--- /dev/null
--- /dev/null
++#!/bin/bash
++
++# this script prints 'true' if any ancestor process name is any of $REGEXPS
++
++REGEXPS="debci autopkgtest adt"
++
++set -e
++
++walk()
++{
++ pid=$1
++
++ [ ! -r /proc/$pid/cmdline ] && exit 1
++
++ name=$(ps -p $pid -o cmd | tail -1)
++ for exp in $REGEXPS
++ do
++ if grep -e $exp <<< $name >/dev/null ; then
++ echo true
++ exit
++ fi
++ done
++
++ ppid=$(ps -o ppid= $pid | tr -d ' ')
++ walk $ppid
++}
++
++walk $$
--- /dev/null
--- /dev/null
++suricata (1:7.0.10-1+deb13u3) trixie; urgency=medium
++
++ * Fix CVE-2026-22258 in 7.0.10.
++ Cherry-Picked from:
++ * f82a388d0283725cb76782cf64e8341cab370830
++ * df389f8a43a06c718bb336ea082d6c80d6fefda0
++ * c9b80e5affe073ce9d95d0c935a8d67647c83bf7
++ * Fix CVE-2026-22262 in 7.0.10.
++ Cherry-Picked from:
++ * 32609e6896f9079c175665a94005417cec7637eb
++ * 27a2180bceaa3477419c78c54fce364398d011f1
++ * Fix CVE-2026-22264 in 7.0.10.
++ Cherry-Picked from 5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2.
++ * Fix CVE-2026-22259 in 7.0.10.
++ Cherry-Picked from:
++ * 63225d5f8ef64cc65164c0bb1800730842d54942
++ * 635af8dc8be09667689be71d781912718ca1aa49
++ * fdd79bdb14488244604729f1d68ca4bc60000dbd
++ * a6d950315d9b6c1e35c10c24d9bb7128d422c21f
++ With this fix, DNP3 has reduced the default maximum number of
++ outstanding transactions from 500 down to 32.
++ Read the update instructions for Suricata 7.0.14 for more details.
++ * Fix CVE-2026-22261 in 7.0.10.
++ Cherry-Picked from:
++ * 44d0c81f537f230e9215c769453fb4d7214217a1
++ * 7e704a3f50690b5f5d5cc573147ef41449fe37ac
++
++ -- Andreas Dolp <dev@andreas-dolp.de> Sun, 22 Feb 2026 13:28:52 +0100
++
++suricata (1:7.0.10-1+deb13u2) trixie; urgency=medium
++
++ * Fix CVE-2025-64344 in 7.0.10.
++ Cherry-Picked from upstream a7ff4c9ba53009680c7cd128b16c28d0aeda9886.
++ * Fix CVE-2025-64333 in 7.0.10.
++ Cherry-Picked from upstream 4b1d284bb57219b6677a8bda5cdc14a24a6aa22d.
++ * Fix CVE-2025-64332 in 7.0.10.
++ Cherry-Picked from upstream f67d72702a2601d0a86ac1450686e70d7176f629.
++ * Fix CVE-2025-64331 in 7.0.10.
++ Cherry-Picked from upstream 5abf9b81e78476f49ab074f3a74b5840747cd069.
++ Added missing function declaration and refreshed patch by quilt.
++ * Fix CVE-2025-64330 in 7.0.10.
++ Cherry-Picked from upstream 5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc.
++
++ -- Andreas Dolp <dev@andreas-dolp.de> Wed, 10 Dec 2025 20:12:20 +0100
++
++suricata (1:7.0.10-1+deb13u1) trixie; urgency=medium
++
++ * Fix CVE-2025-53538 in 7.0.10.
++ Cherry-Picked from upstream 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.
++ Closes: #1109806
++ Reference: #1116945
++ * Fix CVE-2025-59147 in 7.0.10.
++ Cherry-Picked from upstream e91b03c90385db15e21cf1a0e85b921bf92b039e
++ and slightly modified to fit for Suricata 7.0.10.
++ Reference: #1119940
++
++ -- Andreas Dolp <dev@andreas-dolp.de> Sat, 27 Sep 2025 21:43:45 +0200
++
++suricata (1:7.0.10-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 26 Mar 2025 09:28:20 +0100
++
++suricata (1:7.0.9-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Bump versioned libhtp dependency to 0.5.50 or later.
++
++ -- Sascha Steinbiss <satta@debian.org> Tue, 18 Mar 2025 18:15:01 +0100
++
++suricata (1:7.0.8-2) unstable; urgency=medium
++
++ * Drop dpkg depencency from Pre-Depends.
++ Thanks to Guillem Jover for noticing this.
++ Closes: #1100109
++ * Use dpkg-query instead of apt-cache in debian/rules.
++ Thanks to Jochen Sprickerhof for pointing this out.
++ Closes: #1100051
++
++ -- Sascha Steinbiss <satta@debian.org> Sat, 15 Mar 2025 14:37:24 +0100
++
++suricata (1:7.0.8-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Sascha Steinbiss <satta@debian.org> Fri, 13 Dec 2024 09:29:46 +0100
++
++suricata (1:7.0.7-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Bump versioned libhtp dependency to 0.5.49 or later.
++
++ -- Sascha Steinbiss <satta@debian.org> Mon, 14 Oct 2024 10:48:09 +0200
++
++suricata (1:7.0.6-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Re-enable tests.
++ * Bump copyright date for debian/ directory.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 27 Jun 2024 14:29:40 +0200
++
++suricata (1:7.0.5-2) unstable; urgency=medium
++
++ * Disable tests that need builds for now.
++ Meant to remove one of the roadblocks towards testing migration.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 24 Apr 2024 23:01:32 +0200
++
++suricata (1:7.0.5-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Bump versioned libhtp dependency to 0.5.48 or later.
++ * Remove (probably buggy) Rust constraint from d/rules.
++
++ -- Sascha Steinbiss <satta@debian.org> Tue, 23 Apr 2024 15:12:33 +0200
++
++suricata (1:7.0.4-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Bump versioned libhtp dependency to 0.5.47 or later.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 20 Mar 2024 13:41:22 +0100
++
++suricata (1:7.0.3-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 08 Feb 2024 23:22:40 +0100
++
++suricata (1:7.0.2-2) unstable; urgency=medium
++
++ * Enable DPDK feature and add dependencies on archs that support it.
++ Closes: #1061762
++
++ -- Sascha Steinbiss <satta@debian.org> Fri, 02 Feb 2024 20:35:20 +0100
++
++suricata (1:7.0.2-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 19 Oct 2023 19:30:48 +0200
++
++suricata (1:7.0.1-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Sascha Steinbiss <satta@debian.org> Fri, 15 Sep 2023 21:18:47 +0200
++
++suricata (1:7.0.0-2) unstable; urgency=medium
++
++ * Fix FTBFS on armel and mipsel by fixing -latomic addition in LDFLAGS.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 20 Jul 2023 11:03:07 +0200
++
++suricata (1:7.0.0-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Drop Arturo Borrero Gonzalez from Uploaders at his request.
++ * Use new project website at suricata.io.
++ * Remove patches applied upstream.
++ * Change PCRE lib dependency to libpcre2.
++ * Bump versioned libhtp dependency to 0.5.45 or later.
++ * Bump versioned Rust dependency to 1.61 or later.
++ * Bump watchfile to version 4.
++ * Remove obsolete dependency on lsb-base.
++ * Remove obsolete entries in d/copyright.
++ * Remove versions in Conflicts/Replaces.
++ * Remove obsolete dh_strip override.
++ * Bump d/copyright dates.
++ * Update/fix Lintian overrides regarding eBPF file distribution.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 19 Jul 2023 10:14:37 +0200
++
++suricata (1:6.0.13-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Raise libhtp minimum dependency version to 0.5.44.
++ * Bump Standards-Version.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 15 Jun 2023 23:45:03 +0200
++
++suricata (1:6.0.12-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Sascha Steinbiss <satta@debian.org> Tue, 09 May 2023 15:58:02 +0200
++
++suricata (1:6.0.11-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Raise libhtp minimum dependency version to 0.5.43.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 13 Apr 2023 23:53:02 +0200
++
++suricata (1:6.0.10-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Drop patch applied upstream.
++
++ -- Sascha Steinbiss <satta@debian.org> Tue, 31 Jan 2023 14:34:17 +0100
++
++suricata (1:6.0.9-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Use manpages built from source instead of outdated bundled ones.
++
++ -- Sascha Steinbiss <satta@debian.org> Tue, 29 Nov 2022 11:19:06 +0100
++
++suricata (1:6.0.8-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Raise libhtp minimum dependency version to 0.5.41.
++ * Remove obsolete patch since Python scripts are installed differently
++ via upstream now.
++ * Add upstream metadata.
++
++ -- Sascha Steinbiss <satta@debian.org> Tue, 27 Sep 2022 23:24:59 +0200
++
++suricata (1:6.0.6-2) unstable; urgency=medium
++
++ * Add patch to not use deprecated libbpf API. This prepares Suricata to be
++ ready for libbpf 1.0 when it hits unstable.
++ Closes: #1018914
++ * Raise libbpf dependency version requirement to 0.7.
++ * Refresh other patches.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 21 Sep 2022 18:39:53 +0200
++
++suricata (1:6.0.6-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Drop patch applied upstream: bigendian-cidr.patch
++
++ -- Sascha Steinbiss <satta@debian.org> Tue, 12 Jul 2022 16:57:16 +0200
++
++suricata (1:6.0.5-3) unstable; urgency=medium
++
++ * Add patch to handle undefined LEVEL1_DCACHE_LINESIZE.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 01 Jun 2022 11:33:06 +0200
++
++suricata (1:6.0.5-2) unstable; urgency=medium
++
++ * Introduce patch to fix segfaulting autopkgtests on s390x.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 28 Apr 2022 08:51:06 +0200
++
++suricata (1:6.0.5-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Raise libhtp minimum dependency version to 0.5.40.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 21 Apr 2022 19:53:32 +0200
++
++suricata (1:6.0.4-3) unstable; urgency=medium
++
++ * Remove suricata-oinkmaster binary package.
++
++ -- Sascha Steinbiss <satta@debian.org> Tue, 14 Dec 2021 15:24:47 +0100
++
++suricata (1:6.0.4-2) unstable; urgency=medium
++
++ * Raise libhtp minimum dependency version to 0.5.39.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 18 Nov 2021 22:57:47 +0100
++
++suricata (1:6.0.4-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 18 Nov 2021 22:00:08 +0100
++
++suricata (1:6.0.3-2) unstable; urgency=medium
++
++ * Use 'command -v' instead of 'which' in suricata-oinkmaster cron file.
++ This avoids a runtime deprecation warning on recent versions, and fixes
++ piuparts cron job tests.
++
++ -- Sascha Steinbiss <satta@debian.org> Mon, 30 Aug 2021 20:56:18 +0200
++
++suricata (1:6.0.3-1) unstable; urgency=medium
++
++ * Upload to unstable post-release.
++ * Remove patch applied upstream.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 18 Aug 2021 16:33:31 +0200
++
++suricata (1:6.0.3-1~exp2) experimental; urgency=medium
++
++ * Also use libatomic workaround on powerpc.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 01 Jul 2021 19:44:53 +0200
++
++suricata (1:6.0.3-1~exp1) experimental; urgency=medium
++
++ * New upstream release.
++ * Bump Standards-Version.
++ * Add Rules-Requires-Root: no.
++ * Raise libhtp minimum version B-D to 0.5.38.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 30 Jun 2021 23:51:24 +0200
++
++suricata (1:6.0.2-1~exp1) experimental; urgency=medium
++
++ * Fix conditional variable use in d/rules.
++ * New upstream release.
++ * Use libhtp 0.5.37.
++
++ -- Sascha Steinbiss <satta@debian.org> Fri, 11 Dec 2020 09:45:02 +0100
++
++suricata (1:6.0.1-3) unstable; urgency=medium
++
++ * Address CVE-2021-35063 by backporting upstream fix.
++ Closes: #990835
++
++ -- Sascha Steinbiss <satta@debian.org> Mon, 19 Jul 2021 13:26:22 +0200
++
++suricata (1:6.0.1-2) unstable; urgency=medium
++
++ * Also specify explicit separate '-latomic' reference on mipsel.
++ This addresses a remaining FTBFS there.
++
++ -- Sascha Steinbiss <satta@debian.org> Fri, 11 Dec 2020 09:35:57 +0100
++
++suricata (1:6.0.1-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Disable Prelude support.
++ This is broken upstream, see https://redmine.openinfosecfoundation.org/issues/4065
++ * Bump libhtp dependency to 0.5.36.
++ * Disable suricata-update, as it is a separate package in Debian.
++ * Add patches to fix builds with new Autoconf scripts.
++ * Use debhelper 13.
++ * Include upstream's man pages.
++ * Add workaround for missing '-latomic' symbols on armel.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 08 Oct 2020 22:23:17 +0200
++
++suricata (1:5.0.3-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Use /run instead of /var/run for pidfiles. Thanks to Michael Berg for the
++ patch.
++ Closes: #954435
++ * Bump libhtp dependency to 0.5.33.
++ * Remove nonexistent Files entries in d/copyright.
++ * Use correct DEB_LDFLAGS_MAINT_APPEND in d/rules..
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 29 Apr 2020 09:34:49 +0200
++
++suricata (1:5.0.2-3) unstable; urgency=medium
++
++ * Source upload to enable testing migration.
++ * Bump Standards-Version.
++
++ -- Sascha Steinbiss <satta@debian.org> Sat, 22 Feb 2020 12:47:50 +0100
++
++suricata (1:5.0.2-2) unstable; urgency=medium
++
++ * Add --allow-multiple-definition linker flag to work around FTBFS on armel.
++ Closes: #951765
++
++ -- Sascha Steinbiss <satta@debian.org> Sat, 22 Feb 2020 12:23:52 +0100
++
++suricata (1:5.0.2-1) unstable; urgency=medium
++
++ * New upstream release.
++ Closes: #951654
++ * Add patch from upstream to build without needing if_tunnel.h.
++ This avoids a potentially foreign arch build-dep for eBPF builds.
++ Thanks to Eric Leblond.
++ * Drop patches applied upstream.
++ * Use debhelper-compat.
++ * Mark autopkgtests requiring a control socket as potentially flaky.
++ We cannot always predict the timing on all archs and do not want to
++ use them for CI gating.
++ Closes: #951721
++ * Bring d/copyright up to date with current code base.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 20 Feb 2020 14:55:23 +0100
++
++suricata (1:4.1.5-2) unstable; urgency=medium
++
++ * Add versioned Depends on at least libhtp version used for building.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 09 Oct 2019 13:13:40 +0200
++
++suricata (1:4.1.5-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 25 Sep 2019 10:24:50 +0200
++
++suricata (1:4.1.4-7) unstable; urgency=medium
++
++ * Prevent file clash with other packages writing into the Python3
++ module root directory (suricata/__init__.py).
++ * Add patch to make suricatactl Python3-compatible.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 18 Sep 2019 20:55:51 +0200
++
++suricata (1:4.1.4-6) unstable; urgency=medium
++
++ * Make Python components use Python3.
++ Closes: #938603
++
++ -- Sascha Steinbiss <satta@debian.org> Sat, 07 Sep 2019 17:47:44 +0200
++
++suricata (1:4.1.4-5) unstable; urgency=medium
++
++ * Add patch to fix FTBFS on recent kernels. Thanks to Aurelien Jarno for
++ pointing this out.
++ Closes: #934316
++
++ -- Sascha Steinbiss <satta@debian.org> Mon, 12 Aug 2019 12:48:29 +0200
++
++suricata (1:4.1.4-4) unstable; urgency=medium
++
++ [ Hilko Bengen ]
++ * Patch: add --with-ebpf-includes, point to proper include directory for
++ kernel headers, fixing FTBFS on i386
++
++ [ Sascha Steinbiss ]
++ * Only build eBPF programs on archs with available dependencies.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 24 Jul 2019 10:34:25 +0200
++
++suricata (1:4.1.4-3) unstable; urgency=medium
++
++ * Fix cross building by including patch that addresses abuse of
++ AC_CHECK_FILE. Thanks to Helmut Grohne for the patch.
++ Closes: #923174
++ * Enable building with eBPF support.
++ Thanks to Hilko Bengen for the patch.
++ Closes: #917816
++ * Create temporary CARGO_HOME to allow building with new cargo
++ versions when $HOME is nonexistent.
++ * Make autopkgtest more robust when external resources are unavailable.
++ Closes: #932463
++ * Bump debhelper and compat to 12.
++ * Add Pre-Depends by Lintian's suggestion.
++
++ -- Sascha Steinbiss <satta@debian.org> Tue, 09 Jul 2019 16:47:49 +0200
++
++suricata (1:4.1.4-2) unstable; urgency=medium
++
++ * Do not install suricata-update, recommend external pkg instead.
++ Closes: #924096
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 02 May 2019 17:15:48 +0200
++
++suricata (1:4.1.4-1) unstable; urgency=medium
++
++ * New upstream version 4.1.4
++ - Bugs and security fixes
++ * Refreshed quilt patches
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 01 May 2019 11:44:13 +0200
++
++suricata (1:4.1.3-1) unstable; urgency=medium
++
++ * New upstream version 4.1.3
++ * Refreshed quilt patches
++
++ -- Pierre Chifflier <pollux@debian.org> Fri, 08 Mar 2019 10:24:43 +0100
++
++suricata (1:4.1.2-2) unstable; urgency=medium
++
++ * Upload to unstable.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 09 Jan 2019 12:53:47 +0100
++
++suricata (1:4.1.2-1) experimental; urgency=medium
++
++ * New upstream release.
++ * Add myself to uploaders.
++ * Do not remove Rust vendor directory on distclean (Closes: #915154)
++
++ -- Sascha Steinbiss <satta@debian.org> Sun, 23 Dec 2018 10:48:27 +0000
++
++suricata (1:4.1.0-2) experimental; urgency=medium
++
++ * Disable Rust on armel for now (FTBFS)
++ * Add liblz4-dev to build-deps to enable pcap compression
++ * Update build-dependency on python:any to fix FTCBFS (Closes: #909606)
++
++ -- Pierre Chifflier <pollux@debian.org> Mon, 26 Nov 2018 11:07:08 +0100
++
++suricata (1:4.1.0-1) experimental; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * libhtp: bump soname to libhtp-0.5.24-1
++
++ [ Pierre Chifflier ]
++ * New upstream version 1:4.1.0
++ * Refreshed quilt patches
++ * Update python code directory
++ * Enable rust support (i386 and amd64 only for now)
++ * Also enable Rust on ARM architectures
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 15 Nov 2018 13:29:23 -0800
++
++suricata (1:4.0.6-1) unstable; urgency=medium
++
++ * New upstream version 1:4.0.6
++
++ -- Pierre Chifflier <pollux@debian.org> Mon, 12 Nov 2018 09:19:39 +0100
++
++suricata (1:4.0.5-1) unstable; urgency=medium
++
++ [ Sascha Steinbiss ]
++ * Add patches to help with cross-compiling. Thanks to Helmut Grohne
++ for the patch.
++ Closes: #895996
++ * Add patches to fix building on ia64.
++ Thanks to Jason Duerstock and Adrian Bunk for the patches.
++ Closes: #890432
++ * Fix spelling in debian/patches/reproducible.patch.
++ * Remove obsolete X-Python-Version hint.
++ * Use updated watchfile source URL with https support.
++ * Remove obsolete --parallel dh parameter.
++ * Use canonical Salsa Vcs-Git URL.
++
++ [ Pierre Chifflier ]
++ * New upstream version 1:4.0.5
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 18 Jul 2018 17:14:02 +0200
++
++suricata (1:4.0.4-1) unstable; urgency=medium
++
++ * [3f18cd8] d/control: refresh git URLs
++ * [17da106] New upstream version 4.0.4 (Closes: #889842) fixes CVE-2018-6794
++ * [00fcf17] d/compat: bump debhelper compat level to 11
++ * [45dc0db] d/control: bump std-version to 4.1.3
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 14 Feb 2018 11:33:33 +0100
++
++suricata (1:4.0.3-1) unstable; urgency=medium
++
++ [ Sascha Steinbiss ]
++ * [aece4d6] New upstream version 4.0.3
++ * [c23b64f] refresh patches
++
++ [ Arturo Borrero Gonzalez ]
++ * [7f077ca] d/control: bump std-version to 4.1.2
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 13 Dec 2017 11:42:18 +0100
++
++suricata (1:4.0.1-2) unstable; urgency=medium
++
++ * [d9998f8] suricata-oinkmaster.conf: update ETOPEN ruleset for suricata 4.0.0
++ (Closes: #882442)
++ * [0beae03] suricata-oinkmaster-updater.8: fix typos
++ * [6e7ae75] d/: get rid of dh --with autotools-dev
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 23 Nov 2017 13:41:09 +0100
++
++suricata (1:4.0.1-1) unstable; urgency=medium
++
++ * [72d28e5] d/control: upgrade std-version to 4.1.0
++ * [ea1e317] d/control: upgrade std-version to 4.1.1
++ * [14fea39] d/: switch to debhelper compat 10
++ * [a4715b8] New upstream version 4.0.1
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Sat, 21 Oct 2017 12:09:27 +0200
++
++suricata (1:4.0.0-5) unstable; urgency=medium
++
++ * [392c5b2] d/t/control: allow-stderr for the internal unittest test
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 20 Sep 2017 20:27:12 +0200
++
++suricata (1:4.0.0-4) unstable; urgency=medium
++
++ * [93ee9030] d/control: enable libluajit-5.1-dev build-dep on mipsel
++ (Closes: #873832)
++ * [9527fe94] d/t/control: run suricata -u from the source tree
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Fri, 08 Sep 2017 06:06:47 +0200
++
++suricata (1:4.0.0-3) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * [aa53ce82] suricata-oinkmaster-updater.8: fix typo
++ * [2d171d5a] suricata-oinkmaster-updater.8: clarify paragraph
++ * [90c76777] d/rules: disable dh_auto_test
++ * [5b311761] suricata: switch to use dbgsym package
++ * [9b12c48d] d/control: bump std-versions to 4.0.1
++
++ [ Sascha Steinbiss ]
++ * [c353985a] enable libevent support (Closes: #872908)
++ * [49ff3181] enable luajit on mipsel (Closes: #858545)
++
++ [ Arturo Borrero Gonzalez ]
++ * [50ab7eae] suricata.service: update online docs link
++ * [5098fd7b] d/control: add dh-python to build-deps
++ * [f070d160] d/watch: implement signature verification
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 29 Aug 2017 23:22:48 +0200
++
++suricata (1:4.0.0-2) unstable; urgency=medium
++
++ * [449b4202] d/t/control: running suricata unittest requires
++ geoip-database installed
++ * [0bd02487] d/building-in-ci.sh: be more robust
++ * [edd49e4a] d/watch: more robust approach for upstream tarball generation
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 15 Aug 2017 13:45:45 +0200
++
++suricata (1:4.0.0-1) unstable; urgency=medium
++
++ * [636f10f] d/rules: actually use dh-systemd (Closes: #861732)
++ * [c728ed0] d/rules: cleanup comments
++ * [f0d9adb] suricata: switch to src:libhtp instead of the bundled one
++ * [fa5f8be] New upstream version 4.0.0-rc1
++ * [fac7566] suricata: remove Build-Conflict with libhtp-dev
++ * [1bce782] suricata: explicit build-dep on new src:libhtp
++ * [f3aec1c] d/suricata.preinst: use strict mode (Closes: #866280)
++ * [c831659] suricata: support for internal unittest in autopktest
++ * [557ded7] New upstream version 4.0.0
++ * [5d41b6c] d/t/control: the internal suricata unittest is a command test
++ * [7f4feaa] d/changelog: add missing entry for 4.0.0-beta1-1~exp1
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Fri, 28 Jul 2017 05:29:48 +0200
++
++suricata (4.0.0-beta1-1~exp1) unstable; urgency=medium
++
++ * [c21347df] New upstream version 4.0.0-beta1
++ * [5661b3cc] libhtp: bump soname to libhtp-0.5.24-1
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Fri, 09 Jun 2017 20:52:10 +0200
++
++suricata (3.2.1-1) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * Rebuild for unstable from 3.2.1-1~exp2 (experimental).
++
++ [ Sascha Steinbiss ]
++ * [d0c3629] detect valid interface in autopkgtest
++ * [2d3ae00] fix typo in service file
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 16 Mar 2017 09:04:03 +0100
++
++suricata (3.2.1-1~exp2) experimental; urgency=medium
++
++ [ Sascha Steinbiss ]
++ * [ced48e4] suricata: migrate from old split binary scheme (Closes: #855573)
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Mon, 20 Feb 2017 13:29:37 +0100
++
++suricata (3.2.1-1~exp1) experimental; urgency=medium
++
++ * [67004c8] New upstream version 3.2.1
++ * [05b1756] d/control: bump dependency on libhyperscan
++ * [4483d1c] suricata: drop suricata-hyperscan binary package (Closes: #851647)
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 15 Feb 2017 20:54:17 +0100
++
++suricata (3.2-2) unstable; urgency=medium
++
++ * Rebuild for unstable.
