Fixed the typo of the buffer name for sip.stat_code #11846
NOTE: This PR may contain new authors.
@@ -56,7 +56,7 @@ | |||
|
|||
#define KEYWORD_NAME "sip.stat_code" | |||
#define KEYWORD_DOC "sip-keywords.html#sip-stat-code" | |||
#define BUFFER_NAME "sip.method" | |||
#define BUFFER_NAME "sip.stat_code" |
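Review bot: on the `BUFFER_NAME` line, the corrected string repeats the literal already held by `KEYWORD_NAME` two lines above, so a copy-paste slip like the old `"sip.method"` value can recur; consider `#define BUFFER_NAME KEYWORD_NAME`, or a comment stating that the two must match. The hunk also arrives without a test: a signature that uses both sip.stat_code and sip.method would confirm whether the shared buffer name ever affected matching.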
Thanks for this.
Question for the team: can this lead to wrong detection when using sip.stat_code and sip.method keywords?
Note: this was fixed in master by moving the code to rust
Question for the team: can this lead to wrong detection when using sip.stat_code and sip.method keywords?
Don't know anything about sip but we do have s-v tests for this which pass in master, main-7.0.x and this PR:
- sip-stat-code which passes. I can confirm that it passes correctly. Wireshark filter sip.Status-Code==100 shows exactly the number of matches expected.
- sip-method which passes. I can confirm that this passes correctly too. Wireshark filter sip.Method==REGISTER shows exactly the number of matches expected.
I haven't tried to look how the BUFFER_NAME impacts the parsing and storage of the respective fields..
What we would want to test here I guess is a test with at the same time both Maybe we are only safe because these are not in the same direction
I think that rule and
Created https://redmine.openinfosecfoundation.org/issues/7295 for this
And I created OISF/suricata-verify#2072 as a test
Thank you for your first contribution to Suricata! :)
Could you please:
- make commit message as follows:
sip/stat_code: fix buffer name
Bug #7295
- change the commit author to the format FirstName LastName <[email protected]>. This name should match the name you sign contribution agreement with.
- rebase on latest main-7.0.x.
- submit a new PR w the changes asked above. Please do not remove the PR body and tick all the boxes that apply.
I was doing it in #11857
I apologize :'-)
I thank you for having fixed this in master already Giuseppe ;-)
@starrysec can you please rework this in a next PR:
Fixed the typo of the buffer name for sip.stat_code. The correct name is sip.stat_code, not sip.method.
SV_BRANCH=OISF/suricata-verify#2072