close it, but set the transaction state to completed. + +RFC 9113 section 6.1 states: + +If a DATA frame is received whose Stream Identifier field is 0x00, +the recipient MUST respond with a connection error (Section 5.4.1) + of type PROTOCOL_ERROR. + +(cherry picked from commit 1d6d331752e933c46aca0ae7a9679b27462246e3) + +Origin: upstream, https://github.com/OISF/suricata/commit/97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.patch +Bug: https://redmine.openinfosecfoundation.org/issues/7659 +Bug-Debian: https://bugs.debian.org/1109806 +Subject: Upstream fix for CVE-2025-53538 +--- + rules/http2-events.rules | 1 + + rust/src/http2/http2.rs | 5 ++++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/rules/http2-events.rules b/rules/http2-events.rules +index 413fdd652..8242e2f79 100644 +--- a/rules/http2-events.rules ++++ b/rules/http2-events.rules +@@ -21,3 +21,4 @@ alert http2 any any -> any any (msg:"SURICATA HTTP2 too many streams"; flow:esta + alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;) + alert http2 any any -> any any (msg:"SURICATA HTTP2 user info in uri"; flow:established,to_server; app-layer-event:http2.userinfo_in_uri; classtype:protocol-command-decode; sid:2290014; rev:1;) + alert http2 any any -> any any (msg:"SURICATA HTTP2 reassembly limit reached"; flow:established; app-layer-event:http2.reassembly_limit_reached; classtype:protocol-command-decode; sid:2290015; rev:1;) ++alert http2 any any -> any any (msg:"SURICATA HTTP2 data on stream zero"; flow:established; app-layer-event:http2.data_stream_zero; classtype:protocol-command-decode; sid:2290018; rev:1;) +diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs +index 20b7cd947..a79a33c8e 100644 +--- a/rust/src/http2/http2.rs ++++ b/rust/src/http2/http2.rs +@@ -409,6 +409,7 @@ pub enum HTTP2Event { + AuthorityHostMismatch, + UserinfoInUri, + ReassemblyLimitReached, ++ DataStreamZero, + } + + pub struct HTTP2DynTable { +@@ -1078,7 +1079,9 @@ impl HTTP2State { + data: txdata, + }); + } +- if ftype == parser::HTTP2FrameType::Data as u8 { ++ if ftype == parser::HTTP2FrameType::Data as u8 && sid == 0 { ++ tx.tx_data.set_event(HTTP2Event::DataStreamZero as u8); ++ } else if ftype == parser::HTTP2FrameType::Data as u8 && sid > 0 { + match unsafe { SURICATA_HTTP2_FILE_CONFIG } { + Some(sfcm) => { + //borrow checker forbids to reuse directly tx +-- +2.51.0 + diff --git a/patches/CVE-2025-59147.patch b/patches/CVE-2025-59147.patch new file mode 100644 index 00000000..e26e5e4e --- /dev/null +++ b/patches/CVE-2025-59147.patch @@ -0,0 +1,372 @@ +From e91b03c90385db15e21cf1a0e85b921bf92b039e Mon Sep 17 00:00:00 2001 +From: Victor Julien +Date: Wed, 20 Aug 2025 12:43:27 +0200 +# Subject: [PATCH] stream: improve SYN and SYN/ACK retransmission handling + +Take SEQ and ACK into account for more scenarios. + +SYN on SYN_SENT + +In this case the SYN packets with different SEQ and other properties are +queued up. Each packet updates the ssn to reflect the last packet to +come in. The old ssn data is added to a TcpStateQueue entry in +TcpSession::queue. If the max queue length is exceeded, the oldest entry +is evicted. The queue is actually a single linked list, where the list +head reflects the oldest entry. + +SYN/ACK on SYN_SENT + +In this case the first check is if the SYN/ACK matches the session. If +it doesn't, the queue is checked to see if there SYN's stored. If one is +found that matches, it is used and the session is updated to reflect +that. + +SYN/ACK on SYN_RECV + +SYN/ACK resent on the SYN_RECV state. In this case the ssn is updated +from the current packet. The old settings are stored in a TcpStateQueue +entry in the TcpSession::queue. + +ACK on SYN_RECV + +Checks any stored SYN/ACKs before checking the session. If a queued +SYN/ACK was sound, the session is updated to match it. + +Ticket: #3844. +Ticket: #7657. +(cherry picked from commit be6315dba0d9101b11d16e9dacfe2822b3792f1b) + +Patch adjusted for Debian to fit for Suricata 7.0.10. + +Origin: upstream, https://github.com/OISF/suricata/commit/e91b03c90385db15e21cf1a0e85b921bf92b039e.patch +Bug: https://redmine.openinfosecfoundation.org/issues/7852 +Subject: Upstream fix for CVE-2025-59147 +--- + src/stream-tcp-private.h | 2 +- + src/stream-tcp.c | 212 ++++++++++++++++++++++++++++----------- + 2 files changed, 155 insertions(+), 59 deletions(-) + +diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h +index 2da93f6ce..380b9eed1 100644 +--- a/src/stream-tcp-private.h ++++ b/src/stream-tcp-private.h +@@ -295,7 +295,7 @@ typedef struct TcpSession_ { + uint32_t reassembly_depth; /**< reassembly depth for the stream */ + TcpStream server; + TcpStream client; +- TcpStateQueue *queue; /**< list of SYN/ACK candidates */ ++ TcpStateQueue *queue; /**< list of SYN or SYN/ACK candidates */ + } TcpSession; + + #define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream) \ +diff --git a/src/stream-tcp.c b/src/stream-tcp.c +index a266ebf1a..5677d3090 100644 +--- a/src/stream-tcp.c ++++ b/src/stream-tcp.c +@@ -1787,6 +1787,7 @@ static void TcpStateQueueInitFromSsnSyn(const TcpSession *ssn, TcpStateQueue *q) + BUG_ON(ssn->state != TCP_SYN_SENT); // TODO + memset(q, 0, sizeof(*q)); + ++ q->seq = ssn->client.isn; + /* SYN won't use wscale yet. So window should be limited to 16 bits. */ + DEBUG_VALIDATE_BUG_ON(ssn->server.window > UINT16_MAX); + q->win = (uint16_t)ssn->server.window; +@@ -1817,8 +1818,9 @@ static void TcpStateQueueInitFromPktSyn(const Packet *p, TcpStateQueue *q) + #endif + memset(q, 0, sizeof(*q)); + ++ q->seq = TCP_GET_SEQ(p); + q->win = TCP_GET_WINDOW(p); +- q->pkt_ts = SCTIME_SECS(p->ts); ++ q->pkt_ts = (uint32_t)SCTIME_SECS(p->ts); + + if (TCP_GET_SACKOK(p) == 1) { + q->flags |= STREAMTCP_QUEUE_FLAG_SACK; +@@ -1846,6 +1848,7 @@ static void TcpStateQueueInitFromPktSynAck(const Packet *p, TcpStateQueue *q) + #endif + memset(q, 0, sizeof(*q)); + ++ q->seq = TCP_GET_ACK(p) - 1; + q->win = TCP_GET_WINDOW(p); + q->pkt_ts = SCTIME_SECS(p->ts); + +@@ -1870,36 +1873,62 @@ static void TcpStateQueueInitFromPktSynAck(const Packet *p, TcpStateQueue *q) + /** \internal + * \brief Find the Queued SYN that is the same as this SYN/ACK + * \retval q or NULL */ +-static const TcpStateQueue *StreamTcp3whsFindSyn(const TcpSession *ssn, TcpStateQueue *s) ++static const TcpStateQueue *StreamTcp3whsFindSyn( ++ const TcpSession *ssn, TcpStateQueue *s, TcpStateQueue **ret_tail) + { + SCLogDebug("ssn %p: search state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, s, s->seq, s->win, + BOOL2STR(s->flags & STREAMTCP_QUEUE_FLAG_TS), s->ts); + +- for (const TcpStateQueue *q = ssn->queue; q != NULL; q = q->next) { +- SCLogDebug("ssn %p: queue state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->seq, +- q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts); ++ TcpStateQueue *last = NULL; ++ for (TcpStateQueue *q = ssn->queue; q != NULL; q = q->next) { ++ SCLogDebug("ssn %p: queue state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u (last:%s)", ssn, q, ++ q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts, ++ BOOL2STR(q->next == NULL)); + if ((s->flags & STREAMTCP_QUEUE_FLAG_TS) == (q->flags & STREAMTCP_QUEUE_FLAG_TS) && +- s->ts == q->ts) { ++ s->ts == q->ts && s->seq == q->seq) { + return q; + } ++ last = q; + } ++ if (ret_tail) ++ *ret_tail = last; + return NULL; + } + +-/** \note the SEQ values *must* be the same */ ++/** \internal ++ * \brief take oldest element in the list and replace it with the new data ++ */ ++static void AddAndRotate(TcpSession *ssn, TcpStateQueue *tail, TcpStateQueue *search) ++{ ++ TcpStateQueue *old_head = ssn->queue; ++ TcpStateQueue *new_head = old_head->next; ++ /* set new head */ ++ ssn->queue = new_head; ++ ++ /* old head node is now appended to the list tail */ ++ tail->next = old_head; ++ ++ *old_head = *search; ++ old_head->next = NULL; ++} ++ + static int StreamTcp3whsStoreSyn(TcpSession *ssn, Packet *p) + { + TcpStateQueue search; + TcpStateQueueInitFromSsnSyn(ssn, &search); ++ TcpStateQueue *tail = NULL; + + /* first see if this is already in our list */ +- if (ssn->queue != NULL && StreamTcp3whsFindSyn(ssn, &search) != NULL) ++ if (ssn->queue != NULL && StreamTcp3whsFindSyn(ssn, &search, &tail) != NULL) + return 0; + + if (ssn->queue_len == stream_config.max_syn_queued) { +- SCLogDebug("ssn %p: =~ SYN queue limit reached", ssn); ++ SCLogDebug("%" PRIu64 ": ssn %p: =~ SYN queue limit reached, rotate", p->pcap_cnt, ssn); + StreamTcpSetEvent(p, STREAM_3WHS_SYN_FLOOD); +- return -1; ++ ++ /* add to the list, evicting the oldest entry */ ++ AddAndRotate(ssn, tail, &search); ++ return 0; + } + + if (StreamTcpCheckMemcap((uint32_t)sizeof(TcpStateQueue)) == 0) { +@@ -1916,9 +1945,13 @@ static int StreamTcp3whsStoreSyn(TcpSession *ssn, Packet *p) + + *q = search; + /* put in list */ +- q->next = ssn->queue; +- ssn->queue = q; ++ if (tail) ++ tail->next = q; ++ if (ssn->queue == NULL) ++ ssn->queue = q; + ssn->queue_len++; ++ SCLogDebug("%" PRIu64 ": ssn %p: =~ SYN with SEQ %u added (queue_len %u)", p->pcap_cnt, ssn, ++ q->seq, ssn->queue_len); + return 0; + } + +@@ -1944,6 +1977,102 @@ static inline void StreamTcp3whsStoreSynApplyToSsn(TcpSession *ssn, const TcpSta + } else { + ssn->flags &= ~STREAMTCP_FLAG_CLIENT_SACKOK; + } ++ ssn->client.isn = q->seq; ++ ssn->client.base_seq = ssn->client.next_seq = ssn->client.isn + 1; ++ SCLogDebug("ssn: %p client.isn updated to %u", ssn, ssn->client.isn); ++} ++ ++/** \internal ++ * \brief handle SYN/ACK on SYN_SENT state (non-TFO case) ++ * ++ * If packet doesn't match the session, check queued states (if any) ++ * ++ * \retval true packet is accepted ++ * \retval false packet is rejected ++ */ ++static inline bool StateSynSentCheckSynAck3Whs(TcpSession *ssn, Packet *p, const bool ts_mismatch) ++{ ++ const bool seq_match = SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1); ++ if (seq_match && !ts_mismatch) { ++ return true; ++ } ++ ++ /* check the queued syns */ ++ if (ssn->queue == NULL) { ++ goto failure; ++ } ++ ++ TcpStateQueue search; ++ TcpStateQueueInitFromPktSynAck(p, &search); ++ SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK looking for SEQ %u", p->pcap_cnt, ssn, search.seq); ++ ++ const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search, NULL); ++ if (q == NULL) { ++ SCLogDebug("not found: mismatch"); ++ goto failure; ++ } ++ ++ SCLogDebug("ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, ++ q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts); ++ StreamTcp3whsStoreSynApplyToSsn(ssn, q); ++ return true; ++failure: ++ if (!seq_match) { ++ StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK); ++ } else if (ts_mismatch) { ++ StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP); ++ } ++ return false; ++} ++ ++/** \internal ++ * \brief handle SYN/ACK on SYN_SENT state (TFO case) ++ * ++ * If packet doesn't match the session, check queued states (if any) ++ * ++ * \retval true packet is accepted ++ * \retval false packet is rejected ++ */ ++static inline bool StateSynSentCheckSynAckTFO(TcpSession *ssn, Packet *p, const bool ts_mismatch) ++{ ++ const bool seq_match_tfo = SEQ_EQ(TCP_GET_ACK(p), ssn->client.next_seq); ++ const bool seq_match_nodata = SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1); ++ if (seq_match_tfo && !ts_mismatch) { ++ // ok ++ } else if (seq_match_nodata && !ts_mismatch) { ++ ssn->client.next_seq = ssn->client.isn; // reset to ISN ++ SCLogDebug("ssn %p: (TFO) next_seq reset to isn (%u)", ssn, ssn->client.next_seq); ++ StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_TFO_DATA_IGNORED); ++ ssn->flags |= STREAMTCP_FLAG_TFO_DATA_IGNORED; ++ } else { ++ /* check the queued syns */ ++ if (ssn->queue == NULL) { ++ goto failure; ++ } ++ ++ TcpStateQueue search; ++ TcpStateQueueInitFromPktSynAck(p, &search); ++ SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK looking for SEQ %u", p->pcap_cnt, ssn, search.seq); ++ ++ const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search, NULL); ++ if (q == NULL) { ++ SCLogDebug("not found: mismatch"); ++ goto failure; ++ } ++ ++ SCLogDebug("ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, ++ q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts); ++ StreamTcp3whsStoreSynApplyToSsn(ssn, q); ++ } ++ ssn->flags |= STREAMTCP_FLAG_TCP_FAST_OPEN; ++ return true; ++failure: ++ if (!seq_match_tfo && !seq_match_nodata) { ++ StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK); ++ } else if (ts_mismatch) { ++ StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP); ++ } ++ return false; + } + + /** +@@ -1965,72 +2094,38 @@ static int StreamTcpPacketStateSynSent( + + /* common case: SYN/ACK from server to client */ + if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK) && PKT_IS_TOCLIENT(p)) { +- SCLogDebug("ssn %p: SYN/ACK on SYN_SENT state for packet %" PRIu64, ssn, p->pcap_cnt); ++ SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK on SYN_SENT state for packet %" PRIu64, ++ p->pcap_cnt, ssn, p->pcap_cnt); ++ const bool ts_mismatch = !StateSynSentValidateTimestamp(ssn, p); + + if (!(TCP_HAS_TFO(p) || (ssn->flags & STREAMTCP_FLAG_TCP_FAST_OPEN))) { +- /* Check if the SYN/ACK packet ack's the earlier +- * received SYN packet. */ +- if (!(SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1))) { +- StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK); +- SCLogDebug("ssn %p: ACK mismatch, packet ACK %" PRIu32 " != " +- "%" PRIu32 " from stream", ssn, TCP_GET_ACK(p), +- ssn->client.isn + 1); ++ if (StateSynSentCheckSynAck3Whs(ssn, p, ts_mismatch)) { ++ SCLogDebug("ssn %p: ACK match, packet ACK %" PRIu32 " == " ++ "%" PRIu32 " from stream", ++ ssn, TCP_GET_ACK(p), ssn->client.isn + 1); ++ } else { ++ SCLogDebug("ssn %p: (3WHS) ACK mismatch, packet ACK %" PRIu32 " != " ++ "%" PRIu32 " from stream", ++ ssn, TCP_GET_ACK(p), ssn->client.next_seq); + return -1; + } + } else { +- if (SEQ_EQ(TCP_GET_ACK(p), ssn->client.next_seq)) { ++ if (StateSynSentCheckSynAckTFO(ssn, p, ts_mismatch)) { + SCLogDebug("ssn %p: (TFO) ACK matches next_seq, packet ACK %" PRIu32 " == " + "%" PRIu32 " from stream", + ssn, TCP_GET_ACK(p), ssn->client.next_seq); +- } else if (SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1)) { +- SCLogDebug("ssn %p: (TFO) ACK matches ISN+1, packet ACK %" PRIu32 " == " +- "%" PRIu32 " from stream", +- ssn, TCP_GET_ACK(p), ssn->client.isn + 1); +- ssn->client.next_seq = ssn->client.isn; // reset to ISN +- SCLogDebug("ssn %p: (TFO) next_seq reset to isn (%u)", ssn, ssn->client.next_seq); +- StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_TFO_DATA_IGNORED); +- ssn->flags |= STREAMTCP_FLAG_TFO_DATA_IGNORED; + } else { +- StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK); + SCLogDebug("ssn %p: (TFO) ACK mismatch, packet ACK %" PRIu32 " != " + "%" PRIu32 " from stream", ssn, TCP_GET_ACK(p), + ssn->client.next_seq); + return -1; + } +- ssn->flags |= STREAMTCP_FLAG_TCP_FAST_OPEN; +- StreamTcpPacketSetState(p, ssn, TCP_ESTABLISHED); +- } +- +- const bool ts_mismatch = !StateSynSentValidateTimestamp(ssn, p); +- if (ts_mismatch) { +- SCLogDebug("ssn %p: ts_mismatch:%s", ssn, BOOL2STR(ts_mismatch)); +- if (ssn->queue) { +- TcpStateQueue search; +- TcpStateQueueInitFromPktSynAck(p, &search); +- +- const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search); +- if (q == NULL) { +- SCLogDebug("not found: mismatch"); +- StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP); +- return -1; +- } +- SCLogDebug("ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", +- ssn, q, q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), +- q->ts); +- +- StreamTcp3whsStoreSynApplyToSsn(ssn, q); +- +- } else { +- SCLogDebug("not found: no