suricata

Commit Graph

Author	SHA1	Message	Date
Victor Julien	3a7d09edfc	detect/frame: get data using stream callback Inspect only data that has already been consumed by the app-layer parser. This allows for simpler progress tracking.	3 years ago
Victor Julien	60bfade351	eve: implement frame logging This is mostly to assist development and QA. It produces too much data for practical use.	3 years ago
Victor Julien	1556e86c7d	app/frames: initial support The idea of stream frames is that the applayer parsers can tag PDUs and other arbitrary frames in the stream while parsing. These frames can then be inspected from the rule language. This will allow rules that are more precise and less costly. The frames are stored per direction in the `AppLayerParserState` and will only be initialized when actual frames are in use. The per direction storage has a fixed size static portion and dynamic support for a larger number. This is done for effeciency. When the Stream Buffer slides, frames are updated as they use offsets relative to the stream. A negative offset is used for frames that started before the current window. Frames have events to inspect/log parser errors that don't fit the TX model. Frame id starts at 1. So implementations can keep track of frame ids where 0 is not set. Frames affect TCP window sliding. The frames keep a "left edge" which signifies how much data to keep for frames that are still in progress.	3 years ago

Author

SHA1

Message

Date

Victor Julien

3a7d09edfc

detect/frame: get data using stream callback

Inspect only data that has already been consumed by the
app-layer parser. This allows for simpler progress tracking.

Victor Julien

60bfade351

eve: implement frame logging

This is mostly to assist development and QA. It produces too much data
for practical use.

Victor Julien

1556e86c7d

app/frames: initial support

The idea of stream frames is that the applayer parsers can tag PDUs and
other arbitrary frames in the stream while parsing. These frames can then
be inspected from the rule language. This will allow rules that are more
precise and less costly.

The frames are stored per direction in the `AppLayerParserState` and will only
be initialized when actual frames are in use. The per direction storage has a
fixed size static portion and dynamic support for a larger number. This is done
for effeciency.

When the Stream Buffer slides, frames are updated as they use offsets relative
to the stream. A negative offset is used for frames that started before the
current window.

Frames have events to inspect/log parser errors that don't fit the TX model.

Frame id starts at 1. So implementations can keep track of frame ids where 0
is not set.

Frames affect TCP window sliding. The frames keep a "left edge" which
signifies how much data to keep for frames that are still in progress.

3 Commits (73ed780095deff40dd625412ac706337be54dc88)