Conversation
Especially fix setup-app-layer script to not forget this part
and used by bittorrent
And fix setup app layer script up for it
I created https://redmine.openinfosecfoundation.org/issues/6090 https://redmine.openinfosecfoundation.org/issues/6091 and https://redmine.openinfosecfoundation.org/issues/6092 |
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #8922 +/- ##
==========================================
+ Coverage 82.30% 82.34% +0.04%
==========================================
Files 969 957 -12
Lines 273335 272773 -562
==========================================
- Hits 224961 224627 -334
+ Misses 48374 48146 -228
Flags with carried forward coverage won't be shown. Click here to find out more. |
victorjulien
left a comment
victorjulien
left a comment
There was a problem hiding this comment.
Main issue is the central table, see inline.
| if (!rs_mqtt_logger_log(state, tx, thread->mqttlog_ctx->flags, js)) | ||
| jb_open_object(js, "mqtt"); | ||
| if (!rs_mqtt_logger_log(tx, thread->mqttlog_ctx->flags, js)) | ||
| goto error; |
There was a problem hiding this comment.
No, the error handler just free's it. Its not used anymore.
There was a problem hiding this comment.
Indeed as Jason said.
To be more complete :
- When we log a MQTT event, if we fail to log the MQTT data, we do not log anything at all
- When we log an alert, if we fail to log the MQTT data, we still log the alert
| } | ||
| } | ||
|
|
||
| static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { |
There was a problem hiding this comment.
I don't really like this idea of handling these per protocol things be in a central table. Seems an anti-pattern wrt trying to make it as much a plugin as possible.
There was a problem hiding this comment.
The use of this central table is indeed the central point, and it is meant to allow the use of app-layer plugins
What do we want ?
I think we want
- to avoid duplicating boilerplate code (and remove C file, to get better rust stats)
- that every app-layer protocols log their metadata for alerts, and for their own events
The solution currently used is to have
- For alerts, output-json-alert.c has a big switch with boilerplate wrapper code calling hardcoded app-layer logging functions, and this is missing for several protocols
So, the use of a central table, for alerts,
- makes it easy to sport the missing protocols (and to add them, as is done in this PR for krb5 for instance)
- removes the boilerplate code (taking the mark, trying to log, closing or restoring the mark...)
- makes it easy to extend by plugins (that "just" need to extend the array)
- For app-layer events, we have registration of boilerplate-wrapper functions that are registered in a central table
static OutputTxLogger *list[ALPROTO_MAX]in output-tx.c
Here, this PR
- removes boilerplate code for simple logger (not ones using state, or flags...), like
JsonLogThreadInitalready exists but is not used by every protocol andJsonGenericLoggeris introduced making use of the new table for simple loggers
So @victorjulien what do you think ?
It looks like a design flaw to have different wrapper functions for logging alert and app-layer metadata (causing not to have app-layer metadata for every protocol/alert)
Most of the protocols/cases are simple, but some require more complexity
Should I make a first part of this PR with the uncontroversial changes ? (first commits, use of JsonLogThreadInit)
There was a problem hiding this comment.
I think a centralized store doesn't have to use a table of hardcoded entries, but could also be more dynamic, like with many other parts of the engine. The parsers could then all a registration function that adds their entry into the store.
There was a problem hiding this comment.
Well, not sure to see the point but this is quite easy to add :-)
| } | ||
| } | ||
|
|
||
| bool AlertJsonDns(void *txptr, JsonBuilder *js) |
There was a problem hiding this comment.
should this return false if both calls return NULL?
There was a problem hiding this comment.
Likely so, this is a behavioral change
There was a problem hiding this comment.
Likely so, this is a behavioral change
Not a big one right? It would allow the caller to reset to mark to prevent an empty dns object from being logger in alert.
There was a problem hiding this comment.
Does not look a big one
#9005 is the part without behavior changes
Then I intend to do the behavioral changes about alerts : addition of protocols missing alert metadata (like krb5) + behavioral change for dns alert metadata
| @@ -27,7 +27,6 @@ pub extern "C" fn rs_modbus_to_json(tx: &mut ModbusTransaction, js: &mut JsonBui | |||
|
|
|||
There was a problem hiding this comment.
this commit does a lot more than the commit message indicates
There was a problem hiding this comment.
Indeed, so, any ideas about the commit segmentation ?
One big commit ? One commit per protocol ? (but if so, the first commit introducing the generic changes should also be applied on some protocol, otherwise, commit-check will fail because of unused functions)
Should I split this PR ?
|
Information: QA ran without warnings. Pipeline 14069 |
Thanks for the review, sorry for taking long to respond. |
|
Continues in #8961 |
4 participants
Link to redmine ticket:
None, preliminary work for https://redmine.openinfosecfoundation.org/issues/5053 and app-layer plugins
Continuation of #8772
https://redmine.openinfosecfoundation.org/issues/5977
Describe changes:
Continues #8893 with rebase and adding ticket number to krb5 commit
OISF/suricata-verify#1196
Still to do :