-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: alert/noalert and config keyword extensions #10157
Conversation
Replaces default "alert" logic and removed SIG_FLAG_NOALERT. Instead, "noalert" unsets ACTION_ALERT. Same for flowbits:noalert and friends. In signature ordering rules w/o action are sorted as if they have 'alert', which is the same behavior as before, but now implemented explicitly. Ticket: OISF#5466.
This can be used to implement alert then pass logic. Add support for alert-then-pass to alert handling routines. Ticket: OISF#5466.
Information: ERROR: QA failed on SURI_TLPW2_autofp_suri_time.
Pipeline 17500 |
bd7f928
to
441efc0
Compare
441efc0
to
cb11aa8
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #10157 +/- ##
==========================================
- Coverage 82.19% 82.08% -0.11%
==========================================
Files 974 974
Lines 271825 271901 +76
==========================================
- Hits 223416 223190 -226
- Misses 48409 48711 +302
Flags with carried forward coverage won't be shown. Click here to find out more. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than the alert addition from #10154, this adds a way to disable stream reassembly completely and app-layer parsing (for TCP only atm).
Shouldn't we document this, as well as the alert
keyword? (in the same section as noalert
, the latter should go, I think).
Apart from that, all alert-related work seems to look good, to me. Only two minor nit comments (inline).
I saw that we have a SV test with a drop noalert
rule that works as expected (bug-4663
), wondering if there are other cases to ensure we cover with tests.
|
||
void DetectNoalertRegister (void) | ||
void DetectNoalertRegister(void) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we're registering alert
and noalert
here, shouldn't we rename the function?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM mostly. Some questions, mostly nit, inline.
if ((s->action & ACTION_ALERT) == 0) { | ||
jb_append_string(ctx.js, "noalert"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, now, during engine analysis, we log noalert
flag even if it was not explicitly mentioned but just an alert was not mentioned? e.g. pass tcp any any -> any 22 (sid:2; gid:10000003; msg:\"PASS SSH\";)
logs noalert
in flags. Is this the intention?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it was a quick hack but we should really add the actions, which we don't do yet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On further thought, I do think adding noalert
for a pass
makes sense. We don't alert if the rule matches.
CONFIG_TYPE_FILE, /* file logging */ | ||
CONFIG_TYPE_PCAP, /* pcap logging */ | ||
CONFIG_TYPE_DROP, /* drop logging */ | ||
CONFIG_TYPE_REASSEMBLY, /**< stream reassembly */ | ||
CONFIG_TYPE_APP_PARSER, /**< app parsing */ | ||
CONFIG_TYPE_APP_FILES, /**< app files */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Lots of TBD types here. Should they be marked?
- Should the scope be made a part of type like it is for
APP
types?
What do you think? |
What would you suggest as an alternative?
While this would be nice it will also be quite some work. Currently memcap is not tracked/handled with per flow/session limits, so changing that would require quite a bit of work.
I conceptualize subsys as "capture", "decode", "stream", "app", "detect" and "output". (where logging == output here, I guess I thought it to be clearer at the time) In any case, |
Yes. Or even
I see. Thank you!
ok. I didn't see it that way indeed.
|
Information: QA ran without warnings. Pipeline 17531 |
Is there a redmine ticket for this ? |
For the pass-alert thing: https://redmine.openinfosecfoundation.org/issues/5466 |
Any update on this ? |
Information: QA ran without warnings. Pipeline 17531 |
Replaced by #11260. |
Other than the
alert
addition from #10154, this adds a way to disable stream reassembly completely and app-layer parsing (for TCP only atm).E.g.
Sid 1 and 2 both disable all stream reassembly for that flow.
Sid 3 only disables app parsers for on port 80. Content inspection still works (sid 4).
Would like some feedback on how to express things, and on what toggles to add.