Dataset set postmatch 5576 v9 #11834

catenacyber · 2024-09-25T16:09:34Z

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/5576

Describe changes:

detect/dataset: delay set operation after signature full match

SV_BRANCH=OISF/suricata-verify#2000

#11719 with rebase after unset operation has been added

So, now Victor, you will ask me for more tests

rule with multibuffer + content + dataset vs traffic having multiple buffers but only one matching
rule with dataset + pcap with transaction spanning over multiple packets (like detect/flowvar: adds test for flowvar persistence suricata-verify#1999 but with dataset instead of flowvar)

Right ?

Will be useful for dataset, when it needs to find a transaction buffer again.

suricata-qa · 2024-09-25T16:20:03Z

ERROR:

ERROR: QA failed on build_asan.

Pipeline 22812

The set operation of dataset keyword was done even if signature did not fully match, which is not the expected behavior. We want dataset to behave like flowbits for instance. This patch changes the behavior of the dataset keyword to do a match and a post match for the set operation. The postmatch retrieves the data, using the list identifier associated to the buffer for this signature. This avoids to store the buffer(s), when we do not have a dedicated storage (per signature and per tx) that can own and clean arbitrary buffers over multiple packets, in the case the transaction spans over multiple packets with different tx progresses for instance. If detection runs on one packet, the InspectionBuffer are cached and fast to get. The most expensive case if for multi buffers, where we need to run detection again, to see which occurences match all payload keywords and should be added in the dataset. Ticket: OISF#5576

codecov · 2024-09-25T16:34:48Z

Codecov Report

Attention: Patch coverage is 88.31169% with 9 lines in your changes missing coverage. Please review.

Project coverage is 82.56%. Comparing base (45eb7e4) to head (3eea1e0).
Report is 50 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11834      +/-   ##
==========================================
- Coverage   82.60%   82.56%   -0.04%     
==========================================
  Files         912      912              
  Lines      249351   249413      +62     
==========================================
- Hits       205965   205918      -47     
- Misses      43386    43495     +109

Flag	Coverage Δ
fuzzcorpus	`60.44% <79.22%> (-0.16%)`	⬇️
livemode	`18.75% <48.05%> (+0.02%)`	⬆️
pcap	`44.08% <6.49%> (+0.02%)`	⬆️
suricata-verify	`62.03% <88.31%> (-0.01%)`	⬇️
unittests	`58.92% <6.49%> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

suricata-qa · 2024-09-26T02:40:03Z

Information: QA ran without warnings.

Pipeline 22853

victorjulien · 2024-10-08T08:46:58Z

I would like to avoid rerunning transforms and detection. One alternative way could be to explore having a immediate dataset operation that stores the data in a temporary location (det_ctx for example) and then uses that from post-match.

catenacyber · 2024-10-08T20:37:08Z

I would like to avoid rerunning transforms and detection.

Ok...
Note that transforms should be cached in the regular case ;-)

One alternative way could be to explore having an immediate dataset operation that stores the data in a temporary location (det_ctx for example) and then uses that from post-match.

This is problematic as https://redmine.openinfosecfoundation.org/issues/7197 shows it for flowvar
If the rule match spans over multiple packets (because of different tx progress), we do not have a good location to store it
What do you suggest ?

catenacyber · 2024-10-15T12:44:00Z

Next in #11962

catenacyber added 2 commits September 25, 2024 18:01

ci/live: test for sid 1 existence, not in last position

e553009

detect: postmatch can run AppLayerTxMatch callbacks

8bd7e82

Will be useful for dataset, when it needs to find a transaction buffer again.

catenacyber requested review from jasonish and victorjulien as code owners September 25, 2024 16:09

catenacyber mentioned this pull request Sep 25, 2024

Dataset set postmatch 5576 v8 #11719

Closed

catenacyber force-pushed the dataset-set-postmatch-5576-v9 branch from e9282b2 to 3eea1e0 Compare September 25, 2024 16:21

inashivb self-requested a review October 14, 2024 05:41

catenacyber mentioned this pull request Oct 15, 2024

Dataset set postmatch 5576 v10 #11962

Draft

catenacyber closed this Oct 15, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dataset set postmatch 5576 v9 #11834

Dataset set postmatch 5576 v9 #11834

catenacyber commented Sep 25, 2024

suricata-qa commented Sep 25, 2024

codecov bot commented Sep 25, 2024 •

edited

Loading

suricata-qa commented Sep 26, 2024

victorjulien commented Oct 8, 2024

catenacyber commented Oct 8, 2024

catenacyber commented Oct 15, 2024

Dataset set postmatch 5576 v9 #11834

Dataset set postmatch 5576 v9 #11834

Conversation

catenacyber commented Sep 25, 2024

suricata-qa commented Sep 25, 2024

codecov bot commented Sep 25, 2024 • edited Loading

Codecov Report

suricata-qa commented Sep 26, 2024

victorjulien commented Oct 8, 2024

catenacyber commented Oct 8, 2024

catenacyber commented Oct 15, 2024

codecov bot commented Sep 25, 2024 •

edited

Loading