queue"); +- StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP); +- return -1; +- } + } +- + /* clear ssn->queue on state change: TcpSession can be reused by SYN/ACK */ + StreamTcp3wsFreeQueue(ssn); + + StreamTcp3whsSynAckUpdate(ssn, p, /* no queue override */NULL); ++ SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK on SYN_SENT state: accepted", p->pcap_cnt, ssn); + return 0; + + } else if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK) && PKT_IS_TOSERVER(p)) { +-- +2.51.0 + diff --git a/patches/CVE-2025-64330.patch b/patches/CVE-2025-64330.patch new file mode 100644 index 00000000..fa98e31b --- /dev/null +++ b/patches/CVE-2025-64330.patch @@ -0,0 +1,50 @@ +From 5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc Mon Sep 17 00:00:00 2001 +From: Juliana Fajardini +Date: Fri, 31 Oct 2025 21:38:12 -0700 +Subject: [PATCH] output/alert: fix alert index access for verdict + +The engine uses p.alerts.cnt as an index to access the packet alert that +has the `pass` action for the verdict. +For IDS/IPS mode, a `pass` will always be the last signature in the +alert queue. However, that position could be either `p.alerts.cnt` or +`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert` +keyword or not. +This patch fix corner-case scenarios of: +- accessing an index out of boundaries +- off-by-one access +Without changing how the engine increments the alerts.cnt, as this is +used in many places, and would be a more invasive change. +It checks the two different scenarios, plus the case when there is only +a single match as a silent `pass` rule. + +Bug #8021 +Bug #7630 + +Origin: upstream, https://github.com/OISF/suricata/commit/5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc.patch +Bug: https://redmine.openinfosecfoundation.org/issues/8021 +Subject: Upstream fix for CVE-2025-64330 +--- + src/output-json-alert.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/output-json-alert.c b/src/output-json-alert.c +index 495b8285f..8c000cb2a 100644 +--- a/src/output-json-alert.c ++++ b/src/output-json-alert.c +@@ -702,7 +702,12 @@ void EveAddVerdict(JsonBuilder *jb, const Packet *p) + + } else if (PacketCheckAction(p, ACTION_DROP) && EngineModeIsIPS()) { + JB_SET_STRING(jb, "action", "drop"); +- } else if (p->alerts.alerts[p->alerts.cnt].action & ACTION_PASS) { ++ } else if (p->alerts.cnt == 0 || ++ (p->alerts.cnt <= packet_alert_max && ++ (p->alerts.alerts[p->alerts.cnt - 1].action & ++ (ACTION_PASS | ACTION_ALERT)) == (ACTION_PASS | ACTION_ALERT)) || ++ (p->alerts.cnt < packet_alert_max && ++ p->alerts.alerts[p->alerts.cnt].action & ACTION_PASS)) { + JB_SET_STRING(jb, "action", "pass"); + } else { + // TODO make sure we don't have a situation where this wouldn't work +-- +2.51.2 + diff --git a/patches/CVE-2025-64331.patch b/patches/CVE-2025-64331.patch new file mode 100644 index 00000000..ddd25fcb --- /dev/null +++ b/patches/CVE-2025-64331.patch @@ -0,0 +1,259 @@ +From 5abf9b81e78476f49ab074f3a74b5840747cd069 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Thu, 30 Oct 2025 11:18:15 +0100 +Subject: [PATCH] output/jsonbuilder: helper function SCJbSetPrintAsciiString + +To replace C PrintStringsToBuffer and avoid a stack alloc ++ copy + +Ticket: 8004 +(cherry picked from commit 7447651fa0956ff4ce55283a51b4a9494ec8cc6a) + +Origin: upstream, https://github.com/OISF/suricata/commit/5abf9b81e78476f49ab074f3a74b5840747cd069.patch +Bug: https://redmine.openinfosecfoundation.org/issues/8004 +Subject: Upstream fix for CVE-2025-64331 +--- + rust/src/jsonbuilder.rs | 60 +++++++++++++++++++++++++++++++++++++++++ + src/output-json-alert.c | 15 +++-------- + src/output-json-frame.c | 12 ++------- + src/output-json-http.c | 9 +------ + src/output-json.c | 36 +++++-------------------- + 5 files changed, 72 insertions(+), 60 deletions(-) + +--- a/rust/src/jsonbuilder.rs ++++ b/rust/src/jsonbuilder.rs +@@ -527,6 +527,52 @@ + } + } + ++ /// Set a key with a string value taking only ascii-printable bytes. ++ /// Non-printable characters are replaced by a dot `.`, except ++ /// CR and LF which are escaped the regular json way \r and \n ++ pub fn set_print_ascii(&mut self, key: &str, val: &[u8]) -> Result<&mut Self, JsonError> { ++ match self.current_state() { ++ State::ObjectNth => { ++ self.push(',')?; ++ } ++ State::ObjectFirst => { ++ self.set_state(State::ObjectNth); ++ } ++ _ => { ++ debug_validate_fail!("invalid state"); ++ return Err(JsonError::InvalidState); ++ } ++ } ++ self.push('"')?; ++ self.push_str(key)?; ++ self.push_str("\":\"")?; ++ for &x in val.iter() { ++ match x { ++ b'\r' => { ++ self.push_str("\\r")?; ++ } ++ b'\n'=> { ++ self.push_str("\\n")?; ++ } ++ b'"'=> { ++ self.push_str("\\\"")?; ++ } ++ b'\\'=> { ++ self.push_str("\\\\")?; ++ } ++ _ => { ++ if !x.is_ascii() || x.is_ascii_control() { ++ self.push('.')?; ++ } else { ++ self.push(x as char)?; ++ } ++ } ++ } ++ } ++ self.push('"')?; ++ Ok(self) ++ } ++ + /// Set a key and a string value (from bytes) on an object, with a limited size + pub fn set_string_from_bytes_limited(&mut self, key: &str, val: &[u8], limit: usize) -> Result<&mut Self, JsonError> { + let mut valtrunc = Vec::new(); +@@ -883,6 +929,20 @@ + } + return false; + } ++ ++#[no_mangle] ++pub unsafe extern "C" fn SCJbSetPrintAsciiString( ++ js: &mut JsonBuilder, key: *const c_char, bytes: *const u8, len: u32, ++) -> bool { ++ if bytes.is_null() || len == 0 { ++ return false; ++ } ++ if let Ok(key) = CStr::from_ptr(key).to_str() { ++ let val = std::slice::from_raw_parts(bytes, len as usize); ++ return js.set_print_ascii(key, val).is_ok(); ++ } ++ return false; ++} + + #[no_mangle] + pub unsafe extern "C" fn jb_set_base64( +--- a/src/output-json-alert.c ++++ b/src/output-json-alert.c +@@ -452,13 +452,7 @@ + } + + if (json_output_ctx->flags & LOG_JSON_PAYLOAD) { +- uint8_t printable_buf[p->payload_len + 1]; +- uint32_t offset = 0; +- PrintStringsToBuffer(printable_buf, &offset, +- p->payload_len + 1, +- p->payload, p->payload_len); +- printable_buf[p->payload_len] = '\0'; +- jb_set_string(js, "payload_printable", (char *)printable_buf); ++ SCJbSetPrintAsciiString(js, "payload_printable", p->payload, p->payload_len); + } + } + +@@ -764,11 +758,8 @@ + } + + if (json_output_ctx->flags & LOG_JSON_PAYLOAD) { +- uint8_t printable_buf[cbd.payload->offset + 1]; +- uint32_t offset = 0; +- PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), cbd.payload->buffer, +- cbd.payload->offset); +- jb_set_string(jb, "payload_printable", (char *)printable_buf); ++ SCJbSetPrintAsciiString( ++ jb, "payload_printable", cbd.payload->buffer, cbd.payload->offset); + } + return true; + } +--- a/src/output-json-frame.c ++++ b/src/output-json-frame.c +@@ -202,11 +202,7 @@ + + if (cbd.payload->offset) { + jb_set_base64(jb, "payload", cbd.payload->buffer, cbd.payload->offset); +- uint8_t printable_buf[cbd.payload->offset + 1]; +- uint32_t offset = 0; +- PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), cbd.payload->buffer, +- cbd.payload->offset); +- jb_set_string(jb, "payload_printable", (char *)printable_buf); ++ SCJbSetPrintAsciiString(jb, "payload_printable", cbd.payload->buffer, cbd.payload->offset); + jb_set_bool(jb, "complete", complete); + } + } +@@ -235,11 +231,7 @@ + const uint32_t log_data_len = MIN(data_len, 256); + jb_set_base64(js, "payload", data, log_data_len); + +- uint8_t printable_buf[log_data_len + 1]; +- uint32_t o = 0; +- PrintStringsToBuffer(printable_buf, &o, log_data_len + 1, data, log_data_len); +- printable_buf[log_data_len] = '\0'; +- jb_set_string(js, "payload_printable", (char *)printable_buf); ++ SCJbSetPrintAsciiString(js, "payload_printable", data, log_data_len); + #if 0 + char pretty_buf[data_len * 4 + 1]; + pretty_buf[0] = '\0'; +--- a/src/output-json-http.c ++++ b/src/output-json-http.c +@@ -366,7 +366,6 @@ + static void BodyPrintableBuffer(JsonBuilder *js, HtpBody *body, const char *key) + { + if (body->sb != NULL && body->sb->region.buf != NULL) { +- uint32_t offset = 0; + const uint8_t *body_data; + uint32_t body_data_len; + uint64_t body_offset; +@@ -376,13 +375,7 @@ + return; + } + +- uint8_t printable_buf[body_data_len + 1]; +- PrintStringsToBuffer(printable_buf, &offset, +- sizeof(printable_buf), +- body_data, body_data_len); +- if (offset > 0) { +- jb_set_string(js, key, (char *)printable_buf); +- } ++ SCJbSetPrintAsciiString(js, key, body_data, body_data_len); + } + } + +--- a/src/output-json.c ++++ b/src/output-json.c +@@ -210,22 +210,10 @@ + PrintStringsToBuffer(keybuf, &offset, + sizeof(keybuf), + pv->key, pv->key_len); +- uint32_t len = pv->value_len; +- uint8_t printable_buf[len + 1]; +- offset = 0; +- PrintStringsToBuffer(printable_buf, &offset, +- sizeof(printable_buf), +- pv->value, pv->value_len); +- jb_set_string(js_vars, (char *)keybuf, (char *)printable_buf); ++ SCJbSetPrintAsciiString(js_vars, (char *)keybuf, pv->value, pv->value_len); + } else { + const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR); +- uint32_t len = pv->value_len; +- uint8_t printable_buf[len + 1]; +- uint32_t offset = 0; +- PrintStringsToBuffer(printable_buf, &offset, +- sizeof(printable_buf), +- pv->value, pv->value_len); +- jb_set_string(js_vars, varname, (char *)printable_buf); ++ SCJbSetPrintAsciiString(js_vars, varname, pv->value, pv->value_len); + } + jb_close(js_vars); + } +@@ -276,15 +264,9 @@ + break; + } + +- uint32_t len = fv->data.fv_str.value_len; +- uint8_t printable_buf[len + 1]; +- uint32_t offset = 0; +- PrintStringsToBuffer(printable_buf, &offset, +- sizeof(printable_buf), +- fv->data.fv_str.value, fv->data.fv_str.value_len); +- + jb_start_object(js_flowvars); +- jb_set_string(js_flowvars, varname, (char *)printable_buf); ++ SCJbSetPrintAsciiString( ++ js_flowvars, varname, fv->data.fv_str.value, fv->data.fv_str.value_len); + jb_close(js_flowvars); + } + } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) { +@@ -300,15 +282,9 @@ + sizeof(keybuf), + fv->key, fv->keylen); + +- uint32_t len = fv->data.fv_str.value_len; +- uint8_t printable_buf[len + 1]; +- offset = 0; +- PrintStringsToBuffer(printable_buf, &offset, +- sizeof(printable_buf), +- fv->data.fv_str.value, fv->data.fv_str.value_len); +- + jb_start_object(js_flowvars); +- jb_set_string(js_flowvars, (const char *)keybuf, (char *)printable_buf); ++ SCJbSetPrintAsciiString(js_flowvars, (const char *)keybuf, fv->data.fv_str.value, ++ fv->data.fv_str.value_len); + jb_close(js_flowvars); + } else if (fv->datatype == FLOWVAR_TYPE_INT) { + const char *varname = VarNameStoreLookupById(fv->idx, +--- a/rust/dist/rust-bindings.h ++++ b/rust/dist/rust-bindings.h +@@ -4898,6 +4898,11 @@ + const uint8_t *bytes, + uint32_t len); + ++bool SCJbSetPrintAsciiString(struct JsonBuilder *js, ++ const char *key, ++ const uint8_t *bytes, ++ uint32_t len); ++ + bool jb_set_base64(struct JsonBuilder *js, + const char *key, + const uint8_t *bytes, diff --git a/patches/CVE-2025-64332.patch b/patches/CVE-2025-64332.patch new file mode 100644 index 00000000..6d7e34c5 --- /dev/null +++ b/patches/CVE-2025-64332.patch @@ -0,0 +1,44 @@ +From f67d72702a2601d0a86ac1450686e70d7176f629 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Thu, 30 Oct 2025 11:27:22 +0100 +Subject: [PATCH] util/swf: move allocation from stack to heap + +As it can overflow the stack + +Ticket: 8055 +(cherry picked from commit a84addb771846f6d4d55ec535a4591f58369e49c) + +Origin: upstream, https://github.com/OISF/suricata/commit/f67d72702a2601d0a86ac1450686e70d7176f629.patch +Bug: https://redmine.openinfosecfoundation.org/issues/8055 +Subject: Upstream fix for CVE-2025-64332 +--- + src/util-file-decompression.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/util-file-decompression.c b/src/util-file-decompression.c +index dfafdc87f..bf65b0b7c 100644 +--- a/src/util-file-decompression.c ++++ b/src/util-file-decompression.c +@@ -169,7 +169,10 @@ int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, + * | LZMA properties | Uncompressed length | Compressed data | + */ + compressed_data_len += 13; +- uint8_t compressed_data[compressed_data_len]; ++ uint8_t *compressed_data = SCCalloc(1, compressed_data_len); ++ if (compressed_data == NULL) { ++ goto error; ++ } + /* put lzma properties */ + memcpy(compressed_data, buffer + 12, 5); + /* put lzma end marker */ +@@ -183,6 +186,7 @@ int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, + r = FileSwfLzmaDecompression(det_ctx, + compressed_data, compressed_data_len, + out_buffer->buf + 8, out_buffer->len - 8); ++ SCFree(compressed_data); + if (r == 0) + goto error; + } else { +-- +2.51.2 + diff --git a/patches/CVE-2025-64333.patch b/patches/CVE-2025-64333.patch new file mode 100644 index 00000000..59b50135 --- /dev/null +++ b/patches/CVE-2025-64333.patch @@ -0,0 +1,45 @@ +From 4b1d284bb57219b6677a8bda5cdc14a24a6aa22d Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Thu, 30 Oct 2025 11:43:27 +0100 +Subject: [PATCH] output/http: log content-type like other headers + +Ticket: 8056 + +Avoid stack allocation. +Do not handle null and ; especially + +(cherry picked from commit b8411fcc8dfc16910c3080d4d8c03a9a64c3a1f7) + +Origin: upstream, https://github.com/OISF/suricata/commit/4b1d284bb57219b6677a8bda5cdc14a24a6aa22d.patch +Bug: https://redmine.openinfosecfoundation.org/issues/8056 +Subject: Upstream fix for CVE-2025-64333 +--- + src/output-json-http.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/src/output-json-http.c b/src/output-json-http.c +index bd3f6a116..87191caa9 100644 +--- a/src/output-json-http.c ++++ b/src/output-json-http.c +@@ -237,13 +237,12 @@ static void EveHttpLogJSONBasic(JsonBuilder *js, htp_tx_t *tx) + if (tx->response_headers != NULL) { + htp_header_t *h_content_type = htp_table_get_c(tx->response_headers, "content-type"); + if (h_content_type != NULL) { +- const size_t size = bstr_len(h_content_type->value) * 2 + 1; +- char string[size]; +- BytesToStringBuffer(bstr_ptr(h_content_type->value), bstr_len(h_content_type->value), string, size); +- char *p = strchr(string, ';'); ++ uint32_t len = (uint32_t)bstr_len(h_content_type->value); ++ const uint8_t *p = memchr(bstr_ptr(h_content_type->value), ';', len); + if (p != NULL) +- *p = '\0'; +- jb_set_string(js, "http_content_type", string); ++ len = (uint32_t)(p - bstr_ptr(h_content_type->value)); ++ jb_set_string_from_bytes( ++ js, "http_content_type", bstr_ptr(h_content_type->value), len); + } + htp_header_t *h_content_range = htp_table_get_c(tx->response_headers, "content-range"); + if (h_content_range != NULL) { +-- +2.51.2 + diff --git a/patches/CVE-2025-64344.patch b/patches/CVE-2025-64344.patch new file mode 100644 index 00000000..f74ce108 --- /dev/null +++ b/patches/CVE-2025-64344.patch @@ -0,0 +1,50 @@ +From a7ff4c9ba53009680c7cd128b16c28d0aeda9886 Mon Sep 17 00:00:00 2001 +From: Victor Julien +Date: Fri, 31 Oct 2025 09:38:55 +0100 +Subject: [PATCH] lua: remove luajit pushlstring workaround + +81ee6f5aadeb ("lua: push correct length back through ScFlowvarGet, work around valgrind warning") +added a workaround for valgrind warnings in pushing a string buffer +into the lua state. This is no longer needed as tested with both +address sanitizer and valgrind. + +(cherry picked from commit 52fd61dffdfa50c9a2d4ec24865a54da0b8f0a2a) + +Origin: upstream, https://github.com/OISF/suricata/commit/a7ff4c9ba53009680c7cd128b16c28d0aeda9886.patch +Bug: https://redmine.openinfosecfoundation.org/issues/8065 +Subject: Upstream fix for CVE-2025-64344 +--- + src/util-lua.c | 17 +---------------- + 1 file changed, 1 insertion(+), 16 deletions(-) + +diff --git a/src/util-lua.c b/src/util-lua.c +index 9e65c3017..3dd1d3150 100644 +--- a/src/util-lua.c ++++ b/src/util-lua.c +@@ -328,22 +328,7 @@ void LuaPrintStack(lua_State *state) { + + int