App layer error close txs 4318 v6
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/4318
Describe changes:
- app-layer: clean and "close" all txs if protocol reaches error state
Still need to test this, and check current app-layer parser returning error
Modifies #7243 by adding the ticket number in the message
Codecov Report
Merging #7513 (bea2797) into master (8377b9d) will decrease coverage by 0.09%. The diff coverage is 100.00%.
@@ Coverage Diff @@
## master #7513 +/- ##
==========================================
- Coverage 75.83% 75.74% -0.10%
==========================================
Files 655 657 +2
Lines 186236 186373 +137
==========================================
- Hits 141239 141161 -78
- Misses 44997 45212 +215
Flag | Coverage Δ | |
---|---|---|
fuzzcorpus | 59.97% <100.00%> (-0.11%) | :arrow_down: |
suricata-verify | 52.16% <88.88%> (-0.09%) | :arrow_down: |
unittests | 60.77% <88.88%> (-0.04%) | :arrow_down: |
Information: QA ran without warnings.
Pipeline 7759
One example where I am not sure how it should be dealt with:
if an HTTP2 client does not send the magic banner, the app-layer parser returns an error. Should it return an error? Or should it try to parse further frames?
It looks like we have two cases here:
- both client and server were recognized using the app-layer protocol
- or client and server do not talk the same protocol
PS: the banner can be split over multiple TCP packets, and the server side may have created multiple transactions before getting the error
Another case: SSH where a record has its length <= 1
Not sure of this
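The HTTP2 case raised in the thread above (banner split over several TCP packets, server-side transactions already open when the client side fails), as an added sketch that is not code from this PR or from Suricata. `flow_state`, `open_tx`, `feed_client` and `pending_txs` are hypothetical names, and it assumes the "return an error" choice, closing every transaction once the error state is reached.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HTTP/2 client connection preface, the "magic banner" (24 bytes). */
static const uint8_t PREFACE[] = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
#define PREFACE_LEN (sizeof(PREFACE) - 1)
#define MAX_TXS 8
enum parse_rc { PARSE_NEED_MORE, PARSE_OK, PARSE_ERROR };

/* Hypothetical per-flow state; these are not Suricata's structures. */
struct flow_state {
    size_t matched, tx_count;  /* banner bytes matched; transactions opened */
    int errored;               /* protocol reached the error state */
    int tx_done[MAX_TXS];      /* 1 = transaction closed */
};

/* Server side opens a transaction, e.g. for its SETTINGS frame. */
static int open_tx(struct flow_state *f) {
    if (f->errored || f->tx_count == MAX_TXS) return -1;
    f->tx_done[f->tx_count] = 0;
    return (int)f->tx_count++;
}

static size_t pending_txs(const struct flow_state *f) {
    size_t n = 0;
    for (size_t i = 0; i < f->tx_count; i++) n += !f->tx_done[i];
    return n;
}

/* Feed one client TCP segment; the banner may arrive in several pieces. */
static enum parse_rc feed_client(struct flow_state *f, const uint8_t *buf, size_t len) {
    if (f->errored) return PARSE_ERROR;
    size_t n = PREFACE_LEN - f->matched;   /* 0 once the banner is complete */
    if (len < n) n = len;
    if (memcmp(PREFACE + f->matched, buf, n) != 0) {
        f->errored = 1;                    /* close every tx so none stays pending */
        for (size_t i = 0; i < f->tx_count; i++) f->tx_done[i] = 1;
        return PARSE_ERROR;
    }
    f->matched += n;
    return f->matched == PREFACE_LEN ? PARSE_OK : PARSE_NEED_MORE;
}

int main(void) {
    struct flow_state f = {0};
    feed_client(&f, (const uint8_t *)"PRI * HT", 8);  /* constructed segments */
    open_tx(&f); open_tx(&f);
    feed_client(&f, (const uint8_t *)"GET / HT", 8);  /* second piece is wrong */
    printf("pending after error: %zu\n", pending_txs(&f));
}
```

A partial banner returns `PARSE_NEED_MORE` rather than an error, so a split banner alone never triggers the close-all path.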