OISF · victorjulien · Oct 16, 2024 · Oct 11, 2024 · Oct 14, 2024 · Oct 14, 2024
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout PR code
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -41,7 +41,7 @@ jobs:
       - run: echo ${{ github.event.number }} > new-authors/pr-number.txt
       - run: ls -l
       - name: Upload new authors
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
         with:
           name: new-authors
           path: new-authors

@@ -37,11 +37,11 @@ jobs:
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
     steps:
     - name: Checkout repository
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/[email protected].10
+      uses: github/codeql-action/[email protected].12
       with:
         languages: ${{ matrix.language }}
         queries: security-extended
@@ -62,4 +62,4 @@ jobs:
        ./configure --enable-warnings
        make
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/[email protected].10
+      uses: github/codeql-action/[email protected].12
@@ -74,7 +74,7 @@ jobs:
           cd $HOME/.cargo/bin
           curl -OL https://github.com/eqrion/cbindgen/releases/download/v0.24.3/cbindgen
           chmod 755 cbindgen
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
       # The action above is supposed to do this for us, but it doesn't appear to stick.
@@ -97,7 +97,7 @@ jobs:
               make -ik distclean > /dev/null
           done
       - run: sccache -s
-      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
         name: Uploading build log
         if: always()
         with:

@@ -52,7 +52,7 @@ jobs:
           cargo install --target x86_64-unknown-linux-musl --debug cbindgen
           cp $HOME/.cargo/bin/cbindgen .
       - name: Uploading prep archive
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
         with:
           name: cbindgen
           path: .
@@ -114,7 +114,7 @@ jobs:
               texlive-latex-extra \
               zlib1g \
               zlib1g-dev
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
       - run: git config --global --add safe.directory /__w/suricata/suricata
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
         with:

@@ -89,7 +89,7 @@ jobs:
       # My patience simply ran too short to keep on looking. See follow-on
       # action to manually fix this up.
       - name: Checkout - might be merge commit!
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
         # Use last commit of branch, not potential merge commit!

@@ -78,7 +78,7 @@ jobs:
 
       # Now checkout Suricata for the bundle script.
       - name: Checking out Suricata
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
       - run: git config --global --add safe.directory /__w/suricata/suricata
 
       - name: Fetching libhtp
@@ -112,7 +112,7 @@ jobs:
           cd ..
           tar zcf suricata-verify.tar.gz suricata-verify
       - name: Uploading prep archive
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
         with:
           name: prep
           path: |

@@ -80,7 +80,7 @@ jobs:
           echo "$HOME/.cargo/bin" >> $GITHUB_PATH
       - name: Install Cargo Audit
         run: cargo install cargo-audit
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
       - name: Configure Suricata
         run: |
           ./scripts/bundle.sh libhtp
@@ -158,7 +158,7 @@ jobs:
                 sudo \
                 which \
                 zlib-devel
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
       - name: Install Minimum Supported Rust Version
         run: |
           curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(awk -F '"' '/rust-version/ { print $2 }' rust/Cargo.toml.in)

@@ -71,7 +71,7 @@ jobs:
           echo "$HOME/.cargo/bin" >> $GITHUB_PATH
       - name: Install cbindgen
         run: cargo install --debug cbindgen
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
       - run: git config --global --add safe.directory /__w/suricata/suricata
       - run: ./scripts/bundle.sh
       - run: ./autogen.sh

@@ -67,7 +67,7 @@ jobs:
                 software-properties-common \
                 zlib1g \
                 zlib1g-dev
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
       - run: git config --global --add safe.directory /__w/suricata/suricata
       - run: ./scripts/bundle.sh
       - run: ./autogen.sh

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: "Run analysis"
         uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
@@ -43,14 +43,14 @@ jobs:
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       # Optional.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.1.2
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.1.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload SARIF results"
-        uses: github/codeql-action/upload-sarif@a196a714b8d0d287c2c86f37b12ba3dcd939d879 # v1
+        uses: github/codeql-action/upload-sarif@ea2cd92c21b192add69983116b8b3222b09da33b # v1
         with:
           sarif_file: results.sarif
@@ -51,6 +51,7 @@
 #include "util-conf.h"
 #include "detect-flowbits.h"
 #include "util-var-name.h"
+#include "detect-icmp-id.h"
 
 static int rule_warnings_only = 0;
 
@@ -924,6 +925,13 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
                 jb_close(js);
                 break;
             }
+            case DETECT_ICMP_ID: {
+                const DetectIcmpIdData *cd = (const DetectIcmpIdData *)smd->ctx;
+                jb_open_object(js, "id");
+                jb_set_uint(js, "number", SCNtohs(cd->id));
+                jb_close(js);
+                break;
+            }
         }
         jb_close(js);
 

@@ -46,7 +46,7 @@
 #include "util-conf.h"
 