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 10 Jan 2017 09:27:59 +0100
++
++suricata (3.2-2~exp1) experimental; urgency=medium
++
++ [ Sascha Steinbiss ]
++ * [8c7704d] suricata: add hyperscan support (Closes: #846143)
++
++ [ Arturo Borrero Gonzalez ]
++ * [209d2cf] suricata: add remaining hyperscan support
++
++ [ Sascha Steinbiss ]
++ * [ec9b28a] set +x bit on d/suricata-hyperscan.install
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 22 Dec 2016 09:01:29 +0100
++
++suricata (3.2-1) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * [04f5cc3] d/control: update suricata homepage to suricata-ids.org
++ (Closes: #844603)
++
++ [ Sascha Steinbiss ]
++ * [b1cd09c] d/t/control: add some time to settle in autopkgtest
++
++ [ Arturo Borrero Gonzalez ]
++ * [dde83f1] New upstream version 3.2
++ * [c55dda2] d/patches/debian-default-cfg.patch: refresh patch
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 01 Dec 2016 16:22:50 +0100
++
++suricata (3.1.3-3) unstable; urgency=medium
++
++ * [e7a248d] d/tests/control: allow-stderr in the suricata-oinkmaster-updater
++ command
++ * [2caf89b] d/control: make libhtp packages Multi-Arch: same
++ * [825cef4] d/libhtp-0.5.23-1.lintian-overrides: generalize override
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 10 Nov 2016 09:42:29 +0100
++
++suricata (3.1.3-2) unstable; urgency=medium
++
++ * [5c395f9] d/tests/control: rearange suricatasc command tests
++ * [789723b] d/tests/control: fix typo in test command 'suricatas'
++ * [353e030] d/changelog: clean word with typo from the changelog
++ * [b4cf113] d/: add libhtp-0.5.23-1.lintian-overrides
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 09 Nov 2016 13:44:17 +0100
++
++suricata (3.1.3-1) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * [165d14e] suricata-oinkmaster: move the update script to /usr/sbin
++ (Closes: #838129)
++ * [2e21734] d/tests/control: add a basic test for suricata-oinkmaster-updater
++ * [be640f3] suricata: split libhtp to separate binary packages
++ * [c41567a] suricata-oinkmaster: add manpage for suricata-oinkmaster-updater
++ * [b5b6483] d/copyright: refresh file
++ * [2be2225] d/control: add references to IPS and firewall
++ * [bd6a9ed] d/: add symbols file for libhtp
++ * [f61be7d] suricata-oinkmaster-updater.8: fix typo
++ * [ead4a84] d/: update email address to 'arturo@debian.org'
++ * [36d9b9d] d/: refresh date of manpages
++
++ [ Sascha Steinbiss ]
++ * [da1c3c6] d/suricata.logrotate: use 'copytruncate' instead of 'create'
++
++ [ Arturo Borrero Gonzalez ]
++ * [cd9d5d4] New upstream version 3.1.3
++ * [f32a582] libhtp: symbols: refresh file
++ * [1e3edb0] libhtp: bump soname
++ * [d46497e] d/control: suricata depends on lsb-base
++ * [08a6195] d/copyright: refresh copyright owner for some libhtp files
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 08 Nov 2016 08:51:58 +0100
++
++suricata (3.1.2-2) unstable; urgency=medium
++
++ * [482c6f6] d/tests/control: allow-stderr for systemd-service-test.sh
++ * [a4eff10] d/tests/control: add tests for suricatasc
++ * [892096c] d/suricata.8: fix typo 'inet' vs 'init'
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Thu, 08 Sep 2016 12:46:44 +0200
++
++suricata (3.1.2-1) unstable; urgency=medium
++
++ * [4e0605d] Revert "suricata: drop support for sysvinit"
++ * [f5abe38] d/patches: add reproducible.patch.
++ Thanks to Christoph Berg <myon@debian.org> for the pointers.
++ * [6569809] New upstream version 3.1.2
++ * [5fea3a6] d/suricata.service: include Restart=on-failure
++ * [d1a973d] d/suricata.service: add ProtectSystem=full and ProtectHome=true
++ * [8e1cddd] d/tests/systemd-service-test.sh: don't test the reload operation by now
++ * [87c00b1] d/suricata.maintscript: factorize renaming of old config file
++ (Closes: #835643)
++ * [55c7a32] d/oinkmaster/suricata-oinkmaster-updater: drop warnings
++ * [7651669] d/oinkmaster/suricata-oinkmaster-updater: cleanup file
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Wed, 07 Sep 2016 13:25:13 +0200
++
++suricata (3.1.1-4) unstable; urgency=medium
++
++ * [c9b6efd] d/tests/: add new systemd-service-test.sh test
++ * [848a40f] d/README.Debian: this is not a beta release
++ * [0afb007] d/README.Debian: update file with systemd information
++ * [234ec55] d/suricata.8: update manpage
++ * [ebd6a8a] suricata: drop support for sysvinit
++ * [d8fae07] d/suricata.service: get rid of environment variables
++ * [5fe5359] d/suricata.service: use suricatasc for stop and reload
++ * [2ffd606] d/tests/systemd-service-test.sh: add tests for daemon reload
++ * [5196c36] d/suricata.service: require network-online.target (Closes:
++ #835168)
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Thu, 25 Aug 2016 14:14:20 +0200
++
++suricata (3.1.1-3) unstable; urgency=medium
++
++ * [22d26a5] suricata-oinkmaster-updater: prevent bogus if evaluation
++ * [4805c7a] suricata-oinkmaster-updater: dont exit with error if missing
++ requirements (Closes: #834029)
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 16 Aug 2016 13:53:12 +0200
++
++suricata (3.1.1-2) unstable; urgency=medium
++
++ * [833f1c5] d/: add new binary package suricata-oinkmaster
++ * [6155001] d/suricata.service: remove duplicated -D switch in
++ ExecStart=
++ * [6ebbd82] d/patches: add debian-default-cfg.patch [enable unix socket
++ by default]
++ * [2286eb4] d/suricatasc.1: update manpage
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Thu, 28 Jul 2016 13:21:30 +0200
++
++suricata (3.1.1-1) unstable; urgency=medium
++
++ * [cafb099] d/suricata: rename suricata main conffile to
++ /etc/suricata/suricata.yaml
++ * [445c957] suricata: add systemd service file
++ * [94b93bf] Imported Upstream version 3.1.1
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 25 Jul 2016 11:12:03 +0200
++
++suricata (3.1-1) unstable; urgency=medium
++
++ * [d2cce67] d/control: add Vcs-Browser and Vcs-Git information
++ * [8bb2030] Imported Upstream version 3.1
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 21 Jun 2016 11:00:55 +0200
++
++suricata (3.0.1-2) unstable; urgency=medium
++
++ * [178f3cf] suricata: add libgeoip support
++ * [c8a0a0a] d/control: bump std-version to 3.9.8
++ * [523203d] d/control: wrap-and-sort
++ * [e5abae9] suricata: add hiredis support
++ * [9ec82b8] d/control: get rid of XS-Testsuite directive
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 23 May 2016 11:39:40 +0200
++
++suricata (3.0.1-1) unstable; urgency=medium
++
++ * Imported Upstream version 3.0.1
++ * Bump Standards Version to 3.9.7
++
++ -- Pierre Chifflier <pollux@debian.org> Fri, 08 Apr 2016 10:58:35 +0200
++
++suricata (3.0-1) unstable; urgency=medium
++
++ * Imported Upstream version 3.0
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 28 Jan 2016 06:02:41 +0100
++
++suricata (2.0.11-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0.11
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 07 Jan 2016 10:17:16 +0100
++
++suricata (2.0.10-2) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * d/copyright: update file to follow Debian Policy 3.9.6.1
++ * d/control: bump standards to 3.9.6
++ * suricata: add nflog support (Closes: #775074)
++ * d/: wrap-and-sort
++ * d/control: architecture is linux-any
++ * d/rules: don't include upstream install documentation
++ * d/tests: add first basic test
++ * d/control: add missing Testsuite declaration
++ * suritaca: add package suricata-dbg (Closes: #753438)
++ * suricata sysvinit: fix libtcmalloc-minimal integration (Closes: #725249)
++ * d/suricata.init: cleanup file
++ * suricatasc: add manpage
++
++ [ Pierre Chifflier ]
++ * Merge unstable-next branch
++ * Fix dependencies and priority for -dbg package
++ * Install manpage for suricatasc
++
++ -- Pierre Chifflier <pollux@debian.org> Tue, 05 Jan 2016 21:02:40 +0100
++
++suricata (2.0.10-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0.10
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 26 Nov 2015 10:35:53 +0100
++
++suricata (2.0.9-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0.9
++ * Update watch file
++
++ -- Pierre Chifflier <pollux@debian.org> Fri, 25 Sep 2015 19:19:53 +0200
++
++suricata (2.0.8-1) unstable; urgency=high
++
++ [ Arturo Borrero Gonzalez ]
++ * d/suricata.logrotate: add logrotate configuration (Closes: #767249)
++ * d/patches: patch suricatasc to prevent depends on python-symplejson
++ (Closes: #759475)
++ * Revert "d/patches: patch suricatasc to prevent depends on python-symplejson"
++
++ [ Pierre Chifflier ]
++ * Imported Upstream version 2.0.8
++ * Bump Standards Version to 3.9.6
++ Fixes CVE-2015-0971 (Integer overflow in the DER parser)
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 07 May 2015 11:03:19 +0200
++
++suricata (2.0.7-2) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * d/suricata.init: fix proc nfqueue file checking (Closes: #725301)
++
++ [ Pierre Chifflier ]
++ * Check for both proc entries for nfqueue (backwards compatibility) and
++ issue warning only
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 15 Mar 2015 11:17:27 +0100
++
++suricata (2.0.7-1) unstable; urgency=medium
++
++ [ Pierre Chifflier ]
++ * Imported Upstream version 2.0.7
++ * Fix problems with upstream version import
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 12 Mar 2015 07:06:49 +0100
++
++suricata (2.0.6-3) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * suricata: don't deploy .so links
++
++ [ Pierre Chifflier ]
++ * Add missing installation files (Closes: #778724)
++ * Fix .so symlinks removal
++ * Update default-rules-path
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 19 Feb 2015 11:55:05 +0100
++
++suricata (2.0.6-2) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * d/patches: drop 10-fix-missing-script-autoreconf.patch (Closes: #778670)
++ * d/rules: prevent not .so libhtp files from entering binary suricata package
++
++ [ Pierre Chifflier ]
++ * Add conflicts/replaces fields for transition from libhtp (Closes: #778668)
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 18 Feb 2015 11:19:31 +0100
++
++suricata (2.0.6-1) unstable; urgency=medium
++
++ [ Pierre Chifflier ]
++ * Imported Upstream version 2.0.6
++ * Add Arturo to uploaders
++
++ [ Arturo Borrero Gonzalez ]
++ * suricata: use embedded copy of libhtp (Closes: #772551)
++
++ -- Pierre Chifflier <pollux@debian.org> Tue, 17 Feb 2015 11:31:22 +0100
++
++suricata (2.0.4-1) unstable; urgency=high
++
++ * Imported Upstream version 2.0.4
++ * Security: fix out-of-bounds access in SSH parser (Closes: #762828)
++ * Urgency high, CVE-2014-6603
++ Stable and Oldstable versions are not affected.
++
++ -- Pierre Chifflier <pollux@debian.org> Fri, 10 Oct 2014 13:19:59 +0200
++
++suricata (2.0.3-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0.3
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 20 Aug 2014 15:06:21 +0200
++
++suricata (2.0.2-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0.2
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 29 Jun 2014 18:27:56 +0200
++
++suricata (2.0-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0
++ * Update build, require a recent libhtp, and disable coccinelle tests.
++ * Upload to unstable
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 02 Apr 2014 20:23:10 +0200
++
++suricata (1.4.7-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.7
++ * Bump Standards Version to 3.9.5
++ * Run autoreconf during build to fix some errors caused by different
++ autotools versions
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 29 Dec 2013 11:29:57 +0100
++
++suricata (1.4.6-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.6
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 06 Oct 2013 18:52:34 +0200
++
++suricata (1.4.5-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.5
++ * Prepare transition for suricata 2.0 by conflicting with libhtp >= 0.5
++
++ -- Pierre Chifflier <pollux@debian.org> Tue, 20 Aug 2013 16:44:45 +0200
++
++suricata (1.4.3-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.3
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 04 Jul 2013 11:50:13 +0200
++
++suricata (1.4.2-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.2
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 29 May 2013 16:24:52 +0200
++
++suricata (1.4.1-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.1
++ * Install python control script (add dependency on python, and use
++ dh_python2 for build)
++ * Bump Standards Version to 3.9.4
++ * Fix removal of pid file in init script (Closes: #700547)
++ Thanks to Игорь Козинов <madvampik@gmail.com>.
++ * Add support for af-packet mode in init script (Closes: #697928).
++ Thanks to Jamie Strandboge <jamie@ubuntu.com>.
++
++ -- Pierre Chifflier <pollux@debian.org> Tue, 21 May 2013 12:42:45 +0200
++
++suricata (1.4-3) unstable; urgency=low
++
++ * Add configure flag for luajit only on supported architectures
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 22 Dec 2012 16:38:41 +0100
++
++suricata (1.4-2) unstable; urgency=low
++
++ * Fix error in init script, stop trying to manage suricata pid file
++ * Use arch-specific build dependencies for libluajit-5.1-dev, it is not
++ available on all architectures
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 22 Dec 2012 15:39:57 +0100
++
++suricata (1.4-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4
++ * Enable Jansson and LuaJIT support, and add libjansson-dev libluajit-5.1-dev
++ to build-deps
++ * Add python to recommends, for the suricatasc script
++ * Create /var/run/suricata directory when starting daemon
++
++ -- Pierre Chifflier <pollux@debian.org> Fri, 14 Dec 2012 00:02:51 +0100
++
++suricata (1.3.5-1) unstable; urgency=low
++
++ * Imported Upstream version 1.3.5
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 06 Dec 2012 21:13:56 +0100
++
++suricata (1.3.4-1) unstable; urgency=low
++
++ * Imported Upstream version 1.3.4
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 17 Nov 2012 09:56:08 +0100
++
++suricata (1.3.3-1) unstable; urgency=low
++
++ * Imported Upstream version 1.3.3
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 03 Nov 2012 09:38:36 +0100
++
++suricata (1.3.2-1) unstable; urgency=low
++
++ * Imported Upstream version 1.3.2
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 13 Oct 2012 12:18:33 +0200
++
++suricata (1.3-1) unstable; urgency=low
++
++ * Imported Upstream version 1.3
++ * Add build-dependency on libnss3-dev and libnspr4-dev
++ * Bump Standards Version to 3.9.3
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 22 Jul 2012 22:27:36 +0200
++
++suricata (1.2.1-2) unstable; urgency=low
++
++ * Use override targets in rules files (Closes: #666330)
++ * Add support for parallel build in debian/rules
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 12 Apr 2012 01:56:48 +0200
++
++suricata (1.2.1-1) unstable; urgency=low
++
++ * Imported Upstream version 1.2.1
++ * Add libmagic-dev to build-deps
++ * Convert to DH version 9
++ - Switch from hardening-wrapper to dpkg-buildflags
++
++ -- Pierre Chifflier <pollux@debian.org> Mon, 23 Jan 2012 21:47:26 +0100
++
++suricata (1.1.1-2) unstable; urgency=low
++
++ * Add *.config files to default installation
++ * Trigger rebuild with libhtp versioned symbols
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 05 Jan 2012 08:20:24 +0100
++
++suricata (1.1.1-1) unstable; urgency=low
++
++ * Imported Upstream version 1.1.1
++ * Add configure option --enable-af-packet
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 07 Dec 2011 21:52:53 +0100
++
++suricata (1.1-1) unstable; urgency=low
++
++ * Imported Upstream version 1.1
++ * Add instructions on getting new rules using oinkmaster
++ * Add Recommends on oinkmaster
++ * Move snort-rules-default to Recommends
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 17 Nov 2011 23:20:51 +0100
++
++suricata (1.0.5-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.5
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 27 Jul 2011 08:20:25 +0200
++
++suricata (1.0.4-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.4
++ * Bump Standards Version to 3.9.2
++ * Enable hardening-wrapper
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 25 Jun 2011 13:45:44 +0200
++
++suricata (1.0.3-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.3
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 13 Apr 2011 16:59:32 +0200
++
++suricata (1.0.2-2) unstable; urgency=low
++
++ * Add init script (thanks to Edward Fjellskål)
++ * Switch to dpkg-source 3.0 (quilt) format
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 19 Dec 2010 18:35:50 +0100
++
++suricata (1.0.2-1) unstable; urgency=low
++
++ * New Upstream version 1.0.2 (Closes: #598389)
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 29 Sep 2010 10:02:52 +0200
++
++suricata (1.0.1-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.1 (Closes: #591559)
++ * Bump Standards version to 3.9.1
++ * Create /var/log/suricata (Closes: #590861)
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 11 Aug 2010 14:45:14 +0200
++
++suricata (1.0.0-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.0
++ * Remove arch=native flag from build (Closes: #587714)
++ * Bump Standards version to 3.9.0
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 01 Jul 2010 21:28:41 +0200
++
++suricata (0.9.2-1) unstable; urgency=low
++
++ * Imported Upstream version 0.9.2
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 19 Jun 2010 17:39:14 +0200
++
++suricata (0.9.1-1) unstable; urgency=low
++
++ * Imported Upstream version 0.9.1
++ * Update watch file
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 26 May 2010 23:09:07 +0200
++
++suricata (0.9.0-1) unstable; urgency=low
++
++ * Imported Upstream version 0.9.0
++ * Add libcap-ng-dev to build-deps
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 09 May 2010 10:43:44 +0200
++
++suricata (0.8.2-1) unstable; urgency=low
++
++ * Imported Upstream version 0.8.2
++ * Force selection of external libhtp during build
++ * Enable Prelude support
++ * Update watch file
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 02 May 2010 10:50:05 +0200
++
++suricata (0.8.0-2) unstable; urgency=low
++
++ * Update debian/copyright to include all files
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 21 Feb 2010 21:45:33 +0100
++
++suricata (0.8.0-1) unstable; urgency=low
++
++ * Initial release (Closes: #563422)
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 30 Jan 2010 18:25:05 +0100
--- /dev/null
--- /dev/null
++Source: suricata
++Section: net
++Priority: optional
++Maintainer: Pierre Chifflier <pollux@debian.org>
++Uploaders: Sascha Steinbiss <satta@debian.org>
++Build-Depends: debhelper-compat (= 13),
++ dh-python,
++ libbpf-dev (>= 1:0.7.0) [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
++ clang [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
++ llvm [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
++ libcap-ng-dev,
++ libelf-dev [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
++ libevent-dev,
++ libgeoip-dev,
++ libhiredis-dev,
++ libjansson-dev,
++ libluajit-5.1-dev [i386 amd64 powerpc mips mipsel armel armhf],
++ libhyperscan-dev (>= 4.4.0) [i386 amd64 x32],
++ rustc (>= 1.61.0),
++ cargo (>= 0.29.0),
++ liblz4-dev,
++ libmagic-dev,
++ libmaxminddb-dev,
++ libnet1-dev | libnet-dev,
++ libnetfilter-log-dev,
++ libnetfilter-queue-dev,
++ libnspr4-dev,
++ libnss3-dev,
++ libpcap-dev,
++ libpcre2-dev,
++ libyaml-dev,
++ python3:any,
++ zlib1g-dev | libz-dev,
++ libhtp-dev (>= 1:0.5.50),
++ procps,
++ dpdk-dev [amd64 arm64 riscv64 ppc64el],
++ libnuma-dev [amd64 arm64 riscv64 ppc64el]
++Standards-Version: 4.6.2
++Rules-Requires-Root: no
++Homepage: https://suricata.io
++Vcs-Browser: https://salsa.debian.org/pkg-suricata-team/pkg-suricata
++Vcs-Git: https://salsa.debian.org/pkg-suricata-team/pkg-suricata.git
++
++Package: suricata
++Architecture: linux-any
++Pre-Depends: ${misc:Pre-Depends}
++Depends: ${misc:Depends}, ${python3:Depends}, ${shlibs:Depends}, libhtp2 (>= ${libhtp:Version}~)
++Conflicts: libhtp1, suricata-hyperscan
++Replaces: suricata-hyperscan
++Recommends: python3, snort-rules-default, suricata-update
++Suggests: libtcmalloc-minimal4
++Description: Next Generation Intrusion Detection and Prevention Tool
++ Suricata is a network Intrusion Detection System (IDS). It is based on
++ rules (and is fully compatible with snort rules) to detect a variety of
++ attacks / probes by searching packet content.
++ .
++ It can also be used as Intrusion Prevention System (IPS), and as higher layer
++ firewall.
++ .
++ This new Engine supports Multi-Threading, Automatic Protocol Detection
++ (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast
++ IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU
++ cards.
++ .
++ This version has inline (NFQUEUE) support enabled.
--- /dev/null
--- /dev/null
++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
++Upstream-Name: suricata
++Source: https://suricata.io/download/
++Files-Excluded: libhtp
++
++Files: *
++Copyright: 2007-2020 Open Information Security Foundation
++License: GPL-2
++
++Files: aclocal.m4
++Copyright: 1996-2017 Free Software Foundation, Inc.
++ 2004 Scott James Remnant <scott@netsplit.com>
++ 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
++License: GPL-2+
++
++Files: compile
++ config.sub
++ configure
++Copyright: 1992-2018 Free Software Foundation, Inc.
++License: GPL-2
++
++Files: config.guess
++Copyright: 1992-2018 Free Software Foundation, Inc.
++License: GPL-3
++
++Files: contrib/Makefile.am
++Copyright: 2007-2020 Open Information Security Foundation
++License: GPL-2
++
++Files: contrib/file_processor/*
++Copyright: 2007-2020 Open Information Security Foundation
++License: GPL-2
++
++Files: contrib/file_processor/Action/Makefile.in
++Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
++License: GPL-2
++
++Files: contrib/file_processor/Makefile.in
++Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
++License: GPL-2
++
++Files: contrib/file_processor/Processor/Makefile.in
++Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
++License: GPL-2
++
++Files: contrib/file_processor/file_processor.pl
++Copyright: 2012, Martin Holste
++License: GPL-2
++
++Files: contrib/suri-graphite
++Copyright: 2013, 2015, Eric Leblond <eric@regit.org>
++License: GPL-2
++
++Files: debian/*
++Copyright: 2010 Pierre Chifflier <pollux@debian.org>
++ 2019-2024 Sascha Steinbiss <satta@debian.org>
++License: GPL-2
++
++Files: doc/Makefile.in
++ doc/userguide/Makefile.in
++Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
++License: GPL-2
++
++Files: install-sh
++Copyright: 1994, X Consortium
++License: Expat
++
++Files: ebpf/Makefile.in
++ etc/Makefile.in
++ python/Makefile.in
++ qa/Makefile.in
++ qa/coccinelle/Makefile.in
++ rules/Makefile.in
++ rust/Makefile.in
++ src/Makefile.in
++Copyright: 1994-2023 Free Software Foundation, Inc.
++License: GPL-2
++
++Files: ebpf/include/linux/bpf.h
++Copyright: 2011-2014 PLUMgrid
++License: GPL-2
++
++Files: python/suricata/ctl/loghandler.py
++Copyright: 2017 Open Information Security Foundation
++ 2016 Jason Ish
++License: GPL-2
++
++Files: qa/coccinelle/sz3.cocci
++Copyright: 2012 LIP6/INRIA
++License: GPL-2
++
++Files: qa/wirefuzz.pl
++Copyright: 2010-2015 Open Information Security Foundation
++License: GPL-2
++
++Files: rust/vendor/autocfg*/*
++Copyright: 2018 Josh Stone <cuviper@gmail.com>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/base64/*
++Copyright: 2015 Alice Maz
++License: MIT or Apache-2.0
++
++Files: rust/vendor/bitflags/*
++Copyright: 2014 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/build_const/*
++Copyright: 2017 Garrett Berg, vitiral@gmail.com
++License: MIT
++
++Files: rust/vendor/byteorder/*
++Copyright: 2015 Andrew Gallant
++License: MIT or Unlicense
++
++Files: rust/vendor/crc/*
++Copyright: 2017 crc-rs Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/der-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/enum_primitive/*
++Copyright: 2015 Anders Kaseorg <andersk@mit.edu>
++License: MIT
++
++Files: rust/vendor/ipsec-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/kerberos-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/libc/*
++Copyright: 2014 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/memchr/*
++Copyright: 2015 Andrew Gallant <jamslam@gmail.com>
++License: Unlicense or MIT
++
++Files: rust/vendor/nom/*
++Copyright: 2014-2018 Geoffroy Couprie <contact@geoffroycouprie.com>
++License: MIT
++
++Files: rust/vendor/ntp-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/num*/*
++Copyright: 2014 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/phf*/*
++Copyright: 2014-2016 Steven Fackler <sfackler@gmail.com>
++License: MIT
++
++Files: rust/vendor/proc-macro2/*
++Copyright: 2014 Alex Crichton <alex@alexcrichton.com>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/quote/*
++Copyright: 2016 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/rand*/*
++Copyright: 2018 The Rand Project Developers
++ 2014 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/rusticata-macros/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/siphasher/*
++Copyright: 2012-2016 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/snmp-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/syn/*
++Copyright: David Tolnay <dtolnay@gmail.com>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/time/*
++Copyright: 2014 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/tls-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/unicode-xid/*
++Copyright: 2015 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/version_check/*
++Copyright: 2017-2018 Sergio Benitez <sb@sergio.bz>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/widestring/*
++Copyright: 2016 Kathryn Long <squeeself@gmail.com>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/x509-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: src/Makefile.am
++ src/util-hash-lookup3.c
++ src/util-hash-lookup3.h
++Copyright: 2008 Victor Julien <victor@inliniac.net>
++License: GPL-2
++
++Files: src/app-layer-htp-libhtp.c
++ src/app-layer-htp-libhtp.h
++Copyright: 2010-2013, Qualys, Inc.
++ 2009, 2010, Open Information Security Foundation
++License: BSD-3-clause
++
++Files: src/detect-modbus.c
++ src/detect-modbus.h
++ src/detect-tls.c
++ src/detect-tls.h
++Copyright: 2011-2015, ANSSI
++License: BSD-3-clause
++
++Files: src/queue.h
++ src/win32-syslog.h
++Copyright: 1982, 1986, 1988, 1991, 1993, The Regents of the University of California.
++License: BSD-3-clause
++
++Files: src/util-decode-mime.c
++ src/util-decode-mime.h
++Copyright: 2012, BAE Systems
++License: GPL-2
++
++Files: src/util-fix_checksum.c
++ src/util-fix_checksum.h
++Copyright: 2002-2008, Henning Brauer
++ 2001, Daniel Hartmeier
++License: BSD-2-clause
++Comment:
++ In addition to the BSD license, the authors state the following:
++ Effort sponsored in part by the Defense Advanced Research Projects
++ Agency (DARPA) and Air Force Research Laboratory, Air Force
++ Materiel Command, USAF, under agreement number F30602-01-2-0537
++
++Files: src/util-strlcatu.c
++ src/util-strlcpyu.c
++Copyright: 1998, Todd C. Miller <Todd.Miller@courtesan.com>
++License: BSD-3-clause
++
++Files: src/tree.h
++Copyright: 2002 Niels Provos <provos@citi.umich.edu>
++License: BSD-2-clause
++
++Files: suricata-update/*
++Copyright: 2017-2019 Open Information Security Foundation
++ 2013-2017 Jason Ish
++License: GPL-2
++
++Files: suricata-update/suricata/update/compat/ordereddict.py
++Copyright: 2009 Raymond Hettinger
++License: MIT
++
++License: BSD-3-clause
++ The BSD License
++ .
