Detect integers multi 7480 v2 #13823

catenacyber · 2025-09-09T14:19:42Z

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7480

Describe changes:

detect/integers: generalize multi-integers

SV_BRANCH=OISF/suricata-verify#2644

Draft :
Feedback welcome about general design

TODOs:

need to do all keywords
need more SV test(s) esp wrt to tx progress
maybe add more features, that is more variants to DetectUintIndex, like
- count
- number of matches
- absent (count=0) or_absent
- slice of indexes, etc... (see detect: count keywords for multi-buffer #13783)

List of keywords to do : ./src/suricata --list-keywords=csv | grep uint | grep multi | cut -d\; -f1

nfs_procedure (C inclusive)
filesize (file iterator)
vlan.id (c prefilter)
enip.cip_attribute (array of arrays)
enip.cip_class (array of arrays)
enip.cip_status (array of arrays)
enip.cip_instance (array of arrays)
enip.cip_extendedstatus (array of arrays)
mqtt.reason_code (2 arrays ...)
mqtt.flags (flags)
mqtt.connect.flags (flags)

to be able to use it outside of ldap Ticket: 7480

Ticket: 7480

And make ldap use them Ticket: 7480

And make ldap use it Ticket: 7480

and make ldap use it Ticket: 7480

as we do not pop Ticket: 7480

Ticket: 7480

Ticket: 7480 Describing the usage of index

Ticket: 7480

Removing one parameter that is always the same

Ticket: 7480

codecov · 2025-09-09T15:14:04Z

Codecov Report

❌ Patch coverage is 85.88235% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.73%. Comparing base (0662736) to head (e4d37a3).
⚠️ Report is 17 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #13823      +/-   ##
==========================================
+ Coverage   83.71%   83.73%   +0.01%     
==========================================
  Files        1011     1011              
  Lines      275116   275097      -19     
==========================================
+ Hits       230321   230345      +24     
+ Misses      44795    44752      -43

Flag	Coverage Δ
fuzzcorpus	`63.03% <71.97%> (+0.02%)`	⬆️
livemode	`19.11% <0.00%> (+0.11%)`	⬆️
pcap	`44.73% <2.54%> (+0.04%)`	⬆️
suricata-verify	`65.10% <74.19%> (+0.01%)`	⬆️
unittests	`59.18% <33.92%> (+0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

suricata-qa · 2025-09-09T20:50:03Z

Information: QA ran without warnings.

Pipeline = 27366

catenacyber · 2025-09-11T20:22:50Z

Next in #13838

catenacyber added 11 commits September 4, 2025 15:16

detect: rename LdapIndex to something generic

8b17247

to be able to use it outside of ldap Ticket: 7480

rust/detect: move DetectUintIndex definition to generic file

1128c68

Ticket: 7480

rust/detect: create generic DetectUintArrayData

0b4fcb7

And make ldap use them Ticket: 7480

rust/detect: generic detect_parse_array_uint_enum

9344d06

And make ldap use it Ticket: 7480

rust/detect: generic detect_uint_match_at_index

3d7d707

and make ldap use it Ticket: 7480

rust/ldap: use Vec instead of Vecdeque

54e136b

as we do not pop Ticket: 7480

dns/detect: rrtype can now use index

a1a5cd0

Ticket: 7480

doc: multi-integers section for rules

b5c60aa

Ticket: 7480 Describing the usage of index

mqtt/detect: mqtt.type can now use index

fee6b27

Ticket: 7480

rust/detect: simpler detect_uint_match_at_index

b0535bb

Removing one parameter that is always the same

http2/detect: http2.priority can now use index

6e25abf

Ticket: 7480

catenacyber mentioned this pull request Sep 9, 2025

Detect integers multi 7480 v1 #13802

Closed

catenacyber added this to the 9.0 milestone Sep 9, 2025

http2/detect: http2.window can now use index

01aef0e

Ticket: 7480

catenacyber force-pushed the detect-integers-multi-7480-v2 branch from 366e49f to 01aef0e Compare September 9, 2025 14:28

fixup! doc: multi-integers section for rules

e4d37a3

catenacyber mentioned this pull request Sep 11, 2025

detect: count keywords for multi-buffer #13783

Closed

catenacyber closed this Sep 11, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Detect integers multi 7480 v2 #13823

Detect integers multi 7480 v2 #13823

Uh oh!

catenacyber commented Sep 9, 2025 •

edited

Loading

Uh oh!

codecov bot commented Sep 9, 2025 •

edited

Loading

Uh oh!

suricata-qa commented Sep 9, 2025

Uh oh!

catenacyber commented Sep 11, 2025

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

Uh oh!

Detect integers multi 7480 v2 #13823

Detect integers multi 7480 v2 #13823

Uh oh!

Conversation

catenacyber commented Sep 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov bot commented Sep 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

suricata-qa commented Sep 9, 2025

Uh oh!

catenacyber commented Sep 11, 2025

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

catenacyber commented Sep 9, 2025 •

edited

Loading

codecov bot commented Sep 9, 2025 •

edited

Loading