Optimization #7018
closed
Optimization #7026: app-protos: trigger raw stream reassembly
dns/tcp: allow triggering raw stream reassembly
Added by Juliana Fajardini Reichow 6 months ago.
Updated 4 months ago.
Description
As seen with #7004, DNS over TCP transactions might not be seen by the stream detection engine until a later stage, unless the app-proto triggers the raw parsing of the stream once it knows there's enough data to be parsed.
This could lead to whole transactions being overseen: they're marked as inspected by DetectRunTx, then AppLayerParserTransactionsCleanup frees them, and once it's time to stream rules to match, earlier transactions may not exist for the detection engine any longer, or exist as an id only, but not be retrievable for alert metadata logging.
This is especially true if for some reason we have a DNS rule that doesn't use any DNS keywords, as to the engine this is a payload/stream-only rule.
- Related to Bug #7004: app-layer: wrong tx may be logged for stream rules added
- Private changed from No to Yes
- Subject changed from dns: allow triggering raw stream reassembly to dns/tcp: allow triggering raw stream reassembly
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Tracker changed from Task to Bug
- Status changed from New to In Progress
- Status changed from In Progress to In Review
- Related to Bug #7000: pgsql: trigger raw stream reassembly added
- Tracker changed from Bug to Optimization
Changing Tracker as per discussion with Philippe and Jason. If I understood it correctly.
- Status changed from In Review to Closed
- Status changed from Closed to Resolved
- Label Needs backport to 7.0 added
- Label deleted (
Needs backport to 7.0)
- Private changed from Yes to No
- Status changed from Resolved to Closed
Also available in: Atom
PDF