Clean up some minor points

- DPD signature now correctly includes `tcp-state` - Only match at beginning of DPD signature - Originator added to DPD signature, plus a requires-reverse-signature so that server data must get matched with client data - Split out any serialized data that starts with a number to hopefully reduce possible FPs - note this doesn't include floats because that can be inf - Trimmed pcaps
evantypanski · Dec 18, 2024 · ec7da53 · ec7da53
1 parent e8a0668
commit ec7da53
Show file tree

Hide file tree

Showing 63 changed files with 563 additions and 553 deletions.
diff --git a/scripts/dpd.sig b/scripts/dpd.sig
@@ -1,6 +1,16 @@
+signature resp-client {
+  ip-proto == tcp
+  payload /^.*\r\n/
+  tcp-state originator
+  requires-reverse-signature resp-serialized-server
+  event "Found possible Redis client data"
+  enable "spicy_Redis"
+}
+
 signature resp-serialized-server {
   ip-proto == tcp
-  payload /[+-:$*_#,(!=%`~>].*\r\n/
+  payload /^([-+_,].*\r\n|[:$*#(!=%`~>][+-]?[0-9]+(\.[0-9]*)?\r\n)/
+  tcp-state responder
   event "Found Redis server data"
   enable "spicy_Redis"
 }
diff --git a/testing/Baseline/tests.almost-redis/redis.log b/testing/Baseline/tests.almost-redis/redis.log
@@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd.command	cmd.key	cmd.value	response.err	response.data
 #types	time	string	addr	port	addr	port	string	string	string	bool	string
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	127.0.0.1	53099	127.0.0.1	6379	AUTH	-	-	F	OK
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	127.0.0.1	53099	127.0.0.1	6379	PING	-	-	F	OK
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	53099	127.0.0.1	6379	AUTH	-	-	F	OK
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	53099	127.0.0.1	6379	PING	-	-	F	OK
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/Baseline/tests.client-reply-off-2conn/redis.log b/testing/Baseline/tests.client-reply-off-2conn/redis.log
@@ -7,10 +7,10 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd.command	cmd.key	cmd.value	response.err	response.data
 #types	time	string	addr	port	addr	port	string	string	string	bool	string
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	61211	::1	6379	PING	-	-	F	PONG
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	::1	61212	::1	6379	PING	-	-	F	PONG
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	61211	::1	6379	CLIENT	-	-	-	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	61211	::1	6379	PING	-	-	-	-
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	::1	61212	::1	6379	CLIENT	-	-	-	-
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	::1	61212	::1	6379	PING	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	61211	::1	6379	PING	-	-	F	PONG
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	61212	::1	6379	PING	-	-	F	PONG
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	61211	::1	6379	CLIENT	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	61211	::1	6379	PING	-	-	-	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	61212	::1	6379	CLIENT	-	-	-	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	61212	::1	6379	PING	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/Baseline/tests.client-reply-off/redis.log b/testing/Baseline/tests.client-reply-off/redis.log
@@ -7,12 +7,12 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd.command	cmd.key	cmd.value	response.err	response.data
 #types	time	string	addr	port	addr	port	string	string	string	bool	string
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	60761	::1	6379	PING	-	-	F	PONG
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	60761	::1	6379	CLIENT	-	-	-	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	60761	::1	6379	PING	-	-	-	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	60761	::1	6379	CLIENT	-	-	F	OK
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	60761	::1	6379	PING	-	-	F	PONG
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	60761	::1	6379	CLIENT	-	-	-	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	60761	::1	6379	PING	-	-	-	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	::1	60761	::1	6379	PING	-	-	F	PONG
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	60761	::1	6379	PING	-	-	F	PONG
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	60761	::1	6379	CLIENT	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	60761	::1	6379	PING	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	60761	::1	6379	CLIENT	-	-	F	OK
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	60761	::1	6379	PING	-	-	F	PONG
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	60761	::1	6379	CLIENT	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	60761	::1	6379	PING	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	60761	::1	6379	PING	-	-	F	PONG
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/Baseline/tests.client-skip-while-off/redis.log b/testing/Baseline/tests.client-skip-while-off/redis.log
@@ -7,11 +7,11 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd.command	cmd.key	cmd.value	response.err	response.data
 #types	time	string	addr	port	addr	port	string	string	string	bool	string
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	::1	56348	::1	6379	PING	-	-	F	PONG
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	::1	56348	::1	6379	CLIENT	-	-	-	-
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	::1	56348	::1	6379	PING	-	-	-	-
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	::1	56348	::1	6379	CLIENT	-	-	-	-
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	::1	56348	::1	6379	CLIENT	-	-	F	OK
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	::1	56348	::1	6379	PING	-	-	F	PONG
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	::1	56348	::1	6379	PING	-	-	F	PONG
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	56348	::1	6379	PING	-	-	F	PONG
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	56348	::1	6379	CLIENT	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	56348	::1	6379	PING	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	56348	::1	6379	CLIENT	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	56348	::1	6379	CLIENT	-	-	F	OK
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	56348	::1	6379	PING	-	-	F	PONG
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	56348	::1	6379	PING	-	-	F	PONG
 #close XXXX-XX-XX-XX-XX-XX