Detect rule hook/v7 #12422
base: master
Conversation
@njlavigne this may interest you. Some simple examples https://github.com/OISF/suricata-verify/pull/2239/files#diff-005b44165e67b794ef7ec85c2ed081eb9e1a2e8bcc7961f07a6da3a9678c1a2e
@@ -43,6 +43,58 @@ | |||
#include "util-enum.h" | |||
#include "util-validate.h" | |||
|
|||
static SCEnumCharMap tls_state_client_table[] = { |
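Review bot: the entries of tls_state_client_table become user-facing rule syntax (per the author's note below, each one can be used in a rule hook), so every name in the map should be listed in the rule documentation and covered by a test, and the map needs to be kept in sync with the TLS client state values it translates; an entry missing here would silently make that hook name unavailable to rules.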
each of these can be used in the rules
Information: QA ran without warnings. Pipeline 24264
322afa3 to 6b41bab
Whoops forgot the unittests...
c95a068 to 671986d
Codecov Report. Attention: Patch coverage is

```
@@            Coverage Diff            @@
##           master   #12422     +/-   ##
========================================
  Coverage   80.70%   80.70%
========================================
  Files         925      926      +1
  Lines      258914   259212    +298
========================================
+ Hits       208949   209203    +254
- Misses      49965    50009     +44
```
Information: QA ran without warnings. Pipeline 24284
671986d to 03f7f04
src/util-lua-packet.c (outdated)
LUA_ERROR("failed to get userdata"); | ||
} | ||
s->p = p; | ||
luaL_getmetatable(luastate, "packet::metatable"); |
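Review bot: luaL_getmetatable() only pushes the registry entry for "packet::metatable" (nil if nothing was registered under that name), so the lua_setmetatable() that has to follow would silently attach no metatable at all on a registration mistake; luaL_setmetatable(luastate, "packet::metatable") does the lookup and the set in one call and is harder to get wrong. The prefix proposed in this thread (suricata:packet::metatable or similar) would apply to this string as well.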
I'm thinking we should prefix these names as well... suricata:packet::metatable or whatever.
Information: QA ran without warnings. Pipeline 24318
03f7f04 to 844ea95
Information: QA ran without warnings. Pipeline 24319
844ea95 to 300605e
src/detect-lua.c (outdated)
} | ||
SCLuaSbLoadLibs(t->luastate); |
I need this for the built-in lib to work with `security.lua.allow-restricted-functions=true`. Does this look OK @jasonish? Or should we only call

```c
/* Setup our custom require. */
lua_pushcfunction(L, SCLuaSbRequire);
lua_setglobal(L, "require");
```

somehow?
I think we have to go through requiref.. Essentially a different module registration. This require doesn't know about our custom modules. But it's required for output-scripts too. Just haven't gone down that path far enough yet.
But does it work? Can you load our module and restricted modules?
Tried only our own OISF/suricata-verify@671d95f
My attempt at consolidating registration for use in sandboxed and non-sandboxed environments, to keep the ability to load external modules in non-sandboxed environments.
src/util-lua-packet.c (outdated)
{ "payload", LuaPacketPayload }, | ||
{ "pcap_cnt", LuaPacketPcapCnt }, | ||
{ "timestring", LuaPacketTimestring }, | ||
{ "timestamp", LuaPacketTimestamp }, |
I've simply converted the SCPacketTimestamp, SCPacketTimestring and SCPacketTuple here. Is this the way to go or should we leave things like to string conversions of timestamp and addresses to the script?
Would there be use for both types? Raw and then an as_string variant?
Information: QA ran without warnings. Pipeline 24325
This looks really useful to the point where I think we would consider recommending it to almost all of our users as the recommended way to write application layer rules. It seems like having rules triggered on a well-defined point in the connection state like this would avoid most cases where users need to drop down into packet-level details to debug some of the more challenging issues they face today which is a huge plus. The
300605e to 043a1df
ERROR: QA failed on build_asan. Pipeline 24375
Information: QA ran without warnings. Pipeline 24377
070070d to 4373f10
Information: QA ran without warnings. Pipeline 24428
50b8f55 to 94c81f8
ERROR: QA failed on build_fetch. Pipeline 24468
Example:

```lua
local packet = require "suricata.packet"

function init (args)
    local needs = {}
    return needs
end

function match (args)
    p = packet.get()
    payload = p:payload()
    ts = p:timestring()

    for line in payload:gmatch("([^\r\n]*)[\r\n]+") do
        if line == "GET /index.html HTTP/1.0" then
            ipver, srcip, dstip, proto, sp, dp = p:tuple()
            SCLogNotice(string.format("%s %s->%s %d->%d (pcap_cnt:%d) match! %s",
                ts, srcip, dstip, sp, dp, p:pcap_cnt(), line));
            return 1
        end
    end
    return 0
end
```

Methods:
- `get` creates the packet object.
- `payload` returns the packet payload as a buffer
- `packet` returns the whole packet (includes headers)
- `pcap_cnt` returns the `pcap_cnt` (pcap file mode only)
- `tuple` returns various fields: srcip, dstip, proto, sp, dp
- `timestamp` returns time as 2 numbers: seconds and microseconds
- `timestring` returns a timestamp as a string

Ticket: OISF#7488.
Moving forward the packetlib is to be used. Ticket: OISF#7488.
Register internal libs for the case where loading external modules is allowed.
To support hook based buffer names.
e.g. server hello done has no data
Per direction track progress to be able to have more fine grained control over where the detection engines and logging hooks in.
Generic: <app_proto>:request_done and <app_proto>:response_done

Per protocol, it uses the registered progress (state) values. E.g. tls:client_hello_done

A ruleset could be:

```
pass tls:client_hello_done any any -> any any (tls.sni; content:"www.google.com"; sid:21; alert;)
drop tls:client_hello_done any any -> any any (sid:22;)
```

The pass rule is evaluated when the client hello is parsed, and if it doesn't match the drop rule will be evaluated.

Registers each generic list as "<alproto>:<progress state>:generic" (e.g. "tls:client_hello_done:generic").

Ticket: OISF#7485.
For registration of app-layer inspection, no longer use the 'needs' table from the script, but instead use the rule hook setting. Ticket: OISF#4783.
Instead of having a per detection engine list of rules that couldn't be prefiltered, put those into special "prefilter" engines.

For packet and frame rules this doesn't change much, it just removes some hard coded logic from the detect engine. For the packet non-prefilter rules in the "non-prefilter" special prefilter engine, add additional filtering for the packet variant. It can prefilter on alproto, dsize and dest port.

The frame non-prefilter rules are added to a single engine, that per rule checks the alproto and the type.

For app-layer, there is an engine per progress value, per app-layer protocol and per direction. This hooks app-layer non-prefilter rules into the app inspect logic at the correct "progress" hook. e.g. a rule like

```
dns.query; bsize:1;
```

Negated MPM rules will also fall into this category:

```
dns.query; content:!"abc";
```

Are part of a special "generic list" app engine for dns, at the same progress hook as `dns.query`.

This all results in a lot fewer checks:

previous:

```
--------------------------------------------------------------------------
Date: 1/29/2025 -- 10:22:25. Sorted by: number of checks.
--------------------------------------------------------------------------
  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        20           1        0        181919672    11.85  588808   221      60454       308.96      2691.46     308.07
  2        50           1        0        223455914    14.56  453104   418      61634       493.17      3902.59     490.02
  3        60           1        0        185990683    12.12  453104   418      60950       410.48      1795.40     409.20
  4        51           1        0        192436011    12.54  427028   6084     61223       450.64      2749.12     417.42
  5        61           1        0        180401533    11.75  427028   6084     61093       422.46      2177.04     397.10
  6        70           1        0        153899099    10.03  369836   0        61282       416.13      0.00        416.13
  7        71           1        0        123389405    8.04   369836   12833    44921       333.63      2430.23     258.27
  8        41           1        0        63889876     4.16   155824   12568    39138       410.01      1981.97     272.10
  9        40           1        0        64149724     4.18   155818   210      39792       411.70      4349.57     406.38
  10       10           1        0        70848850     4.62   65558    0        39544       1080.70     0.00        1080.70
  11       11           1        0        94743878     6.17   65558    32214    60547       1445.19     2616.14     313.92
```

this commit:

```
--------------------------------------------------------------------------
Date: 1/29/2025 -- 10:15:46. Sorted by: number of checks.
--------------------------------------------------------------------------
  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        50           1        0        138776766    19.23  95920    418      167584      1446.80     3953.11     1435.83
  2        60           1        0        97988084     13.58  95920    418      182817      1021.56     1953.63     1017.48
  3        51           1        0        105318318    14.60  69838    6084     65649       1508.04     2873.38     1377.74
  4        61           1        0        89571260     12.41  69838    6084     164632      1282.56     2208.41     1194.20
  5        11           1        0        91132809     12.63  32779    32214    373569      2780.22     2785.58     2474.45
  6        10           1        0        66095303     9.16   32779    0        56704       2016.39     0.00        2016.39
  7        70           1        0        48107573     6.67   12928    0        42832       3721.19     0.00        3721.19
  8        71           1        0        32308792     4.48   12928    12833    39565       2499.13     2510.05     1025.09
  9        41           1        0        25546837     3.54   12886    12470    41479       1982.53     1980.84     2033.05
  10       40           1        0        26069992     3.61   12886    210      38495       2023.13     4330.05     1984.91
  11       20           1        0        639025       0.09   221      221      14750       2891.52     2891.52     0.00
```
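As an added example (not code from the PR or from Suricata), a small parser for rule-profiling tables of the shape quoted above that compares the two runs per sid: fewer checks only counts as a win when the match count is unchanged, since a hook placed at the wrong progress point would show up as lost or extra matches. The embedded tables are a three-rule excerpt of the commit message's own numbers.

```python
import re

# Excerpt (three rules each) of the two "Sorted by: number of checks" tables
# quoted in the commit message above; separator, date and header lines are
# kept so the parser has to skip them like the real rule_perf output.
BEFORE = """\
--------------------------------------------------------------------------
Date: 1/29/2025 -- 10:22:25. Sorted by: number of checks.
  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        20           1        0        181919672    11.85  588808   221      60454       308.96      2691.46     308.07
  2        50           1        0        223455914    14.56  453104   418      61634       493.17      3902.59     490.02
  11       11           1        0        94743878     6.17   65558    32214    60547       1445.19     2616.14     313.92
"""
AFTER = """\
  1        50           1        0        138776766    19.23  95920    418      167584      1446.80     3953.11     1435.83
  5        11           1        0        91132809     12.63  32779    32214    373569      2780.22     2785.58     2474.45
  11       20           1        0        639025       0.09   221      221      14750       2891.52     2891.52     0.00
"""
# Columns: Num Rule Gid Rev Ticks % Checks Matches ...; "Rule" is the sid.
ROW = re.compile(r"^\s*\d+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+[\d.]+\s+(\d+)\s+(\d+)\b")

def parse_rule_perf(text):
    """Map sid -> {gid, rev, ticks, checks, matches}; non-data lines are skipped."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sid, gid, rev, ticks, checks, matches = (int(x) for x in m.groups())
            stats[sid] = {"gid": gid, "rev": rev, "ticks": ticks,
                          "checks": checks, "matches": matches}
    return stats

def compare_checks(before, after):
    """Per sid present in both runs: checks before/after, % of checks removed and
    whether the match count is unchanged. A hook placed too early or too late
    would show as lost or extra matches, not merely as fewer checks."""
    report = {}
    for sid in sorted(set(before) & set(after)):
        b, a = before[sid], after[sid]
        removed = 100.0 * (b["checks"] - a["checks"]) / b["checks"] if b["checks"] else 0.0
        report[sid] = {"checks_before": b["checks"], "checks_after": a["checks"],
                       "removed_pct": round(removed, 1),
                       "matches_unchanged": b["matches"] == a["matches"]}
    return report

if __name__ == "__main__":
    for sid, row in compare_checks(parse_rule_perf(BEFORE), parse_rule_perf(AFTER)).items():
        print(sid, row)
```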
94c81f8 to 02c82c2
WARNING: Pipeline 24469
Some initial support for rule hooks, where you can specify where the rule should be hooked into the engine.
Currently only:
SV_BRANCH=OISF/suricata-verify#2239
https://redmine.openinfosecfoundation.org/issues/7485