Skip to content

Flowbit ordering cyclic/v3#13747

Closed
inashivb wants to merge 4 commits into
OISF:masterfrom
inashivb:flowbit-ordering-cyclic/v3
Closed

Flowbit ordering cyclic/v3#13747
inashivb wants to merge 4 commits into
OISF:masterfrom
inashivb:flowbit-ordering-cyclic/v3

Conversation

@inashivb

@inashivb inashivb commented Aug 26, 2025
edited
Loading

Copy link
Copy Markdown
Member

Previous PR: #13740

Changes since v2:

Known TODOs:

  • a problem discovered with the current algorithm by the s-v test firewall-01-tcp-pkt-state-flowbits
    For a given READ command (isset, isnotset) and a given WRITE command (set, unset, toggle)
    current algorithm marks a combination of following signatures as cyclic -- which shall be rejected in the final rev of this work
flowbit:READ,A; flowbit:WRITE,B; sid:1;
flowbit:WRITE,A; flowbit:READ, B, sid:2;

However, there may exist such flowbit combinations that are not cyclic. From the test firewall-01-tcp-pkt-state-flowbits,

pass tcp any 443 -> any any (flags:SA; flow:not_established; flowbits:isset,syn; flowbits:set,synack; sid:2;)
pass tcp any any -> any 443 (flags:A; flow:not_established; flowbits:isset,synack; flowbits:unset,syn; flowbits:unset,synack; sid:3;)
  • final leg of the solution to sort sigwrapper list per the order received from rust
  • tests
  • fn docs
  • some code cleanups

Link to tickets:

@inashivb
flowbits: add a validation callback during setup
8b890db 
This should make it possible to catch invalid combinations in the same
signature early. This patch covers checking the following invalid cmd
combinations:
- set + isset
- unset + isnotset
- set + toggle
- set + unset
- isset + isnotset

the same flowbit in the same signature which is basically an unnecessary
operation.
This helps bring down the difficulty of handling of actual complex flowbit chains.

Bug 7772
Bug 7773
Bug 7774
Bug 7817
Bug 7818
@inashivb
rust: add new dependencies petgraph and itertools
0f7d8c9
@inashivb
[WIP] rust: add flowbit dependency resolver
62e6f92 
This solution makes use of the petgraph crate to create a graph of
flowbits and signatures. Following steps are involved.
1. Nodes are created for flowbits as well as signatures
2. A directed edge is added:
   from flowbit to signature iff the flowbit use TODO cmd in that sig
   from signature to flowbit iff the flowbit used TODO cmd in that sig
3. The graph is then normalized i.e. the flowbit nodes are removed and a
   clean directed edge is created connecting a dependency graph among
   the signatures. This is done because flowbits are inconsequential in
   the final required solution.
4. The graph is checked for any cycles. In a case like that, the ruleset
   must be rejected as it cannot be satisfied during runtime anyway.
5. Finally, a BFS (Breadth First Search) is performed on the graph
   giving the exact order in which signatures should be such that no
   dependee comes before a dependant.

Bug 7771
Bug 7638
@inashivb
[WIP] detect/sigorder: resolve flowbit dependencies
cd2602d 
before adding them to the Detection Context's signature list. The
de_ctx->sig_list serves as a sorted signature list that is later passed
on to the grouping fns. If no property of high value changes the order
of the signatures, the order coming from de_ctx->sig_list is final.

Add the appropriate calls to resolve flowbit dependencies before adding
them to the sig_list. This is especially important for flowbits with
complex ordering involved.

Bug 7771
Bug 7638
@suricata-qa

suricata-qa commented Aug 26, 2025

Copy link
Copy Markdown

Information: QA skipped due to tag. Set to force a run.

Pipeline = skip

@catenacyber

catenacyber commented Aug 26, 2025

Copy link
Copy Markdown
Contributor

This looks awesome, is there not a SV PR for this ? (I thought I saw one but it is not referenced here)

Why is it a draft ? Do you expect something before tackling the known TODO ?

@inashivb

inashivb commented Aug 27, 2025

Copy link
Copy Markdown
Member Author

This looks awesome, is there not a SV PR for this ? (I thought I saw one but it is not referenced here)

Why is it a draft ? Do you expect something before tackling the known TODO ?

Because a part of the solution is still missing. There is indeed an sv PR but w/o the final leg of solution that won't pass.

There is now an additional challenge though (1st point of known TODOs) which will make one or more existing s-v tests fail with the final leg of solution. I'll anyway send a PR with that final part of the solution.

@inashivb inashivb mentioned this pull request Aug 27, 2025
Closed
@inashivb inashivb closed this Aug 27, 2025
@inashivb inashivb deleted the flowbit-ordering-cyclic/v3 branch August 27, 2025 15:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

skip qa

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@inashivb @suricata-qa @catenacyber