Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect/content: account for distance variables #12773

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

detect/content: account for distance variables #12773

wants to merge 1 commit into from
+10 −3

Conversation

jlucovsky
Copy link
Contributor

Continuation of #12297; rebased and recreated to grab fresh QA stats.

In some cases (below), the depth and offset values are used twice. This commit disregards the distance variable (if any), when computing the final depth.

These rules are logically equivalent:

  1. alert tcp any any -> any 8080 (msg:"distance name"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:option_len; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:1;)
  2. alert tcp any any -> any 8080 (msg:"distance number"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:7; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:2;)

The differences:
Rule 1: content:!"|38|"; distance:option_len; within:1; //option_len == 7

Rule 2: content:!"|38|"; distance:7; within:1;

Rule 2 triggers an alert without this commit, but rule 1 doesn't.

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7390

Describe changes:

  • When a distance variable is involved, don't double add

Update:

  • Rebase
  • Update PR description

Provide values to any of the below to override the defaults.

  • To use an LibHTP, Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

@jlucovsky
detect/content: account for distance variables
e1c4646 
Under some cases (below), the depth and offset values are used
twice. This commit disregards the distance variable (if any), when
computing the final depth.

These rules are logically equivalent::
1. alert tcp any any -> any 8080 (msg:"distance name"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:option_len; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:1;)
2. alert tcp any any -> any 8080 (msg:"distance number"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:7; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:2;)

The differences:
Rule 1: content:!"|38|"; distance:option_len; within:1; //option_len == 7

Rule 2: content:!"|38|"; distance:7; within:1;

Without this commit, rule 2 triggers an alert but rule 1 doesn't.

Issue: 7390
@jlucovsky jlucovsky requested a review from victorjulien as a code owner March 15, 2025 14:55
@jlucovsky jlucovsky mentioned this pull request Mar 15, 2025
Closed
@codecov Codecov
Copy link

codecov bot commented Mar 15, 2025

Codecov Report

Attention: Patch coverage is 60.00000% with 4 lines in your changes missing coverage. Please review.

Project coverage is 80.87%. Comparing base (66e47a1) to head (e1c4646).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12773      +/-   ##
==========================================
- Coverage   80.87%   80.87%   -0.01%     
==========================================
  Files         936      936              
  Lines      259748   259755       +7     
==========================================
+ Hits       210061   210066       +5     
- Misses      49687    49689       +2
Flag Coverage Δ
fuzzcorpus 57.24% <60.00%> (-0.01%) ⬇️
livemode 19.41% <0.00%> (-0.03%) ⬇️
pcap 44.13% <50.00%> (+0.02%) ⬆️
suricata-verify 63.67% <60.00%> (-0.05%) ⬇️
unittests 58.15% <60.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@suricata-qa
Copy link

WARNING:

ERROR: QA failed on SURI_TLPR1_alerts_cmp.

field baseline test %
SURI_TLPW1_stats_chk
.detect.alert 153896 160324 104.18%
IPS_AFP_stats_chk
.detect.alert 129600 141480 109.17%

Pipeline 25141

@victorjulien
Copy link
Member

WARNING:

ERROR: QA failed on SURI_TLPR1_alerts_cmp.
field baseline test %
SURI_TLPW1_stats_chk
.detect.alert 153896 160324 104.18%
IPS_AFP_stats_chk
.detect.alert 129600 141480 109.17%

Pipeline 25141

This will need to be analyzed, it's the same as with the last PR. No point in further rebases until it is understood why this happens.

@jlucovsky jlucovsky marked this pull request as draft March 16, 2025 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jlucovsky @suricata-qa @victorjulien