Feature #2996
open
Extend decode events and rules
Added by Andreas Herz over 5 years ago.
Updated almost 5 years ago.
Description
We already have several decode events and rules but there are still some missing. For example we have the stream.reassembly_overlap_different_data stream event and rule for that but we're missing the one for stream.reassembly_overlap where we have just the tcp.overlap counter.
- Tracker changed from Optimization to Feature
- Status changed from Assigned to New
- Assignee changed from OISF Dev to Community Ticket
Hey Andreas!
Could you please link a document where I can match what else we are missing? I'm just browsing through the code and finding these values. I do not see REASSEMBLY_OVERLAP in any enums, so that's one. Also, if this issue is concerned with stream.reassembly_overlap only, let me know that as well.
I also found this just by "accident" as I was looking into some overlap info. I can start a list; maybe it's not very long.
Did you find any others?
At least those are missing:
- tcp.reassembly_gap
- tcp.overlap
- tcp.insert_data_normal_fail
- tcp.insert_data_overlap_fail
- tcp.insert_list_fail
I guess this might be a bigger task to collect all possible events.
For every event there should be a rule in the rules/*-events.rules files.
For those implemented, yes, but some are missing. Or is there a specific reason why there is a StreamTcpSetEvent(p, STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA); but no StreamTcpSetEvent(p, STREAM_REASSEMBLY_OVERLAP); or StreamTcpSetEvent(p, STREAM_REASSEMBLY_LIST_FAIL);?
But tcp.reassembly_gap is covered by tcp.reassembly_gap, so that's not missing.
If I look into StreamTcpThreadInit, where we register the counters, I also see some where it's quite obvious that we don't want to trigger an event for every StatsIncr of those.
I guess there is no easy way to determine which ones are missing besides the overlap and insert fails. It might be enough to cover those which we found and add even more if someone spots a missing one that might be handy for debugging.
That's how I stumbled upon that: I wanted to dig into why there are sometimes high tcp.overlap values, and a rule would help to narrow down where they appear.
Thoughts?
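One way to take the guesswork out of "which events have no rule" is to cross-check the events a source file can raise against the stream-event keywords in a rules file. The script below is an added example written for this ticket, not Suricata code; it assumes that an event set as StreamTcpSetEvent(p, STREAM_X) is matched by a rule carrying stream-event:x in lowercase, and the source and rules fragments it parses are constructed inline (placeholder sids).

```python
import re
from typing import Dict, Set

# Constructed sample input (not real Suricata source): a fragment of C code
# that raises stream events the way the thread describes, via StreamTcpSetEvent().
SAMPLE_SOURCE = """
    if (data_differs) {
        StreamTcpSetEvent(p, STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA);
    }
    StreamTcpSetEvent(p, STREAM_REASSEMBLY_OVERLAP);
    StreamTcpSetEvent(p, STREAM_REASSEMBLY_LIST_FAIL);
"""

# Constructed stream-events.rules fragment; sids are placeholders. A leading
# '#' is a rule that exists but is disabled, as proposed at the end of the thread.
SAMPLE_RULES = """
alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap with different data"; stream-event:reassembly_overlap_different_data; classtype:protocol-command-decode; sid:9000001; rev:1;)
#alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap"; stream-event:reassembly_overlap; classtype:protocol-command-decode; sid:9000002; rev:1;)
"""

# StreamTcpSetEvent(p, STREAM_FOO_BAR) -> captures "FOO_BAR"
EVENT_RE = re.compile(r"StreamTcpSetEvent\s*\(\s*\w+\s*,\s*STREAM_([A-Z0-9_]+)\s*\)")
# One rule line, optionally commented out, carrying a stream-event keyword
RULE_RE = re.compile(r"^\s*(#?)\s*alert\b[^\n]*?stream-event:\s*([a-z0-9_]+)\s*;",
                     re.MULTILINE)


def events_raised(source: str) -> Set[str]:
    """Events the code can set, spelled the way the stream-event keyword names them."""
    return {m.group(1).lower() for m in EVENT_RE.finditer(source)}


def rules_by_event(rules: str) -> Dict[str, str]:
    """Map each stream-event name to 'active' or 'disabled' (commented out)."""
    state: Dict[str, str] = {}
    for m in RULE_RE.finditer(rules):
        name, disabled = m.group(2), bool(m.group(1))
        if state.get(name) != "active":  # an active copy wins over a disabled duplicate
            state[name] = "disabled" if disabled else "active"
    return state


def coverage_report(source: str, rules: str) -> Dict[str, str]:
    """For every event the code raises: 'active', 'disabled' or 'missing' rule."""
    present = rules_by_event(rules)
    return {ev: present.get(ev, "missing") for ev in sorted(events_raised(source))}


if __name__ == "__main__":
    for event, status in coverage_report(SAMPLE_SOURCE, SAMPLE_RULES).items():
        print(f"{status:8s} stream-event:{event}")
```

Pointing the two parsers at the real stream-tcp*.c files and rules/stream-events.rules gives the list this ticket is after, with disabled rules reported separately from truly missing ones.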
- Assignee changed from Community Ticket to Andreas Herz
Let's just add the missing ones, but commented out by default.
- Status changed from New to Assigned