OISF · victorjulien · Feb 3, 2026 · Nov 27, 2025 · Nov 27, 2025 · Jan 29, 2026
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout PR code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0

@@ -38,11 +38,11 @@ jobs:
         language: [ 'cpp', 'rust' ]
     steps:
     - name: Checkout repository
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4.31.6
+      uses: github/codeql-action/init@v4.32.0
       with:
         languages: ${{ matrix.language }}
         queries: security-extended
@@ -62,4 +62,4 @@ jobs:
        ./configure --enable-warnings --enable-unittests
        make
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4.31.6
+      uses: github/codeql-action/analyze@v4.32.0
@@ -39,11 +39,11 @@ jobs:
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
     steps:
     - name: Checkout repository
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4.31.6
+      uses: github/codeql-action/init@v4.32.0
       with:
         languages: ${{ matrix.language }}
         queries: security-extended
@@ -64,4 +64,4 @@ jobs:
        ./configure --enable-warnings
        make
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4.31.6
+      uses: github/codeql-action/analyze@v4.32.0
@@ -74,7 +74,7 @@ jobs:
           cd $HOME/.cargo/bin
           curl -OL https://github.com/eqrion/cbindgen/releases/download/v0.24.3/cbindgen
           chmod 755 cbindgen
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
       # The action above is supposed to do this for us, but it doesn't appear to stick.

@@ -113,7 +113,7 @@ jobs:
               texlive-latex-extra \
               zlib1g \
               zlib1g-dev
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - run: git config --global --add safe.directory /__w/suricata/suricata
       - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:

@@ -91,7 +91,7 @@ jobs:
       # My patience simply ran too short to keep on looking. See follow-on
       # action to manually fix this up.
       - name: Checkout - might be merge commit!
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
         # Use last commit of branch, not potential merge commit!

@@ -6,7 +6,7 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@v6.0.2
     - uses: cachix/install-nix-action@v31
       with:
         nix_path: nixpkgs=channel:nixos-24.11

@@ -65,7 +65,7 @@ jobs:
 
       # Now checkout Suricata for the bundle script.
       - name: Checking out Suricata
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - run: git config --global --add safe.directory /__w/suricata/suricata
 
       - name: Fetching suricata-update

@@ -73,7 +73,7 @@ jobs:
           echo "$HOME/.cargo/bin" >> $GITHUB_PATH
       - name: Install Cargo Audit
         run: cargo install cargo-audit
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Configure Suricata
         run: |
           ./autogen.sh
@@ -143,7 +143,7 @@ jobs:
                 sudo \
                 which \
                 zlib-devel
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Install Minimum Supported Rust Version
         run: |
           curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(awk -F '"' '/rust-version/ { print $2 }' rust/Cargo.toml.in)

@@ -64,7 +64,7 @@ jobs:
       - run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.93.0 -y
       - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH
       - run: cargo install bindgen-cli --version 0.66.0
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - run: git config --global --add safe.directory /__w/suricata/suricata
       - run: ./scripts/bundle.sh
       - run: ./autogen.sh

@@ -69,7 +69,7 @@ jobs:
                 software-properties-common \
                 zlib1g \
                 zlib1g-dev
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - run: git config --global --add safe.directory /__w/suricata/suricata
       - run: ./scripts/bundle.sh
       - run: ./autogen.sh

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: "Run analysis"
         uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
@@ -51,6 +51,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload SARIF results"
-        uses: github/codeql-action/upload-sarif@f0ac9bfbe331b3cc7be1482df79cca2865cb79b6 # v1
+        uses: github/codeql-action/upload-sarif@f985be5b50bd175586d44aac9ac52926adf12893 # v1
         with:
           sarif_file: results.sarif
@@ -76,6 +76,8 @@ Output types::
       #redis:
       #  server: 127.0.0.1
       #  port: 6379
+      #  username: null ## ACL username; if null (default), no username is used
+      #  password: null ## AUTH password; if null (default), authentication is disabled
       #  async: true ## if redis replies are read asynchronously
       #  mode: list ## possible values: list|lpush (default), rpush, channel|publish, xadd|stream
       #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush

@@ -21,6 +21,8 @@ outputs:
       #redis:
       #  server: 127.0.0.1
       #  port: 6379
+      #  username: null ## ACL username; if null (default), no username is used
+      #  password: null ## AUTH password; if null (default), authentication is disabled
       #  async: true ## if redis replies are read asynchronously
       #  mode: list ## possible values: list|lpush (default), rpush, channel|publish, xadd|stream
       #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush

@@ -916,6 +916,13 @@ extern "C" {
         offset: u16, direction: u8,
     ) -> ::std::os::raw::c_int;
 }
+extern "C" {
+    pub fn SCAppLayerProtoDetectPMRegisterPatternCIwPP(
+        ipproto: u8, alproto: AppProto, pattern: *const ::std::os::raw::c_char, depth: u16,
+        offset: u16, direction: u8, PPFunc: ProbingParserFPtr, pp_min_depth: u16,
+        pp_max_depth: u16,
+    ) -> ::std::os::raw::c_int;
+}
 extern "C" {
     pub fn SCAppLayerRequestProtocolTLSUpgrade(f: *mut Flow) -> bool;
 }

@@ -460,6 +460,21 @@ static AppLayerProtoDetectProbingParserPort *AppLayerProtoDetectGetProbingParser
     SCReturnPtr(pp_port, "AppLayerProtoDetectProbingParserPort *");
 }
 
+bool AppLayerProtoDetectHasProbingParsers(uint8_t ipproto, uint16_t port, AppProto alproto)
+{
+    AppLayerProtoDetectProbingParserPort *p =
+            AppLayerProtoDetectGetProbingParsers(alpd_ctx.ctx_pp, ipproto, port);
+    if (p == NULL)
+        return false;
+    AppLayerProtoDetectProbingParserElement *dp = p->dp;
+    while (dp) {
+        if (dp->alproto == alproto) {
+            return true;
+        }
+        dp = dp->next;
+    }
+    return false;
+}
 
 /**
  * \brief Call the probing expectation to see if there is some for this flow.
@@ -1645,6 +1660,16 @@ int SCAppLayerProtoDetectPMRegisterPatternCSwPP(uint8_t ipproto, AppProto alprot
     SCReturnInt(r);
 }
 
+int SCAppLayerProtoDetectPMRegisterPatternCIwPP(uint8_t ipproto, AppProto alproto,
+        const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction,
+        ProbingParserFPtr PPFunc, uint16_t pp_min_depth, uint16_t pp_max_depth)
+{
+    SCEnter();
+    int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto, pattern, depth, offset,
+            direction, 0 /* case-insensitive */, PPFunc, pp_min_depth, pp_max_depth);
+    SCReturnInt(r);
+}
+
 int SCAppLayerProtoDetectPMRegisterPatternCI(uint8_t ipproto, AppProto alproto, const char *pattern,
         uint16_t depth, uint16_t offset, uint8_t direction)
 {

@@ -89,6 +89,9 @@ int SCAppLayerProtoDetectPMRegisterPatternCSwPP(uint8_t ipproto, AppProto alprot
  */
 int SCAppLayerProtoDetectPMRegisterPatternCI(uint8_t ipproto, AppProto alproto, const char *pattern,
         uint16_t depth, uint16_t offset, uint8_t direction);
+int SCAppLayerProtoDetectPMRegisterPatternCIwPP(uint8_t ipproto, AppProto alproto,
+        const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction,
+        ProbingParserFPtr PPFunc, uint16_t pp_min_depth, uint16_t pp_max_depth);
 
 /***** Setup/General Registration *****/
 
@@ -195,6 +198,8 @@ void AppLayerRegisterExpectationProto(uint8_t proto, AppProto alproto);
 
 void AppProtoDetectListNames(void);
 
+bool AppLayerProtoDetectHasProbingParsers(uint8_t ipproto, uint16_t port, AppProto alproto);
+
 /***** Unittests *****/
 
 #ifdef UNITTESTS

@@ -912,6 +912,20 @@ static AppProto FTPUserProbingParser(
     return ALPROTO_FTP;
 }
 
