Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect log alert tx one 7449 v2 #12308

Closed
wants to merge 2 commits into from
Closed

Detect log alert tx one 7449 v2 #12308

wants to merge 2 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7449

Describe changes:

  • document more guess-applayer-tx
  • improves guess-applayer-tx for unidirectional protocol such as DNS

SV_BRANCH=OISF/suricata-verify#2198

#12306 rebased with review taken into account: function doc and right style for naming

@catenacyber
doc: improve documentation about guess-applayer-tx
27433df 
Ticket: 7199
@catenacyber
detect: improve tx_id guessing for unidirectional protocols
092c9e3 
So we get:
1. request arrives - buffered due to not ackd
2. response arrives, acks request - request is now parsed, response isn't
3. ack for response, response parsed. Then detect runs for request,
generates alert. We now have 2 txs. txid will be 0 from AppLayerParserGetTransactionInspectId

But txid 1 is unidirectional in the other way, so we can use txid 0
metadata for logging

Ticket: 7449
@catenacyber catenacyber mentioned this pull request Dec 19, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Dec 19, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Please upload report for BASE (master@2c0d3b8). Learn more about missing BASE report.
Report is 9 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff            @@
##             master   #12308   +/-   ##
=========================================
  Coverage          ?   83.26%           
=========================================
  Files             ?      912           
  Lines             ?   257636           
  Branches          ?        0           
=========================================
  Hits              ?   214508           
  Misses            ?    43128           
  Partials          ?        0
Flag Coverage Δ
fuzzcorpus 61.10% <7.69%> (?)
livemode 19.39% <0.00%> (?)
pcap 44.43% <7.69%> (?)
suricata-verify 62.89% <100.00%> (?)
unittests 59.18% <7.69%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 24021

jasonish
jasonish reviewed Dec 20, 2024
View reviewed changes
src/detect.c Show resolved Hide resolved
jasonish
jasonish approved these changes Dec 20, 2024
View reviewed changes
Copy link
Member

@jasonish jasonish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks OK.

@catenacyber catenacyber mentioned this pull request Jan 2, 2025
Open
@catenacyber
Copy link
Contributor Author

Next version in #12332

@catenacyber catenacyber closed this Jan 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish jasonish approved these changes

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@catenacyber @suricata-qa @jasonish