Project

General

Profile

Actions

Optimization #2405

closed

files: Use FileTruncateAllOpenFiles for every app layer protocol

Added by Maurizio Abba about 6 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

eve-log is able to add a parameter "gaps" for files where suricata saw a reassembly gap. Unfortunately, this flag is set by RUST parsers only.
This optimization involves being able to show this flag also for http/smtp.

To accomplish this result, we need to act on two sides:
1) use the "direction" parameter in StateTruncate handler. This parameter is actually a series of STREAM_* flags. One of the flags set by stream-tcp-reassemble is STREAM_GAP.
2) Add the parameter "flags" to FileTruncateAllOpenFiles function in util-file. "direction" variable will be passed as "flags". If the flag STREAM_GAP is present, we will set the related FILE_HAS_GAPS flag in the flags array of the File * pointer.

There is a caveat. setting the flag FILE_HAS_GAPS will cause the state to be updated to FILE_STATE_TRUNCATED (cfr. util-file.c:FileCloseFilePtr). Ths will cause the file logging to be performed even if the detection has not terminated yet (ex. when gaps happen before the minimal inspect size for buffer is reached). To force the detection phase, we prevent the state update to FILE_STATE_TRUNCATED. It must be noticed that the file->state will be updated anyway inside the logging module (cfr. output-file.c:OutputFileLog and output-filedata.c:OutputFiledataLog).

If anybody has a better idea in how to do it, please shout!

Actions #1

Updated by Victor Julien about 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Maurizio Abba
Actions #2

Updated by Andreas Herz about 6 years ago

  • Target version set to TBD
Actions #3

Updated by Victor Julien over 4 years ago

  • Status changed from Assigned to New
  • Assignee changed from Maurizio Abba to OISF Dev
Actions #4

Updated by Victor Julien about 1 year ago

  • Subject changed from Use FileTruncateAllOpenFiles for every app layer protocol to files: Use FileTruncateAllOpenFiles for every app layer protocol
  • Status changed from New to Closed
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 7.0.0-beta1

This has been done as part of the file-tx work.

Actions

Also available in: Atom PDF