Task #8596
opendetect: limit number of flowbits usage in a signature
Description
Currently, there's no limit enforced on the number of times "flowbits" keyword could be used in a signature. A configurable limit is to be added with a reasonable allowed default.
Reasons a limit is needed despite the existing 8k limit on signature length:
- uncertainty about how many flowbits keywords could be accommodated
- flowbits name lengths can be variable
- flowbits command names are also of differing lengths
Updated by Victor Julien about 1 month ago
To determine a good default lets start with seeing what the max per sig is in the rulesets in our index.
Updated by Shivani Bhardwaj about 1 month ago
- Difficulty set to low
Updated by Shivani Bhardwaj about 1 month ago
- Status changed from Assigned to In Review
Updated by Victor Julien about 1 month ago
Updated by Shivani Bhardwaj about 1 month ago
ref: https://github.com/OISF/suricata/pull/15444#issuecomment-4543489714
Maximum number of times flowbits keyword used in a signature in the "open" rulesets that we ship with our index is 6. The rule is: https://rules.evebox.org/rule/et/open/2062740
Perhaps, 8 is a good default then? Thoughts?
Rulesets probed:
abuse.ch/feodotracker
abuse.ch/urlhaus
stamus/lateral
julioliraup/antiphishing
pawpatrules
aleksibovellan/nmap
abuse.ch/sslbl-ja3
abuse.ch/sslbl-blacklist
et/open
oisf/trafficid
etnetera/aggressive
ptrules/open
tgreen/hunting
Updated by Isaac Shaughnessy about 1 month ago
In the ET OPEN/PRO Rulesets the max is 6 flowbit keywords in a single signature. Anything less than 4 would require us to review rule logic for a decent number of signatures to maintain compatibility with the default config. Unless there is a performance reason to have a lower limit I think 8 is a good suggestion.
Summary of flowbit counts:
- Number of signatures with 1 flowbits: 4369
- Number of signatures with 2 flowbits: 1305
- Number of signatures with 3 flowbits: 131
- Number of signatures with 4 flowbits: 33
- Number of signatures with 5 flowbits: 6
- Number of signatures with 6 flowbits: 1
- Number of signatures with 7 flowbits: 0
- Number of signatures with 8+ flowbits: 0
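An added example (not from the ticket or Suricata's own code) of the per-signature tally Isaac describes: it counts flowbits keywords per sid in rules text using a regex heuristic (not Suricata's rule parser), builds the same kind of histogram, and flags signatures above a configurable limit defaulting to 8. The sample rules are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample rules (not from any real ruleset); one signature per line.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"one"; flowbits:set,a; sid:1;)
alert tcp any any -> any 80 (msg:"two"; flowbits:isset,a; flowbits:set,b; sid:2;)
# alert tcp any any -> any 80 (msg:"commented out"; flowbits:set,c; sid:3;)
alert http any any -> any any (msg:"nine"; flowbits:set,b1; flowbits:set,b2; flowbits:set,b3; flowbits:set,b4; flowbits:set,b5; flowbits:set,b6; flowbits:set,b7; flowbits:set,b8; flowbits:noalert; sid:4;)
alert tcp any any -> any 443 (msg:"none"; content:"flowbits:"; sid:5;)
"""

# A keyword is only counted when it follows ';' or '(' so that the literal
# text "flowbits:" inside a content/msg string is not mistaken for a keyword.
FLOWBITS_RE = re.compile(r'(?:^|[;(]\s*)flowbits\s*:')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def flowbits_per_sid(rules_text):
    """Map sid -> number of flowbits keywords, skipping comments and blank lines."""
    counts = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SID_RE.search(line)
        if not m:
            continue  # no sid: not a usable signature line
        counts[int(m.group(1))] = len(FLOWBITS_RE.findall(line))
    return counts

def summarize(counts, limit=8):
    """Histogram over signatures that use flowbits at all, plus sids over the limit."""
    hist = Counter(n for n in counts.values() if n > 0)
    over = sorted(sid for sid, n in counts.items() if n > limit)
    return hist, over

if __name__ == "__main__":
    counts = flowbits_per_sid(SAMPLE_RULES)
    hist, over = summarize(counts)
    for n in sorted(hist):
        print(f"Number of signatures with {n} flowbits: {hist[n]}")
    print("sids exceeding the default limit of 8:", over)
```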
Updated by Shivani Bhardwaj about 1 month ago
Isaac Shaughnessy wrote in #note-6:
In the ET OPEN/PRO Rulesets the max is 6 flowbit keywords in a single signature. Anything less than 4 would require us to review rule logic for a decent number of signatures to maintain compatibility with the default config. Unless there is a performance reason to have a lower limit I think 8 is a good suggestion.
[...]
Thank you very much for the analysis, Isaac! Moving forward with a default of 8.
Updated by Shivani Bhardwaj 18 days ago
- Description updated (diff)
Updated by Shivani Bhardwaj 18 days ago
- Difficulty changed from low to medium