Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Next/665/20241210/v4 #12259

Merged
merged 6 commits into from
Dec 10, 2024
Merged

Next/665/20241210/v4 #12259

merged 6 commits into from
Dec 10, 2024

Conversation

victorjulien
Copy link
Member

catenacyber and others added 6 commits December 10, 2024 14:40
@catenacyber @victorjulien
rust/ftp: handle NULL inputs
e62c7d7 
Completes Ticket 7013
@catenacyber @victorjulien
app-layer: track modified/processed txs
b02557a 
To optimize detection, and logging, to avoid going through
all the live transactions when only a few were modified.

Two boolean fields are added to the tx data: updated_tc and ts
The app-layer parsers are now responsible to set these when
needed, and the logging and detection uses them to skip
transactions that were not updated.

There may some more optimization remaining by when we set
both updated_tc and updated_ts in functions returning
a mutable transaction, by checking if all the callers
are called in one direction only (request or response)

Ticket: 7087
@victorjulien
dpdk: set ice PMD RSS key length to 52 bytes for all DPDK versions
18ab9a6 
ICE driver (Intel E810 NIC) requires/supports 52-byte long RSS key.
The 52 byte key length was mandatory from DPDK 23.11 when Suricata
was starting with independently configured ice PMD.

However, Suricata failed to start when ice PMD was part of
net_bonding PMD, requiring 52 byte RSS key even in DPDK versions
lower than 23.11. Since the support for the longer key is present
since DPDK 19.11 the key is set to 52 bytes for all versions.

Ticket: 7444
@catenacyber @victorjulien
detect: log app-layer metadata in alert with single tx
f2c3776 
Ticket: 7199

Uses a config parameter detect.guess-applayer-tx to enable
this behavior (off by default)

This feature is requested for use cases with signatures not
using app-layer keywords but still targetting application
layer transactions, such as pass/drop rule combination,
or lua usage.

This overrides the previous behavior of checking if the signature
has a content match, by checking if there is only one live
transaction, in addition to the config parameter being set.
@catenacyber @victorjulien
detect: rename stream_log variables
f426ee3 
to better reflect their true meaning
@victorjulien
detect: don't run pkt sigs on ffr pkts
0e4faba 
Last packet from the TLS TCP session moves TCP state to CLOSED.

This flags the app-layer with APP_LAYER_PARSER_EOF_TS or
APP_LAYER_PARSER_EOF_TC depending on the direction of the final packet.
This flag will just have been set in a single direction.

This leads to the last packet updating the inspect id in that packets
direction.

At the end of the TLS session a pseudo packet is created, because:
 - flow has ended
 - inspected tx id == 0, for at least one direction
 - total txs is 1

Then a packet rule matches:

```
alert tcp any any -> any 443 (flow: to_server;                  \
        flowbits:isset,tls_error;                               \
        sid:09901033; rev:1;                                    \
        msg:"Allow TLS error handling (outgoing packet)"; )
```

The `SIG_MASK_REQUIRE_REAL_PKT` is not preventing the match, as the
`flowbits` keyword doesn't set it.

To avoid this match. This patch skips signatures of the `SIG_TYPE_PKT`
for flow end packets.

Ticket: OISF#7318.
catenacyber
catenacyber approved these changes Dec 10, 2024
View reviewed changes
Copy link
Contributor

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks consistent with the already approved PRs

@codecov Codecov
Copy link

codecov bot commented Dec 10, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 94.83871% with 8 lines in your changes missing coverage. Please review.

Project coverage is 83.22%. Comparing base (38d7900) to head (0e4faba).
Report is 6 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff            @@
##           master   #12259    +/-   ##
========================================
  Coverage   83.21%   83.22%            
========================================
  Files         912      912            
  Lines      257183   257311   +128     
========================================
+ Hits       214025   214154   +129     
+ Misses      43158    43157     -1
Flag Coverage Δ
fuzzcorpus 61.07% <90.96%> (+0.01%) ⬆️
livemode 19.52% <4.51%> (+0.10%) ⬆️
pcap 44.36% <70.96%> (-0.05%) ⬇️
suricata-verify 62.84% <81.29%> (+0.04%) ⬆️
unittests 59.18% <41.93%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

jasonish
jasonish approved these changes Dec 10, 2024
View reviewed changes
Copy link
Member

@jasonish jasonish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Staging looks OK.

@victorjulien victorjulien merged commit 0e4faba into OISF:master Dec 10, 2024
61 checks passed
This was referenced Dec 10, 2024
Closed
Closed
Closed
Closed
@catenacyber catenacyber mentioned this pull request Dec 11, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber approved these changes

@jasonish jasonish jasonish approved these changes

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@victorjulien @jasonish @catenacyber