OISF · catenacyber · Jun 20, 2023 · Aug 30, 2023 · Aug 30, 2023
@@ -290,6 +290,7 @@ flow.age
 --------
 
 Flow age in seconds (integer)
+This keyword does not wait for the end of the flow, but will be checked at each packet.
 
 Syntax::
 
@@ -305,4 +306,84 @@ Signature example::
 
  alert tcp any any -> any any (msg:"Flow longer than one hour"; flow.age:>3600; flowbits: isnotset, onehourflow; flowbits: onehourflow, name; sid:1; rev:1;)
 
-In this example, we combine `flow.age` and `flowbits` to get an alert on the first packet after the flow's age is older than one hour.
+In this example, we combine `flow.age` and `flowbits` to get an alert on the first packet after the flow's age is older than one hour.
+
+flow.pkts_toclient
+------------------
+
+Flow number of packets to client (integer)
+This keyword does not wait for the end of the flow, but will be checked at each packet.
+
+Syntax::
+
+ flow.pkts_toclient: [op]<number>
+
+The number of packets can be matched exactly, or compared using the _op_ setting::
+
+ flow.pkts_toclient:3    # exactly 3
+ flow.pkts_toclient:<3   # smaller than 3
+ flow.pkts_toclient:>=2  # greater than or equal to 2
+
+Signature example::
+
+ alert ip any any -> any any (msg:"Flow has 20 packets"; flow.pkts_toclient:20; sid:1;)
+
+flow.pkts_toserver
+------------------
+
+Flow number of packets to server (integer)
+This keyword does not wait for the end of the flow, but will be checked at each packet.
+
+Syntax::
+
+ flow.pkts_toserver: [op]<number>
+
+The number of packets can be matched exactly, or compared using the _op_ setting::
+
+ flow.pkts_toserver:3    # exactly 3
+ flow.pkts_toserver:<3   # smaller than 3
+ flow.pkts_toserver:>=2  # greater than or equal to 2
+
+Signature example::
+
+ alert ip any any -> any any (msg:"Flow has 20 packets"; flow.pkts_toserver:20; sid:1;)
+
+flow.bytes_toclient
+-------------------
+
+Flow number of bytes to client (integer)
+This keyword does not wait for the end of the flow, but will be checked at each packet.
+
+Syntax::
+
+ flow.bytes_toclient: [op]<number>
+
+The number of packets can be matched exactly, or compared using the _op_ setting::
+
+ flow.bytes_toclient:3    # exactly 3
+ flow.bytes_toclient:<3   # smaller than 3
+ flow.bytes_toclient:>=2  # greater than or equal to 2
+
+Signature example::
+
+ alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toclient:<2000; sid:1;)
+
+flow.bytes_toserver
+-------------------
+
+Flow number of bytes to server (integer)
+This keyword does not wait for the end of the flow, but will be checked at each packet.
+
+Syntax::
+
+ flow.bytes_toserver: [op]<number>
+
+The number of packets can be matched exactly, or compared using the _op_ setting::
+
+ flow.bytes_toserver:3    # exactly 3
+ flow.bytes_toserver:<3   # smaller than 3
+ flow.bytes_toserver:>=2  # greater than or equal to 2
+
+Signature example::
+
+ alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toserver:<2000; sid:1;)
@@ -44,7 +44,7 @@ impl StreamSlice {
     #[cfg(test)]
     pub fn from_slice(slice: &[u8], flags: u8, offset: u64) -> Self {
         Self {
-            input: slice.as_ptr() as *const u8,
+            input: slice.as_ptr(),
             input_len: slice.len() as u32,
             flags,
             offset

@@ -432,15 +432,15 @@ pub unsafe extern "C" fn ScByteMathParse(c_arg: *const c_char) -> *mut DetectByt
         }
     };
     match parse_bytemath(arg) {
-        Ok((_, detect)) => return Box::into_raw(Box::new(detect)) as *mut DetectByteMathData,
+        Ok((_, detect)) => return Box::into_raw(Box::new(detect)),
         Err(_) => return std::ptr::null_mut(),
     }
 }
 
 #[no_mangle]
 pub unsafe extern "C" fn ScByteMathFree(ptr: *mut DetectByteMathData) {
     if !ptr.is_null() {
-        let _ = Box::from_raw(ptr as *mut DetectByteMathData);
+        let _ = Box::from_raw(ptr);
     }
 }
 

@@ -84,7 +84,7 @@ pub fn detect_parse_iprep(i: &str) -> IResult<&str, DetectIPRepData> {
     let (i, name) = take_while(is_alphanumeric_or_slash)(i)?;
     // copy as to have final zero
     let namez = CString::new(name).unwrap();
-    let cat = unsafe { SRepCatGetByShortname(namez.as_ptr() as *const i8) };
+    let cat = unsafe { SRepCatGetByShortname(namez.as_ptr()) };
     if cat == 0 {
         return Err(Err::Error(make_error(i, ErrorKind::MapOpt)));
     }

