From: Michael Tremer
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. a702353e262542fd5becc930e42b2a47caca2a00
Date: Thu, 14 Jul 2022 09:46:16 +0000
Message-ID: <4Lk8kw5tZNz2y32@people01.haj.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  a702353e262542fd5becc930e42b2a47caca2a00 (commit)
       via  b7f887e3b112d5a871886d942645f11c59465753 (commit)
       via  e3d8db51fbf721698aa3cb767fbc134b12b0592d (commit)
       via  ce8610479e024c2c81a4b4893b7dbc792a32252c (commit)
      from  979a8b3df745e74173a777ef361bf8f3abfcbad0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a702353e262542fd5becc930e42b2a47caca2a00
Author: Michael Tremer
Date:   Thu Jul 14 09:44:42 2022 +0000

    c170: Ship suricata

    Signed-off-by: Michael Tremer

commit b7f887e3b112d5a871886d942645f11c59465753
Author: Matthias Fischer
Date:   Wed Jul 13 23:03:50 2022 +0200

    suricata: Update to 5.0.10

    Changelog:

    "5.0.10 -- 2022-07-12

    Bug #5429: TCP flow that retransmits the SYN with a newer TSval not properly tracked (5.0.x backport)
    [Note: Therefore 'suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch' could be removed]

    Bug #5424: inspection of smb traffic without smb/dcerpc doesn't work correct. (5.0.x backport)
    Bug #5423: DCERPC protocol detection when nested in SMB (5.0.x backport)
    Bug #5404: detect: will still inspect packets of a "dropped" flow for non-TCP (5.0.x backport)
    Bug #5388: detect/threshold: offline time handling issue (5.0.x backports)
    Bug #5358: test failure on Ubuntu 22.04 with GCC 12 (5.0.x backport)
    Bug #5354: detect/alert: fix segvfault when incrementing discarded alerts if alert-queue-expand fails (5.0.x backport)
    Bug #5345: CIDR prefix calculation fails on big endian archs (5.0.x backport)
    Bug #5343: ftp: quadratic complexity for tx iterator with linked list (5.0.x backport)
    Bug #5341: decode/mime: base64 decoding for data with spaces is broken (5.0.x backport)
    Bug #5339: PreProcessCommands does not handle all the edge cases (5.0.x backport)
    Bug #5325: FTP: expectation created in wrong direction (5.0.x backport)
    Bug #5305: cppcheck: various static analyzer "warning"s
    Bug #5302: Failed assert DeStateSearchState
    Bug #5301: eve: payload field randomly missing even if the packet field is present
    Bug #5289: Remove unneeded stack-on-signal initialization.
    Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length
    Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
    Bug #5113: Off-by-one in flow-manager flow_hash row allocation
    Bug #5055: Documentation copyright years are invalid
    Bug #5021: dataset: error with space in rule language
    Bug #4926: Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport)
    Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
    Optimization #5123: alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport)
    Optimization #5121: Use configurable or more dynamic @ PACKET_ALERT_MAX@ (5.0.x backport)
    Task #5322: stats/alert: log out to stats alerts that have been discarded from packet queue (5.0.x backport)"

    Signed-off-by: Matthias Fischer
    Reviewed-by: Stefan Schantl
    Reviewed-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit e3d8db51fbf721698aa3cb767fbc134b12b0592d
Author: Michael Tremer
Date:   Thu Jul 14 09:42:11 2022 +0000

    c170: Update collectd.conf

    Signed-off-by: Michael Tremer

commit ce8610479e024c2c81a4b4893b7dbc792a32252c
Author: Peter Müller
Date:   Wed Jul 13 20:05:16 2022 +0000

    collectd: Do not keep track of entropy any more

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/collectd/collectd.conf                      |  1 -
 .../{oldcore/131 => core/170}/filelists/suricata   |  0
 config/rootfiles/core/170/update.sh                |  6 +++
 lfs/suricata                                       |  5 +-
 ...m-tcp-Handle-retransmitted-SYN-with-TSval.patch | 55 ----------------------
 5 files changed, 8 insertions(+), 59 deletions(-)
 copy config/rootfiles/{oldcore/131 => core/170}/filelists/suricata (100%)
 delete mode 100644 src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch

Difference in files:
diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index e34a97da1..4ef34ea07 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -16,7 +16,6 @@ LoadPlugin conntrack LoadPlugin cpu #LoadPlugin cpufreq LoadPlugin disk -LoadPlugin entropy LoadPlugin interface LoadPlugin iptables LoadPlugin load diff --git a/config/rootfiles/core/170/filelists/suricata b/config/rootfiles/= core/170/filelists/suricata new file mode 120000 index 000000000..f671f6993 --- /dev/null +++ b/config/rootfiles/core/170/filelists/suricata @@ -0,0 +1 @@ +../../../common/suricata \ No newline at end of file diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/= update.sh index 7dde03060..aaa42cbb4 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -107,8 +107,14 @@ chown nobody:nobody /var/lib/ipblocklist # Rebuild fcrontab from scratch /usr/bin/fcrontab -z =20 +# Update collectd.conf +sed -i /etc/collectd.conf \ + -e "/LoadPlugin entropy/d" +/etc/init.d/collectd restart + # Start services /etc/init.d/rc.d/unbound start +/etc/init.d/rc.d/suricata restart =20 # This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/suricata b/lfs/suricata index 1ebcb4ba4..1fbc2c185 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 5.0.9 +VER =3D 5.0.10 =20 THISAPP =3D suricata-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_BLAKE2 =3D 02ab99585233a47b1577e55060ba1141c339718e5bd39b6f4d38bb= 9384fd459aae353f313083048128507f9023a8bcfea3e5a5bcc9ea0c75cfc9c288ca9db6b6 +$(DL_FILE)_BLAKE2 =3D b5c83b9882e89894c3dedb7f536d584a20bbeab24236752e528171= db6589a6308422c8b0be4f433fc63b8cfc227aa0b67935a4aece943b10f4577398ea9ed467 =20 install : $(TARGET) =20 
@@ -70,7 +70,6 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0-= stream-tcp-Handle-retransmitted-SYN-with-TSval.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-disa= ble-sid-2210059.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0.= 8-fix-level1-cache-line-size-detection.patch cd $(DIR_APP) && LDFLAGS=3D"$(LDFLAGS)" ./configure \ diff --git a/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitte= d-SYN-with-TSval.patch b/src/patches/suricata/suricata-5.0-stream-tcp-Handle-= retransmitted-SYN-with-TSval.patch deleted file mode 100644 index 6bc745a0f..000000000 --- a/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-w= ith-TSval.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001 -From: Michael Tremer -Date: Fri, 19 Nov 2021 17:17:47 +0000 -Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval - -For connections that use TCP timestamps for which the first SYN packet -does not reach the server, any replies to retransmitted SYNs will be -tropped. - -This is happening in StateSynSentValidateTimestamp, where the timestamp -value in a SYN-ACK packet must match the one from the SYN packet. -However, since the server never received the first SYN packet, it will -respond with an updated timestamp from any of the following SYN packets. - -The timestamp value inside suricata is not being updated at any time -which should happen. This patch fixes that problem. - -This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318. - -Signed-off-by: Michael Tremer ---- - src/stream-tcp.c | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/src/stream-tcp.c b/src/stream-tcp.c -index 1cff19fa5..af681760b 100644 ---- a/src/stream-tcp.c -+++ b/src/stream-tcp.c -@@ -1641,6 +1641,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv= , Packet *p, - "ssn->client.last_ack %"PRIu32"", ssn, - ssn->client.isn, ssn->client.next_seq, - ssn->client.last_ack); -+ } else if (PKT_IS_TOSERVER(p)) { -+ /* -+ * On retransmitted SYN packets, the timestamp value must be updated, -+ * to avoid dropping any SYN+ACK packets that respond to a retransmitt= ed SYN -+ * with an updated timestamp in StateSynSentValidateTimestamp. -+ */ -+ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TC= P_HAS_TS(p)) { -+ uint32_t ts_val =3D TCP_GET_TSVAL(p); -+ -+ // Check whether packets have been received in the correct = order (only ever update) -+ if (ssn->client.last_ts < ts_val) { -+ ssn->client.last_ts =3D ts_val; -+ ssn->client.last_pkt_ts =3D p->ts.tv_sec; -+ } -+ -+ SCLogDebug("ssn %p: Retransmitted SYN. 
Updated timestamp fr= om packet %"PRIu64, ssn, p->pcap_cnt); -+ } - } -=20 - /** \todo check if it's correct or set event */ ---=20 -2.30.2 - hooks/post-receive -- IPFire 2.x development tree --===============3218797758190952087==--
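Review bot: in the config/rootfiles/core/170/update.sh hunk, the added `/etc/init.d/collectd restart` uses a different init-script path form than the neighbouring `/etc/init.d/rc.d/unbound start` and the added `/etc/init.d/rc.d/suricata restart`; pick one form for the whole block. The suricata restart is also unconditional, so it is worth confirming that the suricata initscript honours the IPS enabled/disabled setting, otherwise this update starts suricata on installations where it was switched off. The `sed -i /etc/collectd.conf -e "/LoadPlugin entropy/d"` pattern is unanchored and would also delete a commented `#LoadPlugin entropy` line, which is harmless here but could be tightened to `^LoadPlugin entropy$`.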
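Review bot: in the lfs/suricata hunk that drops `cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch` (together with the hunk deleting that patch file), the only justification is the note in the commit message that Bug #5429 is fixed in 5.0.10 and the patch "could be removed"; since the deleted patch is a local change to StreamTcpPacketStateSynSent rather than a straight upstream backport, the commit message should state that the upstream 5.0.10 fix was checked to cover the same retransmitted-SYN TSval case, so that nobody has to re-derive this from the removed file later.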