Encryption bypass 8336 v2 by catenacyber · Pull Request #15087 · OISF/suricata

catenacyber · 2026-03-22T20:12:51Z

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8336

Describe changes:

detect: do not wait for more in log_flush
stream: log flush packets in the other order (as the comment stated)

Ticket: 8336 When a packet has flag PKT_PSEUDO_DETECTLOG_FLUSH, we do not expect to rerun detection on the same tx and direction again So, do not set mpm_in_progress whose purpose is to not store the state as we will run again. Allows transactional bidirectional signatures to work on thse log+flush pair of packets

Ticket: 8336 At the end of a TLS handshake, in IDS mode, the client acks, and we parse the server hello and use tls.encryption-handling to know what to do next (for example bypass) Everything is parsed, but we have not run detection yet on neither side. So, in IDS mode, we need to first flush the client side, as the comment on the function already stated.

coveralls · 2026-03-22T20:48:07Z

coverage: 79.309% (-0.006%) from 79.315%
when pulling 75f3c50 on catenacyber:encryption-bypass-8336-v2
into 6587e36 on OISF:main.

As we expect a log+flush packet in the other direction Ticket: 8336

codecov · 2026-03-22T21:23:41Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.58%. Comparing base (6587e36) to head (75f3c50).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #15087      +/-   ##
==========================================
- Coverage   82.59%   82.58%   -0.01%     
==========================================
  Files         990      990              
  Lines      271761   271763       +2     
==========================================
- Hits       224465   224444      -21     
- Misses      47296    47319      +23

Flag	Coverage Δ
fuzzcorpus	`61.03% <100.00%> (+0.01%)`	⬆️
livemode	`18.38% <0.00%> (+0.01%)`	⬆️
netns	`18.34% <0.00%> (-0.03%)`	⬇️
pcap	`45.22% <100.00%> (-0.04%)`	⬇️
suricata-verify	`66.10% <100.00%> (-0.04%)`	⬇️
unittests	`58.83% <40.00%> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

suricata-qa · 2026-03-22T23:20:02Z

Information: QA ran without warnings.

Pipeline = 30469

suricata-qa · 2026-03-22T23:20:04Z

Information: QA ran without warnings.

Pipeline = 30469

jasonish · 2026-03-24T21:57:53Z

    ts ^= StreamTcpInlineMode();
-    StreamTcpPseudoPacketCreateDetectLogFlush(tv, stt, p, ssn, pq, ts^0);
    StreamTcpPseudoPacketCreateDetectLogFlush(tv, stt, p, ssn, pq, ts^1);
+    StreamTcpPseudoPacketCreateDetectLogFlush(tv, stt, p, ssn, pq, ts ^ 0);


I guess clang-format doesn't enforce one style here.

This was indeed clang-format's doing, and I found it strange but 🤷

jasonish

Unsure about the mpm-in-progres change, but the rest aligns with some initial inspection I did of the issue.

catenacyber · 2026-03-25T13:52:42Z

Unsure about the mpm-in-progres change, but the rest aligns with some initial inspection I did of the issue.

Do you see another fix ? Or did you not look into transactional signatures at all ?

jasonish · 2026-03-25T16:33:56Z

Unsure about the mpm-in-progres change, but the rest aligns with some initial inspection I did of the issue.

Do you see another fix ? Or did you not look into transactional signatures at all ?

Didn't look. Unsure as I didn't look into it. Not "unsure" in that I'm not sure its the best idea.

catenacyber added 2 commits March 21, 2026 08:32

catenacyber requested a review from victorjulien as a code owner March 22, 2026 20:12

frames: do not free on lo+flush packet

75f3c50

As we expect a log+flush packet in the other direction Ticket: 8336

jasonish reviewed Mar 24, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Encryption bypass 8336 v2#15087

Encryption bypass 8336 v2#15087
catenacyber wants to merge 3 commits intoOISF:mainfrom
catenacyber:encryption-bypass-8336-v2

catenacyber commented Mar 22, 2026

Uh oh!

coveralls commented Mar 22, 2026 •

edited

Loading

Uh oh!

codecov Bot commented Mar 22, 2026 •

edited

Loading

Uh oh!

suricata-qa commented Mar 22, 2026

Uh oh!

suricata-qa commented Mar 22, 2026

Uh oh!

jasonish Mar 24, 2026

Uh oh!

catenacyber Mar 25, 2026

Uh oh!

jasonish left a comment

Uh oh!

catenacyber commented Mar 25, 2026

Uh oh!

jasonish commented Mar 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

4 participants

Conversation

catenacyber commented Mar 22, 2026

Uh oh!

coveralls commented Mar 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov Bot commented Mar 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

suricata-qa commented Mar 22, 2026

Uh oh!

suricata-qa commented Mar 22, 2026

Uh oh!

jasonish Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

catenacyber Mar 25, 2026

Choose a reason for hiding this comment

Uh oh!

jasonish left a comment

Choose a reason for hiding this comment

Uh oh!

catenacyber commented Mar 25, 2026

Uh oh!

jasonish commented Mar 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

4 participants

coveralls commented Mar 22, 2026 •

edited

Loading

codecov Bot commented Mar 22, 2026 •

edited

Loading