Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

File hashing 4279 v4 #5929

Closed
wants to merge 4 commits into from
Closed

File hashing 4279 v4 #5929

wants to merge 4 commits into from

Conversation

rtkjweeks
Copy link

@rtkjweeks rtkjweeks commented Feb 25, 2021
edited

Make sure these boxes are signed before submitting your Pull Request -- thank you.

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4279

Previous PR:
#5882

Describe changes:

suricata-verify-pr: 430
#suricata-verify-repo:
#suricata-verify-branch:
#suricata-update-pr:
#suricata-update-repo:
#suricata-update-branch:
#libhtp-pr:
#libhtp-repo:
#libhtp-branch:

rtkrruvinskiy and others added 3 commits February 25, 2021 16:19
@rtkrruvinskiy @rtkjweeks
files: allow hashes for truncated files
6463155 
Files are truncated when they exceed stream reassembly depth. However, for some
purposes, a hash of the prefix of the file is still useful, as
long as we know the size of this prefix. We therefore change the logging logic
to output the hash in the case of file truncation.
@rtkjweeks
files: file-hash-byte-limit option
8d00920 
Allow capping number of bytes of files used for file hash. This is to allow
for consistency and avoid relying on whatever the stream reassembly limit
happens to be. If 0 or not present, the original behaviour of hashing up to the
stream reassembly limit remains. If the value is greater than the stream
reassembly limit, the stream reassembly limit takes precedence.
@rtkjweeks
files: update the function documentation
68db5de
@rtkjweeks rtkjweeks mentioned this pull request Feb 25, 2021
Closed
3 tasks
@rtkjweeks rtkjweeks force-pushed the file-hashing-4279-v4 branch 2 times, most recently from 5ef4d2e to eba5b5c Compare February 26, 2021 18:27
@codecov
Copy link

codecov bot commented Feb 26, 2021
edited

Codecov Report

Merging #5929 (4edf0dc) into master (0ac5c53) will decrease coverage by 0.00%.
The diff coverage is 77.36%.

@@            Coverage Diff             @@
##           master    #5929      +/-   ##
==========================================
- Coverage   76.69%   76.68%   -0.01%     
==========================================
  Files         604      604              
  Lines      187657   187837     +180     
==========================================
+ Hits       143926   144046     +120     
- Misses      43731    43791      +60
Flag Coverage Δ
fuzzcorpus 52.54% <34.48%> (-0.02%) ⬇️
suricata-verify 49.89% <84.80%> (+0.05%) ⬆️
unittests 63.07% <64.37%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

jasonish
jasonish reviewed Sep 3, 2021
View reviewed changes
rust/src/ffi/hashing.rs
Comment on lines +222 to +231
if !bytes_hashed.is_null() {
if g_hash_byte_limit > 0 {
let bytes_remaining = match g_hash_byte_limit > *bytes_hashed {
true => g_hash_byte_limit - *bytes_hashed,
false => 0,
};
if len > bytes_remaining {
len = bytes_remaining;
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like the length logic being put into a low level hashing function which is not file-store specific. I think this accounting should be moved out of here.

jasonish
jasonish requested changes Sep 3, 2021
View reviewed changes
Copy link
Member

@jasonish jasonish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general I'm in favour of this approach, I just don't want specifics of filestore to leak into the lower level hashing API.

@jasonish
Copy link
Member

Ping @rtkjweeks, any plans to continue on this?

victorjulien added a commit to victorjulien/suricata that referenced this pull request Mar 23, 2023
@victorjulien
detect/urilen: fix applying urilen as depth
169a8bf 
If urilen induced depth was set, later DetectContentPropagateLimits()
would apply a wrong depth setting, leading to a false negative in
some cases.

Bug: OISF#5929.
victorjulien added a commit to victorjulien/suricata that referenced this pull request Mar 23, 2023
@victorjulien
detect/urilen: fix applying urilen as depth
6ffd33e 
If urilen induced depth was set, later DetectContentPropagateLimits()
would apply a wrong depth setting, leading to a false negative in
some cases.

Bug: OISF#5929.
victorjulien added a commit to victorjulien/suricata that referenced this pull request Mar 23, 2023
@victorjulien
detect/urilen: fix applying urilen as depth
63b97cf 
If urilen induced depth was set, later DetectContentPropagateLimits()
would apply a wrong depth setting, leading to a false negative in
some cases.

Bug: OISF#5929.
victorjulien added a commit to victorjulien/suricata that referenced this pull request Mar 24, 2023
@victorjulien
detect/urilen: fix applying urilen as depth
ba7db25 
If urilen induced depth was set, later DetectContentPropagateLimits()
would apply a wrong depth setting, leading to a false negative in
some cases.

Bug: OISF#5929.
victorjulien added a commit to victorjulien/suricata that referenced this pull request Mar 28, 2023
@victorjulien
detect/urilen: fix applying urilen as depth
7838fc8 
If urilen induced depth was set, later DetectContentPropagateLimits()
would apply a wrong depth setting, leading to a false negative in
some cases.

Bug: OISF#5929.
(cherry picked from commit ba7db25)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish jasonish requested changes

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini will be requested when the pull request is marked ready for review jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien will be requested when the pull request is marked ready for review victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
4 participants
@rtkjweeks @jasonish @victorjulien @rtkrruvinskiy