next/833/20250417/v1 #13035

Merged: 11 commits, Apr 17, 2025

victorjulien and others added 11 commits April 17, 2025 08:22
If for the same packet a drop rule and a pass rule would match,
the applying of actions could be contradictory:

- the drop would be applied to the packet
- the pass rule would also be considered, not overriding the drop,
  but still setting the flow pass flag.

This would lead to the packet being dropped, but the rest of the
flow getting passed, including retransmissions of the dropped
packet.

This patch only sets drop/pass actions if no conflicting action
has been set on the packet before. It respects the action-order.

Bug: OISF#7653.

For firewall mode, set the pseudo table in the rule and use this
in alert queue ordering, so that rule actions are applied in the
expected order:

        packet:filter -> packet:td -> app:filter -> app:td

This makes sure that a packet:td drop is applied before an app:filter
accept.
Ticket: OISF#7143

Update documentation to reflect new sticky buffer keyword format
email.received matches on MIME EMAIL Received
This keyword maps to the EVE field email.received[]
It is a sticky buffer
Supports multiple buffer matching
Supports prefiltering

Ticket: OISF#7599
Issue: 3436

Serialize rotation flag handling to avoid corruption.
Issue: 3436

Remove duplicate register of the rotation flag. Eventually, this will
cause corruption when the file context has been freed and the rotation
flag is deregistered.
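
The drop/pass conflict described in the first commit message above, as an added example that is not Suricata's code: a simplified C model in which every type and function name is hypothetical and the matches are assumed to be already sorted by the configured action-order.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model for illustration; every name here is hypothetical. */
enum action { ACT_DROP, ACT_PASS };

struct verdict {
    bool pkt_drop;   /* this packet is dropped */
    bool pkt_pass;   /* this packet is passed */
    bool flow_pass;  /* rest of the flow is passed */
};

/* Described bug: each match applies its action with no conflict check. */
static struct verdict apply_unguarded(const enum action *m, size_t n)
{
    struct verdict v = { false, false, false };
    for (size_t i = 0; i < n; i++) {
        if (m[i] == ACT_DROP) {
            v.pkt_drop = true;
        } else {
            v.pkt_pass = !v.pkt_drop;  /* pass does not override a drop */
            v.flow_pass = true;        /* ...but the flow flag is still set */
        }
    }
    return v;
}

/* Described fix: set drop/pass only if no conflicting action is set yet.
 * m[] is assumed to be already sorted by the configured action-order. */
static struct verdict apply_guarded(const enum action *m, size_t n)
{
    struct verdict v = { false, false, false };
    for (size_t i = 0; i < n; i++) {
        if (m[i] == ACT_DROP && !v.pkt_pass) {
            v.pkt_drop = true;
        } else if (m[i] == ACT_PASS && !v.pkt_drop) {
            v.pkt_pass = true;
            v.flow_pass = true;
        }
    }
    return v;
}

/* True when the packet is dropped while the rest of its flow is passed. */
static bool contradictory(struct verdict v) { return v.pkt_drop && v.flow_pass; }

int main(void)
{
    const enum action m[] = { ACT_DROP, ACT_PASS };  /* constructed input */
    printf("unguarded=%d guarded=%d\n",
           contradictory(apply_unguarded(m, 2)), contradictory(apply_guarded(m, 2)));
    return 0;
}
```
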
NOTE: This PR may contain new authors.

@suricata-qa
Information: QA ran without warnings.

Pipeline 25713

@victorjulien victorjulien merged commit d59f5d6 into OISF:master Apr 17, 2025
55 checks passed
@victorjulien victorjulien deleted the next/833/20250417/v1 branch April 17, 2025 16:46