From: Thorsten Alteholz
Date: Sun, 30 Mar 2025 10:03:02 +0000 (+0200)
Subject: Import suricata_6.0.1-3+deb11u1.debian.tar.xz
X-Git-Tag: archive/raspbian/1%6.0.1-3+rpi1+deb11u1^2~22^2
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=f805f6659a602418434529268923b737d8a25b3e;p=suricata.git
Import suricata_6.0.1-3+deb11u1.debian.tar.xz [dgit import tarball suricata 1:6.0.1-3+deb11u1 suricata_6.0.1-3+deb11u1.debian.tar.xz]
--- f805f6659a602418434529268923b737d8a25b3e
diff --git a/building-in-ci.sh b/building-in-ci.sh
new file mode 100755
index 00000000..ccf552d0
--- /dev/null
+++ b/building-in-ci.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# this script prints 'true' if any ancestor process name is any of $REGEXPS
+
+REGEXPS="debci autopkgtest adt"
+
+set -e
+
+walk()
+{
+ pid=$1
+
+ [ ! -r /proc/$pid/cmdline ] && exit 1
+
+ name=$(ps -p $pid -o cmd | tail -1)
+ for exp in $REGEXPS
+ do
+ if grep -e $exp <<< $name >/dev/null ; then
+ echo true
+ exit
+ fi
+ done
+
+ ppid=$(ps -o ppid= $pid | tr -d ' ')
+ walk $ppid
+}
+
+walk $$
diff --git a/changelog b/changelog
new file mode 100644
index 00000000..ce2f378f
--- /dev/null
+++ b/changelog
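Review bot: The patterns in `REGEXPS` are unanchored substrings, so `grep -e $exp <<< $name` inside `walk` reports `true` for any ancestor whose command line merely contains `adt` (a home directory under `/home/bradt`, an editor opened on `adt.txt`), not only for the autopkgtest/debci runners the header comment describes. Matching on word boundaries and quoting the expansions keeps the intent while closing that off: `if grep -qw -e "$exp" <<< "$name"; then` (`-w` still matches `debci`, `autopkgtest` and `adt-run` as path components, since `/` and `-` are not word characters). The header comment should also say that the check reads each ancestor's own argv via `ps -o cmd`, which any process can set for itself, so it is a convenience heuristic for skipping tests in CI rather than something to rely on for anything security-relevant. Quoting `$pid`/`$ppid` in the `ps` and `/proc` references is cheap while you are there, e.g. `ppid=$(ps -o ppid= "$pid" | tr -d ' ')`.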
@@ -0,0 +1,915 @@ +suricata (1:6.0.1-3+deb11u1) bullseye-security; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2021-45098 + Fix bypass of HTTP-based signature by faking an RST TCP packet. + * CVE-2023-35852 + Fix unintended file access in local filesystem. + * CVE-2024-32663 + Fix using large amount of memory. + * CVE-2024-37151 + Fix mishandling of multiple fragmented packets, which might lead to + policy bypass. + * CVE-2024-45796 + Fix logic error during fragment reassembly. + * CVE-2025-29918 + Fix infinite loop. + * CVE-2024-55626 + Fix buffer overflow due to large BPF filter file. + + -- Thorsten Alteholz Sun, 30 Mar 2025 12:03:02 +0200 + +suricata (1:6.0.1-3) unstable; urgency=medium + + * Address CVE-2021-35063 by backporting upstream fix. + Closes: #990835 + + -- Sascha Steinbiss Mon, 19 Jul 2021 13:26:22 +0200 + +suricata (1:6.0.1-2) unstable; urgency=medium + + * Also specify explicit separate '-latomic' reference on mipsel. + This addresses a remaining FTBFS there. + + -- Sascha Steinbiss Fri, 11 Dec 2020 09:35:57 +0100 + +suricata (1:6.0.1-1) unstable; urgency=medium + + * New upstream release. + * Disable Prelude support. + This is broken upstream, see https://redmine.openinfosecfoundation.org/issues/4065 + * Bump libhtp dependency to 0.5.36. + * Disable suricata-update, as it is a separate package in Debian. + * Add patches to fix builds with new Autoconf scripts. + * Use debhelper 13. + * Include upstream's man pages. + * Add workaround for missing '-latomic' symbols on armel. + + -- Sascha Steinbiss Thu, 08 Oct 2020 22:23:17 +0200 + +suricata (1:5.0.3-1) unstable; urgency=medium + + * New upstream release. + * Use /run instead of /var/run for pidfiles. Thanks to Michael Berg for the + patch. + Closes: #954435 + * Bump libhtp dependency to 0.5.33. + * Remove nonexistent Files entries in d/copyright. + * Use correct DEB_LDFLAGS_MAINT_APPEND in d/rules.. 
+ + -- Sascha Steinbiss Wed, 29 Apr 2020 09:34:49 +0200 + +suricata (1:5.0.2-3) unstable; urgency=medium + + * Source upload to enable testing migration. + * Bump Standards-Version. + + -- Sascha Steinbiss Sat, 22 Feb 2020 12:47:50 +0100 + +suricata (1:5.0.2-2) unstable; urgency=medium + + * Add --allow-multiple-definition linker flag to work around FTBFS on armel. + Closes: #951765 + + -- Sascha Steinbiss Sat, 22 Feb 2020 12:23:52 +0100 + +suricata (1:5.0.2-1) unstable; urgency=medium + + * New upstream release. + Closes: #951654 + * Add patch from upstream to build without needing if_tunnel.h. + This avoids a potentially foreign arch build-dep for eBPF builds. + Thanks to Eric Leblond. + * Drop patches applied upstream. + * Use debhelper-compat. + * Mark autopkgtests requiring a control socket as potentially flaky. + We cannot always predict the timing on all archs and do not want to + use them for CI gating. + Closes: #951721 + * Bring d/copyright up to date with current code base. + + -- Sascha Steinbiss Thu, 20 Feb 2020 14:55:23 +0100 + +suricata (1:4.1.5-2) unstable; urgency=medium + + * Add versioned Depends on at least libhtp version used for building. + + -- Sascha Steinbiss Wed, 09 Oct 2019 13:13:40 +0200 + +suricata (1:4.1.5-1) unstable; urgency=medium + + * New upstream release. + + -- Sascha Steinbiss Wed, 25 Sep 2019 10:24:50 +0200 + +suricata (1:4.1.4-7) unstable; urgency=medium + + * Prevent file clash with other packages writing into the Python3 + module root directory (suricata/__init__.py). + * Add patch to make suricatactl Python3-compatible. + + -- Sascha Steinbiss Wed, 18 Sep 2019 20:55:51 +0200 + +suricata (1:4.1.4-6) unstable; urgency=medium + + * Make Python components use Python3. + Closes: #938603 + + -- Sascha Steinbiss Sat, 07 Sep 2019 17:47:44 +0200 + +suricata (1:4.1.4-5) unstable; urgency=medium + + * Add patch to fix FTBFS on recent kernels. Thanks to Aurelien Jarno for + pointing this out. 
+ Closes: #934316 + + -- Sascha Steinbiss Mon, 12 Aug 2019 12:48:29 +0200 + +suricata (1:4.1.4-4) unstable; urgency=medium + + [ Hilko Bengen ] + * Patch: add --with-ebpf-includes, point to proper include directory for + kernel headers, fixing FTBFS on i386 + + [ Sascha Steinbiss ] + * Only build eBPF programs on archs with available dependencies. + + -- Sascha Steinbiss Wed, 24 Jul 2019 10:34:25 +0200 + +suricata (1:4.1.4-3) unstable; urgency=medium + + * Fix cross building by including patch that addresses abuse of + AC_CHECK_FILE. Thanks to Helmut Grohne for the patch. + Closes: #923174 + * Enable building with eBPF support. + Thanks to Hilko Bengen for the patch. + Closes: #917816 + * Create temporary CARGO_HOME to allow building with new cargo + versions when $HOME is nonexistent. + * Make autopkgtest more robust when external resources are unavailable. + Closes: #932463 + * Bump debhelper and compat to 12. + * Add Pre-Depends by Lintian's suggestion. + + -- Sascha Steinbiss Tue, 09 Jul 2019 16:47:49 +0200 + +suricata (1:4.1.4-2) unstable; urgency=medium + + * Do not install suricata-update, recommend external pkg instead. + Closes: #924096 + + -- Sascha Steinbiss Thu, 02 May 2019 17:15:48 +0200 + +suricata (1:4.1.4-1) unstable; urgency=medium + + * New upstream version 4.1.4 + - Bugs and security fixes + * Refreshed quilt patches + + -- Pierre Chifflier Wed, 01 May 2019 11:44:13 +0200 + +suricata (1:4.1.3-1) unstable; urgency=medium + + * New upstream version 4.1.3 + * Refreshed quilt patches + + -- Pierre Chifflier Fri, 08 Mar 2019 10:24:43 +0100 + +suricata (1:4.1.2-2) unstable; urgency=medium + + * Upload to unstable. + + -- Sascha Steinbiss Wed, 09 Jan 2019 12:53:47 +0100 + +suricata (1:4.1.2-1) experimental; urgency=medium + + * New upstream release. + * Add myself to uploaders. 
+ * Do not remove Rust vendor directory on distclean (Closes: #915154) + + -- Sascha Steinbiss Sun, 23 Dec 2018 10:48:27 +0000 + +suricata (1:4.1.0-2) experimental; urgency=medium + + * Disable Rust on armel for now (FTBFS) + * Add liblz4-dev to build-deps to enable pcap compression + * Update build-dependency on python:any to fix FTCBFS (Closes: #909606) + + -- Pierre Chifflier Mon, 26 Nov 2018 11:07:08 +0100 + +suricata (1:4.1.0-1) experimental; urgency=medium + + [ Arturo Borrero Gonzalez ] + * libhtp: bump soname to libhtp-0.5.24-1 + + [ Pierre Chifflier ] + * New upstream version 1:4.1.0 + * Refreshed quilt patches + * Update python code directory + * Enable rust support (i386 and amd64 only for now) + * Also enable Rust on ARM architectures + + -- Pierre Chifflier Thu, 15 Nov 2018 13:29:23 -0800 + +suricata (1:4.0.6-1) unstable; urgency=medium + + * New upstream version 1:4.0.6 + + -- Pierre Chifflier Mon, 12 Nov 2018 09:19:39 +0100 + +suricata (1:4.0.5-1) unstable; urgency=medium + + [ Sascha Steinbiss ] + * Add patches to help with cross-compiling. Thanks to Helmut Grohne + for the patch. + Closes: #895996 + * Add patches to fix building on ia64. + Thanks to Jason Duerstock and Adrian Bunk for the patches. + Closes: #890432 + * Fix spelling in debian/patches/reproducible.patch. + * Remove obsolete X-Python-Version hint. + * Use updated watchfile source URL with https support. + * Remove obsolete --parallel dh parameter. + * Use canonical Salsa Vcs-Git URL. 
+ + [ Pierre Chifflier ] + * New upstream version 1:4.0.5 + + -- Pierre Chifflier Wed, 18 Jul 2018 17:14:02 +0200 + +suricata (1:4.0.4-1) unstable; urgency=medium + + * [3f18cd8] d/control: refresh git URLs + * [17da106] New upstream version 4.0.4 (Closes: #889842) fixes CVE-2018-6794 + * [00fcf17] d/compat: bump debhelper compat level to 11 + * [45dc0db] d/control: bump std-version to 4.1.3 + + -- Arturo Borrero Gonzalez Wed, 14 Feb 2018 11:33:33 +0100 + +suricata (1:4.0.3-1) unstable; urgency=medium + + [ Sascha Steinbiss ] + * [aece4d6] New upstream version 4.0.3 + * [c23b64f] refresh patches + + [ Arturo Borrero Gonzalez ] + * [7f077ca] d/control: bump std-version to 4.1.2 + + -- Arturo Borrero Gonzalez Wed, 13 Dec 2017 11:42:18 +0100 + +suricata (1:4.0.1-2) unstable; urgency=medium + + * [d9998f8] suricata-oinkmaster.conf: update ETOPEN ruleset for suricata 4.0.0 + (Closes: #882442) + * [0beae03] suricata-oinkmaster-updater.8: fix typos + * [6e7ae75] d/: get rid of dh --with autotools-dev + + -- Arturo Borrero Gonzalez Thu, 23 Nov 2017 13:41:09 +0100 + +suricata (1:4.0.1-1) unstable; urgency=medium + + * [72d28e5] d/control: upgrade std-version to 4.1.0 + * [ea1e317] d/control: upgrade std-version to 4.1.1 + * [14fea39] d/: switch to debhelper compat 10 + * [a4715b8] New upstream version 4.0.1 + + -- Arturo Borrero Gonzalez Sat, 21 Oct 2017 12:09:27 +0200 + +suricata (1:4.0.0-5) unstable; urgency=medium + + * [392c5b2] d/t/control: allow-stderr for the internal unittest test + + -- Arturo Borrero Gonzalez Wed, 20 Sep 2017 20:27:12 +0200 + +suricata (1:4.0.0-4) unstable; urgency=medium + + * [93ee9030] d/control: enable libluajit-5.1-dev build-dep on mipsel + (Closes: #873832) + * [9527fe94] d/t/control: run suricata -u from the source tree + + -- Arturo Borrero Gonzalez Fri, 08 Sep 2017 06:06:47 +0200 + +suricata (1:4.0.0-3) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * [aa53ce82] suricata-oinkmaster-updater.8: fix typo + * [2d171d5a] 
suricata-oinkmaster-updater.8: clarify paragraph + * [90c76777] d/rules: disable dh_auto_test + * [5b311761] suricata: switch to use dbgsym package + * [9b12c48d] d/control: bump std-versions to 4.0.1 + + [ Sascha Steinbiss ] + * [c353985a] enable libevent support (Closes: #872908) + * [49ff3181] enable luajit on mipsel (Closes: #858545) + + [ Arturo Borrero Gonzalez ] + * [50ab7eae] suricata.service: update online docs link + * [5098fd7b] d/control: add dh-python to build-deps + * [f070d160] d/watch: implement signature verification + + -- Arturo Borrero Gonzalez Tue, 29 Aug 2017 23:22:48 +0200 + +suricata (1:4.0.0-2) unstable; urgency=medium + + * [449b4202] d/t/control: running suricata unittest requires + geoip-database installed + * [0bd02487] d/building-in-ci.sh: be more robust + * [edd49e4a] d/watch: more robust approach for upstream tarball generation + + -- Arturo Borrero Gonzalez Tue, 15 Aug 2017 13:45:45 +0200 + +suricata (1:4.0.0-1) unstable; urgency=medium + + * [636f10f] d/rules: actually use dh-systemd (Closes: #861732) + * [c728ed0] d/rules: cleanup comments + * [f0d9adb] suricata: switch to src:libhtp instead of the bundled one + * [fa5f8be] New upstream version 4.0.0-rc1 + * [fac7566] suricata: remove Build-Conflict with libhtp-dev + * [1bce782] suricata: explicit build-dep on new src:libhtp + * [f3aec1c] d/suricata.preinst: use strict mode (Closes: #866280) + * [c831659] suricata: support for internal unittest in autopktest + * [557ded7] New upstream version 4.0.0 + * [5d41b6c] d/t/control: the internal suricata unittest is a command test + * [7f4feaa] d/changelog: add missing entry for 4.0.0-beta1-1~exp1 + + -- Arturo Borrero Gonzalez Fri, 28 Jul 2017 05:29:48 +0200 + +suricata (4.0.0-beta1-1~exp1) unstable; urgency=medium + + * [c21347df] New upstream version 4.0.0-beta1 + * [5661b3cc] libhtp: bump soname to libhtp-0.5.24-1 + + -- Arturo Borrero Gonzalez Fri, 09 Jun 2017 20:52:10 +0200 + +suricata (3.2.1-1) unstable; urgency=medium + + [ Arturo 
Borrero Gonzalez ] + * Rebuild for unstable from 3.2.1-1~exp2 (experimental). + + [ Sascha Steinbiss ] + * [d0c3629] detect valid interface in autopkgtest + * [2d3ae00] fix typo in service file + + -- Arturo Borrero Gonzalez Thu, 16 Mar 2017 09:04:03 +0100 + +suricata (3.2.1-1~exp2) experimental; urgency=medium + + [ Sascha Steinbiss ] + * [ced48e4] suricata: migrate from old split binary scheme (Closes: #855573) + + -- Arturo Borrero Gonzalez Mon, 20 Feb 2017 13:29:37 +0100 + +suricata (3.2.1-1~exp1) experimental; urgency=medium + + * [67004c8] New upstream version 3.2.1 + * [05b1756] d/control: bump dependency on libhyperscan + * [4483d1c] suricata: drop suricata-hyperscan binary package (Closes: #851647) + + -- Arturo Borrero Gonzalez Wed, 15 Feb 2017 20:54:17 +0100 + +suricata (3.2-2) unstable; urgency=medium + + * Rebuild for unstable. + + -- Arturo Borrero Gonzalez Tue, 10 Jan 2017 09:27:59 +0100 + +suricata (3.2-2~exp1) experimental; urgency=medium + + [ Sascha Steinbiss ] + * [8c7704d] suricata: add hyperscan support (Closes: #846143) + + [ Arturo Borrero Gonzalez ] + * [209d2cf] suricata: add remaining hyperscan support + + [ Sascha Steinbiss ] + * [ec9b28a] set +x bit on d/suricata-hyperscan.install + + -- Arturo Borrero Gonzalez Thu, 22 Dec 2016 09:01:29 +0100 + +suricata (3.2-1) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * [04f5cc3] d/control: update suricata homepage to suricata-ids.org + (Closes: #844603) + + [ Sascha Steinbiss ] + * [b1cd09c] d/t/control: add some time to settle in autopkgtest + + [ Arturo Borrero Gonzalez ] + * [dde83f1] New upstream version 3.2 + * [c55dda2] d/patches/debian-default-cfg.patch: refresh patch + + -- Arturo Borrero Gonzalez Thu, 01 Dec 2016 16:22:50 +0100 + +suricata (3.1.3-3) unstable; urgency=medium + + * [e7a248d] d/tests/control: allow-stderr in the suricata-oinkmaster-updater + command + * [2caf89b] d/control: make libhtp packages Multi-Arch: same + * [825cef4] d/libhtp-0.5.23-1.lintian-overrides: 
generalize override + + -- Arturo Borrero Gonzalez Thu, 10 Nov 2016 09:42:29 +0100 + +suricata (3.1.3-2) unstable; urgency=medium + + * [5c395f9] d/tests/control: rearange suricatasc command tests + * [789723b] d/tests/control: fix typo in test command 'suricatas' + * [353e030] d/changelog: clean word with typo from the changelog + * [b4cf113] d/: add libhtp-0.5.23-1.lintian-overrides + + -- Arturo Borrero Gonzalez Wed, 09 Nov 2016 13:44:17 +0100 + +suricata (3.1.3-1) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * [165d14e] suricata-oinkmaster: move the update script to /usr/sbin + (Closes: #838129) + * [2e21734] d/tests/control: add a basic test for suricata-oinkmaster-updater + * [be640f3] suricata: split libhtp to separate binary packages + * [c41567a] suricata-oinkmaster: add manpage for suricata-oinkmaster-updater + * [b5b6483] d/copyright: refresh file + * [2be2225] d/control: add references to IPS and firewall + * [bd6a9ed] d/: add symbols file for libhtp + * [f61be7d] suricata-oinkmaster-updater.8: fix typo + * [ead4a84] d/: update email address to 'arturo@debian.org' + * [36d9b9d] d/: refresh date of manpages + + [ Sascha Steinbiss ] + * [da1c3c6] d/suricata.logrotate: use 'copytruncate' instead of 'create' + + [ Arturo Borrero Gonzalez ] + * [cd9d5d4] New upstream version 3.1.3 + * [f32a582] libhtp: symbols: refresh file + * [1e3edb0] libhtp: bump soname + * [d46497e] d/control: suricata depends on lsb-base + * [08a6195] d/copyright: refresh copyright owner for some libhtp files + + -- Arturo Borrero Gonzalez Tue, 08 Nov 2016 08:51:58 +0100 + +suricata (3.1.2-2) unstable; urgency=medium + + * [482c6f6] d/tests/control: allow-stderr for systemd-service-test.sh + * [a4eff10] d/tests/control: add tests for suricatasc + * [892096c] d/suricata.8: fix typo 'inet' vs 'init' + + -- Arturo Borrero Gonzalez Thu, 08 Sep 2016 12:46:44 +0200 + +suricata (3.1.2-1) unstable; urgency=medium + + * [4e0605d] Revert "suricata: drop support for sysvinit" + * 
[f5abe38] d/patches: add reproducible.patch. + Thanks to Christoph Berg for the pointers. + * [6569809] New upstream version 3.1.2 + * [5fea3a6] d/suricata.service: include Restart=on-failure + * [d1a973d] d/suricata.service: add ProtectSystem=full and ProtectHome=true + * [8e1cddd] d/tests/systemd-service-test.sh: don't test the reload operation by now + * [87c00b1] d/suricata.maintscript: factorize renaming of old config file + (Closes: #835643) + * [55c7a32] d/oinkmaster/suricata-oinkmaster-updater: drop warnings + * [7651669] d/oinkmaster/suricata-oinkmaster-updater: cleanup file + + -- Arturo Borrero Gonzalez Wed, 07 Sep 2016 13:25:13 +0200 + +suricata (3.1.1-4) unstable; urgency=medium + + * [c9b6efd] d/tests/: add new systemd-service-test.sh test + * [848a40f] d/README.Debian: this is not a beta release + * [0afb007] d/README.Debian: update file with systemd information + * [234ec55] d/suricata.8: update manpage + * [ebd6a8a] suricata: drop support for sysvinit + * [d8fae07] d/suricata.service: get rid of environment variables + * [5fe5359] d/suricata.service: use suricatasc for stop and reload + * [2ffd606] d/tests/systemd-service-test.sh: add tests for daemon reload + * [5196c36] d/suricata.service: require network-online.target (Closes: + #835168) + + -- Arturo Borrero Gonzalez Thu, 25 Aug 2016 14:14:20 +0200 + +suricata (3.1.1-3) unstable; urgency=medium + + * [22d26a5] suricata-oinkmaster-updater: prevent bogus if evaluation + * [4805c7a] suricata-oinkmaster-updater: dont exit with error if missing + requirements (Closes: #834029) + + -- Arturo Borrero Gonzalez Tue, 16 Aug 2016 13:53:12 +0200 + +suricata (3.1.1-2) unstable; urgency=medium + + * [833f1c5] d/: add new binary package suricata-oinkmaster + * [6155001] d/suricata.service: remove duplicated -D switch in + ExecStart= + * [6ebbd82] d/patches: add debian-default-cfg.patch [enable unix socket + by default] + * [2286eb4] d/suricatasc.1: update manpage + + -- Arturo Borrero Gonzalez Thu, 28 Jul 
2016 13:21:30 +0200 + +suricata (3.1.1-1) unstable; urgency=medium + + * [cafb099] d/suricata: rename suricata main conffile to + /etc/suricata/suricata.yaml + * [445c957] suricata: add systemd service file + * [94b93bf] Imported Upstream version 3.1.1 + + -- Arturo Borrero Gonzalez Mon, 25 Jul 2016 11:12:03 +0200 + +suricata (3.1-1) unstable; urgency=medium + + * [d2cce67] d/control: add Vcs-Browser and Vcs-Git information + * [8bb2030] Imported Upstream version 3.1 + + -- Arturo Borrero Gonzalez Tue, 21 Jun 2016 11:00:55 +0200 + +suricata (3.0.1-2) unstable; urgency=medium + + * [178f3cf] suricata: add libgeoip support + * [c8a0a0a] d/control: bump std-version to 3.9.8 + * [523203d] d/control: wrap-and-sort + * [e5abae9] suricata: add hiredis support + * [9ec82b8] d/control: get rid of XS-Testsuite directive + + -- Arturo Borrero Gonzalez Mon, 23 May 2016 11:39:40 +0200 + +suricata (3.0.1-1) unstable; urgency=medium + + * Imported Upstream version 3.0.1 + * Bump Standards Version to 3.9.7 + + -- Pierre Chifflier Fri, 08 Apr 2016 10:58:35 +0200 + +suricata (3.0-1) unstable; urgency=medium + + * Imported Upstream version 3.0 + + -- Pierre Chifflier Thu, 28 Jan 2016 06:02:41 +0100 + +suricata (2.0.11-1) unstable; urgency=medium + + * Imported Upstream version 2.0.11 + + -- Pierre Chifflier Thu, 07 Jan 2016 10:17:16 +0100 + +suricata (2.0.10-2) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * d/copyright: update file to follow Debian Policy 3.9.6.1 + * d/control: bump standards to 3.9.6 + * suricata: add nflog support (Closes: #775074) + * d/: wrap-and-sort + * d/control: architecture is linux-any + * d/rules: don't include upstream install documentation + * d/tests: add first basic test + * d/control: add missing Testsuite declaration + * suritaca: add package suricata-dbg (Closes: #753438) + * suricata sysvinit: fix libtcmalloc-minimal integration (Closes: #725249) + * d/suricata.init: cleanup file + * suricatasc: add manpage + + [ Pierre Chifflier ] + 
* Merge unstable-next branch + * Fix dependencies and priority for -dbg package + * Install manpage for suricatasc + + -- Pierre Chifflier Tue, 05 Jan 2016 21:02:40 +0100 + +suricata (2.0.10-1) unstable; urgency=medium + + * Imported Upstream version 2.0.10 + + -- Pierre Chifflier Thu, 26 Nov 2015 10:35:53 +0100 + +suricata (2.0.9-1) unstable; urgency=medium + + * Imported Upstream version 2.0.9 + * Update watch file + + -- Pierre Chifflier Fri, 25 Sep 2015 19:19:53 +0200 + +suricata (2.0.8-1) unstable; urgency=high + + [ Arturo Borrero Gonzalez ] + * d/suricata.logrotate: add logrotate configuration (Closes: #767249) + * d/patches: patch suricatasc to prevent depends on python-symplejson + (Closes: #759475) + * Revert "d/patches: patch suricatasc to prevent depends on python-symplejson" + + [ Pierre Chifflier ] + * Imported Upstream version 2.0.8 + * Bump Standards Version to 3.9.6 + Fixes CVE-2015-0971 (Integer overflow in the DER parser) + + -- Pierre Chifflier Thu, 07 May 2015 11:03:19 +0200 + +suricata (2.0.7-2) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * d/suricata.init: fix proc nfqueue file checking (Closes: #725301) + + [ Pierre Chifflier ] + * Check for both proc entries for nfqueue (backwards compatibility) and + issue warning only + + -- Pierre Chifflier Sun, 15 Mar 2015 11:17:27 +0100 + +suricata (2.0.7-1) unstable; urgency=medium + + [ Pierre Chifflier ] + * Imported Upstream version 2.0.7 + * Fix problems with upstream version import + + -- Pierre Chifflier Thu, 12 Mar 2015 07:06:49 +0100 + +suricata (2.0.6-3) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * suricata: don't deploy .so links + + [ Pierre Chifflier ] + * Add missing installation files (Closes: #778724) + * Fix .so symlinks removal + * Update default-rules-path + + -- Pierre Chifflier Thu, 19 Feb 2015 11:55:05 +0100 + +suricata (2.0.6-2) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * d/patches: drop 10-fix-missing-script-autoreconf.patch 
(Closes: #778670) + * d/rules: prevent not .so libhtp files from entering binary suricata package + + [ Pierre Chifflier ] + * Add conflicts/replaces fields for transition from libhtp (Closes: #778668) + + -- Pierre Chifflier Wed, 18 Feb 2015 11:19:31 +0100 + +suricata (2.0.6-1) unstable; urgency=medium + + [ Pierre Chifflier ] + * Imported Upstream version 2.0.6 + * Add Arturo to uploaders + + [ Arturo Borrero Gonzalez ] + * suricata: use embedded copy of libhtp (Closes: #772551) + + -- Pierre Chifflier Tue, 17 Feb 2015 11:31:22 +0100 + +suricata (2.0.4-1) unstable; urgency=high + + * Imported Upstream version 2.0.4 + * Security: fix out-of-bounds access in SSH parser (Closes: #762828) + * Urgency high, CVE-2014-6603 + Stable and Oldstable versions are not affected. + + -- Pierre Chifflier Fri, 10 Oct 2014 13:19:59 +0200 + +suricata (2.0.3-1) unstable; urgency=medium + + * Imported Upstream version 2.0.3 + + -- Pierre Chifflier Wed, 20 Aug 2014 15:06:21 +0200 + +suricata (2.0.2-1) unstable; urgency=medium + + * Imported Upstream version 2.0.2 + + -- Pierre Chifflier Sun, 29 Jun 2014 18:27:56 +0200 + +suricata (2.0-1) unstable; urgency=medium + + * Imported Upstream version 2.0 + * Update build, require a recent libhtp, and disable coccinelle tests. 
+ * Upload to unstable + + -- Pierre Chifflier Wed, 02 Apr 2014 20:23:10 +0200 + +suricata (1.4.7-1) unstable; urgency=low + + * Imported Upstream version 1.4.7 + * Bump Standards Version to 3.9.5 + * Run autoreconf during build to fix some errors caused by different + autotools versions + + -- Pierre Chifflier Sun, 29 Dec 2013 11:29:57 +0100 + +suricata (1.4.6-1) unstable; urgency=low + + * Imported Upstream version 1.4.6 + + -- Pierre Chifflier Sun, 06 Oct 2013 18:52:34 +0200 + +suricata (1.4.5-1) unstable; urgency=low + + * Imported Upstream version 1.4.5 + * Prepare transition for suricata 2.0 by conflicting with libhtp >= 0.5 + + -- Pierre Chifflier Tue, 20 Aug 2013 16:44:45 +0200 + +suricata (1.4.3-1) unstable; urgency=low + + * Imported Upstream version 1.4.3 + + -- Pierre Chifflier Thu, 04 Jul 2013 11:50:13 +0200 + +suricata (1.4.2-1) unstable; urgency=low + + * Imported Upstream version 1.4.2 + + -- Pierre Chifflier Wed, 29 May 2013 16:24:52 +0200 + +suricata (1.4.1-1) unstable; urgency=low + + * Imported Upstream version 1.4.1 + * Install python control script (add dependency on python, and use + dh_python2 for build) + * Bump Standards Version to 3.9.4 + * Fix removal of pid file in init script (Closes: #700547) + Thanks to Игорь Козинов . + * Add support for af-packet mode in init script (Closes: #697928). + Thanks to Jamie Strandboge . 
+ + -- Pierre Chifflier Tue, 21 May 2013 12:42:45 +0200 + +suricata (1.4-3) unstable; urgency=low + + * Add configure flag for luajit only on supported architectures + + -- Pierre Chifflier Sat, 22 Dec 2012 16:38:41 +0100 + +suricata (1.4-2) unstable; urgency=low + + * Fix error in init script, stop trying to manage suricata pid file + * Use arch-specific build dependencies for libluajit-5.1-dev, it is not + available on all architectures + + -- Pierre Chifflier Sat, 22 Dec 2012 15:39:57 +0100 + +suricata (1.4-1) unstable; urgency=low + + * Imported Upstream version 1.4 + * Enable Jansson and LuaJIT support, and add libjansson-dev libluajit-5.1-dev + to build-deps + * Add python to recommends, for the suricatasc script + * Create /var/run/suricata directory when starting daemon + + -- Pierre Chifflier Fri, 14 Dec 2012 00:02:51 +0100 + +suricata (1.3.5-1) unstable; urgency=low + + * Imported Upstream version 1.3.5 + + -- Pierre Chifflier Thu, 06 Dec 2012 21:13:56 +0100 + +suricata (1.3.4-1) unstable; urgency=low + + * Imported Upstream version 1.3.4 + + -- Pierre Chifflier Sat, 17 Nov 2012 09:56:08 +0100 + +suricata (1.3.3-1) unstable; urgency=low + + * Imported Upstream version 1.3.3 + + -- Pierre Chifflier Sat, 03 Nov 2012 09:38:36 +0100 + +suricata (1.3.2-1) unstable; urgency=low + + * Imported Upstream version 1.3.2 + + -- Pierre Chifflier Sat, 13 Oct 2012 12:18:33 +0200 + +suricata (1.3-1) unstable; urgency=low + + * Imported Upstream version 1.3 + * Add build-dependency on libnss3-dev and libnspr4-dev + * Bump Standards Version to 3.9.3 + + -- Pierre Chifflier Sun, 22 Jul 2012 22:27:36 +0200 + +suricata (1.2.1-2) unstable; urgency=low + + * Use override targets in rules files (Closes: #666330) + * Add support for parallel build in debian/rules + + -- Pierre Chifflier Thu, 12 Apr 2012 01:56:48 +0200 + +suricata (1.2.1-1) unstable; urgency=low + + * Imported Upstream version 1.2.1 + * Add libmagic-dev to build-deps + * Convert to DH version 9 + - Switch from 
hardening-wrapper to dpkg-buildflags + + -- Pierre Chifflier Mon, 23 Jan 2012 21:47:26 +0100 + +suricata (1.1.1-2) unstable; urgency=low + + * Add *.config files to default installation + * Trigger rebuild with libhtp versioned symbols + + -- Pierre Chifflier Thu, 05 Jan 2012 08:20:24 +0100 + +suricata (1.1.1-1) unstable; urgency=low + + * Imported Upstream version 1.1.1 + * Add configure option --enable-af-packet + + -- Pierre Chifflier Wed, 07 Dec 2011 21:52:53 +0100 + +suricata (1.1-1) unstable; urgency=low + + * Imported Upstream version 1.1 + * Add instructions on getting new rules using oinkmaster + * Add Recommends on oinkmaster + * Move snort-rules-default to Recommends + + -- Pierre Chifflier Thu, 17 Nov 2011 23:20:51 +0100 + +suricata (1.0.5-1) unstable; urgency=low + + * Imported Upstream version 1.0.5 + + -- Pierre Chifflier Wed, 27 Jul 2011 08:20:25 +0200 + +suricata (1.0.4-1) unstable; urgency=low + + * Imported Upstream version 1.0.4 + * Bump Standards Version to 3.9.2 + * Enable hardening-wrapper + + -- Pierre Chifflier Sat, 25 Jun 2011 13:45:44 +0200 + +suricata (1.0.3-1) unstable; urgency=low + + * Imported Upstream version 1.0.3 + + -- Pierre Chifflier Wed, 13 Apr 2011 16:59:32 +0200 + +suricata (1.0.2-2) unstable; urgency=low + + * Add init script (thanks to Edward Fjellskål) + * Switch to dpkg-source 3.0 (quilt) format + + -- Pierre Chifflier Sun, 19 Dec 2010 18:35:50 +0100 + +suricata (1.0.2-1) unstable; urgency=low + + * New Upstream version 1.0.2 (Closes: #598389) + + -- Pierre Chifflier Wed, 29 Sep 2010 10:02:52 +0200 + +suricata (1.0.1-1) unstable; urgency=low + + * Imported Upstream version 1.0.1 (Closes: #591559) + * Bump Standards version to 3.9.1 + * Create /var/log/suricata (Closes: #590861) + + -- Pierre Chifflier Wed, 11 Aug 2010 14:45:14 +0200 + +suricata (1.0.0-1) unstable; urgency=low + + * Imported Upstream version 1.0.0 + * Remove arch=native flag from build (Closes: #587714) + * Bump Standards version to 3.9.0 + + -- Pierre 
Chifflier Thu, 01 Jul 2010 21:28:41 +0200 + +suricata (0.9.2-1) unstable; urgency=low + + * Imported Upstream version 0.9.2 + + -- Pierre Chifflier Sat, 19 Jun 2010 17:39:14 +0200 + +suricata (0.9.1-1) unstable; urgency=low + + * Imported Upstream version 0.9.1 + * Update watch file + + -- Pierre Chifflier Wed, 26 May 2010 23:09:07 +0200 + +suricata (0.9.0-1) unstable; urgency=low + + * Imported Upstream version 0.9.0 + * Add libcap-ng-dev to build-deps + + -- Pierre Chifflier Sun, 09 May 2010 10:43:44 +0200 + +suricata (0.8.2-1) unstable; urgency=low + + * Imported Upstream version 0.8.2 + * Force selection of external libhtp during build + * Enable Prelude support + * Update watch file + + -- Pierre Chifflier Sun, 02 May 2010 10:50:05 +0200 + +suricata (0.8.0-2) unstable; urgency=low + + * Update debian/copyright to include all files + + -- Pierre Chifflier Sun, 21 Feb 2010 21:45:33 +0100 + +suricata (0.8.0-1) unstable; urgency=low + + * Initial release (Closes: #563422) + + -- Pierre Chifflier Sat, 30 Jan 2010 18:25:05 +0100 diff --git a/control b/control new file mode 100644 index 00000000..91a75a0f --- /dev/null +++ b/control 
@@ -0,0 +1,74 @@
+Source: suricata
+Section: net
+Priority: optional
+Maintainer: Pierre Chifflier
+Uploaders: Arturo Borrero Gonzalez ,
+ Sascha Steinbiss
+Build-Depends: debhelper-compat (= 13),
+ dh-python,
+ libbpf-dev [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
+ clang [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
+ llvm [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
+ libcap-ng-dev,
+ libelf-dev [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
+ libevent-dev,
+ libgeoip-dev,
+ libhiredis-dev,
+ libjansson-dev,
+ libluajit-5.1-dev [i386 amd64 powerpc mips mipsel armel armhf],
+ libhyperscan-dev (>= 4.4.0) [i386 amd64 x32],
+ rustc (>= 1.28.0),
+ cargo (>= 0.29.0),
+ liblz4-dev,
+ libmagic-dev,
+ libmaxminddb-dev,
+ libnet1-dev | libnet-dev,
+ libnetfilter-log-dev,
+ libnetfilter-queue-dev,
+ libnspr4-dev,
+ libnss3-dev,
+ libpcap-dev,
+ libpcre3-dev,
+ libyaml-dev,
+ python3:any,
+ zlib1g-dev | libz-dev,
+ libhtp-dev (>= 1:0.5.36),
+ procps
+Standards-Version: 4.5.0
+Homepage: https://www.suricata-ids.org/
+Vcs-Browser: https://salsa.debian.org/pkg-suricata-team/pkg-suricata
+Vcs-Git: https://salsa.debian.org/pkg-suricata-team/pkg-suricata.git
+
+Package: suricata
+Architecture: linux-any
+Pre-Depends: dpkg (>= 1.15.7.2), ${misc:Pre-Depends}
+Depends: ${misc:Depends}, ${python3:Depends}, ${shlibs:Depends}, libhtp2 (>= ${libhtp:Version}~), lsb-base (>= 3.0-6)
+Conflicts: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)
+Replaces: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)
+Recommends: python3, snort-rules-default, suricata-update
+Suggests: libtcmalloc-minimal4
+Description: Next Generation Intrusion Detection and Prevention Tool
+ Suricata is a network Intrusion Detection System (IDS). It is based on
+ rules (and is fully compatible with snort rules) to detect a variety of
+ attacks / probes by searching packet content.
+ .
+ It can also be used as Intrusion Prevention System (IPS), and as higher layer
+ firewall.
+ .
+ This new Engine supports Multi-Threading, Automatic Protocol Detection
+ (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast
+ IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU
+ cards.
+ .
+ This version has inline (NFQUEUE) support enabled.
+
+Package: suricata-oinkmaster
+Architecture: all
+Depends: oinkmaster, suricata (>= ${source:Version}), ${misc:Depends}
+Description: Integration package between suricata and oinkmaster
+ Suricata is a network Intrusion Detection System (IDS). It is based on
+ rules (and is fully compatible with snort rules) to detect a variety of
+ attacks / probes by searching packet content.
+ .
+ This package contains the integration bits between suricata and oinkmaster
+ to allow easy automated ruleset updates.
diff --git a/copyright b/copyright
new file mode 100644
index 00000000..1f21f25b
--- /dev/null
+++ b/copyright
@@ -0,0 +1,484 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: suricata +Source: https://suricata-ids.org/download/ +Files-Excluded: libhtp + +Files: * +Copyright: 2007-2020 Open Information Security Foundation +License: GPL-2 + +Files: aclocal.m4 +Copyright: 1996-2017 Free Software Foundation, Inc. + 2004 Scott James Remnant + 2012-2015 Dan Nicholson +License: GPL-2+ + +Files: compile + config.sub + configure +Copyright: 1992-2018 Free Software Foundation, Inc. +License: GPL-2 + +Files: config.guess +Copyright: 1992-2018 Free Software Foundation, Inc. +License: GPL-3 + +Files: contrib/Makefile.am +Copyright: 2007-2020 Open Information Security Foundation +License: GPL-2 + +Files: contrib/file_processor/* +Copyright: 2007-2020 Open Information Security Foundation +License: GPL-2 + +Files: contrib/file_processor/Action/Makefile.in +Copyright: 1989, 1991-2015, Free Software Foundation, Inc. +License: GPL-2 + +Files: contrib/file_processor/Makefile.in +Copyright: 1989, 1991-2015, Free Software Foundation, Inc. +License: GPL-2 + +Files: contrib/file_processor/Processor/Makefile.in +Copyright: 1989, 1991-2015, Free Software Foundation, Inc. +License: GPL-2 + +Files: contrib/file_processor/file_processor.pl +Copyright: 2012, Martin Holste +License: GPL-2 + +Files: contrib/suri-graphite +Copyright: 2013, 2015, Eric Leblond +License: GPL-2 + +Files: debian/* +Copyright: 2010 Pierre Chifflier + 2019-2020 Sascha Steinbiss +License: GPL-2 + +Files: debian/oinkmaster/* +Copyright: 2016 Arturo Borrero Gonzalez +License: GPL-2 + +Files: doc/Makefile.in + doc/userguide/Makefile.in +Copyright: 1989, 1991-2015, Free Software Foundation, Inc. 
+License: GPL-2 + +Files: install-sh +Copyright: 1994, X Consortium +License: Expat + +Files: ebpf/Makefile.in + etc/Makefile.in + python/Makefile.in + qa/Makefile.in + qa/coccinelle/Makefile.in + rules/Makefile.in + rust/Makefile.in + src/Makefile.in + suricata-update/Makefile* +Copyright: 1994-2017 Free Software Foundation, Inc. +License: GPL-2 + +Files: ebpf/include/linux/bpf.h +Copyright: 2011-2014 PLUMgrid +License: GPL-2 + +Files: python/suricata/ctl/loghandler.py +Copyright: 2017 Open Information Security Foundation + 2016 Jason Ish +License: GPL-2 + +Files: qa/coccinelle/sz3.cocci +Copyright: 2012 LIP6/INRIA +License: GPL-2 + +Files: qa/wirefuzz.pl +Copyright: 2010-2015 Open Information Security Foundation +License: GPL-2 + +Files: rust/gen/* +Copyright: 2017 Open Information Security Foundation +License: GPL-2 + +Files: rust/vendor/autocfg*/* +Copyright: 2018 Josh Stone +License: MIT or Apache-2.0 + +Files: rust/vendor/base64/* +Copyright: 2015 Alice Maz +License: MIT or Apache-2.0 + +Files: rust/vendor/bitflags/* +Copyright: 2014 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/build_const/* +Copyright: 2017 Garrett Berg, vitiral@gmail.com +License: MIT + +Files: rust/vendor/byteorder/* +Copyright: 2015 Andrew Gallant +License: MIT or Unlicense + +Files: rust/vendor/cloudabi/* +Copyright: 2016-2018 Nuxi (https://nuxi.nl/) and contributors +License: BSD-2-clause + +Files: rust/vendor/cookie-factory/* +Copyright: 2017 Geoffroy Couprie +License: MIT + +Files: rust/vendor/crc/* +Copyright: 2017 crc-rs Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/der-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/enum_primitive/* +Copyright: 2015 Anders Kaseorg +License: MIT + +Files: rust/vendor/fuchsia-cprng/* +Copyright: 2019 The Fuchsia Authors +License: BSD-3-clause + +Files: rust/vendor/ipsec-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: 
rust/vendor/kerberos-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/libc/* +Copyright: 2014 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/memchr/* +Copyright: 2015 Andrew Gallant +License: Unlicense or MIT + +Files: rust/vendor/nom/* +Copyright: 2014-2018 Geoffroy Couprie +License: MIT + +Files: rust/vendor/ntp-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/num*/* +Copyright: 2014 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/phf*/* +Copyright: 2014-2016 Steven Fackler +License: MIT + +Files: rust/vendor/proc-macro2/* +Copyright: 2014 Alex Crichton +License: MIT or Apache-2.0 + +Files: rust/vendor/quote/* +Copyright: 2016 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/rand*/* +Copyright: 2018 The Rand Project Developers + 2014 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/rand_pcg/* +Copyright: 2014-2017 Melissa O'Neill and PCG Project contributors + 2018 Developers of the Rand project +License: MIT or Apache-2.0 + +Files: rust/vendor/rdrand/* +Copyright: 2014 Simonas Kazlauskas +License: ISC + +Files: rust/vendor/rusticata-macros/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/siphasher/* +Copyright: 2012-2016 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/snmp-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/syn/* +Copyright: David Tolnay +License: MIT or Apache-2.0 + +Files: rust/vendor/time/* +Copyright: 2014 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/tls-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: rust/vendor/unicode-xid/* +Copyright: 2015 The Rust Project Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/version_check/* +Copyright: 2017-2018 Sergio 
Benitez +License: MIT or Apache-2.0 + +Files: rust/vendor/widestring/* +Copyright: 2016 Kathryn Long +License: MIT or Apache-2.0 + +Files: rust/vendor/winapi*/* +Copyright: 2015-2018 The winapi-rs Developers +License: MIT or Apache-2.0 + +Files: rust/vendor/x509-parser/* +Copyright: 2017 Pierre Chifflier +License: MIT or Apache-2.0 + +Files: src/Makefile.am + src/util-hash-lookup3.c + src/util-hash-lookup3.h +Copyright: 2008 Victor Julien +License: GPL-2 + +Files: src/app-layer-htp-libhtp.c + src/app-layer-htp-libhtp.h +Copyright: 2010-2013, Qualys, Inc. + 2009, 2010, Open Information Security Foundation +License: BSD-3-clause + +Files: src/app-layer-modbus.c + src/app-layer-modbus.h + src/detect-engine-modbus.c + src/detect-engine-modbus.h + src/detect-modbus.c + src/detect-modbus.h + src/detect-tls.c + src/detect-tls.h + src/util-decode-der-get.c + src/util-decode-der-get.h + src/util-decode-der.c + src/util-decode-der.h +Copyright: 2011-2015, ANSSI +License: BSD-3-clause + +Files: src/queue.h + src/win32-syslog.h +Copyright: 1982, 1986, 1988, 1991, 1993, The Regents of the University of California. +License: BSD-3-clause + +Files: src/util-decode-mime.c + src/util-decode-mime.h +Copyright: 2012, BAE Systems +License: GPL-2 + +Files: src/util-fix_checksum.c + src/util-fix_checksum.h +Copyright: 2002-2008, Henning Brauer + 2001, Daniel Hartmeier +License: BSD-2-clause +Comment: + In addition to the BSD license, the authors state the following: + Effort sponsored in part by the Defense Advanced Research Projects + Agency (DARPA) and Air Force Research Laboratory, Air Force + Materiel Command, USAF, under agreement number F30602-01-2-0537 + +Files: src/util-strlcatu.c + src/util-strlcpyu.c +Copyright: 1998, Todd C. 
Miller +License: BSD-3-clause + +Files: src/tree.h +Copyright: 2002 Niels Provos +License: BSD-2-clause + +Files: suricata-update/* +Copyright: 2017-2019 Open Information Security Foundation + 2013-2017 Jason Ish +License: GPL-2 + +Files: suricata-update/suricata/update/compat/ordereddict.py +Copyright: 2009 Raymond Hettinger +License: MIT + +License: BSD-3-clause + The BSD License + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + * Neither the name of foo nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: Expat + The MIT License + . 
+ Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated + documentation files (the "Software"), to deal in the Software + without restriction, including without limitation the rights to + use, copy, modify, merge, publish, distribute, sublicense, + and/or sell copies of the Software, and to permit persons to + whom the Software is furnished to do so, subject to the + following conditions: + . + The above copyright notice and this permission notice shall + be included in all copies or substantial portions of the + Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT + WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE AND NONINFRINGEMENT. IN NO EVENT + SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR + OTHER DEALINGS IN THE SOFTWARE. + +License: GPL-2 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Library General Public License as published by + the Free Software Foundation. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Library General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see + . + On Debian systems, the complete text of the GNU General + Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". 
+ +License: GPL-2+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991, or (at + your option) any later version. + . + On Debian systems, the complete text of version 2 of the GNU General + Public License can be found in '/usr/share/common-licenses/GPL-2'. + +License: GPL-3 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 3 dated June, 2007. + . + On Debian systems, the complete text of version 3 of the GNU General + Public License can be found in '/usr/share/common-licenses/GPL-3'. + +License: Apache-2.0 + Debian systems provide the Apache 2.0 license in + /usr/share/common-licenses/Apache-2.0 + +License: MIT + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. 
+ +License: Unlicense + This is free and unencumbered software released into the public domain. + . + Anyone is free to copy, modify, publish, use, compile, sell, or + distribute this software, either in source code form or as a compiled + binary, for any purpose, commercial or non-commercial, and by any + means. + . + In jurisdictions that recognize copyright laws, the author or authors + of this software dedicate any and all copyright interest in the + software to the public domain. We make this dedication for the benefit + of the public at large and to the detriment of our heirs and + successors. We intend this dedication to be an overt act of + relinquishment in perpetuity of all present and future rights to this + software under copyright law. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR + OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + OTHER DEALINGS IN THE SOFTWARE. + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: ISC + Permission to use, copy, modify, and/or distribute this software for any purpose with or without + fee is hereby granted, provided that the above copyright notice and this permission notice appear + in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS + SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF + THIS SOFTWARE. \ No newline at end of file diff --git a/libhtp-0.5.24-1.install b/libhtp-0.5.24-1.install new file mode 100644 index 00000000..3ddde584 --- /dev/null +++ b/libhtp-0.5.24-1.install @@ -0,0 +1 @@ +usr/lib/*/lib*.so.* diff --git a/libhtp-0.5.24-1.lintian-overrides b/libhtp-0.5.24-1.lintian-overrides new file mode 100644 index 00000000..a5b3b880 --- /dev/null +++ b/libhtp-0.5.24-1.lintian-overrides @@ -0,0 +1,2 @@ +# false positive, the link is there. Somehow lintian is confused +libhtp-0.5.24-1: dev-pkg-without-shlib-symlink diff --git a/libhtp-0.5.24-1.symbols b/libhtp-0.5.24-1.symbols new file mode 100644 index 00000000..d724f5fd --- /dev/null +++ b/libhtp-0.5.24-1.symbols 
@@ -0,0 +1,347 @@ +libhtp-0.5.24.so.1 libhtp-0.5.24-1 #MINVER# + bstr_add@Base 3.1.3 + bstr_add_c@Base 3.1.3 + bstr_add_c_noex@Base 3.1.3 + bstr_add_mem@Base 3.1.3 + bstr_add_mem_noex@Base 3.1.3 + bstr_add_noex@Base 3.1.3 + bstr_adjust_len@Base 3.1.3 + bstr_adjust_realptr@Base 3.1.3 + bstr_adjust_size@Base 3.1.3 + bstr_alloc@Base 3.1.3 + bstr_begins_with@Base 3.1.3 + bstr_begins_with_c@Base 3.1.3 + bstr_begins_with_c_nocase@Base 3.1.3 + bstr_begins_with_mem@Base 3.1.3 + bstr_begins_with_mem_nocase@Base 3.1.3 + bstr_begins_with_nocase@Base 3.1.3 + bstr_builder_append_c@Base 3.1.3 + bstr_builder_append_mem@Base 3.1.3 + bstr_builder_appendn@Base 3.1.3 + bstr_builder_clear@Base 3.1.3 + bstr_builder_create@Base 3.1.3 + bstr_builder_destroy@Base 3.1.3 + bstr_builder_size@Base 3.1.3 + bstr_builder_to_str@Base 3.1.3 + bstr_char_at@Base 3.1.3 + bstr_char_at_end@Base 3.1.3 + bstr_chop@Base 3.1.3 + bstr_chr@Base 3.1.3 + bstr_cmp@Base 3.1.3 + bstr_cmp_c@Base 3.1.3 + bstr_cmp_c_nocase@Base 3.1.3 + bstr_cmp_mem@Base 3.1.3 + bstr_cmp_mem_nocase@Base 3.1.3 + bstr_cmp_nocase@Base 3.1.3 + bstr_dup@Base 3.1.3 + bstr_dup_c@Base 3.1.3 + bstr_dup_ex@Base 3.1.3 + bstr_dup_lower@Base 3.1.3 + bstr_dup_mem@Base 3.1.3 + bstr_expand@Base 3.1.3 + bstr_free@Base 3.1.3 + bstr_index_of@Base 3.1.3 + bstr_index_of_c@Base 3.1.3 + bstr_index_of_c_nocase@Base 3.1.3 + bstr_index_of_mem@Base 3.1.3 + bstr_index_of_mem_nocase@Base 3.1.3 + bstr_index_of_nocase@Base 3.1.3 + bstr_rchr@Base 3.1.3 + bstr_to_lowercase@Base 3.1.3 + bstr_util_cmp_mem@Base 3.1.3 + bstr_util_cmp_mem_nocase@Base 3.1.3 + bstr_util_mem_index_of_c@Base 3.1.3 + bstr_util_mem_index_of_c_nocase@Base 3.1.3 + bstr_util_mem_index_of_mem@Base 3.1.3 + bstr_util_mem_index_of_mem_nocase@Base 3.1.3 + bstr_util_mem_to_pint@Base 3.1.3 + bstr_util_mem_trim@Base 3.1.3 + bstr_util_memdup_to_c@Base 3.1.3 + bstr_util_strdup_to_c@Base 3.1.3 + bstr_wrap_c@Base 3.1.3 + bstr_wrap_mem@Base 3.1.3 + fprint_bstr@Base 3.1.3 + fprint_raw_data@Base 3.1.3 + 
fprint_raw_data_ex@Base 3.1.3 + htp_base64_decode@Base 3.1.3 + htp_base64_decode_bstr@Base 3.1.3 + htp_base64_decode_mem@Base 3.1.3 + htp_base64_decode_single@Base 3.1.3 + htp_base64_decoder_init@Base 3.1.3 + htp_ch_multipart_callback_request_body_data@Base 3.1.3 + htp_ch_multipart_callback_request_headers@Base 3.1.3 + htp_ch_urlencoded_callback_request_body_data@Base 3.1.3 + htp_ch_urlencoded_callback_request_headers@Base 3.1.3 + htp_ch_urlencoded_callback_request_line@Base 3.1.3 + htp_chomp@Base 3.1.3 + htp_config_copy@Base 3.1.3 + htp_config_create@Base 3.1.3 + htp_config_destroy@Base 3.1.3 + htp_config_get_user_data@Base 3.1.3 + htp_config_register_log@Base 3.1.3 + htp_config_register_multipart_parser@Base 3.1.3 + htp_config_register_request_body_data@Base 3.1.3 + htp_config_register_request_complete@Base 3.1.3 + htp_config_register_request_file_data@Base 3.1.3 + htp_config_register_request_header_data@Base 3.1.3 + htp_config_register_request_headers@Base 3.1.3 + htp_config_register_request_line@Base 3.1.3 + htp_config_register_request_start@Base 3.1.3 + htp_config_register_request_trailer@Base 3.1.3 + htp_config_register_request_trailer_data@Base 3.1.3 + htp_config_register_request_uri_normalize@Base 3.1.3 + htp_config_register_response_body_data@Base 3.1.3 + htp_config_register_response_complete@Base 3.1.3 + htp_config_register_response_header_data@Base 3.1.3 + htp_config_register_response_headers@Base 3.1.3 + htp_config_register_response_line@Base 3.1.3 + htp_config_register_response_start@Base 3.1.3 + htp_config_register_response_trailer@Base 3.1.3 + htp_config_register_response_trailer_data@Base 3.1.3 + htp_config_register_transaction_complete@Base 3.1.3 + htp_config_register_urlencoded_parser@Base 3.1.3 + htp_config_set_backslash_convert_slashes@Base 3.1.3 + htp_config_set_bestfit_map@Base 3.1.3 + htp_config_set_bestfit_replacement_byte@Base 3.1.3 + htp_config_set_control_chars_unwanted@Base 3.1.3 + htp_config_set_convert_lowercase@Base 3.1.3 + 
htp_config_set_extract_request_files@Base 3.1.3 + htp_config_set_field_limits@Base 3.1.3 + htp_config_set_log_level@Base 3.1.3 + htp_config_set_nul_encoded_terminates@Base 3.1.3 + htp_config_set_nul_encoded_unwanted@Base 3.1.3 + htp_config_set_nul_raw_terminates@Base 3.1.3 + htp_config_set_nul_raw_unwanted@Base 3.1.3 + htp_config_set_parse_request_auth@Base 3.1.3 + htp_config_set_parse_request_cookies@Base 3.1.3 + htp_config_set_path_separators_compress@Base 3.1.3 + htp_config_set_path_separators_decode@Base 3.1.3 + htp_config_set_path_separators_encoded_unwanted@Base 3.1.3 + htp_config_set_plusspace_decode@Base 3.1.3 + htp_config_set_requestline_leading_whitespace_unwanted@Base 3.1.3 + htp_config_set_response_decompression@Base 3.1.3 + htp_config_set_response_decompression_layer_limit@Base 3.1.3 + htp_config_set_server_personality@Base 3.1.3 + htp_config_set_tmpdir@Base 3.1.3 + htp_config_set_tx_auto_destroy@Base 3.1.3 + htp_config_set_u_encoding_decode@Base 3.1.3 + htp_config_set_u_encoding_unwanted@Base 3.1.3 + htp_config_set_url_encoding_invalid_handling@Base 3.1.3 + htp_config_set_url_encoding_invalid_unwanted@Base 3.1.3 + htp_config_set_user_data@Base 3.1.3 + htp_config_set_utf8_convert_bestfit@Base 3.1.3 + htp_config_set_utf8_invalid_unwanted@Base 3.1.3 + htp_conn_close@Base 3.1.3 + htp_conn_create@Base 3.1.3 + htp_conn_destroy@Base 3.1.3 + htp_conn_open@Base 3.1.3 + htp_conn_remove_tx@Base 3.1.3 + htp_conn_track_inbound_data@Base 3.1.3 + htp_conn_track_outbound_data@Base 3.1.3 + htp_connp_REQ_BODY_CHUNKED_DATA@Base 3.1.3 + htp_connp_REQ_BODY_CHUNKED_DATA_END@Base 3.1.3 + htp_connp_REQ_BODY_CHUNKED_LENGTH@Base 3.1.3 + htp_connp_REQ_BODY_DETERMINE@Base 3.1.3 + htp_connp_REQ_BODY_IDENTITY@Base 3.1.3 + htp_connp_REQ_CONNECT_CHECK@Base 3.1.3 + htp_connp_REQ_CONNECT_PROBE_DATA@Base 3.1.3 + htp_connp_REQ_CONNECT_WAIT_RESPONSE@Base 3.1.3 + htp_connp_REQ_FINALIZE@Base 3.1.3 + htp_connp_REQ_HEADERS@Base 3.1.3 + htp_connp_REQ_IDLE@Base 3.1.3 + 
htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9@Base 3.1.3 + htp_connp_REQ_LINE@Base 3.1.3 + htp_connp_REQ_LINE_complete@Base 3.1.3 + htp_connp_REQ_PROTOCOL@Base 3.1.3 + htp_connp_RES_BODY_CHUNKED_DATA@Base 3.1.3 + htp_connp_RES_BODY_CHUNKED_DATA_END@Base 3.1.3 + htp_connp_RES_BODY_CHUNKED_LENGTH@Base 3.1.3 + htp_connp_RES_BODY_DETERMINE@Base 3.1.3 + htp_connp_RES_BODY_IDENTITY_CL_KNOWN@Base 3.1.3 + htp_connp_RES_BODY_IDENTITY_STREAM_CLOSE@Base 3.1.3 + htp_connp_RES_FINALIZE@Base 3.1.3 + htp_connp_RES_HEADERS@Base 3.1.3 + htp_connp_RES_IDLE@Base 3.1.3 + htp_connp_RES_LINE@Base 3.1.3 + htp_connp_clear_error@Base 3.1.3 + htp_connp_close@Base 3.1.3 + htp_connp_create@Base 3.1.3 + htp_connp_destroy@Base 3.1.3 + htp_connp_destroy_all@Base 3.1.3 + htp_connp_destroy_decompressors@Base 3.1.3 + htp_connp_get_connection@Base 3.1.3 + htp_connp_get_in_tx@Base 3.1.3 + htp_connp_get_last_error@Base 3.1.3 + htp_connp_get_out_tx@Base 3.1.3 + htp_connp_get_user_data@Base 3.1.3 + htp_connp_in_reset@Base 3.1.3 + htp_connp_in_state_as_string@Base 3.1.3 + htp_connp_is_line_folded@Base 3.1.3 + htp_connp_is_line_ignorable@Base 3.1.3 + htp_connp_is_line_terminator@Base 3.1.3 + htp_connp_open@Base 3.1.3 + htp_connp_out_state_as_string@Base 3.1.3 + htp_connp_req_data@Base 3.1.3 + htp_connp_req_data_consumed@Base 3.1.3 + htp_connp_req_receiver_finalize_clear@Base 3.1.3 + htp_connp_res_data@Base 3.1.3 + htp_connp_res_data_consumed@Base 3.1.3 + htp_connp_res_receiver_finalize_clear@Base 3.1.3 + htp_connp_set_user_data@Base 3.1.3 + htp_connp_tx_create@Base 3.1.3 + htp_connp_tx_remove@Base 3.1.3 + htp_convert_method_to_number@Base 3.1.3 + htp_decode_path_inplace@Base 3.1.3 + htp_extract_quoted_string_as_bstr@Base 3.1.3 + htp_get_version@Base 3.1.3 + htp_gzip_decompressor_create@Base 3.1.3 + htp_hook_copy@Base 3.1.3 + htp_hook_create@Base 3.1.3 + htp_hook_destroy@Base 3.1.3 + htp_hook_register@Base 3.1.3 + htp_hook_run_all@Base 3.1.3 + htp_hook_run_one@Base 3.1.3 + htp_is_folding_char@Base 3.1.3 + 
htp_is_line_empty@Base 3.1.3 + htp_is_line_whitespace@Base 3.1.3 + htp_is_lws@Base 3.1.3 + htp_is_separator@Base 3.1.3 + htp_is_space@Base 3.1.3 + htp_is_text@Base 3.1.3 + htp_is_token@Base 3.1.3 + htp_list_array_clear@Base 3.1.3 + htp_list_array_create@Base 3.1.3 + htp_list_array_destroy@Base 3.1.3 + htp_list_array_get@Base 3.1.3 + htp_list_array_pop@Base 3.1.3 + htp_list_array_push@Base 3.1.3 + htp_list_array_replace@Base 3.1.3 + htp_list_array_shift@Base 3.1.3 + htp_list_array_size@Base 3.1.3 + htp_log@Base 3.1.3 + htp_mpart_part_create@Base 3.1.3 + htp_mpart_part_destroy@Base 3.1.3 + htp_mpart_part_finalize_data@Base 3.1.3 + htp_mpart_part_handle_data@Base 3.1.3 + htp_mpart_part_parse_c_d@Base 3.1.3 + htp_mpart_part_process_headers@Base 3.1.3 + htp_mpartp_create@Base 3.1.3 + htp_mpartp_destroy@Base 3.1.3 + htp_mpartp_finalize@Base 3.1.3 + htp_mpartp_find_boundary@Base 3.1.3 + htp_mpartp_get_multipart@Base 3.1.3 + htp_mpartp_parse@Base 3.1.3 + htp_mpartp_parse_header@Base 3.1.3 + htp_mpartp_run_request_file_data_hook@Base 3.1.3 + htp_normalize_hostname_inplace@Base 3.1.3 + htp_normalize_parsed_uri@Base 3.1.3 + htp_normalize_uri_path_inplace@Base 3.1.3 + htp_parse_authorization@Base 3.1.3 + htp_parse_authorization_basic@Base 3.1.3 + htp_parse_authorization_digest@Base 3.1.3 + htp_parse_chunked_length@Base 3.1.3 + htp_parse_content_length@Base 3.1.3 + htp_parse_cookies_v0@Base 3.1.3 + htp_parse_ct_header@Base 3.1.3 + htp_parse_header_hostport@Base 3.1.3 + htp_parse_hostport@Base 3.1.3 + htp_parse_positive_integer_whitespace@Base 3.1.3 + htp_parse_protocol@Base 3.1.3 + htp_parse_request_header_generic@Base 3.1.3 + htp_parse_request_line_apache_2_2@Base 3.1.3 + htp_parse_request_line_generic@Base 3.1.3 + htp_parse_request_line_generic_ex@Base 3.1.3 + htp_parse_response_header_generic@Base 3.1.3 + htp_parse_response_line_generic@Base 3.1.3 + htp_parse_single_cookie_v0@Base 3.1.3 + htp_parse_status@Base 3.1.3 + htp_parse_uri@Base 3.1.3 + htp_parse_uri_hostport@Base 
3.1.3 + htp_php_parameter_processor@Base 3.1.3 + htp_process_request_header_apache_2_2@Base 3.1.3 + htp_process_request_header_generic@Base 3.1.3 + htp_process_response_header_generic@Base 3.1.3 + htp_req_run_hook_body_data@Base 3.1.3 + htp_res_run_hook_body_data@Base 3.1.3 + htp_table_add@Base 3.1.3 + htp_table_addk@Base 3.1.3 + htp_table_addn@Base 3.1.3 + htp_table_clear@Base 3.1.3 + htp_table_clear_ex@Base 3.1.3 + htp_table_create@Base 3.1.3 + htp_table_destroy@Base 3.1.3 + htp_table_destroy_ex@Base 3.1.3 + htp_table_get@Base 3.1.3 + htp_table_get_c@Base 3.1.3 + htp_table_get_index@Base 3.1.3 + htp_table_get_mem@Base 3.1.3 + htp_table_size@Base 3.1.3 + htp_transcode_bstr@Base 3.1.3 + htp_transcode_params@Base 3.1.3 + htp_treat_response_line_as_body@Base 3.1.3 + htp_tx_create@Base 3.1.3 + htp_tx_destroy@Base 3.1.3 + htp_tx_destroy_incomplete@Base 3.1.3 + htp_tx_finalize@Base 3.1.3 + htp_tx_get_is_config_shared@Base 3.1.3 + htp_tx_get_user_data@Base 3.1.3 + htp_tx_is_complete@Base 3.1.3 + htp_tx_register_request_body_data@Base 3.1.3 + htp_tx_register_response_body_data@Base 3.1.3 + htp_tx_req_add_param@Base 3.1.3 + htp_tx_req_get_param@Base 3.1.3 + htp_tx_req_get_param_ex@Base 3.1.3 + htp_tx_req_has_body@Base 3.1.3 + htp_tx_req_process_body_data@Base 3.1.3 + htp_tx_req_process_body_data_ex@Base 3.1.3 + htp_tx_req_set_header@Base 3.1.3 + htp_tx_req_set_headers_clear@Base 3.1.3 + htp_tx_req_set_line@Base 3.1.3 + htp_tx_req_set_method@Base 3.1.3 + htp_tx_req_set_method_number@Base 3.1.3 + htp_tx_req_set_parsed_uri@Base 3.1.3 + htp_tx_req_set_protocol@Base 3.1.3 + htp_tx_req_set_protocol_0_9@Base 3.1.3 + htp_tx_req_set_protocol_number@Base 3.1.3 + htp_tx_req_set_uri@Base 3.1.3 + htp_tx_request_progress_as_string@Base 3.1.3 + htp_tx_res_process_body_data@Base 3.1.3 + htp_tx_res_process_body_data_ex@Base 3.1.3 + htp_tx_res_set_header@Base 3.1.3 + htp_tx_res_set_headers_clear@Base 3.1.3 + htp_tx_res_set_protocol_number@Base 3.1.3 + htp_tx_res_set_status_code@Base 3.1.3 + 
htp_tx_res_set_status_line@Base 3.1.3
+ htp_tx_res_set_status_message@Base 3.1.3
+ htp_tx_response_progress_as_string@Base 3.1.3
+ htp_tx_set_config@Base 3.1.3
+ htp_tx_set_user_data@Base 3.1.3
+ htp_tx_state_request_complete@Base 3.1.3
+ htp_tx_state_request_complete_partial@Base 3.1.3
+ htp_tx_state_request_headers@Base 3.1.3
+ htp_tx_state_request_line@Base 3.1.3
+ htp_tx_state_request_start@Base 3.1.3
+ htp_tx_state_response_complete@Base 3.1.3
+ htp_tx_state_response_complete_ex@Base 3.1.3
+ htp_tx_state_response_headers@Base 3.1.3
+ htp_tx_state_response_line@Base 3.1.3
+ htp_tx_state_response_start@Base 3.1.3
+ htp_tx_urldecode_params_inplace@Base 3.1.3
+ htp_tx_urldecode_uri_inplace@Base 3.1.3
+ htp_unparse_uri_noencode@Base 3.1.3
+ htp_uri_alloc@Base 3.1.3
+ htp_uri_free@Base 3.1.3
+ htp_urldecode_inplace@Base 3.1.3
+ htp_urldecode_inplace_ex@Base 3.1.3
+ htp_urlenp_create@Base 3.1.3
+ htp_urlenp_destroy@Base 3.1.3
+ htp_urlenp_finalize@Base 3.1.3
+ htp_urlenp_parse_complete@Base 3.1.3
+ htp_urlenp_parse_partial@Base 3.1.3
+ htp_utf8_decode@Base 3.1.3
+ htp_utf8_decode_allow_overlong@Base 3.1.3
+ htp_utf8_decode_path_inplace@Base 3.1.3
+ htp_utf8_validate_path@Base 3.1.3
+ htp_validate_hostname@Base 3.1.3
+ strlcat@Base 3.1.3
+ strlcpy@Base 3.1.3
diff --git a/oinkmaster/suricata-oinkmaster b/oinkmaster/suricata-oinkmaster
new file mode 100755
index 00000000..80161f0f
--- /dev/null
+++ b/oinkmaster/suricata-oinkmaster
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+BIN="$(which suricata-oinkmaster-updater)"
+[ ! -x "$BIN" ] && exit 0
+$BIN
diff --git a/oinkmaster/suricata-oinkmaster-updater b/oinkmaster/suricata-oinkmaster-updater
new file mode 100755
index 00000000..4828dbe2
--- /dev/null
+++ b/oinkmaster/suricata-oinkmaster-updater
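Review bot: `BIN="$(which suricata-oinkmaster-updater)"` resolves the updater through `which`, which is not a POSIX utility and is deprecated in newer Debian debianutils; under `#!/bin/sh` the portable form is `BIN="$(command -v suricata-oinkmaster-updater)"`. The same applies to the `OINKMASTER_BIN` and `SURICATASC_BIN` assignments in oinkmaster/suricata-oinkmaster-updater in this commit. On the last line `$BIN` is unquoted; `"$BIN"` keeps the resolved path intact if it ever contains whitespace. When the updater is missing the wrapper exits 0 without a word, so if this is the scheduled entry point (the accompanying man page describes a daily cron job, so that seems likely) the job reports success although no ruleset update ran; a one-line message to stderr before the `exit 0` would surface that.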
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# Copyright (c) 2016 Arturo Borrero Gonzalez
+# This file is released under the GPLv2 license.
+#
+# Can obtain a complete copy of the license at: http://www.gnu.org/licenses/gpl-2.0.html
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+#
+# vars
+#
+
+THIS_SCRIPT_NAME=$(basename -- $0)
+OINKMASTER_BIN=$(which oinkmaster)
+SURICATASC_BIN=$(which suricatasc)
+OUTPUT_DIR="/etc/suricata/rules"
+CONFIG_FILE="/etc/suricata/suricata-oinkmaster.conf"
+
+#
+# functions
+#
+
+msg_err()
+{
+ echo "ERROR: ${THIS_SCRIPT_NAME}: $1" >&2
+ exit 1
+}
+
+#
+# main execution
+#
+
+if [ $(id -u) -ne 0 ] ; then
+ msg_err "this script requires root permissions"
+fi
+
+[ ! -x "$OINKMASTER_BIN" ] && exit 0
+[ ! -x "$SURICATASC_BIN" ] && exit 0
+[ ! -r "$CONFIG_FILE" ] && exit 0
+[ ! -d "$OUTPUT_DIR" ] && exit 0
+
+set -e
+$OINKMASTER_BIN -C $CONFIG_FILE -o $OUTPUT_DIR
+$SURICATASC_BIN -c reload-rules
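Review bot: The two `$(which ...)` lookups in the `vars` block combine with the `[ ! -x ... ] && exit 0` guards so that a missing `which` (not POSIX, and this is `#!/bin/sh`) or a cron PATH without the binaries makes the script exit 0 without updating anything — a root cron job that fails silently is the worst failure mode for a rule feed. Prefer `OINKMASTER_BIN=$(command -v oinkmaster)` / `SURICATASC_BIN=$(command -v suricatasc)` and turn at least the oinkmaster and config-file guards into `msg_err` failures so cron reports them. Because the script runs as root and resolves its binaries through PATH, an explicit `PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin` next to the other vars would make that lookup independent of the caller's environment. Enabling `set -e` only after the guards is deliberate and fine, but the final `$OINKMASTER_BIN -C $CONFIG_FILE -o $OUTPUT_DIR` line should quote its expansions like the tests above it do, and `basename -- $0` should be `basename -- "$0"`.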
diff --git a/oinkmaster/suricata-oinkmaster-updater.8 b/oinkmaster/suricata-oinkmaster-updater.8 new file mode 100644 index 00000000..db773769 --- /dev/null +++ b/oinkmaster/suricata-oinkmaster-updater.8 @@ -0,0 +1,45 @@ +.\" (C) Copyright 2016-2017 Arturo Borrero Gonzalez , +.\" +.\" +.TH SURICATA-OINKMASTER-UPDATER 8 "Nov 23, 2017" +.\" Please adjust this date whenever updating the manpage. + +.SH NAME +suricata-oinkmaster-updater \- Run oinkmaster to update suricata ruleset + +.SH SYNOPSIS +.B suricata-oinkmaster-updater + +.SH DESCRIPTION +This manual page documents briefly the \fBsuricata-oinkmaster-updater\fP +command. +.PP +\fBsuricata-oinkmaster-updater\fP is a shell script that runs +\fBoinkmaster(1)\fP to update \fBsuricata(8)\fP ruleset. +The intention is to hook the call to this script from a daily cron job, +so \fBsuricata(8)\fP rulesets are automagically updated every day. + +.SH HOW IT WORKS +The default Debian configuration will run \fBoinkmaster(1)\fP with the config +file \fI/etc/suricata/suricata-oinkmaster.conf\fP which is pre-configured to +download the \fPEmergingThreats\fP open ruleset for \fBsuricata(8)\fP. +.PP +When the download is completed, \fBsuricatasc(1)\fP will be called to +instruct \fBsuricata(8)\fP to reload the ruleset. + +.SH CONFIGURATION +By now, the only way to modify the behaviour of +\fPsuricata-oinkmaster-updater\fP is to modify the +\fI/etc/suricata/suricata-oinkmaster.conf\fP file (which is a +\fBoinkmaster(1)\fP configuration file). Or modify the shell +script itself. +.PP +More options may be added in the future. + +.SH SEE ALSO +\fBsuricata(8)\fP, \fBoinkmaster(1)\fP, \fBsuricatasc(1)\fP + +.SH ABOUT +\fBsuricata-oinkmaster-updater\fP and this manpage were written by +Arturo Borrero Gonzalez +for the Debian GNU/Linux distribution (but it may be used by others). diff --git a/oinkmaster/suricata-oinkmaster.conf b/oinkmaster/suricata-oinkmaster.conf new file mode 100644 index 00000000..85c915a6 --- /dev/null 
+++ b/oinkmaster/suricata-oinkmaster.conf @@ -0,0 +1,11 @@ +# This is a Debian specific config file for oinkmaster crafted for suricata, +# you should read oinkmaster documentation to modify this file. +# This config is loaded by default from the suricata-oinkmaster-updater binary +# which is called daily from a cronjob by default + +skipfile local.rules +skipfile deleted.rules +skipfile snort.conf +use_external_bins = 0 + +url = https://rules.emergingthreats.net/open/suricata-4.0.0/emerging.rules.tar.gz diff --git a/patches/CVE-2021-45098.patch b/patches/CVE-2021-45098.patch new file mode 100644 index 00000000..0121e7a6 --- /dev/null +++ b/patches/CVE-2021-45098.patch 
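Review bot: The `url` line pins the ET Open feed to the `suricata-4.0.0` tree while the engine this package builds is 6.0.1 (see the `suricata-6.0.1/` paths in the patches that follow), so the daily job presumably fetches a ruleset generated for an older engine and misses rules that need keywords added after 4.0 — confirm whether a 6.0.x tree is published and point `url` at it. Nothing in this configuration verifies the download beyond the TLS connection, so a comment above `url` such as `# integrity of the feed relies on https; do not downgrade this to http` would stop a well-meaning edit from removing the only protection. It would also help to say in the header comment that `skipfile local.rules` is what keeps locally maintained rules from being overwritten, since the updater writes straight into `/etc/suricata/rules` and reloads immediately.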
@@ -0,0 +1,121 @@ +commit 50e2b973eeec7172991bf8f544ab06fb782b97df +Author: Victor Julien +Date: Tue Oct 5 14:48:27 2021 +0200 + + stream/tcp: handle RST with MD5 or AO header + + Special handling for RST packets if they have an TCP MD5 or AO header option. + The options hash can't be validated. The end host might be able to validate + it, as it can have a key/password that was communicated out of band. + + The sender could use this to move the TCP state to 'CLOSED', leading to + a desync of the TCP session. + + This patch builds on top of + 843d0b7a10bb ("stream: support RST getting lost/ignored") + + It flags the receiver as having received an RST and moves the TCP state + into the CLOSED state. It then reverts this if the sender continues to + send traffic. In this case it sets the following event: + + stream-event:suspected_rst_inject; + + Bug: #4710. + +Index: suricata-6.0.1/src/decode-tcp.c +=================================================================== +--- suricata-6.0.1.orig/src/decode-tcp.c 2025-03-24 23:45:30.172534825 +0100 ++++ suricata-6.0.1/src/decode-tcp.c 2025-03-24 23:45:30.172534825 +0100 +@@ -186,6 +186,26 @@ + ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN); + } + break; ++ /* RFC 2385 MD5 option */ ++ case TCP_OPT_MD5: ++ SCLogDebug("MD5 option, len %u", olen); ++ if (olen != 18) { ++ ENGINE_SET_INVALID_EVENT(p,TCP_OPT_INVALID_LEN); ++ } else { ++ /* we can't validate the option as the key is out of band */ ++ p->tcpvars.md5_option_present = true; ++ } ++ break; ++ /* RFC 5925 AO option */ ++ case TCP_OPT_AO: ++ SCLogDebug("AU option, len %u", olen); ++ if (olen < 4) { ++ ENGINE_SET_INVALID_EVENT(p,TCP_OPT_INVALID_LEN); ++ } else { ++ /* we can't validate the option as the key is out of band */ ++ p->tcpvars.ao_option_present = true; ++ } ++ break; + } + + pkt += olen; +Index: suricata-6.0.1/src/decode-tcp.h +=================================================================== +--- suricata-6.0.1.orig/src/decode-tcp.h 2025-03-24 23:45:30.172534825 
+0100 ++++ suricata-6.0.1/src/decode-tcp.h 2025-03-24 23:45:30.172534825 +0100 +@@ -54,6 +54,8 @@ + #define TCP_OPT_TFO 0x22 /* TCP Fast Open */ + #define TCP_OPT_EXP1 0xfd /* Experimental, could be TFO */ + #define TCP_OPT_EXP2 0xfe /* Experimental, could be TFO */ ++#define TCP_OPT_MD5 0x13 /* 19: RFC 2385 TCP MD5 option */ ++#define TCP_OPT_AO 0x1d /* 29: RFC 5925 TCP AO option */ + + #define TCP_OPT_SACKOK_LEN 2 + #define TCP_OPT_WS_LEN 3 +@@ -153,6 +155,8 @@ + typedef struct TCPVars_ + { + /* commonly used and needed opts */ ++ bool md5_option_present; ++ bool ao_option_present; + bool ts_set; + uint32_t ts_val; /* host-order */ + uint32_t ts_ecr; /* host-order */ +Index: suricata-6.0.1/src/stream-tcp.c +=================================================================== +--- suricata-6.0.1.orig/src/stream-tcp.c 2025-03-24 23:45:30.172534825 +0100 ++++ suricata-6.0.1/src/stream-tcp.c 2025-03-24 23:45:30.172534825 +0100 +@@ -4331,6 +4331,9 @@ + if (ostream->flags & STREAMTCP_STREAM_FLAG_RST_RECV) { + if (StreamTcpStateDispatch(tv, p, stt, ssn, &stt->pseudo_queue, ssn->pstate) < 0) + return -1; ++ /* if state is still "closed", it wasn't updated by our dispatch. */ ++ if (ssn->state == TCP_CLOSED) ++ ssn->state = ssn->pstate; + } + } + return 0; +@@ -5299,7 +5302,6 @@ + + static int StreamTcpValidateRst(TcpSession *ssn, Packet *p) + { +- + uint8_t os_policy; + + if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) { +@@ -5337,6 +5339,21 @@ + } + } + ++ /* RFC 2385 md5 signature header or RFC 5925 TCP AO headerpresent. Since we can't ++ * validate these (requires key that is set/transfered out of band), we can't know ++ * if the RST will be accepted or rejected by the end host. We accept it, but keep ++ * tracking if the sender of it ignores it, which would be a sign of injection. 
*/ ++ if (p->tcpvars.md5_option_present || p->tcpvars.ao_option_present) { ++ TcpStream *receiver_stream; ++ if (PKT_IS_TOSERVER(p)) { ++ receiver_stream = &ssn->server; ++ } else { ++ receiver_stream = &ssn->client; ++ } ++ SCLogDebug("ssn %p: setting STREAMTCP_STREAM_FLAG_RST_RECV on receiver stream", ssn); ++ receiver_stream->flags |= STREAMTCP_STREAM_FLAG_RST_RECV; ++ } ++ + if (ssn->flags & STREAMTCP_FLAG_ASYNC) { + if (PKT_IS_TOSERVER(p)) { + if (SEQ_GEQ(TCP_GET_SEQ(p), ssn->client.next_seq)) { diff --git a/patches/CVE-2023-35852-1.patch b/patches/CVE-2023-35852-1.patch new file mode 100644 index 00000000..671ee57c --- /dev/null +++ b/patches/CVE-2023-35852-1.patch 
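Review bot: In `StreamTcpValidateRst` the new block sets `STREAMTCP_STREAM_FLAG_RST_RECV` on the receiver stream before the ASYNC/sequence validation that follows it; if that later validation rejects the RST (the function's tail is outside the hunk), the flag has already been set, so an RST carrying a bogus MD5/AO option but an out-of-window sequence number may still push the receiver into the RST-received dispatch path seen at the `ostream->flags & STREAMTCP_STREAM_FLAG_RST_RECV` check — worth confirming, or moving the assignment to after the sequence checks pass. The commit message says the engine raises `stream-event:suspected_rst_inject`, but none of the three files this backport touches defines that event; confirm 6.0.1 already carries it from 843d0b7a10bb, otherwise the backport is incomplete. Minor: the comment `RFC 5925 TCP AO headerpresent` is missing a space and the AO branch's debug string says `AU option` rather than `AO option`.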
@@ -0,0 +1,98 @@ +commit aee1523b4591430ebed1ded0bb95508e6717a335 +Author: Jason Ish +Date: Tue May 23 15:17:59 2023 -0600 + + datasets: don't allow absolute or paths with directory traversal + + For dataset filenames coming from rules, do not allow filenames that + are absolute or contain a directory traversal with "..". This prevents + datasets from escaping the define data-directory which may allow a bad + rule to overwrite any file that Suricata has permission to write to. + + Add a new configuration option, + "datasets.rules.allow-absolute-filenames" to allow absolute filenames + in dataset rules. This will be a way to revert back to the pre 6.0.13 + behavior where save/state rules could use any filename. + + Ticket: #6118 + +Index: suricata-6.0.1/src/detect-dataset.c +=================================================================== +--- suricata-6.0.1.orig/src/detect-dataset.c 2025-03-24 23:48:36.956508994 +0100 ++++ suricata-6.0.1/src/detect-dataset.c 2025-03-24 23:48:36.956508994 +0100 +@@ -307,8 +307,20 @@ + { + SCLogDebug("save %s", save); + +- if (PathIsAbsolute(save)) { +- return 0; ++ int allow_absolute = 0; ++ (void)ConfGetBool("datasets.rules.allow-absolute-filenames", &allow_absolute); ++ if (allow_absolute) { ++ SCLogNotice("Allowing absolute filename for dataset rule: %s", save); ++ } else { ++ if (PathIsAbsolute(save)) { ++ SCLogError(SC_ERR_INVALID_ARGUMENT, "Absolute paths not allowed: %s", save); ++ return -1; ++ } ++ ++ if (SCPathContainsTraversal(save)) { ++ SCLogError(SC_ERR_INVALID_ARGUMENT, "Directory traversals not allowed: %s", save); ++ return -1; ++ } + } + + // data dir +Index: suricata-6.0.1/src/util-path.c +=================================================================== +--- suricata-6.0.1.orig/src/util-path.c 2025-03-24 23:48:36.956508994 +0100 ++++ suricata-6.0.1/src/util-path.c 2025-03-24 23:48:36.956508994 +0100 +@@ -247,3 +247,20 @@ + + return final + 1; + } ++ ++/** ++ * \brief Check for directory traversal ++ * ++ * 
\param path The path string to check for traversal ++ * ++ * \retval true if directory traversal is found, otherwise false ++ */ ++bool SCPathContainsTraversal(const char *path) ++{ ++#ifdef OS_WIN32 ++ const char *pattern = "..\\"; ++#else ++ const char *pattern = "../"; ++#endif ++ return strstr(path, pattern) != NULL; ++} +Index: suricata-6.0.1/src/util-path.h +=================================================================== +--- suricata-6.0.1.orig/src/util-path.h 2025-03-24 23:48:36.956508994 +0100 ++++ suricata-6.0.1/src/util-path.h 2025-03-24 23:48:36.956508994 +0100 +@@ -41,5 +41,6 @@ + bool SCIsRegularFile(const struct dirent *const dir_entry); + char *SCRealPath(const char *path, char *resolved_path); + const char *SCBasename(const char *path); ++bool SCPathContainsTraversal(const char *path); + + #endif /* __UTIL_PATH_H__ */ +Index: suricata-6.0.1/suricata.yaml.in +=================================================================== +--- suricata-6.0.1.orig/suricata.yaml.in 2025-03-24 23:48:36.956508994 +0100 ++++ suricata-6.0.1/suricata.yaml.in 2025-03-24 23:48:36.956508994 +0100 +@@ -976,6 +976,12 @@ + # defaults: + # memcap: 100mb + # hashsize: 2048 ++# ++# rules: ++# # Set to true to allow absolute filenames and filenames that use ++# # ".." components to reference parent directories in rules that specify ++# # their filenames. ++# #allow-absolute-filenames: false + + ############################################################################## + ## diff --git a/patches/CVE-2023-35852-2.patch b/patches/CVE-2023-35852-2.patch new file mode 100644 index 00000000..23281631 --- /dev/null +++ b/patches/CVE-2023-35852-2.patch 
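Review bot: `SCPathContainsTraversal` is a pure `strstr` test, so it misses `..` as the final component (`dir/..`, or the bare string `..`) and, in the `OS_WIN32` branch, misses `../`, which Windows also accepts as a separator; a component-wise check that rejects any component equal to `..` closes both. Since the data directory is prepended after this check (the `// data dir` line), the trailing-`..` case today resolves only to a directory and is mostly a robustness gap, but the Windows case is a genuine bypass of the restriction this patch introduces. The check is also lexical only — a symlink inside the data directory is not caught — which is acceptable as long as the yaml comment says so; `SCRealPath`, already declared in util-path.h, could back a stricter post-resolution prefix check where the target exists.
```c
bool SCPathContainsTraversal(const char *path)
{
    /* Reject any path component equal to "..": a substring test for "../"
     * misses a trailing ".." and, on Windows, the "/" separator the OS
     * also accepts. */
    const char *p = path;
    while (*p != '\0') {
        const char *end = p;
        while (*end != '\0' && *end != '/'
#ifdef OS_WIN32
                && *end != '\\'
#endif
        ) {
            end++;
        }
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (*end == '\0')
            break;
        p = end + 1;
    }
    return false;
}
```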
@@ -0,0 +1,48 @@ +commit 735f5aa9ca3b28cfacc7a443f93a44387fbacf17 +Author: Jason Ish +Date: Tue Jun 6 16:04:56 2023 -0600 + + datasets: flag to disable "write" actions + + Add a new configuration flag, "datasets.rules.allow-write" to control + if rules can contain "save" or "state" rules which allow write access + to the file system. + + Ticket: #6123 + +Index: suricata-6.0.1/src/detect-dataset.c +=================================================================== +--- suricata-6.0.1.orig/src/detect-dataset.c 2025-03-24 23:48:43.376508135 +0100 ++++ suricata-6.0.1/src/detect-dataset.c 2025-03-24 23:48:43.376508135 +0100 +@@ -307,6 +307,15 @@ + { + SCLogDebug("save %s", save); + ++ int allow_save = 1; ++ if (ConfGetBool("datasets.rules.allow-write", &allow_save)) { ++ if (!allow_save) { ++ SCLogError(SC_ERR_INVALID_SIGNATURE, ++ "Rules containing save/state datasets have been disabled"); ++ return -1; ++ } ++ } ++ + int allow_absolute = 0; + (void)ConfGetBool("datasets.rules.allow-absolute-filenames", &allow_absolute); + if (allow_absolute) { +Index: suricata-6.0.1/suricata.yaml.in +=================================================================== +--- suricata-6.0.1.orig/suricata.yaml.in 2025-03-24 23:48:43.376508135 +0100 ++++ suricata-6.0.1/suricata.yaml.in 2025-03-24 23:48:43.376508135 +0100 +@@ -982,6 +982,11 @@ + # # ".." components to reference parent directories in rules that specify + # # their filenames. + # #allow-absolute-filenames: false ++# ++# # Allow datasets in rules write access for "save" and ++# # "state". This is enabled by default, however write access is ++# # limited to the data directory. ++# #allow-write: true + + ############################################################################## + ## diff --git a/patches/CVE-2024-32663-1.patch b/patches/CVE-2024-32663-1.patch new file mode 100644 index 00000000..bdafc15e --- /dev/null +++ b/patches/CVE-2024-32663-1.patch 
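Review bot: The yaml comment added for `allow-write` says write access "is limited to the data directory", but that only holds while `allow-absolute-filenames` directly above it stays false; with both enabled a rule can again write anywhere Suricata can, so an operator flipping one option would be misled. Suggest `# # "state". Enabled by default; writes stay inside the data directory unless` / `# # allow-absolute-filenames is also enabled.` The C side is fine as written — `allow_save` defaults to 1 and is only overridden when the key is present — though the error text `Rules containing save/state datasets have been disabled` could name the `datasets.rules.allow-write` option so the operator knows what to change.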
@@ -0,0 +1,223 @@ +commit 08d93f7c3762781b743f88f9fdc4389eb9c3eb64 +Author: Philippe Antoine +Date: Wed Mar 27 14:33:54 2024 +0100 + + http2: use a reference counter for headers + + Ticket: 6892 + + As HTTP hpack header compression allows one single byte to + express a previously seen arbitrary-size header block (name+value) + we should avoid to copy the vectors data, but just point + to the same data, while reamining memory safe, even in the case + of later headers eviction from the dybnamic table. + + Rust std solution is Rc, and the use of clone, so long as the + data is accessed by only one thread. + + (cherry picked from commit 390f09692eb99809c679d3f350c7cc185d163e1a) + +Index: suricata-6.0.1/rust/src/http2/detect.rs +=================================================================== +--- suricata-6.0.1.orig/rust/src/http2/detect.rs 2025-03-25 16:24:31.631773847 +0100 ++++ suricata-6.0.1/rust/src/http2/detect.rs 2025-03-25 16:24:31.631773847 +0100 +@@ -23,6 +23,7 @@ + use std::ffi::CStr; + use std::mem::transmute; + use std::str::FromStr; ++use std::rc::Rc; + + fn http2_tx_has_frametype( + tx: &mut HTTP2Transaction, direction: u8, value: u8, +@@ -557,8 +558,8 @@ + }; + let mut blocks = Vec::new(); + let b = parser::HTTP2FrameHeaderBlock { +- name: name.to_vec(), +- value: input.to_vec(), ++ name: Rc::new(name.to_vec()), ++ value: Rc::new(input.to_vec()), + error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }; +Index: suricata-6.0.1/rust/src/http2/parser.rs +=================================================================== +--- suricata-6.0.1.orig/rust/src/http2/parser.rs 2025-03-25 16:24:31.631773847 +0100 ++++ suricata-6.0.1/rust/src/http2/parser.rs 2025-03-25 16:24:31.631773847 +0100 +@@ -25,6 +25,7 @@ + use nom::IResult; + use std::fmt; + use std::str::FromStr; ++use std::rc::Rc; + + #[repr(u8)] + #[derive(Clone, Copy, PartialEq, FromPrimitive, Debug)] +@@ -281,8 +282,8 @@ + }; + if name.len() > 0 { + return 
Some(HTTP2FrameHeaderBlock { +- name: name.as_bytes().to_vec(), +- value: value.as_bytes().to_vec(), ++ name: Rc::new(name.as_bytes().to_vec()), ++ value: Rc::new(value.as_bytes().to_vec()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }); +@@ -290,23 +291,23 @@ + //use dynamic table + if n == 0 { + return Some(HTTP2FrameHeaderBlock { +- name: Vec::new(), +- value: Vec::new(), ++ name: Rc::new(Vec::new()), ++ value: Rc::new(Vec::new()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIndex0, + sizeupdate: 0, + }); + } else if dyn_headers.table.len() + HTTP2_STATIC_HEADERS_NUMBER < n as usize { + return Some(HTTP2FrameHeaderBlock { +- name: Vec::new(), +- value: Vec::new(), ++ name: Rc::new(Vec::new()), ++ value: Rc::new(Vec::new()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeNotIndexed, + sizeupdate: 0, + }); + } else { + let indyn = dyn_headers.table.len() - (n as usize - HTTP2_STATIC_HEADERS_NUMBER); + let headcopy = HTTP2FrameHeaderBlock { +- name: dyn_headers.table[indyn].name.to_vec(), +- value: dyn_headers.table[indyn].value.to_vec(), ++ name: dyn_headers.table[indyn].name.clone(), ++ value: dyn_headers.table[indyn].value.clone(), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }; +@@ -334,8 +335,10 @@ + + #[derive(Clone, Debug)] + pub struct HTTP2FrameHeaderBlock { +- pub name: Vec, +- pub value: Vec, ++ // Use Rc reference counted so that indexed headers do not get copied. ++ // Otherwise, this leads to quadratic complexity in memory occupation. 
++ pub name: Rc>, ++ pub value: Rc>, + pub error: HTTP2HeaderDecodeStatus, + pub sizeupdate: u64, + } +@@ -386,7 +389,7 @@ + ) -> IResult<&'a [u8], HTTP2FrameHeaderBlock> { + let (i3, name, error) = if index == 0 { + match http2_parse_headers_block_string(input) { +- Ok((r, n)) => Ok((r, n, HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)), ++ Ok((r, n)) => Ok((r, Rc::new(n), HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)), + Err(e) => Err(e), + } + } else { +@@ -398,7 +401,7 @@ + )), + None => Ok(( + input, +- Vec::new(), ++ Rc::new(Vec::new()), + HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeNotIndexed, + )), + } +@@ -408,7 +411,7 @@ + i4, + HTTP2FrameHeaderBlock { + name, +- value, ++ value: Rc::new(value), + error, + sizeupdate: 0, + }, +@@ -436,8 +439,8 @@ + match r { + Ok((r, head)) => { + let headcopy = HTTP2FrameHeaderBlock { +- name: head.name.to_vec(), +- value: head.value.to_vec(), ++ name: head.name.clone(), ++ value: head.value.clone(), + error: head.error, + sizeupdate: 0, + }; +@@ -554,8 +557,8 @@ + return Ok(( + i3, + HTTP2FrameHeaderBlock { +- name: Vec::new(), +- value: Vec::new(), ++ name: Vec::new().into(), ++ value: Vec::new().into(), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIntegerOverflow, + sizeupdate: 0, + }, +@@ -573,8 +576,8 @@ + return Ok(( + i3, + HTTP2FrameHeaderBlock { +- name: Vec::new(), +- value: Vec::new(), ++ name: Rc::new(Vec::new()), ++ value: Rc::new(Vec::new()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate, + sizeupdate: maxsize2, + }, +@@ -928,8 +931,8 @@ + match r0 { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, ":method".as_bytes().to_vec()); +- assert_eq!(hd.value, "GET".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":method".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "GET".as_bytes().to_vec().into()); + // And we should have no bytes left. 
+ assert_eq!(remainder.len(), 0); + } +@@ -945,8 +948,8 @@ + match r1 { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, "accept".as_bytes().to_vec()); +- assert_eq!(hd.value, "*/*".as_bytes().to_vec()); ++ assert_eq!(hd.name, "accept".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "*/*".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 1); +@@ -965,8 +968,8 @@ + match result { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, ":authority".as_bytes().to_vec()); +- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 2); +@@ -983,8 +986,8 @@ + match r3 { + Ok((remainder, hd)) => { + // same as before +- assert_eq!(hd.name, ":authority".as_bytes().to_vec()); +- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 2); +@@ -1019,8 +1022,8 @@ + match r2 { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, ":path".as_bytes().to_vec()); +- assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":path".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 2); diff --git a/patches/CVE-2024-32663-2.patch b/patches/CVE-2024-32663-2.patch new file mode 100644 index 00000000..4f47542b --- /dev/null 
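Review bot: The `HTTP2HeaderDecodeIntegerOverflow` arm builds its empty fields with `Vec::new().into()` while every other arm in the same file uses `Rc::new(Vec::new())`; use one form (`Rc::new(Vec::new())` matches the surrounding code) so the type change reads consistently. `Rc` also makes `HTTP2FrameHeaderBlock` `!Send`, which the commit message acknowledges only in passing ("so long as the data is accessed by only one thread"); a comment on the struct such as `// Rc, not Arc: header blocks are owned by a single flow and never cross threads` would keep the next reader from reaching for `Arc`. Note that the sharing only removes the copy for indexed headers — a literal header is still copied once — so the memory bound this buys presumably still depends on the dynamic table size limit enforced outside this hunk.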
+++ b/patches/CVE-2024-32663-2.patch 
@@ -0,0 +1,61 @@ +commit d24b37a103c04bb2667e449e080ba4c8e56bb019 +Author: Philippe Antoine +Date: Thu Mar 28 11:15:51 2024 +0100 + + http2: do not log duplicate headers + + Ticket: 6900 + + And thus avoid DOS by logging a request using a compressed + header block repeated many times and having a long value... + + (cherry picked from commit 03442c9071b8d863d26b609d54c6eacf4de9e340) + +Index: suricata-6.0.1/rust/src/http2/logger.rs +=================================================================== +--- suricata-6.0.1.orig/rust/src/http2/logger.rs 2025-03-25 15:28:30.810326590 +0100 ++++ suricata-6.0.1/rust/src/http2/logger.rs 2025-03-25 15:28:30.806326588 +0100 +@@ -19,7 +19,8 @@ + use super::parser; + use crate::jsonbuilder::{JsonBuilder, JsonError}; + use std; +-use std::collections::HashMap; ++use std::collections::{HashMap, HashSet}; ++use std::rc::Rc; + + #[derive(Hash, PartialEq, Eq)] + enum HeaderName { +@@ -35,10 +36,20 @@ + blocks: &'a Vec, js: &mut JsonBuilder, + common: &mut HashMap>, + ) -> Result<(), JsonError> { ++ let mut logged_headers = HashSet::new(); + for j in 0..blocks.len() { +- js.start_object()?; ++ // delay js.start_object() because we skip suplicate headers + match blocks[j].error { + parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess => { ++ if Rc::strong_count(&blocks[j].name) > 2 { ++ // more than one reference in headers table + current headers ++ let ptr = Rc::as_ptr(&blocks[j].name) as usize; ++ if !logged_headers.insert(ptr) { ++ // only log once ++ continue; ++ } ++ } ++ js.start_object()?; + js.set_string_from_bytes("name", &blocks[j].name)?; + js.set_string_from_bytes("value", &blocks[j].value)?; + if let Ok(name) = std::str::from_utf8(&blocks[j].name) { +@@ -66,9 +77,11 @@ + } + } + parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate => { ++ js.start_object()?; + js.set_uint("table_size_update", blocks[j].sizeupdate)?; + } + _ => { ++ js.start_object()?; + js.set_string("error", &blocks[j].error.to_string())?; + 
} + } diff --git a/patches/CVE-2024-37151.patch b/patches/CVE-2024-37151.patch new file mode 100644 index 00000000..ac55da74 --- /dev/null +++ b/patches/CVE-2024-37151.patch @@ -0,0 +1,44 @@ +commit 9d5c4273cb7e5ca65f195f7361f0d848c85180e0 +Author: Victor Julien +Date: Tue Jun 4 14:43:22 2024 +0200 + + defrag: don't use completed tracker + + When a Tracker is set up for a IPID, frags come in for it and it's + reassembled and complete, the `DefragTracker::remove` flag is set. This + is mean to tell the hash cleanup code to recyle the tracker and to let + the lookup code skip the tracker during lookup. + + A logic error lead to the following scenario: + + 1. there are sufficient frag trackers to make sure the hash table is + filled with trackers + 2. frags for a Packet with IPID X are processed correctly (X1) + 3. frags for a new Packet that also has IPID X come in quickly after the + first (X2). + 4. during the lookup, the frag for X2 hashes to a hash row that holds + more than one tracker + 5. as the trackers in hash row are evaluated, it finds the tracker for + X1, but since the `remove` bit is not checked, it is returned as the + tracker for X2. + 6. reassembly fails, as the tracker is already complete + + The logic error is that only for the first tracker in a row the `remove` + bit was checked, leading to reuse to a closed tracker if there were more + trackers in the hash row. + + Ticket: #7042. + +Index: suricata-6.0.1/src/defrag-hash.c +=================================================================== +--- suricata-6.0.1.orig/src/defrag-hash.c 2025-03-25 15:43:04.942709598 +0100 ++++ suricata-6.0.1/src/defrag-hash.c 2025-03-25 15:43:04.938709595 +0100 +@@ -582,7 +582,7 @@ + return dt; + } + +- if (DefragTrackerCompare(dt, p) != 0) { ++ if (!dt->remove && DefragTrackerCompare(dt, p) != 0) { + /* we found our tracker, lets put it on top of the + * hash list -- this rewards active trackers */ + if (dt->hnext) { 
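Review bot: The de-duplication in the logger keys only on the pointer of `blocks[j].name`; if the literal-with-indexed-name path in parser.rs reuses the dynamic table entry's name `Rc` (the `Some` arm just above the visible `None => ... Rc::new(Vec::new())` change is not shown, but the table copy does `.clone()` both fields), two headers with the same name but different values share a name pointer with `strong_count > 2`, and the second value is never logged — a cheap way for a client to keep a header value out of EVE. Keying on both pointers avoids that: `let ptr = (Rc::as_ptr(&blocks[j].name) as usize, Rc::as_ptr(&blocks[j].value) as usize);` with `logged_headers` holding the tuple. The comment `skip suplicate headers` has a typo.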
diff --git a/patches/CVE-2024-45796.patch b/patches/CVE-2024-45796.patch
new file mode 100644
index 00000000..7f044f73
--- /dev/null
+++ b/patches/CVE-2024-45796.patch
@@ -0,0 +1,24 @@
+commit 9203656496c4081260817cce018a0d8fd57869b5
+Author: Philippe Antoine
+Date: Mon Jul 15 09:52:00 2024 +0200
+
+ defrag: fix off by one
+
+ Ticket: 7067
+
+ This off by one could lead to an empty fragment being inserted
+ in the rb tree, which led to integer underflow
+
+Index: suricata-6.0.1/src/defrag.c
+===================================================================
+--- suricata-6.0.1.orig/src/defrag.c 2025-03-25 15:56:11.975020710 +0100
++++ suricata-6.0.1/src/defrag.c 2025-03-25 15:56:11.971020707 +0100
+@@ -850,7 +850,7 @@
+ }
+ }
+
+- if (ltrim > data_len) {
++ if (ltrim >= data_len) {
+ /* Full packet has been trimmed due to the overlap policy. Overlap
+ * already set. */
+ goto done;
diff --git a/patches/CVE-2024-55626.patch b/patches/CVE-2024-55626.patch
new file mode 100644
index 00000000..7424aacf
--- /dev/null
+++ b/patches/CVE-2024-55626.patch
@@ -0,0 +1,33 @@ +commit 470795e65ba77cffba3aed850313a5f23c4b278d +Author: Philippe Antoine +Date: Mon Nov 4 17:09:32 2024 +0100 + + suricata/bpf: fix -Wshorten-64-to-32 warning + + Ticket: 7366 + Ticket: 6186 + (cherry picked from commit dd71ef0af222a566e54dfc479dd1951dd17d7ceb) + +Index: suricata-6.0.1/src/suricata.c +=================================================================== +--- suricata-6.0.1.orig/src/suricata.c 2025-03-30 13:19:17.638729314 +0200 ++++ suricata-6.0.1/src/suricata.c 2025-03-30 13:20:03.386688425 +0200 +@@ -458,7 +458,7 @@ + char *bpf_filter = NULL; + char *bpf_comment_tmp = NULL; + char *bpf_comment_start = NULL; +- uint32_t bpf_len = 0; ++ size_t bpf_len = 0; + #ifdef OS_WIN32 + struct _stat st; + #else +@@ -481,7 +481,8 @@ + SCLogError(SC_ERR_FOPEN, "Failed to stat file %s", filename); + exit(EXIT_FAILURE); + } +- bpf_len = st.st_size + 1; ++ // st.st_size is signed on Windows ++ bpf_len = ((size_t)(st.st_size)) + 1; + + // coverity[toctou : FALSE] + fp = fopen(filename,"r"); diff --git a/patches/CVE-2025-29916-1.patch b/patches/CVE-2025-29916-1.patch new file mode 100644 index 00000000..a19e8cd2 --- /dev/null +++ b/patches/CVE-2025-29916-1.patch 
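Review bot: Widening `bpf_len` to `size_t` stops the 32-bit truncation, but the buffer is still sized purely from `st.st_size` with nothing visible bounding it (the allocation and read follow the hunk), so a multi-gigabyte file passed via the BPF-file option is presumably now read into memory in full rather than overflowing; a BPF expression is never more than a few kilobytes, so a cap after the stat such as `if (st.st_size <= 0 || st.st_size > (1 << 20)) { SCLogError(SC_ERR_INVALID_ARGUMENT, "BPF filter file %s is empty or too large", filename); exit(EXIT_FAILURE); }` is cheap defence in depth and matches the error-code style of the `SC_ERR_FOPEN` call above. The comment `// st.st_size is signed on Windows` is misleading since `off_t` is signed on POSIX too; `// st_size is signed (off_t); cast before adding 1` says what the cast is for. The enclosing function starts before the hunk.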
@@ -0,0 +1,115 @@ +commit 2f432c99a9734ea3a75c9218f35060e11a7a39ad +Author: Victor Julien +Date: Tue Mar 18 10:55:39 2025 +0100 + + datasets: improve default hashsize handling + + Make hashsize default local to dataset code, instead of relying on the + thash code. + + Use the same default value as before. + + (cherry picked from commit d32a39ca4b53d7f659f4f0a2a5c162ef97dc4797) + +diff --git a/src/datasets.c b/src/datasets.c +index c7c906b62..9b098c298 100644 +--- a/src/datasets.c ++++ b/src/datasets.c +@@ -677,6 +677,11 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + } + } + ++ GetDefaultMemcap(&default_memcap, &default_hashsize); ++ if (hashsize == 0) { ++ hashsize = default_hashsize; ++ } ++ + set = DatasetAlloc(name); + if (set == NULL) { + goto out_err; +@@ -696,12 +701,11 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + char cnf_name[128]; + snprintf(cnf_name, sizeof(cnf_name), "datasets.%s.hash", name); + +- GetDefaultMemcap(&default_memcap, &default_hashsize); + switch (type) { + case DATASET_TYPE_MD5: + set->hash = THashInit(cnf_name, sizeof(Md5Type), Md5StrSet, Md5StrFree, Md5StrHash, + Md5StrCompare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, +- hashsize > 0 ? hashsize : default_hashsize); ++ hashsize); + if (set->hash == NULL) + goto out_err; + if (DatasetLoadMd5(set) < 0) +@@ -710,7 +714,7 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + case DATASET_TYPE_STRING: + set->hash = THashInit(cnf_name, sizeof(StringType), StringSet, StringFree, StringHash, + StringCompare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, +- hashsize > 0 ? 
hashsize : default_hashsize); ++ hashsize); + if (set->hash == NULL) + goto out_err; + if (DatasetLoadString(set) < 0) +@@ -719,26 +723,25 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + case DATASET_TYPE_SHA256: + set->hash = THashInit(cnf_name, sizeof(Sha256Type), Sha256StrSet, Sha256StrFree, + Sha256StrHash, Sha256StrCompare, load != NULL ? 1 : 0, +- memcap > 0 ? memcap : default_memcap, +- hashsize > 0 ? hashsize : default_hashsize); ++ memcap > 0 ? memcap : default_memcap, hashsize); + if (set->hash == NULL) + goto out_err; + if (DatasetLoadSha256(set) < 0) + goto out_err; + break; + case DATASET_TYPE_IPV4: +- set->hash = THashInit(cnf_name, sizeof(IPv4Type), IPv4Set, IPv4Free, IPv4Hash, +- IPv4Compare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, +- hashsize > 0 ? hashsize : default_hashsize); ++ set->hash = ++ THashInit(cnf_name, sizeof(IPv4Type), IPv4Set, IPv4Free, IPv4Hash, IPv4Compare, ++ load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, hashsize); + if (set->hash == NULL) + goto out_err; + if (DatasetLoadIPv4(set) < 0) + goto out_err; + break; + case DATASET_TYPE_IPV6: +- set->hash = THashInit(cnf_name, sizeof(IPv6Type), IPv6Set, IPv6Free, IPv6Hash, +- IPv6Compare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, +- hashsize > 0 ? hashsize : default_hashsize); ++ set->hash = ++ THashInit(cnf_name, sizeof(IPv6Type), IPv6Set, IPv6Free, IPv6Hash, IPv6Compare, ++ load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, hashsize); + if (set->hash == NULL) + goto out_err; + if (DatasetLoadIPv6(set) < 0) +@@ -830,6 +833,10 @@ void DatasetPostReloadCleanup(void) + SCMutexUnlock(&sets_lock); + } + ++/* Value reflects THASH_DEFAULT_HASHSIZE which is what the default was earlier, ++ * despite 2048 commented out in the default yaml. 
*/ ++#define DATASETS_HASHSIZE_DEFAULT 4096 ++ + static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize) + { + const char *str = NULL; +@@ -841,12 +848,14 @@ static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize) + *memcap = 0; + } + } ++ ++ *hashsize = (uint32_t)DATASETS_HASHSIZE_DEFAULT; + if (ConfGet("datasets.defaults.hashsize", &str) == 1) { + if (ParseSizeStringU32(str, hashsize) < 0) { ++ *hashsize = (uint32_t)DATASETS_HASHSIZE_DEFAULT; + SCLogWarning("hashsize value cannot be deduced: %s," +- " resetting to default", +- str); +- *hashsize = 0; ++ " resetting to default: %u", ++ str, *hashsize); + } + } + } diff --git a/patches/CVE-2025-29916-2.patch b/patches/CVE-2025-29916-2.patch new file mode 100644 index 00000000..72b87285 --- /dev/null +++ b/patches/CVE-2025-29916-2.patch 
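Review bot: This patch keeps upstream's `diff --git`/`index c7c906b62..9b098c298` headers instead of the `Index: suricata-6.0.1/...` form every other patch in this series was refreshed to, and its context lines show the code-less `SCLogWarning("hashsize value cannot be deduced: %s,"` convention, whereas the CVE-2023-35852 backport above calls `SCLogError(SC_ERR_INVALID_ARGUMENT, ...)`; if 6.0.1's logging macros take an error-code first argument, this hunk will fail to apply or to compile, so confirm it was actually built against 6.0.1. The new comment admits the real default is 4096 "despite 2048 commented out in the default yaml", yet the `suricata.yaml.in` context in the 35852 patch still shows `# hashsize: 2048`; either correct that yaml comment in this patch or state here why the example is left smaller than the effective default. Moving `GetDefaultMemcap` ahead of `DatasetAlloc` and collapsing `hashsize > 0 ? hashsize : default_hashsize` to `hashsize` is behaviour-preserving only because of the new `if (hashsize == 0)` fallback, which is worth a one-line comment since the ternaries it replaces were the only hint.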
@@ -0,0 +1,199 @@ +commit e28c8c655a324a18932655a2c2b8f0d5aa1c55d7 +Author: Philippe Antoine +Date: Tue Mar 18 10:55:39 2025 +0100 + + detect: add configurable limits for datasets + + Ticket: 7615 + + Avoids signatures setting extreme hash sizes, which would lead to very + high memory use. + + Default to allowing: + - 65536 per dataset + - 16777216 total + + To override these built-in defaults: + + ```yaml + datasets: + # Limits for per rule dataset instances to avoid rules using too many + # resources. + limits: + # Max value for per dataset `hashsize` setting + #single-hashsize: 65536 + # Max combined hashsize values for all datasets. + #total-hashsizes: 16777216 + ``` + + (cherry picked from commit a7713db709b8a0be5fc5e5809ab58e9b14a16e85) + +diff --git a/src/datasets.c b/src/datasets.c +index 9b098c298..99d66b67d 100644 +--- a/src/datasets.c ++++ b/src/datasets.c +@@ -39,11 +39,16 @@ + #include "util-misc.h" + #include "util-path.h" + #include "util-debug.h" ++#include "util-validate.h" + + SCMutex sets_lock = SCMUTEX_INITIALIZER; + static Dataset *sets = NULL; + static uint32_t set_ids = 0; + ++uint32_t dataset_max_one_hashsize = 65536; ++uint32_t dataset_max_total_hashsize = 16777216; ++uint32_t dataset_used_hashsize = 0; ++ + static int DatasetAddwRep(Dataset *set, const uint8_t *data, const uint32_t data_len, + DataRepType *rep); + +@@ -629,6 +634,34 @@ Dataset *DatasetFind(const char *name, enum DatasetTypes type) + return set; + } + ++static bool DatasetCheckHashsize(const char *name, uint32_t hash_size) ++{ ++ if (dataset_max_one_hashsize > 0 && hash_size > dataset_max_one_hashsize) { ++ SCLogError("hashsize %u in dataset '%s' exceeds configured 'single-hashsize' limit (%u)", ++ hash_size, name, dataset_max_one_hashsize); ++ return false; ++ } ++ // we cannot underflow as we know from conf loading that ++ // dataset_max_total_hashsize >= dataset_max_one_hashsize if dataset_max_total_hashsize > 0 ++ if (dataset_max_total_hashsize > 0 && ++ 
dataset_max_total_hashsize - hash_size < dataset_used_hashsize) { ++ SCLogError("hashsize %u in dataset '%s' exceeds configured 'total-hashsizes' limit (%u, in " ++ "use %u)", ++ hash_size, name, dataset_max_total_hashsize, dataset_used_hashsize); ++ return false; ++ } ++ ++ return true; ++} ++ ++static void DatasetUpdateHashsize(const char *name, uint32_t hash_size) ++{ ++ if (dataset_max_total_hashsize > 0) { ++ dataset_used_hashsize += hash_size; ++ SCLogDebug("set %s adding with hash_size %u", name, hash_size); ++ } ++} ++ + Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load, + uint64_t memcap, uint32_t hashsize) + { +@@ -682,6 +715,10 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + hashsize = default_hashsize; + } + ++ if (!DatasetCheckHashsize(name, hashsize)) { ++ goto out_err; ++ } ++ + set = DatasetAlloc(name); + if (set == NULL) { + goto out_err; +@@ -760,6 +797,10 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + set->next = sets; + sets = set; + ++ /* hash size accounting */ ++ DEBUG_VALIDATE_BUG_ON(set->hash->config.hash_size != hashsize); ++ DatasetUpdateHashsize(set->name, set->hash->config.hash_size); ++ + SCMutexUnlock(&sets_lock); + return set; + out_err: +@@ -801,6 +842,9 @@ void DatasetReload(void) + continue; + } + set->hidden = true; ++ if (dataset_max_total_hashsize > 0) { ++ dataset_used_hashsize -= set->hash->config.hash_size; ++ } + SCLogDebug("Set %s at %p hidden successfully", set->name, set); + set = set->next; + } +@@ -868,6 +912,27 @@ int DatasetsInit(void) + uint32_t default_hashsize = 0; + GetDefaultMemcap(&default_memcap, &default_hashsize); + if (datasets != NULL) { ++ const char *str = NULL; ++ if (ConfGet("datasets.limits.total-hashsizes", &str) == 1) { ++ if (ParseSizeStringU32(str, &dataset_max_total_hashsize) < 0) { ++ FatalError("failed to parse datasets.limits.total-hashsizes value: %s", str); ++ } ++ } ++ 
if (ConfGet("datasets.limits.single-hashsize", &str) == 1) { ++ if (ParseSizeStringU32(str, &dataset_max_one_hashsize) < 0) { ++ FatalError("failed to parse datasets.limits.single-hashsize value: %s", str); ++ } ++ } ++ if (dataset_max_total_hashsize > 0 && ++ dataset_max_total_hashsize < dataset_max_one_hashsize) { ++ FatalError("total-hashsizes (%u) cannot be smaller than single-hashsize (%u)", ++ dataset_max_total_hashsize, dataset_max_one_hashsize); ++ } ++ if (dataset_max_total_hashsize > 0 && dataset_max_one_hashsize == 0) { ++ // the total limit also applies for single limit ++ dataset_max_one_hashsize = dataset_max_total_hashsize; ++ } ++ + int list_pos = 0; + ConfNode *iter = NULL; + TAILQ_FOREACH(iter, &datasets->head, next) { +diff --git a/src/tests/fuzz/confyaml.c b/src/tests/fuzz/confyaml.c +index 194552859..05995ea56 100644 +--- a/src/tests/fuzz/confyaml.c ++++ b/src/tests/fuzz/confyaml.c +@@ -112,4 +112,8 @@ app-layer:\n\ + enabled: yes\n\ + detect:\n\ + inspection-recursion-limit: 0\n\ ++datasets:\n\ ++ maximums:\n\ ++ single_hashsize: 65536\n\ ++ total_hashsizes: 16777216\n\ + "; +diff --git a/src/util-thash.c b/src/util-thash.c +index 3ee006a2c..548637916 100644 +--- a/src/util-thash.c ++++ b/src/util-thash.c +@@ -311,16 +311,11 @@ THashTableContext *THashInit(const char *cnf_prefix, size_t data_size, + ctx->config.hash_size = hashsize > 0 ? hashsize : THASH_DEFAULT_HASHSIZE; + /* Reset memcap in case of loading from file to the highest possible value + unless defined by the rule keyword */ +-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +- // limit memcap size to default when fuzzing +- ctx->config.memcap = THASH_DEFAULT_MEMCAP; +-#else + if (memcap > 0) { + ctx->config.memcap = memcap; + } else { + ctx->config.memcap = reset_memcap ? 
UINT64_MAX : THASH_DEFAULT_MEMCAP; + } +-#endif + ctx->config.prealloc = THASH_DEFAULT_PREALLOC; + + SC_ATOMIC_INIT(ctx->counter); +diff --git a/suricata.yaml.in b/suricata.yaml.in +index d74b4a27d..97236eb39 100644 +--- a/suricata.yaml.in ++++ b/suricata.yaml.in +@@ -1188,6 +1188,14 @@ datasets: + #memcap: 100mb + #hashsize: 2048 + ++ # Limits for per rule dataset instances to avoid rules using too many ++ # resources. ++ limits: ++ # Max value for per dataset `hashsize` setting ++ #single-hashsize: 65536 ++ # Max combined hashsize values for all datasets. ++ #total-hashsizes: 16777216 ++ + rules: + # Set to true to allow absolute filenames and filenames that use + # ".." components to reference parent directories in rules that specify diff --git a/patches/CVE-2025-29916-3.patch b/patches/CVE-2025-29916-3.patch new file mode 100644 index 00000000..105c00dc --- /dev/null +++ b/patches/CVE-2025-29916-3.patch 
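Review bot: The fuzz configuration added to src/tests/fuzz/confyaml.c uses `maximums:` with `single_hashsize` / `total_hashsizes`, but DatasetsInit reads `datasets.limits.single-hashsize` and `datasets.limits.total-hashsizes`, so the fuzz build silently keeps the built-in defaults rather than the values it appears to set; the three lines should be `limits:\n\`, `single-hashsize: 65536\n\`, `total-hashsizes: 16777216\n\`. The accounting itself is consistent in what is visible: DatasetCheckHashsize, DatasetUpdateHashsize and the subtraction in DatasetReload all key off `dataset_max_total_hashsize > 0`, and the FatalError in DatasetsInit is what makes the `dataset_max_total_hashsize - hash_size` expression safe from underflow. Note that this file is not listed in patches/series in this upload, so the key mismatch only matters if the patch is forwarded or applied later.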
@@ -0,0 +1,71 @@ +commit d86c5f9f0c75736d4fce93e27c0773fcb27e1047 +Author: Victor Julien +Date: Mon Mar 17 21:19:13 2025 +0100 + + datasets: set higher hashsize limits + + To avoid possible upgrade issues, allow higher defaults than in the + master branch. Add some upgrade guidance and a note that defaults will + probably be further reduced. + +diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst +index a78dd730c..ebd9dc337 100644 +--- a/doc/userguide/upgrade.rst ++++ b/doc/userguide/upgrade.rst +@@ -44,6 +44,21 @@ Upgrading to 7.0.9 + been added, ``v2-block-size`` which can be used to tune this value + for TPACKET_V2. Due to the increased block size, memory usage has + been increased, but should not be an issue in most cases. ++- Datasets specifying a custom `hashsize` will now be limited to 262144 by default. ++ Additionally, the cumulative hash sizes for all datasets in use should not exceed ++ 67108864. These settings can be changed with the following settings. ++ ++ .. code-block:: yaml ++ ++ datasets: ++ # Limits for per rule dataset instances to avoid rules using too many ++ # resources. ++ # Note: in Suricata 8 the built-in default will be set to lower values. ++ limits: ++ # Max value for per dataset `hashsize` setting ++ #single-hashsize: 262144 ++ # Max combined hashsize values for all datasets. 
++ #total-hashsizes: 67108864 + + Upgrading to 7.0.8 + ------------------ +diff --git a/src/datasets.c b/src/datasets.c +index 99d66b67d..412413ab4 100644 +--- a/src/datasets.c ++++ b/src/datasets.c +@@ -45,8 +45,9 @@ SCMutex sets_lock = SCMUTEX_INITIALIZER; + static Dataset *sets = NULL; + static uint32_t set_ids = 0; + +-uint32_t dataset_max_one_hashsize = 65536; +-uint32_t dataset_max_total_hashsize = 16777216; ++/* 4x what we set in master to allow a smoother upgrade path */ ++uint32_t dataset_max_one_hashsize = 262144; ++uint32_t dataset_max_total_hashsize = 67108864; + uint32_t dataset_used_hashsize = 0; + + static int DatasetAddwRep(Dataset *set, const uint8_t *data, const uint32_t data_len, +diff --git a/suricata.yaml.in b/suricata.yaml.in +index 97236eb39..722f17a0b 100644 +--- a/suricata.yaml.in ++++ b/suricata.yaml.in +@@ -1190,11 +1190,12 @@ datasets: + + # Limits for per rule dataset instances to avoid rules using too many + # resources. ++ # Note: in Suricata 8 the built-in default will be set to lower values. + limits: + # Max value for per dataset `hashsize` setting +- #single-hashsize: 65536 ++ #single-hashsize: 262144 + # Max combined hashsize values for all datasets. +- #total-hashsizes: 16777216 ++ #total-hashsizes: 67108864 + + rules: + # Set to true to allow absolute filenames and filenames that use diff --git a/patches/CVE-2025-29917.patch b/patches/CVE-2025-29917.patch new file mode 100644 index 00000000..349d6489 --- /dev/null +++ b/patches/CVE-2025-29917.patch 
@@ -0,0 +1,104 @@ +commit bab716776ba3561cfbfd1a57fc18ff1f6859f019 +Author: Philippe Antoine +Date: Tue Dec 17 15:06:25 2024 +0100 + + detect: limit base64_decode `bytes` to 64KiB + + Ticket: 7613 + + Avoids potential large per-thread memory allocation. A buffer with the + size of the largest decode_base64 buffer size setting would be allocated + per thread. As this was a u32, it could mean a per-thread 4GiB memory + allocation. + + 64KiB was already the built-in default for cases where bytes size wasn't + specified. + + (cherry picked from commit 32d0bd2bbb4d486623dec85a94952fde2515f2f0) + +diff --git a/doc/userguide/rules/base64-keywords.rst b/doc/userguide/rules/base64-keywords.rst +index 190fdb5bf..256f6c013 100644 +--- a/doc/userguide/rules/base64-keywords.rst ++++ b/doc/userguide/rules/base64-keywords.rst +@@ -15,6 +15,7 @@ Syntax:: + base64_decode:bytes , offset , relative; + + The ``bytes`` option specifies how many bytes Suricata should decode and make available for base64_data. ++This number is limited to 64KiB. + The decoding will stop at the end of the buffer. + + The ``offset`` option specifies how many bytes Suricata should skip before decoding. 
+diff --git a/src/detect-base64-decode.c b/src/detect-base64-decode.c +index 25fdf10e7..5ae38c572 100644 +--- a/src/detect-base64-decode.c ++++ b/src/detect-base64-decode.c +@@ -28,7 +28,7 @@ + #define BASE64_DECODE_MAX 65535 + + typedef struct DetectBase64Decode_ { +- uint32_t bytes; ++ uint16_t bytes; + uint32_t offset; + uint8_t relative; + } DetectBase64Decode; +@@ -111,8 +111,8 @@ int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s + return det_ctx->base64_decoded_len > 0; + } + +-static int DetectBase64DecodeParse(const char *str, uint32_t *bytes, +- uint32_t *offset, uint8_t *relative) ++static int DetectBase64DecodeParse( ++ const char *str, uint16_t *bytes, uint32_t *offset, uint8_t *relative) + { + const char *bytes_str = NULL; + const char *offset_str = NULL; +@@ -132,7 +132,7 @@ static int DetectBase64DecodeParse(const char *str, uint32_t *bytes, + + if (pcre_rc >= 3) { + if (pcre2_substring_get_bynumber(match, 2, (PCRE2_UCHAR8 **)&bytes_str, &pcre2_len) == 0) { +- if (StringParseUint32(bytes, 10, 0, bytes_str) <= 0) { ++ if (StringParseUint16(bytes, 10, 0, bytes_str) <= 0) { + SCLogError("Bad value for bytes: \"%s\"", bytes_str); + goto error; + } +@@ -186,7 +186,7 @@ error: + static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s, + const char *str) + { +- uint32_t bytes = 0; ++ uint16_t bytes = 0; + uint32_t offset = 0; + uint8_t relative = 0; + DetectBase64Decode *data = NULL; +@@ -238,9 +238,6 @@ static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s, + data->bytes = BASE64_DECODE_MAX; + } + if (data->bytes > de_ctx->base64_decode_max_len) { +-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +- data->bytes = BASE64_DECODE_MAX; +-#endif + de_ctx->base64_decode_max_len = data->bytes; + } + +@@ -272,7 +269,7 @@ static int g_http_header_buffer_id = 0; + static int DetectBase64TestDecodeParse(void) + { + int retval = 0; +- uint32_t bytes = 0; ++ uint16_t bytes = 0; + uint32_t offset = 0; + 
uint8_t relative = 0; + +diff --git a/src/detect.h b/src/detect.h +index 2379d3253..73fa010d1 100644 +--- a/src/detect.h ++++ b/src/detect.h +@@ -927,7 +927,7 @@ typedef struct DetectEngineCtx_ { + struct SigGroupHead_ *decoder_event_sgh; + + /* Maximum size of the buffer for decoded base64 data. */ +- uint32_t base64_decode_max_len; ++ uint16_t base64_decode_max_len; + + /** Store rule file and line so that parsers can use them in errors. */ + int rule_line; diff --git a/patches/CVE-2025-29918.patch b/patches/CVE-2025-29918.patch new file mode 100644 index 00000000..df90e7e9 --- /dev/null +++ b/patches/CVE-2025-29918.patch 
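Review bot: A rule whose `bytes` value is 65536 or larger now fails to load, since `StringParseUint16` rejects it and setup logs `Bad value for bytes`, yet the sentence added to base64-keywords.rst says 64KiB while the largest value that parses is 65535. Suggest `This number is limited to 65535; larger values are rejected when the rule is loaded.` so the doc matches the parser. Whether the previous code capped or rejected such values cannot be seen here (the branch assigning `BASE64_DECODE_MAX` is only partly inside the hunk), so confirm the rule-compatibility impact before wording a changelog entry. Like the 29916 patches, this file is not in patches/series in this upload.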
@@ -0,0 +1,40 @@ +commit f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6 +Author: Philippe Antoine +Date: Tue Jan 28 15:02:45 2025 +0100 + + detect/pcre: avoid infinite loop after negated pcre + + Ticket: 7526 + + The usage of negated pcre, followed by other relative payload + content keywords could lead to an infinite loop. + + This is because regular (not negated) pcre can test multiple + occurences, but negated pcre should be tried only once. + + (cherry picked from commit b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b) + +Index: suricata-6.0.1/src/detect-engine-content-inspection.c +=================================================================== +--- suricata-6.0.1.orig/src/detect-engine-content-inspection.c 2025-03-24 23:38:06.156602585 +0100 ++++ suricata-6.0.1/src/detect-engine-content-inspection.c 2025-03-24 23:38:06.152602584 +0100 +@@ -430,7 +430,6 @@ + if (r == 0) { + goto no_match; + } +- + if (!(pe->flags & DETECT_PCRE_RELATIVE_NEXT)) { + SCLogDebug("no relative match coming up, so this is a match"); + goto match; +@@ -453,6 +452,11 @@ + if (det_ctx->discontinue_matching) + goto no_match; + ++ if (prev_offset == 0) { ++ // This happens for negated PCRE ++ // We do not search for another occurrence of this pcre ++ SCReturnInt(0); ++ } + det_ctx->buffer_offset = prev_buffer_offset; + det_ctx->pcre_match_start_offset = prev_offset; + } while (1); diff --git a/patches/avoid-to-include-if_tunnel-h.patch b/patches/avoid-to-include-if_tunnel-h.patch new file mode 100644 index 00000000..645de57e --- /dev/null +++ b/patches/avoid-to-include-if_tunnel-h.patch 
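Review bot: The added early exit uses `SCReturnInt(0)` where every other no-match path in view (`if (r == 0) { goto no_match; }` and `if (det_ctx->discontinue_matching) goto no_match;`) goes through the `no_match` label, whose body is outside the hunk; unless that label does nothing beyond returning 0, the new path skips it, so `goto no_match;` is the safer and more consistent form. The `prev_offset == 0` test is what identifies the negated-pcre case, but the comment only asserts it; a reader cannot see from here why a non-negated pcre never reaches this point with a zero saved offset, so either name the flag that guarantees it or extend the comment, e.g. `// negated pcre (prev_offset == 0): there is no further occurrence to retry, so stop instead of looping`. This backport is hand-rebased (Index:/timestamp headers rather than the upstream git diff), and the loop and the function it sits in start outside the hunk.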
@@ -0,0 +1,34 @@ +From 6f7636cfc6dffb387afe21f4f3bff119f8d8e033 Mon Sep 17 00:00:00 2001 +From: Eric Leblond +Date: Thu, 31 Oct 2019 13:29:56 +0100 +Subject: [PATCH] ebpf: avoid to include if_tunnel.h + +This is causing a dependency issue as file from another architecture +have to be installed. +--- + ebpf/xdp_lb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/ebpf/xdp_lb.c ++++ b/ebpf/xdp_lb.c +@@ -23,7 +23,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -32,6 +31,12 @@ + + #include "hash_func01.h" + ++#define GRE_CSUM __cpu_to_be16(0x8000) ++#define GRE_ROUTING __cpu_to_be16(0x4000) ++#define GRE_KEY __cpu_to_be16(0x2000) ++#define GRE_SEQ __cpu_to_be16(0x1000) ++#define GRE_VERSION __cpu_to_be16(0x0007) ++ + #define LINUX_VERSION_CODE 263682 + + /* Hashing initval */ diff --git a/patches/configure-clang-variable.patch b/patches/configure-clang-variable.patch new file mode 100644 index 00000000..6aae947a --- /dev/null +++ b/patches/configure-clang-variable.patch @@ -0,0 +1,26 @@ +From: Hilko Bengen +Date: Tue, 22 Jan 2019 18:10:47 +0100 +Subject: configure: Introduce CLANG variable + +--- + configure.ac | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/configure.ac ++++ b/configure.ac +@@ -38,6 +38,15 @@ + + AC_SUBST([CLANG]) + ++ AC_ARG_WITH([clang], ++ [CLANG compiler], ++ [CLANG="$withval"], ++ [AS_IF([test "$compiler" = clang], ++ [CLANG="$CC"], ++ [AC_PATH_PROG([CLANG],[clang])])]) ++ ++ AC_SUBST([CLANG]) ++ + case "$compiler" in + clang) + CLANG_CFLAGS="-Wextra -Werror-implicit-function-declaration -Wno-error=unused-command-line-argument" diff --git a/patches/cross.patch b/patches/cross.patch new file mode 100644 index 00000000..ddc724d9 --- /dev/null +++ b/patches/cross.patch 
@@ -0,0 +1,13 @@ +--- a/configure.ac ++++ b/configure.ac +@@ -77,8 +77,8 @@ + AC_PATH_PROG(HAVE_CYGPATH, cygpath, "no") + AM_CONDITIONAL([HAVE_CYGPATH], [test "x$HAVE_CYGPATH" != "xno"]) + +- AC_PATH_PROG(HAVE_PKG_CONFIG, pkg-config, "no") +- if test "$HAVE_PKG_CONFIG" = "no"; then ++ PKG_PROG_PKG_CONFIG ++ if test "x$PKG_CONFIG" = "x"; then + echo + echo " ERROR! pkg-config not found, go get it " + echo " http://pkg-config.freedesktop.org/wiki/ " diff --git a/patches/debian-default-cfg.patch b/patches/debian-default-cfg.patch new file mode 100644 index 00000000..8a7ff401 --- /dev/null +++ b/patches/debian-default-cfg.patch 
@@ -0,0 +1,43 @@
+From: Arturo Borrero Gonzalez
+Subject: Debian default configuration
+ This patch sets Debian defaults for suricata configuration.
+ .
+ Currently, it sets a proper path for suricata unix socket.
+Forwarded: not-needed
+Last-Update: 2016-12-01
+
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -1061,8 +1061,8 @@
+ # activated in live capture mode. You can use the filename variable to set
+ # the file name of the socket.
+ unix-command:
+- enabled: auto
+- #filename: custom.socket
++ enabled: yes
++ filename: @e_localstatedir@suricata-command.socket
+
+ # Magic file. The extension .mgc is added to the value here.
+ #magic-file: /usr/share/file/magic
+--- a/src/unix-manager.c
++++ b/src/unix-manager.c
+@@ -53,7 +53,7 @@
+ # endif
+ #endif
+
+-#define SOCKET_PATH LOCAL_STATE_DIR "/run/suricata/"
++#define SOCKET_PATH LOCAL_STATE_DIR "/"
+ #define SOCKET_FILENAME "suricata-command.socket"
+ #define SOCKET_TARGET SOCKET_PATH SOCKET_FILENAME
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -2747,7 +2747,7 @@
+ EXPAND_VARIABLE(localstatedir, e_logfilesdir, "/log/suricata/files")
+ EXPAND_VARIABLE(localstatedir, e_logcertsdir, "/log/suricata/certs")
+ EXPAND_VARIABLE(sysconfdir, e_sysconfdir, "/suricata/")
+- EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/suricata")
++ EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/")
+ EXPAND_VARIABLE(datadir, e_datarulesdir, "/suricata/rules")
+ EXPAND_VARIABLE(localstatedir, e_datadir, "/lib/suricata/data")
+ EXPAND_VARIABLE(ruledirprefix, e_defaultruledir, "/suricata/rules")
diff --git a/patches/fix-repeated-builds.patch b/patches/fix-repeated-builds.patch
new file mode 100644
index 00000000..0357ec80
--- /dev/null
+++ b/patches/fix-repeated-builds.patch
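Review bot: `enabled: yes` switches the unix command socket on by default (upstream ships `auto`), which exposes the unix-manager control channel to anyone who can connect to the socket file, so that file's owner and mode are the only access control; nothing in this patch sets or documents them, and the socket is moved from a suricata-owned `run/suricata/` directory to directly under `e_localstatedir`. The C fallback `SOCKET_PATH LOCAL_STATE_DIR "/"` also drops the `run/` component that the configure default `e_localstatedir` keeps, so the two defaults disagree if `filename` is ever removed from the yaml. A DEP-3 description line stating the intended socket path and its expected owner/mode (presumably restricted to the service user - to be confirmed against the init scripts, which are not in view) would make this auditable.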
@@ -0,0 +1,16 @@ +Description: do not clean vendor directory on distclean + dh_auto_clean calls make distclean, which in the case of Suricata also + removes the vendor directory. This breaks repeated builds. +Author: Sascha Steinbiss +Last-Update: 2018-12-26 +--- a/rust/Makefile.am ++++ b/rust/Makefile.am +@@ -61,7 +61,7 @@ + rm -f Cargo.lock + + maintainerclean-local: +- rm -rf vendor gen ++ rm -rf gen + + check: + CARGO_HOME="$(CARGO_HOME)" @rustup_home@ \ diff --git a/patches/import-sockio-h.patch b/patches/import-sockio-h.patch new file mode 100644 index 00000000..67bfe95b --- /dev/null +++ b/patches/import-sockio-h.patch @@ -0,0 +1,16 @@ +From: Eric Leblond +Date: Wed, 17 Jul 2019 12:35:12 +0200 +Subject: [PATCH] af-packet: fix build on recent Linux kernels +--- a/src/source-af-packet.c ++++ b/src/source-af-packet.c +@@ -68,6 +68,10 @@ + #include + #endif + ++#if HAVE_LINUX_SOCKIOS_H ++#include ++#endif ++ + #ifdef HAVE_PACKET_EBPF + #include "util-ebpf.h" + #include diff --git a/patches/llc.patch b/patches/llc.patch new file mode 100644 index 00000000..c349e1d0 --- /dev/null +++ b/patches/llc.patch @@ -0,0 +1,20 @@ +--- a/configure.ac ++++ b/configure.ac +@@ -497,11 +497,12 @@ + [ + AS_IF([test "$CLANG" != no], + [ +- llc_candidates=$($CLANG --version | \ +- awk '/^clang version/ { +- split($3, v, "."); +- printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]]) +- }') ++ #llc_candidates=$($CLANG --version | \ ++ # awk '/^clang version/ { ++ # split($3, v, "."); ++ # printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]]) ++ # }') ++ llc_candidates=llc + AC_CHECK_PROGS([LLC], [$llc_candidates], "no") + if test "$LLC" = "no"; then + AC_MSG_ERROR([unable to find any of $llc_candidates needed to build ebpf files]) diff --git a/patches/no-use-gnu.patch b/patches/no-use-gnu.patch new file mode 100644 index 00000000..20fb069b --- /dev/null +++ b/patches/no-use-gnu.patch 
@@ -0,0 +1,28 @@ +Description: Don't use __USE_GNU + __USE_GNU is a glibc-internal symbol. + AC_USE_SYSTEM_EXTENSIONS is the proper autoconf + way to enable extensions. +Author: Adrian Bunk + +--- a/configure.ac ++++ b/configure.ac +@@ -6,6 +6,7 @@ + AM_INIT_AUTOMAKE([tar-ustar subdir-objects]) + + AC_LANG([C]) ++ AC_USE_SYSTEM_EXTENSIONS + LT_INIT + PKG_PROG_PKG_CONFIG + +--- a/src/suricata-common.h ++++ b/src/suricata-common.h +@@ -33,9 +33,6 @@ + #define TRUE 1 + #define FALSE 0 + +-#define _GNU_SOURCE +-#define __USE_GNU +- + #if HAVE_CONFIG_H + #include + #endif diff --git a/patches/remove-conflicting-python-file.patch b/patches/remove-conflicting-python-file.patch new file mode 100644 index 00000000..cc742d21 --- /dev/null +++ b/patches/remove-conflicting-python-file.patch @@ -0,0 +1,18 @@ +Description: do not install the suricata Python module + Suricata's Python tools only import submodules of 'suricata'. Not installing + this module ensures that there is no chance of having an __init__.py in the + root module directory that might clash with other packages, e.g. suricata- + update. +Author: Sascha Steinbiss +Bug: https://redmine.openinfosecfoundation.org/issues/3156 +Last-Update: 2019-09-18 +--- a/python/setup.py ++++ b/python/setup.py +@@ -49,7 +49,6 @@ + author_email='oisf-devel@lists.openinfosecfoundation.org, eric@regit.org', + url='https://www.suricata-ids.org/', + packages=[ +- "suricata", + "suricata.config", + "suricata.ctl", + "suricata.sc", diff --git a/patches/reproducible.patch b/patches/reproducible.patch new file mode 100644 index 00000000..f2fd542a --- /dev/null +++ b/patches/reproducible.patch 
@@ -0,0 +1,21 @@
+From: Arturo Borrero Gonzalez
+Subject: Patch to make the suricata build reproducible
+ This patch makes some changes to the suricata build to make it reproducible
+ .
+ Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds
+ the build path.
+Forwarded: not-needed
+Last-Update: 2016-09-05
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -2873,7 +2873,8 @@
+ echo
+ echo "$SURICATA_BUILD_CONF"
+ echo "printf(" >src/build-info.h
+-echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' >>src/build-info.h
++echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' \
++ | sed 's/-fdebug-prefix-map=.*=. //' >>src/build-info.h
+ echo ");" >>src/build-info.h
+
+ echo "
diff --git a/patches/series b/patches/series
new file mode 100644
index 00000000..4963469c
--- /dev/null
+++ b/patches/series
@@ -0,0 +1,22 @@
+reproducible.patch
+debian-default-cfg.patch
+cross.patch
+no-use-gnu.patch
+fix-repeated-builds.patch
+configure-clang-variable.patch
+with-ebpf-includes.patch
+import-sockio-h.patch
+remove-conflicting-python-file.patch
+avoid-to-include-if_tunnel-h.patch
+llc.patch
+stream-no-reject-bad-ack.patch
+
+CVE-2021-45098.patch
+CVE-2023-35852-1.patch
+CVE-2023-35852-2.patch
+CVE-2024-32663-1.patch
+CVE-2024-32663-2.patch
+CVE-2024-37151.patch
+CVE-2024-45796.patch
+CVE-2025-29918.patch
+CVE-2024-55626.patch
diff --git a/patches/stream-no-reject-bad-ack.patch b/patches/stream-no-reject-bad-ack.patch
new file mode 100644
index 00000000..739355b8
--- /dev/null
+++ b/patches/stream-no-reject-bad-ack.patch
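Review bot: The filter `s/-fdebug-prefix-map=.*=. //` uses a greedy `.*`, so it deletes everything from `-fdebug-prefix-map=` up to the last `=<char> ` on the line, not just that one flag; if another `=`-bearing flag such as `-D_FORTIFY_SOURCE=2` ends up on the same line of `$SURICATA_BUILD_CONF` (its layout is not in view), the flags in between vanish from build-info.h. `s/-fdebug-prefix-map=[^ ]* //` removes exactly the one flag regardless of its map target. If a newer dpkg-buildflags also emits `-ffile-prefix-map=...`, that flag embeds the build path the same way and would need the same treatment.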
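Review bot: patches/series lists CVE-2025-29918.patch but none of CVE-2025-29916-1/2/3.patch or CVE-2025-29917.patch, which this upload adds under patches/; under source format 3.0 (quilt) a patch absent from series is never applied, so the built package does not contain those fixes even though the files ship in the source tarball. This is consistent with the changelog, which does not mention either CVE, and the -3 patch edits a "Upgrading to 7.0.9" section that presumably does not exist in 6.0.1, so the omission may be deliberate; in that case the files should be removed, or a comment line such as `# CVE-2025-29916/29917 patches not applied: do not apply to 6.0.1` added to series, so a later audit does not assume those CVEs are fixed. If the omission is accidental, they belong in series before CVE-2025-29918.patch.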
@@ -0,0 +1,30 @@
+From 556570f7dd7f21f11cffda5ebcb72738a29cbb90 Mon Sep 17 00:00:00 2001
+From: Eric Leblond
+Date: Fri, 28 May 2021 12:19:38 +0200
+Subject: [PATCH] stream/tcp: don't reject on bad ack
+
+Not using a packet for the streaming analysis when a non zero
+ACK value and ACK bit was unset was leading to evasion as it was
+possible to start a session with a SYN packet with a non zero ACK
+value to see the full TCP stream to escape all stream and application
+layer detection.
+
+This addresses CVE-2021-35063.
+
+Fixes: fa692df37 ("stream: reject broken ACK packets")
+
+Ticket: #4504.
+---
+ src/stream-tcp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/src/stream-tcp.c
++++ b/src/stream-tcp.c
+@@ -4789,7 +4789,6 @@
+ /* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */
+ if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) {
+ StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);
+- goto error;
+ }
+
+ /* If we are on IPS mode, and got a drop action triggered from
diff --git a/patches/with-ebpf-includes.patch b/patches/with-ebpf-includes.patch
new file mode 100644
index 00000000..8c44ef3b
--- /dev/null
+++ b/patches/with-ebpf-includes.patch
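Review bot: With `goto error` removed, a packet carrying an ACK number but no ACK flag now continues into stream handling and only the `STREAM_PKT_BROKEN_ACK` event remains; nothing at the call site says this is intentional, so a later cleanup could reintroduce the rejection that enabled the CVE-2021-35063 evasion. Suggest a comment next to the event: `/* keep processing: rejecting the packet here let a SYN with a bogus ACK number hide a whole session from stream and app-layer inspection (CVE-2021-35063); the event is still raised for stream-event rules */`. The function this sits in starts outside the hunk.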
@@ -0,0 +1,41 @@
+From: Hilko Bengen
+Date: Tue, 23 Jul 2019 14:43:21 +0200
+Subject: Add --with-ebpf-includes parameter
+
+---
+ configure.ac | 4 ++++
+ ebpf/Makefile.am | 3 +--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -509,6 +509,10 @@
+ AC_SUBST(LLC)
+ ],
+ [AC_MSG_ERROR([clang needed to build ebpf files])])
++ AC_ARG_WITH(ebpf_includes,
++ [ --with-ebpf-includes=DIR include directory for building eBPF programs],
++ [AC_SUBST([ebpf_includes],["$withval"])],
++ [AC_SUBST([ebpf_includes],["/usr/include/${build_alias}"])])
+ ])
+
+ # enable debug output
+--- a/ebpf/Makefile.am
++++ b/ebpf/Makefile.am
+@@ -4,7 +4,7 @@
+ if BUILD_EBPF
+
+ # Maintaining a local copy of UAPI linux/bpf.h
+-BPF_CFLAGS = -Iinclude
++BPF_CFLAGS = -Iinclude -I$(ebpf_includes)
+
+ BPF_TARGETS = lb.bpf
+ BPF_TARGETS += filter.bpf
+@@ -19,7 +19,6 @@
+ $(BPF_TARGETS): %.bpf: %.c
+ # From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm)
+ ${CLANG} -Wall $(BPF_CFLAGS) -O2 \
+- -I/usr/include/$(build_cpu)-$(build_os)/ \
+ -D__KERNEL__ -D__ASM_SYSREG_H \
+ -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll}
+ # From LLVM-IR to BPF-bytecode in ELF-obj file
diff --git a/rules b/rules
new file mode 100755
index 00000000..6312df92
--- /dev/null
+++ b/rules
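Review bot: The fallback `"/usr/include/${build_alias}"` in the new AC_ARG_WITH names the build machine, like the `$(build_cpu)-$(build_os)` path it replaces, whereas the eBPF objects need the headers of the system they will run on; for a cross build `${host_alias}` is the closer choice, and as far as I recall `build_alias` is empty unless `--build` was given, leaving a bare `/usr/include/` on a native build. debian/rules supplies `--with-ebpf-includes=/usr/include/$(DEB_HOST_MULTIARCH)` explicitly (separate hunk), so only builds that rely on the default are affected; a comment on the default line saying it is a best-effort fallback would save the next reader the same question.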
@@ -0,0 +1,100 @@ +#!/usr/bin/make -f + +# verbose mode +export DH_VERBOSE=1 + +SURICATA_DESTDIR = $(CURDIR)/debian/suricata +export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow +export CARGO_HOME = $(CURDIR)/debian/cargohome + +include /usr/share/dpkg/architecture.mk + +# workaround for linking issue on some archs +export DEB_LDFLAGS_MAINT_APPEND = -Wl,--allow-multiple-definition +EXTRA_ATOMIC_ARCHS = armel mipsel +ifneq (,$(findstring $(DEB_HOST_ARCH),$(EXTRA_ATOMIC_ARCHS))) + DEB_LDFLAGS_MAINT_APPEND += -latomic + export DEB_LDFLAGS_MAINT_APPEND +endif + +LUAJIT_ARCHS = i386 amd64 powerpc mips mipsel armel armhf +HYPERSCAN_ARCHS = i386 amd64 hurd-i386 kfreebsd-amd64 x32 +RUST_ARCHS = i386 amd64 +EBPF_ARCHS = amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32 + +LIBHTP_PKG_VERSION=$(shell apt-cache policy libhtp2 | grep Installed | cut -f2- -d: | cut -c2-) + +ifneq (,$(findstring $(DEB_HOST_ARCH),$(LUAJIT_ARCHS))) + ENABLE_LUAJIT="--enable-luajit" +endif + +ifneq (,$(findstring $(DEB_HOST_ARCH),$(HYPERSCAN_ARCHS))) + ENABLE_HYPERSCAN="--enable-libhs" +endif + +ifneq (,$(findstring $(DEB_HOST_ARCH),$(RUST_ARCHS))) + ENABLE_HYPERSCAN="--enable-rust" +endif + +CI ?= $(shell $(CURDIR)/debian/building-in-ci.sh) +ifeq ($(CI),true) + ENABLE_UNITTESTS="--enable-unittests" +endif + +ifneq (,$(findstring $(DEB_HOST_ARCH),$(EBPF_ARCHS))) + ENABLE_EBPF=--enable-ebpf --enable-ebpf-build \ + --with-ebpf-includes=/usr/include/$(DEB_HOST_MULTIARCH) +endif + +CONFIGURE_ARGS = --enable-af-packet --enable-nfqueue --enable-nflog \ + --enable-gccprotect --disable-gccmarch-native \ + --with-libnss-includes=/usr/include/nss --with-libnss-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \ + --with-libnspr-includes=/usr/include/nspr --with-libnspr-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \ + --with-libevent-includes=/usr/include --with-libevent-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \ + --disable-coccinelle \ + --enable-geoip --enable-hiredis \ + --enable-non-bundled-htp \ + 
--disable-suricata-update \ + $(ENABLE_LUAJIT) \ + $(ENABLE_HYPERSCAN) \ + $(ENABLE_UNITTESTS) \ + $(ENABLE_EBPF) + +override_dh_auto_configure: + dh_auto_configure -- $(CONFIGURE_ARGS) + +override_dh_auto_build: + uname -a + mkdir -p $(CARGO_HOME) + dh_auto_build + +override_dh_auto_clean: + rm -rf $(CARGO_HOME) + rm -f debian/suricata.substvars + +override_dh_auto_install: + dh_auto_install + rm -rf $(SURICATA_DESTDIR)/usr/lib/python*;\ + (cd python &&\ + python3 -B setup.py install --install-layout=deb --prefix $(SURICATA_DESTDIR)/usr) + # clean upstream install documentation + rm -rf $(SURICATA_DESTDIR)/usr/share/doc/suricata/* + $(foreach file, $(wildcard ebpf/*bpf), \ + install -D -t $(SURICATA_DESTDIR)/usr/lib/suricata/ebpf $(file) ;\ + ) + +override_dh_strip: + dh_strip --dbgsym-migration='suricata-dbg (<< 1:4.0.0-2~)' + +override_dh_auto_test: + # do nothing + +override_dh_missing: + dh_missing --list-missing + +override_dh_gencontrol: + echo "libhtp:Version=$(LIBHTP_PKG_VERSION)" >> debian/suricata.substvars + dh_gencontrol + +%: + dh $@ --with python3 diff --git a/source/format b/source/format new file mode 100644 index 00000000..163aaf8d --- /dev/null +++ b/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/suricata-oinkmaster.install b/suricata-oinkmaster.install new file mode 100644 index 00000000..2027f26f --- /dev/null +++ b/suricata-oinkmaster.install @@ -0,0 +1,3 @@ +debian/oinkmaster/suricata-oinkmaster.conf etc/suricata +debian/oinkmaster/suricata-oinkmaster etc/cron.daily +debian/oinkmaster/suricata-oinkmaster-updater usr/sbin diff --git a/suricata-oinkmaster.manpages b/suricata-oinkmaster.manpages new file mode 100644 index 00000000..6d581a51 --- /dev/null +++ b/suricata-oinkmaster.manpages @@ -0,0 +1 @@ +debian/oinkmaster/suricata-oinkmaster-updater.8 diff --git a/suricata.1 b/suricata.1 new file mode 100644 index 00000000..873f6ec4 --- /dev/null +++ b/suricata.1 
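Review bot: The rust block assigns `ENABLE_HYPERSCAN="--enable-rust"`, overwriting the `--enable-libhs` assigned a few lines earlier; i386 and amd64 are in both `HYPERSCAN_ARCHS` and `RUST_ARCHS`, so on those architectures configure never receives `--enable-libhs` and, unless it auto-detects libhs on its own, Hyperscan is silently left out. The block should read `ENABLE_RUST="--enable-rust"` and `$(ENABLE_RUST)` should be appended to `CONFIGURE_ARGS`. Two smaller points: `$(findstring $(DEB_HOST_ARCH),$(LIST))` is substring matching (a `ppc64` host would match a list naming only `ppc64el`), while `$(filter $(DEB_HOST_ARCH),$(LIST))` matches whole words; and `LIBHTP_PKG_VERSION` scrapes the localized `Installed:` line of `apt-cache policy`, whereas `dpkg-query -W -f='$${Version}' libhtp2` returns the installed version directly and independent of locale.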
@@ -0,0 +1,516 @@ +.\" Man page generated from reStructuredText. +. +.TH "SURICATA" "1" "Nov 08, 2020" "6.0.1" "Suricata" +.SH NAME +suricata \- Suricata +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBsuricata\fP [OPTIONS] [BPF FILTER] +.SH DESCRIPTION +.sp +\fBsuricata\fP is a high performance Network IDS, IPS and Network Security +Monitoring engine. Open Source and owned by a community run non\-profit +foundation, the Open Information Security Foundation (OISF). +.sp +\fBsuricata\fP can be used to analyze live traffic and pcap files. It can +generate alerts based on rules. \fBsuricata\fP will generate traffic logs. +.sp +When used with live traffic \fBsuricata\fP can be passive or active. Active +modes are: inline in a L2 bridge setup, inline with L3 integration with +host filewall (NFQ, IPFW, WinDivert), or out of band using active responses. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-h +Display a brief usage overview. +.UNINDENT +.INDENT 0.0 +.TP +.B \-V +Displays the version of Suricata. +.UNINDENT +.INDENT 0.0 +.TP +.B \-c +Path to configuration file. +.UNINDENT +.INDENT 0.0 +.TP +.B \-T +Test configuration. +.UNINDENT +.INDENT 0.0 +.TP +.B \-v +Increase the verbosity of the Suricata application logging by +increasing the log level from the default. This option can be +passed multiple times to further increase the verbosity. 
+.INDENT 7.0 +.IP \(bu 2 +\-v: INFO +.IP \(bu 2 +\-vv: PERF +.IP \(bu 2 +\-vvv: CONFIG +.IP \(bu 2 +\-vvvv: DEBUG +.UNINDENT +.sp +This option will not decrease the log level set in the +configuration file if it is already more verbose than the level +requested with this option. +.UNINDENT +.INDENT 0.0 +.TP +.B \-r +Run in pcap offline mode (replay mode) reading files from pcap file. If + specifies a directory, all files in that directory will be processed +in order of modified time maintaining flow state between files. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-pcap\-file\-continuous +Used with the \-r option to indicate that the mode should stay alive until +interrupted. This is useful with directories to add new files and not reset +flow state between files. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-pcap\-file\-recursive +.TP +.B Used with the \-r option when the path provided is a directory. This option +.TP +.B enables recursive traversal into subdirectories to a maximum depth of 255. +.TP +.B This option cannot be combined with \-\-pcap\-file\-continuous. Symlinks are +.TP +.B ignored. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-pcap\-file\-delete +Used with the \-r option to indicate that the mode should delete pcap files +after they have been processed. This is useful with pcap\-file\-continuous to +continuously feed files to a directory and have them cleaned up when done. If +this option is not set, pcap files will not be deleted after processing. +.UNINDENT +.INDENT 0.0 +.TP +.B \-i +After the \-i option you can enter the interface card you would like +to use to sniff packets from. This option will try to use the best +capture method available. Can be used several times to sniff packets from +several interfaces. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-pcap[=] +Run in PCAP mode. If no device is provided the interfaces +provided in the \fIpcap\fP section of the configuration file will be +used. 
+.UNINDENT +.INDENT 0.0 +.TP +.B \-\-af\-packet[=] +Enable capture of packet using AF_PACKET on Linux. If no device is +supplied, the list of devices from the af\-packet section in the +yaml is used. +.UNINDENT +.INDENT 0.0 +.TP +.B \-q +Run inline of the NFQUEUE queue ID provided. May be provided +multiple times. +.UNINDENT +.INDENT 0.0 +.TP +.B \-s +With the \-s option you can set a file with signatures, which will +be loaded together with the rules set in the yaml. +.UNINDENT +.INDENT 0.0 +.TP +.B \-S +With the \-S option you can set a file with signatures, which will +be loaded exclusively, regardless of the rules set in the yaml. +.UNINDENT +.INDENT 0.0 +.TP +.B \-l +With the \-l option you can set the default log directory. If you +already have the default\-log\-dir set in yaml, it will not be used +by Suricata if you use the \-l option. It will use the log dir that +is set with the \-l option. If you do not set a directory with +the \-l option, Suricata will use the directory that is set in yaml. +.UNINDENT +.INDENT 0.0 +.TP +.B \-D +Normally if you run Suricata on your console, it keeps your console +occupied. You can not use it for other purposes, and when you close +the window, Suricata stops running. If you run Suricata as daemon +(using the \-D option), it runs at the background and you will be +able to use the console for other tasks without disturbing the +engine running. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-runmode +With the \fI\-\-runmode\fP option you can set the runmode that you would +like to use. This command line option can override the yaml runmode +option. +.sp +Runmodes are: \fIworkers\fP, \fIautofp\fP and \fIsingle\fP\&. +.sp +For more information about runmodes see Runmodes in the user guide. +.UNINDENT +.INDENT 0.0 +.TP +.B \-F +Use BPF filter from file. +.UNINDENT +.INDENT 0.0 +.TP +.B \-k [all|none] +Force (all) the checksum check or disable (none) all checksum +checks. 
+.UNINDENT +.INDENT 0.0 +.TP +.B \-\-user= +Set the process user after initialization. Overrides the user +provided in the \fIrun\-as\fP section of the configuration file. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-group= +Set the process group to group after initialization. Overrides the +group provided in the \fIrun\-as\fP section of the configuration file. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-pidfile +Write the process ID to file. Overrides the \fIpid\-file\fP option in +the configuration file and forces the file to be written when not +running as a daemon. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-init\-errors\-fatal +Exit with a failure when errors are encountered loading signatures. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-disable\-detection +Disable the detection engine. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-dump\-config +Dump the configuration loaded from the configuration file to the +terminal and exit. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-dump\-features +Dump the features provided by Suricata modules and exit. Features +list (a subset of) the configuration values and are intended to +assist with comparing provided features with those required by +one or more rules. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-build\-info +Display the build information the Suricata was built with. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-list\-app\-layer\-protos +List all supported application layer protocols. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-list\-keywords=[all|csv|] +List all supported rule keywords. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-list\-runmodes +List all supported run modes. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-set = +Set a configuration value. Useful for overriding basic +configuration parameters. For example, to change the default log +directory: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +\-\-set default\-log\-dir=/var/tmp +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This option cannot be used to add new entries to a list in the +configuration file, such as a new output. 
It can only be used to +modify a value in a list that already exists. +.sp +For example, to disable the \fBeve\-log\fP in the default +configuration file: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +\-\-set outputs.1.eve\-log.enabled=no +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Also note that the index values may change as the \fBsuricata.yaml\fP +is updated. +.sp +See the output of \fB\-\-dump\-config\fP for existing values that could +be modified with their index. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-engine\-analysis +Print reports on analysis of different sections in the engine and +exit. Please have a look at the conf parameter engine\-analysis on +what reports can be printed +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-unix\-socket= +Use file as the Suricata unix control socket. Overrides the +\fIfilename\fP provided in the \fIunix\-command\fP section of the +configuration file. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-reject\-dev= +Use \fIdevice\fP to send out RST / ICMP error packets with +the \fIreject\fP keyword. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-pcap\-buffer\-size= +Set the size of the PCAP buffer (0 \- 2147483647). +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-netmap[=] +Enable capture of packet using NETMAP on FreeBSD or Linux. If no +device is supplied, the list of devices from the netmap section +in the yaml is used. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-pfring[=] +Enable PF_RING packet capture. If no device provided, the devices in +the Suricata configuration will be used. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-pfring\-cluster\-id +Set the PF_RING cluster ID. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-pfring\-cluster\-type +Set the PF_RING cluster type (cluster_round_robin, cluster_flow). +.UNINDENT +.INDENT 0.0 +.TP +.B \-d +Run inline using IPFW divert mode. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-dag +Enable packet capture off a DAG card. If capturing off a specific +stream the stream can be select using a device name like +"dag0:4". 
This option may be provided multiple times read off +multiple devices and/or streams. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-napatech +Enable packet capture using the Napatech Streams API. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-erf\-in= +Run in offline mode reading the specific ERF file (Endace +extensible record format). +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-simulate\-ips +Simulate IPS mode when running in a non\-IPS mode. +.UNINDENT +.SH OPTIONS FOR DEVELOPERS +.INDENT 0.0 +.TP +.B \-u +Run the unit tests and exit. Requires that Suricata be configured +with \fI\-\-enable\-unittests\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B \-U, \-\-unittest\-filter=REGEX +With the \-U option you can select which of the unit tests you want +to run. This option uses REGEX. Example of use: suricata \-u \-U +http +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-list\-unittests +Lists available unit tests. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-fatal\-unittests +Enables fatal failure on a unit test error. Suricata will exit +instead of continuing more tests. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-unittests\-coverage +Display unit test coverage report. +.UNINDENT +.SH SIGNALS +.sp +Suricata will respond to the following signals: +.sp +SIGUSR2 +.INDENT 0.0 +.INDENT 3.5 +Causes Suricata to perform a live rule reload. +.UNINDENT +.UNINDENT +.sp +SIGHUP +.INDENT 0.0 +.INDENT 3.5 +Causes Suricata to close and re\-open all log files. This can be +used to re\-open log files after they may have been moved away by +log rotation utilities. +.UNINDENT +.UNINDENT +.SH FILES AND DIRECTORIES +.INDENT 0.0 +.TP +.B /usr/local/etc/suricata/suricata.yaml +Default location of the Suricata configuration file. +.TP +.B /usr/local/var/log/suricata +Default Suricata log directory. 
+.UNINDENT +.SH EXAMPLES +.sp +To capture live traffic from interface \fIeno1\fP: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +suricata \-i eno1 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +To analyze a pcap file and output logs to the CWD: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +suricata \-r /path/to/capture.pcap +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +To capture using \fIAF_PACKET\fP and override the flow memcap setting from the \fIsuricata.yaml\fP: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +suricata \-\-af\-packet \-\-set flow.memcap=1gb +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +To analyze a pcap file with a custom rule file: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +suricata \-r /pcap/to/capture.pcap \-S /path/to/custom.rules +.ft P +.fi +.UNINDENT +.UNINDENT +.SH BUGS +.sp +Please visit Suricata\(aqs support page for information about submitting +bugs or feature requests. +.SH NOTES +.INDENT 0.0 +.IP \(bu 2 +Suricata Home Page +.INDENT 2.0 +.INDENT 3.5 +\fI\%https://suricata\-ids.org/\fP +.UNINDENT +.UNINDENT +.IP \(bu 2 +Suricata Support Page +.INDENT 2.0 +.INDENT 3.5 +\fI\%https://suricata\-ids.org/support/\fP +.UNINDENT +.UNINDENT +.UNINDENT +.SH COPYRIGHT +2016-2019, OISF +.\" Generated by docutils manpage writer. +. diff --git a/suricata.README.Debian b/suricata.README.Debian new file mode 100644 index 00000000..161bdfa3 --- /dev/null +++ b/suricata.README.Debian 
@@ -0,0 +1,76 @@ +Suricata for Debian +------------------- + +The engine is an Open Source Next Generation Intrusion Detection and +Prevention Tool, not intended to just replace or emulate the existing tools in +the industry, but to bring new ideas and technologies to the field. + +To run the engine with default configuration on interface eth0 (in live mode), +run the following command (as root): + suricata -c /etc/suricata/suricata.yaml -i eth0 + +To run in live NFQUEUE mode, use (as root): + suricata -c /etc/suricata/suricata.yaml -q $QUEUE_ID + +You can also run suricata on a PCAP file: + suricata -c /etc/suricata/suricata.yaml -r file.pcap + + +Daemon system integration +------------------------- + +The suricata daemon comes preconfigured to run as a system daemon with systemd. + +You can start/stop the daemon with: + % sudo systemctl start suricata.service + % sudo systemctl stop suricata.service + +You should copy /lib/systemd/system/suricata.service to +/etc/systemd/system/suricata.service and adapt the configuration to your needs. + +The sysvinit script and related files (/etc/init.d/suricata and +/etc/default/suricata) will be eventually discarted at some point in the +future. The /etc/default/suricata file is ignored by the default +suricata.service file. + +By now, there is no integration between suricata and libsystemd (so, options +like the watchdog are not supported). + + +Updating Rules +-------------- + +The default configuration use the snort-rules-default package (with all rules loaded), +and all logging modules activated. +You should edit /etc/suricata/suricata.yaml and adjust it to fit your needs. + +Using rules from the snort-rules-default package will not provide up-to-date +rules. The recommended method is to install oinkmaster, configure it to get +Emerging Threats (ET), ET Pro or VRT rules. 
+ +Edit ``/etc/oinkmaster.conf`` and use the following URL: + + http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz + +For more help, see +https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster + + -- Pierre Chifflier Thu, 17 Nov 2011 22:58:00 +0100 + +Using suricata-oinkmaster +------------------------- + +The package 'suricata-oinkmaster' deploys a pre-configured system to allow +easy auto-update of suricata rules daily using oinkmaster. + +There is a config file /etc/suricata/suricata-oinkmaster.conf which contains +the oinkmaster configuration for the auto-update. +Also, there is a cronjob at /etc/cron.daily/suricata-oinkmaster-updater which +calls oinkmaster and the suricatasc to reload the rules. + +Of course, this requires: + * suricata daemon running + * network access to download rules + * suricatasc working (ie, suricata running with unix socket) + + -- Arturo Borrero Gonzalez July 2016 diff --git a/suricata.default b/suricata.default new file mode 100644 index 00000000..330dc591 --- /dev/null +++ b/suricata.default @@ -0,0 +1,26 @@ +# Default config for Suricata + +# set to yes to start the server in the init.d script +RUN=no + +# Configuration file to load +SURCONF=/etc/suricata/suricata.yaml + +# Listen mode: pcap, nfqueue or af-packet +# depending on this value, only one of the two following options +# will be used (af-packet uses neither). +# Please note that IPS mode is only available when using nfqueue +LISTENMODE=nfqueue + +# Interface to listen on (for pcap mode) +IFACE=eth0 + +# Queue number to listen on (for nfqueue mode) +NFQUEUE=0 + +# Load Google TCMALLOC if libtcmalloc-minimal4 is installed +# This _might_ give you very very small performance gain.... +TCMALLOC="YES" + +# Pid file +PIDFILE=/var/run/suricata.pid diff --git a/suricata.dirs b/suricata.dirs new file mode 100644 index 00000000..1d78110d --- /dev/null +++ b/suricata.dirs @@ -0,0 +1,2 @@ +etc/suricata +var/log/suricata 
diff --git a/suricata.init b/suricata.init new file mode 100644 index 00000000..951e42af --- /dev/null +++ b/suricata.init 
@@ -0,0 +1,167 @@ +#!/bin/sh -e +# +### BEGIN INIT INFO +# Provides: suricata +# Required-Start: $time $network $local_fs $remote_fs +# Required-Stop: $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Next Generation IDS/IPS +# Description: Intrusion detection system that will +# capture traffic from the network cards and will +# match against a set of known attacks. +### END INIT INFO + +# Source function library. +. /lib/lsb/init-functions + +if test -f /etc/default/suricata; then + . /etc/default/suricata +else + echo "/etc/default/suricata is missing... bailing out!" >&2 + exit 1 +fi + +# We'll add up all the options above and use them +NAME=suricata +DAEMON=/usr/bin/$NAME + +# Use this if you want the user to explicitly set 'RUN' in +# /etc/default/ +if [ "x$RUN" != "xyes" ] ; then + log_failure_msg "$NAME disabled, please adjust the configuration to your needs " + log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it." + exit 0 +fi + +check_root() { + if [ "$(id -u)" != "0" ]; then + log_failure_msg "You must be root to start, stop or restart $NAME." + exit 4 + fi +} + +check_nfqueue() { + if [ ! \( -e /proc/net/netfilter/nfnetlink_queue -o -e /proc/net/netfilter/nf_queue \) ]; then + log_warning_msg "NFQUEUE support not found !" + log_warning_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel" + fi +} + +check_run_dir() { + if [ ! 
-d /var/run/suricata ]; then + mkdir /var/run/suricata + chmod 0755 /var/run/suricata + fi +} + +load_libtcmalloc_minimal() { + lib="/usr/lib/libtcmalloc_minimal.so.4" + + if [ -f "$lib" ] && [ "x$TCMALLOC" = "xYES" ]; then + export LD_PRELOAD="$lib" + fi +} + +check_root + +case "$LISTENMODE" in +nfqueue) + IDMODE="IPS (nfqueue)" + LISTEN_OPTIONS=" -q $NFQUEUE" + check_nfqueue + ;; +pcap) + IDMODE="IDS (pcap)" + LISTEN_OPTIONS=" -i $IFACE" + ;; +af-packet) + IDMODE="IDS (af-packet)" + LISTEN_OPTIONS=" --af-packet" + ;; +*) + echo "Unsupported listen mode $LISTENMODE, aborting" + exit 1 + ;; +esac + +SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D" + +# See how we were called. +case "$1" in +start) + if [ -f $PIDFILE ]; then + PID1=$(cat $PIDFILE) + if kill -0 "$PID1" 2>/dev/null; then + echo "$NAME is already running with PID $PID1" + exit 0 + fi + fi + check_run_dir + echo -n "Starting suricata in $IDMODE mode..." + load_libtcmalloc_minimal + $DAEMON $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log 2>&1 & + echo " done." + ;; +stop) + echo -n "Stopping suricata: " + if [ -f $PIDFILE ]; then + PID2=$(cat $PIDFILE) + else + echo " No PID file found; not running?" + exit 0; + fi + start-stop-daemon --oknodo --stop --quiet --pidfile=$PIDFILE --exec $DAEMON + if [ -n "$PID2" ]; then + kill "$PID2" + ret=$? + sleep 2 + if kill -0 "$PID2" 2>/dev/null; then + ret=$? + echo -n "Waiting . " + cnt=0 + while kill -0 "$PID2" 2>/dev/null; do + ret=$? + cnt=$(expr "$cnt" + 1) + if [ "$cnt" -gt 10 ]; then + kill -9 "$PID2" + break + fi + sleep 2 + echo -n ". " + done + fi + fi + if [ -e $PIDFILE ]; then + rm $PIDFILE > /dev/null 2>&1 + fi + echo " done." + ;; +status) + # Check if running... + if [ -s $PIDFILE ]; then + PID3=$(cat $PIDFILE) + if kill -0 "$PID3" 2>/dev/null; then + echo "$NAME is running with PID $PID3" + exit 0 + else + echo "PID file $PIDFILE exists, but process not running!" + fi + else + echo "$NAME not running!" 
+ fi + ;; +restart) + $0 stop + $0 start + ;; +force-reload) + $0 stop + $0 start + ;; +*) + echo "Usage: $0 {start|stop|restart|status}" + exit 1 +esac + +exit 0 diff --git a/suricata.install b/suricata.install new file mode 100644 index 00000000..ff5a3df1 --- /dev/null +++ b/suricata.install @@ -0,0 +1,6 @@ +etc/classification.config /etc/suricata +etc/reference.config /etc/suricata +rules/*.rules /etc/suricata/rules +suricata.yaml /etc/suricata +threshold.config /etc/suricata +/usr/bin/suricata diff --git a/suricata.lintian-overrides b/suricata.lintian-overrides new file mode 100644 index 00000000..adcdcb59 --- /dev/null +++ b/suricata.lintian-overrides @@ -0,0 +1,3 @@ +# these are eBPF files +suricata: binary-from-other-architecture usr/lib/suricata/ebpf/* +suricata: unstripped-binary-or-object usr/lib/suricata/ebpf/* diff --git a/suricata.logrotate b/suricata.logrotate new file mode 100644 index 00000000..e318d1c6 --- /dev/null +++ b/suricata.logrotate @@ -0,0 +1,12 @@ +/var/log/suricata/*.log +/var/log/suricata/*.json +{ + rotate 14 + missingok + compress + copytruncate + sharedscripts + postrotate + /bin/kill -HUP $(cat /var/run/suricata.pid) + endscript +} diff --git a/suricata.maintscript b/suricata.maintscript new file mode 100644 index 00000000..a700bfc1 --- /dev/null +++ b/suricata.maintscript @@ -0,0 +1,2 @@ +# Rename file +mv_conffile /etc/suricata/suricata-debian.yaml /etc/suricata/suricata.yaml 3.1-1 suricata diff --git a/suricata.manpages b/suricata.manpages new file mode 100644 index 00000000..042b28b7 --- /dev/null +++ b/suricata.manpages @@ -0,0 +1,4 @@ +debian/suricata.1 +debian/suricatasc.1 +debian/suricatactl.1 +debian/suricatactl-filestore.1 diff --git a/suricata.preinst b/suricata.preinst new file mode 100644 index 00000000..50f71178 --- /dev/null +++ b/suricata.preinst 
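Review bot: In the `stop` branch the PID read from `$PIDFILE` is signalled with `kill "$PID2"` and, after ten retries, `kill -9 "$PID2"` without any check that the process is still suricata; the `start-stop-daemon --exec $DAEMON` call on the preceding line is the checked path, and after a crash a stale pidfile can name an unrelated process that reused the PID. Let start-stop-daemon own the escalation instead of the manual loop: `start-stop-daemon --oknodo --stop --quiet --retry=TERM/20/KILL/5 --pidfile="$PIDFILE" --exec "$DAEMON"`, then drop the `kill`/`kill -9` loop, which also removes the `expr` counter. Note too that the `-e` in `#!/bin/sh -e` is lost when the script is invoked as `sh /etc/init.d/suricata`; an explicit `set -e` after the shebang is the robust form. `$PIDFILE` is unquoted in every `[ -f $PIDFILE ]` test and in `rm $PIDFILE`; quoting it costs nothing.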
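Review bot: The postrotate line `/bin/kill -HUP $(cat /var/run/suricata.pid)` has no guard for a missing or empty pidfile: when suricata is stopped, `cat` fails and `kill -HUP` runs with no argument, so postrotate exits non-zero and logrotate reports an error on every rotation. Guard it: `if [ -s /run/suricata.pid ]; then /bin/kill -HUP "$(cat /run/suricata.pid)"; fi`. The unit file in this same commit writes the pidfile as `/run/suricata.pid`, while this file and the `PIDFILE=` line in suricata.default still say `/var/run/suricata.pid`; on Debian `/var/run` is a symlink to `/run`, so both resolve today, but one spelling across the package removes the dependency on that.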
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+# we do not need alternatives anymore
+if update-alternatives --quiet --query suricata 2> /dev/null; then
+ echo "Removing legacy alternatives for Hyperscan/non-Hyperscan versions"
+ update-alternatives --remove-all suricata
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/suricata.service b/suricata.service
new file mode 100644
index 00000000..ca2fda88
--- /dev/null
+++ b/suricata.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Suricata IDS/IDP daemon
+After=network.target network-online.target
+Requires=network-online.target
+Documentation=man:suricata(8) man:suricatasc(8)
+Documentation=https://suricata-ids.org/docs/
+
+[Service]
+Type=forking
+#Environment=LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.4
+PIDFile=/run/suricata.pid
+ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid
+ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID
+ExecStop=/usr/bin/suricatasc -c shutdown
+Restart=on-failure
+ProtectSystem=full
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/suricatactl-filestore.1 b/suricatactl-filestore.1
new file mode 100644
index 00000000..19cc2036
--- /dev/null
+++ b/suricatactl-filestore.1
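Review bot: `Documentation=man:suricata(8) man:suricatasc(8)` refers to section 8, but this commit installs both pages in section 1 (`debian/suricata.1` and `debian/suricatasc.1` in suricata.manpages, and `.TH "SURICATA" "1"` in the page itself), so `systemctl help suricata` will look up pages that do not exist; change it to `Documentation=man:suricata(1) man:suricatasc(1)`. The `ExecReload` line chains `suricatasc -c reload-rules` and `/bin/kill -HUP $MAINPID` with `;`, which systemd accepts as a command separator; a one-line comment above it saying the HUP is there to reopen log files (the behaviour the suricata(1) page in this commit documents for SIGHUP) would save the next reader the lookup.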
@@ -0,0 +1,94 @@ +.\" Man page generated from reStructuredText. +. +.TH "SURICATACTL-FILESTORE" "1" "Nov 08, 2020" "6.0.1" "Suricata" +.SH NAME +suricatactl-filestore \- Perform actions on filestore +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBsuricatactl filestore\fP [\-h] [] +.SH DESCRIPTION +.sp +This command lets you perform certain operations on Suricata filestore. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-h +.UNINDENT +.sp +Get help about the available commands. +.SH COMMANDS +.sp +\fBprune [\-h|\-\-help] [\-n|\-\-dry\-run] [\-v|verbose] [\-q|\-\-quiet] \-d +\-\-age \fP +.sp +Prune files older than a given age. +.sp +\-d | \-\-directory is a required argument which tells +that user must provide the suricata filestore directory on which all the +specified operations are to be performed. +.sp +\-\-age is a required argument asking the age of the files. Files older +than the age mentioned with this option shall be pruned. +.sp +\-h | \-\-help is an optional argument with which you can ask for help about the +command usage. +.sp +\-n | \-\-dry\-run is an optional argument which makes the utility print only what +would happen +.sp +\-v | \-\-verbose is an optional argument to increase the verbosity of command. +.sp +\-q | \-\-quiet is an optional argument that helps log errors and warnings only +and keep silent about everything else. 
+.SH BUGS +.sp +Please visit Suricata\(aqs support page for information about submitting +bugs or feature requests. +.SH NOTES +.INDENT 0.0 +.IP \(bu 2 +Suricata Home Page +.INDENT 2.0 +.INDENT 3.5 +\fI\%https://suricata\-ids.org/\fP +.UNINDENT +.UNINDENT +.IP \(bu 2 +Suricata Support Page +.INDENT 2.0 +.INDENT 3.5 +\fI\%https://suricata\-ids.org/support/\fP +.UNINDENT +.UNINDENT +.UNINDENT +.SH COPYRIGHT +2016-2019, OISF +.\" Generated by docutils manpage writer. +. diff --git a/suricatactl.1 b/suricatactl.1 new file mode 100644 index 00000000..298d8c38 --- /dev/null +++ b/suricatactl.1 
@@ -0,0 +1,73 @@ +.\" Man page generated from reStructuredText. +. +.TH "SURICATACTL" "1" "Nov 08, 2020" "6.0.1" "Suricata" +.SH NAME +suricatactl \- Suricata Control +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBsuricatactl\fP [\-h] [] +.SH DESCRIPTION +.sp +This tool helps control Suricata\(aqs features. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-h +.UNINDENT +.sp +Get help about the available commands. +.SH COMMANDS +.sp +\fBsuricatactl\-filestore(1)\fP +.SH BUGS +.sp +Please visit Suricata\(aqs support page for information about submitting +bugs or feature requests. +.SH NOTES +.INDENT 0.0 +.IP \(bu 2 +Suricata Home Page +.INDENT 2.0 +.INDENT 3.5 +\fI\%https://suricata\-ids.org/\fP +.UNINDENT +.UNINDENT +.IP \(bu 2 +Suricata Support Page +.INDENT 2.0 +.INDENT 3.5 +\fI\%https://suricata\-ids.org/support/\fP +.UNINDENT +.UNINDENT +.UNINDENT +.SH COPYRIGHT +2016-2019, OISF +.\" Generated by docutils manpage writer. +. diff --git a/suricatasc.1 b/suricatasc.1 new file mode 100644 index 00000000..5bf9e801 --- /dev/null +++ b/suricatasc.1 
@@ -0,0 +1,244 @@ +.\" Man page generated from reStructuredText. +. +.TH "SURICATASC" "1" "Nov 08, 2020" "6.0.1" "Suricata" +.SH NAME +suricatasc \- Tool to interact via unix socket +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBsuricatasc\fP +.SH DESCRIPTION +.sp +Suricata socket control tool +.SH COMMANDS +.INDENT 0.0 +.TP +.B shutdown +Shut Suricata instance down. +.UNINDENT +.INDENT 0.0 +.TP +.B command\-list +List available commands. +.UNINDENT +.INDENT 0.0 +.TP +.B help +Get help about the available commands. +.UNINDENT +.INDENT 0.0 +.TP +.B version +Print the version of Suricata instance. +.UNINDENT +.INDENT 0.0 +.TP +.B uptime +Display the uptime of Suricata. +.UNINDENT +.INDENT 0.0 +.TP +.B running\-mode +Display running mode. This can either be \fIworkers\fP, \fIautofp\fP or \fIsingle\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B capture\-mode +Display the capture mode. This can be either of \fIPCAP_DEV\fP, +\fIPCAP_FILE\fP, \fIPFRING(DISABLED)\fP, \fINFQ\fP, \fINFLOG\fP, \fIIPFW\fP, \fIERF_FILE\fP, +\fIERF_DAG\fP, \fIAF_PACKET_DEV\fP, \fINETMAP(DISABLED)\fP, \fIUNIX_SOCKET\fP or +\fIWINDIVERT(DISABLED)\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B conf\-get +Get configuration value for a given variable. Variable to be provided can be +either of the configuration parameters that are written in suricata.yaml. 
+.UNINDENT +.INDENT 0.0 +.TP +.B dump\-counters +Dump Suricata\(aqs performance counters. +.UNINDENT +.INDENT 0.0 +.TP +.B ruleset\-reload\-rules +Reload the ruleset and wait for completion. +.UNINDENT +.INDENT 0.0 +.TP +.B reload\-rules +Alias .. describe \fIruleset\-reload\-rules\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B ruleset\-reload\-nonblocking +Reload ruleset and proceed without waiting. +.UNINDENT +.INDENT 0.0 +.TP +.B ruleset\-reload\-time +Return time of last reload. +.UNINDENT +.INDENT 0.0 +.TP +.B ruleset\-stats +Display the number of rules loaded and failed. +.UNINDENT +.INDENT 0.0 +.TP +.B ruleset\-failed\-rules +Display the list of failed rules. +.UNINDENT +.INDENT 0.0 +.TP +.B register\-tenant\-handler [hargs] +Register a tenant handler with the specified mapping. +.UNINDENT +.INDENT 0.0 +.TP +.B unregister\-tenant\-handler [hargs] +Unregister a tenant handler with the specified mapping. +.UNINDENT +.INDENT 0.0 +.TP +.B register\-tenant +Register tenant with a particular ID and filename. +.UNINDENT +.INDENT 0.0 +.TP +.B reload\-tenant +Reload a tenant with specified ID and filename. +.UNINDENT +.INDENT 0.0 +.TP +.B unregister\-tenant +Unregister tenant with a particular ID. +.UNINDENT +.INDENT 0.0 +.TP +.B add\-hostbit +Add hostbit on a host IP with a particular bit name and time of expiry. +.UNINDENT +.INDENT 0.0 +.TP +.B remove\-hostbit +Remove hostbit on a host IP with specified IP address and bit name. +.UNINDENT +.INDENT 0.0 +.TP +.B list\-hostbit +List hostbit for a particular host IP. +.UNINDENT +.INDENT 0.0 +.TP +.B reopen\-log\-files +Reopen log files to be run after external log rotation. +.UNINDENT +.INDENT 0.0 +.TP +.B memcap\-set +Update memcap value of a specified item. +.UNINDENT +.INDENT 0.0 +.TP +.B memcap\-show +Show memcap value of a specified item. +.UNINDENT +.INDENT 0.0 +.TP +.B memcap\-list +List all memcap values available. 
+.UNINDENT +.SH PCAP MODE COMMANDS +.INDENT 0.0 +.TP +.B pcap\-file [tenant] [continuous] [delete\-when\-done] +Add pcap files to Suricata for sequential processing. The generated +log/alert files will be put into the directory specified as second argument. +Make sure to provide absolute path to the files and directory. It is +acceptable to add multiple files without waiting the result. +.UNINDENT +.INDENT 0.0 +.TP +.B pcap\-file\-continuous [tenant] [delete\-when\-done] +Add pcap files to Suricata for sequential processing. Directory will be +monitored for new files being added until there is a use of +\fBpcap\-interrupt\fP or directory is moved or deleted. +.UNINDENT +.INDENT 0.0 +.TP +.B pcap\-file\-number +Number of pcap files waiting to get processed. +.UNINDENT +.INDENT 0.0 +.TP +.B pcap\-file\-list +List of queued pcap files. +.UNINDENT +.INDENT 0.0 +.TP +.B pcap\-last\-processed +Processed time of last file in milliseconds since epoch. +.UNINDENT +.INDENT 0.0 +.TP +.B pcap\-interrupt +Terminate the current state by interrupting directory processing. +.UNINDENT +.INDENT 0.0 +.TP +.B pcap\-current +Currently processed file. +.UNINDENT +.SH BUGS +.sp +Please visit Suricata\(aqs support page for information about submitting +bugs or feature requests. +.SH NOTES +.INDENT 0.0 +.IP \(bu 2 +Suricata Home Page +.INDENT 2.0 +.INDENT 3.5 +\fI\%https://suricata\-ids.org/\fP +.UNINDENT +.UNINDENT +.IP \(bu 2 +Suricata Support Page +.INDENT 2.0 +.INDENT 3.5 +\fI\%https://suricata\-ids.org/support/\fP +.UNINDENT +.UNINDENT +.UNINDENT +.SH COPYRIGHT +2016-2019, OISF +.\" Generated by docutils manpage writer. +. diff --git a/tests/control b/tests/control new file mode 100644 index 00000000..189973d2 --- /dev/null +++ b/tests/control 
@@ -0,0 +1,50 @@
+Test-Command: suricata --build-info
+Depends: @
+
+Test-Command: suricatasc -c "version"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: suricatasc -c "command-list"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: suricatasc -c "capture-mode"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: sleep 10 && suricatasc -c "dump-counters"
+Depends: @
+Restrictions: needs-root, isolation-container
+
+Test-Command: suricatasc -c "uptime"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: suricatasc -c "reload-rules"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: suricatasc -c "iface-list"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: suricatasc -c "shutdown"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: sleep 10 && suricatasc -c "running-mode"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Tests: suricata-oinkmaster-updater.sh
+Depends: @, curl
+Restrictions: needs-root, isolation-container, allow-stderr, skippable
+
+Tests: systemd-service-test.sh
+Depends: @, systemd, procps
+Restrictions: needs-root, isolation-container, allow-stderr
+
+Test-Command: src/suricata -u
+Depends: @, @builddeps@, procps, geoip-database
+Restrictions: needs-root, isolation-container, build-needed, allow-stderr
diff --git a/tests/suricata-oinkmaster-updater.sh b/tests/suricata-oinkmaster-updater.sh
new file mode 100644
index 00000000..f71c0f85
--- /dev/null
+++ b/tests/suricata-oinkmaster-updater.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+curl -m 30 -fSs 'https://rules.emergingthreats.net' > /dev/null || exit 77
+suricata-oinkmaster-updater
\ No newline at end of file
diff --git a/tests/systemd-service-test.sh b/tests/systemd-service-test.sh
new file mode 100644
index 00000000..089a8b2e
--- /dev/null
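Review bot: The `|| exit 77` on the curl probe turns every curl failure into a skip, including TLS or certificate errors that would equally break `suricata-oinkmaster-updater`, so a broken trust store on the testbed silently skips the test instead of failing it; only the "no network" outcomes should map to the skippable status. Capture curl's status and treat the resolve, connect and timeout codes as a skip while letting everything else fail: `curl -m 30 -fSs 'https://rules.emergingthreats.net' > /dev/null; rc=$?` followed by `case $rc in 0) ;; 6|7|28) exit 77 ;; *) exit "$rc" ;; esac`. The file also ends without a trailing newline, as the diff marks.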
+++ b/tests/systemd-service-test.sh 
@@ -0,0 +1,130 @@
+#!/bin/sh
+
+set -ex
+
+SERVICE="suricata.service"
+ETC_SERVICE_FILE="/etc/systemd/system/${SERVICE}"
+LIB_SERVICE_FILE="/lib/systemd/system/${SERVICE}"
+CONFIG_FILE="/etc/suricata/suricata.yaml"
+IFACE=$(ip route show | awk '/default/ {print $5}')
+
+if [ ! -r "$LIB_SERVICE_FILE" ] ; then
+ : ERROR unable to read $LIB_SERVICE_FILE
+ exit 1
+fi
+if [ ! -w "$CONFIG_FILE" ] ; then
+ : ERROR unable to write to $CONFIG_FILE
+ exit 1
+fi
+
+systemctl_action()
+{
+ if ! systemctl $1 $SERVICE ; then
+ journalctl -u $SERVICE
+ return 1
+ fi
+ return 0
+}
+
+echo "
+%YAML 1.1
+---
+default-rule-path: /etc/suricata/rules
+rule-files:
+ - tor.rules
+ - http-events.rules
+ - smtp-events.rules
+ - dns-events.rules
+ - tls-events.rules
+classification-file: /etc/suricata/classification.config
+reference-config-file: /etc/suricata/reference.config
+default-log-dir: /var/log/suricata/
+af-packet:
+ - interface: $IFACE
+ cluster-id: 99
+ cluster-type: cluster_flow
+ defrag: yes
+ - interface: default
+ tpacket-v3: yes
+ block-size: 131072
+app-layer:
+ protocols:
+ ssh:
+ enabled: yes
+host-mode: auto
+unix-command:
+ enabled: yes
+ filename: /var/run/suricata-command.socket
+detect:
+ profile: medium
+ custom-values:
+ toclient-groups: 3
+ toserver-groups: 25
+ sgh-mpm-context: auto
+ inspection-recursion-limit: 3000
+ grouping:
+ profiling:
+ grouping:
+ dump-to-disk: false
+ include-rules: false
+ include-mpm-stats: false
+mpm-algo: auto
+spm-algo: auto
+" > $CONFIG_FILE
+
+#
+# before start, package installation may start the daemon
+#
+if systemctl -q is-active $SERVICE ; then
+ : WARNING initial service running, stopping now
+ if ! systemctl_action stop ; then
+ : ERROR cant stop initial service
+ exit 1
+ fi
+fi
+
+#
+# First run of the daemon and basic checks
+#
+if ! systemctl_action start ; then
+ : ERROR cant start the service
+ exit 1
+fi
+sleep 10 # wait for service startup
+systemctl status $SERVICE
+
+#
+# Restart the daemon
+#
+if ! systemctl_action restart ; then
+ : ERROR unable to restart the service
+ exit 1
+fi
+
+sleep 10 # wait for serive startup
+if ! systemctl -q is-active $SERVICE ; then
+ journalctl -u $SERVICE
+ : ERROR service not active after restart
+ exit 1
+fi
+
+#
+# Reload the daemon
+#
+
+: WARNING: Not testing daemon reload: it timeouts in ci.debian.net
+
+#if ! systemctl_action reload ; then
+# : ERROR unable to reload the service
+# exit 1
+#fi
+
+#sleep 10 # wait for service reload
+#if ! systemctl -q is-active $SERVICE ; then
+# journalctl -u $SERVICE
+# : ERROR service not active after reload
+# exit 1
+#fi
+
+: INFO all tests OK
+exit 0
diff --git a/upstream/signing-key.asc b/upstream/signing-key.asc
new file mode 100644
index 00000000..0ca2ef6d
--- /dev/null
+++ b/upstream/signing-key.asc
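Review bot: `IFACE=$(ip route show | awk '/default/ {print $5}')` near the top of the hunk yields an empty string when the testbed has no default route and several newline-separated names when it has more than one, and that value is spliced unquoted into the generated YAML at `- interface: $IFACE`, so the config written to `$CONFIG_FILE` can be malformed before any systemctl check runs; `set -e` does not catch this because the assignment itself succeeds. Take only the first match and fail with a clear message instead: `IFACE=$(ip route show default | awk '{print $5; exit}')` followed by `[ -n "$IFACE" ] || { : ERROR no default interface found; exit 1; }`. The script also overwrites `$CONFIG_FILE` in place with no backup or restore, which the isolation-container restriction in tests/control makes tolerable but deserves a header comment such as `# Destructive: rewrites /etc/suricata/suricata.yaml; only run on a throwaway testbed`. Minor: the comment after the restart reads `# wait for serive startup` (typo for "service").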
@@ -0,0 +1,53 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF8tFVkBEADEEXYv9T6kntaOafPMsBXJPFflcpM4VdXCnEmkY2zcQzfZ+fUB
+kyc6Lh1W07EPd4zGri4Hu9V8nfH5z+23oMmvVrUgbwU62u7ioUhMEpEtLbaLCWL9
+6HSlA4XWwjJhALXKFNMWtWT5BiHHty4jXvLl/KlbYtNrV+BuWDZsSiCRto134His
+Uozb82Yp76qhxdFXdUkXa7PYXJ40EYg9du4Z2l8qP3VWjDHDDrXtoChIgnTmkXkF
+0AdNx9jd9OSugQbJMqi7IV2wvA4xErKMujL+7ytxdMsV0WS39dPOn1mPclYLlnq6
+XDaXcVcHpXOQfC0qniKAHA9ngdKPPG5aJ7DqnZx+G4HBOAf0qnqCT2HBzvJovDuF
+7LdITO+nUiuThlh26oIoRqOfFgIAKDO+F/fRFIJYFt7q5OEwiL9HmlR7UrjLyHb8
+TqWhxocZHvP0ex6qTFMlUOZFaLVD/OC0lMFZDtHNfWIyWLmRIP4CGYia7RDyEEvn
+rHqK7NCF93K5UNUuBZmWNZ5r7/wKccLSYz7wAgkeWaKBAX7bQLspTZUYOOd8Kf5+
+uYlkLd1ju1wHqR7MrVb8/l6Q7cEIpLj+1ou6HeEsKyH1oZ8BQVzkVWIHmz7gaumV
+RKiycSnGqi8UnlFRUbZTW5ChLb7BL+ncBI3MuvrXvB6Ps7RlDPBD4D5AJQARAQAB
+tFBPcGVuIEluZm9ybWF0aW9uIFNlY3VyaXR5IEZvdW5kYXRpb24gKE9JU0YpIDxy
+ZWxlYXNlc0BvcGVuaW5mb3NlY2ZvdW5kYXRpb24ub3JnPokCVAQTAQoAPhYhBLNv
+2vJgfhDo/6ieXiupyYzN8ek6BQJfLRVZAhsDBQkJZgGABQsJCAcCBhUKCQgLAgQW
+AgMBAh4BAheAAAoJECupyYzN8ek6BAMP/jbjbJgNNYHQpueS6q7Jx1pNsDJ0Iqlr
+2AIfrvMAkvNCQALWMoKsSPYbx+lLhTMKP48wwUTu4PcagaZ74W41kFAHN6ituIeY
+QJ7nyNaccu4KRMLvWsL/LVimGIfQZDWgGvJd/ggAXZcCeSiWblCqs7isGpGwGktv
+O6M824BZo2tmqBOtcL/nn3xD5v3dOM2uUr4N7qEmVQgJpYY/d5GNy2576jLT1EQ7
+Nq8VW0b76yZ7SQqX/mRA3KGJRi3/qnXsuxDdQd8hzxr4+QnH1cFjYtwsJlzzf2gm
+87ZbcuNf/BccH0Nt/hRkm7wIfJgXADKdCUAb60F6Ov95+aZ4hpK/Q6jJcCF9WSEZ
+UjklpYzWhSoC5AvqKcLOOnfLGfdF+gKwCD+hLvBwtkDZyYnLSkaKQ3eWbesoZnl0
+uDZAgy+4UCsh4c6DmtF2YeByybmd+cOfxZqRNIGUzC5u5ROsulB4gNjCtaTrY2ug
+r0br16ypXHA8M3PB+EAF08pg1PNETecdQ+uWZmYn2vAAi0lh1YREuIaFK+P5RziU
+m1uwfmsTEy7xnrHfWTZyiWdDCsjhppRiUNCqXh76ChDh2cNbiiGK7EgNLeUEyplx
+s60hfa4Ht0tmo3S3R2JRs4Usn0fKigR1Vv589qjDI1DNbFC/01/IFXrKjERzdm20
+ruUEU7TOqiUwuQINBF8tFVkBEADCAk7fTNtLlFDOAmXNxW+5ILRBehswEaZvAN5J
+rhc9bz4dMSWQajprEAl8HFRctEUkYHyi7cwcUPrelhwjnxOH3LuVeLLtm9i3wTCX
+NUvHeOWr4DBLYnwiYZ6t7U+Isd/IQRTo9l1vBEwdMOAs7FfqSmoGvJspd42dOi4r
+ph6JNss4FE5GTrb4oTx0ZrAIh7mT17e16TZywrZWKFZnl+G/YqmSolGtOrkhzm18
+l3mTa/v4hq4u+ZS8Qd9ng62sl8Ls5Krx3JCBdxn849WRJ6myS7R+hvQeLR9YH/YL
+ioUVzxHXmF2xlENYsbEsVAEsHUb2G5Ot+uQcUpC2u9uzw05L+zhCbd4ffW5eTsGv
+d51LvBMV1b0VUjWEmTgzqFNI5ElBnpjZ3W2eiAAWrLnGACO5Lxzf5VeWYaTDJo8O
+GBYSoHovjYrFI8ZQq7J1skM/YBXROTb4zSc8rL1w81VFLvFu6lOzIA15s5iLRko7
+LSKKom04Q8BNZ1nUydlxvo/5fu4VGYtWMliWUOIePIMT1EgBqYDfQyZ/h4gSMc7j
+jgb2JDfq/7WueoVTy8CNuOzewRYQOU/5P34o341Q0WO2tFNrohUqG9oDHf3Fj8eg
+VwWuRv+eDUmgbpisqVoj2hH1PM45Hcp62RHJasMWUmPIlCNKfvd8+fj3+zjaAN8r
+4Fv0YwARAQABiQI8BBgBCgAmFiEEs2/a8mB+EOj/qJ5eK6nJjM3x6ToFAl8tFVkC
+GwwFCQlmAYAACgkQK6nJjM3x6TpE0Q/7B31BrekzAIqV4gu6wE6xXe4GwzHYsQjW
+MJ0zQFXy3xPeRwVuFhfEOfX23HIpzvlM5h8OJCyifYu8vpbjqJ0/bEoUIERjQ0qe
+24H8tETRWsF5xRn8FwItdU+8dBsdH77JopAf3qmKPi6PZoobb0mf6mvqK/ootiIg
+8ATzbaIizw5oa4XZsjOwTh9vP7/VUAD7I8i2sxjw4BzLI9Ee4Mx+3ei95TQEXdRl
+jLEIH+2DLkKZTY1czfMuWAJsWpE+xewVBgm6zB0eS51HPZAhSaMmJefJeybnG4Er
+MFdWPPMXzNbr056TQzL1WIdHvB3SLSnA+MSHI8tp3LpHIqHibL1HQpUwDZo1G7jK
+hXcfEMAjwVJInNPOKJo93+mgTOqt0HZvnrGtFpUGBWivGLXguDW/m++Cv7hY3M7g
+I48G8dSmATEfyC0zaMACD2xmfjg86gkWsgio1Hpym/4oVDBVdT7CEXuN53QsQH5Y
+4XlEJh2l/fDMBAqtPmOkH6Zl3v6PLnzrkDbVEl1Nid/Oak6h6RSbAaI+uSACPTMq
+bHEYDF5K/2N6gu6/6aS6JzgCqr7G63Jghh1NtoKzmDfMl2nVL2virZDREUP7tBGa
+HegFin/SNaQ/vyu4kp/Y0Q6/BnN8Pa/1ngrkxwu/fAm4wq0DNArbf15fjCC0AgYZ
+z9qESk6L8Cs=
+=Rr5U
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/watch b/watch
new file mode 100644
index 00000000..63b16c9f
--- /dev/null
+++ b/watch
@@ -0,0 +1,8 @@
+# watch control file for uscan
+# run the "uscan" command to check for upstream updates and more.
+# See uscan(1) for format
+
+# Compulsory line, this is a version 3 file
+version=3
+
+opts=pgpsigurlmangle=s/$/.sig/ https://openinfosecfoundation.org/download/ suricata-([\d\.]*)\.tar\.gz
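Review bot: The version capture `([\d\.]*)` in the last line of the watch file accepts an empty version, so a file named just `suricata-.tar.gz` would match and sort as a candidate; `([\d.]+)` is tighter, and `.` needs no escaping inside a bracket expression. The `pgpsigurlmangle=s/$/.sig/` option is what makes uscan verify each download against upstream/signing-key.asc from this import, so keep it if the file is modernised from `version=3` to the current format version 4, and update the `# Compulsory line, this is a version 3 file` comment alongside the number.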