Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect multiprotocol keywords 7304 v2 #12229

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Detect multiprotocol keywords 7304 v2 #12229

wants to merge 2 commits into from
+191 −17

Conversation

catenacyber
Copy link
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7304

Describe changes:

  • cleaner code for multi app-layer keywords such as ja4

Is there something to do with DCERPC/SMB stuff ? cc @inashivb

I think file keywords have their own logic and it is ok.

#12149 with better commit messages

@catenacyber
detect: clean support for multi-protocol keywords
93e5c37 
such as ja4.

Why ?

We do not want to see hard-coded protocol constants such as
ALPROTO_QUIC directly used in generic code in detect-parse.c

How ?
From the keyword point of view, this commit adds the function
DetectSignatureSetMultiAppProto which is similar to
DetectSignatureSetAppProto but takes multiple alprotos.
It restricts the signature alprotos to a set of possible alprotos
and errors out if the interstion gets empty.

The data structure SignatureInitData gets extended with
a fixed-length array, as the use case is a sparse number of protocols

Ticket: 7304
@catenacyber
detect/ja: use multi-protocol support
7b24101 
instead of hardcoding list : removes usage of ALPROTO_QUIC and
ALPROTO_TLS in generic SigValidate

Ticket: 7304
@catenacyber catenacyber mentioned this pull request Dec 5, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Dec 5, 2024

Codecov Report

Attention: Patch coverage is 89.74359% with 12 lines in your changes missing coverage. Please review.

Project coverage is 83.17%. Comparing base (09ba69c) to head (7b24101).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12229      +/-   ##
==========================================
- Coverage   83.19%   83.17%   -0.02%     
==========================================
  Files         912      912              
  Lines      257166   257267     +101     
==========================================
+ Hits       213938   213991      +53     
- Misses      43228    43276      +48
Flag Coverage Δ
fuzzcorpus 61.01% <80.26%> (+<0.01%) ⬆️
livemode 19.40% <1.31%> (-0.02%) ⬇️
pcap 44.01% <18.42%> (-0.39%) ⬇️
suricata-verify 62.74% <26.31%> (-0.05%) ⬇️
unittests 59.19% <67.52%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 23713

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@catenacyber @suricata-qa