File data/v3 #9237

Merged
merged 9 commits into from
Jul 16, 2023

jlucovsky and others added 9 commits July 14, 2023 09:09
The pattern store has already done these checks before.
Issue: 4145

Adjust edge and window values after considering file size/inspected
values.
Set file inspection sizes and marker for use with detect logic when
opening files by name or as part of a range.

Issue: 4145
Add file handler registration functions for consolidated file handling.

Issue: 4145
Issue: 4145

Consolidate file handling for all protocols that use file objects for
file_data.

Make sure http_server_body / http.response_body for HTTP1 continue
to inspect the actual body. For HTTP2, http.response_body acts as
an internal alias for `file_data`.
Issue: 4145

Remove centralized protocol definitions for file handling in favor of
consolidated file access handling.
All implementations were converted to use the logic, so the flag itself
can be removed.

codecov bot commented Jul 14, 2023

Codecov Report

Merging #9237 (389f166) into master (d4e674b) will increase coverage by 0.00%.
The diff coverage is 97.54%.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #9237   +/-   ##
=======================================
  Coverage   82.37%   82.37%           
=======================================
  Files         968      968           
  Lines      273815   273757   -58     
=======================================
- Hits       225544   225502   -42     
+ Misses      48271    48255   -16     
Flag Coverage Δ
fuzzcorpus 64.56% <85.29%> (-0.01%) ⬇️
suricata-verify 60.85% <88.72%> (-0.02%) ⬇️
unittests 62.91% <82.35%> (+0.02%) ⬆️


@suricata-qa

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.tcp.overlap 1124925 1221170 108.56%

Pipeline 15187

@victorjulien victorjulien mentioned this pull request Jul 15, 2023
@victorjulien victorjulien merged commit 389f166 into OISF:master Jul 16, 2023
47 checks passed
@victorjulien victorjulien deleted the file-data/v3 branch July 17, 2023 10:41

for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
if (file_protos_ts[i].alproto == ALPROTO_HTTP2) {
// no filename on HTTP2 files
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jlucovsky do you know the consequences of this removal?

Now, the HTTP2 filename buffer is registered (even if it will always be empty)

And detect-parse.c still has an error on "protocol HTTP2 doesn't support file name matching" for an HTTP2-only rule like `alert http2 any any -> any any (file.name; content:"/a/expl/2008.mp4"; startswith; endswith; sid:24; rev:1;)`

Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if this is a (new) bug then please create a ticket for it

Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, I thought so at first, but I am not sure this is a bug, since there is the guard anyway in detect-parse.c

Do you have an opinion here?
