To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 30cae58dd0be39699a95473e4abdbaace1d2f15f
X-Git-Refname: refs/heads/next
X-Git-Reftype: branch
X-Git-Oldrev: ceb35099fa8af7c2ac85fa2487e1e5ec4e36d2ce
X-Git-Newrev: 30cae58dd0be39699a95473e4abdbaace1d2f15f
Message-Id: <4bz6tF3c77z2xHR@people01.haj.ipfire.org>
Date: Fri, 08 Aug 2025 15:11:01 +0000 (UTC)
From: Michael Tremer
Precedence: list

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  30cae58dd0be39699a95473e4abdbaace1d2f15f (commit)
       via  9a46d0806f10011e66794fed4ba04c85beca7ed2 (commit)
       via  6de4f7200ae09c5978215f178657e9451be58439 (commit)
       via  0f388dc6d28383f9a5ac230f0dcea23b68b30f7d (commit)
       via  b141bee7923d7c738189d98c716bc2e8aa827edd (commit)
       via  47d0118abbbdc2bfec798c6cb99e976820aec862 (commit)
       via  5015601b7a7128bfe1e4282c26f72c6cb5ecb031 (commit)
       via  5d503216b9757b228bc3020a976e9cd95b33b4fc (commit)
       via  1fa9c1c12894f502f301fd1d2656cbdfe78e4090 (commit)
       via  799b385d1075042ca0d0ab9485d149a208bc7762 (commit)
       via  fb8caf7839080c860bd5cbd62d2d667b20dac970 (commit)
       via  2271a47bf31682be8c0bb9319277339a86cc70be (commit)
      from  ceb35099fa8af7c2ac85fa2487e1e5ec4e36d2ce (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 30cae58dd0be39699a95473e4abdbaace1d2f15f
Author: Michael Tremer
Date:   Fri Aug 8 15:10:39 2025 +0000

    core198: Ship graphs.pl
    Signed-off-by: Michael Tremer

commit 9a46d0806f10011e66794fed4ba04c85beca7ed2
Author: Michael Tremer
Date:   Tue Aug 5 11:44:51 2025 +0100

    IPS: Rename bypassed to "Offloaded"

    Bypassed seems to suggest to some people that the traffic was never
    looked at, when in fact the IPS is rather offloading anything it is
    no longer interested in. I think this is a better phrase.

    Signed-off-by: Michael Tremer

commit 6de4f7200ae09c5978215f178657e9451be58439
Author: Michael Tremer
Date:   Tue Aug 5 11:40:27 2025 +0100

    suricata: Create the SGH cache directory

    Signed-off-by: Michael Tremer

commit 0f388dc6d28383f9a5ac230f0dcea23b68b30f7d
Author: Michael Tremer
Date:   Tue Aug 5 11:34:13 2025 +0100

    suricata: Sync configuration with upstream

    There are not many big changes except that any new engines have been
    enabled and new defaults have been carried over from upstream.

    Signed-off-by: Michael Tremer

commit b141bee7923d7c738189d98c716bc2e8aa827edd
Author: Michael Tremer
Date:   Fri Aug 8 15:06:58 2025 +0000

    core198: Ship binutils

    Signed-off-by: Michael Tremer

commit 47d0118abbbdc2bfec798c6cb99e976820aec862
Author: Michael Tremer
Date:   Fri Aug 8 14:28:42 2025 +0000

    make.sh: Bump toolchain version

    Signed-off-by: Michael Tremer

commit 5015601b7a7128bfe1e4282c26f72c6cb5ecb031
Author: Michael Tremer
Date:   Fri Aug 8 14:28:41 2025 +0000

    binutils: Update to 2.45

    Signed-off-by: Michael Tremer

commit 5d503216b9757b228bc3020a976e9cd95b33b4fc
Author: Michael Tremer
Date:   Fri Aug 8 15:03:50 2025 +0000

    core198: Ship vectorscan
    Signed-off-by: Michael Tremer

commit 1fa9c1c12894f502f301fd1d2656cbdfe78e4090
Author: Adolf Belka
Date:   Tue Jul 22 23:22:08 2025 +0200

    vectorscan: Update to version 5.4.12

    - Update from version 5.4.11 to 5.4.12
    - Update of rootfile
    - Removal of patch for sse4.2 as changes now part of source tarball
    - Changelog
      5.4.12
      Multiple changes since last release, this will be the last 100% ABI
      and API compatible with Hyperscan release. Next versions will include
      major refactors and API extensions, it will be mostly backwards
      compatible however.
      Without particular order, platform support is now:
        * Linux (x86, Arm, Power)
        * FreeBSD 14 (x86, Arm, Power)
        * MacOS 14+ (x86, Arm)
      In total more than 200 configurations in the CI are tested for every PR.
      Other features:
        - Fat Runtime supported for Arm as well (ASIMD/SVE/SVE2).
        - Initial implementations for Arm SVE/SVE2 algorithms added, thanks
          to Yoan Picchi from Arm.
        - SIMDe support added, used as an alternative backend for existing
          platforms, but mostly interesting for allowing Vectorscan to build
          in new platforms without a supported SIMD engine.
        - Various speedups and optimizations.
        - Cppcheck and clang-tidy fixes throughout the code, both have been
          added to CI for multiple configurations, but only cppcheck triggers
          a build failure for now.
      Various bugfixes, most important listed:
        - Speed up truffle with 256b TBL instructions (#290)
        - Fix Clang Tidy warnings (#295)
        - Clang 17+ is more restrictive on rebind on MacOS/Boost, remove warning (#332)
        - partial_load_u64 will fail if buf == NULL/c_len == 0 (#331)
        - Bugfix/fix avx512vbmi regressions (#335)
        - fix missing hs_version.h header (closes #198)
        - hs_valid_platform: Fix check for SSE4.2 (#310)
        - Fixed out of bounds read in AVX512VBMI version of fdr_exec_fat_teddy … (#333)
        - Fix noodle SVE2 off by one bug (#313)
        - Make vectorscan accept \0 starting pattern (#312)
        - Fix 5.4.11's config step regression (#327)
        - Fix double shufti's vector end false positive (#325)
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 799b385d1075042ca0d0ab9485d149a208bc7762
Author: Michael Tremer
Date:   Fri Aug 8 15:02:39 2025 +0000

    core198: Ship suricata
    Signed-off-by: Michael Tremer

commit fb8caf7839080c860bd5cbd62d2d667b20dac970
Author: Adolf Belka
Date:   Tue Jul 22 18:55:43 2025 +0200

    suricata: Update to version 8.0.0

    - Update from version 7.0.11 to 8.0.0
    - Update of rootfile
    - patch file updated for disabling sid-2210059
    - Changelog
      8.0.0
        Security #7658: http2: global tx (stream id 0) may open file and never close it (HIGH - CVE 2025-53538)
        Bug #7798: dpdk: auto count of threads assigns more threads than affined
        Bug #7791: http: BUG_ON assertion reached in packet path
        Bug #7790: affinity: intermittent unittest failures
        Bug #7789: dpdk: compilation warning of a function without prototype
        Bug #7783: smtp: incorrect inspection window
        Bug #7752: decode: no parent packet flow for ip-in-ipv6
        Bug #7678: mpm/ac: error "Just ran out of space in the queue"
        Bug #7649: lib: suricata version in sys crate needs to be updated on build
        Bug #1484: src: BUG_ON(1) statements in the packet path
        Optimization #7643: excessive mtu messages at start up
        Optimization #7212: strtoul: replace with ByteExtractString variant
        Optimization #6264: mpm/ac-ks: reduce stack usage
        Optimization #4753: lua: fix inconsistency in the init "needs" key
        Documentation #7749: doc: update user manual section on RPMs
        Documentation #7723: doc/exceptions: review 'inspection' terminology
        Documentation #7648: rtd: set "latest" to last stable release starting with 8.0.0
        Documentation #7078: devguide: document current ffi naming style
        Documentation #6955: devguide: update coding-style docs
        Documentation #6566: userguide: add description for missing EVE krb fields
        Documentation #6288: eve/schema: generate tables of data for app-layer protocols
        Documentation #6252: userguide/install: move Ubuntu distros to their own page
        Documentation #6069: userguide/install: move RPM distros to their own page
        Documentation #6022: devguide: explain how the engine identifies applayer protocols
        Documentation #5911: userguide: update & bring guide for installation on Windows to RtD
        Task #7758: decode: add stats counters for ipv4/ipv6 over ipv4
        Task #7750: packaging: rpm for RHEL 10
        Task #7632: suricata-lua-sys: tag with a non-prerelease version
        Task #6941: lua: review and document lua rule return types
        Task #6814: libsuricata: opt-in signal handling
        Task #6359: detect/analyzer: add more details for the ICMP icode keyword
        Task #6262: tracking: reduce stack usage
      8.0.0-rc1
        Feature #7715: rules: add option to skip flow tracking for a packet
        Feature #7714: detect: add pre_flow rule hook
        Feature #7713: detect: add tcp.wscale keyword to match on TCP wscale option values
        Feature #7712: detect: add pre_stream rule hook
        Feature #7702: commandline: add --list-app-layer-hooks option
        Feature #7645: pgsql: add CopyIn subprotocol/mode
        Feature #7635: eve: include transaction count
        Feature #7599: mime: add email.received keyword
        Feature #7597: mime: add email.url keyword
        Feature #7593: mime: add email.message_id keyword
        Feature #7507: rules: ftp.completion_code keyword
        Feature #7506: rules: ftp.reply_received keyword
        Feature #7505: rules: ftp.mode keyword
        Feature #7504: rules: ftp.dynamic_port keyword
        Feature #7372: Datajson: a dataset evolution
        Feature #7047: eve: add ip version field
        Feature #7036: DPDK NUMA setup: choose correct CPUs from worker-cpu-set
        Feature #6805: cpu-affinity: enhance CPU affinity logic with per-interface NUMA preferences
        Feature #6695: tls: log extensions
        Feature #6259: pgsql: add `query` detection keyword
        Feature #5692: http: brotli content encoding for HTTP/1.1
        Feature #4099: app-layer: allow direct rule keyword registration
        Feature #3952: protocols: implement mDNS
        Feature #2290: lua: use script as transform
        Bug #7747: affinity: warnings in the granular thread affinity settings code
        Bug #7746: suricatasc does not handle reconnect
        Bug #7735: brotli: old crate version has integer underflow
        Bug #7732: http1: use cursor wrapper handling EOF for brotli
        Bug #7730: dcerpc: uint16 overflow (rust debug assertion)
        Bug #7725: decode/ipv4: missing ip-in-ip case handling
        Bug #7698: firewall: eve verdict field should state "accept" instead of alert
        Bug #7694: flow: elephant flow counts previous bytes revisiting an index
        Bug #7689: Dataset of type IP can't set IPv4
        Bug #7687: flow: non-TCP protocol timeout handling leads to missing flows
        Bug #7681: flow: race condition at shutdown leads to duplicate flows
        Bug #7671: lua: suricata-lua-sys needs to honor MSAN oss-fuzz flags
        Bug #7668: http: lack of setting updated_ts leads to firewall bypass
        Bug #7665: transaction rules: support filesize
        Bug #7653: ips: deconflict pass flow and drop packet rules
        Bug #7647: pgsql: empty request logged if password message disabled
        Bug #7634: hyperscan: coverity warnings
        Bug #7579: detect/files: local_file_id not incremented if inspection buffer is NULL
        Bug #7568: pcap: continuous file reading fails on an empty directory
        Bug #7549: detect: using different sticky buffers for byte_extract and byte_jump leads to undefined value before doing the jump
        Bug #7498: rust: cleanup of extern "C" functions and no_mangle
        Bug #7479: segfault using dummy config output.eve-log.types.alert.payload-buffer-size = 0
        Bug #7420: detect-engine: warning fgets could get negative value
        Bug #7390: byte_extract: issue with saved 'name' in distance keyword
        Bug #7374: dpdk: iface-copy should not be mandatory
        Bug #7344: build: build can sometimes fail copying the lua headers into place
        Bug #7285: Websocket compression mishandling
        Bug #7236: plugins: custom transaction loggers cannot be registered by a plugin
        Bug #7019: snmp: probing parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4
        Bug #7004: app-layer: wrong tx may be logged for stream rules
        Bug #6981: dpdk: compiler warnings about lossy integer precision
        Bug #6400: log of DNS answer is in wrong direction
        Bug #6186: Integer overflows 64 to 32 bytes
        Bug #5739: htp: handle alloc failure for user data
        Bug #5177: detect/analyzer: rule analyzer warns about http buffers usage
        Bug #4815: unix socket: ftp memcap missing from socket commands
        Bug #3436: suricatasc: crashing using command 'reopen-log-files'
        Optimization #7733: transforms: move base64 transform pure rust
        Optimization #7708: http1: add tx iterator
        Optimization #7529: detect/dns: move wrapper code from C to rust
        Optimization #7353: files: remove deprecated force-md5 config option
        Optimization #7292: CI: clang-format rechecks every main-7.0.x commit
        Optimization #7083: detect/dataset: skip adding localstatedir if fullpath is provided
        Task #7727: lua: suricata.log library
        Task #7673: libsuricata: rate_filter callback
        Task #7656: fast.lua: update script to reflect library use
        Task #7609: lua: suricata.util lib
        Task #7608: lua: turn tls into lib
        Task #7607: lua: turn ssh into lib
        Task #7606: lua: turn smtp into lib
        Task #7605: lua: turn ja3 into lib
        Task #7603: lua: turn hassh into lib
        Task #7598: mime: add email.x_mailer
        Task #7591: mime: add email.date keyword
        Task #7491: lua: turn file into lua lib
        Task #7490: lua: turn rule into lua lib
        Task #7487: lua: turn flowints into lib
        Task #7486: lua: turn flowvars into lib
        Task #7461: suricata-verify: pass all tests
        Task #7079: rust: unify rust ffi style
        Task #7026: app-protos: trigger raw stream inspection
        Task #6573: rust: set new minimum Rust version for Suricata 8
        Task #3695: research: libhwloc for better autoconfiguration
        Documentation #7683: mime: add email.attachment keyword
        Documentation #7329: doc: explain the priority ports setting
        Documentation #7143: doc: legacy keyword http_host used in examples
        Documentation #5485: userguide: explain that the http.header_names buffer is normalized
      8.0.0-beta1
        Feature #7644: pgsql: add CopyOut subprotocol/mode
        Feature #7633: dpdk: refrain from creating TX queues on zero TX descriptors
        Feature #7620: smb: configurable logging
        Feature #7596: mime: add email.to keyword
        Feature #7595: mime: add email.subject keyword
        Feature #7592: mime: add email.from keyword
        Feature #7588: mime: add email.cc keyword
        Feature #7565: dcerpc: rpc interfaces info in request event
        Feature #7533: detect/ldap: add ldap.request.attribute_type and ldap.request.attribute keywords, and same for responses
        Feature #7532: detect/ldap: add keywords for LDAPResult
        Feature #7517: detect: smtp.mail_from keyword
        Feature #7516: detect: smtp.rcpt_to keyword
        Feature #7515: detect: smtp.helo keyword
        Feature #7513: detect/integers: add support for negated strings when enum is used
        Feature #7508: rules: ftp.reply keyword
        Feature #7503: rules: ftp.command_data keyword
        Feature #7502: rules: ftp.command keyword
        Feature #7485: rules: allow specifying explicit hooks
        Feature #7482: eve/flow: log tcp session reuse as a timeout reason
        Feature #7481: rules/actions: explicit action scopes
        Feature #7477: ldap: add support for AbandonRequest
        Feature #7471: detect/ldap: add ldap.distinguished_name keywords for request and response
        Feature #7453: detect/ldap: add ldap.request.operation and ldap.response.operation keywords
        Feature #7433: eve/alert: enrich decoder event rules
        Feature #7403: requires: add ability to check for a rule keyword
        Feature #7382: dpdk: create separate packet mempools per queue
        Feature #7381: dpdk: when running with ice driver fully start only when link state change event is caught
        Feature #7380: dpdk: provide "auto" option for RX/TX descriptors
        Feature #7373: dpdk: provide "auto" option to mempool-size property
        Feature #7337: dpdk: implement configuration of RSS using rte_flow rules for major cards
        Feature #7330: dpdk: support HW VLAN stripping
        Feature #7320: flow: add user registerable flow update callbacks
        Feature #7319: flow: add user registerable flow initialization callback
        Feature #7311: http1: log invalid status as string
        Feature #7291: sdp: implements sticky buffer
        Feature #7243: lua: expose dataset functions
        Feature #7240: libsuricata: use provided threads and packets
        Feature #7204: sip: rustify sticky buffers
        Feature #7203: ldap: extend parser for udp
        Feature #7202: ldap: frame support
        Feature #7170: hyperscan: Cache Hyperscan databases to disk to speed up the startup
        Feature #7120: threshold: add backoff type
        Feature #7108: tls: ALPN keyword
        Feature #7098: eve: add payload length field
        Feature #7074: lua: expose base64 functions
        Feature #7073: lua: expose hashing functions (md5/sha1/sha256)
        Feature #7055: tls: log ALPN
        Feature #7051: websocket: data frame
        Feature #7045: tls-store: add support client certs
        Feature #7017: dns: add OPT rdata struct and parsing
        Feature #7012: rules: add dns.response sticky buffer
        Feature #7011: dns: additional section parsing and logging
        Feature #6967: multi-tenancy: support thresholding per tenant
        Feature #6943: pcap: datalink type 229 not (yet) supported in module PcapFile
        Feature #6939: lua: increment stat when a lua rule exhausts its instruction count
        Feature #6857: iprep: support seeing if rule is part of a rep list
        Feature #6856: http: anomaly when request line is missing protocol
        Feature #6832: pcap/log: Support BPFs for filtering pcap output
        Feature #6827: arp: implement decoder and logger
        Feature #6822: threshold: support tracking by flow
        Feature #6788: bypass: decouple stream.bypass dependency from TLS encrypted bypass
        Feature #6739: dpdk: warn the user if user-settings are adjusted to the device capabilities
        Feature #6666: dns: add keyword for dns rrtype: dns.rrtype
        Feature #6648: detect: integer: support bitmasks
        Feature #6647: detect: integers: support for enumerations
        Feature #6646: detect: integer: support negated ranges
        Feature #6645: detect: integer parsed with hexadecimal notation
        Feature #6637: requires: add skipped rules to stats
        Feature #6627: sdp: add protocol parser and logger
        Feature #6621: dns: add keyword for dns rcode: dns.rcode
        Feature #6550: profiling/rules: allow enabling profiling for pcap file runs
        Feature #6546: detect/transform: strip_pseudo_headers
        Feature #6497: dns: new detection buffer: dns.query.name
        Feature #6496: dns: new detection buffer: dns.answer.name
        Feature #6487: detect/transform: from_base64
        Feature #6480: plugins: allow plugins to specify the version of suricata they are for
        Feature #6455: txbits: support for new type of bits
        Feature #6439: rules: add to_lowercase transform
        Feature #6426: http2: app-layer-event and normalization when userinfo is in the :authority pseudo header for the http.host header
        Feature #6396: rules: add protocol string support for mqtt
        Feature #6379: ja4: support for TLS and QUIC
        Feature #6374: sip: add sticky buffers for headers
        Feature #6366: pop3: protocol detection
        Feature #6290: http: support case insensitive testing of header name existence
        Feature #6260: flow: flow matching excluding packet recursion level
        Feature #6215: flow/output: log triggered exception policy
        Feature #6164: rules: allow matching on flow pkts and bytes
        Feature #6090: eve/alert: missing dcerpc metadata
        Feature #6079: eve/dcerpc: eve/smb: log dcerpc uuid with request/response txs
        Feature #5976: eve/stats: allow hiding counters whose value is 0
        Feature #5972: rules: "requires" keyword representing the minimum version of suricata to support the rule
        Feature #5839: dpdk: power saving mode
        Feature #5816: stats: exception policy counters
        Feature #5773: doh: support DNS over HTTPS (DoH)
        Feature #5743: http2: add frame support
        Feature #5734: ssh: add frame support
        Feature #5665: rules: bidirectional transaction matching
        Feature #5647: rules: mark flow as elephant flow
        Feature #5646: rules: allow matching on flow pkts and bytes in either direction
        Feature #5489: research: multi version rules; or version dependent rules
        Feature #5466: detect: allow alert-then-pass logic
        Feature #5446: rules: allow ranges in dns.opcode value
        Feature #5234: tls: subjectAltName buffer
        Feature #5082: smb: keyword for matching the SMB files
        Feature #5075: smb: keyword for the SMB version
        Feature #4974: eve: log rule references
        Feature #4905: smtp: add stream app-layer frame support
        Feature #4904: dcerpc: frames support
        Feature #4853: eve: Add information about Suricata version
        Feature #4777: lua: implement sandboxing
        Feature #4776: lua: vendor latest lua stable
        Feature #4321: http2: Support link between packets in the same stream
        Feature #4102: plugins: support creating app-layer parser, logger and detect
        Feature #3958: enip: convert protocol parser to rust
        Feature #3487: mime: multi-part parser in Rust
        Feature #3351: sip: parse traffic over tcp
        Feature #2816: vlan: support more than 2 layers
        Feature #2696: http: implement parser in rust
        Feature #2695: websocket support
        Feature #2486: prefilter/fast_pattern logic for flowbits
        Feature #2377: deprecate: ssh.softwareversion and ssh.protoversion
        Feature #2280: http: rules that match both request and response
        Feature #1971: lua: make mandatory
        Feature #1520: multi-tenancy: verbose output clarity
        Feature #1199: protocol: LDAP support
        Feature #1125: smtp: improve protocol detection
        Feature #1065: rules: introduce vlan id keyword
        Feature #845: stats: track memory consumption
        Security #7615: datasets: signature keyword setting can cause high memory usage (MODERATE - CVE 2025-29916)
        Security #7613: decode_base64: signature can do large memory allocation (HIGH - CVE 2025-29917)
        Security #7526: detect: infinite loop in DetectEngineContentInspectionInternal with negated pcre (HIGH - CVE 2025-29918)
        Security #7465: ldap: bound of number of transactions is not fully enforced
        Security #7464: doh2: buffer is not really limited to 65K as should be for DNS
        Security #7458: af-packet: defrag option can lead to truncated packets (HIGH - CVE 2025-29915)
        Security #7450: tracking: signature can allocate arbitrary amount of memory
        Security #7411: tcp: generic detection bypass using TCP urgent support (HIGH - CVE 2024-55629)
        Security #7393: tcp: segfault on StreamingBufferSlideToOffsetWithRegions (CRITICAL - CVE 2024-55627)
        Security #7366: bpf: oversized bpf file can lead to buffer overflow (MODERATE - CVE 2024-55626)
        Security #7280: dns: quadratic complexity in logging and invalid json as output (HIGH - CVE 2024-55628)
        Security #7267: ja4: non alphanumeric characters in alpn lead to panic (CRITICAL - CVE 2024-47522)
        Security #7229: detect: write to read-only memory in transforms (CRITICAL - CVE 2024-55605)
        Security #7209: thash: random factor not used; possible abusive hash collisions (CRITICAL - CVE 2024-47187)
        Security #7195: datasets: rule with unset makes suricata abort (HIGH - CVE 2024-45795)
        Security #7191: http: quadratic complexity in headers processing/finding (CRITICAL - CVE 2024-45797)
        Security #7183: smb: hashmap entries not removed for error responses
        Security #7104: http2: oom from duplicate headers (CRITICAL - CVE 2024-38535)
        Security #7085: eve: transactions can be logged an arbitrary number of times
        Security #7067: defrag: off by one leads to possible evasion (HIGH - CVE 2024-45796)
        Security #7040: defrag: id reuse can lead to invalid reassembly (CRITICAL - CVE 2024-37151)
        Security #7029: http/range: segv when http.memcap is reached (HIGH - CVE 2024-38536)
        Security #6987: modbus: txs without responses are never freed (MODERATE - CVE 2024-38534)
        Security #6902: base64: off-by-three overflow in DecodeBase64() (HIGH - CVE 2024-32664)
        Security #6900: http2: timeout logging headers (HIGH - CVE 2024-32663)
        Security #6892: http2: oom on copying compressed headers (CRITICAL - CVE 2024-32663)
        Security #6866: eve: excessive ssh long banner logging (HIGH - CVE 2024-28870)
        Security #6799: ssh: quadratic complexity in overlong banner (CRITICAL - CVE 2024-28870)
        Security #6796: output/filestore: slowdown because of running OutputTxLog on useless packets
        Security #6770: log: arbitrary-length value can be logged
        Security #6757: libhtp: quadratic complexity checking after request line missing protocol (CRITICAL - CVE 2024-28871)
        Security #6680: smb: pcap with many open files takes too much time
        Security #6675: ip-defrag: packet can be considered complete even with holes (MODERATE - CVE 2024-32867)
        Security #6669: ip defrag: re-assembly error in bsd policy (MODERATE - CVE 2024-32867)
        Security #6668: ip defrag: final overlapping packet can lead to "hole" in re-assembled data (MODERATE - CVE 2024-32867)
        Security #6493: ip defrag: several issues with overlap handling
        Security #6481: http2: quadratic complexity in find_or_create_tx not bounded by max-tx (CRITICAL - CVE 2024-23836)
        Security #6477: smtp: quadratic complexity from unbounded number of transaction per flow (CRITICAL - CVE 2024-23836)
        Security #6444: http1: quadratic complexity from infinite folded headers (CRITICAL - CVE 2024-23837)
        Security #6441: detect: heap use after free with http.request_header keyword (CRITICAL - CVE 2024-23839)
        Security #6411: pgsql: quadratic complexity leads to over consumption of memory (HIGH - CVE 2024-23835)
        Security #6299: mqtt: pcap with anomalies takes too long to process because of app-layer-event detection
        Security #5926: http2: evasion by splitting header fields over frames (HIGH - CVE 2024-24568)
        Security #5921: http1: configurable limit for maximum number of live transactions per flow (CRITICAL - CVE 2024-23836)
        Bug #7618: af-packet: setting bpf fails
        Bug #7577: detect/files: file.data does not use content passed when closing the file internally
        Bug #7567: dcerpc: assertion triggered !((res.needed + res.consumed < input_len))
        Bug #7562: detect/flow: null dereference in signature parsing
        Bug #7560: detect/krb5: undefined behavior with krb5.ticket_encryption when passing -INT32_MAX
        Bug #7556: quic: valid traffic blocked in IPS mode
        Bug #7554: tls: parser error on unACK'd data in FIN shutdown
        Bug #7552: app-layer: misdetection if response is seen first without request
        Bug #7548: dcerpc: avoid integer underflow
        Bug #7523: rules/prefilter: prefilter keyword ignored when in content rule
        Bug #7521: detect/ip-only: false positive alerts on pseudo packets ending a one direction flow
        Bug #7495: protocol detection: probing parsers do not finish as soon as possible
        Bug #7469: smtp: recognize when client initiated TLS
        Bug #7467: detect: checksum detection broken by stream.checksum-validation
        Bug #7466: lua: Flowvar memory leak
        Bug #7455: flow: flow timeout behavior non-deterministic
        Bug #7449: app-layer metadata does not get logged for stream rules and unidirectional protocols
        Bug #7447: NULL dereference in ThreadLogFileHashFreeFunc in bug-5198 SV test
        Bug #7444: dpdk: RSS key length mismatch on ice (E810) card with DPDK version 22.11.6
        Bug #7440: eve/frame: incomplete frame logging
        Bug #7437: protocol detection: probing parsers are limited to 32 by use of bitflag
        Bug #7436: sip: remove UPDATE pattern as already used by HTTP/1.1
        Bug #7435: fuzz: fix protocol detection target initialization sequence
        Bug #7422: tcp: GAP event set on unack'd data following a RST
        Bug #7418: requires: rules with unmet requirements are still loaded
        Bug #7417: rust: remove shared reference to static mutable
        Bug #7414: detect: decoder event rules fail to match on invalid packets
        Bug #7409: http: crash in strip_pseudo_headers transform
        Bug #7406: eve: Alerts with app_proto=tls no longer logs the tls app data
        Bug #7398: datasets: scan-build warning call to blocking fn inside critical section
        Bug #7394: ldap: support starttls with tls upgrade
        Bug #7365: flow-manager: multi Flow Manager memory leak problem
        Bug #7361: rules: unknown internal events not being detected as errors
        Bug #7359: eve/syslog: crashes on use
        Bug #7338: rust: different int types turn garbage on FFI boundary
        Bug #7334: asan/profiling: global-buffer-overflow error
        Bug #7333: tls: impossible to log alpns with 'custom' logging
        Bug #7332: tls: fix duplicate EVE field issuerdn
        Bug #7326: http: FN with prefilter if the first of multi buffer did not match
        Bug #7325: sdp: one or more time descriptions
        Bug #7323: mqtt: wrong and missing direction for keywords
        Bug #7318: flow: flow timeout pseudo packet triggers unexpected alert
        Bug #7315: template: remove usage of template-rust
        Bug #7314: misc/warnings: compile warnings during build
        Bug #7309: http: incorrect file direction handling
        Bug #7305: sdp: media's encryption key not logged
        Bug #7303: detect: memleak in case of errors during initialization
        Bug #7302: conf: memleak if yaml parser is initialized before checking if file exists
        Bug #7300: output: oversized records lead to invalid json
        Bug #7296: detect: transform base64 creates a 0-sized variable-length array
        Bug #7279: dns: protocol detection is not strict enough
        Bug #7270: conf: nullptr dereference if mem alloc fails for a node in yaml parser
        Bug #7264: detect/flow: ACK with data on 3whs fails to match 'flow:established'
        Bug #7256: ja3: Error: ja3: Buffer should not be NULL
        Bug #7253: fuzz: CIFuzz is not fuzzing PRs as it is supposed to
        Bug #7241: app-layer-protocol: negated matching false positive
        Bug #7238: app-layer: protocol flows are miscounted in case of error
        Bug #7235: tls: a rule stops working since 7.0.5
        Bug #7230: dcerpc: invalid dcerpc header is not rejected
        Bug #7228: dns: no data logged, and no events with udp corrupt additional record
        Bug #7226: lua: use crate from crates.io instead of github to fix offline builds
        Bug #7218: profiling: packet profiling to log file is only active with rule profiling
        Bug #7213: frames: stream frame is not always the first one registered
        Bug #7210: docs: inconsistent spelling in documentation for RFB `security_result` key
        Bug #7206: cbindgen: compatibility with newer version 0.27
        Bug #7200: smtp: crash in ByteExtractString
        Bug #7199: detect: missing app-layer metadata in alerts
        Bug #7187: detect: dcerpc logging and matching issues
        Bug #7181: fuzz: File confyaml.c is missing
        Bug #7176: ldap: crash when encountering GAP
        Bug #7172: detect/integers: do not bother to free NULL pointer on setup/parse failure
        Bug #7169: lua/output: vendored lua search for modules in /usr/local/ rather than /usr/
        Bug #7158: tcp: 'broken ack' event set on flow timeout
        Bug #7135: util/thash: debug assertion for memuse
        Bug #7126: decode/base64: Error message on packet path.
        Bug #7121: smb/ntlmssp: nonsense smb.ntlmssp.version values
        Bug #7115: dpdk: timestamping packets through TSC does not yield the same time as kernel time
        Bug #7113: pgsql: track 'progress' in tx per direction
        Bug #7111: protodetect: DNS flow direction is not correct sometimes
        Bug #7106: packet: app-layer-events incorrectly used on recycled packets
        Bug #7093: sip: wrong slice used for sip_take_line with tcp leads to quadratic oom
        Bug #7059: smtp: split name logged as 2 names
        Bug #7053: bypass: cannot bypass udp flow from first packet in second direction
        Bug #7049: util/radix-tree: Possible dereference of nullptr in case of unsuccessful allocation of memory for node
        Bug #7048: af-packet: failure to start up on many threads plus high load
        Bug #7037: pcap/log: MacOS rotates file well before limit is reached
        Bug #7034: time: in offline mode, time can stay behind at pcap start
        Bug #7028: base64: heap buffer overflow in RFC 2045 and 4648 modes
        Bug #7025: websocket: wrong value for opcode ping/pong
        Bug #7022: unix-socket: iface-bypassed-stat crash
        Bug #7020: unix-socket: hostbit commands don't properly release host
        Bug #7013: rust: build with rust 1.78 with slice::from_raw_parts now requiring the pointer to be non-null
        Bug #7000: pgsql: trigger raw stream reassembly
        Bug #6994: sip/sdp: logger closes unopened array for empty medias
        Bug #6989: tls.random buffers don't work as expected
        Bug #6985: base64: coverity dead code warning
        Bug #6984: mqtt: do not log non-string messages?
        Bug #6983: eve/alert/metadata: no pgsql object encapsulation
        Bug #6973: detect: log relevant frames app-layer metadata
        Bug #6969: dataset: lookup function is not working with ip type
        Bug #6964: base64: consumed bytes are incorrectly set for different modes
        Bug #6959: http: improve handling of content encoding: gzip but request_body not actually compressed
        Bug #6957: Assert: BUG_ON(id <= 0 || id > (int)thread_store.threads_size);
        Bug #6954: eve: packet field packet_info.linktype is non-portable
        Bug #6948: detect/http.response_body: false positive because not enforcing direction to_client
        Bug #6942: decode/ppp: decoder.event.ppp.wrong_type on valid packet
        Bug #6940: lua: handle errors in lua rules
        Bug #6921: jsonbuilder: serializes Rust f64 NaNs to an invalid literal
        Bug #6918: pcre2: compile warning
        Bug #6913: reimplement systemd sd_notify w/o linking to libsystemd
        Bug #6906: smtp/mime: data command rejected by pipelining server does not reset data mode
        Bug #6904: mime: buffer overflow in GetFullValue() (util-decode-mime.c)
        Bug #6903: streaming buffer: heap overflows in StreamingBufferAppend()/StreamingBufferAppendNoTrack()
        Bug #6896: detect/port: upper boundary ports are not correctly handled
        Bug #6891: sip: usage of Vec instead of Vecdeque leads to quadratic complexity on cleanup
        Bug #6889: detect: slowdown in rule parsing
        Bug #6887: defrag: reassembled packet can have wrong datatype
        Bug #6883: rust: clippy 1.77 warning
        Bug #6881: detect/port: port grouping does not happen correctly if gap between a single and range port
        Bug #6877: Suricata 8 general protection fault ip:698117 sp:7fd537b08090
        Bug #6875: output/alert: assertion failed p->flow != NULL
        Bug #6871: dpdk: fix compatibility issues for ice cards
        Bug #6864: detect: ipopts keyword false positive
        Bug #6861: profiling/rules: crash when profiling ends
        Bug #6846: eve/alerts: wrongly using tx id 0 when there is no tx
        Bug #6843: detect/port: port ranges are incorrect when a port is single as well as a part of range
        Bug #6839: coverity: warning in port grouping code
        Bug #6838: eve/filetypes: move from plugin api to eve api
        Bug #6837: netmap: error message Netmap pipes (with lb)
        Bug #6835: BUG_ON triggered from TmThreadsInjectFlowById
        Bug #6834: iprep: rule with '=,0' can't match
        Bug #6811: capture plugins: capture plugins unusable due to initialization order
        Bug #6790: dpdk: evaluate the correct handling of DPDK ports on shutdown
        Bug #6787: decode/pppoe: Suspicious pointer scaling
        Bug #6782: streaming/buffer: crash in HTTP body handling
        Bug #6778: detect/tls.certs: direction flag checked against wrong field
        Bug #6766: multi-tenancy: dead lock during tenant loading
        Bug #6762: hugepages: error for FreeBSD when kernel NUMA build option is not enabled
        Bug #6760: af-packet: hugepages Error for ARM64 and af-packet IPS mode
        Bug #6755: netmap: deadlock if netmap_open fails
        Bug #6753: detect/cip: missing return-value check for a 'scanf'-like function
        Bug #6745: util/mime: Memory leak at util-decode-mime.c:MimeDecInitParser
        Bug #6741: dpdk: automatic cache calculation is broken
        Bug #6737: dpdk: property configuration can lead to integer overflow
        Bug #6733: tcp: tcp flow flags changing incorrectly when ruleset contains content matching
        Bug #6732: eve/stats: parent interface object in stats contains VLAN-ID as keys
        Bug #6726: stream: stream.drop-invalid drops valid traffic
        Bug #6715: dpdk: NUMA warning on non-NUMA system
        Bug #6710: rules: failed rules after a skipped rule are recorded as skipped, not failed
        Bug #6678: datasets: discard datasets that hit the memcap while loading correctly
        Bug #6664: eve/smtp: attachment filenames not logged
        Bug #6661: detect/content-inspect: FN on negative distance
        Bug #6656: detect/requires: assertion failed !(ret == -4)
        Bug #6643: http: wrongly assuming http0.9 leads to missed headers
        Bug #6634: tls: Invalid ja3 due to double client hello
        Bug #6633: stats: flows with a detection-only alproto not accounted in this protocol
        Bug #6619: profiling:
runtime much longer to run than it used to Bug #6618: endace: timestamp fixes Bug #6617: detect/filestore: flow, to_server was broken by moving files into transactions Bug #6615: detect/analyzer: misrepresenting negative distance value Bug #6592: mqtt: frames on TCP are not set properly when parsing multiple PDUs in one go Bug #6585: src: SCTIME_FROM_TIMESPEC() creates incorrect timestamps Bug #6584: src: SCTIME_ADD_SECS() macro zeros out ts.usec part Bug #6578: ssh: no alert on packet with Message Code: New Keys (21) Bug #6574: detect/filestore: memory leak on rule parsing Bug #6553: eve/alert: payload/payload_printable misrepresent data in case of overlaps Bug #6551: Invalid registration of prefiltering in stream size Bug #6547: http2: http.response_line has leading space Bug #6527: cppcheck 2.11 errors Bug #6501: eve/alert: missing TFTP metadata Bug #6500: eve/alert: missing FTP metadata Bug #6490: profiling: rule profiling doesn't support absolute paths Bug #6483: http.request_headers - odd behavior with multiple signtures Bug #6419: dpdk: Analyze hugepage allocation on startup more thoroughly Bug #6415: http: various header buffer not populated when malformed header value exists Bug #6414: detect-engine/port: recursive DetectPortInsert calls are expensive Bug #6408: Output plugins receive identifier, but not thread identifier Bug #6405: eve: ethernet src_mac should match src_ip Bug #6398: eve/stats: threads object in stats contains memcap_pressure scalars Bug #6393: detect/filestore: be more explicit about the U16_MAX limit per signature group head Bug #6390: detect/filestore: do not store if "both,flow" is triggered after the file was set to "nostore" Bug #6389: pgsql: u16 overflow found by oss-fuzz w/ quadfuzz Bug #6376: detect: huge increase on start up time with a lot of ip-only rules and bigger HOME_NET Bug #6347: log-pcap: crash with suricata.yaml setting max-file to 1 Bug #6305: drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, 
ACTION_DROP) Bug #6304: schema.json : if protocol such as ENIP is detection only, we do not have _tcp suffix in stats Bug #6281: dns: structure of query differs between "alert" and "dns" event types Bug #6280: base64: strict mode should only accept strings that can be reliably converted back Bug #6254: bypass: thread "FB" failed to start in time: flags 0003 Bug #6092: eve/alert: missing pgsql metadata Bug #6080: pgsql/probe: TCP on 5432 traffic incorrectly tagged as PGSQL Bug #5977: eve/alert: missing KRB5 metadata Bug #5539: landlock: coverity warnings Bug #5524: pgsql: parser should not error on parsing error, so as to keep on parsing the next PDUs Bug #5491: smtp: response 530 appears to generate an invalid response alert Bug #5486: eve: ethernet metadata is missing for some protocols or parts of a protocol Bug #5279: nom: use of count combinator can use too much memory Bug #5220: detect/base64_data: fast_pattern shouldn't be allowed Bug #5185: mime: URL extraction missing Bug #4921: detect/app-layer-protocol: unexpected results when one direction state "failed" Bug #4858: fuzz: Timeout with pcre Bug #4734: pfring: memory leak Bug #3910: datasets: for type string the memcap isn't applied to the string data Bug #3682: detect/bsize: error for impossible matching conditions Bug #2886: imap: protocol detection is incomplete Bug #2881: http.protocol parsing inaccuracy : accept spaces in URI Bug #2224: rules: negated http_* match returns false if buffer not populated Bug #1457: conf: non-standard units used for file size indication Optimization #7617: af-packet: set defrag based on passive or inline mode Optimization #7558: detect: convert rule group dumping to JsonBuilder Optimization #7358: CI: only run CodeQL python if the PR contains changed files that are python Optimization #7304: detect: improve support for multi-protocol keywords Optimization #7297: src: remove duplicate function declarations Optimization #7272: af-packet: improve startup time Optimization 
#7208: tcp/reassemble: GetBlock takes O(nlgn) in worst case Optimization #7185: stats: exceptions: use search-friendly log output Optimization #7178: rfb: rustify keywords and app-layer registration Optimization #7155: pcap: use larger read size buffer for a performance increase Optimization #7087: app-layer: track modified transactions Optimization #7065: base64: move the decoder to rust Optimization #7044: app-layer: clean up truncate callbacks and logic Optimization #7018: dns/tcp: allow triggering raw stream reassembly Optimization #7002: detect: move pseudo packet checks out of keyword Match funcs Optimization #6938: packet: optimize packet data storage Optimization #6937: compile: make code clean with -Wunused-macros Optimization #6878: conf: quadratic complexity in yaml loader Optimization #6873: byte_extract: convert keyword/option parsing to Rust Optimization #6855: src: var code cleanups Optimization #6852: mpm/ac: support endswith Optimization #6821: smtp: add 535 code Optimization #6795: detect/port: PortGroupWhitelist fn takes a lot of processing time Optimization #6792: detect/port: port grouping is quite slow in worst cases Optimization #6786: util-rohash.c : make code cleaner to make CodeQL happier Optimization #6775: detect: do not run tx detection on tcp non established packets Optimization #6773: app-layer/template: no limit on txs number Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...) 
Optimization #6718: detect/frames: avoid rescanning in IPS mode Optimization #6702: streaming-buffer: Explore Rank Balanced trees Optimization #6575: detect/multi-buffer: use single definition of struct PrefilterMpmKrb5Name Optimization #6569: threading: fix condition signalling w/o taking lock first Optimization #6454: detect: force os to release memory on rule reload Optimization #6433: packetpool: improve return sync logic Optimization #6387: mqtt: move parser registration code to the rust side Optimization #6111: defrag: avoid passing null pointers to functions Optimization #5699: dcerpc: switch to incomplete api for tcp Optimization #5672: smb: avoid unbounded hash maps Optimization #5634: detect: unify ValidateCallback for MD5-like keywords Optimization #5566: pgsql: add events Optimization #5517: decode: big clean up (macros and functions) Optimization #5311: ftp: use unsigned integer for input_len Optimization #5047: sip: implement pattern based protocol detection Optimization #4798: af-packet: default to tpacket-v3 in IDS mode Optimization #3827: output: clean up logging initialization code Optimization #3449: eve: output calls fflush very often Optimization #3427: datasets: issue warning/info for data with type string that are not base64 Optimization #426: threshold: rule based thresholding data structure improvement Task #7604: lua: turn http into lib Task #7602: lua: turn dns into lib Task #7601: lua: turn dnp3 into lib Task #7492: lua: remove script_api_ver check from needs block Task #7489: lua: turn flow into lib Task #7488: lua: turn packet into lib Task #7456: engine/analysis: report rule state altered by flowbit rule Task #7426: flowint: add isnotset support Task #7350: firewall usecase: log app-layer metadata for for catch-all drop rules Task #7341: rust: use bindgen to generate Rust bindings to C functions Task #7287: schema: add missing tls fields certificate and chain Task #7246: libhtp 0.5.49 Task #7227: logging: document and cleanup low 
level logging registration Task #7219: rust/crates: update base64 Task #7167: dns: make the version field in a dns object required Task #7165: napatech: move into bundled plugin Task #7162: pfring: move into bundled plugin Task #7154: plugins: add template detection plugin Task #7152: plugins: add template logger plugin Task #7151: plugins: add template app-layer plugin Task #7130: rust: dependency "time" fails to build on Rust nightly Task #7058: fuzz/base64: check decoded strings for correctness in strict mode Task #6965: libhtp 0.5.48 Task #6962: yaml: unify 0 stats counter config option terminology Task #6961: lua: use a rust crate to vendor lua Task #6935: unittests: convert tests to new FAIL/PASS API - src/app-layer-htp.c Task #6888: contrib: remove obsolete items from contrib Task #6818: rust: snmp-parser 0.10.0 Task #6817: rust: kerberos-parser 0.8.0 Task #6769: libhtp 0.5.47 Task #6748: doc: mention X710 RX descriptor limitation Task #6712: dependencies: completely remove nss Task #6705: build-info: remove obsolete "rust support" line Task #6605: flash decompression: update/remove deprecation warnings Task #6603: pgsql: don't log password msg if password disabled Task #6586: mpm/ac-bs: remove implementation Task #6577: pgsql: add cancel request message Task #6544: logging: deprecate syslog Task #6543: logging: deprecate http-log Task #6542: logging: deprecate tls-log Task #6488: plugins: add example plugins to the suricata source tree Task #6432: tracking: autofp capture stalls due to packetpool depletion Task #6427: runmodes: remove reference to auto modes Task #6360: detect/analyzer: add more details for the icmp_id keyword Task #6355: detect/analyzer: add more details for the tcp.mss keyword Task #6354: detect/analyzer: add more details for the tcp ack keyword Task #6353: detect/analyzer: add more details for the tcp seq keyword Task #6352: detect/analyzer: add more details for the tcp window keyword Task #6318: unittests: convert tests to new FAIL/PASS 
API - detect-engine-address-ipv4.c Task #6312: detect/analyzer: add more details for the flow.age keyword Task #6309: detect/analyzer: add more details for the flowbits keyword Task #6287: suricatasc: rewrite in rust Task #6209: libhtp 0.5.46 Task #6107: unittests: convert tests to new FAIL/PASS API - util-memcmp.c Task #6050: base64: make a fuzz target Task #5626: doc: document file.data Task #5588: ips/tap: don't allow mixed tap and ips modes Task #5053: app-layer: dynamic alproto IDs Task #4742: build: make the auto-generated config.h not conflict with other config.h Task #4698: lib: Example program to bootstrap Suricata (an alternate main() for Suricata) Task #4683: detect: remove sigmatch_table in favor of a dynamic storage option Task #4105: plugins: Create template capture source plugin Task #4103: plugins: convert an app-layer to use the plugin API (snmp) Documentation #7540: doc/userguide: fix typo Documentation #7383: userguide: fix typo Documentation #7262: doc: remove mentions to suricata-6 Documentation #7260: userguide/config: fix consistency of dashes instead of underscores Documentation #7153: devguide: document adding a detection plugin Documentation #7150: devguide: document adding a logging plugin Documentation #7149: devguide: document adding a app-layer plugin Documentation #7031: userguide: document SignatureProperties sigtype Documentation #6911: manpages: use consistant date based on release and/or git commits Documentation #6908: userguide: document how to verify tar.gz signature Documentation #6781: http: document duplicate headers concatenation handling Documentation #6725: document pcap file variables Documentation #6708: userguide/payload: fix explanation about bsize ranges Documentation #6686: docs: port userguide build instruction changes from master-6.0.x Documentation #6685: userguide: explain noalert keyword Documentation #6629: docs: fix byte_test examples Documentation #6628: userguide: document generic aspects of integer 
keywords Documentation #6599: docs: update eBPF installation instructions Documentation #6589: docs: fix broken bulleted list style on rtd Documentation #6570: remove references in docs mentioning prehistoric Suricata versions Documentation #6568: devguide: document backports policies and process Documentation #6552: doc: add tcp timeout fix to upgrade guide Documentation #6548: http2: http.stat_msg - note about HTTP/2 behavior Documentation #6445: userguide: explain what flow_id is Documentation #6076: eve/schema: document quic Documentation #5651: detect/bsize: format should specify operators Documentation #5494: userguide: update tls eve-log fields 'not_before' and 'not_after' Documentation #5393: devguide: move github workflow document from redmine into devguide Documentation #5088: detect/file.name: keyword is not documented Documentation #4359: docs: elaborate documentation for rule profiling Documentation #3015: userguide: document "tag" keyword Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 2271a47bf31682be8c0bb9319277339a86cc70be Author: Michael Tremer Date: Fri Aug 8 15:01:04 2025 +0000 make.sh: Start Core Update 198 
Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/graphs.pl | 2 +-
 config/rootfiles/common/aarch64/binutils | 11 +-
 config/rootfiles/common/aarch64/vectorscan | 4 +-
 config/rootfiles/common/riscv64/binutils | 11 +-
 config/rootfiles/common/suricata | 10 +
 config/rootfiles/common/x86_64/binutils | 11 +-
 config/rootfiles/core/{197 => 198}/exclude | 0
 .../133 => core/198}/filelists/aarch64/binutils | 0
 .../187 => core/198}/filelists/aarch64/vectorscan | 0
 .../core/{197 => 198}/filelists/core-files | 0
 config/rootfiles/core/198/filelists/files | 1 +
 .../180 => core/198}/filelists/riscv64/binutils | 0
 .../rootfiles/core/{197 => 198}/filelists/suricata | 0
 .../100 => core/198}/filelists/x86_64/binutils | 0
 .../187 => core/198}/filelists/x86_64/vectorscan | 0
 .../rootfiles/{oldcore/152 => core/198}/update.sh | 12 +-
 config/rootfiles/{core => oldcore}/197/exclude | 0
 .../{core => oldcore}/197/filelists/aarch64/linux | 0
 .../197/filelists/aarch64/lm_sensors | 0
 .../197/filelists/aarch64/util-linux | 0
 .../{core => oldcore}/197/filelists/apache2 | 0
 .../{core => oldcore}/197/filelists/automake | 0
 .../rootfiles/{core => oldcore}/197/filelists/bash | 0
 .../rootfiles/{core => oldcore}/197/filelists/bind | 0
 .../{core => oldcore}/197/filelists/btrfs-progs | 0
 .../{core => oldcore}/197/filelists/core-files | 0
 .../rootfiles/{core => oldcore}/197/filelists/curl | 0
 .../{core => oldcore}/197/filelists/e2fsprogs | 0
 .../{core => oldcore}/197/filelists/files | 0
 .../{core => oldcore}/197/filelists/fontconfig | 0
 .../{core => oldcore}/197/filelists/gettext | 0
 .../{core => oldcore}/197/filelists/gnutls | 0
 .../rootfiles/{core => oldcore}/197/filelists/jq | 0
 .../{core => oldcore}/197/filelists/json-glib | 0
 .../{core => oldcore}/197/filelists/libhtp | 0
 .../{core => oldcore}/197/filelists/libjpeg | 0
 .../{core => oldcore}/197/filelists/libpng | 0
 .../{core => oldcore}/197/filelists/libssh | 0
 .../{core => oldcore}/197/filelists/libtasn1 | 0
 .../{core => oldcore}/197/filelists/libunistring | 0
 .../rootfiles/{core => oldcore}/197/filelists/lvm2 | 0
 .../{core => oldcore}/197/filelists/nettle | 0
 .../{core => oldcore}/197/filelists/openssl | 0
 .../{core => oldcore}/197/filelists/openvpn | 0
 .../{core => oldcore}/197/filelists/pango | 0
 .../{core => oldcore}/197/filelists/pciutils | 0
 .../{core => oldcore}/197/filelists/readline | 0
 .../{core => oldcore}/197/filelists/riscv64/linux | 0
 .../197/filelists/riscv64/lm_sensors | 0
 .../197/filelists/riscv64/util-linux | 0
 .../{core => oldcore}/197/filelists/shadow | 0
 .../{core => oldcore}/197/filelists/sqlite | 0
 .../{core => oldcore}/197/filelists/strongswan | 0
 .../{core => oldcore}/197/filelists/suricata | 0
 .../{core => oldcore}/197/filelists/unbound | 0
 .../{core => oldcore}/197/filelists/x86_64/linux | 0
 .../197/filelists/x86_64/lm_sensors | 0
 .../197/filelists/x86_64/util-linux | 0
 config/rootfiles/{core => oldcore}/197/update.sh | 0
 config/suricata/suricata.yaml | 698 ++++++++++++++++-----
 doc/language_issues.de | 1 +
 doc/language_issues.en | 2 +-
 doc/language_issues.es | 2 +
 doc/language_issues.fr | 2 +-
 doc/language_issues.it | 2 +-
 doc/language_issues.nl | 2 +-
 doc/language_issues.pl | 2 +-
 doc/language_issues.ru | 2 +-
 doc/language_issues.tr | 2 +-
 doc/language_issues.tw | 2 +
 doc/language_issues.zh | 2 +
 doc/language_missings | 9 +
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 lfs/binutils | 4 +-
 lfs/suricata | 10 +-
 lfs/vectorscan | 7 +-
 make.sh | 4 +-
 ...ch => suricata-8.0.0-disable-sid-2210059.patch} | 11 +-
 src/patches/vectorscan-5.4.11-sse4.2.patch | 16 -
 80 files changed, 642 insertions(+), 202 deletions(-)
 copy config/rootfiles/core/{197 => 198}/exclude (100%)
 copy config/rootfiles/{oldcore/133 => core/198}/filelists/aarch64/binutils (100%)
 copy config/rootfiles/{oldcore/187 => core/198}/filelists/aarch64/vectorscan (100%)
 copy config/rootfiles/core/{197 => 198}/filelists/core-files (100%)
 create mode 100644 config/rootfiles/core/198/filelists/files
 copy config/rootfiles/{oldcore/180 => core/198}/filelists/riscv64/binutils (100%)
 copy config/rootfiles/core/{197 => 198}/filelists/suricata (100%)
 copy config/rootfiles/{oldcore/100 => core/198}/filelists/x86_64/binutils (100%)
 copy config/rootfiles/{oldcore/187 => core/198}/filelists/x86_64/vectorscan (100%)
 copy config/rootfiles/{oldcore/152 => core/198}/update.sh (95%)
 rename config/rootfiles/{core => oldcore}/197/exclude (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/aarch64/linux (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/aarch64/lm_sensors (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/aarch64/util-linux (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/apache2 (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/automake (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/bash (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/bind (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/btrfs-progs (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/core-files (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/curl (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/e2fsprogs (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/files (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/fontconfig (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/gettext (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/gnutls (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/jq (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/json-glib (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/libhtp (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/libjpeg (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/libpng (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/libssh (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/libtasn1 (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/libunistring (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/lvm2 (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/nettle (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/openssl (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/openvpn (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/pango (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/pciutils (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/readline (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/riscv64/linux (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/riscv64/lm_sensors (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/riscv64/util-linux (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/shadow (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/sqlite (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/strongswan (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/suricata (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/unbound (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/x86_64/linux (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/x86_64/lm_sensors (100%)
 rename config/rootfiles/{core => oldcore}/197/filelists/x86_64/util-linux (100%)
 rename config/rootfiles/{core => oldcore}/197/update.sh (100%)
 rename src/patches/suricata/{suricata-disable-sid-2210059.patch => suricata-8.0.0-disable-sid-2210059.patch} (51%)
 delete mode 100644 src/patches/vectorscan-5.4.11-sse4.2.patch

Difference in files:
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index a64958c75a..2a4ccf8c40 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl
@@ -1251,7 +1251,7 @@ sub updateipsthroughputgraph { "GPRINT:whitelisted_bytes_max:%9.2lf %sbps\\j", # Bypassed Packets - "STACK:bypassed_bytes$color{'color11'}A0:" . sprintf("%-30s", $Lang::tr{'bypassed'}), + "STACK:bypassed_bytes$color{'color11'}A0:" . sprintf("%-30s", $Lang::tr{'offloaded'}), "GPRINT:bypassed_bytes_avg:%9.2lf %sbps", "GPRINT:bypassed_bytes_min:%9.2lf %sbps", "GPRINT:bypassed_bytes_max:%9.2lf %sbps\\j", diff --git a/config/rootfiles/common/aarch64/binutils b/config/rootfiles/common/aarch64/binutils index f4d8cb09cb..e961f8a887 100644 --- a/config/rootfiles/common/aarch64/binutils +++ b/config/rootfiles/common/aarch64/binutils @@ -426,7 +426,7 @@ usr/lib/bfd-plugins/libdep.so #usr/lib/ldscripts/armelfb_linux_eabi.xwe #usr/lib/ldscripts/armelfb_linux_eabi.xwer #usr/lib/ldscripts/stamp -usr/lib/libbfd-2.44.so +usr/lib/libbfd-2.45.so #usr/lib/libbfd.a #usr/lib/libbfd.la #usr/lib/libbfd.so @@ -445,15 +445,15 @@ usr/lib/libctf.so.0.0.0 #usr/lib/libgprofng.so usr/lib/libgprofng.so.0 usr/lib/libgprofng.so.0.0.0 -usr/lib/libopcodes-2.44.so +usr/lib/libopcodes-2.45.so #usr/lib/libopcodes.a #usr/lib/libopcodes.la #usr/lib/libopcodes.so #usr/lib/libsframe.a #usr/lib/libsframe.la #usr/lib/libsframe.so -usr/lib/libsframe.so.1 -usr/lib/libsframe.so.1.0.0 +usr/lib/libsframe.so.2 +usr/lib/libsframe.so.2.0.0 #usr/share/doc/gprofng #usr/share/doc/gprofng/examples.tar.gz #usr/share/info/as.info @@ -501,6 +501,9 @@ usr/lib/libsframe.so.1.0.0 #usr/share/locale/ga/LC_MESSAGES/gprof.mo #usr/share/locale/ga/LC_MESSAGES/ld.mo #usr/share/locale/ga/LC_MESSAGES/opcodes.mo +#usr/share/locale/gas.es +#usr/share/locale/gas.es/LC_MESSAGES +#usr/share/locale/gas.es/LC_MESSAGES/gas.mo #usr/share/locale/hr/LC_MESSAGES/bfd.mo #usr/share/locale/hr/LC_MESSAGES/binutils.mo #usr/share/locale/hu/LC_MESSAGES/gprof.mo diff --git a/config/rootfiles/common/aarch64/vectorscan b/config/rootfiles/common/aarch64/vectorscan index 160dc3ae7c..e0a4e67e01 100644 
--- a/config/rootfiles/common/aarch64/vectorscan +++ b/config/rootfiles/common/aarch64/vectorscan @@ -6,8 +6,8 @@ #usr/include/hs/hs_version.h #usr/lib/libhs.so usr/lib/libhs.so.5 -usr/lib/libhs.so.5.4.11 +usr/lib/libhs.so.5.4.12 #usr/lib/libhs_runtime.so usr/lib/libhs_runtime.so.5 -usr/lib/libhs_runtime.so.5.4.11 +usr/lib/libhs_runtime.so.5.4.12 #usr/lib/pkgconfig/libhs.pc diff --git a/config/rootfiles/common/riscv64/binutils b/config/rootfiles/common/riscv64/binutils index 5153af16fe..06025b088f 100644 --- a/config/rootfiles/common/riscv64/binutils +++ b/config/rootfiles/common/riscv64/binutils @@ -426,7 +426,7 @@ usr/bin/strings #usr/lib/ldscripts/elf64lriscv_lp64f.xwe #usr/lib/ldscripts/elf64lriscv_lp64f.xwer #usr/lib/ldscripts/stamp -usr/lib/libbfd-2.44.so +usr/lib/libbfd-2.45.so #usr/lib/libbfd.a #usr/lib/libbfd.la #usr/lib/libbfd.so @@ -445,15 +445,15 @@ usr/lib/libctf.so.0.0.0 #usr/lib/libgprofng.so #usr/lib/libgprofng.so.0 #usr/lib/libgprofng.so.0.0.0 -usr/lib/libopcodes-2.44.so +usr/lib/libopcodes-2.45.so #usr/lib/libopcodes.a #usr/lib/libopcodes.la #usr/lib/libopcodes.so #usr/lib/libsframe.a #usr/lib/libsframe.la #usr/lib/libsframe.so -usr/lib/libsframe.so.1 -usr/lib/libsframe.so.1.0.0 +usr/lib/libsframe.so.2 +usr/lib/libsframe.so.2.0.0 #usr/share/doc/gprofng #usr/share/doc/gprofng/examples.tar.gz #usr/share/info/as.info @@ -501,6 +501,9 @@ usr/lib/libsframe.so.1.0.0 #usr/share/locale/ga/LC_MESSAGES/gprof.mo #usr/share/locale/ga/LC_MESSAGES/ld.mo #usr/share/locale/ga/LC_MESSAGES/opcodes.mo +#usr/share/locale/gas.es +#usr/share/locale/gas.es/LC_MESSAGES +#usr/share/locale/gas.es/LC_MESSAGES/gas.mo #usr/share/locale/hr/LC_MESSAGES/bfd.mo #usr/share/locale/hr/LC_MESSAGES/binutils.mo #usr/share/locale/hu/LC_MESSAGES/gprof.mo diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 8fe53f7e66..2bfc3babda 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata 
@@ -2,6 +2,8 @@ etc/suricata etc/suricata/suricata.yaml usr/bin/suricata usr/bin/suricata-watcher +#usr/bin/suricatactl +#usr/bin/suricatasc usr/sbin/convert-ids-backend-files #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS @@ -26,16 +28,20 @@ usr/share/suricata #usr/share/suricata/rules/dhcp-events.rules #usr/share/suricata/rules/dnp3-events.rules #usr/share/suricata/rules/dns-events.rules +#usr/share/suricata/rules/enip-events.rules #usr/share/suricata/rules/files.rules #usr/share/suricata/rules/ftp-events.rules #usr/share/suricata/rules/http-events.rules #usr/share/suricata/rules/http2-events.rules #usr/share/suricata/rules/ipsec-events.rules #usr/share/suricata/rules/kerberos-events.rules +#usr/share/suricata/rules/mdns-events.rules #usr/share/suricata/rules/modbus-events.rules #usr/share/suricata/rules/mqtt-events.rules #usr/share/suricata/rules/nfs-events.rules #usr/share/suricata/rules/ntp-events.rules +#usr/share/suricata/rules/pgsql-events.rules +#usr/share/suricata/rules/pop3-events.rules #usr/share/suricata/rules/quic-events.rules #usr/share/suricata/rules/rfb-events.rules #usr/share/suricata/rules/smb-events.rules @@ -43,9 +49,13 @@ usr/share/suricata #usr/share/suricata/rules/ssh-events.rules #usr/share/suricata/rules/stream-events.rules #usr/share/suricata/rules/tls-events.rules +#usr/share/suricata/rules/websocket-events.rules #usr/share/suricata/threshold.config var/cache/suricata +var/cache/suricata/sgh var/lib/suricata +#var/lib/suricata/cache +#var/lib/suricata/cache/sgh #var/lib/suricata/data var/log/suricata #var/log/suricata/certs diff --git a/config/rootfiles/common/x86_64/binutils b/config/rootfiles/common/x86_64/binutils index d56ff28144..08f4bea04c 100644 --- a/config/rootfiles/common/x86_64/binutils +++ b/config/rootfiles/common/x86_64/binutils 
@@ -178,7 +178,7 @@ usr/bin/strings #usr/lib/ldscripts/elf_x86_64.xwe #usr/lib/ldscripts/elf_x86_64.xwer #usr/lib/ldscripts/stamp -usr/lib/libbfd-2.44.so +usr/lib/libbfd-2.45.so #usr/lib/libbfd.a #usr/lib/libbfd.la #usr/lib/libbfd.so @@ -197,15 +197,15 @@ usr/lib/libctf.so.0.0.0 #usr/lib/libgprofng.so usr/lib/libgprofng.so.0 usr/lib/libgprofng.so.0.0.0 -usr/lib/libopcodes-2.44.so +usr/lib/libopcodes-2.45.so #usr/lib/libopcodes.a #usr/lib/libopcodes.la #usr/lib/libopcodes.so #usr/lib/libsframe.a #usr/lib/libsframe.la #usr/lib/libsframe.so -usr/lib/libsframe.so.1 -usr/lib/libsframe.so.1.0.0 +usr/lib/libsframe.so.2 +usr/lib/libsframe.so.2.0.0 #usr/share/doc/gprofng #usr/share/doc/gprofng/examples.tar.gz #usr/share/info/as.info @@ -253,6 +253,9 @@ usr/lib/libsframe.so.1.0.0 #usr/share/locale/ga/LC_MESSAGES/gprof.mo #usr/share/locale/ga/LC_MESSAGES/ld.mo #usr/share/locale/ga/LC_MESSAGES/opcodes.mo +#usr/share/locale/gas.es +#usr/share/locale/gas.es/LC_MESSAGES +#usr/share/locale/gas.es/LC_MESSAGES/gas.mo #usr/share/locale/hr/LC_MESSAGES/bfd.mo #usr/share/locale/hr/LC_MESSAGES/binutils.mo #usr/share/locale/hu/LC_MESSAGES/gprof.mo diff --git a/config/rootfiles/core/197/exclude b/config/rootfiles/core/198/exclude similarity index 100% rename from config/rootfiles/core/197/exclude rename to config/rootfiles/core/198/exclude diff --git a/config/rootfiles/core/198/filelists/aarch64/binutils b/config/rootfiles/core/198/filelists/aarch64/binutils new file mode 120000 index 0000000000..6da9d39e5e --- /dev/null +++ b/config/rootfiles/core/198/filelists/aarch64/binutils @@ -0,0 +1 @@ +../../../../common/aarch64/binutils \ No newline at end of file diff --git a/config/rootfiles/core/198/filelists/aarch64/vectorscan b/config/rootfiles/core/198/filelists/aarch64/vectorscan new file mode 120000 index 0000000000..e2115fe7ce --- /dev/null +++ b/config/rootfiles/core/198/filelists/aarch64/vectorscan @@ -0,0 +1 @@ +../../../../common/aarch64/vectorscan \ No newline at end of file 
diff --git a/config/rootfiles/core/197/filelists/core-files b/config/rootfiles/core/198/filelists/core-files similarity index 100% rename from config/rootfiles/core/197/filelists/core-files rename to config/rootfiles/core/198/filelists/core-files diff --git a/config/rootfiles/core/198/filelists/files b/config/rootfiles/core/198/filelists/files new file mode 100644 index 0000000000..9a71c3df6d --- /dev/null +++ b/config/rootfiles/core/198/filelists/files @@ -0,0 +1 @@ +var/ipfire/graphs.pl diff --git a/config/rootfiles/core/198/filelists/riscv64/binutils b/config/rootfiles/core/198/filelists/riscv64/binutils new file mode 120000 index 0000000000..c5f3990b61 --- /dev/null +++ b/config/rootfiles/core/198/filelists/riscv64/binutils @@ -0,0 +1 @@ +../../../../common/riscv64/binutils \ No newline at end of file diff --git a/config/rootfiles/core/197/filelists/suricata b/config/rootfiles/core/198/filelists/suricata similarity index 100% rename from config/rootfiles/core/197/filelists/suricata rename to config/rootfiles/core/198/filelists/suricata diff --git a/config/rootfiles/core/198/filelists/x86_64/binutils b/config/rootfiles/core/198/filelists/x86_64/binutils new file mode 120000 index 0000000000..7d0fda554d --- /dev/null +++ b/config/rootfiles/core/198/filelists/x86_64/binutils @@ -0,0 +1 @@ +../../../../common/x86_64/binutils \ No newline at end of file diff --git a/config/rootfiles/core/198/filelists/x86_64/vectorscan b/config/rootfiles/core/198/filelists/x86_64/vectorscan new file mode 120000 index 0000000000..f5bdb47f97 --- /dev/null +++ b/config/rootfiles/core/198/filelists/x86_64/vectorscan @@ -0,0 +1 @@ +../../../../common/x86_64/vectorscan \ No newline at end of file diff --git a/config/rootfiles/core/198/update.sh b/config/rootfiles/core/198/update.sh new file mode 100644 index 0000000000..ba5f239759 --- /dev/null +++ b/config/rootfiles/core/198/update.sh 
@@ -0,0 +1,71 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2025 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +core=198 + +# Remove old core updates from pakfire cache to save space... +for (( i=1; i<=$core; i++ )); do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services + +# Remove files + +# Extract files +extract_files + +# update linker config +ldconfig + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Filesytem cleanup +/usr/local/bin/filesystem-cleanup + +# Apply SSH configuration +/usr/local/bin/sshctrl + +# Start services +/etc/init.d/suricata restart + +# This update needs a reboot... +#touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi + +sync + +# Don't report the exitcode last command +exit 0 
diff --git a/config/rootfiles/oldcore/197/exclude b/config/rootfiles/oldcore/197/exclude new file mode 100644 index 0000000000..8ee1c3c2f5 --- /dev/null +++ b/config/rootfiles/oldcore/197/exclude @@ -0,0 +1,35 @@ +boot/config.txt +boot/grub/grub.cfg +boot/grub/grubenv +boot/uEnv.txt +etc/alternatives +etc/collectd.custom +etc/default/grub +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/firewall/locationblock +var/ipfire/fwhosts/customlocationgrp +var/ipfire/ovpn +var/ipfire/urlfilter/blacklist +var/ipfire/urlfilter/settings +var/lib/alternatives +var/lib/location/database.db +var/lib/location/ipset +var/log/cache +var/log/dhcpcd.log +var/log/messages +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/197/filelists/aarch64/linux b/config/rootfiles/oldcore/197/filelists/aarch64/linux similarity index 100% rename from config/rootfiles/core/197/filelists/aarch64/linux rename to config/rootfiles/oldcore/197/filelists/aarch64/linux diff --git a/config/rootfiles/core/197/filelists/aarch64/lm_sensors b/config/rootfiles/oldcore/197/filelists/aarch64/lm_sensors similarity index 100% rename from config/rootfiles/core/197/filelists/aarch64/lm_sensors rename to config/rootfiles/oldcore/197/filelists/aarch64/lm_sensors diff --git a/config/rootfiles/core/197/filelists/aarch64/util-linux b/config/rootfiles/oldcore/197/filelists/aarch64/util-linux similarity index 100% rename from config/rootfiles/core/197/filelists/aarch64/util-linux rename to config/rootfiles/oldcore/197/filelists/aarch64/util-linux 
diff --git a/config/rootfiles/core/197/filelists/apache2 b/config/rootfiles/oldcore/197/filelists/apache2 similarity index 100% rename from config/rootfiles/core/197/filelists/apache2 rename to config/rootfiles/oldcore/197/filelists/apache2 diff --git a/config/rootfiles/core/197/filelists/automake b/config/rootfiles/oldcore/197/filelists/automake similarity index 100% rename from config/rootfiles/core/197/filelists/automake rename to config/rootfiles/oldcore/197/filelists/automake diff --git a/config/rootfiles/core/197/filelists/bash b/config/rootfiles/oldcore/197/filelists/bash similarity index 100% rename from config/rootfiles/core/197/filelists/bash rename to config/rootfiles/oldcore/197/filelists/bash diff --git a/config/rootfiles/core/197/filelists/bind b/config/rootfiles/oldcore/197/filelists/bind similarity index 100% rename from config/rootfiles/core/197/filelists/bind rename to config/rootfiles/oldcore/197/filelists/bind diff --git a/config/rootfiles/core/197/filelists/btrfs-progs b/config/rootfiles/oldcore/197/filelists/btrfs-progs similarity index 100% rename from config/rootfiles/core/197/filelists/btrfs-progs rename to config/rootfiles/oldcore/197/filelists/btrfs-progs diff --git a/config/rootfiles/oldcore/197/filelists/core-files b/config/rootfiles/oldcore/197/filelists/core-files new file mode 100644 index 0000000000..0dec37e538 --- /dev/null +++ b/config/rootfiles/oldcore/197/filelists/core-files @@ -0,0 +1,5 @@ +etc/system-release +etc/issue +etc/os-release +srv/web/ipfire/cgi-bin/credits.cgi +var/ipfire/langs diff --git a/config/rootfiles/core/197/filelists/curl b/config/rootfiles/oldcore/197/filelists/curl similarity index 100% rename from config/rootfiles/core/197/filelists/curl rename to config/rootfiles/oldcore/197/filelists/curl 
diff --git a/config/rootfiles/core/197/filelists/e2fsprogs b/config/rootfiles/oldcore/197/filelists/e2fsprogs similarity index 100% rename from config/rootfiles/core/197/filelists/e2fsprogs rename to config/rootfiles/oldcore/197/filelists/e2fsprogs diff --git a/config/rootfiles/core/197/filelists/files b/config/rootfiles/oldcore/197/filelists/files similarity index 100% rename from config/rootfiles/core/197/filelists/files rename to config/rootfiles/oldcore/197/filelists/files diff --git a/config/rootfiles/core/197/filelists/fontconfig b/config/rootfiles/oldcore/197/filelists/fontconfig similarity index 100% rename from config/rootfiles/core/197/filelists/fontconfig rename to config/rootfiles/oldcore/197/filelists/fontconfig diff --git a/config/rootfiles/core/197/filelists/gettext b/config/rootfiles/oldcore/197/filelists/gettext similarity index 100% rename from config/rootfiles/core/197/filelists/gettext rename to config/rootfiles/oldcore/197/filelists/gettext diff --git a/config/rootfiles/core/197/filelists/gnutls b/config/rootfiles/oldcore/197/filelists/gnutls similarity index 100% rename from config/rootfiles/core/197/filelists/gnutls rename to config/rootfiles/oldcore/197/filelists/gnutls diff --git a/config/rootfiles/core/197/filelists/jq b/config/rootfiles/oldcore/197/filelists/jq similarity index 100% rename from config/rootfiles/core/197/filelists/jq rename to config/rootfiles/oldcore/197/filelists/jq diff --git a/config/rootfiles/core/197/filelists/json-glib b/config/rootfiles/oldcore/197/filelists/json-glib similarity index 100% rename from config/rootfiles/core/197/filelists/json-glib rename to config/rootfiles/oldcore/197/filelists/json-glib diff --git a/config/rootfiles/core/197/filelists/libhtp b/config/rootfiles/oldcore/197/filelists/libhtp similarity index 100% rename from config/rootfiles/core/197/filelists/libhtp rename to config/rootfiles/oldcore/197/filelists/libhtp 
diff --git a/config/rootfiles/core/197/filelists/libjpeg b/config/rootfiles/oldcore/197/filelists/libjpeg similarity index 100% rename from config/rootfiles/core/197/filelists/libjpeg rename to config/rootfiles/oldcore/197/filelists/libjpeg diff --git a/config/rootfiles/core/197/filelists/libpng b/config/rootfiles/oldcore/197/filelists/libpng similarity index 100% rename from config/rootfiles/core/197/filelists/libpng rename to config/rootfiles/oldcore/197/filelists/libpng diff --git a/config/rootfiles/core/197/filelists/libssh b/config/rootfiles/oldcore/197/filelists/libssh similarity index 100% rename from config/rootfiles/core/197/filelists/libssh rename to config/rootfiles/oldcore/197/filelists/libssh diff --git a/config/rootfiles/core/197/filelists/libtasn1 b/config/rootfiles/oldcore/197/filelists/libtasn1 similarity index 100% rename from config/rootfiles/core/197/filelists/libtasn1 rename to config/rootfiles/oldcore/197/filelists/libtasn1 diff --git a/config/rootfiles/core/197/filelists/libunistring b/config/rootfiles/oldcore/197/filelists/libunistring similarity index 100% rename from config/rootfiles/core/197/filelists/libunistring rename to config/rootfiles/oldcore/197/filelists/libunistring diff --git a/config/rootfiles/core/197/filelists/lvm2 b/config/rootfiles/oldcore/197/filelists/lvm2 similarity index 100% rename from config/rootfiles/core/197/filelists/lvm2 rename to config/rootfiles/oldcore/197/filelists/lvm2 diff --git a/config/rootfiles/core/197/filelists/nettle b/config/rootfiles/oldcore/197/filelists/nettle similarity index 100% rename from config/rootfiles/core/197/filelists/nettle rename to config/rootfiles/oldcore/197/filelists/nettle diff --git a/config/rootfiles/core/197/filelists/openssl b/config/rootfiles/oldcore/197/filelists/openssl similarity index 100% rename from config/rootfiles/core/197/filelists/openssl rename to config/rootfiles/oldcore/197/filelists/openssl 
diff --git a/config/rootfiles/core/197/filelists/openvpn b/config/rootfiles/oldcore/197/filelists/openvpn similarity index 100% rename from config/rootfiles/core/197/filelists/openvpn rename to config/rootfiles/oldcore/197/filelists/openvpn diff --git a/config/rootfiles/core/197/filelists/pango b/config/rootfiles/oldcore/197/filelists/pango similarity index 100% rename from config/rootfiles/core/197/filelists/pango rename to config/rootfiles/oldcore/197/filelists/pango diff --git a/config/rootfiles/core/197/filelists/pciutils b/config/rootfiles/oldcore/197/filelists/pciutils similarity index 100% rename from config/rootfiles/core/197/filelists/pciutils rename to config/rootfiles/oldcore/197/filelists/pciutils diff --git a/config/rootfiles/core/197/filelists/readline b/config/rootfiles/oldcore/197/filelists/readline similarity index 100% rename from config/rootfiles/core/197/filelists/readline rename to config/rootfiles/oldcore/197/filelists/readline diff --git a/config/rootfiles/core/197/filelists/riscv64/linux b/config/rootfiles/oldcore/197/filelists/riscv64/linux similarity index 100% rename from config/rootfiles/core/197/filelists/riscv64/linux rename to config/rootfiles/oldcore/197/filelists/riscv64/linux diff --git a/config/rootfiles/core/197/filelists/riscv64/lm_sensors b/config/rootfiles/oldcore/197/filelists/riscv64/lm_sensors similarity index 100% rename from config/rootfiles/core/197/filelists/riscv64/lm_sensors rename to config/rootfiles/oldcore/197/filelists/riscv64/lm_sensors diff --git a/config/rootfiles/core/197/filelists/riscv64/util-linux b/config/rootfiles/oldcore/197/filelists/riscv64/util-linux similarity index 100% rename from config/rootfiles/core/197/filelists/riscv64/util-linux rename to config/rootfiles/oldcore/197/filelists/riscv64/util-linux 
diff --git a/config/rootfiles/core/197/filelists/shadow b/config/rootfiles/oldcore/197/filelists/shadow similarity index 100% rename from config/rootfiles/core/197/filelists/shadow rename to config/rootfiles/oldcore/197/filelists/shadow diff --git a/config/rootfiles/core/197/filelists/sqlite b/config/rootfiles/oldcore/197/filelists/sqlite similarity index 100% rename from config/rootfiles/core/197/filelists/sqlite rename to config/rootfiles/oldcore/197/filelists/sqlite diff --git a/config/rootfiles/core/197/filelists/strongswan b/config/rootfiles/oldcore/197/filelists/strongswan similarity index 100% rename from config/rootfiles/core/197/filelists/strongswan rename to config/rootfiles/oldcore/197/filelists/strongswan diff --git a/config/rootfiles/oldcore/197/filelists/suricata b/config/rootfiles/oldcore/197/filelists/suricata new file mode 120000 index 0000000000..f671f69933 --- /dev/null +++ b/config/rootfiles/oldcore/197/filelists/suricata @@ -0,0 +1 @@ +../../../common/suricata \ No newline at end of file diff --git a/config/rootfiles/core/197/filelists/unbound b/config/rootfiles/oldcore/197/filelists/unbound similarity index 100% rename from config/rootfiles/core/197/filelists/unbound rename to config/rootfiles/oldcore/197/filelists/unbound diff --git a/config/rootfiles/core/197/filelists/x86_64/linux b/config/rootfiles/oldcore/197/filelists/x86_64/linux similarity index 100% rename from config/rootfiles/core/197/filelists/x86_64/linux rename to config/rootfiles/oldcore/197/filelists/x86_64/linux diff --git a/config/rootfiles/core/197/filelists/x86_64/lm_sensors b/config/rootfiles/oldcore/197/filelists/x86_64/lm_sensors similarity index 100% rename from config/rootfiles/core/197/filelists/x86_64/lm_sensors rename to config/rootfiles/oldcore/197/filelists/x86_64/lm_sensors 
diff --git a/config/rootfiles/core/197/filelists/x86_64/util-linux b/config/rootfiles/oldcore/197/filelists/x86_64/util-linux similarity index 100% rename from config/rootfiles/core/197/filelists/x86_64/util-linux rename to config/rootfiles/oldcore/197/filelists/x86_64/util-linux diff --git a/config/rootfiles/core/197/update.sh b/config/rootfiles/oldcore/197/update.sh similarity index 100% rename from config/rootfiles/core/197/update.sh rename to config/rootfiles/oldcore/197/update.sh diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 443b8e19e5..6a4f31eac8 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -43,6 +43,7 @@ vars: GENEVE_PORTS: 6081 VXLAN_PORTS: 4789 TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" ## ## Ruleset specific options. @@ -63,7 +64,7 @@ default-log-dir: /var/log/suricata/ # Global stats configuration stats: - enabled: no + enabled: yes # The interval field (in seconds) controls the interval at # which stats are updated in the log. interval: 8 @@ -74,6 +75,9 @@ stats: #decoder-events-prefix: "decoder.event" # Add stream events as stats. #stream-events: false + exception-policy: + #per-app-proto-errors: false # default: false. True will log errors for + # each app-proto. Warning: VERY verbose # Plugins -- Experimental -- specify the filename for each plugin shared object plugins: @@ -88,15 +92,6 @@ outputs: append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # Stats.log contains data from various counters of the suricata engine. - - stats: - enabled: no - filename: stats.log - append: no # append to file (yes) or overwrite it (no) - totals: yes # stats for all threads merged together - threads: no # per thread stats - #null-values: yes # print counters that have value 0 - # Extensible Event Format (nicknamed EVE) event log in JSON format - eve-log: enabled: no 
@@ -105,6 +100,10 @@ outputs: # Enable for multi-threaded eve.json output; output files are amended with # an identifier, e.g., eve.9.json #threaded: false + # Specify the amount of buffering, in bytes, for + # this output type. The default value 0 means "no + # buffering". + #buffer-size: 0 #prefix: "@cee: " # prefix to prepend to each log entry # the following are valid when type: syslog above #identity: "suricata" @@ -116,10 +115,18 @@ outputs: # server: 127.0.0.1 # port: 6379 # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # mode: list ## possible values: list|lpush (default), rpush, channel|publish, xadd|stream # ## lpush and rpush are using a Redis list. "list" is an alias for lpush # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) + # ## xadd is using a Redis stream. "stream" is an alias for xadd + # key: suricata ## string denoting the key/channel/stream to use (default to suricata) + # stream-maxlen: 100000 ## Automatically trims the stream length to at most + ## this number of events. Set to 0 to disable trimming. + ## Only used when mode is set to xadd/stream. + # stream-trim-exact: false ## Trim exactly to the maximum stream length above. + ## Default: use inexact trimming (inexact by a few + ## tens of items) + ## Only used when mode is set to xadd/stream. # Redis pipelining set up. This will enable to only do a query every # 'batch-size' events. This should lower the latency induced by network # connection at the cost of some memory. There is no flushing implemented @@ -130,6 +137,8 @@ outputs: # Include top level metadata. Default yes. #metadata: no + # Include suricata version. Default no. + #suricata-version: yes # include the name of the input pcap file in pcap file processing mode pcap-file: false 
@@ -168,12 +177,28 @@ outputs: types: - alert: # payload: yes # enable dumping payload in Base64 - # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-buffer-size: 4 KiB # max size of payload buffer to output in eve-log # payload-printable: yes # enable dumping payload in printable (lossy) format + # payload-length: yes # enable dumping payload length, including the gaps # packet: yes # enable dumping of packet (without stream segments) # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # If you want metadata, use: + # metadata: + # Include the decoded application layer (ie. http, dns) + #app-layer: true + # Log the current state of the flow record. + #flow: true + #rule: + # Log the metadata field from the rule in a structured + # format. + #metadata: true + # Log the raw rule text. + #raw: false + #reference: false # include reference information from the rule # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + # websocket-payload: yes # Requires metadata; enable dumping of WebSocket Payload in Base64 + # websocket-payload-printable: yes # Requires metadata; enable dumping of WebSocket Payload in printable format # Enable the logging of tagged packets for rules using the # "tag" keyword. @@ -186,6 +211,7 @@ outputs: - frame: # disabled by default as this is very verbose. enabled: no + # payload-buffer-size: 4 KiB # max size of frame payload buffer to output in eve-log - anomaly: # Anomaly log records describe unexpected conditions such # as truncated packets, packets with invalid IP/UDP/TCP 
@@ -229,13 +255,10 @@ outputs: # to dump all HTTP headers for every HTTP request and/or response # dump-all-headers: none - dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - #version: 2 + # Suricata 8.0 uses a new DNS logging format, to keep with + # the old format while you upgrade the version can be set + # to 2. See https://docs.suricata.io/en/latest/upgrade/8.0-dns-logging-changes.html + #version: 3 # Enable/disable this logger. Default: enabled. #enabled: yes @@ -256,13 +279,15 @@ outputs: # DNS record types to log, based on the query type. # Default: all. #types: [a, aaaa, cname, mx, ns, ptr, txt] + - mdns: - tls: extended: yes # enable this for extended logging information # output TLS transaction where the session is resumed using a # session id #session-resumption: no # custom controls which TLS fields that are included in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] + # WARNING: enabling custom disables extended logging. + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname, client, client_certificate, client_chain, client_alpns, server_alpns, client_handshake, server_handshake] - files: force-magic: no # force logging magic on all logged files # force logging of checksums, available hash functions are md5, @@ -289,10 +314,15 @@ outputs: #md5: [body, subject] #- dnp3 + - websocket + #- enip - ftp - rdp - nfs - - smb + - smb: + # restrict to only certain types in the following list + #types: [file, tree_connect, negotiate, dcerpc, create, + # session_setup, ioctl, rename, set_file_path_info, generic] - tftp - ike - dcerpc 
@@ -302,6 +332,10 @@ outputs: - rfb - sip - quic + - ldap + - pop3 + - arp: + enabled: no # Many events can be logged. Disabled by default - dhcp: enabled: yes # When extended mode is on, all DHCP messages are logged @@ -312,14 +346,27 @@ outputs: - ssh - mqtt: # passwords: yes # enable output of passwords + # string-log-limit: 1KiB # limit size of logged strings in bytes. + # Can be specified in KiB, MiB, GiB. Just a number + # is parsed as bytes. Default is 1 KiB. + # Use a value of 0 to disable limiting. + # Note that the size is also bounded by + # the maximum parsed message size (see + # app-layer configuration) - http2 + # dns over http2 + - doh2 - pgsql: enabled: no # passwords: yes # enable output of passwords. Disabled by default + # If a password message is seen but this setting + # is disabled, "password_redacted": true is logged - stats: totals: yes # stats for all threads merged together threads: no # per thread stats deltas: no # include delta values + # Don't log stats counters that are zero. Default: true + #null-values: false # False will NOT log stats counters: 0 # bi-directional flows - flow # uni-directional flows 
@@ -340,13 +387,224 @@ outputs: # state-update: false # log packets triggering a TCP state update # spurious-retransmission: false # log spurious retransmission packets + # output module to store certificates chain to disk + - tls-store: + enabled: no + #certs-log-dir: certs # directory to store the certificates files + + # Packet log... log packets in pcap format. 2 modes of operation: "normal" + # and "multi". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or as specified by "dir". + # In multi mode, a file is created per thread. This will perform much + # better, but will create multiple files where 'normal' would create one. + # In multi mode the filename takes a few special variables: + # - %n -- thread number + # - %i -- thread id + # - %t -- timestamp (secs or secs.usecs based on 'ts-format' + # E.g. filename: pcap.%n.%t + # + # Note that it's possible to use directories, but the directories are not + # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the + # per thread directory. + # + # Also note that the limit and max-files settings are enforced per thread. + # So the size limit when using 8 threads with 1000 MiB files and 2000 files + # is: 8*1000*2000 ~ 16TiB. + # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: no + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000 MiB + + # If set to a value, ring buffer mode is enabled. Will keep maximum of + # "max-files" of size "limit" + max-files: 2000 + + # Compression algorithm for pcap files. Possible values: none, lz4. + # Note also that on Windows, enabling compression will *increase* disk I/O. + compression: none + + # Further options for lz4 compression. 
The compression level can be set + # to a value between 0 and 16, where higher values result in higher + # compression. + #lz4-checksum: no + #lz4-level: 0 + + mode: normal # normal or multi + + # Directory to place pcap files. If not provided the default log + # directory will be used. + #dir: /nsm_data/ + + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets + honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged. + # Use "all" to log all packets or use "alerts" to log only alerted packets and flows or "tag" + # to log only flow tagged via the "tag" keyword + #conditional: all + + # A BPF filter that will be applied to all packets being + # logged. If set, packets must match this filter otherwise they + # will not be logged. + #bpf-filter: + + # a full alert log containing much information for signature writers + # or for investigating suspected false positives. + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Stats.log contains data from various counters of the Suricata engine. + - stats: + enabled: yes + filename: stats.log + append: yes # append to file (yes) or overwrite it (no) + totals: yes # stats for all threads merged together + threads: no # per thread stats + #null-values: yes # print counters that have value 0. Default: no + + # Output module for storing files on disk. Files are stored in + # directory names consisting of the first 2 characters of the + # SHA256 of the file. Each file is given its SHA256 as a filename. + # + # When a duplicate file is found, the timestamps on the existing file + # are updated. 
+ # + # Unlike the older filestore, metadata is not written by default + # as each file should already have a "fileinfo" record in the + # eve-log. If write-fileinfo is set to yes, then each file will have + # one more associated .json files that consist of the fileinfo + # record. A fileinfo file will be written for each occurrence of the + # file seen using a filename suffix to ensure uniqueness. + # + # To prune the filestore directory see the "suricatactl filestore + # prune" command which can delete files over a certain age. + - file-store: + version: 2 + enabled: no + + # Set the directory for the filestore. Relative pathnames + # are contained within the "default-log-dir". + #dir: filestore + + # Write out a fileinfo record for each occurrence of a file. + # Disabled by default as each occurrence is already logged + # as a fileinfo record to the main eve-log. + #write-fileinfo: yes + + # Force storing of all files. Default: no. + #force-filestore: yes + + # Override the global stream-depth for sessions in which we want + # to perform file extraction. Set to 0 for unlimited; otherwise, + # must be greater than the global stream-depth value to be used. + #stream-depth: 0 + + # Uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write to the file. + #max-open-files: 1000 + + # Force logging of checksums: available hash functions are md5, + # sha1 and sha256. Note that SHA256 is automatically forced by + # the use of this output module as it uses the SHA256 as the + # file naming scheme. + #force-hash: [sha1, md5] + # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. 
This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported. If more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # Log TCP data after stream normalization + # Two types: file or dir: + # - file logs into a single logfile. + # - dir creates 2 files per TCP session and stores the raw TCP + # data into them. + # Use 'both' to enable both file and dir modes. + # + # Note: limited by "stream.reassembly.depth" + - tcp-data: + enabled: no + type: file + filename: tcp-data.log + + # Log HTTP body data after normalization, de-chunking and unzipping. + # Two types: file or dir. + # - file logs into a single logfile. + # - dir creates 2 files per HTTP session and stores the + # normalized data into them. + # Use 'both' to enable both file and dir modes. + # + # Note: limited by the body limit settings + - http-body-data: + enabled: no + type: file + filename: http-data.log + + # Lua Output Support - execute lua script to generate alert and event + # output. + # Documented at: + # https://docs.suricata.io/en/latest/output/lua-output.html + - lua: + enabled: no + + # By default the Lua module search paths are empty. If you plan + # to use external modules these paths will need to be set. The + # examples below are likely suitable for finding modules + # installed with a package manager on a 64 bit Linux system, but + # may need tweaking. 
+ #path: "/usr/share/lua/5.4/?.lua;/usr/share/lua/5.4/?/init.lua;/usr/lib64/lua/5.4/?.lua;/usr/lib64/lua/5.4/?/init.lua;./?.lua;./?/init.lua" + #cpath: "/usr/lib64/lua/5.4/?.so;/usr/lib64/lua/5.4/loadall.so;./?.so" + + #scripts-dir: /etc/suricata/lua-output/ + scripts: + # - script1.lua + +heartbeat: + # The output-flush-interval value governs how often Suricata will instruct the + # detection threads to flush their EVE output. Specify the value in seconds [1-60] + # and Suricata will initiate EVE log output flushes at that interval. A value + # of 0 means no EVE log output flushes are initiated. When the EVE output + # buffer-size value is non-zero, some EVE output that was written may remain + # buffered. The output-flush-interval governs how much buffered data exists. + # + # The default value is: 0 (never instruct detection threads to flush output) + #output-flush-interval: 0 + +# Logging configuration. This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. logging: # The default log level: can be overridden in an output section. # Note that debug level logging will only be emitted if Suricata was # compiled with the --enable-debug configure option. # # This value is overridden by the SC_LOG_LEVEL env var. - default-log-level: Info + default-log-level: info # The default output format. Optional parameter, should default to # something reasonable if not provided. Can be overridden in an 
@@ -378,39 +636,24 @@ logging: - file: enabled: no level: info - filename: /var/log/suricata/suricata.log + filename: suricata.log # format: "[%i - %m] %z %d: %S: %M" # type: json - syslog: enabled: yes facility: local5 - format: "" - #format: "[%i] <%d> -- " + format: "[%i] <%d> -- " # type: json -## -## Netfilter configuration -## - -nfq: - mode: repeat - repeat-mark: 2147483648 - repeat-mask: 2147483648 - bypass-mark: 1073741824 - bypass-mask: 1073741824 -# route-queue: 2 -# batchcount: 20 - fail-open: no - ## ## Step 5: App Layer Protocol Configuration ## # Configure the app-layer parsers. # -# The error-policy setting applies to all app-layer parsers. Values can be -# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or -# "ignore" (the default). +# The exception policy error-policy setting applies to all app-layer parsers. +# Values can be "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", +# "reject" or "ignore" (the default). # # The protocol's section details each protocol. # @@ -428,7 +671,7 @@ app-layer: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 mqtt: enabled: yes - # max-msg-length: 1mb + # max-msg-length: 1 MiB # subscribe-topic-match-limit: 100 # unsubscribe-topic-match-limit: 100 # Maximum number of live MQTT transactions per flow 
@@ -444,16 +687,17 @@ app-layer: tls: enabled: yes detection-ports: - dp: "[443,444,465,853,993,995]" + dp: 443 - # Generate JA3 fingerprint from client hello. If not specified it + # Generate JA3/JA4 fingerprints from client hello. If not specified it # will be disabled by default, but enabled if rules require it. - ja3-fingerprints: auto + #ja3-fingerprints: auto + #ja4-fingerprints: auto # What to do when the encrypted communications start: - # - default: keep tracking TLS session, check for protocol anomalies, + # - track-only: keep tracking TLS session, check for protocol anomalies, # inspect tls_* keywords. Disables inspection of unmodified - # 'content' signatures. + # 'content' signatures. (default) # - bypass: stop processing this flow as much as possible. No further # TLS parsing and inspection. Offload flow bypass to kernel # or hardware if possible. @@ -476,12 +720,28 @@ app-layer: # max-tx: 1024 ftp: enabled: yes - # memcap: 64mb + # memcap: 64 MiB + websocket: + #enabled: yes + # Maximum used payload size, the rest is skipped + # Also applies as a maximum for uncompressed data + # max-payload-size: 64 KiB rdp: - enabled: yes + #enabled: yes ssh: enabled: yes - #hassh: yes + # hassh: no + + # What to do when the encrypted communications start: + # - track-only: keep tracking but stop inspection (default) + # - full: keep tracking and inspect as normal + # - bypass: stop processing this flow as much as possible. + # Offload flow bypass to kernel or hardware if possible. + # For the best performance, select 'bypass'. + # + # encryption-handling: track-only + doh2: + enabled: yes http2: enabled: yes # Maximum number of live HTTP2 streams in a flow 
@@ -528,7 +788,15 @@ app-layer: content-inspect-min-size: 32768 content-inspect-window: 4096 imap: + enabled: detection-only + pop3: enabled: yes + detection-ports: + dp: 110 + # Stream reassembly size for POP3. By default, track it completely. + stream-depth: 0 + # Maximum number of live POP3 transactions per flow + # max-tx: 256 smb: enabled: yes detection-ports: @@ -545,14 +813,6 @@ app-layer: tftp: enabled: yes dns: - # memcaps. Globally and per flow/state. - global-memcap: 32mb - state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. - # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 512 - tcp: enabled: yes detection-ports: @@ -563,15 +823,14 @@ app-layer: dp: 53 http: enabled: yes - memcap: 256mb # Byte Range Containers default settings # byterange: - # memcap: 100mb + # memcap: 100 MiB # timeout: 60 # memcap: Maximum memory capacity for HTTP - # Default is unlimited, values can be 64mb, e.g. + # Default is unlimited, values can be 64 MiB, e.g. # default-config: Used when no server-config matches # personality: List of personalities used by default @@ -596,16 +855,16 @@ app-layer: default-config: personality: IDS - # Can be specified in kb, mb, gb. Just a number indicates + # Can be specified in KiB, MiB, GiB. Just a number indicates # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb + request-body-limit: 100 KiB + response-body-limit: 100 KiB # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb + request-body-minimal-inspect-size: 32 KiB + request-body-inspect-window: 4 KiB + response-body-minimal-inspect-size: 40 KiB + response-body-inspect-window: 16 KiB # response body decompression (0 disables) response-body-decompress-layer-limit: 2 
@@ -624,8 +883,8 @@ app-layer: swf-decompression: enabled: no type: both - compress-depth: 100kb - decompress-depth: 100kb + compress-depth: 100 KiB + decompress-depth: 100 KiB # Use a random value for inspection sizes around the specified value. # This lowers the risk of some evasion techniques but could lead @@ -645,21 +904,23 @@ app-layer: #lzma-enabled: false # Memory limit usage for LZMA decompression dictionary # Data is decompressed until dictionary reaches this size - #lzma-memlimit: 1mb + #lzma-memlimit: 1 MiB # Maximum decompressed size with a compression ratio # above 2048 (only LZMA can reach this ratio, deflate cannot) - #compression-bomb-limit: 1mb + #compression-bomb-limit: 1 MiB # Maximum time spent decompressing a single transaction in usec #decompression-time-limit: 100000 # Maximum number of live transactions per flow #max-tx: 512 + # Maximum used number of HTTP1 headers in one request or response + #headers-limit: 1024 server-config: #- apache: # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates + # # Can be specified in KiB, MiB, GiB. Just a number indicates # # it's in bytes. # request-body-limit: 4096 # response-body-limit: 4096 @@ -671,7 +932,7 @@ app-layer: # - 192.168.0.0/24 # - 192.168.10.0/24 # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates + # # Can be specified in KiB, MiB, GiB. Just a number indicates # # it's in bytes. # request-body-limit: 4096 # response-body-limit: 4096 @@ -725,6 +986,21 @@ app-layer: sip: #enabled: yes + ldap: + tcp: + enabled: yes + detection-ports: + dp: 389, 3268 + udp: + enabled: yes + detection-ports: + dp: 389, 3268 + # Maximum number of live LDAP transactions per flow + # max-tx: 1024 + + mdns: + enabled: yes + # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 
@@ -733,9 +1009,17 @@ datasets: # Default fallback memcap and hashsize values for datasets in case these # were not explicitly defined. defaults: - #memcap: 100mb + #memcap: 100 MiB #hashsize: 2048 + # Limits for per rule dataset instances to avoid rules using too many + # resources. + limits: + # Max value for per dataset `hashsize` setting + #single-hashsize: 65536 + # Max combined hashsize values for all datasets. + #total-hashsizes: 16777216 + rules: # Set to true to allow absolute filenames and filenames that use # ".." components to reference parent directories in rules that specify @@ -782,8 +1066,8 @@ security: - /var/lib/suricata lua: - # Allow Lua rules. Disabled by default. - #allow-rules: false + # Allow Lua rules. Enabled by default. + #allow-rules: true # Some logging modules will use that name in event as identifier. The default # value is the hostname @@ -856,11 +1140,15 @@ runmode: workers # activated in live capture mode. You can use the filename variable to set # the file name of the socket. unix-command: - enabled: no + enabled: auto #filename: custom.socket -# Magic file -magic-file: /usr/share/misc/magic.mgc +# Magic file. The extension .mgc is added to the value here. +magic-file: /usr/share/misc/magic + +# GeoIP2 database file. Specify path and filename of GeoIP2 database +# if using rules with "geoip" rule option. +#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb legacy: uricontent: enabled @@ -893,6 +1181,12 @@ legacy: # drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable). exception-policy: pass-packet +# IP Reputation +#reputation-categories-file: /etc/suricata/iprep/categories.txt +#default-reputation-path: /etc/suricata/iprep +#reputation-files: +# - reputation.list + # When run with the option --engine-analysis, the engine will read each of # the parameters below, and print reports for each of the enabled sections # and exit. The reports are printed to a file in the default log dir 
@@ -934,10 +1228,10 @@ host-os-policy: # Defrag settings: -# The memcap-policy value can be "drop-packet", "pass-packet", "reject" or -# "ignore" (which is the default). +# The exception policy memcap-policy value can be "drop-packet", "pass-packet", +# "reject" or "ignore" (which is the default). defrag: - memcap: 64mb + memcap: 64 MiB # memcap-policy: ignore hash-size: 65536 trackers: 65535 # number of defragmented flows to follow @@ -945,8 +1239,22 @@ defrag: prealloc: yes timeout: 60 +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + # Flow settings: -# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# By default, the reserved memory (memcap) for flows is 32 MiB. This is the limit # for flow allocation inside the engine. You can change this value to allow # more memory usage for flows. # The hash-size determines the size of the hash used to identify flows inside 
@@ -962,19 +1270,24 @@ defrag: # the emergency bit and it will try again with more aggressive timeouts. # If that doesn't work, then it will try to kill the oldest flows using # last time seen flows. -# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# The memcap can be specified in KiB, MiB, GiB. Just a number indicates it's # in bytes. -# The memcap-policy can be "drop-packet", "pass-packet", "reject" or "ignore" -# (which is the default). +# The exception policy memcap-policy can be "drop-packet", "pass-packet", +# "reject" or "ignore" (which is the default). flow: - memcap: 256mb + memcap: 256 MiB #memcap-policy: ignore hash-size: 65536 prealloc: 10000 emergency-recovery: 30 #managers: 1 # default to one flow manager #recyclers: 1 # default to one flow recycler thread + # Track flows and count them as elephant flow if they exceed the rate defined + # by the byte count per interval configured below. + #rate-tracking: + # bytes: 1GiB + # interval: 10 # seconds is the only supported unit for interval so far # This option controls the use of VLAN ids in the flow (and defrag) # hashing. Normally this should be enabled, but in some (broken) @@ -1046,11 +1359,11 @@ flow-timeouts: # engine is configured. # # stream: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a +# memcap: 64 MiB # Can be specified in KiB, MiB, GiB. Just a # # number indicates it's in bytes. -# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", -# # "drop-packet", "pass-packet", "reject" or -# # "ignore" default is "ignore" +# memcap-policy: ignore # The exception policy value can be "drop-flow", +# # "pass-flow", "bypass", "drop-packet", +# # "pass-packet", "reject" or "ignore" default is "ignore" # checksum-validation: yes # To validate the checksum of received # # packet. If csum validation is specified as # # "yes", then packets with invalid csum values will not 
@@ -1062,9 +1375,9 @@ flow-timeouts: # # option # prealloc-sessions: 2048 # 2k sessions prealloc'd per stream thread # midstream: false # don't allow midstream session pickups -# midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", -# # "drop-packet", "pass-packet", "reject" or -# # "ignore" default is "ignore" +# midstream-policy: ignore # The exception policy value can be "drop-flow", +# # "pass-flow", "bypass", "drop-packet", +# # "pass-packet", "reject" or "ignore" default is "ignore" # async-oneside: false # don't enable async stream handling # inline: no # stream inline mode # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine 
@@ -1077,19 +1390,19 @@ flow-timeouts: # # means it's slightly more permissive. Enabled by default. # # reassembly: -# memcap: 256mb # Can be specified in kb, mb, gb. Just a number +# memcap: 256 MiB # Can be specified in KiB, MiB, GiB. Just a number # # indicates it's in bytes. -# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", -# # "drop-packet", "pass-packet", "reject" or -# # "ignore" default is "ignore" -# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# memcap-policy: ignore # The exception policy value can be "drop-flow", +# # "pass-flow", "bypass", "drop-packet", "pass-packet", +# # "reject" or "ignore" default is "ignore" +# depth: 1 MiB # Can be specified in KiB, MiB, GiB. Just a number # # indicates it's in bytes. # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. +# # this size. Can be specified in KiB, MiB, GiB. +# # Just a number indicates it's in bytes. # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. +# # this size. Can be specified in KiB, MiB, GiB. +# # Just a number indicates it's in bytes. # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. # # This lowers the risk of some evasion techniques but could lead # # to detection change between runs. It is set to 'yes' by default. 
@@ -1113,26 +1426,30 @@ flow-timeouts: # # is used or when stream-event:reassembly_overlap_different_data; # # is used in a rule. # +# max-regions: 8 # maximum number of concurrent regions per streaming buffer +# # defaults to 8, if no configuration was provided. 0 means no limit. + stream: - memcap: 256mb - prealloc-sessions: 4096 + memcap: 256 MiB #memcap-policy: ignore checksum-validation: yes # reject incorrect csums midstream: true midstream-policy: pass-flow inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - bypass: yes # Bypass packets when stream.reassembly.depth is reached. reassembly: - memcap: 256mb + urgent: + policy: oob # drop, inline, oob (1 byte, see RFC 6093, 3.1), gap + oob-limit-policy: drop + memcap: 256 MiB #memcap-policy: ignore - depth: 1mb # reassemble 1mb into a stream + depth: 1 MiB # reassemble 1 MiB into a stream toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: yes #randomize-chunk-range: 10 - raw: yes - segment-prealloc: 2048 - check-overlap-different-data: true + #raw: yes + #segment-prealloc: 2048 + #check-overlap-different-data: true # Host table: # @@ -1141,7 +1458,7 @@ stream: host: hash-size: 4096 prealloc: 1000 - memcap: 32mb + memcap: 32 MiB # IP Pair table: # @@ -1150,7 +1467,7 @@ host: #ippair: # hash-size: 4096 # prealloc: 1000 -# memcap: 32mb +# memcap: 32 MiB # Decoder settings @@ -1178,6 +1495,13 @@ decoder: # maximum number of decoder layers for a packet # max-layers: 16 + # This option controls the use of packet recursion level in the flow + # (and defrag) hashing. This is enabled by default and should be + # disabled if packet pickup of tunneled packets occurs before the kernel + # has put the headers on, like when using netmap driver pickup. + recursion-level: + use-for-tracking: true + ## ## Performance tuning and profiling ## 
@@ -1199,15 +1523,26 @@ decoder: # The option inspection-recursion-limit is used to limit the recursive calls # in the content inspection code. For certain payload-sig combinations, we # might end up taking too much time in the content inspection code. -# If the argument specified is 0, the engine uses an internally defined -# default limit. When a value is not specified, there are no limits on the recursion. +# If the argument specified is 0, there are no limits on the recursion. +# When a value is not specified, the default is 3000 detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto - inspection-recursion-limit: 3000 + # Cache MPM contexts to the disk to avoid rule compilation at the startup. + # Cache files are created in the standard library directory. + sgh-mpm-caching: yes + sgh-mpm-caching-path: /var/cache/suricata/sgh + # inspection-recursion-limit: 3000 + # maximum number of times a tx will get logged for rules without app-layer keywords + # stream-tx-log-limit: 4 + # Try to guess an app-layer transaction for rules without app-layer keywords, + # ONLY IF there is just one live transaction for the flow. + # This allows logging app-layer metadata in alert - the transaction may not + # be the relevant one for the alert. + # guess-applayer-tx: no # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. delayed-detect: yes 
@@ -1219,12 +1554,17 @@ detect: default: mpm # the grouping values above control how many groups are created per - # direction. Port whitelisting forces that port to get its own group. + # direction. Port priority setting forces that port to get its own group. # Very common ports will benefit, as well as ports with many expensive # rules. grouping: - #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 - #udp-whitelist: 53, 135, 5060 + #tcp-priority-ports: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-priority-ports: 53, 135, 5060 + + # Thresholding hash table settings. + thresholds: + hash-size: 16384 + memcap: 16 MiB profiling: # Log the rules that made it past the prefilter stage, per packet @@ -1270,6 +1610,7 @@ spm-algo: auto # Suricata is multi-threaded. Here the threading can be influenced. threading: set-cpu-affinity: no + autopin: no # Tune cpu affinity of threads. Each family of threads can be bound # to specific CPUs. # 
@@ -1282,25 +1623,39 @@ threading: # verdict-cpu-set is used for IPS verdict threads # cpu-affinity: - - management-cpu-set: - cpu: [ 0 ] # include only these CPUs in affinity settings - - receive-cpu-set: - cpu: [ 0 ] # include only these CPUs in affinity settings - - worker-cpu-set: - cpu: [ "all" ] - mode: "exclusive" - # Use explicitly 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 - prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] - default: "medium" - #- verdict-cpu-set: - # cpu: [ 0 ] - # prio: - # default: "high" + management-cpu-set: + cpu: [ 0 ] # include only these CPUs in affinity settings + receive-cpu-set: + cpu: [ 0 ] # include only these CPUs in affinity settings + # interface-specific-cpu-set: + # - interface: "enp4s0f0" + # cpu: [ 1,3,5,7,9 ] + # mode: "exclusive" + # prio: + # high: [ "all" ] + # default: "medium" + worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + # Use explicitly 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + interface-specific-cpu-set: + - interface: "enp4s0f0" # 0000:3b:00.0 # net_bonding0 # ens1f0 + cpu: [ 1,3,5,7,9 ] + mode: "exclusive" + prio: + high: [ "all" ] + default: "medium" + #verdict-cpu-set: + # cpu: [ 0 ] + # prio: + # default: "high" # # By default Suricata creates one "detect" thread per available CPU/CPU core. # This setting allows controlling this behaviour. A ratio setting of 2 will 
@@ -1318,4 +1673,63 @@ threading: # set to this value, a fatal error occurs. # # Generally, the per-thread stack-size should not exceed 8MB. - #stack-size: 8mb + #stack-size: 8 MiB + +## +## Netfilter integration +## + +# When running in NFQ inline mode, it is possible to use a simulated +# non-terminal NFQUEUE verdict. +# This permits sending all needed packet to Suricata via this rule: +# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE +# And below, you can have your standard filtering ruleset. To activate +# this mode, you need to set mode to 'repeat' +# If you want a packet to be sent to another queue after an ACCEPT decision +# set the mode to 'route' and set next-queue value. +# On Linux >= 3.1, you can set batchcount to a value > 1 to improve performance +# by processing several packets before sending a verdict (worker runmode only). +# On Linux >= 3.6, you can set the fail-open option to yes to have the kernel +# accept the packet if Suricata is not able to keep pace. +# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is +# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask +# on packet of a flow that need to be bypassed. The Netfilter ruleset has to +# directly accept all packets of a flow once a packet has been marked. +nfq: + mode: repeat + repeat-mark: 2147483648 + repeat-mask: 2147483648 + bypass-mark: 1073741824 + bypass-mask: 1073741824 +# route-queue: 2 +# batchcount: 20 + fail-open: no + +## +## Suricata as a Firewall options (experimental) +## +firewall: + # toggle to enable firewall mode + #enabled: no + + # Firewall rule file are in their own path and are not managed + # by Suricata-Update. + #rule-path: /etc/suricata/firewall/ + + # List of files with firewall rules. 
Order matters, files are loaded + # in order and rules are applied in that order (per state, see docs) + #rule-files: + # - firewall.rules + + +## +## Include other configs +## + +# Includes: Files included here will be handled as if they were in-lined +# in this configuration file. Files with relative pathnames will be +# searched for in the same directory as this configuration file. You may +# use absolute pathnames too. +#include: +# - include1.yaml +# - include2.yaml diff --git a/doc/language_issues.de b/doc/language_issues.de index a98202e8d7..76f7ab472e 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -148,6 +148,7 @@ WARNING: translation string unused: bitrate WARNING: translation string unused: bleeding rules WARNING: translation string unused: blue access use hint WARNING: translation string unused: blue interface +WARNING: translation string unused: bypassed WARNING: translation string unused: bytes WARNING: translation string unused: cache management WARNING: translation string unused: cache size diff --git a/doc/language_issues.en b/doc/language_issues.en index f5bd78e2a7..2fec840757 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -357,7 +357,6 @@ WARNING: untranslated string: broken = Broken WARNING: untranslated string: broken pipe = Broken pipe WARNING: untranslated string: buffered memory = Buffered Memory WARNING: untranslated string: buffers = buffers -WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: bytes per second = Bytes per Second WARNING: untranslated string: bytes received = Bytes Received WARNING: untranslated string: bytes sent = Bytes Sent 
@@ -1386,6 +1385,7 @@ WARNING: untranslated string: ntpd restarted = ntpd restarted WARNING: untranslated string: number = Number: WARNING: untranslated string: october = October WARNING: untranslated string: off = off +WARNING: untranslated string: offloaded = Offloaded WARNING: untranslated string: ok = OK WARNING: untranslated string: older = Older WARNING: untranslated string: on = on diff --git a/doc/language_issues.es b/doc/language_issues.es index 6ea6ee7df8..6863eda0ef 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -168,6 +168,7 @@ WARNING: translation string unused: bitrate WARNING: translation string unused: bleeding rules WARNING: translation string unused: blue access use hint WARNING: translation string unused: blue interface +WARNING: translation string unused: bypassed WARNING: translation string unused: ca name must only contain characters or spaces WARNING: translation string unused: cache management WARNING: translation string unused: cache size @@ -1060,6 +1061,7 @@ WARNING: untranslated string: indirect target selection = Indirect target select WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: mdstat = Mdstat WARNING: untranslated string: no data = unknown string +WARNING: untranslated string: offloaded = Offloaded WARNING: untranslated string: online = Online WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 6e8e6adcba..750463098e 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -999,7 +999,6 @@ WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: allowed subnets = Allowed Subnets -WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: ca name must only contain characters and spaces = unknown string WARNING: untranslated string: configuration file = Configuration File WARNING: untranslated string: core notice 3 = available. @@ -1063,6 +1062,7 @@ WARNING: untranslated string: malformed preshared key = Malformed Pre-Shared Key WARNING: untranslated string: malformed private key = Malformed Private Key WARNING: untranslated string: malformed public key = Malformed Public Key WARNING: untranslated string: mdstat = Mdstat +WARNING: untranslated string: offloaded = Offloaded WARNING: untranslated string: online = Online WARNING: untranslated string: oops something went wrong = Oops, something went wrong... WARNING: untranslated string: ovpn ciphers = Ciphers diff --git a/doc/language_issues.it b/doc/language_issues.it index 0658bae77e..139bd96574 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -996,7 +996,6 @@ WARNING: untranslated string: autonomous system = Autonomous System WARNING: untranslated string: available = available WARNING: untranslated string: block = Block WARNING: untranslated string: broken = Broken -WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: ca name must only contain characters and spaces = unknown string WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes) WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes) 
@@ -1283,6 +1282,7 @@ WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: none = none WARNING: untranslated string: not affected = Not Affected WARNING: untranslated string: not validating = Not validating +WARNING: untranslated string: offloaded = Offloaded WARNING: untranslated string: one hour = One Hour WARNING: untranslated string: one month = One Month WARNING: untranslated string: one week = One Week diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 05165cdfd8..d489dccff1 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -997,7 +997,6 @@ WARNING: untranslated string: autonomous system = Autonomous System WARNING: untranslated string: available = available WARNING: untranslated string: block = Block WARNING: untranslated string: broken = Broken -WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: ca name must only contain characters and spaces = unknown string WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes) WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes) @@ -1307,6 +1306,7 @@ WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: none = none WARNING: untranslated string: not affected = Not Affected WARNING: untranslated string: not validating = Not validating +WARNING: untranslated string: offloaded = Offloaded WARNING: untranslated string: one hour = One Hour WARNING: untranslated string: one month = One Month WARNING: untranslated string: one week = One Week diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 53afbcac37..d5285e233e 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -909,7 +909,6 @@ WARNING: untranslated string: available = available WARNING: untranslated string: bit = bit WARNING: untranslated string: block = Block WARNING: untranslated string: broken = Broken -WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: ca name must only contain characters and spaces = unknown string WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes) WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes) @@ -1440,6 +1439,7 @@ WARNING: untranslated string: none = none WARNING: untranslated string: not affected = Not Affected WARNING: untranslated string: not validating = Not validating WARNING: untranslated string: notice = Notice +WARNING: untranslated string: offloaded = Offloaded WARNING: untranslated string: one hour = One Hour WARNING: untranslated string: one month = One Month WARNING: untranslated string: one week = One Week diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 3c8fbbab01..a2f6929a6c 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -907,7 +907,6 @@ WARNING: untranslated string: available = available WARNING: untranslated string: bit = bit WARNING: untranslated string: block = Block WARNING: untranslated string: broken = Broken -WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: ca name must only contain characters and spaces = unknown string WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes) WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes) 
@@ -1439,6 +1438,7 @@ WARNING: untranslated string: none = none WARNING: untranslated string: not affected = Not Affected WARNING: untranslated string: not validating = Not validating WARNING: untranslated string: notice = Notice +WARNING: untranslated string: offloaded = Offloaded WARNING: untranslated string: one hour = One Hour WARNING: untranslated string: one month = One Month WARNING: untranslated string: one week = One Week diff --git a/doc/language_issues.tr b/doc/language_issues.tr index e7f30730c5..2137b2a042 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -984,7 +984,6 @@ WARNING: untranslated string: asn lookup failed = AS lookup failed WARNING: untranslated string: autonomous system = Autonomous System WARNING: untranslated string: available = available WARNING: untranslated string: broken = Broken -WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: ca name must only contain characters and spaces = unknown string WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes) WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes) @@ -1206,6 +1205,7 @@ WARNING: untranslated string: no data = unknown string WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: not affected = Not Affected WARNING: untranslated string: not validating = Not validating +WARNING: untranslated string: offloaded = Offloaded WARNING: untranslated string: online = Online WARNING: untranslated string: oops something went wrong = Oops, something went wrong... WARNING: untranslated string: open connections = Open Connections diff --git a/doc/language_issues.tw b/doc/language_issues.tw index 8c7f37772e..53f97d670a 100644 --- a/doc/language_issues.tw +++ b/doc/language_issues.tw 
@@ -170,6 +170,7 @@ WARNING: translation string unused: bitrate WARNING: translation string unused: bleeding rules WARNING: translation string unused: blue access use hint WARNING: translation string unused: blue interface +WARNING: translation string unused: bypassed WARNING: translation string unused: ca name must only contain characters or spaces WARNING: translation string unused: cache management WARNING: translation string unused: cache size @@ -1068,6 +1069,7 @@ WARNING: untranslated string: indirect target selection = Indirect target select WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: max bandwidth = Maximum bandwidth WARNING: untranslated string: no data = unknown string +WARNING: untranslated string: offloaded = Offloaded WARNING: untranslated string: online = Online WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings diff --git a/doc/language_issues.zh b/doc/language_issues.zh index 8c7f37772e..53f97d670a 100644 --- a/doc/language_issues.zh +++ b/doc/language_issues.zh @@ -170,6 +170,7 @@ WARNING: translation string unused: bitrate WARNING: translation string unused: bleeding rules WARNING: translation string unused: blue access use hint WARNING: translation string unused: blue interface +WARNING: translation string unused: bypassed WARNING: translation string unused: ca name must only contain characters or spaces WARNING: translation string unused: cache management WARNING: translation string unused: cache size 
@@ -1068,6 +1069,7 @@ WARNING: untranslated string: indirect target selection = Indirect target select WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: max bandwidth = Maximum bandwidth WARNING: untranslated string: no data = unknown string +WARNING: untranslated string: offloaded = Offloaded WARNING: untranslated string: online = Online WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings diff --git a/doc/language_missings b/doc/language_missings index 7cf1c40735..80b0fbb038 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -159,6 +159,7 @@ < ids provider eol < indirect target selection < mdstat +< offloaded < online < ovpn ciphers < ovpn crypto settings @@ -225,6 +226,7 @@ < malformed private key < malformed public key < mdstat +< offloaded < online < oops something went wrong < ovpn ciphers @@ -691,6 +693,7 @@ < not affected < not validating < Number of Countries for the pie chart +< offloaded < okay < one hour < one month @@ -1352,6 +1355,7 @@ < not affected < not validating < Number of Countries for the pie chart +< offloaded < okay < one hour < one month @@ -2316,6 +2320,7 @@ < notice < not validating < Number of Countries for the pie chart +< offloaded < okay < one hour < one month @@ -3431,6 +3436,7 @@ < notice < not validating < Number of Countries for the pie chart +< offloaded < okay < one hour < one month @@ -4073,6 +4079,7 @@ < no entries < not affected < not validating +< offloaded < okay < online < oops something went wrong @@ -4290,6 +4297,7 @@ < guaranteed bandwidth < indirect target selection < max bandwidth +< offloaded < online < ovpn ciphers < ovpn crypto settings @@ -4337,6 +4345,7 @@ < guaranteed bandwidth < indirect target selection < max bandwidth +< offloaded < online < ovpn ciphers < ovpn crypto settings diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 210a701ffb..c2a6c30433 100644 
--- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1889,6 +1889,7 @@ 'o-yes' => 'Aktiv', 'october' => 'Oktober', 'off' => 'aus', +'offloaded' => 'Ausgelagert', 'ok' => 'OK', 'older' => 'Älter', 'on' => 'ein', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 57ccaa701a..3450fe6d78 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1956,6 +1956,7 @@ 'o-yes' => 'Activ', 'october' => 'October', 'off' => 'off', +'offloaded' => 'Offloaded', 'ok' => 'OK', 'okay' => 'Okay', 'older' => 'Older', diff --git a/lfs/binutils b/lfs/binutils index deddcfa5ed..1b2b5f3b3f 100644 --- a/lfs/binutils +++ b/lfs/binutils @@ -24,7 +24,7 @@ include Config -VER = 2.44 +VER = 2.45 THISAPP = binutils-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -96,7 +96,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 0eb031ace9fb5a7047b81b5a05b1760f7d332c8ed67f98899f153a45f181b83e661a484551af05c0a9b2adc422da84619103c7b1f3c9fad5327872832b5446aa +$(DL_FILE)_BLAKE2 = 1ce72346b1f531c89feb86b407e2c649151b506ffbd1a02d413411d36f7ede98fa9a1adf75dd941c01df5fe7e6bf151828b269eeb7c278315ca8004bff22eb7f install : $(TARGET) diff --git a/lfs/suricata b/lfs/suricata index 7c02ec83ad..05b708f1b9 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ include Config -VER = 7.0.11 +VER = 8.0.0 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 5bdfc3715bed2faa49cc9096a30fb0f58c81c0ebe6cb82629d5ccddd75cf68af6b3a1e9ae2ed54cbbeea48d40c2e1c3348b52c19856ba9550b6c687653de8b47 +$(DL_FILE)_BLAKE2 = be76000891acfd6746c05023abb633aff86d90a9a18ecf49758bf05cdc52ed7184f2ac87056dc19489dff0dda81c1139a8a608f682389533ae07a8295fab20c3 install : $(TARGET) 
@@ -70,7 +70,7 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-disable-sid-2210059.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-8.0.0-disable-sid-2210059.patch cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \ --prefix=/usr \ --sysconfdir=/etc \ @@ -123,6 +123,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Set correct ownership for the cache directory. chown nobody:nobody /var/cache/suricata + # Create the Hyperscan cache directory + -mkdir -pv /var/cache/suricata/sgh + chown suricata:suricata /var/cache/suricata/sgh + # Create logging directory. -mkdir -p /var/log/suricata diff --git a/lfs/vectorscan b/lfs/vectorscan index b56243c42f..714f75d472 100644 --- a/lfs/vectorscan +++ b/lfs/vectorscan @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2024 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 5.4.11 +VER = 5.4.12 THISAPP = vectorscan-vectorscan-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -62,7 +62,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = a8f5a1230af0ddf7d9fb9299769ec1736d37ac3284f6a98b1e650af461206cf459eac35d13a47beb6683786c6529539b2d082edf426e7d4890ed11804c76268b +$(DL_FILE)_BLAKE2 = 7d2a5934423ea5ef7153ab04544e9819d3c95644352780f6614ec2e896cbde4d92cffe6433eab86a55be26c2dd968d4d0ea7867d7c1251d4631af9da33d39f31 install : $(TARGET) 
@@ -92,7 +92,6 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vectorscan-5.4.11-sse4.2.patch cd $(DIR_APP) && cmake . \ -DCMAKE_INSTALL_PREFIX:PATH=/usr \ -DBUILD_SHARED_LIBS=ON \ diff --git a/make.sh b/make.sh index c3de610b9b..91ae5f682b 100755 --- a/make.sh +++ b/make.sh @@ -23,7 +23,7 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name # If you update the version don't forget to update backupiso and add it to core update VERSION="2.29" # Version number -CORE="197" # Core Level (Filename) +CORE="198" # Core Level (Filename) SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir @@ -32,7 +32,7 @@ GIT_BRANCH="$(git rev-parse --abbrev-ref HEAD)" # Git Branch GIT_TAG="$(git tag | tail -1)" # Git Tag GIT_LASTCOMMIT="$(git rev-parse --verify HEAD)" # Last commit -TOOLCHAINVER="20250430" +TOOLCHAINVER="20250807" KVER_SUFFIX="-${SNAME}" diff --git a/src/patches/suricata/suricata-disable-sid-2210059.patch b/src/patches/suricata/suricata-8.0.0-disable-sid-2210059.patch similarity index 51% rename from src/patches/suricata/suricata-disable-sid-2210059.patch rename to src/patches/suricata/suricata-8.0.0-disable-sid-2210059.patch index 8955eec5e9..7968b9ade7 100644 --- a/src/patches/suricata/suricata-disable-sid-2210059.patch +++ b/src/patches/suricata/suricata-8.0.0-disable-sid-2210059.patch @@ -1,12 +1,11 @@ -diff -Nur a/rules/stream-events.rules b/rules/stream-events.rules ---- a/rules/stream-events.rules 2021-11-17 16:55:12.000000000 +0100 -+++ b/rules/stream-events.rules 2021-12-08 18:12:39.850189502 +0100 +--- suricata-8.0.0-beta1/rules/stream-events.rules.orig 2025-04-08 14:50:55.000000000 +0200 ++++ suricata-8.0.0-beta1/rules/stream-events.rules 2025-06-03 16:16:56.517635788 +0200 
@@ -97,7 +97,7 @@ # rule to alert if a stream has excessive retransmissions alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;) # Packet on wrong thread. Fires at most once per flow. --alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;) -+#alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;) +-alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; threshold:type backoff, track by_flow, count 1, multiplier 10; sid:2210059; rev:2;) ++#alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; threshold:type backoff, track by_flow, count 1, multiplier 10; sid:2210059; rev:2;) # Packet with FIN+SYN set - alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;) + alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; threshold:type backoff, track by_flow, count 1, multiplier 2; classtype:protocol-command-decode; sid:2210060; rev:2;) diff --git a/src/patches/vectorscan-5.4.11-sse4.2.patch b/src/patches/vectorscan-5.4.11-sse4.2.patch deleted file mode 100644 index feb867aebe..0000000000 --- a/src/patches/vectorscan-5.4.11-sse4.2.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff --git a/src/hs_valid_platform.c b/src/hs_valid_platform.c -index 0af36b6c..12ae5d9a 100644 ---- a/src/hs_valid_platform.c -+++ b/src/hs_valid_platform.c -@@ -37,9 +37,9 @@ - - HS_PUBLIC_API - hs_error_t HS_CDECL hs_valid_platform(void) { -- /* Hyperscan requires SSSE3, anything else is a bonus */ -+ /* Vectorscan requires SSE4.2, anything else is a bonus */ - #if defined(ARCH_IA32) || defined(ARCH_X86_64) -- if (check_ssse3()) { -+ if (check_sse42()) { - return HS_SUCCESS; - } else { - return HS_ARCH_ERROR; hooks/post-receive -- IPFire 2.x development tree
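Review bot: the `bypassed` string is dropped from every untranslated list and newly reported as "translation string unused" in doc/language_issues.tw and doc/language_issues.zh (hunk @@ -170,6 +170,7 @@), yet no visible hunk in langs/*/cgi-bin/*.pl removes the `'bypassed'` key; either delete the stale key in the same change (the UI now uses `'offloaded'`) or record why it is kept, so the unused-string warnings do not accumulate in the generated reports.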
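Review bot: the unchanged context line `'o-yes' => 'Activ',` in langs/en/cgi-bin/en.pl (hunk @@ -1956,6 +1956,7 @@) carries a pre-existing typo; it is not introduced by this change, but since the hunk touches the adjacent lines it would be a cheap fix to correct it to `'Active'` here or in a follow-up.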
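Review bot: the jump from 7.0.11 to 8.0.0 in lfs/suricata (hunk @@ -24,7 +24,7 @@) is a major upstream release, and the tarball hash is updated alongside it, which is correct; what is missing from the visible hunks is any note on configuration compatibility. Please state in the commit message or the core update notes which suricata.yaml settings were reviewed against the 8.x defaults, so the update hook for core 198 can migrate an existing configuration rather than leaving the IDS to fail at start-up on a stale key.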
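Review bot: the ownership of the new cache subdirectory is inconsistent with its parent in hunk @@ -123,6 +123,10 @@ of lfs/suricata: the preceding context line runs `chown nobody:nobody /var/cache/suricata`, while the added lines chown `/var/cache/suricata/sgh` to `suricata:suricata`. Both should name the account the daemon actually runs as, otherwise it can write the Hyperscan cache but not its parent (or the reverse). Also give the `sgh` directory an explicit mode (for example `chmod 750`), since its contents are read back as compiled pattern databases at start-up and should be writable only by the Suricata user, and note that `-mkdir -pv` tolerates failure while the following `chown` does not.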
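Review bot: removing `vectorscan-5.4.11-sse4.2.patch` (hunk @@ -92,7 +92,6 @@ in lfs/vectorscan, together with the deleted file) drops the change that made `hs_valid_platform()` test `check_sse42()` instead of `check_ssse3()`. Unless 5.4.12 carries an equivalent check upstream, the library will again report HS_SUCCESS on SSSE3-only x86 CPUs even though the patch existed precisely because the build's instruction set needs SSE4.2, and Suricata would then die with an illegal-instruction fault instead of the clean HS_ARCH_ERROR the patch provided. The commit message should say why the patch is no longer needed (upstream fix, or a change to the cmake target flags).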
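Review bot: `TOOLCHAINVER="20250807"` in make.sh (hunk @@ -32,7 +32,7 @@) moves together with the binutils 2.44 to 2.45 bump in lfs/binutils; since the prebuilt toolchain is fetched by that version string, the commit message should confirm that the 20250807 toolchain was rebuilt with binutils 2.45 and published before this lands, otherwise a fresh build cannot bootstrap.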
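Review bot: the rewritten header of `suricata-8.0.0-disable-sid-2210059.patch` (hunk @@ -1,12 +1,11 @@) references `suricata-8.0.0-beta1/rules/stream-events.rules`, so the patch was regenerated against the beta rather than the 8.0.0 tarball lfs/suricata now downloads; `patch -Np1` strips that prefix so it still applies, but regenerating it against the final release keeps the header honest about what it was diffed from. The patch also still carries no comment explaining why sid 2210059 is disabled, and since upstream's `rev:2` now rate-limits the rule with `threshold:type backoff, track by_flow, count 1, multiplier 10`, a short description should say whether commenting the rule out is still required or whether the backoff threshold alone would now suffice.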