Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect: don't run pkt sigs on ffr pkts #12095

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

detect: don't run pkt sigs on ffr pkts #12095

wants to merge 1 commit into from
+4 −0

Conversation

victorjulien
Copy link
Member

Last packet from the TLS TCP session moves TCP state to CLOSED.

This flags the app-layer with APP_LAYER_PARSER_EOF_TS or APP_LAYER_PARSER_EOF_TC depending on the direction of the final packet. This flag will just have been set in a single direction.

This leads to the last packet updating the inspect id in that packets direction.

At the end of the TLS session a pseudo packet is created, because:

  • flow has ended
  • inspected tx id == 0, for at least one direction
  • total txs is 1

Then a packet rule matches:

alert tcp any any -> any 443 (flow: to_server;                  \
        flowbits:isset,tls_error;                               \
        sid:09901033; rev:1;                                    \
        msg:"Allow TLS error handling (outgoing packet)"; )

The SIG_MASK_REQUIRE_REAL_PKT is not preventing the match, as the flowbits keyword doesn't set it.

To avoid this match. This patch skips signatures of the SIG_TYPE_PKT for flow end packets.

Ticket: #7318.

SV_BRANCH=OISF/suricata-verify#2121

@victorjulien
detect: don't run pkt sigs on ffr pkts
8d0fa24 
Last packet from the TLS TCP session moves TCP state to CLOSED.

This flags the app-layer with APP_LAYER_PARSER_EOF_TS or
APP_LAYER_PARSER_EOF_TC depending on the direction of the final packet.
This flag will just have been set in a single direction.

This leads to the last packet updating the inspect id in that packets
direction.

At the end of the TLS session a pseudo packet is created, because:
 - flow has ended
 - inspected tx id == 0, for at least one direction
 - total txs is 1

Then a packet rule matches:

```
alert tcp any any -> any 443 (flow: to_server;                  \
        flowbits:isset,tls_error;                               \
        sid:09901033; rev:1;                                    \
        msg:"Allow TLS error handling (outgoing packet)"; )
```

The `SIG_MASK_REQUIRE_REAL_PKT` is not preventing the match, as the
`flowbits` keyword doesn't set it.

To avoid this match. This patch skips signatures of the `SIG_TYPE_PKT`
for flow end packets.

Ticket: OISF#7318.
@codecov Codecov
Copy link

codecov bot commented Nov 7, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.25%. Comparing base (dd71ef0) to head (8d0fa24).
Report is 19 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12095      +/-   ##
==========================================
- Coverage   83.25%   83.25%   -0.01%     
==========================================
  Files         910      906       -4     
  Lines      257571   257649      +78     
==========================================
+ Hits       214450   214501      +51     
- Misses      43121    43148      +27
Flag Coverage Δ
fuzzcorpus 61.24% <100.00%> (+0.07%) ⬆️
livemode 19.42% <50.00%> (+0.01%) ⬆️
pcap 44.37% <50.00%> (-0.10%) ⬇️
suricata-verify 62.74% <100.00%> (-0.05%) ⬇️
unittests 59.28% <50.00%> (-0.07%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 23284

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@victorjulien @suricata-qa