Flow bytes pkts either support/v4 #11897
Conversation
Add an extension to keywords flow.bytes.. and flow.pkts.. to allow matching on bytes or pkts in either direction. The syntax for this operation would look like the following: flow.bytes_either:1000 flow.pkts_either:20 These are implemented as generic uint types and thus allow all basic ops in the syntax like greater than, less than, etc alongwith the exact match. Feature 5646
inashivb
requested review from
catenacyber
and removed request for
jufajardini and
victorjulien
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #11897 +/- ##
=======================================
Coverage 82.60% 82.61%
=======================================
Files 912 912
Lines 249342 249417 +75
=======================================
+ Hits 205968 206046 +78
+ Misses 43374 43371 -3
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 23041 |
| if (p->flow == NULL) { | ||
| return 0; | ||
| } | ||
| uint32_t nb = p->flow->tosrcpktcnt; |
There was a problem hiding this comment.
can avoid using nb and just use p->flow->tosrcpkt_cnt directly?
| if (p->flow == NULL) { | ||
| return 0; | ||
| } | ||
| uint64_t nb = p->flow->tosrcbytecnt; |
|
Still not entirely fan of the keyword itself, as I feel it is better to have it as an option somehow. But since the existing keywords map to eve, and adding the option there doesn't make sense, I don't know a better way right now. Or we'd have change eve to do something like: then keywords could be Hmmm... not a perfect match either. So, I remain undecided... |
Link to ticket: https://redmine.openinfosecfoundation.org/issues/5646
SV_BRANCH=OISF/suricata-verify#2082
Previous PR: #11889
Changes since v3: