Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect: don't run pkt sigs on ffr pkts v2 #12257

Closed
wants to merge 1 commit into from
Closed

detect: don't run pkt sigs on ffr pkts v2 #12257

wants to merge 1 commit into from

Conversation

catenacyber
Copy link
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7318

Describe changes:

  • This patch skips signatures of the SIG_TYPE_PKT for flow end packets

#12095 rebased with rebased SV test

SV_BRANCH=OISF/suricata-verify#2173

@victorjulien @catenacyber
detect: don't run pkt sigs on ffr pkts
c47deec 
Last packet from the TLS TCP session moves TCP state to CLOSED.

This flags the app-layer with APP_LAYER_PARSER_EOF_TS or
APP_LAYER_PARSER_EOF_TC depending on the direction of the final packet.
This flag will just have been set in a single direction.

This leads to the last packet updating the inspect id in that packets
direction.

At the end of the TLS session a pseudo packet is created, because:
 - flow has ended
 - inspected tx id == 0, for at least one direction
 - total txs is 1

Then a packet rule matches:

```
alert tcp any any -> any 443 (flow: to_server;                  \
        flowbits:isset,tls_error;                               \
        sid:09901033; rev:1;                                    \
        msg:"Allow TLS error handling (outgoing packet)"; )
```

The `SIG_MASK_REQUIRE_REAL_PKT` is not preventing the match, as the
`flowbits` keyword doesn't set it.

To avoid this match. This patch skips signatures of the `SIG_TYPE_PKT`
for flow end packets.

Ticket: OISF#7318.
@catenacyber catenacyber mentioned this pull request Dec 10, 2024
Closed
inashivb
inashivb approved these changes Dec 10, 2024
View reviewed changes
Copy link
Member

@inashivb inashivb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@victorjulien victorjulien added this to the 8.0 milestone Dec 10, 2024
@victorjulien
Copy link
Member

#12258

@catenacyber catenacyber mentioned this pull request Dec 10, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inashivb inashivb inashivb approved these changes

@victorjulien victorjulien victorjulien approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
8.0
Development

Successfully merging this pull request may close these issues.
3 participants
@catenacyber @victorjulien @inashivb