detect-flowbits: adding details for flowbits v4 #9691
Conversation
| if (cd->or_list_size == 0) { | ||
| jb_set_string(js, "name", VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_BIT)); | ||
| } else if (cd->or_list_size > 0) { | ||
| jb_set_uint(js, "ored_flowbits", cd->or_list_size); |
There was a problem hiding this comment.
not sure about the use of "ored", IMO, "flowbits" should be fine.
| jb_open_object(js, "flowbits"); | ||
| switch (cd->cmd) { | ||
| case DETECT_FLOWBITS_CMD_NOALERT: | ||
| jb_set_string(js, "action", "noalert"); |
There was a problem hiding this comment.
Note that this behavior is diff in 6.0.x, so you may have to check the tests
nvm we're just adding it so it doesn't matter
| jb_set_string(js, "name", VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_BIT)); | ||
| } else if (cd->or_list_size > 0) { | ||
| jb_set_uint(js, "ored_flowbits", cd->or_list_size); | ||
| jb_open_array(js, "ored_variables"); |
There was a problem hiding this comment.
I think we should keep the output simple. Like
flowbits:
name: [fb1]
or
flowbits:
name: [fb1, fb2] # in case of an or operation
Also, one thing to note is that even in an or list, not all flowbits may have matched. From what I gather, we want to log the postmatch stuff so we should only log the names of the flowbit that matched? I'll check today and get back if there's a better way to retrieve it.
Also, need to look if or list may be specific to certain cmds.
There was a problem hiding this comment.
I'm not sure I understand what you mean by changing the output. Currently, I have output being stored in name and the ored variables in ored_variables. Should I just have the name output? Also, or list is specific only to isset and isnotset cmds from what I understand.
There was a problem hiding this comment.
There's no such thing as ored variables. Those are also flowbit names separated by | which signifies or operator. And, there are flowbit names which are individually present in a rule.
I still have to check the code a bit so please wait on it. I'll get to it very soon now.
There was a problem hiding this comment.
Hi @hadiqaalamdar !
After looking at the code, a few things to consider:
- A rule can have multiple flowbits, what would it's layout look like in
rules.jsonif we were to proceed with the current code? - Flowbit oring is supported only for
issetandisnotsetcmds. When you think about it, it makes sense why.
- Even in case of oring, there will be just one match because of how theoroperator works.
- We currently do not store which flowbit out of the or'd flowbits actually was responsible for a match, we'll have to. (somewhere inDetectFlowbitsData)
In conclusion,
- We do
notneed to store a list in case of or operator's usage. - We may need a list to sanitize the output in case multiple flowbits are used in the same rule. [This can be done after we have something working]
- We need lots of tests for all the scenarios. Please refer to pre-existing s-v tests about flowbits.
Recommendation:
Questions to ask yourself before proceeding.
- What are flowbits?
- What all commands are supported by flowbits?
- What do flowbits rules look like?
- What should the output of engine-analysis be in my view?
- Write a suricata-verify test with all the different rules you can come up with about flowbits.
These would help you get a clearer idea about what needs to be done. If needed, feel free to ask your mentors for brief overview of concepts and/or validate your understanding.
Please know that we understand this one is a complicated task so you can take your time. 😉
|
NOTE: This PR may contain new authors: |
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9691 +/- ##
==========================================
- Coverage 82.39% 82.39% -0.01%
==========================================
Files 968 968
Lines 274337 274370 +33
==========================================
+ Hits 226047 226055 +8
- Misses 48290 48315 +25
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
@inashivb Edit: Also, should all flowbit names be stored in the same |
Hi @hadiqaalamdar !
Yes, that was my suggestion. The thing is for a rule like
Now, please note the following rule In this case, we check if Conclusion:
Your next steps:
Does this help you, Hadiqa? |
|
Thank you for your detailed response. I'll keep working on this and let you know if I have any further questions |
I think that the only bit where things seem still a bit fuzzy is this: |
Now, to create the json array when we have more than one variable in the same rule, we can still use |
@jufajardini from what I understand, I should create one
My thinking is that this should cover both Rule 1 and Rule 2. Please let me know if I'm missing something. |
From your explanation, this sounds about right! |
|
Just a comment on the format of the JSON. For the simple case we have: "name": "flowbits",
"flowbits": {
"cmd": "isset",
"name": "fb2"
}This looks OK, I'm not so sure about the OR case.. I'd rather see something like: "name": "flowbits",
"flowbits": {
"cmd": "isset",
"names": [
"fb1",
"fb2"
],
"operator": "or"
}Or the following is often used to express such conditions as well: "name": "flowbits",
"flowbits": {
"cmd": "isset",
"or": ["fb1", "fb2"],
} |
|
I'll give this a try, thank you! |
This was exactly my suggestion. Wasn't sure on the name of the |
Hi there, I know there was a lot of back and forth for the discussions here, so please let us know if you are having trouble following up on what we mentioned here, ok? |
Hi, sorry for the delay. I will continue to work on this and share an update this week. |
|
New PR: #9971 |
Task #6309
Link to redmine ticket:
Previous PR: #9688
Describe changes:
Output from console:
SV BRANCH = OISF/suricata-verify#1441