detect: absent keyword to test absence of sticky buffer #11298

catenacyber
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2224

Describe changes:

  • detect: adds absent keyword to match on absent buffer

SV_BRANCH=OISF/suricata-verify#1914

#11295 with more complete tests and fixes

Ticket: 2224

It takes an argument to match only if the buffer is absent,
or it can still match if the buffer is present, but we test
the absence of some content
catenacyber marked this pull request as draft June 12, 2024 13:22

codecov bot commented Jun 12, 2024

Codecov Report

Attention: Patch coverage is 87.50000% with 21 lines in your changes missing coverage. Please review.

Project coverage is 82.46%. Comparing base (f0dbfe8) to head (c5dd189).

@@            Coverage Diff             @@
##           master   #11298      +/-   ##
==========================================
+ Coverage   82.45%   82.46%   +0.01%     
==========================================
  Files         961      961              
  Lines      251710   251866     +156     
==========================================
+ Hits       207552   207708     +156     
  Misses      44158    44158              
Flag Coverage Δ
fuzzcorpus 60.29% <45.45%> (-0.02%) ⬇️
livemode 18.68% <16.66%> (-0.01%) ⬇️
pcap 43.77% <38.63%> (-0.02%) ⬇️
suricata-verify 61.20% <75.00%> (+0.01%) ⬆️
unittests 59.96% <72.02%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa

ERROR:

ERROR: QA failed on build_asan.

Pipeline 21069

@suricata-qa

Information: QA ran without warnings.

Pipeline 21072

------

The keyword ``absent`` checks that a sticky buffer does not exist.
It can take an argument "only" to match only on absent buffer :
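
Review bot: the second line says the keyword "can take" the argument "only" but never states what ``absent`` matches when the argument is omitted, so a rule writer cannot tell the two forms apart from this text; add a sentence for the no-argument case. In the same line, "on absent buffer :" should read "on an absent buffer:" (missing article, stray space before the colon).
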
Member

What about `http.referer; absent; sid:1; rev:1;`?

Contributor Author

Tried that, but apparently a signature keyword must have either an argument or none, cannot be optional...

@catenacyber
Contributor Author

Clean in #11301
