Skip to content

Detect generic uint 4112 v1#7117

Closed
catenacyber wants to merge 11 commits intoOISF:masterfrom
catenacyber:detect-generic-uint-4112-v1
Closed

Detect generic uint 4112 v1#7117
catenacyber wants to merge 11 commits intoOISF:masterfrom
catenacyber:detect-generic-uint-4112-v1

Conversation

@catenacyber
Copy link
Contributor

@catenacyber catenacyber commented Mar 6, 2022

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4112

Describe changes:

  • Makes use of generic DetectUint structure for dsize and dcerpc

Still TODO:

  • remove the C version to use only rust version
  • more keywords in C use specific versions

catenacyber added 11 commits March 4, 2022 11:00
@catenacyber
detect: generic function for u16
9f13439 
as is done for u8 and u32
@catenacyber
detect: adds generic DETECT_UINT_NE
71b6942 
Ie inequality test for integer

Also adds prefilter functions for u16
@catenacyber
detect: use generic functions for dsize
fe80a5e
@catenacyber
detect: better validation for generic int
577aeb0 
In case of greater/lesser or equal
@catenacyber
detect: fix unit tests for dsize
06eef95 
Despite what the comment said 1<>2 is not a valid range
as it is empty and cannot have any match.

Maybe we should even consider 1<>3 an invalid range as it
should rather be written as =2
@catenacyber
detect: move generic int detect function
a424e6c 
from http2 to a generic file
so that it can be reused by dcerpc and others
@catenacyber
detect: generic rust function detect_match for integers
dc67ef5
@catenacyber
detect: use generic instead of DETECT_DCE_IFACE_OP_LT
02ed457
@catenacyber
detect: rust generic integer not equal
eb07d89 
aka DetectUintModeNe
@catenacyber
detect: fix unit tests for http2 and dcerpc
73639fb
@catenacyber
detect: verify integer validity
2c0046e 
ie <0 is impossible
@catenacyber catenacyber requested review from a team, jasonish and victorjulien as code owners March 6, 2022 12:54
catenacyber
catenacyber commented Mar 6, 2022
View reviewed changes
rust/src/detect.rs
}

#[derive(Debug)]
pub struct DetectU32Data {
Copy link
Contributor Author

@catenacyber catenacyber Mar 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jasonish how do you recommend doing this ?
We will need the same structure and code for u8, u16, u32 and u64

Copy link
Member

@jasonish jasonish Mar 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess one could use an enum?

enum UintValue {
    U8(u8),
    U16(u6),
    U32(u32),
}

struct DetectUintData {
    pub val: UintValue,
    pub valrange: UintValue,
}

it will at least reduce non-common code that is only size specific.

Copy link
Contributor Author

@catenacyber catenacyber Mar 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this, val could be u8 and valrange u16 ...
I will look into it a bit more, see how other crates handled it...

Copy link
Contributor Author

@catenacyber catenacyber Mar 10, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that num-integer (used by suricata) uses macros for such as case cf https://github.com/rust-num/num-integer/blob/master/src/roots.rs#L165

@jasonish is not there a derive thing like suricata_derive::AppLayerEvent ?

Or maybe use crate https://docs.rs/num/0.4.0/num/integer/trait.Integer.html ?

Copy link
Member

@jasonish jasonish Mar 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that num-integer (used by suricata) uses macros for such as case cf https://github.com/rust-num/num-integer/blob/master/src/roots.rs#L165

@jasonish is not there a derive thing like suricata_derive::AppLayerEvent ?

No, we'd have to write that.

Or maybe use crate https://docs.rs/num/0.4.0/num/integer/trait.Integer.html ?

If these fit your needs, then I think they are good to use. We already have them in our deps. I don't think I've used them myself though.

Copy link
Contributor Author

@catenacyber catenacyber Mar 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Managing something with rust generics... let's talk in next version of PR ;-)

@catenacyber catenacyber marked this pull request as draft March 6, 2022 12:56
@catenacyber catenacyber mentioned this pull request Mar 6, 2022
Closed
@catenacyber
Copy link
Contributor Author

catenacyber commented Mar 6, 2022

cc @inashivb as well.
Replaced by #7121

@catenacyber catenacyber closed this Mar 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@victorjulien victorjulien Awaiting requested review from victorjulien

@jasonish jasonish Awaiting requested review from jasonish

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@catenacyber @jasonish