Skip to content

detect: factorize code for DetectSetupDirection#13120

Closed
catenacyber wants to merge 1 commit intoOISF:masterfrom
catenacyber:detect-txal-filesize-7665-v3
Closed

detect: factorize code for DetectSetupDirection#13120
catenacyber wants to merge 1 commit intoOISF:masterfrom
catenacyber:detect-txal-filesize-7665-v3

Conversation

@catenacyber
Copy link
Contributor

@catenacyber catenacyber commented Apr 30, 2025

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7665

Describe changes:

  • detect: transactional rules allow filesize keyword

This means adding facility to allow non-sticky buffer keywords

  • Moving DetectSetupDirection call site to SigParseOptions instead of in each keyword and use a new flag SIGMATCH_SUPPORT_DIR
  • DetectSetupDirection now takes a pointer to a string, and may move the string forward to allow filesize: to_client, >100; so that DetectFilesizeSetup gets called with ">100"
  • SigMatchAppendSMToList now sets only_tc and only_ts as DetectBufferSetActiveList already does

(3 commits may be better but debugging, I ended up squashing everything)

Now making transactional rules support other direction-ambiguous keywords should be one-liner like adding SIGMATCH_SUPPORT_DIR to sigmatch_table[DETECT_KEYWORD].flags

SV_BRANCH=OISF/suricata-verify#2453

#13046 with needed rebase and unit tests for DetectSetupDirection and better behavior

@catenacyber
detect: factorize code for DetectSetupDirection
e8d46b5 
Ticket: 7665

Instead of each keyword calling DetectSetupDirection, use a
new flag SIGMATCH_SUPPORT_DIR so that DetectSetupDirection gets
called, before parsing the rest of the keyword.

Allows to support filesize keyword in transactional signatures
@catenacyber catenacyber mentioned this pull request Apr 30, 2025
Closed
@codecov
Copy link

codecov bot commented Apr 30, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 87.27273% with 14 lines in your changes missing coverage. Please review.

Project coverage is 83.01%. Comparing base (033e048) to head (e8d46b5).
Report is 4 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #13120      +/-   ##
==========================================
+ Coverage   82.94%   83.01%   +0.07%     
==========================================
  Files         988      988              
  Lines      271931   272001      +70     
==========================================
+ Hits       225546   225810     +264     
+ Misses      46385    46191     -194
Flag Coverage Δ
fuzzcorpus 61.36% <37.31%> (+0.12%) ⬆️
livemode 18.95% <20.89%> (+<0.01%) ⬆️
pcap 44.78% <20.89%> (-0.01%) ⬇️
suricata-verify 64.72% <56.71%> (-0.01%) ⬇️
unittests 58.21% <82.72%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@catenacyber catenacyber force-pushed the detect-txal-filesize-7665-v3 branch from 33bb76e to e8d46b5 Compare April 30, 2025 15:46
@suricata-qa
Copy link

suricata-qa commented Apr 30, 2025

Information: QA ran without warnings.

Pipeline 25941

@catenacyber catenacyber mentioned this pull request Apr 30, 2025
Closed
@catenacyber
Copy link
Contributor Author

catenacyber commented Apr 30, 2025

Next in #13123

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasonish jasonish Awaiting requested review from jasonish

@victorjulien victorjulien Awaiting requested review from victorjulien

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@catenacyber @suricata-qa