
detect: rerun pkt rules to check match

Open catenacyber opened this issue 2 years ago • 3 comments

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/2836

Describe changes:

  • Run DetectEnginePktInspectionRun for every DetectRunTxInspectRule

suricata-verify-pr: 493

https://github.com/OISF/suricata-verify/pull/493

Replaces #6366 with rebase and commit message including ticket number

The issue here seems to be that the flowbit logic isn't run at the expected moment. Can you look into ways to get it to run it at the right time w/o brute forcing it?

Assuming there is a problem in flow bit (and not in filemagic, which can be replaced by its sticky buffer version to have no problem), the options are:

  • prevent it before calling DetectRunTxInspectRule: seems more brute forcing to call a check earlier, as it will be called even more often
  • in DetectRunTxInspectRule:
    • using a DetectEngineAppInspectionEngine for flow bits: but it would need to be defined for each protocol
    • rerun DetectEnginePktInspectionRun if there is a match and we have stored_flags defined: chosen option to reduce the performance impact
    • I think it impacts all pkt keywords, not only flow bits, but flowvar and others as well (even if some keyword combinations do not make sense to me)
  • prevent it after returning from DetectRunTxInspectRule: a match seems definite at this point

catenacyber avatar Apr 27 '22 08:04 catenacyber
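As an added illustration of the option chosen above (a simplified model written for this page, not Suricata's own code): a packet-level keyword such as flowbits:isset is evaluated before the tx stage, so a flowbit set by an earlier rule's post-match on the same tx is not seen unless the packet-level check is re-run once the tx keyword matches, and only signatures with stored_flags pay that extra check. All type and function names below are assumed stand-ins.

```c
/* Simplified model, not Suricata code: re-run the pkt-level check (stand-in for
 * DetectEnginePktInspectionRun) after a tx match, only for sigs with stored_flags. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef struct { uint32_t flowbits; } Flow;
typedef struct {
    const char *tx_content;  /* tx (app-layer) keyword: substring of tx data */
    uint32_t need_isset;     /* pkt keyword: flowbits:isset mask, 0 = none */
    uint32_t set_on_match;   /* post-match action: flowbits:set mask */
    bool stored_flags;       /* signature carries pkt-level keywords */
} Signature;
static int pkt_inspect_runs;   /* counts packet-level inspections (cost) */

static bool PktInspect(const Signature *s, const Flow *f) {
    pkt_inspect_runs++;
    return (f->flowbits & s->need_isset) == s->need_isset;
}
/* One tx inspection pass; returns bitmask of alerting signatures.
 * rerun=false: use the pkt result computed before the tx stage (may be stale).
 * rerun=true : on a tx match, re-check pkt keywords if stored_flags is set. */
uint32_t RunTxInspect(const Signature *sigs, int n, Flow *f,
                      const char *tx, bool rerun) {
    bool prematch[32];
    uint32_t alerts = 0;
    for (int i = 0; i < n; i++)              /* pkt stage runs first */
        prematch[i] = PktInspect(&sigs[i], f);
    for (int i = 0; i < n; i++) {            /* tx stage, rule order matters */
        if (!strstr(tx, sigs[i].tx_content)) continue;
        bool ok = prematch[i];
        if (rerun && sigs[i].stored_flags) ok = PktInspect(&sigs[i], f);
        if (!ok) continue;
        alerts |= 1u << i;
        f->flowbits |= sigs[i].set_on_match; /* flowbits:set is post-match */
    }
    return alerts;
}
/* Constructed scenario: sig0 matches "MZ" (filemagic-like) and sets bit 1;
 * sig1 needs that bit plus the same content, evaluated on the same tx. */
uint32_t Scenario(bool rerun) {
    const Signature sigs[2] = { { "MZ", 0, 1u, false }, { "MZ", 1u, 0, true } };
    Flow f = { 0 };
    pkt_inspect_runs = 0;
    return RunTxInspect(sigs, 2, &f, "MZ-constructed-exe", rerun);
}
int LastPktInspectRuns(void) { return pkt_inspect_runs; }
```

Without the re-run only sig0 alerts (stale pkt result for sig1) at a cost of 2 pkt inspections; with it both alert at a cost of 3, the extra check being spent only on the one signature that has stored_flags.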

Codecov Report

Merging #7317 (42cdc12) into master (ddf9c9d) will increase coverage by 0.01%. The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #7317      +/-   ##
==========================================
+ Coverage   75.82%   75.83%   +0.01%     
==========================================
  Files         656      656              
  Lines      190051   190069      +18     
==========================================
+ Hits       144102   144148      +46     
+ Misses      45949    45921      -28     
Flag Coverage Δ
fuzzcorpus 60.43% <66.66%> (+0.01%) :arrow_up:
suricata-verify 51.60% <100.00%> (+0.06%) :arrow_up:
unittests 61.01% <66.66%> (-0.01%) :arrow_down:

Flags with carried forward coverage won't be shown. Click here to find out more.

codecov[bot] avatar Apr 27 '22 08:04 codecov[bot]

ERROR:

ERROR: QA failed on tlpw1_files_sha256.

Pipeline 7244

suricata-qa avatar May 01 '22 06:05 suricata-qa

ERROR:

ERROR: QA failed on tlpw1_files_sha256.

Pipeline 7244 WARNING: THERE IS A KNOWN BAD BASELINE WITH PACKET DROPS. BE MINDFUL OF ANY RESULTS.

suricata-qa avatar Aug 23 '22 13:08 suricata-qa

ping @victorjulien ?

catenacyber avatar Nov 03 '22 13:11 catenacyber

ERROR:

ERROR: QA failed on tlpw1_files_sha256.

Pipeline 7244

suricata-qa avatar Nov 18 '22 01:11 suricata-qa

Replaced by https://github.com/OISF/suricata/pull/8193

catenacyber avatar Nov 21 '22 13:11 catenacyber