<p><strong>Open Information Security Foundation &mdash; Suricata - Bug #4685: detect: too many prefilter engines lead to FNs</strong><br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/4685">https://redmine.openinfosecfoundation.org/issues/4685</a></p>

<p><strong>2021-09-15T08:15:08Z</strong> &mdash; Victor Julien &lt;victor@inliniac.net&gt; (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/4685?journal_id=20664">journal 20664</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/2371">test.rules</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2371/test.rules">test.rules</a> added</li></ul>
<p>This is turning out to be a more complex issue. While the initial analysis is correct for a full ET ruleset, the issue is actually worse if a ruleset uses more keywords. Especially if transforms are added, it's easy to exceed the 63 bits (1 is reserved) used for tracking which tx prefilter engines have run.</p>
<p>I'm attaching an example rulefile that leads to the <code>local_id</code> getting to 160 in 6.0.x and 100 in 5.0.x. The difference is due to duplicate engines for http1/http2 in 6.0.x.</p>
<p>Some thoughts on addressing this:</p>
<ul>
<li>the most direct way of fixing this is to expand the bit space. However this will be fairly complex due to how the data structure is ultimately in <code>AppLayerTxData</code> in Rust.</li>
<li>perhaps we can track not per engine, but per 'progress' value. At a certain progress value all relevant engines <strong>should</strong> run so maybe it would be sufficient to track what ran based on this value.</li>
<li>not really a solution but still a thing to state: we need to untangle the engines list by alproto somehow, as currently we skip most engines in the list due to them not being for our alproto.</li>
</ul>

<p><strong>2021-09-15T17:29:52Z</strong> &mdash; Jeff Lucovsky (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/4685?journal_id=20671">journal 20671</a>)</p>
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/4687">Bug #4687</a>: detect: too many prefilter engines lead to FNs</i> added</li></ul>

<p><strong>2021-09-15T17:30:23Z</strong> &mdash; Jeff Lucovsky (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/4685?journal_id=20673">journal 20673</a>)</p>
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/4688">Bug #4688</a>: detect: too many prefilter engines lead to FNs</i> added</li></ul>

<p><strong>2021-09-16T17:52:34Z</strong> &mdash; Jason Ish &lt;jason.ish@oisf.net&gt; (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/4685?journal_id=20688">journal 20688</a>)</p>
<ul><li><strong>Affected Versions</strong> <i>5.0.6, 6.0.3</i> added</li></ul>

<p><strong>2021-09-17T14:46:20Z</strong> &mdash; Victor Julien &lt;victor@inliniac.net&gt; (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/4685?journal_id=20705">journal 20705</a>)</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Closed</i></li></ul>
<p><a class="external" href="https://github.com/victorjulien/suricata/commit/932cf0b6a6ad1d34fffe8dd92c14b5bc32c9f6fe">https://github.com/victorjulien/suricata/commit/932cf0b6a6ad1d34fffe8dd92c14b5bc32c9f6fe</a></p>

<p><strong>2021-12-15T07:54:05Z</strong> &mdash; Victor Julien &lt;victor@inliniac.net&gt; (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/4685?journal_id=21651">journal 21651</a>)</p>
<ul><li><strong>Private</strong> changed from <i>Yes</i> to <i>No</i></li></ul>