Detect http trailers 8256 v3 #14823

Open
catenacyber wants to merge 5 commits into OISF:main from catenacyber:detect-http-trailers-8256-v3

Conversation

@catenacyber (Contributor)

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8256

Describe changes:

  • detect: http.headers works on trailers even if it is not fast_pattern
    To do so:
  • convert many variables/fields/args describing a tx_progress to use u8 instead of int or other
  • adds a max_progress field to DetectEngineAppInspectionEngine
  • adds a DetectAppLayerInspectEngineRegisterMax function to register an app engine with a min_progress < max_progress

SV_BRANCH=OISF/suricata-verify#2894

#14724 with review taken into account and rebased to rerun QA to get more data/pcaps

instead of a single progress.

Will help for keywords such as http.header which can act on
headers and trailers progress

Tx engines are inspected between min_progress and max_progress
So, we do not give up and say a signature does not match
when it will match on later max_progress

And we can match as early as possible, especially in IPS mode.
Function to register an app engine with a min and max progress
as it registers the app engine up to the trailers progress

Ticket: 8256
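The following C model is an added illustration of the min/max progress window the description above refers to; it is not Suricata's code and not part of this PR. It models a hypothetical HttpTx with a u8 progress field, an engine registered with min_progress < max_progress through a stand-in RegisterEngineMax, and the decision that separates "no match yet, keep inspecting" from "past max_progress, will never match". The progress enum, struct and function names, and the sample header/trailer data are all constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed tx progress values in parsing order (not Suricata's real enum);
 * stored in a u8, as the PR changes progress fields to. */
enum { PROGRESS_REQUEST_LINE, PROGRESS_HEADERS, PROGRESS_BODY, PROGRESS_TRAILERS, PROGRESS_COMPLETE };

typedef struct {
    uint8_t progress;
    const char *headers;   /* NULL until the header block has been parsed */
    const char *trailers;  /* NULL until the trailer block has been parsed */
} HttpTx;

typedef struct {
    const char *name;
    uint8_t min_progress;  /* first progress at which the inspected buffer exists */
    uint8_t max_progress;  /* last progress at which new data can still appear in it */
    bool (*inspect)(const HttpTx *tx, const char *pattern);
} InspectEngine;

typedef enum { INSPECT_MATCH, INSPECT_PENDING, INSPECT_NO_MATCH } InspectResult;

typedef struct { int matched_at; int alerts; } SimResult;

/* Hypothetical stand-in for a "register with max progress" function: the window
 * must satisfy min < max; a single-progress engine keeps using min == max. */
bool RegisterEngineMax(InspectEngine *e, const char *name, uint8_t min_progress,
                       uint8_t max_progress, bool (*inspect)(const HttpTx *, const char *))
{
    if (min_progress >= max_progress)
        return false;
    *e = (InspectEngine){ name, min_progress, max_progress, inspect };
    return true;
}

/* http.header-style inspection: search whatever header data has been parsed so far. */
static bool HttpHeaderInspect(const HttpTx *tx, const char *pattern)
{
    return (tx->headers != NULL && strstr(tx->headers, pattern) != NULL) ||
           (tx->trailers != NULL && strstr(tx->trailers, pattern) != NULL);
}

/* Windowed inspection: run between min_progress and max_progress, and only give a
 * definitive "no match" once the tx is at or past max_progress. */
InspectResult DetectRunEngine(const InspectEngine *e, const HttpTx *tx, const char *pattern)
{
    if (tx->progress < e->min_progress)
        return INSPECT_PENDING;   /* buffer not available yet */
    if (e->inspect(tx, pattern))
        return INSPECT_MATCH;     /* match as early as possible (matters in IPS mode) */
    if (tx->progress < e->max_progress)
        return INSPECT_PENDING;   /* do not give up: trailers may still arrive */
    return INSPECT_NO_MATCH;      /* past max_progress: this signature will never match */
}

/* Drives one constructed tx through every progress value against one engine.
 * matched_at is the progress of the first match (-1 if none); alerts counts alerts
 * raised for this tx/sid, which the per-tx sig_done flag keeps at most one. */
SimResult SimulateTx(const InspectEngine *e, const char *headers, const char *trailers,
                     const char *pattern)
{
    HttpTx tx = { .progress = PROGRESS_REQUEST_LINE, .headers = NULL, .trailers = NULL };
    SimResult r = { -1, 0 };
    bool sig_done = false;  /* set once the verdict for this tx/sid is final */
    for (uint8_t p = PROGRESS_REQUEST_LINE; p <= PROGRESS_COMPLETE && !sig_done; p++) {
        tx.progress = p;
        if (p >= PROGRESS_HEADERS)
            tx.headers = headers;
        if (p >= PROGRESS_TRAILERS)
            tx.trailers = trailers;
        InspectResult res = DetectRunEngine(e, &tx, pattern);
        if (res == INSPECT_MATCH) {
            r.matched_at = p;
            r.alerts++;
        }
        sig_done = (res != INSPECT_PENDING);  /* a final verdict is never re-run */
    }
    return r;
}

/* Constructed sample: a chunked request whose interesting header is a trailer. */
static const char SAMPLE_HEADERS[] = "Host: example.test\r\nTransfer-Encoding: chunked\r\n";
static const char SAMPLE_TRAILERS[] = "X-Debug-Token: deadbeef\r\n";

/* Runs the sample against the old single-progress engine or the windowed one. */
SimResult RunSample(bool windowed, const char *pattern)
{
    InspectEngine e = { "http.header", PROGRESS_HEADERS, PROGRESS_HEADERS, HttpHeaderInspect };
    if (windowed)
        RegisterEngineMax(&e, "http.header", PROGRESS_HEADERS, PROGRESS_TRAILERS, HttpHeaderInspect);
    return SimulateTx(&e, SAMPLE_HEADERS, SAMPLE_TRAILERS, pattern);
}
```

With the single-progress engine (min == max == headers), a pattern that only appears in the trailers gets a final "no match" at the headers step and is never looked at again; with the windowed engine the same signature stays pending through the body and fires once at the trailers step, while a pattern already present in the headers still fires at the earliest possible progress in both cases.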
@catenacyber catenacyber marked this pull request as ready for review February 16, 2026 21:33
@catenacyber catenacyber added the "needs baseline update" label (QA will need a new base line) Feb 16, 2026
@catenacyber (Contributor, Author)

So, my investigation shows that this PR is good and current main branch does in fact produce two alerts for the same sid and transaction in some cases I did not manage to characterize

@suricata-qa

ERROR:

ERROR: QA failed on SURI_TLPR1_alerts_cmp.

Pipeline = 29616
