-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Packet alerts/v8 #7000
Closed
Closed
Packet alerts/v8 #7000
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
822cf1b
unittests: alloc Packet with PacketGetFromAlloc
jufajardini 00c8cde
decode: make packet_alert_max configurable
jufajardini f173952
detect-engine-alert: fix tipo
jufajardini 06c6e25
detect/alert: optimize alert queue processing
victorjulien 1827351
detect/alert: remove redundant check
jufajardini 7a420a9
detect/alert: fix same sid alert w same packet bug
jufajardini File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It can be 0 : if space_post_target is 0 which can be the case if you have like packet_alert_max= 3, you have 3 alerts with num 3,5,7 and you want to add one with num 6
Than no memmove, just replace the last one
cf #6896 (comment)
Is it not the case ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was indeed triggering before, but after the line 193 patch, it has stopped, to me.
Would a test like this be a good addition, to check for this type of situation? It passes, for me.
jufajardini/suricata-verify@1a5688d
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You mean the patch at line 186, right ?
I think this check is wrong
in the sense, that if it prevents the
BUG_ONwhich is good, we do not get the expected outcome.That is if
packet_alert_max == 3and signatures 3,5,7,6 are added as alerts, in the end, we get 3,5,7 instead of 3,5,6I do not know enough about the context to tell if the S-V test is good or not : I do not know how Suricata will add the alerts, like 3,5,7,6 or 3,5,6,7...
So, there should be more a unit test...
Od do you know more about the context ? ie the order of the calls to
PacketAlertAppendThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was talking this ->
if (p->alerts.cnt == 0 || p->alerts.alerts[p->alerts.cnt - 1].num <= s->num)It used to be just
p->alerts.alerts[p->alerts.cnt - 1].num < s->numand that could trigger theBUG_ON, but once I changed that, I didn't see it be triggered again.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll try to add a unittest, too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the expected behavior if we have more sig matches than packet_alert_ max is to drop some older alert for the new? Is that so because once we have added an alert to the queue, it is already logged/ taken care of, so we can let go of it?
When I run that s-v test with gdb, the result is that signatures are appended 3,5,6,7, which means we do not append sig 7
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm thinking that with https://redmine.openinfosecfoundation.org/issues/4943 the behavior for
PacketAlertAppendis to just append the signatures that Suri has decided should stay...There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a priority order on the signatures (which is not exactly their signature id I think)
So, we should keep the highest priority ones
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. This logic seem to be done elsewhere, at the moment...