Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Printable/v14 #10261

Closed
wants to merge 14 commits into from
Closed

Printable/v14 #10261

wants to merge 14 commits into from

Conversation

victorjulien
Copy link
Member

@victorjulien
yaml: remove newline from error message
150420e
@victorjulien
stream: const args for StreamReassembleLog
15cb44f 
Needed a workaround cast for RBTREE use.
@victorjulien
eve/frame: implement payload-buffer-size option
49d14f8 
Modeled after the same option in eve/alert. Defaults to 4k.
@victorjulien
eve/alert: log payload directly from stream buffer
e5e236b 
This avoids looping over partly duplicate segments that cause
output data corruption by logging parts of the stream data multiple
times.

For data with GAPs now add a indicator '[4 bytes missing]' similar
to how Wireshark does it.

Bug: OISF#6553.
@victorjulien
eve/alert: init membuffer size on missing config
d0084b4 
Don't init buffer to 0 size but use the desired default of 4k.
@victorjulien
eve/frames: pass membuffer to API
00ce6ea 
In preparation of stream logging changes.
@victorjulien
eve/frame: improve frame payload logging
5f7da14 
Log using stream callback API, meaning that data will also
be logged if there are GAPs.

Also implement GAP indicators: '[123 bytes missing]'.
@victorjulien
unix-manager: add \n string to buffer using correct API call
ce43935
@victorjulien
membuffer: turn complex macros into functions
423161f 
For better readability and type checking.
@victorjulien
membuffer: use buffer pointer as flexible array member
8082689
@victorjulien
membuffer: return bytes written
22a545a
@victorjulien
eve/frame: break out of logging callback if buffer is full
be34adc
@victorjulien
eve/alert: break out of payload logging callback if buffer is full
25a3970
@victorjulien
membuffer: annotate printf style function
bcdcbe4
@victorjulien victorjulien requested a review from a team as a code owner January 26, 2024 12:29
@victorjulien victorjulien mentioned this pull request Jan 26, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Jan 26, 2024

Codecov Report

Attention: 22 lines in your changes are missing coverage. Please review.

Comparison is base (c3b3c11) 82.28% compared to head (bcdcbe4) 82.26%.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #10261      +/-   ##
==========================================
- Coverage   82.28%   82.26%   -0.03%     
==========================================
  Files         977      977              
  Lines      271950   271995      +45     
==========================================
- Hits       223784   223755      -29     
- Misses      48166    48240      +74
Flag Coverage Δ
fuzzcorpus 63.37% <80.66%> (-0.03%) ⬇️
suricata-verify 61.54% <84.00%> (+0.01%) ⬆️
unittests 62.81% <0.66%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information:

ERROR: QA failed on SURI_TLPW2_autofp_suri_time.

field baseline test %
SURI_TLPW2_autofp_stats_chk
.uptime 182 192 105.49%

Pipeline 17775

@jasonish
Copy link
Member

Bug 6553 is flagged as a backport, but in this PR we are adding extra data. Any thoughts on how this might affect log processing tools?

@victorjulien
Copy link
Member Author

Bug 6553 is flagged as a backport, but in this PR we are adding extra data. Any thoughts on how this might affect log processing tools?

Not sure. I think the old output also printed more in some cases than expected due to broken overlap printing. It's certainly a change, so maybe we need a more conservative approach for backports.

@victorjulien
Copy link
Member Author

Bug 6553 is flagged as a backport, but in this PR we are adding extra data. Any thoughts on how this might affect log processing tools?

Not sure. I think the old output also printed more in some cases than expected due to broken overlap printing. It's certainly a change, so maybe we need a more conservative approach for backports.

But anyway, this is for master. We can discuss the backport when the backport is done.

@victorjulien victorjulien added this to the 8.0 milestone Feb 12, 2024
@victorjulien victorjulien mentioned this pull request Mar 8, 2024
Closed
@victorjulien
Copy link
Member Author

replaced by #10592

@victorjulien victorjulien deleted the printable/v14 branch June 23, 2024 05:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jlucovsky jlucovsky jlucovsky approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
8.0
Development

Successfully merging this pull request may close these issues.
4 participants
@victorjulien @suricata-qa @jasonish @jlucovsky