transform/subslice: Add subslice transform #14643
Issue: 7672
The subslice transform creates a slice of the input buffer.
Specify the subslice desired -- nbytes and truncate are optional:
subslice: offset <,nbytes> <,truncate>
offset: Specifies the starting offset for the new subslice. When
negative, expresses how far from the end of the input buffer to begin.
When nbytes is *not* specified, start must be > 0.
nbytes: Specifies the size of the subslice. When negative, specifies the
byte count preceding the offset to include. Nbytes must be > 0.
When nbytes is not specified, the size of the subslice will be the size
of the input buffer - offset.
truncate: Specify behavior when offset + nbytes exceeds buffer length.
When present, trims nbytes such that offset + nbytes equals buffer
length. When not present, an empty buffer is produced.
Examples:
subslice: 1; - The subslice will be a copy of the input
buffer but omits the input buffer's first byte
"This is Suricata" -> "his is Suricata"
subslice: 0, 13; - The slice is created from the first 13 bytes
of the input buffer
"This is Suricata" -> "This is Suric"
subslice: 10, -5; - The subslice is created starting at offset 10
and continues to 5 bytes before the end of the input buffer
"This is Suricata" -> "r"
subslice: -3; - The subslice will be the last 3 bytes of the
input buffer.
"This is Suricata" -> "ata"
Add documentation for the subslice transform. Issue: 7672
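The slicing rules in the commit message above, written out as an added Rust example (not code from this PR or from Suricata). The `subslice` function name and signature are assumptions; negative `nbytes` follows the message's `10, -5` example (the end is counted back from the buffer end), and an out-of-range offset yields an empty buffer even with truncate.

```rust
// Added reference model, not Suricata's code. Names and signature are assumptions.
// nbytes = None means "to the end of the buffer".
fn subslice(data: &[u8], offset: isize, nbytes: Option<isize>, truncate: bool) -> &[u8] {
    const EMPTY: &[u8] = &[];
    let len = data.len();

    // Start of the slice. unsigned_abs() is total; abs() overflows on isize::MIN.
    let mag = offset.unsigned_abs();
    if mag > len {
        return EMPTY; // offset outside the buffer
    }
    let start = if offset < 0 { len - mag } else { mag };

    // Exclusive end of the slice.
    let end = match nbytes {
        None => len,
        // Assumption (from the "10, -5" example): stop n bytes before the buffer end.
        Some(n) if n < 0 => match len.checked_sub(n.unsigned_abs()) {
            Some(e) => e,
            None => return EMPTY,
        },
        Some(n) => match start.checked_add(n as usize) {
            Some(e) if e <= len => e,
            _ if truncate => len, // trim so offset + nbytes == buffer length
            _ => return EMPTY,    // no truncate: empty buffer
        },
    };
    if end < start {
        return EMPTY;
    }
    &data[start..end]
}

fn main() {
    let buf = b"This is Suricata"; // constructed input, taken from the commit message
    for &(off, n) in [(1, None), (0, Some(13)), (10, Some(-5)), (-3, None)].iter() {
        let out = subslice(buf, off, n, false);
        println!("{:>3}, {:?} -> {:?}", off, n, String::from_utf8_lossy(out));
    }
}
```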
Codecov Report
❌ Patch coverage is
@@ Coverage Diff @@
## main #14643 +/- ##
==========================================
+ Coverage 82.11% 82.37% +0.25%
==========================================
Files 1011 1012 +1
Lines 262812 267341 +4529
==========================================
+ Hits 215812 220214 +4402
- Misses 47000 47127 +127
Information: QA ran without warnings. Pipeline = 29172
Information: QA ran without warnings. Pipeline = 29301
catenacyber left a comment
Thanks for the work,
CI : ✅
Code : looking now
Commits segmentation : I would squash but ok
Commit messages : nice
Git ID set : looks fine for me
CLA : you already contributed
Doc update : cool
Redmine ticket : ok
Rustfmt : no rust
Tests : left some comments on SV PR
Dependencies added: none
| than the input buffer size. When specified, the result will | ||
| be trimmed as though ``offset + nbyfes == buffer_length``. When | ||
| not specified [DEFAULT], an empty buffer will be produced on | ||
| which ``bsize:0`` will match. [OPTIONAL] |
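Review bot: typo on the second visible line of this documentation hunk: ``offset + nbyfes == buffer_length`` should read ``offset + nbytes == buffer_length``, matching the option name. The sentence also describes only the end of the buffer; state what truncate does when a negative offset or a negative nbytes reaches before the start.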
Can you make the behavior of truncate more explicit when we have negative values?
Will add discussion.
| # The default is to truncate (on). Set to off to not truncate and produce an | ||
| # empty buffer (bsize:0 will match). | ||
| subslice: | ||
| truncate: on |
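Review bot: the comment on the first visible line says the default is to truncate (on), while the documentation hunk for the keyword marks the non-truncating behaviour (empty buffer, bsize:0 matches) as [DEFAULT]. State one default identically in both places, or drop this YAML setting if the per-rule truncate option is the only control.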
We do not need this anymore, right ?
Correct. Will remove.
| truncate: true, | ||
| }) | ||
| } | ||
| _ => None, |
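Review bot: the catch-all arm `_ => None,` on the last line returns None for every unmatched input without a diagnostic. Log the rejected input together with the expected `offset <,nbytes> <,truncate>` form before returning, so a rule author can see which argument failed.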
Could you log a friendly error ?
|
|
||
| // copy result into output | ||
| let len = slice.len(); | ||
| output[..len].copy_from_slice(slice); |
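Review bot: `output[..len].copy_from_slice(slice);` on the last line panics if `output` is shorter than `slice`, and no length check is visible in this hunk. Assert or document that the output buffer is at least as long as the input, or clamp `len` to `output.len()`. `copy_from_slice` also requires non-overlapping source and destination, so if a caller can pass the same buffer for both, the copy needs `copy_within` or `ptr::copy` instead.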
Does this work in-place ? If input and output are the same pointer/buffer ?
| let len = data.len() as isize; | ||
|
|
||
| // Reject impossible offsets | ||
| if ctx.offset.abs() > len { |
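Review bot: `ctx.offset.abs()` on the last line overflows when the offset is `isize::MIN`: a panic in debug builds, and in release builds a result that is still negative and therefore passes this check. Compare `ctx.offset.unsigned_abs() > data.len()` so the test is done in `usize` and the `as isize` cast on the first line is not needed, or reject such offsets at parse time.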
even if ctx.truncate ?
This condition catches an offset value (+ or -) that exceeds the length of the buffer.
Suppose the buffer is "This is Suricata" (length 16 chars)
subslice: -17, -3, truncate
- Subslice begins before the buffer (does this make sense?)
- Subslice terminates 3 chars from the end
Should the transform treat this as though subslice: 0, -3 because truncate was used?
Suppose the buffer is "This is Suricata" (length 16 chars)
I would expect subslice: -17, -truncate to give me the full buffer. Truncate goes both ways : end and beginning
Do you expect differently ?
agreed -- i'll update things.
catenacyber left a comment
See inline like
Correct. Will remove.
Continued in #14751
Continuation of #14625
The subslice transform creates a slice of the input buffer.
Examples:
subslice: 1; - The subslice will be a copy of the input
buffer but omit the input buffer's first byte
"This is Suricata" -> "his is Suricata"
subslice: 0, 13; - The slice is created from the first 13 bytes
of the input buffer
"This is Suricata" -> "This is Suric"
subslice: 10, -5; - This is the same as subslice[5, 5]
"This is Suricata" -> "is Su"
subslice: -3; - The subslice will be the last 3 bytes of the
input buffer.
"This is Suricata" -> "ata"
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7672
Describe changes:
Updates:
- [3],[3, 8]`
- DetectTransformSubsliceData to be attributed with repr(C)
- nbyte values to mean "bytes from the end".
- start=0 is an error unless nbytes is specified
- end=0 is always an error.
- subslice.truncate to control behavior when offset + nbytes > length
- truncate option.

Provide values to any of the below to override the defaults.
link to the pull request in the respective _BRANCH variable.
SV_REPO=
SV_BRANCH=OISF/suricata-verify#2749
SU_REPO=
SU_BRANCH=