Skip to content

detect: add vlan.id keyword - v8#12333

Closed
AkakiAlice wants to merge 1 commit intoOISF:masterfrom
AkakiAlice:detect-vlan-id-1065-v8
Closed

detect: add vlan.id keyword - v8#12333
AkakiAlice wants to merge 1 commit intoOISF:masterfrom
AkakiAlice:detect-vlan-id-1065-v8

Conversation

@AkakiAlice
Copy link
Contributor

@AkakiAlice AkakiAlice commented Jan 2, 2025

Ticket: #1065

Contribution style:

Our Contribution agreements:

Changes (if applicable):

Link to ticket: https://redmine.openinfosecfoundation.org/issues/1065

Description:

  • Introduce vlan.id keyword

vlan_id.rs changes:

  • rustfmt

SV_BRANCH=OISF/suricata-verify#2208
Previous PR: #12324

@AkakiAlice
detect: add vlan.id keyword
6e4ae02 
vlan.id matches on Virtual Local Area Network IDs
It is an unsigned 16-bit integer
Valid range for the default configuration = [1-4094]
Supports prefiltering

Ticket: OISF#1065
@codecov
Copy link

codecov bot commented Jan 2, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 94.57014% with 12 lines in your changes missing coverage. Please review.

Project coverage is 83.20%. Comparing base (6f937c7) to head (6e4ae02).
Report is 5 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12333      +/-   ##
==========================================
- Coverage   83.26%   83.20%   -0.06%     
==========================================
  Files         912      914       +2     
  Lines      257643   257864     +221     
==========================================
+ Hits       214521   214564      +43     
- Misses      43122    43300     +178
Flag Coverage Δ
fuzzcorpus 61.10% <8.92%> (-0.04%) ⬇️
livemode 19.39% <8.92%> (-0.01%) ⬇️
pcap 44.40% <8.92%> (-0.02%) ⬇️
suricata-verify 62.90% <83.92%> (+0.03%) ⬆️
unittests 59.19% <64.25%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

catenacyber
catenacyber approved these changes Jan 2, 2025
View reviewed changes
Copy link
Contributor

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI : 🟢
Code : cool
Commits segmentation : ok
Commit messages : nice
Git ID set : looks fine for me
CLA : you already contributed
Doc update : excellent
Redmine ticket : ok
Rustfmt : ok for vlan_id.rs
Tests : nice
Dependencies added: none

victorjulien
victorjulien requested changes Jan 6, 2025
View reviewed changes
Copy link
Member

@victorjulien victorjulien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see inline

rust/src/detect/vlan_id.rs
#[derive(Debug, PartialEq)]
pub struct DetectVlanIdData {
pub du16: DetectUintData<u16>,
pub layer: i8,
Copy link
Member

@victorjulien victorjulien Jan 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this need some documentation

doc/userguide/rules/vlan-keywords.rst
0 - 2 Match specific layer
``-3`` - ``-1`` Match specific layer with back to front indexing
all Match only if all layers match
count Match on the number of layers
Copy link
Member

@victorjulien victorjulien Jan 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

while I like that we can match on this, I do question integrating it with a vlan.id keyword. Should we have a vlan.layers keyword instead? I feel that these options are not only not about the id, they also bring their own syntax.

Copy link
Contributor

@catenacyber catenacyber Jan 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok.

About naming, should we have a unique naming scheme count for such keywords ?
Like vlan.layers.count ldap.responses.count...

@AkakiAlice AkakiAlice mentioned this pull request Jan 8, 2025
Closed
5 tasks
@AkakiAlice AkakiAlice closed this Jan 8, 2025
@AkakiAlice
Copy link
Contributor Author

AkakiAlice commented Jan 8, 2025

Replaced by: #12360

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@catenacyber catenacyber catenacyber approved these changes

@victorjulien victorjulien victorjulien requested changes

@jasonish jasonish Awaiting requested review from jasonish

@jufajardini jufajardini Awaiting requested review from jufajardini

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AkakiAlice @victorjulien @catenacyber