Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat/classtype unknown/v17 #4285

Closed
wants to merge 33 commits into from
Closed

Feat/classtype unknown/v17 #4285

wants to merge 33 commits into from

Conversation

victorjulien
Copy link
Member

@victorjulien
detect/classtype: fix parsing error checking
941e309
@victorjulien
detect/classtype: warn on duplicate classtype
e92b91c 
Issue warning instead of erroring and invalidating the rule.

It's not a very serious issue, so don't error out.
@victorjulien
detect/classtype: clean up error handling
6a001e8
@victorjulien
detect/priority: minor cleanups
e8054e5
@victorjulien
detect: use BIT_U32 macros for INIT flags
25a997f
@victorjulien
detect/priority: change duplicate priority behavior
9c783df 
Introduce Signature init_flag to indicate priority has been set.
This will be needed in a follow-up classtype update.

Detect duplicate priority instances in a keyword, and use the
highest priority in the rule. Do issue a warning in this case.
@victorjulien
detect/classtype: change duplicate classtype behavior
3eeef3a 
Detect duplicate instances and use the one with the highest
priority.

Use new priority flag to make the logic around explicit priority
sets easier to follow.

Minor code cleanups. Also clean up unittests.
@victorjulien
classtype: reduce scope of functions
ad173fe
@victorjulien
classtype: put UNITTESTS guards where appropriate
bd23e63
@victorjulien
classtype: small memory reduction
81dbe0f 
Reduce memory use by making sure SCClassConfClasstype
has a more optimal memory layout.
@victorjulien
classtype: increase id size
a166740 
Switch from u8 to u16 to allow for more classtypes.

Rename Signature::class to Signature::class_id to make it clear
it is an id.
@victorjulien
detect/classtype: allow undefined classtypes
45a5d84 
Effect of classification on Suricata's working is minimal. Impact
of adding undefined classtypes is large: rules will fail to load
completely. This also leads multiple lines of log output per rule,
which in a large ruleset can lead to excessive output.

This patch changes the classtype keyword behavior. Instead of erroring
and invalidating a rule, we will merely warn.

The undefined classtype is then defined with a default priority,
so other rules using the classtype will not also warn. This way
there will be just a single warning per missing classtype.
@victorjulien
detect/priority: use global define for default prio
a7d8317
@victorjulien
detect/classtype: show file and line for unknown classtype
ec6b75c
@victorjulien
classtype: use global defines for size limits
5fd6224
@victorjulien
classtype: handle missing classification.config
e2991ae 
Still initialize the classtype hash table so that the classtypes
rules use can be added to it.

The file missing now reports a warning instead of error, as we
will continue to work.
@victorjulien
detect/classtype: check size of rule input
d2a0b28
@victorjulien
detect/reference: code cleanups
cfc421b
@victorjulien
reference: use global defines for size limits
fe11b26
@victorjulien
reference: change scope of add func to global
4b0ad3c
@victorjulien
detect/reference: allow undefined references
9c35a38 
References are currently not used in Suricata, so erroring out on
rules using a undefined reference is too harsh.

Just issue a warning once per unique missing reference.
@victorjulien
detect: use named enum for keyword types
32ba2e1
@victorjulien
detect/parse: add --strict-rule-keywords option
da9980b 
Add --strict-rule-keywords commandline option to enable strict rule
parsing.

It can be used without options or with a comma separated list:
--strict-rule-keywords
--strict-rule-keywords=all
--strict-rule-keywords=classtype,reference

Parsing implementations can use SigMatchStrictEnabled to check
if strict parsing is enabled for them and act accordingly.

SQUASH strict option
@victorjulien
detect/classtype: implement strict parsing option
436b0c0
@victorjulien
detect/reference: implement strict parsing option
a5746a4
@victorjulien
tls/ja3: allow dynamic enabling of ja3
bd67d02
@victorjulien
tls/ja3: don't disable; allowing runtime enabling
2a652da
@victorjulien
tls/ja3: add way to check active config
7e4f4a7
@victorjulien
tls/ja3: try to enable ja3 if rule keywords need it
f02b94d
@victorjulien
tls/ja3: allow 'auto' setting for ja3
16da334
@victorjulien
detect/parser: minor cleanup
d44b271
@victorjulien
detect/parse: allow signature parsing to fail silently
45f7d93 
A sigmatches 'Setup' function may indicate it intends to fail
silently after the first error. It will return -2 instead of -1
in this case.

This is tracked in the DetectEngineCtx object, so errors will
be shown again at rule reloads.
@victorjulien
detect/ja3: print error for one rule only
9258ff3 
Use 'silent error' logic for any other rules using ja3 as well.
@victorjulien victorjulien requested a review from a team as a code owner October 8, 2019 16:58
@jasonish
Copy link
Member

jasonish commented Oct 9, 2019

With respect to the commit "detect/ja3: print error for one rule only", I'm still seeing multiple errors. After install and rule update I changed ja_fingerprints to no, and I still get this in my output:

10395] 8/10/2019 -- 18:45:27 - (detect-tls-ja3-hash.c:133) <Error> (DetectTlsJa3HashSetup) -- [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled
[10395] 8/10/2019 -- 18:45:27 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls any any -> any any (msg:"ET JA3 Hash - Adium 1.5.10 (b)"; ja3_hash; content:"e4adf57bf4a7a2dc08e9495f1b05c0ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027977; rev:1; metadata:created_at 2019_09_10, updated_at 2019_09_10;)" from file /opt/suricata/var/lib/suricata/rules/suricata.rules at line 6669
[10395] 8/10/2019 -- 18:45:27 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls any any -> any any (msg:"ET JA3 Hash - AIM"; ja3_hash; content:"49a6cf42956937669a01438f26e7c609"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027978; rev:1; metadata:created_at 2019_09_10, updated_at 2019_09_10;)" from file /opt/suricata/var/lib/suricata/rules/suricata.rules at line 6670

Plus many more.

@victorjulien
Copy link
Member Author

Weird, it appears using -S behaves a bit different than the 'normal' way in this regard. Spotted the error, will fix up.

This was referenced Oct 9, 2019
Closed
Closed
@victorjulien
Copy link
Member Author

Merged as part of #4288

@victorjulien victorjulien deleted the feat/classtype-unknown/v17 branch October 17, 2019 10:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@victorjulien @jasonish