Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect/analyzer: add more details for tcp_seq - v2 #9677

Closed
wants to merge 1 commit into from
Closed

detect/analyzer: add more details for tcp_seq - v2 #9677

wants to merge 1 commit into from

Conversation

0xEniola
Copy link
Contributor

@0xEniola 0xEniola commented Oct 22, 2023
edited by jasonish
Loading

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6353

Previous PR: #9676

Describe changes:

  • Modify the commit message subject to comply with project's 50 character limit.

Output:

{
    "raw":"alert tcp any any -> any any (msg:\"Testing seq\"; seq:723833; sid:2;)",
    "id":2,
    "gid":1,
    "rev":0,
    "msg":"Testing seq",
    "app_proto":"unknown",
    "requirements":[],
    "type":"pkt",
    "flags": [
        "src_any",
        "dst_any",
        "sp_any",
        "dp_any",
        "need_packet",
        "toserver",
        "toclient"
    ],
    "pkt_engines": [
        {
            "name":"packet",
            "is_mpm":false
        }
    ],
    "frame_engines": [],
    "lists": {
        "packet": {
            "matches": [
                {
                    "name":"tcp.seq",
                    "seq": {
                        "number":723833
                    }
                }
            ]
        }
    }
}

SV_BRANCH=OISF/suricata-verify#1435

@0xEniola
detect/analyzer: add more details for tcp_seq
a3c5e76 
Log the matched Sequence number of a packet
Issue: OISF#6353
@0xEniola 0xEniola mentioned this pull request Oct 22, 2023
Closed
@github-actions
Copy link

NOTE: This PR may contain new authors:

Daniel Olatunji <[email protected]>

inashivb
inashivb approved these changes Oct 23, 2023
View reviewed changes
Copy link
Member

@inashivb inashivb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks! :)

@jufajardini jufajardini added the outreachy Contributions made by Outreachy applicants label Oct 23, 2023
jasonish
jasonish approved these changes Oct 25, 2023
View reviewed changes
Copy link
Member

@jasonish jasonish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An approval for me, but just wanted to drop a note that its a little odd that the name logged is "tcp.seq", but the new object is just "seq". But we can't use "tcp.seq" as an object name as downstream tools will break.

So as we add more "tcp.XXX" fields, we may want to refactor to group them under another object, but that gets complicated quickly.

@0xEniola
Copy link
Contributor Author

An approval for me, but just wanted to drop a note that its a little odd that the name logged is "tcp.seq", but the new object is just "seq". But we can't use "tcp.seq" as an object name as downstream tools will break.

So as we add more "tcp.XXX" fields, we may want to refactor to group them under another object, but that gets complicated quickly.

Actually, the name were met that way in their source file, so I couldn't do anything about that.

But I do understand what you mean.

@jasonish
Copy link
Member

An approval for me, but just wanted to drop a note that its a little odd that the name logged is "tcp.seq", but the new object is just "seq". But we can't use "tcp.seq" as an object name as downstream tools will break.
So as we add more "tcp.XXX" fields, we may want to refactor to group them under another object, but that gets complicated quickly.

Actually, the name were met that way in their source file, so I couldn't do anything about that.

But I do understand what you mean.

Yeah, doing anything more about it becomes a larger refactoring I think outside the scope of this one ticket.

@jufajardini jufajardini added the decision-required Waiting on deliberation from the team label Dec 5, 2023
@jufajardini
Copy link
Contributor

Adding the decision-required label here so we consider what Jason has mention before deciding if ready to merge or not.

@catenacyber catenacyber added the needs rebase Needs rebase to master label Jan 18, 2024
catenacyber
catenacyber requested changes Jan 18, 2024
View reviewed changes
Copy link
Contributor

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs a rebase

@0xEniola 0xEniola mentioned this pull request Jan 30, 2024
Closed
@0xEniola 0xEniola closed this Jan 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber requested changes

@inashivb inashivb inashivb approved these changes

@jasonish jasonish jasonish approved these changes

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees
No one assigned
Labels
decision-required Waiting on deliberation from the team needs rebase Needs rebase to master outreachy Contributions made by Outreachy applicants
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@0xEniola @jasonish @jufajardini @catenacyber @inashivb