userguide: explain rule types and categorization - v9 #12209
Conversation
Add documentation about the rule types introduced by 2696fda. Add doc tags around code definitions that are referenced in the docs. Task #https://redmine.openinfosecfoundation.org/issues/7031
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #12209 +/- ##
==========================================
+ Coverage 83.17% 83.18% +0.01%
==========================================
Files 912 912
Lines 257111 257111
==========================================
+ Hits 213856 213885 +29
+ Misses 43255 43226 -29
Flags with carried forward coverage won't be shown. Click here to find out more. |
| * - IP Only | ||
| - Flow | ||
| - Once per direction | ||
| - On IP addresses on the flow | ||
| - Source/ Destination field of a rule | ||
| * - IP Only (contains negated address)(*) | ||
| - Flow | ||
| - Once per direction | ||
| - On IP addresses on the flow | ||
| - Source/ Destination field of a rule, containing negated address |
There was a problem hiding this comment.
Action is flow if flow exists. Packets that are not part of a flow, .... will always be inspected per packet.
| - Source/ Destination field of a rule | ||
| * - IP Only (contains negated address)(*) | ||
| - Flow | ||
| - Once per direction |
There was a problem hiding this comment.
Test this with rule profiling to confirm.
There was a problem hiding this comment.
Maybe we can have a SV test with like-ip-only
- alert rule: several alerts
- drop/pass: should be applied to the flow
| - Packet | ||
| - Per-packet basis | ||
| - Packet-level info (e.g.: header info) | ||
| - ``itype``, ``tcp.hdr``, ``tcp.seq``, ``ttl`` etc. |
There was a problem hiding this comment.
tcp-pkt - add as keyword example here
| - Flow, if stateful (**) | ||
| - Per stream chunk, if stateful, per-packet if not. | ||
| - Against the reassembled stream. If stream unavailable, match per-packet. | ||
| (stream payload or packet payload) |
There was a problem hiding this comment.
move to Inspected, be stream payload AND packet payload
There was a problem hiding this comment.
exposes the stream and/or payload data.
| * - Type | ||
| - Action Scope | ||
| - Inspected | ||
| - Matches |
|
|
||
| * - Type | ||
| - Action Scope | ||
| - Inspected |
There was a problem hiding this comment.
Inspection hook?
| - Keyword Examples (non-exhaustive) | ||
| * - Decoder Events Only | ||
| - Packet | ||
| - Per-packet basis |
There was a problem hiding this comment.
Per-broken/ invalid packet
| * - Decoder Events Only | ||
| - Packet | ||
| - Per-packet basis | ||
| - Packets that are broken on an IP level |
| - ``content`` with ``startswith`` or ``depth`` | ||
| * - Stream | ||
| - Flow, if stateful (**) | ||
| - Per stream chunk, if stateful, per-packet if not. |
There was a problem hiding this comment.
Stream chunks, or just packets (if not accepted by stream engine)
| * - Stream | ||
| - Flow, if stateful (**) | ||
| - Per stream chunk, if stateful, per-packet if not. | ||
| - Against the reassembled stream. If stream unavailable, match per-packet. |
There was a problem hiding this comment.
exposes stream reassembled payload or packet payload data
| - Application Layer (`app_layer`) | ||
| - Protocol Detection Only (`pd_only`) | ||
| - Decoder Events Only (`de_only`) |
| The rule examples provided further cover some such cases, but the table below | ||
| lists those keywords with more details: | ||
|
|
There was a problem hiding this comment.
check detect-flowbits.c:632. some cases will make a packet rule become a stateful / app_tx signature.
|
@njlavigne There will be a new version of this coming out soon to take into account a review done with Victor, but do feel free to add feedback, please, if you see anything weird or missing :) |
| aspects aforementioned. | ||
|
|
||
| .. list-table:: Suricata Rule Types | ||
| :widths: 10, 17, 18, 30, 25 |
There was a problem hiding this comment.
Review width for last 2 columns, especially.
There was a problem hiding this comment.
the rtd theme isn't properly rendering list-table widths properly - it's ignoring this, basically.
The best workaround I've found was using nested paragraphs, as it seems that the width is being based on the column header, and this seems to be working.
|
Given the embedded code, etc. I wonder if this is a little too deep to from the rule chapter. Is it better suited at the end with some "rule internals" or part of a Suricata internals guide? At first I was wondering devguide, but I do realize there is some internals that should be documented with a power user audience, and not necessarily a developer audience. |
|
Information: QA ran without warnings. Pipeline 23656 |
We have Making sense out of alerts, right after the two Rules chapters. Maybe we could have this part about the rule types before or after that one? I understand it has more advanced stuff, but I think semantically it also makes sense that it remains close to the other chapters. imho, the code excerpts that we show aren't mandatory to understand the contents - more to add hooks for those who like to dig... |
Maybe move it to the end of the rules chapter? My thought are:
To be fair, advanced rule writing could be its own book I'm sure! |
| - ``to_server``, ``to_client`` | ||
| - no type change | ||
| * - ``flow`` | ||
| - ``established``, ``not_established`` | ||
| - to `packet` |
There was a problem hiding this comment.
ip_only and like_ip_only behave differently here.
