ssh: do not enforce pcap_cnt #1631

Closed
catenacyber wants to merge 1 commit into OISF:master from catenacyber:tcp-skip-not-established-v1

Conversation

@catenacyber (Collaborator)

Ticket

Redmine ticket: None

Prerequisite for OISF/suricata#10307 and next

As this is an invalid TCP packet, we should not run any tx detection on it.

catenacyber added the labels "tests pass" (These new tests should pass) and "prerequisite" (prerequisite before Suricata PR) on Feb 6, 2024
@jufajardini (Contributor) left a comment

Looks good to me, thanks for adding an explanation in the commit message!

@jasonish (Member) commented Feb 9, 2024

Should we then be checking that pcap_cnt doesn't exist on the event? Not sure if S-V handles this case, but it's probably worth doing rather than just removing the check.
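An added example, not code from suricata-verify or from this PR, of the stricter check proposed above: over constructed EVE JSON lines, require the alert to be present and assert that the event carries no pcap_cnt, so a regression that reattaches the alert to packet 7 fails the test instead of passing silently. The signature id and the sample lines are assumptions.

```python
import json

# Constructed EVE JSON lines (not captured from the PR's pcap): the alert
# is raised on a flow-timeout pseudo packet, so it carries no pcap_cnt.
SAMPLE_EVE = """\
{"event_type":"flow","flow_id":1,"proto":"TCP"}
{"event_type":"alert","flow_id":1,"alert":{"signature_id":2001}}
"""

# Constructed regression sample: the same alert, but attached to packet 7.
REGRESSION_EVE = """\
{"event_type":"alert","flow_id":1,"pcap_cnt":7,"alert":{"signature_id":2001}}
"""


def alerts_for_sid(eve_text, sid):
    """Return every alert event whose signature_id matches sid."""
    matches = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        if event.get("alert", {}).get("signature_id") == sid:
            matches.append(event)
    return matches


def check_alert_without_pcap_cnt(eve_text, sid, expected_count=1):
    """Stricter form of the S-V check discussed in the thread.

    Passes only if the alert appears exactly expected_count times AND none of
    the matching events has a pcap_cnt key; returns (ok, reason).
    """
    matches = alerts_for_sid(eve_text, sid)
    if len(matches) != expected_count:
        return False, f"expected {expected_count} alert(s) for sid {sid}, got {len(matches)}"
    for event in matches:
        if "pcap_cnt" in event:
            return False, f"alert for sid {sid} unexpectedly has pcap_cnt={event['pcap_cnt']}"
    return True, "ok"
```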

@catenacyber (Collaborator, Author)

I think the important test is that we get the alert.
Getting it on packet 7, or pseudo packet timing out the flow is less important.

If we really want to test this, are we sure we want to consider packet 7 as invalid and not run tx detection on it?

@jasonish (Member) commented Feb 9, 2024

> If we really want to test this, are we sure we want to consider packet 7 as invalid and not run tx detection on it?

I don't know specifically. But S-V is about detecting changes in behaviour as well. If it used to be 7, and some fix made the field go away, I think that should be encoded in the test, to detect if it ever comes back unintentionally.

@catenacyber (Collaborator, Author)

Continued in #1640

@catenacyber (Collaborator, Author)

> If we really want to test this, are we sure we want to consider packet 7 as invalid and not run tx detection on it?
>
> I don't know specifically. But S-V is about detecting changes in behaviour as well. If it used to be 7, and some fix made the field go away, I think that should be encoded in the test, to detect if it ever comes back unintentionally.

Did something in the next version of the PR
