Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backports/708/v4 #12268

Closed
wants to merge 4 commits into from
Closed

Backports/708/v4 #12268

wants to merge 4 commits into from

Conversation

victorjulien
Copy link
Member

replace #12267, add in #12264

SV_BRANCH=OISF/suricata-verify#2179

victorjulien and others added 4 commits December 11, 2024 16:48
@victorjulien @inashivb
detect: don't run pkt sigs on ffr pkts
a19fe14 
Last packet from the TLS TCP session moves TCP state to CLOSED.

This flags the app-layer with APP_LAYER_PARSER_EOF_TS or
APP_LAYER_PARSER_EOF_TC depending on the direction of the final packet.
This flag will just have been set in a single direction.

This leads to the last packet updating the inspect id in that packets
direction.

At the end of the TLS session a pseudo packet is created, because:
 - flow has ended
 - inspected tx id == 0, for at least one direction
 - total txs is 1

Then a packet rule matches:

```
alert tcp any any -> any 443 (flow: to_server;                  \
        flowbits:isset,tls_error;                               \
        sid:09901033; rev:1;                                    \
        msg:"Allow TLS error handling (outgoing packet)"; )
```

The `SIG_MASK_REQUIRE_REAL_PKT` is not preventing the match, as the
`flowbits` keyword doesn't set it.

To avoid this match. This patch skips signatures of the `SIG_TYPE_PKT`
for flow end packets.

Ticket: OISF#7318.
(cherry picked from commit 0e4faba)
@catenacyber @victorjulien
detect: log app-layer metadata in alert with single tx
6a9face 
Ticket: 7199

Uses a config parameter detect.guess-applayer-tx to enable
this behavior (off by default)

This feature is requested for use cases with signatures not
using app-layer keywords but still targetting application
layer transactions, such as pass/drop rule combination,
or lua usage.

This overrides the previous behavior of checking if the signature
has a content match, by checking if there is only one live
transaction, in addition to the config parameter being set.

(cherry picked from commit f2c3776)
@victorjulien
detect: re-add app-layer to alerts on stream matches
cea8a86 
The `guess-applayer-tx` work also removed the stream match condition
for adding app-layer metadata to alerts. This is a behavior change that
is not desired at this point, so this commit reverts that part of the
changes.

We keep the exising logging of app-layer metadata if the match was in
the stream.
@catenacyber @victorjulien
doc: improve documentation about guess-applayer-tx
58f97bf 
Ticket: 7199
@victorjulien victorjulien requested review from jufajardini and a team as code owners December 11, 2024 20:59
This was referenced Dec 11, 2024
Closed
Closed
@codecov Codecov
Copy link

codecov bot commented Dec 11, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.18%. Comparing base (9be2eca) to head (58f97bf).
Report is 5 commits behind head on main-7.0.x.

Additional details and impacted files 
@@              Coverage Diff               @@
##           main-7.0.x   #12268      +/-   ##
==============================================
- Coverage       83.19%   83.18%   -0.01%     
==============================================
  Files             922      922              
  Lines          260888   260900      +12     
==============================================
- Hits           217048   217033      -15     
- Misses          43840    43867      +27
Flag Coverage Δ
fuzzcorpus 64.19% <88.88%> (+<0.01%) ⬆️
suricata-verify 63.40% <100.00%> (+<0.01%) ⬆️
unittests 62.38% <55.55%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

jufajardini
jufajardini approved these changes Dec 11, 2024
View reviewed changes
Copy link
Contributor

@jufajardini jufajardini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we don't want to add anything about the stream matching rules still leading to logged metadata, looks good to me.

suricata.yaml.in
Comment on lines +1680 to +1684
# try to tie an app-layer transaction for rules without app-layer keywords
# if there is only one live transaction for the flow
# allows to log app-layer metadata in alert
# but the transaction may not be the relevant one.
# guess-applayer-tx: no
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just noticed we're going against our own guidelines of using true / false in such options. To fix later...

jasonish
jasonish approved these changes Dec 11, 2024
View reviewed changes
Copy link
Member

@jasonish jasonish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, netmap CI failure it intermittent.

@victorjulien victorjulien mentioned this pull request Dec 11, 2024
Merged
@victorjulien
Copy link
Member Author

Merged in #12270, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jufajardini jufajardini jufajardini approved these changes

@jasonish jasonish jasonish approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@victorjulien @jasonish @jufajardini @catenacyber