Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Flow bytes pkts syntax/v7 #12206

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Flow bytes pkts syntax/v7 #12206

wants to merge 3 commits into from
+345 −194

Conversation

inashivb
Copy link
Member

@inashivb inashivb commented Dec 3, 2024

Previous PR: #12199

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/5646

SV_BRANCH=OISF/suricata-verify#2145

Changes since v6:

  • fixed prefilter code as detected by scan-build
  • rebased on top of latest master

@codecov Codecov
Copy link

codecov bot commented Dec 3, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 77.39130% with 52 lines in your changes missing coverage. Please review.

Project coverage is 83.17%. Comparing base (e9173f3) to head (5320e79).

Additional details and impacted files 
@@           Coverage Diff            @@
##           master   #12206    +/-   ##
========================================
  Coverage   83.17%   83.17%            
========================================
  Files         912      912            
  Lines      257111   257242   +131     
========================================
+ Hits       213856   213968   +112     
- Misses      43255    43274    +19
Flag Coverage Δ
fuzzcorpus 60.98% <40.00%> (-0.03%) ⬇️
livemode 19.40% <21.73%> (-0.01%) ⬇️
pcap 44.00% <21.73%> (-0.39%) ⬇️
suricata-verify 62.78% <76.52%> (+0.01%) ⬆️
unittests 59.16% <21.73%> (-0.03%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@inashivb
flow/pkts: make syntax cleaner and compact
eac315f 
Currently, the syntax includes direction as a part of the keyword which
is against how usually keywords are done. By making direction as a
mandatory argument, it is possible to make the syntax cleaner and the
implementation more compact and easily extendable.
Pros:
- Registration table sees lesser entries
- If the options have to be extended, it can be done trivially
- In accordance w existing keyword implementations

Note that this commit also retains the existing direction specific
keywords.
@inashivb
doc: update syntax for flow.pkts & flow.bytes
f1e76fc
@inashivb
flow/pkts: allow matching on either direction
5320e79 
For flow.bytes and flow.pkts keywords, allow matching in either
direction.

Feature 5646
@inashivb inashivb force-pushed the flow-bytes-pkts-syntax/v7 branch from 0e3cb2b to 5320e79 Compare December 3, 2024 13:04
@inashivb inashivb marked this pull request as ready for review December 3, 2024 15:09
@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 23663

catenacyber
catenacyber reviewed Dec 17, 2024
View reviewed changes
doc/userguide/rules/flow-keywords.rst

Signature example::

alert ip any any -> any any (msg:"Flow has 20 packets"; flow.pkts_toserver:20; sid:1;)

flow.bytes_toclient
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess doc should not be removed if the keyword still exist

You can just have a quick mention of it saying it has the same behavior as flow.bytes: toclient,

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok. My idea of removing the doc for old syntax was to increase adaptation of the new syntax only. Old syntax is for backwards compatibility so the existing rulesets using it do not break and that's it. Lmk wdyt?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jufajardini thoughts ?

I see base64_decode doc has a sentence : We recommend using the base64 transform instead

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber left review comments

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@inashivb @suricata-qa @victorjulien @catenacyber