Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect integers 6644 v14 #10246

Closed
wants to merge 5 commits into from
Closed

Detect integers 6644 v14 #10246

wants to merge 5 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6644 and all subtickets
https://redmine.openinfosecfoundation.org/issues/6645
https://redmine.openinfosecfoundation.org/issues/6646
https://redmine.openinfosecfoundation.org/issues/6647
https://redmine.openinfosecfoundation.org/issues/6648
https://redmine.openinfosecfoundation.org/issues/6628

Describe changes:

  • detect/integers: support hexadecimal notation for parsing
  • detect/integers: add mode for negated range
  • detect/integers: rust derive for enumerations
  • detect/integers: keywords now accept bitmasks
  • doc: detect/integers

#10241 rebased to get green CI again

catenacyber and others added 5 commits January 25, 2024 13:32
@catenacyber
detect: integer keywords now support hexadecimal
12528d3 
So that we can write enip.revision: 0x203

Ticket: 6645
@catenacyber
detect: integer keywords now accept negated ranges
57d3f23 
Ticket: 6646
@catenacyber
detect/integer: rust derive for enumerations
0c93e3d 
Ticket: 6647

Allows keywords using integers to use strings in signature
parsing based on a rust enumeration with a derive.
@catenacyber
detect: integer keywords now accept bitmasks
b009cd0 
Ticket: 6648

Like &0x40=0x40 to test for a specific bit set
@catenacyber
doc: integer keywords
77f0023 
Ticket: 6628

Document the generic detection capabilities for integer keywords.
and make every integer keyword pointing to this section.
@catenacyber catenacyber mentioned this pull request Jan 25, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Jan 25, 2024

Codecov Report

Attention: 3 lines in your changes are missing coverage. Please review.

Comparison is base (c3b3c11) 82.28% compared to head (77f0023) 82.28%.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #10246      +/-   ##
==========================================
- Coverage   82.28%   82.28%   -0.01%     
==========================================
  Files         977      978       +1     
  Lines      271950   272068     +118     
==========================================
+ Hits       223784   223873      +89     
- Misses      48166    48195      +29
Flag Coverage Δ
fuzzcorpus 63.38% <42.85%> (-0.02%) ⬇️
suricata-verify 61.48% <42.85%> (-0.04%) ⬇️
unittests 62.83% <97.61%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

jufajardini
jufajardini reviewed Jan 25, 2024
View reviewed changes
Copy link
Contributor

@jufajardini jufajardini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doc changes look good to me.

Proposed changes are very welcome, imho.

@suricata-qa
Copy link

Information:

ERROR: QA failed on SURI_TLPW1_files_sha256.

field baseline test %
SURI_TLPR1_stats_chk
.app_layer.error.http.parser 1108 724 65.34%

Pipeline 17748

@victorjulien victorjulien self-assigned this Jan 26, 2024
@victorjulien victorjulien mentioned this pull request Jan 26, 2024
Closed
@victorjulien victorjulien added this to the 8.0 milestone Jan 26, 2024
@zoomequipd
Copy link

hey @catenacyber I had an question about the bitmask operation that went unanswered in a previous PR. (sorry, just now catching up on this feature)

Currently bitmask operations supported by byte_test, byte_match, byte_jump (maybe not byte_jump??) does a right shift by the number of trailing 0 (zeros) after the AND operation. Does this bitmask option perform the same behavior?

it might be worth noting it if does or does not within the bitmask section of the docs.

@catenacyber
Copy link
Contributor Author

hey @catenacyber I had an question about the bitmask operation that went unanswered in a previous PR. (sorry, just now catching up on this feature)

Currently bitmask operations supported by byte_test, byte_match, byte_jump (maybe not byte_jump??) does a right shift by the number of trailing 0 (zeros) after the AND operation. Does this bitmask option perform the same behavior?

it might be worth noting it if does or does not within the bitmask section of the docs.

@zoomequipd I had answered here #10179 (comment) ;-)

You can do bsize:&0xc0=0x80.

