Skip to content

Comments

Detect integers 6644 v9#10179

Closed
catenacyber wants to merge 5 commits intoOISF:masterfrom
catenacyber:detect-integers-6644-v9
Closed

Detect integers 6644 v9#10179
catenacyber wants to merge 5 commits intoOISF:masterfrom
catenacyber:detect-integers-6644-v9

Conversation

@catenacyber
Copy link
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6644 and all subtickets
https://redmine.openinfosecfoundation.org/issues/6645
https://redmine.openinfosecfoundation.org/issues/6646
https://redmine.openinfosecfoundation.org/issues/6647
https://redmine.openinfosecfoundation.org/issues/6648
https://redmine.openinfosecfoundation.org/issues/6628

Describe changes:

  • detect/integers: support hexadecimal notation for parsing
  • detect/integers: add mode for negated range
  • detect/integers: rust derive for enumerations
  • detect/integers: keywords now accept bitmasks
  • doc: detect/integers

#10175 with derive enumstring for u16 and u32 as well (as needed by the ENIP rust PR)

catenacyber and others added 5 commits January 16, 2024 15:42
So that we can write enip.revision: 0x203

Ticket: 6645
Ticket: 6647

Allows keywords using integers to use strings in signature
parsing based on a rust enumeration with a derive.
Ticket: 6648

Like &0x40=0x40 to test for a specific bit set
Ticket: 6628

Document the generic detection capabilities for integer keywords.
and make every integer keyword pointing to this section.
@suricata-qa
Copy link

ERROR:

ERROR: QA failed on TREX_GENERIC_rule_time.

Pipeline 17552

@catenacyber
Copy link
Contributor Author

ERROR:

ERROR: QA failed on TREX_GENERIC_rule_time.

Pipeline 17552

@ct0br0 would you have a profile for this ?

@catenacyber
Copy link
Contributor Author

And other PRs using this one do not show this deviation...

@ct0br0
Copy link

ct0br0 commented Jan 17, 2024

What do you mean by 'profile' ?

@ct0br0
Copy link

ct0br0 commented Jan 17, 2024

fwiw, did another run and the rule load time only took 1 more second instead of 3. (19 vs 20, or previously 22)

@catenacyber
Copy link
Contributor Author

What do you mean by 'profile' ?

Some perf report where I can get a flame graph to see where the time is spent ? Do you see what I mean ?

@zoomequipd
Copy link

Continuing convo from #10176 (comment) on correct PR

the integer-keyword.rst contains the following

Examples::

    bsize:integer value; # equality
    bsize:=integer value; # equality
    bsize:!integer value; # inequality
    bsize:!=integer value; # inequality
    bsize:>integer value; # greater than
    bsize:>=integer value; # greater than or equal
    bsize:<integer value; # lesser than
    bsize:<=integer value; # lesser than or equal
    bsize:integer value1-integer value2; # range between value1 and value2
    bsize:!integer value1-integer value2; # negated range between value1 and value2
    bsize:&mask=value; # bitmask mask is compared to value for equality
    bsize:&mask!=value; # bitmask mask is compared to value for inequality

Upon reading this, I thought that integer supporting keywords (bsize, dsize, urilen, etc) which currently use equality, inequality, greater than, etc would need to be updated/changed to support this new format.

My assumption is/was that equality would need to be rewritten from
bsize:10; to bsize:integer 10

based on comments in #10176 (comment), my thought was incorrect and I was misunderstanding the examples.

I would propose that example be rewritten to include more specific examples

Examples::

    bsize:19; # equality check of 19
    bsize:=19; # equality check of 19
    bsize:!20; # inequality check of 20
    bsize:!=20; # inequality check of 20
    bsize:>21; # greater than check of 21
    bsize:>=21; # greater than or equal 21
    bsize:<22; # lesser than check of 22
    bsize:<=22; # lesser than or equal 22
    bsize:19-22; # range between 19 and 2
    bsize:!19-22; # negated range between 19 and 22
    bsize:&0x40=0; # bitmask mask is compared to value for equality
    bsize:&0x40!=1; # bitmask mask is compared to value for inequality

current bitmaskly supported by byte_test, byte_match, byte_jump (maybe not byte_jump??) does a right shift by the number of trailing 0 (zeros) after the AND operation. Does this bitmask option perform the same behavior?

@catenacyber
Copy link
Contributor Author

Does this bitmask option perform the same behavior?

You can do bsize:&0xc0=0x80.

You should not do bsize:&0xc0=2.

And thanks for bringing this, now I will make the parser failing for bsize:&0xc0=2 as something that could never match

@catenacyber
Copy link
Contributor Author

Feedback incorporated in #10197

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

4 participants