detect: absent keyword to test absence of sticky buffer #11375
Conversation
Ticket: 2224. It takes an argument to match only if the buffer is absent, or it can still match if the buffer is present, but we test the absence of some content.
Information: QA ran without warnings. Pipeline 21274
```c
if (sm->type == DETECT_CONTENT) {
    const DetectContentData *cd = (DetectContentData *)sm->ctx;
    if (has_absent && (cd->flags & DETECT_CONTENT_NEGATED) == 0) {
        SCLogError("signature can't have a buffer both absent and with content");
```
I'm wondering if this limitation should be lifted. I could easily imagine people wanting to express something like
"if there is no user agent, or if it exists and is XYZ, then match"
It looks possible, but I had to put in some more changes so that the positive content does not get picked as fast_pattern...
The engine analysis output does not reflect the

```json
{
  "raw": "alert http1 any any -> any any (http.referer; absent; sid:1;)",
  "id": 1,
  "gid": 1,
  "rev": 0,
  "app_proto": "http",
  "requirements": [
    "flow"
  ],
  "type": "app_tx",
  "flags": [
    "src_any",
    "dst_any",
    "sp_any",
    "dp_any",
    "applayer",
    "toserver"
  ],
  "pkt_engines": [],
  "frame_engines": [],
  "engines": [
    {
      "name": "http_referer",
      "direction": "toserver",
      "is_mpm": false,
      "app_proto": "http",
      "progress": 2,
      "matches": [
        {
          "name": "absent"
        }
      ]
    }
  ],
  "lists": {}
}
{
  "raw": "alert http1 any any -> any any (http.referer; absent:or_else; content:!\"ABC\"; sid:3;)",
  "id": 3,
  "gid": 1,
  "rev": 0,
  "app_proto": "http",
  "requirements": [
    "flow"
  ],
  "type": "app_tx",
  "flags": [
    "src_any",
    "dst_any",
    "sp_any",
    "dp_any",
    "applayer",
    "negated_mpm",
    "toserver",
    "prefilter"
  ],
  "pkt_engines": [],
  "frame_engines": [],
  "engines": [
    {
      "name": "http_referer",
      "direction": "toserver",
      "is_mpm": true,
      "app_proto": "http",
      "progress": 2,
      "matches": [
        {
          "name": "absent"
        },
        {
          "name": "content",
          "content": {
            "pattern": "ABC",
            "length": 3,
            "nocase": false,
            "negated": true,
            "starts_with": false,
            "ends_with": false,
            "is_mpm": true,
            "no_double_inspect": false,
            "fast_pattern": false,
            "relative_next": false
          }
        }
      ]
    }
  ],
  "lists": {},
  "mpm": {
    "buffer": "http_referer",
    "pattern": "ABC",
    "length": 3,
    "nocase": false,
    "negated": true,
    "starts_with": false,
    "ends_with": false,
    "is_mpm": true,
    "no_double_inspect": false,
    "fast_pattern": false,
    "relative_next": false
  }
}
```
Plus an SV test for the engine analysis.
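To make the two forms of the keyword concrete, here is a small Python model of the matching semantics described in this PR (bare `absent;` versus `absent:or_else;` combined with content checks). This is an added illustration, not Suricata's detection code: the `BufferRule`/`Content` classes, the "absent"/"or_else" mode names and the HTTP transactions are all constructed here. sid 4 encodes the user-agent case raised in review, written as it would read once positive content is allowed alongside `absent`, which the thread says needed further changes, so treat that rule as an assumption about the final behaviour.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Content:
    """A `content:` keyword; negated=True models `content:!"..."`."""
    pattern: bytes
    negated: bool = False

    def matches(self, buf: bytes) -> bool:
        found = self.pattern in buf
        return not found if self.negated else found


@dataclass
class BufferRule:
    """One sticky buffer and the keywords applied to it (toy model).

    `absent` is None (keyword not used), "absent" (bare `absent;`) or
    "or_else" (`absent:or_else;`), mirroring the two forms in the PR.
    """
    sid: int
    buffer: str
    absent: Optional[str] = None
    contents: list = field(default_factory=list)

    def matches(self, tx: dict) -> bool:
        buf = tx.get(self.buffer)
        if buf is None:
            # Missing buffer: there is nothing to inspect, so content
            # keywords (negated or not) cannot match; only `absent` can.
            return self.absent is not None
        # Present buffer: bare `absent` requires it to be missing and fails;
        # `absent:or_else` falls through to the ordinary content checks.
        if self.absent == "absent":
            return False
        return all(c.matches(buf) for c in self.contents)


# Rules from the discussion above; sid 2 is the pre-existing negated-content
# rule for comparison, sid 4 is the reviewer's user-agent case (assumed form).
RULES = [
    BufferRule(1, "http.referer", absent="absent"),
    BufferRule(2, "http.referer", contents=[Content(b"ABC", negated=True)]),
    BufferRule(3, "http.referer", absent="or_else",
               contents=[Content(b"ABC", negated=True)]),
    BufferRule(4, "http.user_agent", absent="or_else",
               contents=[Content(b"XYZ")]),
]

# Constructed HTTP transactions keyed by sticky-buffer name; a missing key
# means the header was not present in the request at all.
TRANSACTIONS = {
    "no_referer": {"http.user_agent": b"curl/8.0"},
    "referer_abc": {"http.referer": b"http://ABC.example/",
                    "http.user_agent": b"XYZ"},
    "referer_other": {"http.referer": b"http://example.org/",
                      "http.user_agent": b"Mozilla/5.0"},
    "no_user_agent": {"http.referer": b"http://example.org/"},
}


def evaluate(rules=RULES, transactions=TRANSACTIONS):
    """Return {sid: [names of the transactions the rule alerts on]}."""
    return {r.sid: [name for name, tx in transactions.items() if r.matches(tx)]
            for r in rules}


if __name__ == "__main__":
    for sid, hits in evaluate().items():
        print(f"sid:{sid} -> {hits}")
```

The interesting rows are sid 2 versus sid 3: both carry `content:!"ABC"`, but only the `absent:or_else` rule alerts on the request with no Referer header at all, which is exactly the gap ticket 2224 describes.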
Does it make sense to allow this for each sticky buffer? I wonder, for example, if we can have HTTP w/o an http.method, so this rule may be nonsense:
I think it does make sense at first sight... Maybe it can be a later optimization... |
It does because there is
Adding it and the SV test |
Continued in #11423 |
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2224
Describe changes:
`absent` keyword to match on absent buffer
SV_BRANCH=OISF/suricata-verify#1942
#11301 with use of `SIGMATCH_OPTIONAL_OPT`