++ Redistribution and use in source and binary forms, with or without
++ modification, are permitted provided that the following conditions are
++ met:
++ .
++ * Redistributions of source code must retain the above copyright
++ notice, this list of conditions and the following disclaimer.
++ .
++ * Redistributions in binary form must reproduce the above copyright
++ notice, this list of conditions and the following disclaimer in the
++ documentation and/or other materials provided with the distribution.
++ .
++ * Neither the name of foo nor the names of its
++ contributors may be used to endorse or promote products derived from
++ this software without specific prior written permission.
++ .
++ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
++ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
++ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
++ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
++ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
++ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
++ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
++ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
++ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
++ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++License: Expat
++ The MIT License
++ .
++ Permission is hereby granted, free of charge, to any person
++ obtaining a copy of this software and associated
++ documentation files (the "Software"), to deal in the Software
++ without restriction, including without limitation the rights to
++ use, copy, modify, merge, publish, distribute, sublicense,
++ and/or sell copies of the Software, and to permit persons to
++ whom the Software is furnished to do so, subject to the
++ following conditions:
++ .
++ The above copyright notice and this permission notice shall
++ be included in all copies or substantial portions of the
++ Software.
++ .
++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
++ WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
++ INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ MERCHANTABILITY, FITNESS FOR A PARTICULAR
++ PURPOSE AND NONINFRINGEMENT. IN NO EVENT
++ SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
++ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
++ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
++ CONNECTION WITH THE SOFTWARE OR THE USE OR
++ OTHER DEALINGS IN THE SOFTWARE.
++
++License: GPL-2
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU Library General Public License as published by
++ the Free Software Foundation.
++ .
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU Library General Public License for more details.
++ .
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>
++ .
++ On Debian systems, the complete text of the GNU General
++ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
++
++License: GPL-2+
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; version 2 dated June, 1991, or (at
++ your option) any later version.
++ .
++ On Debian systems, the complete text of version 2 of the GNU General
++ Public License can be found in '/usr/share/common-licenses/GPL-2'.
++
++License: GPL-3
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; version 3 dated June, 2007.
++ .
++ On Debian systems, the complete text of version 3 of the GNU General
++ Public License can be found in '/usr/share/common-licenses/GPL-3'.
++
++License: Apache-2.0
++ Debian systems provide the Apache 2.0 license in
++ /usr/share/common-licenses/Apache-2.0
++
++License: MIT
++ Permission is hereby granted, free of charge, to any person obtaining a copy
++ of this software and associated documentation files (the "Software"), to deal
++ in the Software without restriction, including without limitation the rights
++ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ copies of the Software, and to permit persons to whom the Software is
++ furnished to do so, subject to the following conditions:
++ .
++ The above copyright notice and this permission notice shall be included in all
++ copies or substantial portions of the Software.
++ .
++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++ SOFTWARE.
++
++License: Unlicense
++ This is free and unencumbered software released into the public domain.
++ .
++ Anyone is free to copy, modify, publish, use, compile, sell, or
++ distribute this software, either in source code form or as a compiled
++ binary, for any purpose, commercial or non-commercial, and by any
++ means.
++ .
++ In jurisdictions that recognize copyright laws, the author or authors
++ of this software dedicate any and all copyright interest in the
++ software to the public domain. We make this dedication for the benefit
++ of the public at large and to the detriment of our heirs and
++ successors. We intend this dedication to be an overt act of
++ relinquishment in perpetuity of all present and future rights to this
++ software under copyright law.
++ .
++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
++ IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
++ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
++ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
++ OTHER DEALINGS IN THE SOFTWARE.
++
++License: BSD-2-clause
++ Redistribution and use in source and binary forms, with or without
++ modification, are permitted provided that the following conditions are
++ met:
++ .
++ 1. Redistributions of source code must retain the above copyright
++ notice, this list of conditions and the following disclaimer.
++ 2. Redistributions in binary form must reproduce the above copyright
++ notice, this list of conditions and the following disclaimer in the
++ documentation and/or other materials provided with the distribution.
++ .
++ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
++ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
++ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++License: ISC
++ Permission to use, copy, modify, and/or distribute this software for any purpose with or without
++ fee is hereby granted, provided that the above copyright notice and this permission notice appear
++ in all copies.
++ .
++ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
++ SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
++ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
++ NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
++ THIS SOFTWARE.
--- /dev/null
--- /dev/null
++usr/lib/*/lib*.so.*
--- /dev/null
--- /dev/null
++# false positive, the link is there. Somehow lintian is confused
++libhtp-0.5.24-1: dev-pkg-without-shlib-symlink
--- /dev/null
--- /dev/null
++libhtp-0.5.24.so.1 libhtp-0.5.24-1 #MINVER#
++ bstr_add@Base 3.1.3
++ bstr_add_c@Base 3.1.3
++ bstr_add_c_noex@Base 3.1.3
++ bstr_add_mem@Base 3.1.3
++ bstr_add_mem_noex@Base 3.1.3
++ bstr_add_noex@Base 3.1.3
++ bstr_adjust_len@Base 3.1.3
++ bstr_adjust_realptr@Base 3.1.3
++ bstr_adjust_size@Base 3.1.3
++ bstr_alloc@Base 3.1.3
++ bstr_begins_with@Base 3.1.3
++ bstr_begins_with_c@Base 3.1.3
++ bstr_begins_with_c_nocase@Base 3.1.3
++ bstr_begins_with_mem@Base 3.1.3
++ bstr_begins_with_mem_nocase@Base 3.1.3
++ bstr_begins_with_nocase@Base 3.1.3
++ bstr_builder_append_c@Base 3.1.3
++ bstr_builder_append_mem@Base 3.1.3
++ bstr_builder_appendn@Base 3.1.3
++ bstr_builder_clear@Base 3.1.3
++ bstr_builder_create@Base 3.1.3
++ bstr_builder_destroy@Base 3.1.3
++ bstr_builder_size@Base 3.1.3
++ bstr_builder_to_str@Base 3.1.3
++ bstr_char_at@Base 3.1.3
++ bstr_char_at_end@Base 3.1.3
++ bstr_chop@Base 3.1.3
++ bstr_chr@Base 3.1.3
++ bstr_cmp@Base 3.1.3
++ bstr_cmp_c@Base 3.1.3
++ bstr_cmp_c_nocase@Base 3.1.3
++ bstr_cmp_mem@Base 3.1.3
++ bstr_cmp_mem_nocase@Base 3.1.3
++ bstr_cmp_nocase@Base 3.1.3
++ bstr_dup@Base 3.1.3
++ bstr_dup_c@Base 3.1.3
++ bstr_dup_ex@Base 3.1.3
++ bstr_dup_lower@Base 3.1.3
++ bstr_dup_mem@Base 3.1.3
++ bstr_expand@Base 3.1.3
++ bstr_free@Base 3.1.3
++ bstr_index_of@Base 3.1.3
++ bstr_index_of_c@Base 3.1.3
++ bstr_index_of_c_nocase@Base 3.1.3
++ bstr_index_of_mem@Base 3.1.3
++ bstr_index_of_mem_nocase@Base 3.1.3
++ bstr_index_of_nocase@Base 3.1.3
++ bstr_rchr@Base 3.1.3
++ bstr_to_lowercase@Base 3.1.3
++ bstr_util_cmp_mem@Base 3.1.3
++ bstr_util_cmp_mem_nocase@Base 3.1.3
++ bstr_util_mem_index_of_c@Base 3.1.3
++ bstr_util_mem_index_of_c_nocase@Base 3.1.3
++ bstr_util_mem_index_of_mem@Base 3.1.3
++ bstr_util_mem_index_of_mem_nocase@Base 3.1.3
++ bstr_util_mem_to_pint@Base 3.1.3
++ bstr_util_mem_trim@Base 3.1.3
++ bstr_util_memdup_to_c@Base 3.1.3
++ bstr_util_strdup_to_c@Base 3.1.3
++ bstr_wrap_c@Base 3.1.3
++ bstr_wrap_mem@Base 3.1.3
++ fprint_bstr@Base 3.1.3
++ fprint_raw_data@Base 3.1.3
++ fprint_raw_data_ex@Base 3.1.3
++ htp_base64_decode@Base 3.1.3
++ htp_base64_decode_bstr@Base 3.1.3
++ htp_base64_decode_mem@Base 3.1.3
++ htp_base64_decode_single@Base 3.1.3
++ htp_base64_decoder_init@Base 3.1.3
++ htp_ch_multipart_callback_request_body_data@Base 3.1.3
++ htp_ch_multipart_callback_request_headers@Base 3.1.3
++ htp_ch_urlencoded_callback_request_body_data@Base 3.1.3
++ htp_ch_urlencoded_callback_request_headers@Base 3.1.3
++ htp_ch_urlencoded_callback_request_line@Base 3.1.3
++ htp_chomp@Base 3.1.3
++ htp_config_copy@Base 3.1.3
++ htp_config_create@Base 3.1.3
++ htp_config_destroy@Base 3.1.3
++ htp_config_get_user_data@Base 3.1.3
++ htp_config_register_log@Base 3.1.3
++ htp_config_register_multipart_parser@Base 3.1.3
++ htp_config_register_request_body_data@Base 3.1.3
++ htp_config_register_request_complete@Base 3.1.3
++ htp_config_register_request_file_data@Base 3.1.3
++ htp_config_register_request_header_data@Base 3.1.3
++ htp_config_register_request_headers@Base 3.1.3
++ htp_config_register_request_line@Base 3.1.3
++ htp_config_register_request_start@Base 3.1.3
++ htp_config_register_request_trailer@Base 3.1.3
++ htp_config_register_request_trailer_data@Base 3.1.3
++ htp_config_register_request_uri_normalize@Base 3.1.3
++ htp_config_register_response_body_data@Base 3.1.3
++ htp_config_register_response_complete@Base 3.1.3
++ htp_config_register_response_header_data@Base 3.1.3
++ htp_config_register_response_headers@Base 3.1.3
++ htp_config_register_response_line@Base 3.1.3
++ htp_config_register_response_start@Base 3.1.3
++ htp_config_register_response_trailer@Base 3.1.3
++ htp_config_register_response_trailer_data@Base 3.1.3
++ htp_config_register_transaction_complete@Base 3.1.3
++ htp_config_register_urlencoded_parser@Base 3.1.3
++ htp_config_set_backslash_convert_slashes@Base 3.1.3
++ htp_config_set_bestfit_map@Base 3.1.3
++ htp_config_set_bestfit_replacement_byte@Base 3.1.3
++ htp_config_set_control_chars_unwanted@Base 3.1.3
++ htp_config_set_convert_lowercase@Base 3.1.3
++ htp_config_set_extract_request_files@Base 3.1.3
++ htp_config_set_field_limits@Base 3.1.3
++ htp_config_set_log_level@Base 3.1.3
++ htp_config_set_nul_encoded_terminates@Base 3.1.3
++ htp_config_set_nul_encoded_unwanted@Base 3.1.3
++ htp_config_set_nul_raw_terminates@Base 3.1.3
++ htp_config_set_nul_raw_unwanted@Base 3.1.3
++ htp_config_set_parse_request_auth@Base 3.1.3
++ htp_config_set_parse_request_cookies@Base 3.1.3
++ htp_config_set_path_separators_compress@Base 3.1.3
++ htp_config_set_path_separators_decode@Base 3.1.3
++ htp_config_set_path_separators_encoded_unwanted@Base 3.1.3
++ htp_config_set_plusspace_decode@Base 3.1.3
++ htp_config_set_requestline_leading_whitespace_unwanted@Base 3.1.3
++ htp_config_set_response_decompression@Base 3.1.3
++ htp_config_set_response_decompression_layer_limit@Base 3.1.3
++ htp_config_set_server_personality@Base 3.1.3
++ htp_config_set_tmpdir@Base 3.1.3
++ htp_config_set_tx_auto_destroy@Base 3.1.3
++ htp_config_set_u_encoding_decode@Base 3.1.3
++ htp_config_set_u_encoding_unwanted@Base 3.1.3
++ htp_config_set_url_encoding_invalid_handling@Base 3.1.3
++ htp_config_set_url_encoding_invalid_unwanted@Base 3.1.3
++ htp_config_set_user_data@Base 3.1.3
++ htp_config_set_utf8_convert_bestfit@Base 3.1.3
++ htp_config_set_utf8_invalid_unwanted@Base 3.1.3
++ htp_conn_close@Base 3.1.3
++ htp_conn_create@Base 3.1.3
++ htp_conn_destroy@Base 3.1.3
++ htp_conn_open@Base 3.1.3
++ htp_conn_remove_tx@Base 3.1.3
++ htp_conn_track_inbound_data@Base 3.1.3
++ htp_conn_track_outbound_data@Base 3.1.3
++ htp_connp_REQ_BODY_CHUNKED_DATA@Base 3.1.3
++ htp_connp_REQ_BODY_CHUNKED_DATA_END@Base 3.1.3
++ htp_connp_REQ_BODY_CHUNKED_LENGTH@Base 3.1.3
++ htp_connp_REQ_BODY_DETERMINE@Base 3.1.3
++ htp_connp_REQ_BODY_IDENTITY@Base 3.1.3
++ htp_connp_REQ_CONNECT_CHECK@Base 3.1.3
++ htp_connp_REQ_CONNECT_PROBE_DATA@Base 3.1.3
++ htp_connp_REQ_CONNECT_WAIT_RESPONSE@Base 3.1.3
++ htp_connp_REQ_FINALIZE@Base 3.1.3
++ htp_connp_REQ_HEADERS@Base 3.1.3
++ htp_connp_REQ_IDLE@Base 3.1.3
++ htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9@Base 3.1.3
++ htp_connp_REQ_LINE@Base 3.1.3
++ htp_connp_REQ_LINE_complete@Base 3.1.3
++ htp_connp_REQ_PROTOCOL@Base 3.1.3
++ htp_connp_RES_BODY_CHUNKED_DATA@Base 3.1.3
++ htp_connp_RES_BODY_CHUNKED_DATA_END@Base 3.1.3
++ htp_connp_RES_BODY_CHUNKED_LENGTH@Base 3.1.3
++ htp_connp_RES_BODY_DETERMINE@Base 3.1.3
++ htp_connp_RES_BODY_IDENTITY_CL_KNOWN@Base 3.1.3
++ htp_connp_RES_BODY_IDENTITY_STREAM_CLOSE@Base 3.1.3
++ htp_connp_RES_FINALIZE@Base 3.1.3
++ htp_connp_RES_HEADERS@Base 3.1.3
++ htp_connp_RES_IDLE@Base 3.1.3
++ htp_connp_RES_LINE@Base 3.1.3
++ htp_connp_clear_error@Base 3.1.3
++ htp_connp_close@Base 3.1.3
++ htp_connp_create@Base 3.1.3
++ htp_connp_destroy@Base 3.1.3
++ htp_connp_destroy_all@Base 3.1.3
++ htp_connp_destroy_decompressors@Base 3.1.3
++ htp_connp_get_connection@Base 3.1.3
++ htp_connp_get_in_tx@Base 3.1.3
++ htp_connp_get_last_error@Base 3.1.3
++ htp_connp_get_out_tx@Base 3.1.3
++ htp_connp_get_user_data@Base 3.1.3
++ htp_connp_in_reset@Base 3.1.3
++ htp_connp_in_state_as_string@Base 3.1.3
++ htp_connp_is_line_folded@Base 3.1.3
++ htp_connp_is_line_ignorable@Base 3.1.3
++ htp_connp_is_line_terminator@Base 3.1.3
++ htp_connp_open@Base 3.1.3
++ htp_connp_out_state_as_string@Base 3.1.3
++ htp_connp_req_data@Base 3.1.3
++ htp_connp_req_data_consumed@Base 3.1.3
++ htp_connp_req_receiver_finalize_clear@Base 3.1.3
++ htp_connp_res_data@Base 3.1.3
++ htp_connp_res_data_consumed@Base 3.1.3
++ htp_connp_res_receiver_finalize_clear@Base 3.1.3
++ htp_connp_set_user_data@Base 3.1.3
++ htp_connp_tx_create@Base 3.1.3
++ htp_connp_tx_remove@Base 3.1.3
++ htp_convert_method_to_number@Base 3.1.3
++ htp_decode_path_inplace@Base 3.1.3
++ htp_extract_quoted_string_as_bstr@Base 3.1.3
++ htp_get_version@Base 3.1.3
++ htp_gzip_decompressor_create@Base 3.1.3
++ htp_hook_copy@Base 3.1.3
++ htp_hook_create@Base 3.1.3
++ htp_hook_destroy@Base 3.1.3
++ htp_hook_register@Base 3.1.3
++ htp_hook_run_all@Base 3.1.3
++ htp_hook_run_one@Base 3.1.3
++ htp_is_folding_char@Base 3.1.3
++ htp_is_line_empty@Base 3.1.3
++ htp_is_line_whitespace@Base 3.1.3
++ htp_is_lws@Base 3.1.3
++ htp_is_separator@Base 3.1.3
++ htp_is_space@Base 3.1.3
++ htp_is_text@Base 3.1.3
++ htp_is_token@Base 3.1.3
++ htp_list_array_clear@Base 3.1.3
++ htp_list_array_create@Base 3.1.3
++ htp_list_array_destroy@Base 3.1.3
++ htp_list_array_get@Base 3.1.3
++ htp_list_array_pop@Base 3.1.3
++ htp_list_array_push@Base 3.1.3
++ htp_list_array_replace@Base 3.1.3
++ htp_list_array_shift@Base 3.1.3
++ htp_list_array_size@Base 3.1.3
++ htp_log@Base 3.1.3
++ htp_mpart_part_create@Base 3.1.3
++ htp_mpart_part_destroy@Base 3.1.3
++ htp_mpart_part_finalize_data@Base 3.1.3
++ htp_mpart_part_handle_data@Base 3.1.3
++ htp_mpart_part_parse_c_d@Base 3.1.3
++ htp_mpart_part_process_headers@Base 3.1.3
++ htp_mpartp_create@Base 3.1.3
++ htp_mpartp_destroy@Base 3.1.3
++ htp_mpartp_finalize@Base 3.1.3
++ htp_mpartp_find_boundary@Base 3.1.3
++ htp_mpartp_get_multipart@Base 3.1.3
++ htp_mpartp_parse@Base 3.1.3
++ htp_mpartp_parse_header@Base 3.1.3
++ htp_mpartp_run_request_file_data_hook@Base 3.1.3
++ htp_normalize_hostname_inplace@Base 3.1.3
++ htp_normalize_parsed_uri@Base 3.1.3
++ htp_normalize_uri_path_inplace@Base 3.1.3
++ htp_parse_authorization@Base 3.1.3
++ htp_parse_authorization_basic@Base 3.1.3
++ htp_parse_authorization_digest@Base 3.1.3
++ htp_parse_chunked_length@Base 3.1.3
++ htp_parse_content_length@Base 3.1.3
++ htp_parse_cookies_v0@Base 3.1.3
++ htp_parse_ct_header@Base 3.1.3
++ htp_parse_header_hostport@Base 3.1.3
++ htp_parse_hostport@Base 3.1.3
++ htp_parse_positive_integer_whitespace@Base 3.1.3
++ htp_parse_protocol@Base 3.1.3
++ htp_parse_request_header_generic@Base 3.1.3
++ htp_parse_request_line_apache_2_2@Base 3.1.3
++ htp_parse_request_line_generic@Base 3.1.3
++ htp_parse_request_line_generic_ex@Base 3.1.3
++ htp_parse_response_header_generic@Base 3.1.3
++ htp_parse_response_line_generic@Base 3.1.3
++ htp_parse_single_cookie_v0@Base 3.1.3
++ htp_parse_status@Base 3.1.3
++ htp_parse_uri@Base 3.1.3
++ htp_parse_uri_hostport@Base 3.1.3
++ htp_php_parameter_processor@Base 3.1.3
++ htp_process_request_header_apache_2_2@Base 3.1.3
++ htp_process_request_header_generic@Base 3.1.3
++ htp_process_response_header_generic@Base 3.1.3
++ htp_req_run_hook_body_data@Base 3.1.3
++ htp_res_run_hook_body_data@Base 3.1.3
++ htp_table_add@Base 3.1.3
++ htp_table_addk@Base 3.1.3
++ htp_table_addn@Base 3.1.3
++ htp_table_clear@Base 3.1.3
++ htp_table_clear_ex@Base 3.1.3
++ htp_table_create@Base 3.1.3
++ htp_table_destroy@Base 3.1.3
++ htp_table_destroy_ex@Base 3.1.3
++ htp_table_get@Base 3.1.3
++ htp_table_get_c@Base 3.1.3
++ htp_table_get_index@Base 3.1.3
++ htp_table_get_mem@Base 3.1.3
++ htp_table_size@Base 3.1.3
++ htp_transcode_bstr@Base 3.1.3
++ htp_transcode_params@Base 3.1.3
++ htp_treat_response_line_as_body@Base 3.1.3
++ htp_tx_create@Base 3.1.3
++ htp_tx_destroy@Base 3.1.3
++ htp_tx_destroy_incomplete@Base 3.1.3
++ htp_tx_finalize@Base 3.1.3
++ htp_tx_get_is_config_shared@Base 3.1.3
++ htp_tx_get_user_data@Base 3.1.3
++ htp_tx_is_complete@Base 3.1.3
++ htp_tx_register_request_body_data@Base 3.1.3
++ htp_tx_register_response_body_data@Base 3.1.3
++ htp_tx_req_add_param@Base 3.1.3
++ htp_tx_req_get_param@Base 3.1.3
++ htp_tx_req_get_param_ex@Base 3.1.3
++ htp_tx_req_has_body@Base 3.1.3
++ htp_tx_req_process_body_data@Base 3.1.3
++ htp_tx_req_process_body_data_ex@Base 3.1.3
++ htp_tx_req_set_header@Base 3.1.3
++ htp_tx_req_set_headers_clear@Base 3.1.3
++ htp_tx_req_set_line@Base 3.1.3
++ htp_tx_req_set_method@Base 3.1.3
++ htp_tx_req_set_method_number@Base 3.1.3
++ htp_tx_req_set_parsed_uri@Base 3.1.3
++ htp_tx_req_set_protocol@Base 3.1.3
++ htp_tx_req_set_protocol_0_9@Base 3.1.3
++ htp_tx_req_set_protocol_number@Base 3.1.3
++ htp_tx_req_set_uri@Base 3.1.3
++ htp_tx_request_progress_as_string@Base 3.1.3
++ htp_tx_res_process_body_data@Base 3.1.3
++ htp_tx_res_process_body_data_ex@Base 3.1.3
++ htp_tx_res_set_header@Base 3.1.3
++ htp_tx_res_set_headers_clear@Base 3.1.3
++ htp_tx_res_set_protocol_number@Base 3.1.3
++ htp_tx_res_set_status_code@Base 3.1.3
++ htp_tx_res_set_status_line@Base 3.1.3
++ htp_tx_res_set_status_message@Base 3.1.3
++ htp_tx_response_progress_as_string@Base 3.1.3
++ htp_tx_set_config@Base 3.1.3
++ htp_tx_set_user_data@Base 3.1.3
++ htp_tx_state_request_complete@Base 3.1.3
++ htp_tx_state_request_complete_partial@Base 3.1.3
++ htp_tx_state_request_headers@Base 3.1.3
++ htp_tx_state_request_line@Base 3.1.3
++ htp_tx_state_request_start@Base 3.1.3
++ htp_tx_state_response_complete@Base 3.1.3
++ htp_tx_state_response_complete_ex@Base 3.1.3
++ htp_tx_state_response_headers@Base 3.1.3
++ htp_tx_state_response_line@Base 3.1.3
++ htp_tx_state_response_start@Base 3.1.3
++ htp_tx_urldecode_params_inplace@Base 3.1.3
++ htp_tx_urldecode_uri_inplace@Base 3.1.3
++ htp_unparse_uri_noencode@Base 3.1.3
++ htp_uri_alloc@Base 3.1.3
++ htp_uri_free@Base 3.1.3
++ htp_urldecode_inplace@Base 3.1.3
++ htp_urldecode_inplace_ex@Base 3.1.3
++ htp_urlenp_create@Base 3.1.3
++ htp_urlenp_destroy@Base 3.1.3
++ htp_urlenp_finalize@Base 3.1.3
++ htp_urlenp_parse_complete@Base 3.1.3
++ htp_urlenp_parse_partial@Base 3.1.3
++ htp_utf8_decode@Base 3.1.3
++ htp_utf8_decode_allow_overlong@Base 3.1.3
++ htp_utf8_decode_path_inplace@Base 3.1.3
++ htp_utf8_validate_path@Base 3.1.3
++ htp_validate_hostname@Base 3.1.3
++ strlcat@Base 3.1.3
++ strlcpy@Base 3.1.3
--- /dev/null
--- /dev/null
++From 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56 Mon Sep 17 00:00:00 2001
++From: Philippe Antoine <pantoine@oisf.net>
++Date: Tue, 15 Apr 2025 12:34:37 +0200
++# Subject: [PATCH] http2: forbid data on stream 0
++
++Ticket: 7658
++
++Suricata will not handle well if we open a file for this tx,
++do not close it, but set the transaction state to completed.
++
++RFC 9113 section 6.1 states:
++
++If a DATA frame is received whose Stream Identifier field is 0x00,
++the recipient MUST respond with a connection error (Section 5.4.1)
++ of type PROTOCOL_ERROR.
