detect: rerun pkt rules to check match
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/2836
Describe changes:
- Run DetectEnginePktInspectionRun for every DetectRunTxInspectRule
suricata-verify-pr: 493
https://github.com/OISF/suricata-verify/pull/493
Replaces #6366 with rebase and commit message including ticket number
The issue here seems to be that the flowbit logic isn't run at the expected moment. Can you look into ways to get it to run at the right time w/o brute forcing it?
Assuming there is a problem in flow bit (and not in filemagic, which can be replaced by its sticky buffer version to have no problem), the options are:
- prevent it before calling DetectRunTxInspectRule: seems more brute forcing to call a check earlier, as it will be called even more often
- in DetectRunTxInspectRule:
  - using a DetectEngineAppInspectionEngine for flow bits: but it would need to be defined for each protocol
  - rerun DetectEnginePktInspectionRun if there is a match and we have stored_flags defined: chosen option to reduce the performance impact. I think it impacts all pkt keywords, not only flow bits, but flowvar and others as well (even if some keyword combinations do not make sense to me)
- prevent it after returning from DetectRunTxInspectRule: a match seems definite at this point
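As an added illustration (not Suricata's code and not part of this PR), the Python model below shows the option chosen in the comment above: a rule's packet-level flag check (a flowbits-style "isset") is stored when the transaction is first seen, and re-run at the moment a transaction-level match is found, but only for rules that carry such a stored flag, so rules without packet-level keywords pay nothing extra. The Flow, Packet and Rule classes, run_engine, and the sample packets are all constructed for this example and are not Suricata's data structures.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Flow:
    """Constructed stand-in for per-flow state: just a set of flowbits."""
    flowbits: Set[str] = field(default_factory=set)


@dataclass
class Packet:
    seq: int
    tx_id: int
    # State changes other rules would make earlier in this packet's evaluation,
    # e.g. a flowbits:set or flowbits:unset rule (constructed stand-ins).
    flow_events: List[Callable[[Flow], None]] = field(default_factory=list)
    # Reassembled transaction payload that becomes available with this packet.
    tx_payload: Optional[bytes] = None


@dataclass
class Rule:
    sid: int
    # Packet-level keyword evaluated against flow state (the "stored flag").
    pkt_check: Optional[Callable[[Flow], bool]] = None
    # Transaction-level keyword evaluated against the tx payload.
    tx_check: Optional[Callable[[bytes], bool]] = None


def run_engine(rules: List[Rule], packets: List[Packet],
               rerun_pkt_on_tx_match: bool) -> Tuple[List[Tuple[int, int]], int]:
    """Return (alerts as (sid, seq) pairs, number of packet-level evaluations)."""
    flow = Flow()
    alerts: List[Tuple[int, int]] = []
    stored: Dict[Tuple[int, int], bool] = {}  # (sid, tx_id) -> packet-level verdict
    pkt_evals = 0
    for pkt in packets:
        for event in pkt.flow_events:
            event(flow)  # other rules mutate flow state before this rule is considered
        for rule in rules:
            if rule.tx_check is None:
                # Pure packet rule: evaluate and alert on this packet.
                if rule.pkt_check is None or rule.pkt_check(flow):
                    alerts.append((rule.sid, pkt.seq))
                continue
            key = (rule.sid, pkt.tx_id)
            if key not in stored:
                # Packet-level verdict is computed once per transaction and kept.
                if rule.pkt_check is None:
                    stored[key] = True
                else:
                    stored[key] = rule.pkt_check(flow)
                    pkt_evals += 1
            if pkt.tx_payload is None or not rule.tx_check(pkt.tx_payload):
                continue
            verdict = stored[key]
            if rerun_pkt_on_tx_match and rule.pkt_check is not None:
                # The chosen option: re-run the stored packet-level check now,
                # against the flow state at the moment of the tx match.
                verdict = rule.pkt_check(flow)
                pkt_evals += 1
            if verdict:
                alerts.append((rule.sid, pkt.seq))
    return alerts, pkt_evals


# Constructed rules: sid 1 needs flowbit "login" set and a PDF transaction,
# sid 2 only needs the PDF transaction (no stored flag).
RULES = [
    Rule(1, pkt_check=lambda f: "login" in f.flowbits,
         tx_check=lambda p: p.startswith(b"%PDF")),
    Rule(2, tx_check=lambda p: p.startswith(b"%PDF")),
]

# Constructed packets: the flowbit is set on packet 1 and cleared on packet 2,
# and the transaction payload only becomes available with packet 2.
PACKETS = [
    Packet(seq=1, tx_id=7, flow_events=[lambda f: f.flowbits.add("login")]),
    Packet(seq=2, tx_id=7, flow_events=[lambda f: f.flowbits.discard("login")],
           tx_payload=b"%PDF-1.7 constructed sample"),
]


if __name__ == "__main__":
    print("stored verdict only:", run_engine(RULES, PACKETS, False))
    print("rerun on tx match:  ", run_engine(RULES, PACKETS, True))
```

With the stored verdict alone, sid 1 alerts on packet 2 even though the flowbit was cleared before the transaction matched; re-running the packet-level check at tx-match time drops that alert at the cost of one extra evaluation, and sid 2, which has no stored flag, is evaluated no more often than before.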
Codecov Report
Merging #7317 (42cdc12) into master (ddf9c9d) will increase coverage by 0.01%. The diff coverage is 100.00%.

@@ Coverage Diff @@
## master #7317 +/- ##
==========================================
+ Coverage 75.82% 75.83% +0.01%
==========================================
Files 656 656
Lines 190051 190069 +18
==========================================
+ Hits 144102 144148 +46
+ Misses 45949 45921 -28

Flag | Coverage Δ |
---|---|
fuzzcorpus | 60.43% <66.66%> (+0.01%) ⬆️ |
suricata-verify | 51.60% <100.00%> (+0.06%) ⬆️ |
unittests | 61.01% <66.66%> (-0.01%) ⬇️ |

Flags with carried forward coverage won't be shown.
ERROR: QA failed on tlpw1_files_sha256.
Pipeline 7244

ERROR: QA failed on tlpw1_files_sha256.
Pipeline 7244
WARNING: THERE IS A KNOWN BAD BASELINE WITH PACKET DROPS. BE MINDFUL OF ANY RESULTS.

ping @victorjulien ?

ERROR: QA failed on tlpw1_files_sha256.
Pipeline 7244
Replaced by https://github.com/OISF/suricata/pull/8193