suricata icon indicating copy to clipboard operation
suricata copied to clipboard

Published 20 hours ago verified publisher icon OISF

doc: 3025 http keyword updates v3

Open jmtaylor90 opened this issue 1 year ago • 3 comments

Make sure these boxes are signed before submitting your Pull Request -- thank you.

  • [x] I have read the contributing guide lines at https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
  • [x] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/ (note: this is only required once)
  • [x] I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/3025

Describe changes:

  • applied feedback from #10101
  • updated all http keywords documentation
  • RTD build of branch - https://rtd-test-suricata.readthedocs.io/en/latest/rules/http-keywords.html

Provide values to any of the below to override the defaults.

To use a pull request use a branch name like pr/N where N is the pull request number.

Alternatively, SV_BRANCH may also be a link to an OISF/suricata-verify pull-request.

SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

jmtaylor90 avatar Feb 07 '24 14:02 jmtaylor90

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (db99c45) 82.34% compared to head (e1c7f77) 82.33%.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #10329      +/-   ##
==========================================
- Coverage   82.34%   82.33%   -0.01%     
==========================================
  Files         978      978              
  Lines      272003   272003              
==========================================
- Hits       223971   223967       -4     
- Misses      48032    48036       +4
Flag Coverage Δ
fuzzcorpus 63.60% <ø> (ø)
suricata-verify 61.50% <ø> (+0.01%) :arrow_up:
unittests 62.84% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

codecov[bot] avatar Feb 07 '24 15:02 codecov[bot]

I think it'd be beneficial to add a reference to 'HTTP Primer' explaining what 'sticky buffers' are. It seems to be explained briefly in '8.1.6.1 - Modifier Keywords'.

will add in next PR

jmtaylor90 avatar Feb 08 '24 20:02 jmtaylor90

This was massive, thanks for this undertaking!

Left mostly nit comments for typos and the likes., not very confident to review HTTP workings or rule keyword details...

I wonder if something can be done about the sections that have several notes, as I worry that the sheer amount may render some less visible.

Indeed, some of the keywords just have a number of details that are important. Without making the document a wall of text, I figured using the note:: option at least broke up the content a little but am open to suggestions on that

Once wondering if we could reorganize the keyword order alphabetically, or semantically, somehow (might be a separate task, if agreed upon).

I was wondering about ordering as well, I would be open to adding to this PR once decided on the ordering method.

Haven't reviewed changes per commit, so no comments on commit separation logic from me.

Thanks once again for this!

jmtaylor90 avatar Feb 15 '24 21:02 jmtaylor90

This was massive, thanks for this undertaking! Left mostly nit comments for typos and the likes., not very confident to review HTTP workings or rule keyword details... I wonder if something can be done about the sections that have several notes, as I worry that the sheer amount may render some less visible.

Indeed, some of the keywords just have a number of details that are important. Without making the document a wall of text, I figured using the note:: option at least broke up the content a little but am open to suggestions on that

Unfortunately, no suggestions, for now, might be the easiest solution, indeed.

Once wondering if we could reorganize the keyword order alphabetically, or semantically, somehow (might be a separate task, if agreed upon).

I was wondering about ordering as well, I would be open to adding to this PR once decided on the ordering method.

As a user, what ordering would make more sense to you? Or just alphabetically would be fine, as at least it's easier to know what should come next?

jufajardini avatar Feb 19 '24 14:02 jufajardini

This was massive, thanks for this undertaking! Left mostly nit comments for typos and the likes., not very confident to review HTTP workings or rule keyword details... I wonder if something can be done about the sections that have several notes, as I worry that the sheer amount may render some less visible.

Indeed, some of the keywords just have a number of details that are important. Without making the document a wall of text, I figured using the note:: option at least broke up the content a little but am open to suggestions on that

Unfortunately, no suggestions, for now, might be the easiest solution, indeed.

Once wondering if we could reorganize the keyword order alphabetically, or semantically, somehow (might be a separate task, if agreed upon).

I was wondering about ordering as well, I would be open to adding to this PR once decided on the ordering method.

As a user, what ordering would make more sense to you? Or just alphabetically would be fine, as at least it's easier to know what should come next?

I will have a new PR next week with the alphabetical ordering and the changes suggested so far. Thanks!

jmtaylor90 avatar Feb 29 '24 22:02 jmtaylor90

continued in https://github.com/OISF/suricata/pull/10599

jmtaylor90 avatar Mar 08 '24 22:03 jmtaylor90