Project

General

Profile

Actions
Copy link

Optimization #7018

closed

Optimization #7026: app-protos: trigger raw stream reassembly

dns/tcp: allow triggering raw stream reassembly

Added by Juliana Fajardini Reichow 6 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Juliana Fajardini Reichow
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

As seen with #7004, DNS over TCP transactions might not be seen by the stream detection engine until a later stage, unless the app-proto triggers the raw parsing of the stream once it knows there's enough data to be parsed.

This could lead to whole transactions being overseen: they're marked as inspected by DetectRunTx, then AppLayerParserTransactionsCleanup frees them, and once it's time to stream rules to match, earlier transactions may not exist for the detection engine any longer, or exist as an id only, but not be retrievable for alert metadata logging.

This is especially true if for some reason we have a DNS rule that doesn't use any DNS keywords, as to the engine this is a payload/stream-only rule.

Subtasks 1 (0 open1 closed)

Optimization #7075: dns/tcp: allow triggering raw stream reassembly (7.0.x backport)ClosedJuliana Fajardini ReichowActions

Related issues 3 (2 open1 closed)

Related to Suricata - Bug #7004: app-layer: wrong tx may be logged for stream rulesIn ProgressJuliana Fajardini ReichowActions
Related to Suricata - Documentation #7031: devguide: document SignatureProperties sigtypeNewOISF DevActions
Related to Suricata - Bug #7000: pgsql: trigger raw stream reassemblyClosedJuliana Fajardini ReichowActions
Actions
Copy link
 #1

Updated by Juliana Fajardini Reichow 6 months ago

  • Related to Bug #7004: app-layer: wrong tx may be logged for stream rules added
Actions
Copy link
 #2

Updated by Juliana Fajardini Reichow 6 months ago

  • Private changed from No to Yes
Actions
Copy link
 #3

Updated by Juliana Fajardini Reichow 6 months ago

  • Parent task set to #7026
Actions
Copy link
 #4

Updated by Juliana Fajardini Reichow 6 months ago

  • Subject changed from dns: allow triggering raw stream reassembly to dns/tcp: allow triggering raw stream reassembly
  • Description updated (diff)
Actions
Copy link
 #5

Updated by Juliana Fajardini Reichow 6 months ago

  • Description updated (diff)
Actions
Copy link
 #6

Updated by Juliana Fajardini Reichow 6 months ago

  • Description updated (diff)
Actions
Copy link
 #7

Updated by Juliana Fajardini Reichow 6 months ago

  • Tracker changed from Task to Bug
Actions
Copy link
 #8

Updated by Juliana Fajardini Reichow 6 months ago

  • Status changed from New to In Progress
Actions
Copy link
 #9

Updated by Juliana Fajardini Reichow 6 months ago

  • Status changed from In Progress to In Review
Actions
Copy link
 #10

Updated by Juliana Fajardini Reichow 6 months ago

Actions
Copy link
 #11

Updated by Juliana Fajardini Reichow 5 months ago

  • Related to Bug #7000: pgsql: trigger raw stream reassembly added
Actions
Copy link
 #12

Updated by Juliana Fajardini Reichow 5 months ago

  • Tracker changed from Bug to Optimization

Changing Tracker as per discussion with Philippe and Jason. If I understood it correctly.

Actions
Copy link
 #14

Updated by Juliana Fajardini Reichow 5 months ago

  • Status changed from In Review to Closed
Actions
Copy link
 #15

Updated by Juliana Fajardini Reichow 5 months ago

  • Status changed from Closed to Resolved
  • Label Needs backport to 7.0 added
Actions
Copy link
 #16

Updated by OISF Ticketbot 5 months ago

  • Subtask #7075 added
Actions
Copy link
 #17

Updated by OISF Ticketbot 5 months ago

  • Label deleted (Needs backport to 7.0)
Actions
Copy link
 #18

Updated by Juliana Fajardini Reichow 5 months ago

  • Private changed from Yes to No
Actions
Copy link
 #19

Updated by Victor Julien 4 months ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF