Closed
Conversation
|
WARNING: ERROR: QA failed on IPS_AFP_drop_chk.
Pipeline 13821 |
jufajardini
reviewed
May 19, 2023
src/app-layer-detect-proto.c
Outdated
| memset(pm_results_bf, 0, sizeof(pm_results_bf)); | ||
|
|
||
| // Do not take pm_ctx->pp_max_len of all probing parsers, | ||
| // but only the the probing parsers which matched a pattern. |
Contributor
Author
There was a problem hiding this comment.
Thanks, done (still waiting for my big questions to be answered)
For probing parsers used with a pattern, restrict the max depth to these probing parsers and not all probing parsers. Finishing protocol detection earlier allows to parse data earlier in the case we recognize only one side.
When an app-layer is recognized for one side, but the other is still unknown, and the parsing of the one side errors, it disables app-layer, and thus the ending pseudo-packets do not get a chance to conclude for app-layer detection on the unknown side. So count in stats the app-layer protocol that was recognized the first time.
When probing parser is only tried from one recognized side of the protocol, even if this parser failed, it never set probing parser done as no mask were used.
As these have no StateAlloc, AppLayerParserParse disables app-layer parsing, which prevents other side protocol detection...
catenacyber
force-pushed
the
smtp-server-detection-1125-v17
branch
from
af49503 to
fdc7c9b
Compare
|
WARNING: ERROR: QA failed on IPS_AFP_drop_chk.
Pipeline 14077 |
|
WARNING: ERROR: QA failed on IPS_AFP_drop_chk.
Pipeline 14077 |
Contributor
Author
|
Continues in #9500 |
This was referenced Nov 19, 2023
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/1125 preliminary work
Describe changes:
Modifies #8804 by needed rebase
Summing up :
statsfield about flows are not matching the count offlowwith app_proto because of so many corner casesUSERpattern matched)@victorjulien how should this be handled ? Create many tickets and find the right priority order to deal with them ?
Should it begin with just commit f27a6f1 but using port 110 instead of POP3 ? That would solve QA wrongly tagging POP3 flows as FTP