Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect: add vlan.id keyword - v8 #12333

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

detect: add vlan.id keyword - v8 #12333

wants to merge 1 commit into from
+481 −0

Conversation

AkakiAlice
Copy link
Contributor

Ticket: #1065

Contribution style:

Our Contribution agreements:

Changes (if applicable):

Link to ticket: https://redmine.openinfosecfoundation.org/issues/1065

Description:

  • Introduce vlan.id keyword

vlan_id.rs changes:

  • rustfmt

SV_BRANCH=OISF/suricata-verify#2208
Previous PR: #12324

@AkakiAlice
detect: add vlan.id keyword
6e4ae02 
vlan.id matches on Virtual Local Area Network IDs
It is an unsigned 16-bit integer
Valid range for the default configuration = [1-4094]
Supports prefiltering

Ticket: OISF#1065
@codecov Codecov
Copy link

codecov bot commented Jan 2, 2025

Codecov Report

Attention: Patch coverage is 94.57014% with 12 lines in your changes missing coverage. Please review.

Project coverage is 83.20%. Comparing base (6f937c7) to head (6e4ae02).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12333      +/-   ##
==========================================
- Coverage   83.26%   83.20%   -0.06%     
==========================================
  Files         912      914       +2     
  Lines      257643   257864     +221     
==========================================
+ Hits       214521   214564      +43     
- Misses      43122    43300     +178
Flag Coverage Δ
fuzzcorpus 61.10% <8.92%> (-0.04%) ⬇️
livemode 19.39% <8.92%> (-0.01%) ⬇️
pcap 44.40% <8.92%> (-0.02%) ⬇️
suricata-verify 62.90% <83.92%> (+0.03%) ⬆️
unittests 59.19% <64.25%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

catenacyber
catenacyber approved these changes Jan 2, 2025
View reviewed changes
Copy link
Contributor

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI : 🟢
Code : cool
Commits segmentation : ok
Commit messages : nice
Git ID set : looks fine for me
CLA : you already contributed
Doc update : excellent
Redmine ticket : ok
Rustfmt : ok for vlan_id.rs
Tests : nice
Dependencies added: none

victorjulien
victorjulien requested changes Jan 6, 2025
View reviewed changes
Copy link
Member

@victorjulien victorjulien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see inline

src/detect-vlan-id.c

static int PrefilterSetupVlanId(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{
return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_VLAN_ID, SIG_MASK_REQUIRE_FLOW,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we require flow here for a packet matching keyword? Shouldn't this be SIG_MASK_REQUIRE_REAL_PKT?

doc/userguide/rules/vlan-keywords.rst
=============== ================================================
[default] Match all layers
0 - 2 Match specific layer
``-3`` - ``-1`` Match specific layer with back to front indexing
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be good to clarify what front indexing means here. Perhaps with a small illustration to indicate how the indexing works, e.g.

[ethernet]
[vlan 666 (index 0 and -2)]
[vlan 123 (index 1 and -1)]
[ipv4]
[udp]

rust/src/detect/vlan_id.rs
#[derive(Debug, PartialEq)]
pub struct DetectVlanIdData {
pub du16: DetectUintData<u16>,
pub layer: i8,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this need some documentation

doc/userguide/rules/vlan-keywords.rst
0 - 2 Match specific layer
``-3`` - ``-1`` Match specific layer with back to front indexing
all Match only if all layers match
count Match on the number of layers
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

while I like that we can match on this, I do question integrating it with a vlan.id keyword. Should we have a vlan.layers keyword instead? I feel that these options are not only not about the id, they also bring their own syntax.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien victorjulien requested changes

@catenacyber catenacyber catenacyber approved these changes

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AkakiAlice @victorjulien @catenacyber