Next/20201230/v10

doc/userguide/Makefile.am

@@ -31,11 +31,11 @@ EXTRA_DIST = \
 	what-is-suricata.rst
 
 if HAVE_SURICATA_MAN
-dist_man1_MANS = suricata.1
+dist_man1_MANS = suricata.1 suricatasc.1 suricatactl.1 suricatactl-filestore.1
 endif
 
 if HAVE_SPHINXBUILD
-dist_man1_MANS = suricata.1
+dist_man1_MANS = suricata.1 suricatasc.1 suricatactl.1 suricatactl-filestore.1
 
 if HAVE_PDFLATEX
 EXTRA_DIST += userguide.pdf
@@ -70,22 +70,23 @@ userguide.pdf: _build/latex/Suricata.pdf
 
 pdf: userguide.pdf
 
-_build/man/suricata.1:
+_build/man: manpages/suricata.rst manpages/suricatasc.rst manpages/suricatactl.rst manpages/suricatactl-filestore.rst
 	sysconfdir=$(sysconfdir) \
 	localstatedir=$(localstatedir) \
 	version=$(PACKAGE_VERSION) \
 		$(SPHINX_BUILD) -W -b man -d _build/doctrees \
 		$(top_srcdir)/doc/userguide _build/man
+	touch _build/man
 
-suricata.1: _build/man/suricata.1
-	cp _build/man/suricata.1 suricata.1
+$(dist_man1_MANS): _build/man
+	cp _build/man/$@ .
 
-man: _build/man/suricata.1
+man: $(dist_man1_MANS)
 
 # Remove build artifacts that aren't tracked by autotools.
 clean-local:
 	rm -rf $(top_builddir)/doc/userguide/_build
-	rm -f $(top_builddir)/doc/userguide/suricata.1
+	rm -f $(top_builddir)/doc/userguide/suricata*.1
 	rm -f $(top_builddir)/doc/userguide/userguide.pdf
 
 endif # HAVE_SPHINXBUILD

doc/userguide/configuration/multi-tenant.rst

@@ -215,3 +215,10 @@ unregister-tenant-handler <tenant id> vlan <vlan id>
 
 The registration of tenant and tenant handlers can be done on a
 running engine.
+
+Eve JSON output
+---------------
+
+When multi-tenant support is configured and the detect engine is active then
+all EVE-types that report based on flows will also report the corresponding
+``tenant_id`` for events matching a tenant configuration.

doc/userguide/lua/lua-functions.rst

@@ -792,6 +792,15 @@ SCRuleIds
 
   sid, rev, gid = SCRuleIds()
 
