Detect rule hook/v9 #12690
Draft
Detect rule hook/v9 #12690
+2,027
−838
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Several rules matched on both directions even if events are set in a single direction.
Example output:
"match_policy": {
"actions": [
"alert",
"drop"
],
"scope": "flow"
},
Instead of having a per detection engine list of rule that couldn't be
prefiltered, put those into special "prefilter" engines.
For packet and frame rules this doesn't change much, it just removes
some hard coded logic from the detect engine.
For the packet non-prefilter rules in the "non-prefilter" special prefilter
engine, add additional filtering for the packet variant. It can prefilter on
alproto, dsize and dest port.
The frame non-prefilter rules are added to a single engine, that per
rule checks the alproto and the type.
For app-layer, there is an engine per progress value, per app-layer
protocol and per direction. This hooks app-layer non-prefilter rules
into the app inspect logic at the correct "progress" hook.
e.g. a rule like
dns.query; bsize:1;
Negated MPM rules will also fall into this category:
dns.query; content:!"abc";
Are part of a special "generic list" app engine for dns, at the
same progress hook as `dns.query`.
This all results in a lot fewer checks:
previous:
--------------------------------------------------------------------------
Date: 1/29/2025 -- 10:22:25. Sorted by: number of checks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 20 1 0 181919672 11.85 588808 221 60454 308.96 2691.46 308.07
2 50 1 0 223455914 14.56 453104 418 61634 493.17 3902.59 490.02
3 60 1 0 185990683 12.12 453104 418 60950 410.48 1795.40 409.20
4 51 1 0 192436011 12.54 427028 6084 61223 450.64 2749.12 417.42
5 61 1 0 180401533 11.75 427028 6084 61093 422.46 2177.04 397.10
6 70 1 0 153899099 10.03 369836 0 61282 416.13 0.00 416.13
7 71 1 0 123389405 8.04 369836 12833 44921 333.63 2430.23 258.27
8 41 1 0 63889876 4.16 155824 12568 39138 410.01 1981.97 272.10
9 40 1 0 64149724 4.18 155818 210 39792 411.70 4349.57 406.38
10 10 1 0 70848850 4.62 65558 0 39544 1080.70 0.00 1080.70
11 11 1 0 94743878 6.17 65558 32214 60547 1445.19 2616.14 313.92
this commit:
--------------------------------------------------------------------------
Date: 1/29/2025 -- 10:15:46. Sorted by: number of checks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 50 1 0 138776766 19.23 95920 418 167584 1446.80 3953.11 1435.83
2 60 1 0 97988084 13.58 95920 418 182817 1021.56 1953.63 1017.48
3 51 1 0 105318318 14.60 69838 6084 65649 1508.04 2873.38 1377.74
4 61 1 0 89571260 12.41 69838 6084 164632 1282.56 2208.41 1194.20
5 11 1 0 91132809 12.63 32779 32214 373569 2780.22 2785.58 2474.45
6 10 1 0 66095303 9.16 32779 0 56704 2016.39 0.00 2016.39
7 70 1 0 48107573 6.67 12928 0 42832 3721.19 0.00 3721.19
8 71 1 0 32308792 4.48 12928 12833 39565 2499.13 2510.05 1025.09
9 41 1 0 25546837 3.54 12886 12470 41479 1982.53 1980.84 2033.05
10 40 1 0 26069992 3.61 12886 210 38495 2023.13 4330.05 1984.91
11 20 1 0 639025 0.09 221 221 14750 2891.52 2891.52 0.00
To support hook based buffer names.
e.g. server hello done has no data
Per direction track progress to be able to have more fine grained control over where the detection engines and logging hooks in.
Generic:
<app_proto>:request_done and <app_proto>:response_done
Per protocol, it uses the registered progress (state) values. E.g.
tls:client_hello_done
A rule ruleset could be:
pass tls:client_hello_done any any -> any any (tls.sni; content:"www.google.com"; sid:21; alert;)
drop tls:client_hello_done any any -> any any (sid:22;)
The pass rule is evaluated when the client hello is parsed, and if it
doesn't match the drop rule will be evaluated.
Registers each generic lists as "<alproto>:<progress state>:generic"
(e.g. "tls:client_hello_done:generic").
Ticket: OISF#7485.
For registration of app-layer inspection, no longer use the 'needs' table from the script, but instead use the rule hook setting. Ticket: OISF#4783.
