From patchwork Wed Jul 13 21:03:50 2022
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 5748
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH] suricata: Update to 5.0.10
Date: Wed, 13 Jul 2022 23:03:50 +0200
Message-Id: <20220713210350.4043526-1-matthias.fischer@ipfire.org>
List-Id: IPFire development talk

Changelog: "5.0.10 -- 2022-07-12
Bug #5429: TCP flow that retransmits the SYN with a newer TSval not properly tracked (5.0.x backport)
[Note: Therefore 'suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch' could be removed]
Bug #5424: inspection of smb traffic without smb/dcerpc doesn't work correct. (5.0.x backport)
Bug #5423: DCERPC protocol detection when nested in SMB (5.0.x backport)
Bug #5404: detect: will still inspect packets of a "dropped" flow for non-TCP (5.0.x backport)
Bug #5388: detect/threshold: offline time handling issue (5.0.x backports)
Bug #5358: test failure on Ubuntu 22.04 with GCC 12 (5.0.x backport)
Bug #5354: detect/alert: fix segvfault when incrementing discarded alerts if alert-queue-expand fails (5.0.x backport)
Bug #5345: CIDR prefix calculation fails on big endian archs (5.0.x backport)
Bug #5343: ftp: quadratic complexity for tx iterator with linked list (5.0.x backport)
Bug #5341: decode/mime: base64 decoding for data with spaces is broken (5.0.x backport)
Bug #5339: PreProcessCommands does not handle all the edge cases (5.0.x backport)
Bug #5325: FTP: expectation created in wrong direction (5.0.x backport)
Bug #5305: cppcheck: various static analyzer "warning"s
Bug #5302: Failed assert DeStateSearchState
Bug #5301: eve: payload field randomly missing even if the packet field is present
Bug #5289: Remove unneeded stack-on-signal initialization.
Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport) Bug #5113: Off-by-one in flow-manager flow_hash row allocation Bug #5055: Documentation copyright years are invalid Bug #5021: dataset: error with space in rule language Bug #4926: Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport) Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned Optimization #5123: alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport) Optimization #5121: Use configurable or more dynamic @ PACKET_ALERT_MAX@ (5.0.x backport) Task #5322: stats/alert: log out to stats alerts that have been discarded from packet queue (5.0.x backport)" Signed-off-by: Matthias Fischer Reviewed-by: Stefan Schantl Reviewed-by: Stefan Schantl --- lfs/suricata | 5 +- ...-Handle-retransmitted-SYN-with-TSval.patch | 55 ------------------- 2 files changed, 2 insertions(+), 58 deletions(-) delete mode 100644 src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch diff --git a/lfs/suricata b/lfs/suricata index 1ebcb4ba4..1fbc2c185 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ include Config -VER = 5.0.9 +VER = 5.0.10 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 02ab99585233a47b1577e55060ba1141c339718e5bd39b6f4d38bb9384fd459aae353f313083048128507f9023a8bcfea3e5a5bcc9ea0c75cfc9c288ca9db6b6 +$(DL_FILE)_BLAKE2 = b5c83b9882e89894c3dedb7f536d584a20bbeab24236752e528171db6589a6308422c8b0be4f433fc63b8cfc227aa0b67935a4aece943b10f4577398ea9ed467 install : $(TARGET) 
@@ -70,7 +70,6 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-disable-sid-2210059.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \ diff --git a/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch deleted file mode 100644 index 6bc745a0f..000000000 --- a/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001 -From: Michael Tremer -Date: Fri, 19 Nov 2021 17:17:47 +0000 -Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval - -For connections that use TCP timestamps for which the first SYN packet -does not reach the server, any replies to retransmitted SYNs will be -tropped. - -This is happening in StateSynSentValidateTimestamp, where the timestamp -value in a SYN-ACK packet must match the one from the SYN packet. -However, since the server never received the first SYN packet, it will -respond with an updated timestamp from any of the following SYN packets. - -The timestamp value inside suricata is not being updated at any time -which should happen. This patch fixes that problem. - -This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318. - -Signed-off-by: Michael Tremer ---- - src/stream-tcp.c | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/src/stream-tcp.c b/src/stream-tcp.c -index 1cff19fa5..af681760b 100644 ---- a/src/stream-tcp.c -+++ b/src/stream-tcp.c -@@ -1641,6 +1641,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p, - "ssn->client.last_ack %"PRIu32"", ssn, - ssn->client.isn, ssn->client.next_seq, - ssn->client.last_ack); -+ } else if (PKT_IS_TOSERVER(p)) { -+ /* -+ * On retransmitted SYN packets, the timestamp value must be updated, -+ * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN -+ * with an updated timestamp in StateSynSentValidateTimestamp. -+ */ -+ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) { -+ uint32_t ts_val = TCP_GET_TSVAL(p); -+ -+ // Check whether packets have been received in the correct order (only ever update) -+ if (ssn->client.last_ts < ts_val) { -+ ssn->client.last_ts = ts_val; -+ ssn->client.last_pkt_ts = p->ts.tv_sec; -+ } -+ -+ SCLogDebug("ssn %p: Retransmitted SYN. 
Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt); -+ } - } - - /** \todo check if it's correct or set event */ --- -2.30.2 -
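Review bot: the new `$(DL_FILE)_BLAKE2` value in the `@@ -40,7 +40,7 @@` hunk of lfs/suricata is not explained anywhere in the commit message; please state how it was obtained, for instance that it was computed from a suricata-5.0.10.tar.gz whose upstream signature or published checksum was verified first. Without that, a reviewer can only confirm that the hash matches whatever file was downloaded, not that the file is the genuine 5.0.10 release. The `-VER = 5.0.9` / `+VER = 5.0.10` change in the `@@ -24,7 +24,7 @@` hunk is consistent with the subject line and the quoted changelog header.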
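Review bot: in the `@@ -70,7 +70,6 @@` hunk of lfs/suricata the `patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch` line is dropped, but the commit message only says the patch "could be removed"; since the removal is in fact done here, word it as a definite statement that upstream's fix for Bug #5429 in 5.0.10 supersedes the local patch. The remaining context lines still apply suricata-disable-sid-2210059.patch and suricata-5.0.8-fix-level1-cache-line-size-detection.patch to the 5.0.10 tree; the second is named for 5.0.8, so it is worth saying in the cover text that both were confirmed to apply cleanly against 5.0.10.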
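Review bot: deleting src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch is only safe if upstream's Bug #5429 fix covers the same path this patch touched: the `} else if (PKT_IS_TOSERVER(p))` branch in StreamTcpPacketStateSynSent that updates `ssn->client.last_ts` and `ssn->client.last_pkt_ts` for a retransmitted SYN so that StateSynSentValidateTimestamp accepts the later SYN-ACK. The changelog title ("TCP flow that retransmits the SYN with a newer TSval not properly tracked") matches this patch's subject, but the commit message should say that the original scenario from the patch description (first SYN lost, server answering a retransmitted SYN with a newer TSval) was re-tested on 5.0.10 without the local patch, because a regression here drops the SYN-ACK and the flow silently rather than failing loudly.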