LuaPushStringBuffer(lua_State *luastate, const uint8_t *input, size_t input_len) + { +- if (input_len % 4 != 0) { +- /* we're using a buffer sized at a multiple of 4 as lua_pushlstring generates +- * invalid read errors in valgrind otherwise. Adding in a nul to be sure. +- * +- * Buffer size = len + 1 (for nul) + whatever makes it a multiple of 4 */ +- size_t buflen = input_len + 1 + ((input_len + 1) % 4); +- uint8_t buf[buflen]; +- memset(buf, 0x00, buflen); +- memcpy(buf, input, input_len); +- buf[input_len] = '\0'; +- +- /* return value through luastate, as a luastring */ +- lua_pushlstring(luastate, (char *)buf, input_len); +- } else { +- lua_pushlstring(luastate, (char *)input, input_len); +- } ++ lua_pushlstring(luastate, (char *)input, input_len); + return 1; + } + +-- +2.51.2 + diff --git a/patches/avoid-to-include-if_tunnel-h.patch b/patches/avoid-to-include-if_tunnel-h.patch new file mode 100644 index 00000000..1a40ec72 --- /dev/null +++ b/patches/avoid-to-include-if_tunnel-h.patch @@ -0,0 +1,34 @@ +From 6f7636cfc6dffb387afe21f4f3bff119f8d8e033 Mon Sep 17 00:00:00 2001 +From: Eric Leblond +Date: Thu, 31 Oct 2019 13:29:56 +0100 +Subject: [PATCH] ebpf: avoid to include if_tunnel.h + +This is causing a dependency issue as file from another architecture +have to be installed. +--- + ebpf/xdp_lb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/ebpf/xdp_lb.c ++++ b/ebpf/xdp_lb.c +@@ -26,7 +26,6 @@ + /* Workaround to avoid the need of 32bit headers */ + #define _LINUX_IF_H + #define IFNAMSIZ 16 +-#include + #include + #include + #include +@@ -35,6 +34,12 @@ + + #include "hash_func01.h" + ++#define GRE_CSUM __cpu_to_be16(0x8000) ++#define GRE_ROUTING __cpu_to_be16(0x4000) ++#define GRE_KEY __cpu_to_be16(0x2000) ++#define GRE_SEQ __cpu_to_be16(0x1000) ++#define GRE_VERSION __cpu_to_be16(0x0007) ++ + #define LINUX_VERSION_CODE 263682 + + /* Hashing initval */ diff --git a/patches/configure-clang-variable.patch b/patches/configure-clang-variable.patch new file mode 100644 index 00000000..6aae947a --- /dev/null +++ b/patches/configure-clang-variable.patch @@ -0,0 +1,26 @@ +From: Hilko Bengen +Date: Tue, 22 Jan 2019 18:10:47 +0100 +Subject: configure: Introduce CLANG variable + +--- + configure.ac | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/configure.ac ++++ b/configure.ac +@@ -38,6 +38,15 @@ + + AC_SUBST([CLANG]) + ++ AC_ARG_WITH([clang], ++ [CLANG compiler], ++ [CLANG="$withval"], ++ [AS_IF([test "$compiler" = clang], ++ [CLANG="$CC"], ++ [AC_PATH_PROG([CLANG],[clang])])]) ++ ++ AC_SUBST([CLANG]) ++ + case "$compiler" in + clang) + CLANG_CFLAGS="-Wextra -Werror-implicit-function-declaration -Wno-error=unused-command-line-argument" diff --git a/patches/cross.patch b/patches/cross.patch new file mode 100644 index 00000000..ddc724d9 --- /dev/null +++ b/patches/cross.patch @@ -0,0 +1,13 @@ +--- a/configure.ac ++++ b/configure.ac +@@ -77,8 +77,8 @@ + AC_PATH_PROG(HAVE_CYGPATH, cygpath, "no") + AM_CONDITIONAL([HAVE_CYGPATH], [test "x$HAVE_CYGPATH" != "xno"]) + +- AC_PATH_PROG(HAVE_PKG_CONFIG, pkg-config, "no") +- if test "$HAVE_PKG_CONFIG" = "no"; then ++ PKG_PROG_PKG_CONFIG ++ if test "x$PKG_CONFIG" = "x"; then + echo + echo " ERROR! pkg-config not found, go get it " + echo " http://pkg-config.freedesktop.org/wiki/ " diff --git a/patches/debian-default-cfg.patch b/patches/debian-default-cfg.patch new file mode 100644 index 00000000..400da99c --- /dev/null +++ b/patches/debian-default-cfg.patch @@ -0,0 +1,43 @@ +From: Arturo Borrero Gonzalez +Subject: Debian default configuration + This patch sets Debian defaults for suricata configuration. + . + Currently, it sets a proper path for suricata unix socket. +Forwarded: not-needed +Last-Update: 2016-12-01 + +--- a/suricata.yaml.in ++++ b/suricata.yaml.in +@@ -1302,8 +1302,8 @@ + # activated in live capture mode. You can use the filename variable to set + # the file name of the socket. + unix-command: +- enabled: auto +- #filename: custom.socket ++ enabled: yes ++ filename: @e_localstatedir@suricata-command.socket + + # Magic file. The extension .mgc is added to the value here. + #magic-file: /usr/share/file/magic +--- a/src/unix-manager.c ++++ b/src/unix-manager.c +@@ -57,7 +57,7 @@ + # endif + #endif + +-#define SOCKET_PATH LOCAL_STATE_DIR "/run/suricata/" ++#define SOCKET_PATH LOCAL_STATE_DIR "/" + #define SOCKET_FILENAME "suricata-command.socket" + #define SOCKET_TARGET SOCKET_PATH SOCKET_FILENAME + +--- a/configure.ac ++++ b/configure.ac +@@ -2603,7 +2603,7 @@ + EXPAND_VARIABLE(localstatedir, e_logfilesdir, "/log/suricata/files") + EXPAND_VARIABLE(localstatedir, e_logcertsdir, "/log/suricata/certs") + EXPAND_VARIABLE(sysconfdir, e_sysconfdir, "/suricata/") +- EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/suricata") ++ EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/") + EXPAND_VARIABLE(datadir, e_datarulesdir, "/suricata/rules") + EXPAND_VARIABLE(localstatedir, e_datadir, "/lib/suricata/data") + EXPAND_VARIABLE(localstatedir, e_defaultruledir, "/lib/suricata/rules") diff --git a/patches/fix-repeated-builds.patch b/patches/fix-repeated-builds.patch new file mode 100644 index 00000000..f1749759 --- /dev/null +++ b/patches/fix-repeated-builds.patch @@ -0,0 +1,16 @@ +Description: do not clean vendor directory on distclean + dh_auto_clean calls make distclean, which in the case of Suricata also + removes the vendor directory. This breaks repeated builds. +Author: Sascha Steinbiss +Last-Update: 2018-12-26 +--- a/rust/Makefile.am ++++ b/rust/Makefile.am +@@ -77,7 +77,7 @@ + rm -f Cargo.lock + + maintainer-clean-local: +- rm -rf vendor gen ++ rm -rf gen + + check: + CARGO_HOME="$(CARGO_HOME)" @rustup_home@ \ diff --git a/patches/import-sockio-h.patch b/patches/import-sockio-h.patch new file mode 100644 index 00000000..83d87437 --- /dev/null +++ b/patches/import-sockio-h.patch @@ -0,0 +1,16 @@ +From: Eric Leblond +Date: Wed, 17 Jul 2019 12:35:12 +0200 +Subject: [PATCH] af-packet: fix build on recent Linux kernels +--- a/src/source-af-packet.c ++++ b/src/source-af-packet.c +@@ -72,6 +72,10 @@ + #include + #endif + ++#if HAVE_LINUX_SOCKIOS_H ++#include ++#endif ++ + #ifdef HAVE_PACKET_EBPF + #include + #include diff --git a/patches/llc.patch b/patches/llc.patch new file mode 100644 index 00000000..51c80282 --- /dev/null +++ b/patches/llc.patch @@ -0,0 +1,20 @@ +--- a/configure.ac ++++ b/configure.ac +@@ -478,11 +478,12 @@ + [ + AS_IF([test "$CLANG" != no], + [ +- llc_candidates=$($CLANG --version | sed -e 's/.*clang version/clang version/' | \ +- awk '/^clang version/ { +- split($3, v, "."); +- printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]]) +- }') ++ #llc_candidates=$($CLANG --version | sed -e 's/.*clang version/clang version/' | \ ++ # awk '/^clang version/ { ++ # split($3, v, "."); ++ # printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]]) ++ # }') ++ llc_candidates=llc + AC_CHECK_PROGS([LLC], [$llc_candidates], "no") + if test "$LLC" = "no"; then + AC_MSG_ERROR([unable to find any of $llc_candidates needed to build ebpf files]) diff --git a/patches/no-use-gnu.patch b/patches/no-use-gnu.patch new file mode 100644 index 00000000..c6d12d9f --- /dev/null +++ b/patches/no-use-gnu.patch @@ -0,0 +1,28 @@ +Description: Don't use __USE_GNU + __USE_GNU is a glibc-internal symbol. + AC_USE_SYSTEM_EXTENSIONS is the proper autoconf + way to enable extensions. +Author: Adrian Bunk + +--- a/configure.ac ++++ b/configure.ac +@@ -6,6 +6,7 @@ + AM_INIT_AUTOMAKE([tar-ustar subdir-objects]) + + AC_LANG([C]) ++ AC_USE_SYSTEM_EXTENSIONS + LT_INIT + PKG_PROG_PKG_CONFIG + +--- a/src/suricata-common.h ++++ b/src/suricata-common.h +@@ -33,9 +33,6 @@ + #define TRUE 1 + #define FALSE 0 + +-#define _GNU_SOURCE +-#define __USE_GNU +- + #if defined(__clang_analyzer__) + /* clang analyzer acts as DEBUG_VALIDATION in some places, so + * force this so #ifdef DEBUG_VALIDATION code gets included */ diff --git a/patches/reproducible.patch b/patches/reproducible.patch new file mode 100644 index 00000000..0727b27b --- /dev/null +++ b/patches/reproducible.patch @@ -0,0 +1,21 @@ +From: Arturo Borrero Gonzalez +Subject: Patch to make the suricata build reproducible + This patch makes some changes to the suricata build to make it reproducible + . + Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds + the build path. +Forwarded: not-needed +Last-Update: 2016-09-05 + +--- a/configure.ac ++++ b/configure.ac +@@ -2738,7 +2738,8 @@ + echo + echo "$SURICATA_BUILD_CONF" + echo "printf(" >src/build-info.h +-echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' >>src/build-info.h ++echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' \ ++ | sed 's/-fdebug-prefix-map=.