Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Packet alerts/v7 #6999

Closed
wants to merge 6 commits into from
Closed

Packet alerts/v7 #6999

wants to merge 6 commits into from

Conversation

jufajardini
Copy link
Contributor

#6943 addressing comments done on #6896

Describe changes:

  • remove redundant check alerts.cnt > 0 (type is unsigned)
  • add BUG_ON to check if we're not calling memmove with size 0
  • use last in queue logic for alerts for same sid (assuming it is not needed to check if tx_id differs)

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4207

suricata-verify-pr: 694

jufajardini and others added 6 commits February 11, 2022 16:28
@jufajardini
unittests: alloc Packet with PacketGetFromAlloc
822cf1b 
Some unittests used SCMalloc for allocating new Packet the unittests.
While this is valid, it leads to segmentation faults when we move to
dynamic allocation of the maximum alerts allowed to be triggered by a
single packet.

This massive patch uses PacketGetFromAlloc, which initializes a Packet
in such a way that any dynamic allocated structures within will also be
initialized.

Related to
Task OISF#4207
@jufajardini
decode: make packet_alert_max configurable
34580c3 
The maximum of possible alerts triggered by a unique packet was
hardcoded to 15. With usage of 'noalert' rules, that limit could be
reached somewhat easily. Make that configurable via suricata.yaml.

Conf Bug#4941

Task OISF#4207
@jufajardini
detect-engine-alert: fix tipo
e9b6f72 
Plus small clang formatting change.
@victorjulien @jufajardini
detect/alert: optimize alert queue processing
a9e8adb
@jufajardini
detect/alert: remove redundant check
a5de18f 
When appending a new alert, there is no need to check if alerts.cnt > 0
since alerts.cnt is unsigned.
@jufajardini
detect/alert: fix same sid alert w same packet bug
f75fd50 
with the implementation of configurable packet-alert-max, a bug was
found in the way we added alerts to the packet queue. But the new logic
exposed a possible bug case when the same signature generated more than
one alert for the same packet (from different transactions). This would
lead to Suri call memmove with size 0.
@jufajardini jufajardini requested a review from a team as a code owner February 14, 2022 10:30
This was referenced Feb 14, 2022
Closed
Closed
@codecov
Copy link

codecov bot commented Feb 14, 2022

Codecov Report

Merging #6999 (f75fd50) into master (b5166bd) will decrease coverage by 0.08%.
The diff coverage is 96.77%.

@@            Coverage Diff             @@
##           master    #6999      +/-   ##
==========================================
- Coverage   77.70%   77.61%   -0.09%     
==========================================
  Files         628      628              
  Lines      185656   185557      -99     
==========================================
- Hits       144270   144028     -242     
- Misses      41386    41529     +143
Flag Coverage Δ
fuzzcorpus 57.94% <73.52%> (-0.41%) ⬇️
suricata-verify 54.41% <89.28%> (-0.05%) ⬇️
unittests 63.00% <93.95%> (-0.03%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

inashivb
inashivb reviewed Feb 14, 2022
View reviewed changes
src/detect-engine-alert.c
@@ -189,8 +189,10 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, const Signature *s,
SCLogDebug("sid %"PRIu32"", s->id);

/* It should be usually the last, so check it before iterating */
if (p->alerts.cnt == 0 || p->alerts.alerts[p->alerts.cnt - 1].num < s->num) {
/* Same signatures can generate more than one alert, if it's a diff tx */
if (p->alerts.cnt == 0 || p->alerts.alerts[p->alerts.cnt - 1].num <= s->num) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Q: how do we know here if the alerts came from diff txs?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this wasn't checked before, I assumed it was not needed...

inashivb
inashivb reviewed Feb 14, 2022
View reviewed changes
src/decode.c
{
intmax_t max = 0;
if (ConfGetInt("packet-alert-max", &max) == 1) {
if (max < 0 || max > UINT8_MAX) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Q: What happens in a case when max == 0?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we decided that if the user chose that, that was up to them... 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change behavior to Warning and default

@jufajardini jufajardini mentioned this pull request Feb 14, 2022
Closed
@jufajardini
Copy link
Contributor Author

Followed by: #7000

@jufajardini jufajardini deleted the packet-alerts/v7 branch May 2, 2022 13:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inashivb inashivb inashivb left review comments

Assignees

@catenacyber catenacyber

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jufajardini @inashivb @catenacyber @victorjulien