detect/var: Restrict var usage to single buffer #13716
Issue: 1412 When in strict mode, issue an error and refuse to load the rule if variables produced from a different buffer are used with a separate buffer. When not in strict mode (default), issue a warning and load the rule. Only consider sig matches with compatible ids/lists.
Issue 1412 Add mention of byte_{extract,math,test,jump} variable usage and buffer scope and include how the command line option strict-rule-keywords affects validation.
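As an added illustration, not part of this PR or of any Suricata rule set, two constructed rules show what the variable/buffer check described above looks at: a byte_extract variable consumed in the sticky buffer that produced it, and the same variable consumed after the rule switches buffers. The sids, content strings and byte offsets are assumptions.

```suricata
# Constructed rules for illustration; sids, contents and offsets are assumptions.
# Rule 1: rec_len is produced and consumed while http.uri is the active buffer,
# so the buffer check passes and nothing is logged.
alert http any any -> any any (msg:"byte_extract and byte_test share http.uri"; \
    http.uri; content:"len="; \
    byte_extract:2,0,rec_len,relative,string,dec; \
    byte_test:2,>,rec_len,0,relative,string,dec; \
    sid:1000001; rev:1;)

# Rule 2: rec_len is produced in http.uri but consumed after the rule switches to
# http.request_body. Default mode: a warning is logged and the rule still loads.
# With --strict-rule-keywords on the command line: an error is logged and the
# rule is refused.
alert http any any -> any any (msg:"byte_extract variable used across buffers"; \
    http.uri; content:"len="; \
    byte_extract:2,0,rec_len,relative,string,dec; \
    http.request_body; \
    byte_test:2,>,rec_len,0,string,dec; \
    sid:1000002; rev:1;)
```

Loading the file in configuration test mode (`suricata -T -S <rules file>`) once with and once without `--strict-rule-keywords` shows the warning versus the load error for the second rule.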
Codecov Report: All modified and coverable lines are covered by tests.

Coverage Diff    master    #13716    +/-
Coverage         82.99%    83.73%    +0.74%
Files            1001      1011      +10
Lines            272978    275100    +2122
Hits             226556    230355    +3799
Misses           46422     44745     -1677
WARNING: Pipeline = 27152
minor things :P
- If a byte keyword (such as ``byte_extract`` or ``byte_math``, etc) is used with | ||
a variable, and that variable usage is with a buffer other than the one used | ||
to create the variable, a warning is printed and the rule is loaded. The |
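Review bot: the keyword list on the first line of this hunk, "such as ``byte_extract`` or ``byte_math``, etc", is both vague and redundant; the commit message names byte_{extract,math,test,jump}, so list all four and drop "etc". The paragraph also describes only the default (warn and load) behaviour; since the commit message asks that the docs cover how strict-rule-keywords changes validation, the error-and-refuse case should be stated alongside it.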
Should we clearly indicate the Suricata version, here?
* | ||
* \param arg The name of the variable being sought | ||
* \param s The signature to check for the variable | ||
* \param strict Match if and only iff the list sought and the list found equal. |
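Review bot: the \param strict line documents only the strict=true case ("if and only iff" should read "if and only if"); state what the non-strict case matches as well, since the PR description says non-strict matching accepts compatible ids/lists rather than requiring equality.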
nit:
* \param strict Match if and only iff the list sought and the list found equal. | |
* \param strict Match if and only iff the list sought and the list found are equal. |
Will do.
* \param s Pointer the signature to look in. | ||
* | ||
* \retval A pointer to the SigMatch if found, otherwise NULL. | ||
*/ |
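Review bot: "\param s Pointer the signature to look in." is missing "to" ("Pointer to the signature to look in."). Also, "\retval A pointer to the SigMatch if found, otherwise NULL." misuses \retval, which expects a specific return value name followed by its description; use "\return A pointer to the SigMatch if found, otherwise NULL." instead.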
Maybe update the function description, too?
Will do.
Continued in #13720
Continuation of #13622
Issue: 1412
Extend the checks added for 7549 to include buffers.
Only consider sig matches with compatible ids/lists.
Link to ticket: https://redmine.openinfosecfoundation.org/issues/1412
Describe changes:
- buffers
- init data

Updates:
- strict-rule-keywords

Provide values to any of the below to override the defaults.
Link to the pull request in the respective _BRANCH variable.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2576
SU_REPO=
SU_BRANCH=