*=. //' >>src/build-info.h + echo ");" >>src/build-info.h + + echo " diff --git a/patches/series b/patches/series new file mode 100644 index 00000000..bf99f825 --- /dev/null +++ b/patches/series @@ -0,0 +1,17 @@ +reproducible.patch +debian-default-cfg.patch +cross.patch +no-use-gnu.patch +fix-repeated-builds.patch +configure-clang-variable.patch +with-ebpf-includes.patch +import-sockio-h.patch +avoid-to-include-if_tunnel-h.patch +llc.patch +CVE-2025-53538.patch +CVE-2025-59147.patch +CVE-2025-64344.patch +CVE-2025-64333.patch +CVE-2025-64332.patch +CVE-2025-64331.patch +CVE-2025-64330.patch diff --git a/patches/with-ebpf-includes.patch b/patches/with-ebpf-includes.patch new file mode 100644 index 00000000..965249d1 --- /dev/null +++ b/patches/with-ebpf-includes.patch @@ -0,0 +1,41 @@ +From: Hilko Bengen +Date: Tue, 23 Jul 2019 14:43:21 +0200 +Subject: Add --with-ebpf-includes parameter + +--- + configure.ac | 4 ++++ + ebpf/Makefile.am | 3 +-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -490,6 +490,10 @@ + AC_SUBST(LLC) + ], + [AC_MSG_ERROR([clang needed to build ebpf files])]) ++ AC_ARG_WITH(ebpf_includes, ++ [ --with-ebpf-includes=DIR include directory for building eBPF programs], ++ [AC_SUBST([ebpf_includes],["$withval"])], ++ [AC_SUBST([ebpf_includes],["/usr/include/${build_alias}"])]) + ]) + + # enable debug output +--- a/ebpf/Makefile.am ++++ b/ebpf/Makefile.am +@@ -4,7 +4,7 @@ + if BUILD_EBPF + + # Maintaining a local copy of UAPI linux/bpf.h +-BPF_CFLAGS = -Iinclude ++BPF_CFLAGS = -Iinclude -I$(ebpf_includes) + + BPF_TARGETS = lb.bpf + BPF_TARGETS += filter.bpf +@@ -19,7 +19,6 @@ + $(BPF_TARGETS): %.bpf: %.c + # From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm) + ${CLANG} -Wall $(BPF_CFLAGS) -O2 \ +- -I/usr/include/$(build_cpu)-$(build_os)/ \ + -D__KERNEL__ -D__ASM_SYSREG_H \ + -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll} + # From LLVM-IR to BPF-bytecode in ELF-obj file diff --git a/rules b/rules new file mode 100755 index 00000000..9e5ee880 --- /dev/null +++ b/rules @@ -0,0 +1,97 @@ +#!/usr/bin/make -f + +# verbose mode +export DH_VERBOSE=1 + +SURICATA_DESTDIR = $(CURDIR)/debian/tmp +export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow +export CARGO_HOME = $(CURDIR)/debian/cargohome + +include /usr/share/dpkg/architecture.mk + +# workaround for linking issue on some archs +export DEB_LDFLAGS_MAINT_APPEND = -Wl,--allow-multiple-definition +EXTRA_ATOMIC_ARCHS = armel mipsel powerpc +ifneq (,$(findstring $(DEB_HOST_ARCH),$(EXTRA_ATOMIC_ARCHS))) + DEB_LDFLAGS_MAINT_APPEND += -Wl,--no-as-needed -Wl,-latomic -Wl,--as-needed + export DEB_LDFLAGS_MAINT_APPEND +endif + +LUAJIT_ARCHS = i386 amd64 powerpc mips mipsel armel armhf +HYPERSCAN_ARCHS = i386 amd64 hurd-i386 kfreebsd-amd64 x32 +EBPF_ARCHS = amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32 +DPDK_ARCHS = amd64x arm64x riscv64x ppc64elx + +LIBHTP_PKG_VERSION=$(shell dpkg-query -W -f '$${Version}' libhtp2) + +ifneq (,$(findstring $(DEB_HOST_ARCH),$(LUAJIT_ARCHS))) + ENABLE_LUAJIT="--enable-luajit" +endif + +ifneq (,$(findstring $(DEB_HOST_ARCH),$(HYPERSCAN_ARCHS))) + ENABLE_HYPERSCAN="--enable-libhs" +endif + +ifneq (,$(findstring $(DEB_HOST_ARCH)x,$(DPDK_ARCHS))) + ENABLE_DPDK="--enable-dpdk" +endif + +CI ?= $(shell $(CURDIR)/debian/building-in-ci.sh) +ifeq ($(CI),true) + ENABLE_UNITTESTS="--enable-unittests" +endif + +ifneq (,$(findstring $(DEB_HOST_ARCH),$(EBPF_ARCHS))) + ENABLE_EBPF=--enable-ebpf --enable-ebpf-build \ + --with-ebpf-includes=/usr/include/$(DEB_HOST_MULTIARCH) +endif + +CONFIGURE_ARGS = --enable-af-packet --enable-nfqueue --enable-nflog \ + --enable-gccprotect --disable-gccmarch-native \ + --with-libnss-includes=/usr/include/nss --with-libnss-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \ + --with-libnspr-includes=/usr/include/nspr --with-libnspr-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \ + --with-libevent-includes=/usr/include --with-libevent-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \ + --disable-coccinelle \ + --enable-geoip --enable-hiredis \ + --enable-non-bundled-htp \ + --disable-suricata-update \ + $(ENABLE_LUAJIT) \ + $(ENABLE_HYPERSCAN) \ + $(ENABLE_UNITTESTS) \ + $(ENABLE_EBPF) \ + $(ENABLE_DPDK) + +override_dh_auto_configure: + dh_auto_configure -- $(CONFIGURE_ARGS) + +override_dh_auto_build: + uname -a + mkdir -p $(CARGO_HOME) + dh_auto_build + +override_dh_auto_clean: + rm -rf $(CARGO_HOME) + rm -f debian/suricata.substvars + +override_dh_auto_install: + dh_auto_install --destdir=$(SURICATA_DESTDIR) + rm -rf $(SURICATA_DESTDIR)/usr/lib/python*;\ + (cd python && make prefix=$(SURICATA_DESTDIR)/usr) + # clean upstream install documentation + rm -rf $(SURICATA_DESTDIR)/usr/share/doc/suricata/* + $(foreach file, $(wildcard ebpf/*bpf), \ + install -D -t $(SURICATA_DESTDIR)/usr/lib/suricata/ebpf $(file) ;\ + ) + +override_dh_auto_test: + # do nothing + +override_dh_missing: + dh_missing --list-missing + +override_dh_gencontrol: + echo "libhtp:Version=$(LIBHTP_PKG_VERSION)" >> debian/suricata.substvars + dh_gencontrol + +%: + dh $@ --with python3 diff --git a/source/format b/source/format new file mode 100644 index 00000000..163aaf8d --- /dev/null +++ b/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/suricata.README.Debian b/suricata.README.Debian new file mode 100644 index 00000000..a1e554a0 --- /dev/null +++ b/suricata.README.Debian @@ -0,0 +1,44 @@ +Suricata for Debian +------------------- + +The engine is an Open Source Next Generation Intrusion Detection and +Prevention Tool, not intended to just replace or emulate the existing tools in +the industry, but to bring new ideas and technologies to the field. + +To run the engine with default configuration on interface eth0 (in live mode), +run the following command (as root): + suricata -c /etc/suricata/suricata.yaml -i eth0 + +To run in live NFQUEUE mode, use (as root): + suricata -c /etc/suricata/suricata.yaml -q $QUEUE_ID + +You can also run suricata on a PCAP file: + suricata -c /etc/suricata/suricata.yaml -r file.pcap + + +Daemon system integration +------------------------- + +The suricata daemon comes preconfigured to run as a system daemon with systemd. + +You can start/stop the daemon with: + % sudo systemctl start suricata.service + % sudo systemctl stop suricata.service + +You should copy /lib/systemd/system/suricata.service to +/etc/systemd/system/suricata.service and adapt the configuration to your needs. + +The sysvinit script and related files (/etc/init.d/suricata and +/etc/default/suricata) will be eventually discarted at some point in the +future. The /etc/default/suricata file is ignored by the default +suricata.service file. + +By now, there is no integration between suricata and libsystemd (so, options +like the watchdog are not supported). + + +Updating Rules +-------------- + +You should edit /etc/suricata/suricata.yaml and adjust it to fit your needs. +The recommended way to update rules is via suricata-update (also packaged in Debian). diff --git a/suricata.default b/suricata.default new file mode 100644 index 00000000..330dc591 --- /dev/null +++ b/suricata.default @@ -0,0 +1,26 @@ +# Default config for Suricata + +# set to yes to start the server in the init.d script +RUN=no + +# Configuration file to load +SURCONF=/etc/suricata/suricata.yaml + +# Listen mode: pcap, nfqueue or af-packet +# depending on this value, only one of the two following options +# will be used (af-packet uses neither). +# Please note that IPS mode is only available when using nfqueue +LISTENMODE=nfqueue + +# Interface to listen on (for pcap mode) +IFACE=eth0 + +# Queue number to listen on (for nfqueue mode) +NFQUEUE=0 + +# Load Google TCMALLOC if libtcmalloc-minimal4 is installed +# This _might_ give you very very small performance gain.... +TCMALLOC="YES" + +# Pid file +PIDFILE=/var/run/suricata.pid diff --git a/suricata.dirs b/suricata.dirs new file mode 100644 index 00000000..1d78110d --- /dev/null +++ b/suricata.dirs @@ -0,0 +1,2 @@ +etc/suricata +var/log/suricata diff --git a/suricata.init b/suricata.init new file mode 100644 index 00000000..951e42af --- /dev/null +++ b/suricata.init @@ -0,0 +1,167 @@ +#!