Feature #7313
opentransforms: have option on how to handle failure
Added by Philippe Antoine over 1 year ago. Updated 10 days ago.
Description
Transforms like base64, pcrexform or urldecode may somehow fail.
Current default is to passthrough
But we could have an option to these keywords to behave differently, like return a NULL or 0-length buffer instead of the original one.
PA Updated by Philippe Antoine over 1 year ago Actions #1
Passthorugh may be a good idea sometimes like dns.query; pcrexform:"\.([^\.]+\.[^\.]+)$"; to extract the top domain if it is a subdomain or just passthrough if it is not a subdomain
PA Updated by Philippe Antoine about 1 year ago Actions #2
- Assignee changed from OISF Dev to Jeff Lucovsky
Jeff, you have been working on this for base64, so assigning to you
PA Updated by Philippe Antoine about 1 year ago Actions #3
- Related to Feature #7114: from_base64: allow matching on decode error added
PA Updated by Philippe Antoine 3 months ago Actions #4
- Status changed from New to Assigned
- Target version changed from TBD to 9.0.0-beta1
I think we should tackle this for 9
JL Updated by Jeff Lucovsky about 1 month ago Actions #5
- Description updated (diff)
PA Updated by Philippe Antoine 27 days ago Actions #6
- Status changed from Assigned to In Review
JL Updated by Jeff Lucovsky 17 days ago Actions #7
- Related to Feature #8470: detect/transform: Create anomaly log on transform failure added
JL Updated by Jeff Lucovsky 15 days ago Actions #8
passthrough on error is necessary to maintain pre-filter semantics.
PA Updated by Philippe Antoine 11 days ago Actions #9
Jeff Lucovsky wrote in #note-8:
passthrough on error is necessary to maintain pre-filter semantics.
I do not understand what this means. Could you expand on it ?
What are pre-filter semantics ?
JL Updated by Jeff Lucovsky 11 days ago Actions #10
The transform output is used during pre-filtering. Maintaining the buffer on transform error allows that prefiltering to continue to operate as before so that the remainder of the rule can be evaluated.
PA Updated by Philippe Antoine 10 days ago Actions #11
You are just stating that this feature is a breaking change, or am I missing something ?
(And I think it is a good breaking change)
JL Updated by Jeff Lucovsky 10 days ago Actions #12
Yes -- it'd be a breaking change.
I discussed this with @Victor Julien and we decided to leave the buffer unmodified for transform errors.
PA Updated by Philippe Antoine 10 days ago Actions #13
Rereading my comment https://redmine.openinfosecfoundation.org/issues/7313#note-1 I understand this, thanks :-)