suricata
Iface preack v2
Make sure these boxes are signed before submitting your Pull Request -- thank you.
- [X] I have read the contributing guide lines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
- [X] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/
- [X] I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/5067
Describe changes:
- Create new preack option for dcerpc.iface
- Allow dcerpc over smb requests to match without the required bind_ack when preack is enabled (if a bind_ack rejecting the context is received afterwards, the rule will stop matching subsequent packets)
- Add preack option to documentation
As described in the related ticket, some Windows OSes, when using dcerpc over smb, send requests just after the bind, without waiting for the bind_ack. So in case the user wants to match those requests, I introduce a new option in dcerpc.iface; this way the previous behaviour without the flag remains unaltered.
Also a few changes were made in the processing of the dcerpc.iface options, which are now allowed to include spaces ("<uuid>,any_frag" and "<uuid>, any_frag" are both valid).
suricata-verify-pr: 729
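The two behaviours the PR describes, option parsing that tolerates whitespace after commas and a request that matches before the bind_ack only when preack is set (and stops matching once a rejecting bind_ack arrives), can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not Suricata's own parser or detection code, the struct and function names are invented, the UUID shape check is a constructed simplification, and any_frag is parsed but its fragment handling is out of scope here.

```rust
// Hypothetical model of dcerpc.iface option parsing and per-flow bind state.
// Not Suricata's code: names, structures and the UUID check are assumptions.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub struct IfaceOpts {
    pub uuid: String,
    pub any_frag: bool,
    pub preack: bool,
}

/// Parse "<uuid>[,any_frag][,preack]", trimming whitespace around each
/// comma-separated token so "<uuid>, any_frag" equals "<uuid>,any_frag".
pub fn parse_iface(opt: &str) -> Result<IfaceOpts, String> {
    let mut parts = opt.split(',').map(|p| p.trim());
    let uuid = parts.next().filter(|u| !u.is_empty()).ok_or("missing uuid")?;
    // Constructed shape check: 8-4-4-4-12 hex groups (simplified, not RFC-complete).
    let groups: Vec<&str> = uuid.split('-').collect();
    let widths = [8usize, 4, 4, 4, 12];
    let well_formed = groups.len() == 5
        && groups.iter().zip(widths.iter()).all(|(g, &w)| {
            g.len() == w && g.chars().all(|c| c.is_ascii_hexdigit())
        });
    if !well_formed {
        return Err(format!("invalid uuid: {}", uuid));
    }
    let mut o = IfaceOpts { uuid: uuid.to_ascii_lowercase(), any_frag: false, preack: false };
    for p in parts {
        match p {
            "any_frag" if !o.any_frag => o.any_frag = true,
            "preack" if !o.preack => o.preack = true,
            "" => return Err("empty option".to_string()),
            other => return Err(format!("unknown or duplicate option: {}", other)),
        }
    }
    Ok(o)
}

/// Bind state of one presentation context id within a flow.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum CtxState { Pending, Accepted, Rejected }

/// Per-flow table: context id -> (interface uuid from the BIND, ack state).
#[derive(Default)]
pub struct FlowBinds {
    ctx: HashMap<u16, (String, CtxState)>,
}

impl FlowBinds {
    /// BIND seen: remember the interface, no bind_ack yet.
    pub fn on_bind(&mut self, ctx_id: u16, uuid: &str) {
        self.ctx.insert(ctx_id, (uuid.to_ascii_lowercase(), CtxState::Pending));
    }
    /// BIND_ACK seen: the server accepted or rejected this context.
    pub fn on_bind_ack(&mut self, ctx_id: u16, accepted: bool) {
        if let Some(entry) = self.ctx.get_mut(&ctx_id) {
            entry.1 = if accepted { CtxState::Accepted } else { CtxState::Rejected };
        }
    }
    /// Does a REQUEST on ctx_id satisfy the rule's dcerpc.iface option?
    /// Pending contexts match only when the rule carries preack; a rejected
    /// context never matches, so matching stops once a rejecting ack arrives.
    pub fn request_matches(&self, ctx_id: u16, rule: &IfaceOpts) -> bool {
        match self.ctx.get(&ctx_id) {
            Some((uuid, state)) if *uuid == rule.uuid => match state {
                CtxState::Accepted => true,
                CtxState::Pending => rule.preack,
                CtxState::Rejected => false,
            },
            _ => false,
        }
    }
}

fn main() {
    // Constructed sample: one rule with preack, a bind, then a request before any ack.
    let rule = parse_iface("12345678-1234-abcd-ef00-0123456789ab, preack").unwrap();
    let mut flow = FlowBinds::default();
    flow.on_bind(0, "12345678-1234-ABCD-EF00-0123456789AB");
    println!("request before bind_ack matches: {}", flow.request_matches(0, &rule));
    flow.on_bind_ack(0, false);
    println!("request after rejecting bind_ack matches: {}", flow.request_matches(0, &rule));
}
```

The state machine is deliberately per context id rather than per flow, since a bind can carry several contexts and a bind_ack can accept some and reject others; a rule without preack keeps the pre-PR behaviour of matching only accepted contexts.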
Codecov Report
Merging #7334 (78200af) into master (2ebb525) will decrease coverage by 1.90%. The diff coverage is n/a.
@@ Coverage Diff @@
## master #7334 +/- ##
==========================================
- Coverage 77.68% 75.77% -1.91%
==========================================
Files 628 656 +28
Lines 185657 190065 +4408
==========================================
- Hits 144232 144031 -201
- Misses 41425 46034 +4609
Flag | Coverage Δ |
---|---|
fuzzcorpus | 60.27% <ø> (+2.21%) :arrow_up: |
suricata-verify | 51.58% <ø> (-2.87%) :arrow_down: |
unittests | 61.01% <ø> (-2.02%) :arrow_down: |
Flags with carried forward coverage won't be shown.
Closing due to inactivity. If you're interested in picking this back up, please open a new PR addressing the comments. Thanks!