This solution makes use of the petgraph crate to create a directed stable graph of flowbits and signatures. The following functions are exposed:

1. Nodes are created for flowbits as well as signatures per signature.
2. A weighted directed edge is added:
   - from flowbit to signature iff the flowbit used a READ cmd in that sig
   - from signature to flowbit iff the flowbit used a WRITE cmd in that sig

   The weight of the edge is the "on" bit corresponding to the flowbit cmd that is being evaluated.
3. The graph is then normalized, i.e. the flowbit nodes are removed and a clean directed edge is created, making a dependency graph among the signatures. This is done because flowbits are inconsequential in the final required solution. At this point, the weights of the edges going in and out of the flowbits are added (bitwise ORed).
4. The graph is checked for cycles. If a cycle is found, all the strongly connected components of the graph are retrieved and they are checked if the cycle caused in the graph is with edges that have the same weight. This only works if the cycle is between two nodes.
   STODO In case the cycle is formed by edges of different weights, the edge with higher weight is deleted.
   STODO is it the best solution? can we get to a situation where no other nodes are reachable?
   In a case where there's a legit cycle, i.e. same weights on edges, currently the ruleset is restored to the original.
   STODO Such cycles must result in an error as such dependencies cannot be satisfied during runtime anyway.
   If the graph did not have any cycles, this means that there is a Directed Acyclic Graph at this point and it is safe to move to the next step.
5. Finally, a BFS (Breadth First Search) is performed on the graph giving the exact order in which signatures should be such that no dependee comes before a dependant.

Bug 7771
Bug 7638
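The ordering described in the commit message, as an added example that is not the PR's code and does not use petgraph: a hypothetical `Sig` struct carries only `set` (write) and `isset` (read) flowbit commands, the flowbit nodes are collapsed straight into setter -> checker edges (steps 1-3 without the "on"-bit edge weights), and Kahn's BFS (step 5) produces the signature order or reports the signatures stuck on a cycle (the detection half of step 4; the weight-based edge deletion is not modelled).

```rust
use std::collections::{BTreeMap, BTreeSet, VecDeque};

/// Constructed subset of Suricata's flowbit commands: `set` writes a bit, `isset` reads it.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum FlowbitCmd { Set, Isset }

/// A signature reduced to its id and the flowbit commands it carries (hypothetical struct).
#[derive(Clone, Debug)]
pub struct Sig { pub sid: u32, pub flowbits: Vec<(FlowbitCmd, &'static str)> }

/// Steps 1-3 collapsed: emit the normalized sig -> sig edges without materializing flowbit nodes.
/// An edge (w, r) means "w sets a flowbit that r checks", so w must be ordered before r.
pub fn dependency_edges(sigs: &[Sig]) -> BTreeSet<(u32, u32)> {
    let mut writers: BTreeMap<&str, Vec<u32>> = BTreeMap::new();
    let mut readers: BTreeMap<&str, Vec<u32>> = BTreeMap::new();
    for s in sigs {
        for (cmd, name) in &s.flowbits {
            match cmd {
                FlowbitCmd::Set => writers.entry(*name).or_default().push(s.sid),
                FlowbitCmd::Isset => readers.entry(*name).or_default().push(s.sid),
            }
        }
    }
    let mut edges = BTreeSet::new();
    for (name, ws) in &writers {
        for r in readers.get(name).into_iter().flatten() {
            for w in ws {
                if w != r { edges.insert((*w, *r)); } // a sig reading its own bit is not a dependency
            }
        }
    }
    edges
}

/// Steps 4-5: Kahn's BFS over in-degree-zero signatures yields an order in which every setter
/// precedes its checkers. Signatures left with in-degree > 0 sit on or behind a cycle: Err(them).
pub fn order_signatures(sigs: &[Sig]) -> Result<Vec<u32>, Vec<u32>> {
    let mut indeg: BTreeMap<u32, usize> = sigs.iter().map(|s| (s.sid, 0)).collect();
    let mut out: BTreeMap<u32, Vec<u32>> = BTreeMap::new();
    for (w, r) in dependency_edges(sigs) {
        *indeg.get_mut(&r).unwrap() += 1;
        out.entry(w).or_default().push(r);
    }
    // Seed the queue in ruleset order so independent signatures keep their original position.
    let mut queue: VecDeque<u32> = sigs.iter().filter(|s| indeg[&s.sid] == 0).map(|s| s.sid).collect();
    let mut order = Vec::with_capacity(sigs.len());
    while let Some(sid) = queue.pop_front() {
        order.push(sid);
        for r in out.get(&sid).into_iter().flatten() {
            let d = indeg.get_mut(r).unwrap();
            *d -= 1;
            if *d == 0 { queue.push_back(*r); }
        }
    }
    if order.len() == sigs.len() { Ok(order) } else {
        Err(indeg.into_iter().filter(|&(_, d)| d > 0).map(|(s, _)| s).collect())
    }
}
```

A two-signature `set`/`isset` cycle (each sets the bit the other checks) comes back as `Err`, which is the case the commit message says must become a load error rather than a silent restore of the original ruleset.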
before adding them to the Detection Context's signature list. The de_ctx->sig_list serves as a sorted signature list that is later passed on to the grouping fns. If no property of higher value changes the order of the signatures, the order coming from de_ctx->sig_list is final. Add the appropriate calls to resolve flowbit dependencies before adding them to the sig_list. This is especially important for flowbits with complex ordering involved.

Bug 7771
Bug 7638
Codecov Report

❌ Patch coverage is

Additional details and impacted files

Coverage Diff

| | main | #14909 | +/- |
|---|---|---|---|
| Coverage | 81.93% | 81.93% | -0.01% |
| Files | 986 | 987 | +1 |
| Lines | 271105 | 271425 | +320 |
| Branches | 31005 | 31038 | +33 |
| Hits | 222139 | 222401 | +262 |
| Misses | 46822 | 46880 | +58 |
| Partials | 2144 | 2144 | |
Information: QA ran without warnings. Pipeline = 29906

Information: QA ran without warnings. Pipeline = 29924
Previous PR: #13773
Changes since v6:
Known TODOs:
Link to tickets:
SV_BRANCH=OISF/suricata-verify#2936