There was a problem hiding this comment.
Are there cases where a "packet" type rule changes to a stream-type rule when a content keyword is added? What type is a rule that contains both content and flow:to_server?
| Although both are related to matching on application layer protocols, since | ||
| Suricata 7, a Protocol Detection rule (that uses the ``app-layer-protocol`` | ||
| keyword) is not internally classified the same as a simple rule matching on | ||
| the application layer protocol on the `protocol` field. |
There was a problem hiding this comment.
These two rule types are similar but work differently - could you provide any guidance as to when you might prefer to use one over the other? What are they intended to be used for?
| .. note:: | ||
| (*) IP Only signatures with negated addresses are `like` IP-only signatures, but | ||
| currently handled differently due to limitations of the algorithm processing | ||
| IP Only rules. |
There was a problem hiding this comment.
What is the significance of this to me as a rule writer? Are these two types functionally different, or is the only difference just an internal optimization?
If you use the idea above for a section per rule type, special notices like this could go into those sections which might help it flow naturally with the other information you are providing per rule type.
| The ``SignatureSetType()`` overall flow is described below: | ||
|
|
||
| .. image:: intro/OverallAlgoHorizontal-20241127.png | ||
| :width: 600 | ||
| :alt: A flowchart representing the SignatureSetType function. |
There was a problem hiding this comment.
Overall I think this new page does a good job of outlining what each rule type does when applied to traffic, but for rule writers the other piece of relevant background is "what influences a signature be a particular type" and to me that part still isn't as clear. I think the flow chart is great and helps with this but the branch conditions like "Is PDOnly" and "Is IpOnly" don't have enough supporting detail to understand when they will apply.
I think it would help to include a short description for each rule type stating at a high level what the types are used for, for example
The IPONLY rule type is used for rules that match only on source & destination IPs and port numbers, and not on any other flow or content modifier.
It probably wouldn't fit in the table so it would likely need to go somewhere else, like in a short section introducing each type. Maybe could combine that with the examples so that each type would have a small section that combines both an explainer and the examples for that type.
| .. list-table:: Suricata Rule Types, and their Engine Analysis Term | ||
| :header-rows: 1 |
There was a problem hiding this comment.
Have you considered merging the two rule type tables into one table?
There was a problem hiding this comment.
I know it's not ideal as is, but I wanted to avoid having even more columns, as some of the cels in the other column are quite busy with text and Read the Docs doesn't offer a lot of flexibility for adjusting column width...
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| Aside from the scope of action of a signature, certain rule conditions will | ||
| require that it matches against a *real packet* (as opposed to a *pseudo packet*). |
There was a problem hiding this comment.
Is it worth saying what the difference is here (or link to it, if it's explained elsewhere in the docs)?
| * - ``flow`` | ||
| - ``to_server``, ``to_client`` | ||
| - no type change |
There was a problem hiding this comment.
You can correct me if I'm wrong, but I believe there is at least one example where this does change - I think a rule that would otherwise be "iponly" type does change to something else when a flow:to_server or flow:to_client is added.
| - ``to_server``, ``to_client`` | ||
| - no type change | ||
| * - ``flow`` | ||
| - ``established``, ``not_established`` | ||
| - to `packet` |
There was a problem hiding this comment.
Are there cases where a "packet" type rule changes to a stream-type rule when a content keyword is added? What type is a rule that contains both content and flow:to_server?
| * - Application Layer Protocol Transactions | ||
| - Flow | ||
| - Per transaction update | ||
| - On buffer keywords | ||
| - Application layer protocol-related, e.g. ``http.host``, ``rfb.secresult``, | ||
| ``dcerpc.stub_data``, ``frame`` keywords |
There was a problem hiding this comment.
What exactly is a transaction is a topic that would be very relevant here, for understanding how these rules will be matched against traffic. You have a good explanation of them here...I understand that the developer guide is aimed at a different audience than this page (aimed at rule writers), but they would both benefit from understanding that.
Thanks for tagging me, please feel free to keep doing it for changes you think I'd be interested in! |
Previous PR: #12184
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7031
Please check the built version: https://suri-rtd-test.readthedocs.io/en/doc-sigtypes-et-properties-v9/rules/rule-types.html
Describe changes:
Many of the examples and conclusions documented here were derived from tests and checks as seen on OISF/suricata-verify#2153