++
++(cherry picked from commit 1d6d331752e933c46aca0ae7a9679b27462246e3)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/7659
++Bug-Debian: https://bugs.debian.org/1109806
++Subject: Upstream fix for CVE-2025-53538
++---
++ rules/http2-events.rules | 1 +
++ rust/src/http2/http2.rs | 5 ++++-
++ 2 files changed, 5 insertions(+), 1 deletion(-)
++
++diff --git a/rules/http2-events.rules b/rules/http2-events.rules
++index 413fdd652..8242e2f79 100644
++--- a/rules/http2-events.rules
+++++ b/rules/http2-events.rules
++@@ -21,3 +21,4 @@ alert http2 any any -> any any (msg:"SURICATA HTTP2 too many streams"; flow:esta
++ alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
++ alert http2 any any -> any any (msg:"SURICATA HTTP2 user info in uri"; flow:established,to_server; app-layer-event:http2.userinfo_in_uri; classtype:protocol-command-decode; sid:2290014; rev:1;)
++ alert http2 any any -> any any (msg:"SURICATA HTTP2 reassembly limit reached"; flow:established; app-layer-event:http2.reassembly_limit_reached; classtype:protocol-command-decode; sid:2290015; rev:1;)
+++alert http2 any any -> any any (msg:"SURICATA HTTP2 data on stream zero"; flow:established; app-layer-event:http2.data_stream_zero; classtype:protocol-command-decode; sid:2290018; rev:1;)
++diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs
++index 20b7cd947..a79a33c8e 100644
++--- a/rust/src/http2/http2.rs
+++++ b/rust/src/http2/http2.rs
++@@ -409,6 +409,7 @@ pub enum HTTP2Event {
++ AuthorityHostMismatch,
++ UserinfoInUri,
++ ReassemblyLimitReached,
+++ DataStreamZero,
++ }
++
++ pub struct HTTP2DynTable {
++@@ -1078,7 +1079,9 @@ impl HTTP2State {
++ data: txdata,
++ });
++ }
++- if ftype == parser::HTTP2FrameType::Data as u8 {
+++ if ftype == parser::HTTP2FrameType::Data as u8 && sid == 0 {
+++ tx.tx_data.set_event(HTTP2Event::DataStreamZero as u8);
+++ } else if ftype == parser::HTTP2FrameType::Data as u8 && sid > 0 {
++ match unsafe { SURICATA_HTTP2_FILE_CONFIG } {
++ Some(sfcm) => {
++ //borrow checker forbids to reuse directly tx
++--
++2.51.0
++
--- /dev/null
--- /dev/null
++From e91b03c90385db15e21cf1a0e85b921bf92b039e Mon Sep 17 00:00:00 2001
++From: Victor Julien <vjulien@oisf.net>
++Date: Wed, 20 Aug 2025 12:43:27 +0200
++# Subject: [PATCH] stream: improve SYN and SYN/ACK retransmission handling
++
++Take SEQ and ACK into account for more scenarios.
++
++SYN on SYN_SENT
++
++In this case the SYN packets with different SEQ and other properties are
++queued up. Each packet updates the ssn to reflect the last packet to
++come in. The old ssn data is added to a TcpStateQueue entry in
++TcpSession::queue. If the max queue length is exceeded, the oldest entry
++is evicted. The queue is actually a single linked list, where the list
++head reflects the oldest entry.
++
++SYN/ACK on SYN_SENT
++
++In this case the first check is if the SYN/ACK matches the session. If
++it doesn't, the queue is checked to see if there SYN's stored. If one is
++found that matches, it is used and the session is updated to reflect
++that.
++
++SYN/ACK on SYN_RECV
++
++SYN/ACK resent on the SYN_RECV state. In this case the ssn is updated
++from the current packet. The old settings are stored in a TcpStateQueue
++entry in the TcpSession::queue.
++
++ACK on SYN_RECV
++
++Checks any stored SYN/ACKs before checking the session. If a queued
++SYN/ACK was sound, the session is updated to match it.
++
++Ticket: #3844.
++Ticket: #7657.
++(cherry picked from commit be6315dba0d9101b11d16e9dacfe2822b3792f1b)
++
++Patch adjusted for Debian to fit for Suricata 7.0.10.
++
++Origin: upstream, https://github.com/OISF/suricata/commit/e91b03c90385db15e21cf1a0e85b921bf92b039e.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/7852
++Subject: Upstream fix for CVE-2025-59147
++---
++ src/stream-tcp-private.h | 2 +-
++ src/stream-tcp.c | 212 ++++++++++++++++++++++++++++-----------
++ 2 files changed, 155 insertions(+), 59 deletions(-)
++
++diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h
++index 2da93f6ce..380b9eed1 100644
++--- a/src/stream-tcp-private.h
+++++ b/src/stream-tcp-private.h
++@@ -295,7 +295,7 @@ typedef struct TcpSession_ {
++ uint32_t reassembly_depth; /**< reassembly depth for the stream */
++ TcpStream server;
++ TcpStream client;
++- TcpStateQueue *queue; /**< list of SYN/ACK candidates */
+++ TcpStateQueue *queue; /**< list of SYN or SYN/ACK candidates */
++ } TcpSession;
++
++ #define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream) \
++diff --git a/src/stream-tcp.c b/src/stream-tcp.c
++index a266ebf1a..5677d3090 100644
++--- a/src/stream-tcp.c
+++++ b/src/stream-tcp.c
++@@ -1787,6 +1787,7 @@ static void TcpStateQueueInitFromSsnSyn(const TcpSession *ssn, TcpStateQueue *q)
++ BUG_ON(ssn->state != TCP_SYN_SENT); // TODO
++ memset(q, 0, sizeof(*q));
++
+++ q->seq = ssn->client.isn;
++ /* SYN won't use wscale yet. So window should be limited to 16 bits. */
++ DEBUG_VALIDATE_BUG_ON(ssn->server.window > UINT16_MAX);
++ q->win = (uint16_t)ssn->server.window;
++@@ -1817,8 +1818,9 @@ static void TcpStateQueueInitFromPktSyn(const Packet *p, TcpStateQueue *q)
++ #endif
++ memset(q, 0, sizeof(*q));
++
+++ q->seq = TCP_GET_SEQ(p);
++ q->win = TCP_GET_WINDOW(p);
++- q->pkt_ts = SCTIME_SECS(p->ts);
+++ q->pkt_ts = (uint32_t)SCTIME_SECS(p->ts);
++
++ if (TCP_GET_SACKOK(p) == 1) {
++ q->flags |= STREAMTCP_QUEUE_FLAG_SACK;
++@@ -1846,6 +1848,7 @@ static void TcpStateQueueInitFromPktSynAck(const Packet *p, TcpStateQueue *q)
++ #endif
++ memset(q, 0, sizeof(*q));
++
+++ q->seq = TCP_GET_ACK(p) - 1;
++ q->win = TCP_GET_WINDOW(p);
++ q->pkt_ts = SCTIME_SECS(p->ts);
++
++@@ -1870,36 +1873,62 @@ static void TcpStateQueueInitFromPktSynAck(const Packet *p, TcpStateQueue *q)
++ /** \internal
++ * \brief Find the Queued SYN that is the same as this SYN/ACK
++ * \retval q or NULL */
++-static const TcpStateQueue *StreamTcp3whsFindSyn(const TcpSession *ssn, TcpStateQueue *s)
+++static const TcpStateQueue *StreamTcp3whsFindSyn(
+++ const TcpSession *ssn, TcpStateQueue *s, TcpStateQueue **ret_tail)
++ {
++ SCLogDebug("ssn %p: search state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, s, s->seq, s->win,
++ BOOL2STR(s->flags & STREAMTCP_QUEUE_FLAG_TS), s->ts);
++
++- for (const TcpStateQueue *q = ssn->queue; q != NULL; q = q->next) {
++- SCLogDebug("ssn %p: queue state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->seq,
++- q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts);
+++ TcpStateQueue *last = NULL;
+++ for (TcpStateQueue *q = ssn->queue; q != NULL; q = q->next) {
+++ SCLogDebug("ssn %p: queue state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u (last:%s)", ssn, q,
+++ q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts,
+++ BOOL2STR(q->next == NULL));
++ if ((s->flags & STREAMTCP_QUEUE_FLAG_TS) == (q->flags & STREAMTCP_QUEUE_FLAG_TS) &&
++- s->ts == q->ts) {
+++ s->ts == q->ts && s->seq == q->seq) {
++ return q;
++ }
+++ last = q;
++ }
+++ if (ret_tail)
+++ *ret_tail = last;
++ return NULL;
++ }
++
++-/** \note the SEQ values *must* be the same */
+++/** \internal
+++ * \brief take oldest element in the list and replace it with the new data
+++ */
+++static void AddAndRotate(TcpSession *ssn, TcpStateQueue *tail, TcpStateQueue *search)
+++{
+++ TcpStateQueue *old_head = ssn->queue;
+++ TcpStateQueue *new_head = old_head->next;
+++ /* set new head */
+++ ssn->queue = new_head;
+++
+++ /* old head node is now appended to the list tail */
+++ tail->next = old_head;
+++
+++ *old_head = *search;
+++ old_head->next = NULL;
+++}
+++
++ static int StreamTcp3whsStoreSyn(TcpSession *ssn, Packet *p)
++ {
++ TcpStateQueue search;
++ TcpStateQueueInitFromSsnSyn(ssn, &search);
+++ TcpStateQueue *tail = NULL;
++
++ /* first see if this is already in our list */
++- if (ssn->queue != NULL && StreamTcp3whsFindSyn(ssn, &search) != NULL)
+++ if (ssn->queue != NULL && StreamTcp3whsFindSyn(ssn, &search, &tail) != NULL)
++ return 0;
++
++ if (ssn->queue_len == stream_config.max_syn_queued) {
++- SCLogDebug("ssn %p: =~ SYN queue limit reached", ssn);
+++ SCLogDebug("%" PRIu64 ": ssn %p: =~ SYN queue limit reached, rotate", p->pcap_cnt, ssn);
++ StreamTcpSetEvent(p, STREAM_3WHS_SYN_FLOOD);
++- return -1;
+++
+++ /* add to the list, evicting the oldest entry */
+++ AddAndRotate(ssn, tail, &search);
+++ return 0;
++ }
++
++ if (StreamTcpCheckMemcap((uint32_t)sizeof(TcpStateQueue)) == 0) {
++@@ -1916,9 +1945,13 @@ static int StreamTcp3whsStoreSyn(TcpSession *ssn, Packet *p)
++
++ *q = search;
++ /* put in list */
++- q->next = ssn->queue;
++- ssn->queue = q;
+++ if (tail)
+++ tail->next = q;
+++ if (ssn->queue == NULL)
+++ ssn->queue = q;
++ ssn->queue_len++;
+++ SCLogDebug("%" PRIu64 ": ssn %p: =~ SYN with SEQ %u added (queue_len %u)", p->pcap_cnt, ssn,
+++ q->seq, ssn->queue_len);
++ return 0;
++ }
++
++@@ -1944,6 +1977,102 @@ static inline void StreamTcp3whsStoreSynApplyToSsn(TcpSession *ssn, const TcpSta
++ } else {
++ ssn->flags &= ~STREAMTCP_FLAG_CLIENT_SACKOK;
++ }
+++ ssn->client.isn = q->seq;
+++ ssn->client.base_seq = ssn->client.next_seq = ssn->client.isn + 1;
+++ SCLogDebug("ssn: %p client.isn updated to %u", ssn, ssn->client.isn);
+++}
+++
+++/** \internal
+++ * \brief handle SYN/ACK on SYN_SENT state (non-TFO case)
+++ *
+++ * If packet doesn't match the session, check queued states (if any)
+++ *
+++ * \retval true packet is accepted
+++ * \retval false packet is rejected
+++ */
+++static inline bool StateSynSentCheckSynAck3Whs(TcpSession *ssn, Packet *p, const bool ts_mismatch)
+++{
+++ const bool seq_match = SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1);
+++ if (seq_match && !ts_mismatch) {
+++ return true;
+++ }
+++
+++ /* check the queued syns */
+++ if (ssn->queue == NULL) {
+++ goto failure;
+++ }
+++
+++ TcpStateQueue search;
+++ TcpStateQueueInitFromPktSynAck(p, &search);
+++ SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK looking for SEQ %u", p->pcap_cnt, ssn, search.seq);
+++
+++ const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search, NULL);
+++ if (q == NULL) {
+++ SCLogDebug("not found: mismatch");
+++ goto failure;
+++ }
+++
+++ SCLogDebug("ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q,
+++ q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts);
+++ StreamTcp3whsStoreSynApplyToSsn(ssn, q);
+++ return true;
+++failure:
+++ if (!seq_match) {
+++ StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK);
+++ } else if (ts_mismatch) {
+++ StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP);
+++ }
+++ return false;
+++}
+++
+++/** \internal
+++ * \brief handle SYN/ACK on SYN_SENT state (TFO case)
+++ *
+++ * If packet doesn't match the session, check queued states (if any)
+++ *
+++ * \retval true packet is accepted
+++ * \retval false packet is rejected
+++ */
+++static inline bool StateSynSentCheckSynAckTFO(TcpSession *ssn, Packet *p, const bool ts_mismatch)
+++{
+++ const bool seq_match_tfo = SEQ_EQ(TCP_GET_ACK(p), ssn->client.next_seq);
+++ const bool seq_match_nodata = SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1);
+++ if (seq_match_tfo && !ts_mismatch) {
+++ // ok
+++ } else if (seq_match_nodata && !ts_mismatch) {
+++ ssn->client.next_seq = ssn->client.isn; // reset to ISN
+++ SCLogDebug("ssn %p: (TFO) next_seq reset to isn (%u)", ssn, ssn->client.next_seq);
+++ StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_TFO_DATA_IGNORED);
+++ ssn->flags |= STREAMTCP_FLAG_TFO_DATA_IGNORED;
+++ } else {
+++ /* check the queued syns */
+++ if (ssn->queue == NULL) {
+++ goto failure;
+++ }
+++
+++ TcpStateQueue search;
+++ TcpStateQueueInitFromPktSynAck(p, &search);
+++ SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK looking for SEQ %u", p->pcap_cnt, ssn, search.seq);
+++
+++ const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search, NULL);
+++ if (q == NULL) {
+++ SCLogDebug("not found: mismatch");
+++ goto failure;
+++ }
+++
+++ SCLogDebug("ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q,
+++ q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts);
+++ StreamTcp3whsStoreSynApplyToSsn(ssn, q);
+++ }
+++ ssn->flags |= STREAMTCP_FLAG_TCP_FAST_OPEN;
+++ return true;
+++failure:
+++ if (!seq_match_tfo && !seq_match_nodata) {
+++ StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK);
+++ } else if (ts_mismatch) {
+++ StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP);
+++ }
+++ return false;
++ }
++
++ /**
++@@ -1965,72 +2094,38 @@ static int StreamTcpPacketStateSynSent(
++
++ /* common case: SYN/ACK from server to client */
++ if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK) && PKT_IS_TOCLIENT(p)) {
++- SCLogDebug("ssn %p: SYN/ACK on SYN_SENT state for packet %" PRIu64, ssn, p->pcap_cnt);
+++ SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK on SYN_SENT state for packet %" PRIu64,
+++ p->pcap_cnt, ssn, p->pcap_cnt);
+++ const bool ts_mismatch = !StateSynSentValidateTimestamp(ssn, p);
++
++ if (!(TCP_HAS_TFO(p) || (ssn->flags & STREAMTCP_FLAG_TCP_FAST_OPEN))) {
++- /* Check if the SYN/ACK packet ack's the earlier
++- * received SYN packet. */
++- if (!(SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1))) {
++- StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK);
++- SCLogDebug("ssn %p: ACK mismatch, packet ACK %" PRIu32 " != "
++- "%" PRIu32 " from stream", ssn, TCP_GET_ACK(p),
++- ssn->client.isn + 1);
+++ if (StateSynSentCheckSynAck3Whs(ssn, p, ts_mismatch)) {
+++ SCLogDebug("ssn %p: ACK match, packet ACK %" PRIu32 " == "
+++ "%" PRIu32 " from stream",
+++ ssn, TCP_GET_ACK(p), ssn->client.isn + 1);
+++ } else {
+++ SCLogDebug("ssn %p: (3WHS) ACK mismatch, packet ACK %" PRIu32 " != "
+++ "%" PRIu32 " from stream",
+++ ssn, TCP_GET_ACK(p), ssn->client.next_seq);
++ return -1;
++ }
++ } else {
++- if (SEQ_EQ(TCP_GET_ACK(p), ssn->client.next_seq)) {
+++ if (StateSynSentCheckSynAckTFO(ssn, p, ts_mismatch)) {
++ SCLogDebug("ssn %p: (TFO) ACK matches next_seq, packet ACK %" PRIu32 " == "
++ "%" PRIu32 " from stream",
++ ssn, TCP_GET_ACK(p), ssn->client.next_seq);
++- } else if (SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1)) {
++- SCLogDebug("ssn %p: (TFO) ACK matches ISN+1, packet ACK %" PRIu32 " == "
++- "%" PRIu32 " from stream",
++- ssn, TCP_GET_ACK(p), ssn->client.isn + 1);
++- ssn->client.next_seq = ssn->client.isn; // reset to ISN
++- SCLogDebug("ssn %p: (TFO) next_seq reset to isn (%u)", ssn, ssn->client.next_seq);
++- StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_TFO_DATA_IGNORED);
++- ssn->flags |= STREAMTCP_FLAG_TFO_DATA_IGNORED;
++ } else {
++- StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK);
++ SCLogDebug("ssn %p: (TFO) ACK mismatch, packet ACK %" PRIu32 " != "
++ "%" PRIu32 " from stream", ssn, TCP_GET_ACK(p),
++ ssn->client.next_seq);
++ return -1;
++ }
++- ssn->flags |= STREAMTCP_FLAG_TCP_FAST_OPEN;
++- StreamTcpPacketSetState(p, ssn, TCP_ESTABLISHED);
++- }
++-
++- const bool ts_mismatch = !StateSynSentValidateTimestamp(ssn, p);
++- if (ts_mismatch) {
++- SCLogDebug("ssn %p: ts_mismatch:%s", ssn, BOOL2STR(ts_mismatch));
++- if (ssn->queue) {
++- TcpStateQueue search;
++- TcpStateQueueInitFromPktSynAck(p, &search);
++-
++- const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search);
++- if (q == NULL) {
++- SCLogDebug("not found: mismatch");
++- StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP);
++- return -1;
++- }
++- SCLogDebug("ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u",
++- ssn, q, q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS),
++- q->ts);
++-
++- StreamTcp3whsStoreSynApplyToSsn(ssn, q);
++-
++- } else {
++- SCLogDebug("not found: no queue");
++- StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP);
++- return -1;
++- }
++ }
++-
++ /* clear ssn->queue on state change: TcpSession can be reused by SYN/ACK */
++ StreamTcp3wsFreeQueue(ssn);
++
++ StreamTcp3whsSynAckUpdate(ssn, p, /* no queue override */NULL);
+++ SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK on SYN_SENT state: accepted", p->pcap_cnt, ssn);
++ return 0;
++
++ } else if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK) && PKT_IS_TOSERVER(p)) {
++--
++2.51.0
++
--- /dev/null
--- /dev/null
++From 5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc Mon Sep 17 00:00:00 2001
++From: Juliana Fajardini <jufajardini@oisf.net>
++Date: Fri, 31 Oct 2025 21:38:12 -0700
++Subject: [PATCH] output/alert: fix alert index access for verdict
++
++The engine uses p.alerts.cnt as an index to access the packet alert that
++has the `pass` action for the verdict.
++For IDS/IPS mode, a `pass` will always be the last signature in the
++alert queue. However, that position could be either `p.alerts.cnt` or
++`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert`
++keyword or not.
++This patch fix corner-case scenarios of:
++- accessing an index out of boundaries
++- off-by-one access
++Without changing how the engine increments the alerts.cnt, as this is
++used in many places, and would be a more invasive change.
++It checks the two different scenarios, plus the case when there is only
++a single match as a silent `pass` rule.
++
++Bug #8021
++Bug #7630
++
++Origin: upstream, https://github.com/OISF/suricata/commit/5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8021
++Subject: Upstream fix for CVE-2025-64330
++---
++ src/output-json-alert.c | 7 ++++++-
++ 1 file changed, 6 insertions(+), 1 deletion(-)
++
++diff --git a/src/output-json-alert.c b/src/output-json-alert.c
++index 495b8285f..8c000cb2a 100644
++--- a/src/output-json-alert.c
+++++ b/src/output-json-alert.c
++@@ -702,7 +702,12 @@ void EveAddVerdict(JsonBuilder *jb, const Packet *p)
++
++ } else if (PacketCheckAction(p, ACTION_DROP) && EngineModeIsIPS()) {
++ JB_SET_STRING(jb, "action", "drop");
++- } else if (p->alerts.alerts[p->alerts.cnt].action & ACTION_PASS) {
+++ } else if (p->alerts.cnt == 0 ||
+++ (p->alerts.cnt <= packet_alert_max &&
+++ (p->alerts.alerts[p->alerts.cnt - 1].action &
+++ (ACTION_PASS | ACTION_ALERT)) == (ACTION_PASS | ACTION_ALERT)) ||
+++ (p->alerts.cnt < packet_alert_max &&
+++ p->alerts.alerts[p->alerts.cnt].action & ACTION_PASS)) {
++ JB_SET_STRING(jb, "action", "pass");
++ } else {
++ // TODO make sure we don't have a situation where this wouldn't work
++--
++2.51.2
++
--- /dev/null
--- /dev/null
++From 5abf9b81e78476f49ab074f3a74b5840747cd069 Mon Sep 17 00:00:00 2001
++From: Philippe Antoine <pantoine@oisf.net>
++Date: Thu, 30 Oct 2025 11:18:15 +0100
++Subject: [PATCH] output/jsonbuilder: helper function SCJbSetPrintAsciiString
++
++To replace C PrintStringsToBuffer and avoid a stack alloc
+++ copy
++
++Ticket: 8004
++(cherry picked from commit 7447651fa0956ff4ce55283a51b4a9494ec8cc6a)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/5abf9b81e78476f49ab074f3a74b5840747cd069.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8004
++Subject: Upstream fix for CVE-2025-64331
++---
++ rust/src/jsonbuilder.rs | 60 +++++++++++++++++++++++++++++++++++++++++
++ src/output-json-alert.c | 15 +++--------
++ src/output-json-frame.c | 12 ++-------
++ src/output-json-http.c | 9 +------
++ src/output-json.c | 36 +++++--------------------
++ 5 files changed, 72 insertions(+), 60 deletions(-)
++
++--- a/rust/src/jsonbuilder.rs
+++++ b/rust/src/jsonbuilder.rs
++@@ -527,6 +527,52 @@
++ }
++ }
++
+++ /// Set a key with a string value taking only ascii-printable bytes.
