File data/v3 #9237
Issue: 4145
The pattern store has already done these checks before.
Issue: 4145 Adjust edge and window values after considering file size/inspected values.
Set file inspection sizes and marker for use with detect logic when opening files by name or as part of a range. Issue: 4145
Add file handler registration functions for consolidated file handling. Issue: 4145
Issue: 4145 Consolidate file handling for all protocols that use file objects for file_data. Make sure http_server_body / http.response_body for HTTP1 continue to inspect the actual body. For HTTP2, http.response_body acts as an internal alias for `file_data`.
Issue: 4145 Remove centralized protocol definitions for file handling in favor of consolidated file access handling.
All implementations were converted to use the logic, so the flag itself can be removed.
Codecov Report
Additional details and impacted files
@@ Coverage Diff @@
## master #9237 +/- ##
=======================================
Coverage 82.37% 82.37%
=======================================
Files 968 968
Lines 273815 273757 -58
=======================================
- Hits 225544 225502 -42
+ Misses 48271 48255 -16
Flags with carried forward coverage won't be shown.
WARNING:
Pipeline 15187
for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) { | ||
if (file_protos_ts[i].alproto == ALPROTO_HTTP2) { | ||
// no filename on HTTP2 files |
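Review bot: The `ALPROTO_HTTP2` branch in this loop over `file_protos_ts` is the only place in the visible lines that records that HTTP2 files carry no filename (the `// no filename on HTTP2 files` comment). If this loop goes away, the code that replaces it should either keep an equivalent skip for HTTP2 or state in a comment why registering a filename buffer for HTTP2 is harmless. A test with an HTTP2-only `file.name` rule would pin down the intended behaviour either way.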
@jlucovsky do you know the consequences of this removal?
Now, the HTTP2 filename buffer is registered (even if it will always be empty),
and detect-parse.c still has an error on "protocol HTTP2 doesn't support file name matching"
for an HTTP2-only rule like `alert http2 any any -> any any (file.name; content:"/a/expl/2008.mp4"; startswith; endswith; sid:24; rev:1;)`
if this is a (new) bug then please create a ticket for it
Well, I thought so at first, but I am not sure this is a bug, since there is the guard anyway in detect-parse.c.
Do you have an opinion here?
https://redmine.openinfosecfoundation.org/issues/5868
https://redmine.openinfosecfoundation.org/issues/4141
https://redmine.openinfosecfoundation.org/issues/4145