[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-3.1.1-29-g666bba8

OISF Git noreply at openinfosecfoundation.org
Wed Aug 31 21:23:40 UTC 2016

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".

The branch, master has been updated
       via  666bba8121155292c5fcab97b0630af5d537c2c7 (commit)
       via  ecf4a2862c474145d435018e1cd999d35ca1d43a (commit)
       via  6b078e4f51800ac4cba3660dedfe210474491bc6 (commit)
      from  2eb941f9d9296c6812761c0645b4174a41e806d1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 666bba8121155292c5fcab97b0630af5d537c2c7
Author: Victor Julien <victor at inliniac.net>
Date:   Tue Aug 30 21:44:44 2016 +0200

    detect: implement continue detect for dcepayload
    Also fix a corner case in start detection.
    Bug 1853.

commit ecf4a2862c474145d435018e1cd999d35ca1d43a
Author: Victor Julien <victor at inliniac.net>
Date:   Tue Aug 30 20:54:35 2016 +0200

    detect: cleanup

commit 6b078e4f51800ac4cba3660dedfe210474491bc6
Author: Victor Julien <victor at inliniac.net>
Date:   Tue Aug 30 19:35:18 2016 +0200

    detect: fix ICMP error handling issue
    The first packet in both directions of a flow looks up the rule group
    (sgh) and stores it in the flow. This makes sure the lookup doesn't
    have to be performed for each packet.
    ICMPv4 error messages are connected to the TCP or UDP flow they apply
    to. In the case of such an ICMP error being the first packet in a
    flow's direction, this would lead to an issue.
    The packet would look up the rule group based on the ICMP protocol,
    not based on the embedded TCP/UDP. This makes sense, as the ICMP
    packet is inspected as ICMP packet. The consequence however, was that
    this rule group pointer (sgh) would be stored in the flow. This is
    wrong, as TCP/UDP packets that follow the ICMP packet would have no sgh
    or the wrong sgh.
    In normal traffic this shouldn't normally happen, but it could be
    used to evade Suricata's inspection.


Summary of changes:
 src/detect-engine-state.c | 111 +++++++++++++++++++++++++++++++++-------------
 src/detect-engine-state.h |  53 +++++++++++-----------
 src/detect.c              |   7 ++-
 3 files changed, 112 insertions(+), 59 deletions(-)

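The rule-group (sgh) caching problem described in the third commit message above, shown as an added illustration that is not Suricata's code: a minimal flow/packet model with a per-direction cache, a buggy selector that stores whatever the first packet in a direction looked up, and a fixed selector. The fixed variant only trusts or fills the flow cache when the packet protocol matches the flow protocol, which is an assumed approach for the purpose of this example, not a statement of what the commit itself changed. Names such as select_sgh_buggy, select_sgh_fixed and run_scenario, and the three-packet scenario (SYN, then an ICMPv4 error as the first to-client packet, then the real TCP reply), are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for Suricata's protocol numbers and per-flow state. */
enum proto { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };
enum dir   { DIR_TOSERVER = 0, DIR_TOCLIENT = 1 };

/* A rule group, playing the role of the "sgh" the commit message refers to. */
typedef struct sgh { const char *name; int proto; } sgh_t;

/* A flow caches one rule group per direction, filled by the first packet
 * seen in that direction so later packets skip the lookup. */
typedef struct flow { int proto; const sgh_t *sgh[2]; } flow_t;

/* A packet carries its own protocol and the flow it was attached to; an
 * ICMPv4 error is attached to the TCP/UDP flow it reports on. */
typedef struct packet { int proto; int dir; flow_t *flow; } packet_t;

static const sgh_t SGH_TCP  = { "tcp-rules",  PROTO_TCP  };
static const sgh_t SGH_UDP  = { "udp-rules",  PROTO_UDP  };
static const sgh_t SGH_ICMP = { "icmp-rules", PROTO_ICMP };

/* Lookup keyed on the packet's own protocol. This is the correct behaviour:
 * the ICMP error is inspected as an ICMP packet. */
static const sgh_t *lookup_sgh(const packet_t *p)
{
    switch (p->proto) {
    case PROTO_TCP:  return &SGH_TCP;
    case PROTO_UDP:  return &SGH_UDP;
    case PROTO_ICMP: return &SGH_ICMP;
    default:         return NULL;
    }
}

/* Buggy selector: the first packet in a direction fills the flow cache
 * regardless of whether its protocol is the flow's protocol. */
static const sgh_t *select_sgh_buggy(packet_t *p)
{
    flow_t *f = p->flow;
    if (f->sgh[p->dir] == NULL)
        f->sgh[p->dir] = lookup_sgh(p);
    return f->sgh[p->dir];
}

/* Fixed selector (assumed approach): use or fill the per-flow cache only for
 * packets whose protocol matches the flow; an ICMP error attached to a TCP
 * flow is still inspected with the ICMP rule group, but leaves the cache for
 * the first real TCP packet in that direction. */
static const sgh_t *select_sgh_fixed(packet_t *p)
{
    flow_t *f = p->flow;
    int same_proto = (p->proto == f->proto);

    if (same_proto && f->sgh[p->dir] != NULL)
        return f->sgh[p->dir];

    const sgh_t *s = lookup_sgh(p);
    if (same_proto)
        f->sgh[p->dir] = s;
    return s;
}

/* Constructed scenario: client SYN (to-server), then an ICMPv4 error is the
 * first to-client packet on the same flow, then the real TCP reply.
 * Returns the rule group the TCP reply ends up being inspected with. */
static const sgh_t *run_scenario(const sgh_t *(*select)(packet_t *))
{
    flow_t   f       = { PROTO_TCP, { NULL, NULL } };
    packet_t syn     = { PROTO_TCP,  DIR_TOSERVER, &f };
    packet_t icmp    = { PROTO_ICMP, DIR_TOCLIENT, &f };
    packet_t syn_ack = { PROTO_TCP,  DIR_TOCLIENT, &f };

    select(&syn);
    select(&icmp);
    return select(&syn_ack);
}

/* What the ICMP error itself is inspected with under a given selector. */
static const sgh_t *icmp_sgh(const sgh_t *(*select)(packet_t *))
{
    flow_t   f    = { PROTO_TCP, { NULL, NULL } };
    packet_t icmp = { PROTO_ICMP, DIR_TOCLIENT, &f };
    return select(&icmp);
}

int main(void)
{
    printf("buggy: TCP reply inspected with %s\n", run_scenario(select_sgh_buggy)->name);
    printf("fixed: TCP reply inspected with %s\n", run_scenario(select_sgh_fixed)->name);
    printf("fixed: ICMP error inspected with %s\n", icmp_sgh(select_sgh_fixed)->name);
    return 0;
}
```

With the buggy selector the TCP reply, and every later to-client TCP packet, is matched against the ICMP rule group, which is the evasion the commit message warns about; with the fixed selector the ICMP error is still inspected as ICMP while the TCP reply gets the TCP rule group.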
