Optimization #7018
closedOptimization #7026: app-protos: trigger raw stream reassembly
dns/tcp: allow triggering raw stream reassembly
Description
As seen with #7004, DNS over TCP transactions might not be seen by the stream detection engine until a later stage, unless the app-proto triggers the raw parsing of the stream once it knows there's enough data to be parsed.
This could lead to whole transactions being overseen: they're marked as inspected by DetectRunTx, then AppLayerParserTransactionsCleanup frees them, and once it's time to stream rules to match, earlier transactions may not exist for the detection engine any longer, or exist as an id only, but not be retrievable for alert metadata logging.
This is especially true if for some reason we have a DNS rule that doesn't use any DNS keywords, as to the engine this is a payload/stream-only rule.
Updated by Juliana Fajardini Reichow 8 months ago
- Related to Bug #7004: app-layer: wrong tx may be logged for stream rules added
Updated by Juliana Fajardini Reichow 8 months ago
- Private changed from No to Yes
Updated by Juliana Fajardini Reichow 8 months ago
- Subject changed from dns: allow triggering raw stream reassembly to dns/tcp: allow triggering raw stream reassembly
- Description updated (diff)
Updated by Juliana Fajardini Reichow 8 months ago
- Tracker changed from Task to Bug
Updated by Juliana Fajardini Reichow 8 months ago
- Status changed from New to In Progress
Updated by Juliana Fajardini Reichow 8 months ago
- Status changed from In Progress to In Review
Updated by Juliana Fajardini Reichow 7 months ago
- Related to Documentation #7031: userguide: document SignatureProperties sigtype added
Updated by Juliana Fajardini Reichow 7 months ago
- Related to Bug #7000: pgsql: trigger raw stream reassembly added
Updated by Juliana Fajardini Reichow 7 months ago
- Tracker changed from Bug to Optimization
Changing Tracker as per discussion with Philippe and Jason. If I understood it correctly.
Updated by Juliana Fajardini Reichow 7 months ago
PR for review: https://github.com/OISF/suricata/pull/11265
Updated by Juliana Fajardini Reichow 7 months ago
- Status changed from In Review to Closed
Merged PR: https://github.com/OISF/suricata/pull/11271
Updated by Juliana Fajardini Reichow 7 months ago
- Status changed from Closed to Resolved
- Label Needs backport to 7.0 added
Updated by Juliana Fajardini Reichow 7 months ago
- Private changed from Yes to No
Updated by Philippe Antoine 17 days ago
Why is this closed but SV test task-7018-ids-dns-keywords does not pass ?
Updated by Juliana Fajardini Reichow 17 days ago
- Related to Bug #7449: app-layer metadata does not get logged for stream rules and unidirectional protocols added