/bin/sh -e +# +### BEGIN INIT INFO +# Provides: suricata +# Required-Start: $time $network $local_fs $remote_fs +# Required-Stop: $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Next Generation IDS/IPS +# Description: Intrusion detection system that will +# capture traffic from the network cards and will +# match against a set of known attacks. +### END INIT INFO + +# Source function library. +. /lib/lsb/init-functions + +if test -f /etc/default/suricata; then + . /etc/default/suricata +else + echo "/etc/default/suricata is missing... bailing out!" >&2 + exit 1 +fi + +# We'll add up all the options above and use them +NAME=suricata +DAEMON=/usr/bin/$NAME + +# Use this if you want the user to explicitly set 'RUN' in +# /etc/default/ +if [ "x$RUN" != "xyes" ] ; then + log_failure_msg "$NAME disabled, please adjust the configuration to your needs " + log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it." + exit 0 +fi + +check_root() { + if [ "$(id -u)" != "0" ]; then + log_failure_msg "You must be root to start, stop or restart $NAME." + exit 4 + fi +} + +check_nfqueue() { + if [ ! \( -e /proc/net/netfilter/nfnetlink_queue -o -e /proc/net/netfilter/nf_queue \) ]; then + log_warning_msg "NFQUEUE support not found !" + log_warning_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel" + fi +} + +check_run_dir() { + if [ ! -d /var/run/suricata ]; then + mkdir /var/run/suricata + chmod 0755 /var/run/suricata + fi +} + +load_libtcmalloc_minimal() { + lib="/usr/lib/libtcmalloc_minimal.so.4" + + if [ -f "$lib" ] && [ "x$TCMALLOC" = "xYES" ]; then + export LD_PRELOAD="$lib" + fi +} + +check_root + +case "$LISTENMODE" in +nfqueue) + IDMODE="IPS (nfqueue)" + LISTEN_OPTIONS=" -q $NFQUEUE" + check_nfqueue + ;; +pcap) + IDMODE="IDS (pcap)" + LISTEN_OPTIONS=" -i $IFACE" + ;; +af-packet) + IDMODE="IDS (af-packet)" + LISTEN_OPTIONS=" --af-packet" + ;; +*) + echo "Unsupported listen mode $LISTENMODE, aborting" + exit 1 + ;; +esac + +SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D" + +# See how we were called. +case "$1" in +start) + if [ -f $PIDFILE ]; then + PID1=$(cat $PIDFILE) + if kill -0 "$PID1" 2>/dev/null; then + echo "$NAME is already running with PID $PID1" + exit 0 + fi + fi + check_run_dir + echo -n "Starting suricata in $IDMODE mode..." + load_libtcmalloc_minimal + $DAEMON $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log 2>&1 & + echo " done." + ;; +stop) + echo -n "Stopping suricata: " + if [ -f $PIDFILE ]; then + PID2=$(cat $PIDFILE) + else + echo " No PID file found; not running?" + exit 0; + fi + start-stop-daemon --oknodo --stop --quiet --pidfile=$PIDFILE --exec $DAEMON + if [ -n "$PID2" ]; then + kill "$PID2" + ret=$? + sleep 2 + if kill -0 "$PID2" 2>/dev/null; then + ret=$? + echo -n "Waiting . " + cnt=0 + while kill -0 "$PID2" 2>/dev/null; do + ret=$? + cnt=$(expr "$cnt" + 1) + if [ "$cnt" -gt 10 ]; then + kill -9 "$PID2" + break + fi + sleep 2 + echo -n ". " + done + fi + fi + if [ -e $PIDFILE ]; then + rm $PIDFILE > /dev/null 2>&1 + fi + echo " done." + ;; +status) + # Check if running... + if [ -s $PIDFILE ]; then + PID3=$(cat $PIDFILE) + if kill -0 "$PID3" 2>/dev/null; then + echo "$NAME is running with PID $PID3" + exit 0 + else + echo "PID file $PIDFILE exists, but process not running!" + fi + else + echo "$NAME not running!" + fi + ;; +restart) + $0 stop + $0 start + ;; +force-reload) + $0 stop + $0 start + ;; +*) + echo "Usage: $0 {start|stop|restart|status}" + exit 1 +esac + +exit 0 diff --git a/suricata.install b/suricata.install new file mode 100644 index 00000000..3568c2ce --- /dev/null +++ b/suricata.install @@ -0,0 +1,7 @@ +etc/classification.config /etc/suricata +etc/reference.config /etc/suricata +rules/*.rules /etc/suricata/rules +suricata.yaml /etc/suricata +threshold.config /etc/suricata +usr/bin +usr/lib diff --git a/suricata.lintian-overrides b/suricata.lintian-overrides new file mode 100644 index 00000000..b44f36d3 --- /dev/null +++ b/suricata.lintian-overrides @@ -0,0 +1,4 @@ +# these are eBPF files +suricata: binary-from-other-architecture [usr/lib/suricata/ebpf/*.bpf] +suricata: unstripped-binary-or-object [usr/lib/suricata/ebpf/*.bpf] +suricata: executable-in-usr-lib [usr/lib/suricata/ebpf/*.bpf] diff --git a/suricata.logrotate b/suricata.logrotate new file mode 100644 index 00000000..e318d1c6 --- /dev/null +++ b/suricata.logrotate @@ -0,0 +1,12 @@ +/var/log/suricata/*.log +/var/log/suricata/*.json +{ + rotate 14 + missingok + compress + copytruncate + sharedscripts + postrotate + /bin/kill -HUP $(cat /var/run/suricata.pid) + endscript +} diff --git a/suricata.maintscript b/suricata.maintscript new file mode 100644 index 00000000..a700bfc1 --- /dev/null +++ b/suricata.maintscript @@ -0,0 +1,2 @@ +# Rename file +mv_conffile /etc/suricata/suricata-debian.yaml /etc/suricata/suricata.yaml 3.1-1 suricata diff --git a/suricata.manpages b/suricata.manpages new file mode 100644 index 00000000..f32b4f6e --- /dev/null +++ b/suricata.manpages @@ -0,0 +1 @@ +doc/userguide/*.1 diff --git a/suricata.preinst b/suricata.preinst new file mode 100644 index 00000000..50f71178 --- /dev/null +++ b/suricata.preinst @@ -0,0 +1,13 @@ +#!/bin/sh + +set -e + +# we do not need alternatives anymore +if update-alternatives --quiet --query suricata 2> /dev/null; then + echo "Removing legacy alternatives for Hyperscan/non-Hyperscan versions" + update-alternatives --remove-all suricata +fi + +#DEBHELPER# + +exit 0 diff --git a/suricata.service b/suricata.service new file mode 100644 index 00000000..aff98125 --- /dev/null +++ b/suricata.service @@ -0,0 +1,20 @@ +[Unit] +Description=Suricata IDS/IDP daemon +After=network.target network-online.target +Requires=network-online.target +Documentation=man:suricata(8) man:suricatasc(8) +Documentation=https://suricata.io/documentation/ + +[Service] +Type=forking +#Environment=LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.4 +PIDFile=/run/suricata.pid +ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid +ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID +ExecStop=/usr/bin/suricatasc -c shutdown +Restart=on-failure +ProtectSystem=full +ProtectHome=true + +[Install] +WantedBy=multi-user.target diff --git a/tests/control b/tests/control new file mode 100644 index 00000000..1dca1c2f --- /dev/null +++ b/tests/control @@ -0,0 +1,46 @@ +Test-Command: suricata --build-info +Depends: @ + +Test-Command: suricatasc -c "version" +Depends: @ +Restrictions: needs-root, isolation-container, flaky + +Test-Command: suricatasc -c "command-list" +Depends: @ +Restrictions: needs-root, isolation-container, flaky + +Test-Command: suricatasc -c "capture-mode" +Depends: @ +Restrictions: needs-root, isolation-container, flaky + +Test-Command: sleep 10 && suricatasc -c "dump-counters" +Depends: @ +Restrictions: needs-root, isolation-container + +Test-Command: suricatasc -c "uptime" +Depends: @ +Restrictions: needs-root, isolation-container, flaky + +Test-Command: suricatasc -c "reload-rules" +Depends: @ +Restrictions: needs-root, isolation-container, flaky + +Test-Command: suricatasc -c "iface-list" +Depends: @ +Restrictions: needs-root, isolation-container, flaky + +Test-Command: suricatasc -c "shutdown" +Depends: @ +Restrictions: needs-root, isolation-container, flaky + +Test-Command: sleep 10 && suricatasc -c "running-mode" +Depends: @ +Restrictions: needs-root, isolation-container, flaky + +Tests: systemd-service-test.sh +Depends: @, systemd, procps +Restrictions: needs-root, isolation-container, allow-stderr + +Test-Command: src/suricata -u +Depends: @, @builddeps@, procps, geoip-database +Restrictions: needs-root, isolation-container, build-needed, allow-stderr diff --git a/tests/systemd-service-test.sh b/tests/systemd-service-test.sh new file mode 100644 index 00000000..089a8b2e --- /dev/null +++ b/tests/systemd-service-test.sh @@ -0,0 +1,130 @@ +#!