15 Commits

Author SHA1 Message Date
Clayton Casciato 1dcf90fa42 suricata: update 7.0.13 -> 8.0.4
8.0.0 [1]:
Increased Rust use (including libhtp, suricatactl, and suricatasc)
More protocols
Lua sandboxed and available by default

8.0.4 [2]: security, performance, accuracy, and stability fixes

Resolve startup warning [3]:
W: af-packet: eth0: AF_PACKET tpacket-v3 is recommended for non-inline
operation

Add "ja4" option for fingerprinting TLS and QUIC clients [4]

CFLAGS modification for (see [5]):
do_package_qa: QA Issue: File /usr/bin/.debug/suricata in package
suricata-dbg contains reference to TMPDIR [buildpaths]

SURICATA_LUA_SYS_HEADER_DST [6]

[1] https://suricata.io/2025/07/08/suricata-8-0-0-released/
[2] https://suricata.io/2026/03/17/suricata-8-0-4-and-7-0-15-released/
[3] https://docs.suricata.io/en/suricata-8.0.4/upgrade.html#id1
[4] https://github.com/OISF/suricata/pull/10836
[5] https://git.openembedded.org/openembedded-core/commit/?id=3239961e35434592c06ec2cae2885ab464d35744
[6] https://github.com/OISF/suricata/commit/3a7eef812198118fa0b96059e70074bec5a8cdbe

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
(added musl libunwind fix)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
2026-04-27 21:46:41 +03:00
Clayton Casciato c32a913012 suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute
Add option to prevent memory mappings that are both writable and
executable.

https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute=

Core Suricata developer:
https://github.com/jasonish/suricata-rpms/blob/a606a810325dd0a4f3ee45b2756b96bda28e590b/7.0/suricata-4.1.1-service.patch#L23

Fedora:
https://src.fedoraproject.org/rpms/suricata/c/cfb3b996f54d28018cd01f9c6b9ecb77e59f344d

Resolve SELinux AVC denial:
type=PROCTITLE proctitle=/usr/bin/suricata
-c /etc/suricata/suricata.yaml -i eth0

type=SYSCALL arch=aarch64 syscall=mprotect success=no
exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000
a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main
exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null)

type=AVC avc:  denied  { execmem } for  pid=283 comm=Suricata-Main
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
2026-01-16 23:24:59 +02:00
Clayton Casciato fbb8343cf8 suricata: update to 7.0.12
Also update libhtp to required version 0.5.52.

See suricata release notes for more details about changes and
CVEs fixed:

https://suricata.io/2024/02/08/suricata-7-0-3-and-6-0-16-released/
https://suricata.io/2024/03/19/suricata-7-0-4-and-6-0-17-released/
https://suricata.io/2024/04/23/suricata-7-0-5-and-6-0-19-released/
https://suricata.io/2024/06/27/suricata-7-0-6-and-6-0-20-released/
https://suricata.io/2024/10/01/suricata-7-0-7-released/
https://suricata.io/2024/12/12/suricata-7-0-8-released/
https://suricata.io/2025/03/18/suricata-7-0-9-released/
https://suricata.io/2025/07/08/suricata-7-0-11-released/
https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
2025-11-12 14:17:55 -05:00
Clayton Casciato ca34a66f82 suricata: fix "interface" arg in systemd service
Fix service startup

https://docs.suricata.io/en/suricata-7.0.0/command-line-options.html#cmdoption-i

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
2025-07-18 09:48:15 -04:00
Armin Kuster e3a61e6e81 libhtp: update to 0.5.50
drop CVE-2024-45797.patch now included

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-04-13 14:07:57 -04:00
Hitendra Prajapati 6b50c7c29e libhtp: fix CVE-2024-45797
Upstream-Status: Backport from https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-11-24 20:15:36 -05:00
Siddharth Doshi f0deac3787 Suricata: Security Fix for CVE-2024-37151, CVE-2024-38534, CVE-2024-38535, CVE-2024-38536
Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b, https://github.com/OISF/suricata/commit/a753cdbe84caee3b66d0bf49b2712d29a50d67ae, https://github.com/OISF/suricata/commit/c82fa5ca0d1ce0bd8f936e0b860707a6571373b2, https://github.com/OISF/suricata/commit/2bd3bd0e318f19008e9fe068ab17277c530ffb92]

CVE's Fixed:
CVE-2024-37151 suricata: suricata: packet reassembly failure, which can lead to policy bypass
CVE-2024-38534 suricata: suricata: Crafted modbus traffic can lead to unlimited resource accumulation within a flow
CVE-2024-38535 suricata: Suricata: can run out of memory when parsing crafted HTTP/2 traffic
CVE-2024-38536 suricata: NULL pointer dereference when http.memcap is reached

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-07-29 20:07:01 -04:00
Armin Kuster 254b6094b5 suricata: Update to 7.0.0
refersh patches
update libhtp

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:45:11 -04:00
Martin Jansa df8a1eb479 *.patch: fix malformed Upstream-Status and SOB lines
* as reported by openembedded-core/scripts/contrib/patchreview.py -v .

Malformed Signed-off-by 'Signed-Off-By:' (./recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch)
Malformed Signed-off-by 'Signed-Off-By:' (./recipes-mac/AppArmor/files/disable_perl_h_check.patch)

Missing Upstream-Status tag (./recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch)

Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/samhain/files/samhain-pid-path.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/suricata/files/fixup.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-scanners/clamav/files/fix2_libcurl_check.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/isic/files/configure_fix.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/krill/files/panic_workaround.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/opendnssec/files/libdns_conf_fix.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/opendnssec/files/libxml2_conf.patch

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-06-25 15:05:28 -04:00
Armin Kuster 818a8646a6 suricata: rust is in core
drop dynamic-layer

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:45:14 -07:00
Armin Kuster 7a1691c037 suricata: Drop 4.1.x its EOL
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-07-28 18:21:25 -07:00
Christopher Larson 36d656fe72 suricata: add tmpfiles.d config
This is needed to ensure our /var/log directory is created when using
systemd.

Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-11-27 13:38:58 -08:00
Armin Kuster 18de9e5bf9 suricata/libhtp: update to 4.1.5/0.5.31
same sources
refresh patch

drop rules tar ball

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-10-08 15:54:52 -07:00
Armin Kuster d75dc96fa3 suricata: update to 4.1.4
Backport patch to fix build against newer kernels.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-09-07 08:34:22 -07:00
Armin Kuster 1460d9b86d reorg ids: move ids recipes to recipes-ids
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-03-31 10:37:09 -07:00