Detect non pf/v1 #12567

Draft
wants to merge 9 commits into
base: master
8 changes: 4 additions & 4 deletions rules/smtp-events.rules
Expand Up @@ -8,12 +8,12 @@
#
alert smtp any any -> any any (msg:"SURICATA SMTP invalid reply"; flow:established,to_client; app-layer-event:smtp.invalid_reply; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220000; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP unable to match reply with request"; flow:established,to_client; app-layer-event:smtp.unable_to_match_reply_with_request; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220001; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP max command line len exceeded"; flow:established; app-layer-event:smtp.max_command_line_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220002; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP max command line len exceeded"; flow:established,to_server; app-layer-event:smtp.max_command_line_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220002; rev:2;)
alert smtp any any -> any any (msg:"SURICATA SMTP max reply line len exceeded"; flow:established,to_client; app-layer-event:smtp.max_reply_line_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220003; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP invalid pipelined sequence"; flow:established,to_server; app-layer-event:smtp.invalid_pipelined_sequence; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220004; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP bdat chunk len exceeded"; flow:established; app-layer-event:smtp.bdat_chunk_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220005; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP bdat chunk len exceeded"; flow:established,to_server; app-layer-event:smtp.bdat_chunk_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220005; rev:2;)
alert smtp any any -> any any (msg:"SURICATA SMTP no server welcome message"; flow:established,to_client; app-layer-event:smtp.no_server_welcome_message; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220006; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP tls rejected"; flow:established; app-layer-event:smtp.tls_rejected; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220007; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP tls rejected"; flow:established,to_client; app-layer-event:smtp.tls_rejected; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220007; rev:2;)
alert smtp any any -> any any (msg:"SURICATA SMTP data command rejected"; flow:established,to_client; app-layer-event:smtp.data_command_rejected; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220008; rev:1;)

# SMTP MIME events
Expand All @@ -30,5 +30,5 @@ alert smtp any any -> any any (msg:"SURICATA SMTP Mime boundary length exceeded"
alert smtp any any -> any any (msg:"SURICATA SMTP duplicate fields"; flow:established,to_server; app-layer-event:smtp.duplicate_fields; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220018; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP unparsable content"; flow:established,to_server; app-layer-event:smtp.unparsable_content; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220019; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP filename truncated"; flow:established,to_server; app-layer-event:smtp.mime_long_filename; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220020; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP failed protocol change"; flow:established; app-layer-event:smtp.failed_protocol_change; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220021; rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP failed protocol change"; flow:established,to_client; app-layer-event:smtp.failed_protocol_change; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220021; rev:2;)
# next sid 2220022
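Review bot: The rev:2 bumps on sids 2220002, 2220005, 2220007 and 2220021 narrow each rule from `flow:established` to a single direction, so each now fires only if the parser attaches the event to a packet of that direction; for `smtp.tls_rejected` and `smtp.failed_protocol_change` that means the event must be set on the server's reply, which this file cannot show. That is worth confirming against the SMTP parser before merge, because a mismatch turns a rule that alerted before into one that silently never alerts, with no load-time error. A one-line comment above the block, `# the flow direction of each rule must match the side on which the parser raises the event`, would record the intent for the next revision.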
2 changes: 2 additions & 0 deletions src/app-layer-frames.h
Expand Up @@ -26,6 +26,8 @@

#include "rust.h"

/** special value for matching any type */
#define FRAME_ANY_TYPE 62
/** max 63 to fit the 64 bit per protocol space */
#define FRAME_STREAM_TYPE 63
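Review bot: Reserving 62 for FRAME_ANY_TYPE leaves the comment on FRAME_STREAM_TYPE stale, since 63 is no longer the only value carved out of the per-protocol space, and a protocol that registers 62 real frame types would now collide with the wildcard without any diagnostic. Suggest `/** special value for matching any type; real frame types must stay below 62 */` on the new define and `/** 63 is the stream pseudo-type; 62 and 63 are reserved, 0..61 remain for protocol frame types */` on the existing one. Whether the frame-type registration path already rejects values at or above 62 is not visible here; if it does not, a range check there is what makes this reservation enforceable.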

4 changes: 4 additions & 0 deletions src/decode.h
Expand Up @@ -94,6 +94,9 @@ enum PktSrcEnum {

#include "util-validate.h"

/* for now a uint8_t is enough -- here in decode as it's part of the packet */
#define SignatureMask uint8_t

/* forward declarations */
struct DetectionEngineThreadCtx_;
typedef struct AppLayerThreadCtx_ AppLayerThreadCtx;
Expand Down Expand Up @@ -508,6 +511,7 @@ typedef struct Packet_
/* coccinelle: Packet:flowflags:FLOW_PKT_ */

uint8_t app_update_direction; // enum StreamUpdateDir
SignatureMask sig_mask;

/* Pkt Flags */
uint32_t flags;
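Review bot: `#define SignatureMask uint8_t` introduces a type name as a macro, which debuggers and tooling do not see as a type and which expands textually wherever the token appears; a typedef, `typedef uint8_t SignatureMask;`, gives the same layout and matches how decode.h already declares its other type aliases (the `typedef struct AppLayerThreadCtx_ AppLayerThreadCtx;` a few lines below). The comment "for now a uint8_t is enough" also invites a later widening with nothing to catch a mask that outgrows eight bits; naming the number of mask bits currently defined in that comment, or a `_Static_assert(sizeof(SignatureMask) == 1, "SignatureMask layout")` next to the `sig_mask` member if the build permits C11, would make the limit explicit. The `Packet_` struct starts before and ends after the second hunk.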
4 changes: 1 addition & 3 deletions src/detect-engine-build.c
Expand Up @@ -1983,8 +1983,6 @@ int SigPrepareStage4(DetectEngineCtx *de_ctx)

PrefilterSetupRuleGroup(de_ctx, sgh);

SigGroupHeadBuildNonPrefilterArray(de_ctx, sgh);

sgh->id = idx;
cnt++;
}
Expand All @@ -1995,7 +1993,7 @@ int SigPrepareStage4(DetectEngineCtx *de_ctx)
if (de_ctx->decoder_event_sgh != NULL) {
/* no need to set filestore count here as that would make a
* signature not decode event only. */
SigGroupHeadBuildNonPrefilterArray(de_ctx, de_ctx->decoder_event_sgh);
PrefilterSetupRuleGroup(de_ctx, de_ctx->decoder_event_sgh);
}

int dump_grouping = 0;
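Review bot: With `SigGroupHeadBuildNonPrefilterArray` dropped from both the per-group loop and the `decoder_event_sgh` branch, a signature that ends up in a group with no prefilter engine would have no remaining path to be evaluated, and nothing in this hunk shows where that is now guaranteed; the PR title suggests a separate mechanism for non-prefilter signatures, but it is not visible here. A short comment at the new `PrefilterSetupRuleGroup(de_ctx, de_ctx->decoder_event_sgh)` call, e.g. `/* decoder-event sigs are reached through a prefilter engine like any other group; no non-prefilter array is kept any more */`, would make that invariant readable next to the older comment about the filestore count, which still reads as if the array were being built. `SigPrepareStage4` starts before the first hunk and ends after the second.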
5 changes: 3 additions & 2 deletions src/detect-engine-frame.c
Expand Up @@ -76,8 +76,9 @@ void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead
SCLogDebug("pcap_cnt %" PRIu64, p->pcap_cnt);
PrefilterEngine *engine = sgh->frame_engines;
do {
BUG_ON(engine->alproto == ALPROTO_UNKNOWN);
if (engine->alproto == alproto && engine->ctx.frame_type == frame->type) {
if ((engine->alproto == alproto || engine->alproto == ALPROTO_UNKNOWN) &&
(engine->ctx.frame_type == frame->type ||
engine->ctx.frame_type == FRAME_ANY_TYPE)) {
SCLogDebug("frame %p engine %p", frame, engine);
PREFILTER_PROFILING_START(det_ctx);
engine->cb.PrefilterFrame(det_ctx, engine->pectx, p, frames, frame);
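Review bot: The removed `BUG_ON` was the only assertion that a frame engine carried a real alproto; the new condition turns `ALPROTO_UNKNOWN` and `FRAME_ANY_TYPE` into wildcards, but it also runs such an engine for the stream pseudo-frame (`FRAME_STREAM_TYPE`) if frames of that type ever reach this loop, which is not visible in the hunk and may or may not be intended. A comment above the `if` would make the semantics explicit: `/* ALPROTO_UNKNOWN and FRAME_ANY_TYPE are wildcards: such an engine runs for every frame, including FRAME_STREAM_TYPE; frame->type itself is never FRAME_ANY_TYPE */`, with the last clause to be confirmed against frame registration. `DetectRunPrefilterFrame` continues past the end of the hunk.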