
Detect validate callbacks 5634 v3 #11902

Closed

Conversation

catenacyber (Contributor)

Link to ticket: https://redmine.openinfosecfoundation.org/issues/5634

Describe changes:

  • detect: change the ValidateCallback prototype to deduplicate code
  • detect: use one function for md5-like keywords (quic-cyu-hash, ssh-hassh, tls-ja3-hash...)

#11699 with review taken into account:

  • adding doc upgrade to say that never matching rules will now error
  • keeping DetectContentData_ in detect-content.h

This was done on the way to convert quic keywords to rust like #11575

With this PR, it should be easy to add a wrapper for rust for this ValidateCallback stuff

Ticket: 5634

Just an optimization to have less code, and to later have
an easier way for rust keywords to use it
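The deduplicated validate-callback mechanism the description refers to, as an added example that is not part of this PR or of Suricata's own code: a minimal buffer-type registry where each buffer may carry an optional ValidateCallback sharing one prototype, and a single validator reused by every md5-like buffer (tls.ja3.hash, ssh.hassh, quic.cyu.hash) so that a rule whose content can never match a 32-character hash is rejected at load time instead of silently never firing. The struct names, the registry API, and the "32 lowercase hex characters" check are assumptions chosen for illustration.

```c
// Added example, not Suricata code: one ValidateCallback prototype shared by all
// buffer types, and one validator reused by md5-like keywords.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BUFFERS 8
#define MD5_HEX_LEN 32

/* Hypothetical stand-in for the content keyword data attached to a rule. */
typedef struct ContentData_ {
    const uint8_t *content;
    uint16_t content_len;
} ContentData;

/* Hypothetical minimal signature: the buffer it matches on and its content. */
typedef struct Signature_ {
    int buffer_id;
    const ContentData *content; /* NULL when the rule carries no content keyword */
} Signature;

/* Shared prototype: return false and set *sigerror for a rule that can never match. */
typedef bool (*ValidateCallbackFn)(const Signature *s, const char **sigerror);

typedef struct BufferType_ {
    const char *name;
    ValidateCallbackFn ValidateCallback; /* optional; NULL means "accept everything" */
} BufferType;

static BufferType g_buffers[MAX_BUFFERS];
static int g_nbuffers = 0;

/* One validator for quic.cyu.hash, ssh.hassh, tls.ja3.hash, ...:
 * the content must be exactly 32 lowercase hex characters (assumed check). */
bool ValidateMd5LikeContent(const Signature *s, const char **sigerror)
{
    const ContentData *cd = s->content;
    if (cd == NULL) {
        return true; /* nothing to validate without a content keyword */
    }
    if (cd->content_len != MD5_HEX_LEN) {
        *sigerror = "md5-like buffer requires a 32-character hex content";
        return false;
    }
    for (uint16_t i = 0; i < cd->content_len; i++) {
        uint8_t c = cd->content[i];
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) {
            *sigerror = "md5-like buffer content must be lowercase hex";
            return false;
        }
    }
    return true;
}

int RegisterBuffer(const char *name, ValidateCallbackFn cb)
{
    if (g_nbuffers >= MAX_BUFFERS) {
        return -1;
    }
    g_buffers[g_nbuffers].name = name;
    g_buffers[g_nbuffers].ValidateCallback = cb;
    return g_nbuffers++;
}

/* Generic dispatch: unknown buffer is an error, a buffer without a validator
 * accepts every rule, otherwise the buffer's own callback decides. */
bool RunValidateCallback(const Signature *s, const char **sigerror)
{
    if (s->buffer_id < 0 || s->buffer_id >= g_nbuffers) {
        *sigerror = "unknown buffer";
        return false;
    }
    const BufferType *bt = &g_buffers[s->buffer_id];
    if (bt->ValidateCallback) {
        return bt->ValidateCallback(s, sigerror);
    }
    return true;
}

/* Idempotent registration of a few constructed buffer types. */
void SetupBuffers(void)
{
    if (g_nbuffers != 0) {
        return;
    }
    RegisterBuffer("tls.ja3.hash", ValidateMd5LikeContent);
    RegisterBuffer("ssh.hassh", ValidateMd5LikeContent);
    RegisterBuffer("quic.cyu.hash", ValidateMd5LikeContent);
    RegisterBuffer("http.uri", NULL); /* no validator: accepts any content */
}

/* Convenience entry point: validate a rule by buffer name and content string. */
bool ValidateRule(const char *buffer_name, const char *content, const char **sigerror)
{
    int id = -1;
    for (int i = 0; i < g_nbuffers; i++) {
        if (strcmp(g_buffers[i].name, buffer_name) == 0) {
            id = i;
        }
    }
    ContentData cd = { (const uint8_t *)content, content ? (uint16_t)strlen(content) : 0 };
    Signature s = { id, content ? &cd : NULL };
    return RunValidateCallback(&s, sigerror);
}

int main(void)
{
    SetupBuffers();
    const char *err = NULL;
    const char *bad = "0123456789ABCDEF0123456789ABCDEF"; /* constructed: uppercase hex */
    if (!ValidateRule("tls.ja3.hash", bad, &err)) {
        printf("rejected at load time: %s\n", err);
    }
    return 0;
}
```

The point to notice is that RunValidateCallback knows nothing about content: a buffer registers whichever check it needs, and the md5-like buffers simply register the same function, which is what lets the per-keyword copies be removed.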

codecov bot commented Oct 8, 2024

Codecov Report

Attention: Patch coverage is 87.76978% with 17 lines in your changes missing coverage. Please review.

Project coverage is 82.62%. Comparing base (6ae5ae7) to head (792b8b1).
Report is 29 commits behind head on master.

@@            Coverage Diff             @@
##           master   #11902      +/-   ##
==========================================
+ Coverage   82.60%   82.62%   +0.01%     
==========================================
  Files         912      912              
  Lines      249342   249181     -161     
==========================================
- Hits       205968   205875      -93     
+ Misses      43374    43306      -68     
Flag              Coverage   Patch      Δ
fuzzcorpus        60.64%     <87.05%>   (+<0.01%) ⬆️
livemode          18.73%     <5.75%>    (+0.01%)  ⬆️
pcap              44.13%     <30.21%>   (+0.05%)  ⬆️
suricata-verify   62.03%     <51.79%>   (+<0.01%) ⬆️
unittests         58.96%     <46.04%>   (+0.03%)  ⬆️


@suricata-qa

Information: QA ran without warnings.

Pipeline 23042

@@ -1315,7 +1316,20 @@ bool DetectEngineBufferRunValidateCallback(
{
const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
if (map && map->ValidateCallback) {
return map->ValidateCallback(s, sigerror);
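Review bot: only the branch where a validator is registered is visible here; the fall-through for a NULL map or a buffer without a ValidateCallback is outside this context, and it needs to return true so that buffers without a validator keep accepting their rules rather than failing every signature that uses them. A one-line comment on that default would also help, given the inline question below about whether the mechanism stays generic.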
Member

this logic seems to turn a generic validation callback mechanism into a specific one for content. That does not look correct.

bool supports_transforms;
bool multi_instance; /**< buffer supports multiple buffer instances per tx */
void (*SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *);
bool (*ValidateCallback)(
Member

validation should be possible for non-content as well

Contributor Author

Interesting, what can we validate besides content?

Member

all other keywords :)

examples would be bsize, byte*, etc.

Contributor Author

Ok, so we could have DetectMd5ValidateCallback forbid the usage of other stuff than content for instance... Interesting

(As of today, we only use content though, right?)

@victorjulien victorjulien left a comment


see inline

@catenacyber (Contributor Author)

Next version in #11963
