Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect generic uint 4112 v3 #7150

Closed
wants to merge 19 commits into from
Closed

Detect generic uint 4112 v3 #7150

wants to merge 19 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4112

Describe changes:

  • Makes use of generic DetectUint structure for dsize and dcerpc

Still TODO:

  • more keywords in C use specific versions
  • Commit history likely to rework...

Replaces #7121 with remove the C version to use only rust version

@catenacyber
detect: generic function for u16
1be1a82 
as is done for u8 and u32
@catenacyber
detect: adds generic DETECT_UINT_NE
9909290 
Ie inequality test for integer

Also adds prefilter functions for u16
@catenacyber
detect: use generic functions for dsize
108e73a
@catenacyber
detect: better validation for generic int
6c1268f 
In case of greater/lesser or equal
@catenacyber
detect: fix unit tests for dsize
db1d563 
Despite what the comment said 1<>2 is not a valid range
as it is empty and cannot have any match.

Maybe we should even consider 1<>3 an invalid range as it
should rather be written as =2
@catenacyber
detect: move generic int detect function
310d8fe 
from http2 to a generic file
so that it can be reused by dcerpc and others
@catenacyber
detect: generic rust function detect_match for integers
52ee506
@catenacyber
detect: use generic instead of DETECT_DCE_IFACE_OP_LT
1069d2f
@catenacyber
detect: rust generic integer not equal
1f92f60 
aka DetectUintModeNe
@catenacyber
detect: fix unit tests for http2 and dcerpc
f050c21
@catenacyber
detect: verify integer validity
62d492e 
ie <0 is impossible
@catenacyber
smb: fix detection for dcerpc iface without version
d54af4e
@catenacyber
detect: using rust generics for DetectUintData<T>
2ed4677
@catenacyber
detect: move ffi functions from http2 to generic detect
802ba53
@catenacyber
detect: move generic uint from C to only rust
ccad2b3
@catenacyber
detext: fix tests compilation
6fa4387
@catenacyber
dcerpc: fix test case
751a146
@catenacyber
detect: force completion on generic uints
9cf77cd
@catenacyber catenacyber requested review from victorjulien, jasonish and a team as code owners March 18, 2022 14:50
@catenacyber catenacyber mentioned this pull request Mar 18, 2022
Closed
@catenacyber
Copy link
Contributor Author

+576 −1,110

Begins to look good 😊

@codecov
Copy link

codecov bot commented Mar 18, 2022
edited
Loading

Codecov Report

Merging #7150 (912faf6) into master (3a490fb) will increase coverage by 0.07%.
The diff coverage is 87.03%.

@@            Coverage Diff             @@
##           master    #7150      +/-   ##
==========================================
+ Coverage   78.06%   78.14%   +0.07%     
==========================================
  Files         628      628              
  Lines      185266   184899     -367     
==========================================
- Hits       144635   144488     -147     
+ Misses      40631    40411     -220
Flag Coverage Δ
fuzzcorpus 60.21% <85.36%> (+0.22%) ⬆️
suricata-verify 54.64% <51.68%> (+0.04%) ⬆️
unittests 63.14% <60.37%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@catenacyber
Copy link
Contributor Author

I do not know why sip-method S-V test failed only once on MacOS (not failing locally)

jasonish
jasonish reviewed Mar 18, 2022
View reviewed changes
rust/src/detect.rs
Comment on lines +41 to +46
#[repr(C)]
pub struct DetectUintData<T> {
pub arg1: T,
pub arg2: T,
pub mode: DetectUintMode,
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, I didn't know this could work with cbindgen.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I first tried to use some kind of typedef alias like pub type DetectUintDataU32 DetectUintData<u32>, but making cbindgen export types caused other problems...

jasonish
jasonish reviewed Mar 18, 2022
View reviewed changes
rust/src/detect.rs
pub mode: DetectUintMode,
}

fn detect_parse_uint_start_equal<T: std::str::FromStr + std::cmp::PartialOrd + num::Bounded>(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if a custom trait would clean up these function definitions.. Something like:

pub trait DetectIntType: std::str::FromStr + std::cmp::PartialOrd + num::PrimInt + num::Bounded {}

impl<T> DetectIntType for T where T: std::str::FromStr + std::cmp::PartialOrd + num::PrimInt + num::Bounded {}

then most of these methods can use <T: DetectIntType> instead of the string of traits.

@catenacyber catenacyber mentioned this pull request Mar 18, 2022
Open
@catenacyber
Copy link
Contributor Author

I think windows is segfaulting because I call C's free on rust's Box::into_raw output...

@jasonish what do you think of it ?

@jasonish
Copy link
Member

I think windows is segfaulting because I call C's free on rust's Box::into_raw output...

@jasonish what do you think of it ?

You have to free memory that came from Rust back in Rust itself. Pass the pointer back and and call Box::from_raw, Rust will take ownership of it and drop it as expected.

Probably the simplest example of this is jb_clone and jb_free: https://github.com/OISF/suricata/blob/master/rust/src/jsonbuilder.rs#L632, but all our parsers do this as well.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 6597

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 6601

@victorjulien
Copy link
Member

I do not know why sip-method S-V test failed only once on MacOS (not failing locally)

This test has been flaky before.

victorjulien
victorjulien requested changes Mar 21, 2022
View reviewed changes
Copy link
Member

@victorjulien victorjulien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs some further work, see inline discussion between Jason and Philippe

@catenacyber catenacyber mentioned this pull request Mar 23, 2022
Closed
@catenacyber
Copy link
Contributor Author

Replaced by #7167

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish jasonish left review comments

@victorjulien victorjulien victorjulien requested changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@catenacyber @jasonish @suricata-qa @victorjulien