Project

General

Custom queries

Profile

Actions
Copy link

Task #7026

open

app-protos: trigger raw stream inspection

Added by Juliana Fajardini Reichow about 1 year ago. Updated 3 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Shivani Bhardwaj
Target version:
8.0.0-rc1
Effort:
Difficulty:
high
Label:

Description

For application layer protocols over TCP that have transactions, we need to trigger stream inspection once they have at least one full message parseable, to avoid missing alerts that happen early on in the stream (as seen with #7004).

Subtasks 5 (0 open5 closed)

Bug #7000: pgsql: trigger raw stream reassemblyClosedJuliana Fajardini ReichowActions
Bug #7001: pgsql: trigger raw stream reassembly (7.0.x backport)ClosedJuliana Fajardini ReichowActions
Optimization #7018: dns/tcp: allow triggering raw stream reassemblyClosedJuliana Fajardini ReichowActions
Optimization #7075: dns/tcp: allow triggering raw stream reassembly (7.0.x backport)ClosedJuliana Fajardini ReichowActions
Optimization #7076: pgsql: trigger raw stream reassembly when tx completedRejectedJuliana Fajardini ReichowActions

Related issues 4 (3 open1 closed)

Related to Suricata - Bug #7004: app-layer: wrong tx may be logged for stream rulesClosedShivani BhardwajActions
Related to Suricata - Documentation #4351: doc: explain the engine logic to trigger inspection of TCP dataAssignedShivani BhardwajActions
Related to Suricata - Task #7742: ftp: trigger raw stream inspectionNewShivani BhardwajActions
Related to Suricata - Task #7743: http: trigger raw stream inspectionNewShivani BhardwajActions
Actions
Copy link
 #5

Updated by Juliana Fajardini Reichow about 1 year ago

Enip: should wait for https://github.com/OISF/suricata/pull/10901 to be merged.

Actions
Copy link
 #14

Updated by Shivani Bhardwaj 3 months ago

I think this ticket should be rejected with an update in the title as this just reflects what shall be done to fix the bug stated in #7004. Thoughts?

Actions
Copy link
 #15

Updated by Victor Julien 3 months ago

Shivani Bhardwaj wrote in #note-14:

I think this ticket should be rejected with an update in the title as this just reflects what shall be done to fix the bug stated in #7004. Thoughts?

Not sure, implementing this affects more than tx logging.

Actions
Copy link
 #16

Updated by Shivani Bhardwaj 3 months ago

Victor Julien wrote in #note-15:

Not sure, implementing this affects more than tx logging.

I see. Thank you. I shall find that out then and see if the title needs improvement.

Actions
Copy link
 #26

Updated by Shivani Bhardwaj 3 days ago

  • Status changed from In Progress to Resolved
Actions
Copy link

Also available in: Atom PDF