Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Output alert applayer v13.4 #9812

Closed
wants to merge 12 commits into from
Closed

Output alert applayer v13.4 #9812

wants to merge 12 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to redmine tickets:
https://redmine.openinfosecfoundation.org/issues/3827
https://redmine.openinfosecfoundation.org/issues/5977
https://redmine.openinfosecfoundation.org/issues/6500
https://redmine.openinfosecfoundation.org/issues/6501
https://redmine.openinfosecfoundation.org/issues/5053

Describe changes:

  • Fix setup-app-layer script so that it adds app-layer metadata to alerts
  • add krb5 metadata to alerts
  • add ftp metadata to alerts
  • add tftp metadata to alerts
  • output/dns: do not add empty app-layer metadata
  • app-layer: do not require probing parser as fixed patterns can be enough
  • app-layer plugins

#9807 with S-V fixed for files

SV_BRANCH=pr/1465

OISF/suricata-verify#1465

catenacyber and others added 9 commits November 16, 2023 11:46
@catenacyber
output/alert: rewrite code for app-layer properties
da33595 
Especially fix setup-app-layer script to not forget this part

This allows, for simple loggers, to have a unique definition
of the actual logging function with the jsonbuilder.
This way, alerts, files, and app-layer event can share the code
to output the same data.

Ticket: OISF#3827
@catenacyber
output/ftp: have ftp properties in alerts
405d00c 
Ticket: 6500
@catenacyber
output/tftp: have tftp properties in alerts
604b682 
Ticket: 6501
@catenacyber
output/krb5: have krb5 properties in alerts
172a9bc 
Ticket: 5977
@catenacyber
output/dnp3: restrict function scope to one file
7c7aa8a
@catenacyber
output/dns: do not add empty app-layer metadata
1acb710
@catenacyber
output: generic simple tx json logger
4391e05 
Ticket: 3827
@catenacyber
app-layer: do not require probing parser
5636269 
as fixed patterns can be enough
@catenacyber
detect: make number of keywords dynamic
3ddee5e
@catenacyber catenacyber mentioned this pull request Nov 16, 2023
Closed
jasonish
jasonish reviewed Nov 16, 2023
View reviewed changes
src/detect-engine-helper.c
#include "detect-engine-prefilter.h"
#include "detect-parse.h"

int DetectHelperBufferRegister(const char *name, AppProto alproto, bool toclient, bool toserver)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All this helper stuff seems generally useful across many keywords... Should it not be integrated directly into detect-engine-register?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, will do

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Problem is detect.h depends on detect-engine-register.h for DETECT_TBLSIZE_STATIC
So we cannot have these defined in detect-engine-register.h as they depend on definition in detect.h

@catenacyber
detect: helper to have pure rust keywords
b3dc3ad 
Only implemented for snmp.version and mqtt.password
But should be implemented for more
@catenacyber
app-layer: allow at compile-time more app-layer
8a7459b 
So that we can have dynamically registered protocols.
Doing it at compile time, with CFLAGS=-DALPROTO_DYNAMIC_NB=1,
allows to keep the rest of the code using ALPROTO_MAX

Ticket: 5053
@catenacyber catenacyber force-pushed the output-alert-applayer-v13.4 branch from ec83079 to f22c4ae Compare November 16, 2023 20:02
@catenacyber catenacyber force-pushed the output-alert-applayer-v13.4 branch from f22c4ae to c52260d Compare November 16, 2023 20:06
@catenacyber
Copy link
Contributor Author

This also solves https://redmine.openinfosecfoundation.org/issues/4683

@codecov Codecov
Copy link

codecov bot commented Nov 16, 2023

Codecov Report

Merging #9812 (c52260d) into master (2f4027c) will decrease coverage by 0.02%.
The diff coverage is 82.17%.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #9812      +/-   ##
==========================================
- Coverage   82.37%   82.35%   -0.02%     
==========================================
  Files         968      957      -11     
  Lines      273866   273372     -494     
==========================================
- Hits       225585   225148     -437     
+ Misses      48281    48224      -57
Flag Coverage Δ
fuzzcorpus 64.28% <74.65%> (+0.06%) ⬆️
suricata-verify 60.90% <78.27%> (-0.08%) ⬇️
unittests 63.04% <22.56%> (+0.10%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 16578

This was referenced Nov 19, 2023
Closed
Merged
Closed
Closed
Closed
@catenacyber
Copy link
Contributor Author

Replaced by #9871

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish jasonish left review comments

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien will be requested when the pull request is marked ready for review victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@catenacyber @suricata-qa @jasonish