
detect/analyzer: add more details for tcp_mss - v6

Open 0xEniola opened this issue 1 year ago • 2 comments

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6355

Previous PR: #9777

Describe changes:

  • Incorporate feedback from previous PR.

Output:

{
  "raw": "alert tcp any any -> any any (msg: "Testing mss"; tcp.mss: 123-456; sid: 4;)",
  "id": 4,
  "gid": 1,
  "rev": 0,
  "msg": "Testing mss",
  "app_proto": "unknown",
  "requirements": [],
  "type": "pkt",
  "flags": [
    "src_any",
    "dst_any",
    "sp_any",
    "dp_any",
    "need_packet",
    "toserver",
    "toclient"
  ],
  "pkt_engines": [
    {
      "name": "packet",
      "is_mpm": false
    }
  ],
  "frame_engines": [],
  "lists": {
    "packet": {
      "matches": [
        {
          "name": "tcp.mss",
          "tcp_mss": {
            "operand": "range",
            "min": 123,
            "max": 456
          }
        }
      ]
    }
  }
}
{
  "raw": "alert tcp any any -> any any (msg: "Testing mss"; tcp.mss: >=439; sid: 5;)",
  "id": 5,
  "gid": 1,
  "rev": 0,
  "msg": "Testing mss",
  "app_proto": "unknown",
  "requirements": [],
  "type": "pkt",
  "flags": [
    "src_any",
    "dst_any",
    "sp_any",
    "dp_any",
    "need_packet",
    "toserver",
    "toclient"
  ],
  "pkt_engines": [
    {
      "name": "packet",
      "is_mpm": false
    }
  ],
  "frame_engines": [],
  "lists": {
    "packet": {
      "matches": [
        {
          "name": "tcp.mss",
          "tcp_mss": {
            "operand": "greater than or equal to",
            "value": 439
          }
        }
      ]
    }
  }
}
SV_BRANCH=https://github.com/OISF/suricata-verify/pull/1462

0xEniola avatar Nov 13 '23 15:11 0xEniola
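As an added illustration of the analyzer output above (not code from this PR or from the Suricata project), the following Python reads the two records, checks that the structured `tcp_mss` object agrees with the `tcp.mss:` option text in each rule's `raw` string, and evaluates a candidate MSS value against each rule. The sample JSON is constructed from the PR output with the inner quotes escaped so it parses; only the two operand spellings shown on the page (`min-max` and `>=N`) are handled, and the exclusive treatment of range bounds in `mss_matches` is an assumption drawn from Suricata's other unsigned-integer keywords, not something the PR states.

```python
import json
import re

# Constructed sample: the two analyzer records from the PR description, reduced
# to the fields this check reads (raw, id, lists.packet.matches). Quotes inside
# "raw" are escaped here so the sample is valid JSON.
ANALYZER_JSON = r'''
[
  {"raw": "alert tcp any any -> any any (msg: \"Testing mss\"; tcp.mss: 123-456; sid: 4;)",
   "id": 4,
   "lists": {"packet": {"matches": [
     {"name": "tcp.mss", "tcp_mss": {"operand": "range", "min": 123, "max": 456}}]}}},
  {"raw": "alert tcp any any -> any any (msg: \"Testing mss\"; tcp.mss: >=439; sid: 5;)",
   "id": 5,
   "lists": {"packet": {"matches": [
     {"name": "tcp.mss", "tcp_mss": {"operand": "greater than or equal to", "value": 439}}]}}}
]
'''

MSS_OPTION = re.compile(r"tcp\.mss:\s*([^;]+);")


def parse_mss_option(raw_rule):
    """Turn the tcp.mss option text of a rule into the analyzer's structured form.

    Handles the two spellings shown in the PR output ("min-max" and ">=N");
    any other spelling raises so it cannot be mis-compared silently.
    """
    m = MSS_OPTION.search(raw_rule)
    if not m:
        return None
    text = m.group(1).strip()
    if text.startswith(">="):
        return {"operand": "greater than or equal to", "value": int(text[2:])}
    lo, sep, hi = text.partition("-")
    if sep and lo.strip().isdigit() and hi.strip().isdigit():
        return {"operand": "range", "min": int(lo), "max": int(hi)}
    raise ValueError(f"unhandled tcp.mss spelling: {text!r}")


def tcp_mss_conditions(sig):
    """Collect the tcp_mss match objects from one analyzer signature record."""
    return [m["tcp_mss"]
            for lst in sig.get("lists", {}).values()
            for m in lst.get("matches", [])
            if m.get("name") == "tcp.mss" and "tcp_mss" in m]


def check_consistency(analyzer_json):
    """Map sid -> True when the structured tcp_mss match equals what the raw rule says."""
    result = {}
    for sig in json.loads(analyzer_json):
        expected = parse_mss_option(sig["raw"])
        found = tcp_mss_conditions(sig)
        result[sig["id"]] = expected is not None and found == [expected]
    return result


def mss_matches(cond, mss):
    """Evaluate one structured condition against an observed MSS value.

    Assumption (not stated on the PR page): range bounds are exclusive, as for
    Suricata's other unsigned-integer keywords, so 123-456 matches 124..455.
    """
    op = cond["operand"]
    if op == "range":
        return cond["min"] < mss < cond["max"]
    if op == "greater than or equal to":
        return mss >= cond["value"]
    raise ValueError(f"unhandled tcp_mss operand: {op!r}")


def sids_matching(analyzer_json, mss):
    """Return the sids whose tcp.mss condition(s) an observed MSS value satisfies."""
    hits = []
    for sig in json.loads(analyzer_json):
        conds = tcp_mss_conditions(sig)
        if conds and all(mss_matches(c, mss) for c in conds):
            hits.append(sig["id"])
    return sorted(hits)


if __name__ == "__main__":
    print(check_consistency(ANALYZER_JSON))
    for mss in (123, 200, 440, 456, 1460):
        print(mss, sids_matching(ANALYZER_JSON, mss))
```

Running it against real `--engine-analysis` output (`rules.json`) only requires replacing `ANALYZER_JSON` with the file contents; a `False` in `check_consistency` flags a rule whose structured match does not reflect its option text.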

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (b6cd66f) 82.48% compared to head (0ae40a8) 82.38%. Report is 261 commits behind head on master.

@@            Coverage Diff             @@
##           master    #9778      +/-   ##
==========================================
- Coverage   82.48%   82.38%   -0.10%     
==========================================
  Files         968      968              
  Lines      273871   273901      +30     
==========================================
- Hits       225906   225659     -247     
- Misses      47965    48242     +277     
Flag              Coverage   Δ
fuzzcorpus        64.32%     <0.00%>   (-0.22%) ↓
suricata-verify   60.97%     <93.33%>  (-0.05%) ↓
unittests         62.93%     <0.00%>   (-0.01%) ↓

Flags with carried forward coverage won't be shown.

codecov[bot] avatar Nov 13 '23 16:11 codecov[bot]

Adding the decision-required label here as @victorjulien wants to decide on how we tackle cases of keywords with a range.

jufajardini avatar Dec 05 '23 13:12 jufajardini

Replaced by https://github.com/OISF/suricata/pull/10824

catenacyber avatar Apr 12 '24 13:04 catenacyber