+SCRuleAction
+~~~~~~~~~~~~
+
+::
+
+  action = SCRuleAction()
+
+returns one of 'pass', 'reject', 'drop' or 'alert'
+
 SCRuleMsg
 ~~~~~~~~~
 

doc/userguide/output/eve/eve-json-output.rst

@@ -501,5 +501,12 @@ YAML::
       # Seed value for the ID output. Valid values are 0-65535.
       community-id-seed: 0
 
+Multi Tenancy
+-------------
+
+Suricata can be configured to support multiple tenants with different detection
+engine configurations. When these tenants are configured and the detection
+engine is running then all EVE logging will also report the ``tenant_id`` field
+for traffic matching a specific tenant.
 
 .. _deprecation policy: https://suricata-ids.org/about/deprecation-policy/

ebpf/xdp_lb.c

@@ -23,6 +23,9 @@
 #include <linux/if_ether.h>
 #include <linux/if_packet.h>
 #include <linux/if_vlan.h>
+/* Workaround to avoid the need of 32bit headers */
+#define _LINUX_IF_H
+#define IFNAMSIZ 16
 #include <linux/if_tunnel.h>
 #include <linux/ip.h>
 #include <linux/ipv6.h>

rust/src/smb/nbss_records.rs

@@ -87,3 +87,139 @@ named!(pub parse_nbss_record_partial<NbssRecord>,
             data:data,
         })
 ));
+
+#[cfg(test)]
+mod tests {
+
+    use super::*;
+
+    #[test]
+    fn test_parse_nbss_record() {
+        let buff:&[u8] = &[
+        /* message type */ 0x00,
+        /* length */       0x00, 0x00, 0x55,
+        /* data */         0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00,
+                           0x98, 0x53, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
+                           0xfe, 0x00, 0x00, 0x00, 0x00, 0x11, 0x05, 0x00, 0x03,
+                           0x0a, 0x00, 0x01, 0x00, 0x04, 0x11, 0x00, 0x00, 0x00,
+                           0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfd, 0xe3,
+                           0x00, 0x80, 0x2a, 0x55, 0xc4, 0x38, 0x89, 0x03, 0xcd,
+                           0x01, 0x2c, 0x01, 0x00, 0x10, 0x00, 0xfe, 0x82, 0xf1,
+                           0x64, 0x0b, 0x66, 0xba, 0x4a, 0xbb, 0x81, 0xe1, 0xea,
+                           0x54, 0xae, 0xb8, 0x66];
+
+        let result = parse_nbss_record(&buff);
+        match result {
+            Ok((remainder, p)) => {
+                assert_eq!(p.message_type, NBSS_MSGTYPE_SESSION_MESSAGE);
+                assert_eq!(p.length, 85);
+                assert_eq!(p.data.len(), 85);
+                assert_ne!(p.message_type, NBSS_MSGTYPE_KEEP_ALIVE);
+
+                // this packet had an acceptable length, we don't need more
+                assert_eq!(p.needs_more(), false);
+
+                // does this really look like smb?
+                assert_eq!(p.is_smb(), true);
+
+                // there should be nothing left
+                assert_eq!(remainder.len(), 0);
+            }
+            Err(nom::Err::Error((remainder, err))) => {
+                panic!("Result should not be an error: {:?}.", err);
+            }
+            Err(nom::Err::Incomplete(_)) => {
+                panic!("Result should not have been incomplete.");
+            }
+            _ => {
+                panic!("Unexpected behavior!");
+            }
+        }
+
+        // Non-SMB packet scenario
+        let buff_not_smb:&[u8] = &[
+            /* message type */ 0x00,
+            /* length */       0x00, 0x00, 0x55,
+            /* data !SMB */    0xff, 0x52, 0x4e, 0x41, 0x72, 0x00, 0x00, 0x00, 0x00,
+                               0x98, 0x53, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
+                               0xfe, 0x00, 0x00, 0x00, 0x00, 0x11, 0x05, 0x00, 0x03,
+                               0x0a, 0x00, 0x01, 0x00, 0x04, 0x11, 0x00, 0x00, 0x00,
+                               0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfd, 0xe3,
+                               0x00, 0x80, 0x2a, 0x55, 0xc4, 0x38, 0x89, 0x03, 0xcd,
+                               0x01, 0x2c, 0x01, 0x00, 0x10, 0x00, 0xfe, 0x82, 0xf1,
+                               0x64, 0x0b, 0x66, 0xba, 0x4a, 0xbb, 0x81, 0xe1, 0xea,
+                               0x54, 0xae, 0xb8, 0x66];
+
+        let result_not_smb = parse_nbss_record(&buff_not_smb);
+        match result_not_smb {
+            Ok((remainder, p_not_smb)) => {
+                assert_eq!(p_not_smb.message_type, NBSS_MSGTYPE_SESSION_MESSAGE);
+                assert_eq!(p_not_smb.length, 85);
+                assert_eq!(p_not_smb.data.len(), 85);
