
detect/http: fix progress for headers keywords #11977

Conversation

catenacyber
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7326

Describe changes:

  • detect/http: fix progress for headers keywords

SV_BRANCH=OISF/suricata-verify#2094

Should we have the generic fix of DetectAppLayerMultiRegister using only one tx progress?

#11968 with better commit message

Ticket: 7326

Having a lower progress than the right one made prefilter
bail out too early, not having found a buffer in the multi-buffer
that matched the prefilter.

Hence, we got false negatives if http.request_header or
http.response_header was used as fast pattern, and if the request
or response came in multiple packets, and the first of these packets
did not have enough data (like only the http request line),
and the next packets did have the matching data.

codecov bot commented Oct 16, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.66%. Comparing base (37fa2a6) to head (be07102).
Report is 36 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11977      +/-   ##
==========================================
- Coverage   82.77%   82.66%   -0.12%     
==========================================
  Files         910      910              
  Lines      249016   249016              
==========================================
- Hits       206134   205848     -286     
- Misses      42882    43168     +286     
Flag              Coverage   Δ
fuzzcorpus        60.56%     <100.00%> (-0.21%) ⬇️
livemode          18.71%     <100.00%> (ø)
pcap              44.13%     <100.00%> (+0.04%) ⬆️
suricata-verify   62.17%     <100.00%> (-0.03%) ⬇️
unittests         59.01%     <100.00%> (ø)


@suricata-qa

WARNING:

field                             baseline   test   %
SURI_TLPW2_autofp_stats_chk
  .flow.end.tcp_state.last_ack    0          1      -

Pipeline 23121

@inashivb
Member

Hi @catenacyber ! Could you please tell what "right one" means in your commit message "Having a lower progress than the right one.."?

@catenacyber
Contributor Author

> Could you please tell what "right one" means in your commit message "Having a lower progress than the right one.."?

Ok will do

The "right one" is the progress where you can actually get occurrences of the multi buffer

If you register a multi-buffer with a progress lower than the one where you actually get these, and you have some packets that reach this lower progress, but not the values of the multi-buffer (for example the HTTP request line, but not the http headers), prefilter will see that there are 0 values for the multi-buffer and conclude that this signature will never match for this transaction...

Does that explanation make things clearer?
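To make the mechanism in the comment above concrete, here is a small C model added for illustration; it is not code from the Suricata tree. It models a multi-buffer (the HTTP headers) whose values only exist once the transaction has reached header-parsing progress, and a prefilter engine that, if registered at the earlier request-line progress, sees zero buffers on the first packet and rules the signature out before the headers arrive. The progress values, struct layouts and the "rule out for the rest of the tx" rule are assumptions of the model, and the header lines are constructed sample input.

```c
#include <stdbool.h>
#include <string.h>

/* Assumed progress values: the request line parses before the headers. */
enum { PROGRESS_REQUEST_LINE = 1, PROGRESS_HEADERS = 2 };

typedef struct {
    int progress;            /* how far the parser got on this transaction */
    const char *headers[4];  /* header lines, NULL-terminated (assumed layout) */
} HttpTx;

/* Multi-buffer getter: header buffers only exist once headers are parsed. */
static const char *GetHeaderBuffer(const HttpTx *tx, int idx) {
    if (tx->progress < PROGRESS_HEADERS) return NULL;
    return tx->headers[idx];
}

typedef struct {
    int registered_progress; /* progress the engine was registered for */
    const char *fast_pattern;
    bool no_match_for_tx;    /* prefilter concluded "never matches this tx" */
} PrefilterEngine;

/* Model of the prefilter step: runs once the tx reaches the registered
 * progress; seeing no buffer with the pattern, it rules the signature out. */
static void PrefilterRun(PrefilterEngine *e, const HttpTx *tx) {
    if (e->no_match_for_tx || tx->progress < e->registered_progress) return;
    bool found = false;
    const char *buf;
    for (int i = 0; (buf = GetHeaderBuffer(tx, i)) != NULL; i++)
        if (strstr(buf, e->fast_pattern) != NULL) found = true;
    if (!found) e->no_match_for_tx = true;
}

/* Request split over two packets: first only the request line, then the
 * headers. Returns true if the fast pattern is matched in the end. */
static bool SimulateTwoPackets(int registered_progress) {
    PrefilterEngine e = { registered_progress, "evil", false };
    HttpTx tx = { PROGRESS_REQUEST_LINE, { NULL } };
    PrefilterRun(&e, &tx);                /* packet 1: request line only */
    tx.progress = PROGRESS_HEADERS;       /* packet 2: headers arrive */
    tx.headers[0] = "Host: example.test"; /* constructed sample headers */
    tx.headers[1] = "X-Tag: evil";
    PrefilterRun(&e, &tx);
    return !e.no_match_for_tx;
}
```

Registering at PROGRESS_REQUEST_LINE reproduces the false negative; registering at PROGRESS_HEADERS (the "right" progress) lets the second packet match.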

@catenacyber
Contributor Author

Next in #12056
