detect-flowbits: add details for flowbits v8 #10026

Closed

hadiqaalamdar (Contributor)

Task #6309

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6309
Previous PR: #10018

Describe changes:

  • Added the recommended changes from the last PR.
  • Changed the is_or flag to bool. The operator string is working correctly for the or operator.
  • Rebased with Shivani's PR: Minor flowbit cleanup/v1 #10021

SV_BRANCH=OISF/suricata-verify#1532

inashivb and others added 3 commits December 9, 2023 12:58
DETECT_FLOWBITS_CMD_NOALERT is misleading, as it gives the impression that
noalert is a flowbit-specific command that'll be used and dealt with at
some point, but as soon as noalert is found in the rule lang, the signature
flag for noalert is set and control is returned. It never gets added to
cmd of the flowbits object.

codecov bot commented Dec 11, 2023

Codecov Report

Merging #10026 (e7b1810) into master (c82d934) will decrease coverage by 0.06%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master   #10026      +/-   ##
==========================================
- Coverage   82.47%   82.42%   -0.06%     
==========================================
  Files         970      970              
  Lines      271372   271403      +31     
==========================================
- Hits       223821   223702     -119     
- Misses      47551    47701     +150     
Flag             Coverage Δ
fuzzcorpus       64.37% <10.52%> (-0.22%) ⬇️
suricata-verify  61.32% <97.36%> (-0.01%) ⬇️
unittests        62.87% <10.52%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown.

jufajardini (Contributor) left a comment

Looking good to me, but the intermediary commit that still contains the NOALERT cmd type isn't necessary - as it leads to the CI check. Could you please squash the commits?
I'll leave to Shivani the part about how to handle the and cases, as she'll probably be able to give insight on that much faster.

inashivb (Member) left a comment

Nice work, Hadiqa! :)
Some minor comments inline. Looking good at first sight.

  1. Please squash commits as asked by Juliana.
  2. Leave and for now. It is ok. It's not a separate command like or anyway.
  3. Handle nits.

Make sure to submit clean PRs for both s-v and suricata. It'll make it easier for us to review. Thanks!


jb_open_object(js, "flowbits");
switch (cd->cmd) {
/* noalert has been removed and never gets to DumpMatches */
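Review bot: the comment above the switch says noalert "has been removed", but the commit message on this PR states that noalert never becomes a flowbits cmd in the first place (the signature flag is set and control returns before anything is added to cmd), so the comment misstates why no case exists here; reword it to say that noalert is handled as a signature flag and never reaches this switch, or drop it.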
Member:

We haven't like removed anything. It just wasn't supposed to be here so we can remove this comment, I think.

}
}
jb_close(js); // array
if (is_or == true) {
Member:

nit: this could just be if (is_or)

Contributor:

I totally didn't think of that D:

hadiqaalamdar (Contributor, Author)

New PR: #10044

3 participants