Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Draft] Prototype approach for issue 3616 #5075

Closed
wants to merge 1 commit into from
Closed

[Draft] Prototype approach for issue 3616 #5075

wants to merge 1 commit into from

Conversation

jlucovsky
Copy link
Contributor

@jlucovsky jlucovsky commented Jun 15, 2020
edited
Loading

Link to redmine ticket: 3616

Describe changes:

  • Defer content body update until all transactions have been handled.

suricata-verify-pr: 348
#suricata-verify-repo:
#suricata-verify-branch:
#suricata-update-pr:
#suricata-update-repo:
#suricata-update-branch:
#libhtp-pr:
#libhtp-repo:
#libhtp-branch:

victorjulien
victorjulien reviewed Jun 16, 2020
View reviewed changes
src/detect.c Outdated
@@ -1486,6 +1507,8 @@ static void DetectRunTx(ThreadVars *tv,
tx.tx_ptr, tx.tx_id,
flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",
new_detect_flags);
if (alproto == ALPROTO_HTTP)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer a solution where we can avoid adding checks here.

One way would be to make sure HttpServerBodyGetDataCallback is still called only once, but we cache the output for the duration of the current run. DetectEngineInspectBufferHttpHeader does something similar for HTTP headers.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Though I have to say I don't really like the solution http_header uses either. But it does put the cost where it belongs, in the keyword implementation. This way its not a cost that all the other keywords and protocols also have.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@victorjulien This implements your second suggestion -- please review when you have time.

@catenacyber
Copy link
Contributor

Is there a S-V test for this ?
Does it also fix https://redmine.openinfosecfoundation.org/issues/3691 ?

@victorjulien
Copy link
Member

@jlucovsky do we have an SV test?

@jlucovsky
Copy link
Contributor Author

@jlucovsky do we have an SV test?

OISF/suricata-verify#340

@jlucovsky
Copy link
Contributor Author

@jlucovsky do we have an SV test?

OISF/suricata-verify#340

OISF/suricata-verify#348

@jlucovsky jlucovsky force-pushed the 3616/1 branch 3 times, most recently from e37de7e to 1b7e0e1 Compare October 25, 2020 18:39
@jlucovsky
draft: Fix for issue 3616
e3c7561 
Update HTTP content body after all transactions have been handled. This
is to fix the issue described in 3616.

This is a draft PR and cleanup/reorganization/etc is needed. This PR
serves as a prototype approach for a solution.
@jlucovsky jlucovsky mentioned this pull request Nov 8, 2020
Closed
@jlucovsky
Copy link
Contributor Author

Continued in #5549

@jlucovsky jlucovsky closed this Nov 8, 2020
@jlucovsky jlucovsky mentioned this pull request Nov 8, 2020
Merged
@jlucovsky jlucovsky deleted the 3616/1 branch November 14, 2020 14:51
zer1t0 added a commit to zer1t0/suricata that referenced this pull request Mar 28, 2022
@zer1t0
smb: add smb.version keyword
492a83b 
Implements ticket feature OISF#5075
zer1t0 added a commit to zer1t0/suricata that referenced this pull request Mar 29, 2022
@zer1t0
smb: add smb.version keyword
e4ac8e0 
Fix feature in ticket OISF#5075
zer1t0 added a commit to zer1t0/suricata that referenced this pull request Apr 28, 2022
@zer1t0
smb: add smb.version keyword
8257575 
Ticket: OISF#5075
jmtaylor90 pushed a commit to jmtaylor90/suricata that referenced this pull request Sep 6, 2023
@zer1t0 @jmtaylor90
smb: add smb.version keyword
794eb53 
Ticket: OISF#5075
jmtaylor90 pushed a commit to jmtaylor90/suricata that referenced this pull request Sep 7, 2023
@zer1t0 @jmtaylor90
smb: add smb.version keyword
cbf4399 
Ticket: OISF#5075
jmtaylor90 pushed a commit to jmtaylor90/suricata that referenced this pull request Nov 22, 2023
@zer1t0 @jmtaylor90
smb: add smb.version keyword
9098099 
Ticket: OISF#5075
jmtaylor90 pushed a commit to jmtaylor90/suricata that referenced this pull request Nov 27, 2023
@zer1t0 @jmtaylor90
smb: add smb.version keyword
eb3335a 
Ticket: OISF#5075
jmtaylor90 pushed a commit to jmtaylor90/suricata that referenced this pull request Nov 27, 2023
@zer1t0 @jmtaylor90
smb: add smb.version keyword
02e97a3 
Ticket: OISF#5075
jmtaylor90 pushed a commit to jmtaylor90/suricata that referenced this pull request Nov 28, 2023
@zer1t0 @jmtaylor90
smb: add smb.version keyword
a056dbd 
Ticket: OISF#5075
jmtaylor90 pushed a commit to jmtaylor90/suricata that referenced this pull request Dec 7, 2023
@zer1t0 @jmtaylor90
smb: add smb.version keyword
9730018 
Ticket: OISF#5075
jmtaylor90 pushed a commit to jmtaylor90/suricata that referenced this pull request Dec 8, 2023
@zer1t0 @jmtaylor90
smb: add smb.version keyword
0b8be74 
Ticket: OISF#5075
jmtaylor90 pushed a commit to jmtaylor90/suricata that referenced this pull request Jan 18, 2024
@zer1t0 @jmtaylor90
smb: add smb.version keyword
de189d9 
Ticket: OISF#5075

Signed-off-by: jason taylor <jtfas90@gmail.com>
victorjulien pushed a commit to victorjulien/suricata that referenced this pull request Jan 19, 2024
@zer1t0 @victorjulien
smb: add smb.version keyword
415722d 
Ticket: OISF#5075

Signed-off-by: jason taylor <jtfas90@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien victorjulien left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jlucovsky @catenacyber @victorjulien