From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] suricata: Update to 5.0.10
Date: Thu, 14 Jul 2022 10:38:08 +0100
Message-ID: <45A0DE6C-B60F-450E-B11B-50E23067C136@ipfire.org>
In-Reply-To: <181fc0f0df0.2777.cac9d3ffac9e24d09d20af05166fd73b@ipfire.org>

You are missing a bracket:

Reviewed-by: Stefan Schantl

> On 14 Jul 2022, at 10:34, Stefan Schantl wrote:
>
> Excellent work!
>
> Reviewed-by: Stefan Schantl
>
>
> On 13 July 2022 23:04:00 Matthias Fischer wrote:
>
>> Changelog:
>>
>> "5.0.10 -- 2022-07-12
>>
>> Bug #5429: TCP flow that retransmits the SYN with a newer TSval not properly tracked (5.0.x backport)
>> [Note: Therefore 'suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch' could be removed]
>>
>> Bug #5424: inspection of smb traffic without smb/dcerpc doesn't work correct. (5.0.x backport)
>> Bug #5423: DCERPC protocol detection when nested in SMB (5.0.x backport)
>> Bug #5404: detect: will still inspect packets of a "dropped" flow for non-TCP (5.0.x backport)
>> Bug #5388: detect/threshold: offline time handling issue (5.0.x backports)
>> Bug #5358: test failure on Ubuntu 22.04 with GCC 12 (5.0.x backport)
>> Bug #5354: detect/alert: fix segvfault when incrementing discarded alerts if alert-queue-expand fails (5.0.x backport)
>> Bug #5345: CIDR prefix calculation fails on big endian archs (5.0.x backport)
>> Bug #5343: ftp: quadratic complexity for tx iterator with linked list (5.0.x backport)
>> Bug #5341: decode/mime: base64 decoding for data with spaces is broken (5.0.x backport)
>> Bug #5339: PreProcessCommands does not handle all the edge cases (5.0.x backport)
>> Bug #5325: FTP: expectation created in wrong direction (5.0.x backport)
>> Bug #5305: cppcheck: various static analyzer "warning"s
>> Bug #5302: Failed assert DeStateSearchState
>> Bug #5301: eve: payload field randomly missing even if the packet field is present
>> Bug #5289: Remove unneeded stack-on-signal initialization.
>> Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length
>> Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
>> Bug #5113: Off-by-one in flow-manager flow_hash row allocation
>> Bug #5055: Documentation copyright years are invalid
>> Bug #5021: dataset: error with space in rule language
>> Bug #4926: Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport)
>> Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
>> Optimization #5123: alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport)
>> Optimization #5121: Use configurable or more dynamic @ PACKET_ALERT_MAX@ (5.0.x backport)
>> Task #5322: stats/alert: log out to stats alerts that have been discarded from packet queue (5.0.x backport)"
>>
>> Signed-off-by: Matthias Fischer
>> ---
>> lfs/suricata | 5 +-
>> ...-Handle-retransmitted-SYN-with-TSval.patch | 55 -------------------
>> 2 files changed, 2 insertions(+), 58 deletions(-)
>> delete mode 100644 src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
>>
>> diff --git a/lfs/suricata b/lfs/suricata
>> index 1ebcb4ba4..1fbc2c185 100644
>> --- a/lfs/suricata
>> +++ b/lfs/suricata
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER = 5.0.9
>> +VER = 5.0.10
>>
>> THISAPP = suricata-$(VER)
>> DL_FILE = $(THISAPP).tar.gz
>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_BLAKE2 = 02ab99585233a47b1577e55060ba1141c339718e5bd39b6f4d38bb9384fd459aae353f313083048128507f9023a8bcfea3e5a5bcc9ea0c75cfc9c288ca9db6b6
>> +$(DL_FILE)_BLAKE2 = b5c83b9882e89894c3dedb7f536d584a20bbeab24236752e528171db6589a6308422c8b0be4f433fc63b8cfc227aa0b67935a4aece943b10f4577398ea9ed467
>>
>> install : $(TARGET)
>>
>> @@ -70,7 +70,6 @@ $(subst %,%_BLAKE2,$(objects)) :
>> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> @$(PREBUILD)
>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
>> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
>> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-disable-sid-2210059.patch
>> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch
>> cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
>> diff --git a/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
>> deleted file mode 100644
>> index 6bc745a0f..000000000
>> --- a/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
>> +++ /dev/null
>> @@ -1,55 +0,0 @@
>> -From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001
>> -From: Michael Tremer
>> -Date: Fri, 19 Nov 2021 17:17:47 +0000
>> -Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval
>> -
>> -For connections that use TCP timestamps for which the first SYN packet
>> -does not reach the server, any replies to retransmitted SYNs will be
>> -tropped.
>> -
>> -This is happening in StateSynSentValidateTimestamp, where the timestamp
>> -value in a SYN-ACK packet must match the one from the SYN packet.
>> -However, since the server never received the first SYN packet, it will
>> -respond with an updated timestamp from any of the following SYN packets.
>> -
>> -The timestamp value inside suricata is not being updated at any time
>> -which should happen. This patch fixes that problem.
>> -
>> -This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318.
>> -
>> -Signed-off-by: Michael Tremer
>> ----
>> - src/stream-tcp.c | 17 +++++++++++++++++
>> - 1 file changed, 17 insertions(+)
>> -
>> -diff --git a/src/stream-tcp.c b/src/stream-tcp.c
>> -index 1cff19fa5..af681760b 100644
>> ---- a/src/stream-tcp.c
>> -+++ b/src/stream-tcp.c
>> -@@ -1641,6 +1641,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p,
>> - "ssn->client.last_ack %"PRIu32"", ssn,
>> - ssn->client.isn, ssn->client.next_seq,
>> - ssn->client.last_ack);
>> -+ } else if (PKT_IS_TOSERVER(p)) {
>> -+ /*
>> -+ * On retransmitted SYN packets, the timestamp value must be updated,
>> -+ * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN
>> -+ * with an updated timestamp in StateSynSentValidateTimestamp.
>> -+ */
>> -+ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) {
>> -+ uint32_t ts_val = TCP_GET_TSVAL(p);
>> -+
>> -+ // Check whether packets have been received in the correct order (only ever update)
>> -+ if (ssn->client.last_ts < ts_val) {
>> -+ ssn->client.last_ts = ts_val;
>> -+ ssn->client.last_pkt_ts = p->ts.tv_sec;
>> -+ }
>> -+
>> -+ SCLogDebug("ssn %p: Retransmitted SYN. Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt);
>> -+ }
>> - }
>> -
>> - /** \todo check if it's correct or set event */
>> ---
>> -2.30.2
>> -
>> --
>> 2.25.1
>
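Review bot: The new `$(DL_FILE)_BLAKE2` value in the `@@ -40,7 +40,7 @@` hunk of lfs/suricata is what the build checks the downloaded tarball against (the `$(subst %,%_BLAKE2,$(objects))` target in the following hunk header), and neither the hunk nor the commit message says how the value was obtained. Please add a sentence to the commit message stating that the 5.0.10 tarball was checked against upstream's published signature or checksum before the BLAKE2 was computed, so a reviewer can tell "hash of what I downloaded" from "hash of what upstream released".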
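Review bot: Removing the `patch -Np1 < .../suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch` line in the `@@ -70,7 +70,6 @@` hunk is backed by Bug #5429 in the quoted changelog, but the two patches that stay (`suricata-disable-sid-2210059.patch` and `suricata-5.0.8-fix-level1-cache-line-size-detection.patch`) appear nowhere in that changelog, so nothing in this mail shows that they still apply cleanly to the 5.0.10 tree. A line in the commit message confirming a test build of 5.0.10 with both remaining patches applied would close that gap.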
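Review bot: The file deleted in the `@@ -1,55 +0,0 @@` hunk is an IPFire-local fix rather than an upstream commit (its `From:` is Michael Tremer, and it only refreshes `ssn->client.last_ts` and `ssn->client.last_pkt_ts` for `PKT_IS_TOSERVER(p)` SYNs when the new TSval is larger), so upstream's Bug #5429 backport is a separate implementation of the same idea. Before merging, it would be worth replaying the scenario the deleted patch's own message describes (first SYN lost, server answering a retransmitted SYN that carries a newer TSval) against 5.0.10 and noting in the commit message that the flow is now tracked without the local patch, since that is the only evidence the two fixes cover the same case.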