Skip to content

next/666/70x/20241211/v1#12270

Merged
victorjulien merged 5 commits intoOISF:main-7.0.xfrom
victorjulien:next/666/70x/20241211/v1
Dec 12, 2024
Merged

next/666/70x/20241211/v1#12270
victorjulien merged 5 commits intoOISF:main-7.0.xfrom
victorjulien:next/666/70x/20241211/v1

Conversation

@victorjulien
Copy link
Member

@victorjulien victorjulien commented Dec 11, 2024

Lukas Sismis and others added 5 commits December 11, 2024 10:12
@lukashino
dpdk: set ice PMD RSS key length to 52 bytes for all DPDK versions
7267330 
ICE driver (Intel E810 NIC) requires/supports 52-byte long RSS key.
The 52 byte key length was mandatory from DPDK 23.11 when Suricata
was starting with independently configured ice PMD.

However, Suricata failed to start when ice PMD was part of
net_bonding PMD, requiring 52 byte RSS key even in DPDK versions
lower than 23.11. Since the support for the longer key is present
since DPDK 19.11 the key is set to 52 bytes for all versions.

Ticket: 7445
(cherry picked from commit 18ab9a6)
@victorjulien
detect: don't run pkt sigs on ffr pkts
c84599a 
Last packet from the TLS TCP session moves TCP state to CLOSED.

This flags the app-layer with APP_LAYER_PARSER_EOF_TS or
APP_LAYER_PARSER_EOF_TC depending on the direction of the final packet.
This flag will just have been set in a single direction.

This leads to the last packet updating the inspect id in that packets
direction.

At the end of the TLS session a pseudo packet is created, because:
 - flow has ended
 - inspected tx id == 0, for at least one direction
 - total txs is 1

Then a packet rule matches:

```
alert tcp any any -> any 443 (flow: to_server;                  \
        flowbits:isset,tls_error;                               \
        sid:09901033; rev:1;                                    \
        msg:"Allow TLS error handling (outgoing packet)"; )
```

The `SIG_MASK_REQUIRE_REAL_PKT` is not preventing the match, as the
`flowbits` keyword doesn't set it.

To avoid this match. This patch skips signatures of the `SIG_TYPE_PKT`
for flow end packets.

Ticket: OISF#7318.
(cherry picked from commit 0e4faba)
@catenacyber @victorjulien
detect: log app-layer metadata in alert with single tx
19a6386 
Ticket: 7199

Uses a config parameter detect.guess-applayer-tx to enable
this behavior (off by default)

This feature is requested for use cases with signatures not
using app-layer keywords but still targetting application
layer transactions, such as pass/drop rule combination,
or lua usage.

This overrides the previous behavior of checking if the signature
has a content match, by checking if there is only one live
transaction, in addition to the config parameter being set.

(cherry picked from commit f2c3776)
@victorjulien
detect: re-add app-layer to alerts on stream matches
b025fe2 
The `guess-applayer-tx` work also removed the stream match condition
for adding app-layer metadata to alerts. This is a behavior change that
is not desired at this point, so this commit reverts that part of the
changes.

We keep the exising logging of app-layer metadata if the match was in
the stream.
@catenacyber @victorjulien
doc: improve documentation about guess-applayer-tx
a578b09 
Ticket: 7199
@victorjulien victorjulien requested review from a team and jufajardini as code owners December 11, 2024 23:25
@codecov
Copy link

codecov bot commented Dec 11, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.19%. Comparing base (9be2eca) to head (a578b09).
Report is 5 commits behind head on main-7.0.x.

Additional details and impacted files 
@@              Coverage Diff               @@
##           main-7.0.x   #12270      +/-   ##
==============================================
- Coverage       83.19%   83.19%   -0.01%     
==============================================
  Files             922      922              
  Lines          260888   260900      +12     
==============================================
- Hits           217048   217047       -1     
- Misses          43840    43853      +13
Flag Coverage Δ
fuzzcorpus 64.19% <88.88%> (+<0.01%) ⬆️
suricata-verify 63.40% <100.00%> (+<0.01%) ⬆️
unittests 62.38% <55.55%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

suricata-qa commented Dec 12, 2024

Information: QA ran without warnings.

Pipeline 23885

@victorjulien victorjulien merged commit a578b09 into OISF:main-7.0.x Dec 12, 2024
This was referenced Dec 12, 2024
Merged
Closed
@victorjulien victorjulien deleted the next/666/70x/20241211/v1 branch December 12, 2024 08:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasonish jasonish jasonish approved these changes

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@victorjulien @suricata-qa @jasonish @catenacyber