-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
detect: don't run pkt sigs on ffr pkts #12095
Conversation
Last packet from the TLS TCP session moves TCP state to CLOSED. This flags the app-layer with APP_LAYER_PARSER_EOF_TS or APP_LAYER_PARSER_EOF_TC depending on the direction of the final packet. This flag will just have been set in a single direction. This leads to the last packet updating the inspect id in that packets direction. At the end of the TLS session a pseudo packet is created, because: - flow has ended - inspected tx id == 0, for at least one direction - total txs is 1 Then a packet rule matches: ``` alert tcp any any -> any 443 (flow: to_server; \ flowbits:isset,tls_error; \ sid:09901033; rev:1; \ msg:"Allow TLS error handling (outgoing packet)"; ) ``` The `SIG_MASK_REQUIRE_REAL_PKT` is not preventing the match, as the `flowbits` keyword doesn't set it. To avoid this match. This patch skips signatures of the `SIG_TYPE_PKT` for flow end packets. Ticket: OISF#7318.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #12095 +/- ##
==========================================
- Coverage 83.25% 83.25% -0.01%
==========================================
Files 910 906 -4
Lines 257571 257649 +78
==========================================
+ Hits 214450 214501 +51
- Misses 43121 43148 +27
Flags with carried forward coverage won't be shown. Click here to find out more. |
Information: QA ran without warnings. Pipeline 23284 |
@jufajardini can you remind me what |
Should it work the same for
using tls in rule's alproto instead of tcp |
That won't lead to a A There are several SV tests that fail if I include |
The patch makes sense to me but, |
With the PCAP from the initial report, the handshake was not complete. So it actually makes sense that the 1, and only 1 transaction on TLS would still be considered active on flow close.. However, I think the check could be made smarter to check the state of the transaction before always returning 1. However, in the specific PCAP the behaviour is correct I think. |
I had totally missed the handshake failure. Thanks for explaining! 🙇🏽♀️ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the work, almost good except SV test
CI : ✅
Code : good
Commits segmentation : ok
Commit messages : good
Git ID set : looks fine for me
CLA : you already contributed
Doc update : @jufajardini should there be a doc update about signature type packet not matching on pseudo packets ?
Redmine ticket : ok
Rustfmt : no rust
Tests : SV PR is failing for 7 🔴
Dependencies added: none
@jufajardini where can we find your presentation about signature types ?
Working on a new version of the PR atm. I'll take into account your comments here to try to add more examples. Current it this: #12114 I'll share a pdf with the presentation with you, as I think we haven't published those yet. |
I'll add something about this to the new docs. |
Thanks Juliana Why is a rule with flowbits a packet type ? |
Flowbits can change per packet, at least in theory. The flowbits analysis isn't sophisticated enough to see if this is true. |
#12169 plus OISF/suricata-verify#2148 shows what it could look like with |
from my checks, a rule like the above is |
The Packet type signature is one that requires inspection on a packet level info, for instance, the packet header. Checking the output of |
Rebased in #12257 with good SV test |
Last packet from the TLS TCP session moves TCP state to CLOSED.
This flags the app-layer with APP_LAYER_PARSER_EOF_TS or APP_LAYER_PARSER_EOF_TC depending on the direction of the final packet. This flag will just have been set in a single direction.
This leads to the last packet updating the inspect id in that packets direction.
At the end of the TLS session a pseudo packet is created, because:
Then a packet rule matches:
The
SIG_MASK_REQUIRE_REAL_PKT
is not preventing the match, as theflowbits
keyword doesn't set it.To avoid this match. This patch skips signatures of the
SIG_TYPE_PKT
for flow end packets.Ticket: #7318.
SV_BRANCH=OISF/suricata-verify#2121