jlucovsky
Contributor

Continuation of #13575

Use unique variable names for each flowvar as they come from a global
namespace. The chosen name is: <sticky_buffer>_<sid>

Describe changes:

  • Use a unique name for flowvar by appending the signature id to the name.

Updates:

  • Add a config setting to control whether unique names are generated: logging.entropy.make-unique
  • Document new configuration setting and how output is affected.

Issue: 7814

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7814

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2588
SU_REPO=
SU_BRANCH=

Issue: 7814

Support unique flow variable names for entropy-related values.

Since this is a breaking change from Suricata 8, unique names
are configurable (default value off) with this setting

        logging:
          entropy:
            make-unique: on

When `make-unique` is on, entropy-related flow variable names are
structured as:
     <sticky_buffer>_<sid>

The default setting of `make-unique` (off) uses this format:
     <sticky_buffer>

Discuss the new configuration variable that provides unique
names for entropy values in logging output: logging.entropy.make-unique

Issue: 7418

codecov bot commented Jul 12, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.67%. Comparing base (07b7f36) to head (82c2674).
Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #13591      +/-   ##
==========================================
+ Coverage   83.63%   83.67%   +0.03%     
==========================================
  Files        1011     1011              
  Lines      275071   275080       +9     
==========================================
+ Hits       230050   230166     +116     
+ Misses      45021    44914     -107     
Flag              Coverage Δ
fuzzcorpus        62.73% <27.27%> (+0.07%) ⬆️
livemode          19.01% <0.00%> (-0.01%) ⬇️
pcap              44.70% <0.00%> (-0.02%) ⬇️
suricata-verify   65.08% <100.00%> (+0.01%) ⬆️
unittests         59.18% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown.


@suricata-qa

Information: QA ran without warnings.

Pipeline = 26871
# Ensure that logged entropy values have unique names by appending the signature_id
# of the rule where used
#entropy:
Member

think this belongs in eve

Contributor Author

It's really a global setting and is independent of an output module.

The variable name must be determined during rule setup time -- as entropy usages are encountered -- to ensure that the variable names are not overwritten (with the sid, the names are unique).

@catenacyber
Contributor

Use a unique name for flowvar by appending the signature id to the name.

I am not sure this is unique, see OISF/suricata-verify#2588 (comment)

  • a flow may have multiple txs
  • a tx may have multiple files (for example I could write a signature to detect an HTTP POST with 2 files: one having a low entropy, and the other file having a high entropy)

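To make the uniqueness concern concrete, here is an added toy model (not Suricata's code, and not part of this thread) of a flow-scoped flowvar namespace under both naming schemes from this PR; the rules, sids, entropy values and the `Rule`/`Match` helpers are constructed. It shows that the sid suffix separates different rules within one flow, but a single rule matching two files in one tx, or matching in two txs of one flow, still writes to the same name.

```python
# Added example (not Suricata code): a toy model of the flow-scoped flowvar
# namespace, to check whether the naming schemes discussed in this PR
# actually yield unique names. Rules, matches and entropy values are constructed.
from collections import namedtuple

Rule = namedtuple("Rule", "sid sticky_buffer")
# One entropy-keyword match: the rule, plus which tx/file in the flow it hit.
# Note that tx and file do not take part in either naming scheme.
Match = namedtuple("Match", "rule tx file entropy")


def flowvar_name(rule, make_unique):
    """Naming from the PR: <sticky_buffer>_<sid> when make-unique is on,
    <sticky_buffer> when it is off."""
    if make_unique:
        return f"{rule.sticky_buffer}_{rule.sid}"
    return rule.sticky_buffer


def log_flowvars(matches, make_unique):
    """Store every match's entropy in one flow-scoped dict, as a flowvar would be.
    Returns the final dict and how many earlier values were overwritten."""
    flowvars = {}
    overwritten = 0
    for m in matches:
        name = flowvar_name(m.rule, make_unique)
        if name in flowvars:
            overwritten += 1
        flowvars[name] = m.entropy
    return flowvars, overwritten


# Constructed sample rules (hypothetical sids) that both use the file.data buffer.
LOW_RULE = Rule(sid=1000001, sticky_buffer="file.data")
HIGH_RULE = Rule(sid=1000002, sticky_buffer="file.data")

# Scenario A: two different rules match in the same flow; the sid suffix fixes this.
TWO_RULES = [Match(LOW_RULE, tx=1, file=1, entropy=2.1),
             Match(HIGH_RULE, tx=1, file=2, entropy=7.9)]

# Scenario B: one rule matches two files of one tx (the HTTP POST case raised above).
TWO_FILES = [Match(LOW_RULE, tx=1, file=1, entropy=2.1),
             Match(LOW_RULE, tx=2 - 1, file=2, entropy=7.9)]

# Scenario C: one rule matches in two txs of the same flow.
TWO_TXS = [Match(LOW_RULE, tx=1, file=1, entropy=2.1),
           Match(LOW_RULE, tx=2, file=1, entropy=3.3)]

if __name__ == "__main__":  # quick demo of the three scenarios
    for label, ms in (("rules", TWO_RULES), ("files", TWO_FILES), ("txs", TWO_TXS)):
        print(label, log_flowvars(ms, False), log_flowvars(ms, True))
```

With make-unique off every scenario collapses to a single `file.data` entry; with it on, only scenario A keeps both values.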
@jlucovsky
Contributor Author

Continued in #13621

@jlucovsky jlucovsky closed this Jul 19, 2025