Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 7318/v3 #2148

Closed
wants to merge 6 commits into from
Closed

Bug 7318/v3 #2148

wants to merge 6 commits into from

Conversation

victorjulien
Copy link
Member

Various tests related to changes in handling of flow timeout packets.

@victorjulien victorjulien mentioned this pull request Nov 28, 2024
Closed
victorjulien
victorjulien commented Nov 28, 2024
View reviewed changes
tests/bug-5443/test.yaml
@@ -0,0 +1,22 @@
requires:
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actually this is an unrelated test

victorjulien
victorjulien commented Nov 28, 2024
View reviewed changes
tests/firewall/firewall-06-tls-sni-enforce/test.yaml
@@ -6,11 +6,24 @@ args:

checks:
- filter:
min-version: 8
count: 24
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this I think makes sense, the sig is

drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:3;)

If there are no "real" packets, why raise alerts?

victorjulien
victorjulien commented Nov 28, 2024
View reviewed changes
tests/bug-5464-verdict-06/test.yaml
@@ -9,6 +9,22 @@ args:

checks:
- filter:
min-version: 8
count: 25
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rule here is

alert http any any -> any any (sid: 1;)

Should it match on the stream end packets?

@catenacyber are there cases where only at the end of the stream, with the pseudo packets we detect the app protocol? I guess we could, if data stays un-ack'd, then stream terminates, FFR will force handling of un-ACK'd data, detect protocol.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also guess we could indeed...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

45b19c6

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It matched in master on sid 2, in OISF/suricata#12169 it won't match.

@victorjulien victorjulien mentioned this pull request Nov 28, 2024
Closed
@victorjulien
tests: add alproto detection on unacked data
45b19c6 
Data is unacked, so is only processed by flow timeout packets. This is when alert will be generated.
@catenacyber
Copy link
Collaborator

I think this should get closed in favor of the other couple of Suricata + SV PR

@victorjulien
Copy link
Member Author

#2174 has just the sig packet type test updates

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@victorjulien @catenacyber @inashivb