detect: don't run pkt sigs on ffr pkts#12264

Closed
inashivb wants to merge 1 commit into OISF:main-7.0.x from inashivb:backports-7.0.8-flow-timeout/v1

Conversation

@inashivb
Member

Last packet from the TLS TCP session moves TCP state to CLOSED.

This flags the app-layer with APP_LAYER_PARSER_EOF_TS or
APP_LAYER_PARSER_EOF_TC depending on the direction of the final packet.
This flag will just have been set in a single direction.

This leads to the last packet updating the inspect id in that packet's
direction.

At the end of the TLS session a pseudo packet is created, because:
 - flow has ended
 - inspected tx id == 0, for at least one direction
 - total txs is 1

Then a packet rule matches:

```
alert tcp any any -> any 443 (flow: to_server;                  \
        flowbits:isset,tls_error;                               \
        sid:09901033; rev:1;                                    \
        msg:"Allow TLS error handling (outgoing packet)"; )
```

The `SIG_MASK_REQUIRE_REAL_PKT` is not preventing the match, as the
`flowbits` keyword doesn't set it.

To avoid this match, this patch skips signatures of the `SIG_TYPE_PKT`
for flow end packets.

Ticket: OISF#7318.
(cherry picked from commit 0e4faba)
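A simplified C model of the match logic the description above walks through, added here for illustration and not Suricata's own code: `SIG_MASK_REQUIRE_REAL_PKT` and `SIG_TYPE_PKT` are the names from the PR text, while `PKT_PSEUDO_STREAM_END`, `SIG_TYPE_APP_TX`, the struct layouts and the scenario values are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
/* Simplified model of the detection check, not Suricata's code. */
#define PKT_PSEUDO_STREAM_END     (1u << 0) /* assumed name: flow-end pseudo packet */
#define SIG_MASK_REQUIRE_REAL_PKT (1u << 0) /* name taken from the PR text */

enum SigType { SIG_TYPE_PKT = 1, SIG_TYPE_APP_TX = 2 }; /* SIG_TYPE_APP_TX is assumed */

typedef struct {
    uint32_t sid;
    enum SigType type;
    uint32_t mask;        /* prefilter requirements, e.g. SIG_MASK_REQUIRE_REAL_PKT */
    bool needs_flowbit;   /* stands in for flowbits:isset,tls_error */
} Signature;

typedef struct {
    uint32_t flags;       /* PKT_* flags of the packet being inspected */
    bool flowbit_set;     /* is the tls_error flowbit set on the flow? */
} Packet;

/* Mask gate: only a signature that explicitly requires a real packet is
 * excluded on a pseudo packet. The flowbits keyword does not set that bit. */
static bool MaskAllows(const Signature *s, const Packet *p) {
    if ((s->mask & SIG_MASK_REQUIRE_REAL_PKT) && (p->flags & PKT_PSEUDO_STREAM_END))
        return false;
    return true;
}
/* Behaviour before the patch: the mask and the rule's own conditions decide. */
bool PktSigMatchesBefore(const Signature *s, const Packet *p) {
    if (!MaskAllows(s, p)) return false;
    if (s->needs_flowbit && !p->flowbit_set) return false;
    return true;
}

/* Behaviour after the patch: SIG_TYPE_PKT signatures are skipped outright on
 * flow-end pseudo packets, whatever their mask says. */
bool PktSigMatchesAfter(const Signature *s, const Packet *p) {
    if (s->type == SIG_TYPE_PKT && (p->flags & PKT_PSEUDO_STREAM_END))
        return false;
    return PktSigMatchesBefore(s, p);
}

/* Constructed scenario from the PR: sid 9901033 (flowbits:isset,tls_error) on the
 * flow-end pseudo packet of a TLS session whose tls_error bit is set. Returns 1
 * when the rule would have fired before the fix but no longer does after it. */
int FlowEndFalsePositiveFixed(void) {
    Signature sig = { 9901033, SIG_TYPE_PKT, 0, true };
    Packet pseudo = { PKT_PSEUDO_STREAM_END, true };
    return PktSigMatchesBefore(&sig, &pseudo) && !PktSigMatchesAfter(&sig, &pseudo);
}
```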
@codecov

codecov bot commented Dec 11, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.18%. Comparing base (9be2eca) to head (a19fe14).

Impacted files:

```
@@              Coverage Diff               @@
##           main-7.0.x   #12264      +/-   ##
==============================================
- Coverage       83.19%   83.18%   -0.02%     
==============================================
  Files             922      922              
  Lines          260888   260890       +2     
==============================================
- Hits           217048   217017      -31     
- Misses          43840    43873      +33     
```

| Flag | Coverage | Δ |
| --- | --- | --- |
| fuzzcorpus | 64.19% <100.00%> | -0.01% ⬇️ |
| suricata-verify | 63.37% <100.00%> | -0.02% ⬇️ |
| unittests | 62.38% <50.00%> | +<0.01% ⬆️ |


Contributor

@jufajardini jufajardini left a comment

Consistent with work in master #12258

@catenacyber catenacyber mentioned this pull request Dec 11, 2024
@suricata-qa

Information: QA ran without warnings.

Pipeline 23796

@jasonish jasonish mentioned this pull request Dec 11, 2024
@victorjulien victorjulien mentioned this pull request Dec 11, 2024
@victorjulien
Member

part of #12268

@inashivb inashivb deleted the backports-7.0.8-flow-timeout/v1 branch December 12, 2024 05:09