/bin/sh + +set -ex + +SERVICE="suricata.service" +ETC_SERVICE_FILE="/etc/systemd/system/${SERVICE}" +LIB_SERVICE_FILE="/lib/systemd/system/${SERVICE}" +CONFIG_FILE="/etc/suricata/suricata.yaml" +IFACE=$(ip route show | awk '/default/ {print $5}') + +if [ ! -r "$LIB_SERVICE_FILE" ] ; then + : ERROR unable to read $LIB_SERVICE_FILE + exit 1 +fi +if [ ! -w "$CONFIG_FILE" ] ; then + : ERROR unable to write to $CONFIG_FILE + exit 1 +fi + +systemctl_action() +{ + if ! systemctl $1 $SERVICE ; then + journalctl -u $SERVICE + return 1 + fi + return 0 +} + +echo " +%YAML 1.1 +--- +default-rule-path: /etc/suricata/rules +rule-files: + - tor.rules + - http-events.rules + - smtp-events.rules + - dns-events.rules + - tls-events.rules +classification-file: /etc/suricata/classification.config +reference-config-file: /etc/suricata/reference.config +default-log-dir: /var/log/suricata/ +af-packet: + - interface: $IFACE + cluster-id: 99 + cluster-type: cluster_flow + defrag: yes + - interface: default + tpacket-v3: yes + block-size: 131072 +app-layer: + protocols: + ssh: + enabled: yes +host-mode: auto +unix-command: + enabled: yes + filename: /var/run/suricata-command.socket +detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + grouping: + profiling: + grouping: + dump-to-disk: false + include-rules: false + include-mpm-stats: false +mpm-algo: auto +spm-algo: auto +" > $CONFIG_FILE + +# +# before start, package installation may start the daemon +# +if systemctl -q is-active $SERVICE ; then + : WARNING initial service running, stopping now + if ! systemctl_action stop ; then + : ERROR cant stop initial service + exit 1 + fi +fi + +# +# First run of the daemon and basic checks +# +if ! systemctl_action start ; then + : ERROR cant start the service + exit 1 +fi +sleep 10 # wait for service startup +systemctl status $SERVICE + +# +# Restart the daemon +# +if ! systemctl_action restart ; then + : ERROR unable to restart the service + exit 1 +fi + +sleep 10 # wait for serive startup +if ! systemctl -q is-active $SERVICE ; then + journalctl -u $SERVICE + : ERROR service not active after restart + exit 1 +fi + +# +# Reload the daemon +# + +: WARNING: Not testing daemon reload: it timeouts in ci.debian.net + +#if ! systemctl_action reload ; then +# : ERROR unable to reload the service +# exit 1 +#fi + +#sleep 10 # wait for service reload +#if ! systemctl -q is-active $SERVICE ; then +# journalctl -u $SERVICE +# : ERROR service not active after reload +# exit 1 +#fi + +: INFO all tests OK +exit 0 diff --git a/upstream/metadata b/upstream/metadata new file mode 100644 index 00000000..dc3eb20a --- /dev/null +++ b/upstream/metadata @@ -0,0 +1,4 @@ +Bug-Database: https://redmine.openinfosecfoundation.org/ +Bug-Submit: https://redmine.openinfosecfoundation.org/projects/suricata/issues/new +Repository: https://github.com/OISF/suricata.git +Repository-Browse: https://github.com/OISF/suricata diff --git a/upstream/signing-key.asc b/upstream/signing-key.asc new file mode 100644 index 00000000..0ca2ef6d --- /dev/null +++ b/upstream/signing-key.asc @@ -0,0 +1,53 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF8tFVkBEADEEXYv9T6kntaOafPMsBXJPFflcpM4VdXCnEmkY2zcQzfZ+fUB +kyc6Lh1W07EPd4zGri4Hu9V8nfH5z+23oMmvVrUgbwU62u7ioUhMEpEtLbaLCWL9 +6HSlA4XWwjJhALXKFNMWtWT5BiHHty4jXvLl/KlbYtNrV+BuWDZsSiCRto134His +Uozb82Yp76qhxdFXdUkXa7PYXJ40EYg9du4Z2l8qP3VWjDHDDrXtoChIgnTmkXkF +0AdNx9jd9OSugQbJMqi7IV2wvA4xErKMujL+7ytxdMsV0WS39dPOn1mPclYLlnq6 +XDaXcVcHpXOQfC0qniKAHA9ngdKPPG5aJ7DqnZx+G4HBOAf0qnqCT2HBzvJovDuF +7LdITO+nUiuThlh26oIoRqOfFgIAKDO+F/fRFIJYFt7q5OEwiL9HmlR7UrjLyHb8 +TqWhxocZHvP0ex6qTFMlUOZFaLVD/OC0lMFZDtHNfWIyWLmRIP4CGYia7RDyEEvn +rHqK7NCF93K5UNUuBZmWNZ5r7/wKccLSYz7wAgkeWaKBAX7bQLspTZUYOOd8Kf5+ +uYlkLd1ju1wHqR7MrVb8/l6Q7cEIpLj+1ou6HeEsKyH1oZ8BQVzkVWIHmz7gaumV +RKiycSnGqi8UnlFRUbZTW5ChLb7BL+ncBI3MuvrXvB6Ps7RlDPBD4D5AJQARAQAB +tFBPcGVuIEluZm9ybWF0aW9uIFNlY3VyaXR5IEZvdW5kYXRpb24gKE9JU0YpIDxy +ZWxlYXNlc0BvcGVuaW5mb3NlY2ZvdW5kYXRpb24ub3JnPokCVAQTAQoAPhYhBLNv +2vJgfhDo/6ieXiupyYzN8ek6BQJfLRVZAhsDBQkJZgGABQsJCAcCBhUKCQgLAgQW +AgMBAh4BAheAAAoJECupyYzN8ek6BAMP/jbjbJgNNYHQpueS6q7Jx1pNsDJ0Iqlr +2AIfrvMAkvNCQALWMoKsSPYbx+lLhTMKP48wwUTu4PcagaZ74W41kFAHN6ituIeY +QJ7nyNaccu4KRMLvWsL/LVimGIfQZDWgGvJd/ggAXZcCeSiWblCqs7isGpGwGktv +O6M824BZo2tmqBOtcL/nn3xD5v3dOM2uUr4N7qEmVQgJpYY/d5GNy2576jLT1EQ7 +Nq8VW0b76yZ7SQqX/mRA3KGJRi3/qnXsuxDdQd8hzxr4+QnH1cFjYtwsJlzzf2gm +87ZbcuNf/BccH0Nt/hRkm7wIfJgXADKdCUAb60F6Ov95+aZ4hpK/Q6jJcCF9WSEZ +UjklpYzWhSoC5AvqKcLOOnfLGfdF+gKwCD+hLvBwtkDZyYnLSkaKQ3eWbesoZnl0 +uDZAgy+4UCsh4c6DmtF2YeByybmd+cOfxZqRNIGUzC5u5ROsulB4gNjCtaTrY2ug +r0br16ypXHA8M3PB+EAF08pg1PNETecdQ+uWZmYn2vAAi0lh1YREuIaFK+P5RziU +m1uwfmsTEy7xnrHfWTZyiWdDCsjhppRiUNCqXh76ChDh2cNbiiGK7EgNLeUEyplx +s60hfa4Ht0tmo3S3R2JRs4Usn0fKigR1Vv589qjDI1DNbFC/01/IFXrKjERzdm20 +ruUEU7TOqiUwuQINBF8tFVkBEADCAk7fTNtLlFDOAmXNxW+5ILRBehswEaZvAN5J +rhc9bz4dMSWQajprEAl8HFRctEUkYHyi7cwcUPrelhwjnxOH3LuVeLLtm9i3wTCX +NUvHeOWr4DBLYnwiYZ6t7U+Isd/IQRTo9l1vBEwdMOAs7FfqSmoGvJspd42dOi4r +ph6JNss4FE5GTrb4oTx0ZrAIh7mT17e16TZywrZWKFZnl+G/YqmSolGtOrkhzm18 +l3mTa/v4hq4u+ZS8Qd9ng62sl8Ls5Krx3JCBdxn849WRJ6myS7R+hvQeLR9YH/YL +ioUVzxHXmF2xlENYsbEsVAEsHUb2G5Ot+uQcUpC2u9uzw05L+zhCbd4ffW5eTsGv +d51LvBMV1b0VUjWEmTgzqFNI5ElBnpjZ3W2eiAAWrLnGACO5Lxzf5VeWYaTDJo8O +GBYSoHovjYrFI8ZQq7J1skM/YBXROTb4zSc8rL1w81VFLvFu6lOzIA15s5iLRko7 +LSKKom04Q8BNZ1nUydlxvo/5fu4VGYtWMliWUOIePIMT1EgBqYDfQyZ/h4gSMc7j +jgb2JDfq/7WueoVTy8CNuOzewRYQOU/5P34o341Q0WO2tFNrohUqG9oDHf3Fj8eg +VwWuRv+eDUmgbpisqVoj2hH1PM45Hcp62RHJasMWUmPIlCNKfvd8+fj3+zjaAN8r +4Fv0YwARAQABiQI8BBgBCgAmFiEEs2/a8mB+EOj/qJ5eK6nJjM3x6ToFAl8tFVkC +GwwFCQlmAYAACgkQK6nJjM3x6TpE0Q/7B31BrekzAIqV4gu6wE6xXe4GwzHYsQjW +MJ0zQFXy3xPeRwVuFhfEOfX23HIpzvlM5h8OJCyifYu8vpbjqJ0/bEoUIERjQ0qe +24H8tETRWsF5xRn8FwItdU+8dBsdH77JopAf3qmKPi6PZoobb0mf6mvqK/ootiIg +8ATzbaIizw5oa4XZsjOwTh9vP7/VUAD7I8i2sxjw4BzLI9Ee4Mx+3ei95TQEXdRl +jLEIH+2DLkKZTY1czfMuWAJsWpE+xewVBgm6zB0eS51HPZAhSaMmJefJeybnG4Er +MFdWPPMXzNbr056TQzL1WIdHvB3SLSnA+MSHI8tp3LpHIqHibL1HQpUwDZo1G7jK +hXcfEMAjwVJInNPOKJo93+mgTOqt0HZvnrGtFpUGBWivGLXguDW/m++Cv7hY3M7g +I48G8dSmATEfyC0zaMACD2xmfjg86gkWsgio1Hpym/4oVDBVdT7CEXuN53QsQH5Y +4XlEJh2l/fDMBAqtPmOkH6Zl3v6PLnzrkDbVEl1Nid/Oak6h6RSbAaI+uSACPTMq +bHEYDF5K/2N6gu6/6aS6JzgCqr7G63Jghh1NtoKzmDfMl2nVL2virZDREUP7tBGa +HegFin/SNaQ/vyu4kp/Y0Q6/BnN8Pa/1ngrkxwu/fAm4wq0DNArbf15fjCC0AgYZ +z9qESk6L8Cs= +=Rr5U +-----END PGP PUBLIC KEY BLOCK----- diff --git a/watch b/watch new file mode 100644 index 00000000..b5c5136b --- /dev/null +++ b/watch @@ -0,0 +1,6 @@ +# watch control file for uscan +# run the "uscan" command to check for upstream updates and more. +# See uscan(1) for format + +version=4 +opts=pgpsigurlmangle=s/$/.sig/ https://openinfosecfoundation.org/download/ suricata-([\d\.]*)\.tar\.gz