Hello Matthias,

Excellent. I merged this and backported it into Core Update 201 as well.

@Stefan: Since we have now dropped the cleanup patch, are there any Rust dependencies that we no longer need and can therefore drop as well?

-Michael

> On 18 Mar 2026, at 13:39, Matthias Fischer <[email protected]> wrote:
>
> The contents of 'suricata-8.0.3-purge-hyperscan-cache.patch' have been integrated in 8.0.4,
> and the sources for 'humantime' are now included under '/rust/vendor/humantime'.
> The lfs and the rootfile have been updated.
>
> Build is running without any problems seen.
>
> Excerpt from changelog:
>
> "8.0.4 -- 2026-03-12
>
> Security #8306: krb5: internal request/response buffering leads to quadratic complexity (8.0.x backport)(HIGH - CVE 2026-31932)
> Security #8297: detect/ssl: null deref with tls.alpn keyword (8.0.x backport)(HIGH - CVE 2026-31931)
> Security #8295: http2: unbounded number of http2 frames per transaction (8.0.x backport)(CRITICAL - CVE 2026-31935)
> Security #8293: smtp/mime: quadratic complexity while looking for url strings (8.0.x backport)(HIGH - CVE 2026-31934)
> Security #8287: krb5: TCP parser never advances past the first record in a multi-record segment (8.0.x backport)
> Bug #8371: dpdk: "auto" in mempool size undercalculates the mempool size for Rx/Tx descriptors (8.0.x backport)
> Bug #8369: ldap: add ldap.rules file (8.0.x backport)
> Bug #8367: ndpi: crashing in StorageGetById() (8.0.x backport)
> Bug #8362: http2: detection should use a better architecture than the Vec escaped (8.0.x backport)
> Bug #8357: ldap: abandon request incorrectly handled (8.0.x backport)
> Bug #8326: hs: harden cache manipulation (8.0.x backport)
> Bug #8317: ldap: no invalid_data event in case of invalid request (8.0.x backport)
> Bug #8312: firewall: af-packet IPS mode overwrites firewall mode (8.0.x backport)
> Bug #8309: plugins/ndpi: SIGSEGV in DetectnDPIProtocolPacketMatch (8.0.x backport)
> Bug #8280: build: when documentation tools are installed, make dist attempts to install files to prefix (8.0.x backport)
> Bug #8268: Double log rotation with rotation flag/interval (8.0.x backport)
> Bug #8260: lib: examples fail with debug validation as they create threads after threads are sealed (8.0.x backport)
> Bug #8252: dpdk: (x)stats are only accessible before port stop (8.0.x backport)
> Bug #8249: lua: calling metatable garbage collector with nil from a script leads to a null pointer dereference (8.0.x backport)
> Bug #8244: hyperscan: coverity warning on stat path check (8.0.x backport)
> Bug #8230: detect/app-layer-event: alert generated for the wrong packet (8.0.x backport)
> Bug #8219: base64: base64_data with relative match after base64_decode:relative fails (8.0.x backport)
> Bug #8207: firewall: loading rules only through yaml fails (8.0.x backport)
> Bug #8167: utils-spm-hs: missing deallocators on hs_compile failure (8.0.x backport)
> Bug #8164: decode/ipv6: set invalid event for wrong ip version (8.0.x backport)
> Bug #7982: detect/tls: zero characters in keywords such as alt name are mishandled (8.0.x backport)
> Optimization #8343: conf: stream.depth is unlimited when absent from the suricata.yaml
> Optimization #8299: stream/tcp: flag 1st seen pkt w stream established (8.0.x backport)
> Feature #8323: hs: add pruning stats details of removal reason (8.0.x backport)
> Feature #8316: firewall: support iprep in firewall mode (8.0.x backport)
> Feature #8235: rules/transform: add gunzip transform (8.0.x backport)
> Feature #8233: nfs: log detailed response for versions other than v3 (8.0.x backport)
> Feature #7893: hyperscan: support cache invalidation and removal (8.0.x backport)
> Task #8270: rust: suppress nugatory RUSTSEC-2026-0009 for time crate (8.0.x backport)
> Task #8194: psl: crate should be updated on every release (8.0.x backport)
> Task #8159: build-scopes: add QA or SIMULATION mode (8.0.x backport)
> Task #8097: libsuricata: add live example usage of the Suricata library (8.0.x backport)
> Documentation
#8331: doc: explain dcerpc.opnum doesn't support operators > >,<,!,= (8.0.x backport) > Documentation #8263: doc/userguide: fix within-distance pointer graphics in > payload-keywords doc (8.0.x backport) > Documentation #8240: isdataat: document different semantics between absolute > and relative modes (8.0.x backport) > Documentation #8217: rules/endswith: doc wrong for offset/distance/within > warning (8.0.x backport) > Documentation #8114: doc: remove mention of suricata-7 in latest docs (8.0.x > backport) > Documentation #7932: devguide: add a chapter about Suricata's exception > policies (8.0.x backport)" > > Signed-off-by: Matthias Fischer <[email protected]> > --- > config/rootfiles/common/suricata | 2 +- > lfs/suricata | 11 +- > ...suricata-8.0.3-purge-hyperscan-cache.patch | 1341 ----------------- > 3 files changed, 3 insertions(+), 1351 deletions(-) > delete mode 100644 > src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch > > diff --git a/config/rootfiles/common/suricata > b/config/rootfiles/common/suricata > index 518920abd..2d77b74a9 100644 > --- a/config/rootfiles/common/suricata > +++ b/config/rootfiles/common/suricata > @@ -8,7 +8,6 @@ usr/sbin/convert-ids-backend-files > #usr/share/doc/suricata > #usr/share/doc/suricata/AUTHORS > #usr/share/doc/suricata/Basic_Setup.txt > -#usr/share/doc/suricata/GITGUIDE > #usr/share/doc/suricata/INSTALL > #usr/share/doc/suricata/NEWS > #usr/share/doc/suricata/README > @@ -35,6 +34,7 @@ usr/share/suricata > #usr/share/suricata/rules/http2-events.rules > #usr/share/suricata/rules/ipsec-events.rules > #usr/share/suricata/rules/kerberos-events.rules > +#usr/share/suricata/rules/ldap-events.rules > #usr/share/suricata/rules/mdns-events.rules > #usr/share/suricata/rules/modbus-events.rules > #usr/share/suricata/rules/mqtt-events.rules > diff --git a/lfs/suricata b/lfs/suricata > index a20450c31..419257017 100644 > --- a/lfs/suricata > +++ b/lfs/suricata 
> @@ -24,7 +24,7 @@ > > include Config > > -VER = 8.0.3 > +VER = 8.0.4 > > THISAPP = suricata-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = > ab87fde815338a7520badd2f4d8c8bfaccc778ecffbb13028fe9d561b1bf0e4ef2a43296b88fffb306df9e28fcd5997fa22c72ac887c40efbea799e0110fcb56 > +$(DL_FILE)_BLAKE2 = > a6c1958d82bb8c288c8d551d99851d19a89073397bda38bc90907950d17c35e40eb4845e9a88913bafc5c56bdad8c026e0fb665c494b102861c2b8f210c72d7f > > install : $(TARGET) > > @@ -71,13 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > cd $(DIR_APP) && patch -Np1 < > $(DIR_SRC)/src/patches/suricata/suricata-8.0.0-disable-sid-2210059.patch > - cd $(DIR_APP) && patch -Np1 < > $(DIR_SRC)/src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch > - > - # Temporary workaround because the suricata 8.0.3 tarball does not contain > the rust source as trusted vendor > - # for humantime and the module is required since applying the > purge-hyperscan-cache patchfile. > - # > - # So we have to copy our installed rust module into the desired directory > here. > - cd $(DIR_APP) && cp -avf /usr/share/cargo/registry/humantime* > $(DIR_APP)/rust/vendor > > cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \ > --prefix=/usr \ > diff --git a/src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch > b/src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch > deleted file mode 100644 > index 14f36985d..000000000 > --- a/src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch > +++ /dev/null 
> @@ -1,1341 +0,0 @@ > -commit 47fc78eeae9a365b4d36609154642ca72c9cb9fb > -Author: Lukas Sismis <[email protected]> > -Date: Mon Sep 15 11:40:30 2025 +0200 > - > - hs: update the file description > - > -diff --git a/src/util-mpm-hs-cache.c b/src/util-mpm-hs-cache.c > -index 2e58676fa..fd54cf306 100644 > ---- a/src/util-mpm-hs-cache.c > -+++ b/src/util-mpm-hs-cache.c > -@@ -20,7 +20,7 @@ > - * > - * \author Lukas Sismis <[email protected]> > - * > -- * MPM pattern matcher that calls the Hyperscan regex matcher. > -+ * Hyperscan cache helper utilities for MPM cache files. > - */ > - > - #include "suricata-common.h" > -commit 2a313ff429eb49be5e4c3b9dadfca127fa64c5fe > -Author: Lukas Sismis <[email protected]> > -Date: Thu Oct 30 12:01:33 2025 +0100 > - > - hs: reduce cache filename size to max file limit > - > -diff --git a/src/util-mpm-hs-cache.c b/src/util-mpm-hs-cache.c > -index fd54cf306..1e5001ba0 100644 > ---- a/src/util-mpm-hs-cache.c > -+++ b/src/util-mpm-hs-cache.c > -@@ -41,7 +41,7 @@ static const char *HSCacheConstructFPath(const char > *folder_path, uint64_t hs_db > - static char hash_file_path[PATH_MAX]; > - > - char hash_file_path_suffix[] = "_v1.hs"; > -- char filename[PATH_MAX]; > -+ char filename[NAME_MAX]; > - uint64_t r = snprintf( > - filename, sizeof(filename), "%020" PRIu64 "%s", hs_db_hash, > hash_file_path_suffix); > - if (r != (uint64_t)(20 + strlen(hash_file_path_suffix))) > -commit c282880174875fab6bcc62a2a60c85b58dfb0d32 > -Author: Lukas Sismis <[email protected]> > -Date: Thu Oct 30 12:04:35 2025 +0100 > - > - hs: change hash in the cache name to SHA256 > - > -diff --git a/src/util-mpm-hs-cache.c b/src/util-mpm-hs-cache.c > -index 1e5001ba0..83bbee59c 100644 > ---- a/src/util-mpm-hs-cache.c > -+++ b/src/util-mpm-hs-cache.c > -@@ -34,17 +34,17 @@ > - > - #ifdef BUILD_HYPERSCAN > - > -+#include "rust.h" > - #include <hs.h> > - > --static const char *HSCacheConstructFPath(const char *folder_path, uint64_t > hs_db_hash) > -+static const char 
*HSCacheConstructFPath(const char *folder_path, const > char *hs_db_hash) > - { > - static char hash_file_path[PATH_MAX]; > - > - char hash_file_path_suffix[] = "_v1.hs"; > - char filename[NAME_MAX]; > -- uint64_t r = snprintf( > -- filename, sizeof(filename), "%020" PRIu64 "%s", hs_db_hash, > hash_file_path_suffix); > -- if (r != (uint64_t)(20 + strlen(hash_file_path_suffix))) > -+ uint64_t r = snprintf(filename, sizeof(filename), "%s%s", hs_db_hash, > hash_file_path_suffix); > -+ if (r != (uint64_t)(strlen(hs_db_hash) + strlen(hash_file_path_suffix))) > - return NULL; > - > - r = PathMerge(hash_file_path, sizeof(hash_file_path), folder_path, > filename); > -@@ -104,22 +104,22 @@ static char *HSReadStream(const char *file_path, > size_t *buffer_sz) > - * Function to hash the searched pattern, only things relevant to Hyperscan > - * compilation are hashed. > - */ > --static void SCHSCachePatternHash(const SCHSPattern *p, uint32_t *h1, > uint32_t *h2) > -+static void SCHSCachePatternHash(const SCHSPattern *p, SCSha256 *sha256) > - { > - BUG_ON(p->original_pat == NULL); > - BUG_ON(p->sids == NULL); > - > -- hashlittle2_safe(&p->len, sizeof(p->len), h1, h2); > -- hashlittle2_safe(&p->flags, sizeof(p->flags), h1, h2); > -- hashlittle2_safe(p->original_pat, p->len, h1, h2); > -- hashlittle2_safe(&p->id, sizeof(p->id), h1, h2); > -- hashlittle2_safe(&p->offset, sizeof(p->offset), h1, h2); > -- hashlittle2_safe(&p->depth, sizeof(p->depth), h1, h2); > -- hashlittle2_safe(&p->sids_size, sizeof(p->sids_size), h1, h2); > -- hashlittle2_safe(p->sids, p->sids_size * sizeof(SigIntId), h1, h2); > -+ SCSha256Update(sha256, (const uint8_t *)&p->len, sizeof(p->len)); > -+ SCSha256Update(sha256, (const uint8_t *)&p->flags, sizeof(p->flags)); > -+ SCSha256Update(sha256, (const uint8_t *)p->original_pat, p->len); > -+ SCSha256Update(sha256, (const uint8_t *)&p->id, sizeof(p->id)); > -+ SCSha256Update(sha256, (const uint8_t *)&p->offset, sizeof(p->offset)); > -+ SCSha256Update(sha256, 
(const uint8_t *)&p->depth, sizeof(p->depth)); > -+ SCSha256Update(sha256, (const uint8_t *)&p->sids_size, > sizeof(p->sids_size)); > -+ SCSha256Update(sha256, (const uint8_t *)p->sids, p->sids_size * > sizeof(SigIntId)); > - } > - > --int HSLoadCache(hs_database_t **hs_db, uint64_t hs_db_hash, const char > *dirpath) > -+int HSLoadCache(hs_database_t **hs_db, const char *hs_db_hash, const char > *dirpath) > - { > - const char *hash_file_static = HSCacheConstructFPath(dirpath, > hs_db_hash); > - if (hash_file_static == NULL) > -@@ -161,7 +161,7 @@ freeup: > - return ret; > - } > - > --static int HSSaveCache(hs_database_t *hs_db, uint64_t hs_db_hash, const > char *dstpath) > -+static int HSSaveCache(hs_database_t *hs_db, const char *hs_db_hash, const > char *dstpath) > - { > - static bool notified = false; > - char *db_stream = NULL; > -@@ -220,14 +220,26 @@ cleanup: > - return ret; > - } > - > --uint64_t HSHashDb(const PatternDatabase *pd) > -+int HSHashDb(const PatternDatabase *pd, char *hash, size_t hash_len) > - { > -- uint32_t hash[2] = { 0 }; > -- hashword2(&pd->pattern_cnt, 1, &hash[0], &hash[1]); > -+ SCSha256 *hasher = SCSha256New(); > -+ if (hasher == NULL) { > -+ SCLogDebug("sha256 hashing failed"); > -+ return -1; > -+ } > -+ SCSha256Update(hasher, (const uint8_t *)&pd->pattern_cnt, > sizeof(pd->pattern_cnt)); > - for (uint32_t i = 0; i < pd->pattern_cnt; i++) { > -- SCHSCachePatternHash(pd->parray[i], &hash[0], &hash[1]); > -+ SCHSCachePatternHash(pd->parray[i], hasher); > -+ } > -+ > -+ if (!SCSha256FinalizeToHex(hasher, hash, hash_len)) { > -+ hasher = NULL; > -+ SCLogDebug("sha256 hashing failed"); > -+ return -1; > - } > -- return ((uint64_t)hash[1] << 32) | hash[0]; > -+ > -+ hasher = NULL; > -+ return 0; > - } > - > - void HSSaveCacheIterator(void *data, void *aux) > -@@ -244,7 +256,11 @@ void HSSaveCacheIterator(void *data, void *aux) > - return; > - } > - > -- if (HSSaveCache(pd->hs_db, HSHashDb(pd), iter_data->cache_path) == 0) { > -+ char 
hs_db_hash[SC_SHA256_LEN * 2 + 1]; // * 2 for hex +1 for nul > terminator > -+ if (HSHashDb(pd, hs_db_hash, ARRAY_SIZE(hs_db_hash)) != 0) { > -+ return; > -+ } > -+ if (HSSaveCache(pd->hs_db, hs_db_hash, iter_data->cache_path) == 0) { > - pd->cached = true; // for rule reloads > - iter_data->pd_stats->hs_dbs_cache_saved_cnt++; > - } > -diff --git a/src/util-mpm-hs-cache.h b/src/util-mpm-hs-cache.h > -index 237762d5a..225c5001a 100644 > ---- a/src/util-mpm-hs-cache.h > -+++ b/src/util-mpm-hs-cache.h > -@@ -35,8 +35,8 @@ struct HsIteratorData { > - const char *cache_path; > - }; > - > --int HSLoadCache(hs_database_t **hs_db, uint64_t hs_db_hash, const char > *dirpath); > --uint64_t HSHashDb(const PatternDatabase *pd); > -+int HSLoadCache(hs_database_t **hs_db, const char *hs_db_hash, const char > *dirpath); > -+int HSHashDb(const PatternDatabase *pd, char *hash, size_t hash_len); > - void HSSaveCacheIterator(void *data, void *aux); > - #endif /* BUILD_HYPERSCAN */ > - > -diff --git a/src/util-mpm-hs.c b/src/util-mpm-hs.c > -index dde5bf36a..ad7178eb8 100644 > ---- a/src/util-mpm-hs.c > -+++ b/src/util-mpm-hs.c > -@@ -683,8 +683,11 @@ static int PatternDatabaseGetCached( > - return 0; > - } else if (cache_dir_path) { > - pd_cached = *pd; > -- uint64_t db_lookup_hash = HSHashDb(pd_cached); > -- if (HSLoadCache(&pd_cached->hs_db, db_lookup_hash, cache_dir_path) > == 0) { > -+ char hs_db_hash[SC_SHA256_LEN * 2 + 1]; // * 2 for hex +1 for nul > terminator > -+ if (HSHashDb(pd_cached, hs_db_hash, ARRAY_SIZE(hs_db_hash)) != 0) { > -+ return -1; > -+ } > -+ if (HSLoadCache(&pd_cached->hs_db, hs_db_hash, cache_dir_path) == > 0) { > - pd_cached->ref_cnt = 1; > - pd_cached->cached = true; > - if (HSScratchAlloc(pd_cached->hs_db) != 0) { > -commit 3e4fdb2118bfcb8b2644944daded2d8c67420499 > -Author: Lukas Sismis <[email protected]> > -Date: Sat Sep 13 11:23:16 2025 +0200 > - > - misc: time unit parsing function > - > -diff --git a/rust/Cargo.lock.in b/rust/Cargo.lock.in > -index 
d296a196e..d47cdd197 100644 > ---- a/rust/Cargo.lock.in > -+++ b/rust/Cargo.lock.in > -@@ -688,6 +688,12 @@ dependencies = [ > - "windows-sys 0.52.0", > - ] > - > -+[[package]] > -+name = "humantime" > -+version = "2.3.0" > -+source = "registry+https://github.com/rust-lang/crates.io-index" > -+checksum = > "135b12329e5e3ce057a9f972339ea52bc954fe1e9358ef27f95e89716fbc5424" > -+ > - [[package]] > - name = "indexmap" > - version = "2.11.4" > -@@ -1551,6 +1557,7 @@ dependencies = [ > - "flate2", > - "hex", > - "hkdf", > -+ "humantime", > - "ipsec-parser", > - "kerberos-parser", > - "lazy_static", > -diff --git a/rust/Cargo.toml.in b/rust/Cargo.toml.in > -index 0fedea33f..22e166062 100644 > ---- a/rust/Cargo.toml.in > -+++ b/rust/Cargo.toml.in > -@@ -77,6 +77,7 @@ lazy_static = "~1.5.0" > - base64 = "~0.22.1" > - bendy = { version = "~0.3.3", default-features = false } > - asn1-rs = { version = "~0.6.2" } > -+humantime = "~2.3.0" > - ldap-parser = { version = "~0.5.0" } > - hex = "~0.4.3" > - psl = "2" > -diff --git a/rust/src/util.rs b/rust/src/util.rs > -index 9d45ae26d..2cb2da17c 100644 > ---- a/rust/src/util.rs > -+++ b/rust/src/util.rs > -@@ -17,6 +17,7 @@ > - > - //! Utility module. > - > -+use std::borrow::Cow; > - use std::ffi::CStr; > - use std::os::raw::c_char; > - > -@@ -26,6 +27,8 @@ use nom8::combinator::verify; > - use nom8::multi::many1_count; > - use nom8::{AsChar, IResult, Parser}; > - > -+use humantime::parse_duration; > -+ > - #[no_mangle] > - pub unsafe extern "C" fn SCCheckUtf8(val: *const c_char) -> bool { > - CStr::from_ptr(val).to_str().is_ok() > -@@ -63,10 +66,56 @@ pub unsafe extern "C" fn SCValidateDomain(input: *const > u8, in_len: u32) -> u32 > - return 0; > - } > - > -+/// Add 's' suffix if input is only digits, and convert to lowercase if > needed. 
> -+fn duration_unit_normalize(input: &str) -> Cow<'_, str> { > -+ if input.bytes().all(|b| b.is_ascii_digit()) { > -+ let mut owned = String::with_capacity(input.len() + 1); > -+ owned.push_str(input); > -+ owned.push('s'); > -+ return Cow::Owned(owned); > -+ } > -+ > -+ if input.bytes().any(|b| b.is_ascii_uppercase()) { > -+ Cow::Owned(input.to_ascii_lowercase()) > -+ } else { > -+ Cow::Borrowed(input) > -+ } > -+} > -+ > -+/// Reads a C string from `input`, parses it, and writes the result to > `*res`. > -+/// Returns 0 on success (result written to *res), -1 otherwise. > -+#[no_mangle] > -+pub unsafe extern "C" fn SCParseTimeDuration(input: *const c_char, res: > *mut u64) -> i32 { > -+ if input.is_null() || res.is_null() { > -+ return -1; > -+ } > -+ > -+ let input_str = match CStr::from_ptr(input).to_str() { > -+ Ok(s) => s, > -+ Err(_) => return -1, > -+ }; > -+ > -+ let trimmed = input_str.trim(); > -+ if trimmed.is_empty() { > -+ return -1; > -+ } > -+ > -+ let normalized = duration_unit_normalize(trimmed); > -+ match parse_duration(normalized.as_ref()) { > -+ Ok(duration) => { > -+ *res = duration.as_secs(); > -+ 0 > -+ } > -+ Err(_) => -1, > -+ } > -+} > -+ > - #[cfg(test)] > - mod tests { > - > - use super::*; > -+ use std::ffi::CString; > -+ use std::ptr::{null, null_mut}; > - > - #[test] > - fn test_parse_domain() { > -@@ -83,4 +132,73 @@ mod tests { > - let buf1: &[u8] = "a(x)y.com".as_bytes(); > - assert!(parse_domain(buf1).is_err()); > - } > -+ > -+ #[test] > -+ fn test_parse_time_valid() { > -+ unsafe { > -+ let mut v: u64 = 0; > -+ > -+ let s = CString::new("10").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0); > -+ assert_eq!(v, 10); > -+ > -+ let s = CString::new("0").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0); > -+ assert_eq!(v, 0); > -+ > -+ let s = CString::new("2H").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0); > -+ assert_eq!(v, 7200); > -+ > -+ let s = 
CString::new("1 day").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0); > -+ assert_eq!(v, 86400); > -+ > -+ let s = CString::new("1w").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0); > -+ assert_eq!(v, 604800); > -+ > -+ let s = CString::new("1 week").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0); > -+ assert_eq!(v, 604800); > -+ > -+ let s = CString::new("1y").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0); > -+ assert_eq!(v, 31557600); > -+ > -+ let s = CString::new("1 year").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0); > -+ assert_eq!(v, 31557600); > -+ > -+ // max > -+ let s = CString::new("18446744073709551615").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0); > -+ assert_eq!(v, u64::MAX); > -+ } > -+ } > -+ > -+ #[test] > -+ fn test_parse_time_duration_invalid() { > -+ unsafe { > -+ let mut v: u64 = 0; > -+ let s = CString::new("10q").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), -1); > -+ > -+ let s = CString::new("abc").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), -1); > -+ > -+ let s = CString::new("-300s").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), -1); > -+ > -+ let s = CString::new("1h -600s").unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), -1); > -+ > -+ assert_eq!(SCParseTimeDuration(null(), &mut v), -1); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), null_mut()), -1); > -+ > -+ let overflow_years = (u64::MAX / 31557600) + 1; > -+ let s = CString::new(format!("{}y", overflow_years)).unwrap(); > -+ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), -1); > -+ } > -+ } > - } > -diff --git a/rust/sys/src/sys.rs b/rust/sys/src/sys.rs > -index 3dbd2293e..7be2a12b4 100644 > ---- a/rust/sys/src/sys.rs > -+++ b/rust/sys/src/sys.rs > -@@ -701,6 +701,11 @@ extern "C" { > - name: *const ::std::os::raw::c_char, val: *mut f32, > - ) -> 
::std::os::raw::c_int; > - } > -+extern "C" { > -+ pub fn SCConfGetTime( > -+ name: *const ::std::os::raw::c_char, val: *mut u64, > -+ ) -> ::std::os::raw::c_int; > -+} > - extern "C" { > - pub fn SCConfSet( > - name: *const ::std::os::raw::c_char, val: *const > ::std::os::raw::c_char, > -commit 85f0382072173c226426d4556a9d959ab0a90c34 > -Author: Lukas Sismis <[email protected]> > -Date: Sat Sep 13 23:55:02 2025 +0200 > - > - conf: add time parsing conf function > - > -diff --git a/src/conf.c b/src/conf.c > -index 3be82529d..c81da37b4 100644 > ---- a/src/conf.c > -+++ b/src/conf.c > -@@ -42,6 +42,7 @@ > - #include "util-debug.h" > - #include "util-path.h" > - #include "util-conf.h" > -+#include "rust.h" > - > - /** Maximum size of a complete domain name. */ > - #define NODE_NAME_MAX 1024 > -@@ -647,6 +648,36 @@ int SCConfGetFloat(const char *name, float *val) > - return 1; > - } > - > -+/** > -+ * \brief Retrieve a configuration value as a time duration in seconds. > -+ * > -+ * The configuration value is expected to be a string with a number > -+ * followed by an optional time-describing unit (e.g. s, seconds, weeks, > years). > -+ * If no unit is specified, seconds are assumed. > -+ * > -+ * \param name Name of configuration parameter to get. > -+ * \param val Pointer to an uint64_t that will be set the > -+ * configuration value in seconds. > -+ * > -+ * \retval 1 will be returned if the name is found and was properly > -+ * converted to a time duration, otherwise 0 will be returned. > -+ */ > -+int SCConfGetTime(const char *name, uint64_t *val) > -+{ > -+ const char *strval = NULL; > -+ > -+ if (SCConfGet(name, &strval) == 0) > -+ return 0; > -+ > -+ if (strval == NULL || strval[0] == '\0') > -+ return 0; > -+ > -+ if (SCParseTimeDuration(strval, val) != 0) > -+ return 0; > -+ > -+ return 1; > -+} > -+ > - /** > - * \brief Remove (and SCFree) the provided configuration node. 
> - */ > -diff --git a/src/conf.h b/src/conf.h > -index 348138998..0f3a881ac 100644 > ---- a/src/conf.h > -+++ b/src/conf.h > -@@ -67,6 +67,7 @@ int SCConfGetInt(const char *name, intmax_t *val); > - int SCConfGetBool(const char *name, int *val); > - int SCConfGetDouble(const char *name, double *val); > - int SCConfGetFloat(const char *name, float *val); > -+int SCConfGetTime(const char *name, uint64_t *val); > - int SCConfSet(const char *name, const char *val); > - int SCConfSetFromString(const char *input, int final); > - int SCConfSetFinal(const char *name, const char *val); > -commit fd3847db728536f6b345c33542f98a72fc058e8b > -Author: Lukas Sismis <[email protected]> > -Date: Mon Sep 15 11:36:01 2025 +0200 > - > - path: signal last use of the file (touch) > - > - To have a system-level overview of when was the last time the file was > - used, update the file modification timestamp to to the current time. > - > - This is needed to remove stale cache files of the system. > - > - Access time is not used as it may be, on the system level, disabled. > - > - Ticket: 7830 > - > -diff --git a/src/util-path.c b/src/util-path.c > -index 356c4a772..cde5a67ff 100644 > ---- a/src/util-path.c > -+++ b/src/util-path.c > -@@ -277,3 +277,23 @@ bool SCPathContainsTraversal(const char *path) > - #endif > - return strstr(path, pattern) != NULL; > - } > -+ > -+/** > -+ * \brief Update access and modification time of an existing file to 'now'. 
> -+ * \param path The file path to touch > -+ * \retval 0 on success, -1 on failure > -+ */ > -+int SCTouchFile(const char *path) > -+{ > -+ if (path == NULL || path[0] == '\0') { > -+ errno = EINVAL; > -+ return -1; > -+ } > -+#ifndef OS_WIN32 > -+ struct utimbuf ub; > -+ ub.actime = ub.modtime = time(NULL); > -+ if (utime(path, &ub) == 0) > -+ return 0; > -+#endif > -+ return -1; > -+} > -diff --git a/src/util-path.h b/src/util-path.h > -index b2b262490..e835d847d 100644 > ---- a/src/util-path.h > -+++ b/src/util-path.h > -@@ -59,5 +59,6 @@ bool SCIsRegularFile(const struct dirent *const dir_entry); > - char *SCRealPath(const char *path, char *resolved_path); > - const char *SCBasename(const char *path); > - bool SCPathContainsTraversal(const char *path); > -+int SCTouchFile(const char *path); > - > - #endif /* SURICATA_UTIL_PATH_H */ > -commit 7031c268655aec5c44420902bbda6f7aea8eba33 > -Author: Lukas Sismis <[email protected]> > -Date: Mon Sep 15 11:39:02 2025 +0200 > - > - hs: touch cache files on use to signal activity > - > - Ticket: 7830 > - > -diff --git a/src/util-mpm-hs-cache.c b/src/util-mpm-hs-cache.c > -index 83bbee59c..41b308171 100644 > ---- a/src/util-mpm-hs-cache.c > -+++ b/src/util-mpm-hs-cache.c > -@@ -150,6 +150,10 @@ int HSLoadCache(hs_database_t **hs_db, const char > *hs_db_hash, const char *dirpa > - } > - > - ret = 0; > -+ /* Touch file to update modification time so active caches are > retained. */ > -+ if (SCTouchFile(hash_file_static) != 0) { > -+ SCLogDebug("Failed to update mtime for %s", hash_file_static); > -+ } > - goto freeup; > - } > - > -commit 08f5abe5e967bbcfbc0c11a797ef86125afd3db8 > -Author: Lukas Sismis <[email protected]> > -Date: Sun Dec 28 00:09:29 2025 +0100 > - > - detect-engine: make mpm & spm part of MT stub ctx > - > - As a intermediary step for Hyperscan (MPM) caching, > - the MPM config initialization should be part of the default > - detect engine context for later dynamic retrieval. 
> - > - Ticket: 7830 > - > -diff --git a/src/detect-engine.c b/src/detect-engine.c > -index b6d2d4237..12b1683c5 100644 > ---- a/src/detect-engine.c > -+++ b/src/detect-engine.c > -@@ -2495,6 +2495,20 @@ static DetectEngineCtx *DetectEngineCtxInitReal( > - de_ctx->filemagic_thread_ctx_id = -1; > - de_ctx->tenant_id = tenant_id; > - > -+ de_ctx->mpm_matcher = PatternMatchDefaultMatcher(); > -+ de_ctx->spm_matcher = SinglePatternMatchDefaultMatcher(); > -+ > -+ if (mpm_table[de_ctx->mpm_matcher].ConfigInit) { > -+ de_ctx->mpm_cfg = mpm_table[de_ctx->mpm_matcher].ConfigInit(); > -+ if (de_ctx->mpm_cfg == NULL) { > -+ goto error; > -+ } > -+ } > -+ if (DetectEngineMpmCachingEnabled() && > mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet) { > -+ mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet( > -+ de_ctx->mpm_cfg, DetectEngineMpmCachingGetPath()); > -+ } > -+ > - if (type == DETECT_ENGINE_TYPE_DD_STUB || type == > DETECT_ENGINE_TYPE_MT_STUB) { > - de_ctx->version = DetectEngineGetVersion(); > - SCLogDebug("stub %u with version %u", type, de_ctx->version); > -@@ -2511,23 +2525,8 @@ static DetectEngineCtx *DetectEngineCtxInitReal( > - } > - de_ctx->failure_fatal = (failure_fatal == 1); > - > -- de_ctx->mpm_matcher = PatternMatchDefaultMatcher(); > -- de_ctx->spm_matcher = SinglePatternMatchDefaultMatcher(); > -- SCLogConfig("pattern matchers: MPM: %s, SPM: %s", > -- mpm_table[de_ctx->mpm_matcher].name, > -- spm_table[de_ctx->spm_matcher].name); > -- > -- if (mpm_table[de_ctx->mpm_matcher].ConfigInit) { > -- de_ctx->mpm_cfg = mpm_table[de_ctx->mpm_matcher].ConfigInit(); > -- if (de_ctx->mpm_cfg == NULL) { > -- goto error; > -- } > -- } > -- if (DetectEngineMpmCachingEnabled() && > mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet) { > -- mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet( > -- de_ctx->mpm_cfg, DetectEngineMpmCachingGetPath()); > -- } > -- > -+ SCLogConfig("pattern matchers: MPM: %s, SPM: %s", > mpm_table[de_ctx->mpm_matcher].name, > -+ 
spm_table[de_ctx->spm_matcher].name); > - de_ctx->spm_global_thread_ctx = > SpmInitGlobalThreadCtx(de_ctx->spm_matcher); > - if (de_ctx->spm_global_thread_ctx == NULL) { > - SCLogDebug("Unable to alloc SpmGlobalThreadCtx."); > -commit 15c83be61ac3f47bf198fe24eb908db5a84b7ccd > -Author: Lukas Sismis <[email protected]> > -Date: Mon Sep 15 11:24:23 2025 +0200 > - > - hs: prune stale MPM cache files > - > - Hyperscan MPM can cache the compiled contexts to files. > - This however grows as rulesets change and leads to bloating > - the system. This addition prunes the stale cache files based > - on their modified file timestamp. > - > - Part of this work incorporates new model for MPM cache stats > - to split it out from the cache save function and aggregate > - cache-related stats in one place (newly added pruning). > - > - Ticket: 7830 > - > -diff --git a/doc/userguide/performance/hyperscan.rst > b/doc/userguide/performance/hyperscan.rst > -index 065163110..1060d3aef 100644 > ---- a/doc/userguide/performance/hyperscan.rst > -+++ b/doc/userguide/performance/hyperscan.rst > -@@ -83,6 +83,8 @@ if it is present on the system in case of the "auto" > setting. > - If the current suricata installation does not have hyperscan > - support, refer to :ref:`installation` > - > -+.. _hyperscan-cache-configuration: > -+ > - Hyperscan caching > - ~~~~~~~~~~~~~~~~~ > - > -@@ -104,6 +106,24 @@ To enable this function, in `suricata.yaml` configure: > - sgh-mpm-caching-path: /var/lib/suricata/cache/hs > - > - > -+To avoid cache files growing indefinitely, Suricata supports pruning of old > -+cache files. Suricata removes cache files older than the specified age > -+on startup/rule reloads, where age is determined by delta of the file > -+modification time and the current time. > -+Cache files that are actively being used will have their modification time > -+updated when loaded, so they won't be deleted. 
> -+ > -+In `suricata.yaml` configure: > -+ > -+:: > -+ > -+ detect: > -+ sgh-mpm-caching-max-age: 7d > -+ > -+The setting accepts a combination of time units (s,m,h,d,w,y), > -+e.g. `1w 3d 12h` for 1 week, 3 days and 12 hours. Setting the value to `0` > -+disables pruning. > -+ > - **Note**: > - You might need to create and adjust permissions to the default caching > folder > - path, especially if you are running Suricata as a non-root user. > -diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst > -index ef8d1e369..054e3eb38 100644 > ---- a/doc/userguide/upgrade.rst > -+++ b/doc/userguide/upgrade.rst > -@@ -68,6 +68,10 @@ Other Changes > - from unbounded to 2048. Configuration options, ``max-tx``, > - ``max-points``, and ``max-objects`` have been added for users who > - may need to change these defaults. > -+- Hyperscan caching (`detect.sgh-mpm-caching`), when enabled, prunes > -+ cache files that have not been used in the last 7 days by default. > -+ See :ref:`Hyperscan caching configuration > -+ <hyperscan-cache-configuration>` for more information. 
> - > - Upgrading to 8.0.1 > - ------------------ > -diff --git a/src/detect-engine-loader.c b/src/detect-engine-loader.c > -index ef0e8ef13..a97ebd6d2 100644 > ---- a/src/detect-engine-loader.c > -+++ b/src/detect-engine-loader.c > -@@ -502,10 +502,6 @@ skip_regular_rules: > - > - ret = 0; > - > -- if (mpm_table[de_ctx->mpm_matcher].CacheRuleset != NULL) { > -- mpm_table[de_ctx->mpm_matcher].CacheRuleset(de_ctx->mpm_cfg); > -- } > -- > - end: > - gettimeofday(&de_ctx->last_reload, NULL); > - if (SCRunmodeGet() == RUNMODE_ENGINE_ANALYSIS) { > -diff --git a/src/detect-engine.c b/src/detect-engine.c > -index 12b1683c5..28e0bc14a 100644 > ---- a/src/detect-engine.c > -+++ b/src/detect-engine.c > -@@ -2481,6 +2481,49 @@ const char *DetectEngineMpmCachingGetPath(void) > - return SGH_CACHE_DIR; > - } > - > -+void DetectEngineMpmCacheService(uint32_t op_flags) > -+{ > -+ DetectEngineCtx *de_ctx = DetectEngineGetCurrent(); > -+ if (!de_ctx) { > -+ return; > -+ } > -+ > -+ if (!de_ctx->mpm_cfg || !de_ctx->mpm_cfg->cache_dir_path) { > -+ goto error; > -+ } > -+ > -+ if (mpm_table[de_ctx->mpm_matcher].CacheStatsInit != NULL) { > -+ de_ctx->mpm_cfg->cache_stats = > mpm_table[de_ctx->mpm_matcher].CacheStatsInit(); > -+ if (de_ctx->mpm_cfg->cache_stats == NULL) { > -+ goto error; > -+ } > -+ } > -+ > -+ if (op_flags & DETECT_ENGINE_MPM_CACHE_OP_SAVE) { > -+ if (mpm_table[de_ctx->mpm_matcher].CacheRuleset != NULL) { > -+ mpm_table[de_ctx->mpm_matcher].CacheRuleset(de_ctx->mpm_cfg); > -+ } > -+ } > -+ > -+ if (op_flags & DETECT_ENGINE_MPM_CACHE_OP_PRUNE) { > -+ if (mpm_table[de_ctx->mpm_matcher].CachePrune != NULL) { > -+ mpm_table[de_ctx->mpm_matcher].CachePrune(de_ctx->mpm_cfg); > -+ } > -+ } > -+ > -+ if (mpm_table[de_ctx->mpm_matcher].CacheStatsPrint != NULL) { > -+ > mpm_table[de_ctx->mpm_matcher].CacheStatsPrint(de_ctx->mpm_cfg->cache_stats); > -+ } > -+ > -+ if (mpm_table[de_ctx->mpm_matcher].CacheStatsDeinit != NULL) { > -+ > 
mpm_table[de_ctx->mpm_matcher].CacheStatsDeinit(de_ctx->mpm_cfg->cache_stats); > -+ de_ctx->mpm_cfg->cache_stats = NULL; > -+ } > -+ > -+error: > -+ DetectEngineDeReference(&de_ctx); > -+} > -+ > - static DetectEngineCtx *DetectEngineCtxInitReal( > - enum DetectEngineType type, const char *prefix, uint32_t tenant_id) > - { > -@@ -2503,10 +2546,18 @@ static DetectEngineCtx *DetectEngineCtxInitReal( > - if (de_ctx->mpm_cfg == NULL) { > - goto error; > - } > -- } > -- if (DetectEngineMpmCachingEnabled() && > mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet) { > -- mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet( > -- de_ctx->mpm_cfg, DetectEngineMpmCachingGetPath()); > -+ > -+ if (DetectEngineMpmCachingEnabled() && > mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet) { > -+ mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet( > -+ de_ctx->mpm_cfg, DetectEngineMpmCachingGetPath()); > -+ > -+ if (mpm_table[de_ctx->mpm_matcher].CachePrune) { > -+ if (SCConfGetTime("detect.sgh-mpm-caching-max-age", > -+ &de_ctx->mpm_cfg->cache_max_age_seconds) != 1) { > -+ de_ctx->mpm_cfg->cache_max_age_seconds = 7ULL * 24ULL * > 60ULL * 60ULL; > -+ } > -+ } > -+ } > - } > - > - if (type == DETECT_ENGINE_TYPE_DD_STUB || type == > DETECT_ENGINE_TYPE_MT_STUB) { > -@@ -4885,6 +4936,8 @@ int DetectEngineReload(const SCInstance *suri) > - > - SCLogDebug("old_de_ctx should have been freed"); > - > -+ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE | > DETECT_ENGINE_MPM_CACHE_OP_PRUNE); > -+ > - SCLogNotice("rule reload complete"); > - > - #ifdef HAVE_MALLOC_TRIM > -diff --git a/src/detect-engine.h b/src/detect-engine.h > -index 2c56475f6..2d45d3253 100644 > ---- a/src/detect-engine.h > -+++ b/src/detect-engine.h > -@@ -88,6 +88,7 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, > void **); > - TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *); > - bool DetectEngineMpmCachingEnabled(void); > - const char *DetectEngineMpmCachingGetPath(void); > -+void 
DetectEngineMpmCacheService(uint32_t op_flags); > - /* faster as a macro than a inline function on my box -- VJ */ > - #define DetectEngineGetMaxSigId(de_ctx) ((de_ctx)->signum) > - void DetectEngineResetMaxSigId(DetectEngineCtx *); > -diff --git a/src/detect.h b/src/detect.h > -index 62c888e6a..49fbfe3eb 100644 > ---- a/src/detect.h > -+++ b/src/detect.h > -@@ -1750,6 +1750,9 @@ extern SigTableElmt *sigmatch_table; > - > - /** Remember to add the options in SignatureIsIPOnly() at detect.c > otherwise it wont be part of a signature group */ > - > -+#define DETECT_ENGINE_MPM_CACHE_OP_PRUNE BIT_U32(0) > -+#define DETECT_ENGINE_MPM_CACHE_OP_SAVE BIT_U32(1) > -+ > - /* detection api */ > - TmEcode Detect(ThreadVars *tv, Packet *p, void *data); > - uint8_t DetectPreFlow(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, > Packet *p); > -diff --git a/src/runmode-unix-socket.c b/src/runmode-unix-socket.c > -index c2405f057..706a35b7e 100644 > ---- a/src/runmode-unix-socket.c > -+++ b/src/runmode-unix-socket.c > -@@ -967,6 +967,8 @@ TmEcode UnixSocketRegisterTenantHandler(json_t *cmd, > json_t* answer, void *data) > - return TM_ECODE_FAILED; > - } > - > -+ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE); > -+ > - json_object_set_new(answer, "message", json_string("handler added")); > - return TM_ECODE_OK; > - } > -@@ -1054,6 +1056,8 @@ TmEcode UnixSocketUnregisterTenantHandler(json_t *cmd, > json_t* answer, void *dat > - return TM_ECODE_FAILED; > - } > - > -+ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_PRUNE); > -+ > - json_object_set_new(answer, "message", json_string("handler removed")); > - return TM_ECODE_OK; > - } > -@@ -1126,6 +1130,8 @@ TmEcode UnixSocketRegisterTenant(json_t *cmd, json_t* > answer, void *data) > - return TM_ECODE_FAILED; > - } > - > -+ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE); > -+ > - json_object_set_new(answer, "message", json_string("adding tenant > succeeded")); > - return TM_ECODE_OK; > - } > -@@ 
-1193,6 +1199,8 @@ TmEcode UnixSocketReloadTenant(json_t *cmd, json_t* > answer, void *data) > - return TM_ECODE_FAILED; > - } > - > -+ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE | > DETECT_ENGINE_MPM_CACHE_OP_PRUNE); > -+ > - json_object_set_new(answer, "message", json_string("reloading tenant > succeeded")); > - return TM_ECODE_OK; > - } > -@@ -1226,6 +1234,7 @@ TmEcode UnixSocketReloadTenants(json_t *cmd, json_t > *answer, void *data) > - return TM_ECODE_FAILED; > - } > - > -+ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE | > DETECT_ENGINE_MPM_CACHE_OP_PRUNE); > - SCLogNotice("reload-tenants complete"); > - > - json_object_set_new(answer, "message", json_string("reloading tenants > succeeded")); > -@@ -1284,6 +1293,8 @@ TmEcode UnixSocketUnregisterTenant(json_t *cmd, > json_t* answer, void *data) > - return TM_ECODE_FAILED; > - } > - > -+ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_PRUNE); > -+ > - /* walk free list, freeing the removed de_ctx */ > - DetectEnginePruneFreeList(); > - > -diff --git a/src/suricata.c b/src/suricata.c > -index c6f94c3ce..a106c56f7 100644 > ---- a/src/suricata.c > -+++ b/src/suricata.c > -@@ -2688,6 +2688,8 @@ void PostConfLoadedDetectSetup(SCInstance *suri) > - gettimeofday(&de_ctx->last_reload, NULL); > - DetectEngineAddToMaster(de_ctx); > - DetectEngineBumpVersion(); > -+ DetectEngineMpmCacheService( > -+ DETECT_ENGINE_MPM_CACHE_OP_SAVE | > DETECT_ENGINE_MPM_CACHE_OP_PRUNE); > - } > - } > - > -diff --git a/src/util-mpm-hs-cache.c b/src/util-mpm-hs-cache.c > -index 41b308171..58a2aa6ab 100644 > ---- a/src/util-mpm-hs-cache.c > -+++ b/src/util-mpm-hs-cache.c > -@@ -37,21 +37,22 @@ > - #include "rust.h" > - #include <hs.h> > - > --static const char *HSCacheConstructFPath(const char *folder_path, const > char *hs_db_hash) > --{ > -- static char hash_file_path[PATH_MAX]; > -+#define HS_CACHE_FILE_VERSION "2" > -+#define HS_CACHE_FILE_SUFFIX "_v" HS_CACHE_FILE_VERSION ".hs" > - > -- char 
hash_file_path_suffix[] = "_v1.hs"; > -+static int16_t HSCacheConstructFPath( > -+ const char *dir_path, const char *db_hash, char *out_path, uint16_t > out_path_size) > -+{ > - char filename[NAME_MAX]; > -- uint64_t r = snprintf(filename, sizeof(filename), "%s%s", hs_db_hash, > hash_file_path_suffix); > -- if (r != (uint64_t)(strlen(hs_db_hash) + strlen(hash_file_path_suffix))) > -- return NULL; > -+ uint64_t r = snprintf(filename, sizeof(filename), "%s" > HS_CACHE_FILE_SUFFIX, db_hash); > -+ if (r != (uint64_t)(strlen(db_hash) + strlen(HS_CACHE_FILE_SUFFIX))) > -+ return -1; > - > -- r = PathMerge(hash_file_path, sizeof(hash_file_path), folder_path, > filename); > -+ r = PathMerge(out_path, out_path_size, dir_path, filename); > - if (r) > -- return NULL; > -+ return -1; > - > -- return hash_file_path; > -+ return 0; > - } > - > - static char *HSReadStream(const char *file_path, size_t *buffer_sz) > -@@ -121,8 +122,11 @@ static void SCHSCachePatternHash(const SCHSPattern *p, > SCSha256 *sha256) > - > - int HSLoadCache(hs_database_t **hs_db, const char *hs_db_hash, const char > *dirpath) > - { > -- const char *hash_file_static = HSCacheConstructFPath(dirpath, > hs_db_hash); > -- if (hash_file_static == NULL) > -+ char hash_file_static[PATH_MAX]; > -+ int ret = (int)HSCacheConstructFPath( > -+ dirpath, hs_db_hash, hash_file_static, > sizeof(hash_file_static)); > -+ > -+ if (ret != 0) > - return -1; > - > - SCLogDebug("Loading the cached HS DB from %s", hash_file_static); > -@@ -131,7 +135,6 @@ int HSLoadCache(hs_database_t **hs_db, const char > *hs_db_hash, const char *dirpa > - > - FILE *db_cache = fopen(hash_file_static, "r"); > - char *buffer = NULL; > -- int ret = 0; > - if (db_cache) { > - size_t buffer_size; > - buffer = HSReadStream(hash_file_static, &buffer_size); > -@@ -170,15 +173,20 @@ static int HSSaveCache(hs_database_t *hs_db, const > char *hs_db_hash, const char > - static bool notified = false; > - char *db_stream = NULL; > - size_t db_size; > -- int 
ret = -1; > -+ int ret; > - > - hs_error_t err = hs_serialize_database(hs_db, &db_stream, &db_size); > - if (err != HS_SUCCESS) { > - SCLogWarning("Failed to serialize Hyperscan database: %s", > HSErrorToStr(err)); > -+ ret = -1; > - goto cleanup; > - } > - > -- const char *hash_file_static = HSCacheConstructFPath(dstpath, > hs_db_hash); > -+ char hash_file_static[PATH_MAX]; > -+ ret = (int)HSCacheConstructFPath( > -+ dstpath, hs_db_hash, hash_file_static, > sizeof(hash_file_static)); > -+ if (ret != 0) > -+ goto cleanup; > - SCLogDebug("Caching the compiled HS at %s", hash_file_static); > - if (SCPathExists(hash_file_static)) { > - // potentially signs that it might not work as expected as we got > into > -@@ -198,6 +206,7 @@ static int HSSaveCache(hs_database_t *hs_db, const char > *hs_db_hash, const char > - hash_file_static); > - notified = true; > - } > -+ ret = -1; > - goto cleanup; > - } > - size_t r = fwrite(db_stream, sizeof(db_stream[0]), db_size, > db_cache_out); > -@@ -217,7 +226,6 @@ static int HSSaveCache(hs_database_t *hs_db, const char > *hs_db_hash, const char > - goto cleanup; > - } > - > -- ret = 0; > - cleanup: > - if (db_stream) > - SCFree(db_stream); > -@@ -270,4 +278,187 @@ void HSSaveCacheIterator(void *data, void *aux) > - } > - } > - > -+void HSCacheFilenameUsedIterator(void *data, void *aux) > -+{ > -+ PatternDatabase *pd = (PatternDatabase *)data; > -+ struct HsInUseCacheFilesIteratorData *iter_data = (struct > HsInUseCacheFilesIteratorData *)aux; > -+ if (pd->no_cache || !pd->cached) > -+ return; > -+ > -+ char hs_db_hash[SC_SHA256_LEN * 2 + 1]; // * 2 for hex +1 for nul > terminator > -+ if (HSHashDb(pd, hs_db_hash, ARRAY_SIZE(hs_db_hash)) != 0) { > -+ return; > -+ } > -+ > -+ char *fpath = SCCalloc(PATH_MAX, sizeof(char)); > -+ if (fpath == NULL) { > -+ SCLogWarning("Failed to allocate memory for cache file path"); > -+ return; > -+ } > -+ if (HSCacheConstructFPath(iter_data->cache_path, hs_db_hash, fpath, > PATH_MAX)) { > -+ 
SCFree(fpath); > -+ return; > -+ } > -+ > -+ int r = HashTableAdd(iter_data->tbl, (void *)fpath, > (uint16_t)strlen(fpath)); > -+ if (r < 0) { > -+ SCLogWarning("Failed to add used cache file path %s to hash table", > fpath); > -+ SCFree(fpath); > -+ } > -+} > -+ > -+/** > -+ * \brief Check if HS cache file is stale by age. > -+ * > -+ * \param mtime File modification time. > -+ * \param cutoff Time cutoff (files older than this will be removed). > -+ * > -+ * \retval true if file should be pruned, false otherwise. > -+ */ > -+static bool HSPruneFileByAge(time_t mtime, time_t cutoff) > -+{ > -+ return mtime < cutoff; > -+} > -+ > -+/** > -+ * \brief Check if HS cache file is version-compatible. > -+ * > -+ * \param filename Cache file name. > -+ * > -+ * \retval true if file should be pruned, false otherwise. > -+ */ > -+static bool HSPruneFileByVersion(const char *filename) > -+{ > -+ if (strlen(filename) < strlen(HS_CACHE_FILE_SUFFIX)) { > -+ return true; > -+ } > -+ > -+ const char *underscore = strrchr(filename, '_'); > -+ if (underscore == NULL || strcmp(underscore, HS_CACHE_FILE_SUFFIX) != > 0) { > -+ return true; > -+ } > -+ > -+ return false; > -+} > -+ > -+int SCHSCachePruneEvaluate(MpmConfig *mpm_conf, HashTable *inuse_caches) > -+{ > -+ if (mpm_conf == NULL || mpm_conf->cache_dir_path == NULL) > -+ return -1; > -+ if (mpm_conf->cache_max_age_seconds == 0) > -+ return 0; // disabled > -+ > -+ const time_t now = time(NULL); > -+ if (now == (time_t)-1) { > -+ return -1; > -+ } else if (mpm_conf->cache_max_age_seconds >= (uint64_t)now) { > -+ return 0; > -+ } > -+ > -+ DIR *dir = opendir(mpm_conf->cache_dir_path); > -+ if (dir == NULL) { > -+ return -1; > -+ } > -+ > -+ struct dirent *ent; > -+ char path[PATH_MAX]; > -+ uint32_t considered = 0, removed = 0; > -+ const time_t cutoff = now - (time_t)mpm_conf->cache_max_age_seconds; > -+ while ((ent = readdir(dir)) != NULL) { > -+ const char *name = ent->d_name; > -+ size_t namelen = strlen(name); > -+ if 
(namelen < 3 || strcmp(name + namelen - 3, ".hs") != 0) > -+ continue; > -+ > -+ if (PathMerge(path, ARRAY_SIZE(path), mpm_conf->cache_dir_path, > name) != 0) > -+ continue; > -+ > -+ struct stat st; > -+ if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) > -+ continue; > -+ > -+ considered++; > -+ > -+ const bool prune_by_age = HSPruneFileByAge(st.st_mtime, cutoff); > -+ const bool prune_by_version = HSPruneFileByVersion(name); > -+ if (!prune_by_age && !prune_by_version) > -+ continue; > -+ > -+ void *cache_inuse = HashTableLookup(inuse_caches, path, > (uint16_t)strlen(path)); > -+ if (cache_inuse != NULL) > -+ continue; // in use > -+ > -+ if (unlink(path) == 0) { > -+ removed++; > -+ SCLogDebug("File %s removed because of %s%s%s", path, > prune_by_age ? "age" : "", > -+ prune_by_age && prune_by_version ? " and " : "", > -+ prune_by_version ? "incompatible version" : ""); > -+ } else { > -+ SCLogWarning("Failed to prune \"%s\": %s", path, > strerror(errno)); > -+ } > -+ } > -+ closedir(dir); > -+ > -+ PatternDatabaseCache *pd_cache_stats = mpm_conf->cache_stats; > -+ if (pd_cache_stats) { > -+ pd_cache_stats->hs_dbs_cache_pruned_cnt = removed; > -+ pd_cache_stats->hs_dbs_cache_pruned_considered_cnt = considered; > -+ pd_cache_stats->hs_dbs_cache_pruned_cutoff = cutoff; > -+ pd_cache_stats->cache_max_age_seconds = > mpm_conf->cache_max_age_seconds; > -+ } > -+ return 0; > -+} > -+ > -+void *SCHSCacheStatsInit(void) > -+{ > -+ PatternDatabaseCache *pd_cache_stats = SCCalloc(1, > sizeof(PatternDatabaseCache)); > -+ if (pd_cache_stats == NULL) { > -+ SCLogError("Failed to allocate memory for Hyperscan cache stats"); > -+ return NULL; > -+ } > -+ return pd_cache_stats; > -+} > -+ > -+void SCHSCacheStatsPrint(void *data) > -+{ > -+ if (data == NULL) { > -+ return; > -+ } > -+ > -+ PatternDatabaseCache *pd_cache_stats = (PatternDatabaseCache *)data; > -+ > -+ char time_str[64]; > -+ struct tm tm_s; > -+ struct tm *tm_info = > 
SCLocalTime(pd_cache_stats->hs_dbs_cache_pruned_cutoff, &tm_s); > -+ if (tm_info != NULL) { > -+ strftime(time_str, ARRAY_SIZE(time_str), "%Y-%m-%d %H:%M:%S", > tm_info); > -+ } else { > -+ snprintf(time_str, ARRAY_SIZE(time_str), "%" PRIu64 " seconds", > -+ pd_cache_stats->cache_max_age_seconds); > -+ } > -+ > -+ if (pd_cache_stats->hs_cacheable_dbs_cnt) { > -+ SCLogInfo("Rule group caching - loaded: %u newly cached: %u total > cacheable: %u", > -+ pd_cache_stats->hs_dbs_cache_loaded_cnt, > pd_cache_stats->hs_dbs_cache_saved_cnt, > -+ pd_cache_stats->hs_cacheable_dbs_cnt); > -+ } > -+ if (pd_cache_stats->hs_dbs_cache_pruned_considered_cnt) { > -+ SCLogInfo("Rule group cache pruning removed %u/%u of HS caches due > to " > -+ "version-incompatibility (not v%s) or " > -+ "age (older than %s)", > -+ pd_cache_stats->hs_dbs_cache_pruned_cnt, > -+ pd_cache_stats->hs_dbs_cache_pruned_considered_cnt, > HS_CACHE_FILE_VERSION, > -+ time_str); > -+ } > -+} > -+ > -+void SCHSCacheStatsDeinit(void *data) > -+{ > -+ if (data == NULL) { > -+ return; > -+ } > -+ PatternDatabaseCache *pd_cache_stats = (PatternDatabaseCache *)data; > -+ SCFree(pd_cache_stats); > -+} > -+ > - #endif /* BUILD_HYPERSCAN */ > -diff --git a/src/util-mpm-hs-cache.h b/src/util-mpm-hs-cache.h > -index 225c5001a..24b4eece0 100644 > ---- a/src/util-mpm-hs-cache.h > -+++ b/src/util-mpm-hs-cache.h > -@@ -35,9 +35,24 @@ struct HsIteratorData { > - const char *cache_path; > - }; > - > -+/** > -+ * \brief Data structure to store in-use cache files. > -+ * Used in cache pruning to avoid deleting files that are still in use. 
> -+ */ > -+struct HsInUseCacheFilesIteratorData { > -+ HashTable *tbl; // stores file paths of in-use cache files > -+ const char *cache_path; > -+}; > -+ > - int HSLoadCache(hs_database_t **hs_db, const char *hs_db_hash, const char > *dirpath); > - int HSHashDb(const PatternDatabase *pd, char *hash, size_t hash_len); > - void HSSaveCacheIterator(void *data, void *aux); > -+void HSCacheFilenameUsedIterator(void *data, void *aux); > -+int SCHSCachePruneEvaluate(MpmConfig *mpm_conf, HashTable *inuse_caches); > -+ > -+void *SCHSCacheStatsInit(void); > -+void SCHSCacheStatsPrint(void *data); > -+void SCHSCacheStatsDeinit(void *data); > - #endif /* BUILD_HYPERSCAN */ > - > - #endif /* SURICATA_UTIL_MPM_HS_CACHE__H */ > -diff --git a/src/util-mpm-hs-core.h b/src/util-mpm-hs-core.h > -index 699dd6956..8392127cf 100644 > ---- a/src/util-mpm-hs-core.h > -+++ b/src/util-mpm-hs-core.h > -@@ -93,6 +93,10 @@ typedef struct PatternDatabaseCache_ { > - uint32_t hs_cacheable_dbs_cnt; > - uint32_t hs_dbs_cache_loaded_cnt; > - uint32_t hs_dbs_cache_saved_cnt; > -+ uint32_t hs_dbs_cache_pruned_cnt; > -+ uint32_t hs_dbs_cache_pruned_considered_cnt; > -+ time_t hs_dbs_cache_pruned_cutoff; > -+ uint64_t cache_max_age_seconds; > - } PatternDatabaseCache; > - > - const char *HSErrorToStr(hs_error_t error_code); > -diff --git a/src/util-mpm-hs.c b/src/util-mpm-hs.c > -index ad7178eb8..df4a66b2e 100644 > ---- a/src/util-mpm-hs.c > -+++ b/src/util-mpm-hs.c > -@@ -835,18 +835,53 @@ static int SCHSCacheRuleset(MpmConfig *mpm_conf) > - mpm_conf->cache_dir_path); > - return -1; > - } > -- PatternDatabaseCache pd_stats = { 0 }; > -- struct HsIteratorData iter_data = { .pd_stats = &pd_stats, > -+ PatternDatabaseCache *pd_stats = mpm_conf->cache_stats; > -+ struct HsIteratorData iter_data = { .pd_stats = pd_stats, > - .cache_path = mpm_conf->cache_dir_path }; > - SCMutexLock(&g_db_table_mutex); > - HashTableIterate(g_db_table, HSSaveCacheIterator, &iter_data); > - SCMutexUnlock(&g_db_table_mutex); 
> -- SCLogNotice("Rule group caching - loaded: %u newly cached: %u total > cacheable: %u", > -- pd_stats.hs_dbs_cache_loaded_cnt, > pd_stats.hs_dbs_cache_saved_cnt, > -- pd_stats.hs_cacheable_dbs_cnt); > - return 0; > - } > - > -+static uint32_t FilenameTableHash(HashTable *ht, void *data, uint16_t len) > -+{ > -+ const char *fname = data; > -+ uint32_t hash = hashlittle_safe(data, strlen(fname), 0); > -+ hash %= ht->array_size; > -+ return hash; > -+} > -+ > -+static void FilenameTableFree(void *data) > -+{ > -+ SCFree(data); > -+} > -+ > -+static int SCHSCachePrune(MpmConfig *mpm_conf) > -+{ > -+ if (!mpm_conf || !mpm_conf->cache_dir_path) { > -+ return -1; > -+ } > -+ > -+ SCLogDebug("Pruning the Hyperscan cache folder %s", > mpm_conf->cache_dir_path); > -+ // we need to initialize hash map of in-use cache files > -+ HashTable *inuse_caches = > -+ HashTableInit(INIT_DB_HASH_SIZE, FilenameTableHash, NULL, > FilenameTableFree); > -+ if (inuse_caches == NULL) { > -+ return -1; > -+ } > -+ struct HsInUseCacheFilesIteratorData iter_data = { .tbl = inuse_caches, > -+ .cache_path = mpm_conf->cache_dir_path }; > -+ > -+ SCMutexLock(&g_db_table_mutex); > -+ HashTableIterate(g_db_table, HSCacheFilenameUsedIterator, &iter_data); > -+ SCMutexUnlock(&g_db_table_mutex); > -+ > -+ int r = SCHSCachePruneEvaluate(mpm_conf, inuse_caches); > -+ HashTableFree(inuse_caches); > -+ return r; > -+} > -+ > - /** > - * \brief Init the mpm thread context. 
> - * > -@@ -1178,7 +1213,11 @@ void MpmHSRegister(void) > - mpm_table[MPM_HS].AddPattern = SCHSAddPatternCS; > - mpm_table[MPM_HS].AddPatternNocase = SCHSAddPatternCI; > - mpm_table[MPM_HS].Prepare = SCHSPreparePatterns; > -+ mpm_table[MPM_HS].CacheStatsInit = SCHSCacheStatsInit; > -+ mpm_table[MPM_HS].CacheStatsPrint = SCHSCacheStatsPrint; > -+ mpm_table[MPM_HS].CacheStatsDeinit = SCHSCacheStatsDeinit; > - mpm_table[MPM_HS].CacheRuleset = SCHSCacheRuleset; > -+ mpm_table[MPM_HS].CachePrune = SCHSCachePrune; > - mpm_table[MPM_HS].Search = SCHSSearch; > - mpm_table[MPM_HS].PrintCtx = SCHSPrintInfo; > - mpm_table[MPM_HS].PrintThreadCtx = SCHSPrintSearchStats; > -diff --git a/src/util-mpm.h b/src/util-mpm.h > -index c2c434152..859ceae12 100644 > ---- a/src/util-mpm.h > -+++ b/src/util-mpm.h > -@@ -90,6 +90,8 @@ typedef struct MpmPattern_ { > - > - typedef struct MpmConfig_ { > - const char *cache_dir_path; > -+ uint64_t cache_max_age_seconds; /* 0 means disabled/no pruning policy */ > -+ void *cache_stats; > - } MpmConfig; > - > - typedef struct MpmCtx_ { > -@@ -175,7 +177,11 @@ typedef struct MpmTableElmt_ { > - int (*AddPatternNocase)(struct MpmCtx_ *, const uint8_t *, uint16_t, > uint16_t, uint16_t, > - uint32_t, SigIntId, uint8_t); > - int (*Prepare)(MpmConfig *, struct MpmCtx_ *); > -+ void *(*CacheStatsInit)(void); > -+ void (*CacheStatsPrint)(void *data); > -+ void (*CacheStatsDeinit)(void *data); > - int (*CacheRuleset)(MpmConfig *); > -+ int (*CachePrune)(MpmConfig *); > - /** \retval cnt number of patterns that matches: once per pattern max. > */ > - uint32_t (*Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, > PrefilterRuleStore *, const uint8_t *, uint32_t); > - void (*PrintCtx)(struct MpmCtx_ *); > -diff --git a/suricata.yaml.in b/suricata.yaml.in > -index a0ab5a066..d7ce7c2cc 100644 > ---- a/suricata.yaml.in > -+++ b/suricata.yaml.in > -@@ -1810,6 +1810,10 @@ detect: > - # Cache files are created in the standard library directory. 
> - sgh-mpm-caching: yes > - sgh-mpm-caching-path: @e_sghcachedir@ > -+ # Maximum age for cached MPM databases before they are pruned. > -+ # Accepts a combination of time units (s,m,h,d,w,y). > -+ # Omit to use the default, 0 to disable. > -+ # sgh-mpm-caching-max-age: 7d > - # inspection-recursion-limit: 3000 > - # maximum number of times a tx will get logged for rules without > app-layer keywords > - # stream-tx-log-limit: 4 > -commit 56c1552c3e8425ca07ce3b6ba88f2215b984c5fb > -Author: Lukas Sismis <[email protected]> > -Date: Mon Nov 3 19:47:16 2025 +0100 > - > - hs: warn about the same cache directory > - > - This is especially relevant for multi-instance simultaneous setups > - as we might risk read/write races. > - > -diff --git a/doc/userguide/performance/hyperscan.rst > b/doc/userguide/performance/hyperscan.rst > -index 1060d3aef..a64322730 100644 > ---- a/doc/userguide/performance/hyperscan.rst > -+++ b/doc/userguide/performance/hyperscan.rst > -@@ -127,3 +127,7 @@ disables pruning. > - **Note**: > - You might need to create and adjust permissions to the default caching > folder > - path, especially if you are running Suricata as a non-root user. > -+ > -+**Note**: > -+If you're running multiple Suricata instances, use separate cache folders > -+for each one to avoid read/write conflicts when they run at the same time. > -- > 2.53.0 > >
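Review bot: the `src/util-mpm-hs-cache.c` hunk being dropped is the only code that cleans the cache directory, and its `HSPruneFileByVersion` prunes any `.hs` file whose suffix is not `HS_CACHE_FILE_SUFFIX` (`_v2.hs`) regardless of age, so the `_v1.hs` files left behind by the 8.0.3 build are removed only if the 8.0.4 sources carry the same version check. Before merging the removal, please also confirm that upstream kept the in-use guard (`HashTableLookup(inuse_caches, path, ...)` over the table filled by `HSCacheFilenameUsedIterator` under `g_db_table_mutex`): without it, a second instance pointed at the same `sgh-mpm-caching-path` can `unlink()` a file the first one is about to `HSLoadCache`, which is the read/write race the second removed commit's doc note warns about.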
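Review bot: the dropped `src/detect-engine.c` hunk falls back to the 7-day default (`7ULL * 24ULL * 60ULL * 60ULL`) only when `SCConfGetTime("detect.sgh-mpm-caching-max-age", ...)` returns anything other than 1, and the dropped `suricata.yaml.in` hunk states that `0` disables pruning entirely. Since the lfs now builds from the 8.0.4 template instead of this patch, please check the `suricata.yaml` that ships in Core Update 201 for the key's presence and value: an explicit `0` silently turns pruning off, and any other value not accepted by `SCConfGetTime` silently yields 7d, so the backport should be verified to behave as 8.0.3 with this patch did.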
