87 changes: 42 additions & 45 deletions .github/workflows/builds.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1606,7 +1606,7 @@ jobs:
LLVM_PROFILE_FILE: "/tmp/dumpconfig.profraw"
- run: llvm-profdata-19 merge -o dumpconfig.profdata /tmp/dumpconfig.profraw
- run: llvm-profdata-19 merge -o combined.profdata $(find /tmp/ -name '*.profraw')
- run: llvm-cov-19 export ./src/suricata -instr-profile=combined.profdata -format=lcov --ignore-filename-regex="^/(root|usr|rustc|github)/.*" > coverage.lcov
- run: llvm-cov-19 export ./src/suricata -instr-profile=combined.profdata -format=lcov --ignore-filename-regex="^/(root|usr|rustc|github)/.*" --skip-branches > coverage.lcov
- run: |
cd rust
cargo test --no-run
Expand All @@ -1620,7 +1620,7 @@ jobs:
LLVM_PROFILE_FILE: "/tmp/ct.profraw"
CARGO_INCREMENTAL: 0
- run: llvm-profdata-19 merge -o ct.profdata /tmp/ct.profraw
- run: llvm-cov-19 export $(find rust/target/debug/deps/ -type f -regex 'rust/target/debug/deps/suricata\-[a-z0-9]+$') -instr-profile=ct.profdata -format=lcov --ignore-filename-regex="^/(root|usr|rustc|github)/.*" >> coverage.lcov
- run: llvm-cov-19 export $(find rust/target/debug/deps/ -type f -regex 'rust/target/debug/deps/suricata\-[a-z0-9]+$') -instr-profile=ct.profdata -format=lcov --ignore-filename-regex="^/(root|usr|rustc|github)/.*" --skip-branches >> coverage.lcov
- name: Upload coverage.lcov artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
Expand All @@ -1642,11 +1642,11 @@ jobs:
parallel: true
fail-on-error: false

ubuntu-22-04-cov-pcapunix:
name: Ubuntu 22.04 (unix socket mode coverage)
ubuntu-24-04-cov-pcapunix:
name: Ubuntu 24.04 (unix socket mode coverage)
runs-on: ubuntu-latest
container:
image: ubuntu:22.04
image: ubuntu:24.04
options: --privileged
needs: [prepare-deps, prepare-cbindgen]
steps:
Expand All @@ -1667,8 +1667,8 @@ jobs:
build-essential \
autoconf \
automake \
llvm-15-dev \
clang-15 \
llvm-19-dev \
clang-19 \
git \
hwloc \
libhwloc-dev \
Expand All @@ -1693,7 +1693,6 @@ jobs:
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
libpython2.7 \
make \
parallel \
python3-yaml \
Expand All @@ -1708,7 +1707,7 @@ jobs:
wget
# specific version to match up to the llvm version in ubuntu below
- name: Install Rust
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.75.0 -y
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.85.1 -y
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- run: git config --global --add safe.directory /__w/suricata/suricata
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
Expand All @@ -1725,24 +1724,24 @@ jobs:
- run: ./autogen.sh
- run: ./configure --with-gnu-ld --disable-shared --enable-gccprotect --localstatedir=/var --prefix=/usr --sysconfdir=/etc
env:
CC: "clang-15"
CXX: "clang++-15"
CC: "clang-19"
CXX: "clang++-19"
RUSTFLAGS: "-C instrument-coverage"
CFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing"
CXXFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing"
ac_cv_func_malloc_0_nonnull: "yes"
ac_cv_func_realloc_0_nonnull: "yes"
- run: make -j ${{ env.CPUS }}
env:
CC: "clang-15"
CXX: "clang++-15"
CC: "clang-19"
CXX: "clang++-19"
RUSTFLAGS: "-C instrument-coverage"
- run: |
./qa/unix.sh "suricata-verify/"
env:
LLVM_PROFILE_FILE: "/tmp/unix.profraw"
- run: llvm-profdata-15 merge -o default.profdata $(find /tmp/ -name '*.profraw')
- run: llvm-cov-15 export ./src/suricata -instr-profile=default.profdata -format=lcov --ignore-filename-regex="^/(root|usr|rustc|github)/.*" > coverage.lcov
- run: llvm-profdata-19 merge -o default.profdata $(find /tmp/ -name '*.profraw')
- run: llvm-cov-19 export ./src/suricata -instr-profile=default.profdata -format=lcov --ignore-filename-regex="^/(root|usr|rustc|github)/.*" --skip-branches > coverage.lcov
- name: Upload coverage.lcov artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
Expand All @@ -1764,11 +1763,11 @@ jobs:
parallel: true
fail-on-error: false

ubuntu-22-04-cov-afpdpdk:
name: Ubuntu 22.04 (afpacket and dpdk coverage)
ubuntu-24-04-cov-afpdpdk:
name: Ubuntu 24.04 (afpacket and dpdk coverage)
runs-on: ubuntu-latest
container:
image: ubuntu:22.04
image: ubuntu:24.04
options: --privileged
needs: [prepare-deps, prepare-cbindgen]
steps:
Expand All @@ -1788,8 +1787,8 @@ jobs:
build-essential \
autoconf \
automake \
llvm-15-dev \
clang-15 \
llvm-19-dev \
clang-19 \
git \
hwloc \
libhwloc-dev \
Expand All @@ -1814,7 +1813,6 @@ jobs:
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
libpython2.7 \
make \
parallel \
python3-yaml \
Expand All @@ -1830,7 +1828,7 @@ jobs:
dpdk-dev
# specific version to match up to the llvm version in ubuntu below
- name: Install Rust
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.75.0 -y
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.85.1 -y
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- run: git config --global --add safe.directory /__w/suricata/suricata
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
Expand All @@ -1846,17 +1844,17 @@ jobs:
- run: ./autogen.sh
- run: ./configure --with-gnu-ld --enable-dpdk --disable-shared --enable-gccprotect --localstatedir=/var --prefix=/usr --sysconfdir=/etc
env:
CC: "clang-15"
CXX: "clang++-15"
CC: "clang-19"
CXX: "clang++-19"
RUSTFLAGS: "-C instrument-coverage"
CFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing"
CXXFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing"
ac_cv_func_malloc_0_nonnull: "yes"
ac_cv_func_realloc_0_nonnull: "yes"
- run: make -j ${{ env.CPUS }}
env:
CC: "clang-15"
CXX: "clang++-15"
CC: "clang-19"
CXX: "clang++-19"
RUSTFLAGS: "-C instrument-coverage"
# IDS config
- run: |
Expand Down Expand Up @@ -1898,8 +1896,8 @@ jobs:
./.github/workflows/live/multi-tenant.sh "autofp"
env:
LLVM_PROFILE_FILE: "/tmp/mt-autofp.profraw"
- run: llvm-profdata-15 merge -o default.profdata $(find /tmp/ -name '*.profraw')
- run: llvm-cov-15 export ./src/suricata -instr-profile=default.profdata -format=lcov --ignore-filename-regex="^/(root|usr|rustc|github)/.*" > coverage.lcov
- run: llvm-profdata-19 merge -o default.profdata $(find /tmp/ -name '*.profraw')
- run: llvm-cov-19 export ./src/suricata -instr-profile=default.profdata -format=lcov --ignore-filename-regex="^/(root|usr|rustc|github)/.*" --skip-branches > coverage.lcov
- name: Upload coverage.lcov artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
Expand Down Expand Up @@ -2140,7 +2138,7 @@ jobs:
- run: llvm-profdata-19 merge -o nfq-ips-workers.profdata /tmp/nfq-ips-workers.profraw

- run: llvm-profdata-19 merge -o combined.profdata afp-ips.profdata nfq-ips.profdata afp-ips-autofp.profdata nfq-ips-workers.profdata afp-ips-bond1.profdata afp-ips-bond2.profdata
- run: llvm-cov-19 export ./src/suricata -instr-profile=combined.profdata -format=lcov --ignore-filename-regex="^(/github/home/.cargo/.*|/usr/.*|/rustc/.*)" > coverage.lcov
- run: llvm-cov-19 export ./src/suricata -instr-profile=combined.profdata -format=lcov --ignore-filename-regex="^(/github/home/.cargo/.*|/usr/.*|/rustc/.*)" --skip-branches > coverage.lcov
- name: Upload coverage.lcov artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
Expand Down Expand Up @@ -2269,11 +2267,11 @@ jobs:
- run: |
./.github/workflows/live/multi-tenant.sh "autofp"

ubuntu-22-04-cov-fuzz:
name: Ubuntu 22.04 (fuzz corpus coverage)
ubuntu-24-04-cov-fuzz:
name: Ubuntu 24.04 (fuzz corpus coverage)
runs-on: ubuntu-latest
container:
image: ubuntu:22.04
image: ubuntu:24.04
options: --privileged
needs: [prepare-deps, prepare-cbindgen]
steps:
Expand All @@ -2293,8 +2291,8 @@ jobs:
build-essential \
autoconf \
automake \
llvm-15-dev \
clang-15 \
llvm-19-dev \
clang-19 \
git \
hwloc \
libhwloc-dev \
Expand All @@ -2318,7 +2316,6 @@ jobs:
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
libpython2.7 \
make \
parallel \
python3-yaml \
Expand All @@ -2334,7 +2331,7 @@ jobs:
dpdk-dev
# packaged Rust version is too old for coverage, so get from rustup
- name: Install Rust
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.75.0 -y
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.85.1 -y
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- run: git config --global --add safe.directory /__w/suricata/suricata
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
Expand All @@ -2351,22 +2348,22 @@ jobs:
- run: ./configure --enable-warnings --with-gnu-ld --enable-fuzztargets --disable-shared --enable-gccprotect
env:
LIB_FUZZING_ENGINE: "fail_to_onefile_driver"
CC: "clang-15"
CXX: "clang++-15"
CC: "clang-19"
CXX: "clang++-19"
RUSTFLAGS: "-C instrument-coverage"
CFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing -fsanitize=address -fno-omit-frame-pointer -fPIC -Wno-unused-parameter -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -Wimplicit-int-float-conversion -Wimplicit-int-conversion -Werror"
CXXFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing -fsanitize=address -fno-omit-frame-pointer -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -stdlib=libc++ -Wimplicit-int-float-conversion -Wimplicit-int-conversion"
ac_cv_func_malloc_0_nonnull: "yes"
ac_cv_func_realloc_0_nonnull: "yes"
- run: make -j ${{ env.CPUS }}
env:
CC: "clang-15"
CXX: "clang++-15"
CC: "clang-19"
CXX: "clang++-19"
RUSTFLAGS: "-C instrument-coverage"
SURICATA_LUA_SYS_CFLAGS: "-fsanitize=address"
- run: ./qa/run-ossfuzz-corpus.sh
- run: llvm-profdata-15 merge -o default.profdata $(find /tmp/ -name '*.profraw')
- run: llvm-cov-15 export ./src/suricata -instr-profile=default.profdata -format=lcov --ignore-filename-regex="^/(root|usr|rustc|github)/.*" > coverage.lcov
- run: llvm-profdata-19 merge -o default.profdata $(find /tmp/ -name '*.profraw')
- run: llvm-cov-19 export ./src/suricata -instr-profile=default.profdata -format=lcov --ignore-filename-regex="^/(root|usr|rustc|github)/.*" --skip-branches > coverage.lcov
- name: Upload coverage.lcov artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
Expand Down Expand Up @@ -2395,10 +2392,10 @@ jobs:
needs:
- fedora-43-sv-codecov
- ubuntu-24-04-cov-ut
- ubuntu-22-04-cov-pcapunix
- ubuntu-22-04-cov-afpdpdk
- ubuntu-24-04-cov-pcapunix
- ubuntu-24-04-cov-afpdpdk
- ubuntu-latest-namespace-ips
- ubuntu-22-04-cov-fuzz
- ubuntu-24-04-cov-fuzz
steps:
- name: Finalize Coveralls parallel build
uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b
Expand Down
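Review bot: The Rust install steps (`curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.85.1 -y` in each of the three jobs moved to ubuntu:24.04) still pipe an unpinned installer script straight into sh inside a `--privileged` container, so the toolchain version is now pinned but the code that installs it is not. Since every `actions/*` step on this page is already pinned by commit SHA, the same discipline applied here would mean fetching rustup-init to a file and checking it against a known SHA-256 (or pinning a rustup release) rather than executing whatever the endpoint serves on the day the job runs. The comment `# specific version to match up to the llvm version in ubuntu below` appears to still hold — Rust 1.85.x is built against LLVM 19, matching the `llvm-profdata-19`/`llvm-cov-19` tools used later — but stating the pairing explicitly would stop the next bump from silently breaking profile merging, e.g. `# Rust 1.85.1 bundles LLVM 19; must match llvm-profdata-19/llvm-cov-19 below or the .profraw files will not merge`. Each job's step list continues outside the hunks shown.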
43 changes: 33 additions & 10 deletions doc/userguide/public-data-sets.rst
Original file line number Diff line number Diff line change
@@ -1,18 +1,41 @@
Public Data Sets
================
Public Datasets (PCAPs)
=======================

Collections of pcaps for testing and profiling.
Collections of public datasets and packet captures for testing and
profiling. Not to be confused with Suricata ``datasets``.

DARPA sets: https://www.ll.mit.edu/r-d/datasets?author=All&rdarea=All&rdgroup=All&keywords=cyber&tag=All&items_per_page=10
`MIT Lincoln Laboratory <https://www.ll.mit.edu/r-d/datasets?keywords=cyber>`__
Cyber-focused datasets from MIT, including DARPA datasets.

MAWI sets (pkt headers only, no payloads): http://mawi.wide.ad.jp/mawi/samplepoint-F/2012/
`MAWI Samplepoint-F <http://mawi.wide.ad.jp/mawi/samplepoint-F/2012/>`__
WIDE transit-link traces (packet headers only; no payloads).

MACCDC: http://www.netresec.com/?page=MACCDC
`MACCDC <http://www.netresec.com/?page=MACCDC>`__
Mid-Atlantic Collegiate Cyber Defense Competition traffic captures.

Netresec: http://www.netresec.com/?page=PcapFiles
`Netresec <http://www.netresec.com/?page=PcapFiles>`__
Public pcap files for network forensics and malware analysis.

Wireshark: https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures
`Wireshark Sample Captures <https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures>`__
Curated sample captures useful for protocol testing.

Security Onion collection: https://docs.securityonion.net/en/2.4/pcaps.html
`Security Onion PCAP collection <https://docs.securityonion.net/en/2.4/pcaps.html>`__
Collection of links and downloads for lab datasets.

Stratosphere IPS. Malware Capture Facility Project: https://stratosphereips.org/category/dataset.html
`Stratosphere IPS Malware Capture Facility <https://stratosphereips.org/category/dataset.html>`__
Malware-oriented captures with related dataset material.

`UNSW-NB15 <https://research.unsw.edu.au/projects/unsw-nb15-dataset>`__
UNSW Cyber Range dataset with IXIA-generated benign/attack traffic,
raw pcap captures, and labeled flow-feature CSV files.

`CIC-IDS2017 <https://www.unb.ca/cic/datasets/ids-2017.html>`__
Intrusion Detection Evaluation Dataset

`CSE-CIC-IDS2018 <https://www.unb.ca/cic/datasets/ids-2018.html>`__
CSE-CIC-IDS2018 on AWS: A collaborative project between the
Communications Security Establishment (CSE) & the Canadian
Institute for Cybersecurity (CIC).

`CIC-DDoS2019 <https://www.unb.ca/cic/datasets/ddos-2019.html>`__
Dataset containing DDoS attacks resembling true real world data.
26 changes: 8 additions & 18 deletions src/detect-parse.c
Original file line number Diff line number Diff line change
Expand Up @@ -5112,26 +5112,16 @@ static int SigParseTestAppLayerTLS02(void)
*/
static int SigParseTestAppLayerTLS03(void)
{
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;

de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;

s = SigInit(de_ctx,"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; sid:410006; rev:1;)");
if (s != NULL) {
SigFree(de_ctx, s);
goto end;
}

result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
Signature *s = DetectEngineAppendSig(de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; "
"tls.version:2.5; sid:410006; rev:1;)");
FAIL_IF_NOT_NULL(s);
DetectEngineCtxFree(de_ctx);
PASS;
}

static int SigParseTestUnbalancedQuotes01(void)
Expand Down
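Review bot: `FAIL_IF_NOT_NULL(s)` only establishes that the rule was rejected, not that `tls.version:2.5` was the reason; any other defect in the rule string (a typo, an unsupported keyword, a changed option syntax) would make this test pass for the wrong reason. If the sibling TLS01/TLS02 tests do not already push an otherwise-identical rule with an accepted version through `DetectEngineAppendSig`, a positive control first — `FAIL_IF_NULL(DetectEngineAppendSig(de_ctx, "<same rule with a valid tls.version>"))` — would pin that it is the version value being refused. Since `DetectEngineAppendSig` hands a successfully parsed signature to `de_ctx` (which is why the old explicit `SigFree` is gone), a one-line comment above the assertion such as `/* 2.5 is not a valid TLS version: parsing must fail, nothing to free */` would save the next reader from wondering about the missing cleanup. The doc-comment for this function starts before the hunk.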