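debian/0000775000000000000000000000000012524671271007177 5ustar
debian/compat0000664000000000000000000000000212204702126010362 0ustar
9
debian/suricata.dirs0000664000000000000000000000004612204702126011662 0ustar
etc/suricata
usr/bin
var/log/suricata
debian/suricata.init0000664000000000000000000001017612326221560011674 0ustar
#!/bin/sh -e
#
### BEGIN INIT INFO
# Provides:          suricata
# Required-Start:    $time $network $local_fs $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Next Generation IDS/IPS
# Description:       Intrusion detection system that will
#                    capture traffic from the network cards and will
#                    match against a set of known attacks.
### END INIT INFO
#
# Note on the pidfile: /var/run/suricata.pid is plain data.  After a crash or
# an unclean reboot the PID it names may have been recycled by an unrelated
# process, and this script runs as root, so a PID taken from the pidfile is
# only ever signalled after confirming that it really is our daemon
# (see daemon_pid_alive below).

. /lib/lsb/init-functions

# Source the Debian defaults file.  It provides RUN, SURCONF, LISTENMODE,
# IFACE, NFQUEUE, TCMALLOC and PIDFILE; without it nothing below can work,
# so really bail out (treated like RUN=no) instead of only announcing it.
if test -f /etc/default/suricata; then
    . /etc/default/suricata
else
    log_failure_msg "/etc/default/suricata is missing... bailing out!"
    exit 0
fi

NAME=suricata
DAEMON=/usr/bin/$NAME

# Require an explicit opt-in in /etc/default/$NAME; the shipped default is
# RUN=no so a freshly installed, unconfigured IDS never starts by itself.
if [ "x$RUN" != "xyes" ] ; then
    log_failure_msg "$NAME disabled, please adjust the configuration to your needs "
    log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it."
    exit 0
fi

# Exit with LSB status 4 unless we are root; capture, NFQUEUE and /var/run all
# need it and start-stop-daemon would otherwise fail half way through.
check_root() {
    if [ "$(id -u)" != "0" ]; then
        log_failure_msg "You must be root to start, stop or restart $NAME."
        exit 4
    fi
}

# nfqueue mode needs nfnetlink_queue; newer kernels only expose it once the
# module is loaded, so test the /proc entry rather than module lists.
check_nfqueue() {
    if [ ! -e /proc/net/netfilter/nfnetlink_queue ]; then
        log_failure_msg "NFQUEUE support not found !"
        log_failure_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel"
        exit 5
    fi
}

# Create the runtime directory with a conservative mode (root-owned, 0755).
check_run_dir() {
    if [ ! -d /var/run/suricata ]; then
        mkdir /var/run/suricata
        chmod 0755 /var/run/suricata
    fi
}

# daemon_pid_alive PID
#   Returns 0 only if PID is numeric, the process exists, and its executable
#   is $DAEMON.  /proc/PID/exe carries a " (deleted)" suffix once a package
#   upgrade has replaced the binary on disk; that is still our daemon and
#   must still be stoppable, so it is accepted too.
daemon_pid_alive() {
    pid="$1"
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || return 1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
    case "$exe" in
        "$DAEMON"|"$DAEMON (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

check_root

case "$LISTENMODE" in
  nfqueue)
    IDMODE="IPS (nfqueue)"
    LISTEN_OPTIONS=" -q $NFQUEUE"
    check_nfqueue
    ;;
  pcap)
    IDMODE="IDS (pcap)"
    LISTEN_OPTIONS=" -i $IFACE"
    ;;
  af-packet)
    IDMODE="IDS (af-packet)"
    LISTEN_OPTIONS=" --af-packet"
    ;;
  *)
    echo "Unsupported listen mode $LISTENMODE, aborting"
    exit 1
    ;;
esac

# Expanded unquoted on purpose further down: this is a list of separate
# arguments, not one word.
SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D"

# See how we were called.
case "$1" in
  start)
    # A stale pidfile whose PID now belongs to another process must not
    # block startup, hence the executable check instead of a bare kill -0.
    if [ -f "$PIDFILE" ]; then
        PID1=$(cat "$PIDFILE")
        if daemon_pid_alive "$PID1"; then
            echo "$NAME is already running with PID $PID1"
            exit 0
        fi
    fi
    check_run_dir
    printf '%s' "Starting suricata in $IDMODE mode..."
    # Optional tcmalloc preload, only when the library is actually installed.
    if [ -f /usr/lib/libtcmalloc_minimal.so.0 ] && [ "x$TCMALLOC" = "xYES" ]; then
        export LD_PRELOAD="/usr/lib/libtcmalloc_minimal.so.0"
    fi
    # shellcheck disable=SC2086  # SURICATA_OPTIONS is an argument list
    $DAEMON $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log 2>&1 &
    echo " done."
    ;;
  stop)
    printf '%s' "Stopping suricata: "
    if [ ! -f "$PIDFILE" ]; then
        echo " No PID file found; not running?"
        exit 0
    fi
    PID2=$(cat "$PIDFILE")
    # start-stop-daemon only signals a process whose executable is $DAEMON.
    start-stop-daemon --oknodo --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"
    # Manual fallback (covers the post-upgrade "(deleted)" case): TERM first,
    # then KILL after roughly 20 s, but only while the PID is verifiably ours.
    if daemon_pid_alive "$PID2"; then
        kill "$PID2" 2>/dev/null || true
        sleep 2
        if daemon_pid_alive "$PID2"; then
            printf '%s' "Waiting . "
            cnt=0
            while daemon_pid_alive "$PID2"; do
                cnt=$((cnt + 1))
                if [ "$cnt" -gt 10 ]; then
                    kill -9 "$PID2" 2>/dev/null || true
                    break
                fi
                sleep 2
                printf '%s' ". "
            done
        fi
    fi
    rm -f "$PIDFILE" > /dev/null 2>&1
    echo " done."
    ;;
  status)
    # LSB status codes: 0 running, 1 dead but pidfile exists, 3 not running.
    if [ -s "$PIDFILE" ]; then
        PID3=$(cat "$PIDFILE")
        if daemon_pid_alive "$PID3"; then
            echo "$NAME is running with PID $PID3"
            exit 0
        else
            echo "PID file $PIDFILE exists, but process not running!"
            exit 1
        fi
    else
        echo "$NAME not running!"
        exit 3
    fi
    ;;
  restart|force-reload)
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0
debian/source/0000775000000000000000000000000012204702126010464 5ustar
debian/source/format0000664000000000000000000000001412204702126011672 0ustar
3.0 (quilt)
debian/watch0000664000000000000000000000055512204702126010222 0ustar
# watch control file for uscan
# run the "uscan" command to check for upstream updates and more.
# See uscan(1) for format

# Compulsory line, this is a version 3 file
version=3

#http://www.openinfosecfoundation.org/downloads/ suricata-([\d\.]*)\.tar\.gz
http://www.openinfosecfoundation.org/index.php/download-suricata [^"]*/download/suricata-([\d\.]*)\.tar\.gz
debian/suricata.manpages0000664000000000000000000000002212204702126012506 0ustar
debian/suricata.8
debian/suricata.default0000664000000000000000000000126012204702126012344 0ustar
# Default config for Suricata

# set to yes to start the server in the init.d script
RUN=no

# Configuration file to load
SURCONF=/etc/suricata/suricata-debian.yaml

# Listen mode: pcap, nfqueue or af-packet
# depending on this value, only one of the two following options
# will be used (af-packet uses neither).
# Please note that IPS mode is only available when using nfqueue
LISTENMODE=nfqueue

# Interface to listen on (for pcap mode)
IFACE=eth0

# Queue number to listen on (for nfqueue mode)
NFQUEUE=0

# Load Google TCMALLOC if libtcmalloc-minimal0 is installed
# This _might_ give you very very small performance gain....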
TCMALLOC="YES" # Pid file PIDFILE=/var/run/suricata.pid debian/control0000664000000000000000000000266212326221560010600 0ustar Source: suricata Section: net Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Pierre Chifflier Build-Depends: debhelper (>= 9), autotools-dev, dh-autoreconf, libhtp-dev (>= 0.2.3), libhtp-dev (<< 0.5), libnet1-dev | libnet-dev, libnspr4-dev, libnss3-dev, libpcap-dev, libpcre3-dev, libyaml-dev, libnetfilter-queue-dev, libprelude-dev, zlib1g-dev | libz-dev, libcap-ng-dev, libmagic-dev, libjansson-dev, libluajit-5.1-dev [i386 amd64 powerpc mips armel armhf], python X-Python-Version: >= 2.6 Standards-Version: 3.9.5 Homepage: http://www.openinfosecfoundation.org/ Package: suricata Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends} Conflicts: libhtp1 (>= 0.5) Recommends: oinkmaster, snort-rules-default, python Description: Next Generation Intrusion Detection and Prevention Tool Suricata is a network Intrusion Detection System (IDS). It is based on rules (and is fully compatible with snort rules) to detect a variety of attacks / probes by searching packet content. . This new Engine supports Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards. . This version has inline (NFQUEUE) support enabled. debian/changelog0000664000000000000000000001645412524671220011055 0ustar suricata (1.4.7-1ubuntu1.1) trusty-security; urgency=medium * SECURITY UPDATE: Fix possible wrap in uint32_t addition in DER parser. Patch thanks to Debian. - CVE-2015-0971 * SECURITY UPDATE: dcerpc: fix error handling for alloc errors - CVE-2015-0928 -- Jamie Strandboge Wed, 13 May 2015 08:11:38 -0500 suricata (1.4.7-1ubuntu1) trusty; urgency=low * Fixed init script nfnetlink_queue detection for newer kernels. 
(LP: #1250439) -- Rafael David Tinoco Thu, 24 Apr 2014 09:45:07 -0500 suricata (1.4.7-1) unstable; urgency=low * Imported Upstream version 1.4.7 * Bump Standards Version to 3.9.5 * Run autoreconf during build to fix some errors caused by different autotools versions -- Pierre Chifflier Sun, 29 Dec 2013 11:29:57 +0100 suricata (1.4.6-1) unstable; urgency=low * Imported Upstream version 1.4.6 -- Pierre Chifflier Sun, 06 Oct 2013 18:52:34 +0200 suricata (1.4.5-1) unstable; urgency=low * Imported Upstream version 1.4.5 * Prepare transition for suricata 2.0 by conflicting with libhtp >= 0.5 -- Pierre Chifflier Tue, 20 Aug 2013 16:44:45 +0200 suricata (1.4.3-1) unstable; urgency=low * Imported Upstream version 1.4.3 -- Pierre Chifflier Thu, 04 Jul 2013 11:50:13 +0200 suricata (1.4.2-1) unstable; urgency=low * Imported Upstream version 1.4.2 -- Pierre Chifflier Wed, 29 May 2013 16:24:52 +0200 suricata (1.4.1-1) unstable; urgency=low * Imported Upstream version 1.4.1 * Install python control script (add dependency on python, and use dh_python2 for build) * Bump Standards Version to 3.9.4 * Fix removal of pid file in init script (Closes: #700547) Thanks to Игорь Козинов . * Add support for af-packet mode in init script (Closes: #697928). Thanks to Jamie Strandboge . 
-- Pierre Chifflier Tue, 21 May 2013 12:42:45 +0200 suricata (1.4-3) unstable; urgency=low * Add configure flag for luajit only on supported architectures -- Pierre Chifflier Sat, 22 Dec 2012 16:38:41 +0100 suricata (1.4-2) unstable; urgency=low * Fix error in init script, stop trying to manage suricata pid file * Use arch-specific build dependencies for libluajit-5.1-dev, it is not available on all architectures -- Pierre Chifflier Sat, 22 Dec 2012 15:39:57 +0100 suricata (1.4-1) unstable; urgency=low * Imported Upstream version 1.4 * Enable Jansson and LuaJIT support, and add libjansson-dev libluajit-5.1-dev to build-deps * Add python to recommends, for the suricatasc script * Create /var/run/suricata directory when starting daemon -- Pierre Chifflier Fri, 14 Dec 2012 00:02:51 +0100 suricata (1.3.5-1) unstable; urgency=low * Imported Upstream version 1.3.5 -- Pierre Chifflier Thu, 06 Dec 2012 21:13:56 +0100 suricata (1.3.4-1) unstable; urgency=low * Imported Upstream version 1.3.4 -- Pierre Chifflier Sat, 17 Nov 2012 09:56:08 +0100 suricata (1.3.3-1) unstable; urgency=low * Imported Upstream version 1.3.3 -- Pierre Chifflier Sat, 03 Nov 2012 09:38:36 +0100 suricata (1.3.2-1) unstable; urgency=low * Imported Upstream version 1.3.2 -- Pierre Chifflier Sat, 13 Oct 2012 12:18:33 +0200 suricata (1.3-1) unstable; urgency=low * Imported Upstream version 1.3 * Add build-dependency on libnss3-dev and libnspr4-dev * Bump Standards Version to 3.9.3 -- Pierre Chifflier Sun, 22 Jul 2012 22:27:36 +0200 suricata (1.2.1-2) unstable; urgency=low * Use override targets in rules files (Closes: #666330) * Add support for parallel build in debian/rules -- Pierre Chifflier Thu, 12 Apr 2012 01:56:48 +0200 suricata (1.2.1-1) unstable; urgency=low * Imported Upstream version 1.2.1 * Add libmagic-dev to build-deps * Convert to DH version 9 - Switch from hardening-wrapper to dpkg-buildflags -- Pierre Chifflier Mon, 23 Jan 2012 21:47:26 +0100 suricata (1.1.1-2) unstable; urgency=low * Add 
*.config files to default installation * Trigger rebuild with libhtp versioned symbols -- Pierre Chifflier Thu, 05 Jan 2012 08:20:24 +0100 suricata (1.1.1-1) unstable; urgency=low * Imported Upstream version 1.1.1 * Add configure option --enable-af-packet -- Pierre Chifflier Wed, 07 Dec 2011 21:52:53 +0100 suricata (1.1-1) unstable; urgency=low * Imported Upstream version 1.1 * Add instructions on getting new rules using oinkmaster * Add Recommends on oinkmaster * Move snort-rules-default to Recommends -- Pierre Chifflier Thu, 17 Nov 2011 23:20:51 +0100 suricata (1.0.5-1) unstable; urgency=low * Imported Upstream version 1.0.5 -- Pierre Chifflier Wed, 27 Jul 2011 08:20:25 +0200 suricata (1.0.4-1) unstable; urgency=low * Imported Upstream version 1.0.4 * Bump Standards Version to 3.9.2 * Enable hardening-wrapper -- Pierre Chifflier Sat, 25 Jun 2011 13:45:44 +0200 suricata (1.0.3-1) unstable; urgency=low * Imported Upstream version 1.0.3 -- Pierre Chifflier Wed, 13 Apr 2011 16:59:32 +0200 suricata (1.0.2-2) unstable; urgency=low * Add init script (thanks to Edward Fjellskål) * Switch to dpkg-source 3.0 (quilt) format -- Pierre Chifflier Sun, 19 Dec 2010 18:35:50 +0100 suricata (1.0.2-1) unstable; urgency=low * New Upstream version 1.0.2 (Closes: #598389) -- Pierre Chifflier Wed, 29 Sep 2010 10:02:52 +0200 suricata (1.0.1-1) unstable; urgency=low * Imported Upstream version 1.0.1 (Closes: #591559) * Bump Standards version to 3.9.1 * Create /var/log/suricata (Closes: #590861) -- Pierre Chifflier Wed, 11 Aug 2010 14:45:14 +0200 suricata (1.0.0-1) unstable; urgency=low * Imported Upstream version 1.0.0 * Remove arch=native flag from build (Closes: #587714) * Bump Standards version to 3.9.0 -- Pierre Chifflier Thu, 01 Jul 2010 21:28:41 +0200 suricata (0.9.2-1) unstable; urgency=low * Imported Upstream version 0.9.2 -- Pierre Chifflier Sat, 19 Jun 2010 17:39:14 +0200 suricata (0.9.1-1) unstable; urgency=low * Imported Upstream version 0.9.1 * Update watch file -- Pierre 
Chifflier Wed, 26 May 2010 23:09:07 +0200 suricata (0.9.0-1) unstable; urgency=low * Imported Upstream version 0.9.0 * Add libcap-ng-dev to build-deps -- Pierre Chifflier Sun, 09 May 2010 10:43:44 +0200 suricata (0.8.2-1) unstable; urgency=low * Imported Upstream version 0.8.2 * Force selection of external libhtp during build * Enable Prelude support * Update watch file -- Pierre Chifflier Sun, 02 May 2010 10:50:05 +0200 suricata (0.8.0-2) unstable; urgency=low * Update debian/copyright to include all files -- Pierre Chifflier Sun, 21 Feb 2010 21:45:33 +0100 suricata (0.8.0-1) unstable; urgency=low * Initial release (Closes: #563422) -- Pierre Chifflier Sat, 30 Jan 2010 18:25:05 +0100 debian/suricata.80000664000000000000000000000426612204702126011100 0ustar .\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH SURICATA 8 "February 2010" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME suricata \- Next Generation Intrusion Detection and Prevention Tool .SH SYNOPSIS .B suricata .RI [ options ] .br .SH DESCRIPTION .B suricata is a network Intrusion Detection System (IDS). It is based on rules (and is fully compatible with snort rules) to detect a variety of attacks / probes by searching packet content. This new Engine supports Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards. It supports acquiring packets through NFQUEUE, PCAP (live or offline) etc. 
.PP .SH OPTIONS .IP "-c config_file" Use configuration file .I config_file .IP "-i interface" Sniff packets on .I interface. .IP "-r file" Read the tcpdump-formatted file .I tcpdump-file. This will cause Suricata to read and process the file fed to it. This is useful for offline analysis. .IP "-q queue_id" Sniff packets sent by the kernel through NFQUEUE. This allows running Suricata in inline mode (IPS) for packets captured by iptables using the NFQUEUE target. .IP "-s signatures" Path to the signatures file. .IP "-l log_dir" Path to the default log directory. .IP "-D" Run as daemon .IP "--init-errors-fatal" Enable fatal failure on signature init error. .SH SEE ALSO .BR tcpdump (1), .BR pcap (3). .SH AUTHOR suricata was written by the Open Information Security Foundation. .PP This manual page was written by Pierre Chifflier , for the Debian project (and may be used by others). debian/rules0000775000000000000000000000323212257773527010271 0ustar #!/usr/bin/make -f # -*- makefile -*- # debian/rules file for Suricata # Written by Pierre Chifflier # This file was originally written by Joey Hess and Craig Small. # As a special exception, when this file is copied by dh-make into a # dh-make output file, you may use that output file without restriction. # This special exception was added by Craig Small in version 0.37 of dh-make. # Uncomment this to turn on verbose mode. 
export DH_VERBOSE=1 export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,+bindnow DEB_DESTDIR = $(CURDIR)/debian/suricata ARCH ?= $(shell dpkg --print-architecture) DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) LUAJIT_ARCHS = i386 amd64 powerpc mips armel armhf ifneq (,$(findstring $(ARCH),$(LUAJIT_ARCHS))) ENABLE_LUAJIT="--enable-luajit" endif CONFIGURE_ARGS = --enable-af-packet --enable-nfqueue --enable-prelude \ --enable-non-bundled-htp --enable-gccprotect --disable-gccmarch-native \ --with-libnss-includes=/usr/include/nss --with-libnss-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \ --with-libnspr-includes=/usr/include/nspr --with-libnspr-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \ $(ENABLE_LUAJIT) override_dh_auto_install: dh_auto_install --destdir=$(DEB_DESTDIR) rm -rf $(DEB_DESTDIR)/usr/lib/python*;\ (cd scripts/suricatasc &&\ python -B setup.py install --install-layout=deb --prefix $(DEB_DESTDIR)/usr) override_dh_auto_configure: dh_auto_configure -- $(CONFIGURE_ARGS) sed \ -e 's|^default-rule-path: .*$$|default-rule-path: /etc/snort/rules|' \ suricata.yaml > suricata-debian.yaml override_dh_clean: rm -f suricata-debian.yaml dh_clean %: dh $@ --parallel --with autotools-dev,autoreconf,python2 debian/patches/0000775000000000000000000000000012524671271010626 5ustar debian/patches/CVE-2015-0928_pt2.patch0000664000000000000000000000510312524653406014035 0ustar Origin: backport, 5cd7bb2f140d03506b3280aaa71f612701d1a964 From 5cd7bb2f140d03506b3280aaa71f612701d1a964 Mon Sep 17 00:00:00 2001 
From: Victor Julien Date: Fri, 23 Jan 2015 12:09:29 +0100 Subject: [PATCH] dcerpc: fix error handling for alloc errors Fix error handling of stub parsers. In case of SCRealloc error the function would return a non-error code. This could possibly lead to memory corruption. Reported-By: The Yahoo pentest team --- src/app-layer-dcerpc-udp.c | 5 +++-- src/app-layer-dcerpc.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) Index: suricata-1.4.7/src/app-layer-dcerpc-udp.c =================================================================== --- suricata-1.4.7.orig/src/app-layer-dcerpc-udp.c +++ suricata-1.4.7/src/app-layer-dcerpc-udp.c @@ -44,6 +44,8 @@ enum { DCERPC_FIELD_MAX, }; +/** \internal + * \retval stub_len or 0 in case of error */ static uint32_t FragmentDataParser(Flow *f, void *dcerpcudp_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { @@ -83,7 +85,7 @@ static uint32_t FragmentDataParser(Flow *stub_data_buffer = SCRealloc(*stub_data_buffer, *stub_data_buffer_len + stub_len); if (*stub_data_buffer == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); - goto end; + SCReturnUInt(0); } memcpy(*stub_data_buffer + *stub_data_buffer_len, input, stub_len); @@ -103,7 +105,6 @@ static uint32_t FragmentDataParser(Flow } #endif -end: SCReturnUInt((uint32_t)stub_len); } Index: suricata-1.4.7/src/app-layer-dcerpc.c =================================================================== --- suricata-1.4.7.orig/src/app-layer-dcerpc.c +++ suricata-1.4.7/src/app-layer-dcerpc.c @@ -1075,6 +1075,8 @@ static uint32_t DCERPCParseREQUEST(DCERP SCReturnUInt((uint32_t)(p - input)); } +/** \internal + * \retval stub_len or 0 in case of error */ static uint32_t StubDataParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); uint8_t **stub_data_buffer = NULL; 
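Review bot: In the `@@ -83,7 +85,7` hunk of src/app-layer-dcerpc-udp.c the new `SCReturnUInt(0)` still leaves the stub buffer in a bad state, because the unchanged line just above it stores `SCRealloc()`'s result straight into `*stub_data_buffer`: on failure the previous allocation is overwritten with NULL and leaked, while `*stub_data_buffer_len` (as far as is visible here) still reports the old size. A later consumer that trusts that length would read through a NULL pointer, so the reallocation should go through a temporary and only be committed on success. The new `\retval stub_len or 0 in case of error` contract is also ambiguous when `stub_len` is legitimately 0; the comment should say whether callers treat 0 as an error or as "nothing consumed". FragmentDataParser's length bookkeeping and return are outside the hunk.
```c
/* … unchanged: stub_len and stub_data_buffer selection … */
uint8_t *tmp = SCRealloc(*stub_data_buffer, *stub_data_buffer_len + stub_len);
if (tmp == NULL) {
    SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
    SCReturnUInt(0);          /* old buffer and its length are left intact */
}
*stub_data_buffer = tmp;
memcpy(*stub_data_buffer + *stub_data_buffer_len, input, stub_len);
/* … unchanged: length update and return … */
```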
@@ -1130,7 +1132,7 @@ static uint32_t StubDataParser(DCERPC *d *stub_data_buffer = SCRealloc(*stub_data_buffer, *stub_data_buffer_len + stub_len); if (*stub_data_buffer == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); - goto end; + SCReturnUInt(0); } memcpy(*stub_data_buffer + *stub_data_buffer_len, input, stub_len); @@ -1152,7 +1154,6 @@ static uint32_t StubDataParser(DCERPC *d } #endif -end: SCReturnUInt((uint32_t)stub_len); } debian/patches/CVE-2015-0971.patch0000664000000000000000000000617212524646534013261 0ustar From fa73a0bb8f312fd0a95cc70f6b3ee4e4997bdba7 Mon Sep 17 00:00:00 2001 From: Pierre Chifflier Date: Sat, 18 Apr 2015 14:24:45 +0200 Subject: [PATCH] Fix possible wrap in uint32_t addition in DER parser Signed-off-by: Pierre Chifflier --- src/util-decode-der.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) Index: suricata-1.4.7/src/util-decode-der.c =================================================================== --- suricata-1.4.7.orig/src/util-decode-der.c +++ suricata-1.4.7/src/util-decode-der.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2012 ANSSI + * Copyright (C) 2011-2015 ANSSI * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -462,8 +462,11 @@ static Asn1Generic * DecodeAsn1DerIA5Str return NULL; } } - if (length > max_size) + if (length == UINT32_MAX || length > max_size) { + if (errcode) + *errcode = ERR_DER_ELEMENT_SIZE_TOO_BIG; return NULL; + } a = Asn1GenericNew(); if (a == NULL) @@ -504,8 +507,11 @@ static Asn1Generic * DecodeAsn1DerOctetS return NULL; } } - if (length > max_size) + if (length == UINT32_MAX || length > max_size) { + if (errcode) + *errcode = ERR_DER_ELEMENT_SIZE_TOO_BIG; return NULL; + } a = Asn1GenericNew(); if (a == NULL) 
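Review bot: The `@@ -1130,7 +1132,7` hunk of src/app-layer-dcerpc.c has the same realloc pattern as the UDP parser: the unchanged line above the new `SCReturnUInt(0)` assigns `SCRealloc()`'s result directly to `*stub_data_buffer`, so a failed allocation leaks the previous stub buffer and leaves a NULL pointer behind with its recorded length (not visible in the hunk) presumably untouched. Reallocate through a temporary and commit only on success: `uint8_t *tmp = SCRealloc(*stub_data_buffer, *stub_data_buffer_len + stub_len);` / `if (tmp == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); SCReturnUInt(0); }` / `*stub_data_buffer = tmp;`. StubDataParser's length update and return lie outside the hunk, so whether a later call can re-enter with a NULL buffer and a stale length should be checked there.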
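Review bot: The new `length == UINT32_MAX` test in the `@@ -462` and `@@ -504` hunks of src/util-decode-der.c is a bare sentinel with no explanation; presumably it guards a `length + 1` allocation for a string terminator further down (outside the hunk), which would wrap to 0 and produce an undersized buffer. That reasoning belongs next to the check so nobody "simplifies" it away later: `/* length + 1 is allocated below; UINT32_MAX would wrap to 0 */`. The same four-line check is now duplicated in the IA5String, OctetString and PrintableString decoders (`@@ -557` as well); a small static helper such as `DerLengthOk(length, max_size, errcode)` would keep the three copies from drifting. The enclosing decoder functions start and end outside the hunks.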
@@ -557,8 +563,11 @@ static Asn1Generic * DecodeAsn1DerPrinta return NULL; } } - if (length > max_size) + if (length == UINT32_MAX || length > max_size) { + if (errcode) + *errcode = ERR_DER_ELEMENT_SIZE_TOO_BIG; return NULL; + } a = Asn1GenericNew(); if (a == NULL) @@ -609,7 +618,9 @@ static Asn1Generic * DecodeAsn1DerSequen } } node->length = d_length + (d_ptr - buffer); - if (node->length > max_size) { + if (node->length > max_size || node->length < d_length /* wrap */) { + if (errcode) + *errcode = ERR_DER_ELEMENT_SIZE_TOO_BIG; SCFree(node); return NULL; } @@ -623,6 +634,10 @@ static Asn1Generic * DecodeAsn1DerSequen child = DecodeAsn1DerGeneric(d_ptr, el_max_size, depth, seq_index, errcode); if (child == NULL) { + if (errcode && *errcode != 0) { + DerFree(node); + return NULL; + } break; } Asn1SequenceAppend(node, child); @@ -666,7 +681,7 @@ static Asn1Generic * DecodeAsn1DerSet(co } node->length = d_length + (d_ptr - buffer); - if (node->length > max_size) { + if (node->length > max_size || node->length < d_length /* wrap */) { if (errcode) *errcode = ERR_DER_ELEMENT_SIZE_TOO_BIG; SCFree(node); @@ -677,6 +692,10 @@ static Asn1Generic * DecodeAsn1DerSet(co el_max_size = max_size - (d_ptr-buffer); child = DecodeAsn1DerGeneric(d_ptr, el_max_size, depth, seq_index, errcode); + if (child == NULL) { + DerFree(node); + return NULL; + } node->data = child; debian/patches/CVE-2015-0928_pt1.patch0000664000000000000000000000704012524653073014036 0ustar From 647985d20d7da4fb1a27c74e3c6767d54826bc8a Mon Sep 17 00:00:00 2001 
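Review bot: In the `@@ -677,6 +692,10` hunk of src/util-decode-der.c the new `if (child == NULL) { DerFree(node); return NULL; }` in DecodeAsn1DerSet returns without setting `*errcode`, so a caller that inspects the error code, as DecodeAsn1DerSequence now does with `*errcode != 0` in `@@ -623`, sees a NULL result with a zero code and cannot tell a malformed SET from a benign stop. Set a code before returning, in the style of the length check just above it: `if (errcode) *errcode = <a dedicated ERR_DER_* value>;`. The SEQUENCE path's `if (errcode && *errcode != 0)` also assumes `*errcode` was zeroed by the caller before the loop; if a stale code from an earlier element can survive, the first NULL child would be misreported, so that precondition is worth stating in the function comment. The `node->length < d_length /* wrap */` checks in `@@ -609` and `@@ -666` look right assuming `node->length` is the uint32_t the patch title refers to. Both functions start and end outside the hunks.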
From: Victor Julien Date: Fri, 23 Jan 2015 12:12:53 +0100 Subject: [PATCH] dcerpc: don't exit() on malloc failure In 2 places we would exit() if malloc failed. We should never exit in such cases. This patch silently handles it. --- src/app-layer-dcerpc.c | 34 ++++++++++++++-------------------- 1 file changed, 14 insertions(+), 20 deletions(-) Index: suricata-1.4.7/src/app-layer-dcerpc.c =================================================================== --- suricata-1.4.7.orig/src/app-layer-dcerpc.c +++ suricata-1.4.7/src/app-layer-dcerpc.c @@ -638,17 +638,14 @@ static uint32_t DCERPCParseBINDACKCTXIte dcerpc->dcerpcbindbindack.uuid_entry = (DCERPCUuidEntry *) SCCalloc(1, sizeof(DCERPCUuidEntry)); - if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) { - SCLogError(SC_ERR_MEM_ALLOC, - "Error allocating memory\n"); - exit(EXIT_FAILURE); + if (dcerpc->dcerpcbindbindack.uuid_entry != NULL) { + memcpy(dcerpc->dcerpcbindbindack.uuid_entry, + uuid_entry, + sizeof(DCERPCUuidEntry)); + TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.accepted_uuid_list, + dcerpc->dcerpcbindbindack.uuid_entry, + next); } - memcpy(dcerpc->dcerpcbindbindack.uuid_entry, - uuid_entry, - sizeof(DCERPCUuidEntry)); - TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.accepted_uuid_list, - dcerpc->dcerpcbindbindack.uuid_entry, - next); break; } } 
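Review bot: In the `@@ -638,17 +638,14` hunk of src/app-layer-dcerpc.c the BIND_ACK context item is now dropped without a trace when `SCCalloc()` fails: the `SCLogError(SC_ERR_MEM_ALLOC, ...)` the old code emitted goes away together with the `exit()`, so the entry never reaches `accepted_uuid_list` and anything downstream that consults that list behaves as if the server had never accepted the context, with nothing in the logs to explain it. Keep at least the diagnostic in an else branch, `} else { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); }`, and consider whether the parser has an error return the caller can act on rather than treating the item as parsed. The enclosing function starts and ends outside the hunk, so its return path is not visible here.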
@@ -774,17 +771,14 @@ static uint32_t DCERPCParseBINDACKCTXIte dcerpc->dcerpcbindbindack.uuid_entry = (DCERPCUuidEntry *) SCCalloc(1, sizeof(DCERPCUuidEntry)); - if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) { - SCLogError(SC_ERR_MEM_ALLOC, - "Error allocating memory\n"); - exit(EXIT_FAILURE); + if (dcerpc->dcerpcbindbindack.uuid_entry != NULL) { + memcpy(dcerpc->dcerpcbindbindack.uuid_entry, + uuid_entry, + sizeof(DCERPCUuidEntry)); + TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.accepted_uuid_list, + dcerpc->dcerpcbindbindack.uuid_entry, + next); } - memcpy(dcerpc->dcerpcbindbindack.uuid_entry, - uuid_entry, - sizeof(DCERPCUuidEntry)); - TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.accepted_uuid_list, - dcerpc->dcerpcbindbindack.uuid_entry, - next); break; } } debian/patches/series0000664000000000000000000000010412524671177012043 0ustar CVE-2015-0971.patch CVE-2015-0928_pt1.patch CVE-2015-0928_pt2.patch debian/copyright0000664000000000000000000000711012204702126011116 0ustar This work was packaged for Debian by: Pierre Chifflier on Sat, 30 Jan 2010 18:25:05 +0100 It was downloaded from http://www.openinfosecfoundation.org/ Copyright: Open Information Security Foundation Team License: This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License version 2 as published by the Free Software Foundation see `/usr/share/common-licenses/GPL-2'. The Debian packaging is: Copyright (C) 2010 Pierre Chifflier and is licensed under the GPL version 2, see `/usr/share/common-licenses/GPL-2'. Other files/licences: src/queue.h is Copyright (c) 1991, 1993 The Regents of the University of California and is licensed under BSD (3-clause) license. src/util-fix_checksum.h src/util-fix_checksum.c are Copyright (c) 2001 Daniel Hartmeier, Copyright (c) 2002 - 2008 Henning Brauer and are licensed under BSD (2-clause) license. 
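Review bot: The `@@ -774,17 +771,14` hunk repeats the `@@ -638` change verbatim, including the silent drop of the context item when `SCCalloc()` returns NULL, so the same missing diagnostic applies: `} else { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); }`. With two identical allocate-copy-`TAILQ_INSERT_HEAD` sequences, a small static helper that allocates, copies and links the `DCERPCUuidEntry` and returns a status would fix both call sites at once and give the caller something to check. The enclosing function starts and ends outside the hunk.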
src/action-globals.h src/alert-debuglog.c src/alert-debuglog.h src/alert-fastlog.c src/alert-fastlog.h src/alert-unified-alert.c src/alert-unified-alert.h src/alert-unified-log.c src/alert-unified-log.h src/app-layer-detect-proto.c src/app-layer-http.c src/app-layer-parser.c src/app-layer-tls.c src/debug.h src/decode.c src/decode-ethernet.c src/decode-ethernet.h src/decode-events.h src/decode.h src/decode-icmpv4.c src/decode-icmpv4.h src/decode-icmpv6.c src/decode-icmpv6.h src/decode-ipv4.h src/decode-ipv6.c src/decode-ipv6.h src/decode-sll.c src/decode-sll.h src/decode-tcp.c src/decode-tcp.h src/decode-udp.c src/decode-udp.h src/detect-content.c src/detect-engine-address-ipv4.c src/detect-engine-address-ipv4.h src/detect-engine-address-ipv6.c src/detect-engine-address-ipv6.h src/detect-engine.c src/detect-engine-port.c src/detect-engine-proto.c src/detect-flowvar.c src/detect-pktvar.c src/detect-uricontent.c src/flow-alert-sid.h src/flow-bit.h src/flow.c src/flow.h src/flow-hash.c src/flow-hash.h src/flow-private.h src/flow-queue.c src/flow-queue.h src/flow-util.c src/flow-util.h src/log-httplog.c src/log-httplog.h src/packet-queue.c src/packet-queue.h src/pkt-var.h src/respond-reject.c src/respond-reject.h src/respond-reject-libnet11.c src/respond-reject-libnet11.h src/source-nfq.c src/source-nfq.h src/source-nfq-prototypes.h src/source-pcap.c src/source-pcap-file.c src/source-pcap-file.h src/source-pcap.h src/source-pfring.c src/source-pfring.h src/stream.c src/stream-tcp.c src/stream-tcp.h src/stream-tcp-reassemble.c src/stream-tcp-reassemble.h src/suricata.c src/suricata-common.h src/suricata.h src/threadvars.h src/tm-modules.c src/tmqh-flow.h src/tmqh-nfq.c src/tmqh-nfq.h src/tmqh-packetpool.h src/tmqh-simple.h src/tm-queuehandlers.c src/tm-queuehandlers.h src/util-binsearch.h src/util-bloomfilter.c src/util-bloomfilter-counting.c src/util-bloomfilter-counting.h src/util-bloomfilter.h src/util-cidr.h src/util-hash.c src/util-hash.h src/util-hashlist.c 
src/util-hashlist.h src/util-mpm-b2g.c src/util-mpm-b3g.c src/util-mpm.h src/util-mpm-wumanber.c src/util-mpm-wumanber.h src/util-pool.c src/util-pool.h src/util-print.c src/util-print.h Copyright (c) 2008 by Victor Julien doxygen.cfg Copyright 2005 Dorr H. Clark - Santa Clara University This software source is made available under the "THE BEER-WARE LICENSE" dclark@applmath.scu.edu wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return. - Dorr H. Clark debian/README.Debian0000664000000000000000000000260112204702126011224 0ustar Suricata for Debian ------------------- The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field. This is considered as a beta release. To run the engine with default configuration on interface eth0 (in live mode), run the following command (as root): suricata -c /etc/suricata/suricata.yaml -i eth0 To run in live NFQUEUE mode, use (as root): suricata -c /etc/suricata/suricata.yaml -q $QUEUE_ID You can also run suricata on a PCAP file: suricata -c /etc/suricata/suricata.yaml -r file.pcap Updating Rules -------------- The default configuration use the snort-rules-default package (with all rules loaded), and all logging modules activated. You should edit /etc/suricata/suricata.yaml and adjust it to fit your needs. Using rules from the snort-rules-default package will not provide up-to-date rules. The recommended method is to install oinkmaster, configure it to get Emerging Threats (ET), ET Pro or VRT rules. 
Edit ``/etc/oinkmaster.conf`` and use the following URL: http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz Note that this is a plain-HTTP download, so the archive has no transport-level integrity or authenticity protection; prefer an HTTPS URL where the provider offers one, and review the rule changes oinkmaster reports before deploying them, since rules drive what the sensor alerts on or (in nfqueue mode) drops. For more help, see https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster -- Pierre Chifflier Thu, 17 Nov 2011 22:58:00 +0100 debian/suricata.install0000664000000000000000000000014612204702126012370 0ustar suricata-debian.yaml /etc/suricata classification.config /etc/suricata reference.config /etc/suricata