
detect/bytemath: Support out of order options

Open jlucovsky opened this issue 1 year ago • 1 comments

Continuation of #7802

The intent of this PR is to support arbitrary order options for byte_math. During the investigation phase, it was suggested that the parser be converted to Rust for simplification. Thus, the PCRE based parser for byte_math was removed and replaced with a Rust based parser. @jasonish's prototype rules parser work helped guide this PR.

The C unittests were retained and many were added to the Rust based parser.

Issue: 5077

Link to redmine ticket: 5077

Describe changes:

  • Converts the PCRE based parser to Rust.
  • Adds unit tests to the new Rust modules
  • Removes the PCRE parser from detect-bytemath.c
  • Adjusts the C source modules to refer to the Rust definitions

Updates

  • Modified parser to accept rvalue values of 0 and updated Snort diff document.


jlucovsky, Sep 21 '22 15:09
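A simplified illustration of order-independent option parsing of the kind described in the post above. This is an added example, not code from the PR or from Suricata. The option names follow the byte_math keyword documentation; the function name `parse_byte_math`, the error strings, and the treatment of a non-numeric rvalue as a variable name are assumptions of this sketch.

```rust
use std::collections::HashMap;

// Added example: simplified, not Suricata's parser. Option names follow the
// byte_math keyword documentation; value validation is deliberately minimal.
const REQUIRED: [&str; 5] = ["bytes", "offset", "oper", "rvalue", "result"];
const VALUED: [&str; 3] = ["endian", "string", "bitmask"];
const FLAGS: [&str; 2] = ["relative", "dce"];

/// Parse comma-separated `key value` options given in any order.
pub fn parse_byte_math(input: &str) -> Result<HashMap<String, String>, String> {
    let mut seen: HashMap<String, String> = HashMap::new();
    for raw in input.split(',') {
        let mut parts = raw.split_whitespace();
        let key = parts.next().ok_or("empty option")?;
        let value = parts.next();
        if parts.next().is_some() {
            return Err(format!("too many tokens in '{}'", raw.trim()));
        }
        let is_flag = FLAGS.contains(&key);
        if !is_flag && !REQUIRED.contains(&key) && !VALUED.contains(&key) {
            return Err(format!("unknown option '{}'", key));
        }
        // Flags take no value; every other option needs exactly one.
        let value = match (is_flag, value) {
            (true, None) => String::new(),
            (false, Some(v)) => v.to_string(),
            _ => return Err(format!("bad value for '{}'", key)),
        };
        // A numeric rvalue must fit in u32, and 0 is accepted. Anything
        // non-numeric is treated as a variable name (assumption of this sketch).
        if key == "rvalue" && value.chars().all(|c| c.is_ascii_digit()) {
            value.parse::<u32>().map_err(|_| "rvalue out of range".to_string())?;
        }
        // Once position no longer identifies an option, duplicates must be rejected.
        if seen.insert(key.to_string(), value).is_some() {
            return Err(format!("duplicate option '{}'", key));
        }
    }
    // Required options are checked after the loop, not by position.
    for req in REQUIRED.iter() {
        if !seen.contains_key(*req) {
            return Err(format!("missing required option '{}'", req));
        }
    }
    Ok(seen)
}
```

Because nothing is identified by position, the duplicate and missing-option checks carry the validation that a fixed-order pattern would otherwise enforce implicitly.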

Codecov Report

Merging #7894 (5cb1cc7) into master (a9a17c8) will increase coverage by 0.19%. The diff coverage is 71.42%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #7894      +/-   ##
==========================================
+ Coverage   75.85%   76.05%   +0.19%     
==========================================
  Files         666      666              
  Lines      186269   185823     -446     
==========================================
+ Hits       141301   141321      +20     
+ Misses      44968    44502     -466     
Flag              Coverage Δ
fuzzcorpus        60.77% <76.19%> (+0.28%) :arrow_up:
suricata-verify   52.70% <38.46%> (+0.11%) :arrow_up:
unittests         60.68% <57.69%> (+0.08%) :arrow_up:

Flags with carried forward coverage won't be shown.

codecov[bot], Sep 21 '22 15:09

WARNING:

field                           baseline   test     %
SURI_TLPW1_stats_chk
.tcp.rst                        126232     102873   81.5%
SURI_TLPR1_stats_chk
.app_layer.error.http.parser    1548       1103     71.25%
.app_layer.error.ftp-data.gap   0          1        -

Pipeline 9394

suricata-qa, Sep 21 '22 21:09

continued in #7904

jlucovsky, Sep 22 '22 12:09