Fw updates/v7#15108
Conversation
Allows for quickly checking if sig operates on frames during parsing.
Make `Signature::proto` an optional member, meaning that if it is NULL we can skip the check. This can be done for `alert ip`, as no check is needed, and for `alert tcp` and `alert udp` as having a rule in a sgh for those means that the protocol matches. Some exceptions are rules that require: - ipv4/ipv6 specific matching - frames, due to sharing prefilter between tcp and udp - ip-only rules, due to those not being per sgh
Support `alert ether` for matching all ethernet packets. Add `alert arp` for matching ARP packets. Ticket: OISF#8313.
Sticky buffer to inspect the ethernet header.
Example rule:
alert ether any any -> any any ( \
ether.hdr; content:"|08 06|"; offset:12; depth:2; \
sid:1;)
Ticket: OISF#8327.
To indicate it's not just like `alert ip`.
`alert pkthdr` was initially just an alias for `alert ip`, as that was really just a way of stating that "any" should be matched. However with the Ethernet matching in place, it no long makes sense to treat `alert ip` as "any". Since `pkthdr` is used to match on decoder events, also for packets that completely failed to parse, it should no longer be treated as `alert ip` but rather as it's own distinct logic.
Cannot be combined with --firewall-rules-exclusive
victorjulien
requested review from
a team,
jasonish and
jufajardini
as code owners
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #15108 +/- ##
==========================================
- Coverage 82.63% 82.61% -0.03%
==========================================
Files 990 992 +2
Lines 271599 271754 +155
==========================================
+ Hits 224429 224497 +68
- Misses 47170 47257 +87
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
|
Information: QA ran without warnings. Pipeline = 30558 |
catenacyber
left a comment
catenacyber
left a comment
There was a problem hiding this comment.
Thanks for the work,
CI : ✅
Code : looking
Commits segmentation : looks cool
Commit messages : nice
Git ID set : looks fine for me
CLA : you already contributed :-p
Doc update : seems nice
Redmine ticket(s) : ok
Rustfmt : no rust
Tests : enable pcre and urilen for firewall mode but no SV test about it and I heard we absolutely must add SV tests before marking a keyword supported for firewall mode
Dependencies added: none
| /** addresses, ports and proto this sig matches on */ | ||
| DetectProto proto; | ||
| /** rule protocol: can be NULL if the check can be skipped */ | ||
| DetectProto *proto; |
There was a problem hiding this comment.
Is the memory gain really worth it ?
I have the feeling it gains like 1 Mbyte on a ruleset with 50k signatures...
There was a problem hiding this comment.
And I think you feel this is right and I trust you, but the commit message may bring some more numbers...
There was a problem hiding this comment.
It was worth it at the time, but it's been over 2 years.
| static bool SigValidateEthernet(const Signature *s) | ||
| { | ||
| if (s->init_data->proto.flags & DETECT_PROTO_ETHERNET) { | ||
| if ((s->flags & (SIG_FLAG_SP_ANY | SIG_FLAG_DP_ANY)) != |
There was a problem hiding this comment.
Should we not also test that ip addresses are any ?
And reject alert arp 192.168.1.1 any -> ...
| { "ip", 0, 0, DETECT_PROTO_ANY, 0 }, | ||
| { "pkthdr", 0, 0, DETECT_PROTO_ANY, 0 }, | ||
| { "ether", 0, 0, DETECT_PROTO_ETHERNET, 0 }, | ||
| { "arp", 0, 0, DETECT_PROTO_ETHERNET, ETHERNET_TYPE_ARP }, |
There was a problem hiding this comment.
This arp and ether should be in the docs doc/userguide/rules/intro.rst section Protocol
| InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); | ||
| if (buffer->inspect == NULL) { | ||
| if (!PacketIsEthernet(p)) { | ||
| // DETECT_PROTO_ETHERNET does not prefilter |
There was a problem hiding this comment.
Should it ?
Is there not a mask somewhere ?
There was a problem hiding this comment.
For now I'm mostly caring about correctness than we can express what we need. Such optimizations can follow later.
| ~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| Traditionally the rule language was only about matching on IP packets. For packets | ||
| that caused decoder events in the layers before IP a special protocol `pkthdr` was |
There was a problem hiding this comment.
the layers before IP
We also have like `msg:"SURICATA ICMPv4 packet too small"; decode-event:icmpv4.pkt_too_small``
So, this seems more than "the layers before IP", right ?
There was a problem hiding this comment.
A bad ICMP event should use alert ip as we require a valid IP before checking ICMP. alert pkthdr is really meant for when alert ip doesn't make sense as there is no or no valid IP.
|
|
||
| accept:packet arp:all any any -> any any (sid:200;) | ||
|
|
||
| Other ethernet types can be accepted by using generic ethernet rules, with the ``ether.hdr`` keyword. |
There was a problem hiding this comment.
What happens for a packet which has ethernet/vlan/arp ?
Or a packet that is vxlan encapsulating ARP ?
There was a problem hiding this comment.
Good question. The vlan/arp case currently doesn't work, as it is essentially just checking the ether_type. Looking into it.
For VXLAN we split out the encapsulated packet, so that should work, but it didn't. Fixing as well.
|
Comments addressed in #15122 |
4 participants
SV_BRANCH=OISF/suricata-verify#2953
#15079 rebased with review comments addressed. Also added a NFQ based fw test that doesn't need the arp support, so that can be backported more easily.