From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 30cae58dd0be39699a95473e4abdbaace1d2f15f
Date: Fri, 08 Aug 2025 15:11:01 +0000 (UTC)
Message-ID: <4bz6tF3c77z2xHR@people01.haj.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 30cae58dd0be39699a95473e4abdbaace1d2f15f (commit)
via 9a46d0806f10011e66794fed4ba04c85beca7ed2 (commit)
via 6de4f7200ae09c5978215f178657e9451be58439 (commit)
via 0f388dc6d28383f9a5ac230f0dcea23b68b30f7d (commit)
via b141bee7923d7c738189d98c716bc2e8aa827edd (commit)
via 47d0118abbbdc2bfec798c6cb99e976820aec862 (commit)
via 5015601b7a7128bfe1e4282c26f72c6cb5ecb031 (commit)
via 5d503216b9757b228bc3020a976e9cd95b33b4fc (commit)
via 1fa9c1c12894f502f301fd1d2656cbdfe78e4090 (commit)
via 799b385d1075042ca0d0ab9485d149a208bc7762 (commit)
via fb8caf7839080c860bd5cbd62d2d667b20dac970 (commit)
via 2271a47bf31682be8c0bb9319277339a86cc70be (commit)
from ceb35099fa8af7c2ac85fa2487e1e5ec4e36d2ce (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 30cae58dd0be39699a95473e4abdbaace1d2f15f
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Aug 8 15:10:39 2025 +0000
core198: Ship graphs.pl
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9a46d0806f10011e66794fed4ba04c85beca7ed2
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Aug 5 11:44:51 2025 +0100
IPS: Rename bypassed to "Offloaded"
Bypassed seems to suggest to some people that the traffic was never
looked at, when in fact the IPS is rather offloading anything it is no
longer interested in. I think this is a better phrase.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 6de4f7200ae09c5978215f178657e9451be58439
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Aug 5 11:40:27 2025 +0100
suricata: Create the SGH cache directory
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 0f388dc6d28383f9a5ac230f0dcea23b68b30f7d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Aug 5 11:34:13 2025 +0100
suricata: Sync configuration with upstream
There are not many big changes except that any new engines have been
enabled and new defaults have been carried over from upstream.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit b141bee7923d7c738189d98c716bc2e8aa827edd
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Aug 8 15:06:58 2025 +0000
core198: Ship binutils
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 47d0118abbbdc2bfec798c6cb99e976820aec862
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Aug 8 14:28:42 2025 +0000
make.sh: Bump toolchain version
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5015601b7a7128bfe1e4282c26f72c6cb5ecb031
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Aug 8 14:28:41 2025 +0000
binutils: Update to 2.45
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5d503216b9757b228bc3020a976e9cd95b33b4fc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Aug 8 15:03:50 2025 +0000
core198: Ship vectorscan
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 1fa9c1c12894f502f301fd1d2656cbdfe78e4090
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Jul 22 23:22:08 2025 +0200
vectorscan: Update to version 5.4.12
- Update from version 5.4.11 to 5.4.12
- Update of rootfile
- Removal of patch for sse4.2 as changes now part of source tarball
- Changelog
5.4.12
Multiple changes since last release, this will be the last 100% ABI and API
compatible with Hyperscan release.
Next versions will include major refactors and API extensions, it will be
mostly backwards compatible however.
Without particular order, platform support is now:
* Linux (x86, Arm, Power)
* FreeBSD 14 (x86, Arm, Power)
* MacOS 14+ (x86, Arm)
In total more than 200 configurations in the CI are tested for every PR.
Other features:
- Fat Runtime supported for Arm as well (ASIMD/SVE/SVE2).
- Initial implementations for Arm SVE/SVE2 algorithms added, thanks to
Yoan Picchi from Arm.
- SIMDe support added, used as an alternative backend for existing
platforms, but mostly interesting for allowing Vectorscan to build
in new platforms without a supported SIMD engine.
- Various speedups and optimizations.
- Cppcheck and clang-tidy fixes throughout the code, both have been
added to CI for multiple configurations, but only cppcheck triggers
a build failure for now.
Various bugfixes, most important listed:
- Speed up truffle with 256b TBL instructions (#290)
- Fix Clang Tidy warnings (#295)
- Clang 17+ is more restrictive on rebind<T> on MacOS/Boost, remove
warning (#332)
- partial_load_u64 will fail if buf == NULL/c_len == 0 (#331)
- Bugfix/fix avx512vbmi regressions (#335)
- fix missing hs_version.h header (closes #198)
- hs_valid_platform: Fix check for SSE4.2 (#310)
- Fixed out of bounds read in AVX512VBMI version of
fdr_exec_fat_teddy … (#333)
- Fix noodle SVE2 off by one bug (#313)
- Make vectorscan accept \0 starting pattern (#312)
- Fix 5.4.11's config step regression (#327)
- Fix double shufti's vector end false positive (#325)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 799b385d1075042ca0d0ab9485d149a208bc7762
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Aug 8 15:02:39 2025 +0000
core198: Ship suricata
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit fb8caf7839080c860bd5cbd62d2d667b20dac970
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Jul 22 18:55:43 2025 +0200
suricata: Update to version 8.0.0
- Update from version 7.0.11 to 8.0.0
- Update of rootfile
- patch file updated for disabling sid-2210059
- Changelog
8.0.0
Security #7658: http2: global tx (stream id 0) may open file and never close
it (HIGH - CVE 2025-53538)
Bug #7798: dpdk: auto count of threads assigns more threads than affined
Bug #7791: http: BUG_ON assertion reached in packet path
Bug #7790: affinity: intermittent unittest failures
Bug #7789: dpdk: compilation warning of a function without prototype
Bug #7783: smtp: incorrect inspection window
Bug #7752: decode: no parent packet flow for ip-in-ipv6
Bug #7678: mpm/ac: error "Just ran out of space in the queue"
Bug #7649: lib: suricata version in sys crate needs to be updated on build
Bug #1484: src: BUG_ON(1) statements in the packet path
Optimization #7643: excessive mtu messages at start up
Optimization #7212: strtoul: replace with ByteExtractString variant
Optimization #6264: mpm/ac-ks: reduce stack usage
Optimization #4753: lua: fix inconsistency in the init "needs" key
Documentation #7749: doc: update user manual section on RPMs
Documentation #7723: doc/exceptions: review 'inspection' terminology
Documentation #7648: rtd: set "latest" to last stable release starting with 8.0.0
Documentation #7078: devguide: document current ffi naming style
Documentation #6955: devguide: update coding-style docs
Documentation #6566: userguide: add description for missing EVE krb fields
Documentation #6288: eve/schema: generate tables of data for app-layer protocols
Documentation #6252: userguide/install: move Ubuntu distros to their own page
Documentation #6069: userguide/install: move RPM distros to their own page
Documentation #6022: devguide: explain how the engine identifies applayer
protocols
Documentation #5911: userguide: update & bring guide for installation on
Windows to RtD
Task #7758: decode: add stats counters for ipv4/ipv6 over ipv4
Task #7750: packaging: rpm for RHEL 10
Task #7632: suricata-lua-sys: tag with a non-prerelease version
Task #6941: lua: review and document lua rule return types
Task #6814: libsuricata: opt-in signal handling
Task #6359: detect/analyzer: add more details for the ICMP icode keyword
Task #6262: tracking: reduce stack usage
8.0.0-rc1
Feature #7715: rules: add option to skip flow tracking for a packet
Feature #7714: detect: add pre_flow rule hook
Feature #7713: detect: add tcp.wscale keyword to match on TCP wscale option
values
Feature #7712: detect: add pre_stream rule hook
Feature #7702: commandline: add --list-app-layer-hooks option
Feature #7645: pgsql: add CopyIn subprotocol/mode
Feature #7635: eve: include transaction count
Feature #7599: mime: add email.received keyword
Feature #7597: mime: add email.url keyword
Feature #7593: mime: add email.message_id keyword
Feature #7507: rules: ftp.completion_code keyword
Feature #7506: rules: ftp.reply_received keyword
Feature #7505: rules: ftp.mode keyword
Feature #7504: rules: ftp.dynamic_port keyword
Feature #7372: Datajson: a dataset evolution
Feature #7047: eve: add ip version field
Feature #7036: DPDK NUMA setup: choose correct CPUs from worker-cpu-set
Feature #6805: cpu-affinity: enhance CPU affinity logic with per-interface
NUMA preferences
Feature #6695: tls: log extensions
Feature #6259: pgsql: add `query` detection keyword
Feature #5692: http: brotli content encoding for HTTP/1.1
Feature #4099: app-layer: allow direct rule keyword registration
Feature #3952: protocols: implement mDNS
Feature #2290: lua: use script as transform
Bug #7747: affinity: warnings in the granular thread affinity settings code
Bug #7746: suricatasc does not handle reconnect
Bug #7735: brotli: old crate version has integer underflow
Bug #7732: http1: use cursor wrapper handling EOF for brotli
Bug #7730: dcerpc: uint16 overflow (rust debug assertion)
Bug #7725: decode/ipv4: missing ip-in-ip case handling
Bug #7698: firewall: eve verdict field should state "accept" instead of alert
Bug #7694: flow: elephant flow counts previous bytes revisiting an index
Bug #7689: Dataset of type IP can't set IPv4
Bug #7687: flow: non-TCP protocol timeout handling leads to missing flows
Bug #7681: flow: race condition at shutdown leads to duplicate flows
Bug #7671: lua: suricata-lua-sys needs to honor MSAN oss-fuzz flags
Bug #7668: http: lack of setting updated_ts leads to firewall bypass
Bug #7665: transaction rules: support filesize
Bug #7653: ips: deconflict pass flow and drop packet rules
Bug #7647: pgsql: empty request logged if password message disabled
Bug #7634: hyperscan: coverity warnings
Bug #7579: detect/files: local_file_id not incremented if inspection buffer is
NULL
Bug #7568: pcap: continuous file reading fails on an empty directory
Bug #7549: detect: using different sticky buffers for byte_extract and
byte_jump leads to undefined value before doing the jump
Bug #7498: rust: cleanup of extern "C" functions and no_mangle
Bug #7479: segfault using dummy config
output.eve-log.types.alert.payload-buffer-size = 0
Bug #7420: detect-engine: warning fgets could get negative value
Bug #7390: byte_extract: issue with saved 'name' in distance keyword
Bug #7374: dpdk: iface-copy should not be mandatory
Bug #7344: build: build can sometimes fail copying the lua headers into place
Bug #7285: Websocket compression mishandling
Bug #7236: plugins: custom transaction loggers cannot be registered by a plugin
Bug #7019: snmp: probing parser returns ALPROTO_FAILED instead of
ALPROTO_UNKNOWN if slice.len() < 4
Bug #7004: app-layer: wrong tx may be logged for stream rules
Bug #6981: dpdk: compiler warnings about lossy integer precision
Bug #6400: log of DNS answer is in wrong direction
Bug #6186: Integer overflows 64 to 32 bytes
Bug #5739: htp: handle alloc failure for user data
Bug #5177: detect/analyzer: rule analyzer warns about http buffers usage
Bug #4815: unix socket: ftp memcap missing from socket commands
Bug #3436: suricatasc: crashing using command 'reopen-log-files'
Optimization #7733: transforms: move base64 transform pure rust
Optimization #7708: http1: add tx iterator
Optimization #7529: detect/dns: move wrapper code from C to rust
Optimization #7353: files: remove deprecated force-md5 config option
Optimization #7292: CI: clang-format rechecks every main-7.0.x commit
Optimization #7083: detect/dataset: skip adding localstatedir if fullpath is
provided
Task #7727: lua: suricata.log library
Task #7673: libsuricata: rate_filter callback
Task #7656: fast.lua: update script to reflect library use
Task #7609: lua: suricata.util lib
Task #7608: lua: turn tls into lib
Task #7607: lua: turn ssh into lib
Task #7606: lua: turn smtp into lib
Task #7605: lua: turn ja3 into lib
Task #7603: lua: turn hassh into lib
Task #7598: mime: add email.x_mailer
Task #7591: mime: add email.date keyword
Task #7491: lua: turn file into lua lib
Task #7490: lua: turn rule into lua lib
Task #7487: lua: turn flowints into lib
Task #7486: lua: turn flowvars into lib
Task #7461: suricata-verify: pass all tests
Task #7079: rust: unify rust ffi style
Task #7026: app-protos: trigger raw stream inspection
Task #6573: rust: set new minimum Rust version for Suricata 8
Task #3695: research: libhwloc for better autoconfiguration
Documentation #7683: mime: add email.attachment keyword
Documentation #7329: doc: explain the priority ports setting
Documentation #7143: doc: legacy keyword http_host used in examples
Documentation #5485: userguide: explain that the http.header_names buffer is
normalized
8.0.0-beta1
Feature #7644: pgsql: add CopyOut subprotocol/mode
Feature #7633: dpdk: refrain from creating TX queues on zero TX descriptors
Feature #7620: smb: configurable logging
Feature #7596: mime: add email.to keyword
Feature #7595: mime: add email.subject keyword
Feature #7592: mime: add email.from keyword
Feature #7588: mime: add email.cc keyword
Feature #7565: dcerpc: rpc interfaces info in request event
Feature #7533: detect/ldap: add ldap.request.attribute_type and
ldap.request.attribute keywords, and same for responses
Feature #7532: detect/ldap: add keywords for LDAPResult
Feature #7517: detect: smtp.mail_from keyword
Feature #7516: detect: smtp.rcpt_to keyword
Feature #7515: detect: smtp.helo keyword
Feature #7513: detect/integers: add support for negated strings when enum is used
Feature #7508: rules: ftp.reply keyword
Feature #7503: rules: ftp.command_data keyword
Feature #7502: rules: ftp.command keyword
Feature #7485: rules: allow specifying explicit hooks
Feature #7482: eve/flow: log tcp session reuse as a timeout reason
Feature #7481: rules/actions: explicit action scopes
Feature #7477: ldap: add support for AbandonRequest
Feature #7471: detect/ldap: add ldap.distinguished_name keywords for request
and response
Feature #7453: detect/ldap: add ldap.request.operation and
ldap.response.operation keywords
Feature #7433: eve/alert: enrich decoder event rules
Feature #7403: requires: add ability to check for a rule keyword
Feature #7382: dpdk: create separate packet mempools per queue
Feature #7381: dpdk: when running with ice driver fully start only when link
state change event is caught
Feature #7380: dpdk: provide "auto" option for RX/TX descriptors
Feature #7373: dpdk: provide "auto" option to mempool-size property
Feature #7337: dpdk: implement configuration of RSS using rte_flow rules for
major cards
Feature #7330: dpdk: support HW VLAN stripping
Feature #7320: flow: add user registerable flow update callbacks
Feature #7319: flow: add user registerable flow initialization callback
Feature #7311: http1: log invalid status as string
Feature #7291: sdp: implements sticky buffer
Feature #7243: lua: expose dataset functions
Feature #7240: libsuricata: use provided threads and packets
Feature #7204: sip: rustify sticky buffers
Feature #7203: ldap: extend parser for udp
Feature #7202: ldap: frame support
Feature #7170: hyperscan: Cache Hyperscan databases to disk to speed up the
startup
Feature #7120: threshold: add backoff type
Feature #7108: tls: ALPN keyword
Feature #7098: eve: add payload length field
Feature #7074: lua: expose base64 functions
Feature #7073: lua: expose hashing functions (md5/sha1/sha256)
Feature #7055: tls: log ALPN
Feature #7051: websocket: data frame
Feature #7045: tls-store: add support client certs
Feature #7017: dns: add OPT rdata struct and parsing
Feature #7012: rules: add dns.response sticky buffer
Feature #7011: dns: additional section parsing and logging
Feature #6967: multi-tenancy: support thresholding per tenant
Feature #6943: pcap: datalink type 229 not (yet) supported in module PcapFile
Feature #6939: lua: increment stat when a lua rule exhausts its instruction
count
Feature #6857: iprep: support seeing if rule is part of a rep list
Feature #6856: http: anomaly when request line is missing protocol
Feature #6832: pcap/log: Support BPFs for filtering pcap output
Feature #6827: arp: implement decoder and logger
Feature #6822: threshold: support tracking by flow
Feature #6788: bypass: decouple stream.bypass dependency from TLS encrypted
bypass
Feature #6739: dpdk: warn the user if user-settings are adjusted to the device
capabilities
Feature #6666: dns: add keyword for dns rrtype: dns.rrtype
Feature #6648: detect: integer: support bitmasks
Feature #6647: detect: integers: support for enumerations
Feature #6646: detect: integer: support negated ranges
Feature #6645: detect: integer parsed with hexadecimal notation
Feature #6637: requires: add skipped rules to stats
Feature #6627: sdp: add protocol parser and logger
Feature #6621: dns: add keyword for dns rcode: dns.rcode
Feature #6550: profiling/rules: allow enabling profiling for pcap file runs
Feature #6546: detect/transform: strip_pseudo_headers
Feature #6497: dns: new detection buffer: dns.query.name
Feature #6496: dns: new detection buffer: dns.answer.name
Feature #6487: detect/transform: from_base64
Feature #6480: plugins: allow plugins to specify the version of suricata they
are for
Feature #6455: txbits: support for new type of bits
Feature #6439: rules: add to_lowercase transform
Feature #6426: http2: app-layer-event and normalization when userinfo is in
the :authority pseudo header for the http.host header
Feature #6396: rules: add protocol string support for mqtt
Feature #6379: ja4: support for TLS and QUIC
Feature #6374: sip: add sticky buffers for headers
Feature #6366: pop3: protocol detection
Feature #6290: http: support case insensitive testing of header name existence
Feature #6260: flow: flow matching excluding packet recursion level
Feature #6215: flow/output: log triggered exception policy
Feature #6164: rules: allow matching on flow pkts and bytes
Feature #6090: eve/alert: missing dcerpc metadata
Feature #6079: eve/dcerpc: eve/smb: log dcerpc uuid with request/response txs
Feature #5976: eve/stats: allow hiding counters whose value is 0
Feature #5972: rules: "requires" keyword representing the minimum version of
suricata to support the rule
Feature #5839: dpdk: power saving mode
Feature #5816: stats: exception policy counters
Feature #5773: doh: support DNS over HTTPS (DoH)
Feature #5743: http2: add frame support
Feature #5734: ssh: add frame support
Feature #5665: rules: bidirectional transaction matching
Feature #5647: rules: mark flow as elephant flow
Feature #5646: rules: allow matching on flow pkts and bytes in either direction
Feature #5489: research: multi version rules; or version dependent rules
Feature #5466: detect: allow alert-then-pass logic
Feature #5446: rules: allow ranges in dns.opcode value
Feature #5234: tls: subjectAltName buffer
Feature #5082: smb: keyword for matching the SMB files
Feature #5075: smb: keyword for the SMB version
Feature #4974: eve: log rule references
Feature #4905: smtp: add stream app-layer frame support
Feature #4904: dcerpc: frames support
Feature #4853: eve: Add information about Suricata version
Feature #4777: lua: implement sandboxing
Feature #4776: lua: vendor latest lua stable
Feature #4321: http2: Support link between packets in the same stream
Feature #4102: plugins: support creating app-layer parser, logger and detect
Feature #3958: enip: convert protocol parser to rust
Feature #3487: mime: multi-part parser in Rust
Feature #3351: sip: parse traffic over tcp
Feature #2816: vlan: support more than 2 layers
Feature #2696: http: implement parser in rust
Feature #2695: websocket support
Feature #2486: prefilter/fast_pattern logic for flowbits
Feature #2377: deprecate: ssh.softwareversion and ssh.protoversion
Feature #2280: http: rules that match both request and response
Feature #1971: lua: make mandatory
Feature #1520: multi-tenancy: verbose output clarity
Feature #1199: protocol: LDAP support
Feature #1125: smtp: improve protocol detection
Feature #1065: rules: introduce vlan id keyword
Feature #845: stats: track memory consumption
Security #7615: datasets: signature keyword setting can cause high memory
usage (MODERATE - CVE 2025-29916)
Security #7613: decode_base64: signature can do large
memory allocation (HIGH - CVE 2025-29917)
Security #7526: detect: infinite loop in DetectEngineContentInspectionInternal
with negated pcre (HIGH - CVE 2025-29918)
Security #7465: ldap: bound of number of transactions is not fully enforced
Security #7464: doh2: buffer is not really limited to 65K as should be for DNS
Security #7458: af-packet: defrag option can lead to truncated packets
(HIGH - CVE 2025-29915)
Security #7450: tracking: signature can allocate arbitrary amount of memory
Security #7411: tcp: generic detection bypass using TCP urgent support
(HIGH - CVE 2024-55629)
Security #7393: tcp: segfault on StreamingBufferSlideToOffsetWithRegions
(CRITICAL - CVE 2024-55627)
Security #7366: bpf: oversized bpf file can lead to buffer overflow
(MODERATE - CVE 2024-55626)
Security #7280: dns: quadratic complexity in logging and invalid json as
output (HIGH - CVE 2024-55628)
Security #7267: ja4: non alphanumeric characters in alpn lead to panic
(CRITICAL - CVE 2024-47522)
Security #7229: detect: write to read-only memory in transforms
(CRITICAL - CVE 2024-55605)
Security #7209: thash: random factor not used; possible abusive hash
collisions (CRITICAL - CVE 2024-47187)
Security #7195: datasets: rule with unset makes suricata abort
(HIGH - CVE 2024-45795)
Security #7191: http: quadratic complexity in headers processing/finding
(CRITICAL - CVE 2024-45797)
Security #7183: smb: hashmap entries not removed for error responses
Security #7104: http2: oom from duplicate headers (CRITICAL - CVE 2024-38535)
Security #7085: eve: transactions can be logged an arbitrary number of times
Security #7067: defrag: off by one leads to possible evasion
(HIGH - CVE 2024-45796)
Security #7040: defrag: id reuse can lead to invalid reassembly
(CRITICAL - CVE 2024-37151)
Security #7029: http/range: segv when http.memcap is reached
(HIGH - CVE 2024-38536)
Security #6987: modbus: txs without responses are never freed
(MODERATE - CVE 2024-38534)
Security #6902: base64: off-by-three overflow in DecodeBase64()
(HIGH - CVE 2024-32664)
Security #6900: http2: timeout logging headers (HIGH - CVE 2024-32663)
Security #6892: http2: oom on copying compressed headers
(CRITICAL - CVE 2024-32663)
Security #6866: eve: excessive ssh long banner logging (HIGH - CVE 2024-28870)
Security #6799: ssh: quadratic complexity in overlong banner
(CRITICAL - CVE 2024-28870)
Security #6796: output/filestore: slowdown because of running OutputTxLog on
useless packets
Security #6770: log: arbitrary-length value can be logged
Security #6757: libhtp: quadratic complexity checking after request line
missing protocol (CRITICAL - CVE 2024-28871)
Security #6680: smb: pcap with many open files takes too much time
Security #6675: ip-defrag: packet can be considered complete even with holes
(MODERATE - CVE 2024-32867)
Security #6669: ip defrag: re-assembly error in bsd policy
(MODERATE - CVE 2024-32867)
Security #6668: ip defrag: final overlapping packet can lead to "hole" in
re-assembled data (MODERATE - CVE 2024-32867)
Security #6493: ip defrag: several issues with overlap handling
Security #6481: http2: quadratic complexity in find_or_create_tx not bounded
by max-tx (CRITICAL - CVE 2024-23836)
Security #6477: smtp: quadratic complexity from unbounded number of
transaction per flow (CRITICAL - CVE 2024-23836)
Security #6444: http1: quadratic complexity from infinite folded headers
(CRITICAL - CVE 2024-23837)
Security #6441: detect: heap use after free with http.request_header keyword
(CRITICAL - CVE 2024-23839)
Security #6411: pgsql: quadratic complexity leads to over consumption of memory
(HIGH - CVE 2024-23835)
Security #6299: mqtt: pcap with anomalies takes too long to process because of
app-layer-event detection
Security #5926: http2: evasion by splitting header fields over frames
(HIGH - CVE 2024-24568)
Security #5921: http1: configurable limit for maximum number of live
transactions per flow (CRITICAL - CVE 2024-23836)
Bug #7618: af-packet: setting bpf fails
Bug #7577: detect/files: file.data does not use content passed when closing
the file internally
Bug #7567: dcerpc: assertion triggered !((res.needed + res.consumed < input_len))
Bug #7562: detect/flow: null deference in signature parsing
Bug #7560: detect/krb5: undefined behavior with krb5.ticket_encryption when
passing -INT32_MAX
Bug #7556: quic: valid traffic blocked in IPS mode
Bug #7554: tls: parser error on unACK'd data in FIN shutdown
Bug #7552: app-layer: misdetection if response is seen first without request
Bug #7548: dcerpc: avoid integer underflow
Bug #7523: rules/prefilter: prefilter keyword ignored when in content rule
Bug #7521: detect/ip-only: false positive alerts on pseudo packets ending a
one direction flow
Bug #7495: protocol detection: probing parsers do not finish as soon as possible
Bug #7469: smtp: recognize when client initiated TLS
Bug #7467: detect: checksum detection broken by stream.checksum-validation
Bug #7466: lua: Flowvar memory leak
Bug #7455: flow: flow timeout behavior non-deterministic
Bug #7449: app-layer metadata does not get logged for stream rules and
unidirectional protocols
Bug #7447: NULL dereference in ThreadLogFileHashFreeFunc in bug-5198 SV test
Bug #7444: dpdk: RSS key length mismatch on ice (E810) card with DPDK version
22.11.6
Bug #7440: eve/frame: incomplete frame logging
Bug #7437: protocol detection : probing parsers are limited to 32 by use of
bitflag
Bug #7436: sip: remove UPDATE pattern as already used by HTTP/1.1
Bug #7435: fuzz: fix protocol detection target initialization sequence
Bug #7422: tcp: GAP event set on unack'd data following a RST
Bug #7418: requires: rules with unmet requirements are still loaded
Bug #7417: rust: remove shared reference to static mutable
Bug #7414: detect: decoder event rules fail to match on invalid packets
Bug #7409: http: crash in strip_pseudo_headers transform
Bug #7406: eve: Alerts with app_proto=tls no longer logs the tls app data
Bug #7398: datasets: scan-build warning call to blocking fn inside critical
section
Bug #7394: ldap: support starttls with tls upgrade
Bug #7365: flow-manager: multi Flow Manager memory leak problem
Bug #7361: rules: unknown internal events not being detected as errors
Bug #7359: eve/syslog: crashes on use
Bug #7338: rust: different int types turn garbage on FFI boundary
Bug #7334: asan/profiling: global-buffer-overflow error
Bug #7333: tls: impossible to log alpns with 'custom' logging
Bug #7332: tls: fix duplicate EVE field issuerdn
Bug #7326: http: FN with prefilter if the first of multi buffer did not match
Bug #7325: sdp: one or more time descriptions
Bug #7323: mqtt: wrong and missing direction for keywords
Bug #7318: flow: flow timeout pseudo packet triggers unexpected alert
Bug #7315: template: remove usage of template-rust
Bug #7314: misc/warnings: compile warnings during build
Bug #7309: http: incorrect file direction handling
Bug #7305: sdp: media's encryption key not logged
Bug #7303: detect: memleak in case of errors during initialization
Bug #7302: conf: memleak if yaml parser is initialized before checking if file
exists
Bug #7300: output: oversized records lead to invalid json
Bug #7296: detect: transform base64 creates a 0-sized variable-length array
Bug #7279: dns: protocol detection is not strict enough
Bug #7270: conf: nullptr dereference if mem alloc fails for a node in yaml parser
Bug #7264: detect/flow: ACK with data on 3whs fails to match 'flow:established'
Bug #7256: ja3: Error: ja3: Buffer should not be NULL
Bug #7253: fuzz: CIFuzz is not fuzzing PRs as it is supposed to
Bug #7241: app-layer-protocol: negated matching false positive
Bug #7238: app-layer: protocol flows are miscounted in case of error
Bug #7235: tls: a rule stops working since 7.0.5
Bug #7230: dcerpc: invalid dcerpc header is not rejected
Bug #7228: dns: no data logged, and no events with udp corrupt additional record
Bug #7226: lua: use crate from crates.io instead of github to fix offline builds
Bug #7218: profiling: packet profiling to log file is only active with rule
profiling
Bug #7213: frames: stream frame is not always the first one registered
Bug #7210: docs: inconsistent spelling in documentation for RFB
`security_result` key
Bug #7206: cbindgen: compatibility with newer version 0.27
Bug #7200: smtp: crash in ByteExtractString
Bug #7199: detect: missing app-layer metadata in alerts
Bug #7187: detect: dcerpc logging and matching issues
Bug #7181: fuzz: File confyaml.c is missing
Bug #7176: ldap: crash when encountering GAP
Bug #7172: detect/integers: do not bother to free NULL pointer on setup/parse
failure
Bug #7169: lua/output: vendored lua search for modules in /usr/local/ rather
than /usr/
Bug #7158: tcp: 'broken ack' event set on flow timeout
Bug #7135: util/thash: debug assertion for memuse
Bug #7126: decode/base64: Error message on packet path.
Bug #7121: smb/ntlmssp: nonsense smb.ntlmssp.version values
Bug #7115: dpdk: timestamping packets through TSC does not yield the same time
as kernel time
Bug #7113: pgsql: track 'progress' in tx per direction
Bug #7111: protodetect: DNS flow direction is not correct sometimes
Bug #7106: packet: app-layer-events incorrectly used on recycled packets
Bug #7093: sip: wrong slice used for sip_take_line with tcp leads to quadratic
oom
Bug #7059: smtp: split name logged as 2 names
Bug #7053: bypass: cannot bypass udp flow from first packet in second direction
Bug #7049: util/radix-tree: Possible dereference of nullptr in case of
unsuccessful allocation of memory for node
Bug #7048: af-packet: failure to start up on many threads plus high load
Bug #7037: pcap/log: MacOS rotates file well before limit is reached
Bug #7034: time: in offline mode, time can stay behind at pcap start
Bug #7028: base64: heap buffer overflow in RFC 2045 and 4648 modes
Bug #7025: websocket: wrong value for opcode ping/pong
Bug #7022: unix-socket: iface-bypassed-stat crash
Bug #7020: unix-socket: hostbit commands don't properly release host
Bug #7013: rust: build with rust 1.78 with slice::from_raw_parts now requiring
the pointer to be non-null
Bug #7000: pgsql: trigger raw stream reassembly
Bug #6994: sip/sdp: logger closes unopened array for empty medias
Bug #6989: tls.random buffers don't work as expected
Bug #6985: base64: coverity dead code warning
Bug #6984: mqtt: do not log non-string messages?
Bug #6983: eve/alert/metadata: no pgsql object encapsulation
Bug #6973: detect: log relevant frames app-layer metadata
Bug #6969: dataset: lookup function is not working with ip type
Bug #6964: base64: consumed bytes are incorrectly set for different modes
Bug #6959: http: improve handling of content encoding: gzip but request_body
not actually compressed
Bug #6957: Assert: BUG_ON(id <= 0 || id > (int)thread_store.threads_size);
Bug #6954: eve: packet field packet_info.linktype is non-portable
Bug #6948: detect/http.response_body: false positive because not enforcing
direction to_client
Bug #6942: decode/ppp: decoder.event.ppp.wrong_type on valid packet
Bug #6940: lua: handle errors in lua rules
Bug #6921: jsonbuilder: serializes Rust f64 NaNs to an invalid literal
Bug #6918: pcre2: compile warning
Bug #6913: reimplement systemd sd_notify w/o linking to libsystemd
Bug #6906: smtp/mime: data command rejected by pipelining server does not
reset data mode
Bug #6904: mime: buffer overflow in GetFullValue() (util-decode-mime.c)
Bug #6903: streaming buffer: heap overflows in
StreamingBufferAppend()/StreamingBufferAppendNoTrack()
Bug #6896: detect/port: upper boundary ports are not correctly handled
Bug #6891: sip: usage of Vec instead of Vecdeque leads to quadratic complexity
on cleanup
Bug #6889: detect: slowdown in rule parsing
Bug #6887: defrag: reassembled packet can have wrong datatype
Bug #6883: rust: clippy 1.77 warning
Bug #6881: detect/port: port grouping does not happen correctly if gap between
a single and range port
Bug #6877: Suricata 8 general protection fault ip:698117 sp:7fd537b08090
Bug #6875: output/alert: assertion failed p->flow != NULL
Bug #6871: dpdk: fix compatibility issues for ice cards
Bug #6864: detect: ipopts keyword false positive
Bug #6861: profiling/rules: crash when profiling ends
Bug #6846: eve/alerts: wrongly using tx id 0 when there is no tx
Bug #6843: detect/port: port ranges are incorrect when a port is single as
well as a part of range
Bug #6839: coverity: warning in port grouping code
Bug #6838: eve/filetypes: move from plugin api to eve api
Bug #6837: netmap: error message Netmap pipes (with lb)
Bug #6835: BUG_ON triggered from TmThreadsInjectFlowById
Bug #6834: iprep: rule with '=,0' can't match
Bug #6811: capture plugins: capture plugins unusable due to initialization order
Bug #6790: dpdk: evaluate the correct handling of DPDK ports on shutdown
Bug #6787: decode/pppoe: Suspicious pointer scaling
Bug #6782: streaming/buffer: crash in HTTP body handling
Bug #6778: detect/tls.certs: direction flag checked against wrong field
Bug #6766: multi-tenancy: dead lock during tenant loading
Bug #6762: hugepages: error for FreeBSD when kernel NUMA build option is not
enabled
Bug #6760: af-packet: hugepages Error for ARM64 and af-packet IPS mode
Bug #6755: netmap: deadlock if netmap_open fails
Bug #6753: detect/cip: missing return-value check for a 'scanf'-like function
Bug #6745: util/mime: Memory leak at util-decode-mime.c:MimeDecInitParser
Bug #6741: dpdk: automatic cache calculation is broken
Bug #6737: dpdk: property configuration can lead to integer overflow
Bug #6733: tcp: tcp flow flags changing incorrectly when ruleset contains
content matching
Bug #6732: eve/stats: parent interface object in stats contains VLAN-ID as keys
Bug #6726: stream: stream.drop-invalid drops valid traffic
Bug #6715: dpdk: NUMA warning on non-NUMA system
Bug #6710: rules: failed rules after a skipped rule are recorded as skipped,
not failed
Bug #6678: datasets: discard datasets that hit the memcap while loading correctly
Bug #6664: eve/smtp: attachment filenames not logged
Bug #6661: detect/content-inspect: FN on negative distance
Bug #6656: detect/requires: assertion failed !(ret == -4)
Bug #6643: http: wrongly assuming http0.9 leads to missed headers
Bug #6634: tls: Invalid ja3 due to double client hello
Bug #6633: stats: flows with a detection-only alproto not accounted in this
protocol
Bug #6619: profiling: runtime much longer to run than it used to
Bug #6618: endace: timestamp fixes
Bug #6617: detect/filestore: flow, to_server was broken by moving files into
transactions
Bug #6615: detect/analyzer: misrepresenting negative distance value
Bug #6592: mqtt: frames on TCP are not set properly when parsing multiple PDUs
in one go
Bug #6585: src: SCTIME_FROM_TIMESPEC() creates incorrect timestamps
Bug #6584: src: SCTIME_ADD_SECS() macro zeros out ts.usec part
Bug #6578: ssh: no alert on packet with Message Code: New Keys (21)
Bug #6574: detect/filestore: memory leak on rule parsing
Bug #6553: eve/alert: payload/payload_printable misrepresent data in case of
overlaps
Bug #6551: Invalid registration of prefiltering in stream size
Bug #6547: http2: http.response_line has leading space
Bug #6527: cppcheck 2.11 errors
Bug #6501: eve/alert: missing TFTP metadata
Bug #6500: eve/alert: missing FTP metadata
Bug #6490: profiling: rule profiling doesn't support absolute paths
Bug #6483: http.request_headers - odd behavior with multiple signatures
Bug #6419: dpdk: Analyze hugepage allocation on startup more thoroughly
Bug #6415: http: various header buffer not populated when malformed header
value exists
Bug #6414: detect-engine/port: recursive DetectPortInsert calls are expensive
Bug #6408: Output plugins receive identifier, but not thread identifier
Bug #6405: eve: ethernet src_mac should match src_ip
Bug #6398: eve/stats: threads object in stats contains memcap_pressure scalars
Bug #6393: detect/filestore: be more explicit about the U16_MAX limit per
signature group head
Bug #6390: detect/filestore: do not store if "both,flow" is triggered after
the file was set to "nostore"
Bug #6389: pgsql: u16 overflow found by oss-fuzz w/ quadfuzz
Bug #6376: detect: huge increase on start up time with a lot of ip-only rules
and bigger HOME_NET
Bug #6347: log-pcap: crash with suricata.yaml setting max-file to 1
Bug #6305: drop: assertion failed
!(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP)
Bug #6304: schema.json : if protocol such as ENIP is detection only, we do not
have _tcp suffix in stats
Bug #6281: dns: structure of query differs between "alert" and "dns" event types
Bug #6280: base64: strict mode should only accept strings that can be reliably
converted back
Bug #6254: bypass: thread "FB" failed to start in time: flags 0003
Bug #6092: eve/alert: missing pgsql metadata
Bug #6080: pgsql/probe: TCP on 5432 traffic incorrectly tagged as PGSQL
Bug #5977: eve/alert: missing KRB5 metadata
Bug #5539: landlock: coverity warnings
Bug #5524: pgsql: parser should not error on parsing error, so as to keep on
parsing the next PDUs
Bug #5491: smtp: response 530 appears to generate an invalid response alert
Bug #5486: eve: ethernet metadata is missing for some protocols or parts of a
protocol
Bug #5279: nom: use of count combinator can use too much memory
Bug #5220: detect/base64_data: fast_pattern shouldn't be allowed
Bug #5185: mime: URL extraction missing
Bug #4921: detect/app-layer-protocol: unexpected results when one direction
state "failed"
Bug #4858: fuzz: Timeout with pcre
Bug #4734: pfring: memory leak
Bug #3910: datasets: for type string the memcap isn't applied to the string data
Bug #3682: detect/bsize: error for impossible matching conditions
Bug #2886: imap: protocol detection is incomplete
Bug #2881: http.protocol parsing inaccuracy : accept spaces in URI
Bug #2224: rules: negated http_* match returns false if buffer not populated
Bug #1457: conf: non-standard units used for file size indication
Optimization #7617: af-packet: set defrag based on passive or inline mode
Optimization #7558: detect: convert rule group dumping to JsonBuilder
Optimization #7358: CI: only run CodeQL python if the PR contains changed
files that are python
Optimization #7304: detect: improve support for multi-protocol keywords
Optimization #7297: src: remove duplicate function declarations
Optimization #7272: af-packet: improve startup time
Optimization #7208: tcp/reassemble: GetBlock takes O(nlgn) in worst case
Optimization #7185: stats: exceptions: use search-friendly log output
Optimization #7178: rfb: rustify keywords and app-layer registration
Optimization #7155: pcap: use larger read size buffer for a performance increase
Optimization #7087: app-layer: track modified transactions
Optimization #7065: base64: move the decoder to rust
Optimization #7044: app-layer: clean up truncate callbacks and logic
Optimization #7018: dns/tcp: allow triggering raw stream reassembly
Optimization #7002: detect: move pseudo packet checks out of keyword Match funcs
Optimization #6938: packet: optimize packet data storage
Optimization #6937: compile: make code clean with -Wunused-macros
Optimization #6878: conf: quadratic complexity in yaml loader
Optimization #6873: byte_extract: convert keyword/option parsing to Rust
Optimization #6855: src: var code cleanups
Optimization #6852: mpm/ac: support endswith
Optimization #6821: smtp: add 535 code
Optimization #6795: detect/port: PortGroupWhitelist fn takes a lot of
processing time
Optimization #6792: detect/port: port grouping is quite slow in worst cases
Optimization #6786: util-rohash.c : make code cleaner to make CodeQL happier
Optimization #6775: detect: do not run tx detection on tcp non established
packets
Optimization #6773: app-layer/template: no limit on txs number
Optimization #6728: detect: prefilter for events (decode, stream, app-layer,
etc...)
Optimization #6718: detect/frames: avoid rescanning in IPS mode
Optimization #6702: streaming-buffer: Explore Rank Balanced trees
Optimization #6575: detect/multi-buffer: use single definition of struct
PrefilterMpmKrb5Name
Optimization #6569: threading: fix condition signalling w/o taking lock first
Optimization #6454: detect: force os to release memory on rule reload
Optimization #6433: packetpool: improve return sync logic
Optimization #6387: mqtt: move parser registration code to the rust side
Optimization #6111: defrag: avoid passing null pointers to functions
Optimization #5699: dcerpc: switch to incomplete api for tcp
Optimization #5672: smb: avoid unbounded hash maps
Optimization #5634: detect: unify ValidateCallback for MD5-like keywords
Optimization #5566: pgsql: add events
Optimization #5517: decode: big clean up (macros and functions)
Optimization #5311: ftp: use unsigned integer for input_len
Optimization #5047: sip: implement pattern based protocol detection
Optimization #4798: af-packet: default to tpacket-v3 in IDS mode
Optimization #3827: output: clean up logging initialization code
Optimization #3449: eve: output calls fflush very often
Optimization #3427: datasets: issue warning/info for data with type string
that are not base64
Optimization #426: threshold: rule based thresholding data structure improvement
Task #7604: lua: turn http into lib
Task #7602: lua: turn dns into lib
Task #7601: lua: turn dnp3 into lib
Task #7492: lua: remove script_api_ver check from needs block
Task #7489: lua: turn flow into lib
Task #7488: lua: turn packet into lib
Task #7456: engine/analysis: report rule state altered by flowbit rule
Task #7426: flowint: add isnotset support
Task #7350: firewall usecase: log app-layer metadata for catch-all drop rules
Task #7341: rust: use bindgen to generate Rust bindings to C functions
Task #7287: schema: add missing tls fields certificate and chain
Task #7246: libhtp 0.5.49
Task #7227: logging: document and cleanup low level logging registration
Task #7219: rust/crates: update base64
Task #7167: dns: make the version field in a dns object required
Task #7165: napatech: move into bundled plugin
Task #7162: pfring: move into bundled plugin
Task #7154: plugins: add template detection plugin
Task #7152: plugins: add template logger plugin
Task #7151: plugins: add template app-layer plugin
Task #7130: rust: dependency "time" fails to build on Rust nightly
Task #7058: fuzz/base64: check decoded strings for correctness in strict mode
Task #6965: libhtp 0.5.48
Task #6962: yaml: unify 0 stats counter config option terminology
Task #6961: lua: use a rust crate to vendor lua
Task #6935: unittests: convert tests to new FAIL/PASS API - src/app-layer-htp.c
Task #6888: contrib: remove obsolete items from contrib
Task #6818: rust: snmp-parser 0.10.0
Task #6817: rust: kerberos-parser 0.8.0
Task #6769: libhtp 0.5.47
Task #6748: doc: mention X710 RX descriptor limitation
Task #6712: dependencies: completely remove nss
Task #6705: build-info: remove obsolete "rust support" line
Task #6605: flash decompression: update/remove deprecation warnings
Task #6603: pgsql: don't log password msg if password disabled
Task #6586: mpm/ac-bs: remove implementation
Task #6577: pgsql: add cancel request message
Task #6544: logging: deprecate syslog
Task #6543: logging: deprecate http-log
Task #6542: logging: deprecate tls-log
Task #6488: plugins: add example plugins to the suricata source tree
Task #6432: tracking: autofp capture stalls due to packetpool depletion
Task #6427: runmodes: remove reference to auto modes
Task #6360: detect/analyzer: add more details for the icmp_id keyword
Task #6355: detect/analyzer: add more details for the tcp.mss keyword
Task #6354: detect/analyzer: add more details for the tcp ack keyword
Task #6353: detect/analyzer: add more details for the tcp seq keyword
Task #6352: detect/analyzer: add more details for the tcp window keyword
Task #6318: unittests: convert tests to new
FAIL/PASS API - detect-engine-address-ipv4.c
Task #6312: detect/analyzer: add more details for the flow.age keyword
Task #6309: detect/analyzer: add more details for the flowbits keyword
Task #6287: suricatasc: rewrite in rust
Task #6209: libhtp 0.5.46
Task #6107: unittests: convert tests to new FAIL/PASS API - util-memcmp.c
Task #6050: base64: make a fuzz target
Task #5626: doc: document file.data
Task #5588: ips/tap: don't allow mixed tap and ips modes
Task #5053: app-layer: dynamic alproto IDs
Task #4742: build: make the auto-generated config.h not conflict with other
config.h
Task #4698: lib: Example program to bootstrap Suricata (an alternate main()
for Suricata)
Task #4683: detect: remove sigmatch_table in favor of a dynamic storage option
Task #4105: plugins: Create template capture source plugin
Task #4103: plugins: convert an app-layer to use the plugin API (snmp)
Documentation #7540: doc/userguide: fix typo
Documentation #7383: userguide: fix typo
Documentation #7262: doc: remove mentions to suricata-6
Documentation #7260: userguide/config: fix consistency of dashes instead of
underscores
Documentation #7153: devguide: document adding a detection plugin
Documentation #7150: devguide: document adding a logging plugin
Documentation #7149: devguide: document adding an app-layer plugin
Documentation #7031: userguide: document SignatureProperties sigtype
Documentation #6911: manpages: use consistent date based on release and/or git
commits
Documentation #6908: userguide: document how to verify tar.gz signature
Documentation #6781: http: document duplicate headers concatenation handling
Documentation #6725: document pcap file variables
Documentation #6708: userguide/payload: fix explanation about bsize ranges
Documentation #6686: docs: port userguide build instruction changes from
master-6.0.x
Documentation #6685: userguide: explain noalert keyword
Documentation #6629: docs: fix byte_test examples
Documentation #6628: userguide: document generic aspects of integer keywords
Documentation #6599: docs: update eBPF installation instructions
Documentation #6589: docs: fix broken bulleted list style on rtd
Documentation #6570: remove references in docs mentioning prehistoric Suricata
versions
Documentation #6568: devguide: document backports policies and process
Documentation #6552: doc: add tcp timeout fix to upgrade guide
Documentation #6548: http2: http.stat_msg - note about HTTP/2 behavior
Documentation #6445: userguide: explain what flow_id is
Documentation #6076: eve/schema: document quic
Documentation #5651: detect/bsize: format should specify operators
Documentation #5494: userguide: update tls eve-log fields 'not_before' and
'not_after'
Documentation #5393: devguide: move github workflow document from redmine into
devguide
Documentation #5088: detect/file.name: keyword is not documented
Documentation #4359: docs: elaborate documentation for rule profiling
Documentation #3015: userguide: document "tag" keyword
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 2271a47bf31682be8c0bb9319277339a86cc70be
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Aug 8 15:01:04 2025 +0000
make.sh: Start Core Update 198
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/cfgroot/graphs.pl | 2 +-
config/rootfiles/common/aarch64/binutils | 11 +-
config/rootfiles/common/aarch64/vectorscan | 4 +-
config/rootfiles/common/riscv64/binutils | 11 +-
config/rootfiles/common/suricata | 10 +
config/rootfiles/common/x86_64/binutils | 11 +-
config/rootfiles/core/{197 => 198}/exclude | 0
.../133 => core/198}/filelists/aarch64/binutils | 0
.../187 => core/198}/filelists/aarch64/vectorscan | 0
.../core/{197 => 198}/filelists/core-files | 0
config/rootfiles/core/198/filelists/files | 1 +
.../180 => core/198}/filelists/riscv64/binutils | 0
.../rootfiles/core/{197 => 198}/filelists/suricata | 0
.../100 => core/198}/filelists/x86_64/binutils | 0
.../187 => core/198}/filelists/x86_64/vectorscan | 0
.../rootfiles/{oldcore/152 => core/198}/update.sh | 12 +-
config/rootfiles/{core => oldcore}/197/exclude | 0
.../{core => oldcore}/197/filelists/aarch64/linux | 0
.../197/filelists/aarch64/lm_sensors | 0
.../197/filelists/aarch64/util-linux | 0
.../{core => oldcore}/197/filelists/apache2 | 0
.../{core => oldcore}/197/filelists/automake | 0
.../rootfiles/{core => oldcore}/197/filelists/bash | 0
.../rootfiles/{core => oldcore}/197/filelists/bind | 0
.../{core => oldcore}/197/filelists/btrfs-progs | 0
.../{core => oldcore}/197/filelists/core-files | 0
.../rootfiles/{core => oldcore}/197/filelists/curl | 0
.../{core => oldcore}/197/filelists/e2fsprogs | 0
.../{core => oldcore}/197/filelists/files | 0
.../{core => oldcore}/197/filelists/fontconfig | 0
.../{core => oldcore}/197/filelists/gettext | 0
.../{core => oldcore}/197/filelists/gnutls | 0
.../rootfiles/{core => oldcore}/197/filelists/jq | 0
.../{core => oldcore}/197/filelists/json-glib | 0
.../{core => oldcore}/197/filelists/libhtp | 0
.../{core => oldcore}/197/filelists/libjpeg | 0
.../{core => oldcore}/197/filelists/libpng | 0
.../{core => oldcore}/197/filelists/libssh | 0
.../{core => oldcore}/197/filelists/libtasn1 | 0
.../{core => oldcore}/197/filelists/libunistring | 0
.../rootfiles/{core => oldcore}/197/filelists/lvm2 | 0
.../{core => oldcore}/197/filelists/nettle | 0
.../{core => oldcore}/197/filelists/openssl | 0
.../{core => oldcore}/197/filelists/openvpn | 0
.../{core => oldcore}/197/filelists/pango | 0
.../{core => oldcore}/197/filelists/pciutils | 0
.../{core => oldcore}/197/filelists/readline | 0
.../{core => oldcore}/197/filelists/riscv64/linux | 0
.../197/filelists/riscv64/lm_sensors | 0
.../197/filelists/riscv64/util-linux | 0
.../{core => oldcore}/197/filelists/shadow | 0
.../{core => oldcore}/197/filelists/sqlite | 0
.../{core => oldcore}/197/filelists/strongswan | 0
.../{core => oldcore}/197/filelists/suricata | 0
.../{core => oldcore}/197/filelists/unbound | 0
.../{core => oldcore}/197/filelists/x86_64/linux | 0
.../197/filelists/x86_64/lm_sensors | 0
.../197/filelists/x86_64/util-linux | 0
config/rootfiles/{core => oldcore}/197/update.sh | 0
config/suricata/suricata.yaml | 698 ++++++++++++++++-----
doc/language_issues.de | 1 +
doc/language_issues.en | 2 +-
doc/language_issues.es | 2 +
doc/language_issues.fr | 2 +-
doc/language_issues.it | 2 +-
doc/language_issues.nl | 2 +-
doc/language_issues.pl | 2 +-
doc/language_issues.ru | 2 +-
doc/language_issues.tr | 2 +-
doc/language_issues.tw | 2 +
doc/language_issues.zh | 2 +
doc/language_missings | 9 +
langs/de/cgi-bin/de.pl | 1 +
langs/en/cgi-bin/en.pl | 1 +
lfs/binutils | 4 +-
lfs/suricata | 10 +-
lfs/vectorscan | 7 +-
make.sh | 4 +-
...ch => suricata-8.0.0-disable-sid-2210059.patch} | 11 +-
src/patches/vectorscan-5.4.11-sse4.2.patch | 16 -
80 files changed, 642 insertions(+), 202 deletions(-)
copy config/rootfiles/core/{197 => 198}/exclude (100%)
copy config/rootfiles/{oldcore/133 => core/198}/filelists/aarch64/binutils (100%)
copy config/rootfiles/{oldcore/187 => core/198}/filelists/aarch64/vectorscan (100%)
copy config/rootfiles/core/{197 => 198}/filelists/core-files (100%)
create mode 100644 config/rootfiles/core/198/filelists/files
copy config/rootfiles/{oldcore/180 => core/198}/filelists/riscv64/binutils (100%)
copy config/rootfiles/core/{197 => 198}/filelists/suricata (100%)
copy config/rootfiles/{oldcore/100 => core/198}/filelists/x86_64/binutils (100%)
copy config/rootfiles/{oldcore/187 => core/198}/filelists/x86_64/vectorscan (100%)
copy config/rootfiles/{oldcore/152 => core/198}/update.sh (95%)
rename config/rootfiles/{core => oldcore}/197/exclude (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/aarch64/linux (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/aarch64/lm_sensors (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/aarch64/util-linux (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/apache2 (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/automake (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/bash (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/bind (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/btrfs-progs (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/core-files (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/curl (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/e2fsprogs (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/files (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/fontconfig (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/gettext (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/gnutls (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/jq (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/json-glib (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/libhtp (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/libjpeg (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/libpng (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/libssh (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/libtasn1 (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/libunistring (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/lvm2 (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/nettle (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/openssl (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/openvpn (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/pango (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/pciutils (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/readline (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/riscv64/linux (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/riscv64/lm_sensors (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/riscv64/util-linux (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/shadow (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/sqlite (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/strongswan (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/suricata (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/unbound (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/x86_64/linux (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/x86_64/lm_sensors (100%)
rename config/rootfiles/{core => oldcore}/197/filelists/x86_64/util-linux (100%)
rename config/rootfiles/{core => oldcore}/197/update.sh (100%)
rename src/patches/suricata/{suricata-disable-sid-2210059.patch => suricata-8.0.0-disable-sid-2210059.patch} (51%)
delete mode 100644 src/patches/vectorscan-5.4.11-sse4.2.patch
Difference in files:
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index a64958c75a..2a4ccf8c40 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -1251,7 +1251,7 @@ sub updateipsthroughputgraph {
"GPRINT:whitelisted_bytes_max:%9.2lf %sbps\\j",
# Bypassed Packets
- "STACK:bypassed_bytes$color{'color11'}A0:" . sprintf("%-30s", $Lang::tr{'bypassed'}),
+ "STACK:bypassed_bytes$color{'color11'}A0:" . sprintf("%-30s", $Lang::tr{'offloaded'}),
"GPRINT:bypassed_bytes_avg:%9.2lf %sbps",
"GPRINT:bypassed_bytes_min:%9.2lf %sbps",
"GPRINT:bypassed_bytes_max:%9.2lf %sbps\\j",
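Review bot: only the printed legend switches from `$Lang::tr{'bypassed'}` to `$Lang::tr{'offloaded'}` while the RRD series and the `STACK:bypassed_bytes` name stay as they are, which is the right choice for graph-data continuity, but the new `offloaded` key then has to resolve in every locale. The diffstat touches only `langs/de/cgi-bin/de.pl` and `langs/en/cgi-bin/en.pl` and adds 9 lines to `doc/language_missings`, so verify that the remaining locales fall back to the English string rather than rendering an empty legend entry, and that the longer word still fits the `%-30s` padding the label uses.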
diff --git a/config/rootfiles/common/aarch64/binutils b/config/rootfiles/common/aarch64/binutils
index f4d8cb09cb..e961f8a887 100644
--- a/config/rootfiles/common/aarch64/binutils
+++ b/config/rootfiles/common/aarch64/binutils
@@ -426,7 +426,7 @@ usr/lib/bfd-plugins/libdep.so
#usr/lib/ldscripts/armelfb_linux_eabi.xwe
#usr/lib/ldscripts/armelfb_linux_eabi.xwer
#usr/lib/ldscripts/stamp
-usr/lib/libbfd-2.44.so
+usr/lib/libbfd-2.45.so
#usr/lib/libbfd.a
#usr/lib/libbfd.la
#usr/lib/libbfd.so
@@ -445,15 +445,15 @@ usr/lib/libctf.so.0.0.0
#usr/lib/libgprofng.so
usr/lib/libgprofng.so.0
usr/lib/libgprofng.so.0.0.0
-usr/lib/libopcodes-2.44.so
+usr/lib/libopcodes-2.45.so
#usr/lib/libopcodes.a
#usr/lib/libopcodes.la
#usr/lib/libopcodes.so
#usr/lib/libsframe.a
#usr/lib/libsframe.la
#usr/lib/libsframe.so
-usr/lib/libsframe.so.1
-usr/lib/libsframe.so.1.0.0
+usr/lib/libsframe.so.2
+usr/lib/libsframe.so.2.0.0
#usr/share/doc/gprofng
#usr/share/doc/gprofng/examples.tar.gz
#usr/share/info/as.info
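Review bot: the libsframe soname moves from `libsframe.so.1` to `libsframe.so.2` alongside the `libbfd-2.44.so` to `libbfd-2.45.so` and `libopcodes-2.44.so` to `libopcodes-2.45.so` renames, and the same hunk is repeated for the riscv64 and x86_64 binutils rootfiles. The core update ships these rootfiles through the new `filelists/*/binutils` symlinks, but a rootfile only adds or replaces files, so `core/198/update.sh` should also delete the stale `usr/lib/libsframe.so.1`, `usr/lib/libsframe.so.1.0.0`, `usr/lib/libbfd-2.44.so` and `usr/lib/libopcodes-2.44.so`; otherwise the old libraries remain on updated systems. The `update.sh` in this push (copied from oldcore/152 at 95% similarity) is cut off here after its license header, so this cannot be confirmed from the visible lines.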
@@ -501,6 +501,9 @@ usr/lib/libsframe.so.1.0.0
#usr/share/locale/ga/LC_MESSAGES/gprof.mo
#usr/share/locale/ga/LC_MESSAGES/ld.mo
#usr/share/locale/ga/LC_MESSAGES/opcodes.mo
+#usr/share/locale/gas.es
+#usr/share/locale/gas.es/LC_MESSAGES
+#usr/share/locale/gas.es/LC_MESSAGES/gas.mo
#usr/share/locale/hr/LC_MESSAGES/bfd.mo
#usr/share/locale/hr/LC_MESSAGES/binutils.mo
#usr/share/locale/hu/LC_MESSAGES/gprof.mo
diff --git a/config/rootfiles/common/aarch64/vectorscan b/config/rootfiles/common/aarch64/vectorscan
index 160dc3ae7c..e0a4e67e01 100644
--- a/config/rootfiles/common/aarch64/vectorscan
+++ b/config/rootfiles/common/aarch64/vectorscan
@@ -6,8 +6,8 @@
#usr/include/hs/hs_version.h
#usr/lib/libhs.so
usr/lib/libhs.so.5
-usr/lib/libhs.so.5.4.11
+usr/lib/libhs.so.5.4.12
#usr/lib/libhs_runtime.so
usr/lib/libhs_runtime.so.5
-usr/lib/libhs_runtime.so.5.4.11
+usr/lib/libhs_runtime.so.5.4.12
#usr/lib/pkgconfig/libhs.pc
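Review bot: the Vectorscan sonames are bumped from 5.4.11 to 5.4.12 in the aarch64 rootfile only, yet the diffstat shows no change to `config/rootfiles/common/x86_64/vectorscan` even though `core/198/filelists/x86_64/vectorscan` is added as a symlink to it. Confirm that the x86_64 rootfile does not carry the versioned `libhs.so.5.4.11` / `libhs_runtime.so.5.4.11` names, or it is now out of date after the `lfs/vectorscan` bump and the deletion of `src/patches/vectorscan-5.4.11-sse4.2.patch`. As with binutils, the old `.so.5.4.11` files need an explicit removal in `update.sh` on both architectures.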
diff --git a/config/rootfiles/common/riscv64/binutils b/config/rootfiles/common/riscv64/binutils
index 5153af16fe..06025b088f 100644
--- a/config/rootfiles/common/riscv64/binutils
+++ b/config/rootfiles/common/riscv64/binutils
@@ -426,7 +426,7 @@ usr/bin/strings
#usr/lib/ldscripts/elf64lriscv_lp64f.xwe
#usr/lib/ldscripts/elf64lriscv_lp64f.xwer
#usr/lib/ldscripts/stamp
-usr/lib/libbfd-2.44.so
+usr/lib/libbfd-2.45.so
#usr/lib/libbfd.a
#usr/lib/libbfd.la
#usr/lib/libbfd.so
@@ -445,15 +445,15 @@ usr/lib/libctf.so.0.0.0
#usr/lib/libgprofng.so
#usr/lib/libgprofng.so.0
#usr/lib/libgprofng.so.0.0.0
-usr/lib/libopcodes-2.44.so
+usr/lib/libopcodes-2.45.so
#usr/lib/libopcodes.a
#usr/lib/libopcodes.la
#usr/lib/libopcodes.so
#usr/lib/libsframe.a
#usr/lib/libsframe.la
#usr/lib/libsframe.so
-usr/lib/libsframe.so.1
-usr/lib/libsframe.so.1.0.0
+usr/lib/libsframe.so.2
+usr/lib/libsframe.so.2.0.0
#usr/share/doc/gprofng
#usr/share/doc/gprofng/examples.tar.gz
#usr/share/info/as.info
@@ -501,6 +501,9 @@ usr/lib/libsframe.so.1.0.0
#usr/share/locale/ga/LC_MESSAGES/gprof.mo
#usr/share/locale/ga/LC_MESSAGES/ld.mo
#usr/share/locale/ga/LC_MESSAGES/opcodes.mo
+#usr/share/locale/gas.es
+#usr/share/locale/gas.es/LC_MESSAGES
+#usr/share/locale/gas.es/LC_MESSAGES/gas.mo
#usr/share/locale/hr/LC_MESSAGES/bfd.mo
#usr/share/locale/hr/LC_MESSAGES/binutils.mo
#usr/share/locale/hu/LC_MESSAGES/gprof.mo
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 8fe53f7e66..2bfc3babda 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -2,6 +2,8 @@ etc/suricata
etc/suricata/suricata.yaml
usr/bin/suricata
usr/bin/suricata-watcher
+#usr/bin/suricatactl
+#usr/bin/suricatasc
usr/sbin/convert-ids-backend-files
#usr/share/doc/suricata
#usr/share/doc/suricata/AUTHORS
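Review bot: `usr/bin/suricatactl` and `usr/bin/suricatasc` are added commented out, i.e. deliberately excluded from the shipped package; the changelog above lists `Task #6287: suricatasc: rewrite in rust`, so these are now compiled binaries rather than the previous Python scripts. Confirm that nothing in the IPFire tree drives Suricata over the unix socket via `suricatasc` (ruleset reload, IPS status), and state the exclusion in the commit message rather than leaving it implicit in the rootfile.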
@@ -26,16 +28,20 @@ usr/share/suricata
#usr/share/suricata/rules/dhcp-events.rules
#usr/share/suricata/rules/dnp3-events.rules
#usr/share/suricata/rules/dns-events.rules
+#usr/share/suricata/rules/enip-events.rules
#usr/share/suricata/rules/files.rules
#usr/share/suricata/rules/ftp-events.rules
#usr/share/suricata/rules/http-events.rules
#usr/share/suricata/rules/http2-events.rules
#usr/share/suricata/rules/ipsec-events.rules
#usr/share/suricata/rules/kerberos-events.rules
+#usr/share/suricata/rules/mdns-events.rules
#usr/share/suricata/rules/modbus-events.rules
#usr/share/suricata/rules/mqtt-events.rules
#usr/share/suricata/rules/nfs-events.rules
#usr/share/suricata/rules/ntp-events.rules
+#usr/share/suricata/rules/pgsql-events.rules
+#usr/share/suricata/rules/pop3-events.rules
#usr/share/suricata/rules/quic-events.rules
#usr/share/suricata/rules/rfb-events.rules
#usr/share/suricata/rules/smb-events.rules
@@ -43,9 +49,13 @@ usr/share/suricata
#usr/share/suricata/rules/ssh-events.rules
#usr/share/suricata/rules/stream-events.rules
#usr/share/suricata/rules/tls-events.rules
+#usr/share/suricata/rules/websocket-events.rules
#usr/share/suricata/threshold.config
var/cache/suricata
+var/cache/suricata/sgh
var/lib/suricata
+#var/lib/suricata/cache
+#var/lib/suricata/cache/sgh
#var/lib/suricata/data
var/log/suricata
#var/log/suricata/certs
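Review bot: `var/cache/suricata/sgh` is shipped while `#var/lib/suricata/cache` and `#var/lib/suricata/cache/sgh` are commented out, so the signature-group-head cache is being placed under `/var/cache` instead of the `/var/lib/suricata/cache/sgh` location that the upstream install layout evidently creates (it appears in the rootfile). Make sure the shipped `config/suricata/suricata.yaml` (698 lines changed in this push) points the sgh cache at `/var/cache/suricata/sgh`, and that the directory is created with ownership and permissions that let the user Suricata runs as write to it; otherwise Suricata falls back to a path this rootfile excludes, and the cache, which only speeds up rule loading, silently does nothing.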
diff --git a/config/rootfiles/common/x86_64/binutils b/config/rootfiles/common/x86_64/binutils
index d56ff28144..08f4bea04c 100644
--- a/config/rootfiles/common/x86_64/binutils
+++ b/config/rootfiles/common/x86_64/binutils
@@ -178,7 +178,7 @@ usr/bin/strings
#usr/lib/ldscripts/elf_x86_64.xwe
#usr/lib/ldscripts/elf_x86_64.xwer
#usr/lib/ldscripts/stamp
-usr/lib/libbfd-2.44.so
+usr/lib/libbfd-2.45.so
#usr/lib/libbfd.a
#usr/lib/libbfd.la
#usr/lib/libbfd.so
@@ -197,15 +197,15 @@ usr/lib/libctf.so.0.0.0
#usr/lib/libgprofng.so
usr/lib/libgprofng.so.0
usr/lib/libgprofng.so.0.0.0
-usr/lib/libopcodes-2.44.so
+usr/lib/libopcodes-2.45.so
#usr/lib/libopcodes.a
#usr/lib/libopcodes.la
#usr/lib/libopcodes.so
#usr/lib/libsframe.a
#usr/lib/libsframe.la
#usr/lib/libsframe.so
-usr/lib/libsframe.so.1
-usr/lib/libsframe.so.1.0.0
+usr/lib/libsframe.so.2
+usr/lib/libsframe.so.2.0.0
#usr/share/doc/gprofng
#usr/share/doc/gprofng/examples.tar.gz
#usr/share/info/as.info
@@ -253,6 +253,9 @@ usr/lib/libsframe.so.1.0.0
#usr/share/locale/ga/LC_MESSAGES/gprof.mo
#usr/share/locale/ga/LC_MESSAGES/ld.mo
#usr/share/locale/ga/LC_MESSAGES/opcodes.mo
+#usr/share/locale/gas.es
+#usr/share/locale/gas.es/LC_MESSAGES
+#usr/share/locale/gas.es/LC_MESSAGES/gas.mo
#usr/share/locale/hr/LC_MESSAGES/bfd.mo
#usr/share/locale/hr/LC_MESSAGES/binutils.mo
#usr/share/locale/hu/LC_MESSAGES/gprof.mo
diff --git a/config/rootfiles/core/197/exclude b/config/rootfiles/core/198/exclude
similarity index 100%
rename from config/rootfiles/core/197/exclude
rename to config/rootfiles/core/198/exclude
diff --git a/config/rootfiles/core/198/filelists/aarch64/binutils b/config/rootfiles/core/198/filelists/aarch64/binutils
new file mode 120000
index 0000000000..6da9d39e5e
--- /dev/null
+++ b/config/rootfiles/core/198/filelists/aarch64/binutils
@@ -0,0 +1 @@
+../../../../common/aarch64/binutils
\ No newline at end of file
diff --git a/config/rootfiles/core/198/filelists/aarch64/vectorscan b/config/rootfiles/core/198/filelists/aarch64/vectorscan
new file mode 120000
index 0000000000..e2115fe7ce
--- /dev/null
+++ b/config/rootfiles/core/198/filelists/aarch64/vectorscan
@@ -0,0 +1 @@
+../../../../common/aarch64/vectorscan
\ No newline at end of file
diff --git a/config/rootfiles/core/197/filelists/core-files b/config/rootfiles/core/198/filelists/core-files
similarity index 100%
rename from config/rootfiles/core/197/filelists/core-files
rename to config/rootfiles/core/198/filelists/core-files
diff --git a/config/rootfiles/core/198/filelists/files b/config/rootfiles/core/198/filelists/files
new file mode 100644
index 0000000000..9a71c3df6d
--- /dev/null
+++ b/config/rootfiles/core/198/filelists/files
@@ -0,0 +1 @@
+var/ipfire/graphs.pl
diff --git a/config/rootfiles/core/198/filelists/riscv64/binutils b/config/rootfiles/core/198/filelists/riscv64/binutils
new file mode 120000
index 0000000000..c5f3990b61
--- /dev/null
+++ b/config/rootfiles/core/198/filelists/riscv64/binutils
@@ -0,0 +1 @@
+../../../../common/riscv64/binutils
\ No newline at end of file
diff --git a/config/rootfiles/core/197/filelists/suricata b/config/rootfiles/core/198/filelists/suricata
similarity index 100%
rename from config/rootfiles/core/197/filelists/suricata
rename to config/rootfiles/core/198/filelists/suricata
diff --git a/config/rootfiles/core/198/filelists/x86_64/binutils b/config/rootfiles/core/198/filelists/x86_64/binutils
new file mode 120000
index 0000000000..7d0fda554d
--- /dev/null
+++ b/config/rootfiles/core/198/filelists/x86_64/binutils
@@ -0,0 +1 @@
+../../../../common/x86_64/binutils
\ No newline at end of file
diff --git a/config/rootfiles/core/198/filelists/x86_64/vectorscan b/config/rootfiles/core/198/filelists/x86_64/vectorscan
new file mode 120000
index 0000000000..f5bdb47f97
--- /dev/null
+++ b/config/rootfiles/core/198/filelists/x86_64/vectorscan
@@ -0,0 +1 @@
+../../../../common/x86_64/vectorscan
\ No newline at end of file
diff --git a/config/rootfiles/core/198/update.sh b/config/rootfiles/core/198/update.sh
new file mode 100644
index 0000000000..ba5f239759
--- /dev/null
+++ b/config/rootfiles/core/198/update.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2025 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+core=198
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ )); do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+
+# Remove files
+
+# Extract files
+extract_files
+
+# update linker config
+ldconfig
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+# Filesytem cleanup
+/usr/local/bin/filesystem-cleanup
+
+# Apply SSH configuration
+/usr/local/bin/sshctrl
+
+# Start services
+/etc/init.d/suricata restart
+
+# This update needs a reboot...
+#touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+ grub-mkconfig -o /boot/grub/grub.cfg
+fi
+
+sync
+
+# Don't report the exitcode last command
+exit 0
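Review bot: `/etc/init.d/suricata restart` is issued with no configuration check, while this same push removes the `nfq:` block from `config/suricata/suricata.yaml`; if the new config fails to load, the restart takes the IPS down instead of leaving the running instance alone. Run `suricata -T -c /etc/suricata/suricata.yaml` (or the init script's own test target) and only restart on success. The "Remove files" section is empty although the binutils rootfile drops `usr/lib/libsframe.so.1` and `libsframe.so.1.0.0`; add an explicit `rm -f` rather than relying on `filesystem-cleanup` to catch them. Minor: `for (( i=1; i<=$core; i++ ))` could be one glob over `/var/cache/pakfire/core-upgrade-*-*.ipfire`, style only.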
diff --git a/config/rootfiles/oldcore/197/exclude b/config/rootfiles/oldcore/197/exclude
new file mode 100644
index 0000000000..8ee1c3c2f5
--- /dev/null
+++ b/config/rootfiles/oldcore/197/exclude
@@ -0,0 +1,35 @@
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+boot/uEnv.txt
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/firewall/locationblock
+var/ipfire/fwhosts/customlocationgrp
+var/ipfire/ovpn
+var/ipfire/urlfilter/blacklist
+var/ipfire/urlfilter/settings
+var/lib/alternatives
+var/lib/location/database.db
+var/lib/location/ipset
+var/log/cache
+var/log/dhcpcd.log
+var/log/messages
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/197/filelists/aarch64/linux b/config/rootfiles/oldcore/197/filelists/aarch64/linux
similarity index 100%
rename from config/rootfiles/core/197/filelists/aarch64/linux
rename to config/rootfiles/oldcore/197/filelists/aarch64/linux
diff --git a/config/rootfiles/core/197/filelists/aarch64/lm_sensors b/config/rootfiles/oldcore/197/filelists/aarch64/lm_sensors
similarity index 100%
rename from config/rootfiles/core/197/filelists/aarch64/lm_sensors
rename to config/rootfiles/oldcore/197/filelists/aarch64/lm_sensors
diff --git a/config/rootfiles/core/197/filelists/aarch64/util-linux b/config/rootfiles/oldcore/197/filelists/aarch64/util-linux
similarity index 100%
rename from config/rootfiles/core/197/filelists/aarch64/util-linux
rename to config/rootfiles/oldcore/197/filelists/aarch64/util-linux
diff --git a/config/rootfiles/core/197/filelists/apache2 b/config/rootfiles/oldcore/197/filelists/apache2
similarity index 100%
rename from config/rootfiles/core/197/filelists/apache2
rename to config/rootfiles/oldcore/197/filelists/apache2
diff --git a/config/rootfiles/core/197/filelists/automake b/config/rootfiles/oldcore/197/filelists/automake
similarity index 100%
rename from config/rootfiles/core/197/filelists/automake
rename to config/rootfiles/oldcore/197/filelists/automake
diff --git a/config/rootfiles/core/197/filelists/bash b/config/rootfiles/oldcore/197/filelists/bash
similarity index 100%
rename from config/rootfiles/core/197/filelists/bash
rename to config/rootfiles/oldcore/197/filelists/bash
diff --git a/config/rootfiles/core/197/filelists/bind b/config/rootfiles/oldcore/197/filelists/bind
similarity index 100%
rename from config/rootfiles/core/197/filelists/bind
rename to config/rootfiles/oldcore/197/filelists/bind
diff --git a/config/rootfiles/core/197/filelists/btrfs-progs b/config/rootfiles/oldcore/197/filelists/btrfs-progs
similarity index 100%
rename from config/rootfiles/core/197/filelists/btrfs-progs
rename to config/rootfiles/oldcore/197/filelists/btrfs-progs
diff --git a/config/rootfiles/oldcore/197/filelists/core-files b/config/rootfiles/oldcore/197/filelists/core-files
new file mode 100644
index 0000000000..0dec37e538
--- /dev/null
+++ b/config/rootfiles/oldcore/197/filelists/core-files
@@ -0,0 +1,5 @@
+etc/system-release
+etc/issue
+etc/os-release
+srv/web/ipfire/cgi-bin/credits.cgi
+var/ipfire/langs
diff --git a/config/rootfiles/core/197/filelists/curl b/config/rootfiles/oldcore/197/filelists/curl
similarity index 100%
rename from config/rootfiles/core/197/filelists/curl
rename to config/rootfiles/oldcore/197/filelists/curl
diff --git a/config/rootfiles/core/197/filelists/e2fsprogs b/config/rootfiles/oldcore/197/filelists/e2fsprogs
similarity index 100%
rename from config/rootfiles/core/197/filelists/e2fsprogs
rename to config/rootfiles/oldcore/197/filelists/e2fsprogs
diff --git a/config/rootfiles/core/197/filelists/files b/config/rootfiles/oldcore/197/filelists/files
similarity index 100%
rename from config/rootfiles/core/197/filelists/files
rename to config/rootfiles/oldcore/197/filelists/files
diff --git a/config/rootfiles/core/197/filelists/fontconfig b/config/rootfiles/oldcore/197/filelists/fontconfig
similarity index 100%
rename from config/rootfiles/core/197/filelists/fontconfig
rename to config/rootfiles/oldcore/197/filelists/fontconfig
diff --git a/config/rootfiles/core/197/filelists/gettext b/config/rootfiles/oldcore/197/filelists/gettext
similarity index 100%
rename from config/rootfiles/core/197/filelists/gettext
rename to config/rootfiles/oldcore/197/filelists/gettext
diff --git a/config/rootfiles/core/197/filelists/gnutls b/config/rootfiles/oldcore/197/filelists/gnutls
similarity index 100%
rename from config/rootfiles/core/197/filelists/gnutls
rename to config/rootfiles/oldcore/197/filelists/gnutls
diff --git a/config/rootfiles/core/197/filelists/jq b/config/rootfiles/oldcore/197/filelists/jq
similarity index 100%
rename from config/rootfiles/core/197/filelists/jq
rename to config/rootfiles/oldcore/197/filelists/jq
diff --git a/config/rootfiles/core/197/filelists/json-glib b/config/rootfiles/oldcore/197/filelists/json-glib
similarity index 100%
rename from config/rootfiles/core/197/filelists/json-glib
rename to config/rootfiles/oldcore/197/filelists/json-glib
diff --git a/config/rootfiles/core/197/filelists/libhtp b/config/rootfiles/oldcore/197/filelists/libhtp
similarity index 100%
rename from config/rootfiles/core/197/filelists/libhtp
rename to config/rootfiles/oldcore/197/filelists/libhtp
diff --git a/config/rootfiles/core/197/filelists/libjpeg b/config/rootfiles/oldcore/197/filelists/libjpeg
similarity index 100%
rename from config/rootfiles/core/197/filelists/libjpeg
rename to config/rootfiles/oldcore/197/filelists/libjpeg
diff --git a/config/rootfiles/core/197/filelists/libpng b/config/rootfiles/oldcore/197/filelists/libpng
similarity index 100%
rename from config/rootfiles/core/197/filelists/libpng
rename to config/rootfiles/oldcore/197/filelists/libpng
diff --git a/config/rootfiles/core/197/filelists/libssh b/config/rootfiles/oldcore/197/filelists/libssh
similarity index 100%
rename from config/rootfiles/core/197/filelists/libssh
rename to config/rootfiles/oldcore/197/filelists/libssh
diff --git a/config/rootfiles/core/197/filelists/libtasn1 b/config/rootfiles/oldcore/197/filelists/libtasn1
similarity index 100%
rename from config/rootfiles/core/197/filelists/libtasn1
rename to config/rootfiles/oldcore/197/filelists/libtasn1
diff --git a/config/rootfiles/core/197/filelists/libunistring b/config/rootfiles/oldcore/197/filelists/libunistring
similarity index 100%
rename from config/rootfiles/core/197/filelists/libunistring
rename to config/rootfiles/oldcore/197/filelists/libunistring
diff --git a/config/rootfiles/core/197/filelists/lvm2 b/config/rootfiles/oldcore/197/filelists/lvm2
similarity index 100%
rename from config/rootfiles/core/197/filelists/lvm2
rename to config/rootfiles/oldcore/197/filelists/lvm2
diff --git a/config/rootfiles/core/197/filelists/nettle b/config/rootfiles/oldcore/197/filelists/nettle
similarity index 100%
rename from config/rootfiles/core/197/filelists/nettle
rename to config/rootfiles/oldcore/197/filelists/nettle
diff --git a/config/rootfiles/core/197/filelists/openssl b/config/rootfiles/oldcore/197/filelists/openssl
similarity index 100%
rename from config/rootfiles/core/197/filelists/openssl
rename to config/rootfiles/oldcore/197/filelists/openssl
diff --git a/config/rootfiles/core/197/filelists/openvpn b/config/rootfiles/oldcore/197/filelists/openvpn
similarity index 100%
rename from config/rootfiles/core/197/filelists/openvpn
rename to config/rootfiles/oldcore/197/filelists/openvpn
diff --git a/config/rootfiles/core/197/filelists/pango b/config/rootfiles/oldcore/197/filelists/pango
similarity index 100%
rename from config/rootfiles/core/197/filelists/pango
rename to config/rootfiles/oldcore/197/filelists/pango
diff --git a/config/rootfiles/core/197/filelists/pciutils b/config/rootfiles/oldcore/197/filelists/pciutils
similarity index 100%
rename from config/rootfiles/core/197/filelists/pciutils
rename to config/rootfiles/oldcore/197/filelists/pciutils
diff --git a/config/rootfiles/core/197/filelists/readline b/config/rootfiles/oldcore/197/filelists/readline
similarity index 100%
rename from config/rootfiles/core/197/filelists/readline
rename to config/rootfiles/oldcore/197/filelists/readline
diff --git a/config/rootfiles/core/197/filelists/riscv64/linux b/config/rootfiles/oldcore/197/filelists/riscv64/linux
similarity index 100%
rename from config/rootfiles/core/197/filelists/riscv64/linux
rename to config/rootfiles/oldcore/197/filelists/riscv64/linux
diff --git a/config/rootfiles/core/197/filelists/riscv64/lm_sensors b/config/rootfiles/oldcore/197/filelists/riscv64/lm_sensors
similarity index 100%
rename from config/rootfiles/core/197/filelists/riscv64/lm_sensors
rename to config/rootfiles/oldcore/197/filelists/riscv64/lm_sensors
diff --git a/config/rootfiles/core/197/filelists/riscv64/util-linux b/config/rootfiles/oldcore/197/filelists/riscv64/util-linux
similarity index 100%
rename from config/rootfiles/core/197/filelists/riscv64/util-linux
rename to config/rootfiles/oldcore/197/filelists/riscv64/util-linux
diff --git a/config/rootfiles/core/197/filelists/shadow b/config/rootfiles/oldcore/197/filelists/shadow
similarity index 100%
rename from config/rootfiles/core/197/filelists/shadow
rename to config/rootfiles/oldcore/197/filelists/shadow
diff --git a/config/rootfiles/core/197/filelists/sqlite b/config/rootfiles/oldcore/197/filelists/sqlite
similarity index 100%
rename from config/rootfiles/core/197/filelists/sqlite
rename to config/rootfiles/oldcore/197/filelists/sqlite
diff --git a/config/rootfiles/core/197/filelists/strongswan b/config/rootfiles/oldcore/197/filelists/strongswan
similarity index 100%
rename from config/rootfiles/core/197/filelists/strongswan
rename to config/rootfiles/oldcore/197/filelists/strongswan
diff --git a/config/rootfiles/oldcore/197/filelists/suricata b/config/rootfiles/oldcore/197/filelists/suricata
new file mode 120000
index 0000000000..f671f69933
--- /dev/null
+++ b/config/rootfiles/oldcore/197/filelists/suricata
@@ -0,0 +1 @@
+../../../common/suricata
\ No newline at end of file
diff --git a/config/rootfiles/core/197/filelists/unbound b/config/rootfiles/oldcore/197/filelists/unbound
similarity index 100%
rename from config/rootfiles/core/197/filelists/unbound
rename to config/rootfiles/oldcore/197/filelists/unbound
diff --git a/config/rootfiles/core/197/filelists/x86_64/linux b/config/rootfiles/oldcore/197/filelists/x86_64/linux
similarity index 100%
rename from config/rootfiles/core/197/filelists/x86_64/linux
rename to config/rootfiles/oldcore/197/filelists/x86_64/linux
diff --git a/config/rootfiles/core/197/filelists/x86_64/lm_sensors b/config/rootfiles/oldcore/197/filelists/x86_64/lm_sensors
similarity index 100%
rename from config/rootfiles/core/197/filelists/x86_64/lm_sensors
rename to config/rootfiles/oldcore/197/filelists/x86_64/lm_sensors
diff --git a/config/rootfiles/core/197/filelists/x86_64/util-linux b/config/rootfiles/oldcore/197/filelists/x86_64/util-linux
similarity index 100%
rename from config/rootfiles/core/197/filelists/x86_64/util-linux
rename to config/rootfiles/oldcore/197/filelists/x86_64/util-linux
diff --git a/config/rootfiles/core/197/update.sh b/config/rootfiles/oldcore/197/update.sh
similarity index 100%
rename from config/rootfiles/core/197/update.sh
rename to config/rootfiles/oldcore/197/update.sh
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 443b8e19e5..6a4f31eac8 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -43,6 +43,7 @@ vars:
GENEVE_PORTS: 6081
VXLAN_PORTS: 4789
TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
##
## Ruleset specific options.
@@ -63,7 +64,7 @@ default-log-dir: /var/log/suricata/
# Global stats configuration
stats:
- enabled: no
+ enabled: yes
# The interval field (in seconds) controls the interval at
# which stats are updated in the log.
interval: 8
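Review bot: `enabled: yes` turns on the engine-wide counter dump at `interval: 8` seconds; by itself it changes nothing, its cost depends on which stats outputs are enabled further down (this change also switches the `stats.log` output on). Eight seconds is the upstream default; on a busy IPS that is a lot of I/O for a file nobody reads interactively, so a longer interval (or keeping stats only in EVE) is worth considering.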
@@ -74,6 +75,9 @@ stats:
#decoder-events-prefix: "decoder.event"
# Add stream events as stats.
#stream-events: false
+ exception-policy:
+ #per-app-proto-errors: false # default: false. True will log errors for
+ # each app-proto. Warning: VERY verbose
# Plugins -- Experimental -- specify the filename for each plugin shared object
plugins:
@@ -88,15 +92,6 @@ outputs:
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
- # Stats.log contains data from various counters of the suricata engine.
- - stats:
- enabled: no
- filename: stats.log
- append: no # append to file (yes) or overwrite it (no)
- totals: yes # stats for all threads merged together
- threads: no # per thread stats
- #null-values: yes # print counters that have value 0
-
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: no
@@ -105,6 +100,10 @@ outputs:
# Enable for multi-threaded eve.json output; output files are amended with
# an identifier, e.g., eve.9.json
#threaded: false
+ # Specify the amount of buffering, in bytes, for
+ # this output type. The default value 0 means "no
+ # buffering".
+ #buffer-size: 0
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
#identity: "suricata"
@@ -116,10 +115,18 @@ outputs:
# server: 127.0.0.1
# port: 6379
# async: true ## if redis replies are read asynchronously
- # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish, xadd|stream
# ## lpush and rpush are using a Redis list. "list" is an alias for lpush
# ## publish is using a Redis channel. "channel" is an alias for publish
- # key: suricata ## key or channel to use (default to suricata)
+ # ## xadd is using a Redis stream. "stream" is an alias for xadd
+ # key: suricata ## string denoting the key/channel/stream to use (default to suricata)
+ # stream-maxlen: 100000 ## Automatically trims the stream length to at most
+ ## this number of events. Set to 0 to disable trimming.
+ ## Only used when mode is set to xadd/stream.
+ # stream-trim-exact: false ## Trim exactly to the maximum stream length above.
+ ## Default: use inexact trimming (inexact by a few
+ ## tens of items)
+ ## Only used when mode is set to xadd/stream.
# Redis pipelining set up. This will enable to only do a query every
# 'batch-size' events. This should lower the latency induced by network
# connection at the cost of some memory. There is no flushing implemented
@@ -130,6 +137,8 @@ outputs:
# Include top level metadata. Default yes.
#metadata: no
+ # Include suricata version. Default no.
+ #suricata-version: yes
# include the name of the input pcap file in pcap file processing mode
pcap-file: false
@@ -168,12 +177,28 @@ outputs:
types:
- alert:
# payload: yes # enable dumping payload in Base64
- # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-buffer-size: 4 KiB # max size of payload buffer to output in eve-log
# payload-printable: yes # enable dumping payload in printable (lossy) format
+ # payload-length: yes # enable dumping payload length, including the gaps
# packet: yes # enable dumping of packet (without stream segments)
# metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ # If you want metadata, use:
+ # metadata:
+ # Include the decoded application layer (ie. http, dns)
+ #app-layer: true
+ # Log the current state of the flow record.
+ #flow: true
+ #rule:
+ # Log the metadata field from the rule in a structured
+ # format.
+ #metadata: true
+ # Log the raw rule text.
+ #raw: false
+ #reference: false # include reference information from the rule
# http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
# http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+ # websocket-payload: yes # Requires metadata; enable dumping of WebSocket Payload in Base64
+ # websocket-payload-printable: yes # Requires metadata; enable dumping of WebSocket Payload in printable format
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
@@ -186,6 +211,7 @@ outputs:
- frame:
# disabled by default as this is very verbose.
enabled: no
+ # payload-buffer-size: 4 KiB # max size of frame payload buffer to output in eve-log
- anomaly:
# Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP
@@ -229,13 +255,10 @@ outputs:
# to dump all HTTP headers for every HTTP request and/or response
# dump-all-headers: none
- dns:
- # This configuration uses the new DNS logging format,
- # the old configuration is still available:
- # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
-
- # As of Suricata 5.0, version 2 of the eve dns output
- # format is the default.
- #version: 2
+ # Suricata 8.0 uses a new DNS logging format, to keep with
+ # the old format while you upgrade the version can be set
+ # to 2. See https://docs.suricata.io/en/latest/upgrade/8.0-dns-logging-changes.html
+ #version: 3
# Enable/disable this logger. Default: enabled.
#enabled: yes
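Review bot: `#version: 3` is only a comment, but the point the comment makes is real: Suricata 8 changes the DNS EVE record format unless `version: 2` is set. Since `eve-log` is `enabled: no` in this file, nothing on the box consumes the records today, so no action is needed now; anyone enabling eve-log later must update consumers or pin `version: 2`.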
@@ -256,13 +279,15 @@ outputs:
# DNS record types to log, based on the query type.
# Default: all.
#types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - mdns:
- tls:
extended: yes # enable this for extended logging information
# output TLS transaction where the session is resumed using a
# session id
#session-resumption: no
# custom controls which TLS fields that are included in eve-log
- #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
+ # WARNING: enabling custom disables extended logging.
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname, client, client_certificate, client_chain, client_alpns, server_alpns, client_handshake, server_handshake]
- files:
force-magic: no # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,
@@ -289,10 +314,15 @@ outputs:
#md5: [body, subject]
#- dnp3
+ - websocket
+ #- enip
- ftp
- rdp
- nfs
- - smb
+ - smb:
+ # restrict to only certain types in the following list
+ #types: [file, tree_connect, negotiate, dcerpc, create,
+ # session_setup, ioctl, rename, set_file_path_info, generic]
- tftp
- ike
- dcerpc
@@ -302,6 +332,10 @@ outputs:
- rfb
- sip
- quic
+ - ldap
+ - pop3
+ - arp:
+ enabled: no # Many events can be logged. Disabled by default
- dhcp:
enabled: yes
# When extended mode is on, all DHCP messages are logged
@@ -312,14 +346,27 @@ outputs:
- ssh
- mqtt:
# passwords: yes # enable output of passwords
+ # string-log-limit: 1KiB # limit size of logged strings in bytes.
+ # Can be specified in KiB, MiB, GiB. Just a number
+ # is parsed as bytes. Default is 1 KiB.
+ # Use a value of 0 to disable limiting.
+ # Note that the size is also bounded by
+ # the maximum parsed message size (see
+ # app-layer configuration)
- http2
+ # dns over http2
+ - doh2
- pgsql:
enabled: no
# passwords: yes # enable output of passwords. Disabled by default
+ # If a password message is seen but this setting
+ # is disabled, "password_redacted": true is logged
- stats:
totals: yes # stats for all threads merged together
threads: no # per thread stats
deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #null-values: false # False will NOT log stats counters: 0
# bi-directional flows
- flow
# uni-directional flows
@@ -340,13 +387,224 @@ outputs:
# state-update: false # log packets triggering a TCP state update
# spurious-retransmission: false # log spurious retransmission packets
+ # output module to store certificates chain to disk
+ - tls-store:
+ enabled: no
+ #certs-log-dir: certs # directory to store the certificates files
+
+ # Packet log... log packets in pcap format. 2 modes of operation: "normal"
+ # and "multi".
+ #
+ # In normal mode a pcap file "filename" is created in the default-log-dir,
+ # or as specified by "dir".
+ # In multi mode, a file is created per thread. This will perform much
+ # better, but will create multiple files where 'normal' would create one.
+ # In multi mode the filename takes a few special variables:
+ # - %n -- thread number
+ # - %i -- thread id
+ # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
+ # E.g. filename: pcap.%n.%t
+ #
+ # Note that it's possible to use directories, but the directories are not
+ # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
+ # per thread directory.
+ #
+ # Also note that the limit and max-files settings are enforced per thread.
+ # So the size limit when using 8 threads with 1000 MiB files and 2000 files
+ # is: 8*1000*2000 ~ 16TiB.
+ #
+ # By default all packets are logged except:
+ # - TCP streams beyond stream.reassembly.depth
+ # - encrypted streams after the key exchange
+ #
+ - pcap-log:
+ enabled: no
+ filename: log.pcap
+
+ # File size limit. Can be specified in kb, mb, gb. Just a number
+ # is parsed as bytes.
+ limit: 1000 MiB
+
+ # If set to a value, ring buffer mode is enabled. Will keep maximum of
+ # "max-files" of size "limit"
+ max-files: 2000
+
+ # Compression algorithm for pcap files. Possible values: none, lz4.
+ # Note also that on Windows, enabling compression will *increase* disk I/O.
+ compression: none
+
+ # Further options for lz4 compression. The compression level can be set
+ # to a value between 0 and 16, where higher values result in higher
+ # compression.
+ #lz4-checksum: no
+ #lz4-level: 0
+
+ mode: normal # normal or multi
+
+ # Directory to place pcap files. If not provided the default log
+ # directory will be used.
+ #dir: /nsm_data/
+
+ #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
+ use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+ honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
+ # Use "all" to log all packets or use "alerts" to log only alerted packets and flows or "tag"
+ # to log only flow tagged via the "tag" keyword
+ #conditional: all
+
+ # A BPF filter that will be applied to all packets being
+ # logged. If set, packets must match this filter otherwise they
+ # will not be logged.
+ #bpf-filter:
+
+ # a full alert log containing much information for signature writers
+ # or for investigating suspected false positives.
+ - alert-debug:
+ enabled: no
+ filename: alert-debug.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # Stats.log contains data from various counters of the Suricata engine.
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes # append to file (yes) or overwrite it (no)
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ #null-values: yes # print counters that have value 0. Default: no
+
+ # Output module for storing files on disk. Files are stored in
+ # directory names consisting of the first 2 characters of the
+ # SHA256 of the file. Each file is given its SHA256 as a filename.
+ #
+ # When a duplicate file is found, the timestamps on the existing file
+ # are updated.
+ #
+ # Unlike the older filestore, metadata is not written by default
+ # as each file should already have a "fileinfo" record in the
+ # eve-log. If write-fileinfo is set to yes, then each file will have
+ # one more associated .json files that consist of the fileinfo
+ # record. A fileinfo file will be written for each occurrence of the
+ # file seen using a filename suffix to ensure uniqueness.
+ #
+ # To prune the filestore directory see the "suricatactl filestore
+ # prune" command which can delete files over a certain age.
+ - file-store:
+ version: 2
+ enabled: no
+
+ # Set the directory for the filestore. Relative pathnames
+ # are contained within the "default-log-dir".
+ #dir: filestore
+
+ # Write out a fileinfo record for each occurrence of a file.
+ # Disabled by default as each occurrence is already logged
+ # as a fileinfo record to the main eve-log.
+ #write-fileinfo: yes
+
+ # Force storing of all files. Default: no.
+ #force-filestore: yes
+
+ # Override the global stream-depth for sessions in which we want
+ # to perform file extraction. Set to 0 for unlimited; otherwise,
+ # must be greater than the global stream-depth value to be used.
+ #stream-depth: 0
+
+ # Uncomment the following variable to define how many files can
+ # remain open for filestore by Suricata. Default value is 0 which
+ # means files get closed after each write to the file.
+ #max-open-files: 1000
+
+ # Force logging of checksums: available hash functions are md5,
+ # sha1 and sha256. Note that SHA256 is automatically forced by
+ # the use of this output module as it uses the SHA256 as the
+ # file naming scheme.
+ #force-hash: [sha1, md5]
+ # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported. If more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ # Log TCP data after stream normalization
+ # Two types: file or dir:
+ # - file logs into a single logfile.
+ # - dir creates 2 files per TCP session and stores the raw TCP
+ # data into them.
+ # Use 'both' to enable both file and dir modes.
+ #
+ # Note: limited by "stream.reassembly.depth"
+ - tcp-data:
+ enabled: no
+ type: file
+ filename: tcp-data.log
+
+ # Log HTTP body data after normalization, de-chunking and unzipping.
+ # Two types: file or dir.
+ # - file logs into a single logfile.
+ # - dir creates 2 files per HTTP session and stores the
+ # normalized data into them.
+ # Use 'both' to enable both file and dir modes.
+ #
+ # Note: limited by the body limit settings
+ - http-body-data:
+ enabled: no
+ type: file
+ filename: http-data.log
+
+ # Lua Output Support - execute lua script to generate alert and event
+ # output.
+ # Documented at:
+ # https://docs.suricata.io/en/latest/output/lua-output.html
+ - lua:
+ enabled: no
+
+ # By default the Lua module search paths are empty. If you plan
+ # to use external modules these paths will need to be set. The
+ # examples below are likely suitable for finding modules
+ # installed with a package manager on a 64 bit Linux system, but
+ # may need tweaking.
+ #path: "/usr/share/lua/5.4/?.lua;/usr/share/lua/5.4/?/init.lua;/usr/lib64/lua/5.4/?.lua;/usr/lib64/lua/5.4/?/init.lua;./?.lua;./?/init.lua"
+ #cpath: "/usr/lib64/lua/5.4/?.so;/usr/lib64/lua/5.4/loadall.so;./?.so"
+
+ #scripts-dir: /etc/suricata/lua-output/
+ scripts:
+ # - script1.lua
+
+heartbeat:
+ # The output-flush-interval value governs how often Suricata will instruct the
+ # detection threads to flush their EVE output. Specify the value in seconds [1-60]
+ # and Suricata will initiate EVE log output flushes at that interval. A value
+ # of 0 means no EVE log output flushes are initiated. When the EVE output
+ # buffer-size value is non-zero, some EVE output that was written may remain
+ # buffered. The output-flush-interval governs how much buffered data exists.
+ #
+ # The default value is: 0 (never instruct detection threads to flush output)
+ #output-flush-interval: 0
+
+# Logging configuration. This is not about logging IDS alerts/events, but
+# output about what Suricata is doing, like startup messages, errors, etc.
logging:
# The default log level: can be overridden in an output section.
# Note that debug level logging will only be emitted if Suricata was
# compiled with the --enable-debug configure option.
#
# This value is overridden by the SC_LOG_LEVEL env var.
- default-log-level: Info
+ default-log-level: info
# The default output format. Optional parameter, should default to
# something reasonable if not provided. Can be overridden in an
@@ -378,39 +636,24 @@ logging:
- file:
enabled: no
level: info
- filename: /var/log/suricata/suricata.log
+ filename: suricata.log
# format: "[%i - %m] %z %d: %S: %M"
# type: json
- syslog:
enabled: yes
facility: local5
- format: ""
- #format: "[%i] <%d> -- "
+ format: "[%i] <%d> -- "
# type: json
-##
-## Netfilter configuration
-##
-
-nfq:
- mode: repeat
- repeat-mark: 2147483648
- repeat-mask: 2147483648
- bypass-mark: 1073741824
- bypass-mask: 1073741824
-# route-queue: 2
-# batchcount: 20
- fail-open: no
-
##
## Step 5: App Layer Protocol Configuration
##
# Configure the app-layer parsers.
#
-# The error-policy setting applies to all app-layer parsers. Values can be
-# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or
-# "ignore" (the default).
+# The exception policy error-policy setting applies to all app-layer parsers.
+# Values can be "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet",
+# "reject" or "ignore" (the default).
#
# The protocol's section details each protocol.
#
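Review bot: the syslog `format` changes from an empty string to "[%i] <%d> -- ", so every Suricata message sent to facility local5 now carries that prefix; anything on the IPFire side that parses these syslog lines (log viewer, filters) should be checked against the new message shape. The file logger's `filename: suricata.log` is now a relative name instead of the absolute /var/log/suricata path, harmless while `enabled: no` but worth remembering if file logging is ever switched on. The nfq block removed here reappears key for key at the end of the file, so that part is a pure relocation.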
@@ -428,7 +671,7 @@ app-layer:
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
mqtt:
enabled: yes
- # max-msg-length: 1mb
+ # max-msg-length: 1 MiB
# subscribe-topic-match-limit: 100
# unsubscribe-topic-match-limit: 100
# Maximum number of live MQTT transactions per flow
@@ -444,16 +687,17 @@ app-layer:
tls:
enabled: yes
detection-ports:
- dp: "[443,444,465,853,993,995]"
+ dp: 443
- # Generate JA3 fingerprint from client hello. If not specified it
+ # Generate JA3/JA4 fingerprints from client hello. If not specified it
# will be disabled by default, but enabled if rules require it.
- ja3-fingerprints: auto
+ #ja3-fingerprints: auto
+ #ja4-fingerprints: auto
# What to do when the encrypted communications start:
- # - default: keep tracking TLS session, check for protocol anomalies,
+ # - track-only: keep tracking TLS session, check for protocol anomalies,
# inspect tls_* keywords. Disables inspection of unmodified
- # 'content' signatures.
+ # 'content' signatures. (default)
# - bypass: stop processing this flow as much as possible. No further
# TLS parsing and inspection. Offload flow bypass to kernel
# or hardware if possible.
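Review bot: `detection-ports: dp` narrows from "[443,444,465,853,993,995]" to 443, dropping the implicit-TLS mail ports, DNS-over-TLS on 853 and port 444; if TLS on those ports should still be picked up by port-based protocol detection, keep the previous list or state in the commit why it is no longer needed. Commenting out `ja3-fingerprints: auto` is a no-op according to the comment directly above it (disabled unless rules require it), and the new `#ja4-fingerprints: auto` line behaves the same way.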
@@ -476,12 +720,28 @@ app-layer:
# max-tx: 1024
ftp:
enabled: yes
- # memcap: 64mb
+ # memcap: 64 MiB
+ websocket:
+ #enabled: yes
+ # Maximum used payload size, the rest is skipped
+ # Also applies as a maximum for uncompressed data
+ # max-payload-size: 64 KiB
rdp:
- enabled: yes
+ #enabled: yes
ssh:
enabled: yes
- #hassh: yes
+ # hassh: no
+
+ # What to do when the encrypted communications start:
+ # - track-only: keep tracking but stop inspection (default)
+ # - full: keep tracking and inspect as normal
+ # - bypass: stop processing this flow as much as possible.
+ # Offload flow bypass to kernel or hardware if possible.
+ # For the best performance, select 'bypass'.
+ #
+ # encryption-handling: track-only
+ doh2:
+ enabled: yes
http2:
enabled: yes
# Maximum number of live HTTP2 streams in a flow
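Review bot: `rdp: enabled: yes` becomes a comment, so the RDP parser now follows the upstream default instead of being explicitly on; if RDP parsing is still wanted, leave the key active. `doh2: enabled: yes` is a real behavioural change (DNS-over-HTTP/2 parsing is switched on) and deserves a line in the commit message. The ssh `encryption-handling` block and the `# hassh: no` line are comments only, but note that the hint flipped from suggesting `hassh: yes` to `hassh: no`.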
@@ -528,7 +788,15 @@ app-layer:
content-inspect-min-size: 32768
content-inspect-window: 4096
imap:
+ enabled: detection-only
+ pop3:
enabled: yes
+ detection-ports:
+ dp: 110
+ # Stream reassembly size for POP3. By default, track it completely.
+ stream-depth: 0
+ # Maximum number of live POP3 transactions per flow
+ # max-tx: 256
smb:
enabled: yes
detection-ports:
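Review bot: imap drops from `enabled: yes` to `enabled: detection-only`, so IMAP is only identified as a protocol and no longer parsed; that is a functional downgrade that should be called out if intended. In the new pop3 block, `stream-depth: 0` reassembles the whole POP3 stream regardless of the global reassembly depth, which matches the comment ("track it completely") but means large mail downloads are held in full; a bounded value is safer on small appliances if memory is a concern.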
@@ -545,14 +813,6 @@ app-layer:
tftp:
enabled: yes
dns:
- # memcaps. Globally and per flow/state.
- global-memcap: 32mb
- state-memcap: 512kb
-
- # How many unreplied DNS requests are considered a flood.
- # If the limit is reached, app-layer-event:dns.flooded; will match.
- #request-flood: 512
-
tcp:
enabled: yes
detection-ports:
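Review bot: removing `global-memcap`, `state-memcap` and the `request-flood` comment drops every explicit DNS memory limit and the flood-detection knob. Confirm these keys are no longer supported by the target Suricata version (in which case the removal is required); otherwise DNS state falls back to built-in defaults and the limits are loosened silently.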
@@ -563,15 +823,14 @@ app-layer:
dp: 53
http:
enabled: yes
- memcap: 256mb
# Byte Range Containers default settings
# byterange:
- # memcap: 100mb
+ # memcap: 100 MiB
# timeout: 60
# memcap: Maximum memory capacity for HTTP
- # Default is unlimited, values can be 64mb, e.g.
+ # Default is unlimited, values can be 64 MiB, e.g.
# default-config: Used when no server-config matches
# personality: List of personalities used by default
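Review bot: deleting `memcap: 256mb` under http leaves HTTP app-layer memory uncapped, as the comment a few lines below states ("Default is unlimited"). On an inline IPS the HTTP memcap is the main guard against memory growth from many large bodies; unless the removal is deliberate, set `memcap: 256 MiB` to keep the previous bound in the new unit style.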
@@ -596,16 +855,16 @@ app-layer:
default-config:
personality: IDS
- # Can be specified in kb, mb, gb. Just a number indicates
+ # Can be specified in KiB, MiB, GiB. Just a number indicates
# it's in bytes.
- request-body-limit: 100kb
- response-body-limit: 100kb
+ request-body-limit: 100 KiB
+ response-body-limit: 100 KiB
# inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 40kb
- response-body-inspect-window: 16kb
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
# response body decompression (0 disables)
response-body-decompress-layer-limit: 2
@@ -624,8 +883,8 @@ app-layer:
swf-decompression:
enabled: no
type: both
- compress-depth: 100kb
- decompress-depth: 100kb
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
# Use a random value for inspection sizes around the specified value.
# This lowers the risk of some evasion techniques but could lead
@@ -645,21 +904,23 @@ app-layer:
#lzma-enabled: false
# Memory limit usage for LZMA decompression dictionary
# Data is decompressed until dictionary reaches this size
- #lzma-memlimit: 1mb
+ #lzma-memlimit: 1 MiB
# Maximum decompressed size with a compression ratio
# above 2048 (only LZMA can reach this ratio, deflate cannot)
- #compression-bomb-limit: 1mb
+ #compression-bomb-limit: 1 MiB
# Maximum time spent decompressing a single transaction in usec
#decompression-time-limit: 100000
# Maximum number of live transactions per flow
#max-tx: 512
+ # Maximum used number of HTTP1 headers in one request or response
+ #headers-limit: 1024
server-config:
#- apache:
# address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
# personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
+ # # Can be specified in KiB, MiB, GiB. Just a number indicates
# # it's in bytes.
# request-body-limit: 4096
# response-body-limit: 4096
@@ -671,7 +932,7 @@ app-layer:
# - 192.168.0.0/24
# - 192.168.10.0/24
# personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
+ # # Can be specified in KiB, MiB, GiB. Just a number indicates
# # it's in bytes.
# request-body-limit: 4096
# response-body-limit: 4096
@@ -725,6 +986,21 @@ app-layer:
sip:
#enabled: yes
+ ldap:
+ tcp:
+ enabled: yes
+ detection-ports:
+ dp: 389, 3268
+ udp:
+ enabled: yes
+ detection-ports:
+ dp: 389, 3268
+ # Maximum number of live LDAP transactions per flow
+ # max-tx: 1024
+
+ mdns:
+ enabled: yes
+
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
@@ -733,9 +1009,17 @@ datasets:
# Default fallback memcap and hashsize values for datasets in case these
# were not explicitly defined.
defaults:
- #memcap: 100mb
+ #memcap: 100 MiB
#hashsize: 2048
+ # Limits for per rule dataset instances to avoid rules using too many
+ # resources.
+ limits:
+ # Max value for per dataset `hashsize` setting
+ #single-hashsize: 65536
+ # Max combined hashsize values for all datasets.
+ #total-hashsizes: 16777216
+
rules:
# Set to true to allow absolute filenames and filenames that use
# ".." components to reference parent directories in rules that specify
@@ -782,8 +1066,8 @@ security:
- /var/lib/suricata
lua:
- # Allow Lua rules. Disabled by default.
- #allow-rules: false
+ # Allow Lua rules. Enabled by default.
+ #allow-rules: true
# Some logging modules will use that name in event as identifier. The default
# value is the hostname
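Review bot: the comment now says Lua rules are enabled by default and the example reads `#allow-rules: true`, so the config inherits an upstream default that lets rule files execute Lua scripts. Since that permission now rests on a default rather than an explicit setting, consider an explicit `allow-rules: false` here unless Lua rules are actually needed.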
@@ -856,11 +1140,15 @@ runmode: workers
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
- enabled: no
+ enabled: auto
#filename: custom.socket
-# Magic file
-magic-file: /usr/share/misc/magic.mgc
+# Magic file. The extension .mgc is added to the value here.
+magic-file: /usr/share/misc/magic
+
+# GeoIP2 database file. Specify path and filename of GeoIP2 database
+# if using rules with "geoip" rule option.
+#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb
legacy:
uricontent: enabled
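Review bot: `unix-command: enabled` goes from `no` to `auto`, so a control socket is created whenever Suricata decides the runmode supports it; that socket is a management interface, so the directory it lands in should be writable only by the Suricata user. The `magic-file` value drops the `.mgc` extension, which the new comment says is appended automatically, so the packaged file still has to be present as /usr/share/misc/magic.mgc.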
@@ -893,6 +1181,12 @@ legacy:
# drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable).
exception-policy: pass-packet
+# IP Reputation
+#reputation-categories-file: /etc/suricata/iprep/categories.txt
+#default-reputation-path: /etc/suricata/iprep
+#reputation-files:
+# - reputation.list
+
# When run with the option --engine-analysis, the engine will read each of
# the parameters below, and print reports for each of the enabled sections
# and exit. The reports are printed to a file in the default log dir
@@ -934,10 +1228,10 @@ host-os-policy:
# Defrag settings:
-# The memcap-policy value can be "drop-packet", "pass-packet", "reject" or
-# "ignore" (which is the default).
+# The exception policy memcap-policy value can be "drop-packet", "pass-packet",
+# "reject" or "ignore" (which is the default).
defrag:
- memcap: 64mb
+ memcap: 64 MiB
# memcap-policy: ignore
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
@@ -945,8 +1239,22 @@ defrag:
prealloc: yes
timeout: 60
+# Enable defrag per host settings
+# host-config:
+#
+# - dmz:
+# timeout: 30
+# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
+#
+# - lan:
+# timeout: 45
+# address:
+# - 192.168.0.0/24
+# - 192.168.10.0/24
+# - 172.16.14.0/24
+
# Flow settings:
-# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
+# By default, the reserved memory (memcap) for flows is 32 MiB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determines the size of the hash used to identify flows inside
@@ -962,19 +1270,24 @@ defrag:
# the emergency bit and it will try again with more aggressive timeouts.
# If that doesn't work, then it will try to kill the oldest flows using
# last time seen flows.
-# The memcap can be specified in kb, mb, gb. Just a number indicates it's
+# The memcap can be specified in KiB, MiB, GiB. Just a number indicates it's
# in bytes.
-# The memcap-policy can be "drop-packet", "pass-packet", "reject" or "ignore"
-# (which is the default).
+# The exception policy memcap-policy can be "drop-packet", "pass-packet",
+# "reject" or "ignore" (which is the default).
flow:
- memcap: 256mb
+ memcap: 256 MiB
#memcap-policy: ignore
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
#managers: 1 # default to one flow manager
#recyclers: 1 # default to one flow recycler thread
+ # Track flows and count them as elephant flow if they exceed the rate defined
+ # by the byte count per interval configured below.
+ #rate-tracking:
+ # bytes: 1GiB
+ # interval: 10 # seconds is the only supported unit for interval so far
# This option controls the use of VLAN ids in the flow (and defrag)
# hashing. Normally this should be enabled, but in some (broken)
@@ -1046,11 +1359,11 @@ flow-timeouts:
# engine is configured.
#
# stream:
-# memcap: 64mb # Can be specified in kb, mb, gb. Just a
+# memcap: 64 MiB # Can be specified in KiB, MiB, GiB. Just a
# # number indicates it's in bytes.
-# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
-# # "drop-packet", "pass-packet", "reject" or
-# # "ignore" default is "ignore"
+# memcap-policy: ignore # The exception policy value can be "drop-flow",
+# # "pass-flow", "bypass", "drop-packet",
+# # "pass-packet", "reject" or "ignore" default is "ignore"
# checksum-validation: yes # To validate the checksum of received
# # packet. If csum validation is specified as
# # "yes", then packets with invalid csum values will not
@@ -1062,9 +1375,9 @@ flow-timeouts:
# # option
# prealloc-sessions: 2048 # 2k sessions prealloc'd per stream thread
# midstream: false # don't allow midstream session pickups
-# midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
-# # "drop-packet", "pass-packet", "reject" or
-# # "ignore" default is "ignore"
+# midstream-policy: ignore # The exception policy value can be "drop-flow",
+# # "pass-flow", "bypass", "drop-packet",
+# # "pass-packet", "reject" or "ignore" default is "ignore"
# async-oneside: false # don't enable async stream handling
# inline: no # stream inline mode
# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine
@@ -1077,19 +1390,19 @@ flow-timeouts:
# # means it's slightly more permissive. Enabled by default.
#
# reassembly:
-# memcap: 256mb # Can be specified in kb, mb, gb. Just a number
+# memcap: 256 MiB # Can be specified in KiB, MiB, GiB. Just a number
# # indicates it's in bytes.
-# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
-# # "drop-packet", "pass-packet", "reject" or
-# # "ignore" default is "ignore"
-# depth: 1mb # Can be specified in kb, mb, gb. Just a number
+# memcap-policy: ignore # The exception policy value can be "drop-flow",
+# # "pass-flow", "bypass", "drop-packet", "pass-packet",
+# # "reject" or "ignore" default is "ignore"
+# depth: 1 MiB # Can be specified in KiB, MiB, GiB. Just a number
# # indicates it's in bytes.
# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
+# # this size. Can be specified in KiB, MiB, GiB.
+# # Just a number indicates it's in bytes.
# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
+# # this size. Can be specified in KiB, MiB, GiB.
+# # Just a number indicates it's in bytes.
# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
# # This lowers the risk of some evasion techniques but could lead
# # to detection change between runs. It is set to 'yes' by default.
@@ -1113,26 +1426,30 @@ flow-timeouts:
# # is used or when stream-event:reassembly_overlap_different_data;
# # is used in a rule.
#
+# max-regions: 8 # maximum number of concurrent regions per streaming buffer
+# # defaults to 8, if no configuration was provided. 0 means no limit.
+
stream:
- memcap: 256mb
- prealloc-sessions: 4096
+ memcap: 256 MiB
#memcap-policy: ignore
checksum-validation: yes # reject incorrect csums
midstream: true
midstream-policy: pass-flow
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
- bypass: yes # Bypass packets when stream.reassembly.depth is reached.
reassembly:
- memcap: 256mb
+ urgent:
+ policy: oob # drop, inline, oob (1 byte, see RFC 6093, 3.1), gap
+ oob-limit-policy: drop
+ memcap: 256 MiB
#memcap-policy: ignore
- depth: 1mb # reassemble 1mb into a stream
+ depth: 1 MiB # reassemble 1 MiB into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
#randomize-chunk-range: 10
- raw: yes
- segment-prealloc: 2048
- check-overlap-different-data: true
+ #raw: yes
+ #segment-prealloc: 2048
+ #check-overlap-different-data: true
# Host table:
#
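Review bot: dropping `bypass: yes` changes inline behaviour: flows that reach `stream.reassembly.depth` are no longer bypassed, so they keep passing through the engine instead of being handed to the kernel via the nfq bypass mark configured at the end of this file. If offloading such flows is still the intent, the key should stay. `prealloc-sessions: 4096` is also removed, and `raw`, `segment-prealloc` and `check-overlap-different-data` become comments, all reverting to upstream defaults; the new `urgent.policy: oob` with `oob-limit-policy: drop` is new behaviour and belongs in the commit message.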
@@ -1141,7 +1458,7 @@ stream:
host:
hash-size: 4096
prealloc: 1000
- memcap: 32mb
+ memcap: 32 MiB
# IP Pair table:
#
@@ -1150,7 +1467,7 @@ host:
#ippair:
# hash-size: 4096
# prealloc: 1000
-# memcap: 32mb
+# memcap: 32 MiB
# Decoder settings
@@ -1178,6 +1495,13 @@ decoder:
# maximum number of decoder layers for a packet
# max-layers: 16
+ # This option controls the use of packet recursion level in the flow
+ # (and defrag) hashing. This is enabled by default and should be
+ # disabled if packet pickup of tunneled packets occurs before the kernel
+ # has put the headers on, like when using netmap driver pickup.
+ recursion-level:
+ use-for-tracking: true
+
##
## Performance tuning and profiling
##
@@ -1199,15 +1523,26 @@ decoder:
# The option inspection-recursion-limit is used to limit the recursive calls
# in the content inspection code. For certain payload-sig combinations, we
# might end up taking too much time in the content inspection code.
-# If the argument specified is 0, the engine uses an internally defined
-# default limit. When a value is not specified, there are no limits on the recursion.
+# If the argument specified is 0, there are no limits on the recursion.
+# When a value is not specified, the default is 3000
detect:
profile: medium
custom-values:
toclient-groups: 3
toserver-groups: 25
sgh-mpm-context: auto
- inspection-recursion-limit: 3000
+ # Cache MPM contexts to the disk to avoid rule compilation at the startup.
+ # Cache files are created in the standard library directory.
+ sgh-mpm-caching: yes
+ sgh-mpm-caching-path: /var/cache/suricata/sgh
+ # inspection-recursion-limit: 3000
+ # maximum number of times a tx will get logged for rules without app-layer keywords
+ # stream-tx-log-limit: 4
+ # Try to guess an app-layer transaction for rules without app-layer keywords,
+ # ONLY IF there is just one live transaction for the flow.
+ # This allows logging app-layer metadata in alert - the transaction may not
+ # be the relevant one for the alert.
+ # guess-applayer-tx: no
# If set to yes, the loading of signatures will be made after the capture
# is started. This will limit the downtime in IPS mode.
delayed-detect: yes
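Review bot: `sgh-mpm-caching: yes` with `sgh-mpm-caching-path: /var/cache/suricata/sgh` makes Suricata write compiled MPM state to disk and load it on later starts; the directory must exist, be owned by the Suricata user and be writable by nobody else, because a tampered cache feeds straight into the detection engine. Commenting out `inspection-recursion-limit: 3000` is a no-op per the rewritten comment above (the default is 3000).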
@@ -1219,12 +1554,17 @@ detect:
default: mpm
# the grouping values above control how many groups are created per
- # direction. Port whitelisting forces that port to get its own group.
+ # direction. Port priority setting forces that port to get its own group.
# Very common ports will benefit, as well as ports with many expensive
# rules.
grouping:
- #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
- #udp-whitelist: 53, 135, 5060
+ #tcp-priority-ports: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
+ #udp-priority-ports: 53, 135, 5060
+
+ # Thresholding hash table settings.
+ thresholds:
+ hash-size: 16384
+ memcap: 16 MiB
profiling:
# Log the rules that made it past the prefilter stage, per packet
@@ -1270,6 +1610,7 @@ spm-algo: auto
# Suricata is multi-threaded. Here the threading can be influenced.
threading:
set-cpu-affinity: no
+ autopin: no
# Tune cpu affinity of threads. Each family of threads can be bound
# to specific CPUs.
#
@@ -1282,25 +1623,39 @@ threading:
# verdict-cpu-set is used for IPS verdict threads
#
cpu-affinity:
- - management-cpu-set:
- cpu: [ 0 ] # include only these CPUs in affinity settings
- - receive-cpu-set:
- cpu: [ 0 ] # include only these CPUs in affinity settings
- - worker-cpu-set:
- cpu: [ "all" ]
- mode: "exclusive"
- # Use explicitly 3 threads and don't compute number by using
- # detect-thread-ratio variable:
- # threads: 3
- prio:
- low: [ 0 ]
- medium: [ "1-2" ]
- high: [ 3 ]
- default: "medium"
- #- verdict-cpu-set:
- # cpu: [ 0 ]
- # prio:
- # default: "high"
+ management-cpu-set:
+ cpu: [ 0 ] # include only these CPUs in affinity settings
+ receive-cpu-set:
+ cpu: [ 0 ] # include only these CPUs in affinity settings
+ # interface-specific-cpu-set:
+ # - interface: "enp4s0f0"
+ # cpu: [ 1,3,5,7,9 ]
+ # mode: "exclusive"
+ # prio:
+ # high: [ "all" ]
+ # default: "medium"
+ worker-cpu-set:
+ cpu: [ "all" ]
+ mode: "exclusive"
+ # Use explicitly 3 threads and don't compute number by using
+ # detect-thread-ratio variable:
+ # threads: 3
+ prio:
+ low: [ 0 ]
+ medium: [ "1-2" ]
+ high: [ 3 ]
+ default: "medium"
+ interface-specific-cpu-set:
+ - interface: "enp4s0f0" # 0000:3b:00.0 # net_bonding0 # ens1f0
+ cpu: [ 1,3,5,7,9 ]
+ mode: "exclusive"
+ prio:
+ high: [ "all" ]
+ default: "medium"
+ #verdict-cpu-set:
+ # cpu: [ 0 ]
+ # prio:
+ # default: "high"
#
# By default Suricata creates one "detect" thread per available CPU/CPU core.
# This setting allows controlling this behaviour. A ratio setting of 2 will
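Review bot: the active `interface-specific-cpu-set` entry under `worker-cpu-set` pins workers to `enp4s0f0`, an example NIC name carried over from the upstream template (the trailing comment even lists alternatives). It is inert only because `set-cpu-affinity: no` is set a few lines above; comment it out like the copy under `receive-cpu-set` so it cannot become live if affinity is ever enabled. The rest of the hunk converts the cpu-affinity list into a mapping, which is the new upstream syntax.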
@@ -1318,4 +1673,63 @@ threading:
# set to this value, a fatal error occurs.
#
# Generally, the per-thread stack-size should not exceed 8MB.
- #stack-size: 8mb
+ #stack-size: 8 MiB
+
+##
+## Netfilter integration
+##
+
+# When running in NFQ inline mode, it is possible to use a simulated
+# non-terminal NFQUEUE verdict.
+# This permits sending all needed packet to Suricata via this rule:
+# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
+# And below, you can have your standard filtering ruleset. To activate
+# this mode, you need to set mode to 'repeat'
+# If you want a packet to be sent to another queue after an ACCEPT decision
+# set the mode to 'route' and set next-queue value.
+# On Linux >= 3.1, you can set batchcount to a value > 1 to improve performance
+# by processing several packets before sending a verdict (worker runmode only).
+# On Linux >= 3.6, you can set the fail-open option to yes to have the kernel
+# accept the packet if Suricata is not able to keep pace.
+# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
+# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask
+# on packet of a flow that need to be bypassed. The Netfilter ruleset has to
+# directly accept all packets of a flow once a packet has been marked.
+nfq:
+ mode: repeat
+ repeat-mark: 2147483648
+ repeat-mask: 2147483648
+ bypass-mark: 1073741824
+ bypass-mask: 1073741824
+# route-queue: 2
+# batchcount: 20
+ fail-open: no
+
+##
+## Suricata as a Firewall options (experimental)
+##
+firewall:
+ # toggle to enable firewall mode
+ #enabled: no
+
+ # Firewall rule file are in their own path and are not managed
+ # by Suricata-Update.
+ #rule-path: /etc/suricata/firewall/
+
+ # List of files with firewall rules. Order matters, files are loaded
+ # in order and rules are applied in that order (per state, see docs)
+ #rule-files:
+ # - firewall.rules
+
+
+##
+## Include other configs
+##
+
+# Includes: Files included here will be handled as if they were in-lined
+# in this configuration file. Files with relative pathnames will be
+# searched for in the same directory as this configuration file. You may
+# use absolute pathnames too.
+#include:
+# - include1.yaml
+# - include2.yaml
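Review bot: the nfq block re-added here matches the one removed from the logging area key for key (repeat mode, marks, masks, `fail-open: no`), so this is a relocation only. The new comment above it documents a requirement worth double-checking on the IPFire side: with `bypass-mark` set, the Netfilter ruleset has to accept marked packets directly, otherwise flows Suricata meant to bypass are queued again. There is also a stray double blank line before the "Include other configs" header.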
diff --git a/doc/language_issues.de b/doc/language_issues.de
index a98202e8d7..76f7ab472e 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -148,6 +148,7 @@ WARNING: translation string unused: bitrate
WARNING: translation string unused: bleeding rules
WARNING: translation string unused: blue access use hint
WARNING: translation string unused: blue interface
+WARNING: translation string unused: bypassed
WARNING: translation string unused: bytes
WARNING: translation string unused: cache management
WARNING: translation string unused: cache size
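Review bot: `bypassed` is now reported as an unused translation string for this locale, which means the German language file still carries the old key and has no `offloaded` entry; until the key is renamed there, German users will most likely see the English "Offloaded". The same applies to the es, tw and zh files further down.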
diff --git a/doc/language_issues.en b/doc/language_issues.en
index f5bd78e2a7..2fec840757 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -357,7 +357,6 @@ WARNING: untranslated string: broken = Broken
WARNING: untranslated string: broken pipe = Broken pipe
WARNING: untranslated string: buffered memory = Buffered Memory
WARNING: untranslated string: buffers = buffers
-WARNING: untranslated string: bypassed = Bypassed
WARNING: untranslated string: bytes per second = Bytes per Second
WARNING: untranslated string: bytes received = Bytes Received
WARNING: untranslated string: bytes sent = Bytes Sent
@@ -1386,6 +1385,7 @@ WARNING: untranslated string: ntpd restarted = ntpd restarted
WARNING: untranslated string: number = Number:
WARNING: untranslated string: october = October
WARNING: untranslated string: off = off
+WARNING: untranslated string: offloaded = Offloaded
WARNING: untranslated string: ok = OK
WARNING: untranslated string: older = Older
WARNING: untranslated string: on = on
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 6ea6ee7df8..6863eda0ef 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -168,6 +168,7 @@ WARNING: translation string unused: bitrate
WARNING: translation string unused: bleeding rules
WARNING: translation string unused: blue access use hint
WARNING: translation string unused: blue interface
+WARNING: translation string unused: bypassed
WARNING: translation string unused: ca name must only contain characters or spaces
WARNING: translation string unused: cache management
WARNING: translation string unused: cache size
@@ -1060,6 +1061,7 @@ WARNING: untranslated string: indirect target selection = Indirect target select
WARNING: untranslated string: info messages = unknown string
WARNING: untranslated string: mdstat = Mdstat
WARNING: untranslated string: no data = unknown string
+WARNING: untranslated string: offloaded = Offloaded
WARNING: untranslated string: online = Online
WARNING: untranslated string: ovpn ciphers = Ciphers
WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 6e8e6adcba..750463098e 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -999,7 +999,6 @@ WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit
WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit
WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305
WARNING: untranslated string: allowed subnets = Allowed Subnets
-WARNING: untranslated string: bypassed = Bypassed
WARNING: untranslated string: ca name must only contain characters and spaces = unknown string
WARNING: untranslated string: configuration file = Configuration File
WARNING: untranslated string: core notice 3 = available.
@@ -1063,6 +1062,7 @@ WARNING: untranslated string: malformed preshared key = Malformed Pre-Shared Key
WARNING: untranslated string: malformed private key = Malformed Private Key
WARNING: untranslated string: malformed public key = Malformed Public Key
WARNING: untranslated string: mdstat = Mdstat
+WARNING: untranslated string: offloaded = Offloaded
WARNING: untranslated string: online = Online
WARNING: untranslated string: oops something went wrong = Oops, something went wrong...
WARNING: untranslated string: ovpn ciphers = Ciphers
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 0658bae77e..139bd96574 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -996,7 +996,6 @@ WARNING: untranslated string: autonomous system = Autonomous System
WARNING: untranslated string: available = available
WARNING: untranslated string: block = Block
WARNING: untranslated string: broken = Broken
-WARNING: untranslated string: bypassed = Bypassed
WARNING: untranslated string: ca name must only contain characters and spaces = unknown string
WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes)
WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes)
@@ -1283,6 +1282,7 @@ WARNING: untranslated string: no entries = No entries at the moment.
WARNING: untranslated string: none = none
WARNING: untranslated string: not affected = Not Affected
WARNING: untranslated string: not validating = Not validating
+WARNING: untranslated string: offloaded = Offloaded
WARNING: untranslated string: one hour = One Hour
WARNING: untranslated string: one month = One Month
WARNING: untranslated string: one week = One Week
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 05165cdfd8..d489dccff1 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -997,7 +997,6 @@ WARNING: untranslated string: autonomous system = Autonomous System
WARNING: untranslated string: available = available
WARNING: untranslated string: block = Block
WARNING: untranslated string: broken = Broken
-WARNING: untranslated string: bypassed = Bypassed
WARNING: untranslated string: ca name must only contain characters and spaces = unknown string
WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes)
WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes)
@@ -1307,6 +1306,7 @@ WARNING: untranslated string: no entries = No entries at the moment.
WARNING: untranslated string: none = none
WARNING: untranslated string: not affected = Not Affected
WARNING: untranslated string: not validating = Not validating
+WARNING: untranslated string: offloaded = Offloaded
WARNING: untranslated string: one hour = One Hour
WARNING: untranslated string: one month = One Month
WARNING: untranslated string: one week = One Week
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 53afbcac37..d5285e233e 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -909,7 +909,6 @@ WARNING: untranslated string: available = available
WARNING: untranslated string: bit = bit
WARNING: untranslated string: block = Block
WARNING: untranslated string: broken = Broken
-WARNING: untranslated string: bypassed = Bypassed
WARNING: untranslated string: ca name must only contain characters and spaces = unknown string
WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes)
WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes)
@@ -1440,6 +1439,7 @@ WARNING: untranslated string: none = none
WARNING: untranslated string: not affected = Not Affected
WARNING: untranslated string: not validating = Not validating
WARNING: untranslated string: notice = Notice
+WARNING: untranslated string: offloaded = Offloaded
WARNING: untranslated string: one hour = One Hour
WARNING: untranslated string: one month = One Month
WARNING: untranslated string: one week = One Week
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 3c8fbbab01..a2f6929a6c 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -907,7 +907,6 @@ WARNING: untranslated string: available = available
WARNING: untranslated string: bit = bit
WARNING: untranslated string: block = Block
WARNING: untranslated string: broken = Broken
-WARNING: untranslated string: bypassed = Bypassed
WARNING: untranslated string: ca name must only contain characters and spaces = unknown string
WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes)
WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes)
@@ -1439,6 +1438,7 @@ WARNING: untranslated string: none = none
WARNING: untranslated string: not affected = Not Affected
WARNING: untranslated string: not validating = Not validating
WARNING: untranslated string: notice = Notice
+WARNING: untranslated string: offloaded = Offloaded
WARNING: untranslated string: one hour = One Hour
WARNING: untranslated string: one month = One Month
WARNING: untranslated string: one week = One Week
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index e7f30730c5..2137b2a042 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -984,7 +984,6 @@ WARNING: untranslated string: asn lookup failed = AS lookup failed
WARNING: untranslated string: autonomous system = Autonomous System
WARNING: untranslated string: available = available
WARNING: untranslated string: broken = Broken
-WARNING: untranslated string: bypassed = Bypassed
WARNING: untranslated string: ca name must only contain characters and spaces = unknown string
WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes)
WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes)
@@ -1206,6 +1205,7 @@ WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: no entries = No entries at the moment.
WARNING: untranslated string: not affected = Not Affected
WARNING: untranslated string: not validating = Not validating
+WARNING: untranslated string: offloaded = Offloaded
WARNING: untranslated string: online = Online
WARNING: untranslated string: oops something went wrong = Oops, something went wrong...
WARNING: untranslated string: open connections = Open Connections
diff --git a/doc/language_issues.tw b/doc/language_issues.tw
index 8c7f37772e..53f97d670a 100644
--- a/doc/language_issues.tw
+++ b/doc/language_issues.tw
@@ -170,6 +170,7 @@ WARNING: translation string unused: bitrate
WARNING: translation string unused: bleeding rules
WARNING: translation string unused: blue access use hint
WARNING: translation string unused: blue interface
+WARNING: translation string unused: bypassed
WARNING: translation string unused: ca name must only contain characters or spaces
WARNING: translation string unused: cache management
WARNING: translation string unused: cache size
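Review bot: the new "translation string unused: bypassed" warning in language_issues.tw (and, byte for byte, in language_issues.zh, which carries the same blob index) shows that the tw and zh language files still define the key this change retires in favour of "offloaded"; the de.pl and en.pl diffs further down consist of a single hunk each that adds 'offloaded' without touching 'bypassed', so a follow-up that drops the stale key from all language files would keep these reports from accumulating dead entries.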
@@ -1068,6 +1069,7 @@ WARNING: untranslated string: indirect target selection = Indirect target select
WARNING: untranslated string: info messages = unknown string
WARNING: untranslated string: max bandwidth = Maximum bandwidth
WARNING: untranslated string: no data = unknown string
+WARNING: untranslated string: offloaded = Offloaded
WARNING: untranslated string: online = Online
WARNING: untranslated string: ovpn ciphers = Ciphers
WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
diff --git a/doc/language_issues.zh b/doc/language_issues.zh
index 8c7f37772e..53f97d670a 100644
--- a/doc/language_issues.zh
+++ b/doc/language_issues.zh
@@ -170,6 +170,7 @@ WARNING: translation string unused: bitrate
WARNING: translation string unused: bleeding rules
WARNING: translation string unused: blue access use hint
WARNING: translation string unused: blue interface
+WARNING: translation string unused: bypassed
WARNING: translation string unused: ca name must only contain characters or spaces
WARNING: translation string unused: cache management
WARNING: translation string unused: cache size
@@ -1068,6 +1069,7 @@ WARNING: untranslated string: indirect target selection = Indirect target select
WARNING: untranslated string: info messages = unknown string
WARNING: untranslated string: max bandwidth = Maximum bandwidth
WARNING: untranslated string: no data = unknown string
+WARNING: untranslated string: offloaded = Offloaded
WARNING: untranslated string: online = Online
WARNING: untranslated string: ovpn ciphers = Ciphers
WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
diff --git a/doc/language_missings b/doc/language_missings
index 7cf1c40735..80b0fbb038 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -159,6 +159,7 @@
< ids provider eol
< indirect target selection
< mdstat
+< offloaded
< online
< ovpn ciphers
< ovpn crypto settings
@@ -225,6 +226,7 @@
< malformed private key
< malformed public key
< mdstat
+< offloaded
< online
< oops something went wrong
< ovpn ciphers
@@ -691,6 +693,7 @@
< not affected
< not validating
< Number of Countries for the pie chart
+< offloaded
< okay
< one hour
< one month
@@ -1352,6 +1355,7 @@
< not affected
< not validating
< Number of Countries for the pie chart
+< offloaded
< okay
< one hour
< one month
@@ -2316,6 +2320,7 @@
< notice
< not validating
< Number of Countries for the pie chart
+< offloaded
< okay
< one hour
< one month
@@ -3431,6 +3436,7 @@
< notice
< not validating
< Number of Countries for the pie chart
+< offloaded
< okay
< one hour
< one month
@@ -4073,6 +4079,7 @@
< no entries
< not affected
< not validating
+< offloaded
< okay
< online
< oops something went wrong
@@ -4290,6 +4297,7 @@
< guaranteed bandwidth
< indirect target selection
< max bandwidth
+< offloaded
< online
< ovpn ciphers
< ovpn crypto settings
@@ -4337,6 +4345,7 @@
< guaranteed bandwidth
< indirect target selection
< max bandwidth
+< offloaded
< online
< ovpn ciphers
< ovpn crypto settings
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 210a701ffb..c2a6c30433 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1889,6 +1889,7 @@
'o-yes' => 'Aktiv',
'october' => 'Oktober',
'off' => 'aus',
+'offloaded' => 'Ausgelagert',
'ok' => 'OK',
'older' => 'Älter',
'on' => 'ein',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 57ccaa701a..3450fe6d78 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1956,6 +1956,7 @@
'o-yes' => 'Activ',
'october' => 'October',
'off' => 'off',
+'offloaded' => 'Offloaded',
'ok' => 'OK',
'okay' => 'Okay',
'older' => 'Older',
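Review bot: the unchanged context line 'o-yes' => 'Activ' directly above the new 'offloaded' entry looks like a pre-existing misspelling of 'Active'; it is outside this change, but since en.pl is the text shown wherever a translation is missing it is worth a separate one-line fix.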
diff --git a/lfs/binutils b/lfs/binutils
index deddcfa5ed..1b2b5f3b3f 100644
--- a/lfs/binutils
+++ b/lfs/binutils
@@ -24,7 +24,7 @@
include Config
-VER = 2.44
+VER = 2.45
THISAPP = binutils-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -96,7 +96,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 0eb031ace9fb5a7047b81b5a05b1760f7d332c8ed67f98899f153a45f181b83e661a484551af05c0a9b2adc422da84619103c7b1f3c9fad5327872832b5446aa
+$(DL_FILE)_BLAKE2 = 1ce72346b1f531c89feb86b407e2c649151b506ffbd1a02d413411d36f7ede98fa9a1adf75dd941c01df5fe7e6bf151828b269eeb7c278315ca8004bff22eb7f
install : $(TARGET)
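Review bot: the binutils bump from 2.44 to 2.45 replaces only VER and the BLAKE2 digest, and nothing in the hunk records where the new digest came from; please confirm the tarball was checked against the GPG signature that accompanies GNU binutils releases before the digest was pinned, since the digest in the lfs file is the only thing the build will ever verify.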
diff --git a/lfs/suricata b/lfs/suricata
index 7c02ec83ad..05b708f1b9 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -24,7 +24,7 @@
include Config
-VER = 7.0.11
+VER = 8.0.0
THISAPP = suricata-$(VER)
DL_FILE = $(THISAPP).tar.gz
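Review bot: this is a major version jump (7.0.11 to 8.0.0) shipped as a core update, yet the hunk only changes VER; the commit should state which parts of the Suricata configuration and rule handling were checked against the 8.0 release notes, because a silent incompatibility here would leave the IPS not loading rules on updated systems rather than failing loudly at build time.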
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 5bdfc3715bed2faa49cc9096a30fb0f58c81c0ebe6cb82629d5ccddd75cf68af6b3a1e9ae2ed54cbbeea48d40c2e1c3348b52c19856ba9550b6c687653de8b47
+$(DL_FILE)_BLAKE2 = be76000891acfd6746c05023abb633aff86d90a9a18ecf49758bf05cdc52ed7184f2ac87056dc19489dff0dda81c1139a8a608f682389533ae07a8295fab20c3
install : $(TARGET)
@@ -70,7 +70,7 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-disable-sid-2210059.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-8.0.0-disable-sid-2210059.patch
cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
--prefix=/usr \
--sysconfdir=/etc \
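Review bot: the patch file is renamed from the version-neutral suricata-disable-sid-2210059.patch to suricata-8.0.0-disable-sid-2210059.patch; that is the right call given that the rule text it patches changed between releases (see the rev:2 line in the renamed patch below), but it also means every future Suricata bump must touch this line, so a short comment above the patch line saying the patch is release-specific would save the next person a guess.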
@@ -123,6 +123,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Set correct ownership for the cache directory.
chown nobody:nobody /var/cache/suricata
+ # Create the Hyperscan cache directory
+ -mkdir -pv /var/cache/suricata/sgh
+ chown suricata:suricata /var/cache/suricata/sgh
+
# Create logging directory.
-mkdir -p /var/log/suricata
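Review bot: the new Hyperscan cache directory /var/cache/suricata/sgh is chowned to suricata:suricata while its parent /var/cache/suricata is chowned to nobody:nobody two lines above in the same hunk; one of these is wrong for whichever account the daemon actually runs as, and the mismatch will show up either as an unwritable cache (silent loss of the cache benefit) or as a cache tree owned by a more privileged account than the daemon. Please make both lines use the same user, and note that the mkdir is prefixed with "-" (failure ignored) while the chown is not, so a failed mkdir would abort the build at the chown rather than at the mkdir.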
diff --git a/lfs/vectorscan b/lfs/vectorscan
index b56243c42f..714f75d472 100644
--- a/lfs/vectorscan
+++ b/lfs/vectorscan
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 5.4.11
+VER = 5.4.12
THISAPP = vectorscan-vectorscan-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -62,7 +62,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = a8f5a1230af0ddf7d9fb9299769ec1736d37ac3284f6a98b1e650af461206cf459eac35d13a47beb6683786c6529539b2d082edf426e7d4890ed11804c76268b
+$(DL_FILE)_BLAKE2 = 7d2a5934423ea5ef7153ab04544e9819d3c95644352780f6614ec2e896cbde4d92cffe6433eab86a55be26c2dd968d4d0ea7867d7c1251d4631af9da33d39f31
install : $(TARGET)
@@ -92,7 +92,6 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vectorscan-5.4.11-sse4.2.patch
cd $(DIR_APP) && cmake . \
-DCMAKE_INSTALL_PREFIX:PATH=/usr \
-DBUILD_SHARED_LIBS=ON \
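Review bot: dropping the "patch -Np1 < ... vectorscan-5.4.11-sse4.2.patch" line removes the local change that made hs_valid_platform() test for SSE4.2 instead of SSSE3 (the deleted patch at the end of this mail shows the check_ssse3 to check_sse42 swap); unless 5.4.12 upstream carries an equivalent check, the library will again report HS_SUCCESS on SSSE3-only CPUs and Suricata would then hit illegal instructions at runtime instead of a clean HS_ARCH_ERROR. The commit message should say which upstream change makes the patch unnecessary.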
diff --git a/make.sh b/make.sh
index c3de610b9b..91ae5f682b 100755
--- a/make.sh
+++ b/make.sh
@@ -23,7 +23,7 @@ NAME="IPFire" # Software name
SNAME="ipfire" # Short name
# If you update the version don't forget to update backupiso and add it to core update
VERSION="2.29" # Version number
-CORE="197" # Core Level (Filename)
+CORE="198" # Core Level (Filename)
SLOGAN="www.ipfire.org" # Software slogan
CONFIG_ROOT=/var/ipfire # Configuration rootdir
@@ -32,7 +32,7 @@ GIT_BRANCH="$(git rev-parse --abbrev-ref HEAD)" # Git Branch
GIT_TAG="$(git tag | tail -1)" # Git Tag
GIT_LASTCOMMIT="$(git rev-parse --verify HEAD)" # Last commit
-TOOLCHAINVER="20250430"
+TOOLCHAINVER="20250807"
KVER_SUFFIX="-${SNAME}"
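Review bot: TOOLCHAINVER moves from 20250430 to 20250807 in the same push as the binutils 2.44 to 2.45 bump; that is consistent, but the hunk gives no hint of the dependency, so please confirm the toolchain archive for 20250807 was rebuilt with binutils 2.45 and is published before this lands, otherwise builders that fetch the prebuilt toolchain will compile with a different binutils than the tree declares.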
diff --git a/src/patches/suricata/suricata-disable-sid-2210059.patch b/src/patches/suricata/suricata-8.0.0-disable-sid-2210059.patch
similarity index 51%
rename from src/patches/suricata/suricata-disable-sid-2210059.patch
rename to src/patches/suricata/suricata-8.0.0-disable-sid-2210059.patch
index 8955eec5e9..7968b9ade7 100644
--- a/src/patches/suricata/suricata-disable-sid-2210059.patch
+++ b/src/patches/suricata/suricata-8.0.0-disable-sid-2210059.patch
@@ -1,12 +1,11 @@
-diff -Nur a/rules/stream-events.rules b/rules/stream-events.rules
---- a/rules/stream-events.rules 2021-11-17 16:55:12.000000000 +0100
-+++ b/rules/stream-events.rules 2021-12-08 18:12:39.850189502 +0100
+--- suricata-8.0.0-beta1/rules/stream-events.rules.orig 2025-04-08 14:50:55.000000000 +0200
++++ suricata-8.0.0-beta1/rules/stream-events.rules 2025-06-03 16:16:56.517635788 +0200
@@ -97,7 +97,7 @@
# rule to alert if a stream has excessive retransmissions
alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
# Packet on wrong thread. Fires at most once per flow.
--alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
-+#alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
+-alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; threshold:type backoff, track by_flow, count 1, multiplier 10; sid:2210059; rev:2;)
++#alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; threshold:type backoff, track by_flow, count 1, multiplier 10; sid:2210059; rev:2;)
# Packet with FIN+SYN set
- alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)
+ alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; threshold:type backoff, track by_flow, count 1, multiplier 2; classtype:protocol-command-decode; sid:2210060; rev:2;)
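Review bot: the regenerated patch header names suricata-8.0.0-beta1/rules/stream-events.rules even though lfs/suricata now builds 8.0.0 final; with -Np1 the leading directory is stripped so it still applies, but the patch should be regenerated against the 8.0.0 release tarball so that the header and context lines (including the threshold:type backoff clauses on sid 2210059 and 2210060) are known to match the shipped file rather than a beta. The change itself is unchanged in intent: sid 2210059 is commented out, not deleted, which keeps the rule discoverable for anyone reading the ruleset.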
diff --git a/src/patches/vectorscan-5.4.11-sse4.2.patch b/src/patches/vectorscan-5.4.11-sse4.2.patch
deleted file mode 100644
index feb867aebe..0000000000
--- a/src/patches/vectorscan-5.4.11-sse4.2.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/src/hs_valid_platform.c b/src/hs_valid_platform.c
-index 0af36b6c..12ae5d9a 100644
---- a/src/hs_valid_platform.c
-+++ b/src/hs_valid_platform.c
-@@ -37,9 +37,9 @@
-
- HS_PUBLIC_API
- hs_error_t HS_CDECL hs_valid_platform(void) {
-- /* Hyperscan requires SSSE3, anything else is a bonus */
-+ /* Vectorscan requires SSE4.2, anything else is a bonus */
- #if defined(ARCH_IA32) || defined(ARCH_X86_64)
-- if (check_ssse3()) {
-+ if (check_sse42()) {
- return HS_SUCCESS;
- } else {
- return HS_ARCH_ERROR;
hooks/post-receive
--
IPFire 2.x development tree