Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect log alert tx one 7199 v6 #2157

Closed
wants to merge 4 commits into from
Closed

Detect log alert tx one 7199 v6 #2157

wants to merge 4 commits into from

Conversation

catenacyber
Copy link
Collaborator

jufajardini and others added 2 commits December 2, 2024 11:06
@jufajardini @catenacyber
tests: add test for bug-7199
fe5dd99 
More of a change in behavior than a bug, but important to be documented

Related to
Bug https://redmine.openinfosecfoundation.org/issues/7199
@catenacyber
output: use detect.guess-applayer-tx for http-ish content test
c60c3c8 
Ticket: 7199
@catenacyber catenacyber added the requires suricata pr Depends on a PR in Suricata label Dec 2, 2024
This was referenced Dec 2, 2024
Closed
Closed
Closed
@catenacyber catenacyber force-pushed the detect-log-alert-tx-one-7199-v6 branch from 2f40758 to cde493b Compare December 2, 2024 10:25
victorjulien
victorjulien reviewed Dec 2, 2024
View reviewed changes
tests/pgsql/pgsql-bug-6983-ips/suricata.yaml
@@ -16,3 +16,6 @@ app-layer:
protocols:
pgsql:
enabled: yes

detect:
guess-applayer-tx: true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should there also be a test.yaml update with this test?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, why should there be ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to include that the tx was guessed? (I guess?)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not think it is important... Is it ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is the point of the change if there is no test update with it?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TL;DR Otherwise this test pgsql-bug-6983-ips fails with the Suricata PR.

I think you are referring to Suricata change here : https://github.com/OISF/suricata/pull/12197/files#diff-ee484ae4b77e59eb8b6b50f628c84ab626bd6178a6d43e1219dbc9619be7e027L816

Over simplifying it : instead of using (alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) we now use de_ctx->force_applayer

pgsql-bug-6983-ips resorted to (alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) to have pgsql metadata in alerts.
With the Suricata PR, we now need de_ctx->force_applayer meaning detect.guess-applayer-tx: true in yaml

That comes from how I understood your comment OISF/suricata#12166 (comment)

We've decided it's worse to log the wrong one, than to log none.

Beyond pgsql-bug-6983-ips test, this SV PR has test bug-7199 to show the new benefits of the new behavior.

@catenacyber catenacyber force-pushed the detect-log-alert-tx-one-7199-v6 branch from cde493b to 18aba67 Compare December 2, 2024 15:55
@jufajardini jufajardini mentioned this pull request Dec 6, 2024
Closed
@jufajardini
Copy link
Contributor

Follow up, as agreed I'd do: #2168

@catenacyber
Copy link
Collaborator Author

So closing in favor of #2168

@catenacyber catenacyber closed this Dec 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jufajardini jufajardini jufajardini left review comments

@victorjulien victorjulien victorjulien left review comments

Assignees
No one assigned
Labels
requires suricata pr Depends on a PR in Suricata
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@catenacyber @jufajardini @victorjulien