Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dcerpc incomplete 5699/v12 #12025

Closed
wants to merge 6 commits into from
Closed

Dcerpc incomplete 5699/v12 #12025

wants to merge 6 commits into from

Conversation

inashivb
Copy link
Member

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/5699

Previous PR: #11848

Changes since v11:

  • unit test failure fixed
  • rebased on top of latest master

@inashivb
dcerpc: do not assume an upper bound on data
50f8bd3 
TCP data can be presented to the protocol parser in any way e.g. one
byte at a time, single complete PDU, fragmented PDU, multiple PDUs at
once. A limit of 1MB can be easily reached in some of such scenarios.
Remove the check that rejects data that is more than 1MB.
@inashivb
dcerpc: save version info in tx
087f7f4 
to make it available for logging.
@inashivb
dcerpc: use AppLayerResult::incomplete API
698c710 
Instead of own internal mechanism of buffering in case of fragmented
data, use AppLayerResult::incomplete API to let the AppLayer Parser take
care of it. This makes the memory use more efficient.
Remove any unneeded variables and code with the introduction of this
API.

Ticket 5699
@inashivb
dcerpc: remove fragmented data tests
d2111cb 
With the introduction of AppLayerResult::incomplete API, fragmented data
is no longer handled fully in the dcerpc code. Given that these code
paths are already covered by the following s-v tests, these tests can now be
safely removed.
- dce-gap-handling
- dcerpc-dce-iface-*

Ticket 5699
@inashivb
dcerpc: tidy up code
f88b0fc 
- remove unneeded variables
- remove unnecessary tracking of bytes in state
- modify calculations as indicated by failing tests
@inashivb
app-layer: fix smb/dcerpc test
ac0c022 
Test AppLayerTest08 has an invalid DCERPC request in many ways.
- header type is invalid
- fragment length is invalid

With the new changes of using the applayer::incomplete API in dcerpc
parser, this test failed due to dcerpc parser asking for more data which
does not lead to any condition that would ask for disabling applayer.
Applayer can be disabled from two code paths:
1. StreamTcpDisableAppLayer
2. StreamTcpSetSessionNoReassemblyFlag

These fns are called in the cases of:
- applayer parser not requiring inspection
- applayer parser asking to not reassemble data
- stream depth having been reached
- errors encountered by applayer during parsing

Since none of the these conditions are the aim of the given test, adjust
the byte array to actually contain valid data that goes through all the
conditions as expected in the FAIL/PASS macros.
@codecov Codecov
Copy link

codecov bot commented Oct 24, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.24%. Comparing base (1860aa8) to head (ac0c022).
Report is 100 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12025      +/-   ##
==========================================
- Coverage   83.24%   83.24%   -0.01%     
==========================================
  Files         910      910              
  Lines      258136   257861     -275     
==========================================
- Hits       214895   214665     -230     
+ Misses      43241    43196      -45
Flag Coverage Δ
fuzzcorpus 61.54% <100.00%> (+0.04%) ⬆️
livemode 19.39% <0.00%> (+<0.01%) ⬆️
pcap 44.41% <90.47%> (-0.02%) ⬇️
suricata-verify 62.73% <95.23%> (-0.01%) ⬇️
unittests 59.24% <63.63%> (-0.05%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.app_layer.flow.dcerpc_tcp 40 106 265.0%

Pipeline 23172

@inashivb inashivb marked this pull request as draft October 24, 2024 11:07
@inashivb
Copy link
Member Author

Needs investigation of the stats difference and unittest converted to s-v

@catenacyber
Copy link
Contributor

Needs investigation of the stats difference

I would retry running QA to see if it persists

@catenacyber
Copy link
Contributor

Did you forget to use here OISF/suricata-verify#2127 ?

@inashivb
Copy link
Member Author

Did you forget to use here OISF/suricata-verify#2127 ?

Not really. I did that s-v test much later. That s-v test needs fixing and then I'll remove that unittest in this PR

@catenacyber
Copy link
Contributor

Ok, could you remind us the order of PRs in your DCERPC rabbit hole ? frames, incomplete, unit test, etc...

@inashivb
Copy link
Member Author

Ok, could you remind us the order of PRs in your DCERPC rabbit hole ? frames, incomplete, unit test, etc...

yes. 😭
ok so, I have to do the following in strictly in the order mentioned.

  1. Fix s-v test on the PR applayer: add test for dcerpc req http resp suricata-verify#2127
  2. Redo this PR removing the unit test and using the s-v test above. Provide justification for change in stats.
  3. Redo dcerpc frames PR dcerpc/tcp: add frames support #11678

@catenacyber
Copy link
Contributor

Good luck on this 3-level rabbit hole :-)

@inashivb inashivb mentioned this pull request Dec 4, 2024
Closed
@inashivb inashivb closed this Dec 4, 2024
@inashivb inashivb deleted the dcerpc-incomplete-5699/v12 branch December 4, 2024 11:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@inashivb @suricata-qa @catenacyber