Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect: Ensure app-layer decode events are logged #6709

Closed
wants to merge 9 commits into from
Closed

detect: Ensure app-layer decode events are logged #6709

wants to merge 9 commits into from

Conversation

jlucovsky
Copy link
Contributor

Based on #6663

This PR ensures that app-layer decode events are logged when anomaly logging is enabled.

Link to redmine ticket: 4898

Describe changes:

  • Move un-exposed events to app-layer events table
  • Propagate app-layer decode events to packet
  • Eliminates detection context event as events are now added to decoder event element of packet.

suricata-verify-pr: 589
#suricata-verify-repo:
#suricata-verify-branch:
#suricata-update-pr:
#suricata-update-repo:
#suricata-update-branch:
#libhtp-pr:
#libhtp-repo:
#libhtp-branch:

@jlucovsky
general: Correct typos
bd754be
@jlucovsky
detect/events: Move app layer events to centralized location
00430ef 
This commit moves events for file decode and buffer count limits to a
centralized location for easier handling.

Issue: OISF#4482
@jlucovsky
detect: Increase scope of det_ctx packet pointer
bb7cd53 
This commit increases the duration of availability for packet pointer
within the detect context.

Issue: OISF#4482
@jlucovsky
detect/general: Include decoder events
e966682 
This commit includes the packet decoder events.

Issue: OISF#4482
@jlucovsky
decode/event: Add area for storing decoder events
762ef9a 
Ticket: OISF#4898
@jlucovsky
detect/event: Record app-layer event
477d1c9 
This commit records the app-layer decode event for anomaly reporting.

Issue: OISF#4482
@jlucovsky
detect/events: Remove detection context event
fd86a3f 
Issue: OISF#4482
@jlucovsky
doc/eve: Add description for new anomaly field
f1b3b3f 
Ticket: OISF#4898

This commit adds a brief description of tags used for events that occur
during protocol layer decoding, e.g., SWF file handling.
@jlucovsky
output/anomaly: Record decoder detect events
282f784 
Ticket: OISF#4898
@jlucovsky jlucovsky requested review from norg and a team as code owners December 14, 2021 13:24
@codecov
Copy link

codecov bot commented Dec 14, 2021

Codecov Report

Merging #6709 (282f784) into master (e93dc24) will increase coverage by 0.08%.
The diff coverage is 85.71%.

@@            Coverage Diff             @@
##           master    #6709      +/-   ##
==========================================
+ Coverage   77.12%   77.21%   +0.08%     
==========================================
  Files         613      613              
  Lines      185666   185671       +5     
==========================================
+ Hits       143194   143363     +169     
+ Misses      42472    42308     -164
Flag Coverage Δ
fuzzcorpus 53.08% <50.00%> (+0.07%) ⬆️
suricata-verify 52.74% <100.00%> (+0.60%) ⬆️
unittests 63.08% <50.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@jlucovsky jlucovsky mentioned this pull request Dec 14, 2021
Closed
@jlucovsky
Copy link
Contributor Author

Continued in #6710

@jlucovsky jlucovsky closed this Dec 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@norg norg Awaiting requested review from norg

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jlucovsky