detect/entropy: Unique flowvar names #13722
base: main
Conversation
Issue: 7814

Support unique flow variable names for entropy-related values. Since this is a breaking change from Suricata 8, unique names are configurable (default value off) with this setting:

```yaml
logging:
  entropy:
    make-unique: on
```

When `make-unique` is on, entropy-related flow variable names are structured as:

    sid:<sid>;buffer:<buffer>;instance:<instance>

Instance is a small integer value corresponding to the number of entropy values in the rule. The first entropy usage will create a flow variable with an instance value of 1; the second will use 2, and so on. This is necessary to disambiguate the flow variable names.

When `make-unique` is off (default = off), this format is used:

    <sticky_buffer>
Discuss the new configuration variable that provides unique names for entropy values in logging output: logging.entropy.make-unique

Issue: 7418
Codecov Report
❌ Patch coverage is
Additional details and impacted files

@@ Coverage Diff @@
##              main   #13722      +/-   ##
==========================================
+ Coverage   82.99%   83.73%   +0.73%
==========================================
  Files        1001     1011      +10
  Lines      272978   275083    +2105
==========================================
+ Hits       226556   230328    +3772
+ Misses      46422    44755    -1667
Information: QA ran without warnings. Pipeline = 27165
    "metadata": {
      "entropy": {
        "file_data_391933_1": 4.265743301617466
      }
    }
We gave up on the idea of having an array, here, so as to not have to append the instance to the name? Or was it too ugly to implement?
    entropy was calculated. Often, more context is needed and the configuration setting shown
    below will amend the sticky buffer name with the signature id and instance number from the rule
    that caused the entropy value calculation. The instance number changes for each ``entropy``
    keyword usage within a rule. The default value is ``off``. We strongly recommend changing
very nit:
What is this instance number?

The instance number tracks the occurrence of the keyword in each rule. Not all rules will have multiple occurrences of the keyword in a single rule.

So, I fear this does not remove ambiguity in case of multi-buffers, right?
Needs a rebase, and I would like to have a clear definition of "instance"
And maybe more tests with multi-buffer like
http.request_header; content: toto; entropy: >4; http.request_header; content: titi; entropy: <4;
(and the first header titi does not have entropy < 4)
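The naming scheme from the PR description and the instance-number question in the thread above can be checked end to end with the following simulation. This is an added example, not Suricata's code: it rebuilds the `sid:<sid>;buffer:<buffer>;instance:<instance>` name from the rule options (the tokenizer is a deliberate simplification that treats any value-less option containing a dot, or `file_data`, as a sticky buffer), shows which names collide across rules when `make-unique` is off, and splits the names back out of a constructed eve.json alert. The sample rules, the eve line and the placement of `metadata` under `alert` are assumptions for the example; the review snippet above uses an underscore-joined name, whereas this example follows the `sid:...;buffer:...;instance:...` format stated in the description.

```python
# Added example (not Suricata's code): simulate the entropy flowvar naming rule
# this PR describes, parse names back, and show why non-unique names collide.
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EntropyUse:
    sid: int
    buffer: str    # sticky buffer in force when the entropy keyword appeared
    instance: int  # 1-based position of this entropy keyword within its rule


def flowvar_name(use: EntropyUse, make_unique: bool) -> str:
    """With make-unique on: sid:<sid>;buffer:<buffer>;instance:<n>.
    With make-unique off: just the sticky buffer name (the Suricata 8 behaviour)."""
    if make_unique:
        return f"sid:{use.sid};buffer:{use.buffer};instance:{use.instance}"
    return use.buffer


_NAME_RE = re.compile(r"^sid:(\d+);buffer:([^;]+);instance:(\d+)$")


def parse_flowvar_name(name: str) -> Optional[EntropyUse]:
    """Inverse of flowvar_name for the unique format; None for the plain format."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    return EntropyUse(int(m.group(1)), m.group(2), int(m.group(3)))


def entropy_uses(sid: int, rule_options: str) -> list[EntropyUse]:
    """Walk a rule's option string and number each 'entropy' keyword in order
    of appearance. Simplified tokenizer (assumption): a value-less option that
    contains a dot, or 'file_data', switches the current sticky buffer."""
    uses: list[EntropyUse] = []
    buffer: Optional[str] = None
    instance = 0
    for opt in rule_options.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        key = key.strip()
        if not value and ("." in key or key == "file_data"):
            buffer = key
        elif key == "entropy":
            instance += 1
            uses.append(EntropyUse(sid, buffer or "<no sticky buffer>", instance))
    return uses


def name_collisions(rules: dict[int, str], make_unique: bool) -> dict[str, int]:
    """Flowvar names produced by more than one entropy keyword across all rules.
    Flowvars share one global namespace, so each of these would be overwritten."""
    counts = Counter(
        flowvar_name(u, make_unique)
        for sid, opts in rules.items()
        for u in entropy_uses(sid, opts)
    )
    return {name: n for name, n in counts.items() if n > 1}


def decode_eve_entropy(eve_line: str) -> list[tuple[Optional[EntropyUse], float]]:
    """Split every key of metadata.entropy in one eve.json record (assumed to
    sit under 'alert' here) into its sid/buffer/instance parts plus the value."""
    rec = json.loads(eve_line)
    entropy = rec.get("alert", {}).get("metadata", {}).get("entropy", {})
    return [(parse_flowvar_name(k), float(v)) for k, v in entropy.items()]


# Constructed sample rules: two plain file_data rules plus the multi-buffer
# rule quoted in the review thread.
RULES = {
    1: "file_data; entropy: >7;",
    2: "file_data; entropy: <4;",
    3: "http.request_header; content: toto; entropy: >4; "
       "http.request_header; content: titi; entropy: <4;",
}

# Constructed eve.json line in the unique-name format (values are made up).
EVE_LINE = json.dumps({
    "event_type": "alert",
    "alert": {"signature_id": 3, "metadata": {"entropy": {
        "sid:3;buffer:http.request_header;instance:1": 4.2,
        "sid:3;buffer:http.request_header;instance:2": 3.1,
    }}},
})

if __name__ == "__main__":
    print("make-unique off:", name_collisions(RULES, False))  # both buffers collide
    print("make-unique on: ", name_collisions(RULES, True))   # {}
    for use, value in decode_eve_entropy(EVE_LINE):
        print(use, value)
```

Run as a script, it lists `file_data` and `http.request_header` as colliding names with `make-unique` off and no collisions with it on; the instance number only distinguishes the two `entropy` keywords of rule 3 from each other, which is exactly the scope the thread above is asking about.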
Continuation of #13621

Use unique variable names for each flowvar as they come from a global namespace. The chosen name is:

    sid:<signature_id>;buffer:<buffer-name>;instance:<instance#>

Describe changes:

Updates:
logging.entropy.make-unique
sid:<signature_id>;buffer:<buffer-name>;instance:<instance#>

Issue: 7814
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7814
Provide values to any of the below to override the defaults.
- link to the pull request in the respective _BRANCH variable.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2588
SU_REPO=
SU_BRANCH=