Flow bytes pkts either support/v4 #11897
Conversation
Add an extension to keywords flow.bytes.. and flow.pkts.. to allow matching on bytes or pkts in either direction. The syntax for this operation would look like the following: flow.bytes_either:1000 flow.pkts_either:20 These are implemented as generic uint types and thus allow all basic ops in the syntax like greater than, less than, etc alongwith the exact match. Feature 5646
inashivb
requested review from
catenacyber
and removed request for
jufajardini and
victorjulien
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #11897 +/- ##
=======================================
Coverage 82.60% 82.61%
=======================================
Files 912 912
Lines 249342 249417 +75
=======================================
+ Hits 205968 206046 +78
+ Misses 43374 43371 -3
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
Information: QA ran without warnings. Pipeline 23041 |
| if (p->flow == NULL) { | ||
| return 0; | ||
| } | ||
| uint32_t nb = p->flow->tosrcpktcnt; |
There was a problem hiding this comment.
can avoid using nb and just use p->flow->tosrcpkt_cnt directly?
| if (p->flow == NULL) { | ||
| return 0; | ||
| } | ||
| uint64_t nb = p->flow->tosrcbytecnt; |
|
Still not entirely fan of the keyword itself, as I feel it is better to have it as an option somehow. But since the existing keywords map to eve, and adding the option there doesn't make sense, I don't know a better way right now. Or we'd have change eve to do something like: then keywords could be Hmmm... not a perfect match either. So, I remain undecided... |
Imho, this alternative seems easier to correlate and understand. |
| flow.pkts_either | ||
| ------------------ | ||
|
|
||
| Flow number of packets in either direction (integer) |
There was a problem hiding this comment.
nit:
| Flow number of packets in either direction (integer) | |
| Flow number of packets in either direction (integer). |
There was a problem hiding this comment.
I wonder if it is needed to add that it is either, but not the some of both - or if it is clear enough.
There was a problem hiding this comment.
I think mathematically either is different than both or/and sum. But, if it seems like it can confuse new people, sure. Do you have suggestions on incorporating it in the sentence?
| flow.pkts_either:3 # exactly 3 | ||
| flow.pkts_either:<3 # smaller than 3 | ||
| flow.pkts_either:>=2 # greater than or equal to 2 |
There was a problem hiding this comment.
Is this list non-exhaustive? Should we somehow indicate the other possible operations (even if by just adding a "for example", at the end of the sentence?
There was a problem hiding this comment.
Well, we do link to all the possible ops in the ref tag above. It leads to this elaborate doc: https://docs.suricata.io/en/latest/rules/integer-keywords.html#rules-integer-keywords.
Lmk if this does not seem enough
|
|
||
| Signature example:: | ||
|
|
||
| alert ip any any -> any any (msg:"Flow has greater than 3000 bytes in either dir"; flow.bytes_either:>3000; sid:1;) |
There was a problem hiding this comment.
nit:
| alert ip any any -> any any (msg:"Flow has greater than 3000 bytes in either dir"; flow.bytes_either:>3000; sid:1;) | |
| alert ip any any -> any any (msg:"Flow is greater than 3000 bytes in either dir"; flow.bytes_either:>3000; sid:1;) |
Just adding that the previous version of this PR had exactly this syntax for rule keywords to have direction as an option. eve was unchanged though |
|
As discussed internally, we'll keep the syntax of previous PR |
But, also keep flow.pkts_toserver and flow.pkts_toclient for now. Same for bytes. |
Link to ticket: https://redmine.openinfosecfoundation.org/issues/5646
SV_BRANCH=OISF/suricata-verify#2082
Previous PR: #11889
Changes since v3: