detect: add vlan.id keyword - v6 #12301

AkakiAlice · 2024-12-17T22:38:19Z

Ticket: #1065

Contribution style:

I have read the contributing guide lines at
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html

Our Contribution agreements:

I have signed the Open Information Security Foundation contribution agreement at
https://suricata.io/about/contribution-agreement/ (note: this is only required once)

Changes (if applicable):

I have updated the User Guide (in doc/userguide/) to reflect the changes made
I have updated the JSON schema (in etc/schema.json) to reflect all logging changes
(including schema descriptions)
I have created a ticket at
https://redmine.openinfosecfoundation.org/projects/suricata/issues

Link to ticket: https://redmine.openinfosecfoundation.org/issues/1065

Description:

Introduce vlan.id keyword

Documentation changes:

Add tables describing values and limits for id and layer: line 20, line 29;
Add a signature example for count: line 77.

vlan_id.rs changes:

Remove #no_mangle from the constants definitions: line 22;
Change constants definitions to pub const: line 22;
Change constants names to use the prefix DETECT_VLAN_ID: line 22;
Implement Jason's suggestion to use .ok()?: line 35, line 54;
Add feature count: line 46;
Add if to check count range: line 55;
Replace i8::MAX and i8::MIN with DETECT_VLAN_ID_ALL and DETECT_VLAN_ID_ANY: line 45, line 52, line 103;
Add rust unit tests for all and count: line 106, line 117.

detect-vlan-id.c changes:

Include rust.h: line 21;
Replace if chain with switch-case: line 32.

Commit message:

Add description.

SV_BRANCH=OISF/suricata-verify#2194
Previous PR= #12290

vlan.id matches on Virtual Local Area Network IDs It is an unsigned 16-bit integer Valid range for the default configuration = [1-4094] Supports prefiltering Ticket: OISF#1065

codecov · 2024-12-17T23:01:46Z

Codecov Report

Attention: Patch coverage is 82.29665% with 37 lines in your changes missing coverage. Please review.

Please upload report for BASE (master@2c0d3b8). Learn more about missing BASE report.
Report is 9 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff            @@
##             master   #12301   +/-   ##
=========================================
  Coverage          ?   83.24%           
=========================================
  Files             ?      914           
  Lines             ?   257834           
  Branches          ?        0           
=========================================
  Hits              ?   214629           
  Misses            ?    43205           
  Partials          ?        0

Flag	Coverage Δ
fuzzcorpus	`61.05% <8.84%> (?)`
livemode	`19.39% <8.84%> (?)`
pcap	`44.38% <8.84%> (?)`
suricata-verify	`62.87% <64.60%> (?)`
unittests	`59.19% <61.24%> (?)`

Flags with carried forward coverage won't be shown. Click here to find out more.

catenacyber

CI : 🟢
Code : cool, just one nit
Commits segmentation : ok
Commit messages : nice
Git ID set : looks fine for me
CLA : you already contributed
Doc update : excellent
Redmine ticket : ok
Rustfmt : looks ok for vlan_id.rs
Tests : nice, thanks, added a remark there
Dependencies added: none

src/detect-vlan-id.c

rust/src/detect/vlan_id.rs

jufajardini

Thanks for highlighting so clearly the changes (and great job!) 👏🏽

I've shared complementary stuff on the comments :)

jufajardini · 2024-12-18T14:01:57Z

doc/userguide/rules/vlan-keywords.rst

+
+ vlan.id:300    # exactly 300
+ vlan.id:<300,0   # smaller than 300 at layer 0
+ vlan.id:>=200,1  # greater or equal than 200 at layer 1


nit (missed this the other review x_x ):

Suggested change

vlan.id:>=200,1 # greater or equal than 200 at layer 1

vlan.id:>=200,1 # greater than or equal to 200 at layer 1

jufajardini · 2024-12-18T14:03:12Z

doc/userguide/rules/vlan-keywords.rst

+The id can be matched exactly, or compared using the ``op`` setting::
+
+ vlan.id:300    # exactly 300
+ vlan.id:<300,0   # smaller than 300 at layer 0


Suggested change

vlan.id:<300,0 # smaller than 300 at layer 0

vlan.id:<300,0 # less than 300 at layer 0

jufajardini · 2024-12-18T14:47:04Z

doc/userguide/rules/vlan-keywords.rst

+Id values for vlan.id keyword:
+
+========  ================================================
+Value     Description
+========  ================================================
+1 - 4094  Valid range for vlan id
+0 - 3     Valid range of number of layers (with ``count``)
+========  ================================================


We can use the .. table:: Sphinx directive and have neat table titles, here and for the following one:

Suggested change

Id values for vlan.id keyword:

======== ================================================

Value Description

======== ================================================

1 - 4094 Valid range for vlan id

0 - 3 Valid range of number of layers (with ``count``)

======== ================================================

.. table:: **Id values for vlan.id keyword**

======== ================================================

Value Description

======== ================================================

1 - 4094 Valid range for vlan id

0 - 3 Valid range of number of layers (with ``count``)

======== ================================================

detect: add vlan.id keyword

4e44479

vlan.id matches on Virtual Local Area Network IDs It is an unsigned 16-bit integer Valid range for the default configuration = [1-4094] Supports prefiltering Ticket: OISF#1065

AkakiAlice requested review from jasonish, jufajardini and victorjulien as code owners December 17, 2024 22:38

inashivb mentioned this pull request Dec 18, 2024

detect: add vlan.id keyword - v5 #12290

Closed

5 tasks

catenacyber approved these changes Dec 18, 2024

View reviewed changes