Detect multiprotocol keywords 7304 v2 #12229
Conversation
such as ja4. Why ? We do not want to see hard-coded protocol constants such as ALPROTO_QUIC directly used in generic code in detect-parse.c How ? From the keyword point of view, this commit adds the function DetectSignatureSetMultiAppProto which is similar to DetectSignatureSetAppProto but takes multiple alprotos. It restricts the signature alprotos to a set of possible alprotos and errors out if the interstion gets empty. The data structure SignatureInitData gets extended with a fixed-length array, as the use case is a sparse number of protocols Ticket: 7304
instead of hardcoding list : removes usage of ALPROTO_QUIC and ALPROTO_TLS in generic SigValidate Ticket: 7304
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12229 +/- ##
==========================================
- Coverage 83.19% 83.17% -0.02%
==========================================
Files 912 912
Lines 257166 257267 +101
==========================================
+ Hits 213938 213991 +53
- Misses 43228 43276 +48
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 23713 |
| for (size_t i = 0; i < SIG_ALPROTO_MAX; i++) { | ||
| if (s->init_data->alprotos[i] == ALPROTO_UNKNOWN) { | ||
| break; | ||
| } | ||
| // first disable the ones that do not match | ||
| bool found = false; | ||
| while (*alprotos != ALPROTO_UNKNOWN) { | ||
| if (s->init_data->alprotos[i] == *alprotos) { | ||
| found = true; | ||
| break; | ||
| } | ||
| alprotos++; |
There was a problem hiding this comment.
This looks like we'll exhaust alprotos on checks against the first alproto entry of the signature if there was no match. Is this the intention?
There was a problem hiding this comment.
Not sure I follow what you mean here...
There is a double loop with the current signature alprotos, and the new ones...
There was a problem hiding this comment.
I mean for a say, s->init_data->alprotos = [proto1, proto2, proto3, ALPROTO_UNKNOWN]
and alprotos = [proto4, proto3, ALPROTO_UNKNOWN] coming to this part of the code,
First pass of the for loop looking for proto1 will bring alprotos pointer out of the array. We won't go over proto2 and proto3 in the s->init_data->alprotos, is this possible/intended?
There was a problem hiding this comment.
Thanks for spotting this
As far as I can tell, DCERPC/SMB will always fall in the default |
|
Another thought: why do we not just have a protocol compatibility matrix and look through it if a protocol is compatible with another one and what should be the final signature protocol in that case? |
DCERPC/SMB is not totally default as can be seen in
My question is like Could we get rid of this hardcoded behavior and have dcerpc keywords just call
Because of ja3/ja4 which are both quic and tls... (files keywords also, etc...) |
I think I'm misunderstanding what you mean by "default" here. Could you please explain?
yes, you could just call |
|
DCERPC/SMB has not a default behavior where default means not a specific case in the Looking into the code to understand what is going on, I find some problems :
Just having the smb keyword first or after dcerpc one...
Looking at rules from dcerpc-smb-test-01 which are the same except their beginning : So is it correct that Also wondering why I created ALPROTO_DOH2 when DCERPC over SMB, is kind of the same as DNS over HTTP2... |
|
Next in #12310 |
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7304
Describe changes:
Is there something to do with DCERPC/SMB stuff ? cc @inashivb
I think file keywords have their own logic and it is ok.
#12149 with better commit messages