Skip to content

detect: factorize code for DetectSetupDirection (transactional rules)#13046

Closed
catenacyber wants to merge 1 commit intoOISF:masterfrom
catenacyber:detect-txal-filesize-7665-v2
Closed

detect: factorize code for DetectSetupDirection (transactional rules)#13046
catenacyber wants to merge 1 commit intoOISF:masterfrom
catenacyber:detect-txal-filesize-7665-v2

Conversation

@catenacyber
Copy link
Contributor

@catenacyber catenacyber commented Apr 18, 2025

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7665

Describe changes:

  • detect: transactional rules allow filesize keyword

This means adding facility to allow non-sticky buffer keywords

  • Moving DetectSetupDirection call site to SigParseOptions instead of in each keyword and use a new flag SIGMATCH_SUPPORT_DIR
  • DetectSetupDirection now takes a pointer to a string, and may move the string forward to allow filesize: to_client, >100; so that DetectFilesizeSetup gets called with ">100"
  • SigMatchAppendSMToList now sets only_tc and only_ts as DetectBufferSetActiveList already does

(3 commits may be better but debugging, I ended up squashing everything)

Now making transactional rules support other direction-ambiguous keywords should be one-liner like adding SIGMATCH_SUPPORT_DIR to sigmatch_table[DETECT_KEYWORD].flags

SV_BRANCH=OISF/suricata-verify#2453

#13045 clean

@catenacyber
detect: factorize code for DetectSetupDirection
6992640 
Ticket: 7665

Instead of each keyword calling DetectSetupDirection, use a
new flag SIGMATCH_SUPPORT_DIR so that DetectSetupDirection gets
called, before parsing the rest of the keyword.

Allows to support filesize keyword in transactional signatures
@catenacyber catenacyber mentioned this pull request Apr 18, 2025
Closed
@suricata-qa
Copy link

suricata-qa commented Apr 18, 2025

Information: QA ran without warnings.

Pipeline 25721

@catenacyber catenacyber changed the title detect: factorize code for DetectSetupDirection detect: factorize code for DetectSetupDirection (transactional rules) Apr 19, 2025
@victorjulien victorjulien added the needs rebase Needs rebase to main label Apr 30, 2025
victorjulien
victorjulien requested changes Apr 30, 2025
View reviewed changes
Copy link
Member

@victorjulien victorjulien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some questions inline, also needs a rebase

src/detect-parse.c
*/
static int DetectSetupDirection(Signature *s, char **str, bool only_dir)
{
if (strncmp(*str, "to_client", strlen("to_client")) == 0) {
Copy link
Member

@victorjulien victorjulien Apr 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will also match to_client_toto I think. Will that be detected correctly?

Copy link
Contributor Author

@catenacyber catenacyber Apr 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

After matching the prefix, we check further characters : optional spaces then comma or end of string

to_client_toto gets to line 887 SCLogError("expecting to_client [, other]");

src/detect-parse.c
*
* \retval 0 on success, -1 on failure
*/
static int DetectSetupDirection(Signature *s, char **str, bool only_dir)
Copy link
Member

@victorjulien victorjulien Apr 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not a single pointer char *str? We're not passing something back, are we?

Copy link
Contributor Author

@catenacyber catenacyber Apr 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're not passing something back, are we?

Yes, we are moving forward the string pointer, so that the keyword filesize only "sees" >100 when the signature had filesize: to_client, >100;

@catenacyber catenacyber mentioned this pull request Apr 30, 2025
Closed
@catenacyber
Copy link
Contributor Author

catenacyber commented Apr 30, 2025

Rebased in #13120

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@victorjulien victorjulien victorjulien requested changes

Assignees

No one assigned

Labels

needs rebase Needs rebase to main

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@catenacyber @suricata-qa @victorjulien