applayer: incr flow counter if alproto for other dir was detected #12415

inashivb · 2025-01-17T10:35:36Z

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7238

@catenacyber
What do you think about this?
Can this lead to additional flows being miscalculated for any cases?

inashivb · 2025-01-17T10:52:11Z

For the pcap at hand, for example, on master, I see:

$ cat output/eve.json | jq -c 'select(.event_type=="flow" and .app_proto == "dcerpc")' | wc -l
9
$ cat output/eve.json | jq 'select(.event_type=="stats") | .stats.app_layer.flow.dcerpc_tcp'
0

Consider a case like the following. -> Opposing direction data comes in first -> At the beginning of Protocol Detection, the alproto for other side is unknown -> A successful call to TCPProtoDetectTriggerOpposingSide can however lead to detection of alproto for the other side -> Following this, a successful call is made to AppLayerParserParse However, the flow counter is not incremented for this case. This also does not map the number of flow events logged by Suricata for such a case. Increment the flow counter for a new flow for any applayer proto that is accepted by that specific protocol's parser. Related to Bug 7238

codecov · 2025-01-17T11:33:48Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.64%. Comparing base (8f6795d) to head (3ba44a3).
Report is 6 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #12415   +/-   ##
=======================================
  Coverage   80.63%   80.64%           
=======================================
  Files         918      918           
  Lines      258696   258700    +4     
=======================================
+ Hits       208598   208627   +29     
+ Misses      50098    50073   -25

Flag	Coverage Δ
fuzzcorpus	`56.81% <100.00%> (+<0.01%)`	⬆️
livemode	`19.40% <0.00%> (+<0.01%)`	⬆️
pcap	`44.28% <100.00%> (-0.02%)`	⬇️
suricata-verify	`63.25% <100.00%> (+0.02%)`	⬆️
unittests	`58.52% <100.00%> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

suricata-qa · 2025-01-17T15:35:03Z

WARNING:

field	baseline	test	%
	SURI_TLPW1_stats_chk
.app_layer.flow.smtp	7747	10699	138.11%
	SURI_TLPR1_stats_chk
.app_layer.flow.ftp	36200	38016	105.02%
.app_layer.flow.smtp	348555	661554	189.8%
.app_layer.flow.smb	41618	54492	130.93%
.app_layer.flow.dcerpc_tcp	43	111	258.14%
	IPS_AFP_stats_chk
.app_layer.flow.smtp	37800	74518	197.14%
.app_layer.flow.smb	243000	350989	144.44%
	TREX_GENERIC_stats_chk
.app_layer.flow.smtp	14747	29493	199.99%
.app_layer.flow.smb	141752	228671	161.32%

Pipeline 24250

inashivb requested a review from catenacyber January 17, 2025 10:35

inashivb force-pushed the flow-counter-update/v1 branch from 3c14f81 to 3ba44a3 Compare January 17, 2025 11:06

inashivb mentioned this pull request Jan 23, 2025

app-layer: update flow counter if an alproto is detected #12454

Closed

inashivb closed this Jan 23, 2025

inashivb deleted the flow-counter-update/v1 branch January 23, 2025 06:17

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

applayer: incr flow counter if alproto for other dir was detected #12415

applayer: incr flow counter if alproto for other dir was detected #12415

inashivb commented Jan 17, 2025

inashivb commented Jan 17, 2025

codecov bot commented Jan 17, 2025 •

edited

Loading

suricata-qa commented Jan 17, 2025

applayer: incr flow counter if alproto for other dir was detected #12415

applayer: incr flow counter if alproto for other dir was detected #12415

Conversation

inashivb commented Jan 17, 2025

inashivb commented Jan 17, 2025

codecov bot commented Jan 17, 2025 • edited Loading

Codecov Report

suricata-qa commented Jan 17, 2025

codecov bot commented Jan 17, 2025 •

edited

Loading