Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

doc: update file keywords v1 #9245

Closed
wants to merge 2 commits into from
Closed

doc: update file keywords v1 #9245

wants to merge 2 commits into from

Conversation

jmtaylor90
Copy link
Contributor

Make sure these boxes are signed before submitting your Pull Request -- thank you.

Link to redmine ticket:

Describe changes:

  • Update file.magic and file.name keyword information to reflect recent updates
  • Update libmagic dependency information and reference

Provide values to any of the below to override the defaults.

To use a pull request use a branch name like pr/N where N is the
pull request number.

Alternatively, SV_BRANCH may also be a link to an
OISF/suricata-verify pull-request.

SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

@jmtaylor90
doc: update file.name keyword information
1c500f3 
Signed-off-by: jason taylor <jtfas90@gmail.com>
@jmtaylor90
doc: update file.magic keyword information
537d7dd 
Signed-off-by: jason taylor <jtfas90@gmail.com>
@codecov
Copy link

codecov bot commented Jul 17, 2023

Codecov Report

Merging #9245 (537d7dd) into master (9fd77c7) will decrease coverage by 0.01%.
The diff coverage is n/a.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #9245      +/-   ##
==========================================
- Coverage   82.40%   82.39%   -0.01%     
==========================================
  Files         968      968              
  Lines      273952   273952              
==========================================
- Hits       225760   225733      -27     
- Misses      48192    48219      +27
Flag Coverage Δ
fuzzcorpus 64.65% <ø> (+<0.01%) ⬆️
suricata-verify 60.78% <ø> (-0.03%) ⬇️
unittests 62.93% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@jufajardini jufajardini added the typo/doc update No code change : only doc or typo fixes label Jul 17, 2023
@jufajardini
Copy link
Contributor

Related to: https://redmine.openinfosecfoundation.org/issues/6194
but not sure if we need a new ticket for the doc update in this case.

jufajardini
jufajardini reviewed Jul 18, 2023
View reviewed changes
Copy link
Contributor

@jufajardini jufajardini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, but as this may be the solution requested by @catenacyber in https://redmine.openinfosecfoundation.org/issues/437, let's wait for his feedback, too :)

victorjulien
victorjulien reviewed Jul 18, 2023
View reviewed changes
doc/userguide/rules/file-keywords.rst

``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

**Note** The ``filename`` keyword is still supported but the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is no longer true:

filename:"secret"; is now equivalent to file.name; content:"secret"; nocase;

Similarly, fileext:
fileext:pdf; is equivalent to file.name; content:".pdf"; nocase; endswith;. Note the dot that is prepended to pdf.

This is handled at parsing, so at runtime this is identical in behavior and performance.

btw we're looking at backporting this optimization to 6: https://redmine.openinfosecfoundation.org/issues/6203

victorjulien
victorjulien reviewed Jul 18, 2023
View reviewed changes
doc/userguide/rules/file-keywords.rst

Matches on the information libmagic returns about a file.

Syntax::

filemagic:<string>;
file.magic:<string>;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This incorrect. filemagic is the legacy notation, that uses:
filemagic:"Windows";
file.magic is the new implementation:
file.magic; content:"Windows"; nocase;

Note that like with filename above, the difference exists only during parsing in 7.

victorjulien
victorjulien reviewed Jul 18, 2023
View reviewed changes
doc/userguide/rules/file-keywords.rst

``file.magic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

**Note** The ``filemagic`` keyword is still supported but the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perf should now be identical

victorjulien
victorjulien requested changes Jul 18, 2023
View reviewed changes
Copy link
Member

@victorjulien victorjulien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see inline comments

@jmtaylor90 jmtaylor90 mentioned this pull request Aug 1, 2023
Closed
3 tasks
@jmtaylor90
Copy link
Contributor Author

continued in #9316

@jmtaylor90 jmtaylor90 closed this Aug 1, 2023
@jmtaylor90 jmtaylor90 deleted the doc-update-file-keywords-v1 branch August 8, 2023 12:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jufajardini jufajardini jufajardini left review comments

@victorjulien victorjulien victorjulien requested changes

Assignees
No one assigned
Labels
typo/doc update No code change : only doc or typo fixes
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jmtaylor90 @jufajardini @victorjulien