Skip to content

Comments

Websockets 2695 v15#10176

Closed
catenacyber wants to merge 15 commits intoOISF:masterfrom
catenacyber:websockets-2695-v15
Closed

Websockets 2695 v15#10176
catenacyber wants to merge 15 commits intoOISF:masterfrom
catenacyber:websockets-2695-v15

Conversation

@catenacyber
Copy link
Contributor

@catenacyber catenacyber commented Jan 16, 2024
edited
Loading

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2695

Describe changes:

SV_BRANCH=pr/1571

OISF/suricata-verify#1571

#10173 with rebase on top of #10175 (to get green CI for check rust)

I think this is good enough for a first version even if there may be improvements (that should happen in later tickets) :

  • using latest HTTP/1 transaction in a single rule, instead of splitting rule and using flowbits. Should the Websocket state own the last HTTP1 transaction ? And if so, need to see with DOH2 as well the mechanism to get the right transaction for each keyword...
  • support websockets over HTTP/2 : need more design
    This is a big one as websockets over HTTP/2 only use a single HTTP/2 stream and not the whole TCP connection which keeps having newer regular HTTP/2 streams (or other websocket ones). That means a HTTP2 transactions will own a Websocket State + some streaming buffer as TCP...

@catenacyber catenacyber mentioned this pull request Jan 16, 2024
Closed
@suricata-qa
Copy link

suricata-qa commented Jan 16, 2024

WARNING:

field baseline test %
build_asan

Pipeline 17539

catenacyber and others added 15 commits January 16, 2024 15:42
@catenacyber
detect: integer keywords now support hexadecimal
8d03e62 
So that we can write enip.revision: 0x203

Ticket: 6645
@catenacyber
detect: integer keywords now accept negated ranges
1647eb1 
Ticket: 6646
@catenacyber
detect/integer: rust derive for enumerations
3cd5173 
Ticket: 6647

Allows keywords using integers to use strings in signature
parsing based on a rust enumeration with a derive.
@catenacyber
detect: integer keywords now accept bitmasks
c7139e8 
Ticket: 6648

Like &0x40=0x40 to test for a specific bit set
@catenacyber
doc: integer keywords
f789d1f 
Ticket: 6628

Document the generic detection capabilities for integer keywords.
and make every integer keyword pointing to this section.
@catenacyber
output/dnp3: restrict function scope to one file
39f5ab6
@catenacyber
output/dns: do not add empty app-layer metadata
10d4869
@catenacyber
output: generic simple tx json logger
21d2ed0 
Ticket: 3827
@catenacyber
enip: register on default 44818/tcp port
afa5d66 
if no config option is found,
as is done for udp

Ticket: 6304
@catenacyber
http2: add settings from newer RFCs
961fb8c 
Including the one for websocket over HTTP/2
@catenacyber
protodetect: remove unused field
72bf9c4 
port is used in AppLayerProtoDetectProbingParserPort
and not in AppLayerProtoDetectProbingParserElement
@catenacyber
protodetect: allows not port-based probing parsers
cd5ab14 
As for WebSocket which is detected only by protocol change.
@catenacyber
protodetect: run expected probing parser
d9d9cd8 
When there is a protocol change, and a specific protocol is
expected, like WebSeocket, always run it, no matter the port.
@catenacyber
app-layer: websockets protocol support
3af8469 
Ticket: 2695
@catenacyber
websocket: configurable logging of payload in alerts
68dc6ec
@catenacyber
Copy link
Contributor Author

catenacyber commented Jan 16, 2024
edited
Loading

CI should be red/SV is failing because OISF/suricata-verify#1571 is missing to use OISF/suricata-verify#1490

@suricata-qa
Copy link

suricata-qa commented Jan 17, 2024

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.tcp.pseudo 2810 3014 107.26%

Pipeline 17554

@zoomequipd
Copy link

zoomequipd commented Jan 18, 2024

Question based on the changes to the docs:

does this mean that we need to rewrite our use of integer-keywords (dsize, bsize, urilen, etc)?

based on the examples

 bsize:10; --> bsize:integer 10;

is that right or am i misunderstanding?

@catenacyber
Copy link
Contributor Author

catenacyber commented Jan 18, 2024

Question based on the changes to the docs:

does this mean that we need to rewrite our use of integer-keywords (dsize, bsize, urilen, etc)?

based on the examples

 bsize:10; --> bsize:integer 10;

is that right or am i misunderstanding?

#10179 is the PR for integer keywords.

You do not need to rewrite anything bsize:10; works
bsize:integer 10; does not work.

So, the doc looks unclear. How would you spell it ?

@zoomequipd
Copy link

zoomequipd commented Jan 18, 2024

#10179 is the PR for integer keywords.

sorry, I was looking through this PR and noticed it, would you prefer this convo to occur on #10179?

@catenacyber
Copy link
Contributor Author

catenacyber commented Jan 18, 2024

#10179 is the PR for integer keywords.

sorry, I was looking through this PR and noticed it, would you prefer this convo to occur on #10179?

Ideally yes but we can keep it here no big deal...

@zoomequipd zoomequipd mentioned this pull request Jan 18, 2024
Closed
@zoomequipd
Copy link

zoomequipd commented Jan 21, 2024
edited
Loading

support websockets over HTTP/2 : need pcap

was the pcap I shared via redmine not sufficient or do you just want another ticket for that feature?

@victorjulien victorjulien marked this pull request as draft January 22, 2024 08:28
@catenacyber
Copy link
Contributor Author

catenacyber commented Jan 22, 2024

support websockets over HTTP/2 : need pcap

was the pcap I shared via redmine not sufficient or do you just want another ticket for that feature?

@zoomequipd thanks for the pcap, it is enough for now, this was just a bad copy/paste from old data, my mistake.

This is a big one as websockets over HTTP/2 only use a single HTTP/2 stream and not the whole TCP connection which keeps having newer regular HTTP/2 streams (or other websocket ones). That means a HTTP2 transactions will own a Websocket State + some streaming buffer as TCP...

This still stands...

@catenacyber catenacyber marked this pull request as ready for review January 23, 2024 08:17
@catenacyber catenacyber mentioned this pull request Feb 12, 2024
Closed
@catenacyber
Copy link
Contributor Author

catenacyber commented Feb 12, 2024

Rebased in #10375

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasonish jasonish Awaiting requested review from jasonish

@jufajardini jufajardini Awaiting requested review from jufajardini

@victorjulien victorjulien Awaiting requested review from victorjulien

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@catenacyber @suricata-qa @zoomequipd