New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add negation support for TLS and corresponding unit tests #5763
Conversation
Codecov Report
@@ Coverage Diff @@
## master #5763 +/- ##
==========================================
+ Coverage 76.87% 77.07% +0.19%
==========================================
Files 613 613
Lines 186697 186792 +95
==========================================
+ Hits 143529 143963 +434
+ Misses 43168 42829 -339
Flags with carried forward coverage won't be shown. Click here to find out more. |
Thanks for this @Fredamabob |
Hey, thanks for the feedback. I think rewriting it in Rust would be nice - but a larger task than expected. Do you think it'd be better to go with smaller changes to be safer, and open up another ticket for that? |
This PR is ok as is. |
|
||
Supported values: "1.0", "1.1", "1.2", "1.3" | ||
Supported values: "1.0", "1.1", "1.2", "1.3", "!1.0", "!1.1", "!1.2", "!1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this support multiple values ?
Like either 1.1 or 1.2 ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. It will match on values 1.0->1.3, and !1.0->!1.3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was not what I was asking.
Is it possible with this keyword to match on TLS flows which will either be TLS 1.1 or TLS 1.2 (but not TLS 1.3, not TLS 1.0 and not SSLv2 or 3) ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also found out recently about SIGMATCH_HANDLE_NEGATION
Is this related ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah alright, my bad. After a bit of testing with suricata-verify, it seems that the answer may be no...
SIGMATCH_HANDLE_NEGATION
appears to be very similar to the approach implemented here, it may be related - I am only aware of this now that you have mentioned it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@catenacyber Hi, sorry about the late reply. I can look into this if you'd like, but it might take awhile for me to get back to it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, no rush, just wanted to know if this PR still alive :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the long delay. I have updated it to use the flag SIGMATCH_HANDLE_NEGATION instead of using a new flag defined in detect-tls-version.h.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this improvement, I think CI will fail because of the PCRE1/PCRE2 thing cf other comment. Could you please take care of that ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I'll take a look into that later this week!
9448977
to
2e50e33
Compare
2e50e33
to
f8b4cdf
Compare
src/detect-tls-version.c
Outdated
pcre2len = sizeof(ver_ptr); | ||
res = pcre2_substring_copy_bynumber( | ||
parse_regex.match, 1, (PCRE2_UCHAR8 *)ver_ptr, &pcre2len); | ||
res = pcre_copy_substring((char *)str, ov, MAX_SUBSTRINGS, 1, ver_ptr, sizeof(ver_ptr)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should now use PCRE2 which got merged in master, and no longer PCRE1...
Basically, that means you should leave untouched DetectParsePcreExec
and such... and your PR should work
f8b4cdf
to
c4bab5b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me
src/tests/detect-tls-version.c
Outdated
@@ -86,7 +102,7 @@ static int DetectTlsVersionTestDetect01(void) | |||
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; | |||
f.alproto = ALPROTO_TLS; | |||
|
|||
StreamTcpInitConfig(true); | |||
StreamTcpInitConfig(TRUE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
StreamTcpInitConfig
requires a bool
so please remove this and similar changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed these changes.
c4bab5b
to
105f2c4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Test change requested. Also generally please implement changes in a new branch and PR. This makes it easier to review. Thanks!
/* | ||
* Test that a TLS version 1.0 packet will match on a !1.1 version signature | ||
*/ | ||
static int DetectTlsVersionTestDetect03(void) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we're actively trying to move away from these types of unittests in favor of suricata-verify tests. The unittests that mimic traffic and setting up all the layers (packet, stream, flow, etc) are generally taking too many shortcuts that hurt us later.
Make sure these boxes are signed before submitting your Pull Request -- thank you.
Link to ticket: https://redmine.openinfosecfoundation.org/issues/2269
Describe changes: