Feature #7313
opentransforms: have option on how to handle failure
Description
Transforms like base64, pcrexform or urldecode may somehow fail.
Current default is to pass through.
But we could have an option on these keywords to behave differently, like returning a NULL or 0-length buffer instead of the original one.
Updated by Philippe Antoine over 1 year ago
Passthrough may be a good idea sometimes, like dns.query; pcrexform:"\.([^\.]+\.[^\.]+)$"; to extract the top domain if it is a subdomain, or just pass through if it is not a subdomain.
Updated by Philippe Antoine about 1 year ago
- Assignee changed from OISF Dev to Jeff Lucovsky
Jeff, you have been working on this for base64, so assigning to you
Updated by Philippe Antoine about 1 year ago
- Related to Feature #7114: from_base64: allow matching on decode error added
Updated by Philippe Antoine 3 months ago
- Status changed from New to Assigned
- Target version changed from TBD to 9.0.0-beta1
I think we should tackle this for 9
Updated by Jeff Lucovsky about 1 month ago
- Description updated (diff)
Updated by Philippe Antoine 27 days ago
- Status changed from Assigned to In Review
Updated by Jeff Lucovsky 17 days ago
- Related to Feature #8470: detect/transform: Create anomaly log on transform failure added
Updated by Jeff Lucovsky 15 days ago
Passthrough on error is necessary to maintain pre-filter semantics.
Updated by Philippe Antoine 11 days ago
Jeff Lucovsky wrote in #note-8:
Passthrough on error is necessary to maintain pre-filter semantics.
I do not understand what this means. Could you expand on it?
What are pre-filter semantics?
Updated by Jeff Lucovsky 11 days ago
The transform output is used during pre-filtering. Maintaining the buffer on transform error allows that prefiltering to continue to operate as before so that the remainder of the rule can be evaluated.
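To make the two points above concrete (the dns.query/pcrexform passthrough case from note 1, and the effect of a failure policy on what the rest of a rule can match on), here is a small Python model of a transform with a configurable failure policy. It is an added illustration, not Suricata code; the transform names, the policy strings "passthrough", "empty" and "null", and the sample queries are assumptions for the example.

```python
import base64
import binascii
import re
from typing import Callable, Optional

# The regex from the thread's dns.query example: "www.example.com" -> "example.com".
TOP_DOMAIN_RE = re.compile(rb"\.([^\.]+\.[^\.]+)$")


def pcrexform(buf: bytes, pattern=TOP_DOMAIN_RE) -> Optional[bytes]:
    """Return the first capture group, or None when the pattern does not match."""
    m = pattern.search(buf)
    return m.group(1) if m else None


def from_base64(buf: bytes) -> Optional[bytes]:
    """Strict base64 decode; None on malformed input."""
    try:
        return base64.b64decode(buf, validate=True)
    except (binascii.Error, ValueError):
        return None


def apply_transform(buf: bytes, transform: Callable[[bytes], Optional[bytes]],
                    on_error: str = "passthrough") -> Optional[bytes]:
    """Apply one transform under a failure policy (policy names are assumed here).

    "passthrough" keeps the original buffer (the behaviour the thread settles on),
    "empty" substitutes a 0-length buffer, "null" leaves no buffer to inspect.
    """
    out = transform(buf)
    if out is not None:
        return out
    return {"passthrough": buf, "empty": b"", "null": None}[on_error]


def rule_matches(buf: Optional[bytes], content: bytes) -> bool:
    """A content match on the transformed buffer; no buffer means no match."""
    return buf is not None and content in buf


def outcomes(query: bytes, content: bytes) -> dict:
    """Evaluate `dns.query; pcrexform:...; content:<content>` under each policy."""
    return {policy: rule_matches(apply_transform(query, pcrexform, policy), content)
            for policy in ("passthrough", "empty", "null")}
```

With passthrough, a query that is not a subdomain (e.g. a constructed `example.com`) still reaches the `content` match unchanged, which is exactly the behaviour the pcrexform example in note 1 relies on; with an empty or NULL buffer the rest of the rule can no longer match.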
Updated by Philippe Antoine 10 days ago
You are just stating that this feature is a breaking change, or am I missing something?
(And I think it is a good breaking change)
Updated by Jeff Lucovsky 10 days ago
Yes -- it'd be a breaking change.
I discussed this with @Victor Julien and we decided to leave the buffer unmodified for transform errors.
Updated by Philippe Antoine 10 days ago
Rereading my comment https://redmine.openinfosecfoundation.org/issues/7313#note-1 I understand this, thanks :-)