 /* Magic numbers to make the rules of a certain order fall in the same group */
-#define DETECT_PGSCORE_RULE_PORT_WHITELISTED 111 /* Rule port group contains a whitelisted port */
+#define DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111 /* Rule port group contains a priority port */
 #define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99  /* Rule contains an MPM fast pattern */
 #define DETECT_PGSCORE_RULE_MPM_NEGATED      77  /* Rule contains a negated MPM */
 #define DETECT_PGSCORE_RULE_NO_MPM           55  /* Rule does not contain MPM */
@@ -487,27 +487,11 @@ static int SignatureCreateMask(Signature *s)
             {
                 DetectFlagsData *fl = (DetectFlagsData *)sm->ctx;
 
-                if (fl->flags & TH_SYN) {
+                if (fl->flags & MASK_TCP_INITDEINIT_FLAGS) {
                     s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
                     SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
                 }
-                if (fl->flags & TH_RST) {
-                    s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
-                    SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
-                }
-                if (fl->flags & TH_FIN) {
-                    s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
-                    SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
-                }
-                if (fl->flags & TH_URG) {
-                    s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
-                    SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
-                }
-                if (fl->flags & TH_ECN) {
-                    s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
-                    SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
-                }
-                if (fl->flags & TH_CWR) {
+                if (fl->flags & MASK_TCP_UNUSUAL_FLAGS) {
                     s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
                     SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
                 }
@@ -969,7 +953,7 @@ static void RulesDumpGrouping(const DetectEngineCtx *de_ctx,
     fclose(fp);
 }
 
-static int RulesGroupByProto(DetectEngineCtx *de_ctx)
+static int RulesGroupByIPProto(DetectEngineCtx *de_ctx)
 {
     Signature *s = de_ctx->sig_list;
 
@@ -980,15 +964,16 @@ static int RulesGroupByProto(DetectEngineCtx *de_ctx)
         if (s->type == SIG_TYPE_IPONLY)
             continue;
 
-        int p;
-        for (p = 0; p < 256; p++) {
+        /* traverse over IP protocol list from libc */
+        for (int p = 0; p < 256; p++) {
             if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
                 continue;
             }
             if (!(s->proto.proto[p / 8] & (1<<(p % 8)) || (s->proto.flags & DETECT_PROTO_ANY))) {
                 continue;
             }
 
+            /* Signatures that are ICMP, SCTP, not IP only are handled here */
             if (s->flags & SIG_FLAG_TOCLIENT) {
                 SigGroupHeadAppendSig(de_ctx, &sgh_tc[p], s);
             }
@@ -1079,15 +1064,14 @@ static int RulesGroupByProto(DetectEngineCtx *de_ctx)
     return 0;
 }
 
-static int PortIsWhitelisted(const DetectEngineCtx *de_ctx,
-                             const DetectPort *a, int ipproto)
+static int PortIsPriority(const DetectEngineCtx *de_ctx, const DetectPort *a, int ipproto)
 {
-    DetectPort *w = de_ctx->tcp_whitelist;
+    DetectPort *w = de_ctx->tcp_priorityports;
     if (ipproto == IPPROTO_UDP)
-        w = de_ctx->udp_whitelist;
+        w = de_ctx->udp_priorityports;
 
     while (w) {
-        /* Make sure the whitelist port falls in the port range of a */
+        /* Make sure the priority port falls in the port range of a */
         DEBUG_VALIDATE_BUG_ON(a->port > a->port2);
         if (a->port == w->port && w->port2 == a->port2) {
             return 1;
@@ -1098,7 +1082,7 @@ static int PortIsWhitelisted(const DetectEngineCtx *de_ctx,
     return 0;
 }
 
-static int RuleSetWhitelist(Signature *s)
+static int RuleSetScore(Signature *s)
 {
     DetectPort *p = NULL;
     if (s->flags & SIG_FLAG_TOSERVER)
@@ -1109,27 +1093,27 @@ static int RuleSetWhitelist(Signature *s)
         return 0;
 
     /* for sigs that don't use 'any' as port, see if we want to
-     * whitelist poor sigs */
+     * prioritize poor sigs */
     int wl = 0;
     if (!(p->port == 0 && p->port2 == 65535)) {
         /* pure pcre, bytetest, etc rules */
         if (RuleInspectsPayloadHasNoMpm(s)) {
-            SCLogDebug("Rule %u MPM has 1 byte fast_pattern. Whitelisting SGH's.", s->id);
+            SCLogDebug("Rule %u MPM has 1 byte fast_pattern. Prioritizing SGH's.", s->id);
             wl = DETECT_PGSCORE_RULE_MPM_FAST_PATTERN;
 
         } else if (RuleMpmIsNegated(s)) {
-            SCLogDebug("Rule %u MPM is negated. Whitelisting SGH's.", s->id);
+            SCLogDebug("Rule %u MPM is negated. Prioritizing SGH's.", s->id);
             wl = DETECT_PGSCORE_RULE_MPM_NEGATED;
 
