@catenacyber
Contributor

@catenacyber catenacyber commented Nov 6, 2025

Link to ticket: https://redmine.openinfosecfoundation.org/issues/5044

Describe changes:

  • adds a count option to multi-buffers, behaving like a keyword but syntax is email.received: count <3; instead of email.received; count: <3;
  • adds other modes to multi-buffers like all, all_or_absent, nb, and precise indexing

SV_BRANCH=OISF/suricata-verify#2634

Draft :

  • Feedback about general design ?

TODOs :

  • update doc if design is agreed
  • add support for all multi-buf keywords
  • add more tests
  • rustfmt removes one line in mod.rs

@catenacyber
Contributor Author

There are

  • 2 preparatory commits
  • The big/interesting commit for design
  • a last commit adding the support for one multi-buffer keyword email.received (to be done for every multi-buffer keyword once design is ok)

@catenacyber catenacyber marked this pull request as draft November 6, 2025 15:18
@catenacyber catenacyber force-pushed the detect-count-5044-v3.1 branch from 8dc2646 to f2e7c75 Compare November 6, 2025 15:23
Also rename parse_uint_count as parse_multi_count

This allows preparing multi-buffers using this code
As for multi-integers, multi-buffers can now have the following
arguments
- count
- nb
- precise index
- all

Ticket: 5044
@catenacyber catenacyber force-pushed the detect-count-5044-v3.1 branch from f2e7c75 to 70205bc Compare November 6, 2025 16:24
@codecov

codecov bot commented Nov 6, 2025

Codecov Report

❌ Patch coverage is 68.33333% with 76 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.19%. Comparing base (c61f1cb) to head (70205bc).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #14279      +/-   ##
==========================================
- Coverage   84.21%   84.19%   -0.03%     
==========================================
  Files        1013     1014       +1     
  Lines      262126   262324     +198     
==========================================
+ Hits       220752   220854     +102     
- Misses      41374    41470      +96     
Flag Coverage Δ
fuzzcorpus 63.27% <21.79%> (-0.07%) ⬇️
livemode 18.69% <5.55%> (-0.03%) ⬇️
pcap 44.55% <10.68%> (-0.05%) ⬇️
suricata-verify 64.89% <68.10%> (+<0.01%) ⬆️
unittests 59.20% <18.06%> (-0.03%) ⬇️

@suricata-qa

Information: QA ran without warnings.

Pipeline = 28375
