Detect bidir 5665 v13 #11323
Detect bidir 5665 v13 #11323
Conversation
Ticket: 5665 This is done with `alert ip any any => any any` The => operator means that we will need both directions
By using keywords bidir.toclient and bidir.toserver, the following keywords are forced to the direction even if they can match on both directions. Ticket: 5665
Do not require a rule to use bidir.toserver after the usage of bidir.toclient for unambiguous keywords, where the rule writer does not want to explicit the redundant direction.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #11323 +/- ##
========================================
Coverage 82.48% 82.49%
========================================
Files 934 934
Lines 252239 252386 +147
========================================
+ Hits 208070 208208 +138
- Misses 44169 44178 +9
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 21126 |
|
Comment w/o having reviewed yet: I think we should be extremely restrictive in our parsing. Just accept only the explicitly accepted combinations, and block anything else. Then we can slowly expand support. |
What I tried, but apparently failed, to do for frames. |
:-p I have been doing that since the first version see detect-bidir-impossible SV test with its signatures Let me know if I missed some |
| @@ -252,6 +257,25 @@ as the direction specifies that we do not want to evaluate the response packet. | |||
|
|
|||
| There is no 'reverse' style direction, i.e. there is no ``<-``. | |||
|
|
|||
| Here is an example of a bidirectional rule: | |||
There was a problem hiding this comment.
This is very confusing to me. bidirectional and both dir seem to be interchangeably used throughout the code.
The pre-existing <> operator uses flags like SIG_FLAG_INIT_BIDIREC.. I'm unable to decipher the difference. Could you please explain?
There was a problem hiding this comment.
The existing <> is just duplicating the signature in both directions specified by the header
alert tcp 1.2.3.4 any <> 5.6.7.8 80 (sid: 1; etc...)
becomes
alert tcp 1.2.3.4 any -> 5.6.7.8 80 (sid: 1; etc...)
alert tcp 5.6.7.8 80 -> 1.2.3.4 any (sid: 1; etc...)
I do not know the use case for it...
This PR with => allows to match on both sides of a transaction like
alert http any any => any any (msg:"matching both uri and status"; sid: 1; http.uri; content: "/download"; http.stat_code; content: "200";)
matching the URI from the client, and the status from the server
Let me know if you have a better wording...
There was a problem hiding this comment.
Thank you very much!
After reading up what bidirectional means, I think it makes more sense for the <> operator as we use the same rule in both the directions.
Suggestions for your work:
- transaction scoped rule (flags and varnames could be like
*tx_scope*) - full transaction match rule (flags and varnames could be like
*full_tx_match*) - transaction span rule (flags and varnames could be like
*tx_span*)
Interested in hearing your and others' thoughts.
Also, we should make sure that if we make changes, the <> varnames and flags are all named alike as should be the new ones, I think.
There was a problem hiding this comment.
Thanks Shivani for the proposals.
I think it is still good to use somehow the word direction to indicate that these rules do not have a direction like others...
|
@jufajardini could you please review the documentation ? |
Do we see more bidirectional keywords coming? If yes, maybe we could have a separate section, like we have for Flow, Meta keywords, etc. If not, then maybe a subsection of the I think that to help illustrate the difference between |
| directionality for adresses and ports is used, | ||
| but such a rule can match a bidirectional transaction, using keywords | ||
| matching in each direction. | ||
| However, it is also possible to have a rule match both directions (``<>``):: |
There was a problem hiding this comment.
Considering Shivani's comments, Philippe's answers, and just this last sentence that we have in our docs, I'm thinking that maybe changing this to:
| However, it is also possible to have a rule match both directions (``<>``):: | |
| However, it is also possible to have a rule match either directions (``<>``):: |
There was a problem hiding this comment.
I'm wondering if maybe we can't come up with a different name for this new feature, as maybe bidirectional is already too known for the interchangeability of source and destination? Or would this be too disruptive for us?
There was a problem hiding this comment.
If you find a good name, let me know ;-)
doc/userguide/rules/intro.rst
Outdated
| Bidirectional rules have some limitations : | ||
| - They are only meant to work on transactions with first a request to the server, | ||
| and then a response to the client, and not the other way around. | ||
| - They cannot have ``fast_pattern`` or ``prefilter`` on a keyword which is on | ||
| the direction to client. | ||
| - They will not work with ambiguous keywords, which work for both directions. | ||
| - They will refuse to load if a single directional rule is enough. | ||
|
|
There was a problem hiding this comment.
Maybe this could become a note, or a subsection, as it's something specific to bidirectional rules?
| @@ -278,8 +278,9 @@ Bidirectional rules can use direction-abmibuous keywords, by first using | |||
| Bidirectional rules have some limitations : | |||
| - They are only meant to work on transactions with first a request to the server, | |||
| and then a response to the client, and not the other way around. | |||
| - They cannot have ``fast_pattern`` or ``prefilter`` on a keyword which is on | |||
| the direction to client. | |||
| - They cann have ``fast_pattern`` or ``prefilter`` on a keyword which is on | |||
| It is also possible to have a double arrow (``=>``) which means that the | ||
| directionality for adresses and ports is used, | ||
| but such a rule can match a bidirectional transaction, using keywords | ||
| matching in each direction. |
There was a problem hiding this comment.
suggestion of alternative text: "There is also the double arrow (=>), which respects the directionality as ->, but allows matching on bidirectional transactions, used with keywords matching each direction."
Question: would it be possible to say that using => has a similar effect as having two rules (one for each side of the bidir transaction) and setting flowbits to only have an alert in case both match?
There was a problem hiding this comment.
would it be possible to say that using => has a similar effect as having two rules (one for each side of the bidir transaction) and setting flowbits to only have an alert in case both match?
It is the goal indeed cf tests/detect-bidir-flowbits/ in OISF/suricata-verify#1922
The goal is to be better as these are txbits, not flowbits ;-)
| - They are only meant to work on transactions with first a request to the server, | ||
| and then a response to the client, and not the other way around. | ||
| - They cann have ``fast_pattern`` or ``prefilter`` on a keyword which is on | ||
| the direction to client only if they do not have any have streaming buffers |
There was a problem hiding this comment.
| the direction to client only if they do not have any have streaming buffers | |
| the direction to client only if they do not have any streaming buffers |
There was a problem hiding this comment.
if they do have ;-)
I do not see anymore coming.
Adding something |
|
Thanks for the tips, continued in #11497 |
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5665
Describe changes:
SV_BRANCH=OISF/suricata-verify#1922
Draft again because of second commit
General feedback expected :-)
TODO :
bidir.toclient?#11293 rebased with some new test in SV