Skip to content

Detect rule types/v21#8928

Closed
victorjulien wants to merge 4 commits into
OISF:masterfrom
victorjulien:detect-rule-types/v21
Closed

Detect rule types/v21#8928
victorjulien wants to merge 4 commits into
OISF:masterfrom
victorjulien:detect-rule-types/v21

Conversation

@victorjulien
Copy link
Copy Markdown
Member

@victorjulien victorjulien commented May 25, 2023

SV_BRANCH=pr/1219

replaces #8906

@victorjulien
detect: minor cleanup
681b4c3
@victorjulien
detect/pcre: remove redundant applayer flag set
f6f2c22
@victorjulien
detect: use explicit rule types
fb3aa08 
Instead of using flags to indicate a rule type, use an explicit `type`
field.

Define the following fields:

- SIG_TYPE_IPONLY: sig meets IP-only criteria and is handled by the IP-only
  engine.
- SIG_TYPE_PDONLY: sig inspects protocol detection results only.
- SIG_TYPE_DEONLY: sig inspects decoder events only.
- SIG_TYPE_PKT:    sig is inspected per packet.
- SIG_TYPE_PKT_STREAM: sig is inspected against either packet payload or
  stream payload.
- SIG_TYPE_STREAM: sig is inspected against the reassembled stream
- SIG_TYPE_APPLAYER: sig is inspected against an app-layer property, but not
  against a tx engine.
- SIG_TYPE_APP_TX: sig is inspected the tx aware inspection engine(s).

Ticket: OISF#6085.
@victorjulien
detect/analyzer: add the type
69cbc0a 
Per rule type record properties of the type.

Example output:

    "type": "ip_only",
@codecov
Copy link
Copy Markdown

codecov Bot commented May 25, 2023

Codecov Report

Merging #8928 (69cbc0a) into master (afef35b) will increase coverage by 0.00%.
The diff coverage is 81.88%.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #8928   +/-   ##
=======================================
  Coverage   82.34%   82.34%           
=======================================
  Files         969      969           
  Lines      273336   273431   +95     
=======================================
+ Hits       225090   225169   +79     
- Misses      48246    48262   +16
Flag Coverage Δ
fuzzcorpus 64.74% <47.76%> (-0.02%) ⬇️
suricata-verify 60.50% <81.34%> (+0.02%) ⬆️
unittests 62.93% <47.10%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link
Copy Markdown

suricata-qa commented May 25, 2023
edited by victorjulien
Loading

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.flow.memuse 526058088 1107314472 210.49%

image

Pipeline 14072

This was referenced May 26, 2023
Closed
Closed
Closed
Closed
Merged
@victorjulien
Copy link
Copy Markdown
Member Author

victorjulien commented May 31, 2023

Merged in #8945 after minor fixups.

@catenacyber catenacyber mentioned this pull request Jun 9, 2023
Closed
@victorjulien victorjulien deleted the detect-rule-types/v21 branch July 17, 2023 10:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@victorjulien @suricata-qa