Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rule: Don't drop flow if rule matches on packet properties. #9459

Closed
wants to merge 1 commit into from
Closed

rule: Don't drop flow if rule matches on packet properties. #9459

wants to merge 1 commit into from

Conversation

jlucovsky
Copy link
Contributor

@jlucovsky jlucovsky commented Sep 7, 2023
edited by inashivb
Loading

This commit modifies the logic used to determine the disposition of a flow/packet.

If the rule contains packet match properties, the flow shouldn't be dropped.

Link to redmine ticket: 5578

Describe changes:

  • When deciding how to handle the drop action, check if the rule applies to packet properties.

Provide values to any of the below to override the defaults.

To use a pull request use a branch name like pr/N where N is the
pull request number.

Alternatively, SV_BRANCH may also be a link to an
OISF/suricata-verify pull-request.

SV_BRANCH=OISF/suricata-verify#1414

@suricata-qa
Copy link

Information:

ERROR: QA failed on IPS_AFP_drop_chk.

field baseline test %
IPS_AFP_stats_chk
.tcp.reassembly_gap 54000 108000 200.0%
.flow_bypassed.local_pkts 0 25920 -
.flow_bypassed.local_bytes 0 2833920 -
.detect.alerts_suppressed 1058400 1112400 105.1%

Pipeline 15863

@jlucovsky
detect/alert: Drop packet if rule is pkt only
a1450db 
This commit modifies the logic used to determine the disposition of a
flow/packet.

If the rule contains packet match properties, the flow shouldn't be
dropped.

Issue: 5578
@suricata-qa
Copy link

Information:

ERROR: QA failed on IPS_AFP_drop_chk.

field baseline test %
IPS_AFP_stats_chk
.tcp.reassembly_gap 54000 108000 200.0%
.flow_bypassed.local_pkts 0 25920 -
.flow_bypassed.local_bytes 0 2833920 -
.detect.alerts_suppressed 1058400 1112400 105.1%

Pipeline 15874

@jufajardini
Copy link
Contributor

I wish I could signal to watch this PR, to better understand this.
And this makes me wonder if we should try and document those flags....

@jlucovsky jlucovsky marked this pull request as ready for review September 28, 2023 12:10
@jlucovsky jlucovsky requested a review from a team as a code owner September 28, 2023 12:10
inashivb
inashivb reviewed Sep 29, 2023
View reviewed changes
Copy link
Member

@inashivb inashivb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This patch makes sense to me.
I have added the s-v tests done by Victor to the PR body and re-triggered the CI.

@inashivb
Copy link
Member

The s-v test seems to pass. The test http2-deflate on Ubuntu 22.04 is failing. The test seems flaky to me but would be nice if you checked.

@jlucovsky
Copy link
Contributor Author

Continued in #9664

@jlucovsky jlucovsky closed this Oct 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inashivb inashivb inashivb left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jlucovsky @suricata-qa @jufajardini @inashivb