detect/dataset: delay set operation after signature full match #11623
Conversation
The set operation of dataset keyword was done even if signature did not fully match. This patch changes the behavior of the dataset keyword to do a match and a post match for the set operation. In the match, the buffer data that needs to end up in the set is captured and in post match the dataset is updated (if ever the signature is fully matching). Ticket: OISF#5576
Information: ERROR: QA failed on SURI_TLPW2_single_alerts_cmp. ERROR: QA failed on SURI_TLPW2_autofp_alerts_cmp. ERROR: QA failed on SURI_TLPR1_alerts_cmp. ERROR: QA failed on IPS_AFP_drop_chk.
Pipeline 22065
Are these stat deviations expected, @catenacyber?
uint32_t nb; | ||
uint32_t cap; |
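Review bot: the two new fields `nb` and `cap` carry no comment, which is what prompted the question below; add a one-line comment on each stating what the reply gives as their meaning, e.g. `uint32_t nb;  /* number of captured elements */` and `uint32_t cap; /* allocated capacity */`, so the next reader does not have to find this thread.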
Q: What do these indicate?
number of elements and capacity
/* Okay so far so good, lets get this into a SigMatch | ||
* and put it in the Signature. */ | ||
if (cmd == DETECT_DATASET_CMD_SET) { | ||
// for set operation, we need one match, and one postmatch |
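Review bot: the comment on the `DETECT_DATASET_CMD_SET` branch says that one match and one postmatch are needed but not why, and the reason is the non-obvious part of this change; suggest extending it with the explanation given in this thread, e.g. `// match captures the (transformed) sticky buffer content, which postmatch cannot access; postmatch applies the set only once the whole signature matched`, so the two SigMatch entries are not "simplified" back into a single postmatch later.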
Q: Why can't it be just a postmatch?
postmatch does not have direct access to the content of the sticky buffer(s) (+ transforms)...
Does that answer your question?
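The split the answer above describes, as an added example that is not Suricata's code: a simplified model with hypothetical names (`SetCapture`, `DatasetSetMatch`, `DatasetSetPostMatch`, `RunSignature`, a toy `Dataset`), in which match() sees the sticky buffer content and only captures it, while postmatch() runs solely when every keyword of the signature matched and commits the captured values to the dataset. `RunSignature` stands in for the detection engine's per-signature evaluation; `rest_matches` models the remaining keywords of the rule. Calling match() once per buffer and committing in one postmatch() is also the multi-buffer case mentioned in the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins, not Suricata's own types: a tiny dataset of byte
 * strings and a per-thread capture area for the dataset:set keyword. */
#define DS_MAX  16
#define KEY_MAX 64

typedef struct {
    unsigned char keys[DS_MAX][KEY_MAX];
    size_t lens[DS_MAX];
    size_t count;
} Dataset;

static bool DatasetContains(const Dataset *ds, const unsigned char *d, size_t n)
{
    for (size_t i = 0; i < ds->count; i++)
        if (ds->lens[i] == n && memcmp(ds->keys[i], d, n) == 0)
            return true;
    return false;
}

static bool DatasetAdd(Dataset *ds, const unsigned char *d, size_t n)
{
    if (n > KEY_MAX || ds->count >= DS_MAX || DatasetContains(ds, d, n))
        return false;
    memcpy(ds->keys[ds->count], d, n);
    ds->lens[ds->count++] = n;
    return true;
}

/* Values captured by match() and consumed by postmatch(): nb = number of
 * captured elements, cap = allocated capacity (the meaning the review thread
 * gives those two fields; the struct itself is an assumption). */
typedef struct {
    unsigned char (*data)[KEY_MAX];
    size_t *lens;
    uint32_t nb;
    uint32_t cap;
} SetCapture;

static bool CaptureInit(SetCapture *c, uint32_t cap)
{
    c->data = malloc((size_t)cap * KEY_MAX);
    c->lens = malloc(cap * sizeof(*c->lens));
    c->nb = 0;
    c->cap = (c->data && c->lens) ? cap : 0;
    return c->cap != 0;
}

static void CaptureFree(SetCapture *c)
{
    free(c->data);
    free(c->lens);
    c->data = NULL; c->lens = NULL; c->nb = c->cap = 0;
}

/* match(): has the (transformed) sticky buffer content, so it copies the value
 * out, but must not touch the dataset: later keywords may still fail.
 * Called once per buffer when the keyword runs over multiple buffers. */
static int DatasetSetMatch(SetCapture *c, const unsigned char *buf, size_t len)
{
    if (len > KEY_MAX)
        return 0;
    if (c->nb >= c->cap) { /* grow the capture area */
        uint32_t ncap = c->cap ? c->cap * 2 : 4;
        unsigned char (*nd)[KEY_MAX] = realloc(c->data, (size_t)ncap * KEY_MAX);
        size_t *nl = realloc(c->lens, ncap * sizeof(*c->lens));
        if (nd) c->data = nd;
        if (nl) c->lens = nl;
        if (!nd || !nl) return 0;
        c->cap = ncap;
    }
    memcpy(c->data[c->nb], buf, len);
    c->lens[c->nb++] = len;
    return 1;
}

/* postmatch(): reached only once every keyword of the signature matched;
 * this is where the captured values are committed to the dataset. */
static int DatasetSetPostMatch(SetCapture *c, Dataset *ds)
{
    for (uint32_t i = 0; i < c->nb; i++)
        DatasetAdd(ds, c->data[i], c->lens[i]);
    c->nb = 0;
    return 1;
}

/* Simulated evaluation of one signature: dataset:set over nbufs buffers, then
 * "the rest of the rule" (rest_matches). Returns whether the signature matched. */
static bool RunSignature(Dataset *ds, SetCapture *c, const unsigned char *const *bufs,
                         const size_t *lens, size_t nbufs, bool rest_matches)
{
    c->nb = 0;
    for (size_t i = 0; i < nbufs; i++)
        if (!DatasetSetMatch(c, bufs[i], lens[i]))
            return false;
    if (!rest_matches)
        return false; /* partial match: nothing is written to the dataset */
    return DatasetSetPostMatch(c, ds) == 1;
}
```

With the old behaviour, the first call below (rest of the rule fails) would already have inserted the value; with the match/postmatch split the dataset stays empty until the signature matches completely.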
> postmatch does not have direct access to the content of the sticky buffer(s) (+ transforms)...

oh.

> Does that answer your question?

yes. thank you very much! 🙇🏽‍♀️
Continued in #11662
Link to ticket: https://redmine.openinfosecfoundation.org/issues/5576
Describe changes:
SV_BRANCH=OISF/suricata-verify#2000
#11600 with patch working for multi buffers as well
Side note: the limitation described for flowvar in https://redmine.openinfosecfoundation.org/issues/7197 also applies here to dataset, and needs a bigger design...