Project

General

Profile

Actions
Copy link

Feature #2283

closed
VJ OD

turn content modifiers into 'sticky buffers'

Feature #2283: turn content modifiers into 'sticky buffers'

Added by Victor Julien over 8 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
5.0rc1
Effort:
Difficulty:
Label:

Description

Turn all content modifiers into sticky buffers with a '<proto>.<buffer>[.<modifier>]' notation.
Support this dot-notation for all existing sticky buffers.

In both cases the existing rule keywords need to keep working for backwards compatibility. New keywords only need to support the new notation.

Some examples:

content:"abc"; http_uri; -> http.uri; content:"abc";
content:"abc"; http_raw_uri; -> http.uri.raw; content:"abc";
content:"abc"; http_client_body; -> http.request_body; content:"abc";
dns_query; content:"abc"; -> dns.query; content:"abc";

Internally, these keywords need to be registered through the 'v2 API', so that they support transforms.

Examples can be found in https://github.com/OISF/suricata/pull/3632

Subtasks 4 (0 open4 closed)

Feature #2897: update http_content_type and others to new style sticky buffersClosedJeff LucovskyActions
Feature #2914: modernize tls sticky buffersClosedJeff LucovskyActions
Bug #2915: modernize ssh sticky buffersClosedJeff LucovskyActions
Feature #2930: http_protocol: use mpm and content inspect v2 apisClosedGiuseppe LongoActions

Related issues 3 (2 open1 closed)

Related to Suricata - Task #2309: SuriCon 2017 brainstormAssignedVictor JulienActions
Related to Suricata - Task #2685: SuriCon 2018 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #2952: modernize http_header_namesClosedVictor JulienActions

VJ Updated by Victor Julien over 8 years ago Actions
Copy link
 #1

  • Assignee set to Jason Williams
  • Target version set to 70

JW Updated by Jason Williams over 8 years ago Actions
Copy link
 #2

1. flip the proto to the end

- this complicates the naming a little
- breaks the current "proto_buffer"; naming scheme

uri_http;
header_http;
user_agent_http;

2. use similar naming to 'raw'

- a little more typing
- looks fairly similar to what we already have

http_sticky_uri;
http_sticky_header;
http_sticky_user_agent;
http_raw_sticky_uri; - in instances where we have raw

3. put sticky at the end

- not a naming convention we have currently

http_uri_sticky;
http_header_sticky;
http_user_agent_sticky;

4. let suricata decide the function of the buffer

- this could possibly complicate the engine's parsing of the rules
- cleanest

content:"/example/"; http_uri; (old - modifier)
http_uri; content:"/example/"; (new - sticky)

VJ Updated by Victor Julien over 8 years ago Actions
Copy link
 #3

  • Related to Task #2309: SuriCon 2017 brainstorm added

JW Updated by Jason Williams about 8 years ago Actions
Copy link
 #4

After some time thinking about this, perhaps the initial 'http_' portion of the buffer name is not needed?

our rule is already 'alert http...'

http_uri; -> uri;
http_user_agent; -> user_agent;
http_referer; -> referer;

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
 #5

  • Related to Task #2685: SuriCon 2018 brainstorm added

VJ Updated by Victor Julien about 7 years ago Actions
Copy link
 #6

  • Description updated (diff)
  • Assignee changed from Jason Williams to OISF Dev
  • Target version changed from 70 to 5.0beta1

VJ Updated by Victor Julien almost 7 years ago Actions
Copy link
 #7

  • Target version changed from 5.0beta1 to 5.0rc1

VJ Updated by Victor Julien almost 7 years ago Actions
Copy link
 #8

  • Status changed from New to Closed

VJ Updated by Victor Julien almost 7 years ago Actions
Copy link
 #9

Actions
Copy link

Also available in: PDF Atom