-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
detect: log app-layer metadata in alert with single tx #12195
detect: log app-layer metadata in alert with single tx #12195
Conversation
Ticket: 7199 Uses a config parameter detect.force-applayer-findtx to enable this behavior (off by default) This feature is requested for use cases with signatures not using app-layer keywords but still targetting application layer transactions, such as pass/drop rule combination, or lua usage. This overrides the previous behavior of checking if the signature has a content match, by checking if there is only one live transaction, in addition to the config parameter being set.
@@ -70,6 +70,21 @@ Alerts are event records for rule matches. They can be amended with | |||
metadata, such as the application layer record (HTTP, DNS, etc) an | |||
alert was generated for, and elements of the rule. | |||
|
|||
The alert is amended with application layer metadata for signatures | |||
using application layer keywords. It is also the case for protocols | |||
over UDP as each single packet is expected to contain a PDU. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@inashivb is this the case for DCERPC/UDP with fragments ?
Is DCERPC/UDP with fragments = multiple packets but only one tx for the reassembled stuff ?
@@ -2940,6 +2940,12 @@ static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) | |||
"and 255, will default to 4"); | |||
} | |||
} | |||
int force_applayer = 0; | |||
if ((ConfGetBool("detect.force-tie-applayer-tx", &force_applayer)) == 1) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we could use more strings and have an enumeration
- tie first
- tie last
- tie if only one
- tie never
And even combine with tie if content match (PACKET_ALERT_FLAG_STREAM_MATCH), tie if UDP...
void *tx_ptr = | ||
AppLayerParserGetTx(pflow->proto, pflow->alproto, pflow->alstate, txid); | ||
AppLayerTxData *txd = | ||
tx_ptr ? AppLayerParserGetTxData(pflow->proto, pflow->alproto, tx_ptr) | ||
: NULL; | ||
if (txd && txd->stream_logged < de_ctx->stream_tx_log_limit) { | ||
alert_flags |= PACKET_ALERT_FLAG_TX; | ||
if (pflow->proto != IPPROTO_UDP) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
feels a bit weird to be a in a block about stream logging, then seeing udp here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
stream_logged
and stream_tx_log_limit
are bad names I am afraid
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Renaming variables and commenting in another commit
txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir); | ||
if ((s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP) || | ||
(de_ctx->force_applayer && | ||
AppLayerParserGetTxCnt(pflow, pflow->alstate) == txid + 1)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is missing the case where AppLayerParserGetTxCnt==1, like for TLS. In this case we can trust the TX is relevant.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is missing the obvious case where AppLayerParserGetTxCnt==1,
I do not think it is missing : in this case txid==0, so AppLayerParserGetTxCnt==1==txid + 1
And I do not think it is obvious that we can trust the TX is relevant
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding test case in OISF/suricata-verify#2157
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is missing the obvious case where AppLayerParserGetTxCnt==1,
I do not think it is missing : in this case txid==0, so AppLayerParserGetTxCnt==1==txid + 1
And I do not think it is obvious that we can trust the TX is relevant
But this still relies on de_ctx->force_applayer
, while the idea is that you can just use that one tx
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
while the idea is that you can just use that one tx
Maybe for TLS, it is ok but in general no you cannot use that one tx by just checking AppLayerParserGetTxCnt==1
cf #12166 (comment)
signature alert ip any any -> any any (sid: 1; flow.age: >1; flow: to_server; )
packets :
- 3 way handshake
- first HTTP2 request
- acked
- after one second, second HTTP2 request begins with a packet with the start of big HTTP2 frame :
- parser returns
AppLayerResult::incomplete
, does not create tx - signature triggers
- the only transaction present is the first one (AppLayerParserGetTxCnt==1) but the first request had all its data before flow.age was 1 second old, so should not be logged
- parser returns
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And for TLS, I get the argument that you cannot log a wrong transaction as there will forever only be one, but it is not obvious to me that everyone will want the app-layer logged for a signature such as alert ip any any -> any any (sid: 1; flow.age: >1; flow: to_server; )
if the packet triggering it happens after the clear text TLS handshake...
Next in #12197 |
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7199
May also solve https://redmine.openinfosecfoundation.org/issues/7406 and https://redmine.openinfosecfoundation.org/issues/7350
Describe changes:
SV_BRANCH=OISF/suricata-verify#2146
#12168 with review taken into account