+static AppProto FTPQuitProbingParser(
+        const Flow *f, uint8_t direction, const uint8_t *input, uint32_t len, uint8_t *rdir)
+{
+    // another check for minimum length
+    if (len < 5) {
+        return ALPROTO_UNKNOWN;
+    }
+    // begins by QUIT
+    if (SCMemcmp(input, "QUIT", 4) != 0) {
+        return ALPROTO_FAILED;
+    }
+    return ALPROTO_FTP;
+}
+
 static AppProto FTPServerProbingParser(
         const Flow *f, uint8_t direction, const uint8_t *input, uint32_t len, uint8_t *rdir)
 {
@@ -951,6 +965,7 @@ static int FTPRegisterPatternsForProtocolDetection(void)
                 STREAM_TOSERVER, FTPUserProbingParser, 5, 5) < 0) {
         return -1;
     }
+
     if (SCAppLayerProtoDetectPMRegisterPatternCI(
                 IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER) < 0) {
         return -1;
@@ -964,9 +979,9 @@ static int FTPRegisterPatternsForProtocolDetection(void)
     if (!SCAppLayerProtoDetectPPParseConfPorts(
                 "tcp", IPPROTO_TCP, "ftp", ALPROTO_FTP, 0, 5, NULL, FTPServerProbingParser)) {
         // STREAM_TOSERVER here means use 21 as flow destination port
-        // and NULL, FTPServerProbingParser means use probing parser to client
-        SCAppLayerProtoDetectPPRegister(IPPROTO_TCP, "21", ALPROTO_FTP, 0, 5, STREAM_TOSERVER, NULL,
-                FTPServerProbingParser);
+        // and FTPServerProbingParser is probing parser to client
+        SCAppLayerProtoDetectPPRegister(IPPROTO_TCP, "21", ALPROTO_FTP, 0, 5, STREAM_TOSERVER,
+                FTPQuitProbingParser, FTPServerProbingParser);
     }
     return 0;
 }

@@ -1679,6 +1679,17 @@ static int SMTPStateGetEventInfoById(
     return 0;
 }
 
+// This probing parser checks the port after ambiguous patterns
+// that may be used by other protocols such as FTP
+static AppProto SMTPClientProbingParserCheckPort(
+        const Flow *f, uint8_t direction, const uint8_t *input, uint32_t len, uint8_t *rdir)
+{
+    if (AppLayerProtoDetectHasProbingParsers(IPPROTO_TCP, f->dp, ALPROTO_FTP)) {
+        return ALPROTO_FAILED;
+    }
+    return ALPROTO_SMTP;
+}
+
 static AppProto SMTPServerProbingParser(
         const Flow *f, uint8_t direction, const uint8_t *input, uint32_t len, uint8_t *rdir)
 {
@@ -1729,10 +1740,11 @@ static int SMTPRegisterPatternsForProtocolDetection(void)
                 IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0, STREAM_TOSERVER) < 0) {
         return -1;
     }
-    if (SCAppLayerProtoDetectPMRegisterPatternCI(
-                IPPROTO_TCP, ALPROTO_SMTP, "QUIT", 4, 0, STREAM_TOSERVER) < 0) {
+    if (SCAppLayerProtoDetectPMRegisterPatternCIwPP(IPPROTO_TCP, ALPROTO_SMTP, "QUIT", 4, 0,
+                STREAM_TOSERVER, SMTPClientProbingParserCheckPort, 4, 4) < 0) {
         return -1;
     }
+
     if (!SCAppLayerProtoDetectPPParseConfPorts(
                 "tcp", IPPROTO_TCP, "smtp", ALPROTO_SMTP, 0, 5, NULL, SMTPServerProbingParser)) {
         // STREAM_TOSERVER means here use 25 as flow destination port

@@ -1034,10 +1034,10 @@ static bool PrefilterFlowbitIsPrefilterable(const Signature *s)
  * found. Part of a rb-tree. */
 typedef struct PrefilterFlowbit {
     uint32_t *rule_id;     /**< array of signature iid that are part of this prefilter */
+    RB_ENTRY(PrefilterFlowbit) __attribute__((__packed__)) rb;
     uint32_t id;           /**< flowbit id */
     uint32_t rule_id_size; /**< size in elements of `rule_id` */
     uint32_t rule_id_cnt;  /**< usage in elements of `rule_id` */
-    RB_ENTRY(PrefilterFlowbit) __attribute__((__packed__)) rb;
 } __attribute__((__packed__)) PrefilterFlowbit;
 
 static int PrefilterFlowbitCompare(const PrefilterFlowbit *a, const PrefilterFlowbit *b)