Skip to content

detect: factorize code for DetectSetupDirection#13123

Closed
catenacyber wants to merge 1 commit intoOISF:masterfrom
catenacyber:detect-txal-filesize-7665-v4
Closed

detect: factorize code for DetectSetupDirection#13123
catenacyber wants to merge 1 commit intoOISF:masterfrom
catenacyber:detect-txal-filesize-7665-v4

Conversation

@catenacyber
Copy link
Contributor

@catenacyber catenacyber commented Apr 30, 2025

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7665

Describe changes:

  • detect: transactional rules allow filesize keyword

This means adding facility to allow non-sticky buffer keywords

  • Moving DetectSetupDirection call site to SigParseOptions instead of in each keyword and use a new flag SIGMATCH_SUPPORT_DIR
  • DetectSetupDirection now takes a pointer to a string, and may move the string forward to allow filesize: to_client, >100; so that DetectFilesizeSetup gets called with ">100"
  • SigMatchAppendSMToList now sets only_tc and only_ts as DetectBufferSetActiveList already does

(3 commits may be better but debugging, I ended up squashing everything)

Now making transactional rules support other direction-ambiguous keywords should be one-liner like adding SIGMATCH_SUPPORT_DIR to sigmatch_table[DETECT_KEYWORD].flags

SV_BRANCH=OISF/suricata-verify#2453

#13120 with cast like str = (char *)"to_client_toto"; in unit tests to fix compile without warnings

@catenacyber
detect: factorize code for DetectSetupDirection
bfe4678 
Ticket: 7665

Instead of each keyword calling DetectSetupDirection, use a
new flag SIGMATCH_SUPPORT_DIR so that DetectSetupDirection gets
called, before parsing the rest of the keyword.

Allows to support filesize keyword in transactional signatures
@catenacyber catenacyber mentioned this pull request Apr 30, 2025
Closed
@codecov
Copy link

codecov bot commented Apr 30, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 87.27273% with 14 lines in your changes missing coverage. Please review.

Project coverage is 83.04%. Comparing base (22abad7) to head (bfe4678).
Report is 61 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #13123   +/-   ##
=======================================
  Coverage   83.04%   83.04%           
=======================================
  Files         987      987           
  Lines      271868   271938   +70     
=======================================
+ Hits       225764   225835   +71     
+ Misses      46104    46103    -1
Flag Coverage Δ
fuzzcorpus 61.39% <37.31%> (-0.01%) ⬇️
livemode 18.96% <20.89%> (+<0.01%) ⬆️
pcap 44.78% <20.89%> (-0.02%) ⬇️
suricata-verify 64.75% <56.71%> (-0.02%) ⬇️
unittests 58.23% <82.72%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@suricata-qa
Copy link

suricata-qa commented Apr 30, 2025

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.uptime 627 652 103.99%

Pipeline 25945

@victorjulien victorjulien added this to the 8.0 milestone May 7, 2025
@victorjulien victorjulien mentioned this pull request May 7, 2025
Merged
@victorjulien
Copy link
Member

victorjulien commented May 7, 2025

Merged in #13179, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@victorjulien victorjulien victorjulien approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

8.0

Development

Successfully merging this pull request may close these issues.

3 participants

@catenacyber @suricata-qa @victorjulien