Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect: add vlan.id keyword - v4 #12285

Closed
wants to merge 1 commit into from
Closed

detect: add vlan.id keyword - v4 #12285

wants to merge 1 commit into from

Conversation

AkakiAlice
Copy link
Contributor

Ticket: #1065

Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.

Contribution style:

Our Contribution agreements:

Changes (if applicable):

Link to ticket: https://redmine.openinfosecfoundation.org/issues/1065
Describe changes:

  • Introduce vlan.id keyword

Provide values to any of the below to override the defaults.

  • To use an LibHTP, Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_BRANCH=OISF/suricata-verify#2185
Previous PR= #12273

@AkakiAlice AkakiAlice mentioned this pull request Dec 13, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Dec 13, 2024

Codecov Report

Attention: Patch coverage is 81.71429% with 32 lines in your changes missing coverage. Please review.

Project coverage is 83.22%. Comparing base (0e4faba) to head (c7f71f3).
Report is 15 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12285      +/-   ##
==========================================
- Coverage   83.22%   83.22%   -0.01%     
==========================================
  Files         912      915       +3     
  Lines      257311   257802     +491     
==========================================
+ Hits       214154   214553     +399     
- Misses      43157    43249      +92
Flag Coverage Δ
fuzzcorpus 61.05% <10.10%> (-0.02%) ⬇️
livemode 19.39% <10.10%> (-0.14%) ⬇️
pcap 44.38% <10.10%> (+0.02%) ⬆️
suricata-verify 62.85% <62.62%> (+0.01%) ⬆️
unittests 59.19% <60.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@catenacyber
Copy link
Contributor

Thanks, what are the differences with the previous version ?

I see CI is still red, cf the check rust build that you can reproduce locally by running cargo clippy --fix in rust subdirectory

catenacyber
catenacyber reviewed Dec 15, 2024
View reviewed changes
doc/userguide/rules/vlan-id.rst
it matches all layers if a packet contains multiple VLAN layers. However, if a
specific layer is defined, it will only match that layer.

vlan.id uses :ref:`unsigned 16-bit integer <rules-integer-keywords>`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#12273 (comment)

Should we also mention here the max value, and the specification that defines that?

I think it is a good idea

catenacyber
catenacyber reviewed Dec 15, 2024
View reviewed changes
src/detect-vlan-id.c
const DetectVlanIdData *a = smctx;
v->u8[0] = a->du16.mode;
v->u8[1] = a->layer;
v->u16[2] = a->du16.arg1;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There should also be v->u16[3] = a->du16.arg2; (used for ranges like vlan.id:100-200)

catenacyber
catenacyber reviewed Dec 15, 2024
View reviewed changes
src/detect-vlan-id.h
#ifndef SURICATA_DETECT_VLAN_ID_H
#define SURICATA_DETECT_VLAN_ID_H

#define ANY_VLAN_LAYER INT8_MIN
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This definition should be in rust

catenacyber
catenacyber reviewed Dec 15, 2024
View reviewed changes
doc/userguide/rules/vlan-id.rst
@@ -0,0 +1,33 @@
Vlan.id Keyword
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI is red because you have to add this file in doc/userguide/rules/index.rst

@catenacyber
Copy link
Contributor

And last : Suggestion for even more expressivity : add support vlan.id: >100,all which matches only if all vlan layers match

@AkakiAlice AkakiAlice mentioned this pull request Dec 16, 2024
Closed
5 tasks
inashivb
inashivb reviewed Dec 16, 2024
View reviewed changes
rust/src/detect/vlan_id.rs
arg2: 0,
mode: DetectUintMode::DetectUintModeEqual,
},
layer: i8::MIN
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Q: Why is the default layer i8::MIN when a layer < -3 is unacceptable to the parser? ref: https://github.com/OISF/suricata/pull/12285/files#diff-19017a83531856b891bc67909647f1bdbf986c4fd068b0e107c149a0158cdd11R52

@inashivb
Copy link
Member

Has a newer revision linked above

@inashivb inashivb closed this Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inashivb inashivb inashivb left review comments

@catenacyber catenacyber catenacyber left review comments

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AkakiAlice @catenacyber @inashivb