@catenacyber
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/5044

Describe changes:

  • adds a `count` option to multi-buffers, behaving like a keyword but syntax is `email.received: count <3;` instead of `email.received; count: <3;`
  • adds other modes to multi-buffers like `all`, `all_or_absent`, `nb`, and precise indexing

SV_BRANCH=OISF/suricata-verify#2634

Draft :

  • Feedback about general design ?

#14279 needed rebase, #14345 good branch rebased

TODOs :

  • update doc if design is agreed
  • add support for all multi-buf keywords
  • add more tests
  • rustfmt removes one line in mod.rs

Also rename parse_uint_count as parse_multi_count

This allows preparing multi-buffers using this code.
As for multi-integers, multi-buffers can now have the following
arguments:
- count
- nb
- precise index
- all

Ticket: 5044
@codecov

codecov bot commented Nov 18, 2025

Codecov Report

❌ Patch coverage is 68.33333% with 76 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.18%. Comparing base (626027a) to head (45d9fbb).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #14346      +/-   ##
==========================================
- Coverage   84.20%   84.18%   -0.02%     
==========================================
  Files        1012     1013       +1     
  Lines      261769   261981     +212     
==========================================
+ Hits       220415   220552     +137     
- Misses      41354    41429      +75     
| Flag | Coverage Δ |
|---|---|
| fuzzcorpus | 63.23% <21.79%> (-0.06%) ⬇️ |
| livemode | 18.71% <5.55%> (-0.02%) ