doc: add multi buffer matching documentation v4 #9180
Signed-off-by: jason taylor <jtfas90@gmail.com>
Signed-off-by: jason taylor <jtfas90@gmail.com>
@@ -18,6 +18,8 @@ Example:: | |||
|
|||
filename:"secret"; | |||
|
|||
``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. |
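Review bot: the new cross-reference is a bare :doc:`multi-buffer-matching`, which Sphinx resolves relative to the file being edited, so it only builds if multi-buffer-matching.rst sits in the same directory as this keyword page; if it lives elsewhere, give the path from the documentation root. Also, the sentence names ``file.name`` but the example directly above it uses the legacy `filename:"secret";` form, so it is worth saying whether the legacy keyword is covered too, or moving the note above the example.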
How did you list all these? (Did you run a git grep?)
I looked at the commit history for the patch set, though now I realize I would have missed any later commits. I went back and looked again and did miss something. So I will have an additional commit to this PR for review.
I do have a question about:
src/detect-quic-cyu-hash.c: DetectBufferTypeSupportsMultiInstance(BUFFER_NAME);
src/detect-quic-cyu-string.c: DetectBufferTypeSupportsMultiInstance(BUFFER_NAME);
Should () contain the respective quic buffer names instead of BUFFER_NAME?
There must be a macro #define BUFFER_NAME a few lines up...
Signed-off-by: jason taylor <jtfas90@gmail.com>
Explanation looks way more complete now, thanks for that! :)
Noticed one thing that needs fixing, and one nit aspect.
|
||
.. container:: example-rule | ||
|
||
`alert http2 any any -> any any (msg:"HTTP2 Multiple Header Buffer Example"; flow:established,to_server; http.request_header; content:"method|3a 20|GET"; http.request_header; content:"authority|3a 20|example.com"; classtype:misc-activity; sid:1; rev:1;) |
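Review bot: the rule line opens with a single backtick that is never closed, and in reStructuredText a single backtick starts interpreted text (the default role), not a literal, so even once closed it would not render as code; use a double-backtick literal or whatever markup the other `.. container:: example-rule` blocks in this documentation use for the rule line, so this example renders like the rest.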
nit: rule is missing closing `
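A toy model of what repeating the `http.request_header` keyword in the example rule above buys, added here as an illustration; it is not part of this PR or of Suricata's detection engine. It assumes the Suricata 7 semantics as I read them (each sticky buffer keyword opens a group of content matches that must all hit the same buffer instance, i.e. the same header, while separate groups may be satisfied by different headers), a constructed set of HTTP/2 header instances, and a deliberately minimal option parser that only understands `http.request_header` and `content`.

```python
"""Toy model of multi-buffer matching for repeated sticky buffer keywords.

Added illustration only; this is not Suricata's detection engine. It assumes
(my reading of the Suricata 7 semantics) that every `http.request_header;`
keyword in a rule opens a group of content matches which must all match the
same buffer instance (one header), while separate groups may be satisfied by
different instances.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Group:
    """One sticky buffer keyword plus the content matches that follow it."""
    buffer: str
    contents: list[bytes] = field(default_factory=list)


def decode_content(text: str) -> bytes:
    """Decode rule content syntax: literal text with |xx xx| hex spans."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        # Odd-numbered parts sit between a pair of '|' and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 == 1 else part.encode()
    return bytes(out)


def parse_rule_options(options: str) -> list[Group]:
    """Collect sticky-buffer groups from a rule's option list.

    Deliberately minimal: only `http.request_header` and `content:"..."` are
    understood, every other option is skipped, and a ';' inside a quoted
    string is not handled.
    """
    groups: list[Group] = []
    for raw in options.split(";"):
        opt = raw.strip()
        if opt == "http.request_header":
            groups.append(Group(opt))
        elif opt.startswith("content:") and groups:
            value = opt[len("content:"):].strip().strip('"')
            groups[-1].contents.append(decode_content(value))
    return groups


def group_matches_instance(group: Group, instance: bytes) -> bool:
    """All contents of one group must be found in the same buffer instance."""
    return all(c in instance for c in group.contents)


def rule_matches(groups: list[Group], headers: list[bytes]) -> bool:
    """Each group needs some header that satisfies it; groups are independent."""
    return all(any(group_matches_instance(g, h) for h in headers) for g in groups)


def evaluate(options: str, headers: list[bytes]) -> bool:
    """Parse the option list and match it against the header instances."""
    return rule_matches(parse_rule_options(options), headers)


# Constructed HTTP/2 request header instances, one buffer instance per header.
SAMPLE_HEADERS = [
    b":method: GET",
    b":authority: example.com",
    b":path: /index.html",
]

# Option part of the rule shown in the PR: the keyword is repeated, so the two
# contents may be satisfied by two different headers.
RULE_ON_PAGE = (
    'msg:"HTTP2 Multiple Header Buffer Example"; flow:established,to_server; '
    'http.request_header; content:"method|3a 20|GET"; '
    'http.request_header; content:"authority|3a 20|example.com"; '
    'classtype:misc-activity; sid:1; rev:1;'
)

# Constructed contrast: both contents under one keyword, so a single header
# would have to carry both strings.
SINGLE_GROUP_RULE = (
    'http.request_header; content:"method|3a 20|GET"; '
    'content:"authority|3a 20|example.com"; sid:2; rev:1;'
)

if __name__ == "__main__":
    print("repeated keyword :", evaluate(RULE_ON_PAGE, SAMPLE_HEADERS))
    print("single keyword   :", evaluate(SINGLE_GROUP_RULE, SAMPLE_HEADERS))
```

Under this model the rule from the PR fires on the sample headers while the single-keyword variant does not, because no one header carries both `method: GET` and `authority: example.com`; that difference is what the new documentation has to make visible to rule writers.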
**Note:** This is new behavior, in versions of Suricata prior to | ||
version 7 multiple statements of the same sticky buffer did not |
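Review bot: "multiple statements of the same sticky buffer" is ambiguous (a buffer is not stated); "multiple uses of the same sticky buffer keyword in one rule" says what is meant and ties the note back to the repeated `http.request_header;` in the example above it.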
nit:
**Note:** This is new behavior, in versions of Suricata prior to | |
version 7 multiple statements of the same sticky buffer did not | |
**Note:** This is new behavior. In versions of Suricata prior to | |
version 7, multiple statements of the same sticky buffer did not |
Codecov Report
Additional details and impacted files
@@ Coverage Diff @@
## master #9180 +/- ##
==========================================
- Coverage 82.34% 82.34% -0.01%
==========================================
Files 968 968
Lines 273546 273546
==========================================
- Hits 225258 225246 -12
- Misses 48288 48300 +12
Flags with carried forward coverage won't be shown.
continued in #9199
Make sure these boxes are signed before submitting your Pull Request -- thank you.
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6032
Describe changes:
Provide values to any of the below to override the defaults.
To use a pull request use a branch name like pr/N where N is the pull request number. Alternatively, SV_BRANCH may also be a link to an OISF/suricata-verify pull-request.