Project

General

Profile

Actions
Copy link

Feature #2283

closed

turn content modifiers into 'sticky buffers'

Added by Victor Julien over 6 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
5.0rc1
Effort:
Difficulty:
Label:

Description

Turn all content modifiers into sticky buffers with a '<proto>.<buffer>[.<modifier>]' notation.
Support this dot-notation for all existing sticky buffers.

In both cases the existing rule keywords need to keep working for backwards compatibility. New keywords only need to support the new notation.

Some examples:

content:"abc"; http_uri; -> http.uri; content:"abc";
content:"abc"; http_raw_uri; -> http.uri.raw; content:"abc";
content:"abc"; http_client_body; -> http.request_body; content:"abc";
dns_query; content:"abc"; -> dns.query; content:"abc";

Internally, these keywords need to be registered through the 'v2 API', so that they support transforms.

Examples can be found in https://github.com/OISF/suricata/pull/3632

Subtasks 4 (0 open4 closed)

Feature #2897: update http_content_type and others to new style sticky buffersClosedJeff LucovskyActions
Feature #2914: modernize tls sticky buffersClosedJeff LucovskyActions
Bug #2915: modernize ssh sticky buffersClosedJeff LucovskyActions
Feature #2930: http_protocol: use mpm and content inspect v2 apisClosedGiuseppe LongoActions

Related issues 3 (2 open1 closed)

Related to Suricata - Task #2309: SuriCon 2017 brainstormAssignedVictor JulienActions
Related to Suricata - Task #2685: SuriCon 2018 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #2952: modernize http_header_namesClosedVictor JulienActions
Actions
Copy link
 #1

Updated by Victor Julien over 6 years ago

  • Assignee set to Jason Williams
  • Target version set to 70
Actions
Copy link
 #2

Updated by Jason Williams over 6 years ago

1. flip the proto to the end

- this complicates the naming a little
- breaks the current "proto_buffer"; naming scheme

uri_http;
header_http;
user_agent_http;

2. use similar naming to 'raw'

- a little more typing
- looks fairly similar to what we already have

http_sticky_uri;
http_sticky_header;
http_sticky_user_agent;
http_raw_sticky_uri; - in instances where we have raw

3. put sticky at the end

- not a naming convention we have currently

http_uri_sticky;
http_header_sticky;
http_user_agent_sticky;

4. let suricata decide the function of the buffer

- this could possibly complicate the engine's parsing of the rules
- cleanest

content:"/example/"; http_uri; (old - modifier)
http_uri; content:"/example/"; (new - sticky)

Actions
Copy link
 #3

Updated by Victor Julien over 6 years ago

  • Related to Task #2309: SuriCon 2017 brainstorm added
Actions
Copy link
 #4

Updated by Jason Williams about 6 years ago

After some time thinking about this, perhaps the initial 'http_' portion of the buffer name is not needed?

our rule is already 'alert http...'

http_uri; -> uri;
http_user_agent; -> user_agent;
http_referer; -> referer;

Actions
Copy link
 #5

Updated by Victor Julien over 5 years ago

  • Related to Task #2685: SuriCon 2018 brainstorm added
Actions
Copy link
 #6

Updated by Victor Julien about 5 years ago

  • Description updated (diff)
  • Assignee changed from Jason Williams to OISF Dev
  • Target version changed from 70 to 5.0beta1
Actions
Copy link
 #7

Updated by Victor Julien almost 5 years ago

  • Target version changed from 5.0beta1 to 5.0rc1
Actions
Copy link
 #8

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Closed
Actions
Copy link
 #9

Updated by Victor Julien almost 5 years ago

Actions
Copy link

Also available in: Atom PDF