Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect: absent keyword to test absence of sticky buffer 2224 v23 #11906

Closed
wants to merge 2 commits into from
Closed

detect: absent keyword to test absence of sticky buffer 2224 v23 #11906

wants to merge 2 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2224

Describe changes:

  • detect: adds absent keyword to match on absent buffer

SV_BRANCH=OISF/suricata-verify#1957

#11509 with code review taken into account

@catenacyber
http1/detect: code simplification
f9fad93 
- DetectEngineInspectBufferHttpHeader is only used with ALPROTO_HTTP1
- engine->progress should be HTP_REQUEST_HEADERS or HTP_RESPONSE_HEADERS based on the direction
@catenacyber catenacyber changed the title Detect negated content absent buffer 2224 v23 detect: absent keyword to test absence of sticky buffer 2224 v23 Oct 8, 2024
@catenacyber catenacyber mentioned this pull request Oct 8, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Oct 8, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 73.71795% with 41 lines in your changes missing coverage. Please review.

Project coverage is 79.18%. Comparing base (6ae5ae7) to head (cdd48e4).
Report is 29 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #11906      +/-   ##
==========================================
- Coverage   82.60%   79.18%   -3.42%     
==========================================
  Files         912      912              
  Lines      249342   249070     -272     
==========================================
- Hits       205968   197228    -8740     
- Misses      43374    51842    +8468
Flag Coverage Δ
fuzzcorpus 60.69% <38.40%> (+0.05%) ⬆️
livemode 18.72% <16.00%> (-0.01%) ⬇️
pcap 44.11% <33.60%> (+0.03%) ⬆️
suricata-verify ?
unittests 59.00% <68.58%> (+0.07%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 23045

@catenacyber
detect: absent keyword to test absence of sticky buffer
cdd48e4 
Ticket: 2224

It takes an argument to match only if the buffer is absent,
or it can still match if the buffer is present, but we test
the absence of some content.

For multi buffers, absent matches if there are 0 buffers.

For file keywords, absent matches if there is no file.
@catenacyber catenacyber force-pushed the detect-negated-content-absent-buffer-2224-v23 branch from 5cbee48 to cdd48e4 Compare October 9, 2024 13:10
@catenacyber
Copy link
Contributor Author

Force-pushed with just the commit reworded.

Still the question of transforms : do you see a use case of buffer + transform + absent keyword ?
Or should we explicitly forbid it ?

@catenacyber catenacyber marked this pull request as draft October 9, 2024 13:11
@catenacyber catenacyber mentioned this pull request Oct 9, 2024
Closed
5 tasks
@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 23073

@inashivb inashivb self-requested a review October 10, 2024 07:00
@catenacyber catenacyber mentioned this pull request Oct 15, 2024
Open
@catenacyber
Copy link
Contributor Author

Clean in #11964

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

@inashivb inashivb Awaiting requested review from inashivb

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@catenacyber @suricata-qa