
next/758/20250307/v1 #12730

Merged (2 commits, Mar 7, 2025)

Conversation

victorjulien (Member):
Ticket: 7552

When we use midstream, and the first packet we see of a flow is
a response from server, and we want to match on some signature
to client:
- we had first set sgh_toserver/FLOW_SGH_TOSERVER as we first
  thought this was a packet to server
- we then swap/reverse the flow, so sgh_toclient becomes sgh_toserver
  but it contains signatures to server and cannot match our
  to_client signature

The detect engine with DetectRunSetup will set again the
signatures group heads properly.

Ticket: 7552

f->sgh_toserver may be NULL, but because FLOW_SGH_TOSERVER is unset
we want to delay cleanup until detection has really been
run with the right signature group head.

This may happen for a rule using
`alert tcp any any -> any any` and
an app-layer keyword to client
with an app-layer supporting both udp and tcp
with stream.midstream=true
and with the first packet of a flow being a server response.

In this case, we swap the flow and reset its signature group heads.
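The following C program is an added illustration written for this page; it is not Suricata's source and the `Flow`, `SigGroupHead`, `detect_run_setup`, `flow_swap_stale` and `flow_swap_reset` names are simplified stand-ins for the sgh_toserver/sgh_toclient fields, FLOW_SGH_* flags and DetectRunSetup step mentioned in the commit messages. It replays the midstream scenario above (first packet is a server response, flow is treated as to-server, then swapped) and shows why a swap that merely exchanges the cached group heads leaves a to-server head in the to-client slot, while clearing the cache on swap lets setup re-derive the right head:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model flags; stand-ins for Suricata's FLOW_SGH_TOSERVER/FLOW_SGH_TOCLIENT. */
#define FLOW_SGH_TOSERVER (1u << 0)
#define FLOW_SGH_TOCLIENT (1u << 1)

typedef enum { DIR_TOSERVER = 0, DIR_TOCLIENT = 1 } Direction;

/* Simplified signature group head: the only thing tracked here is which
 * direction the signatures in it were built for. */
typedef struct {
    const char *name;
    Direction dir;
} SigGroupHead;

static const SigGroupHead sgh_for_toserver = { "toserver-rules", DIR_TOSERVER };
static const SigGroupHead sgh_for_toclient = { "toclient-rules", DIR_TOCLIENT };

/* Simplified flow: cached per-direction group heads plus the flags that
 * record whether each cache slot has been filled. */
typedef struct {
    uint32_t flags;
    const SigGroupHead *sgh_toserver;
    const SigGroupHead *sgh_toclient;
} Flow;

/* Model of the setup step (hypothetical, not DetectRunSetup itself): fill
 * the cache slot for the packet's direction unless the flag says it was
 * already filled. */
static void detect_run_setup(Flow *f, Direction pkt_dir)
{
    if (pkt_dir == DIR_TOSERVER && !(f->flags & FLOW_SGH_TOSERVER)) {
        f->sgh_toserver = &sgh_for_toserver;
        f->flags |= FLOW_SGH_TOSERVER;
    } else if (pkt_dir == DIR_TOCLIENT && !(f->flags & FLOW_SGH_TOCLIENT)) {
        f->sgh_toclient = &sgh_for_toclient;
        f->flags |= FLOW_SGH_TOCLIENT;
    }
}

/* Stale swap: reversing the flow just exchanges the two slots and their
 * flags, so the head built for to-server traffic ends up in the to-client
 * slot with FLOW_SGH_TOCLIENT set, and setup never replaces it. */
static void flow_swap_stale(Flow *f)
{
    const SigGroupHead *tmp = f->sgh_toserver;
    f->sgh_toserver = f->sgh_toclient;
    f->sgh_toclient = tmp;

    uint32_t had_ts = f->flags & FLOW_SGH_TOSERVER;
    uint32_t had_tc = f->flags & FLOW_SGH_TOCLIENT;
    f->flags &= ~(FLOW_SGH_TOSERVER | FLOW_SGH_TOCLIENT);
    if (had_ts) f->flags |= FLOW_SGH_TOCLIENT;
    if (had_tc) f->flags |= FLOW_SGH_TOSERVER;
}

/* Resetting swap: forget the cached heads and their flags so the next
 * setup re-derives them from the corrected direction. */
static void flow_swap_reset(Flow *f)
{
    f->sgh_toserver = NULL;
    f->sgh_toclient = NULL;
    f->flags &= ~(FLOW_SGH_TOSERVER | FLOW_SGH_TOCLIENT);
}

/* Replays the midstream scenario and reports whether a to-client
 * signature could be matched at the end of it. */
static bool toclient_rule_can_match(bool reset_on_swap)
{
    Flow f = { 0, NULL, NULL };

    /* First packet seen is really a server response, but with no SYN
     * seen it is initially treated as going to the server. */
    detect_run_setup(&f, DIR_TOSERVER);

    /* The flow is then recognised as reversed and swapped. */
    if (reset_on_swap)
        flow_swap_reset(&f);
    else
        flow_swap_stale(&f);

    /* Detection now runs on the packet in its true direction. */
    detect_run_setup(&f, DIR_TOCLIENT);

    const SigGroupHead *sgh = f.sgh_toclient;
    return sgh != NULL && sgh->dir == DIR_TOCLIENT;
}

int main(void)
{
    printf("plain swap   : to-client rule can match = %s\n",
           toclient_rule_can_match(false) ? "yes" : "no");
    printf("swap + reset : to-client rule can match = %s\n",
           toclient_rule_can_match(true) ? "yes" : "no");
    return 0;
}
```

The defensive point is that any per-direction state cached on a flow (here the signature group heads and the flags saying they are valid) must be invalidated, not merely mirrored, when midstream pickup reverses the flow; otherwise to-client rules silently stop matching on exactly the flows an inspection gap would most affect.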
inashivb (Member) left a comment:

LGTM 🚀

codecov bot commented Mar 7, 2025:

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.77%. Comparing base (6477b31) to head (d8ddef4).
Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #12730   +/-   ##
=======================================
  Coverage   80.76%   80.77%           
=======================================
  Files         936      936           
  Lines      259724   259730    +6     
=======================================
+ Hits       209765   209795   +30     
+ Misses      49959    49935   -24     
Flag              Coverage            Δ
fuzzcorpus        56.90% <100.00%>    (+0.02%)  ⬆️
livemode          19.41% <0.00%>      (+<0.01%) ⬆️
pcap              44.12% <80.00%>     (-0.03%)  ⬇️
suricata-verify   63.65% <100.00%>    (+0.02%)  ⬆️
unittests         58.15% <87.50%>     (-0.01%)  ⬇️


jasonish (Member) left a comment:

Staging looks OK.

suricata-qa commented:

Information: QA ran without warnings.

Pipeline 25010

@victorjulien victorjulien merged commit d8ddef4 into OISF:master Mar 7, 2025
60 checks passed
@victorjulien victorjulien deleted the next/758/20250307/v1 branch March 7, 2025 15:27