Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

decode/ethertype: Event on unknown ethertype #11850

Closed
wants to merge 4 commits into from
Closed

decode/ethertype: Event on unknown ethertype #11850

wants to merge 4 commits into from

Conversation

jlucovsky
Copy link
Contributor

Continuation of #11632

Issue: 7129

Create a decode/engine event if unknown ethertypes are observed.

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7129

Describe changes:

  • Add an event created when unknown ethertypes are observed
  • Update schema with event counter
  • Add rule for event.

Updates

  • Include the ethertype when ethernet information is logged.

Provide values to any of the below to override the defaults.

  • To use an LibHTP, Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#1954
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

@jlucovsky
decode/ethertype: Event on unknown ethertype
00652a9 
Issue: 7129

Create a decode/engine event if unknown ethertypes are observed.
@jlucovsky
doc/threshold: Threshold keyword clarifications
c3a49f3 
Issue: 7129
@jlucovsky
doc/decode-events: new: unknown event description
80687cc 
Issue: 7129

Document the unknown ethertype event.
@jlucovsky
output: Log ethernet type
b73296c 
Issue 7129

When configured with the existing "ethernet" switch, include the ether
type in the output.

This is most useful with anomaly records indicating unknown ethertypes.
@jlucovsky jlucovsky requested review from jufajardini, victorjulien and a team as code owners October 1, 2024 13:30
@jlucovsky jlucovsky mentioned this pull request Oct 1, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Oct 1, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.57%. Comparing base (45eb7e4) to head (b73296c).
Report is 331 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #11850      +/-   ##
==========================================
- Coverage   82.60%   82.57%   -0.03%     
==========================================
  Files         912      912              
  Lines      249351   249361      +10     
==========================================
- Hits       205965   205903      -62     
- Misses      43386    43458      +72
Flag Coverage Δ
fuzzcorpus 60.46% <88.88%> (-0.14%) ⬇️
livemode 18.74% <88.88%> (+0.01%) ⬆️
pcap 44.07% <88.88%> (+0.01%) ⬆️
suricata-verify 62.01% <100.00%> (-0.03%) ⬇️
unittests 58.94% <66.66%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.uptime 649 623 95.99%

Pipeline 22938

@jlucovsky jlucovsky mentioned this pull request Oct 20, 2024
Open
catenacyber
catenacyber approved these changes Nov 21, 2024
View reviewed changes
Copy link
Contributor

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the work

CI : ✅
Code : good
Commits segmentation : ok, not sure if commit "doc/threshold: Threshold keyword clarifications" belongs here
Commit messages : good
Git ID set : looks fine for me
CLA : you already contributed
Doc update : nice addition 👏 not sure we should list all the currently recognized ether types as it will grow outdated
Redmine ticket : ok, should it target 8 ?
Rustfmt : no rust
Tests : nice, thanks (why does not json log 0x integers :-p)
Dependencies added: none

victorjulien
victorjulien requested changes Jan 6, 2025
View reviewed changes
Copy link
Member

@victorjulien victorjulien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see inline

src/decode.h Show resolved Hide resolved
src/decode.h Show resolved Hide resolved
@jlucovsky jlucovsky mentioned this pull request Jan 28, 2025
Closed
@jlucovsky
Copy link
Contributor Author

Continued in #12495

@jlucovsky jlucovsky closed this Jan 28, 2025
@jlucovsky jlucovsky deleted the 7129/7 branch January 31, 2025 13:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien victorjulien requested changes

@catenacyber catenacyber catenacyber approved these changes

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jlucovsky @suricata-qa @victorjulien @catenacyber