detect: Ensure app-layer decode events are logged #6710
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit moves events for file decode and buffer count limits to a centralized location for easier handling. Issue: OISF#4482
This commit increases the duration of availability for packet pointer within the detect context. Issue: OISF#4482
This commit includes the packet decoder events. Issue: OISF#4482
This commit records the app-layer decode event for anomaly reporting. Issue: OISF#4482
Ticket: OISF#4898 This commit adds a brief description of tags used for events that occur during protocol layer decoding, e.g., SWF file handling.
Codecov Report
@@ Coverage Diff @@
## master #6710 +/- ##
==========================================
+ Coverage 77.12% 77.20% +0.08%
==========================================
Files 613 613
Lines 185666 185671 +5
==========================================
+ Hits 143194 143350 +156
+ Misses 42472 42321 -151
Flags with carried forward coverage won't be shown. Click here to find out more. |
| @@ -408,7 +408,9 @@ PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, | |||
| (*mask) |= SIG_MASK_REQUIRE_NO_PAYLOAD; | |||
| } | |||
|
|
|||
| if (p->events.cnt > 0 || app_decoder_events != 0 || p->app_layer_events != NULL) { | |||
| if (p->events.cnt > 0 || app_decoder_events || | |||
| (p->app_layer_events != NULL && p->app_layer_events->cnt) || | |||
There was a problem hiding this comment.
wonder if we should set a flag in Packet::flags on setting an event in either of these, to avoid the overhead of these checks (that also happen in logging I think)
PKT_HAS_APP_EVENTS or something like it
There was a problem hiding this comment.
Yes -- good idea.
|
Information:
Pipeline 5292 |
catenacyber
requested changes
Mar 10, 2022
|
(just adding the review for GitHub status filleting) |
|
Note: please make sure all tickets in the commits are mentioned in the PR: Please update PR body and remove the 'needs ticket' label when done. |
|
Information:
Pipeline 5292 |
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jan 24, 2024
"sigerror_ok" and "sigerror_requires" were not being reset after each rule which could lead to a rule load error being incorrectly tracked as skipped rather than failed. Also initialize "skippedsigs" to 0 along with "goodsigs" and "badsigs", while not directly related to this issue, could also throw off some stats. Ticket: OISF#6710
victorjulien
pushed a commit
to victorjulien/suricata
that referenced
this pull request
Jan 25, 2024
"sigerror_ok" and "sigerror_requires" were not being reset after each rule which could lead to a rule load error being incorrectly tracked as skipped rather than failed. Also initialize "skippedsigs" to 0 along with "goodsigs" and "badsigs", while not directly related to this issue, could also throw off some stats. Ticket: OISF#6710 (cherry picked from commit de3cbe4)
victorjulien
pushed a commit
to victorjulien/suricata
that referenced
this pull request
Jan 25, 2024
"sigerror_ok" and "sigerror_requires" were not being reset after each rule which could lead to a rule load error being incorrectly tracked as skipped rather than failed. Also initialize "skippedsigs" to 0 along with "goodsigs" and "badsigs", while not directly related to this issue, could also throw off some stats. Ticket: OISF#6710 (cherry picked from commit de3cbe4)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Continuation of #6709
This PR ensures that app-layer decode events are logged when anomaly logging is enabled.
Link to redmine ticket: 4898
Updates
Describe changes:
suricata-verify-pr: 589
#suricata-verify-repo:
#suricata-verify-branch:
#suricata-update-pr:
#suricata-update-repo:
#suricata-update-branch:
#libhtp-pr:
#libhtp-repo:
#libhtp-branch: