
Optimization #2405

open

Use FileTruncateAllOpenFiles for every app layer protocol

Added by Maurizio Abba over 4 years ago. Updated about 3 years ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

eve-log is able to add a parameter "gaps" for files where Suricata saw a reassembly gap. Unfortunately, this flag is set by Rust parsers only.
This optimization involves being able to show this flag also for http/smtp.

To accomplish this result, we need to act on two sides:
1) Use the "direction" parameter in the StateTruncate handler. This parameter is actually a series of STREAM_* flags. One of the flags set by stream-tcp-reassemble is STREAM_GAP.
2) Add the parameter "flags" to the FileTruncateAllOpenFiles function in util-file. The "direction" variable will be passed as "flags". If the flag STREAM_GAP is present, we will set the related FILE_HAS_GAPS flag in the flags array of the File * pointer.

There is a caveat: setting the flag FILE_HAS_GAPS will cause the state to be updated to FILE_STATE_TRUNCATED (cf. util-file.c:FileCloseFilePtr). This will cause the file logging to be performed even if the detection has not terminated yet (e.g. when gaps happen before the minimal inspect size for the buffer is reached). To force the detection phase, we prevent the state update to FILE_STATE_TRUNCATED. It must be noted that file->state will be updated anyway inside the logging module (cf. output-file.c:OutputFileLog and output-filedata.c:OutputFiledataLog).

If anybody has a better idea on how to do it, please shout!
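The flow proposed above, condensed into a stand-alone C model added here for illustration; it is not Suricata's code. The function and flag names mirror the ones in the description, the bit values and struct layouts are constructed placeholders, and the state handling is reduced to the two points the issue makes: the truncate path only records FILE_HAS_GAPS from a STREAM_GAP bit, and the state is finalised on the logging side.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-ins for the flags named in the issue. The bit values
 * are placeholders, not the ones defined in stream.h / util-file.h. */
#define STREAM_TOSERVER 0x01
#define STREAM_GAP      0x10
#define FILE_HAS_GAPS   0x0100

enum FileState { FILE_STATE_OPENED, FILE_STATE_CLOSED, FILE_STATE_TRUNCATED };

typedef struct File_ {
    enum FileState state;   /* OPENED until a logger finalises it */
    uint16_t flags;         /* FILE_HAS_GAPS lives here */
    struct File_ *next;
} File;

typedef struct { File *head; } FileContainer;

/* Truncate path with the extra "flags" argument: the caller passes the
 * STREAM_* direction bits, and a STREAM_GAP bit is turned into
 * FILE_HAS_GAPS on every still-open file. The state is deliberately NOT
 * moved to FILE_STATE_TRUNCATED here (the caveat in the issue), so that
 * detection still gets its turn before any file log is emitted.
 * Returns the number of files that were marked. */
static int TruncateAllOpenFiles(FileContainer *fc, uint8_t flags)
{
    int marked = 0;
    for (File *f = fc->head; f != NULL; f = f->next) {
        if (f->state != FILE_STATE_OPENED)
            continue;                      /* already closed/logged */
        if (flags & STREAM_GAP) {
            f->flags |= FILE_HAS_GAPS;
            marked++;
        }
    }
    return marked;
}

/* Logging side: the state is finalised only here, so the eve "gaps" field
 * and the truncated state are produced together, after detection ran. */
static bool LogFileHasGaps(File *f)
{
    bool gaps = (f->flags & FILE_HAS_GAPS) != 0;
    if (f->state == FILE_STATE_OPENED)
        f->state = gaps ? FILE_STATE_TRUNCATED : FILE_STATE_CLOSED;
    return gaps;
}
```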

#1

Updated by Victor Julien over 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Maurizio Abba
#2

Updated by Andreas Herz over 4 years ago

  • Target version set to TBD
#3

Updated by Victor Julien about 3 years ago

  • Status changed from Assigned to New
  • Assignee changed from Maurizio Abba to OISF Dev