Detect pseudo/v3 #11088
If a signature uses a condition that requires a real packet, filter out pseudo packets as early as possible. To do this, the SignatureMask logic is used. This allows for the removal of checks for pseudo packets in individual keywords `Match` functions, which will be done in a follow up commit. Update analyzer to output the new flag. Ticket: OISF#7002.
Keep as debug validation check.
Use a typedef'd function pointer for packet Prefilter callbacks to make the code consistent with the other callbacks.
Add an argument to the packet prefilter registration function to include `SignatureMask` flags. This will be used at runtime to only call these prefilter engines when the mask check passes.
Often used with stream content, which can be inspected with pseudo packets.
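As an added illustration (not Suricata's own code) of the mask gate the commits above describe: each packet prefilter engine registers the SIG_MASK_REQUIRE_* bits its signatures need, each packet computes which bits it can satisfy, and the engine's Match callback is only called when the gate passes, so the pseudo-packet test inside the callback shrinks to a sanity check. The struct layouts, the PKT_PSEUDO_STREAM_END bit and the helper names are assumptions.

```c
/* Added illustration, not Suricata's code: a minimal model of a SignatureMask
 * gate in front of a packet prefilter engine. SIG_MASK_REQUIRE_* and
 * PKT_IS_PSEUDOPKT follow the PR; struct layouts and flag values are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
typedef uint8_t SignatureMask;
#define SIG_MASK_REQUIRE_FLOW     (1u << 0)
#define SIG_MASK_REQUIRE_REAL_PKT (1u << 1)
#define PKT_PSEUDO_STREAM_END     0x01u /* assumed packet flag bit */
#define PKT_IS_PSEUDOPKT(p) (((p)->flags & PKT_PSEUDO_STREAM_END) != 0)
typedef struct Packet_ { uint32_t flags; bool has_flow; bool is_tcp; } Packet;
typedef void (*PrefilterPktFn)(const Packet *p, int *hits);
typedef struct PrefilterEngine_ {
    SignatureMask mask;   /* bits every signature behind this engine requires */
    PrefilterPktFn Match;
} PrefilterEngine;

/* Per-packet mask: which SIG_MASK_REQUIRE_* bits this packet can satisfy. */
static SignatureMask PacketMask(const Packet *p) {
    SignatureMask m = 0;
    if (p->has_flow) m |= SIG_MASK_REQUIRE_FLOW;
    if (!PKT_IS_PSEUDOPKT(p)) m |= SIG_MASK_REQUIRE_REAL_PKT;
    return m;
}

/* The engine body relies on the gate; the pseudo-packet test is only a
 * debug-style sanity check, like DEBUG_VALIDATE_BUG_ON in the PR. */
static void PrefilterStreamSizeMatch(const Packet *p, int *hits) {
    if (PKT_IS_PSEUDOPKT(p)) { fprintf(stderr, "BUG: pseudo packet\n"); return; }
    if (p->is_tcp) (*hits)++;
}

/* Runtime gate: run the engine only if the packet satisfies every required
 * bit. Returns whether the engine was called. */
bool RunPrefilter(const PrefilterEngine *e, const Packet *p, int *hits) {
    if ((PacketMask(p) & e->mask) != e->mask) return false;
    e->Match(p, hits);
    return true;
}
static const PrefilterEngine stream_size_engine = {
    SIG_MASK_REQUIRE_FLOW | SIG_MASK_REQUIRE_REAL_PKT, PrefilterStreamSizeMatch };
/* Hits after one TCP packet with a flow, real (pseudo=false) or pseudo. */
int DemoRun(bool pseudo) {
    Packet p = { pseudo ? PKT_PSEUDO_STREAM_END : 0, true, true };
    int hits = 0;
    RunPrefilter(&stream_size_engine, &p, &hits);
    return hits;
}
```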
Codecov Report
Attention: Patch coverage is

Additional details and impacted files: Coverage Diff

| | master | #11088 | +/- |
|---|---|---|---|
| Coverage | 83.63% | 83.75% | +0.12% |
| Files | 922 | 922 | |
| Lines | 250375 | 250434 | +59 |
| Hits | 209399 | 209761 | +362 |
| Misses | 40976 | 40673 | -303 |
Information: QA ran without warnings. Pipeline 20651
@@ -170,7 +169,8 @@ void DetectStreamSizeFree(DetectEngineCtx *de_ctx, void *ptr) | |||
static void PrefilterPacketStreamsizeMatch( | |||
DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx) | |||
{ | |||
if (!(PacketIsTCP(p)) || PKT_IS_PSEUDOPKT(p)) | |||
DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p)); |
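Review bot: replacing `if (!(PacketIsTCP(p)) || PKT_IS_PSEUDOPKT(p))` with `DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p));` in PrefilterPacketStreamsizeMatch drops two runtime guards at once: the pseudo-packet check becomes a debug-validation-only assertion (the commit message says "Keep as debug validation check"), and the `PacketIsTCP(p)` test disappears from the visible lines entirely. The pseudo-packet part is only sound if every registration of this engine sets SIG_MASK_REQUIRE_REAL_PKT, because in a build without debug validation a pseudo packet reaching this callback would be inspected silently; please confirm the TCP check is still enforced elsewhere (by the mask or the Compare callback), or keep `if (!PacketIsTCP(p)) return;` here.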
seems wrong, as stream_size can be used with timeout packets in rules, so prefilter should support it as well
Is this PR a draft then?
return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_STREAM_SIZE, | ||
SIG_MASK_REQUIRE_FLOW | SIG_MASK_REQUIRE_REAL_PKT, PrefilterPacketStreamSizeSet, | ||
PrefilterPacketStreamSizeCompare, PrefilterPacketStreamsizeMatch); | ||
return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_STREAM_SIZE, SIG_MASK_REQUIRE_FLOW, |
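Review bot: adding SIG_MASK_REQUIRE_REAL_PKT to the PrefilterSetupPacketHeader registration for DETECT_STREAM_SIZE is what makes the debug-only pseudo-packet assertion in the Match callback sound, but it is also a behaviour change: stream_size signatures will no longer be prefiltered on pseudo packets, and the review comment above states that stream_size is used with timeout packets in rules. Either drop SIG_MASK_REQUIRE_REAL_PKT here and keep a runtime pseudo-packet check in the Match callback, or document the change in rule semantics in the commit message.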
This last commit needs to be squashed, right?
It seems that there is a big feature that prefilter uses.
replaced by #11274
Replace #11001: https://redmine.openinfosecfoundation.org/issues/7002 with a few minor cleanups.