-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Detect origin keyword 6794 v3 #11787
base: master
Are you sure you want to change the base?
Detect origin keyword 6794 v3 #11787
Conversation
Add option of role to live device configuration. Possible roles are : trusted, untrusted, and unknown. Configurable via suricata.yaml. AF-Packet and DPDK runmodes supported, others default to unknown role.
Allows for matching against packets based on the role of the live device. The origin of a packet refers to the role of the live device where the flow originated from.
Adds the copy device to the live device structure. Valid only in IPS mode.
Allows for matching against packets based on the role of the copy live device. For IPS only. The destination of a packet refers to the role of the copy live device.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #11787 +/- ##
==========================================
+ Coverage 82.53% 82.57% +0.03%
==========================================
Files 919 921 +2
Lines 248979 249432 +453
==========================================
+ Hits 205506 205971 +465
+ Misses 43473 43461 -12
Flags with carried forward coverage won't be shown. Click here to find out more. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fuzzers checks are ok! /o/
We should also add documentation for the new rule keywords, including rule examples and also their limitations. Not sure what that section should be titled, though. Role
keywords?
nit-ish: could you please add the ticket number at the end of the related commit messages?
After the commit body, a
Task #6794
should do :)
int LiveRegisterDeviceNameAndRole(const char *dev, const char *copy_dev, const char *role) | ||
{ | ||
LiveDeviceName *pd = NULL; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can't we try to dedup the code in these two functions? their structures are so similar...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah that's a good idea. I will take a look cleaning this up.
in IPS mode as device tenancy is not supported. Currently only | ||
supported when running with afpacket or dpdk. For example: | ||
|
||
:: | ||
dpdk: | ||
interfaces: | ||
- interface: 0000:3b:00.1 | ||
role: trusted |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see that in the suricata.yaml
file this setting can be configured in several places. Is there a master config setting place that applies to all of them? If so, I think that should be mentioned here. If not, I think that we should point out all places where this option can be defined, since not defining it results in role being unknown and could lead to user confusion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe that there would be a master config as it is device / interface / capture mode specific. I have only been using DPDK & af-packet, but I suppose that wherever an interface is defined and a LiveDevice is created the role could be defined. I think I had covered all the potential spots where the role could be defined in suricata.yaml.in, but I will confirm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that the configuration file itself is covered, my comment was more to list here all such cases, so that people know this from the documentation, what do you think?
"(trusted/untrusted) of the interface."; | ||
sigmatch_table[DETECT_DESTINATION].Match = DetectDestinationMatch; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
once we have the keyword docs, then we can add its URL reference here with url
attribute
Sounds good! I will add some documentation for the keywords. I didn't know what to call the section either 😄 I'm happy to go with your suggestion. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd really like to see
- suricata-verify tests
- The use cases for this.
* | ||
* \retval 0 on success. | ||
* \retval -1 on failure. | ||
*/ | ||
int LiveRegisterDeviceName(const char *dev) | ||
int LiveRegisterDeviceName(const char *dev, const char *copy_dev) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd suggest adding a new function ... e.g., LiveRegisterDeviceNameWithCopy
and remove the changes to the source/runmode for the packet capture code. It's a bit complicated and one was missed (ipfw)
* | ||
* \retval 0 on success. | ||
* \retval -1 on failure. | ||
*/ | ||
int LiveRegisterDevice(const char *dev) | ||
int LiveRegisterDevice(const char *dev, const char *role) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similarly, suggest leaving this interface alone and adding LiveRegisterDeviceWithRole
.
Thanks for the feedback!
|
I think that some of this can be used for the keywords docs, or something that covers this :) |
Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.
Contribution style:
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
Our Contribution agreements:
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Changes (if applicable):
https://redmine.openinfosecfoundation.org/projects/suricata/issues
Link to ticket: https://redmine.openinfosecfoundation.org/issues/6794
Describe changes: