* Non-maintainer upload by the LTS Team.
* CVE-2021-45098
Fix bypass of HTTP-based signature by faking an RST TCP packet.
* CVE-2023-35852
Fix unintended file access in local filesystem.
* CVE-2024-32663
Fix using large amount of memory.
* CVE-2024-37151
Fix mishandling of multiple fragmented packets, which might lead to
policy bypass.
* CVE-2024-45796
Fix logic error during fragment reassembly.
* CVE-2025-29918
Fix infinite loop.
* CVE-2024-55626
Fix buffer overflow due to large BPF filter file.
[dgit import unpatched suricata 1:6.0.1-3+deb11u1]
--- /dev/null
--- /dev/null
++#!/bin/bash
++
++# this script prints 'true' if any ancestor process name is any of $REGEXPS
++
++REGEXPS="debci autopkgtest adt"
++
++set -e
++
++walk()
++{
++ pid=$1
++
++ [ ! -r /proc/$pid/cmdline ] && exit 1
++
++ name=$(ps -p $pid -o cmd | tail -1)
++ for exp in $REGEXPS
++ do
++ if grep -e $exp <<< $name >/dev/null ; then
++ echo true
++ exit
++ fi
++ done
++
++ ppid=$(ps -o ppid= $pid | tr -d ' ')
++ walk $ppid
++}
++
++walk $$
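Review bot: in walk(), the pattern is matched with `grep -e $exp` against the output of `ps -p $pid -o cmd`, which is the full command line including arguments, while the header comment says "process name". An unanchored pattern as short as `adt` will match any ancestor whose arguments merely contain that substring. Either tighten the match (quote the variables and use a whole-word match such as `grep -qw -e "$exp"`) or correct the comment to say command line. Separately, when no ancestor matches, the walk ends at `[ ! -r /proc/$pid/cmdline ] && exit 1` with no output, so the script returns status 1 in the ordinary "not in CI" case. The header should document that, since a caller running under `set -e` has to guard the call.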
--- /dev/null
--- /dev/null
++suricata (1:6.0.1-3+deb11u1) bullseye-security; urgency=medium
++
++ * Non-maintainer upload by the LTS Team.
++ * CVE-2021-45098
++ Fix bypass of HTTP-based signature by faking an RST TCP packet.
++ * CVE-2023-35852
++ Fix unintended file access in local filesystem.
++ * CVE-2024-32663
++ Fix using large amount of memory.
++ * CVE-2024-37151
++ Fix mishandling of multiple fragmented packets, which might lead to
++ policy bypass.
++ * CVE-2024-45796
++ Fix logic error during fragment reassembly.
++ * CVE-2025-29918
++ Fix infinite loop.
++ * CVE-2024-55626
++ Fix buffer overflow due to large BPF filter file.
++
++ -- Thorsten Alteholz <debian@alteholz.de> Sun, 30 Mar 2025 12:03:02 +0200
++
++suricata (1:6.0.1-3) unstable; urgency=medium
++
++ * Address CVE-2021-35063 by backporting upstream fix.
++ Closes: #990835
++
++ -- Sascha Steinbiss <satta@debian.org> Mon, 19 Jul 2021 13:26:22 +0200
++
++suricata (1:6.0.1-2) unstable; urgency=medium
++
++ * Also specify explicit separate '-latomic' reference on mipsel.
++ This addresses a remaining FTBFS there.
++
++ -- Sascha Steinbiss <satta@debian.org> Fri, 11 Dec 2020 09:35:57 +0100
++
++suricata (1:6.0.1-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Disable Prelude support.
++ This is broken upstream, see https://redmine.openinfosecfoundation.org/issues/4065
++ * Bump libhtp dependency to 0.5.36.
++ * Disable suricata-update, as it is a separate package in Debian.
++ * Add patches to fix builds with new Autoconf scripts.
++ * Use debhelper 13.
++ * Include upstream's man pages.
++ * Add workaround for missing '-latomic' symbols on armel.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 08 Oct 2020 22:23:17 +0200
++
++suricata (1:5.0.3-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Use /run instead of /var/run for pidfiles. Thanks to Michael Berg for the
++ patch.
++ Closes: #954435
++ * Bump libhtp dependency to 0.5.33.
++ * Remove nonexistent Files entries in d/copyright.
++ * Use correct DEB_LDFLAGS_MAINT_APPEND in d/rules..
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 29 Apr 2020 09:34:49 +0200
++
++suricata (1:5.0.2-3) unstable; urgency=medium
++
++ * Source upload to enable testing migration.
++ * Bump Standards-Version.
++
++ -- Sascha Steinbiss <satta@debian.org> Sat, 22 Feb 2020 12:47:50 +0100
++
++suricata (1:5.0.2-2) unstable; urgency=medium
++
++ * Add --allow-multiple-definition linker flag to work around FTBFS on armel.
++ Closes: #951765
++
++ -- Sascha Steinbiss <satta@debian.org> Sat, 22 Feb 2020 12:23:52 +0100
++
++suricata (1:5.0.2-1) unstable; urgency=medium
++
++ * New upstream release.
++ Closes: #951654
++ * Add patch from upstream to build without needing if_tunnel.h.
++ This avoids a potentially foreign arch build-dep for eBPF builds.
++ Thanks to Eric Leblond.
++ * Drop patches applied upstream.
++ * Use debhelper-compat.
++ * Mark autopkgtests requiring a control socket as potentially flaky.
++ We cannot always predict the timing on all archs and do not want to
++ use them for CI gating.
++ Closes: #951721
++ * Bring d/copyright up to date with current code base.
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 20 Feb 2020 14:55:23 +0100
++
++suricata (1:4.1.5-2) unstable; urgency=medium
++
++ * Add versioned Depends on at least libhtp version used for building.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 09 Oct 2019 13:13:40 +0200
++
++suricata (1:4.1.5-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 25 Sep 2019 10:24:50 +0200
++
++suricata (1:4.1.4-7) unstable; urgency=medium
++
++ * Prevent file clash with other packages writing into the Python3
++ module root directory (suricata/__init__.py).
++ * Add patch to make suricatactl Python3-compatible.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 18 Sep 2019 20:55:51 +0200
++
++suricata (1:4.1.4-6) unstable; urgency=medium
++
++ * Make Python components use Python3.
++ Closes: #938603
++
++ -- Sascha Steinbiss <satta@debian.org> Sat, 07 Sep 2019 17:47:44 +0200
++
++suricata (1:4.1.4-5) unstable; urgency=medium
++
++ * Add patch to fix FTBFS on recent kernels. Thanks to Aurelien Jarno for
++ pointing this out.
++ Closes: #934316
++
++ -- Sascha Steinbiss <satta@debian.org> Mon, 12 Aug 2019 12:48:29 +0200
++
++suricata (1:4.1.4-4) unstable; urgency=medium
++
++ [ Hilko Bengen ]
++ * Patch: add --with-ebpf-includes, point to proper include directory for
++ kernel headers, fixing FTBFS on i386
++
++ [ Sascha Steinbiss ]
++ * Only build eBPF programs on archs with available dependencies.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 24 Jul 2019 10:34:25 +0200
++
++suricata (1:4.1.4-3) unstable; urgency=medium
++
++ * Fix cross building by including patch that addresses abuse of
++ AC_CHECK_FILE. Thanks to Helmut Grohne for the patch.
++ Closes: #923174
++ * Enable building with eBPF support.
++ Thanks to Hilko Bengen for the patch.
++ Closes: #917816
++ * Create temporary CARGO_HOME to allow building with new cargo
++ versions when $HOME is nonexistent.
++ * Make autopkgtest more robust when external resources are unavailable.
++ Closes: #932463
++ * Bump debhelper and compat to 12.
++ * Add Pre-Depends by Lintian's suggestion.
++
++ -- Sascha Steinbiss <satta@debian.org> Tue, 09 Jul 2019 16:47:49 +0200
++
++suricata (1:4.1.4-2) unstable; urgency=medium
++
++ * Do not install suricata-update, recommend external pkg instead.
++ Closes: #924096
++
++ -- Sascha Steinbiss <satta@debian.org> Thu, 02 May 2019 17:15:48 +0200
++
++suricata (1:4.1.4-1) unstable; urgency=medium
++
++ * New upstream version 4.1.4
++ - Bugs and security fixes
++ * Refreshed quilt patches
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 01 May 2019 11:44:13 +0200
++
++suricata (1:4.1.3-1) unstable; urgency=medium
++
++ * New upstream version 4.1.3
++ * Refreshed quilt patches
++
++ -- Pierre Chifflier <pollux@debian.org> Fri, 08 Mar 2019 10:24:43 +0100
++
++suricata (1:4.1.2-2) unstable; urgency=medium
++
++ * Upload to unstable.
++
++ -- Sascha Steinbiss <satta@debian.org> Wed, 09 Jan 2019 12:53:47 +0100
++
++suricata (1:4.1.2-1) experimental; urgency=medium
++
++ * New upstream release.
++ * Add myself to uploaders.
++ * Do not remove Rust vendor directory on distclean (Closes: #915154)
++
++ -- Sascha Steinbiss <satta@debian.org> Sun, 23 Dec 2018 10:48:27 +0000
++
++suricata (1:4.1.0-2) experimental; urgency=medium
++
++ * Disable Rust on armel for now (FTBFS)
++ * Add liblz4-dev to build-deps to enable pcap compression
++ * Update build-dependency on python:any to fix FTCBFS (Closes: #909606)
++
++ -- Pierre Chifflier <pollux@debian.org> Mon, 26 Nov 2018 11:07:08 +0100
++
++suricata (1:4.1.0-1) experimental; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * libhtp: bump soname to libhtp-0.5.24-1
++
++ [ Pierre Chifflier ]
++ * New upstream version 1:4.1.0
++ * Refreshed quilt patches
++ * Update python code directory
++ * Enable rust support (i386 and amd64 only for now)
++ * Also enable Rust on ARM architectures
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 15 Nov 2018 13:29:23 -0800
++
++suricata (1:4.0.6-1) unstable; urgency=medium
++
++ * New upstream version 1:4.0.6
++
++ -- Pierre Chifflier <pollux@debian.org> Mon, 12 Nov 2018 09:19:39 +0100
++
++suricata (1:4.0.5-1) unstable; urgency=medium
++
++ [ Sascha Steinbiss ]
++ * Add patches to help with cross-compiling. Thanks to Helmut Grohne
++ for the patch.
++ Closes: #895996
++ * Add patches to fix building on ia64.
++ Thanks to Jason Duerstock and Adrian Bunk for the patches.
++ Closes: #890432
++ * Fix spelling in debian/patches/reproducible.patch.
++ * Remove obsolete X-Python-Version hint.
++ * Use updated watchfile source URL with https support.
++ * Remove obsolete --parallel dh parameter.
++ * Use canonical Salsa Vcs-Git URL.
++
++ [ Pierre Chifflier ]
++ * New upstream version 1:4.0.5
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 18 Jul 2018 17:14:02 +0200
++
++suricata (1:4.0.4-1) unstable; urgency=medium
++
++ * [3f18cd8] d/control: refresh git URLs
++ * [17da106] New upstream version 4.0.4 (Closes: #889842) fixes CVE-2018-6794
++ * [00fcf17] d/compat: bump debhelper compat level to 11
++ * [45dc0db] d/control: bump std-version to 4.1.3
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 14 Feb 2018 11:33:33 +0100
++
++suricata (1:4.0.3-1) unstable; urgency=medium
++
++ [ Sascha Steinbiss ]
++ * [aece4d6] New upstream version 4.0.3
++ * [c23b64f] refresh patches
++
++ [ Arturo Borrero Gonzalez ]
++ * [7f077ca] d/control: bump std-version to 4.1.2
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 13 Dec 2017 11:42:18 +0100
++
++suricata (1:4.0.1-2) unstable; urgency=medium
++
++ * [d9998f8] suricata-oinkmaster.conf: update ETOPEN ruleset for suricata 4.0.0
++ (Closes: #882442)
++ * [0beae03] suricata-oinkmaster-updater.8: fix typos
++ * [6e7ae75] d/: get rid of dh --with autotools-dev
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 23 Nov 2017 13:41:09 +0100
++
++suricata (1:4.0.1-1) unstable; urgency=medium
++
++ * [72d28e5] d/control: upgrade std-version to 4.1.0
++ * [ea1e317] d/control: upgrade std-version to 4.1.1
++ * [14fea39] d/: switch to debhelper compat 10
++ * [a4715b8] New upstream version 4.0.1
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Sat, 21 Oct 2017 12:09:27 +0200
++
++suricata (1:4.0.0-5) unstable; urgency=medium
++
++ * [392c5b2] d/t/control: allow-stderr for the internal unittest test
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 20 Sep 2017 20:27:12 +0200
++
++suricata (1:4.0.0-4) unstable; urgency=medium
++
++ * [93ee9030] d/control: enable libluajit-5.1-dev build-dep on mipsel
++ (Closes: #873832)
++ * [9527fe94] d/t/control: run suricata -u from the source tree
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Fri, 08 Sep 2017 06:06:47 +0200
++
++suricata (1:4.0.0-3) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * [aa53ce82] suricata-oinkmaster-updater.8: fix typo
++ * [2d171d5a] suricata-oinkmaster-updater.8: clarify paragraph
++ * [90c76777] d/rules: disable dh_auto_test
++ * [5b311761] suricata: switch to use dbgsym package
++ * [9b12c48d] d/control: bump std-versions to 4.0.1
++
++ [ Sascha Steinbiss ]
++ * [c353985a] enable libevent support (Closes: #872908)
++ * [49ff3181] enable luajit on mipsel (Closes: #858545)
++
++ [ Arturo Borrero Gonzalez ]
++ * [50ab7eae] suricata.service: update online docs link
++ * [5098fd7b] d/control: add dh-python to build-deps
++ * [f070d160] d/watch: implement signature verification
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 29 Aug 2017 23:22:48 +0200
++
++suricata (1:4.0.0-2) unstable; urgency=medium
++
++ * [449b4202] d/t/control: running suricata unittest requires
++ geoip-database installed
++ * [0bd02487] d/building-in-ci.sh: be more robust
++ * [edd49e4a] d/watch: more robust approach for upstream tarball generation
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 15 Aug 2017 13:45:45 +0200
++
++suricata (1:4.0.0-1) unstable; urgency=medium
++
++ * [636f10f] d/rules: actually use dh-systemd (Closes: #861732)
++ * [c728ed0] d/rules: cleanup comments
++ * [f0d9adb] suricata: switch to src:libhtp instead of the bundled one
++ * [fa5f8be] New upstream version 4.0.0-rc1
++ * [fac7566] suricata: remove Build-Conflict with libhtp-dev
++ * [1bce782] suricata: explicit build-dep on new src:libhtp
++ * [f3aec1c] d/suricata.preinst: use strict mode (Closes: #866280)
++ * [c831659] suricata: support for internal unittest in autopktest
++ * [557ded7] New upstream version 4.0.0
++ * [5d41b6c] d/t/control: the internal suricata unittest is a command test
++ * [7f4feaa] d/changelog: add missing entry for 4.0.0-beta1-1~exp1
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Fri, 28 Jul 2017 05:29:48 +0200
++
++suricata (4.0.0-beta1-1~exp1) unstable; urgency=medium
++
++ * [c21347df] New upstream version 4.0.0-beta1
++ * [5661b3cc] libhtp: bump soname to libhtp-0.5.24-1
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Fri, 09 Jun 2017 20:52:10 +0200
++
++suricata (3.2.1-1) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * Rebuild for unstable from 3.2.1-1~exp2 (experimental).
++
++ [ Sascha Steinbiss ]
++ * [d0c3629] detect valid interface in autopkgtest
++ * [2d3ae00] fix typo in service file
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 16 Mar 2017 09:04:03 +0100
++
++suricata (3.2.1-1~exp2) experimental; urgency=medium
++
++ [ Sascha Steinbiss ]
++ * [ced48e4] suricata: migrate from old split binary scheme (Closes: #855573)
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Mon, 20 Feb 2017 13:29:37 +0100
++
++suricata (3.2.1-1~exp1) experimental; urgency=medium
++
++ * [67004c8] New upstream version 3.2.1
++ * [05b1756] d/control: bump dependency on libhyperscan
++ * [4483d1c] suricata: drop suricata-hyperscan binary package (Closes: #851647)
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 15 Feb 2017 20:54:17 +0100
++
++suricata (3.2-2) unstable; urgency=medium
++
++ * Rebuild for unstable.
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 10 Jan 2017 09:27:59 +0100
++
++suricata (3.2-2~exp1) experimental; urgency=medium
++
++ [ Sascha Steinbiss ]
++ * [8c7704d] suricata: add hyperscan support (Closes: #846143)
++
++ [ Arturo Borrero Gonzalez ]
++ * [209d2cf] suricata: add remaining hyperscan support
++
++ [ Sascha Steinbiss ]
++ * [ec9b28a] set +x bit on d/suricata-hyperscan.install
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 22 Dec 2016 09:01:29 +0100
++
++suricata (3.2-1) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * [04f5cc3] d/control: update suricata homepage to suricata-ids.org
++ (Closes: #844603)
++
++ [ Sascha Steinbiss ]
++ * [b1cd09c] d/t/control: add some time to settle in autopkgtest
++
++ [ Arturo Borrero Gonzalez ]
++ * [dde83f1] New upstream version 3.2
++ * [c55dda2] d/patches/debian-default-cfg.patch: refresh patch
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 01 Dec 2016 16:22:50 +0100
++
++suricata (3.1.3-3) unstable; urgency=medium
++
++ * [e7a248d] d/tests/control: allow-stderr in the suricata-oinkmaster-updater
++ command
++ * [2caf89b] d/control: make libhtp packages Multi-Arch: same
++ * [825cef4] d/libhtp-0.5.23-1.lintian-overrides: generalize override
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 10 Nov 2016 09:42:29 +0100
++
++suricata (3.1.3-2) unstable; urgency=medium
++
++ * [5c395f9] d/tests/control: rearange suricatasc command tests
++ * [789723b] d/tests/control: fix typo in test command 'suricatas'
++ * [353e030] d/changelog: clean word with typo from the changelog
++ * [b4cf113] d/: add libhtp-0.5.23-1.lintian-overrides
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 09 Nov 2016 13:44:17 +0100
++
++suricata (3.1.3-1) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * [165d14e] suricata-oinkmaster: move the update script to /usr/sbin
++ (Closes: #838129)
++ * [2e21734] d/tests/control: add a basic test for suricata-oinkmaster-updater
++ * [be640f3] suricata: split libhtp to separate binary packages
++ * [c41567a] suricata-oinkmaster: add manpage for suricata-oinkmaster-updater
++ * [b5b6483] d/copyright: refresh file
++ * [2be2225] d/control: add references to IPS and firewall
++ * [bd6a9ed] d/: add symbols file for libhtp
++ * [f61be7d] suricata-oinkmaster-updater.8: fix typo
++ * [ead4a84] d/: update email address to 'arturo@debian.org'
++ * [36d9b9d] d/: refresh date of manpages
++
++ [ Sascha Steinbiss ]
++ * [da1c3c6] d/suricata.logrotate: use 'copytruncate' instead of 'create'
++
++ [ Arturo Borrero Gonzalez ]
++ * [cd9d5d4] New upstream version 3.1.3
++ * [f32a582] libhtp: symbols: refresh file
++ * [1e3edb0] libhtp: bump soname
++ * [d46497e] d/control: suricata depends on lsb-base
++ * [08a6195] d/copyright: refresh copyright owner for some libhtp files
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 08 Nov 2016 08:51:58 +0100
++
++suricata (3.1.2-2) unstable; urgency=medium
++
++ * [482c6f6] d/tests/control: allow-stderr for systemd-service-test.sh
++ * [a4eff10] d/tests/control: add tests for suricatasc
++ * [892096c] d/suricata.8: fix typo 'inet' vs 'init'
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Thu, 08 Sep 2016 12:46:44 +0200
++
++suricata (3.1.2-1) unstable; urgency=medium
++
++ * [4e0605d] Revert "suricata: drop support for sysvinit"
++ * [f5abe38] d/patches: add reproducible.patch.
++ Thanks to Christoph Berg <myon@debian.org> for the pointers.
++ * [6569809] New upstream version 3.1.2
++ * [5fea3a6] d/suricata.service: include Restart=on-failure
++ * [d1a973d] d/suricata.service: add ProtectSystem=full and ProtectHome=true
++ * [8e1cddd] d/tests/systemd-service-test.sh: don't test the reload operation by now
++ * [87c00b1] d/suricata.maintscript: factorize renaming of old config file
++ (Closes: #835643)
++ * [55c7a32] d/oinkmaster/suricata-oinkmaster-updater: drop warnings
++ * [7651669] d/oinkmaster/suricata-oinkmaster-updater: cleanup file
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Wed, 07 Sep 2016 13:25:13 +0200
++
++suricata (3.1.1-4) unstable; urgency=medium
++
++ * [c9b6efd] d/tests/: add new systemd-service-test.sh test
++ * [848a40f] d/README.Debian: this is not a beta release
++ * [0afb007] d/README.Debian: update file with systemd information
++ * [234ec55] d/suricata.8: update manpage
++ * [ebd6a8a] suricata: drop support for sysvinit
++ * [d8fae07] d/suricata.service: get rid of environment variables
++ * [5fe5359] d/suricata.service: use suricatasc for stop and reload
++ * [2ffd606] d/tests/systemd-service-test.sh: add tests for daemon reload
++ * [5196c36] d/suricata.service: require network-online.target (Closes:
++ #835168)
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Thu, 25 Aug 2016 14:14:20 +0200
++
++suricata (3.1.1-3) unstable; urgency=medium
++
++ * [22d26a5] suricata-oinkmaster-updater: prevent bogus if evaluation
++ * [4805c7a] suricata-oinkmaster-updater: dont exit with error if missing
++ requirements (Closes: #834029)
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 16 Aug 2016 13:53:12 +0200
++
++suricata (3.1.1-2) unstable; urgency=medium
++
++ * [833f1c5] d/: add new binary package suricata-oinkmaster
++ * [6155001] d/suricata.service: remove duplicated -D switch in
++ ExecStart=
++ * [6ebbd82] d/patches: add debian-default-cfg.patch [enable unix socket
++ by default]
++ * [2286eb4] d/suricatasc.1: update manpage
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Thu, 28 Jul 2016 13:21:30 +0200
++
++suricata (3.1.1-1) unstable; urgency=medium
++
++ * [cafb099] d/suricata: rename suricata main conffile to
++ /etc/suricata/suricata.yaml
++ * [445c957] suricata: add systemd service file
++ * [94b93bf] Imported Upstream version 3.1.1
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 25 Jul 2016 11:12:03 +0200
++
++suricata (3.1-1) unstable; urgency=medium
++
++ * [d2cce67] d/control: add Vcs-Browser and Vcs-Git information
++ * [8bb2030] Imported Upstream version 3.1
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 21 Jun 2016 11:00:55 +0200
++
++suricata (3.0.1-2) unstable; urgency=medium
++
++ * [178f3cf] suricata: add libgeoip support
++ * [c8a0a0a] d/control: bump std-version to 3.9.8
++ * [523203d] d/control: wrap-and-sort
++ * [e5abae9] suricata: add hiredis support
++ * [9ec82b8] d/control: get rid of XS-Testsuite directive
++
++ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 23 May 2016 11:39:40 +0200
++
++suricata (3.0.1-1) unstable; urgency=medium
++
++ * Imported Upstream version 3.0.1
++ * Bump Standards Version to 3.9.7
++
++ -- Pierre Chifflier <pollux@debian.org> Fri, 08 Apr 2016 10:58:35 +0200
++
++suricata (3.0-1) unstable; urgency=medium
++
++ * Imported Upstream version 3.0
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 28 Jan 2016 06:02:41 +0100
++
++suricata (2.0.11-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0.11
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 07 Jan 2016 10:17:16 +0100
++
++suricata (2.0.10-2) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * d/copyright: update file to follow Debian Policy 3.9.6.1
++ * d/control: bump standards to 3.9.6
++ * suricata: add nflog support (Closes: #775074)
++ * d/: wrap-and-sort
++ * d/control: architecture is linux-any
++ * d/rules: don't include upstream install documentation
++ * d/tests: add first basic test
++ * d/control: add missing Testsuite declaration
++ * suritaca: add package suricata-dbg (Closes: #753438)
++ * suricata sysvinit: fix libtcmalloc-minimal integration (Closes: #725249)
++ * d/suricata.init: cleanup file
++ * suricatasc: add manpage
++
++ [ Pierre Chifflier ]
++ * Merge unstable-next branch
++ * Fix dependencies and priority for -dbg package
++ * Install manpage for suricatasc
++
++ -- Pierre Chifflier <pollux@debian.org> Tue, 05 Jan 2016 21:02:40 +0100
++
++suricata (2.0.10-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0.10
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 26 Nov 2015 10:35:53 +0100
++
++suricata (2.0.9-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0.9
++ * Update watch file
++
++ -- Pierre Chifflier <pollux@debian.org> Fri, 25 Sep 2015 19:19:53 +0200
++
++suricata (2.0.8-1) unstable; urgency=high
++
++ [ Arturo Borrero Gonzalez ]
++ * d/suricata.logrotate: add logrotate configuration (Closes: #767249)
++ * d/patches: patch suricatasc to prevent depends on python-symplejson
++ (Closes: #759475)
++ * Revert "d/patches: patch suricatasc to prevent depends on python-symplejson"
++
++ [ Pierre Chifflier ]
++ * Imported Upstream version 2.0.8
++ * Bump Standards Version to 3.9.6
++ Fixes CVE-2015-0971 (Integer overflow in the DER parser)
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 07 May 2015 11:03:19 +0200
++
++suricata (2.0.7-2) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * d/suricata.init: fix proc nfqueue file checking (Closes: #725301)
++
++ [ Pierre Chifflier ]
++ * Check for both proc entries for nfqueue (backwards compatibility) and
++ issue warning only
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 15 Mar 2015 11:17:27 +0100
++
++suricata (2.0.7-1) unstable; urgency=medium
++
++ [ Pierre Chifflier ]
++ * Imported Upstream version 2.0.7
++ * Fix problems with upstream version import
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 12 Mar 2015 07:06:49 +0100
++
++suricata (2.0.6-3) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * suricata: don't deploy .so links
++
++ [ Pierre Chifflier ]
++ * Add missing installation files (Closes: #778724)
++ * Fix .so symlinks removal
++ * Update default-rules-path
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 19 Feb 2015 11:55:05 +0100
++
++suricata (2.0.6-2) unstable; urgency=medium
++
++ [ Arturo Borrero Gonzalez ]
++ * d/patches: drop 10-fix-missing-script-autoreconf.patch (Closes: #778670)
++ * d/rules: prevent not .so libhtp files from entering binary suricata package
++
++ [ Pierre Chifflier ]
++ * Add conflicts/replaces fields for transition from libhtp (Closes: #778668)
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 18 Feb 2015 11:19:31 +0100
++
++suricata (2.0.6-1) unstable; urgency=medium
++
++ [ Pierre Chifflier ]
++ * Imported Upstream version 2.0.6
++ * Add Arturo to uploaders
++
++ [ Arturo Borrero Gonzalez ]
++ * suricata: use embedded copy of libhtp (Closes: #772551)
++
++ -- Pierre Chifflier <pollux@debian.org> Tue, 17 Feb 2015 11:31:22 +0100
++
++suricata (2.0.4-1) unstable; urgency=high
++
++ * Imported Upstream version 2.0.4
++ * Security: fix out-of-bounds access in SSH parser (Closes: #762828)
++ * Urgency high, CVE-2014-6603
++ Stable and Oldstable versions are not affected.
++
++ -- Pierre Chifflier <pollux@debian.org> Fri, 10 Oct 2014 13:19:59 +0200
++
++suricata (2.0.3-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0.3
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 20 Aug 2014 15:06:21 +0200
++
++suricata (2.0.2-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0.2
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 29 Jun 2014 18:27:56 +0200
++
++suricata (2.0-1) unstable; urgency=medium
++
++ * Imported Upstream version 2.0
++ * Update build, require a recent libhtp, and disable coccinelle tests.
++ * Upload to unstable
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 02 Apr 2014 20:23:10 +0200
++
++suricata (1.4.7-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.7
++ * Bump Standards Version to 3.9.5
++ * Run autoreconf during build to fix some errors caused by different
++ autotools versions
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 29 Dec 2013 11:29:57 +0100
++
++suricata (1.4.6-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.6
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 06 Oct 2013 18:52:34 +0200
++
++suricata (1.4.5-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.5
++ * Prepare transition for suricata 2.0 by conflicting with libhtp >= 0.5
++
++ -- Pierre Chifflier <pollux@debian.org> Tue, 20 Aug 2013 16:44:45 +0200
++
++suricata (1.4.3-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.3
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 04 Jul 2013 11:50:13 +0200
++
++suricata (1.4.2-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.2
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 29 May 2013 16:24:52 +0200
++
++suricata (1.4.1-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4.1
++ * Install python control script (add dependency on python, and use
++ dh_python2 for build)
++ * Bump Standards Version to 3.9.4
++ * Fix removal of pid file in init script (Closes: #700547)
++ Thanks to Игорь Козинов <madvampik@gmail.com>.
++ * Add support for af-packet mode in init script (Closes: #697928).
++ Thanks to Jamie Strandboge <jamie@ubuntu.com>.
++
++ -- Pierre Chifflier <pollux@debian.org> Tue, 21 May 2013 12:42:45 +0200
++
++suricata (1.4-3) unstable; urgency=low
++
++ * Add configure flag for luajit only on supported architectures
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 22 Dec 2012 16:38:41 +0100
++
++suricata (1.4-2) unstable; urgency=low
++
++ * Fix error in init script, stop trying to manage suricata pid file
++ * Use arch-specific build dependencies for libluajit-5.1-dev, it is not
++ available on all architectures
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 22 Dec 2012 15:39:57 +0100
++
++suricata (1.4-1) unstable; urgency=low
++
++ * Imported Upstream version 1.4
++ * Enable Jansson and LuaJIT support, and add libjansson-dev libluajit-5.1-dev
++ to build-deps
++ * Add python to recommends, for the suricatasc script
++ * Create /var/run/suricata directory when starting daemon
++
++ -- Pierre Chifflier <pollux@debian.org> Fri, 14 Dec 2012 00:02:51 +0100
++
++suricata (1.3.5-1) unstable; urgency=low
++
++ * Imported Upstream version 1.3.5
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 06 Dec 2012 21:13:56 +0100
++
++suricata (1.3.4-1) unstable; urgency=low
++
++ * Imported Upstream version 1.3.4
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 17 Nov 2012 09:56:08 +0100
++
++suricata (1.3.3-1) unstable; urgency=low
++
++ * Imported Upstream version 1.3.3
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 03 Nov 2012 09:38:36 +0100
++
++suricata (1.3.2-1) unstable; urgency=low
++
++ * Imported Upstream version 1.3.2
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 13 Oct 2012 12:18:33 +0200
++
++suricata (1.3-1) unstable; urgency=low
++
++ * Imported Upstream version 1.3
++ * Add build-dependency on libnss3-dev and libnspr4-dev
++ * Bump Standards Version to 3.9.3
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 22 Jul 2012 22:27:36 +0200
++
++suricata (1.2.1-2) unstable; urgency=low
++
++ * Use override targets in rules files (Closes: #666330)
++ * Add support for parallel build in debian/rules
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 12 Apr 2012 01:56:48 +0200
++
++suricata (1.2.1-1) unstable; urgency=low
++
++ * Imported Upstream version 1.2.1
++ * Add libmagic-dev to build-deps
++ * Convert to DH version 9
++ - Switch from hardening-wrapper to dpkg-buildflags
++
++ -- Pierre Chifflier <pollux@debian.org> Mon, 23 Jan 2012 21:47:26 +0100
++
++suricata (1.1.1-2) unstable; urgency=low
++
++ * Add *.config files to default installation
++ * Trigger rebuild with libhtp versioned symbols
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 05 Jan 2012 08:20:24 +0100
++
++suricata (1.1.1-1) unstable; urgency=low
++
++ * Imported Upstream version 1.1.1
++ * Add configure option --enable-af-packet
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 07 Dec 2011 21:52:53 +0100
++
++suricata (1.1-1) unstable; urgency=low
++
++ * Imported Upstream version 1.1
++ * Add instructions on getting new rules using oinkmaster
++ * Add Recommends on oinkmaster
++ * Move snort-rules-default to Recommends
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 17 Nov 2011 23:20:51 +0100
++
++suricata (1.0.5-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.5
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 27 Jul 2011 08:20:25 +0200
++
++suricata (1.0.4-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.4
++ * Bump Standards Version to 3.9.2
++ * Enable hardening-wrapper
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 25 Jun 2011 13:45:44 +0200
++
++suricata (1.0.3-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.3
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 13 Apr 2011 16:59:32 +0200
++
++suricata (1.0.2-2) unstable; urgency=low
++
++ * Add init script (thanks to Edward Fjellskål)
++ * Switch to dpkg-source 3.0 (quilt) format
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 19 Dec 2010 18:35:50 +0100
++
++suricata (1.0.2-1) unstable; urgency=low
++
++ * New Upstream version 1.0.2 (Closes: #598389)
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 29 Sep 2010 10:02:52 +0200
++
++suricata (1.0.1-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.1 (Closes: #591559)
++ * Bump Standards version to 3.9.1
++ * Create /var/log/suricata (Closes: #590861)
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 11 Aug 2010 14:45:14 +0200
++
++suricata (1.0.0-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.0
++ * Remove arch=native flag from build (Closes: #587714)
++ * Bump Standards version to 3.9.0
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 01 Jul 2010 21:28:41 +0200
++
++suricata (0.9.2-1) unstable; urgency=low
++
++ * Imported Upstream version 0.9.2
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 19 Jun 2010 17:39:14 +0200
++
++suricata (0.9.1-1) unstable; urgency=low
++
++ * Imported Upstream version 0.9.1
++ * Update watch file
++
++ -- Pierre Chifflier <pollux@debian.org> Wed, 26 May 2010 23:09:07 +0200
++
++suricata (0.9.0-1) unstable; urgency=low
++
++ * Imported Upstream version 0.9.0
++ * Add libcap-ng-dev to build-deps
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 09 May 2010 10:43:44 +0200
++
++suricata (0.8.2-1) unstable; urgency=low
++
++ * Imported Upstream version 0.8.2
++ * Force selection of external libhtp during build
++ * Enable Prelude support
++ * Update watch file
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 02 May 2010 10:50:05 +0200
++
++suricata (0.8.0-2) unstable; urgency=low
++
++ * Update debian/copyright to include all files
++
++ -- Pierre Chifflier <pollux@debian.org> Sun, 21 Feb 2010 21:45:33 +0100
++
++suricata (0.8.0-1) unstable; urgency=low
++
++ * Initial release (Closes: #563422)
++
++ -- Pierre Chifflier <pollux@debian.org> Sat, 30 Jan 2010 18:25:05 +0100
--- /dev/null
--- /dev/null
++Source: suricata
++Section: net
++Priority: optional
++Maintainer: Pierre Chifflier <pollux@debian.org>
++Uploaders: Arturo Borrero Gonzalez <arturo@debian.org>,
++ Sascha Steinbiss <satta@debian.org>
++Build-Depends: debhelper-compat (= 13),
++ dh-python,
++ libbpf-dev [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
++ clang [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
++ llvm [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
++ libcap-ng-dev,
++ libelf-dev [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
++ libevent-dev,
++ libgeoip-dev,
++ libhiredis-dev,
++ libjansson-dev,
++ libluajit-5.1-dev [i386 amd64 powerpc mips mipsel armel armhf],
++ libhyperscan-dev (>= 4.4.0) [i386 amd64 x32],
++ rustc (>= 1.28.0),
++ cargo (>= 0.29.0),
++ liblz4-dev,
++ libmagic-dev,
++ libmaxminddb-dev,
++ libnet1-dev | libnet-dev,
++ libnetfilter-log-dev,
++ libnetfilter-queue-dev,
++ libnspr4-dev,
++ libnss3-dev,
++ libpcap-dev,
++ libpcre3-dev,
++ libyaml-dev,
++ python3:any,
++ zlib1g-dev | libz-dev,
++ libhtp-dev (>= 1:0.5.36),
++ procps
++Standards-Version: 4.5.0
++Homepage: https://www.suricata-ids.org/
++Vcs-Browser: https://salsa.debian.org/pkg-suricata-team/pkg-suricata
++Vcs-Git: https://salsa.debian.org/pkg-suricata-team/pkg-suricata.git
++
++Package: suricata
++Architecture: linux-any
++Pre-Depends: dpkg (>= 1.15.7.2), ${misc:Pre-Depends}
++Depends: ${misc:Depends}, ${python3:Depends}, ${shlibs:Depends}, libhtp2 (>= ${libhtp:Version}~), lsb-base (>= 3.0-6)
++Conflicts: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)
++Replaces: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)
++Recommends: python3, snort-rules-default, suricata-update
++Suggests: libtcmalloc-minimal4
++Description: Next Generation Intrusion Detection and Prevention Tool
++ Suricata is a network Intrusion Detection System (IDS). It is based on
++ rules (and is fully compatible with snort rules) to detect a variety of
++ attacks / probes by searching packet content.
++ .
++ It can also be used as Intrusion Prevention System (IPS), and as higher layer
++ firewall.
++ .
++ This new Engine supports Multi-Threading, Automatic Protocol Detection
++ (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast
++ IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU
++ cards.
++ .
++ This version has inline (NFQUEUE) support enabled.
++
++Package: suricata-oinkmaster
++Architecture: all
++Depends: oinkmaster, suricata (>= ${source:Version}), ${misc:Depends}
++Description: Integration package between suricata and oinkmaster
++ Suricata is a network Intrusion Detection System (IDS). It is based on
++ rules (and is fully compatible with snort rules) to detect a variety of
++ attacks / probes by searching packet content.
++ .
++ This package contains the integration bits between suricata and oinkmaster
++ to allow easy automated ruleset updates.
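Review bot: the long description of the suricata package still promises "coming soon hardware acceleration on CUDA and OpenCL GPU cards", yet Build-Depends lists no CUDA or OpenCL package; a "coming soon" claim in a package description goes stale, so drop the clause. The protocol list in the same paragraph (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB) also looks incomplete next to the Modbus, NTP, SNMP, Kerberos and IPsec parser sources named in debian/copyright. Separately, Recommends: python3 is redundant alongside ${python3:Depends} in Depends.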
--- /dev/null
--- /dev/null
++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
++Upstream-Name: suricata
++Source: https://suricata-ids.org/download/
++Files-Excluded: libhtp
++
++Files: *
++Copyright: 2007-2020 Open Information Security Foundation
++License: GPL-2
++
++Files: aclocal.m4
++Copyright: 1996-2017 Free Software Foundation, Inc.
++ 2004 Scott James Remnant <scott@netsplit.com>
++ 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
++License: GPL-2+
++
++Files: compile
++ config.sub
++ configure
++Copyright: 1992-2018 Free Software Foundation, Inc.
++License: GPL-2
++
++Files: config.guess
++Copyright: 1992-2018 Free Software Foundation, Inc.
++License: GPL-3
++
++Files: contrib/Makefile.am
++Copyright: 2007-2020 Open Information Security Foundation
++License: GPL-2
++
++Files: contrib/file_processor/*
++Copyright: 2007-2020 Open Information Security Foundation
++License: GPL-2
++
++Files: contrib/file_processor/Action/Makefile.in
++Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
++License: GPL-2
++
++Files: contrib/file_processor/Makefile.in
++Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
++License: GPL-2
++
++Files: contrib/file_processor/Processor/Makefile.in
++Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
++License: GPL-2
++
++Files: contrib/file_processor/file_processor.pl
++Copyright: 2012, Martin Holste
++License: GPL-2
++
++Files: contrib/suri-graphite
++Copyright: 2013, 2015, Eric Leblond <eric@regit.org>
++License: GPL-2
++
++Files: debian/*
++Copyright: 2010 Pierre Chifflier <pollux@debian.org>
++ 2019-2020 Sascha Steinbiss <satta@debian.org>
++License: GPL-2
++
++Files: debian/oinkmaster/*
++Copyright: 2016 Arturo Borrero Gonzalez <arturo@debian.org>
++License: GPL-2
++
++Files: doc/Makefile.in
++ doc/userguide/Makefile.in
++Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
++License: GPL-2
++
++Files: install-sh
++Copyright: 1994, X Consortium
++License: Expat
++
++Files: ebpf/Makefile.in
++ etc/Makefile.in
++ python/Makefile.in
++ qa/Makefile.in
++ qa/coccinelle/Makefile.in
++ rules/Makefile.in
++ rust/Makefile.in
++ src/Makefile.in
++ suricata-update/Makefile*
++Copyright: 1994-2017 Free Software Foundation, Inc.
++License: GPL-2
++
++Files: ebpf/include/linux/bpf.h
++Copyright: 2011-2014 PLUMgrid
++License: GPL-2
++
++Files: python/suricata/ctl/loghandler.py
++Copyright: 2017 Open Information Security Foundation
++ 2016 Jason Ish
++License: GPL-2
++
++Files: qa/coccinelle/sz3.cocci
++Copyright: 2012 LIP6/INRIA
++License: GPL-2
++
++Files: qa/wirefuzz.pl
++Copyright: 2010-2015 Open Information Security Foundation
++License: GPL-2
++
++Files: rust/gen/*
++Copyright: 2017 Open Information Security Foundation
++License: GPL-2
++
++Files: rust/vendor/autocfg*/*
++Copyright: 2018 Josh Stone <cuviper@gmail.com>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/base64/*
++Copyright: 2015 Alice Maz
++License: MIT or Apache-2.0
++
++Files: rust/vendor/bitflags/*
++Copyright: 2014 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/build_const/*
++Copyright: 2017 Garrett Berg, vitiral@gmail.com
++License: MIT
++
++Files: rust/vendor/byteorder/*
++Copyright: 2015 Andrew Gallant
++License: MIT or Unlicense
++
++Files: rust/vendor/cloudabi/*
++Copyright: 2016-2018 Nuxi (https://nuxi.nl/) and contributors
++License: BSD-2-clause
++
++Files: rust/vendor/cookie-factory/*
++Copyright: 2017 Geoffroy Couprie <geo.couprie@gmail.com>
++License: MIT
++
++Files: rust/vendor/crc/*
++Copyright: 2017 crc-rs Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/der-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/enum_primitive/*
++Copyright: 2015 Anders Kaseorg <andersk@mit.edu>
++License: MIT
++
++Files: rust/vendor/fuchsia-cprng/*
++Copyright: 2019 The Fuchsia Authors
++License: BSD-3-clause
++
++Files: rust/vendor/ipsec-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/kerberos-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/libc/*
++Copyright: 2014 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/memchr/*
++Copyright: 2015 Andrew Gallant <jamslam@gmail.com>
++License: Unlicense or MIT
++
++Files: rust/vendor/nom/*
++Copyright: 2014-2018 Geoffroy Couprie <contact@geoffroycouprie.com>
++License: MIT
++
++Files: rust/vendor/ntp-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/num*/*
++Copyright: 2014 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/phf*/*
++Copyright: 2014-2016 Steven Fackler <sfackler@gmail.com>
++License: MIT
++
++Files: rust/vendor/proc-macro2/*
++Copyright: 2014 Alex Crichton <alex@alexcrichton.com>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/quote/*
++Copyright: 2016 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/rand*/*
++Copyright: 2018 The Rand Project Developers
++ 2014 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/rand_pcg/*
++Copyright: 2014-2017 Melissa O'Neill and PCG Project contributors
++ 2018 Developers of the Rand project
++License: MIT or Apache-2.0
++
++Files: rust/vendor/rdrand/*
++Copyright: 2014 Simonas Kazlauskas <rdrand@kazlauskas.me>
++License: ISC
++
++Files: rust/vendor/rusticata-macros/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/siphasher/*
++Copyright: 2012-2016 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/snmp-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/syn/*
++Copyright: David Tolnay <dtolnay@gmail.com>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/time/*
++Copyright: 2014 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/tls-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/unicode-xid/*
++Copyright: 2015 The Rust Project Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/version_check/*
++Copyright: 2017-2018 Sergio Benitez <sb@sergio.bz>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/widestring/*
++Copyright: 2016 Kathryn Long <squeeself@gmail.com>
++License: MIT or Apache-2.0
++
++Files: rust/vendor/winapi*/*
++Copyright: 2015-2018 The winapi-rs Developers
++License: MIT or Apache-2.0
++
++Files: rust/vendor/x509-parser/*
++Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
++License: MIT or Apache-2.0
++
++Files: src/Makefile.am
++ src/util-hash-lookup3.c
++ src/util-hash-lookup3.h
++Copyright: 2008 Victor Julien <victor@inliniac.net>
++License: GPL-2
++
++Files: src/app-layer-htp-libhtp.c
++ src/app-layer-htp-libhtp.h
++Copyright: 2010-2013, Qualys, Inc.
++ 2009, 2010, Open Information Security Foundation
++License: BSD-3-clause
++
++Files: src/app-layer-modbus.c
++ src/app-layer-modbus.h
++ src/detect-engine-modbus.c
++ src/detect-engine-modbus.h
++ src/detect-modbus.c
++ src/detect-modbus.h
++ src/detect-tls.c
++ src/detect-tls.h
++ src/util-decode-der-get.c
++ src/util-decode-der-get.h
++ src/util-decode-der.c
++ src/util-decode-der.h
++Copyright: 2011-2015, ANSSI
++License: BSD-3-clause
++
++Files: src/queue.h
++ src/win32-syslog.h
++Copyright: 1982, 1986, 1988, 1991, 1993, The Regents of the University of California.
++License: BSD-3-clause
++
++Files: src/util-decode-mime.c
++ src/util-decode-mime.h
++Copyright: 2012, BAE Systems
++License: GPL-2
++
++Files: src/util-fix_checksum.c
++ src/util-fix_checksum.h
++Copyright: 2002-2008, Henning Brauer
++ 2001, Daniel Hartmeier
++License: BSD-2-clause
++Comment:
++ In addition to the BSD license, the authors state the following:
++ Effort sponsored in part by the Defense Advanced Research Projects
++ Agency (DARPA) and Air Force Research Laboratory, Air Force
++ Materiel Command, USAF, under agreement number F30602-01-2-0537
++
++Files: src/util-strlcatu.c
++ src/util-strlcpyu.c
++Copyright: 1998, Todd C. Miller <Todd.Miller@courtesan.com>
++License: BSD-3-clause
++
++Files: src/tree.h
++Copyright: 2002 Niels Provos <provos@citi.umich.edu>
++License: BSD-2-clause
++
++Files: suricata-update/*
++Copyright: 2017-2019 Open Information Security Foundation
++ 2013-2017 Jason Ish
++License: GPL-2
++
++Files: suricata-update/suricata/update/compat/ordereddict.py
++Copyright: 2009 Raymond Hettinger
++License: MIT
++
++License: BSD-3-clause
++ The BSD License
++ .
++ Redistribution and use in source and binary forms, with or without
++ modification, are permitted provided that the following conditions are
++ met:
++ .
++ * Redistributions of source code must retain the above copyright
++ notice, this list of conditions and the following disclaimer.
++ .
++ * Redistributions in binary form must reproduce the above copyright
++ notice, this list of conditions and the following disclaimer in the
++ documentation and/or other materials provided with the distribution.
++ .
++ * Neither the name of foo nor the names of its
++ contributors may be used to endorse or promote products derived from
++ this software without specific prior written permission.
++ .
++ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
++ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
++ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
++ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
++ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
++ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
++ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
++ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
++ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
++ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++License: Expat
++ The MIT License
++ .
++ Permission is hereby granted, free of charge, to any person
++ obtaining a copy of this software and associated
++ documentation files (the "Software"), to deal in the Software
++ without restriction, including without limitation the rights to
++ use, copy, modify, merge, publish, distribute, sublicense,
++ and/or sell copies of the Software, and to permit persons to
++ whom the Software is furnished to do so, subject to the
++ following conditions:
++ .
++ The above copyright notice and this permission notice shall
++ be included in all copies or substantial portions of the
++ Software.
++ .
++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
++ WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
++ INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ MERCHANTABILITY, FITNESS FOR A PARTICULAR
++ PURPOSE AND NONINFRINGEMENT. IN NO EVENT
++ SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
++ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
++ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
++ CONNECTION WITH THE SOFTWARE OR THE USE OR
++ OTHER DEALINGS IN THE SOFTWARE.
++
++License: GPL-2
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU Library General Public License as published by
++ the Free Software Foundation.
++ .
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU Library General Public License for more details.
++ .
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>
++ .
++ On Debian systems, the complete text of the GNU General
++ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
++
++License: GPL-2+
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; version 2 dated June, 1991, or (at
++ your option) any later version.
++ .
++ On Debian systems, the complete text of version 2 of the GNU General
++ Public License can be found in '/usr/share/common-licenses/GPL-2'.
++
++License: GPL-3
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; version 3 dated June, 2007.
++ .
++ On Debian systems, the complete text of version 3 of the GNU General
++ Public License can be found in '/usr/share/common-licenses/GPL-3'.
++
++License: Apache-2.0
++ Debian systems provide the Apache 2.0 license in
++ /usr/share/common-licenses/Apache-2.0
++
++License: MIT
++ Permission is hereby granted, free of charge, to any person obtaining a copy
++ of this software and associated documentation files (the "Software"), to deal
++ in the Software without restriction, including without limitation the rights
++ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ copies of the Software, and to permit persons to whom the Software is
++ furnished to do so, subject to the following conditions:
++ .
++ The above copyright notice and this permission notice shall be included in all
++ copies or substantial portions of the Software.
++ .
++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++ SOFTWARE.
++
++License: Unlicense
++ This is free and unencumbered software released into the public domain.
++ .
++ Anyone is free to copy, modify, publish, use, compile, sell, or
++ distribute this software, either in source code form or as a compiled
++ binary, for any purpose, commercial or non-commercial, and by any
++ means.
++ .
++ In jurisdictions that recognize copyright laws, the author or authors
++ of this software dedicate any and all copyright interest in the
++ software to the public domain. We make this dedication for the benefit
++ of the public at large and to the detriment of our heirs and
++ successors. We intend this dedication to be an overt act of
++ relinquishment in perpetuity of all present and future rights to this
++ software under copyright law.
++ .
++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
++ IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
++ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
++ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
++ OTHER DEALINGS IN THE SOFTWARE.
++
++License: BSD-2-clause
++ Redistribution and use in source and binary forms, with or without
++ modification, are permitted provided that the following conditions are
++ met:
++ .
++ 1. Redistributions of source code must retain the above copyright
++ notice, this list of conditions and the following disclaimer.
++ 2. Redistributions in binary form must reproduce the above copyright
++ notice, this list of conditions and the following disclaimer in the
++ documentation and/or other materials provided with the distribution.
++ .
++ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
++ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
++ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++License: ISC
++ Permission to use, copy, modify, and/or distribute this software for any purpose with or without
++ fee is hereby granted, provided that the above copyright notice and this permission notice appear
++ in all copies.
++ .
++ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
++ SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
++ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
++ NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
++ THIS SOFTWARE.
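Review bot: the License: GPL-2 stanza quotes the wrong licence. Its text reads "under the terms of the GNU Library General Public License" and "See the GNU Library General Public License for more details", never states a version, and then points to /usr/share/common-licenses/GPL-2; replace the body with the standard GPL version 2 notice so the short name, the text and the common-licenses path agree. In the BSD-3-clause stanza, "Neither the name of foo" is an unfilled template placeholder; the stanza covers files attributed to Qualys, ANSSI, the Regents of the University of California and Todd C. Miller, so generic "the copyright holder" wording would fit. The rust/vendor/syn/* stanza also has a Copyright field with no year.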
--- /dev/null
--- /dev/null
++usr/lib/*/lib*.so.*
--- /dev/null
--- /dev/null
++# false positive, the link is there. Somehow lintian is confused
++libhtp-0.5.24-1: dev-pkg-without-shlib-symlink
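Review bot: this override is filed against a package named libhtp-0.5.24-1, but the debian/control in this same import defines only the suricata and suricata-oinkmaster binary packages, build-depends on libhtp-dev (>= 1:0.5.36), and debian/copyright lists libhtp under Files-Excluded, so the override looks like a leftover from a bundled-libhtp layout and has nothing to apply to. Remove it together with the other libhtp packaging files, or, if it is kept, replace "Somehow lintian is confused" with the concrete reason the tag is a false positive.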
--- /dev/null
--- /dev/null
++libhtp-0.5.24.so.1 libhtp-0.5.24-1 #MINVER#
++ bstr_add@Base 3.1.3
++ bstr_add_c@Base 3.1.3
++ bstr_add_c_noex@Base 3.1.3
++ bstr_add_mem@Base 3.1.3
++ bstr_add_mem_noex@Base 3.1.3
++ bstr_add_noex@Base 3.1.3
++ bstr_adjust_len@Base 3.1.3
++ bstr_adjust_realptr@Base 3.1.3
++ bstr_adjust_size@Base 3.1.3
++ bstr_alloc@Base 3.1.3
++ bstr_begins_with@Base 3.1.3
++ bstr_begins_with_c@Base 3.1.3
++ bstr_begins_with_c_nocase@Base 3.1.3
++ bstr_begins_with_mem@Base 3.1.3
++ bstr_begins_with_mem_nocase@Base 3.1.3
++ bstr_begins_with_nocase@Base 3.1.3
++ bstr_builder_append_c@Base 3.1.3
++ bstr_builder_append_mem@Base 3.1.3
++ bstr_builder_appendn@Base 3.1.3
++ bstr_builder_clear@Base 3.1.3
++ bstr_builder_create@Base 3.1.3
++ bstr_builder_destroy@Base 3.1.3
++ bstr_builder_size@Base 3.1.3
++ bstr_builder_to_str@Base 3.1.3
++ bstr_char_at@Base 3.1.3
++ bstr_char_at_end@Base 3.1.3
++ bstr_chop@Base 3.1.3
++ bstr_chr@Base 3.1.3
++ bstr_cmp@Base 3.1.3
++ bstr_cmp_c@Base 3.1.3
++ bstr_cmp_c_nocase@Base 3.1.3
++ bstr_cmp_mem@Base 3.1.3
++ bstr_cmp_mem_nocase@Base 3.1.3
++ bstr_cmp_nocase@Base 3.1.3
++ bstr_dup@Base 3.1.3
++ bstr_dup_c@Base 3.1.3
++ bstr_dup_ex@Base 3.1.3
++ bstr_dup_lower@Base 3.1.3
++ bstr_dup_mem@Base 3.1.3
++ bstr_expand@Base 3.1.3
++ bstr_free@Base 3.1.3
++ bstr_index_of@Base 3.1.3
++ bstr_index_of_c@Base 3.1.3
++ bstr_index_of_c_nocase@Base 3.1.3
++ bstr_index_of_mem@Base 3.1.3
++ bstr_index_of_mem_nocase@Base 3.1.3
++ bstr_index_of_nocase@Base 3.1.3
++ bstr_rchr@Base 3.1.3
++ bstr_to_lowercase@Base 3.1.3
++ bstr_util_cmp_mem@Base 3.1.3
++ bstr_util_cmp_mem_nocase@Base 3.1.3
++ bstr_util_mem_index_of_c@Base 3.1.3
++ bstr_util_mem_index_of_c_nocase@Base 3.1.3
++ bstr_util_mem_index_of_mem@Base 3.1.3
++ bstr_util_mem_index_of_mem_nocase@Base 3.1.3
++ bstr_util_mem_to_pint@Base 3.1.3
++ bstr_util_mem_trim@Base 3.1.3
++ bstr_util_memdup_to_c@Base 3.1.3
++ bstr_util_strdup_to_c@Base 3.1.3
++ bstr_wrap_c@Base 3.1.3
++ bstr_wrap_mem@Base 3.1.3
++ fprint_bstr@Base 3.1.3
++ fprint_raw_data@Base 3.1.3
++ fprint_raw_data_ex@Base 3.1.3
++ htp_base64_decode@Base 3.1.3
++ htp_base64_decode_bstr@Base 3.1.3
++ htp_base64_decode_mem@Base 3.1.3
++ htp_base64_decode_single@Base 3.1.3
++ htp_base64_decoder_init@Base 3.1.3
++ htp_ch_multipart_callback_request_body_data@Base 3.1.3
++ htp_ch_multipart_callback_request_headers@Base 3.1.3
++ htp_ch_urlencoded_callback_request_body_data@Base 3.1.3
++ htp_ch_urlencoded_callback_request_headers@Base 3.1.3
++ htp_ch_urlencoded_callback_request_line@Base 3.1.3
++ htp_chomp@Base 3.1.3
++ htp_config_copy@Base 3.1.3
++ htp_config_create@Base 3.1.3
++ htp_config_destroy@Base 3.1.3
++ htp_config_get_user_data@Base 3.1.3
++ htp_config_register_log@Base 3.1.3
++ htp_config_register_multipart_parser@Base 3.1.3
++ htp_config_register_request_body_data@Base 3.1.3
++ htp_config_register_request_complete@Base 3.1.3
++ htp_config_register_request_file_data@Base 3.1.3
++ htp_config_register_request_header_data@Base 3.1.3
++ htp_config_register_request_headers@Base 3.1.3
++ htp_config_register_request_line@Base 3.1.3
++ htp_config_register_request_start@Base 3.1.3
++ htp_config_register_request_trailer@Base 3.1.3
++ htp_config_register_request_trailer_data@Base 3.1.3
++ htp_config_register_request_uri_normalize@Base 3.1.3
++ htp_config_register_response_body_data@Base 3.1.3
++ htp_config_register_response_complete@Base 3.1.3
++ htp_config_register_response_header_data@Base 3.1.3
++ htp_config_register_response_headers@Base 3.1.3
++ htp_config_register_response_line@Base 3.1.3
++ htp_config_register_response_start@Base 3.1.3
++ htp_config_register_response_trailer@Base 3.1.3
++ htp_config_register_response_trailer_data@Base 3.1.3
++ htp_config_register_transaction_complete@Base 3.1.3
++ htp_config_register_urlencoded_parser@Base 3.1.3
++ htp_config_set_backslash_convert_slashes@Base 3.1.3
++ htp_config_set_bestfit_map@Base 3.1.3
++ htp_config_set_bestfit_replacement_byte@Base 3.1.3
++ htp_config_set_control_chars_unwanted@Base 3.1.3
++ htp_config_set_convert_lowercase@Base 3.1.3
++ htp_config_set_extract_request_files@Base 3.1.3
++ htp_config_set_field_limits@Base 3.1.3
++ htp_config_set_log_level@Base 3.1.3
++ htp_config_set_nul_encoded_terminates@Base 3.1.3
++ htp_config_set_nul_encoded_unwanted@Base 3.1.3
++ htp_config_set_nul_raw_terminates@Base 3.1.3
++ htp_config_set_nul_raw_unwanted@Base 3.1.3
++ htp_config_set_parse_request_auth@Base 3.1.3
++ htp_config_set_parse_request_cookies@Base 3.1.3
++ htp_config_set_path_separators_compress@Base 3.1.3
++ htp_config_set_path_separators_decode@Base 3.1.3
++ htp_config_set_path_separators_encoded_unwanted@Base 3.1.3
++ htp_config_set_plusspace_decode@Base 3.1.3
++ htp_config_set_requestline_leading_whitespace_unwanted@Base 3.1.3
++ htp_config_set_response_decompression@Base 3.1.3
++ htp_config_set_response_decompression_layer_limit@Base 3.1.3
++ htp_config_set_server_personality@Base 3.1.3
++ htp_config_set_tmpdir@Base 3.1.3
++ htp_config_set_tx_auto_destroy@Base 3.1.3
++ htp_config_set_u_encoding_decode@Base 3.1.3
++ htp_config_set_u_encoding_unwanted@Base 3.1.3
++ htp_config_set_url_encoding_invalid_handling@Base 3.1.3
++ htp_config_set_url_encoding_invalid_unwanted@Base 3.1.3
++ htp_config_set_user_data@Base 3.1.3
++ htp_config_set_utf8_convert_bestfit@Base 3.1.3
++ htp_config_set_utf8_invalid_unwanted@Base 3.1.3
++ htp_conn_close@Base 3.1.3
++ htp_conn_create@Base 3.1.3
++ htp_conn_destroy@Base 3.1.3
++ htp_conn_open@Base 3.1.3
++ htp_conn_remove_tx@Base 3.1.3
++ htp_conn_track_inbound_data@Base 3.1.3
++ htp_conn_track_outbound_data@Base 3.1.3
++ htp_connp_REQ_BODY_CHUNKED_DATA@Base 3.1.3
++ htp_connp_REQ_BODY_CHUNKED_DATA_END@Base 3.1.3
++ htp_connp_REQ_BODY_CHUNKED_LENGTH@Base 3.1.3
++ htp_connp_REQ_BODY_DETERMINE@Base 3.1.3
++ htp_connp_REQ_BODY_IDENTITY@Base 3.1.3
++ htp_connp_REQ_CONNECT_CHECK@Base 3.1.3
++ htp_connp_REQ_CONNECT_PROBE_DATA@Base 3.1.3
++ htp_connp_REQ_CONNECT_WAIT_RESPONSE@Base 3.1.3
++ htp_connp_REQ_FINALIZE@Base 3.1.3
++ htp_connp_REQ_HEADERS@Base 3.1.3
++ htp_connp_REQ_IDLE@Base 3.1.3
++ htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9@Base 3.1.3
++ htp_connp_REQ_LINE@Base 3.1.3
++ htp_connp_REQ_LINE_complete@Base 3.1.3
++ htp_connp_REQ_PROTOCOL@Base 3.1.3
++ htp_connp_RES_BODY_CHUNKED_DATA@Base 3.1.3
++ htp_connp_RES_BODY_CHUNKED_DATA_END@Base 3.1.3
++ htp_connp_RES_BODY_CHUNKED_LENGTH@Base 3.1.3
++ htp_connp_RES_BODY_DETERMINE@Base 3.1.3
++ htp_connp_RES_BODY_IDENTITY_CL_KNOWN@Base 3.1.3
++ htp_connp_RES_BODY_IDENTITY_STREAM_CLOSE@Base 3.1.3
++ htp_connp_RES_FINALIZE@Base 3.1.3
++ htp_connp_RES_HEADERS@Base 3.1.3
++ htp_connp_RES_IDLE@Base 3.1.3
++ htp_connp_RES_LINE@Base 3.1.3
++ htp_connp_clear_error@Base 3.1.3
++ htp_connp_close@Base 3.1.3
++ htp_connp_create@Base 3.1.3
++ htp_connp_destroy@Base 3.1.3
++ htp_connp_destroy_all@Base 3.1.3
++ htp_connp_destroy_decompressors@Base 3.1.3
++ htp_connp_get_connection@Base 3.1.3
++ htp_connp_get_in_tx@Base 3.1.3
++ htp_connp_get_last_error@Base 3.1.3
++ htp_connp_get_out_tx@Base 3.1.3
++ htp_connp_get_user_data@Base 3.1.3
++ htp_connp_in_reset@Base 3.1.3
++ htp_connp_in_state_as_string@Base 3.1.3
++ htp_connp_is_line_folded@Base 3.1.3
++ htp_connp_is_line_ignorable@Base 3.1.3
++ htp_connp_is_line_terminator@Base 3.1.3
++ htp_connp_open@Base 3.1.3
++ htp_connp_out_state_as_string@Base 3.1.3
++ htp_connp_req_data@Base 3.1.3
++ htp_connp_req_data_consumed@Base 3.1.3
++ htp_connp_req_receiver_finalize_clear@Base 3.1.3
++ htp_connp_res_data@Base 3.1.3
++ htp_connp_res_data_consumed@Base 3.1.3
++ htp_connp_res_receiver_finalize_clear@Base 3.1.3
++ htp_connp_set_user_data@Base 3.1.3
++ htp_connp_tx_create@Base 3.1.3
++ htp_connp_tx_remove@Base 3.1.3
++ htp_convert_method_to_number@Base 3.1.3
++ htp_decode_path_inplace@Base 3.1.3
++ htp_extract_quoted_string_as_bstr@Base 3.1.3
++ htp_get_version@Base 3.1.3
++ htp_gzip_decompressor_create@Base 3.1.3
++ htp_hook_copy@Base 3.1.3
++ htp_hook_create@Base 3.1.3
++ htp_hook_destroy@Base 3.1.3
++ htp_hook_register@Base 3.1.3
++ htp_hook_run_all@Base 3.1.3
++ htp_hook_run_one@Base 3.1.3
++ htp_is_folding_char@Base 3.1.3
++ htp_is_line_empty@Base 3.1.3
++ htp_is_line_whitespace@Base 3.1.3
++ htp_is_lws@Base 3.1.3
++ htp_is_separator@Base 3.1.3
++ htp_is_space@Base 3.1.3
++ htp_is_text@Base 3.1.3
++ htp_is_token@Base 3.1.3
++ htp_list_array_clear@Base 3.1.3
++ htp_list_array_create@Base 3.1.3
++ htp_list_array_destroy@Base 3.1.3
++ htp_list_array_get@Base 3.1.3
++ htp_list_array_pop@Base 3.1.3
++ htp_list_array_push@Base 3.1.3
++ htp_list_array_replace@Base 3.1.3
++ htp_list_array_shift@Base 3.1.3
++ htp_list_array_size@Base 3.1.3
++ htp_log@Base 3.1.3
++ htp_mpart_part_create@Base 3.1.3
++ htp_mpart_part_destroy@Base 3.1.3
++ htp_mpart_part_finalize_data@Base 3.1.3
++ htp_mpart_part_handle_data@Base 3.1.3
++ htp_mpart_part_parse_c_d@Base 3.1.3
++ htp_mpart_part_process_headers@Base 3.1.3
++ htp_mpartp_create@Base 3.1.3
++ htp_mpartp_destroy@Base 3.1.3
++ htp_mpartp_finalize@Base 3.1.3
++ htp_mpartp_find_boundary@Base 3.1.3
++ htp_mpartp_get_multipart@Base 3.1.3
++ htp_mpartp_parse@Base 3.1.3
++ htp_mpartp_parse_header@Base 3.1.3
++ htp_mpartp_run_request_file_data_hook@Base 3.1.3
++ htp_normalize_hostname_inplace@Base 3.1.3
++ htp_normalize_parsed_uri@Base 3.1.3
++ htp_normalize_uri_path_inplace@Base 3.1.3
++ htp_parse_authorization@Base 3.1.3
++ htp_parse_authorization_basic@Base 3.1.3
++ htp_parse_authorization_digest@Base 3.1.3
++ htp_parse_chunked_length@Base 3.1.3
++ htp_parse_content_length@Base 3.1.3
++ htp_parse_cookies_v0@Base 3.1.3
++ htp_parse_ct_header@Base 3.1.3
++ htp_parse_header_hostport@Base 3.1.3
++ htp_parse_hostport@Base 3.1.3
++ htp_parse_positive_integer_whitespace@Base 3.1.3
++ htp_parse_protocol@Base 3.1.3
++ htp_parse_request_header_generic@Base 3.1.3
++ htp_parse_request_line_apache_2_2@Base 3.1.3
++ htp_parse_request_line_generic@Base 3.1.3
++ htp_parse_request_line_generic_ex@Base 3.1.3
++ htp_parse_response_header_generic@Base 3.1.3
++ htp_parse_response_line_generic@Base 3.1.3
++ htp_parse_single_cookie_v0@Base 3.1.3
++ htp_parse_status@Base 3.1.3
++ htp_parse_uri@Base 3.1.3
++ htp_parse_uri_hostport@Base 3.1.3
++ htp_php_parameter_processor@Base 3.1.3
++ htp_process_request_header_apache_2_2@Base 3.1.3
++ htp_process_request_header_generic@Base 3.1.3
++ htp_process_response_header_generic@Base 3.1.3
++ htp_req_run_hook_body_data@Base 3.1.3
++ htp_res_run_hook_body_data@Base 3.1.3
++ htp_table_add@Base 3.1.3
++ htp_table_addk@Base 3.1.3
++ htp_table_addn@Base 3.1.3
++ htp_table_clear@Base 3.1.3
++ htp_table_clear_ex@Base 3.1.3
++ htp_table_create@Base 3.1.3
++ htp_table_destroy@Base 3.1.3
++ htp_table_destroy_ex@Base 3.1.3
++ htp_table_get@Base 3.1.3
++ htp_table_get_c@Base 3.1.3
++ htp_table_get_index@Base 3.1.3
++ htp_table_get_mem@Base 3.1.3
++ htp_table_size@Base 3.1.3
++ htp_transcode_bstr@Base 3.1.3
++ htp_transcode_params@Base 3.1.3
++ htp_treat_response_line_as_body@Base 3.1.3
++ htp_tx_create@Base 3.1.3
++ htp_tx_destroy@Base 3.1.3
++ htp_tx_destroy_incomplete@Base 3.1.3
++ htp_tx_finalize@Base 3.1.3
++ htp_tx_get_is_config_shared@Base 3.1.3
++ htp_tx_get_user_data@Base 3.1.3
++ htp_tx_is_complete@Base 3.1.3
++ htp_tx_register_request_body_data@Base 3.1.3
++ htp_tx_register_response_body_data@Base 3.1.3
++ htp_tx_req_add_param@Base 3.1.3
++ htp_tx_req_get_param@Base 3.1.3
++ htp_tx_req_get_param_ex@Base 3.1.3
++ htp_tx_req_has_body@Base 3.1.3
++ htp_tx_req_process_body_data@Base 3.1.3
++ htp_tx_req_process_body_data_ex@Base 3.1.3
++ htp_tx_req_set_header@Base 3.1.3
++ htp_tx_req_set_headers_clear@Base 3.1.3
++ htp_tx_req_set_line@Base 3.1.3
++ htp_tx_req_set_method@Base 3.1.3
++ htp_tx_req_set_method_number@Base 3.1.3
++ htp_tx_req_set_parsed_uri@Base 3.1.3
++ htp_tx_req_set_protocol@Base 3.1.3
++ htp_tx_req_set_protocol_0_9@Base 3.1.3
++ htp_tx_req_set_protocol_number@Base 3.1.3
++ htp_tx_req_set_uri@Base 3.1.3
++ htp_tx_request_progress_as_string@Base 3.1.3
++ htp_tx_res_process_body_data@Base 3.1.3
++ htp_tx_res_process_body_data_ex@Base 3.1.3
++ htp_tx_res_set_header@Base 3.1.3
++ htp_tx_res_set_headers_clear@Base 3.1.3
++ htp_tx_res_set_protocol_number@Base 3.1.3
++ htp_tx_res_set_status_code@Base 3.1.3
++ htp_tx_res_set_status_line@Base 3.1.3
++ htp_tx_res_set_status_message@Base 3.1.3
++ htp_tx_response_progress_as_string@Base 3.1.3
++ htp_tx_set_config@Base 3.1.3
++ htp_tx_set_user_data@Base 3.1.3
++ htp_tx_state_request_complete@Base 3.1.3
++ htp_tx_state_request_complete_partial@Base 3.1.3
++ htp_tx_state_request_headers@Base 3.1.3
++ htp_tx_state_request_line@Base 3.1.3
++ htp_tx_state_request_start@Base 3.1.3
++ htp_tx_state_response_complete@Base 3.1.3
++ htp_tx_state_response_complete_ex@Base 3.1.3
++ htp_tx_state_response_headers@Base 3.1.3
++ htp_tx_state_response_line@Base 3.1.3
++ htp_tx_state_response_start@Base 3.1.3
++ htp_tx_urldecode_params_inplace@Base 3.1.3
++ htp_tx_urldecode_uri_inplace@Base 3.1.3
++ htp_unparse_uri_noencode@Base 3.1.3
++ htp_uri_alloc@Base 3.1.3
++ htp_uri_free@Base 3.1.3
++ htp_urldecode_inplace@Base 3.1.3
++ htp_urldecode_inplace_ex@Base 3.1.3
++ htp_urlenp_create@Base 3.1.3
++ htp_urlenp_destroy@Base 3.1.3
++ htp_urlenp_finalize@Base 3.1.3
++ htp_urlenp_parse_complete@Base 3.1.3
++ htp_urlenp_parse_partial@Base 3.1.3
++ htp_utf8_decode@Base 3.1.3
++ htp_utf8_decode_allow_overlong@Base 3.1.3
++ htp_utf8_decode_path_inplace@Base 3.1.3
++ htp_utf8_validate_path@Base 3.1.3
++ htp_validate_hostname@Base 3.1.3
++ strlcat@Base 3.1.3
++ strlcpy@Base 3.1.3
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++BIN="$(which suricata-oinkmaster-updater)"
++[ ! -x "$BIN" ] && exit 0
++$BIN
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++# Copyright (c) 2016 Arturo Borrero Gonzalez <arturo@debian.org>
++# This file is released under the GPLv2 license.
++#
++# Can obtain a complete copy of the license at: http://www.gnu.org/licenses/gpl-2.0.html
++#
++# Permission is hereby granted, free of charge, to any person obtaining
++# a copy of this software and associated documentation files (the
++# "Software"), to deal in the Software without restriction, including
++# without limitation the rights to use, copy, modify, merge, publish,
++# distribute, sublicense, and/or sell copies of the Software, and to
++# permit persons to whom the Software is furnished to do so, subject to
++# the following conditions:
++#
++# The above copyright notice and this permission notice shall be included
++# in all copies or substantial portions of the Software.
++#
++# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
++# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
++# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
++# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
++# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
++
++#
++# vars
++#
++
++THIS_SCRIPT_NAME=$(basename -- $0)
++OINKMASTER_BIN=$(which oinkmaster)
++SURICATASC_BIN=$(which suricatasc)
++OUTPUT_DIR="/etc/suricata/rules"
++CONFIG_FILE="/etc/suricata/suricata-oinkmaster.conf"
++
++#
++# functions
++#
++
++msg_err()
++{
++ echo "ERROR: ${THIS_SCRIPT_NAME}: $1" >&2
++ exit 1
++}
++
++#
++# main execution
++#
++
++if [ $(id -u) -ne 0 ] ; then
++ msg_err "this script requires root permissions"
++fi
++
++[ ! -x "$OINKMASTER_BIN" ] && exit 0
++[ ! -x "$SURICATASC_BIN" ] && exit 0
++[ ! -r "$CONFIG_FILE" ] && exit 0
++[ ! -d "$OUTPUT_DIR" ] && exit 0
++
++set -e
++$OINKMASTER_BIN -C $CONFIG_FILE -o $OUTPUT_DIR
++$SURICATASC_BIN -c reload-rules
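Review bot: the four guard lines before `set -e` all `exit 0` when oinkmaster, suricatasc, the config file or the rules directory is missing, so a cron run that cannot update the ruleset is indistinguishable from a successful one. Stale rules on a sensor are a detection gap, so write a message to stderr (or exit non-zero) at least for the unreadable `$CONFIG_FILE` and missing `$OUTPUT_DIR` cases. Since this runs as root, also quote the expansions in `$OINKMASTER_BIN -C $CONFIG_FILE -o $OUTPUT_DIR` and in `basename -- $0`.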
--- /dev/null
--- /dev/null
++.\" (C) Copyright 2016-2017 Arturo Borrero Gonzalez <arturo@debian.org>,
++.\"
++.\"
++.TH SURICATA-OINKMASTER-UPDATER 8 "Nov 23, 2017"
++.\" Please adjust this date whenever updating the manpage.
++
++.SH NAME
++suricata-oinkmaster-updater \- Run oinkmaster to update suricata ruleset
++
++.SH SYNOPSIS
++.B suricata-oinkmaster-updater
++
++.SH DESCRIPTION
++This manual page documents briefly the \fBsuricata-oinkmaster-updater\fP
++command.
++.PP
++\fBsuricata-oinkmaster-updater\fP is a shell script that runs
++\fBoinkmaster(1)\fP to update \fBsuricata(8)\fP ruleset.
++The intention is to hook the call to this script from a daily cron job,
++so \fBsuricata(8)\fP rulesets are automagically updated every day.
++
++.SH HOW IT WORKS
++The default Debian configuration will run \fBoinkmaster(1)\fP with the config
++file \fI/etc/suricata/suricata-oinkmaster.conf\fP which is pre-configured to
++download the \fPEmergingThreats\fP open ruleset for \fBsuricata(8)\fP.
++.PP
++When the download is completed, \fBsuricatasc(1)\fP will be called to
++instruct \fBsuricata(8)\fP to reload the ruleset.
++
++.SH CONFIGURATION
++By now, the only way to modify the behaviour of
++\fPsuricata-oinkmaster-updater\fP is to modify the
++\fI/etc/suricata/suricata-oinkmaster.conf\fP file (which is a
++\fBoinkmaster(1)\fP configuration file). Or modify the shell
++script itself.
++.PP
++More options may be added in the future.
++
++.SH SEE ALSO
++\fBsuricata(8)\fP, \fBoinkmaster(1)\fP, \fBsuricatasc(1)\fP
++
++.SH ABOUT
++\fBsuricata-oinkmaster-updater\fP and this manpage were written by
++Arturo Borrero Gonzalez <arturo@debian.org>
++for the Debian GNU/Linux distribution (but it may be used by others).
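Review bot: in HOW IT WORKS and CONFIGURATION, `\fPEmergingThreats\fP` and `\fPsuricata-oinkmaster-updater\fP` open with `\fP` (previous font) instead of `\fB`, so these two names are not set in bold like the other command references on the page. Use `\fB...\fP` as in the rest of the file.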
--- /dev/null
--- /dev/null
++# This is a Debian specific config file for oinkmaster crafted for suricata,
++# you should read oinkmaster documentation to modify this file.
++# This config is loaded by default from the suricata-oinkmaster-updater binary
++# which is called daily from a cronjob by default
++
++skipfile local.rules
++skipfile deleted.rules
++skipfile snort.conf
++use_external_bins = 0
++
++url = https://rules.emergingthreats.net/open/suricata-4.0.0/emerging.rules.tar.gz
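Review bot: the `url` line pins the `suricata-4.0.0` ruleset path while the sources patched in this upload are suricata-6.0.1, so the daily update fetches rules written for an older engine version. Point the URL at the ruleset that matches the packaged version, or add a comment explaining why the 4.0.0 set is intentional.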
--- /dev/null
--- /dev/null
++commit 50e2b973eeec7172991bf8f544ab06fb782b97df
++Author: Victor Julien <victor@inliniac.net>
++Date: Tue Oct 5 14:48:27 2021 +0200
++
++ stream/tcp: handle RST with MD5 or AO header
++
++ Special handling for RST packets if they have an TCP MD5 or AO header option.
++ The options hash can't be validated. The end host might be able to validate
++ it, as it can have a key/password that was communicated out of band.
++
++ The sender could use this to move the TCP state to 'CLOSED', leading to
++ a desync of the TCP session.
++
++ This patch builds on top of
++ 843d0b7a10bb ("stream: support RST getting lost/ignored")
++
++ It flags the receiver as having received an RST and moves the TCP state
++ into the CLOSED state. It then reverts this if the sender continues to
++ send traffic. In this case it sets the following event:
++
++ stream-event:suspected_rst_inject;
++
++ Bug: #4710.
++
++Index: suricata-6.0.1/src/decode-tcp.c
++===================================================================
++--- suricata-6.0.1.orig/src/decode-tcp.c 2025-03-24 23:45:30.172534825 +0100
+++++ suricata-6.0.1/src/decode-tcp.c 2025-03-24 23:45:30.172534825 +0100
++@@ -186,6 +186,26 @@
++ ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
++ }
++ break;
+++ /* RFC 2385 MD5 option */
+++ case TCP_OPT_MD5:
+++ SCLogDebug("MD5 option, len %u", olen);
+++ if (olen != 18) {
+++ ENGINE_SET_INVALID_EVENT(p,TCP_OPT_INVALID_LEN);
+++ } else {
+++ /* we can't validate the option as the key is out of band */
+++ p->tcpvars.md5_option_present = true;
+++ }
+++ break;
+++ /* RFC 5925 AO option */
+++ case TCP_OPT_AO:
+++ SCLogDebug("AU option, len %u", olen);
+++ if (olen < 4) {
+++ ENGINE_SET_INVALID_EVENT(p,TCP_OPT_INVALID_LEN);
+++ } else {
+++ /* we can't validate the option as the key is out of band */
+++ p->tcpvars.ao_option_present = true;
+++ }
+++ break;
++ }
++
++ pkt += olen;
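Review bot: when the length check fails (`olen != 18` for MD5, `olen < 4` for AO) the `md5_option_present` / `ao_option_present` flag stays false, so an RST carrying a malformed MD5 or AO option does not get the special handling added later in this patch; add a short comment saying that this is intended. The debug message under `case TCP_OPT_AO` also reads "AU option" and should say AO.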
++Index: suricata-6.0.1/src/decode-tcp.h
++===================================================================
++--- suricata-6.0.1.orig/src/decode-tcp.h 2025-03-24 23:45:30.172534825 +0100
+++++ suricata-6.0.1/src/decode-tcp.h 2025-03-24 23:45:30.172534825 +0100
++@@ -54,6 +54,8 @@
++ #define TCP_OPT_TFO 0x22 /* TCP Fast Open */
++ #define TCP_OPT_EXP1 0xfd /* Experimental, could be TFO */
++ #define TCP_OPT_EXP2 0xfe /* Experimental, could be TFO */
+++#define TCP_OPT_MD5 0x13 /* 19: RFC 2385 TCP MD5 option */
+++#define TCP_OPT_AO 0x1d /* 29: RFC 5925 TCP AO option */
++
++ #define TCP_OPT_SACKOK_LEN 2
++ #define TCP_OPT_WS_LEN 3
++@@ -153,6 +155,8 @@
++ typedef struct TCPVars_
++ {
++ /* commonly used and needed opts */
+++ bool md5_option_present;
+++ bool ao_option_present;
++ bool ts_set;
++ uint32_t ts_val; /* host-order */
++ uint32_t ts_ecr; /* host-order */
++Index: suricata-6.0.1/src/stream-tcp.c
++===================================================================
++--- suricata-6.0.1.orig/src/stream-tcp.c 2025-03-24 23:45:30.172534825 +0100
+++++ suricata-6.0.1/src/stream-tcp.c 2025-03-24 23:45:30.172534825 +0100
++@@ -4331,6 +4331,9 @@
++ if (ostream->flags & STREAMTCP_STREAM_FLAG_RST_RECV) {
++ if (StreamTcpStateDispatch(tv, p, stt, ssn, &stt->pseudo_queue, ssn->pstate) < 0)
++ return -1;
+++ /* if state is still "closed", it wasn't updated by our dispatch. */
+++ if (ssn->state == TCP_CLOSED)
+++ ssn->state = ssn->pstate;
++ }
++ }
++ return 0;
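Review bot: the commit message says the revert sets `stream-event:suspected_rst_inject`, but the lines added after `StreamTcpStateDispatch()` only restore `ssn->state = ssn->pstate`, and no hunk in this patch raises an event. Raise the event here, or point to where it is set in the comment; without it the state is silently reverted and nothing tells the analyst that an RST was ignored by its sender.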
++@@ -5299,7 +5302,6 @@
++
++ static int StreamTcpValidateRst(TcpSession *ssn, Packet *p)
++ {
++-
++ uint8_t os_policy;
++
++ if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
++@@ -5337,6 +5339,21 @@
++ }
++ }
++
+++ /* RFC 2385 md5 signature header or RFC 5925 TCP AO headerpresent. Since we can't
+++ * validate these (requires key that is set/transfered out of band), we can't know
+++ * if the RST will be accepted or rejected by the end host. We accept it, but keep
+++ * tracking if the sender of it ignores it, which would be a sign of injection. */
+++ if (p->tcpvars.md5_option_present || p->tcpvars.ao_option_present) {
+++ TcpStream *receiver_stream;
+++ if (PKT_IS_TOSERVER(p)) {
+++ receiver_stream = &ssn->server;
+++ } else {
+++ receiver_stream = &ssn->client;
+++ }
+++ SCLogDebug("ssn %p: setting STREAMTCP_STREAM_FLAG_RST_RECV on receiver stream", ssn);
+++ receiver_stream->flags |= STREAMTCP_STREAM_FLAG_RST_RECV;
+++ }
+++
++ if (ssn->flags & STREAMTCP_FLAG_ASYNC) {
++ if (PKT_IS_TOSERVER(p)) {
++ if (SEQ_GEQ(TCP_GET_SEQ(p), ssn->client.next_seq)) {
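Review bot: the new MD5/AO block in `StreamTcpValidateRst()` sets `STREAMTCP_STREAM_FLAG_RST_RECV` on the receiver stream before the `STREAMTCP_FLAG_ASYNC` and sequence-number checks that follow, so the flag appears to be set even for an RST that those later checks go on to reject. Set it only once the RST has passed validation, or state in the comment why flagging first is safe. The comment itself has two typos: "headerpresent" and "transfered".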
--- /dev/null
--- /dev/null
++commit aee1523b4591430ebed1ded0bb95508e6717a335
++Author: Jason Ish <jason.ish@oisf.net>
++Date: Tue May 23 15:17:59 2023 -0600
++
++ datasets: don't allow absolute or paths with directory traversal
++
++ For dataset filenames coming from rules, do not allow filenames that
++ are absolute or contain a directory traversal with "..". This prevents
++ datasets from escaping the define data-directory which may allow a bad
++ rule to overwrite any file that Suricata has permission to write to.
++
++ Add a new configuration option,
++ "datasets.rules.allow-absolute-filenames" to allow absolute filenames
++ in dataset rules. This will be a way to revert back to the pre 6.0.13
++ behavior where save/state rules could use any filename.
++
++ Ticket: #6118
++
++Index: suricata-6.0.1/src/detect-dataset.c
++===================================================================
++--- suricata-6.0.1.orig/src/detect-dataset.c 2025-03-24 23:48:36.956508994 +0100
+++++ suricata-6.0.1/src/detect-dataset.c 2025-03-24 23:48:36.956508994 +0100
++@@ -307,8 +307,20 @@
++ {
++ SCLogDebug("save %s", save);
++
++- if (PathIsAbsolute(save)) {
++- return 0;
+++ int allow_absolute = 0;
+++ (void)ConfGetBool("datasets.rules.allow-absolute-filenames", &allow_absolute);
+++ if (allow_absolute) {
+++ SCLogNotice("Allowing absolute filename for dataset rule: %s", save);
+++ } else {
+++ if (PathIsAbsolute(save)) {
+++ SCLogError(SC_ERR_INVALID_ARGUMENT, "Absolute paths not allowed: %s", save);
+++ return -1;
+++ }
+++
+++ if (SCPathContainsTraversal(save)) {
+++ SCLogError(SC_ERR_INVALID_ARGUMENT, "Directory traversals not allowed: %s", save);
+++ return -1;
+++ }
++ }
++
++ // data dir
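Review bot: with `datasets.rules.allow-absolute-filenames` enabled the whole `else` branch is skipped, so `SCPathContainsTraversal(save)` is bypassed together with `PathIsAbsolute(save)`, while the option name and the commit message mention only absolute filenames. Either keep the traversal check independent of the option or rename/document the option so it is clear that it re-opens both cases. The absolute-path case also changes from `return 0` to `return -1`; confirm that every caller treats -1 as a rule load failure.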
++Index: suricata-6.0.1/src/util-path.c
++===================================================================
++--- suricata-6.0.1.orig/src/util-path.c 2025-03-24 23:48:36.956508994 +0100
+++++ suricata-6.0.1/src/util-path.c 2025-03-24 23:48:36.956508994 +0100
++@@ -247,3 +247,20 @@
++
++ return final + 1;
++ }
+++
+++/**
+++ * \brief Check for directory traversal
+++ *
+++ * \param path The path string to check for traversal
+++ *
+++ * \retval true if directory traversal is found, otherwise false
+++ */
+++bool SCPathContainsTraversal(const char *path)
+++{
+++#ifdef OS_WIN32
+++ const char *pattern = "..\\";
+++#else
+++ const char *pattern = "../";
+++#endif
+++ return strstr(path, pattern) != NULL;
+++}
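Review bot: `SCPathContainsTraversal()` is a substring test for `"../"` (or `"..\\"` under `OS_WIN32`), which misses a path that ends in a bare `..` component such as `foo/..`, rejects harmless names such as `a../b`, and on Windows does not look for forward-slash separators at all. Splitting the path on the separator characters and rejecting any component that equals `..` would make the check exact; a few unit tests for these cases belong with the function.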
++Index: suricata-6.0.1/src/util-path.h
++===================================================================
++--- suricata-6.0.1.orig/src/util-path.h 2025-03-24 23:48:36.956508994 +0100
+++++ suricata-6.0.1/src/util-path.h 2025-03-24 23:48:36.956508994 +0100
++@@ -41,5 +41,6 @@
++ bool SCIsRegularFile(const struct dirent *const dir_entry);
++ char *SCRealPath(const char *path, char *resolved_path);
++ const char *SCBasename(const char *path);
+++bool SCPathContainsTraversal(const char *path);
++
++ #endif /* __UTIL_PATH_H__ */
++Index: suricata-6.0.1/suricata.yaml.in
++===================================================================
++--- suricata-6.0.1.orig/suricata.yaml.in 2025-03-24 23:48:36.956508994 +0100
+++++ suricata-6.0.1/suricata.yaml.in 2025-03-24 23:48:36.956508994 +0100
++@@ -976,6 +976,12 @@
++ # defaults:
++ # memcap: 100mb
++ # hashsize: 2048
+++#
+++# rules:
+++# # Set to true to allow absolute filenames and filenames that use
+++# # ".." components to reference parent directories in rules that specify
+++# # their filenames.
+++# #allow-absolute-filenames: false
++
++ ##############################################################################
++ ##
--- /dev/null
--- /dev/null
++commit 735f5aa9ca3b28cfacc7a443f93a44387fbacf17
++Author: Jason Ish <jason.ish@oisf.net>
++Date: Tue Jun 6 16:04:56 2023 -0600
++
++ datasets: flag to disable "write" actions
++
++ Add a new configuration flag, "datasets.rules.allow-write" to control
++ if rules can contain "save" or "state" rules which allow write access
++ to the file system.
++
++ Ticket: #6123
++
++Index: suricata-6.0.1/src/detect-dataset.c
++===================================================================
++--- suricata-6.0.1.orig/src/detect-dataset.c 2025-03-24 23:48:43.376508135 +0100
+++++ suricata-6.0.1/src/detect-dataset.c 2025-03-24 23:48:43.376508135 +0100
++@@ -307,6 +307,15 @@
++ {
++ SCLogDebug("save %s", save);
++
+++ int allow_save = 1;
+++ if (ConfGetBool("datasets.rules.allow-write", &allow_save)) {
+++ if (!allow_save) {
+++ SCLogError(SC_ERR_INVALID_SIGNATURE,
+++ "Rules containing save/state datasets have been disabled");
+++ return -1;
+++ }
+++ }
+++
++ int allow_absolute = 0;
++ (void)ConfGetBool("datasets.rules.allow-absolute-filenames", &allow_absolute);
++ if (allow_absolute) {
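Review bot: `allow_save` is initialised to 1, so rule-driven "save"/"state" writes stay enabled unless the administrator explicitly sets `datasets.rules.allow-write` to false; say so in a comment next to the declaration, since a reader of a security fix will expect the restrictive default. The nested `if (ConfGetBool(...)) { if (!allow_save)` can be flattened to the `(void)ConfGetBool(...)` form used for `allow_absolute` two lines below.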
++Index: suricata-6.0.1/suricata.yaml.in
++===================================================================
++--- suricata-6.0.1.orig/suricata.yaml.in 2025-03-24 23:48:43.376508135 +0100
+++++ suricata-6.0.1/suricata.yaml.in 2025-03-24 23:48:43.376508135 +0100
++@@ -982,6 +982,11 @@
++ # # ".." components to reference parent directories in rules that specify
++ # # their filenames.
++ # #allow-absolute-filenames: false
+++#
+++# # Allow datasets in rules write access for "save" and
+++# # "state". This is enabled by default, however write access is
+++# # limited to the data directory.
+++# #allow-write: true
++
++ ##############################################################################
++ ##
--- /dev/null
--- /dev/null
++commit 08d93f7c3762781b743f88f9fdc4389eb9c3eb64
++Author: Philippe Antoine <pantoine@oisf.net>
++Date: Wed Mar 27 14:33:54 2024 +0100
++
++ http2: use a reference counter for headers
++
++ Ticket: 6892
++
++ As HTTP hpack header compression allows one single byte to
++ express a previously seen arbitrary-size header block (name+value)
++ we should avoid to copy the vectors data, but just point
++ to the same data, while reamining memory safe, even in the case
++ of later headers eviction from the dybnamic table.
++
++ Rust std solution is Rc, and the use of clone, so long as the
++ data is accessed by only one thread.
++
++ (cherry picked from commit 390f09692eb99809c679d3f350c7cc185d163e1a)
++
++Index: suricata-6.0.1/rust/src/http2/detect.rs
++===================================================================
++--- suricata-6.0.1.orig/rust/src/http2/detect.rs 2025-03-25 16:24:31.631773847 +0100
+++++ suricata-6.0.1/rust/src/http2/detect.rs 2025-03-25 16:24:31.631773847 +0100
++@@ -23,6 +23,7 @@
++ use std::ffi::CStr;
++ use std::mem::transmute;
++ use std::str::FromStr;
+++use std::rc::Rc;
++
++ fn http2_tx_has_frametype(
++ tx: &mut HTTP2Transaction, direction: u8, value: u8,
++@@ -557,8 +558,8 @@
++ };
++ let mut blocks = Vec::new();
++ let b = parser::HTTP2FrameHeaderBlock {
++- name: name.to_vec(),
++- value: input.to_vec(),
+++ name: Rc::new(name.to_vec()),
+++ value: Rc::new(input.to_vec()),
++ error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess,
++ sizeupdate: 0,
++ };
++Index: suricata-6.0.1/rust/src/http2/parser.rs
++===================================================================
++--- suricata-6.0.1.orig/rust/src/http2/parser.rs 2025-03-25 16:24:31.631773847 +0100
+++++ suricata-6.0.1/rust/src/http2/parser.rs 2025-03-25 16:24:31.631773847 +0100
++@@ -25,6 +25,7 @@
++ use nom::IResult;
++ use std::fmt;
++ use std::str::FromStr;
+++use std::rc::Rc;
++
++ #[repr(u8)]
++ #[derive(Clone, Copy, PartialEq, FromPrimitive, Debug)]
++@@ -281,8 +282,8 @@
++ };
++ if name.len() > 0 {
++ return Some(HTTP2FrameHeaderBlock {
++- name: name.as_bytes().to_vec(),
++- value: value.as_bytes().to_vec(),
+++ name: Rc::new(name.as_bytes().to_vec()),
+++ value: Rc::new(value.as_bytes().to_vec()),
++ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess,
++ sizeupdate: 0,
++ });
++@@ -290,23 +291,23 @@
++ //use dynamic table
++ if n == 0 {
++ return Some(HTTP2FrameHeaderBlock {
++- name: Vec::new(),
++- value: Vec::new(),
+++ name: Rc::new(Vec::new()),
+++ value: Rc::new(Vec::new()),
++ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIndex0,
++ sizeupdate: 0,
++ });
++ } else if dyn_headers.table.len() + HTTP2_STATIC_HEADERS_NUMBER < n as usize {
++ return Some(HTTP2FrameHeaderBlock {
++- name: Vec::new(),
++- value: Vec::new(),
+++ name: Rc::new(Vec::new()),
+++ value: Rc::new(Vec::new()),
++ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeNotIndexed,
++ sizeupdate: 0,
++ });
++ } else {
++ let indyn = dyn_headers.table.len() - (n as usize - HTTP2_STATIC_HEADERS_NUMBER);
++ let headcopy = HTTP2FrameHeaderBlock {
++- name: dyn_headers.table[indyn].name.to_vec(),
++- value: dyn_headers.table[indyn].value.to_vec(),
+++ name: dyn_headers.table[indyn].name.clone(),
+++ value: dyn_headers.table[indyn].value.clone(),
++ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess,
++ sizeupdate: 0,
++ };
++@@ -334,8 +335,10 @@
++
++ #[derive(Clone, Debug)]
++ pub struct HTTP2FrameHeaderBlock {
++- pub name: Vec<u8>,
++- pub value: Vec<u8>,
+++ // Use Rc reference counted so that indexed headers do not get copied.
+++ // Otherwise, this leads to quadratic complexity in memory occupation.
+++ pub name: Rc<Vec<u8>>,
+++ pub value: Rc<Vec<u8>>,
++ pub error: HTTP2HeaderDecodeStatus,
++ pub sizeupdate: u64,
++ }
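Review bot: `Rc` is neither `Send` nor `Sync`, and the commit message relies on the data being accessed by only one thread, but the new comment on `name` and `value` in `HTTP2FrameHeaderBlock` gives only the memory motivation. Add the single-thread assumption to that comment so a later change that moves header blocks across threads knows it has to switch to `Arc`.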
++@@ -386,7 +389,7 @@
++ ) -> IResult<&'a [u8], HTTP2FrameHeaderBlock> {
++ let (i3, name, error) = if index == 0 {
++ match http2_parse_headers_block_string(input) {
++- Ok((r, n)) => Ok((r, n, HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)),
+++ Ok((r, n)) => Ok((r, Rc::new(n), HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)),
++ Err(e) => Err(e),
++ }
++ } else {
++@@ -398,7 +401,7 @@
++ )),
++ None => Ok((
++ input,
++- Vec::new(),
+++ Rc::new(Vec::new()),
++ HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeNotIndexed,
++ )),
++ }
++@@ -408,7 +411,7 @@
++ i4,
++ HTTP2FrameHeaderBlock {
++ name,
++- value,
+++ value: Rc::new(value),
++ error,
++ sizeupdate: 0,
++ },
++@@ -436,8 +439,8 @@
++ match r {
++ Ok((r, head)) => {
++ let headcopy = HTTP2FrameHeaderBlock {
++- name: head.name.to_vec(),
++- value: head.value.to_vec(),
+++ name: head.name.clone(),
+++ value: head.value.clone(),
++ error: head.error,
++ sizeupdate: 0,
++ };
++@@ -554,8 +557,8 @@
++ return Ok((
++ i3,
++ HTTP2FrameHeaderBlock {
++- name: Vec::new(),
++- value: Vec::new(),
+++ name: Vec::new().into(),
+++ value: Vec::new().into(),
++ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIntegerOverflow,
++ sizeupdate: 0,
++ },
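Review bot: this `HTTP2HeaderDecodeIntegerOverflow` return builds the empty fields with `Vec::new().into()`, while the other empty-header returns in parser.rs use `Rc::new(Vec::new())`. Pick one form for the whole file so a search for `Rc::new` finds every construction site.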
++@@ -573,8 +576,8 @@
++ return Ok((
++ i3,
++ HTTP2FrameHeaderBlock {
++- name: Vec::new(),
++- value: Vec::new(),
+++ name: Rc::new(Vec::new()),
+++ value: Rc::new(Vec::new()),
++ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate,
++ sizeupdate: maxsize2,
++ },
++@@ -928,8 +931,8 @@
++ match r0 {
++ Ok((remainder, hd)) => {
++ // Check the first message.
++- assert_eq!(hd.name, ":method".as_bytes().to_vec());
++- assert_eq!(hd.value, "GET".as_bytes().to_vec());
+++ assert_eq!(hd.name, ":method".as_bytes().to_vec().into());
+++ assert_eq!(hd.value, "GET".as_bytes().to_vec().into());
++ // And we should have no bytes left.
++ assert_eq!(remainder.len(), 0);
++ }
++@@ -945,8 +948,8 @@
++ match r1 {
++ Ok((remainder, hd)) => {
++ // Check the first message.
++- assert_eq!(hd.name, "accept".as_bytes().to_vec());
++- assert_eq!(hd.value, "*/*".as_bytes().to_vec());
+++ assert_eq!(hd.name, "accept".as_bytes().to_vec().into());
+++ assert_eq!(hd.value, "*/*".as_bytes().to_vec().into());
++ // And we should have no bytes left.
++ assert_eq!(remainder.len(), 0);
++ assert_eq!(dynh.table.len(), 1);
++@@ -965,8 +968,8 @@
++ match result {
++ Ok((remainder, hd)) => {
++ // Check the first message.
++- assert_eq!(hd.name, ":authority".as_bytes().to_vec());
++- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec());
+++ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into());
+++ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into());
++ // And we should have no bytes left.
++ assert_eq!(remainder.len(), 0);
++ assert_eq!(dynh.table.len(), 2);
++@@ -983,8 +986,8 @@
++ match r3 {
++ Ok((remainder, hd)) => {
++ // same as before
++- assert_eq!(hd.name, ":authority".as_bytes().to_vec());
++- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec());
+++ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into());
+++ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into());
++ // And we should have no bytes left.
++ assert_eq!(remainder.len(), 0);
++ assert_eq!(dynh.table.len(), 2);
++@@ -1019,8 +1022,8 @@
++ match r2 {
++ Ok((remainder, hd)) => {
++ // Check the first message.
++- assert_eq!(hd.name, ":path".as_bytes().to_vec());
++- assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec());
+++ assert_eq!(hd.name, ":path".as_bytes().to_vec().into());
+++ assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec().into());
++ // And we should have no bytes left.
++ assert_eq!(remainder.len(), 0);
++ assert_eq!(dynh.table.len(), 2);
--- /dev/null
--- /dev/null
++commit d24b37a103c04bb2667e449e080ba4c8e56bb019
++Author: Philippe Antoine <pantoine@oisf.net>
++Date: Thu Mar 28 11:15:51 2024 +0100
++
++ http2: do not log duplicate headers
++
++ Ticket: 6900
++
++ And thus avoid DOS by logging a request using a compressed
++ header block repeated many times and having a long value...
++
++ (cherry picked from commit 03442c9071b8d863d26b609d54c6eacf4de9e340)
++
++Index: suricata-6.0.1/rust/src/http2/logger.rs
++===================================================================
++--- suricata-6.0.1.orig/rust/src/http2/logger.rs 2025-03-25 15:28:30.810326590 +0100
+++++ suricata-6.0.1/rust/src/http2/logger.rs 2025-03-25 15:28:30.806326588 +0100
++@@ -19,7 +19,8 @@
++ use super::parser;
++ use crate::jsonbuilder::{JsonBuilder, JsonError};
++ use std;
++-use std::collections::HashMap;
+++use std::collections::{HashMap, HashSet};
+++use std::rc::Rc;
++
++ #[derive(Hash, PartialEq, Eq)]
++ enum HeaderName {
++@@ -35,10 +36,20 @@
++ blocks: &'a Vec<parser::HTTP2FrameHeaderBlock>, js: &mut JsonBuilder,
++ common: &mut HashMap<HeaderName, &'a Vec<u8>>,
++ ) -> Result<(), JsonError> {
+++ let mut logged_headers = HashSet::new();
++ for j in 0..blocks.len() {
++- js.start_object()?;
+++ // delay js.start_object() because we skip suplicate headers
++ match blocks[j].error {
++ parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess => {
+++ if Rc::strong_count(&blocks[j].name) > 2 {
+++ // more than one reference in headers table + current headers
+++ let ptr = Rc::as_ptr(&blocks[j].name) as usize;
+++ if !logged_headers.insert(ptr) {
+++ // only log once
+++ continue;
+++ }
+++ }
+++ js.start_object()?;
++ js.set_string_from_bytes("name", &blocks[j].name)?;
++ js.set_string_from_bytes("value", &blocks[j].value)?;
++ if let Ok(name) = std::str::from_utf8(&blocks[j].name) {
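Review bot: the duplicate check keys `logged_headers` on `Rc::as_ptr(&blocks[j].name)` alone, so two blocks that share a name allocation but carry different values would be collapsed into a single logged entry; key on the (name, value) pointer pair unless sharing the name always implies sharing the value, and say which in the comment. The threshold `Rc::strong_count(&blocks[j].name) > 2` depends on an exact count of holders, which deserves a named constant or a fuller explanation than "headers table + current headers". Because repeated headers are now dropped from the log, consider recording that duplicates were suppressed so the log still reflects what was on the wire. Typo in the new comment: "suplicate".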
++@@ -66,9 +77,11 @@
++ }
++ }
++ parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate => {
+++ js.start_object()?;
++ js.set_uint("table_size_update", blocks[j].sizeupdate)?;
++ }
++ _ => {
+++ js.start_object()?;
++ js.set_string("error", &blocks[j].error.to_string())?;
++ }
++ }
--- /dev/null
--- /dev/null
++commit 9d5c4273cb7e5ca65f195f7361f0d848c85180e0
++Author: Victor Julien <vjulien@oisf.net>
++Date: Tue Jun 4 14:43:22 2024 +0200
++
++ defrag: don't use completed tracker
++
++ When a Tracker is set up for a IPID, frags come in for it and it's
++ reassembled and complete, the `DefragTracker::remove` flag is set. This
++ is mean to tell the hash cleanup code to recyle the tracker and to let
++ the lookup code skip the tracker during lookup.
++
++ A logic error lead to the following scenario:
++
++ 1. there are sufficient frag trackers to make sure the hash table is
++ filled with trackers
++ 2. frags for a Packet with IPID X are processed correctly (X1)
++ 3. frags for a new Packet that also has IPID X come in quickly after the
++ first (X2).
++ 4. during the lookup, the frag for X2 hashes to a hash row that holds
++ more than one tracker
++ 5. as the trackers in hash row are evaluated, it finds the tracker for
++ X1, but since the `remove` bit is not checked, it is returned as the
++ tracker for X2.
++ 6. reassembly fails, as the tracker is already complete
++
++ The logic error is that only for the first tracker in a row the `remove`
++ bit was checked, leading to reuse to a closed tracker if there were more
++ trackers in the hash row.
++
++ Ticket: #7042.
++
++Index: suricata-6.0.1/src/defrag-hash.c
++===================================================================
++--- suricata-6.0.1.orig/src/defrag-hash.c 2025-03-25 15:43:04.942709598 +0100
+++++ suricata-6.0.1/src/defrag-hash.c 2025-03-25 15:43:04.938709595 +0100
++@@ -582,7 +582,7 @@
++ return dt;
++ }
++
++- if (DefragTrackerCompare(dt, p) != 0) {
+++ if (!dt->remove && DefragTrackerCompare(dt, p) != 0) {
++ /* we found our tracker, lets put it on top of the
++ * hash list -- this rewards active trackers */
++ if (dt->hnext) {
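Review bot: the added `!dt->remove` guard carries no comment, and the comment below it still says only "we found our tracker". Note at this line that completed trackers are skipped so that a reused IPID gets a fresh tracker, and add a regression test for the two-packets-same-IPID scenario laid out in the commit message, since the patch changes defrag-hash.c only.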
--- /dev/null
--- /dev/null
++commit 9203656496c4081260817cce018a0d8fd57869b5
++Author: Philippe Antoine <pantoine@oisf.net>
++Date: Mon Jul 15 09:52:00 2024 +0200
++
++ defrag: fix off by one
++
++ Ticket: 7067
++
++ This off by one could lead to an empty fragment being inserted
++ in the rb tree, which led to integer underflow
++
++Index: suricata-6.0.1/src/defrag.c
++===================================================================
++--- suricata-6.0.1.orig/src/defrag.c 2025-03-25 15:56:11.975020710 +0100
+++++ suricata-6.0.1/src/defrag.c 2025-03-25 15:56:11.971020707 +0100
++@@ -850,7 +850,7 @@
++ }
++ }
++
++- if (ltrim > data_len) {
+++ if (ltrim >= data_len) {
++ /* Full packet has been trimmed due to the overlap policy. Overlap
++ * already set. */
++ goto done;
--- /dev/null
--- /dev/null
++commit 470795e65ba77cffba3aed850313a5f23c4b278d
++Author: Philippe Antoine <pantoine@oisf.net>
++Date: Mon Nov 4 17:09:32 2024 +0100
++
++ suricata/bpf: fix -Wshorten-64-to-32 warning
++
++ Ticket: 7366
++ Ticket: 6186
++ (cherry picked from commit dd71ef0af222a566e54dfc479dd1951dd17d7ceb)
++
++Index: suricata-6.0.1/src/suricata.c
++===================================================================
++--- suricata-6.0.1.orig/src/suricata.c 2025-03-30 13:19:17.638729314 +0200
+++++ suricata-6.0.1/src/suricata.c 2025-03-30 13:20:03.386688425 +0200
++@@ -458,7 +458,7 @@
++ char *bpf_filter = NULL;
++ char *bpf_comment_tmp = NULL;
++ char *bpf_comment_start = NULL;
++- uint32_t bpf_len = 0;
+++ size_t bpf_len = 0;
++ #ifdef OS_WIN32
++ struct _stat st;
++ #else
++@@ -481,7 +481,8 @@
++ SCLogError(SC_ERR_FOPEN, "Failed to stat file %s", filename);
++ exit(EXIT_FAILURE);
++ }
++- bpf_len = st.st_size + 1;
+++ // st.st_size is signed on Windows
+++ bpf_len = ((size_t)(st.st_size)) + 1;
++
++ // coverity[toctou : FALSE]
++ fp = fopen(filename,"r");
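Review bot: `bpf_len = ((size_t)(st.st_size)) + 1` casts a signed `st_size` without rejecting a negative value and puts no upper bound on the filter file size, so widening to `size_t` removes the 32-bit truncation but leaves the length entirely determined by the file. Check `st.st_size < 0` and enforce a sane maximum for a BPF filter file before computing `bpf_len`, and fail with the same `SCLogError` / `exit(EXIT_FAILURE)` pattern used for the stat error above.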
--- /dev/null
--- /dev/null
++commit 2f432c99a9734ea3a75c9218f35060e11a7a39ad
++Author: Victor Julien <vjulien@oisf.net>
++Date: Tue Mar 18 10:55:39 2025 +0100
++
++ datasets: improve default hashsize handling
++
++ Make hashsize default local to dataset code, instead of relying on the
++ thash code.
++
++ Use the same default value as before.
++
++ (cherry picked from commit d32a39ca4b53d7f659f4f0a2a5c162ef97dc4797)
++
++diff --git a/src/datasets.c b/src/datasets.c
++index c7c906b62..9b098c298 100644
++--- a/src/datasets.c
+++++ b/src/datasets.c
++@@ -677,6 +677,11 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
++ }
++ }
++
+++ GetDefaultMemcap(&default_memcap, &default_hashsize);
+++ if (hashsize == 0) {
+++ hashsize = default_hashsize;
+++ }
+++
++ set = DatasetAlloc(name);
++ if (set == NULL) {
++ goto out_err;
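Review bot: `hashsize` is now defaulted once, right after `GetDefaultMemcap()`, but `memcap` is still resolved with `memcap > 0 ? memcap : default_memcap` at every `THashInit()` call in the hunks that follow. Default `memcap` in the same place so both parameters are handled the same way and the call sites carry no fallback logic.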
++@@ -696,12 +701,11 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
++ char cnf_name[128];
++ snprintf(cnf_name, sizeof(cnf_name), "datasets.%s.hash", name);
++
++- GetDefaultMemcap(&default_memcap, &default_hashsize);
++ switch (type) {
++ case DATASET_TYPE_MD5:
++ set->hash = THashInit(cnf_name, sizeof(Md5Type), Md5StrSet, Md5StrFree, Md5StrHash,
++ Md5StrCompare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap,
++- hashsize > 0 ? hashsize : default_hashsize);
+++ hashsize);
++ if (set->hash == NULL)
++ goto out_err;
++ if (DatasetLoadMd5(set) < 0)
++@@ -710,7 +714,7 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
++ case DATASET_TYPE_STRING:
++ set->hash = THashInit(cnf_name, sizeof(StringType), StringSet, StringFree, StringHash,
++ StringCompare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap,
++- hashsize > 0 ? hashsize : default_hashsize);
+++ hashsize);
++ if (set->hash == NULL)
++ goto out_err;
++ if (DatasetLoadString(set) < 0)
++@@ -719,26 +723,25 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
++ case DATASET_TYPE_SHA256:
++ set->hash = THashInit(cnf_name, sizeof(Sha256Type), Sha256StrSet, Sha256StrFree,
++ Sha256StrHash, Sha256StrCompare, load != NULL ? 1 : 0,
++- memcap > 0 ? memcap : default_memcap,
++- hashsize > 0 ? hashsize : default_hashsize);
+++ memcap > 0 ? memcap : default_memcap, hashsize);
++ if (set->hash == NULL)
++ goto out_err;
++ if (DatasetLoadSha256(set) < 0)
++ goto out_err;
++ break;
++ case DATASET_TYPE_IPV4:
++- set->hash = THashInit(cnf_name, sizeof(IPv4Type), IPv4Set, IPv4Free, IPv4Hash,
++- IPv4Compare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap,
++- hashsize > 0 ? hashsize : default_hashsize);
+++ set->hash =
+++ THashInit(cnf_name, sizeof(IPv4Type), IPv4Set, IPv4Free, IPv4Hash, IPv4Compare,
+++ load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, hashsize);
++ if (set->hash == NULL)
++ goto out_err;
++ if (DatasetLoadIPv4(set) < 0)
++ goto out_err;
++ break;
++ case DATASET_TYPE_IPV6:
++- set->hash = THashInit(cnf_name, sizeof(IPv6Type), IPv6Set, IPv6Free, IPv6Hash,
++- IPv6Compare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap,
++- hashsize > 0 ? hashsize : default_hashsize);
+++ set->hash =
+++ THashInit(cnf_name, sizeof(IPv6Type), IPv6Set, IPv6Free, IPv6Hash, IPv6Compare,
+++ load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, hashsize);
++ if (set->hash == NULL)
++ goto out_err;
++ if (DatasetLoadIPv6(set) < 0)
++@@ -830,6 +833,10 @@ void DatasetPostReloadCleanup(void)
++ SCMutexUnlock(&sets_lock);
++ }
++
+++/* Value reflects THASH_DEFAULT_HASHSIZE which is what the default was earlier,
+++ * despite 2048 commented out in the default yaml. */
+++#define DATASETS_HASHSIZE_DEFAULT 4096
+++
++ static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize)
++ {
++ const char *str = NULL;
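Review bot: the comment above `#define DATASETS_HASHSIZE_DEFAULT 4096` records that the default yaml shows 2048 while the effective default is 4096, yet the change leaves that mismatch in place. Suggest updating the commented-out `hashsize` in the default yaml to 4096 in the same commit, so the shipped configuration documents the value the code actually uses.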
++@@ -841,12 +848,14 @@ static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize)
++ *memcap = 0;
++ }
++ }
+++
+++ *hashsize = (uint32_t)DATASETS_HASHSIZE_DEFAULT;
++ if (ConfGet("datasets.defaults.hashsize", &str) == 1) {
++ if (ParseSizeStringU32(str, hashsize) < 0) {
+++ *hashsize = (uint32_t)DATASETS_HASHSIZE_DEFAULT;
++ SCLogWarning("hashsize value cannot be deduced: %s,"
++- " resetting to default",
++- str);
++- *hashsize = 0;
+++ " resetting to default: %u",
+++ str, *hashsize);
++ }
++ }
++ }
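Review bot: in GetDefaultMemcap(), a `datasets.defaults.hashsize` value that parses successfully as 0 still leaves `*hashsize` at 0, because DATASETS_HASHSIZE_DEFAULT is only restored when ParseSizeStringU32() fails. DatasetGet() then executes `hashsize = default_hashsize;` with a zero default and hands 0 to THashInit(). Suggest treating a parsed 0 like a parse failure (warn and reset to the default), so the dataset code really owns the default as the commit message intends.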
--- /dev/null
--- /dev/null
++commit e28c8c655a324a18932655a2c2b8f0d5aa1c55d7
++Author: Philippe Antoine <pantoine@oisf.net>
++Date: Tue Mar 18 10:55:39 2025 +0100
++
++ detect: add configurable limits for datasets
++
++ Ticket: 7615
++
++ Avoids signatures setting extreme hash sizes, which would lead to very
++ high memory use.
++
++ Default to allowing:
++ - 65536 per dataset
++ - 16777216 total
++
++ To override these built-in defaults:
++
++ ```yaml
++ datasets:
++ # Limits for per rule dataset instances to avoid rules using too many
++ # resources.
++ limits:
++ # Max value for per dataset `hashsize` setting
++ #single-hashsize: 65536
++ # Max combined hashsize values for all datasets.
++ #total-hashsizes: 16777216
++ ```
++
++ (cherry picked from commit a7713db709b8a0be5fc5e5809ab58e9b14a16e85)
++
++diff --git a/src/datasets.c b/src/datasets.c
++index 9b098c298..99d66b67d 100644
++--- a/src/datasets.c
+++++ b/src/datasets.c
++@@ -39,11 +39,16 @@
++ #include "util-misc.h"
++ #include "util-path.h"
++ #include "util-debug.h"
+++#include "util-validate.h"
++
++ SCMutex sets_lock = SCMUTEX_INITIALIZER;
++ static Dataset *sets = NULL;
++ static uint32_t set_ids = 0;
++
+++uint32_t dataset_max_one_hashsize = 65536;
+++uint32_t dataset_max_total_hashsize = 16777216;
+++uint32_t dataset_used_hashsize = 0;
+++
++ static int DatasetAddwRep(Dataset *set, const uint8_t *data, const uint32_t data_len,
++ DataRepType *rep);
++
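Review bot: `dataset_max_one_hashsize`, `dataset_max_total_hashsize` and `dataset_used_hashsize` are added with external linkage, while the neighbouring `sets` and `set_ids` are `static` and this diff shows no use of the new variables outside datasets.c. Suggest declaring them `static` as well, and adding a comment stating which lock protects `dataset_used_hashsize`.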
++@@ -629,6 +634,34 @@ Dataset *DatasetFind(const char *name, enum DatasetTypes type)
++ return set;
++ }
++
+++static bool DatasetCheckHashsize(const char *name, uint32_t hash_size)
+++{
+++ if (dataset_max_one_hashsize > 0 && hash_size > dataset_max_one_hashsize) {
+++ SCLogError("hashsize %u in dataset '%s' exceeds configured 'single-hashsize' limit (%u)",
+++ hash_size, name, dataset_max_one_hashsize);
+++ return false;
+++ }
+++ // we cannot underflow as we know from conf loading that
+++ // dataset_max_total_hashsize >= dataset_max_one_hashsize if dataset_max_total_hashsize > 0
+++ if (dataset_max_total_hashsize > 0 &&
+++ dataset_max_total_hashsize - hash_size < dataset_used_hashsize) {
+++ SCLogError("hashsize %u in dataset '%s' exceeds configured 'total-hashsizes' limit (%u, in "
+++ "use %u)",
+++ hash_size, name, dataset_max_total_hashsize, dataset_used_hashsize);
+++ return false;
+++ }
+++
+++ return true;
+++}
+++
+++static void DatasetUpdateHashsize(const char *name, uint32_t hash_size)
+++{
+++ if (dataset_max_total_hashsize > 0) {
+++ dataset_used_hashsize += hash_size;
+++ SCLogDebug("set %s adding with hash_size %u", name, hash_size);
+++ }
+++}
+++
++ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load,
++ uint64_t memcap, uint32_t hashsize)
++ {
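Review bot: the subtraction `dataset_max_total_hashsize - hash_size` in DatasetCheckHashsize() is only safe because of an invariant established elsewhere, in DatasetsInit(), as the comment itself says. Suggest making the check self-contained, for example by rejecting `hash_size > dataset_max_total_hashsize` first and only then comparing `dataset_used_hashsize` with the difference, so a later change to the configuration loading cannot turn this into an unsigned wraparound that lets an oversized dataset through.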
++@@ -682,6 +715,10 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
++ hashsize = default_hashsize;
++ }
++
+++ if (!DatasetCheckHashsize(name, hashsize)) {
+++ goto out_err;
+++ }
+++
++ set = DatasetAlloc(name);
++ if (set == NULL) {
++ goto out_err;
++@@ -760,6 +797,10 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
++ set->next = sets;
++ sets = set;
++
+++ /* hash size accounting */
+++ DEBUG_VALIDATE_BUG_ON(set->hash->config.hash_size != hashsize);
+++ DatasetUpdateHashsize(set->name, set->hash->config.hash_size);
+++
++ SCMutexUnlock(&sets_lock);
++ return set;
++ out_err:
++@@ -801,6 +842,9 @@ void DatasetReload(void)
++ continue;
++ }
++ set->hidden = true;
+++ if (dataset_max_total_hashsize > 0) {
+++ dataset_used_hashsize -= set->hash->config.hash_size;
+++ }
++ SCLogDebug("Set %s at %p hidden successfully", set->name, set);
++ set = set->next;
++ }
++@@ -868,6 +912,27 @@ int DatasetsInit(void)
++ uint32_t default_hashsize = 0;
++ GetDefaultMemcap(&default_memcap, &default_hashsize);
++ if (datasets != NULL) {
+++ const char *str = NULL;
+++ if (ConfGet("datasets.limits.total-hashsizes", &str) == 1) {
+++ if (ParseSizeStringU32(str, &dataset_max_total_hashsize) < 0) {
+++ FatalError("failed to parse datasets.limits.total-hashsizes value: %s", str);
+++ }
+++ }
+++ if (ConfGet("datasets.limits.single-hashsize", &str) == 1) {
+++ if (ParseSizeStringU32(str, &dataset_max_one_hashsize) < 0) {
+++ FatalError("failed to parse datasets.limits.single-hashsize value: %s", str);
+++ }
+++ }
+++ if (dataset_max_total_hashsize > 0 &&
+++ dataset_max_total_hashsize < dataset_max_one_hashsize) {
+++ FatalError("total-hashsizes (%u) cannot be smaller than single-hashsize (%u)",
+++ dataset_max_total_hashsize, dataset_max_one_hashsize);
+++ }
+++ if (dataset_max_total_hashsize > 0 && dataset_max_one_hashsize == 0) {
+++ // the total limit also applies for single limit
+++ dataset_max_one_hashsize = dataset_max_total_hashsize;
+++ }
+++
++ int list_pos = 0;
++ ConfNode *iter = NULL;
++ TAILQ_FOREACH(iter, &datasets->head, next) {
++diff --git a/src/tests/fuzz/confyaml.c b/src/tests/fuzz/confyaml.c
++index 194552859..05995ea56 100644
++--- a/src/tests/fuzz/confyaml.c
+++++ b/src/tests/fuzz/confyaml.c
++@@ -112,4 +112,8 @@ app-layer:\n\
++ enabled: yes\n\
++ detect:\n\
++ inspection-recursion-limit: 0\n\
+++datasets:\n\
+++ maximums:\n\
+++ single_hashsize: 65536\n\
+++ total_hashsizes: 16777216\n\
++ ";
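Review bot: the keys added to the fuzz configuration (`maximums:`, `single_hashsize`, `total_hashsizes`) do not match the names DatasetsInit() reads in this same commit, `datasets.limits.single-hashsize` and `datasets.limits.total-hashsizes`, so these lines are never consulted and the fuzz target runs with the built-in defaults. Suggest renaming the section to `limits:` and using the hyphenated key names.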
++diff --git a/src/util-thash.c b/src/util-thash.c
++index 3ee006a2c..548637916 100644
++--- a/src/util-thash.c
+++++ b/src/util-thash.c
++@@ -311,16 +311,11 @@ THashTableContext *THashInit(const char *cnf_prefix, size_t data_size,
++ ctx->config.hash_size = hashsize > 0 ? hashsize : THASH_DEFAULT_HASHSIZE;
++ /* Reset memcap in case of loading from file to the highest possible value
++ unless defined by the rule keyword */
++-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
++- // limit memcap size to default when fuzzing
++- ctx->config.memcap = THASH_DEFAULT_MEMCAP;
++-#else
++ if (memcap > 0) {
++ ctx->config.memcap = memcap;
++ } else {
++ ctx->config.memcap = reset_memcap ? UINT64_MAX : THASH_DEFAULT_MEMCAP;
++ }
++-#endif
++ ctx->config.prealloc = THASH_DEFAULT_PREALLOC;
++
++ SC_ATOMIC_INIT(ctx->counter);
++diff --git a/suricata.yaml.in b/suricata.yaml.in
++index d74b4a27d..97236eb39 100644
++--- a/suricata.yaml.in
+++++ b/suricata.yaml.in
++@@ -1188,6 +1188,14 @@ datasets:
++ #memcap: 100mb
++ #hashsize: 2048
++
+++ # Limits for per rule dataset instances to avoid rules using too many
+++ # resources.
+++ limits:
+++ # Max value for per dataset `hashsize` setting
+++ #single-hashsize: 65536
+++ # Max combined hashsize values for all datasets.
+++ #total-hashsizes: 16777216
+++
++ rules:
++ # Set to true to allow absolute filenames and filenames that use
++ # ".." components to reference parent directories in rules that specify
--- /dev/null
--- /dev/null
++commit d86c5f9f0c75736d4fce93e27c0773fcb27e1047
++Author: Victor Julien <vjulien@oisf.net>
++Date: Mon Mar 17 21:19:13 2025 +0100
++
++ datasets: set higher hashsize limits
++
++ To avoid possible upgrade issues, allow higher defaults than in the
++ master branch. Add some upgrade guidance and a note that defaults will
++ probably be further reduced.
++
++diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
++index a78dd730c..ebd9dc337 100644
++--- a/doc/userguide/upgrade.rst
+++++ b/doc/userguide/upgrade.rst
++@@ -44,6 +44,21 @@ Upgrading to 7.0.9
++ been added, ``v2-block-size`` which can be used to tune this value
++ for TPACKET_V2. Due to the increased block size, memory usage has
++ been increased, but should not be an issue in most cases.
+++- Datasets specifying a custom `hashsize` will now be limited to 262144 by default.
+++ Additionally, the cumulative hash sizes for all datasets in use should not exceed
+++ 67108864. These settings can be changed with the following settings.
+++
+++ .. code-block:: yaml
+++
+++ datasets:
+++ # Limits for per rule dataset instances to avoid rules using too many
+++ # resources.
+++ # Note: in Suricata 8 the built-in default will be set to lower values.
+++ limits:
+++ # Max value for per dataset `hashsize` setting
+++ #single-hashsize: 262144
+++ # Max combined hashsize values for all datasets.
+++ #total-hashsizes: 67108864
++
++ Upgrading to 7.0.8
++ ------------------
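Review bot: in the added upgrade note, `hashsize` is written with single backticks, while the surrounding reStructuredText uses double backticks for literals (``v2-block-size``), so it will not render as code. Suggest ``hashsize``, and rewording the closing sentence, which currently reads "These settings can be changed with the following settings", to something like "These limits can be changed with the following settings".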
++diff --git a/src/datasets.c b/src/datasets.c
++index 99d66b67d..412413ab4 100644
++--- a/src/datasets.c
+++++ b/src/datasets.c
++@@ -45,8 +45,9 @@ SCMutex sets_lock = SCMUTEX_INITIALIZER;
++ static Dataset *sets = NULL;
++ static uint32_t set_ids = 0;
++
++-uint32_t dataset_max_one_hashsize = 65536;
++-uint32_t dataset_max_total_hashsize = 16777216;
+++/* 4x what we set in master to allow a smoother upgrade path */
+++uint32_t dataset_max_one_hashsize = 262144;
+++uint32_t dataset_max_total_hashsize = 67108864;
++ uint32_t dataset_used_hashsize = 0;
++
++ static int DatasetAddwRep(Dataset *set, const uint8_t *data, const uint32_t data_len,
++diff --git a/suricata.yaml.in b/suricata.yaml.in
++index 97236eb39..722f17a0b 100644
++--- a/suricata.yaml.in
+++++ b/suricata.yaml.in
++@@ -1190,11 +1190,12 @@ datasets:
++
++ # Limits for per rule dataset instances to avoid rules using too many
++ # resources.
+++ # Note: in Suricata 8 the built-in default will be set to lower values.
++ limits:
++ # Max value for per dataset `hashsize` setting
++- #single-hashsize: 65536
+++ #single-hashsize: 262144
++ # Max combined hashsize values for all datasets.
++- #total-hashsizes: 16777216
+++ #total-hashsizes: 67108864
++
++ rules:
++ # Set to true to allow absolute filenames and filenames that use
--- /dev/null
--- /dev/null
++commit bab716776ba3561cfbfd1a57fc18ff1f6859f019
++Author: Philippe Antoine <pantoine@oisf.net>
++Date: Tue Dec 17 15:06:25 2024 +0100
++
++ detect: limit base64_decode `bytes` to 64KiB
++
++ Ticket: 7613
++
++ Avoids potential large per-thread memory allocation. A buffer with the
++ size of the largest decode_base64 buffer size setting would be allocated
++ per thread. As this was a u32, it could mean a per-thread 4GiB memory
++ allocation.
++
++ 64KiB was already the built-in default for cases where bytes size wasn't
++ specified.
++
++ (cherry picked from commit 32d0bd2bbb4d486623dec85a94952fde2515f2f0)
++
++diff --git a/doc/userguide/rules/base64-keywords.rst b/doc/userguide/rules/base64-keywords.rst
++index 190fdb5bf..256f6c013 100644
++--- a/doc/userguide/rules/base64-keywords.rst
+++++ b/doc/userguide/rules/base64-keywords.rst
++@@ -15,6 +15,7 @@ Syntax::
++ base64_decode:bytes <value>, offset <value>, relative;
++
++ The ``bytes`` option specifies how many bytes Suricata should decode and make available for base64_data.
+++This number is limited to 64KiB.
++ The decoding will stop at the end of the buffer.
++
++ The ``offset`` option specifies how many bytes Suricata should skip before decoding.
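Review bot: the added sentence "This number is limited to 64KiB" is off by one against the code in this commit: `bytes` becomes a `uint16_t` and BASE64_DECODE_MAX is 65535, so a value of 65536 cannot be represented. Suggest documenting the limit as 65535 bytes.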
++diff --git a/src/detect-base64-decode.c b/src/detect-base64-decode.c
++index 25fdf10e7..5ae38c572 100644
++--- a/src/detect-base64-decode.c
+++++ b/src/detect-base64-decode.c
++@@ -28,7 +28,7 @@
++ #define BASE64_DECODE_MAX 65535
++
++ typedef struct DetectBase64Decode_ {
++- uint32_t bytes;
+++ uint16_t bytes;
++ uint32_t offset;
++ uint8_t relative;
++ } DetectBase64Decode;
++@@ -111,8 +111,8 @@ int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s
++ return det_ctx->base64_decoded_len > 0;
++ }
++
++-static int DetectBase64DecodeParse(const char *str, uint32_t *bytes,
++- uint32_t *offset, uint8_t *relative)
+++static int DetectBase64DecodeParse(
+++ const char *str, uint16_t *bytes, uint32_t *offset, uint8_t *relative)
++ {
++ const char *bytes_str = NULL;
++ const char *offset_str = NULL;
++@@ -132,7 +132,7 @@ static int DetectBase64DecodeParse(const char *str, uint32_t *bytes,
++
++ if (pcre_rc >= 3) {
++ if (pcre2_substring_get_bynumber(match, 2, (PCRE2_UCHAR8 **)&bytes_str, &pcre2_len) == 0) {
++- if (StringParseUint32(bytes, 10, 0, bytes_str) <= 0) {
+++ if (StringParseUint16(bytes, 10, 0, bytes_str) <= 0) {
++ SCLogError("Bad value for bytes: \"%s\"", bytes_str);
++ goto error;
++ }
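Review bot: with the switch to StringParseUint16(), a `bytes` value above 65535 that older versions accepted now fails with the generic message "Bad value for bytes", which gives a rule writer no hint that a limit was exceeded. Suggest extending the SCLogError() text to state the maximum (BASE64_DECODE_MAX), so a rule set that stops loading after the upgrade can be diagnosed from the log.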
++@@ -186,7 +186,7 @@ error:
++ static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
++ const char *str)
++ {
++- uint32_t bytes = 0;
+++ uint16_t bytes = 0;
++ uint32_t offset = 0;
++ uint8_t relative = 0;
++ DetectBase64Decode *data = NULL;
++@@ -238,9 +238,6 @@ static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
++ data->bytes = BASE64_DECODE_MAX;
++ }
++ if (data->bytes > de_ctx->base64_decode_max_len) {
++-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
++- data->bytes = BASE64_DECODE_MAX;
++-#endif
++ de_ctx->base64_decode_max_len = data->bytes;
++ }
++
++@@ -272,7 +269,7 @@ static int g_http_header_buffer_id = 0;
++ static int DetectBase64TestDecodeParse(void)
++ {
++ int retval = 0;
++- uint32_t bytes = 0;
+++ uint16_t bytes = 0;
++ uint32_t offset = 0;
++ uint8_t relative = 0;
++
++diff --git a/src/detect.h b/src/detect.h
++index 2379d3253..73fa010d1 100644
++--- a/src/detect.h
+++++ b/src/detect.h
++@@ -927,7 +927,7 @@ typedef struct DetectEngineCtx_ {
++ struct SigGroupHead_ *decoder_event_sgh;
++
++ /* Maximum size of the buffer for decoded base64 data. */
++- uint32_t base64_decode_max_len;
+++ uint16_t base64_decode_max_len;
++
++ /** Store rule file and line so that parsers can use them in errors. */
++ int rule_line;
--- /dev/null
--- /dev/null
++commit f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6
++Author: Philippe Antoine <pantoine@oisf.net>
++Date: Tue Jan 28 15:02:45 2025 +0100
++
++ detect/pcre: avoid infinite loop after negated pcre
++
++ Ticket: 7526
++
++ The usage of negated pcre, followed by other relative payload
++ content keywords could lead to an infinite loop.
++
++ This is because regular (not negated) pcre can test multiple
++ occurences, but negated pcre should be tried only once.
++
++ (cherry picked from commit b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b)
++
++Index: suricata-6.0.1/src/detect-engine-content-inspection.c
++===================================================================
++--- suricata-6.0.1.orig/src/detect-engine-content-inspection.c 2025-03-24 23:38:06.156602585 +0100
+++++ suricata-6.0.1/src/detect-engine-content-inspection.c 2025-03-24 23:38:06.152602584 +0100
++@@ -430,7 +430,6 @@
++ if (r == 0) {
++ goto no_match;
++ }
++-
++ if (!(pe->flags & DETECT_PCRE_RELATIVE_NEXT)) {
++ SCLogDebug("no relative match coming up, so this is a match");
++ goto match;
++@@ -453,6 +452,11 @@
++ if (det_ctx->discontinue_matching)
++ goto no_match;
++
+++ if (prev_offset == 0) {
+++ // This happens for negated PCRE
+++ // We do not search for another occurrence of this pcre
+++ SCReturnInt(0);
+++ }
++ det_ctx->buffer_offset = prev_buffer_offset;
++ det_ctx->pcre_match_start_offset = prev_offset;
++ } while (1);
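Review bot: the new early return keys on `prev_offset == 0`, and only the comment ties that value to negated pcre; the condition itself does not test negation. Suggest checking the pcre's negation flag directly, or documenting why a zero `prev_offset` cannot occur for a regular pcre at this point, and leaving through `goto no_match` like the `discontinue_matching` check just above so that both exits share one path.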
--- /dev/null
--- /dev/null
++From 6f7636cfc6dffb387afe21f4f3bff119f8d8e033 Mon Sep 17 00:00:00 2001
++From: Eric Leblond <eric@regit.org>
++Date: Thu, 31 Oct 2019 13:29:56 +0100
++Subject: [PATCH] ebpf: avoid to include if_tunnel.h
++
++This is causing a dependency issue as file from another architecture
++have to be installed.
++---
++ ebpf/xdp_lb.c | 7 ++++++-
++ 1 file changed, 6 insertions(+), 1 deletion(-)
++
++--- a/ebpf/xdp_lb.c
+++++ b/ebpf/xdp_lb.c
++@@ -23,7 +23,6 @@
++ #include <linux/if_ether.h>
++ #include <linux/if_packet.h>
++ #include <linux/if_vlan.h>
++-#include <linux/if_tunnel.h>
++ #include <linux/ip.h>
++ #include <linux/ipv6.h>
++ #include <linux/tcp.h>
++@@ -32,6 +31,12 @@
++
++ #include "hash_func01.h"
++
+++#define GRE_CSUM __cpu_to_be16(0x8000)
+++#define GRE_ROUTING __cpu_to_be16(0x4000)
+++#define GRE_KEY __cpu_to_be16(0x2000)
+++#define GRE_SEQ __cpu_to_be16(0x1000)
+++#define GRE_VERSION __cpu_to_be16(0x0007)
+++
++ #define LINUX_VERSION_CODE 263682
++
++ /* Hashing initval */
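Review bot: the five `GRE_*` macros are defined unconditionally, so the compiler may complain about redefinition as soon as another included header provides them. Suggest wrapping each one in `#ifndef`, and adding a short comment that the values are copied from `linux/if_tunnel.h` so they can be checked against the kernel header later.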
--- /dev/null
--- /dev/null
++From: Hilko Bengen <bengen@debian.org>
++Date: Tue, 22 Jan 2019 18:10:47 +0100
++Subject: configure: Introduce CLANG variable
++
++---
++ configure.ac | 9 +++++++++
++ 1 file changed, 9 insertions(+)
++
++--- a/configure.ac
+++++ b/configure.ac
++@@ -38,6 +38,15 @@
++
++ AC_SUBST([CLANG])
++
+++ AC_ARG_WITH([clang],
+++ [CLANG compiler],
+++ [CLANG="$withval"],
+++ [AS_IF([test "$compiler" = clang],
+++ [CLANG="$CC"],
+++ [AC_PATH_PROG([CLANG],[clang])])])
+++
+++ AC_SUBST([CLANG])
+++
++ case "$compiler" in
++ clang)
++ CLANG_CFLAGS="-Wextra -Werror-implicit-function-declaration -Wno-error=unused-command-line-argument"
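Review bot: the added block ends with `AC_SUBST([CLANG])` although the unchanged context directly above it already contains the same `AC_SUBST([CLANG])`, so the substitution is declared twice. Suggest dropping one of them, and passing the help text through AS_HELP_STRING (for example `--with-clang=PATH`) instead of the bare `[CLANG compiler]`, so that `./configure --help` shows the option.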
--- /dev/null
--- /dev/null
++--- a/configure.ac
+++++ b/configure.ac
++@@ -77,8 +77,8 @@
++ AC_PATH_PROG(HAVE_CYGPATH, cygpath, "no")
++ AM_CONDITIONAL([HAVE_CYGPATH], [test "x$HAVE_CYGPATH" != "xno"])
++
++- AC_PATH_PROG(HAVE_PKG_CONFIG, pkg-config, "no")
++- if test "$HAVE_PKG_CONFIG" = "no"; then
+++ PKG_PROG_PKG_CONFIG
+++ if test "x$PKG_CONFIG" = "x"; then
++ echo
++ echo " ERROR! pkg-config not found, go get it "
++ echo " http://pkg-config.freedesktop.org/wiki/ "
--- /dev/null
--- /dev/null
++From: Arturo Borrero Gonzalez <arturo@debian.org>
++Subject: Debian default configuration
++ This patch sets Debian defaults for suricata configuration.
++ .
++ Currently, it sets a proper path for suricata unix socket.
++Forwarded: not-needed
++Last-Update: 2016-12-01
++
++--- a/suricata.yaml.in
+++++ b/suricata.yaml.in
++@@ -1061,8 +1061,8 @@
++ # activated in live capture mode. You can use the filename variable to set
++ # the file name of the socket.
++ unix-command:
++- enabled: auto
++- #filename: custom.socket
+++ enabled: yes
+++ filename: @e_localstatedir@suricata-command.socket
++
++ # Magic file. The extension .mgc is added to the value here.
++ #magic-file: /usr/share/file/magic
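Review bot: `filename: @e_localstatedir@suricata-command.socket` has no path separator between the substituted directory and the file name, so it only yields a valid path because the configure.ac hunk of this patch makes the expansion end in "/". Suggest writing the separator explicitly here and keeping `e_localstatedir` without a trailing slash, so the two hunks cannot drift apart silently.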
++--- a/src/unix-manager.c
+++++ b/src/unix-manager.c
++@@ -53,7 +53,7 @@
++ # endif
++ #endif
++
++-#define SOCKET_PATH LOCAL_STATE_DIR "/run/suricata/"
+++#define SOCKET_PATH LOCAL_STATE_DIR "/"
++ #define SOCKET_FILENAME "suricata-command.socket"
++ #define SOCKET_TARGET SOCKET_PATH SOCKET_FILENAME
++
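Review bot: changing SOCKET_PATH from `LOCAL_STATE_DIR "/run/suricata/"` to `LOCAL_STATE_DIR "/"` moves the command socket out of a suricata-specific directory into a shared one, so directory permissions no longer limit who can reach it. Suggest stating in the patch description what now restricts access to the socket (its file mode and ownership), or keeping a dedicated directory.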
++--- a/configure.ac
+++++ b/configure.ac
++@@ -2747,7 +2747,7 @@
++ EXPAND_VARIABLE(localstatedir, e_logfilesdir, "/log/suricata/files")
++ EXPAND_VARIABLE(localstatedir, e_logcertsdir, "/log/suricata/certs")
++ EXPAND_VARIABLE(sysconfdir, e_sysconfdir, "/suricata/")
++- EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/suricata")
+++ EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/")
++ EXPAND_VARIABLE(datadir, e_datarulesdir, "/suricata/rules")
++ EXPAND_VARIABLE(localstatedir, e_datadir, "/lib/suricata/data")
++ EXPAND_VARIABLE(ruledirprefix, e_defaultruledir, "/suricata/rules")
--- /dev/null
--- /dev/null
++Description: do not clean vendor directory on distclean
++ dh_auto_clean calls make distclean, which in the case of Suricata also
++ removes the vendor directory. This breaks repeated builds.
++Author: Sascha Steinbiss <satta@debian.org>
++Last-Update: 2018-12-26
++--- a/rust/Makefile.am
+++++ b/rust/Makefile.am
++@@ -61,7 +61,7 @@
++ rm -f Cargo.lock
++
++ maintainerclean-local:
++- rm -rf vendor gen
+++ rm -rf gen
++
++ check:
++ CARGO_HOME="$(CARGO_HOME)" @rustup_home@ \
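Review bot: the patch description says `make distclean` removes the vendor directory, but the only rule changed in this hunk is `maintainerclean-local`. Suggest correcting the description to name the target that is actually edited, or extending the patch if a distclean rule removes `vendor` as well.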
--- /dev/null
--- /dev/null
++From: Eric Leblond <eric@regit.org>
++Date: Wed, 17 Jul 2019 12:35:12 +0200
++Subject: [PATCH] af-packet: fix build on recent Linux kernels
++--- a/src/source-af-packet.c
+++++ b/src/source-af-packet.c
++@@ -68,6 +68,10 @@
++ #include <linux/sockios.h>
++ #endif
++
+++#if HAVE_LINUX_SOCKIOS_H
+++#include <linux/sockios.h>
+++#endif
+++
++ #ifdef HAVE_PACKET_EBPF
++ #include "util-ebpf.h"
++ #include <bpf/libbpf.h>
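Review bot: the added `#if HAVE_LINUX_SOCKIOS_H` block includes `<linux/sockios.h>` immediately after context lines that already end with `#include <linux/sockios.h>` and `#endif`, so the header appears to be pulled in twice. Suggest confirming that the existing include is not already sufficient, and using `#ifdef` rather than `#if` for consistency with the `#ifdef HAVE_PACKET_EBPF` test that follows.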
--- /dev/null
--- /dev/null
++--- a/configure.ac
+++++ b/configure.ac
++@@ -497,11 +497,12 @@
++ [
++ AS_IF([test "$CLANG" != no],
++ [
++- llc_candidates=$($CLANG --version | \
++- awk '/^clang version/ {
++- split($3, v, ".");
++- printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]])
++- }')
+++ #llc_candidates=$($CLANG --version | \
+++ # awk '/^clang version/ {
+++ # split($3, v, ".");
+++ # printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]])
+++ # }')
+++ llc_candidates=llc
++ AC_CHECK_PROGS([LLC], [$llc_candidates], "no")
++ if test "$LLC" = "no"; then
++ AC_MSG_ERROR([unable to find any of $llc_candidates needed to build ebpf files])
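Review bot: the version-matched `llc` detection is commented out rather than removed and replaced by a hard-coded `llc_candidates=llc`, and the patch carries no header explaining why. Suggest deleting the dead lines, and adding a description that says which build problem this works around, since an unversioned `llc` may no longer match the `$CLANG` that produced the LLVM IR.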
--- /dev/null
--- /dev/null
++Description: Don't use __USE_GNU
++ __USE_GNU is a glibc-internal symbol.
++ AC_USE_SYSTEM_EXTENSIONS is the proper autoconf
++ way to enable extensions.
++Author: Adrian Bunk <bunk@debian.org>
++
++--- a/configure.ac
+++++ b/configure.ac
++@@ -6,6 +6,7 @@
++ AM_INIT_AUTOMAKE([tar-ustar subdir-objects])
++
++ AC_LANG([C])
+++ AC_USE_SYSTEM_EXTENSIONS
++ LT_INIT
++ PKG_PROG_PKG_CONFIG
++
++--- a/src/suricata-common.h
+++++ b/src/suricata-common.h
++@@ -33,9 +33,6 @@
++ #define TRUE 1
++ #define FALSE 0
++
++-#define _GNU_SOURCE
++-#define __USE_GNU
++-
++ #if HAVE_CONFIG_H
++ #include <autoconf.h>
++ #endif
--- /dev/null
--- /dev/null
++Description: do not install the suricata Python module
++ Suricata's Python tools only import submodules of 'suricata'. Not installing
++ this module ensures that there is no chance of having an __init__.py in the
++ root module directory that might clash with other packages, e.g. suricata-
++ update.
++Author: Sascha Steinbiss <satta@debian.org>
++Bug: https://redmine.openinfosecfoundation.org/issues/3156
++Last-Update: 2019-09-18
++--- a/python/setup.py
+++++ b/python/setup.py
++@@ -49,7 +49,6 @@
++ author_email='oisf-devel@lists.openinfosecfoundation.org, eric@regit.org',
++ url='https://www.suricata-ids.org/',
++ packages=[
++- "suricata",
++ "suricata.config",
++ "suricata.ctl",
++ "suricata.sc",
--- /dev/null
--- /dev/null
++From: Arturo Borrero Gonzalez <arturo@debian.org>
++Subject: Patch to make the suricata build reproducible
++ This patch makes some changes to the suricata build to make it reproducible
++ .
++ Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds
++ the build path.
++Forwarded: not-needed
++Last-Update: 2016-09-05
++
++--- a/configure.ac
+++++ b/configure.ac
++@@ -2873,7 +2873,8 @@
++ echo
++ echo "$SURICATA_BUILD_CONF"
++ echo "printf(" >src/build-info.h
++-echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' >>src/build-info.h
+++echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' \
+++ | sed 's/-fdebug-prefix-map=.*=. //' >>src/build-info.h
++ echo ");" >>src/build-info.h
++
++ echo "
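Review bot: the expression `sed 's/-fdebug-prefix-map=.*=. //'` is greedy and uses an unescaped `.`, so on a flags line it removes everything from the first `-fdebug-prefix-map=` up to the last `=` that is followed by one character and a space, which can swallow unrelated flags in between. Suggest anchoring the match to a single argument, for example `-fdebug-prefix-map=[^ ]* `, so only the path-bearing option is filtered out of build-info.h.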
--- /dev/null
--- /dev/null
++reproducible.patch
++debian-default-cfg.patch
++cross.patch
++no-use-gnu.patch
++fix-repeated-builds.patch
++configure-clang-variable.patch
++with-ebpf-includes.patch
++import-sockio-h.patch
++remove-conflicting-python-file.patch
++avoid-to-include-if_tunnel-h.patch
++llc.patch
++stream-no-reject-bad-ack.patch
++
++CVE-2021-45098.patch
++CVE-2023-35852-1.patch
++CVE-2023-35852-2.patch
++CVE-2024-32663-1.patch
++CVE-2024-32663-2.patch
++CVE-2024-37151.patch
++CVE-2024-45796.patch
++CVE-2025-29918.patch
++CVE-2024-55626.patch
--- /dev/null
--- /dev/null
++From 556570f7dd7f21f11cffda5ebcb72738a29cbb90 Mon Sep 17 00:00:00 2001
++From: Eric Leblond <el@stamus-networks.com>
++Date: Fri, 28 May 2021 12:19:38 +0200
++Subject: [PATCH] stream/tcp: don't reject on bad ack
++
++Not using a packet for the streaming analysis when a non zero
++ACK value and ACK bit was unset was leading to evasion as it was
++possible to start a session with a SYN packet with a non zero ACK
++value to see the full TCP stream to escape all stream and application
++layer detection.
++
++This addresses CVE-2021-35063.
++
++Fixes: fa692df37 ("stream: reject broken ACK packets")
++
++Ticket: #4504.
++---
++ src/stream-tcp.c | 1 -
++ 1 file changed, 1 deletion(-)
++
++--- a/src/stream-tcp.c
+++++ b/src/stream-tcp.c
++@@ -4789,7 +4789,6 @@
++ /* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */
++ if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) {
++ StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);
++- goto error;
++ }
++
++ /* If we are on IPS mode, and got a drop action triggered from
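Review bot: after the removal of `goto error;`, the only comment on this branch is still the "broken TCP" link, and nothing in the code says that a packet with a non-zero ACK value and no ACK flag must continue through stream processing. Suggest adding a one-line comment that the event is set but the packet is deliberately not rejected, with a reference to the evasion described in the commit message, so the rejection is not reintroduced later.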
--- /dev/null
--- /dev/null
++From: Hilko Bengen <bengen@debian.org>
++Date: Tue, 23 Jul 2019 14:43:21 +0200
++Subject: Add --with-ebpf-includes parameter
++
++---
++ configure.ac | 4 ++++
++ ebpf/Makefile.am | 3 +--
++ 2 files changed, 5 insertions(+), 2 deletions(-)
++
++--- a/configure.ac
+++++ b/configure.ac
++@@ -509,6 +509,10 @@
++ AC_SUBST(LLC)
++ ],
++ [AC_MSG_ERROR([clang needed to build ebpf files])])
+++ AC_ARG_WITH(ebpf_includes,
+++ [ --with-ebpf-includes=DIR include directory for building eBPF programs],
+++ [AC_SUBST([ebpf_includes],["$withval"])],
+++ [AC_SUBST([ebpf_includes],["/usr/include/${build_alias}"])])
++ ])
++
++ # enable debug output
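Review bot: the default for `--with-ebpf-includes` is `/usr/include/${build_alias}`, which names the build machine and is empty unless `--build` is passed to configure, while the Makefile.am line it replaces used `$(build_cpu)-$(build_os)`. Suggest deriving the default from the canonical triplet rather than the alias, and wrapping the help text in AS_HELP_STRING.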
++--- a/ebpf/Makefile.am
+++++ b/ebpf/Makefile.am
++@@ -4,7 +4,7 @@
++ if BUILD_EBPF
++
++ # Maintaining a local copy of UAPI linux/bpf.h
++-BPF_CFLAGS = -Iinclude
+++BPF_CFLAGS = -Iinclude -I$(ebpf_includes)
++
++ BPF_TARGETS = lb.bpf
++ BPF_TARGETS += filter.bpf
++@@ -19,7 +19,6 @@
++ $(BPF_TARGETS): %.bpf: %.c
++ # From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm)
++ ${CLANG} -Wall $(BPF_CFLAGS) -O2 \
++- -I/usr/include/$(build_cpu)-$(build_os)/ \
++ -D__KERNEL__ -D__ASM_SYSREG_H \
++ -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll}
++ # From LLVM-IR to BPF-bytecode in ELF-obj file
--- /dev/null
--- /dev/null
++#!/usr/bin/make -f
++
++# verbose mode
++export DH_VERBOSE=1
++
++SURICATA_DESTDIR = $(CURDIR)/debian/suricata
++export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow
++export CARGO_HOME = $(CURDIR)/debian/cargohome
++
++include /usr/share/dpkg/architecture.mk
++
++# workaround for linking issue on some archs
++export DEB_LDFLAGS_MAINT_APPEND = -Wl,--allow-multiple-definition
++EXTRA_ATOMIC_ARCHS = armel mipsel
++ifneq (,$(findstring $(DEB_HOST_ARCH),$(EXTRA_ATOMIC_ARCHS)))
++ DEB_LDFLAGS_MAINT_APPEND += -latomic
++ export DEB_LDFLAGS_MAINT_APPEND
++endif
++
++LUAJIT_ARCHS = i386 amd64 powerpc mips mipsel armel armhf
++HYPERSCAN_ARCHS = i386 amd64 hurd-i386 kfreebsd-amd64 x32
++RUST_ARCHS = i386 amd64
++EBPF_ARCHS = amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32
++
++LIBHTP_PKG_VERSION=$(shell apt-cache policy libhtp2 | grep Installed | cut -f2- -d: | cut -c2-)
++
++ifneq (,$(findstring $(DEB_HOST_ARCH),$(LUAJIT_ARCHS)))
++ ENABLE_LUAJIT="--enable-luajit"
++endif
++
++ifneq (,$(findstring $(DEB_HOST_ARCH),$(HYPERSCAN_ARCHS)))
++ ENABLE_HYPERSCAN="--enable-libhs"
++endif
++
++ifneq (,$(findstring $(DEB_HOST_ARCH),$(RUST_ARCHS)))
++ ENABLE_HYPERSCAN="--enable-rust"
++endif
++
++CI ?= $(shell $(CURDIR)/debian/building-in-ci.sh)
++ifeq ($(CI),true)
++ ENABLE_UNITTESTS="--enable-unittests"
++endif
++
++ifneq (,$(findstring $(DEB_HOST_ARCH),$(EBPF_ARCHS)))
++ ENABLE_EBPF=--enable-ebpf --enable-ebpf-build \
++ --with-ebpf-includes=/usr/include/$(DEB_HOST_MULTIARCH)
++endif
++
++CONFIGURE_ARGS = --enable-af-packet --enable-nfqueue --enable-nflog \
++ --enable-gccprotect --disable-gccmarch-native \
++ --with-libnss-includes=/usr/include/nss --with-libnss-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
++ --with-libnspr-includes=/usr/include/nspr --with-libnspr-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
++ --with-libevent-includes=/usr/include --with-libevent-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
++ --disable-coccinelle \
++ --enable-geoip --enable-hiredis \
++ --enable-non-bundled-htp \
++ --disable-suricata-update \
++ $(ENABLE_LUAJIT) \
++ $(ENABLE_HYPERSCAN) \
++ $(ENABLE_UNITTESTS) \
++ $(ENABLE_EBPF)
++
++override_dh_auto_configure:
++ dh_auto_configure -- $(CONFIGURE_ARGS)
++
++override_dh_auto_build:
++ uname -a
++ mkdir -p $(CARGO_HOME)
++ dh_auto_build
++
++override_dh_auto_clean:
++ rm -rf $(CARGO_HOME)
++ rm -f debian/suricata.substvars
++
++override_dh_auto_install:
++ dh_auto_install
++ rm -rf $(SURICATA_DESTDIR)/usr/lib/python*;\
++ (cd python &&\
++ python3 -B setup.py install --install-layout=deb --prefix $(SURICATA_DESTDIR)/usr)
++ # clean upstream install documentation
++ rm -rf $(SURICATA_DESTDIR)/usr/share/doc/suricata/*
++ $(foreach file, $(wildcard ebpf/*bpf), \
++ install -D -t $(SURICATA_DESTDIR)/usr/lib/suricata/ebpf $(file) ;\
++ )
++
++override_dh_strip:
++ dh_strip --dbgsym-migration='suricata-dbg (<< 1:4.0.0-2~)'
++
++override_dh_auto_test:
++ # do nothing
++
++override_dh_missing:
++ dh_missing --list-missing
++
++override_dh_gencontrol:
++ echo "libhtp:Version=$(LIBHTP_PKG_VERSION)" >> debian/suricata.substvars
++ dh_gencontrol
++
++%:
++ dh $@ --with python3
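Review bot: the RUST_ARCHS block assigns `ENABLE_HYPERSCAN="--enable-rust"`, which overwrites the `--enable-libhs` value set just above it, so on i386 and amd64 the configure arguments lose Hyperscan support. Suggest a separate variable for the Rust switch (for example ENABLE_RUST) and adding it to CONFIGURE_ARGS alongside `$(ENABLE_HYPERSCAN)`.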
--- /dev/null
--- /dev/null
++3.0 (quilt)
--- /dev/null
--- /dev/null
++debian/oinkmaster/suricata-oinkmaster.conf etc/suricata
++debian/oinkmaster/suricata-oinkmaster etc/cron.daily
++debian/oinkmaster/suricata-oinkmaster-updater usr/sbin
--- /dev/null
--- /dev/null
++debian/oinkmaster/suricata-oinkmaster-updater.8
--- /dev/null
--- /dev/null
++.\" Man page generated from reStructuredText.
++.
++.TH "SURICATA" "1" "Nov 08, 2020" "6.0.1" "Suricata"
++.SH NAME
++suricata \- Suricata
++.
++.nr rst2man-indent-level 0
++.
++.de1 rstReportMargin
++\\$1 \\n[an-margin]
++level \\n[rst2man-indent-level]
++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
++-
++\\n[rst2man-indent0]
++\\n[rst2man-indent1]
++\\n[rst2man-indent2]
++..
++.de1 INDENT
++.\" .rstReportMargin pre:
++. RS \\$1
++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
++. nr rst2man-indent-level +1
++.\" .rstReportMargin post:
++..
++.de UNINDENT
++. RE
++.\" indent \\n[an-margin]
++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
++.nr rst2man-indent-level -1
++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
++..
++.SH SYNOPSIS
++.sp
++\fBsuricata\fP [OPTIONS] [BPF FILTER]
++.SH DESCRIPTION
++.sp
++\fBsuricata\fP is a high performance Network IDS, IPS and Network Security
++Monitoring engine. Open Source and owned by a community run non\-profit
++foundation, the Open Information Security Foundation (OISF).
++.sp
++\fBsuricata\fP can be used to analyze live traffic and pcap files. It can
++generate alerts based on rules. \fBsuricata\fP will generate traffic logs.
++.sp
++When used with live traffic \fBsuricata\fP can be passive or active. Active
++modes are: inline in a L2 bridge setup, inline with L3 integration with
++host filewall (NFQ, IPFW, WinDivert), or out of band using active responses.
++.SH OPTIONS
++.INDENT 0.0
++.TP
++.B \-h
++Display a brief usage overview.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-V
++Displays the version of Suricata.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-c <path>
++Path to configuration file.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-T
++Test configuration.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-v
++Increase the verbosity of the Suricata application logging by
++increasing the log level from the default. This option can be
++passed multiple times to further increase the verbosity.
++.INDENT 7.0
++.IP \(bu 2
++\-v: INFO
++.IP \(bu 2
++\-vv: PERF
++.IP \(bu 2
++\-vvv: CONFIG
++.IP \(bu 2
++\-vvvv: DEBUG
++.UNINDENT
++.sp
++This option will not decrease the log level set in the
++configuration file if it is already more verbose than the level
++requested with this option.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-r <path>
++Run in pcap offline mode (replay mode) reading files from pcap file. If
++<path> specifies a directory, all files in that directory will be processed
++in order of modified time maintaining flow state between files.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-pcap\-file\-continuous
++Used with the \-r option to indicate that the mode should stay alive until
++interrupted. This is useful with directories to add new files and not reset
++flow state between files.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-pcap\-file\-recursive
++.TP
++.B Used with the \-r option when the path provided is a directory. This option
++.TP
++.B enables recursive traversal into subdirectories to a maximum depth of 255.
++.TP
++.B This option cannot be combined with \-\-pcap\-file\-continuous. Symlinks are
++.TP
++.B ignored.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-pcap\-file\-delete
++Used with the \-r option to indicate that the mode should delete pcap files
++after they have been processed. This is useful with pcap\-file\-continuous to
++continuously feed files to a directory and have them cleaned up when done. If
++this option is not set, pcap files will not be deleted after processing.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-i <interface>
++After the \-i option you can enter the interface card you would like
++to use to sniff packets from. This option will try to use the best
++capture method available. Can be used several times to sniff packets from
++several interfaces.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-pcap[=<device>]
++Run in PCAP mode. If no device is provided the interfaces
++provided in the \fIpcap\fP section of the configuration file will be
++used.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-af\-packet[=<device>]
++Enable capture of packet using AF_PACKET on Linux. If no device is
++supplied, the list of devices from the af\-packet section in the
++yaml is used.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-q <queue id>
++Run inline of the NFQUEUE queue ID provided. May be provided
++multiple times.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-s <filename.rules>
++With the \-s option you can set a file with signatures, which will
++be loaded together with the rules set in the yaml.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-S <filename.rules>
++With the \-S option you can set a file with signatures, which will
++be loaded exclusively, regardless of the rules set in the yaml.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-l <directory>
++With the \-l option you can set the default log directory. If you
++already have the default\-log\-dir set in yaml, it will not be used
++by Suricata if you use the \-l option. It will use the log dir that
++is set with the \-l option. If you do not set a directory with
++the \-l option, Suricata will use the directory that is set in yaml.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-D
++Normally if you run Suricata on your console, it keeps your console
++occupied. You can not use it for other purposes, and when you close
++the window, Suricata stops running. If you run Suricata as daemon
++(using the \-D option), it runs at the background and you will be
++able to use the console for other tasks without disturbing the
++engine running.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-runmode <runmode>
++With the \fI\-\-runmode\fP option you can set the runmode that you would
++like to use. This command line option can override the yaml runmode
++option.
++.sp
++Runmodes are: \fIworkers\fP, \fIautofp\fP and \fIsingle\fP\&.
++.sp
++For more information about runmodes see Runmodes in the user guide.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-F <bpf filter file>
++Use BPF filter from file.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-k [all|none]
++Force (all) the checksum check or disable (none) all checksum
++checks.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-user=<user>
++Set the process user after initialization. Overrides the user
++provided in the \fIrun\-as\fP section of the configuration file.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-group=<group>
++Set the process group to group after initialization. Overrides the
++group provided in the \fIrun\-as\fP section of the configuration file.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-pidfile <file>
++Write the process ID to file. Overrides the \fIpid\-file\fP option in
++the configuration file and forces the file to be written when not
++running as a daemon.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-init\-errors\-fatal
++Exit with a failure when errors are encountered loading signatures.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-disable\-detection
++Disable the detection engine.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-dump\-config
++Dump the configuration loaded from the configuration file to the
++terminal and exit.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-dump\-features
++Dump the features provided by Suricata modules and exit. Features
++list (a subset of) the configuration values and are intended to
++assist with comparing provided features with those required by
++one or more rules.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-build\-info
++Display the build information the Suricata was built with.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-list\-app\-layer\-protos
++List all supported application layer protocols.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-list\-keywords=[all|csv|<kword>]
++List all supported rule keywords.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-list\-runmodes
++List all supported run modes.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-set <key>=<value>
++Set a configuration value. Useful for overriding basic
++configuration parameters. For example, to change the default log
++directory:
++.INDENT 7.0
++.INDENT 3.5
++.sp
++.nf
++.ft C
++\-\-set default\-log\-dir=/var/tmp
++.ft P
++.fi
++.UNINDENT
++.UNINDENT
++.sp
++This option cannot be used to add new entries to a list in the
++configuration file, such as a new output. It can only be used to
++modify a value in a list that already exists.
++.sp
++For example, to disable the \fBeve\-log\fP in the default
++configuration file:
++.INDENT 7.0
++.INDENT 3.5
++.sp
++.nf
++.ft C
++\-\-set outputs.1.eve\-log.enabled=no
++.ft P
++.fi
++.UNINDENT
++.UNINDENT
++.sp
++Also note that the index values may change as the \fBsuricata.yaml\fP
++is updated.
++.sp
++See the output of \fB\-\-dump\-config\fP for existing values that could
++be modified with their index.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-engine\-analysis
++Print reports on analysis of different sections in the engine and
++exit. Please have a look at the conf parameter engine\-analysis on
++what reports can be printed
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-unix\-socket=<file>
++Use file as the Suricata unix control socket. Overrides the
++\fIfilename\fP provided in the \fIunix\-command\fP section of the
++configuration file.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-reject\-dev=<device>
++Use \fIdevice\fP to send out RST / ICMP error packets with
++the \fIreject\fP keyword.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-pcap\-buffer\-size=<size>
++Set the size of the PCAP buffer (0 \- 2147483647).
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-netmap[=<device>]
++Enable capture of packet using NETMAP on FreeBSD or Linux. If no
++device is supplied, the list of devices from the netmap section
++in the yaml is used.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-pfring[=<device>]
++Enable PF_RING packet capture. If no device provided, the devices in
++the Suricata configuration will be used.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-pfring\-cluster\-id <id>
++Set the PF_RING cluster ID.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-pfring\-cluster\-type <type>
++Set the PF_RING cluster type (cluster_round_robin, cluster_flow).
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-d <divert\-port>
++Run inline using IPFW divert mode.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-dag <device>
++Enable packet capture off a DAG card. If capturing off a specific
++stream the stream can be select using a device name like
++"dag0:4". This option may be provided multiple times read off
++multiple devices and/or streams.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-napatech
++Enable packet capture using the Napatech Streams API.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-erf\-in=<file>
++Run in offline mode reading the specific ERF file (Endace
++extensible record format).
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-simulate\-ips
++Simulate IPS mode when running in a non\-IPS mode.
++.UNINDENT
++.SH OPTIONS FOR DEVELOPERS
++.INDENT 0.0
++.TP
++.B \-u
++Run the unit tests and exit. Requires that Suricata be configured
++with \fI\-\-enable\-unittests\fP\&.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-U, \-\-unittest\-filter=REGEX
++With the \-U option you can select which of the unit tests you want
++to run. This option uses REGEX. Example of use: suricata \-u \-U
++http
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-list\-unittests
++Lists available unit tests.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-fatal\-unittests
++Enables fatal failure on a unit test error. Suricata will exit
++instead of continuing more tests.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B \-\-unittests\-coverage
++Display unit test coverage report.
++.UNINDENT
++.SH SIGNALS
++.sp
++Suricata will respond to the following signals:
++.sp
++SIGUSR2
++.INDENT 0.0
++.INDENT 3.5
++Causes Suricata to perform a live rule reload.
++.UNINDENT
++.UNINDENT
++.sp
++SIGHUP
++.INDENT 0.0
++.INDENT 3.5
++Causes Suricata to close and re\-open all log files. This can be
++used to re\-open log files after they may have been moved away by
++log rotation utilities.
++.UNINDENT
++.UNINDENT
++.SH FILES AND DIRECTORIES
++.INDENT 0.0
++.TP
++.B /usr/local/etc/suricata/suricata.yaml
++Default location of the Suricata configuration file.
++.TP
++.B /usr/local/var/log/suricata
++Default Suricata log directory.
++.UNINDENT
++.SH EXAMPLES
++.sp
++To capture live traffic from interface \fIeno1\fP:
++.INDENT 0.0
++.INDENT 3.5
++.sp
++.nf
++.ft C
++suricata \-i eno1
++.ft P
++.fi
++.UNINDENT
++.UNINDENT
++.sp
++To analyze a pcap file and output logs to the CWD:
++.INDENT 0.0
++.INDENT 3.5
++.sp
++.nf
++.ft C
++suricata \-r /path/to/capture.pcap
++.ft P
++.fi
++.UNINDENT
++.UNINDENT
++.sp
++To capture using \fIAF_PACKET\fP and override the flow memcap setting from the \fIsuricata.yaml\fP:
++.INDENT 0.0
++.INDENT 3.5
++.sp
++.nf
++.ft C
++suricata \-\-af\-packet \-\-set flow.memcap=1gb
++.ft P
++.fi
++.UNINDENT
++.UNINDENT
++.sp
++To analyze a pcap file with a custom rule file:
++.INDENT 0.0
++.INDENT 3.5
++.sp
++.nf
++.ft C
++suricata \-r /pcap/to/capture.pcap \-S /path/to/custom.rules
++.ft P
++.fi
++.UNINDENT
++.UNINDENT
++.SH BUGS
++.sp
++Please visit Suricata\(aqs support page for information about submitting
++bugs or feature requests.
++.SH NOTES
++.INDENT 0.0
++.IP \(bu 2
++Suricata Home Page
++.INDENT 2.0
++.INDENT 3.5
++\fI\%https://suricata\-ids.org/\fP
++.UNINDENT
++.UNINDENT
++.IP \(bu 2
++Suricata Support Page
++.INDENT 2.0
++.INDENT 3.5
++\fI\%https://suricata\-ids.org/support/\fP
++.UNINDENT
++.UNINDENT
++.UNINDENT
++.SH COPYRIGHT
++2016-2019, OISF
++.\" Generated by docutils manpage writer.
++.
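Review bot: The FILES AND DIRECTORIES section still lists the upstream defaults /usr/local/etc/suricata/suricata.yaml and /usr/local/var/log/suricata, while the README and init script in this package use /etc/suricata/suricata.yaml and /var/log/suricata; the packaged page should name the paths Debian actually installs. Two smaller points in the same file: the --pcap-file-recursive entry is emitted as a chain of .TP/.B pairs, so its description renders as bold tags instead of body text, and "host filewall" in DESCRIPTION should read "firewall".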
--- /dev/null
--- /dev/null
++Suricata for Debian
++-------------------
++
++The engine is an Open Source Next Generation Intrusion Detection and
++Prevention Tool, not intended to just replace or emulate the existing tools in
++the industry, but to bring new ideas and technologies to the field.
++
++To run the engine with default configuration on interface eth0 (in live mode),
++run the following command (as root):
++ suricata -c /etc/suricata/suricata.yaml -i eth0
++
++To run in live NFQUEUE mode, use (as root):
++ suricata -c /etc/suricata/suricata.yaml -q $QUEUE_ID
++
++You can also run suricata on a PCAP file:
++ suricata -c /etc/suricata/suricata.yaml -r file.pcap
++
++
++Daemon system integration
++-------------------------
++
++The suricata daemon comes preconfigured to run as a system daemon with systemd.
++
++You can start/stop the daemon with:
++ % sudo systemctl start suricata.service
++ % sudo systemctl stop suricata.service
++
++You should copy /lib/systemd/system/suricata.service to
++/etc/systemd/system/suricata.service and adapt the configuration to your needs.
++
++The sysvinit script and related files (/etc/init.d/suricata and
++/etc/default/suricata) will be eventually discarted at some point in the
++future. The /etc/default/suricata file is ignored by the default
++suricata.service file.
++
++By now, there is no integration between suricata and libsystemd (so, options
++like the watchdog are not supported).
++
++
++Updating Rules
++--------------
++
++The default configuration use the snort-rules-default package (with all rules loaded),
++and all logging modules activated.
++You should edit /etc/suricata/suricata.yaml and adjust it to fit your needs.
++
++Using rules from the snort-rules-default package will not provide up-to-date
++rules. The recommended method is to install oinkmaster, configure it to get
++Emerging Threats (ET), ET Pro or VRT rules.
++
++Edit ``/etc/oinkmaster.conf`` and use the following URL:
++
++ http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
++
++For more help, see
++https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
++
++ -- Pierre Chifflier <pollux@debian.org> Thu, 17 Nov 2011 22:58:00 +0100
++
++Using suricata-oinkmaster
++-------------------------
++
++The package 'suricata-oinkmaster' deploys a pre-configured system to allow
++easy auto-update of suricata rules daily using oinkmaster.
++
++There is a config file /etc/suricata/suricata-oinkmaster.conf which contains
++the oinkmaster configuration for the auto-update.
++Also, there is a cronjob at /etc/cron.daily/suricata-oinkmaster-updater which
++calls oinkmaster and the suricatasc to reload the rules.
++
++Of course, this requires:
++ * suricata daemon running
++ * network access to download rules
++ * suricatasc working (ie, suricata running with unix socket)
++
++ -- Arturo Borrero Gonzalez <arturo@debian.org> July 2016
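Review bot: The URL recommended under "Updating Rules" is plain http:// (http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz), so the ruleset that drives detection is fetched with no transport integrity; point the README at an https:// URL or describe how to verify the download. The "Using suricata-oinkmaster" section also names the cron job as /etc/cron.daily/suricata-oinkmaster-updater, whereas the install list in this upload places suricata-oinkmaster in etc/cron.daily and suricata-oinkmaster-updater in usr/sbin. "discarted" should be "discarded".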
--- /dev/null
--- /dev/null
++# Default config for Suricata
++
++# set to yes to start the server in the init.d script
++RUN=no
++
++# Configuration file to load
++SURCONF=/etc/suricata/suricata.yaml
++
++# Listen mode: pcap, nfqueue or af-packet
++# depending on this value, only one of the two following options
++# will be used (af-packet uses neither).
++# Please note that IPS mode is only available when using nfqueue
++LISTENMODE=nfqueue
++
++# Interface to listen on (for pcap mode)
++IFACE=eth0
++
++# Queue number to listen on (for nfqueue mode)
++NFQUEUE=0
++
++# Load Google TCMALLOC if libtcmalloc-minimal4 is installed
++# This _might_ give you very very small performance gain....
++TCMALLOC="YES"
++
++# Pid file
++PIDFILE=/var/run/suricata.pid
--- /dev/null
--- /dev/null
++etc/suricata
++var/log/suricata
--- /dev/null
--- /dev/null
++#!/bin/sh -e
++#
++### BEGIN INIT INFO
++# Provides: suricata
++# Required-Start: $time $network $local_fs $remote_fs
++# Required-Stop: $remote_fs
++# Default-Start: 2 3 4 5
++# Default-Stop: 0 1 6
++# Short-Description: Next Generation IDS/IPS
++# Description: Intrusion detection system that will
++# capture traffic from the network cards and will
++# match against a set of known attacks.
++### END INIT INFO
++
++# Source function library.
++. /lib/lsb/init-functions
++
++if test -f /etc/default/suricata; then
++ . /etc/default/suricata
++else
++ echo "/etc/default/suricata is missing... bailing out!" >&2
++ exit 1
++fi
++
++# We'll add up all the options above and use them
++NAME=suricata
++DAEMON=/usr/bin/$NAME
++
++# Use this if you want the user to explicitly set 'RUN' in
++# /etc/default/
++if [ "x$RUN" != "xyes" ] ; then
++ log_failure_msg "$NAME disabled, please adjust the configuration to your needs "
++ log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it."
++ exit 0
++fi
++
++check_root() {
++ if [ "$(id -u)" != "0" ]; then
++ log_failure_msg "You must be root to start, stop or restart $NAME."
++ exit 4
++ fi
++}
++
++check_nfqueue() {
++ if [ ! \( -e /proc/net/netfilter/nfnetlink_queue -o -e /proc/net/netfilter/nf_queue \) ]; then
++ log_warning_msg "NFQUEUE support not found !"
++ log_warning_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel"
++ fi
++}
++
++check_run_dir() {
++ if [ ! -d /var/run/suricata ]; then
++ mkdir /var/run/suricata
++ chmod 0755 /var/run/suricata
++ fi
++}
++
++load_libtcmalloc_minimal() {
++ lib="/usr/lib/libtcmalloc_minimal.so.4"
++
++ if [ -f "$lib" ] && [ "x$TCMALLOC" = "xYES" ]; then
++ export LD_PRELOAD="$lib"
++ fi
++}
++
++check_root
++
++case "$LISTENMODE" in
++nfqueue)
++ IDMODE="IPS (nfqueue)"
++ LISTEN_OPTIONS=" -q $NFQUEUE"
++ check_nfqueue
++ ;;
++pcap)
++ IDMODE="IDS (pcap)"
++ LISTEN_OPTIONS=" -i $IFACE"
++ ;;
++af-packet)
++ IDMODE="IDS (af-packet)"
++ LISTEN_OPTIONS=" --af-packet"
++ ;;
++*)
++ echo "Unsupported listen mode $LISTENMODE, aborting"
++ exit 1
++ ;;
++esac
++
++SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D"
++
++# See how we were called.
++case "$1" in
++start)
++ if [ -f $PIDFILE ]; then
++ PID1=$(cat $PIDFILE)
++ if kill -0 "$PID1" 2>/dev/null; then
++ echo "$NAME is already running with PID $PID1"
++ exit 0
++ fi
++ fi
++ check_run_dir
++ echo -n "Starting suricata in $IDMODE mode..."
++ load_libtcmalloc_minimal
++ $DAEMON $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log 2>&1 &
++ echo " done."
++ ;;
++stop)
++ echo -n "Stopping suricata: "
++ if [ -f $PIDFILE ]; then
++ PID2=$(cat $PIDFILE)
++ else
++ echo " No PID file found; not running?"
++ exit 0;
++ fi
++ start-stop-daemon --oknodo --stop --quiet --pidfile=$PIDFILE --exec $DAEMON
++ if [ -n "$PID2" ]; then
++ kill "$PID2"
++ ret=$?
++ sleep 2
++ if kill -0 "$PID2" 2>/dev/null; then
++ ret=$?
++ echo -n "Waiting . "
++ cnt=0
++ while kill -0 "$PID2" 2>/dev/null; do
++ ret=$?
++ cnt=$(expr "$cnt" + 1)
++ if [ "$cnt" -gt 10 ]; then
++ kill -9 "$PID2"
++ break
++ fi
++ sleep 2
++ echo -n ". "
++ done
++ fi
++ fi
++ if [ -e $PIDFILE ]; then
++ rm $PIDFILE > /dev/null 2>&1
++ fi
++ echo " done."
++ ;;
++status)
++ # Check if running...
++ if [ -s $PIDFILE ]; then
++ PID3=$(cat $PIDFILE)
++ if kill -0 "$PID3" 2>/dev/null; then
++ echo "$NAME is running with PID $PID3"
++ exit 0
++ else
++ echo "PID file $PIDFILE exists, but process not running!"
++ fi
++ else
++ echo "$NAME not running!"
++ fi
++ ;;
++restart)
++ $0 stop
++ $0 start
++ ;;
++force-reload)
++ $0 stop
++ $0 start
++ ;;
++*)
++ echo "Usage: $0 {start|stop|restart|status}"
++ exit 1
++esac
++
++exit 0
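Review bot: In the stop branch the script runs under "#!/bin/sh -e", so if start-stop-daemon has already ended the process, the following kill "$PID2" returns non-zero and aborts the script before the PID file is removed and before " done." is printed; append "|| true" or gate it on kill -0 (the ret=$? assignments are never read afterwards). The status branch also falls through to the final exit 0 when the process is not running or the PID file is stale, so callers cannot distinguish a stopped daemon from a running one; return a non-zero code in those two paths. The usage string omits force-reload, and $PIDFILE is unquoted in the -f/-s/-e tests.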
--- /dev/null
--- /dev/null
++etc/classification.config /etc/suricata
++etc/reference.config /etc/suricata
++rules/*.rules /etc/suricata/rules
++suricata.yaml /etc/suricata
++threshold.config /etc/suricata
++/usr/bin/suricata
--- /dev/null
--- /dev/null
++# these are eBPF files
++suricata: binary-from-other-architecture usr/lib/suricata/ebpf/*
++suricata: unstripped-binary-or-object usr/lib/suricata/ebpf/*
--- /dev/null
--- /dev/null
++/var/log/suricata/*.log
++/var/log/suricata/*.json
++{
++ rotate 14
++ missingok
++ compress
++ copytruncate
++ sharedscripts
++ postrotate
++ /bin/kill -HUP $(cat /var/run/suricata.pid)
++ endscript
++}
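Review bot: The postrotate line "/bin/kill -HUP $(cat /var/run/suricata.pid)" runs unconditionally, so on a host where Suricata is stopped the cat fails and kill is invoked without a PID, and the rotation reports an error; guard it with a test for the PID file. copytruncate is also combined with a HUP that, per the SIGHUP description in suricata.1, makes Suricata close and re-open its log files, so one of the two mechanisms is redundant, and copytruncate can lose lines written between the copy and the truncate.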
--- /dev/null
--- /dev/null
++# Rename file
++mv_conffile /etc/suricata/suricata-debian.yaml /etc/suricata/suricata.yaml 3.1-1 suricata
--- /dev/null
--- /dev/null
++debian/suricata.1
++debian/suricatasc.1
++debian/suricatactl.1
++debian/suricatactl-filestore.1
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++set -e
++
++# we do not need alternatives anymore
++if update-alternatives --quiet --query suricata 2> /dev/null; then
++ echo "Removing legacy alternatives for Hyperscan/non-Hyperscan versions"
++ update-alternatives --remove-all suricata
++fi
++
++#DEBHELPER#
++
++exit 0
--- /dev/null
--- /dev/null
++[Unit]
++Description=Suricata IDS/IDP daemon
++After=network.target network-online.target
++Requires=network-online.target
++Documentation=man:suricata(8) man:suricatasc(8)
++Documentation=https://suricata-ids.org/docs/
++
++[Service]
++Type=forking
++#Environment=LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.4
++PIDFile=/run/suricata.pid
++ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid
++ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID
++ExecStop=/usr/bin/suricatasc -c shutdown
++Restart=on-failure
++ProtectSystem=full
++ProtectHome=true
++
++[Install]
++WantedBy=multi-user.target
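Review bot: "Documentation=man:suricata(8) man:suricatasc(8)" points at section 8, but the pages shipped in this upload are debian/suricata.1 and debian/suricatasc.1 with .TH section "1", so these references will not resolve; use man:suricata(1) and man:suricatasc(1). On hardening, the unit sets only ProtectSystem=full and ProtectHome=true, and ExecStart passes neither --user nor --group, so unless run-as is configured in suricata.yaml the daemon stays root after initialization; a comment stating the expected privilege model would help administrators who copy this file to /etc/systemd/system as the README suggests. "IDS/IDP" in Description looks like it should be "IDS/IPS".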
--- /dev/null
--- /dev/null
++.\" Man page generated from reStructuredText.
++.
++.TH "SURICATACTL-FILESTORE" "1" "Nov 08, 2020" "6.0.1" "Suricata"
++.SH NAME
++suricatactl-filestore \- Perform actions on filestore
++.
++.nr rst2man-indent-level 0
++.
++.de1 rstReportMargin
++\\$1 \\n[an-margin]
++level \\n[rst2man-indent-level]
++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
++-
++\\n[rst2man-indent0]
++\\n[rst2man-indent1]
++\\n[rst2man-indent2]
++..
++.de1 INDENT
++.\" .rstReportMargin pre:
++. RS \\$1
++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
++. nr rst2man-indent-level +1
++.\" .rstReportMargin post:
++..
++.de UNINDENT
++. RE
++.\" indent \\n[an-margin]
++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
++.nr rst2man-indent-level -1
++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
++..
++.SH SYNOPSIS
++.sp
++\fBsuricatactl filestore\fP [\-h] <command> [<args>]
++.SH DESCRIPTION
++.sp
++This command lets you perform certain operations on Suricata filestore.
++.SH OPTIONS
++.INDENT 0.0
++.TP
++.B \-h
++.UNINDENT
++.sp
++Get help about the available commands.
++.SH COMMANDS
++.sp
++\fBprune [\-h|\-\-help] [\-n|\-\-dry\-run] [\-v|verbose] [\-q|\-\-quiet] \-d <DIRECTORY>
++\-\-age <AGE>\fP
++.sp
++Prune files older than a given age.
++.sp
++\-d <DIRECTORY> | \-\-directory <DIRECTORY> is a required argument which tells
++that user must provide the suricata filestore directory on which all the
++specified operations are to be performed.
++.sp
++\-\-age <AGE> is a required argument asking the age of the files. Files older
++than the age mentioned with this option shall be pruned.
++.sp
++\-h | \-\-help is an optional argument with which you can ask for help about the
++command usage.
++.sp
++\-n | \-\-dry\-run is an optional argument which makes the utility print only what
++would happen
++.sp
++\-v | \-\-verbose is an optional argument to increase the verbosity of command.
++.sp
++\-q | \-\-quiet is an optional argument that helps log errors and warnings only
++and keep silent about everything else.
++.SH BUGS
++.sp
++Please visit Suricata\(aqs support page for information about submitting
++bugs or feature requests.
++.SH NOTES
++.INDENT 0.0
++.IP \(bu 2
++Suricata Home Page
++.INDENT 2.0
++.INDENT 3.5
++\fI\%https://suricata\-ids.org/\fP
++.UNINDENT
++.UNINDENT
++.IP \(bu 2
++Suricata Support Page
++.INDENT 2.0
++.INDENT 3.5
++\fI\%https://suricata\-ids.org/support/\fP
++.UNINDENT
++.UNINDENT
++.UNINDENT
++.SH COPYRIGHT
++2016-2019, OISF
++.\" Generated by docutils manpage writer.
++.
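Review bot: The prune synopsis lists "[\-v|verbose]" without the leading dashes on the long form, while the option text below gives "-v | --verbose"; make the synopsis read --verbose so the two agree. The sentence describing -n | --dry-run also ends without a period.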
--- /dev/null
--- /dev/null
++.\" Man page generated from reStructuredText.
++.
++.TH "SURICATACTL" "1" "Nov 08, 2020" "6.0.1" "Suricata"
++.SH NAME
++suricatactl \- Suricata Control
++.
++.nr rst2man-indent-level 0
++.
++.de1 rstReportMargin
++\\$1 \\n[an-margin]
++level \\n[rst2man-indent-level]
++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
++-
++\\n[rst2man-indent0]
++\\n[rst2man-indent1]
++\\n[rst2man-indent2]
++..
++.de1 INDENT
++.\" .rstReportMargin pre:
++. RS \\$1
++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
++. nr rst2man-indent-level +1
++.\" .rstReportMargin post:
++..
++.de UNINDENT
++. RE
++.\" indent \\n[an-margin]
++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
++.nr rst2man-indent-level -1
++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
++..
++.SH SYNOPSIS
++.sp
++\fBsuricatactl\fP [\-h] <command> [<args>]
++.SH DESCRIPTION
++.sp
++This tool helps control Suricata\(aqs features.
++.SH OPTIONS
++.INDENT 0.0
++.TP
++.B \-h
++.UNINDENT
++.sp
++Get help about the available commands.
++.SH COMMANDS
++.sp
++\fBsuricatactl\-filestore(1)\fP
++.SH BUGS
++.sp
++Please visit Suricata\(aqs support page for information about submitting
++bugs or feature requests.
++.SH NOTES
++.INDENT 0.0
++.IP \(bu 2
++Suricata Home Page
++.INDENT 2.0
++.INDENT 3.5
++\fI\%https://suricata\-ids.org/\fP
++.UNINDENT
++.UNINDENT
++.IP \(bu 2
++Suricata Support Page
++.INDENT 2.0
++.INDENT 3.5
++\fI\%https://suricata\-ids.org/support/\fP
++.UNINDENT
++.UNINDENT
++.UNINDENT
++.SH COPYRIGHT
++2016-2019, OISF
++.\" Generated by docutils manpage writer.
++.
--- /dev/null
--- /dev/null
++.\" Man page generated from reStructuredText.
++.
++.TH "SURICATASC" "1" "Nov 08, 2020" "6.0.1" "Suricata"
++.SH NAME
++suricatasc \- Tool to interact via unix socket
++.
++.nr rst2man-indent-level 0
++.
++.de1 rstReportMargin
++\\$1 \\n[an-margin]
++level \\n[rst2man-indent-level]
++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
++-
++\\n[rst2man-indent0]
++\\n[rst2man-indent1]
++\\n[rst2man-indent2]
++..
++.de1 INDENT
++.\" .rstReportMargin pre:
++. RS \\$1
++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
++. nr rst2man-indent-level +1
++.\" .rstReportMargin post:
++..
++.de UNINDENT
++. RE
++.\" indent \\n[an-margin]
++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
++.nr rst2man-indent-level -1
++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
++..
++.SH SYNOPSIS
++.sp
++\fBsuricatasc\fP
++.SH DESCRIPTION
++.sp
++Suricata socket control tool
++.SH COMMANDS
++.INDENT 0.0
++.TP
++.B shutdown
++Shut Suricata instance down.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B command\-list
++List available commands.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B help
++Get help about the available commands.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B version
++Print the version of Suricata instance.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B uptime
++Display the uptime of Suricata.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B running\-mode
++Display running mode. This can either be \fIworkers\fP, \fIautofp\fP or \fIsingle\fP\&.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B capture\-mode
++Display the capture mode. This can be either of \fIPCAP_DEV\fP,
++\fIPCAP_FILE\fP, \fIPFRING(DISABLED)\fP, \fINFQ\fP, \fINFLOG\fP, \fIIPFW\fP, \fIERF_FILE\fP,
++\fIERF_DAG\fP, \fIAF_PACKET_DEV\fP, \fINETMAP(DISABLED)\fP, \fIUNIX_SOCKET\fP or
++\fIWINDIVERT(DISABLED)\fP\&.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B conf\-get <variable>
++Get configuration value for a given variable. Variable to be provided can be
++either of the configuration parameters that are written in suricata.yaml.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B dump\-counters
++Dump Suricata\(aqs performance counters.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B ruleset\-reload\-rules
++Reload the ruleset and wait for completion.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B reload\-rules
++Alias .. describe \fIruleset\-reload\-rules\fP\&.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B ruleset\-reload\-nonblocking
++Reload ruleset and proceed without waiting.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B ruleset\-reload\-time
++Return time of last reload.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B ruleset\-stats
++Display the number of rules loaded and failed.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B ruleset\-failed\-rules
++Display the list of failed rules.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B register\-tenant\-handler <id> <htype> [hargs]
++Register a tenant handler with the specified mapping.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B unregister\-tenant\-handler <id> <htype> [hargs]
++Unregister a tenant handler with the specified mapping.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B register\-tenant <id> <filename>
++Register tenant with a particular ID and filename.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B reload\-tenant <id> <filename>
++Reload a tenant with specified ID and filename.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B unregister\-tenant <id>
++Unregister tenant with a particular ID.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B add\-hostbit <ipaddress> <hostbit> <expire>
++Add hostbit on a host IP with a particular bit name and time of expiry.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B remove\-hostbit <ipaddress> <hostbit>
++Remove hostbit on a host IP with specified IP address and bit name.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B list\-hostbit <ipaddress>
++List hostbit for a particular host IP.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B reopen\-log\-files
++Reopen log files to be run after external log rotation.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B memcap\-set <config> <memcap>
++Update memcap value of a specified item.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B memcap\-show <config>
++Show memcap value of a specified item.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B memcap\-list
++List all memcap values available.
++.UNINDENT
++.SH PCAP MODE COMMANDS
++.INDENT 0.0
++.TP
++.B pcap\-file <file> <dir> [tenant] [continuous] [delete\-when\-done]
++Add pcap files to Suricata for sequential processing. The generated
++log/alert files will be put into the directory specified as second argument.
++Make sure to provide absolute path to the files and directory. It is
++acceptable to add multiple files without waiting the result.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B pcap\-file\-continuous <file> <dir> [tenant] [delete\-when\-done]
++Add pcap files to Suricata for sequential processing. Directory will be
++monitored for new files being added until there is a use of
++\fBpcap\-interrupt\fP or directory is moved or deleted.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B pcap\-file\-number
++Number of pcap files waiting to get processed.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B pcap\-file\-list
++List of queued pcap files.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B pcap\-last\-processed
++Processed time of last file in milliseconds since epoch.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B pcap\-interrupt
++Terminate the current state by interrupting directory processing.
++.UNINDENT
++.INDENT 0.0
++.TP
++.B pcap\-current
++Currently processed file.
++.UNINDENT
++.SH BUGS
++.sp
++Please visit Suricata\(aqs support page for information about submitting
++bugs or feature requests.
++.SH NOTES
++.INDENT 0.0
++.IP \(bu 2
++Suricata Home Page
++.INDENT 2.0
++.INDENT 3.5
++\fI\%https://suricata\-ids.org/\fP
++.UNINDENT
++.UNINDENT
++.IP \(bu 2
++Suricata Support Page
++.INDENT 2.0
++.INDENT 3.5
++\fI\%https://suricata\-ids.org/support/\fP
++.UNINDENT
++.UNINDENT
++.UNINDENT
++.SH COPYRIGHT
++2016-2019, OISF
++.\" Generated by docutils manpage writer.
++.
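Review bot: In the PCAP MODE COMMANDS section, the synopses for `pcap-file` and `pcap-file-continuous` list the optional arguments `[tenant]`, `[continuous]` and `[delete-when-done]`, but the descriptions never say what they do. `delete-when-done` deserves an explicit sentence, because its name suggests the input file is removed after processing and an operator should know that before queueing evidence files. The absolute-path requirement is stated only under `pcap-file`; if it also applies to `pcap-file-continuous` and to the `<filename>` argument of `register-tenant` and `reload-tenant`, say so there too. A smaller wording point: "Reopen log files to be run after external log rotation" would read better as "Reopen log files; run this after external log rotation".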
--- /dev/null
--- /dev/null
++Test-Command: suricata --build-info
++Depends: @
++
++Test-Command: suricatasc -c "version"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: suricatasc -c "command-list"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: suricatasc -c "capture-mode"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: sleep 10 && suricatasc -c "dump-counters"
++Depends: @
++Restrictions: needs-root, isolation-container
++
++Test-Command: suricatasc -c "uptime"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: suricatasc -c "reload-rules"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: suricatasc -c "iface-list"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: suricatasc -c "shutdown"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Test-Command: sleep 10 && suricatasc -c "running-mode"
++Depends: @
++Restrictions: needs-root, isolation-container, flaky
++
++Tests: suricata-oinkmaster-updater.sh
++Depends: @, curl
++Restrictions: needs-root, isolation-container, allow-stderr, skippable
++
++Tests: systemd-service-test.sh
++Depends: @, systemd, procps
++Restrictions: needs-root, isolation-container, allow-stderr
++
++Test-Command: src/suricata -u
++Depends: @, @builddeps@, procps, geoip-database
++Restrictions: needs-root, isolation-container, build-needed, allow-stderr
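Review bot: The `suricatasc -c "shutdown"` stanza sits directly before `sleep 10 && suricatasc -c "running-mode"`, which needs a live daemon, and nothing in the file restarts the service between them. If the stanzas share a testbed, the second one can only pass by accident, and its `flaky` restriction hides the failure. Consider moving the shutdown test to the end of the suricatasc group or marking it `breaks-testbed`. More generally, every suricatasc stanza except `dump-counters` is marked `flaky`, so a real regression in the unix command socket would not fail the run; it would be worth fixing the startup race (the `sleep 10` in two stanzas suggests that is the cause) and dropping `flaky` where possible.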
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++curl -m 30 -fSs 'https://rules.emergingthreats.net' > /dev/null || exit 77
++suricata-oinkmaster-updater
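Review bot: The `curl ... || exit 77` guard only probes the root of `https://rules.emergingthreats.net`, so the skip covers a fully unreachable host but not a failure of the actual rule download inside `suricata-oinkmaster-updater`, which will be reported as a test failure. If the intent is "skip whenever the network is the problem", probe the URL the updater really fetches, or document that a download error is meant to fail. A short comment explaining that 77 is the skip code paired with `skippable` in the control file would also help the next reader.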
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++set -ex
++
++SERVICE="suricata.service"
++ETC_SERVICE_FILE="/etc/systemd/system/${SERVICE}"
++LIB_SERVICE_FILE="/lib/systemd/system/${SERVICE}"
++CONFIG_FILE="/etc/suricata/suricata.yaml"
++IFACE=$(ip route show | awk '/default/ {print $5}')
++
++if [ ! -r "$LIB_SERVICE_FILE" ] ; then
++ : ERROR unable to read $LIB_SERVICE_FILE
++ exit 1
++fi
++if [ ! -w "$CONFIG_FILE" ] ; then
++ : ERROR unable to write to $CONFIG_FILE
++ exit 1
++fi
++
++systemctl_action()
++{
++ if ! systemctl $1 $SERVICE ; then
++ journalctl -u $SERVICE
++ return 1
++ fi
++ return 0
++}
++
++echo "
++%YAML 1.1
++---
++default-rule-path: /etc/suricata/rules
++rule-files:
++ - tor.rules
++ - http-events.rules
++ - smtp-events.rules
++ - dns-events.rules
++ - tls-events.rules
++classification-file: /etc/suricata/classification.config
++reference-config-file: /etc/suricata/reference.config
++default-log-dir: /var/log/suricata/
++af-packet:
++ - interface: $IFACE
++ cluster-id: 99
++ cluster-type: cluster_flow
++ defrag: yes
++ - interface: default
++ tpacket-v3: yes
++ block-size: 131072
++app-layer:
++ protocols:
++ ssh:
++ enabled: yes
++host-mode: auto
++unix-command:
++ enabled: yes
++ filename: /var/run/suricata-command.socket
++detect:
++ profile: medium
++ custom-values:
++ toclient-groups: 3
++ toserver-groups: 25
++ sgh-mpm-context: auto
++ inspection-recursion-limit: 3000
++ grouping:
++ profiling:
++ grouping:
++ dump-to-disk: false
++ include-rules: false
++ include-mpm-stats: false
++mpm-algo: auto
++spm-algo: auto
++" > $CONFIG_FILE
++
++#
++# before start, package installation may start the daemon
++#
++if systemctl -q is-active $SERVICE ; then
++ : WARNING initial service running, stopping now
++ if ! systemctl_action stop ; then
++ : ERROR cant stop initial service
++ exit 1
++ fi
++fi
++
++#
++# First run of the daemon and basic checks
++#
++if ! systemctl_action start ; then
++ : ERROR cant start the service
++ exit 1
++fi
++sleep 10 # wait for service startup
++systemctl status $SERVICE
++
++#
++# Restart the daemon
++#
++if ! systemctl_action restart ; then
++ : ERROR unable to restart the service
++ exit 1
++fi
++
++sleep 10 # wait for serive startup
++if ! systemctl -q is-active $SERVICE ; then
++ journalctl -u $SERVICE
++ : ERROR service not active after restart
++ exit 1
++fi
++
++#
++# Reload the daemon
++#
++
++: WARNING: Not testing daemon reload: it timeouts in ci.debian.net
++
++#if ! systemctl_action reload ; then
++# : ERROR unable to reload the service
++# exit 1
++#fi
++
++#sleep 10 # wait for service reload
++#if ! systemctl -q is-active $SERVICE ; then
++# journalctl -u $SERVICE
++# : ERROR service not active after reload
++# exit 1
++#fi
++
++: INFO all tests OK
++exit 0
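Review bot: `IFACE=$(ip route show | awk '/default/ {print $5}')` is written into the `af-packet` section without any validation. With no default route the value is empty, and with more than one default route it spans several lines, so in both cases the generated suricata.yaml is malformed and the later start failure will look like a service problem rather than a test setup problem. Check that `$IFACE` is a single non-empty word before writing the config and exit with a clear error otherwise. The script also calls `ip`, while its control stanza depends only on `@, systemd, procps`; add `iproute2` unless the package is guaranteed to pull it in. Smaller points: `ETC_SERVICE_FILE` is set but never used, the first start is checked with `systemctl status` while the restart uses `systemctl -q is-active` plus a journal dump (using the second form in both places gives better diagnostics), and the comment "wait for serive startup" has a typo.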
--- /dev/null
--- /dev/null
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++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++=Rr5U
++-----END PGP PUBLIC KEY BLOCK-----
--- /dev/null
--- /dev/null
++# watch control file for uscan
++# run the "uscan" command to check for upstream updates and more.
++# See uscan(1) for format
++
++# Compulsory line, this is a version 3 file
++version=3
++
++opts=pgpsigurlmangle=s/$/.sig/ https://openinfosecfoundation.org/download/ suricata-([\d\.]*)\.tar\.gz
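Review bot: In the last line the version pattern `([\d\.]*)` also matches an empty string, so a file named `suricata-.tar.gz` would be accepted as a release; `([\d\.]+)` or a stricter `(\d[\d\.]*)` avoids that. Keeping `pgpsigurlmangle=s/$/.sig/` is good, since it makes uscan verify the tarball signature against the packaged upstream key. While touching the file, consider moving from `version=3` to `version=4`, the current uscan watch format.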