app proto v15 #2360
Merged
Split function into multiple smaller ones.
When the current direction doesn't get a protocol detection, but the opposing direction did, previously we would send the current data to the parser. Then when we'd be invoked again (until the protocol detection finally failed) we'd get the same data + the new data. To make sure we'd not send the same data to the parser again, the flow kept track of how much was already sent to the app-layer using data_al_so_far. This patch changes the behaviour. Instead of sending the data for the current direction right away, we only do this when protocol detection is complete. This way we won't have to track anything.
The Flow::data_al_so_far was used for tracking data already parsed when the protocol for the current direction wasn't known yet. As this behaviour has changed, the tracking can be removed.
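The two commit messages above describe a buffering change: data in a direction whose protocol is not yet detected is no longer handed to the parser packet by packet (with data_al_so_far recording how much was already sent), but held back until detection for that direction completes, so each byte reaches the parser exactly once. The following is an added toy model of that rule written for this page; it is not Suricata code. The Flow struct, FlowHandleData, the "HTTP"-prefix detector, PD_MIN_BYTES and the sample payloads are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the "deliver only once detection is complete" rule from the
 * commit message. Not Suricata code: every name and constant below is an
 * assumption made for this example. */

#define DIR_TOSERVER 0
#define DIR_TOCLIENT 1
#define BUF_MAX      512
#define PD_MIN_BYTES 8   /* assumed: the toy detector needs this much data to decide */

enum PDState { PD_PENDING = 0, PD_DETECTED, PD_FAILED };

typedef struct Flow_ {
    enum PDState pd_state[2];         /* per-direction detection state */
    uint8_t      pending[2][BUF_MAX]; /* data held back until detection completes */
    size_t       pending_len[2];
    size_t       parsed_bytes[2];     /* bytes the parser received, per direction */
    size_t       parser_calls[2];     /* parser invocations, per direction */
} Flow;

/* Assumed toy detector: undecided below PD_MIN_BYTES, then "HTTP" prefix or fail. */
static enum PDState Detect(const uint8_t *data, size_t len)
{
    if (len < PD_MIN_BYTES)
        return PD_PENDING;
    return memcmp(data, "HTTP", 4) == 0 ? PD_DETECTED : PD_FAILED;
}

/* Stand-in for the app-layer parser: it only records what it was given. */
static void ParserFeed(Flow *f, int dir, const uint8_t *data, size_t len)
{
    (void)data;
    f->parsed_bytes[dir] += len;
    f->parser_calls[dir]++;
}

/* One call per packet in one direction. While this direction's detection is
 * pending the data is accumulated; it is delivered in one go when detection
 * completes (detected or failed) and streamed through afterwards, so no
 * "already sent" offset like data_al_so_far has to be tracked. */
void FlowHandleData(Flow *f, int dir, const uint8_t *data, size_t len)
{
    if (f->pd_state[dir] != PD_PENDING) {
        ParserFeed(f, dir, data, len);        /* detection done earlier: pass through */
        return;
    }
    if (len > BUF_MAX - f->pending_len[dir])
        len = BUF_MAX - f->pending_len[dir];  /* toy bound; real code would signal this */
    memcpy(f->pending[dir] + f->pending_len[dir], data, len);
    f->pending_len[dir] += len;

    f->pd_state[dir] = Detect(f->pending[dir], f->pending_len[dir]);
    if (f->pd_state[dir] != PD_PENDING) {
        /* Complete. (On failure the described design falls back to the other
         * direction's protocol; the toy simply delivers.) Hand over everything
         * held back, exactly once. */
        ParserFeed(f, dir, f->pending[dir], f->pending_len[dir]);
        f->pending_len[dir] = 0;
    }
}

/* Scenario from the commit: toserver already detected, toclient arrives in
 * pieces. The constructed response is split across three packets. */
enum { OBS_AFTER_FIRST, OBS_AFTER_ALL, OBS_PARSER_CALLS };
size_t ScenarioToclient(int observation)
{
    Flow f;
    memset(&f, 0, sizeof(f));
    f.pd_state[DIR_TOSERVER] = PD_DETECTED;          /* request side already known */
    FlowHandleData(&f, DIR_TOCLIENT, (const uint8_t *)"HTTP", 4);
    size_t after_first = f.parsed_bytes[DIR_TOCLIENT]; /* 0: held back, nothing sent */
    FlowHandleData(&f, DIR_TOCLIENT, (const uint8_t *)"/1.1 200", 8);
    FlowHandleData(&f, DIR_TOCLIENT, (const uint8_t *)" OK\r\n", 5);
    switch (observation) {
        case OBS_AFTER_FIRST:  return after_first;                  /* 0 */
        case OBS_AFTER_ALL:    return f.parsed_bytes[DIR_TOCLIENT]; /* 17 = 12 + 5 */
        default:               return f.parser_calls[DIR_TOCLIENT]; /* 2 */
    }
}

/* Constructed non-HTTP data: once PD_MIN_BYTES are seen detection fails and the
 * held data is still delivered exactly once. */
size_t ScenarioFailed(void)
{
    Flow f;
    memset(&f, 0, sizeof(f));
    FlowHandleData(&f, DIR_TOCLIENT, (const uint8_t *)"SSH-", 4);
    FlowHandleData(&f, DIR_TOCLIENT, (const uint8_t *)"2.0-", 4);
    return f.parsed_bytes[DIR_TOCLIENT];  /* 8 */
}

int main(void)
{
    printf("toclient: %zu bytes after first packet, %zu after all, %zu parser calls\n",
           ScenarioToclient(OBS_AFTER_FIRST), ScenarioToclient(OBS_AFTER_ALL),
           ScenarioToclient(OBS_PARSER_CALLS));
    printf("failed detection: %zu bytes delivered\n", ScenarioFailed());
    return 0;
}
```

The point the toy makes visible is in ScenarioToclient: after the first packet nothing has reached the parser, after the second the whole 12 accumulated bytes arrive in a single call, and the third packet is passed straight through. Under the previous behaviour the parser would have been fed after every packet and the flow would have had to remember the offset to avoid re-sending the first four bytes.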
Add negated matches to match list instead of amatch. Allow matching on 'failed'. Introduce per packet flags for proto detection. Flags are used to only inspect once per direction. Flag packet on PD-failure too.
Improve protocol mismatch handling. Preserve both protos. Use otherdir if already sent to parser, use toclient otherwise.
Improve flags logic, update tests.
Set FAILED instead of using a flow flag. Flag packets in both sides when detection is done. Detection is only done in one direction.
Introduce 'Protocol detection'-only rules. These rules will only be fully evaluated when the protocol detection completed. To allow mixing of the app-layer-protocol keyword with other types of matches the keyword can also inspect the flow's app-protos per packet. Implement prefilter for the 'PD-only' rules.
Also add tests for PD-only conditions
Document app-layer-protocol and make a start with app-layer-event.
Protocol detection and matching update. Fixes bug https://redmine.openinfosecfoundation.org/issues/1690
Fixes negated app-layer-protocol matching and various other issues with the keyword. Improves tests. Implements prefilter.
Couple of things that changed:
Replaces #2359:
Prscript: