Skip to content

detect: factorize code for DetectSetupDirection #13120

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

detect: factorize code for DetectSetupDirection #13120

wants to merge 1 commit into from

Conversation

catenacyber
Copy link
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7665

Describe changes:

  • detect: transactional rules allow filesize keyword

This means adding facility to allow non-sticky buffer keywords

  • Moving DetectSetupDirection call site to SigParseOptions instead of in each keyword and use a new flag SIGMATCH_SUPPORT_DIR
  • DetectSetupDirection now takes a pointer to a string, and may move the string forward to allow filesize: to_client, >100; so that DetectFilesizeSetup gets called with ">100"
  • SigMatchAppendSMToList now sets only_tc and only_ts as DetectBufferSetActiveList already does

(3 commits may be better but debugging, I ended up squashing everything)

Now making transactional rules support other direction-ambiguous keywords should be one-liner like adding SIGMATCH_SUPPORT_DIR to sigmatch_table[DETECT_KEYWORD].flags

SV_BRANCH=OISF/suricata-verify#2453

#13046 with needed rebase and unit tests for DetectSetupDirection and better behavior

@catenacyber
detect: factorize code for DetectSetupDirection
e8d46b5 
Ticket: 7665

Instead of each keyword calling DetectSetupDirection, use a
new flag SIGMATCH_SUPPORT_DIR so that DetectSetupDirection gets
called, before parsing the rest of the keyword.

Allows to support filesize keyword in transactional signatures
@catenacyber catenacyber mentioned this pull request Apr 30, 2025
Closed
@codecov Codecov
Copy link

codecov bot commented Apr 30, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 87.27273% with 14 lines in your changes missing coverage. Please review.

Project coverage is 83.01%. Comparing base (033e048) to head (e8d46b5).
Report is 4 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #13120      +/-   ##
==========================================
+ Coverage   82.94%   83.01%   +0.07%     
==========================================
  Files         988      988              
  Lines      271931   272001      +70     
==========================================
+ Hits       225546   225810     +264     
+ Misses      46385    46191     -194
Flag Coverage Δ
fuzzcorpus 61.36% <37.31%> (+0.12%) ⬆️
livemode 18.95% <20.89%> (+<0.01%) ⬆️
pcap 44.78% <20.89%> (-0.01%) ⬇️
suricata-verify 64.72% <56.71%> (-0.01%) ⬇️
unittests 58.21% <82.72%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@catenacyber catenacyber force-pushed the detect-txal-filesize-7665-v3 branch from 33bb76e to e8d46b5 Compare April 30, 2025 15:46
@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 25941

@catenacyber catenacyber mentioned this pull request Apr 30, 2025
Closed
@catenacyber
Copy link
Contributor Author

Next in #13123

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish Awaiting requested review from jasonish

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@catenacyber @suricata-qa