dcerpc incomplete/v4 #9276

inashivb · 2023-07-21T13:56:04Z

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/5699

Previous PR: #9270

Changes since v3:

fix pre existing issue: error out on invalid header, use diff retvals (found by fuzzer post incomplete API changes)

Instead of own internal mechanism of buffering in case of fragmented data, use AppLayerResult::incomplete API to let the AppLayer Parser take care of it. This makes the memory use more efficient. Remove any unneeded variables and code with the introduction of this API. Ticket 5699

With the introduction of AppLayerResult::incomplete API, fragmented data is no longer handled fully in the dcerpc code making the tests about such data invalid. Ticket 5699

codecov · 2023-07-21T15:50:08Z

Codecov Report

Merging #9276 (2f73811) into master (9a33c53) will decrease coverage by 0.01%.
The diff coverage is 94.11%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #9276      +/-   ##
==========================================
- Coverage   82.42%   82.41%   -0.01%     
==========================================
  Files         968      968              
  Lines      273952   273714     -238     
==========================================
- Hits       225807   225594     -213     
+ Misses      48145    48120      -25

Flag	Coverage Δ
fuzzcorpus	`64.71% <94.11%> (+0.02%)`	⬆️
suricata-verify	`60.79% <82.35%> (-0.02%)`	⬇️
unittests	`62.90% <82.35%> (-0.04%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

suricata-qa · 2023-07-21T19:10:03Z

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.app_layer.flow.dcerpc_tcp	4188	43	1.03%
.app_layer.tx.dcerpc_tcp	5949	4165	70.01%
.app_layer.error.dcerpc_tcp.parser	6248	10393	166.34%

Pipeline 15350

rust/src/dcerpc/dcerpc.rs

catenacyber

I think tests need to be adapted instead of simply removed

inashivb · 2023-11-21T14:35:29Z

This one is blocked bc:

I need to make a minimal reproducer of the pcap that causes the massive stats deviations and,
confirm/deny whether this PR is correct
Will update once I have something working on that front.

catenacyber · 2023-12-21T20:21:05Z

Did you get a minimal pcap reproducer for stats deviation ?
Can I help somehow here ?

inashivb · 2023-12-22T05:04:37Z

Did you get a minimal pcap reproducer for stats deviation ?

No. I couldn't pull out the particular full dcerpc stream(s) that caused this. But, I haven't checked in a while now.

Can I help somehow here ?

Yes, if you could tell how to go about extracting such streams from very large pcaps?
The one I'm concerned with for the stats deviation in this PR is 190GB.

Please note this is what I had tried:
Filter out all the dcerpc traffic with tshark and run Suricata with midstream enabled on it. But, my extracted pkts were broken so I did something wrong. Victor said we shouldn't hack it and extract full streams. I was unable to figure out the correct filter for that at the time.

Challenges I had faced:

tshark tries to load entire pcap at once so memory was an issue at first
Saving the pkts extracted w filter requires more than just saving the extracted pkts

rust/src/dcerpc/dcerpc.rs

catenacyber · 2023-12-22T07:51:53Z

Can I help somehow here ?

Yes, if you could tell how to go about extracting such streams from very large pcaps? The one I'm concerned with for the stats deviation in this PR is 190GB.

Please note this is what I had tried: Filter out all the dcerpc traffic with tshark and run Suricata with midstream enabled on it. But, my extracted pkts were broken so I did something wrong. Victor said we shouldn't hack it and extract full streams. I was unable to figure out the correct filter for that at the time.

I agree with Victor.
Can you have some filter based on ports ?

I also added some comments inline.
The bytes_consumed field seems to need more changes

ct0br0 · 2024-01-09T21:33:23Z

Extracting a pcap with ports 135, 139 and 445 from TLPR1 is around 415MB and has 4140 .app_layer.error.dcerpc_tcp.parser but splitting by IP only has 13 from 192.168.0.1 which isn't what I'd expect. I will see if I can find anything that may help more.

inashivb · 2024-01-10T05:22:11Z

Extracting a pcap with ports 135, 139 and 445 from TLPR1 is around 415MB and has 4140 .app_layer.error.dcerpc_tcp.parser but splitting by IP only has 13 from 192.168.0.1 which isn't what I'd expect. I will see if I can find anything that may help more.

Thanks a lot! Actually, I'm also interested in the 415MB pcap that has 4k+ dcerpc errors.

suricata-qa · 2024-01-24T22:00:04Z

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.app_layer.flow.dcerpc_tcp	4188	43	1.03%
.app_layer.tx.dcerpc_tcp	5949	4165	70.01%
.app_layer.error.dcerpc_tcp.parser	6248	10393	166.34%

Pipeline 15350

catenacyber · 2024-04-03T14:37:44Z

Closing this PR as stale, let me know if I can help here Shivani

inashivb added 3 commits July 21, 2023 16:35

dcerpc: remove fragmented data tests

1c10dc5

With the introduction of AppLayerResult::incomplete API, fragmented data is no longer handled fully in the dcerpc code making the tests about such data invalid. Ticket 5699

dcerpc: return error on invalid header

2f73811

inashivb marked this pull request as ready for review July 21, 2023 16:18

inashivb requested a review from jasonish as a code owner July 21, 2023 16:18

jlucovsky reviewed Jul 23, 2023

View reviewed changes