
Detect http trailers 8256 v10 #15735

Open
catenacyber wants to merge 3 commits into OISF:main from catenacyber:detect-http-trailers-8256-v10


@catenacyber catenacyber commented Jun 26, 2026

Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8256

Describe changes:

  • detect: http.headers works on trailers even if it is not fast_pattern

To do so:

  • adds a max_progress field to DetectEngineAppInspectionEngine
  • adds a DetectAppLayerInspectEngineRegisterMax function to register an app engine with a min_progress < max_progress

SV_BRANCH=OISF/suricata-verify#2894

#15624 with needed rebase

instead of a single progress.

Will help for keywords such as http.header which can act on
headers and trailers progress

Tx engines are inspected between min_progress and max_progress
So, we do not give up and say a signature does not match
when it will match on later max_progress

And we can match as early as possible, especially in IPS mode.
Function to register an app engine with two progresses
as it registers the app engine up to the trailers progress

Ticket: 8256
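
A simplified model of the min_progress/max_progress window described in the commit messages above, added here as an example; it is not code from this pull request or from Suricata. The progress states, struct names and functions are hypothetical, and the HTTP sample is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not Suricata code: every name below is hypothetical. */
enum progress { P_LINE, P_HEADERS, P_BODY, P_TRAILERS };
enum verdict { V_WAIT, V_MATCH, V_NO_MATCH };
struct tx { enum progress progress; const char *headers, *trailers; };
struct engine { enum progress min_progress, max_progress; const char *needle; };

static int has(const char *b, const char *n) { return b && strstr(b, n); }

/* One inspection pass over whatever the parser has produced so far. */
enum verdict inspect(const struct engine *e, const struct tx *tx)
{
    if (tx->progress < e->min_progress)
        return V_WAIT;                       /* too early to run */
    if (has(tx->headers, e->needle) || has(tx->trailers, e->needle))
        return V_MATCH;                      /* match as early as possible */
    /* No match yet: the miss is final only once max_progress is reached. */
    return tx->progress < e->max_progress ? V_WAIT : V_NO_MATCH;
}

/* Replay a transaction state by state; *decided_at is where the verdict became final. */
enum verdict replay(const struct engine *e, const char *headers,
                    const char *trailers, enum progress *decided_at)
{
    enum verdict v = V_WAIT;
    for (int p = P_LINE; p <= P_TRAILERS && v == V_WAIT; p++) {
        struct tx tx = { (enum progress)p, p >= P_HEADERS ? headers : NULL,
                         p >= P_TRAILERS ? trailers : NULL };
        v = inspect(e, &tx);
        *decided_at = (enum progress)p;
    }
    return v == V_WAIT ? V_NO_MATCH : v;
}

int main(void)
{
    /* Constructed sample: the pattern appears only in the trailer. */
    const char *hdr = "Host: example.test\r\n", *trl = "X-Evil: 1\r\n";
    struct engine single = { P_HEADERS, P_HEADERS, "X-Evil" };
    struct engine window = { P_HEADERS, P_TRAILERS, "X-Evil" };
    enum progress at;
    enum verdict v = replay(&single, hdr, trl, &at);
    printf("single: verdict=%d decided_at=%d\n", v, at);
    v = replay(&window, hdr, trl, &at);
    printf("window: verdict=%d decided_at=%d\n", v, at);
    return 0;
}
```

An engine with a single progress at the headers state gives up before the trailer is parsed, while one registered only at the trailers state would delay a headers match until the end of the transaction.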
@suricata-qa


Information:

ERROR: QA failed on SURI_TLPW2_single_alerts_cmp.

ERROR: QA failed on SURI_TLPW2_autofp_alerts_cmp.

ERROR: QA failed on SURI_TLPR1_alerts_cmp.

| field | baseline | test | % |
|---|---|---|---|
| SURI_TLPR1_stats_chk | | | |
| .app_layer.flow.ftp_data | 604 | 700 | 115.89% |
| .app_layer.error.ftp.parser | 17 | 0 | - |

Pipeline = 32265

@codecov

codecov Bot commented Jun 26, 2026


Codecov Report

❌ Patch coverage is 93.82716% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.94%. Comparing base (09f0851) to head (8093610).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #15735      +/-   ##
==========================================
- Coverage   82.96%   82.94%   -0.03%     
==========================================
  Files        1003     1003              
  Lines      275031   275062      +31     
==========================================
- Hits       228192   228161      -31     
- Misses      46839    46901      +62     
| Flag | Coverage Δ |
|---|---|
| fuzzcorpus | 61.47% <86.41%> (+<0.01%) ⬆️ |
| livemode | 18.36% <38.27%> (-0.02%) ⬇️ |
| netns | 22.71% <64.19%> (-0.04%) ⬇️ |
| pcap | 45.35% <64.19%> (-0.04%) ⬇️ |
| suricata-verify | 66.89% <86.41%> (-0.05%) ⬇️ |
| unittests | 58.45% <67.90%> (+<0.01%) ⬆️ |


@catenacyber catenacyber added the needs baseline update QA will need a new base line label Jun 26, 2026