Flow bytes pkts syntax/v5 #12180
Flow bytes pkts syntax/v5 #12180
Conversation
Currently, the syntax includes direction as a part of the keyword which is against how usually keywords are done. By making direction as a mandatory argument, it is possible to make the syntax cleaner and the implementation more compact and easily extendable. Pros: - Registration table sees lesser entries - If the options have to be extended, it can be done trivially - In accordance w existing keyword implementations Note that this commit also retains the existing direction specific keywords.
For flow.bytes and flow.pkts keywords, allow matching in either direction. Feature 5646
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12180 +/- ##
==========================================
+ Coverage 49.75% 49.97% +0.21%
==========================================
Files 912 912
Lines 257055 257169 +114
==========================================
+ Hits 127895 128516 +621
+ Misses 129160 128653 -507
Flags with carried forward coverage won't be shown. Click here to find out more. |
| @@ -23,114 +23,141 @@ | |||
| #include "detect-engine-uint.h" | |||
| #include "detect-parse.h" | |||
|
|
|||
| static int DetectFlowPktsToClientMatch( | |||
| #define DETECT_FLOW_TO_SERVER 1 | |||
There was a problem hiding this comment.
generally the code using TOCLIENT and TOSERVER (no _), shall we do that here too?
| return -1; | ||
| char copy[strlen(rawstr) + 1]; |
There was a problem hiding this comment.
this is a common pattern in our parser, but wonder if we should replace it by a heap allocation? SCStrdup. @catenacyber input size is limited by max rule size, and perhaps other limits. Any thoughts?
| } | ||
|
|
||
| if (dir_set) { | ||
| DetectU32Data *du32 = DetectU32Parse(token); |
There was a problem hiding this comment.
feel it would be cleaner to separate the strtok_r loop from acting on the results of the loop
| if (SigMatchAppendSMToList(de_ctx, s, DETECT_FLOW_PKTS_TO_SERVER, (SigMatchCtx *)du32, | ||
| DETECT_SM_LIST_MATCH) == NULL) { | ||
| DetectFlowPktsToServerFree(de_ctx, du32); | ||
| DetectFlow *df = SCCalloc(1, sizeof(DetectFlow)); |
There was a problem hiding this comment.
do we need this before the strtok_r loop? If not we can alloc it later and have simple error handling.
| @@ -23,114 +23,151 @@ | |||
| #include "detect-engine-uint.h" | |||
| #include "detect-parse.h" | |||
|
|
|||
| static int DetectFlowPktsToClientMatch( | |||
| #define DETECT_FLOW_TO_SERVER 1 | |||
There was a problem hiding this comment.
think this might be cleaner as an enum
| if (DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data)) { | ||
| return 1; | ||
| } | ||
| if (DetectU32Match(p->flow->todstpktcnt, df->pkt_data)) { |
There was a problem hiding this comment.
nit: return DetectU32Match(p->flow->todstpktcnt, df->pkt_data);
|
Information: QA ran without warnings. Pipeline 23602 |
Previous PR: #11897
Redmine ticket: https://redmine.openinfosecfoundation.org/issues/5646
SV_BRANCH=OISF/suricata-verify#2145
Changes since v4:
flow.bytes:<dir>,<op><num>andflow.pkts..flow.bytes_toserverand friends