WIP packet: track hooks that this packet triggers hooks: set flow_start hook in packet detect: pack prefilter engine struct For future expansion of the fields. detect/prefilter: put pkt mask in struct In preparation for adding more pkt fields. WIP detect: implement pkt:flow_start hook SQUASH detect flow start hook
Firewall rules are like normal rule, with some key differences.
They are loaded separate, and first, from:
```yaml
firewall-rule-path: /etc/suricata/firewall/
firewall-rule-files:
- fw.rules
```
Differences with regular "threat detection" rules:
1. these rules are evaluated before threat detection rules
2. these rules are evaluated in the order as they appear in the rule file
3. currently only rules specifying an explicit hook at supported
a. as a consequence, no rules will be treated as (like) IP-only, PD-only or
DE-only
Preparation for explicit action scope parsing.
Mostly for QA purposes.
|
cc @njlavigne |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12690 +/- ##
==========================================
- Coverage 80.75% 80.72% -0.03%
==========================================
Files 934 936 +2
Lines 259594 260010 +416
==========================================
+ Hits 209634 209900 +266
- Misses 49960 50110 +150
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
ERROR: ERROR: QA failed on ASAN_TLPR1_cfg. Pipeline 24930 |
victorjulien
force-pushed
the
detect-rule-hook/v9
branch
from
e3837a8 to
95d5eaa
Compare
|
ERROR: ERROR: QA failed on ASAN_TLPR1_cfg. Pipeline 24933 |
|
ERROR: ERROR: QA failed on ASAN_TLPR1_cfg. Pipeline 24934 |
|
Information: QA ran without warnings. Pipeline 24935 |
tls.version isn't hooked to a specific state by default. Allow it to register at the rule hook.
|
Information: QA ran without warnings. Pipeline 24936 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SV_BRANCH=OISF/suricata-verify#2308
This is a start of the firewall specific ruleset as discussed in #12167:
It has a separate rule section for firewall rule files
Rules loaded in these files are different from regular ("threat detection") rules, in that:
The rules are currently quite restricted.
An example
Wrt implementation, this PR keeps both firewall and "threat detection" rules in a single list, where the firewall rules go first.
Some option questions:
the behavior of "pass" - this is currently unmodified, meaning that a "firewall pass" would also skip threat detection. This doesn't seem to be what we want, as we'd like to say "accepted by firewall rules, now eval against threat detection". Perhaps there should be different classes of "pass" or a new firewall only action like "accept", that accepts but then still evals the threat detection rules.
I suppose this would need to be fine grained enough to distinguish between "pass but do threat detect" and "pass and skip any further inspection". Like how in iptables you'd have ACCEPT for straight accepting, and NFQUEUE for "accept if suricata agrees".
default policy drop - this is kind of tricky, as we have the different hooks. A hook would be equivalent to a "chain" in iptables I think, so a default drop should be per hook? I'm not really seeing this yet, esp if there are quite a few hooks for a single protocol like http.
There is also still some weirdness around inspection order.
Firewall:
TD:
Per packet, we would first inspect 1 and 2 as these are firewall packet hook rules. Then we would inspect 33, as this is a threat detect packet rule. Then we would eval the firewall app-tx rules. (ignore for now that this would require midstream with the client hello in the first packet for this to happen for a single packet)
I think the per hook order of 1. firewall, 2. threat detect is correct, but not sure about the case I described here.
So some more thinking is needed, would love some thoughts.
Oh for testing I added
--firewall-rules-exclusive, which is like-Sbut loads a rulefile as a firewall rule.Engine analysis also tries to be helpful
{ "class": "firewall", "raw": "pass:packet tcp:flow_start any any -> any any (tcp.flags:!S; sid:10001;)", "id": 10001, "gid": 1, "rev": 0, "app_proto": "unknown", "requirements": [ "tcp_flags_init_deinit", "real_pkt" ], "match_policy": { "actions": [ "pass" ], "scope": "packet" }, "type": "pkt", "flags": [ "src_any", "dst_any", "sp_any", "dp_any", "noalert", "need_packet", "toserver", "toclient" ], "pkt_engines": [ { "name": "packet", "is_mpm": false } ], "frame_engines": [], "lists": { "packet": { "matches": [ { "name": "tcp.flags" } ] } } }(though I just realized it doesn't work with the exclusive commandline option yet)