Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect/lua: don't treat a crashed script as no match - v3 #11045

Closed
wants to merge 3 commits into from
Closed

detect/lua: don't treat a crashed script as no match - v3 #11045

wants to merge 3 commits into from

Conversation

jasonish
Copy link
Member

@jasonish jasonish commented May 8, 2024
edited

If a rule script crashed, the return value was treated as a no
match. This would make a negation of the rule match and alert.

Instead cleanup and exit early if the rule script crashed and don't
run negation logic.

A stat, detect.lua_errors has been added to count how many times a
script crashes.

Also consolidates the running of the Lua script and return value
handling to a common function.

Bug: https://redmine.openinfosecfoundation.org/issues/6940

SV_BRANCH=OISF/suricata-verify#1826

@jasonish jasonish requested review from victorjulien and a team as code owners May 8, 2024 20:07
@jasonish
rust: temporary: disable debug assertions
13c0c8c
@jasonish
detect/lua: don't treat a crashed script as no match
5a89e71 
If a rule script crashed, the return value was treated as a no
match. This would make a negation of the rule match and alert.

Instead cleanup and exit early if the rule script crashed and don't
run negation logic.

A stat, detect.lua_errors has been added to count how many times a
script crashes.

Also consolidates the running of the Lua script and return value
handling to a common function.

Bug: OISF#6940
@jasonish
detect-lua: small cleanups
9e5339d 
- remove unused headers
- cleanup/rename flags
@codecov Codecov
Copy link

codecov bot commented May 8, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.66%. Comparing base (abb7424) to head (9e5339d).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #11045      +/-   ##
==========================================
+ Coverage   80.63%   80.66%   +0.02%     
==========================================
  Files         922      922              
  Lines      250137   250138       +1     
==========================================
+ Hits       201699   201767      +68     
+ Misses      48438    48371      -67
Flag Coverage Δ
fuzzcorpus 64.32% <100.00%> (+0.05%) ⬆️
livemode 18.55% <100.00%> (-0.01%) ⬇️
unittests 62.27% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information:

ERROR: QA failed on SURI_TLPW2_autofp_suri_time.

field baseline test %
SURI_TLPW2_autofp_stats_chk
.uptime 138 145 105.07%

Pipeline 20546

@suricata-qa
Copy link

Information:

ERROR: QA failed on SURI_TLPR1_suri_time.

field baseline test %
SURI_TLPR1_stats_chk
.uptime 645 687 106.51%

Pipeline 20547

jufajardini
jufajardini reviewed May 10, 2024
View reviewed changes
Copy link
Contributor

@jufajardini jufajardini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Such a nice clean up and reorg work <3

@victorjulien
Copy link
Member

Git message still talks about detect.lua_errors.

@victorjulien
Copy link
Member

Looks good otherwise.

catenacyber
catenacyber reviewed May 14, 2024
View reviewed changes
src/detect.h
@@ -1227,6 +1227,9 @@ typedef struct DetectEngineThreadCtx_ {
AppLayerDecoderEvents *decoder_events;
uint16_t events;

/** stats id for lua rule errors */
uint16_t lua_rule_errors;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is u16 enough ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the count id

side thought: we should probably use a dedicated type for it

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the count id

Thanks Victor :-)

@catenacyber
Copy link
Contributor

Why is CI so red ?

@jasonish jasonish mentioned this pull request May 15, 2024
Closed
@jasonish
Copy link
Member Author

Continued at #11083.

@jasonish jasonish closed this May 15, 2024
@jasonish jasonish deleted the lua-rule-errors/v3 branch May 29, 2024 15:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jufajardini jufajardini jufajardini left review comments

@catenacyber catenacyber catenacyber left review comments

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
5 participants
@jasonish @suricata-qa @victorjulien @catenacyber @jufajardini