             /* one byte pattern in packet/stream payloads */
         } else if (s->init_data->mpm_sm != NULL &&
                    s->init_data->mpm_sm_list == DETECT_SM_LIST_PMATCH &&
                    RuleGetMpmPatternSize(s) == 1) {
-            SCLogDebug("Rule %u No MPM. Payload inspecting. Whitelisting SGH's.", s->id);
+            SCLogDebug("Rule %u No MPM. Payload inspecting. Prioritizing SGH's.", s->id);
             wl = DETECT_PGSCORE_RULE_NO_MPM;
 
         } else if (DetectFlagsSignatureNeedsSynOnlyPackets(s)) {
-            SCLogDebug("Rule %u Needs SYN, so inspected often. Whitelisting SGH's.", s->id);
+            SCLogDebug("Rule %u Needs SYN, so inspected often. Prioritizing SGH's.", s->id);
             wl = DETECT_PGSCORE_RULE_SYN_ONLY;
         }
     }
@@ -1247,7 +1231,7 @@ static int CreateGroupedPortList(DetectEngineCtx *de_ctx, DetectPort *port_list,
 
     /* insert the ports into the tmplist, where it will
      * be sorted descending on 'cnt' and on whether a group
-     * is whitelisted. */
+     * is prioritized. */
     tmplist = port_list;
     SortGroupList(&groups, &tmplist, SortCompare);
     uint32_t left = unique_groups;
@@ -1535,8 +1519,7 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u
 
         int wl = s->init_data->score;
         while (p) {
-            int pwl = PortIsWhitelisted(de_ctx, p, ipproto) ? DETECT_PGSCORE_RULE_PORT_WHITELISTED
-                                                            : 0;
+            int pwl = PortIsPriority(de_ctx, p, ipproto) ? DETECT_PGSCORE_RULE_PORT_PRIORITIZED : 0;
             pwl = MAX(wl,pwl);
 
             DetectPort *lookup = DetectPortHashLookup(de_ctx, p);
@@ -1633,11 +1616,11 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u
     }
 #if 0
     for (iter = list ; iter != NULL; iter = iter->next) {
-        SCLogInfo("PORT %u-%u %p (sgh=%s, whitelisted=%s/%d)",
+        SCLogInfo("PORT %u-%u %p (sgh=%s, prioritized=%s/%d)",
                 iter->port, iter->port2, iter->sh,
                 iter->flags & PORT_SIGGROUPHEAD_COPY ? "ref" : "own",
-                iter->sh->init->whitelist ? "true" : "false",
-                iter->sh->init->whitelist);
+                iter->sh->init->score ? "true" : "false",
+                iter->sh->init->score);
     }
 #endif
     SCLogPerf("%s %s: %u port groups, %u unique SGH's, %u copies",
@@ -1802,7 +1785,7 @@ int SigPrepareStage1(DetectEngineCtx *de_ctx)
         DetectContentPropagateLimits(s);
         SigParseApplyDsizeToContent(s);
 
-        RuleSetWhitelist(s);
+        RuleSetScore(s);
 
         /* if keyword engines are enabled in the config, handle them here */
         if (!g_skip_prefilter && de_ctx->prefilter_setting == DETECT_PREFILTER_AUTO &&
@@ -1907,7 +1890,7 @@ int SigPrepareStage2(DetectEngineCtx *de_ctx)
     de_ctx->flow_gh[0].udp = RulesGroupByPorts(de_ctx, IPPROTO_UDP, SIG_FLAG_TOCLIENT);
 
     /* Setup the other IP Protocols (so not TCP/UDP) */
-    RulesGroupByProto(de_ctx);
+    RulesGroupByIPProto(de_ctx);
 
     /* now for every rule add the source group to our temp lists */
     for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {

@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2024 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -24,14 +24,13 @@
 #ifndef SURICATA_DETECT_PROTO_H
 #define SURICATA_DETECT_PROTO_H
 
-#define DETECT_PROTO_ANY            (1 << 0) /**< Indicate that given protocol
-                                              is considered as IP */
-#define DETECT_PROTO_ONLY_PKT       (1 << 1) /**< Indicate that we only care
-                                              about packet payloads. */
-#define DETECT_PROTO_ONLY_STREAM    (1 << 2) /**< Indicate that we only care
-                                              about stream payloads. */
-#define DETECT_PROTO_IPV4           (1 << 3) /**< IPv4 only */
-#define DETECT_PROTO_IPV6           (1 << 4) /**< IPv6 only */
+// clang-format off
+#define DETECT_PROTO_ANY               BIT_U8(0) /**< Indicate that given protocol is considered as IP */
+#define DETECT_PROTO_ONLY_PKT          BIT_U8(1) /**< Indicate that we only care about packet payloads. */
+#define DETECT_PROTO_ONLY_STREAM       BIT_U8(2) /**< Indicate that we only care about stream payloads. */
+#define DETECT_PROTO_IPV4              BIT_U8(3) /**< IPv4 only */
+#define DETECT_PROTO_IPV6              BIT_U8(4) /**< IPv6 only */
+// clang-format on
 
 typedef struct DetectProto_ {
     uint8_t proto[256/8]; /**< bit array for 256 protocol bits */