Packet alerts/v8 #7000
Packet alerts/v8 #7000
Conversation
Some unittests used SCMalloc for allocating new Packet the unittests. While this is valid, it leads to segmentation faults when we move to dynamic allocation of the maximum alerts allowed to be triggered by a single packet. This massive patch uses PacketGetFromAlloc, which initializes a Packet in such a way that any dynamic allocated structures within will also be initialized. Related to Task OISF#4207
The maximum of possible alerts triggered by a unique packet was hardcoded to 15. With usage of 'noalert' rules, that limit could be reached somewhat easily. Make that configurable via suricata.yaml. Conf Bug#4941 Task OISF#4207
Plus small clang formatting change.
When appending a new alert, there is no need to check if alerts.cnt > 0 since alerts.cnt is unsigned.
with the implementation of configurable packet-alert-max, a bug was found in the way we added alerts to the packet queue. But the new logic exposed a possible bug case when the same signature generated more than one alert for the same packet (from different transactions). This would lead to Suri call memmove with size 0.
|
Assigning it to @catenacyber so he can decide if his concerns have been addressed properly ^^ |
Codecov Report
@@ Coverage Diff @@
## master #7000 +/- ##
==========================================
- Coverage 77.70% 77.63% -0.08%
==========================================
Files 628 628
Lines 185656 185557 -99
==========================================
- Hits 144270 144057 -213
- Misses 41386 41500 +114
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: Passed without warnings. Pipeline 6248 |
|
Will re look into this... |
| @@ -4307,10 +4264,9 @@ static int SigTestWithin01 (void) | |||
| } | |||
|
|
|||
| /* packet 4 */ | |||
| p4 = SCMalloc(SIZE_OF_PACKET); | |||
| p4 = PacketGetFromAlloc(); | |||
There was a problem hiding this comment.
This pattern seems to remain in doc/devguide/codebase/testing.rst cf git grep SIZE_OF_PACKET
There was a problem hiding this comment.
hmmm, ok, will check. Thanks!
| /** | ||
| * \brief Check if a certain sid alerted, this is used in the test functions | ||
| * | ||
| * \param p Packet on which we want to check if the signature alerted or not | ||
| * \param sid Signature id of the signature that thas to be checked for a match | ||
| * \param sid Signature id of the signature that has to be checked for a match |
There was a problem hiding this comment.
commit should be fix typo unless it is some meta joke ;-)
There was a problem hiding this comment.
And I see no
Plus small clang formatting change.
There was a problem hiding this comment.
xD lol. the things that our brains do to us.
the formatting change thing is that extra line that was also deleted. Thanks <3
| @@ -32,7 +32,6 @@ void PacketAlertFinalize(DetectEngineCtx *, DetectEngineThreadCtx *, Packet *); | |||
| int PacketAlertAppend(DetectEngineThreadCtx *, const Signature *, | |||
| Packet *, uint64_t tx_id, uint8_t); | |||
| int PacketAlertCheck(Packet *, uint32_t); | |||
| int PacketAlertRemove(Packet *, uint16_t); | |||
There was a problem hiding this comment.
Love this kind of diff
| int match = 0; | ||
|
|
||
| if (pos > p->alerts.cnt) { | ||
| if (pos >= p->alerts.cnt) { |
There was a problem hiding this comment.
This change off-by-1 seems important for its own commit, is it not ?
There was a problem hiding this comment.
This was done by @victorjulien though. Is it ok if I change commit history to have this patch on its own commit?
| memcpy(&p->alerts.alerts[i], &p->alerts.alerts[i + 1], sizeof(PacketAlert)); | ||
| const uint16_t after = (p->alerts.cnt - 1) - pos; | ||
| if (after) { | ||
| const uint16_t after_start = pos + 1; |
There was a problem hiding this comment.
nit:
I would not name after_start
It confused me when I understood pos + 1
| memcpy(&p->alerts.alerts[i + 1], &p->alerts.alerts[i], sizeof(PacketAlert)); | ||
| } | ||
| /* find position to insert */ | ||
| for (i = p->alerts.cnt - 1; i >= 0 && p->alerts.alerts[i].num > s->num; i--) |
There was a problem hiding this comment.
would love to have i as uint16_t as everything else
| @@ -209,6 +208,7 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, | |||
| const uint16_t target_pos = i + 1; | |||
| const uint16_t space_post_target = packet_alert_max - 1 - i; | |||
| const uint16_t to_move = MIN(space_post_target, (p->alerts.cnt - i)); | |||
| BUG_ON(to_move == 0); | |||
There was a problem hiding this comment.
It can be 0 : if space_post_target is 0 which can be the case if you have like packet_alert_max= 3, you have 3 alerts with num 3,5,7 and you want to add one with num 6
Than no memmove, just replace the last one
Is it not the case ?
There was a problem hiding this comment.
It was indeed triggering before, but after the line 193 patch, it has stopped, to me.
