detect/filestore: fix options handling and impact #12312
Conversation
|
In the commit, use so our tracking can work (and the leaderboard counts them) |
|
Information: QA ran without warnings. Pipeline 24034 |
|
SV_REPO=OISF/suricata-verify#2202 Should be using |
The filestore keyword had an influence on the signature matching when it should not. For example, if Suricata is analysing a traffic with a GET http request to uri /example and have the 2 following signatures loaded: alert http any any -> any any (msg:"ex"; http.uri; content:"/example"; sid:1; rev:1;) alert http any any -> any any (msg:"ex"; http.uri; content:"/example"; filestore; sid:2; rev:1;) then the first signature will match and the second one will not. Also the options of filestore were not honored correctly. A signature like: alert http any any -> any any (msg:"ex"; http.uri; content:"/example"; filestore:to_client,tx; sid:2; rev:1;) was not storing the file in the answer to the request. This patch updates the logic in filestore keyword handling to fix the problems. The patch first makes sure that a signature with filestore will hit even if there is no file in the current application layer context. Then the patch makes sure that postmatch handles the different options correctly. As filestore keyword is not anymore preventing a match, we need to update some unit tests that were using this "feature". Ticket: 7356 Ticket: 7357
regit
force-pushed
the
7357-filestore-keyword-v3.0
branch
from
162dafb to
e1a4441
Compare
Done, thanks for the check. |
|
Information: QA ran without warnings. Pipeline 24041 |
|
@victorjulien any update on this MR ? |
|
I think we need to discuss the functionality/expected behavior before the implementation : see https://redmine.openinfosecfoundation.org/issues/7356#note-4
As you said (in redmine), this is because there is no files in the to_server direction
I do not find such documentation. I understand the need is to store the file answered by the server if the request matches some URI... As tried in Ticket 7357 And bidirectional signatures should also be a cleaner way to support it in 8 cf #12405 |
| @@ -5809,12 +5809,12 @@ libhtp:\n\ | |||
| /* do detect */ | |||
| SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); | |||
|
|
|||
| FAIL_IF((PacketAlertCheck(p1, 1))); | |||
| FAIL_IF((PacketAlertCheck(p1, 2))); | |||
There was a problem hiding this comment.
What does this change mean ? Can there be a comment ?
| @@ -194,7 +194,22 @@ uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx | |||
| if (ffc == NULL) { | |||
| SCReturnInt(DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES); | |||
| } else if (ffc->head == NULL) { | |||
| SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH); | |||
There was a problem hiding this comment.
When do we get ffc != NULL && ffc->head == NULL ?
This still looks fishy to me as a signature with file.data that does not match today because of this SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH), will cause FP with this PR...
There was a problem hiding this comment.
Talking about fishy, I think it is a good catch ;) I'm going to add a suricata-verify test so we are sure this case is handled.
There was a problem hiding this comment.
Ok, but do you know, in plain English, when we have the cases :
ffc == NULL(protocol or direction not supporting files ?)ffc != NULL && ffc->head == NULLprotocol supporting files but tx does not have a file in this direction ? (that is what I expected but this seems a wrong expectation)
| det_ctx->filestore[det_ctx->filestore_cnt].tx_id = det_ctx->tx_id; | ||
| det_ctx->filestore_cnt++; | ||
| } | ||
| /* Other scopes than TX are going to be handled in post match without |
There was a problem hiding this comment.
But postmatch does not make signature fail to match, does it ?
I see (void)sigmatch_table[smd->type].Match(det_ctx, p, s, smd->ctx); return code ignored in DetectRunPostMatch
There was a problem hiding this comment.
Yes, before we were not going to postmatch as the filestore without file was the cases where ffc or ffc->head were null and as a result it was a NO_MATCH.
There was a problem hiding this comment.
I understand a bit more.
Why not handle FILESTORE_SCOPE_TX in postmatch as well ?
Is it not a problem if the signature matched so far but will not fully match in the end ?
| DEBUG_VALIDATE_BUG_ON(txd == NULL); | ||
| if (txd != NULL) { | ||
| if (toclient_dir) { | ||
| txd->file_flags |= FLOWFILE_STORE_TC; |
There was a problem hiding this comment.
