Project

General

Profile

Actions

Optimization #7018

closed

Optimization #7026: app-protos: trigger raw stream reassembly

dns/tcp: allow triggering raw stream reassembly

Added by Juliana Fajardini Reichow 8 months ago. Updated 17 days ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

As seen with #7004, DNS over TCP transactions might not be seen by the stream detection engine until a later stage, unless the app-proto triggers the raw parsing of the stream once it knows there's enough data to be parsed.

This could lead to whole transactions being overseen: they're marked as inspected by DetectRunTx, then AppLayerParserTransactionsCleanup frees them, and once it's time to stream rules to match, earlier transactions may not exist for the detection engine any longer, or exist as an id only, but not be retrievable for alert metadata logging.

This is especially true if for some reason we have a DNS rule that doesn't use any DNS keywords, as to the engine this is a payload/stream-only rule.


Subtasks 1 (0 open1 closed)

Optimization #7075: dns/tcp: allow triggering raw stream reassembly (7.0.x backport)ClosedJuliana Fajardini ReichowActions

Related issues 4 (3 open1 closed)

Related to Suricata - Bug #7004: app-layer: wrong tx may be logged for stream rulesIn ProgressJuliana Fajardini ReichowActions
Related to Suricata - Documentation #7031: userguide: document SignatureProperties sigtypeIn ReviewJuliana Fajardini ReichowActions
Related to Suricata - Bug #7000: pgsql: trigger raw stream reassemblyClosedJuliana Fajardini ReichowActions
Related to Suricata - Bug #7449: app-layer metadata does not get logged for stream rules and unidirectional protocolsIn ReviewPhilippe AntoineActions
Actions

Also available in: Atom PDF