-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
analysis: report rule state altered by other rule - v2 #12311
base: master
Are you sure you want to change the base?
Conversation
Flowbits can make a rule such as a packet rule be treated as a stateful rule, without actually changing the rule type. Add a flag to allow reporting such cases via engine analysis. Task OISF#7456
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #12311 +/- ##
=========================================
Coverage ? 83.25%
=========================================
Files ? 912
Lines ? 257638
Branches ? 0
=========================================
Hits ? 214508
Misses ? 43130
Partials ? 0
Flags with carried forward coverage won't be shown. Click here to find out more. |
Information: QA ran without warnings. Pipeline 24033 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wondering why don't we try and combine the output of flowbits.json
or make that one more rich perhaps and point to the state event to look at in there somehow w one field in the rules.json
output?
|
||
/* inter-signature state dependency */ | ||
bool is_rule_state_dependant; | ||
uint32_t rule_state_dependant_id; | ||
uint32_t rule_state_variable_idx; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we get this info to analyzer w/o inflating this struct so much?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is fine. This is an init-time only helper struct
@@ -1047,6 +1047,16 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s) | |||
break; | |||
} | |||
|
|||
if (s->init_data->is_rule_state_dependant) { | |||
jb_open_object(ctx.js, "rule_state_dependant"); | |||
jb_set_uint(ctx.js, "rule_depends_on_sid", s->init_data->rule_state_dependant_id); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what if there are multiple dependencies?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what if there are multiple dependencies?
I thought of that at first, but from what I understood, only one rule can set
a flowbits variable, isn't that so?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a rule is only "dependent" on a certain rule or flowbit when you're checking whether a flowbit was set so essentially the isset
command. set
does not mean the rule is dependent.
- Combinations of
isset
that can show you multiple dependencies are as follows. Assumefb1
was set bysid: 1
andfb2
was set bysid: 2
and
support:flowbits: isset, fb1; flowbits: isset, fb2;
-> dependent onsid:1
andsid: 2
.
or
support:flowbits: isset, fb1|fb2;
-> also dependent onsid:1
andsid: 2
. - Suricata does not seem to have a reservation against two different rules setting a flowbit so maybe there are usecases for that too. So, yes, there can be multiple rules setting the same flowbit.
if (s->init_data->is_rule_state_dependant) { | ||
jb_open_object(ctx.js, "rule_state_dependant"); | ||
jb_set_uint(ctx.js, "rule_depends_on_sid", s->init_data->rule_state_dependant_id); | ||
jb_set_string(ctx.js, "rule_depends_on_flowbit", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can this just be flowbit
? Seems the key is a bit redundant with the object name.
Also, as Shivani is asking: this is 1-N essentially, can we list them all? I'm changing my mind a bit on this. I think being complete is probably best.
So
"rule_state_dependant": {
"sids": [ 1901, 124, 666 ],
"flowbits": [ "fb2", "abc" ],
},
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought only one rule could set
a flowbits rule, that's why I used this approach. Given that that's not the case, it's a bit more complicated to be done, but I'll follow that approach. I'll pursue understanding Shivani's comment about flowbits.json
and see if that helps, too, somehow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll pursue understanding Shivani's comment about flowbits.json and see if that helps, too, somehow.
From what I got from Victor's comment, I think your approach is what we want so you can skip that :)
Flowbits can make a rule such as a packet rule be treated as a stateful rule, without actually changing the rule type.
Add a flag to allow reporting such cases via engine analysis.
Task #7456
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7456
Previous PR: #12286
Output samples:
flowbits:set
ruleflowbits:isset
ruleDescribe changes:
init_data
mostly generic, in case there are other scenarios where this could happen - but at least when it's time to report this via theengine-analysis
, we need the info to fetch the variable nameset
command that does that, from what I could understandProvide values to any of the below to override the defaults.
SV_BRANCH=OISF/suricata-verify#2201