I do not think we need to set AppLayerTxData file_flags here as we already set AppLayerStateData one, and in the end we use a logical or of both
I'm quoting the documentation here. First sentence of https://docs.suricata.io/en/latest/rules/file-keywords.html#filestore: Matched is past tense so signature is a full match. And Suricata is just going to take action on it.
The documentation specifies the scope of extraction is a parameter. What i'm just doing here is to implement it. Only "improvisation" is the usage of first sentence of the documentation (which is clear to me) to change behavior. |
| @@ -207,11 +235,33 @@ static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx, | |||
| { | |||
| SCEnter(); | |||
|
|
|||
| DEBUG_VALIDATE_BUG_ON(p->flow == NULL); | |||
|
|
|||
| if (det_ctx->filestore_cnt == 0) { | |||
There was a problem hiding this comment.
By the way, det_ctx->filestore_cnt looks fishy to me cf OISF/suricata-verify#1999
Its scope is one packet when a signature can take multiple packets to match...
Ok, I see, my English may not be so good. That means that |
At least what is sure is that your accent is better than mine ;)
Yes, I understand it like that too. |
|
Information: QA ran without warnings. Pipeline 24317 |
There was a problem hiding this comment.
Thanks for the work :-)
This requires a decision on the behavior of alert http any any -> any any (msg:"ex"; http.uri; content:"/example"; filestore; sid:2; rev:1;) matching for a GET and alert ip any any -> any any ( filestore; sid: 1;) matching on SSH packets
CI :
Code : some remarks
Commits segmentation : to check again when it is no longer a draft
Commit messages :
Git ID set : looks fine for me
CLA : you already contributed
Doc update :
Redmine ticket : I think we should merge the tickets into one...
Rustfmt : no rust
Tests : left some remarks there, should have more tests that we do not do FPs
Dependencies added: none
|
We have 3 scopes for filestore:
The basic problem is that "this file" only makes sense in the context of actually inspecting a file. A rule that works on the IP layer, doesn't match a file and it has no knowledge about files. Similarly, "this tx" only makes sense if the rule actually inspects a tx. This is similar to the tx metadata logging issue for non-tx rules. I think we should reject rules that try to specify a mismatching scope. That leaves only the Scopes: |
Victor, what is your conclusion here ? Not sure I understand what you try to say. |
|
My understand of Victor's comment is that
So yeah, we should set the right signature flags based on the scope... |
My point is we should outright fail to load the mismatches in scope. Lets make explicit which ones can be mixed, reject all other sigs. |
|
I think the signature |
It does have mismatched scopes, I think. There is no file inspection. There can be multiple files in a single http tx with multipart. |
|
Oh, I see, thanks :-) |
Update of #12176
The filestore keyword had an influence on the signature matching when it should not. For example, if Suricata is analysing a traffic with a GET http request to uri /example and have the 2 following signatures loaded:
alert http any any -> any any (msg:"ex"; http.uri; content:"/example"; sid:1; rev:1;) alert http any any -> any any (msg:"ex"; http.uri; content:"/example"; filestore; sid:2; rev:1;)
then the first signature will match and the second one will not.
Also the options of filestore were not honored correctly. A signature like:
alert http any any -> any any (msg:"ex"; http.uri; content:"/example"; filestore:to_client,tx; sid:2; rev:1;)
was not storing the file in the answer to the request.
This patch updates the logic in filestore keyword handling to fix the problems.
The patch first makes sure that a signature with filestore will hit even if there is no file in the current application layer context. Then the patch makes sure that postmatch handles the different options correctly.
As filestore keyword is not anymore preventing a match, we need to update some unit tests that were using this "feature".
Tickets: 7356 7357
Contribution style:
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
Our Contribution agreements:
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Changes (if applicable):
(including schema descriptions)
https://redmine.openinfosecfoundation.org/projects/suricata/issues
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7357
Describe changes:
SV_BRANCH=OISF/suricata-verify#2202