Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect: absent keyword to test absence of sticky buffer #11459

Closed
wants to merge 1 commit into from
Closed

detect: absent keyword to test absence of sticky buffer #11459

wants to merge 1 commit into from

Conversation

catenacyber
Copy link
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2224

Describe changes:

  • detect: adds absent keyword to match on absent buffer

SV_BRANCH=OISF/suricata-verify#1957

#11423 with clean history

@catenacyber
detect: absent keyword to test absence of sticky buffer
f1ee185 
Ticket: 2224

It takes an argument to match only if the buffer is absent,
or it can still match if the buffer is present, but we test
the absence of some content
@catenacyber catenacyber mentioned this pull request Jul 9, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Jul 9, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 90.32258% with 15 lines in your changes missing coverage. Please review.

Project coverage is 82.57%. Comparing base (eeec609) to head (f1ee185).
Report is 23 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #11459      +/-   ##
==========================================
+ Coverage   82.44%   82.57%   +0.13%     
==========================================
  Files         938      938              
  Lines      248068   248441     +373     
==========================================
+ Hits       204513   205150     +637     
+ Misses      43555    43291     -264
Flag Coverage Δ
fuzzcorpus 60.67% <38.70%> (+0.56%) ⬆️
livemode 18.85% <16.12%> (+0.13%) ⬆️
pcap 43.82% <33.87%> (+0.10%) ⬆️
suricata-verify 61.56% <79.83%> (+0.14%) ⬆️
unittests 59.43% <68.38%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 21495

@inashivb inashivb self-requested a review July 12, 2024 05:45
inashivb
inashivb reviewed Jul 12, 2024
View reviewed changes
Copy link
Member

@inashivb inashivb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, Philippe! Looking very good. 🌟
Some questions inline.

src/detect-engine.c
@@ -2214,6 +2218,13 @@ uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx,
}
local_id++;
} while (1);
if (local_id == 0) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we only want to check on the first buffer?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah bc if the first one doesn't exist, others shouldn't either.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

adding a comment

src/detect-isdataat.c
"alert http any any -> any any "
"(msg:\"invalid absent only with negated content\"; http.user_agent; "
"absent; content:!\"one\"; sid:2;)");
FAIL_IF(s != NULL);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is it designed to fail with any content following absent? If the http.user_agent is absent, nothing else can be matched against unless it's a sticky buffer?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes absent; means only match if the buffer is absent, so cannot have additional tests on it.

Otherwise, we can use absent: or_else;

src/detect-isdataat.c
@@ -56,11 +57,97 @@ static DetectParseRegex parse_regex;
int DetectIsdataatSetup (DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectIsdataatRegisterTests(void);
static void DetectAbsentRegisterTests(void);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why have you done entire absent lifecycle in the detect-isdataat.c file?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

because it used to be implemented as isdataat:!0

What do you think ?

jufajardini
jufajardini reviewed Jul 12, 2024
View reviewed changes
doc/userguide/rules/payload-keywords.rst
Comment on lines +290 to +291
It can take an argument "or_else" to match on absent buffer or on what comes next such as negated content, for instance :

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or_else: So - match if absent OR if not absent, check something else?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

@catenacyber catenacyber mentioned this pull request Jul 15, 2024
Closed
@catenacyber
Copy link
Contributor Author

Continued in #11509

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inashivb inashivb inashivb left review comments

@jufajardini jufajardini jufajardini left review comments

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@catenacyber @suricata-qa @jufajardini @inashivb