
Feature #7313: transforms: have option on how to handle failure

Added by Philippe Antoine over 1 year ago. Updated 2 months ago.

Status:
In Review
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Transforms like base64, pcrexform or urldecode may somehow fail.

The current default is to passthrough.
But we could have an option on these keywords to behave differently, like returning a NULL or 0-length buffer instead of the original one.


Related issues: 2 (2 open, 0 closed)

  • Related to Suricata - Feature #7114: from_base64: allow matching on decode error (In Review, Jeff Lucovsky)
  • Related to Suricata - Feature #8470: detect/transform: Create anomaly log on transform failure (New)

Updated by Philippe Antoine over 1 year ago (#1)

Passthrough may be a good idea sometimes, like dns.query; pcrexform:"\.([^\.]+\.[^\.]+)$"; to extract the top domain if it is a subdomain or just passthrough if it is not a subdomain

Updated by Philippe Antoine over 1 year ago (#2)

  • Assignee changed from OISF Dev to Jeff Lucovsky

Jeff, you have been working on this for base64, so assigning to you

Updated by Philippe Antoine over 1 year ago (#3)

  • Related to Feature #7114: from_base64: allow matching on decode error added

Updated by Philippe Antoine 5 months ago (#4)

  • Status changed from New to Assigned
  • Target version changed from TBD to 9.0.0-beta1

I think we should tackle this for 9

Updated by Jeff Lucovsky 3 months ago (#5)

  • Description updated (diff)

Updated by Philippe Antoine 3 months ago (#6)

  • Status changed from Assigned to In Review

Updated by Jeff Lucovsky 3 months ago (#7)

  • Related to Feature #8470: detect/transform: Create anomaly log on transform failure added

Updated by Jeff Lucovsky 3 months ago (#8)

passthrough on error is necessary to maintain pre-filter semantics.

Updated by Philippe Antoine 3 months ago (#9)

Jeff Lucovsky wrote in #note-8:

passthrough on error is necessary to maintain pre-filter semantics.

I do not understand what this means. Could you expand on it?
What are pre-filter semantics?

Updated by Jeff Lucovsky 3 months ago (#10)

The transform output is used during pre-filtering. Maintaining the buffer on transform error allows that prefiltering to continue to operate as before so that the remainder of the rule can be evaluated.
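The description, note #1 and note #10 all turn on the same question: what a transform chain does with the buffer when a transform fails. The following is an added example, a constructed Python model of that chain and not Suricata's own code, which runs the pcrexform rule from note #1 and a from_base64 chain over a few constructed inputs under both policies (the current passthrough behaviour and the proposed 0-length buffer). The model's assumption that an unmatched pcrexform pattern, or an undecodable base64 payload, counts as a transform failure is stated in the comments; the exact failure conditions of the real keywords are not described on this page.

```python
import base64
import binascii
import re
from typing import Callable, Dict, List

# Constructed model of a Suricata transform chain (not the project's code).
# A transform turns the sticky-buffer contents into a new buffer; the ticket
# asks what the chain should do when a transform fails.
Transform = Callable[[bytes], bytes]

PASSTHROUGH = "passthrough"  # current default: keep the untransformed buffer
EMPTY = "empty"              # proposed option: continue with a 0-length buffer


class TransformError(Exception):
    """Raised by a transform that cannot produce output for this input."""


def pcrexform(pattern: bytes) -> Transform:
    """Model of pcrexform: the buffer becomes the first capture group.
    Assumption for this model: no match (or no capture group) is a failure."""
    regex = re.compile(pattern)

    def apply(buf: bytes) -> bytes:
        match = regex.search(buf)
        if match is None or match.lastindex is None:
            raise TransformError("pcrexform: pattern did not match")
        return match.group(1)

    return apply


def from_base64(buf: bytes) -> bytes:
    """Model of from_base64: strict decode; any invalid input is a failure."""
    try:
        return base64.b64decode(buf, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise TransformError(f"from_base64: {exc}") from exc


def run_transforms(buf: bytes, chain: List[Transform], on_error: str) -> bytes:
    """Apply the chain in order, handling a failing transform per on_error."""
    for transform in chain:
        try:
            buf = transform(buf)
        except TransformError:
            if on_error == EMPTY:
                return b""  # nothing downstream can match a 0-length buffer
            # PASSTHROUGH: buf stays as it was before this transform
    return buf


def rule_matches(buf: bytes, chain: List[Transform], content: bytes, on_error: str) -> bool:
    """One sticky buffer, one transform chain, one content match."""
    return content in run_transforms(buf, chain, on_error)


def compare_policies(samples: List[bytes], chain: List[Transform], content: bytes) -> Dict[str, List[bytes]]:
    """Which samples the rule matches under each failure policy."""
    return {
        policy: [s for s in samples if rule_matches(s, chain, content, policy)]
        for policy in (PASSTHROUGH, EMPTY)
    }


# The rule from note #1: dns.query; pcrexform:"\.([^\.]+\.[^\.]+)$"; content:"example.com";
TOP_DOMAIN = rb"\.([^\.]+\.[^\.]+)$"
DNS_SAMPLES = [b"www.example.com", b"example.com", b"example.org"]  # constructed queries

# A from_base64 chain over constructed payloads; the second is not base64 at all.
B64_SAMPLES = [b"ZXZpbC5jb20=", b"evil.com is not base64!"]  # constructed payloads

if __name__ == "__main__":
    for policy, hits in compare_policies(DNS_SAMPLES, [pcrexform(TOP_DOMAIN)], b"example.com").items():
        print(f"{policy:12s} dns.query rule matches: {hits}")
    for policy, hits in compare_policies(B64_SAMPLES, [from_base64], b"evil.com").items():
        print(f"{policy:12s} from_base64 rule matches: {hits}")
```

Under passthrough the dns.query rule matches both `www.example.com` (the capture group yields `example.com`) and the bare `example.com` (the pattern does not match, so the original buffer is kept), which is the behaviour note #1 relies on. Under the 0-length option the bare name no longer matches, and likewise a non-base64 payload that happens to contain the plain string stops matching the from_base64 rule. That is the breaking change notes #11 and #12 refer to: the content match that the prefilter uses keeps seeing the original bytes only in the passthrough case.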

Updated by Philippe Antoine 2 months ago (#11)

You are just stating that this feature is a breaking change, or am I missing something?

(And I think it is a good breaking change)

Updated by Jeff Lucovsky 2 months ago (#12)

Yes -- it'd be a breaking change.
I discussed this with @Victor Julien and we decided to leave the buffer unmodified for transform errors.

Updated by Philippe Antoine 2 months ago (#13)

Rereading my comment https://redmine.openinfosecfoundation.org/issues/7313#note-1 I understand this, thanks :-)
