suricata
detect: option to run flowbits on stream
When a flowbit is set on application layer tests, this has the consequence that there is no point in checking it per packet.
This patch adds the data option to the flowbits keyword so that the evaluation is done at the stream level and not at the packet level.
As a result, using the data option prevents the bug https://redmine.openinfosecfoundation.org/issues/2836 from appearing.
Ticket: #2836
Make sure these boxes are signed before submitting your Pull Request -- thank you.
- [x] I have read the contributing guidelines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
- [x] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/
- [x] I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/2836
Describe changes:
- Add data option to flowbits
suricata-verify-pr: 924
Information: QA ran without warnings.
Pipeline 8977
I wonder if a better solution would be to add more classes of "bits": txbits, statebits, framebits, etc, where the execution and lifetime would align better with the type of data that is inspected.