
Iface preack v2

Open zer1t0 opened this issue 2 years ago • 1 comments

Make sure these boxes are signed before submitting your Pull Request -- thank you.

  • [X] I have read the contributing guidelines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
  • [X] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/
  • [X] I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/5067

Describe changes:

  • Create new preack option for dcerpc.iface
  • Allow dcerpc over smb requests to match without the otherwise required bind_ack when preack is enabled (if after that a bind_ack is received rejecting the context, then the rule will stop matching subsequent packets)
  • Add preack option to documentation

As described in the related ticket, some Windows OSes, when using dcerpc over smb, send requests just after the bind, without waiting for the bind_ack. So in case the user wants to match those requests, I introduce a new option in dcerpc.iface; this way the previous behaviour without the flag remains unaltered.

Also a few changes were made in the processing of the dcerpc.iface options, which are now allowed to include spaces (<uuid>,any_frag and <uuid>, any_frag are both valid).

suricata-verify-pr: 729

zer1t0 avatar Apr 28 '22 10:04 zer1t0
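To make the two behaviours in the description concrete, here is an added illustration written for this page; it is not code from the PR or from Suricata. It parses a dcerpc.iface option string in the whitespace-tolerant form the PR describes (the `preack` token is the PR's proposed flag, not a shipped Suricata keyword) and then replays a constructed DCERPC-over-SMB event sequence through a small per-flow model of bind contexts, so you can see when a request on a not-yet-acknowledged context matches and how a rejecting bind_ack stops further matches. The event format, the state model and the interface UUID are all assumptions made up for the example.

```python
"""Added example (not Suricata's or the PR's code): whitespace-tolerant dcerpc.iface
option parsing plus a toy model of the proposed 'preack' matching behaviour."""
from __future__ import annotations

import uuid as _uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

_OPERATORS = ("<", ">", "=", "!")


@dataclass
class IfaceOption:
    iface: str                      # canonical lowercase uuid
    operator: Optional[str] = None  # version operator, if any
    version: Optional[int] = None
    any_frag: bool = False
    preack: bool = False            # hypothetical flag proposed in the PR


def parse_iface_option(text: str) -> IfaceOption:
    """Parse '<uuid>[,<op><version>][,any_frag][,preack]'.

    Whitespace around commas is ignored, so '<uuid>,any_frag' and
    '<uuid>, any_frag' parse identically, as the PR description requires."""
    parts = [p.strip() for p in text.split(",")]
    if not parts[0]:
        raise ValueError("missing interface uuid")
    try:
        iface = str(_uuid.UUID(parts[0]))
    except ValueError as exc:
        raise ValueError(f"bad uuid {parts[0]!r}") from exc
    opt = IfaceOption(iface=iface)
    for tok in parts[1:]:
        if tok == "any_frag":
            opt.any_frag = True
        elif tok == "preack":
            opt.preack = True
        elif tok and tok[0] in _OPERATORS and tok[1:].isdigit():
            if opt.operator is not None:
                raise ValueError("version constraint given twice")
            opt.operator, opt.version = tok[0], int(tok[1:])
        else:
            raise ValueError(f"unknown dcerpc.iface token {tok!r}")
    return opt


def _version_ok(opt: IfaceOption, version: int) -> bool:
    """Apply the optional <op><version> constraint to the bound interface version."""
    if opt.operator is None:
        return True
    return {"=": version == opt.version, ">": version > opt.version,
            "<": version < opt.version, "!": version != opt.version}[opt.operator]


@dataclass
class FlowState:
    """Constructed per-flow model: which bind contexts are pending, accepted, rejected."""
    pending: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    accepted: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    rejected: Set[int] = field(default_factory=set)

    def on_bind(self, ctx_id: int, iface: str, version: int) -> None:
        self.pending[ctx_id] = (iface, version)

    def on_bind_ack(self, results: Dict[int, bool]) -> None:
        # A rejecting bind_ack moves the context out of 'pending', so a rule that
        # matched it via preack stops matching from here on.
        for ctx_id, ok in results.items():
            bound = self.pending.pop(ctx_id, None)
            if bound is None:
                continue
            (self.accepted.__setitem__(ctx_id, bound) if ok else self.rejected.add(ctx_id))


def request_matches(state: FlowState, ctx_id: int, opt: IfaceOption) -> bool:
    """Acknowledged contexts always count; pending ones only when preack is set."""
    bound = state.accepted.get(ctx_id)
    if bound is None and opt.preack:
        bound = state.pending.get(ctx_id)
    if bound is None:
        return False
    iface, version = bound
    return iface == opt.iface and _version_ok(opt, version)


def run_flow(events: List[tuple], opt: IfaceOption) -> List[bool]:
    """Replay constructed events; return one verdict per 'request' event."""
    st, verdicts = FlowState(), []
    for ev in events:
        if ev[0] == "bind":
            st.on_bind(ev[1], ev[2], ev[3])
        elif ev[0] == "bind_ack":
            st.on_bind_ack(ev[1])
        elif ev[0] == "request":
            verdicts.append(request_matches(st, ev[1], opt))
    return verdicts


# Constructed sample: a Windows-style client sends a request right after the bind,
# then the server's bind_ack rejects context 1, then the client tries again.
IFACE = "11111111-2222-3333-4444-555555555555"  # made-up uuid for the example
EARLY_REQUEST_FLOW = [("bind", 1, IFACE, 1), ("request", 1),
                      ("bind_ack", {1: False}), ("request", 1)]

if __name__ == "__main__":
    plain = parse_iface_option(f"{IFACE},=1,any_frag")
    early = parse_iface_option(f"{IFACE}, =1, any_frag, preack")
    print("without preack:", run_flow(EARLY_REQUEST_FLOW, plain))  # [False, False]
    print("with preack:   ", run_flow(EARLY_REQUEST_FLOW, early))  # [True, False]
```

The second verdict is False in both runs: once the bind_ack rejects the context, preack no longer helps, which is exactly the "stop matching next packets" clause in the description; only the first request, sent before any acknowledgement, differs between the two rules.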

Codecov Report

Merging #7334 (78200af) into master (2ebb525) will decrease coverage by 1.90%. The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #7334      +/-   ##
==========================================
- Coverage   77.68%   75.77%   -1.91%     
==========================================
  Files         628      656      +28     
  Lines      185657   190065    +4408     
==========================================
- Hits       144232   144031     -201     
- Misses      41425    46034    +4609     
Flag               Coverage   Δ
fuzzcorpus         60.27%     <ø>  (+2.21%) ↑
suricata-verify    51.58%     <ø>  (-2.87%) ↓
unittests          61.01%     <ø>  (-2.02%) ↓

Flags with carried forward coverage won't be shown.

codecov[bot] avatar Apr 28 '22 10:04 codecov[bot]

Closing due to inactivity. If you're interested in picking this back up, please open a new PR addressing the comments. Thanks!

victorjulien avatar May 05 '23 08:05 victorjulien