detect: absent keyword to test absence of sticky buffer #11298
Ticket: 2224

It takes an argument to match only if the buffer is absent, or it can still match if the buffer is present, but we test the absence of some content
Codecov Report
Attention: Patch coverage is
Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11298      +/-   ##
==========================================
+ Coverage   82.45%   82.46%   +0.01%
==========================================
  Files         961      961
  Lines      251710   251866     +156
==========================================
+ Hits       207552   207708     +156
  Misses      44158    44158
ERROR: ERROR: QA failed on build_asan. Pipeline 21069
Information: QA ran without warnings. Pipeline 21072
------ | ||
|
||
The keyword ``absent`` checks that a sticky buffer does not exist. | ||
It can take an argument "only" to match only on absent buffer : |
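Review bot: on the line that introduces the "only" argument, the wording "can take" reads as if the argument were optional, so a reader will expect a bare absent; to be accepted as well. State explicitly whether the argument is required, and list every accepted value with what each one matches, since the first sentence only covers the case where the buffer does not exist. Also drop the space before the colon in "absent buffer :".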
What about http.referer; absent; sid:1; rev:1; ?
Tried that, but apparently a signature keyword must have either an argument or none, cannot be optional...
Clean in #11301
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2224
Describe changes:
absent keyword to match on absent buffer

SV_BRANCH=OISF/suricata-verify#1914

#11295 with more complete tests and fixes