It can be 0 : if space_post_target is 0 which can be the case if you have like packet_alert_max= 3, you have 3 alerts with num 3,5,7 and you want to add one with num 6
Would a test like this be a good addition, to check for this type of situation? It passes, for me.
jufajardini/suricata-verify@1a5688d
There was a problem hiding this comment.
but after the line 193 patch, it has stopped, to me.
You mean the patch at line 186, right ?
I think this check is wrong
if (p->alerts.cnt == packet_alert_max)
return 0;
in the sense, that if it prevents the BUG_ON which is good, we do not get the expected outcome.
That is if packet_alert_max == 3 and signatures 3,5,7,6 are added as alerts, in the end, we get 3,5,7 instead of 3,5,6
Would a test like this be a good addition, to check for this type of situation? It passes, for me.
I do not know enough about the context to tell if the S-V test is good or not : I do not know how Suricata will add the alerts, like 3,5,7,6 or 3,5,6,7...
So, there should be more a unit test...
Od do you know more about the context ? ie the order of the calls to PacketAlertAppend
There was a problem hiding this comment.
I was talking this -> if (p->alerts.cnt == 0 || p->alerts.alerts[p->alerts.cnt - 1].num <= s->num)
It used to be just p->alerts.alerts[p->alerts.cnt - 1].num < s->num and that could trigger the BUG_ON, but once I changed that, I didn't see it be triggered again.
There was a problem hiding this comment.
I'll try to add a unittest, too
There was a problem hiding this comment.
but after the line 193 patch, it has stopped, to me.
You mean the patch at line 186, right ? I think this check is wrong
if (p->alerts.cnt == packet_alert_max) return 0;in the sense, that if it prevents the
BUG_ONwhich is good, we do not get the expected outcome.That is if
packet_alert_max == 3and signatures 3,5,7,6 are added as alerts, in the end, we get 3,5,7 instead of 3,5,6
So the expected behavior if we have more sig matches than packet_alert_ max is to drop some older alert for the new? Is that so because once we have added an alert to the queue, it is already logged/ taken care of, so we can let go of it?
Would a test like this be a good addition, to check for this type of situation? It passes, for me.
I do not know enough about the context to tell if the S-V test is good or not : I do not know how Suricata will add the alerts, like 3,5,7,6 or 3,5,6,7... So, there should be more a unit test... Od do you know more about the context ? ie the order of the calls to
PacketAlertAppend
When I run that s-v test with gdb, the result is that signatures are appended 3,5,6,7, which means we do not append sig 7
There was a problem hiding this comment.
I'm thinking that with https://redmine.openinfosecfoundation.org/issues/4943 the behavior for PacketAlertAppend is to just append the signatures that Suri has decided should stay...
There was a problem hiding this comment.
So the expected behavior if we have more sig matches than packet_alert_ max is to drop some older alert for the new? Is that so because once we have added an alert to the queue, it is already logged/ taken care of, so we can let go of it?
There is a priority order on the signatures (which is not exactly their signature id I think)
So, we should keep the highest priority ones
There was a problem hiding this comment.
I see. This logic seem to be done elsewhere, at the moment...
| if (max <= 0 || max > UINT8_MAX) { | ||
| SCLogWarning(SC_ERR_INVALID_VALUE, | ||
| "Invalid value for packet-alert-max, default value set instead"); | ||
| packet_alert_max = PACKET_ALERT_MAX; |
There was a problem hiding this comment.
We thought it would be good to check if we don't have invalid values here, and Victor suggested that I followed this style found elsewhere...
There was a problem hiding this comment.
The check is necessary indeed.
The line packet_alert_max = PACKET_ALERT_MAX; does not seem to be.
There was a problem hiding this comment.
Ok, got it now, thanks for bearing with me xD
|
And doc is missing to describe |
|
Replaced by #7133 |
When createing a new PgsqlTransaction, we first increment PgsqlState's tx_id and then pass that onto the new tx tx_id. As it is not created they're first id 0, there's no need to adjust when freeing or searching. Bug OISF#7000
When we create a new transaction, we increment the State's tx_id and pass that to the tx.tx_id. so, when calling get_tx and free_tx, we shouldn't need to adjust the tx_id again. Related to Bug OISF#7000
Expose the raw stream earlier to the detection engine, as Pgsql can have multiple messages per transaction and usually will have a message complete within one TCP packet. Related to Bug OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly for detection purposes once the transactions are completed. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly, for detection purposes, as soonas the transactions are completed in the given direction. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly, for detection purposes, as soonas the transactions are completed in the given direction. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly, for detection purposes, as soonas the transactions are completed in the given direction. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly, for detection purposes, as soon as the transactions are completed in the given direction. Task OISF#7000
Once we are tracking tx progress per-direction for PGSQL, we can trigger the raw stream reassembly, for detection purposes, as soon as the transactions are completed in the given direction. Task OISF#7000
Previous PR: #6999
Describe changes:
PACKET_ALERT_MAX: 0(concern raised by @inashivb )Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4207
suricata-verify-pr: 743
OISF/suricata-verify#743