Optimization #7018
closedTask #7026: app-protos: trigger raw stream inspection
dns/tcp: allow triggering raw stream reassembly
Description
As seen with #7004, DNS over TCP transactions might not be seen by the stream detection engine until a later stage, unless the app-proto triggers the raw parsing of the stream once it knows there's enough data to be parsed.
This could lead to whole transactions being overseen: they're marked as inspected by DetectRunTx, then AppLayerParserTransactionsCleanup frees them, and once it's time to stream rules to match, earlier transactions may not exist for the detection engine any longer, or exist as an id only, but not be retrievable for alert metadata logging.
This is especially true if for some reason we have a DNS rule that doesn't use any DNS keywords, as to the engine this is a payload/stream-only rule.
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Related to Bug #7004: app-layer: wrong tx may be logged for stream rules added
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Private changed from No to Yes
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Parent task set to #7026
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Subject changed from dns: allow triggering raw stream reassembly to dns/tcp: allow triggering raw stream reassembly
- Description updated (diff)
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Description updated (diff)
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Description updated (diff)
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Tracker changed from Task to Bug
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Status changed from New to In Progress
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Status changed from In Progress to In Review
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Related to Documentation #7031: userguide: document SignatureProperties sigtype added
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Related to Bug #7000: pgsql: trigger raw stream reassembly added
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Tracker changed from Bug to Optimization
Changing Tracker as per discussion with Philippe and Jason. If I understood it correctly.
JF Updated by Juliana Fajardini Reichow almost 2 years ago
PR for review: https://github.com/OISF/suricata/pull/11265
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Status changed from In Review to Closed
Merged PR: https://github.com/OISF/suricata/pull/11271
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Status changed from Closed to Resolved
- Label Needs backport to 7.0 added
OT Updated by OISF Ticketbot almost 2 years ago
- Subtask #7075 added
OT Updated by OISF Ticketbot almost 2 years ago
- Label deleted (
Needs backport to 7.0)
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Private changed from Yes to No
VJ Updated by Victor Julien over 1 year ago
- Status changed from Resolved to Closed
PA Updated by Philippe Antoine over 1 year ago
Why is this closed but SV test task-7018-ids-dns-keywords does not pass ?
JF Updated by Juliana Fajardini Reichow over 1 year ago
- Related to Bug #7449: app-layer metadata does not get logged for stream rules and unidirectional protocols added