Skip to content

Detect integers multi 7480 v4.1 #13872

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 16 commits into from
Closed

Detect integers multi 7480 v4.1 #13872

wants to merge 16 commits into from

Conversation

@catenacyber
Copy link
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7480

Describe changes:

  • detect/integers: generalize multi-integers

SV_BRANCH=OISF/suricata-verify#2653

#13838 with better history, more SV tests, fixes...

@victorjulien should I do a first PR with commits up to rust/detect: generic detect_uint_match_at_index ?

More TODOs:

List of keywords to do : ./src/suricata --list-keywords=csv | grep uint | grep multi | cut -d\; -f1

  • nfs_procedure (first cherry-pick da81b7e)
  • filesize (file iterator)
  • vlan.id (c prefilter)
  • enip.cip_attribute (array of arrays)
  • enip.cip_class (array of arrays)
  • enip.cip_status (array of arrays)
  • enip.cip_instance (array of arrays)
  • enip.cip_extendedstatus (array of arrays)
  • mqtt.reason_code (2 arrays ...)
  • mqtt.flags (bitflags)
  • mqtt.connect.flags (bitflags)

@catenacyber
detect: rename LdapIndex to something generic
f570a32 
to be able to use it outside of ldap

Ticket: 7480

No behavior change, just code restyling
@catenacyber
rust/detect: move DetectUintIndex definition to generic file
145ca3c 
Ticket: 7480

No behavior change, just code restyling
@catenacyber
rust/detect: create generic DetectUintArrayData
4439285 
And make ldap use them

Ticket: 7480

No behavior change, just code restyling
@catenacyber
rust/detect: generic detect_parse_array_uint_enum
e2866a1 
And make ldap use it

Ticket: 7480

No behavior change, just code restyling
@catenacyber
rust/ldap: use Vec instead of Vecdeque
ae98927 
as we do not pop

Ticket: 7480

May have a behavior change, but only in terms of performance
@catenacyber
rust/detect: generic detect_uint_match_at_index
23bc458 
and make ldap use it

Ticket: 7480

No behavior change, just code restyling
@catenacyber
dns/detect: rrtype can now use index
ca3f6d6 
Ticket: 7480
@catenacyber
doc: multi-integers section for rules
e728787 
Ticket: 7480

Describing the usage of index
@catenacyber
mqtt/detect: mqtt.type can now use index
5f111f3 
Ticket: 7480
@catenacyber
http2/detect: http2.priority can now use index
6cccbc6 
Ticket: 7480
@catenacyber
http2/detect: http2.window can now use index
61c6ce5 
Ticket: 7480
@catenacyber
detect/uint: wait for end of progress to match on all
7fabf16 
As is done for absent keyword for instance
@catenacyber
detect/integers: all1 index to match only on non-empty arrays
02f5c7d
@catenacyber
detect/integers: nb index to match a specific number of times
478480e 
For example
dns.rrtype: !A,nb>3
will match if we have more than 3 dns records which are not A
@catenacyber
detect/integers: index or_absent and or_oob
07a5905 
To match if array is empty, or index is out of bounds
@catenacyber
detect/integers: subslice for multi-integers
5673968
@catenacyber catenacyber mentioned this pull request Sep 18, 2025
Closed
@catenacyber catenacyber added this to the 9.0 milestone Sep 18, 2025
@catenacyber catenacyber marked this pull request as draft September 18, 2025 13:12
@catenacyber catenacyber mentioned this pull request Sep 18, 2025
Closed
@catenacyber
Copy link
Contributor Author

Replaced by #13873

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees

No one assigned

Labels

None yet

Milestone

9.0

Development

Successfully merging this pull request may close these issues.

1 participant

@catenacyber