Detect revflow 7552 v5 #12716

Closed
wants to merge 2 commits into from

Conversation

catenacyber
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7552

Describe changes:

  • Fix detection when reversing flow

SV_BRANCH=OISF/suricata-verify#2320

#12715 back to working version

Ticket: 7552

When we use midstream, and the first packet we see of a flow is
a response from server, and we want to match on some signature
to client:
- we had first set sgh_toserver/FLOW_SGH_TOSERVER as we first
  thought this was a packet to server
- we then swap/reverse the flow, so sgh_toclient becomes sgh_toserver,
  but it contains signatures to server and cannot match our
  to_client signature

The detect engine with DetectRunSetup will set again the
signatures group heads properly

Ticket: 7552

f->sgh_toserver may be NULL, but because FLOW_SGH_TOSERVER is unset,
we want to delay cleanup until detection has really been
run with the right signature group head.

This may happen for a rule using
`alert tcp any any -> any any` and
an app-layer keyword to client
with an app-layer supporting both udp and tcp,
with stream.midstream=true
and with the first packet of a flow being a server response.

In this case, we swap the flow and reset its signature group heads
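To make the two commit messages above concrete, here is a toy C model of the flow-reversal path. It is an added illustration, not Suricata's code: `Flow`, `Sgh`, `detect_run_setup`, `flow_swap_buggy`, `flow_swap_fixed` and the `no_rules_toserver_*` checks are hypothetical simplifications of the Suricata concepts the PR names (sgh_toserver/sgh_toclient, FLOW_SGH_TOSERVER/FLOW_SGH_TOCLIENT, DetectRunSetup). The first scenario shows why swapping the per-direction group heads on reversal leaves a to_client rule unmatched; the second shows why a NULL head must not be read as "no rules" while its FLOW_SGH flag is still unset.

```c
/* Added illustration (not Suricata code): toy model of per-direction
 * signature group heads on a flow and what happens when the flow is
 * reversed after midstream pickup. All identifiers are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define FLOW_SGH_TOSERVER 0x1u
#define FLOW_SGH_TOCLIENT 0x2u

/* A signature group head: here only the direction its rules are for. */
typedef struct {
    const char *name;
    bool to_client; /* true: rules with to_client semantics */
} Sgh;

/* Constructed rule groups standing in for the engine's grouped rules. */
static const Sgh SGH_TS = { "sgh(to_server rules)", false };
static const Sgh SGH_TC = { "sgh(to_client rules)", true };

typedef struct {
    unsigned flags;
    const Sgh *sgh_toserver;
    const Sgh *sgh_toclient;
} Flow;

/* Packet direction as the engine currently believes it. */
typedef enum { PKT_TOSERVER, PKT_TOCLIENT } Dir;

/* Model of DetectRunSetup: select the head for the packet direction and
 * cache it on the flow, marking the direction with the FLOW_SGH_* flag. */
static const Sgh *detect_run_setup(Flow *f, Dir d) {
    if (d == PKT_TOSERVER) {
        if (!(f->flags & FLOW_SGH_TOSERVER)) {
            f->sgh_toserver = &SGH_TS;
            f->flags |= FLOW_SGH_TOSERVER;
        }
        return f->sgh_toserver;
    }
    if (!(f->flags & FLOW_SGH_TOCLIENT)) {
        f->sgh_toclient = &SGH_TC;
        f->flags |= FLOW_SGH_TOCLIENT;
    }
    return f->sgh_toclient;
}

/* Reversal as the first commit message describes the old behaviour:
 * the heads and their flags are swapped along with the flow. */
static void flow_swap_buggy(Flow *f) {
    const Sgh *t = f->sgh_toserver;
    f->sgh_toserver = f->sgh_toclient;
    f->sgh_toclient = t;
    unsigned ts = f->flags & FLOW_SGH_TOSERVER;
    unsigned tc = f->flags & FLOW_SGH_TOCLIENT;
    f->flags &= ~(FLOW_SGH_TOSERVER | FLOW_SGH_TOCLIENT);
    if (ts) f->flags |= FLOW_SGH_TOCLIENT;
    if (tc) f->flags |= FLOW_SGH_TOSERVER;
}

/* Fixed reversal: reset both heads and flags so that the next
 * detect_run_setup re-selects them for the true direction. */
static void flow_swap_fixed(Flow *f) {
    f->sgh_toserver = NULL;
    f->sgh_toclient = NULL;
    f->flags &= ~(FLOW_SGH_TOSERVER | FLOW_SGH_TOCLIENT);
}

/* Ticket scenario: midstream, first packet is a server response that is
 * first classified as to-server; the flow is then reversed and a
 * to_client rule is evaluated. Returns true if that rule can match. */
static bool to_client_rule_can_match(void (*swap)(Flow *)) {
    Flow f = {0};
    (void)detect_run_setup(&f, PKT_TOSERVER); /* wrong initial guess */
    swap(&f);                                  /* parser says: reverse */
    const Sgh *sgh = detect_run_setup(&f, PKT_TOCLIENT);
    return sgh != NULL && sgh->to_client;
}

/* Second commit message, modelled: a NULL head alone is not "no rules"
 * for that direction; the FLOW_SGH flag says whether setup has run. */
static bool no_rules_toserver_null_only(const Flow *f) {
    return f->sgh_toserver == NULL;
}
static bool no_rules_toserver_flag_aware(const Flow *f) {
    return (f->flags & FLOW_SGH_TOSERVER) && f->sgh_toserver == NULL;
}

/* After the fixed reversal, would this check let cleanup run too early? */
static bool would_cleanup_early(bool (*no_rules)(const Flow *)) {
    Flow f = {0};
    (void)detect_run_setup(&f, PKT_TOSERVER);
    flow_swap_fixed(&f); /* heads NULL, flags cleared, setup not yet rerun */
    return no_rules(&f);
}

int main(void) {
    printf("buggy swap, to_client rule matches: %s\n",
           to_client_rule_can_match(flow_swap_buggy) ? "yes" : "no");
    printf("fixed swap, to_client rule matches: %s\n",
           to_client_rule_can_match(flow_swap_fixed) ? "yes" : "no");
    printf("early cleanup, NULL-only check: %s\n",
           would_cleanup_early(no_rules_toserver_null_only) ? "yes" : "no");
    printf("early cleanup, flag-aware check: %s\n",
           would_cleanup_early(no_rules_toserver_flag_aware) ? "yes" : "no");
    return 0;
}
```

With the swap-only reversal the to_client slot ends up holding the to_server group, so the rule cannot match; resetting the heads makes the next setup pick the right group, and the flag-aware check keeps cleanup from treating the transient NULL as "nothing to inspect".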

codecov bot commented Mar 5, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.72%. Comparing base (5444697) to head (2e985f1).
Report is 24 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #12716      +/-   ##
==========================================
- Coverage   80.74%   80.72%   -0.02%     
==========================================
  Files         936      936              
  Lines      259393   259399       +6     
==========================================
- Hits       209435   209394      -41     
- Misses      49958    50005      +47     
Flag             Coverage   Δ
fuzzcorpus       56.99%     <100.00%> (+0.02%) ⬆️
livemode         19.42%     <0.00%>   (-0.01%) ⬇️
pcap             44.20%     <80.00%>  (-0.06%) ⬇️
suricata-verify  63.53%     <100.00%> (-0.02%) ⬇️
unittests        58.21%     <87.50%>  (-0.01%) ⬇️


@suricata-qa

Information: QA ran without warnings.

Pipeline 24973

@victorjulien victorjulien added this to the 8.0 milestone Mar 6, 2025
@victorjulien
Member

Merged in #12730, thanks!
