detect: factorize code for DetectSetupDirection (transactional rules) #13046
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Ticket: 7665 Instead of each keyword calling DetectSetupDirection, use a new flag SIGMATCH_SUPPORT_DIR so that DetectSetupDirection gets called, before parsing the rest of the keyword. Allows to support filesize keyword in transactional signatures
|
Information: QA ran without warnings. Pipeline 25721 |
catenacyber
changed the title
victorjulien
requested changes
Apr 30, 2025
| */ | ||
| static int DetectSetupDirection(Signature *s, char **str, bool only_dir) | ||
| { | ||
| if (strncmp(*str, "to_client", strlen("to_client")) == 0) { |
There was a problem hiding this comment.
this will also match to_client_toto I think. Will that be detected correctly?
There was a problem hiding this comment.
yes
After matching the prefix, we check further characters : optional spaces then comma or end of string
to_client_toto gets to line 887 SCLogError("expecting to_client [, other]");
| * | ||
| * \retval 0 on success, -1 on failure | ||
| */ | ||
| static int DetectSetupDirection(Signature *s, char **str, bool only_dir) |
There was a problem hiding this comment.
why not a single pointer char *str? We're not passing something back, are we?
There was a problem hiding this comment.
We're not passing something back, are we?
Yes, we are moving forward the string pointer, so that the keyword filesize only "sees" >100 when the signature had filesize: to_client, >100;
|
Rebased in #13120 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7665
Describe changes:
This means adding facility to allow non-sticky buffer keywords
DetectSetupDirectioncall site toSigParseOptionsinstead of in each keyword and use a new flagSIGMATCH_SUPPORT_DIRDetectSetupDirectionnow takes a pointer to a string, and may move the string forward to allowfilesize: to_client, >100;so thatDetectFilesizeSetupgets called with ">100"SigMatchAppendSMToListnow setsonly_tcandonly_tsasDetectBufferSetActiveListalready does(3 commits may be better but debugging, I ended up squashing everything)
Now making transactional rules support other direction-ambiguous keywords should be one-liner like adding
SIGMATCH_SUPPORT_DIRtosigmatch_table[DETECT_KEYWORD].flagsSV_BRANCH=OISF/suricata-verify#2453
#13045 clean