@@ -46,7 +46,7 @@ pub unsafe extern "C" fn Base64Encode(
     if encoded.len() + 1 > *output_len as usize {
         return Base64ReturnCode::SC_BASE64_OVERFLOW;
     }
-    let output = std::slice::from_raw_parts_mut(&mut *(output as *mut u8), *output_len as usize);
+    let output = std::slice::from_raw_parts_mut(&mut *output, *output_len as usize);
     output[0..encoded.len()].copy_from_slice(encoded.as_bytes());
     output[encoded.len()] = 0;
     *output_len = encoded.len() as c_ulong;

@@ -593,7 +593,7 @@ pub fn pgsql_parse_startup_packet(i: &[u8]) -> IResult<&[u8], PgsqlFEMessage> {
     let (i, b) = take(len - PGSQL_LENGTH_FIELD)(i)?;
     let (_, message) =
         match proto_major {
-            1 | 2 | 3 => {
+            1..=3 => {
                 let (b, proto_major) = be_u16(b)?;
                 let (b, proto_minor) = be_u16(b)?;
                 let (b, params) = pgsql_parse_startup_parameters(b)?;

@@ -160,7 +160,8 @@ pub enum Protocol {
 // rdp-spec, section 2.2.1.1.1
 bitflags! {
     pub struct ProtocolFlags: u32 {
-        const PROTOCOL_RDP = Protocol::ProtocolRdp as u32;
+        //Protocol::ProtocolRdp is 0 as always supported
+        //and bitflags crate does not like zero-bit flags
         const PROTOCOL_SSL = Protocol::ProtocolSsl as u32;
         const PROTOCOL_HYBRID = Protocol::ProtocolHybrid as u32;
         const PROTOCOL_RDSTLS = Protocol::ProtocolRdsTls as u32;
@@ -1089,7 +1090,7 @@ mod tests_negotiate_49350 {
                 cookie: None,
                 negotiation_request: Some(NegotiationRequest {
                     flags: NegotiationRequestFlags::empty(),
-                    protocols: ProtocolFlags::PROTOCOL_RDP,
+                    protocols: ProtocolFlags { bits: Protocol::ProtocolRdp as u32 },
                 }),
                 data: Vec::new(),
             }),
@@ -1179,7 +1180,7 @@ mod tests_core_49350 {
             ),
             client_dig_product_id: Some(String::from("")),
             connection_hint: Some(ConnectionHint::ConnectionHintNotProvided),
-            server_selected_protocol: Some(ProtocolFlags::PROTOCOL_RDP),
+            server_selected_protocol: Some(ProtocolFlags { bits: Protocol::ProtocolRdp as u32 }),
             desktop_physical_width: None,
             desktop_physical_height: None,
             desktop_orientation: None,

@@ -166,6 +166,7 @@ noinst_HEADERS = \
 	detect-flowbits.h \
 	detect-flow.h \
 	detect-flow-age.h \
+	detect-flow-pkts.h \
 	detect-flowint.h \
 	detect-flowvar.h \
 	detect-fragbits.h \
@@ -777,6 +778,7 @@ libsuricata_c_a_SOURCES = \
 	detect-flowbits.c \
 	detect-flow.c \
 	detect-flow-age.c \
+	detect-flow-pkts.c \
 	detect-flowint.c \
 	detect-flowvar.c \
 	detect-fragbits.c \

@@ -114,6 +114,7 @@
 #include "detect-rev.h"
 #include "detect-flow.h"
 #include "detect-flow-age.h"
+#include "detect-flow-pkts.h"
 #include "detect-tcp-window.h"
 #include "detect-ftpbounce.h"
 #include "detect-isdataat.h"
@@ -561,6 +562,10 @@ void SigTableSetup(void)
     DetectReplaceRegister();
     DetectFlowRegister();
     DetectFlowAgeRegister();
+    DetectFlowPktsToClientRegister();
+    DetectFlowPktsToServerRegister();
+    DetectFlowBytesToClientRegister();
+    DetectFlowBytesToServerRegister();
     DetectWindowRegister();
     DetectRpcRegister();
     DetectFtpbounceRegister();

@@ -110,6 +110,10 @@ enum DetectKeywordId {
     DETECT_FRAME,
 
     DETECT_FLOW_AGE,
+    DETECT_FLOW_PKTS_TO_CLIENT,
+    DETECT_FLOW_PKTS_TO_SERVER,
+    DETECT_FLOW_BYTES_TO_CLIENT,
+    DETECT_FLOW_BYTES_TO_SERVER,
 
     DETECT_AL_TLS_VERSION,
     DETECT_AL_TLS_SUBJECT,