+++ /// Non-printable characters are replaced by a dot `.`, except
+++ /// CR and LF which are escaped the regular json way \r and \n
+++ pub fn set_print_ascii(&mut self, key: &str, val: &[u8]) -> Result<&mut Self, JsonError> {
+++ match self.current_state() {
+++ State::ObjectNth => {
+++ self.push(',')?;
+++ }
+++ State::ObjectFirst => {
+++ self.set_state(State::ObjectNth);
+++ }
+++ _ => {
+++ debug_validate_fail!("invalid state");
+++ return Err(JsonError::InvalidState);
+++ }
+++ }
+++ self.push('"')?;
+++ self.push_str(key)?;
+++ self.push_str("\":\"")?;
+++ for &x in val.iter() {
+++ match x {
+++ b'\r' => {
+++ self.push_str("\\r")?;
+++ }
+++ b'\n'=> {
+++ self.push_str("\\n")?;
+++ }
+++ b'"'=> {
+++ self.push_str("\\\"")?;
+++ }
+++ b'\\'=> {
+++ self.push_str("\\\\")?;
+++ }
+++ _ => {
+++ if !x.is_ascii() || x.is_ascii_control() {
+++ self.push('.')?;
+++ } else {
+++ self.push(x as char)?;
+++ }
+++ }
+++ }
+++ }
+++ self.push('"')?;
+++ Ok(self)
+++ }
+++
++ /// Set a key and a string value (from bytes) on an object, with a limited size
++ pub fn set_string_from_bytes_limited(&mut self, key: &str, val: &[u8], limit: usize) -> Result<&mut Self, JsonError> {
++ let mut valtrunc = Vec::new();
++@@ -883,6 +929,20 @@
++ }
++ return false;
++ }
+++
+++#[no_mangle]
+++pub unsafe extern "C" fn SCJbSetPrintAsciiString(
+++ js: &mut JsonBuilder, key: *const c_char, bytes: *const u8, len: u32,
+++) -> bool {
+++ if bytes.is_null() || len == 0 {
+++ return false;
+++ }
+++ if let Ok(key) = CStr::from_ptr(key).to_str() {
+++ let val = std::slice::from_raw_parts(bytes, len as usize);
+++ return js.set_print_ascii(key, val).is_ok();
+++ }
+++ return false;
+++}
++
++ #[no_mangle]
++ pub unsafe extern "C" fn jb_set_base64(
++--- a/src/output-json-alert.c
+++++ b/src/output-json-alert.c
++@@ -452,13 +452,7 @@
++ }
++
++ if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
++- uint8_t printable_buf[p->payload_len + 1];
++- uint32_t offset = 0;
++- PrintStringsToBuffer(printable_buf, &offset,
++- p->payload_len + 1,
++- p->payload, p->payload_len);
++- printable_buf[p->payload_len] = '\0';
++- jb_set_string(js, "payload_printable", (char *)printable_buf);
+++ SCJbSetPrintAsciiString(js, "payload_printable", p->payload, p->payload_len);
++ }
++ }
++
++@@ -764,11 +758,8 @@
++ }
++
++ if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
++- uint8_t printable_buf[cbd.payload->offset + 1];
++- uint32_t offset = 0;
++- PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), cbd.payload->buffer,
++- cbd.payload->offset);
++- jb_set_string(jb, "payload_printable", (char *)printable_buf);
+++ SCJbSetPrintAsciiString(
+++ jb, "payload_printable", cbd.payload->buffer, cbd.payload->offset);
++ }
++ return true;
++ }
++--- a/src/output-json-frame.c
+++++ b/src/output-json-frame.c
++@@ -202,11 +202,7 @@
++
++ if (cbd.payload->offset) {
++ jb_set_base64(jb, "payload", cbd.payload->buffer, cbd.payload->offset);
++- uint8_t printable_buf[cbd.payload->offset + 1];
++- uint32_t offset = 0;
++- PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), cbd.payload->buffer,
++- cbd.payload->offset);
++- jb_set_string(jb, "payload_printable", (char *)printable_buf);
+++ SCJbSetPrintAsciiString(jb, "payload_printable", cbd.payload->buffer, cbd.payload->offset);
++ jb_set_bool(jb, "complete", complete);
++ }
++ }
++@@ -235,11 +231,7 @@
++ const uint32_t log_data_len = MIN(data_len, 256);
++ jb_set_base64(js, "payload", data, log_data_len);
++
++- uint8_t printable_buf[log_data_len + 1];
++- uint32_t o = 0;
++- PrintStringsToBuffer(printable_buf, &o, log_data_len + 1, data, log_data_len);
++- printable_buf[log_data_len] = '\0';
++- jb_set_string(js, "payload_printable", (char *)printable_buf);
+++ SCJbSetPrintAsciiString(js, "payload_printable", data, log_data_len);
++ #if 0
++ char pretty_buf[data_len * 4 + 1];
++ pretty_buf[0] = '\0';
++--- a/src/output-json-http.c
+++++ b/src/output-json-http.c
++@@ -366,7 +366,6 @@
++ static void BodyPrintableBuffer(JsonBuilder *js, HtpBody *body, const char *key)
++ {
++ if (body->sb != NULL && body->sb->region.buf != NULL) {
++- uint32_t offset = 0;
++ const uint8_t *body_data;
++ uint32_t body_data_len;
++ uint64_t body_offset;
++@@ -376,13 +375,7 @@
++ return;
++ }
++
++- uint8_t printable_buf[body_data_len + 1];
++- PrintStringsToBuffer(printable_buf, &offset,
++- sizeof(printable_buf),
++- body_data, body_data_len);
++- if (offset > 0) {
++- jb_set_string(js, key, (char *)printable_buf);
++- }
+++ SCJbSetPrintAsciiString(js, key, body_data, body_data_len);
++ }
++ }
++
++--- a/src/output-json.c
+++++ b/src/output-json.c
++@@ -210,22 +210,10 @@
++ PrintStringsToBuffer(keybuf, &offset,
++ sizeof(keybuf),
++ pv->key, pv->key_len);
++- uint32_t len = pv->value_len;
++- uint8_t printable_buf[len + 1];
++- offset = 0;
++- PrintStringsToBuffer(printable_buf, &offset,
++- sizeof(printable_buf),
++- pv->value, pv->value_len);
++- jb_set_string(js_vars, (char *)keybuf, (char *)printable_buf);
+++ SCJbSetPrintAsciiString(js_vars, (char *)keybuf, pv->value, pv->value_len);
++ } else {
++ const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
++- uint32_t len = pv->value_len;
++- uint8_t printable_buf[len + 1];
++- uint32_t offset = 0;
++- PrintStringsToBuffer(printable_buf, &offset,
++- sizeof(printable_buf),
++- pv->value, pv->value_len);
++- jb_set_string(js_vars, varname, (char *)printable_buf);
+++ SCJbSetPrintAsciiString(js_vars, varname, pv->value, pv->value_len);
++ }
++ jb_close(js_vars);
++ }
++@@ -276,15 +264,9 @@
++ break;
++ }
++
++- uint32_t len = fv->data.fv_str.value_len;
++- uint8_t printable_buf[len + 1];
++- uint32_t offset = 0;
++- PrintStringsToBuffer(printable_buf, &offset,
++- sizeof(printable_buf),
++- fv->data.fv_str.value, fv->data.fv_str.value_len);
++-
++ jb_start_object(js_flowvars);
++- jb_set_string(js_flowvars, varname, (char *)printable_buf);
+++ SCJbSetPrintAsciiString(
+++ js_flowvars, varname, fv->data.fv_str.value, fv->data.fv_str.value_len);
++ jb_close(js_flowvars);
++ }
++ } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
++@@ -300,15 +282,9 @@
++ sizeof(keybuf),
++ fv->key, fv->keylen);
++
++- uint32_t len = fv->data.fv_str.value_len;
++- uint8_t printable_buf[len + 1];
++- offset = 0;
++- PrintStringsToBuffer(printable_buf, &offset,
++- sizeof(printable_buf),
++- fv->data.fv_str.value, fv->data.fv_str.value_len);
++-
++ jb_start_object(js_flowvars);
++- jb_set_string(js_flowvars, (const char *)keybuf, (char *)printable_buf);
+++ SCJbSetPrintAsciiString(js_flowvars, (const char *)keybuf, fv->data.fv_str.value,
+++ fv->data.fv_str.value_len);
++ jb_close(js_flowvars);
++ } else if (fv->datatype == FLOWVAR_TYPE_INT) {
++ const char *varname = VarNameStoreLookupById(fv->idx,
++--- a/rust/dist/rust-bindings.h
+++++ b/rust/dist/rust-bindings.h
++@@ -4898,6 +4898,11 @@
++ const uint8_t *bytes,
++ uint32_t len);
++
+++bool SCJbSetPrintAsciiString(struct JsonBuilder *js,
+++ const char *key,
+++ const uint8_t *bytes,
+++ uint32_t len);
+++
++ bool jb_set_base64(struct JsonBuilder *js,
++ const char *key,
++ const uint8_t *bytes,
--- /dev/null
--- /dev/null
++From f67d72702a2601d0a86ac1450686e70d7176f629 Mon Sep 17 00:00:00 2001
++From: Philippe Antoine <pantoine@oisf.net>
++Date: Thu, 30 Oct 2025 11:27:22 +0100
++Subject: [PATCH] util/swf: move allocation from stack to heap
++
++As it can overflow the stack
++
++Ticket: 8055
++(cherry picked from commit a84addb771846f6d4d55ec535a4591f58369e49c)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/f67d72702a2601d0a86ac1450686e70d7176f629.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8055
++Subject: Upstream fix for CVE-2025-64332
++---
++ src/util-file-decompression.c | 6 +++++-
++ 1 file changed, 5 insertions(+), 1 deletion(-)
++
++diff --git a/src/util-file-decompression.c b/src/util-file-decompression.c
++index dfafdc87f..bf65b0b7c 100644
++--- a/src/util-file-decompression.c
+++++ b/src/util-file-decompression.c
++@@ -169,7 +169,10 @@ int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len,
++ * | LZMA properties | Uncompressed length | Compressed data |
++ */
++ compressed_data_len += 13;
++- uint8_t compressed_data[compressed_data_len];
+++ uint8_t *compressed_data = SCCalloc(1, compressed_data_len);
+++ if (compressed_data == NULL) {
+++ goto error;
+++ }
++ /* put lzma properties */
++ memcpy(compressed_data, buffer + 12, 5);
++ /* put lzma end marker */
++@@ -183,6 +186,7 @@ int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len,
++ r = FileSwfLzmaDecompression(det_ctx,
++ compressed_data, compressed_data_len,
++ out_buffer->buf + 8, out_buffer->len - 8);
+++ SCFree(compressed_data);
++ if (r == 0)
++ goto error;
++ } else {
++--
++2.51.2
++
--- /dev/null
--- /dev/null
++From 4b1d284bb57219b6677a8bda5cdc14a24a6aa22d Mon Sep 17 00:00:00 2001
++From: Philippe Antoine <pantoine@oisf.net>
++Date: Thu, 30 Oct 2025 11:43:27 +0100
++Subject: [PATCH] output/http: log content-type like other headers
++
++Ticket: 8056
++
++Avoid stack allocation.
++Do not handle null and ; especially
++
++(cherry picked from commit b8411fcc8dfc16910c3080d4d8c03a9a64c3a1f7)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/4b1d284bb57219b6677a8bda5cdc14a24a6aa22d.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8056
++Subject: Upstream fix for CVE-2025-64333
++---
++ src/output-json-http.c | 11 +++++------
++ 1 file changed, 5 insertions(+), 6 deletions(-)
++
++diff --git a/src/output-json-http.c b/src/output-json-http.c
++index bd3f6a116..87191caa9 100644
++--- a/src/output-json-http.c
+++++ b/src/output-json-http.c
++@@ -237,13 +237,12 @@ static void EveHttpLogJSONBasic(JsonBuilder *js, htp_tx_t *tx)
++ if (tx->response_headers != NULL) {
++ htp_header_t *h_content_type = htp_table_get_c(tx->response_headers, "content-type");
++ if (h_content_type != NULL) {
++- const size_t size = bstr_len(h_content_type->value) * 2 + 1;
++- char string[size];
++- BytesToStringBuffer(bstr_ptr(h_content_type->value), bstr_len(h_content_type->value), string, size);
++- char *p = strchr(string, ';');
+++ uint32_t len = (uint32_t)bstr_len(h_content_type->value);
+++ const uint8_t *p = memchr(bstr_ptr(h_content_type->value), ';', len);
++ if (p != NULL)
++- *p = '\0';
++- jb_set_string(js, "http_content_type", string);
+++ len = (uint32_t)(p - bstr_ptr(h_content_type->value));
+++ jb_set_string_from_bytes(
+++ js, "http_content_type", bstr_ptr(h_content_type->value), len);
++ }
++ htp_header_t *h_content_range = htp_table_get_c(tx->response_headers, "content-range");
++ if (h_content_range != NULL) {
++--
++2.51.2
++
--- /dev/null
--- /dev/null
++From a7ff4c9ba53009680c7cd128b16c28d0aeda9886 Mon Sep 17 00:00:00 2001
++From: Victor Julien <vjulien@oisf.net>
++Date: Fri, 31 Oct 2025 09:38:55 +0100
++Subject: [PATCH] lua: remove luajit pushlstring workaround
++
++81ee6f5aadeb ("lua: push correct length back through ScFlowvarGet, work around valgrind warning")
++added a workaround for valgrind warnings in pushing a string buffer
++into the lua state. This is no longer needed as tested with both
++address sanitizer and valgrind.
++
++(cherry picked from commit 52fd61dffdfa50c9a2d4ec24865a54da0b8f0a2a)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/a7ff4c9ba53009680c7cd128b16c28d0aeda9886.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8065
++Subject: Upstream fix for CVE-2025-64344
++---
++ src/util-lua.c | 17 +----------------
++ 1 file changed, 1 insertion(+), 16 deletions(-)
++
++diff --git a/src/util-lua.c b/src/util-lua.c
++index 9e65c3017..3dd1d3150 100644
++--- a/src/util-lua.c
+++++ b/src/util-lua.c
++@@ -328,22 +328,7 @@ void LuaPrintStack(lua_State *state) {
++
++ int LuaPushStringBuffer(lua_State *luastate, const uint8_t *input, size_t input_len)
++ {
++- if (input_len % 4 != 0) {
++- /* we're using a buffer sized at a multiple of 4 as lua_pushlstring generates
++- * invalid read errors in valgrind otherwise. Adding in a nul to be sure.
++- *
++- * Buffer size = len + 1 (for nul) + whatever makes it a multiple of 4 */
++- size_t buflen = input_len + 1 + ((input_len + 1) % 4);
++- uint8_t buf[buflen];
++- memset(buf, 0x00, buflen);
++- memcpy(buf, input, input_len);
++- buf[input_len] = '\0';
++-
++- /* return value through luastate, as a luastring */
++- lua_pushlstring(luastate, (char *)buf, input_len);
++- } else {
++- lua_pushlstring(luastate, (char *)input, input_len);
++- }
+++ lua_pushlstring(luastate, (char *)input, input_len);
++ return 1;
++ }
++
++--
++2.51.2
++
--- /dev/null
--- /dev/null
++From f82a388d0283725cb76782cf64e8341cab370830 Mon Sep 17 00:00:00 2001
++From: Shivani Bhardwaj <shivani@oisf.net>
++Date: Tue, 6 Jan 2026 16:44:52 +0530
++Subject: [PATCH 1/3] dcerpc: add upper limit on stub data
++
++DCERPC parsers had no upper bounds when it came to extending the stub
++data buffer. Traffic can be crafted to bypass some internal parser
++conditions to create an indefinite buffering in the stub_data array that
++can make Suricata crash.
++
++Add a default limit of 1MiB and make it configurable for the user.
++
++Security 8182
++
++Co-authored-by: Philippe Antoine <pantoine@oisf.net>
++(cherry picked from commit e412215af990feeffbb66c7dd9f392813a20ae50)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8182
++Subject: Upstream fix for CVE-2026-22258 part 1
++---
++ rust/src/dcerpc/dcerpc.rs | 31 +++++++++++++++++++++++++++++--
++ rust/src/dcerpc/dcerpc_udp.rs | 18 +++++++++++++-----
++ rust/src/smb/dcerpc.rs | 31 +++++++++++++++++++++++--------
++ rust/src/smb/smb.rs | 23 +++++++++++++++++++++++
++ suricata.yaml.in | 4 ++++
++ 5 files changed, 92 insertions(+), 15 deletions(-)
++
++diff --git a/rust/src/dcerpc/dcerpc.rs b/rust/src/dcerpc/dcerpc.rs
++index 5469b736b..7297ff82e 100644
++--- a/rust/src/dcerpc/dcerpc.rs
+++++ b/rust/src/dcerpc/dcerpc.rs
++@@ -25,7 +25,9 @@ use std;
++ use std::cmp;
++ use std::ffi::CString;
++ use std::collections::VecDeque;
++-use crate::conf::conf_get;
+++use crate::conf::{conf_get, get_memval};
+++
+++pub static mut DCERPC_MAX_STUB_SIZE: u32 = 1048576;
++
++ // Constant DCERPC UDP Header length
++ pub const DCERPC_HDR_LEN: u16 = 16;
++@@ -163,6 +165,11 @@ pub fn get_req_type_for_resp(t: u8) -> u8 {
++ _ => DCERPC_TYPE_UNKNOWN,
++ }
++ }
+++#[inline(always)]
+++pub fn cfg_max_stub_size() -> u32 {
+++ unsafe { DCERPC_MAX_STUB_SIZE }
+++}
+++
++
++ #[derive(Default, Debug)]
++ pub struct DCERPCTransaction {
++@@ -1096,7 +1103,12 @@ fn evaluate_stub_params(
++ }
++
++ let input_slice = &input[..stub_len as usize];
++- stub_data_buffer.extend_from_slice(input_slice);
+++ let max_size = cfg_max_stub_size() as usize;
+++ if (stub_data_buffer.len() + input_slice.len()) < max_size {
+++ stub_data_buffer.extend_from_slice(input_slice);
+++ } else if stub_data_buffer.len() < max_size {
+++ stub_data_buffer.extend_from_slice(&input_slice[..max_size - stub_data_buffer.len()]);
+++ }
++
++ stub_len
++ }
++@@ -1396,6 +1408,21 @@ pub unsafe extern "C" fn rs_dcerpc_register_parser() {
++ }
++ }
++ SCLogDebug!("Rust DCERPC parser registered.");
+++ let retval = conf_get("app-layer.protocols.dcerpc.max-stub-size");
+++ if let Some(val) = retval {
+++ match get_memval(val) {
+++ Ok(retval) => {
+++ if retval > 0 {
+++ DCERPC_MAX_STUB_SIZE = retval as u32;
+++ } else {
+++ SCLogError!("Invalid max-stub-size value");
+++ }
+++ }
+++ Err(_) => {
+++ SCLogError!("Invalid max-stub-size value");
+++ }
+++ }
+++ }
++ } else {
++ SCLogDebug!("Protocol detector and parser disabled for DCERPC.");
++ }
++diff --git a/rust/src/dcerpc/dcerpc_udp.rs b/rust/src/dcerpc/dcerpc_udp.rs
++index d70ca1b53..0a6213a87 100644
++--- a/rust/src/dcerpc/dcerpc_udp.rs
+++++ b/rust/src/dcerpc/dcerpc_udp.rs
++@@ -1,4 +1,4 @@
++-/* Copyright (C) 2020 Open Information Security Foundation
+++/* Copyright (C) 2020-2026 Open Information Security Foundation
++ *
++ * You can copy, redistribute or modify this Program under the terms of
++ * the GNU General Public License version 2 as published by the Free
++@@ -19,7 +19,7 @@ use crate::applayer::{self, *};
++ use crate::core::{self, Direction, DIR_BOTH};
++ use crate::dcerpc::dcerpc::{
++ DCERPCTransaction, DCERPC_MAX_TX, DCERPC_TYPE_REQUEST, DCERPC_TYPE_RESPONSE, PFCL1_FRAG, PFCL1_LASTFRAG,
++- rs_dcerpc_get_alstate_progress, ALPROTO_DCERPC, PARSER_NAME,
+++ rs_dcerpc_get_alstate_progress, ALPROTO_DCERPC, PARSER_NAME, cfg_max_stub_size,
++ };
++ use nom7::Err;
++ use std;
++@@ -169,18 +169,27 @@ impl DCERPCUDPState {
++ tx.tx_data.updated_ts = true;
++ let done = (hdr.flags1 & PFCL1_FRAG) == 0 || (hdr.flags1 & PFCL1_LASTFRAG) != 0;
++
+++ let max_size = cfg_max_stub_size() as usize;
++ match hdr.pkt_type {
++ DCERPC_TYPE_REQUEST => {
++- tx.stub_data_buffer_ts.extend_from_slice(input);
++ tx.frag_cnt_ts += 1;
+++ if input.len() + tx.stub_data_buffer_ts.len() < max_size {
+++ tx.stub_data_buffer_ts.extend_from_slice(input);
+++ } else if tx.stub_data_buffer_ts.len() < max_size {
+++ tx.stub_data_buffer_ts.extend_from_slice(&input[..max_size - tx.stub_data_buffer_ts.len()]);
+++ }
++ if done {
++ tx.req_done = true;
++ }
++ return true;
++ }
++ DCERPC_TYPE_RESPONSE => {
++- tx.stub_data_buffer_tc.extend_from_slice(input);
++ tx.frag_cnt_tc += 1;
+++ if input.len() + tx.stub_data_buffer_tc.len() < max_size {
+++ tx.stub_data_buffer_tc.extend_from_slice(input);
+++ } else if tx.stub_data_buffer_tc.len() < max_size {
+++ tx.stub_data_buffer_tc.extend_from_slice(&input[..max_size - tx.stub_data_buffer_tc.len()]);
+++ }
++ if done {
++ tx.resp_done = true;
++ }
++@@ -397,7 +406,6 @@ pub unsafe extern "C" fn rs_dcerpc_udp_register_parser() {
++ }
++ }
++
++-
++ #[cfg(test)]
++ mod tests {
++ use crate::applayer::AppLayerResult;
++diff --git a/rust/src/smb/dcerpc.rs b/rust/src/smb/dcerpc.rs
++index 6c2a2f934..1e62241bb 100644
++--- a/rust/src/smb/dcerpc.rs
+++++ b/rust/src/smb/dcerpc.rs
++@@ -18,7 +18,7 @@
++ // written by Victor Julien
++
++ use uuid;
++-use crate::smb::smb::*;
+++use crate::smb::smb::{cfg_max_stub_size, *};
++ use crate::smb::smb2::*;
++ use crate::smb::dcerpc_records::*;
++ use crate::smb::events::*;
++@@ -205,10 +205,15 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
++ SCLogDebug!("previous CMD {} found at tx {} => {:?}",
++ dcer.packet_type, tx.id, tx);
++ if let Some(SMBTransactionTypeData::DCERPC(ref mut tdn)) = tx.type_data {
++- SCLogDebug!("additional frag of size {}", recr.data.len());
++- tdn.stub_data_ts.extend_from_slice(recr.data);
++ tdn.frag_cnt_ts += 1;
++- SCLogDebug!("stub_data now {}", tdn.stub_data_ts.len());
+++ let max_size = cfg_max_stub_size() as usize;
+++ if recr.data.len() + tdn.stub_data_ts.len() < max_size {
+++ SCLogDebug!("additional frag of size {}", recr.data.len());
+++ tdn.stub_data_ts.extend_from_slice(recr.data);
+++ SCLogDebug!("stub_data now {}", tdn.stub_data_ts.len());
+++ } else if tdn.stub_data_ts.len() < max_size {
+++ tdn.stub_data_ts.extend_from_slice(&recr.data[..max_size - tdn.stub_data_ts.len()]);
+++ }
++ }
++ if dcer.last_frag {
++ SCLogDebug!("last frag set, so request side of DCERPC closed");
++@@ -240,12 +245,17 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
++ SCLogDebug!("DCERPC: REQUEST {:?}", recr);
++ if let Some(SMBTransactionTypeData::DCERPC(ref mut tdn)) = tx.type_data {
++ SCLogDebug!("first frag size {}", recr.data.len());
++- tdn.stub_data_ts.extend_from_slice(recr.data);
++ tdn.opnum = recr.opnum;
++ tdn.context_id = recr.context_id;
++ tdn.frag_cnt_ts += 1;
++- SCLogDebug!("DCERPC: REQUEST opnum {} stub data len {}",
++- tdn.opnum, tdn.stub_data_ts.len());
+++ let max_size = cfg_max_stub_size() as usize;
+++ if tdn.stub_data_ts.len() + recr.data.len() < max_size {
+++ tdn.stub_data_ts.extend_from_slice(recr.data);
+++ SCLogDebug!("DCERPC: REQUEST opnum {} stub data len {}",
+++ tdn.opnum, tdn.stub_data_ts.len());
+++ } else if tdn.stub_data_ts.len() < max_size {
+++ tdn.stub_data_ts.extend_from_slice(&recr.data[..max_size - tdn.stub_data_ts.len()]);
+++ }
++ }
++ if dcer.last_frag {
++ tx.request_done = true;
++@@ -407,8 +417,13 @@ fn dcerpc_response_handle(tx: &mut SMBTransaction,
++ if let Some(SMBTransactionTypeData::DCERPC(ref mut tdn)) = tx.type_data {
++ SCLogDebug!("CMD 11 found at tx {}", tx.id);
++ tdn.set_result(DCERPC_TYPE_RESPONSE);
++- tdn.stub_data_tc.extend_from_slice(respr.data);
+++ let max_size = cfg_max_stub_size() as usize;
++ tdn.frag_cnt_tc += 1;
+++ if tdn.stub_data_tc.len() + respr.data.len() < max_size {
+++ tdn.stub_data_tc.extend_from_slice(respr.data);
+++ } else if tdn.stub_data_tc.len() < max_size {
+++ tdn.stub_data_tc.extend_from_slice(&respr.data[..max_size - tdn.stub_data_tc.len()]);
+++ }
++ }
++ tx.vercmd.set_ntstatus(ntstatus);
++ tx.response_done = dcer.last_frag;
++diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
++index c22bc9fc9..0a0fc1082 100644
++--- a/rust/src/smb/smb.rs
+++++ b/rust/src/smb/smb.rs
++@@ -81,6 +81,8 @@ pub static mut SMB_CFG_MAX_WRITE_SIZE: u32 = 16777216;
++ pub static mut SMB_CFG_MAX_WRITE_QUEUE_SIZE: u32 = 67108864;
++ pub static mut SMB_CFG_MAX_WRITE_QUEUE_CNT: u32 = 64;
++
+++pub static mut SMB_DCERPC_MAX_STUB_SIZE: u32 = 1048576;
+++
++ static mut ALPROTO_SMB: AppProto = ALPROTO_UNKNOWN;
++
++ static mut SMB_MAX_TX: usize = 1024;
++@@ -2438,6 +2440,21 @@ pub unsafe extern "C" fn rs_smb_register_parser() {
++ SCLogError!("Invalid value for smb.max-tx");
++ }
++ }
+++ let retval = conf_get("app-layer.protocols.smb.dcerpc.max-stub-size");
+++ if let Some(val) = retval {
+++ match get_memval(val) {
+++ Ok(retval) => {
+++ if retval > 0 {
+++ SMB_DCERPC_MAX_STUB_SIZE = retval as u32;
+++ } else {
+++ SCLogError!("Invalid max-stub-size value");
+++ }
+++ }
+++ Err(_) => {
+++ SCLogError!("Invalid max-stub-size value");
+++ }
+++ }
+++ }
++ SCLogConfig!("read: max record size: {}, max queued chunks {}, max queued size {}",
++ SMB_CFG_MAX_READ_SIZE, SMB_CFG_MAX_READ_QUEUE_CNT, SMB_CFG_MAX_READ_QUEUE_SIZE);
++ SCLogConfig!("write: max record size: {}, max queued chunks {}, max queued size {}",
++@@ -2446,3 +2463,9 @@ pub unsafe extern "C" fn rs_smb_register_parser() {
++ SCLogDebug!("Protocol detector and parser disabled for SMB.");
++ }
++ }
+++
+++#[inline(always)]
+++pub fn cfg_max_stub_size() -> u32 {
+++ unsafe { SMB_DCERPC_MAX_STUB_SIZE }
+++}
+++
++diff --git a/suricata.yaml.in b/suricata.yaml.in
++index 7640f2b62..eab6ca500 100644
++--- a/suricata.yaml.in
+++++ b/suricata.yaml.in
++@@ -951,6 +951,8 @@ app-layer:
++ enabled: yes
++ # Maximum number of live DCERPC transactions per flow
++ # max-tx: 1024
+++ #max-stub-size: 1MiB
+++
++ ftp:
++ enabled: yes
++ # memcap: 64mb
++@@ -1015,6 +1017,8 @@ app-layer:
++
++ # Stream reassembly size for SMB streams. By default track it completely.
++ #stream-depth: 0
+++ #dcerpc:
+++ # max-stub-size: 1MiB
++
++ nfs:
++ enabled: yes
++--
++2.47.3
++
--- /dev/null
--- /dev/null
++From df389f8a43a06c718bb336ea082d6c80d6fefda0 Mon Sep 17 00:00:00 2001
++From: Shivani Bhardwaj <shivani@oisf.net>
++Date: Wed, 7 Jan 2026 10:33:57 +0530
++Subject: [PATCH 2/3] doc: add dcerpc.max-stub-size config param
++
++(cherry picked from commit 6702791a9c4463858c8b54ee8678fd4f5fbe831a)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/df389f8a43a06c718bb336ea082d6c80d6fefda0.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8182
++Subject: Upstream fix for CVE-2026-22258 part 2
++---
++ doc/userguide/configuration/suricata-yaml.rst | 12 ++++++++++++
++ 1 file changed, 12 insertions(+)
++
++diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
++index bd414fbc6..8ea093b51 100644
++--- a/doc/userguide/configuration/suricata-yaml.rst
+++++ b/doc/userguide/configuration/suricata-yaml.rst
++@@ -1674,6 +1674,9 @@ Several options are available for limiting record sizes and data chunk tracking.
++ max-write-queue-size: 16mb
++ max-write-queue-cnt: 16
++
+++ dcerpc:
+++ max-stub-size: 1MiB
+++
++ The `max-read-size` option can be set to control the max size of accepted
++ READ records. Events will be raised if a READ request asks for too much data
++ and/or if READ responses are too big. A value of 0 disables the checks.
