detect-file-data: always inspect http body - v2 #9063
Run inspection even if the HTTP response body is not done. This optimization causes file_data inspection to occur after the file has been pruned. Ticket: OISF#5868
Codecov Report
Additional details and impacted files
@@ Coverage Diff @@
## master #9063 +/- ##
==========================================
- Coverage 82.35% 82.33% -0.02%
==========================================
Files 969 969
Lines 273655 273643 -12
==========================================
- Hits 225359 225314 -45
- Misses 48296 48329 +33
WARNING:
Pipeline 14779
I'm missing an analysis of the issue.
I've done some analysis and what I'm coming to is the following: there is a fundamental mismatch between how file_data works for HTTP1 and file tracking, as file_data in this case actually inspects the HTTP body, and not the extracted files. For this reason there is a As a result of this mismatch, the file is "pruned" (meaning buffer slides forward) before the file.data inspection happens. The problem is not that the file.data happens too late, nor is the logic in removed in this PR an "optimization". Ideally we move to
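The ordering problem described in the comment above (data pruned from a sliding buffer before an inspection pass is never seen by that pass), as a toy model added here; it is not Suricata code and not part of this PR. `WINDOW`, `struct body`, `body_append`, `body_match` and `simulate` are hypothetical names, and the chunks are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 16  /* assumed retention size; real limits differ */

/* Hypothetical sliding body buffer: keeps only the newest WINDOW bytes. */
struct body { char buf[WINDOW]; size_t len; };

/* Append a chunk, pruning the oldest bytes when the window overflows. */
static void body_append(struct body *b, const char *data, size_t n)
{
    if (n > WINDOW) { data += n - WINDOW; n = WINDOW; }
    if (b->len + n > WINDOW) {
        size_t drop = b->len + n - WINDOW;   /* bytes lost to later passes */
        memmove(b->buf, b->buf + drop, b->len - drop);
        b->len -= drop;
    }
    memcpy(b->buf + b->len, data, n);
    b->len += n;
}

/* Content match over whatever the window still holds. */
static int body_match(const struct body *b, const char *pat)
{
    size_t m = strlen(pat);
    for (size_t i = 0; m && i + m <= b->len; i++)
        if (memcmp(b->buf + i, pat, m) == 0)
            return 1;
    return 0;
}

/* Feed constructed chunks; inspect after every update or only at the end. */
int simulate(int inspect_each_update, const char *pat)
{
    static const char *chunks[] = { "hdr:MARKER;", "0123456789", "abcdefghij" };
    struct body b = { {0}, 0 };
    int hit = 0;
    for (size_t i = 0; i < sizeof chunks / sizeof *chunks; i++) {
        body_append(&b, chunks[i], strlen(chunks[i]));
        hit |= inspect_each_update && body_match(&b, pat);
    }
    return hit | body_match(&b, pat);  /* final pass once the body is done */
}

int main(void)
{
    printf("each update: %d, only at end: %d\n",
           simulate(1, "MARKER"), simulate(0, "MARKER"));
    return 0;
}
```

In this model the same detection outcome can be reached either by inspecting before the slide or by not sliding past uninspected data; the model does not say which of the two Suricata should do.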
Right now it's looking good except one s-v test fails (http-body-inspect). I posted an update to #8785 that includes performance measurements.
Understood, so it needs to be fixed from another direction. Any pointers there? I also wonder if we could get a comment on the special logic for HTTP in
Forcing
when http1 seems to do the trick as well.
This uses
This would apply different sliding logic in For the 6.0 fix.
Run inspection even if the HTTP response body is not done. This
optimization causes file_data inspection to occur after the file has
been pruned.
Ticket: https://redmine.openinfosecfoundation.org/issues/5868
Previous PR:
Changes from last PR:
SV_BRANCH=pr/1225