You should not do bsize:&0xc0=2.

I can add a note about the difference with byte_test

@victorjulien victorjulien mentioned this pull request Jan 30, 2024
Merged
@victorjulien
Copy link
Member

Merged in #10277, thanks!

This was referenced Jan 30, 2024
Closed
Closed
@victorjulien
Copy link
Member

hey @catenacyber I had an question about the bitmask operation that went unanswered in a previous PR. (sorry, just now catching up on this feature)

Currently bitmask operations supported by byte_test, byte_match, byte_jump (maybe not byte_jump??) does a right shift by the number of trailing 0 (zeros) after the AND operation. Does this bitmask option perform the same behavior?

it might be worth noting it if does or does not within the bitmask section of the docs.

@zoomequipd do you see a reason for us to adopt that same approach here, as opposed to keeping it as-is and documenting it?

@catenacyber
Copy link
Contributor Author

Also, this bitmask for integer keywords is more like the "and" operator of byte_test ;-)

@zoomequipd
Copy link

@zoomequipd do you see a reason for us to adopt that same approach here, as opposed to keeping it as-is and documenting it?

I asked the newer rule writers with ET, they all agreed that consistency would be preferred.

While the right shift behavior is a bit of a nuance itself, it's at least used, currently, everywhere bitmask is used. Not using it would create yet another nuance specific to one keyword's implementation. As a rule writer it is difficult to remember and track such nuances, even when documented.

As such, it'd be our preference to be consistent and implement the right shift operation.

@victorjulien
Copy link
Member

@zoomequipd do you see a reason for us to adopt that same approach here, as opposed to keeping it as-is and documenting it?

I asked the newer rule writers with ET, they all agreed that consistency would be preferred.

While the right shift behavior is a bit of a nuance itself, it's at least used, currently, everywhere bitmask is used. Not using it would create yet another nuance specific to one keyword's implementation. As a rule writer it is difficult to remember and track such nuances, even when documented.

As such, it'd be our preference to be consistent and implement the right shift operation.

Can you explain the use case of the right shift? I think we implemented it from the snort language, but I can't find any reasoning about it.

@catenacyber
Copy link
Contributor Author

it's at least used, currently, everywhere bitmask is used.

It is not used in byte_test and operator. (If you wish, I can rename the detect/integer as "and operator")
And it is not used in byte_jump bitmask documentation (but not sure it works either)

@zoomequipd
Copy link

zoomequipd commented Feb 6, 2024
edited
Loading

It is not used in byte_test and operator.

Correct? It's used with the 'bitmask' option, which i'm pretty sure can be applied to any operation, but is most frequently used with the =
https://redmine.openinfosecfoundation.org/issues/3283

(If you wish, I can rename the detect/integer as "and operator")

That'd be fine? If it's going to support the bitmask option, the bitmask option should support the right shift behavior. I will say, the bitmask option does come in hand when attempting to check values less than a whole byte.

And it is not used in byte_jump bitmask documentation (but not sure it works either)

byte_jump doesn't implement bitmask option at all https://redmine.openinfosecfoundation.org/issues/6693

Can you explain the use case of the right shift? I think we implemented it from the snort language, but I can't find any reasoning about it.

I cannot, I just work with what the tools provide.

@catenacyber
Copy link
Contributor Author

That'd be fine? If it's going to support the bitmask option, the bitmask option should support the right shift behavior. I will say, the bitmask option does come in hand when attempting to check values less than a whole byte.

Disclaimer : I am not sure we speak about the same things...
I could add a "bitmask option" to the integer keywords. I do not see the use case it solves better than the and operator...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jufajardini jufajardini jufajardini left review comments

@victorjulien victorjulien victorjulien approved these changes

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

Assignees

@victorjulien victorjulien

Labels
None yet
Milestone
8.0
Development

Successfully merging this pull request may close these issues.
5 participants
@catenacyber @suricata-qa @zoomequipd @victorjulien @jufajardini