++@@ -1685,6 +1688,8 @@ data. A value of 0 disables the checks.
++ Additionally if the `max-read-size` or `max-write-size` values in the
++ "negotiate protocol response" exceeds this limit an event will also be raised.
++
+++To control the size of the DCERPC stub data, `dcerpc.max-stub-size` should be
+++used. It is by default set to 1MiB.
++
++ For file tracking, extraction and file data inspection the parser queues up
++ out of order data chunks for both READs and WRITEs. To avoid using too much
++@@ -1710,6 +1715,13 @@ the limits are exceeded, and an event will be raised.
++ `max-write-queue-size` and `max-write-queue-cnt` are as the READ variants,
++ but then for WRITEs.
++
+++Configure DCERPC
+++~~~~~~~~~~~~~~~~
+++
+++DCERPC has one parameter that can be customized.
+++`max-stub-size` is used to control the stub data size of a DCERPC request/response. By
+++default, it is set to 1MiB.
+++
++ Configure HTTP2
++ ~~~~~~~~~~~~~~~
++
++--
++2.47.3
++
--- /dev/null
--- /dev/null
++From c9b80e5affe073ce9d95d0c935a8d67647c83bf7 Mon Sep 17 00:00:00 2001
++From: Philippe Antoine <pantoine@oisf.net>
++Date: Thu, 8 Jan 2026 14:48:40 +0100
++Subject: [PATCH 3/3] dcerpc: use saturating_add to count fragments
++
++And do not overflow if we have traffic with more than 65K fragments
++
++(cherry picked from commit a48200b9e5befb1f0aa45ad5b33e2664e6a9fa41)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/c9b80e5affe073ce9d95d0c935a8d67647c83bf7.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8182
++Subject: Upstream fix for CVE-2026-22258 part 3
++---
++ rust/src/dcerpc/dcerpc_udp.rs | 4 ++--
++ rust/src/smb/dcerpc.rs | 6 +++---
++ 2 files changed, 5 insertions(+), 5 deletions(-)
++
++diff --git a/rust/src/dcerpc/dcerpc_udp.rs b/rust/src/dcerpc/dcerpc_udp.rs
++index 0a6213a87..87fa9764b 100644
++--- a/rust/src/dcerpc/dcerpc_udp.rs
+++++ b/rust/src/dcerpc/dcerpc_udp.rs
++@@ -172,7 +172,7 @@ impl DCERPCUDPState {
++ let max_size = cfg_max_stub_size() as usize;
++ match hdr.pkt_type {
++ DCERPC_TYPE_REQUEST => {
++- tx.frag_cnt_ts += 1;
+++ tx.frag_cnt_ts = tx.frag_cnt_ts.saturating_add(1);
++ if input.len() + tx.stub_data_buffer_ts.len() < max_size {
++ tx.stub_data_buffer_ts.extend_from_slice(input);
++ } else if tx.stub_data_buffer_ts.len() < max_size {
++@@ -184,7 +184,7 @@ impl DCERPCUDPState {
++ return true;
++ }
++ DCERPC_TYPE_RESPONSE => {
++- tx.frag_cnt_tc += 1;
+++ tx.frag_cnt_tc = tx.frag_cnt_tc.saturating_add(1);
++ if input.len() + tx.stub_data_buffer_tc.len() < max_size {
++ tx.stub_data_buffer_tc.extend_from_slice(input);
++ } else if tx.stub_data_buffer_tc.len() < max_size {
++diff --git a/rust/src/smb/dcerpc.rs b/rust/src/smb/dcerpc.rs
++index 1e62241bb..5cb1adeba 100644
++--- a/rust/src/smb/dcerpc.rs
+++++ b/rust/src/smb/dcerpc.rs
++@@ -205,7 +205,7 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
++ SCLogDebug!("previous CMD {} found at tx {} => {:?}",
++ dcer.packet_type, tx.id, tx);
++ if let Some(SMBTransactionTypeData::DCERPC(ref mut tdn)) = tx.type_data {
++- tdn.frag_cnt_ts += 1;
+++ tdn.frag_cnt_ts = tdn.frag_cnt_ts.saturating_add(1);
++ let max_size = cfg_max_stub_size() as usize;
++ if recr.data.len() + tdn.stub_data_ts.len() < max_size {
++ SCLogDebug!("additional frag of size {}", recr.data.len());
++@@ -247,7 +247,7 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
++ SCLogDebug!("first frag size {}", recr.data.len());
++ tdn.opnum = recr.opnum;
++ tdn.context_id = recr.context_id;
++- tdn.frag_cnt_ts += 1;
+++ tdn.frag_cnt_ts = tdn.frag_cnt_ts.saturating_add(1);
++ let max_size = cfg_max_stub_size() as usize;
++ if tdn.stub_data_ts.len() + recr.data.len() < max_size {
++ tdn.stub_data_ts.extend_from_slice(recr.data);
++@@ -418,7 +418,7 @@ fn dcerpc_response_handle(tx: &mut SMBTransaction,
++ SCLogDebug!("CMD 11 found at tx {}", tx.id);
++ tdn.set_result(DCERPC_TYPE_RESPONSE);
++ let max_size = cfg_max_stub_size() as usize;
++- tdn.frag_cnt_tc += 1;
+++ tdn.frag_cnt_tc = tdn.frag_cnt_tc.saturating_add(1);
++ if tdn.stub_data_tc.len() + respr.data.len() < max_size {
++ tdn.stub_data_tc.extend_from_slice(respr.data);
++ } else if tdn.stub_data_tc.len() < max_size {
++--
++2.47.3
++
--- /dev/null
--- /dev/null
++From 63225d5f8ef64cc65164c0bb1800730842d54942 Mon Sep 17 00:00:00 2001
++From: Jason Ish <jason.ish@oisf.net>
++Date: Tue, 6 Jan 2026 16:15:09 -0600
++Subject: [PATCH 1/4] dnp3: check done state, not complete state for progress
++
++Complete is a flag used to tell if the message was completely parsed,
++as not all messages may be completely parsed if we don't know all
++their objects. However, they are still "done".
++
++In the alstate-progress callback, check the done flag, not the
++complete flag.
++
++Ticket: #8181
++(cherry picked from commit d61eef9a8a0d92921989479de15e5cbfec3251a9)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/63225d5f8ef64cc65164c0bb1800730842d54942.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8181
++Subject: Upstream fix for CVE-2026-22259 part 1
++---
++ src/app-layer-dnp3.c | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/src/app-layer-dnp3.c b/src/app-layer-dnp3.c
++index ecae4ae63..1a8b3cb63 100644
++--- a/src/app-layer-dnp3.c
+++++ b/src/app-layer-dnp3.c
++@@ -1438,7 +1438,7 @@ static int DNP3GetAlstateProgress(void *tx, uint8_t direction)
++ SCReturnInt(1);
++ }
++
++- if (dnp3tx->complete)
+++ if (dnp3tx->done)
++ retval = 1;
++
++ SCReturnInt(retval);
++--
++2.47.3
++
--- /dev/null
--- /dev/null
++From 635af8dc8be09667689be71d781912718ca1aa49 Mon Sep 17 00:00:00 2001
++From: Jason Ish <jason.ish@oisf.net>
++Date: Tue, 6 Jan 2026 11:06:40 -0600
++Subject: [PATCH 2/4] dnp3: reduce flood threshold to 32 and make configurable
++
++Lower the number of unreplied requests from 500 to 32 to consider a
++flood. At the very least this is an anomaly given the DNP3 spec mentions
++that DNP3 should only have one outstanding request at a time, with an
++exception for unsolicited responses, so in practice no more than 2
++should be seen.
++
++Additionally make this value configurable by introducing the max-tx
++parameter.
++
++Ticket: #8181
++(cherry picked from commit a16f087b93be1ff2f2edf47371866ad9b28593c1)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/635af8dc8be09667689be71d781912718ca1aa49.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8181
++Subject: Upstream fix for CVE-2026-22259 part 2
++---
++ doc/userguide/upgrade.rst | 10 ++++++++++
++ src/app-layer-dnp3.c | 29 +++++++++++++++++++----------
++ suricata.yaml.in | 1 +
++ 3 files changed, 30 insertions(+), 10 deletions(-)
++
++--- a/doc/userguide/upgrade.rst
+++++ b/doc/userguide/upgrade.rst
++@@ -34,6 +34,16 @@
++ this guide. Those features are either not enabled by default or require
++ dedicated new configuration.
++
+++Upgrading to 7.0.14 (trixie-security 1:7.0.10-1~bpo13u3)
+++-------------------
+++
+++Other Changes
+++~~~~~~~~~~~~~
+++- ``dnp3`` has reduced the default maximum number of outstanding
+++ transactions from 500 down to 32. A ``max-tx`` parameter has been
+++ added to the ``dnp3`` parser for users that need a larger number of
+++ in-flight transactions.
+++
++ Upgrading to 7.0.9
++ ------------------
++ - The AF_PACKET default block size for both TPACKET_V2 and TPACKET_V3
++--- a/src/app-layer-dnp3.c
+++++ b/src/app-layer-dnp3.c
++@@ -40,9 +40,6 @@
++ #include "app-layer-dnp3.h"
++ #include "app-layer-dnp3-objects.h"
++
++-/* Default number of unreplied requests to be considered a flood. */
++-#define DNP3_DEFAULT_REQ_FLOOD_COUNT 500
++-
++ #define DNP3_DEFAULT_PORT "20000"
++
++ /* Expected values for the start bytes. */
++@@ -93,6 +90,14 @@
++ /* Extract the range code from the object qualifier. */
++ #define DNP3_OBJ_RANGE(x) (x & 0xf)
++
+++/* Default number of unreplied requests to be considered a flood.
+++ *
+++ * DNP3 is a request/response SCADA protocol with typically only 1-2
+++ * transactions in flight. But set a limit high enough to allow for
+++ * some pipelining but reduce the chance of memory exhaustion
+++ * attacks. */
+++static uint64_t dnp3_max_tx = 32;
+++
++ /* Decoder event map. */
++ SCEnumCharMap dnp3_decoder_event_table[] = {
++ {"FLOODED", DNP3_DECODER_EVENT_FLOODED},
++@@ -514,7 +519,7 @@
++ TAILQ_INSERT_TAIL(&dnp3->tx_list, tx, next);
++
++ /* Check for flood state. */
++- if (dnp3->unreplied > DNP3_DEFAULT_REQ_FLOOD_COUNT) {
+++ if (dnp3->unreplied > dnp3_max_tx && !dnp3->flooded) {
++ DNP3SetEvent(dnp3, DNP3_DECODER_EVENT_FLOODED);
++ dnp3->flooded = 1;
++ }
++@@ -1384,7 +1389,7 @@
++ dnp3->unreplied--;
++
++ /* Check flood state. */
++- if (dnp3->flooded && dnp3->unreplied < DNP3_DEFAULT_REQ_FLOOD_COUNT) {
+++ if (dnp3->flooded && dnp3->unreplied < dnp3_max_tx) {
++ dnp3->flooded = 0;
++ }
++
++@@ -1430,8 +1435,7 @@
++ int retval = 0;
++
++ /* If flooded, "ack" old transactions. */
++- if (dnp3->flooded && (dnp3->transaction_max -
++- dnp3tx->tx_num >= DNP3_DEFAULT_REQ_FLOOD_COUNT)) {
+++ if (dnp3->flooded && (dnp3->transaction_max - dnp3tx->tx_num >= dnp3_max_tx)) {
++ SCLogDebug("flooded: returning tx as done.");
++ SCReturnInt(1);
++ }
++@@ -1604,8 +1608,13 @@
++ AppLayerParserRegisterTxDataFunc(IPPROTO_TCP, ALPROTO_DNP3,
++ DNP3GetTxData);
++ AppLayerParserRegisterStateDataFunc(IPPROTO_TCP, ALPROTO_DNP3, DNP3GetStateData);
++- }
++- else {
+++
+++ /* Parse max-tx configuration. */
+++ intmax_t value = 0;
+++ if (ConfGetInt("app-layer.protocols.dnp3.max-tx", &value)) {
+++ dnp3_max_tx = (uint64_t)value;
+++ }
+++ } else {
++ SCLogConfig("Parser disabled for protocol %s. "
++ "Protocol detection still on.", proto_name);
++ }
++@@ -2252,7 +2261,7 @@
++ FAIL_IF_NOT(tx->done);
++ FAIL_IF_NOT(DNP3GetAlstateProgress(tx, STREAM_TOSERVER));
++
++- for (int i = 0; i < DNP3_DEFAULT_REQ_FLOOD_COUNT - 1; i++) {
+++ for (uint64_t i = 0; i < dnp3_max_tx - 1; i++) {
++ SCMutexLock(&flow.m);
++ FAIL_IF(AppLayerParserParse(NULL, alp_tctx, &flow, ALPROTO_DNP3,
++ STREAM_TOSERVER, request, sizeof(request)));
++--- a/suricata.yaml.in
+++++ b/suricata.yaml.in
++@@ -1161,6 +1161,7 @@
++ enabled: no
++ detection-ports:
++ dp: 20000
+++ #max-tx: 32
++
++ # SCADA EtherNet/IP and CIP protocol support
++ enip:
--- /dev/null
--- /dev/null
++From fdd79bdb14488244604729f1d68ca4bc60000dbd Mon Sep 17 00:00:00 2001
++From: Jason Ish <jason.ish@oisf.net>
++Date: Wed, 7 Jan 2026 09:23:09 -0600
++Subject: [PATCH 3/4] dnp3: set a bound on the number of points per message
++
++16384 is used as the max, but a configuration parameter has been
++provided. The reason for setting an upper bound is that bit flags can
++create a memory amplification as we parse them into individual data
++structures.
++
++Ticket: #8181
++(cherry picked from commit 3a32bb5743c35afb3278a6448f7e9669512dbe92)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/fdd79bdb14488244604729f1d68ca4bc60000dbd.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8181
++Subject: Upstream fix for CVE-2026-22259 part 3
++---
++ doc/userguide/upgrade.rst | 9 +++++----
++ rules/dnp3-events.rules | 5 +++++
++ src/app-layer-dnp3.c | 33 ++++++++++++++++++++++++++-------
++ src/app-layer-dnp3.h | 1 +
++ suricata.yaml.in | 1 +
++ 5 files changed, 38 insertions(+), 11 deletions(-)
++
++--- a/doc/userguide/upgrade.rst
+++++ b/doc/userguide/upgrade.rst
++@@ -39,10 +39,11 @@
++
++ Other Changes
++ ~~~~~~~~~~~~~
++-- ``dnp3`` has reduced the default maximum number of outstanding
++- transactions from 500 down to 32. A ``max-tx`` parameter has been
++- added to the ``dnp3`` parser for users that need a larger number of
++- in-flight transactions.
+++- ``dnp3`` has reduced the maximum number of open transactions from
+++ 500 down to 32, and the maximum number of points per message from
+++ unbounded to 16384. Configuration options, ``max-tx`` and
+++ ``max-points`` have been added for users who may need to change
+++ these defaults.
++
++ Upgrading to 7.0.9
++ ------------------
++--- a/rules/dnp3-events.rules
+++++ b/rules/dnp3-events.rules
++@@ -24,3 +24,8 @@
++ # Unknown object.
++ alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object"; \
++ app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)
+++
+++# Too many points in a message.
+++alert dnp3 any any -> any any (msg:"SURICATA DNP3 Too many points in message"; \
+++ app-layer-event:dnp3.too_many_points; \
+++ classtype:protocol-command-decode; sid:2270005; rev:1;)
++--- a/src/app-layer-dnp3.c
+++++ b/src/app-layer-dnp3.c
++@@ -98,15 +98,19 @@
++ * attacks. */
++ static uint64_t dnp3_max_tx = 32;
++
+++/* The maximum number of points allowed per message (configurable). */
+++static uint64_t max_points = 16384;
+++
++ /* Decoder event map. */
++ SCEnumCharMap dnp3_decoder_event_table[] = {
++- {"FLOODED", DNP3_DECODER_EVENT_FLOODED},
++- {"LEN_TOO_SMALL", DNP3_DECODER_EVENT_LEN_TOO_SMALL},
++- {"BAD_LINK_CRC", DNP3_DECODER_EVENT_BAD_LINK_CRC},
++- {"BAD_TRANSPORT_CRC", DNP3_DECODER_EVENT_BAD_TRANSPORT_CRC},
++- {"MALFORMED", DNP3_DECODER_EVENT_MALFORMED},
++- {"UNKNOWN_OBJECT", DNP3_DECODER_EVENT_UNKNOWN_OBJECT},
++- {NULL, -1},
+++ { "FLOODED", DNP3_DECODER_EVENT_FLOODED },
+++ { "LEN_TOO_SMALL", DNP3_DECODER_EVENT_LEN_TOO_SMALL },
+++ { "BAD_LINK_CRC", DNP3_DECODER_EVENT_BAD_LINK_CRC },
+++ { "BAD_TRANSPORT_CRC", DNP3_DECODER_EVENT_BAD_TRANSPORT_CRC },
+++ { "MALFORMED", DNP3_DECODER_EVENT_MALFORMED },
+++ { "UNKNOWN_OBJECT", DNP3_DECODER_EVENT_UNKNOWN_OBJECT },
+++ { "TOO_MANY_POINTS", DNP3_DECODER_EVENT_TOO_MANY_POINTS },
+++ { NULL, -1 },
++ };
++
++ /* Calculate the next transport sequence number. */
++@@ -709,6 +713,7 @@
++ uint32_t len, DNP3ObjectList *objects)
++ {
++ int retval = 0;
+++ uint64_t point_count = 0;
++
++ if (buf == NULL || len == 0) {
++ return 1;
++@@ -839,6 +844,13 @@
++ goto next;
++ }
++
+++ /* Check if we've exceeded the maximum number of points per message. */
+++ point_count += object->count;
+++ if (point_count > max_points) {
+++ DNP3SetEventTx(tx, DNP3_DECODER_EVENT_TOO_MANY_POINTS);
+++ goto done;
+++ }
+++
++ int event = DNP3DecodeObject(header->group, header->variation, &buf,
++ &len, object->prefix_code, object->start, object->count,
++ object->points);
++@@ -1614,6 +1626,13 @@
++ if (ConfGetInt("app-layer.protocols.dnp3.max-tx", &value)) {
++ dnp3_max_tx = (uint64_t)value;
++ }
+++
+++ /* Parse max-points configuration. */
+++ if (ConfGetInt("app-layer.protocols.dnp3.max-points", &value)) {
+++ if (value > 0) {
+++ max_points = (uint64_t)value;
+++ }
+++ }
++ } else {
++ SCLogConfig("Parser disabled for protocol %s. "
++ "Protocol detection still on.", proto_name);
++--- a/src/app-layer-dnp3.h
+++++ b/src/app-layer-dnp3.h
++@@ -109,6 +109,7 @@
++ DNP3_DECODER_EVENT_BAD_TRANSPORT_CRC,
++ DNP3_DECODER_EVENT_MALFORMED,
++ DNP3_DECODER_EVENT_UNKNOWN_OBJECT,
+++ DNP3_DECODER_EVENT_TOO_MANY_POINTS,
++ };
++
++ /**
++--- a/suricata.yaml.in
+++++ b/suricata.yaml.in
++@@ -1162,6 +1162,7 @@
++ detection-ports:
++ dp: 20000
++ #max-tx: 32
+++ #max-points: 16384
++
++ # SCADA EtherNet/IP and CIP protocol support
++ enip:
--- /dev/null
--- /dev/null
++From a6d950315d9b6c1e35c10c24d9bb7128d422c21f Mon Sep 17 00:00:00 2001
++From: Jason Ish <jason.ish@oisf.net>
++Date: Tue, 6 Jan 2026 17:14:21 -0600
++Subject: [PATCH 4/4] dnp3: bound the maximum number of objects per tx
++
++Default to 2048, but provide a user configuration value.
++
++Ticket: #8181
++(cherry picked from commit 2c95f1ff44e17c3bc8693d5e23e175f2bc90ea10)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/a6d950315d9b6c1e35c10c24d9bb7128d422c21f.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8181
++Subject: Upstream fix for CVE-2026-22259 part 4
++---
++ doc/userguide/upgrade.rst | 9 +++++----
++ rules/dnp3-events.rules | 5 +++++
++ src/app-layer-dnp3.c | 18 ++++++++++++++++++
++ src/app-layer-dnp3.h | 1 +
++ suricata.yaml.in | 1 +
++ 5 files changed, 30 insertions(+), 4 deletions(-)
++
++--- a/doc/userguide/upgrade.rst
+++++ b/doc/userguide/upgrade.rst
++@@ -40,10 +40,11 @@
++ Other Changes
++ ~~~~~~~~~~~~~
++ - ``dnp3`` has reduced the maximum number of open transactions from
++- 500 down to 32, and the maximum number of points per message from
++- unbounded to 16384. Configuration options, ``max-tx`` and
++- ``max-points`` have been added for users who may need to change
++- these defaults.
+++ 500 down to 32, the maximum number of points per message from
+++ unbounded to 16384, and the maximum number of objects per message
+++ from unbounded to 2048. Configuration options, ``max-tx``,
+++ ``max-points``, and ``max-objects`` have been added for users who
+++ may need to change these defaults.
++
++ Upgrading to 7.0.9
++ ------------------
++--- a/rules/dnp3-events.rules
+++++ b/rules/dnp3-events.rules
++@@ -29,3 +29,8 @@
++ alert dnp3 any any -> any any (msg:"SURICATA DNP3 Too many points in message"; \
++ app-layer-event:dnp3.too_many_points; \
++ classtype:protocol-command-decode; sid:2270005; rev:1;)
+++
+++# Too many objects.
+++alert dnp3 any any -> any any (msg:"SURICATA DNP3 Too many objects"; \
+++ app-layer-event:dnp3.too_many_objects; \
+++ classtype:protocol-command-decode; sid:2270006; rev:1;)
++--- a/src/app-layer-dnp3.c
+++++ b/src/app-layer-dnp3.c
++@@ -101,6 +101,9 @@
++ /* The maximum number of points allowed per message (configurable). */
++ static uint64_t max_points = 16384;
++
+++/* The maximum number of objects allowed per message (configurable). */
+++static uint64_t dnp3_max_objects = 2048;
+++
++ /* Decoder event map. */
++ SCEnumCharMap dnp3_decoder_event_table[] = {
++ { "FLOODED", DNP3_DECODER_EVENT_FLOODED },
++@@ -110,6 +113,7 @@
++ { "MALFORMED", DNP3_DECODER_EVENT_MALFORMED },
++ { "UNKNOWN_OBJECT", DNP3_DECODER_EVENT_UNKNOWN_OBJECT },
++ { "TOO_MANY_POINTS", DNP3_DECODER_EVENT_TOO_MANY_POINTS },
+++ { "TOO_MANY_OBJECTS", DNP3_DECODER_EVENT_TOO_MANY_OBJECTS },
++ { NULL, -1 },
++ };
++
++@@ -714,6 +718,7 @@
++ {
++ int retval = 0;
++ uint64_t point_count = 0;
+++ uint64_t object_count = 0;
++
++ if (buf == NULL || len == 0) {
++ return 1;
++@@ -728,6 +733,12 @@
++ DNP3ObjHeader *header = (DNP3ObjHeader *)buf;
++ offset += sizeof(DNP3ObjHeader);
++
+++ /* Check if we've exceeded the maximum number of objects. */
+++ if (++object_count > dnp3_max_objects) {
+++ DNP3SetEventTx(tx, DNP3_DECODER_EVENT_TOO_MANY_OBJECTS);
+++ goto done;
+++ }
+++
++ DNP3Object *object = DNP3ObjectAlloc();
++ if (unlikely(object == NULL)) {
++ goto done;
++@@ -1633,6 +1644,13 @@
++ max_points = (uint64_t)value;
++ }
++ }
+++
+++ /* Parse max-objects configuration. */
+++ if (ConfGetInt("app-layer.protocols.dnp3.max-objects", &value)) {
+++ if (value > 0) {
+++ dnp3_max_objects = (uint64_t)value;
+++ }
+++ }
++ } else {
++ SCLogConfig("Parser disabled for protocol %s. "
++ "Protocol detection still on.", proto_name);
++--- a/src/app-layer-dnp3.h
+++++ b/src/app-layer-dnp3.h
++@@ -110,6 +110,7 @@
++ DNP3_DECODER_EVENT_MALFORMED,
++ DNP3_DECODER_EVENT_UNKNOWN_OBJECT,
++ DNP3_DECODER_EVENT_TOO_MANY_POINTS,
+++ DNP3_DECODER_EVENT_TOO_MANY_OBJECTS,
++ };
++
++ /**
++--- a/suricata.yaml.in
+++++ b/suricata.yaml.in
++@@ -1163,6 +1163,7 @@
++ dp: 20000
++ #max-tx: 32
++ #max-points: 16384
+++ #max-objects: 2048
++
++ # SCADA EtherNet/IP and CIP protocol support
++ enip:
--- /dev/null
--- /dev/null
++From 44d0c81f537f230e9215c769453fb4d7214217a1 Mon Sep 17 00:00:00 2001
++From: Philippe Antoine <pantoine@oisf.net>
++Date: Tue, 9 Dec 2025 09:21:58 +0100
++Subject: [PATCH 1/2] output: optimize loop for finding alert http xff
++
++Ticket: 8156
++
++In case of non-tx alerts, we try to loop over all the txs to find
++the xff header. Do not start from tx_id 0, but from min_id
++as AppLayerParserTransactionsCleanup to skip txs that were freed
++
++(cherry picked from commit 3b1a6c1711b8f7d0bde4cb05f15cf50c751eda60)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/44d0c81f537f230e9215c769453fb4d7214217a1.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8156
++Subject: Upstream fix for CVE-2026-22261 part 1
++---
++ src/app-layer-htp-xff.c | 2 +-
++ src/app-layer-parser.c | 7 +++++++
++ src/app-layer-parser.h | 1 +
++ 3 files changed, 9 insertions(+), 1 deletion(-)
++
++diff --git a/src/app-layer-htp-xff.c b/src/app-layer-htp-xff.c
++index c145e5818..6eae5b1b3 100644
++--- a/src/app-layer-htp-xff.c
+++++ b/src/app-layer-htp-xff.c
++@@ -180,7 +180,7 @@ int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg,
++ int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
++ {
++ HtpState *htp_state = NULL;
++- uint64_t tx_id = 0;
+++ uint64_t tx_id = AppLayerParserGetMinId(f->alparser);
++ uint64_t total_txs = 0;
++
++ htp_state = (HtpState *)FlowGetAppState(f);
++diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
++index 627bf929a..2b8a59a14 100644
++--- a/src/app-layer-parser.c
+++++ b/src/app-layer-parser.c
++@@ -721,6 +721,13 @@ uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
++ SCReturnCT((pstate == NULL) ? 0 : pstate->log_id, "uint64_t");
++ }
++
+++uint64_t AppLayerParserGetMinId(AppLayerParserState *pstate)
+++{
+++ SCEnter();
+++
+++ SCReturnCT((pstate == NULL) ? 0 : pstate->min_id, "uint64_t");
+++}
+++
++ void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
++ {
++ SCEnter();
++diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h
++index 77e8c813f..dad0b613c 100644
++--- a/src/app-layer-parser.h
+++++ b/src/app-layer-parser.h
++@@ -230,6 +230,7 @@ void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto a
++
++
++ uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate);
+++uint64_t AppLayerParserGetMinId(AppLayerParserState *pstate);
++ void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id);
++
++ uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction);
++--
++2.47.3
++
--- /dev/null
--- /dev/null
++From 7e704a3f50690b5f5d5cc573147ef41449fe37ac Mon Sep 17 00:00:00 2001
++From: Philippe Antoine <pantoine@oisf.net>
++Date: Tue, 9 Dec 2025 09:38:31 +0100
++Subject: [PATCH 2/2] output: use tx iterator for finding alert http xff
++
++Ticket: 8156
++
++Allows better performance.