+                assert_ne!(p_not_smb.message_type, NBSS_MSGTYPE_KEEP_ALIVE);
+
+                // this packet had an acceptable length, we don't need more
+                assert_eq!(p_not_smb.needs_more(), false);
+
+                // this packet doesn't have the SMB keyword
+                // is_smb must be false
+                assert_eq!(p_not_smb.is_smb(), false);
+
+                // there should be nothing left
+                assert_eq!(remainder.len(), 0);
+            }
+            Err(nom::Err::Error((remainder, err))) => {
+                panic!("Result should not be an error: {:?}.", err);
+            }
+            Err(nom::Err::Incomplete(_)) => {
+                panic!("Result should not have been incomplete.");
+            }
+            _ => {
+                panic!("Unexpected behavior!");
+            }
+        }
+    }
+
+    #[test]
+    fn test_parse_nbss_record_partial() {
+        let buff:&[u8] = &[
+        /* message type */  0x00,
+        /* length */        0x00, 0x00, 0x29,
+        /* data < lenght*/  0xff, 0x53, 0x4d, 0x42, 0x04, 0x00, 0x00, 0x00,
+                            0x00, 0x18, 0x43, 0xc8, 0x00, 0x00, 0x00, 0x00,
+                            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                            0x02, 0x08, 0xbd, 0x20, 0x02, 0x08, 0x06, 0x00,
+                            0x02, 0x40, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00];
+
+        let result = parse_nbss_record_partial(&buff);
+        match result {
+            Ok((remainder, p)) => {
+                assert_eq!(p.message_type, NBSS_MSGTYPE_SESSION_MESSAGE);
+                assert_eq!(p.length, 41);
+                assert_ne!(p.data.len(), 41);
+                assert_ne!(p.message_type, NBSS_MSGTYPE_KEEP_ALIVE);
+
+                // this packet had an acceptable length, we don't need more
+                assert_eq!(p.needs_more(), false);
+
+                // does this really look like smb?
+                assert_eq!(p.is_smb(), true);
+
+                // there should be nothing left
+                assert_eq!(remainder.len(), 0);
+            }
+            Err(nom::Err::Error((remainder, err))) => {
+                panic!("Result should not be an error: {:?}.", err);
+            }
+            Err(nom::Err::Incomplete(_)) => {
+                panic!("Result should not have returned as incomplete.");
+            }
+            _ => {
+                panic!("Unexpected behavior!");
+            }
+        }
+
+    }
+}

src/Makefile.am

@@ -75,6 +75,7 @@ decode-icmpv4.c decode-icmpv4.h \
 decode-icmpv6.c decode-icmpv6.h \
 decode-ipv4.c decode-ipv4.h \
 decode-ipv6.c decode-ipv6.h \
+decode-nsh.c decode-nsh.h \
 decode-null.c decode-null.h \
 decode-ppp.c decode-ppp.h \
 decode-pppoe.c decode-pppoe.h \

src/decode-ethernet.h

@@ -48,6 +48,7 @@
 #define ETHERNET_TYPE_ERSPAN          0x88BE
 #define ETHERNET_TYPE_DCE             0x8903 /* Data center ethernet,
                                               * Cisco Fabric Path */
+#define ETHERNET_TYPE_NSH 0x894F
 
 typedef struct EthernetHdr_ {
     uint8_t eth_dst[6];

src/decode-events.c

@@ -535,6 +535,32 @@ const struct DecodeEvents_ DEvents[] = {
             CHDLC_PKT_TOO_SMALL,
     },
 
+    /* NSH events */
+    {
+            "decoder.nsh.header_too_small",
+            NSH_HEADER_TOO_SMALL,
+    },
+    {
+            "decoder.nsh.unsupported_version",
+            NSH_UNSUPPORTED_VERSION,
+    },
+    {
+            "decoder.nsh.bad_header_length",
+            NSH_BAD_HEADER_LENGTH,
+    },
+    {
+            "decoder.nsh.reserved_type",
+            NSH_RESERVED_TYPE,
+    },
+    {
+            "decoder.nsh.unsupported_type",
+            NSH_UNSUPPORTED_TYPE,
+    },
+    {
+            "decoder.nsh.unknown_payload",
+            NSH_UNKNOWN_PAYLOAD,
+    },
+
     /* STREAM EVENTS */
     {
             "stream.3whs_ack_in_wrong_dir",

src/decode-events.h

@@ -200,8 +200,16 @@ enum {
     /* Cisco HDLC events. */
     CHDLC_PKT_TOO_SMALL,
 
+    /* NSH events */
+    NSH_HEADER_TOO_SMALL,
+    NSH_UNSUPPORTED_VERSION,
+    NSH_BAD_HEADER_LENGTH,
+    NSH_RESERVED_TYPE,
+    NSH_UNSUPPORTED_TYPE,
+    NSH_UNKNOWN_PAYLOAD,
+
     /* END OF DECODE EVENTS ON SINGLE PACKET */
-    DECODE_EVENT_PACKET_MAX = CHDLC_PKT_TOO_SMALL,
+    DECODE_EVENT_PACKET_MAX = NSH_UNKNOWN_PAYLOAD,
 
     /* STREAM EVENTS */
     STREAM_3WHS_ACK_IN_WRONG_DIR,