Project

General

Profile

Actions

Task #7061

open

content-inspect: expand accepted range of depth/offset/distance & related

Added by Jeff Lucovsky 5 months ago. Updated 4 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Refactor and cleanup
- Offset
- Depth
- Distance
and similar values throughout the keywords/transforms that support them.

65535 is a bounding value for many offset/depth usages but in other places, a signed 32 bit value is used.

The values supported should be examined for
- Consistency throughout the Suricata keyword set
- Relevance to the data blocks that they are applied to

We should be careful to document all changes
- Changes that result in more restrictive value ranges should be carefully considered and ample warning provided if existing usages won't be accepted
- Changes that relax value ranges should be called out in upgrade and documention.

Actions #1

Updated by Victor Julien 5 months ago

  • Subject changed from Consistency: Refactor/cleanup depth/offset/distance to content-inspect: refactor/cleanup depth/offset/distance
Actions #2

Updated by Victor Julien 5 months ago

  • Subject changed from content-inspect: refactor/cleanup depth/offset/distance to content-inspect: expand accepted range of depth/offset/distance & related

These keywords were originally designed towards inspecting IP packets, hence the 16 bit limits in many places. However nowadays we inspect many larger buffers like stream data, HTTP body data, etc. So we should be able to express this.

Actions #3

Updated by Victor Julien 4 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 8.0.0-beta1
Actions

Also available in: Atom PDF