Open Information Security Foundation, https://redmine.openinfosecfoundation.org/, 2022-03-04T06:07:26Z
Suricata - Feature #4226: bsize: apply as depth to patterns
Victor Julien (victor@inliniac.net), 2022-03-04T06:07:26Z, https://redmine.openinfosecfoundation.org/issues/4226?journal_id=22634
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Subject</strong> changed from <i>bsize is considerably slower than depth:x; isdataat:!1,relative</i> to <i>bsize: apply as depth to patterns</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Jeff Lucovsky</i></li><li><strong>Target version</strong> set to <i>7.0.0-beta1</i></li><li><strong>Affected Versions</strong> deleted (<del><i>git master</i></del>)</li><li><strong>Label</strong> <i>Needs backport</i> added</li></ul><p>If bsize setting is the exact length of a pattern, apply <code>startwith</code>/<code>endswith</code> logic. Otherwise, apply it as <code>depth</code>. For <code>dsize</code> (and <code>urilen</code>?) we already do this IIRC.</p>
<p>I think this could be backported as well. Technically it's not a bug, but it would be a virtually "free" optimization that should be low risk.</p>
Victor Julien (victor@inliniac.net), 2022-10-25T09:06:51Z, https://redmine.openinfosecfoundation.org/issues/4226?journal_id=25018
<ul><li><strong>Target version</strong> changed from <i>7.0.0-beta1</i> to <i>8.0.0-beta1</i></li></ul>
Brandon Murphy, 2023-01-06T15:21:14Z, https://redmine.openinfosecfoundation.org/issues/4226?journal_id=26324
<p>Recently discovered that urilen is much faster than bsize applied to http.uri as well.</p>
<p>I'm not 100% sure if this feature, when implemented, would "solve" that.</p>
<code>urilen:9<>17</code> vs <code>http.uri; bsize:9<>17;</code> yielded drastically different and unexpected results in favor of urilen.
<p>Using urilen even seems to impact the number of checks a rule experiences. Is it possible that urilen supports some prefilter element that bsize when applied to http.uri does not?</p>
<p>Feel free to let me know if this should be a separate request - it just seems like it might be related.</p>
Jeff Lucovsky, 2023-01-06T15:35:36Z, https://redmine.openinfosecfoundation.org/issues/4226?journal_id=26326
<p>These do seem related so let's not create a new issue yet.</p>
Jeff Lucovsky, 2023-01-08T16:21:37Z, https://redmine.openinfosecfoundation.org/issues/4226?journal_id=26330
<blockquote>
<p>If bsize setting is the exact length of a pattern, apply startwith/endswith logic. Otherwise, apply it as depth. For dsize (and urilen?) we already do this IIRC.</p>
</blockquote>
<p>Is this due to the logic in <code>DetectUrilenApplyToContent</code>?</p>
Victor Julien (victor@inliniac.net), 2023-10-31T20:46:58Z, https://redmine.openinfosecfoundation.org/issues/4226?journal_id=30500
<ul><li><strong>Related to</strong> <i><a class="issue tracker-4 status-1 priority-4 priority-default" href="/issues/6375">Optimization #6375</a>: detect: merge urilen and bsize implementations</i> added</li></ul>