Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect log alert tx one 7199 v8.2 #12269

Closed
wants to merge 2 commits into from
Closed

Detect log alert tx one 7199 v8.2 #12269

wants to merge 2 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7449
https://redmine.openinfosecfoundation.org/issues/7199

Describe changes:

  • document more guess-applayer-tx
  • improves guess-applayer-tx for unidirectional protocol such as DNS

Provide values to any of the below to override the defaults.

SV_BRANCH=OISF/suricata-verify#2180

#12266 with suricata.yaml.in changes as proposed in #12260

@catenacyber
doc: improve documentation about guess-applayer-tx
5d22aa4 
Ticket: 7199
@catenacyber
detect: improve tx_id guessing for unidirectional protocols
5de2e64 
So we get:
1. request arrives - buffered due to not ackd
2. response arrives, acks request - request is now parsed, response isn't
3. ack for response, response parsed. Then detect runs for request,
generates alert. We now have 2 txs. txid will be 0 from AppLayerParserGetTransactionInspectId

But txid 1 is unidirectional in the other way, so we can use txid 0
metadata for logging

Ticket: 7199
@catenacyber catenacyber mentioned this pull request Dec 11, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Dec 11, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 92.30769% with 1 line in your changes missing coverage. Please review.

Project coverage is 83.22%. Comparing base (0e4faba) to head (5de2e64).
Report is 17 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #12269   +/-   ##
=======================================
  Coverage   83.22%   83.22%           
=======================================
  Files         912      912           
  Lines      257311   257322   +11     
=======================================
+ Hits       214154   214169   +15     
+ Misses      43157    43153    -4
Flag Coverage Δ
fuzzcorpus 61.07% <7.69%> (-0.01%) ⬇️
livemode 19.40% <0.00%> (-0.13%) ⬇️
pcap 44.34% <7.69%> (-0.02%) ⬇️
suricata-verify 62.83% <92.30%> (-0.01%) ⬇️
unittests 59.18% <7.69%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 23921

@catenacyber
Copy link
Contributor Author

@jufajardini @jasonish remind me, why do we want to test with SV task-7018-dns-ips-stream-rule that oisf.net gets logged when you want to alert on suricata ? This looks wrong to me.

Rule is https://github.com/OISF/suricata-verify/blob/master/tests/dns/task-7018-dns-ips-stream-rule/test.rules

The third and fourth alert https://github.com/OISF/suricata-verify/blob/master/tests/dns/task-7018-dns-ips-stream-rule/test.yaml#L138 (lines 121 - 141)

I understand why the code does that but I do not understand why we want to enforce this behavior with the test...

@jufajardini
Copy link
Contributor

jufajardini commented Dec 18, 2024
edited
Loading

@jufajardini @jasonish remind me, why do we want to test with SV task-7018-dns-ips-stream-rule that oisf.net gets logged when you want to alert on suricata ? This looks wrong to me.

Rule is https://github.com/OISF/suricata-verify/blob/master/tests/dns/task-7018-dns-ips-stream-rule/test.rules

The third and fourth alert https://github.com/OISF/suricata-verify/blob/master/tests/dns/task-7018-dns-ips-stream-rule/test.yaml#L138 (lines 121 - 141)

I understand why the code does that but I do not understand why we want to enforce this behavior with the test...

I see your point. I think I created a test that was descriptive of what we had, and that was the result.

I wonder if at some point we could have a more precise processing, and then we wouldn't even have that mismatch. In which case removing this check makes sense.

Indeed, when working on these tests, we wanted to showcase the current (undesirable) behavior: OISF/suricata-verify#1902 (comment)

@jasonish
Copy link
Member

@jufajardini @jasonish remind me, why do we want to test with SV task-7018-dns-ips-stream-rule that oisf.net gets logged when you want to alert on suricata ? This looks wrong to me.

Rule is https://github.com/OISF/suricata-verify/blob/master/tests/dns/task-7018-dns-ips-stream-rule/test.rules

The third and fourth alert https://github.com/OISF/suricata-verify/blob/master/tests/dns/task-7018-dns-ips-stream-rule/test.yaml#L138 (lines 121 - 141)

I understand why the code does that but I do not understand why we want to enforce this behavior with the test...

If I recall correctly, this was confusing behavior. Your alerting on suricata, but get an alert with oisf.net in the metadata. We're not necessarily enforcing it with a test, we're just capturing current behavior so we know when it changes, as that is important and should be explained/documented by updating a test at least.

@catenacyber catenacyber mentioned this pull request Dec 18, 2024
Closed
@catenacyber
Copy link
Contributor Author

Thanks, next version in #12306

I put a comment in the SV check that this was not the desired behavior and added a reference to the ticket 7004 about it...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@catenacyber @suricata-qa @jufajardini @jasonish @victorjulien