Enip rust 3958 v4 #9850
Even when in detection-only mode, so that we always have enip_tcp and enip_udp in stats and never just `enip`. Suricata needs to know, beyond the suricata.yaml configuration, which protocols can be enabled on both tcp and udp... Ticket: 6304
Codecov Report

|          | master | #9850  | +/-    |
|----------|--------|--------|--------|
| Coverage | 82.47% | 82.45% | -0.03% |
| Files    | 973    | 976    | +3     |
| Lines    | 273962 | 273736 | -226   |
| Hits     | 225944 | 225698 | -246   |
| Misses   | 48018  | 48038  | +20    |
Ticket: 3958

- enip_command keyword now accepts string enumeration as values.
- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- SEQUENCE_ADDR_ITEM value is fixed to 0x8002 instead of 0xB002
- frames support
- app-layer events
- add enip.status keyword
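To make the items in that commit message concrete, here is an added example (not Suricata's ENIP parser, and not code from this PR): a minimal EtherNet/IP encapsulation header and Common Packet Format (CPF) parser in plain Rust without nom. It shows the command-name enumeration a keyword like enip_command can accept alongside numeric values, the encapsulation status field an enip.status keyword would match on, and the Sequenced Address Item type 0x8002 that the commit corrects. The field layout follows the public CIP encapsulation spec; the sample bytes are constructed here, not captured traffic, and the function names are this example's own.

```rust
// Added example, not Suricata's ENIP parser: encapsulation header + CPF
// parsing in plain Rust. Layout per the CIP encapsulation spec; sample bytes
// below are constructed, not captured. Names are this example's own.
use std::convert::TryInto;

/// CPF item type id of the Sequenced Address Item (the value the commit fixes).
pub const SEQUENCE_ADDR_ITEM: u16 = 0x8002;
pub const ENIP_HEADER_LEN: usize = 24;

#[derive(Debug, PartialEq, Eq)]
pub struct EnipHeader {
    pub command: u16,
    pub length: u16,
    pub session: u32,
    pub status: u32,
    pub sender_context: [u8; 8],
    pub options: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub struct CpfItem {
    pub type_id: u16,
    pub data: Vec<u8>,
}

/// Command value for a rule: accepts the enumeration names or a decimal number.
pub fn enip_command_value(name: &str) -> Option<u16> {
    let v = match name.to_ascii_lowercase().as_str() {
        "nop" => 0x0000,
        "listservices" => 0x0004,
        "listidentity" => 0x0063,
        "listinterfaces" => 0x0064,
        "registersession" => 0x0065,
        "unregistersession" => 0x0066,
        "sendrrdata" => 0x006F,
        "sendunitdata" => 0x0070,
        other => return other.parse::<u16>().ok(),
    };
    Some(v)
}

fn le16(b: &[u8], o: usize) -> u16 { u16::from_le_bytes([b[o], b[o + 1]]) }
fn le32(b: &[u8], o: usize) -> u32 { u32::from_le_bytes([b[o], b[o + 1], b[o + 2], b[o + 3]]) }

/// Parse one 24-byte encapsulation header and return it with the payload it
/// declares. None means "incomplete": the caller waits for more data.
pub fn parse_enip_header(buf: &[u8]) -> Option<(EnipHeader, &[u8])> {
    if buf.len() < ENIP_HEADER_LEN { return None; }
    let hdr = EnipHeader { command: le16(buf, 0), length: le16(buf, 2), session: le32(buf, 4),
        status: le32(buf, 8), sender_context: buf[12..20].try_into().ok()?, options: le32(buf, 20) };
    let end = ENIP_HEADER_LEN + hdr.length as usize;
    if buf.len() < end { return None; }
    Some((hdr, &buf[ENIP_HEADER_LEN..end]))
}

/// Parse CPF items: u16 item count, then (type id, length, data) triples.
/// Every length is checked against the buffer before slicing.
pub fn parse_cpf(cpf: &[u8]) -> Option<Vec<CpfItem>> {
    if cpf.len() < 2 { return None; }
    let count = le16(cpf, 0) as usize;
    let mut off = 2;
    let mut items = Vec::with_capacity(count);
    for _ in 0..count {
        if cpf.len() < off + 4 { return None; }
        let type_id = le16(cpf, off);
        let len = le16(cpf, off + 2) as usize;
        off += 4;
        if cpf.len() < off + len { return None; }
        items.push(CpfItem { type_id, data: cpf[off..off + len].to_vec() });
        off += len;
    }
    Some(items)
}

/// (connection id, encapsulation sequence number) from a Sequenced Address
/// Item, as carried by class 0/1 I/O traffic; None if absent or malformed.
pub fn sequence_addr_item(cpf: &[u8]) -> Option<(u32, u32)> {
    parse_cpf(cpf)?
        .iter()
        .find(|i| i.type_id == SEQUENCE_ADDR_ITEM && i.data.len() == 8)
        .map(|i| (le32(&i.data, 0), le32(&i.data, 4)))
}

/// Constructed ListIdentity request: command 0x0063, length 0, session 0,
/// status 0, sender context "abcdefgh", options 0.
pub const LIST_IDENTITY_REQ: &[u8] = &[
    0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    b'a', b'b', b'c', b'd', b'e', b'f', b'g', b'h', 0x00, 0x00, 0x00, 0x00,
];

/// Constructed I/O CPF: 2 items; Sequenced Address Item (conn id 0x11223344,
/// seq 5) followed by a 3-byte Connected Data Item (0x00B1).
pub const IO_CPF: &[u8] = &[
    0x02, 0x00, 0x02, 0x80, 0x08, 0x00, 0x44, 0x33, 0x22, 0x11, 0x05, 0x00, 0x00, 0x00,
    0xB1, 0x00, 0x03, 0x00, 0x01, 0x02, 0x03,
];

fn main() {
    let (hdr, payload) = parse_enip_header(LIST_IDENTITY_REQ).expect("complete header");
    println!("command 0x{:04x} status {} payload {} bytes", hdr.command, hdr.status, payload.len());
    println!("sequenced address item: {:?}", sequence_addr_item(IO_CPF));
}
```

The length checks in `parse_enip_header` and `parse_cpf` return None rather than panicking on short input, which is the behaviour a stream parser needs for truncated records and for the gap case the commit message mentions: the caller keeps buffering (or resyncs) instead of slicing past the end of the data.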
Review comment on:

```rust
}

#[no_mangle]
pub unsafe extern "C" fn rs_enip_parse_command(
```
Public C API, so SCEnipParseCommand?
Basically apply this to any no_mangle pub extern C fn.
We should probably have a (tracking) ticket to clean this up for any existing code. Plus see if we can have a CI check?
WARNING: Pipeline 16661
Information: QA ran without warnings. Pipeline 16664
"SEQUENCE_ADDR_ITEM value is fixed to 0x8002 instead of 0xB002" do we need this as a fix for 6/7 too?
I guess so, but I have no pcap for test, just https://github.com/wireshark/wireshark/blob/136ca4287d66b84b2bbd46d616530abb458ddfdc/epan/dissectors/packet-enip.c#L89 Also, this PR does not pretend to handle

Replaced by #9937
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3958
https://redmine.openinfosecfoundation.org/issues/6304

Describe changes:
- `_tcp` prefix when protocol is detection-only

Along the way, also #9848 CI should be greener + enip.status keyword + enip identity parsing and logging

Draft as is; this is not complete:
OISF/suricata-verify#1485