++
++(cherry picked from commit ab2e128176744ead5130707bb53fa59038e19634)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/7e704a3f50690b5f5d5cc573147ef41449fe37ac.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8156
++Subject: Upstream fix for CVE-2026-22261 part 2
++---
++ src/app-layer-htp-xff.c | 77 +++++++++++++++++++++++++----------------
++ 1 file changed, 47 insertions(+), 30 deletions(-)
++
++diff --git a/src/app-layer-htp-xff.c b/src/app-layer-htp-xff.c
++index 6eae5b1b3..2e5c25cdb 100644
++--- a/src/app-layer-htp-xff.c
+++++ b/src/app-layer-htp-xff.c
++@@ -107,38 +107,12 @@ static int ParseXFFString(char *input, char *output, int output_size)
++ return 0;
++ }
++
++-/**
++- * \brief Function to return XFF IP if any in the selected transaction. The
++- * caller needs to lock the flow.
++- * \retval 1 if the IP has been found and returned in dstbuf
++- * \retval 0 if the IP has not being found or error
++- */
++-int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg,
++- char *dstbuf, int dstbuflen)
+++static int HttpXFFGetIPFromTxAux(
+++ const Flow *f, htp_tx_t *tx, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
++ {
++ uint8_t xff_chain[XFF_CHAIN_MAXLEN];
++- HtpState *htp_state = NULL;
++- htp_tx_t *tx = NULL;
++- uint64_t total_txs = 0;
++ uint8_t *p_xff = NULL;
++
++- htp_state = (HtpState *)FlowGetAppState(f);
++-
++- if (htp_state == NULL) {
++- SCLogDebug("no http state, XFF IP cannot be retrieved");
++- return 0;
++- }
++-
++- total_txs = AppLayerParserGetTxCnt(f, htp_state);
++- if (tx_id >= total_txs)
++- return 0;
++-
++- tx = AppLayerParserGetTx(f->proto, ALPROTO_HTTP1, htp_state, tx_id);
++- if (tx == NULL) {
++- SCLogDebug("tx is NULL, XFF cannot be retrieved");
++- return 0;
++- }
++-
++ htp_header_t *h_xff = NULL;
++ if (tx->request_headers != NULL) {
++ h_xff = htp_table_get_c(tx->request_headers, xff_cfg->header);
++@@ -172,6 +146,38 @@ int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg,
++ return 0;
++ }
++
+++/**
+++ * \brief Function to return XFF IP if any in the selected transaction. The
+++ * caller needs to lock the flow.
+++ * \retval 1 if the IP has been found and returned in dstbuf
+++ * \retval 0 if the IP has not being found or error
+++ */
+++int HttpXFFGetIPFromTx(
+++ const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
+++{
+++ HtpState *htp_state = NULL;
+++ uint64_t total_txs = 0;
+++ htp_tx_t *tx = NULL;
+++
+++ htp_state = (HtpState *)FlowGetAppState(f);
+++
+++ if (htp_state == NULL) {
+++ SCLogDebug("no http state, XFF IP cannot be retrieved");
+++ return 0;
+++ }
+++
+++ total_txs = AppLayerParserGetTxCnt(f, htp_state);
+++ if (tx_id >= total_txs)
+++ return 0;
+++
+++ tx = AppLayerParserGetTx(f->proto, ALPROTO_HTTP1, htp_state, tx_id);
+++ if (tx == NULL) {
+++ SCLogDebug("tx is NULL, XFF cannot be retrieved");
+++ return 0;
+++ }
+++ return HttpXFFGetIPFromTxAux(f, tx, xff_cfg, dstbuf, dstbuflen);
+++}
+++
++ /**
++ * \brief Function to return XFF IP if any. The caller needs to lock the flow.
++ * \retval 1 if the IP has been found and returned in dstbuf
++@@ -190,9 +196,20 @@ int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen
++ }
++
++ total_txs = AppLayerParserGetTxCnt(f, htp_state);
++- for (; tx_id < total_txs; tx_id++) {
++- if (HttpXFFGetIPFromTx(f, tx_id, xff_cfg, dstbuf, dstbuflen) == 1)
+++ AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(f->proto, f->alproto);
+++ AppLayerGetTxIterState state;
+++ memset(&state, 0, sizeof(state));
+++
+++ while (1) {
+++ AppLayerGetTxIterTuple ires =
+++ IterFunc(f->proto, f->alproto, f->alstate, tx_id, total_txs, &state);
+++ if (ires.tx_ptr == NULL)
+++ break;
+++
+++ if (HttpXFFGetIPFromTxAux(f, ires.tx_ptr, xff_cfg, dstbuf, dstbuflen) == 1)
++ return 1;
+++
+++ tx_id = ires.tx_id + 1;
++ }
++
++ end:
++--
++2.47.3
++
--- /dev/null
--- /dev/null
++From 32609e6896f9079c175665a94005417cec7637eb Mon Sep 17 00:00:00 2001
++From: Philippe Antoine <pantoine@oisf.net>
++Date: Mon, 17 Nov 2025 13:27:54 +0100
++Subject: [PATCH 1/2] datasets: explicitly errors on too long string
++
++Also avoids stack allocation
++
++Ticket: 8110
++(cherry picked from commit 0eff24213763c2aa2bb0957901d5dc1e18414dbf)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8110
++Subject: Upstream fix for CVE-2026-22262 part 1
++---
++ src/datasets-string.c | 9 +++++----
++ 1 file changed, 5 insertions(+), 4 deletions(-)
++
++diff --git a/src/datasets-string.c b/src/datasets-string.c
++index 0a8f499ae..524a60ad9 100644
++--- a/src/datasets-string.c
+++++ b/src/datasets-string.c
++@@ -49,12 +49,13 @@ int StringAsBase64(const void *s, char *out, size_t out_size)
++ const StringType *str = s;
++
++ unsigned long len = Base64EncodeBufferSize(str->len);
++- uint8_t encoded_data[len];
++- if (Base64Encode((unsigned char *)str->ptr, str->len,
++- encoded_data, &len) != SC_BASE64_OK)
+++ if (len + 2 > out_size) {
+++ // linefeed and final zero
+++ return 0;
+++ }
+++ if (Base64Encode((unsigned char *)str->ptr, str->len, (uint8_t *)out, &len) != SC_BASE64_OK)
++ return 0;
++
++- strlcpy(out, (const char *)encoded_data, out_size);
++ strlcat(out, "\n", out_size);
++ return strlen(out);
++ }
++--
++2.47.3
++
--- /dev/null
--- /dev/null
++From 27a2180bceaa3477419c78c54fce364398d011f1 Mon Sep 17 00:00:00 2001
++From: Philippe Antoine <pantoine@oisf.net>
++Date: Tue, 25 Nov 2025 14:43:18 +0100
++Subject: [PATCH 2/2] datasets: allocates on the heap if string base64 is long
++
++Ticket: 8110
++(cherry picked from commit d6bc718e303ecbec5999066b8bc88eeeca743658)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8110
++Subject: Upstream fix for CVE-2026-22262 part 2
++---
++ src/datasets-string.c | 4 ++--
++ src/util-thash.c | 21 ++++++++++++++++++++-
++ 2 files changed, 22 insertions(+), 3 deletions(-)
++
++diff --git a/src/datasets-string.c b/src/datasets-string.c
++index 524a60ad9..53a179a10 100644
++--- a/src/datasets-string.c
+++++ b/src/datasets-string.c
++@@ -50,8 +50,8 @@ int StringAsBase64(const void *s, char *out, size_t out_size)
++
++ unsigned long len = Base64EncodeBufferSize(str->len);
++ if (len + 2 > out_size) {
++- // linefeed and final zero
++- return 0;
+++ // linefeed and final zero : signal we need more space
+++ return len + 2;
++ }
++ if (Base64Encode((unsigned char *)str->ptr, str->len, (uint8_t *)out, &len) != SC_BASE64_OK)
++ return 0;
++diff --git a/src/util-thash.c b/src/util-thash.c
++index 548637916..c6df02cf3 100644
++--- a/src/util-thash.c
+++++ b/src/util-thash.c
++@@ -390,7 +390,26 @@ int THashWalk(THashTableContext *ctx, THashFormatFunc FormatterFunc, THashOutput
++ char output_string[1024] = "";
++ int size = FormatterFunc(h->data, output_string, sizeof(output_string));
++ if (size > 0) {
++- if (OutputterFunc(output_ctx, (const uint8_t *)output_string, size) < 0) {
+++ if (size > 1024) {
+++ // we did not provide enough space on the stack, let's allocate on the heap
+++ char *out_alloc = SCCalloc(1, size);
+++ if (out_alloc == NULL) {
+++ err = true;
+++ break;
+++ }
+++ size = FormatterFunc(h->data, out_alloc, size);
+++ if (size == 0) {
+++ err = true;
+++ SCFree(out_alloc);
+++ break;
+++ }
+++ if (OutputterFunc(output_ctx, (const uint8_t *)out_alloc, size) < 0) {
+++ err = true;
+++ SCFree(out_alloc);
+++ break;
+++ }
+++ SCFree(out_alloc);
+++ } else if (OutputterFunc(output_ctx, (const uint8_t *)output_string, size) < 0) {
++ err = true;
++ break;
++ }
++--
++2.47.3
++
--- /dev/null
--- /dev/null
++From 5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2 Mon Sep 17 00:00:00 2001
++From: Shivani Bhardwaj <shivani@oisf.net>
++Date: Mon, 5 Jan 2026 19:27:11 +0530
++Subject: [PATCH] detect/alert: check alert queue capacity before expanding
++
++So far, the alert queue was expanded by doubling in size w/o any
++boundary checks in place. This led to situations where doubling
++the alert_queue_capacity meant overflow of the very same value
++stored in det_ctx.
++This led to heap-use-after-free in some conditions where
++det_ctx->alert_queue_capacity overflowed.
++
++Fix this by capping the max of alert_queue_capacity by checking if its
++expansion could result in an overflow.
++
++Security 8190
++
++(cherry picked from commit ac1eb394181530430fb7262969f423a1bf8f209b)
++
++Origin: upstream, https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2.patch
++Bug: https://redmine.openinfosecfoundation.org/issues/8190
++Subject: Upstream fix for CVE-2026-22264
++---
++ src/detect-engine-alert.c | 35 +++++++++++++++++++++++++----------
++ 1 file changed, 25 insertions(+), 10 deletions(-)
++
++diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
++index f3e49586e..0cce98196 100644
++--- a/src/detect-engine-alert.c
+++++ b/src/detect-engine-alert.c
++@@ -238,6 +238,22 @@ void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
++ det_ctx->alert_queue_capacity = 0;
++ }
++
+++static inline uint16_t AlertQueueExpandDo(DetectEngineThreadCtx *det_ctx, uint16_t new_cap)
+++{
+++ DEBUG_VALIDATE_BUG_ON(det_ctx->alert_queue_capacity >= new_cap);
+++
+++ void *tmp_queue = SCRealloc(det_ctx->alert_queue, new_cap * sizeof(PacketAlert));
+++ if (unlikely(tmp_queue == NULL)) {
+++ /* queue capacity didn't change */
+++ return det_ctx->alert_queue_capacity;
+++ }
+++ det_ctx->alert_queue = tmp_queue;
+++ det_ctx->alert_queue_capacity = new_cap;
+++ SCLogDebug("Alert queue size expanded: %u elements, bytes: %" PRIuMAX "",
+++ det_ctx->alert_queue_capacity, (uintmax_t)(new_cap * sizeof(PacketAlert)));
+++ return new_cap;
+++}
+++
++ /** \internal
++ * \retval the new capacity
++ */
++@@ -247,18 +263,17 @@ static uint16_t AlertQueueExpand(DetectEngineThreadCtx *det_ctx)
++ if (unlikely(g_eps_is_alert_queue_fail_mode))
++ return det_ctx->alert_queue_capacity;
++ #endif
++- uint16_t new_cap = det_ctx->alert_queue_capacity * 2;
++- void *tmp_queue = SCRealloc(det_ctx->alert_queue, (size_t)(sizeof(PacketAlert) * new_cap));
++- if (unlikely(tmp_queue == NULL)) {
++- /* queue capacity didn't change */
+++ if (det_ctx->alert_queue_capacity == UINT16_MAX) {
++ return det_ctx->alert_queue_capacity;
++ }
++- det_ctx->alert_queue = tmp_queue;
++- det_ctx->alert_queue_capacity = new_cap;
++- SCLogDebug("Alert queue size doubled: %u elements, bytes: %" PRIuMAX "",
++- det_ctx->alert_queue_capacity,
++- (uintmax_t)(sizeof(PacketAlert) * det_ctx->alert_queue_capacity));
++- return new_cap;
+++
+++ uint16_t new_cap;
+++ if (det_ctx->alert_queue_capacity > (UINT16_MAX / 2)) {
+++ new_cap = UINT16_MAX;
+++ } else {
+++ new_cap = det_ctx->alert_queue_capacity * 2;
+++ }
+++ return AlertQueueExpandDo(det_ctx, new_cap);
++ }
++
++ /** \internal
++--
++2.47.3
++
--- /dev/null
--- /dev/null
++From 6f7636cfc6dffb387afe21f4f3bff119f8d8e033 Mon Sep 17 00:00:00 2001
++From: Eric Leblond <eric@regit.org>
++Date: Thu, 31 Oct 2019 13:29:56 +0100
++Subject: [PATCH] ebpf: avoid to include if_tunnel.h
++
++This is causing a dependency issue as file from another architecture
++have to be installed.
++---
++ ebpf/xdp_lb.c | 7 ++++++-
++ 1 file changed, 6 insertions(+), 1 deletion(-)
++
++--- a/ebpf/xdp_lb.c
+++++ b/ebpf/xdp_lb.c
++@@ -26,7 +26,6 @@
++ /* Workaround to avoid the need of 32bit headers */
++ #define _LINUX_IF_H
++ #define IFNAMSIZ 16
++-#include <linux/if_tunnel.h>
++ #include <linux/ip.h>
++ #include <linux/ipv6.h>
++ #include <linux/tcp.h>
++@@ -35,6 +34,12 @@
++
++ #include "hash_func01.h"
++
+++#define GRE_CSUM __cpu_to_be16(0x8000)
+++#define GRE_ROUTING __cpu_to_be16(0x4000)
+++#define GRE_KEY __cpu_to_be16(0x2000)
+++#define GRE_SEQ __cpu_to_be16(0x1000)
+++#define GRE_VERSION __cpu_to_be16(0x0007)
+++
++ #define LINUX_VERSION_CODE 263682
++
++ /* Hashing initval */
--- /dev/null
--- /dev/null
++From: Hilko Bengen <bengen@debian.org>
++Date: Tue, 22 Jan 2019 18:10:47 +0100
++Subject: configure: Introduce CLANG variable
++
++---
++ configure.ac | 9 +++++++++
++ 1 file changed, 9 insertions(+)
++
++--- a/configure.ac
+++++ b/configure.ac
++@@ -38,6 +38,15 @@
++
++ AC_SUBST([CLANG])
++
+++ AC_ARG_WITH([clang],
+++ [CLANG compiler],
+++ [CLANG="$withval"],
+++ [AS_IF([test "$compiler" = clang],
+++ [CLANG="$CC"],
+++ [AC_PATH_PROG([CLANG],[clang])])])
+++
+++ AC_SUBST([CLANG])
+++
++ case "$compiler" in
++ clang)
++ CLANG_CFLAGS="-Wextra -Werror-implicit-function-declaration -Wno-error=unused-command-line-argument"
--- /dev/null
--- /dev/null
++--- a/configure.ac
+++++ b/configure.ac
++@@ -77,8 +77,8 @@
++ AC_PATH_PROG(HAVE_CYGPATH, cygpath, "no")
++ AM_CONDITIONAL([HAVE_CYGPATH], [test "x$HAVE_CYGPATH" != "xno"])
++
++- AC_PATH_PROG(HAVE_PKG_CONFIG, pkg-config, "no")
++- if test "$HAVE_PKG_CONFIG" = "no"; then
+++ PKG_PROG_PKG_CONFIG
+++ if test "x$PKG_CONFIG" = "x"; then
++ echo
++ echo " ERROR! pkg-config not found, go get it "
++ echo " http://pkg-config.freedesktop.org/wiki/ "
--- /dev/null
--- /dev/null
++From: Arturo Borrero Gonzalez <arturo@debian.org>
++Subject: Debian default configuration
++ This patch sets Debian defaults for suricata configuration.
++ .
++ Currently, it sets a proper path for suricata unix socket.
++Forwarded: not-needed
++Last-Update: 2016-12-01
++
++--- a/suricata.yaml.in
+++++ b/suricata.yaml.in
++@@ -1302,8 +1302,8 @@
++ # activated in live capture mode. You can use the filename variable to set
++ # the file name of the socket.
++ unix-command:
++- enabled: auto
++- #filename: custom.socket
+++ enabled: yes
+++ filename: @e_localstatedir@suricata-command.socket
++
++ # Magic file. The extension .mgc is added to the value here.
++ #magic-file: /usr/share/file/magic
++--- a/src/unix-manager.c
+++++ b/src/unix-manager.c
++@@ -57,7 +57,7 @@
++ # endif
++ #endif
++
++-#define SOCKET_PATH LOCAL_STATE_DIR "/run/suricata/"
+++#define SOCKET_PATH LOCAL_STATE_DIR "/"
++ #define SOCKET_FILENAME "suricata-command.socket"
++ #define SOCKET_TARGET SOCKET_PATH SOCKET_FILENAME
++
++--- a/configure.ac
+++++ b/configure.ac
++@@ -2603,7 +2603,7 @@
++ EXPAND_VARIABLE(localstatedir, e_logfilesdir, "/log/suricata/files")
++ EXPAND_VARIABLE(localstatedir, e_logcertsdir, "/log/suricata/certs")
++ EXPAND_VARIABLE(sysconfdir, e_sysconfdir, "/suricata/")
++- EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/suricata")
+++ EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/")
++ EXPAND_VARIABLE(datadir, e_datarulesdir, "/suricata/rules")
++ EXPAND_VARIABLE(localstatedir, e_datadir, "/lib/suricata/data")
++ EXPAND_VARIABLE(localstatedir, e_defaultruledir, "/lib/suricata/rules")
--- /dev/null
--- /dev/null
++Description: do not clean vendor directory on distclean
++ dh_auto_clean calls make distclean, which in the case of Suricata also
++ removes the vendor directory. This breaks repeated builds.
++Author: Sascha Steinbiss <satta@debian.org>
++Last-Update: 2018-12-26
++--- a/rust/Makefile.am
+++++ b/rust/Makefile.am
++@@ -77,7 +77,7 @@
++ rm -f Cargo.lock
++
++ maintainer-clean-local:
++- rm -rf vendor gen
+++ rm -rf gen
++
++ check:
++ CARGO_HOME="$(CARGO_HOME)" @rustup_home@ \
--- /dev/null
--- /dev/null
++From: Eric Leblond <eric@regit.org>
++Date: Wed, 17 Jul 2019 12:35:12 +0200
++Subject: [PATCH] af-packet: fix build on recent Linux kernels
++--- a/src/source-af-packet.c
+++++ b/src/source-af-packet.c
++@@ -72,6 +72,10 @@
++ #include <linux/sockios.h>
++ #endif
++
+++#if HAVE_LINUX_SOCKIOS_H
+++#include <linux/sockios.h>
+++#endif
+++
++ #ifdef HAVE_PACKET_EBPF
++ #include <bpf/libbpf.h>
++ #include <bpf/bpf.h>
--- /dev/null
--- /dev/null
++--- a/configure.ac
+++++ b/configure.ac
++@@ -478,11 +478,12 @@
++ [
++ AS_IF([test "$CLANG" != no],
++ [
++- llc_candidates=$($CLANG --version | sed -e 's/.*clang version/clang version/' | \
++- awk '/^clang version/ {
++- split($3, v, ".");
++- printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]])
++- }')
+++ #llc_candidates=$($CLANG --version | sed -e 's/.*clang version/clang version/' | \
+++ # awk '/^clang version/ {
+++ # split($3, v, ".");
+++ # printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]])
+++ # }')
+++ llc_candidates=llc
++ AC_CHECK_PROGS([LLC], [$llc_candidates], "no")
++ if test "$LLC" = "no"; then
++ AC_MSG_ERROR([unable to find any of $llc_candidates needed to build ebpf files])
--- /dev/null
--- /dev/null
++Description: Don't use __USE_GNU
++ __USE_GNU is a glibc-internal symbol.
++ AC_USE_SYSTEM_EXTENSIONS is the proper autoconf
++ way to enable extensions.
++Author: Adrian Bunk <bunk@debian.org>
++
++--- a/configure.ac
+++++ b/configure.ac
++@@ -6,6 +6,7 @@
++ AM_INIT_AUTOMAKE([tar-ustar subdir-objects])
++
++ AC_LANG([C])
+++ AC_USE_SYSTEM_EXTENSIONS
++ LT_INIT
++ PKG_PROG_PKG_CONFIG
++
++--- a/src/suricata-common.h
+++++ b/src/suricata-common.h
++@@ -33,9 +33,6 @@
++ #define TRUE 1
++ #define FALSE 0
++
++-#define _GNU_SOURCE
++-#define __USE_GNU
++-
++ #if defined(__clang_analyzer__)
++ /* clang analyzer acts as DEBUG_VALIDATION in some places, so
++ * force this so #ifdef DEBUG_VALIDATION code gets included */
--- /dev/null
--- /dev/null
++From: Arturo Borrero Gonzalez <arturo@debian.org>
++Subject: Patch to make the suricata build reproducible
++ This patch makes some changes to the suricata build to make it reproducible
++ .
++ Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds
++ the build path.
