detect/bsize: Validate against content buffer when available #5576

Closed
wants to merge 3 commits into from

Conversation

jlucovsky
Contributor

Continuation of #5028

This PR adds additional validation when using the bsize keyword. If one or more content keywords immediately precede bsize, then the bsize value is checked against each to see if a match is possible using the operation (=, <, >, <>) and the value.

An error is raised if the bsize value prevents a match, e.g., the content length exceeds the bsize value. The bsize operation and values are used to do the evaluation.

Link to redmine ticket: 3682

Describe changes:

  • Address review comments
  • Rebase

suricata-verify-pr: 238
#suricata-verify-repo:
#suricata-verify-branch:
#suricata-update-pr:
#suricata-update-repo:
#suricata-update-branch:
#libhtp-pr:
#libhtp-repo:
#libhtp-branch:

This commit updates the bsize documentation:

1. Describe what happens when "content" immediately precedes "bsize"
2. Include the operators and
3. Include examples using the operators.

This commit causes the signature to be invalid if a content keyword
immediately precedes bsize and the bsize value is incompatible with the
content length.

This commit adds test cases that validate behavior when "content"
immediately precedes "bsize".
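The check the PR describes can be reasoned about with a small static validator. The Python below is an added illustration, not code from this PR or from Suricata: it parses a rule's option list, tracks the content keywords that immediately precede a bsize, and reports any pair that can never match. It assumes that `N<>M` is an exclusive range, that a negated `content:!"..."` imposes no minimum buffer length, that the listed modifier keywords (nocase, offset, depth, ...) do not break the content/bsize adjacency, and it ignores offset/depth/within arithmetic; check those assumptions against the Suricata version in use.

```python
"""
Static check: can a bsize value ever match, given the content keyword(s)
that immediately precede it in a Suricata rule?

A content match of L bytes needs a buffer of at least L bytes, so:
  bsize:N      matches only if N >= L
  bsize:>N     can always match (a buffer longer than N may still hold L bytes)
  bsize:<N     matches only if N > L   (some size s with L <= s < N must exist)
  bsize:N<>M   matches only if M > L   (largest admissible size is M-1; the
                                        range is treated as exclusive, an assumption)
"""
import re
import string

# Keywords that modify the preceding content and therefore do not break the
# "content immediately precedes bsize" relation (assumed list, not Suricata's own).
CONTENT_MODIFIERS = {"nocase", "offset", "depth", "distance", "within",
                     "fast_pattern", "startswith", "endswith"}

_BSIZE_RE = re.compile(
    r"^(?:(?P<op>[<>])(?P<n>\d+)|(?P<lo>\d+)<>(?P<hi>\d+)|(?P<eq>\d+))$")


def content_length(spec: str) -> int:
    """Number of bytes a content: argument matches. Text outside |...| counts
    one byte per character (a backslash escape such as \\" is one byte);
    inside |...| each hex pair is one byte. A leading ! is ignored here."""
    s = spec.strip()
    if s.startswith("!"):
        s = s[1:].strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    parts = s.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced | in content {spec!r}")
    total = 0
    for i, part in enumerate(parts):
        if i % 2 == 0:                       # literal text
            total += len(re.findall(r"\\.|.", part, re.S))
        else:                                # hex bytes between pipes
            toks = part.split()
            if any(len(t) != 2 or not all(c in string.hexdigits for c in t) for t in toks):
                raise ValueError(f"bad hex in content {spec!r}")
            total += len(toks)
    return total


def bsize_match_possible(content_len: int, bsize: str) -> bool:
    """True if some buffer size satisfies bsize and is >= content_len."""
    m = _BSIZE_RE.match(bsize.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported bsize value {bsize!r}")
    if m.group("eq") is not None:
        return int(m.group("eq")) >= content_len
    if m.group("op") == ">":
        return True
    if m.group("op") == "<":
        return int(m.group("n")) > content_len
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    if lo + 1 >= hi:
        raise ValueError(f"empty bsize range {bsize!r}")
    return hi > content_len


def split_options(options: str) -> list:
    """Split the rule option string on ';' outside double quotes, honouring
    backslash escapes; returns (keyword, value-or-None) pairs."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in options:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True
        elif ch == ";" and not in_quote:
            items.append("".join(buf)); buf = []
        else:
            if ch == '"':
                in_quote = not in_quote
            buf.append(ch)
    items.append("".join(buf))
    pairs = []
    for item in items:
        item = item.strip()
        if item:
            key, sep, val = item.partition(":")
            pairs.append((key.strip(), val.strip() if sep else None))
    return pairs


def validate_rule(rule: str) -> list:
    """Return error strings for every content/bsize pair that can never match;
    an empty list means the rule passed this check."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    errors, pending = [], []          # pending: contents that precede the next bsize
    for key, val in split_options(body):
        if key == "content" and val is not None:
            if val.startswith("!"):   # negated content sets no minimum length (assumed)
                continue
            pending.append((val, content_length(val)))
        elif key == "bsize" and val is not None:
            for spec, n in pending:
                if not bsize_match_possible(n, val):
                    errors.append(f"bsize:{val} can never match content:{spec} ({n} bytes)")
        elif key not in CONTENT_MODIFIERS:
            pending = []              # any other keyword breaks the adjacency


    return errors


if __name__ == "__main__":
    # Constructed sample rules, not taken from any ruleset.
    for r in (
        'alert http any any -> any any (msg:"too short"; http.uri; content:"/admin"; bsize:3; sid:1;)',
        'alert http any any -> any any (msg:"fine"; http.uri; content:"/admin"; bsize:>3; sid:2;)',
    ):
        print(validate_rule(r) or "ok")
```

Run it on a rules file by feeding each `alert ...` line to `validate_rule`; the first sample above is rejected because a 6-byte content can never fit in a 3-byte buffer, while `bsize:>3` is accepted because larger buffers can still hold the pattern.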
@jlucovsky
Contributor Author

Continued in #5585

@jlucovsky jlucovsky closed this Nov 20, 2020
regit added a commit to regit/suricata that referenced this pull request Oct 29, 2022
The set operation of the dataset keyword was not done only when
there is a full signature match. This was not correct with regards to
expectations.

This patch changes the behavior of the dataset keyword to do a
match and a post match for the set operation. In the match, the
buffer data that needs to end up in the set is captured and in
post match the dataset is updated (if ever the signature is fully
matching).

Ticket: OISF#5576
@regit regit mentioned this pull request Oct 29, 2022
3 tasks
@jlucovsky jlucovsky deleted the 3682/9 branch April 24, 2024 12:15
catenacyber pushed a commit to catenacyber/suricata that referenced this pull request Aug 1, 2024
catenacyber pushed a commit to catenacyber/suricata that referenced this pull request Aug 1, 2024
The set operation of dataset keyword was done even if signature
did not fully match.

This patch changes the behavior of the dataset keyword to do a
match and a post match for the set operation. In the match, the
buffer data that needs to end up in the set is captured and in
post match the dataset is updated (if ever the signature is fully
matching).

Ticket: OISF#5576
catenacyber pushed a commit to catenacyber/suricata that referenced this pull request Aug 12, 2024
catenacyber pushed a commit to catenacyber/suricata that referenced this pull request Aug 27, 2024
catenacyber pushed a commit to catenacyber/suricata that referenced this pull request Sep 3, 2024
The set operation of dataset keyword was done even if signature
did not fully match.

This patch changes the behavior of the dataset keyword to do a
match and a post match for the set operation.
The postmatch retrieves the data and sets it in the buffer.

Increases postmatch capability to do applayertxmatch,
and this gets the data from a tx buffer.

Ticket: OISF#5576
catenacyber pushed a commit to catenacyber/suricata that referenced this pull request Sep 3, 2024
The set operation of dataset keyword was done even if signature
did not fully match.

This patch changes the behavior of the dataset keyword to do a
match and a post match for the set operation.
The postmatch retrieves the data and adds it in the dataset.

Increases postmatch capability to do applayertxmatch,
and thus get the data from a tx buffer.

Ticket: OISF#5576
catenacyber added a commit to catenacyber/suricata that referenced this pull request Sep 4, 2024
The set operation of dataset keyword was done even if signature
did not fully match, which is not the expected behavior.
We want dataset to behave like flowbits for instance.

This patch changes the behavior of the dataset keyword to do a
match and a post match for the set operation.
The postmatch retrieves the data, using the list identifier
associated to the buffer for this signature.

This avoids storing the buffer(s), when we do not have a
dedicated storage (per signature and per tx) that can own
and clean arbitrary buffers over multiple packets, in
the case where the transaction spans multiple packets
with different tx progresses for instance.
If detection runs on one packet, the InspectionBuffers are
cached and fast to get.
The most expensive case is for multi buffers, where we
need to run detection again, to see which occurrences
match all payload keywords and should be added in the dataset.

Ticket: OISF#5576
catenacyber added a commit to catenacyber/suricata that referenced this pull request Sep 25, 2024
catenacyber added a commit to catenacyber/suricata that referenced this pull request Sep 25, 2024
catenacyber added a commit to catenacyber/suricata that referenced this pull request Oct 15, 2024
catenacyber added a commit to catenacyber/suricata that referenced this pull request Oct 15, 2024
catenacyber added a commit to catenacyber/suricata that referenced this pull request Oct 15, 2024