Dataset set postmatch 5576 v4 #2093

Open. Wants to merge 4 commits into base: master

Conversation

catenacyber (Collaborator)

Ticket

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/5576

#2000 with more tests for complex cases

Do I get the expected behavior of datasets-multibuf-postmatch right?
Rule:
alert http any any -> any any (msg:"HTTP learning"; http.request_header; content:"toto"; dataset:set,http_match,type string,save http_match.csv; sid:1;)
will save in the dataset only the headers containing toto (and not the user agent curl, for instance).

@catenacyber catenacyber added the requires suricata pr Depends on a PR in Suricata label Oct 15, 2024
@catenacyber catenacyber force-pushed the dataset-set-postmatch-5576-v4 branch from 9e66688 to c004733 on October 15, 2024 12:41
@catenacyber catenacyber force-pushed the dataset-set-postmatch-5576-v4 branch from c004733 to 61a9767 on October 15, 2024 14:08
@catenacyber catenacyber force-pushed the dataset-set-postmatch-5576-v4 branch from 61a9767 to 2fdca6f on October 15, 2024 19:51
@catenacyber catenacyber force-pushed the dataset-set-postmatch-5576-v4 branch from 2fdca6f to e842b6a on October 29, 2024 10:36
@catenacyber catenacyber force-pushed the dataset-set-postmatch-5576-v4 branch from e842b6a to 3936e33 on November 18, 2024 13:41
@catenacyber catenacyber force-pushed the dataset-set-postmatch-5576-v4 branch from 3936e33 to a502637 on December 2, 2024 09:43
Andreas Herz and others added 4 commits December 5, 2024 13:33
Ticket: 5576

Signature full match does not happen on first packet inspected,
but signature gets stored as partially matching so far,
and then postmatch retrieves the buffer to set in the dataset.
@catenacyber catenacyber force-pushed the dataset-set-postmatch-5576-v4 branch from a502637 to 3f7329a on December 5, 2024 12:33
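The two behaviours discussed on this page (the PR description's question about a multi-buffer like http.request_header storing only the matching header, and the commit message's point that dataset:set is deferred to postmatch so a signature that only partially matches on the first packet stores nothing until the full match completes) as a small Python model. This is an added example written for this page, not code from Suricata or suricata-verify, and it does not use Suricata's internals: the Signature, Condition and Flow classes, the per-flow "progress" counter standing in for the stored partial match, and the assumption that each http.request_header instance is a "Name: value" line are this example's own simplifications. The sample HTTP buffers are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Condition:
    """One sticky buffer + content pair of a rule, e.g. http.request_header; content:"toto";.

    `dataset` holds the name given to dataset:set on that buffer, if any.
    """
    buffer: str
    content: str
    dataset: Optional[str] = None


@dataclass
class Signature:
    sid: int
    conditions: list


@dataclass
class Flow:
    """Per-flow state: buffers seen so far and, per signature, how far it has matched.

    The `progress`/`pending` pair is this example's stand-in for Suricata storing a
    partially matching signature on the flow (an assumption, not Suricata's data model).
    """
    buffers: dict = field(default_factory=dict)   # buffer name -> list of instances
    progress: dict = field(default_factory=dict)  # sid -> index of next condition to match
    pending: dict = field(default_factory=dict)   # sid -> [(dataset name, matched value)]


def inspect_packet(flow: Flow, sig: Signature, packet: dict, datasets: dict) -> bool:
    """Inspect one packet's buffers against sig. Returns True on a full match (alert).

    dataset:set is deliberately NOT applied while a buffer matches: matching values
    are only queued, and committed by postmatch() once every condition has matched.
    """
    for name, instances in packet.items():
        flow.buffers.setdefault(name, []).extend(instances)
    idx = flow.progress.get(sig.sid, 0)
    queue = flow.pending.setdefault(sig.sid, [])
    while idx < len(sig.conditions):
        cond = sig.conditions[idx]
        # multi-buffer: every instance is inspected; only the instances that
        # contain the content count as matches (not every header on the request)
        hits = [b for b in flow.buffers.get(cond.buffer, []) if cond.content in b]
        if not hits:
            break
        if cond.dataset:
            queue.extend((cond.dataset, b) for b in hits)
        idx += 1
    if idx < len(sig.conditions):
        flow.progress[sig.sid] = idx  # partial match kept on the flow, nothing set yet
        return False
    postmatch(queue, datasets)
    flow.progress[sig.sid] = 0
    queue.clear()
    return True


def postmatch(queue: list, datasets: dict) -> None:
    """Postmatch step: retrieve the buffers that matched and set them in their datasets."""
    for name, value in queue:
        datasets.setdefault(name, set()).add(value)


def run_scenarios() -> dict:
    """Run three constructed flows; returns {name: (alerts per packet, datasets)}."""
    # Constructed sample traffic: two request headers, one containing "toto".
    request = {"http.request_header": ["User-Agent: curl/8.4.0", "X-Test: toto"]}
    ok_response = {"http.response_body": ["ok"]}
    denied_response = {"http.response_body": ["denied"]}

    # The rule from the PR description: one condition, dataset:set on the header buffer.
    single = Signature(1, [Condition("http.request_header", "toto", "http_match")])
    # A rule that also needs the response, so it cannot fully match on the first packet.
    two_step = Signature(2, [Condition("http.request_header", "toto", "http_match"),
                             Condition("http.response_body", "ok")])

    results = {}
    for name, sig, packets in [("single_packet", single, [request]),
                               ("two_packets", two_step, [request, ok_response]),
                               ("never_completes", two_step, [request, denied_response])]:
        flow, datasets = Flow(), {}
        alerts = [inspect_packet(flow, sig, p, datasets) for p in packets]
        results[name] = (alerts, datasets)
    return results


if __name__ == "__main__":
    for name, (alerts, datasets) in run_scenarios().items():
        print(name, alerts, datasets)
```

The first scenario stores only "X-Test: toto", not the User-Agent header; the second stores the same value only once the response completes the match; the third stores nothing at all, which is the point of setting in postmatch rather than at buffer-match time.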
Labels
requires suricata pr Depends on a PR in Suricata