++Forwarded: not-needed
++Last-Update: 2016-09-05
++
++--- a/configure.ac
+++++ b/configure.ac
++@@ -2738,7 +2738,8 @@
++ echo
++ echo "$SURICATA_BUILD_CONF"
++ echo "printf(" >src/build-info.h
++-echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' >>src/build-info.h
+++echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' \
+++ | sed 's/-fdebug-prefix-map=.*=. //' >>src/build-info.h
++ echo ");" >>src/build-info.h
++
++ echo "
--- /dev/null
--- /dev/null
++reproducible.patch
++debian-default-cfg.patch
++cross.patch
++no-use-gnu.patch
++fix-repeated-builds.patch
++configure-clang-variable.patch
++with-ebpf-includes.patch
++import-sockio-h.patch
++avoid-to-include-if_tunnel-h.patch
++llc.patch
++CVE-2025-53538.patch
++CVE-2025-59147.patch
++CVE-2025-64344.patch
++CVE-2025-64333.patch
++CVE-2025-64332.patch
++CVE-2025-64331.patch
++CVE-2025-64330.patch
++CVE-2026-22258_1.patch
++CVE-2026-22258_2.patch
++CVE-2026-22258_3.patch
++CVE-2026-22262_1.patch
++CVE-2026-22262_2.patch
++CVE-2026-22264.patch
++CVE-2026-22259_1.patch
++CVE-2026-22259_2.patch
++CVE-2026-22259_3.patch
++CVE-2026-22259_4.patch
++CVE-2026-22261_1.patch
++CVE-2026-22261_2.patch
--- /dev/null
--- /dev/null
++From: Hilko Bengen <bengen@debian.org>
++Date: Tue, 23 Jul 2019 14:43:21 +0200
++Subject: Add --with-ebpf-includes parameter
++
++---
++ configure.ac | 4 ++++
++ ebpf/Makefile.am | 3 +--
++ 2 files changed, 5 insertions(+), 2 deletions(-)
++
++--- a/configure.ac
+++++ b/configure.ac
++@@ -490,6 +490,10 @@
++ AC_SUBST(LLC)
++ ],
++ [AC_MSG_ERROR([clang needed to build ebpf files])])
+++ AC_ARG_WITH(ebpf_includes,
+++ [ --with-ebpf-includes=DIR include directory for building eBPF programs],
+++ [AC_SUBST([ebpf_includes],["$withval"])],
+++ [AC_SUBST([ebpf_includes],["/usr/include/${build_alias}"])])
++ ])
++
++ # enable debug output
++--- a/ebpf/Makefile.am
+++++ b/ebpf/Makefile.am
++@@ -4,7 +4,7 @@
++ if BUILD_EBPF
++
++ # Maintaining a local copy of UAPI linux/bpf.h
++-BPF_CFLAGS = -Iinclude
+++BPF_CFLAGS = -Iinclude -I$(ebpf_includes)
++
++ BPF_TARGETS = lb.bpf
++ BPF_TARGETS += filter.bpf
++@@ -19,7 +19,6 @@
++ $(BPF_TARGETS): %.bpf: %.c
++ # From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm)
++ ${CLANG} -Wall $(BPF_CFLAGS) -O2 \
++- -I/usr/include/$(build_cpu)-$(build_os)/ \
++ -D__KERNEL__ -D__ASM_SYSREG_H \
++ -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll}
++ # From LLVM-IR to BPF-bytecode in ELF-obj file
--- /dev/null
--- /dev/null
++#!/usr/bin/make -f
++
++# verbose mode
++export DH_VERBOSE=1
++
++SURICATA_DESTDIR = $(CURDIR)/debian/tmp
++export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow
++export CARGO_HOME = $(CURDIR)/debian/cargohome
++
++include /usr/share/dpkg/architecture.mk
++
++# workaround for linking issue on some archs
++export DEB_LDFLAGS_MAINT_APPEND = -Wl,--allow-multiple-definition
++EXTRA_ATOMIC_ARCHS = armel mipsel powerpc
++ifneq (,$(findstring $(DEB_HOST_ARCH),$(EXTRA_ATOMIC_ARCHS)))
++ DEB_LDFLAGS_MAINT_APPEND += -Wl,--no-as-needed -Wl,-latomic -Wl,--as-needed
++ export DEB_LDFLAGS_MAINT_APPEND
++endif
++
++LUAJIT_ARCHS = i386 amd64 powerpc mips mipsel armel armhf
++HYPERSCAN_ARCHS = i386 amd64 hurd-i386 kfreebsd-amd64 x32
++EBPF_ARCHS = amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32
++DPDK_ARCHS = amd64x arm64x riscv64x ppc64elx
++
++LIBHTP_PKG_VERSION=$(shell dpkg-query -W -f '$${Version}' libhtp2)
++
++ifneq (,$(findstring $(DEB_HOST_ARCH),$(LUAJIT_ARCHS)))
++ ENABLE_LUAJIT="--enable-luajit"
++endif
++
++ifneq (,$(findstring $(DEB_HOST_ARCH),$(HYPERSCAN_ARCHS)))
++ ENABLE_HYPERSCAN="--enable-libhs"
++endif
++
++ifneq (,$(findstring $(DEB_HOST_ARCH)x,$(DPDK_ARCHS)))
++ ENABLE_DPDK="--enable-dpdk"
++endif
++
++CI ?= $(shell $(CURDIR)/debian/building-in-ci.sh)
++ifeq ($(CI),true)
++ ENABLE_UNITTESTS="--enable-unittests"
++endif
++
++ifneq (,$(findstring $(DEB_HOST_ARCH),$(EBPF_ARCHS)))
++ ENABLE_EBPF=--enable-ebpf --enable-ebpf-build \
++ --with-ebpf-includes=/usr/include/$(DEB_HOST_MULTIARCH)
++endif
++
++CONFIGURE_ARGS = --enable-af-packet --enable-nfqueue --enable-nflog \
++ --enable-gccprotect --disable-gccmarch-native \
++ --with-libnss-includes=/usr/include/nss --with-libnss-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
++ --with-libnspr-includes=/usr/include/nspr --with-libnspr-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
++ --with-libevent-includes=/usr/include --with-libevent-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
++ --disable-coccinelle \
++ --enable-geoip --enable-hiredis \
++ --enable-non-bundled-htp \
++ --disable-suricata-update \
++ $(ENABLE_LUAJIT) \
++ $(ENABLE_HYPERSCAN) \
++ $(ENABLE_UNITTESTS) \
++ $(ENABLE_EBPF) \
++ $(ENABLE_DPDK)
++
++override_dh_auto_configure:
++ dh_auto_configure -- $(CONFIGURE_ARGS)
++
++override_dh_auto_build:
++ uname -a
++ mkdir -p $(CARGO_HOME)
++ dh_auto_build
++
++override_dh_auto_clean:
++ rm -rf $(CARGO_HOME)
++ rm -f debian/suricata.substvars
++
++override_dh_auto_install:
++ dh_auto_install --destdir=$(SURICATA_DESTDIR)
++ rm -rf $(SURICATA_DESTDIR)/usr/lib/python*;\
++ (cd python && make prefix=$(SURICATA_DESTDIR)/usr)
++ # clean upstream install documentation
++ rm -rf $(SURICATA_DESTDIR)/usr/share/doc/suricata/*
++ $(foreach file, $(wildcard ebpf/*bpf), \
++ install -D -t $(SURICATA_DESTDIR)/usr/lib/suricata/ebpf $(file) ;\
++ )
++
++override_dh_auto_test:
++ # do nothing
++
++override_dh_missing:
++ dh_missing --list-missing
++
++override_dh_gencontrol:
++ echo "libhtp:Version=$(LIBHTP_PKG_VERSION)" >> debian/suricata.substvars
++ dh_gencontrol
++
++%:
++ dh $@ --with python3
--- /dev/null
--- /dev/null
++3.0 (quilt)
--- /dev/null
--- /dev/null
++Suricata for Debian
++-------------------
++
++The engine is an Open Source Next Generation Intrusion Detection and
++Prevention Tool, not intended to just replace or emulate the existing tools in
++the industry, but to bring new ideas and technologies to the field.
++
++To run the engine with default configuration on interface eth0 (in live mode),
++run the following command (as root):
++ suricata -c /etc/suricata/suricata.yaml -i eth0
++
++To run in live NFQUEUE mode, use (as root):
++ suricata -c /etc/suricata/suricata.yaml -q $QUEUE_ID
++
++You can also run suricata on a PCAP file:
++ suricata -c /etc/suricata/suricata.yaml -r file.pcap
++
++
++Daemon system integration
++-------------------------
++
++The suricata daemon comes preconfigured to run as a system daemon with systemd.
++
++You can start/stop the daemon with:
++ % sudo systemctl start suricata.service
++ % sudo systemctl stop suricata.service
++
++You should copy /lib/systemd/system/suricata.service to
++/etc/systemd/system/suricata.service and adapt the configuration to your needs.
++
++The sysvinit script and related files (/etc/init.d/suricata and
++/etc/default/suricata) will be eventually discarted at some point in the
++future. The /etc/default/suricata file is ignored by the default
++suricata.service file.
++
++By now, there is no integration between suricata and libsystemd (so, options
++like the watchdog are not supported).
++
++
++Updating Rules
++--------------
++
++You should edit /etc/suricata/suricata.yaml and adjust it to fit your needs.
++The recommended way to update rules is via suricata-update (also packaged in Debian).
--- /dev/null
--- /dev/null
++# Default config for Suricata
++
++# set to yes to start the server in the init.d script
++RUN=no
++
++# Configuration file to load
++SURCONF=/etc/suricata/suricata.yaml
++
++# Listen mode: pcap, nfqueue or af-packet
++# depending on this value, only one of the two following options
++# will be used (af-packet uses neither).
++# Please note that IPS mode is only available when using nfqueue
++LISTENMODE=nfqueue
++
++# Interface to listen on (for pcap mode)
++IFACE=eth0
++
++# Queue number to listen on (for nfqueue mode)
++NFQUEUE=0
++
++# Load Google TCMALLOC if libtcmalloc-minimal4 is installed
++# This _might_ give you very very small performance gain....
++TCMALLOC="YES"
++
++# Pid file
++PIDFILE=/var/run/suricata.pid
--- /dev/null
--- /dev/null
++etc/suricata
++var/log/suricata
--- /dev/null
--- /dev/null
++#!/bin/sh -e
++#
++### BEGIN INIT INFO
++# Provides: suricata
++# Required-Start: $time $network $local_fs $remote_fs
++# Required-Stop: $remote_fs
++# Default-Start: 2 3 4 5
++# Default-Stop: 0 1 6
++# Short-Description: Next Generation IDS/IPS
++# Description: Intrusion detection system that will
++# capture traffic from the network cards and will
++# match against a set of known attacks.
++### END INIT INFO
++
++# Source function library.
++. /lib/lsb/init-functions
++
++if test -f /etc/default/suricata; then
++ . /etc/default/suricata
++else
++ echo "/etc/default/suricata is missing... bailing out!" >&2
++ exit 1
++fi
++
++# We'll add up all the options above and use them
++NAME=suricata
++DAEMON=/usr/bin/$NAME
++
++# Use this if you want the user to explicitly set 'RUN' in
++# /etc/default/
++if [ "x$RUN" != "xyes" ] ; then
++ log_failure_msg "$NAME disabled, please adjust the configuration to your needs "
++ log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it."
++ exit 0
++fi
++
++check_root() {
++ if [ "$(id -u)" != "0" ]; then
++ log_failure_msg "You must be root to start, stop or restart $NAME."
++ exit 4
++ fi
++}
++
++check_nfqueue() {
++ if [ ! \( -e /proc/net/netfilter/nfnetlink_queue -o -e /proc/net/netfilter/nf_queue \) ]; then
++ log_warning_msg "NFQUEUE support not found !"
++ log_warning_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel"
++ fi
++}
++
++check_run_dir() {
++ if [ ! -d /var/run/suricata ]; then
++ mkdir /var/run/suricata
++ chmod 0755 /var/run/suricata
++ fi
++}
++
++load_libtcmalloc_minimal() {
++ lib="/usr/lib/libtcmalloc_minimal.so.4"
++
++ if [ -f "$lib" ] && [ "x$TCMALLOC" = "xYES" ]; then
++ export LD_PRELOAD="$lib"
++ fi
++}
++
++check_root
++
++case "$LISTENMODE" in
++nfqueue)
++ IDMODE="IPS (nfqueue)"
++ LISTEN_OPTIONS=" -q $NFQUEUE"
++ check_nfqueue
++ ;;
++pcap)
++ IDMODE="IDS (pcap)"
++ LISTEN_OPTIONS=" -i $IFACE"
++ ;;
++af-packet)
++ IDMODE="IDS (af-packet)"
++ LISTEN_OPTIONS=" --af-packet"
++ ;;
++*)
++ echo "Unsupported listen mode $LISTENMODE, aborting"
++ exit 1
++ ;;
++esac
++
++SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D"
++
++# See how we were called.
++case "$1" in
++start)
++ if [ -f $PIDFILE ]; then
++ PID1=$(cat $PIDFILE)
++ if kill -0 "$PID1" 2>/dev/null; then
++ echo "$NAME is already running with PID $PID1"
++ exit 0
++ fi
++ fi
++ check_run_dir
++ echo -n "Starting suricata in $IDMODE mode..."
++ load_libtcmalloc_minimal
++ $DAEMON $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log 2>&1 &
++ echo " done."
++ ;;
++stop)
++ echo -n "Stopping suricata: "
++ if [ -f $PIDFILE ]; then
++ PID2=$(cat $PIDFILE)
++ else
++ echo " No PID file found; not running?"
++ exit 0;
++ fi
++ start-stop-daemon --oknodo --stop --quiet --pidfile=$PIDFILE --exec $DAEMON
++ if [ -n "$PID2" ]; then
++ kill "$PID2"
++ ret=$?
++ sleep 2
++ if kill -0 "$PID2" 2>/dev/null; then
++ ret=$?
++ echo -n "Waiting . "
++ cnt=0
++ while kill -0 "$PID2" 2>/dev/null; do
++ ret=$?
++ cnt=$(expr "$cnt" + 1)
++ if [ "$cnt" -gt 10 ]; then
++ kill -9 "$PID2"
++ break
++ fi
++ sleep 2
++ echo -n ". "
++ done
++ fi
++ fi
++ if [ -e $PIDFILE ]; then
++ rm $PIDFILE > /dev/null 2>&1
++ fi
++ echo " done."
++ ;;
++status)
++ # Check if running...
++ if [ -s $PIDFILE ]; then
++ PID3=$(cat $PIDFILE)
++ if kill -0 "$PID3" 2>/dev/null; then
++ echo "$NAME is running with PID $PID3"
++ exit 0
++ else
++ echo "PID file $PIDFILE exists, but process not running!"
++ fi
++ else
++ echo "$NAME not running!"
++ fi
++ ;;
++restart)
++ $0 stop
++ $0 start
++ ;;
++force-reload)
++ $0 stop
++ $0 start
++ ;;
++*)
++ echo "Usage: $0 {start|stop|restart|status}"
++ exit 1
++esac
++
++exit 0
--- /dev/null
--- /dev/null
++etc/classification.config /etc/suricata
++etc/reference.config /etc/suricata
++rules/*.rules /etc/suricata/rules
++suricata.yaml /etc/suricata
++threshold.config /etc/suricata
++usr/bin
++usr/lib
--- /dev/null
--- /dev/null
++# these are eBPF files
++suricata: binary-from-other-architecture [usr/lib/suricata/ebpf/*.bpf]
++suricata: unstripped-binary-or-object [usr/lib/suricata/ebpf/*.bpf]
++suricata: executable-in-usr-lib [usr/lib/suricata/ebpf/*.bpf]
--- /dev/null
--- /dev/null
++/var/log/suricata/*.log
++/var/log/suricata/*.json
++{
++ rotate 14
++ missingok
++ compress
++ copytruncate
++ sharedscripts
++ postrotate
++ /bin/kill -HUP $(cat /var/run/suricata.pid)
++ endscript
++}
--- /dev/null
--- /dev/null
++# Rename file
++mv_conffile /etc/suricata/suricata-debian.yaml /etc/suricata/suricata.yaml 3.1-1 suricata
--- /dev/null
--- /dev/null
++doc/userguide/*.1
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++set -e
++
++# we do not need alternatives anymore
++if update-alternatives --quiet --query suricata 2> /dev/null; then
++ echo "Removing legacy alternatives for Hyperscan/non-Hyperscan versions"
++ update-alternatives --remove-all suricata
++fi
++
++#DEBHELPER#
++
++exit 0
--- /dev/null
--- /dev/null
++[Unit]
++Description=Suricata IDS/IDP daemon
++After=network.target network-online.target
++Requires=network-online.target
++Documentation=man:suricata(8) man:suricatasc(8)
++Documentation=https://suricata.io/documentation/
++
++[Service]
++Type=forking
++#Environment=LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.4
++PIDFile=/run/suricata.pid
++ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid
++ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID
++ExecStop=/usr/bin/suricatasc -c shutdown
++Restart=on-failure
++ProtectSystem=full
++ProtectHome=true
++
++[Install]
++WantedBy=multi-user.target
--- /dev/null
--- /dev/null
++Test-Command: suricata --build-info
++Depends: @
++
++Test-Command: suricatasc -c "version"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: suricatasc -c "command-list"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: suricatasc -c "capture-mode"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: sleep 10 && suricatasc -c "dump-counters"
++Depends: @
++Restrictions: needs-root, isolation-container
++
++Test-Command: suricatasc -c "uptime"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: suricatasc -c "reload-rules"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: suricatasc -c "iface-list"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: suricatasc -c "shutdown"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: sleep 10 && suricatasc -c "running-mode"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Tests: systemd-service-test.sh
++Depends: @, systemd, procps
++Restrictions: needs-root, isolation-container, allow-stderr
++
++Test-Command: src/suricata -u
++Depends: @, @builddeps@, procps, geoip-database
++Restrictions: needs-root, isolation-container, build-needed, allow-stderr
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++set -ex
++
++SERVICE="suricata.service"
++ETC_SERVICE_FILE="/etc/systemd/system/${SERVICE}"
++LIB_SERVICE_FILE="/lib/systemd/system/${SERVICE}"
++CONFIG_FILE="/etc/suricata/suricata.yaml"
++IFACE=$(ip route show | awk '/default/ {print $5}')
++
++if [ ! -r "$LIB_SERVICE_FILE" ] ; then
++ : ERROR unable to read $LIB_SERVICE_FILE
++ exit 1
++fi
++if [ ! -w "$CONFIG_FILE" ] ; then
++ : ERROR unable to write to $CONFIG_FILE
++ exit 1
++fi
++
++systemctl_action()
++{
++ if ! systemctl $1 $SERVICE ; then
++ journalctl -u $SERVICE
++ return 1
++ fi
++ return 0
++}
++
++echo "
++%YAML 1.1
++---
++default-rule-path: /etc/suricata/rules
++rule-files:
++ - tor.rules
++ - http-events.rules
++ - smtp-events.rules
++ - dns-events.rules
++ - tls-events.rules
++classification-file: /etc/suricata/classification.config
++reference-config-file: /etc/suricata/reference.config
++default-log-dir: /var/log/suricata/
++af-packet:
++ - interface: $IFACE
++ cluster-id: 99
++ cluster-type: cluster_flow
++ defrag: yes
++ - interface: default
++ tpacket-v3: yes
++ block-size: 131072
++app-layer:
++ protocols:
++ ssh:
++ enabled: yes
++host-mode: auto
++unix-command:
++ enabled: yes
++ filename: /var/run/suricata-command.socket
++detect:
++ profile: medium
++ custom-values:
++ toclient-groups: 3
++ toserver-groups: 25
++ sgh-mpm-context: auto
++ inspection-recursion-limit: 3000
++ grouping:
++ profiling:
++ grouping:
++ dump-to-disk: false
++ include-rules: false
++ include-mpm-stats: false
++mpm-algo: auto
++spm-algo: auto
++" > $CONFIG_FILE
++
++#
++# before start, package installation may start the daemon
++#
++if systemctl -q is-active $SERVICE ; then
++ : WARNING initial service running, stopping now
++ if ! systemctl_action stop ; then
++ : ERROR cant stop initial service
++ exit 1
++ fi
++fi
++
++#
++# First run of the daemon and basic checks
++#
++if ! systemctl_action start ; then
++ : ERROR cant start the service
++ exit 1
++fi
++sleep 10 # wait for service startup
++systemctl status $SERVICE
++
++#
++# Restart the daemon
++#
++if ! systemctl_action restart ; then
++ : ERROR unable to restart the service
++ exit 1
++fi
++
++sleep 10 # wait for serive startup
++if ! systemctl -q is-active $SERVICE ; then
++ journalctl -u $SERVICE
++ : ERROR service not active after restart
++ exit 1
++fi
++
++#
++# Reload the daemon
++#
++
++: WARNING: Not testing daemon reload: it timeouts in ci.debian.net
++
++#if ! systemctl_action reload ; then
++# : ERROR unable to reload the service
++# exit 1
++#fi
++
++#sleep 10 # wait for service reload
++#if ! systemctl -q is-active $SERVICE ; then
++# journalctl -u $SERVICE
++# : ERROR service not active after reload
++# exit 1
++#fi
++
++: INFO all tests OK
++exit 0
--- /dev/null
--- /dev/null
++Bug-Database: https://redmine.openinfosecfoundation.org/
++Bug-Submit: https://redmine.openinfosecfoundation.org/projects/suricata/issues/new
++Repository: https://github.com/OISF/suricata.git
++Repository-Browse: https://github.com/OISF/suricata
--- /dev/null
--- /dev/null
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++
++mQINBF8tFVkBEADEEXYv9T6kntaOafPMsBXJPFflcpM4VdXCnEmkY2zcQzfZ+fUB
++kyc6Lh1W07EPd4zGri4Hu9V8nfH5z+23oMmvVrUgbwU62u7ioUhMEpEtLbaLCWL9
++6HSlA4XWwjJhALXKFNMWtWT5BiHHty4jXvLl/KlbYtNrV+BuWDZsSiCRto134His
++Uozb82Yp76qhxdFXdUkXa7PYXJ40EYg9du4Z2l8qP3VWjDHDDrXtoChIgnTmkXkF
++0AdNx9jd9OSugQbJMqi7IV2wvA4xErKMujL+7ytxdMsV0WS39dPOn1mPclYLlnq6
++XDaXcVcHpXOQfC0qniKAHA9ngdKPPG5aJ7DqnZx+G4HBOAf0qnqCT2HBzvJovDuF
++7LdITO+nUiuThlh26oIoRqOfFgIAKDO+F/fRFIJYFt7q5OEwiL9HmlR7UrjLyHb8
++TqWhxocZHvP0ex6qTFMlUOZFaLVD/OC0lMFZDtHNfWIyWLmRIP4CGYia7RDyEEvn
++rHqK7NCF93K5UNUuBZmWNZ5r7/wKccLSYz7wAgkeWaKBAX7bQLspTZUYOOd8Kf5+
++uYlkLd1ju1wHqR7MrVb8/l6Q7cEIpLj+1ou6HeEsKyH1oZ8BQVzkVWIHmz7gaumV
++RKiycSnGqi8UnlFRUbZTW5ChLb7BL+ncBI3MuvrXvB6Ps7RlDPBD4D5AJQARAQAB
++tFBPcGVuIEluZm9ybWF0aW9uIFNlY3VyaXR5IEZvdW5kYXRpb24gKE9JU0YpIDxy
++ZWxlYXNlc0BvcGVuaW5mb3NlY2ZvdW5kYXRpb24ub3JnPokCVAQTAQoAPhYhBLNv
++2vJgfhDo/6ieXiupyYzN8ek6BQJfLRVZAhsDBQkJZgGABQsJCAcCBhUKCQgLAgQW
++AgMBAh4BAheAAAoJECupyYzN8ek6BAMP/jbjbJgNNYHQpueS6q7Jx1pNsDJ0Iqlr
++2AIfrvMAkvNCQALWMoKsSPYbx+lLhTMKP48wwUTu4PcagaZ74W41kFAHN6ituIeY
++QJ7nyNaccu4KRMLvWsL/LVimGIfQZDWgGvJd/ggAXZcCeSiWblCqs7isGpGwGktv
++O6M824BZo2tmqBOtcL/nn3xD5v3dOM2uUr4N7qEmVQgJpYY/d5GNy2576jLT1EQ7
++Nq8VW0b76yZ7SQqX/mRA3KGJRi3/qnXsuxDdQd8hzxr4+QnH1cFjYtwsJlzzf2gm
++87ZbcuNf/BccH0Nt/hRkm7wIfJgXADKdCUAb60F6Ov95+aZ4hpK/Q6jJcCF9WSEZ
++UjklpYzWhSoC5AvqKcLOOnfLGfdF+gKwCD+hLvBwtkDZyYnLSkaKQ3eWbesoZnl0
++uDZAgy+4UCsh4c6DmtF2YeByybmd+cOfxZqRNIGUzC5u5ROsulB4gNjCtaTrY2ug
++r0br16ypXHA8M3PB+EAF08pg1PNETecdQ+uWZmYn2vAAi0lh1YREuIaFK+P5RziU
++m1uwfmsTEy7xnrHfWTZyiWdDCsjhppRiUNCqXh76ChDh2cNbiiGK7EgNLeUEyplx
++s60hfa4Ht0tmo3S3R2JRs4Usn0fKigR1Vv589qjDI1DNbFC/01/IFXrKjERzdm20
++ruUEU7TOqiUwuQINBF8tFVkBEADCAk7fTNtLlFDOAmXNxW+5ILRBehswEaZvAN5J
++rhc9bz4dMSWQajprEAl8HFRctEUkYHyi7cwcUPrelhwjnxOH3LuVeLLtm9i3wTCX
++NUvHeOWr4DBLYnwiYZ6t7U+Isd/IQRTo9l1vBEwdMOAs7FfqSmoGvJspd42dOi4r
++ph6JNss4FE5GTrb4oTx0ZrAIh7mT17e16TZywrZWKFZnl+G/YqmSolGtOrkhzm18
++l3mTa/v4hq4u+ZS8Qd9ng62sl8Ls5Krx3JCBdxn849WRJ6myS7R+hvQeLR9YH/YL
++ioUVzxHXmF2xlENYsbEsVAEsHUb2G5Ot+uQcUpC2u9uzw05L+zhCbd4ffW5eTsGv
++d51LvBMV1b0VUjWEmTgzqFNI5ElBnpjZ3W2eiAAWrLnGACO5Lxzf5VeWYaTDJo8O
++GBYSoHovjYrFI8ZQq7J1skM/YBXROTb4zSc8rL1w81VFLvFu6lOzIA15s5iLRko7
++LSKKom04Q8BNZ1nUydlxvo/5fu4VGYtWMliWUOIePIMT1EgBqYDfQyZ/h4gSMc7j
++jgb2JDfq/7WueoVTy8CNuOzewRYQOU/5P34o341Q0WO2tFNrohUqG9oDHf3Fj8eg
++VwWuRv+eDUmgbpisqVoj2hH1PM45Hcp62RHJasMWUmPIlCNKfvd8+fj3+zjaAN8r
++4Fv0YwARAQABiQI8BBgBCgAmFiEEs2/a8mB+EOj/qJ5eK6nJjM3x6ToFAl8tFVkC
++GwwFCQlmAYAACgkQK6nJjM3x6TpE0Q/7B31BrekzAIqV4gu6wE6xXe4GwzHYsQjW
++MJ0zQFXy3xPeRwVuFhfEOfX23HIpzvlM5h8OJCyifYu8vpbjqJ0/bEoUIERjQ0qe
++24H8tETRWsF5xRn8FwItdU+8dBsdH77JopAf3qmKPi6PZoobb0mf6mvqK/ootiIg
++8ATzbaIizw5oa4XZsjOwTh9vP7/VUAD7I8i2sxjw4BzLI9Ee4Mx+3ei95TQEXdRl
++jLEIH+2DLkKZTY1czfMuWAJsWpE+xewVBgm6zB0eS51HPZAhSaMmJefJeybnG4Er
++MFdWPPMXzNbr056TQzL1WIdHvB3SLSnA+MSHI8tp3LpHIqHibL1HQpUwDZo1G7jK
++hXcfEMAjwVJInNPOKJo93+mgTOqt0HZvnrGtFpUGBWivGLXguDW/m++Cv7hY3M7g
++I48G8dSmATEfyC0zaMACD2xmfjg86gkWsgio1Hpym/4oVDBVdT7CEXuN53QsQH5Y
++4XlEJh2l/fDMBAqtPmOkH6Zl3v6PLnzrkDbVEl1Nid/Oak6h6RSbAaI+uSACPTMq
++bHEYDF5K/2N6gu6/6aS6JzgCqr7G63Jghh1NtoKzmDfMl2nVL2virZDREUP7tBGa
++HegFin/SNaQ/vyu4kp/Y0Q6/BnN8Pa/1ngrkxwu/fAm4wq0DNArbf15fjCC0AgYZ
++z9qESk6L8Cs=
++=Rr5U
++-----END PGP PUBLIC KEY BLOCK-----
--- /dev/null
--- /dev/null
++# watch control file for uscan
++# run the "uscan" command to check for upstream updates and more.
++# See uscan(1) for format
++
++version=4
++opts=pgpsigurlmangle=s/$/.sig/ https://openinfosecfoundation.org/download/ suricata-([\d\.]*)\.tar\.gz
projects / suricata.git / commitdiff