suricata icon indicating copy to clipboard operation
suricata copied to clipboard

Published 20 hours ago verified publisher icon OISF

Flow bytes pkts syntax + either support/v1

Open inashivb opened this issue 1 year ago • 8 comments

Link to ticket: https://redmine.openinfosecfoundation.org/issues/5646

SV_BRANCH=https://github.com/OISF/suricata-verify/pull/2017

Feedback requested on:

  1. The new syntax for flow.pkts and flow.bytes. This new syntax is in between the proposed syntax https://redmine.openinfosecfoundation.org/issues/5646 (for simplicity and compatibility) and the currently implemented one (so the common uint operations can be performed easily).
  2. The keyword is only in master so 8.0.0-beta1, if these changes seem fit, this may be an ok time to get these in w/o any issues.

Known issues:

  1. Doc update hasn't been done yet.
  2. Prefilter fn has not been updated yet so it may not work as intended.
  3. Tests for the parsing of arguments need to be done.

inashivb avatar Aug 23 '24 07:08 inashivb

Codecov Report

Attention: Patch coverage is 82.40000% with 22 lines in your changes missing coverage. Please review.

Project coverage is 82.61%. Comparing base (304271e) to head (1c57201). Report is 122 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #11653      +/-   ##
==========================================
- Coverage   82.61%   82.61%   -0.01%     
==========================================
  Files         919      919              
  Lines      248997   249018      +21     
==========================================
+ Hits       205717   205732      +15     
- Misses      43280    43286       +6
Flag Coverage Δ
fuzzcorpus 60.83% <12.80%> (-0.05%) :arrow_down:
livemode 18.64% <12.80%> (-0.02%) :arrow_down:
pcap 44.15% <12.80%> (+<0.01%) :arrow_up:
suricata-verify 61.89% <82.40%> (-0.01%) :arrow_down:
unittests 58.98% <12.80%> (-0.03%) :arrow_down:

Flags with carried forward coverage won't be shown. Click here to find out more.

codecov[bot] avatar Aug 23 '24 07:08 codecov[bot]

Information:

ERROR: QA failed on SURI_TLPR1_suri_time.

field baseline test %
SURI_TLPR1_stats_chk
.uptime 642 668 104.05%

Pipeline 22213

suricata-qa avatar Aug 23 '24 09:08 suricata-qa

Information:

ERROR: QA failed on SURI_TLPW2_autofp_suri_time.

ERROR: QA failed on SURI_TLPR1_suri_time.

field baseline test %
SURI_TLPR1_stats_chk
.uptime 642 691 107.63%

Pipeline 22215

suricata-qa avatar Aug 23 '24 12:08 suricata-qa

I'd like to suggest using a different keyword than either.

We have

  • to_server
  • to_client I'd like to suggest any instead of either. We use any in other contexts and it's well understood and part of Suricata. It seems appropriate for this usage.

jlucovsky avatar Aug 26 '24 12:08 jlucovsky

The new syntax for flow.pkts and flow.bytes.

Maybe just add a new keyword flow.pkts_any as we do not want to break existing rules using flow.pkts_toclient

catenacyber avatar Aug 27 '24 12:08 catenacyber

The new syntax for flow.pkts and flow.bytes.

Maybe just add a new keyword flow.pkts_any as we do not want to break existing rules using flow.pkts_toclient

Ok. JFYI, this keyword is only present in master so far so not really being used anywhere that's why I proposed that if the syntax has to be changed, it should be before the release.

inashivb avatar Aug 28 '24 05:08 inashivb

Ok. JFYI, this keyword is only present in master so far so not really being used anywhere that's why I proposed that if the syntax has to be changed, it should be before the release.

It is used by paw pat rules (SSH exfiltration)

catenacyber avatar Aug 28 '24 06:08 catenacyber

Ok. JFYI, this keyword is only present in master so far so not really being used anywhere that's why I proposed that if the syntax has to be changed, it should be before the release.

It is used by paw pat rules (SSH exfiltration)

oh. Didn't know anybody did keywords from master. Thank you! TIL

inashivb avatar Aug 28 '24 06:08 inashivb