analysis: report rule state altered by other rule - v1 #12286
+9
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Flowbits can make a rule such as a packet rule be treated as a stateful rule, without actually changing the rule type. Add a flag to allow report such cases via the engine analysis. Task OISF#7456
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #12286 +/- ##
========================================
Coverage 83.22% 83.23%
========================================
Files 912 912
Lines 257311 257630 +319
========================================
+ Hits 214154 214426 +272
- Misses 43157 43204 +47
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 23948 |
| @@ -1047,6 +1047,8 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s) | |||
| break; | |||
| } | |||
|
|
|||
| jb_set_bool(ctx.js, "rule_state_dependency", s->init_data->rule_state_dependency); | |||
There was a problem hiding this comment.
I think the immediate question ppl will have is "which rule?" followed by "why?". Perhaps more info can be added through the analyzer note part of the engine analysis
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Flowbits can make a rule such as a packet rule be treated as a stateful rule, without actually changing the rule type.
Add a flag to allow report such cases via the engine analysis.
Task #7456
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7456
Describe changes:
Wasn't sure about using this as another
SIG_INIT_FLAGor even as flag that could have other values, so decided to go with this as a proof of concept, sort of.The output will also be tested with SV tests that should accompany the rule types doc.
Moved on with this work before the rule types documentation as this should also be present in the
engine-analysisexamples seen there.Output example:
{ "raw": "alert ip any any -> any any (msg:\"Flowbit isset ored flowbits\"; flowbits:isset,fb1|fb5; sid:1801;)", "id": 1801, "gid": 1, "rev": 0, "msg": "Flowbit isset ored flowbits", "app_proto": "unknown", "requirements": [ "flow" ], "type": "pkt", "rule_state_dependency": true, "flags": [ "src_any", "dst_any", "sp_any", "dp_any", "need_flowvar", "toserver", "toclient" ], "pkt_engines": [ { "name": "packet", "is_mpm": false } ], "frame_engines": [], "engines": [], "lists": { "packet": { "matches": [ { "name": "flowbits", "flowbits": { "cmd": "isset", "names": [ "fb1", "fb5" ], "operator": "or" } } ] } } }