next/635/20241112/v1 #12115
next/635/20241112/v1 #12115
Conversation
Remove hard-coded value for the memcap array and substitute compile-time value for array sizing. Issue: 845
Issue: 845 Maintain the memcap as an atomic counter so changes through the unix-socket interface can be supported.
This commit adds memcap/memuse handling to the unix-socket interface: - ftp - http-byterange - host New stats: - ippair: memuse, memcap - host: memuse, memcap - http-byterange: memuse, memcap
For library users and plugins that need to hook into the thread life cycle, perhaps to initialize some thread storage.
Provide a way for library/plugin users to register a callback that will be called prior to an EVE record being closed. The callback will be passed ThreadVars, Packet, and Flow pointers if available, as well as private user data.
Needed for changes to output-eve.h.
Allows initialization to be done early, so the table is ready for dynamic registration by plugins which are loaded before signature setup.
rust-bindings.h was not being installed with "make install-headers", and its now pulled in by a header used for plugin support, so make sure its installed. We first attempt to install the "dist" version if exists, otherwise install the "gen" one. Also install the "gen" even if the "dist" one exists, as its going to be newer.
Add documentation about the rule types introduced by 2696fda. Add doc tags around code definitions that are referenced in the docs. Task #https://redmine.openinfosecfoundation.org/issues/7031
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12115 +/- ##
==========================================
+ Coverage 83.23% 83.26% +0.02%
==========================================
Files 906 909 +3
Lines 257647 257883 +236
==========================================
+ Hits 214458 214724 +266
+ Misses 43189 43159 -30
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Thanks. Waiting for CI and QAlab results. |
|
Information: ERROR: QA failed on SURI_TLPR1_alerts_cmp.
Pipeline 23310 |
May I also request a re-review of the signature types table, before merge? Columns |
|
|
||
| .. container:: example-rule | ||
|
|
||
| alert :example-rule-emphasis:`http` any any -> any any (msg:"http, no content"; sid:601;) |
There was a problem hiding this comment.
this described pre-7 behavior I think, in 7+ this is pkt, see https://github.com/OISF/suricata-verify/pull/2066/files#diff-d0226a73eb0338d3e349b8142fcc97004510153ca21168e6d911bd8b2e48f6faR14
There was a problem hiding this comment.
Then I run a test just like that, it still renders as 'app_layer to me'. Only if we add flow:established do I see the change in behavior.
There was a problem hiding this comment.
But I think this should be mentioned in the docs.
There was a problem hiding this comment.
Yes, I just noticed the same:
["pkt","pass tls any any -> any 443 (flow:established; sid:5;)"]
["pkt","pass tcp any any -> any 443 (flow:established; app-layer-protocol:tls; sid:6;)"]
["app_layer","alert http any any -> any any (sid:1;)"]
["app_layer","alert http any any -> any any (sid:2; threshold:type limit, track by_src, count 1, seconds 60;)"]
["pd_only","alert tcp any any -> any any (sid:3; app-layer-protocol:http;)"]
["pd_only","alert tcp any any -> any any (sid:4; app-layer-protocol:http; threshold:type limit, track by_src, count 1, seconds 60;)"]There was a problem hiding this comment.
I think we should add such examples to the rule-types set of SV tests, and have a v8 for the docs with a note about this.
There was a problem hiding this comment.
Reminder: also document the app-layer-protocol and app-layer in the proto field difference.
|
2025200 is the only open rule I see with |
|
Doc PR needs another revision. |
Staging: