Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backports/708/v1 #12263

Closed
wants to merge 2 commits into from
Closed

Backports/708/v1 #12263

wants to merge 2 commits into from

Conversation

victorjulien
Copy link
Member

@victorjulien victorjulien commented Dec 11, 2024
edited by inashivb
Loading

Need the stream addition to make SV pass (task-7018-* tests)

SV_BRANCH=OISF/suricata-verify#2178

@catenacyber @victorjulien
detect: log app-layer metadata in alert with single tx
63033e3 
Ticket: 7199

Uses a config parameter detect.guess-applayer-tx to enable
this behavior (off by default)

This feature is requested for use cases with signatures not
using app-layer keywords but still targetting application
layer transactions, such as pass/drop rule combination,
or lua usage.

This overrides the previous behavior of checking if the signature
has a content match, by checking if there is only one live
transaction, in addition to the config parameter being set.

(cherry picked from commit f2c3776)
@victorjulien victorjulien requested review from jufajardini and a team as code owners December 11, 2024 11:11
@inashivb inashivb requested a review from catenacyber December 11, 2024 11:15
@codecov Codecov
Copy link

codecov bot commented Dec 11, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.19%. Comparing base (9be2eca) to head (f5322d2).

Additional details and impacted files 
@@              Coverage Diff               @@
##           main-7.0.x   #12263      +/-   ##
==============================================
- Coverage       83.19%   83.19%   -0.01%     
==============================================
  Files             922      922              
  Lines          260888   260898      +10     
==============================================
- Hits           217048   217043       -5     
- Misses          43840    43855      +15
Flag Coverage Δ
fuzzcorpus 64.19% <87.50%> (+<0.01%) ⬆️
suricata-verify 63.39% <100.00%> (-0.01%) ⬇️
unittests 62.38% <56.25%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

jufajardini
jufajardini approved these changes Dec 11, 2024
View reviewed changes
Copy link
Contributor

@jufajardini jufajardini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks consistent with the original work.

@catenacyber catenacyber mentioned this pull request Dec 11, 2024
Closed
catenacyber
catenacyber requested changes Dec 11, 2024
View reviewed changes
Copy link
Contributor

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not consistent with original work because of added commit
detect: readd app-layer to alerts on stream matches

@catenacyber
Copy link
Contributor

And more important, SV testing does not include bug-7199

@jasonish
Copy link
Member

I think that second commit needs more of a description in it as its not consistent with whats being backported.

@victorjulien
Copy link
Member Author

w/o it we break tests, this indicates a regression. The commit fixes the regression.

@victorjulien
detect: re-add app-layer to alerts on stream matches
f5322d2 
The `guess-applayer-tx` work also removed the stream match condition
for adding app-layer metadata to alerts. This is a behavior change that
is not desired at this point, so this commit reverts that part of the
changes.

We keep the exising logging of app-layer metadata if the match was in
the stream.
@jasonish
Copy link
Member

It appears this change of behaviour is not address in the upgrade guide, should it be something for the upgrade guide in master?

@jufajardini
Copy link
Contributor

It appears this change of behaviour is not address in the upgrade guide, should it be something for the upgrade guide in master?

Is that about the live transactions? If yes, #12266 adds that, but Victor want the docs for post-merge of the staging branch

@catenacyber
Copy link
Contributor

catenacyber commented Dec 11, 2024
edited
Loading

Victor want the docs for post-merge of the staging branch

I think he meant post merge of #12259 and before release

@victorjulien victorjulien mentioned this pull request Dec 11, 2024
Closed
@victorjulien
Copy link
Member Author

replaced by #12267

@catenacyber catenacyber mentioned this pull request Dec 17, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber requested changes

@jufajardini jufajardini jufajardini approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@victorjulien @catenacyber @jasonish @jufajardini