Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect pseudo/v3 #11088

Closed
wants to merge 7 commits into from
Closed

Detect pseudo/v3 #11088

wants to merge 7 commits into from

Conversation

victorjulien
Copy link
Member

https://redmine.openinfosecfoundation.org/issues/7002 with a few minor cleanups.

Replace #11001:

  • rebase to master
  • add csum
  • stream_size fixup

@victorjulien
detect: skip pseudo packets if sig needs real pkt
ab39a7c 
If a signature uses a condition that requires a real packet, filter
out pseudo packets as early as possible. To do this, the SignatureMask
logic is used.

This allows for the removal of checks for pseudo packets in individual
keywords `Match` functions, which will be done in a follow up commit.

Update analyzer to output the new flag.

Ticket: OISF#7002.
@victorjulien
detect: remove pseudo checks from packet keywords
a75c622 
Keep as debug validation check.
@victorjulien
detect/prefilter: minor function ptr cleanup
bcaa5ae 
Use a typedef'd function pointer for packet Prefilter callbacks to make
the code consistent with the other callbacks.
@victorjulien
detect/prefilter: use sig mask to exclude pkt engines
2448013 
Add an argument to the packet prefilter registration function to include
`SignatureMask` flags. This will be used at runtime to only call these
prefilter engines when the mask check passes.
@victorjulien
detect/csum: general code cleanups
75a60f6
@victorjulien
detect/csum: remove pseudo packet checks
bf4c2a5
@victorjulien
detect/stream_size: allow match on pseudo packets
baf9d52 
Often used with stream content, which can be inspected with pseudo packets.
@victorjulien victorjulien mentioned this pull request May 16, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented May 16, 2024
edited

Codecov Report

Attention: Patch coverage is 77.71084% with 37 lines in your changes are missing coverage. Please review.

Project coverage is 83.75%. Comparing base (806052d) to head (baf9d52).
Report is 9 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #11088      +/-   ##
==========================================
+ Coverage   83.63%   83.75%   +0.12%     
==========================================
  Files         922      922              
  Lines      250375   250434      +59     
==========================================
+ Hits       209399   209761     +362     
+ Misses      40976    40673     -303
Flag Coverage Δ
fuzzcorpus 64.21% <65.66%> (-0.02%) ⬇️
livemode 19.25% <4.81%> (+0.83%) ⬆️
suricata-verify 62.83% <34.33%> (+0.04%) ⬆️
unittests 62.24% <37.95%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 20651

@victorjulien victorjulien marked this pull request as ready for review May 16, 2024 17:56
victorjulien
victorjulien commented May 21, 2024
View reviewed changes
src/detect-stream_size.c
@@ -170,7 +169,8 @@ void DetectStreamSizeFree(DetectEngineCtx *de_ctx, void *ptr)
static void PrefilterPacketStreamsizeMatch(
DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
{
if (!(PacketIsTCP(p)) || PKT_IS_PSEUDOPKT(p))
DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p));
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems wrong, as stream_size can be used with timeout packets in rules, so prefilter should support it as well

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this PR a draft then ?

catenacyber
catenacyber reviewed May 31, 2024
View reviewed changes
src/detect-stream_size.c
return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_STREAM_SIZE,
SIG_MASK_REQUIRE_FLOW | SIG_MASK_REQUIRE_REAL_PKT, PrefilterPacketStreamSizeSet,
PrefilterPacketStreamSizeCompare, PrefilterPacketStreamsizeMatch);
return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_STREAM_SIZE, SIG_MASK_REQUIRE_FLOW,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This last commit needs to be squashed, right ?

@catenacyber
Copy link
Contributor

There seems to be that there is a big feature that prefilter uses SIG_MASK_REQUIRE_FLOW and other flags now (not only SIG_MASK_REQUIRE_REAL_PKT) right ?

@victorjulien victorjulien marked this pull request as draft June 7, 2024 12:16
@victorjulien victorjulien mentioned this pull request Jun 8, 2024
Open
@victorjulien
Copy link
Member Author

replaced by #11274

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
3 participants
@victorjulien @suricata-qa @catenacyber