<h1>Suricata - Feature #2996: Extend decode events and rules</h1>
<p>Source: Open Information Security Foundation issue tracker, https://redmine.openinfosecfoundation.org/issues/2996 (journal feed, last updated 2019-05-30T05:00:56Z)</p>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-05-30T05:00:56Z, <a href="https://redmine.openinfosecfoundation.org/issues/2996?journal_id=12325">journal #12325</a></p>
<ul><li><strong>Tracker</strong> changed from <i>Optimization</i> to <i>Feature</i></li><li><strong>Status</strong> changed from <i>Assigned</i> to <i>New</i></li><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Community Ticket</i></li></ul>

<p><strong>Shivani Bhardwaj</strong>, 2019-06-30T19:57:29Z, <a href="https://redmine.openinfosecfoundation.org/issues/2996?journal_id=12744">journal #12744</a></p>
<p>Hey Andreas!<br />Could you please link a document where I can match what else we are missing? I'm just browsing through the code and finding these values. I do not see REASSEMBLY_OVERLAP in any enums, so that's one. Also, if this issue is concerned with stream.reassembly_overlap only, let me know that as well.</p>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-06-30T20:41:22Z, <a href="https://redmine.openinfosecfoundation.org/issues/2996?journal_id=12749">journal #12749</a></p>
<p>I also found this just by "accident" as I was looking into some overlap info. I can start a list; maybe it's not very long.<br />Did you find any others?</p>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-07-01T20:39:39Z, <a href="https://redmine.openinfosecfoundation.org/issues/2996?journal_id=12778">journal #12778</a></p>
<p>At least those are missing:</p>
<ul><li>tcp.reassembly_gap</li><li>tcp.overlap</li><li>tcp.insert_data_normal_fail</li><li>tcp.insert_data_overlap_fail</li><li>tcp.insert_list_fail</li></ul>
<p>I guess this might be a bigger task to collect all possible events.</p>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-07-03T09:12:14Z, <a href="https://redmine.openinfosecfoundation.org/issues/2996?journal_id=12799">journal #12799</a></p>
<p>For every event there should be a rule in the rules/*-events.rules files.</p>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-07-05T21:52:35Z, <a href="https://redmine.openinfosecfoundation.org/issues/2996?journal_id=12820">journal #12820</a></p>
<p>For those implemented, yes, but some are missing. Or is there a specific reason why there is a <strong>StreamTcpSetEvent(p, STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA);</strong> but no <strong>StreamTcpSetEvent(p, STREAM_REASSEMBLY_OVERLAP);</strong> or <strong>StreamTcpSetEvent(p, STREAM_REASSEMBLY_LIST_FAIL);</strong>?</p>
<p>But <strong>tcp.reassembly_gap</strong> is covered by <strong>tcp.reassembly_gap</strong>, so that's not missing.</p>
<p>If I look into <strong>StreamTcpThreadInit</strong>, where we register the counters, I also see some where it's quite obvious that we don't want to trigger an event for every <strong>StatsIncr</strong> of those.</p>
<p>I guess there is no easy way to determine which ones are missing besides the overlap and insert fails. It might be enough to cover those which we found and add even more if someone spots a missing one that might be handy for debugging.<br />That's why I stumbled upon that: I wanted to dig into why there are sometimes high tcp.overlap values, and with a rule it would help to narrow down where they appear.</p>
<p>Thoughts?</p>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-09-24T20:40:46Z, <a href="https://redmine.openinfosecfoundation.org/issues/2996?journal_id=13763">journal #13763</a></p>
<ul><li><strong>Assignee</strong> changed from <i>Community Ticket</i> to <i>Andreas Herz</i></li></ul>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-09-26T08:31:32Z, <a href="https://redmine.openinfosecfoundation.org/issues/2996?journal_id=13873">journal #13873</a></p>
<p>Let's just add the missing ones, but commented out by default.</p>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-10-21T20:35:13Z, <a href="https://redmine.openinfosecfoundation.org/issues/2996?journal_id=14321">journal #14321</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li></ul>
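<p>Victor's point that every event should have a rule in the rules/*-events.rules files, and Andreas's remark that there is no easy way to tell which events lack one, can be checked mechanically rather than by browsing the code by hand. The script below is an added example, not Suricata project code: it cross-references the STREAM_* enum names found in a header against the stream-event: keywords found in a rules file, reports which events have an active rule, a commented-out rule, or no rule at all, and drafts commented-out rules for the gaps, as the last comment suggests. It assumes the naming convention STREAM_FOO_BAR to stream-event:foo_bar (prefix dropped, rest lower-cased); the header and rule snippets are constructed samples built from the names in this ticket, and the sids are local-range placeholders, not the project's real sids.</p>

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the STREAM_* enum entries in
# decode-events.h (not the real header). The last two names are the
# ones this ticket says have a counter but no StreamTcpSetEvent call.
SAMPLE_EVENTS_HEADER = """
    STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ,
    STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA,
    STREAM_REASSEMBLY_OVERLAP,
    STREAM_REASSEMBLY_LIST_FAIL,
"""

# Constructed sample in the shape of rules/stream-events.rules. The first
# rule is commented out; sids are local-range placeholders, not real ones.
SAMPLE_RULES = """
# alert tcp any any -> any any (msg:"SURICATA STREAM reassembly segment before base seq"; stream-event:reassembly_segment_before_base_seq; classtype:protocol-command-decode; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap with different data"; stream-event:reassembly_overlap_different_data; classtype:protocol-command-decode; sid:1000002; rev:1;)
"""

ENUM_RE = re.compile(r"\bSTREAM_([A-Z0-9_]+)\b")
KEYWORD_RE = re.compile(r"stream-event:\s*([A-Za-z0-9_]+)\s*;")


def event_keywords_from_header(header: str) -> List[str]:
    """Map each STREAM_* enum entry to the stream-event keyword it would use.
    Assumption: drop the STREAM_ prefix and lower-case the remainder."""
    seen: List[str] = []
    for m in ENUM_RE.finditer(header):
        kw = m.group(1).lower()
        if kw not in seen:
            seen.append(kw)
    return seen


def rule_states(rules: str) -> Dict[str, bool]:
    """Return {keyword: enabled} for every stream-event rule in the text,
    treating a leading '#' as a disabled (commented-out) rule."""
    states: Dict[str, bool] = {}
    for line in rules.splitlines():
        stripped = line.strip()
        m = KEYWORD_RE.search(stripped)
        if not m:
            continue
        states[m.group(1)] = not stripped.startswith("#")
    return states


def find_gaps(header: str, rules: str) -> Dict[str, List[str]]:
    """Classify each event as active (enabled rule), disabled (commented-out
    rule) or missing (no rule at all), preserving header order."""
    states = rule_states(rules)
    out: Dict[str, List[str]] = {"active": [], "disabled": [], "missing": []}
    for kw in event_keywords_from_header(header):
        if kw not in states:
            out["missing"].append(kw)
        elif states[kw]:
            out["active"].append(kw)
        else:
            out["disabled"].append(kw)
    return out


def draft_rule(keyword: str, sid: int) -> str:
    """Draft a rule for an uncovered event, commented out by default so it
    must be enabled deliberately; the msg text is a placeholder to edit."""
    msg = "SURICATA STREAM " + keyword.replace("_", " ")
    return (
        f'# alert tcp any any -> any any (msg:"{msg}"; stream-event:{keyword}; '
        f"classtype:protocol-command-decode; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    gaps = find_gaps(SAMPLE_EVENTS_HEADER, SAMPLE_RULES)
    for state, kws in gaps.items():
        print(f"{state}: {', '.join(kws) or '-'}")
    next_sid = 1000100  # constructed local-range starting sid
    for i, kw in enumerate(gaps["missing"]):
        print(draft_rule(kw, next_sid + i))
```

<p>Pointed at the real decode-events.h and stream-events.rules, the "disabled" bucket is worth reviewing separately from "missing": a commented-out rule means the event is already exposed and can be switched on for a debugging session, which is exactly the use Andreas describes for tracking down high tcp.overlap counts, whereas a missing entry means the event first has to be raised by the stream engine before any rule can fire on it.</p>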