Feature #2996


Extend decode events and rules

Added by Andreas Herz over 2 years ago. Updated over 1 year ago.

We already have several decode events and rules but there are still some missing. For example we have the stream.reassembly_overlap_different_data stream event and rule for that but we're missing the one for stream.reassembly_overlap where we have just the tcp.overlap counter.

Actions #1

Updated by Victor Julien over 2 years ago

  • Tracker changed from Optimization to Feature
  • Status changed from Assigned to New
  • Assignee changed from OISF Dev to Community Ticket
Actions #2

Updated by Shivani Bhardwaj about 2 years ago

Hey Andreas!
Could you please link a document where I can match what else we are missing? I'm just browsing through the code and finding these values. I do not see REASSEMBLY_OVERLAP in any enums, so that's one. Also, if this issue is concerned with stream.reassembly_overlap only, let me know that as well.

Actions #3

Updated by Andreas Herz about 2 years ago

I also found this just by "accident" as I was looking into some overlap info. I can start a list; maybe it's not very long.
Did you find any others?

Actions #4

Updated by Andreas Herz about 2 years ago

At least those are missing:

- tcp.reassembly_gap
- tcp.overlap
- tcp.insert_data_normal_fail
- tcp.insert_data_overlap_fail
- tcp.insert_list_fail

I guess this might be a bigger task to collect all possible events.

Actions #5

Updated by Victor Julien about 2 years ago

For every event there should be a rule in the rules/*-events.rules files.

Actions #6

Updated by Andreas Herz about 2 years ago

For those implemented, yes, but some are missing. Or is there a specific reason why there is a StreamTcpSetEvent(p, STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA); but no StreamTcpSetEvent(p, STREAM_REASSEMBLY_OVERLAP); or StreamTcpSetEvent(p, STREAM_REASSEMBLY_LIST_FAIL);?

But tcp.reassembly_gap is covered by tcp.reassembly_gap so that's not missing.

If I look into StreamTcpThreadInit, where we register the counters, I also see some where it's quite obvious that we don't want to trigger an event for every StatsIncr of those.

I guess there is no easy way to determine which ones are missing besides the overlap and insert fails. It might be enough to cover those which we found and add even more if someone spots a missing one that might be handy for debugging.
That's why I stumbled upon that: I wanted to dig into why there are sometimes high tcp.overlap values, and with a rule it would help to narrow down where they appear.


Actions #7

Updated by Andreas Herz about 2 years ago

  • Assignee changed from Community Ticket to Andreas Herz
Actions #8

Updated by Victor Julien about 2 years ago

Let's just add the missing ones, but commented out by default.
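A small cross-check in the spirit of comments #5 and #8 (every event should have a rule in rules/*-events.rules, with the new ones commented out by default), added here as an example and not part of the ticket or of the Suricata code base. The rules text is a constructed sample in the style of stream-events.rules with placeholder sids; reassembly_overlap and reassembly_list_fail are assumed event names that, as noted above, do not exist in the enums yet.

```python
import re

# Constructed sample in the style of rules/stream-events.rules. The sids are
# placeholders, not real Suricata sids. The "#alert" line mirrors a rule that
# has been added but is commented out by default.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap with different data"; stream-event:reassembly_overlap_different_data; classtype:protocol-command-decode; sid:1000001; rev:1;)
#alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap"; stream-event:reassembly_overlap; classtype:protocol-command-decode; sid:1000002; rev:1;)
# plain comment lines must not be mistaken for disabled rules
alert tcp any any -> any any (msg:"SURICATA STREAM FIN invalid ack"; stream-event:fin_invalid_ack; classtype:protocol-command-decode; sid:1000003; rev:1;)
"""

# Event names to check; the two overlap/list_fail names are assumed (hypothetical).
EXPECTED_EVENTS = [
    "reassembly_overlap_different_data",
    "reassembly_overlap",
    "reassembly_list_fail",
    "fin_invalid_ack",
]

EVENT_RE = re.compile(r"stream-event:\s*([A-Za-z0-9_]+)\s*;")
ACTIONS = ("alert", "drop", "pass", "reject")


def parse_event_rules(text):
    """Map stream-event name -> True if the rule is active, False if commented out."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        if not body.startswith(ACTIONS):
            continue  # an ordinary comment, not a disabled rule
        m = EVENT_RE.search(body)
        if m:
            found[m.group(1)] = enabled
    return found


def missing_rules(expected, rules_text):
    """Event names with no rule at all, active or disabled."""
    present = parse_event_rules(rules_text)
    return [e for e in expected if e not in present]


def disabled_rules(rules_text):
    """Event names whose rule exists but is commented out."""
    return sorted(e for e, on in parse_event_rules(rules_text).items() if not on)


if __name__ == "__main__":
    print("missing rules:", missing_rules(EXPECTED_EVENTS, SAMPLE_RULES))
    print("disabled rules:", disabled_rules(SAMPLE_RULES))
```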

Actions #9

Updated by Andreas Herz almost 2 years ago

  • Status changed from New to Assigned
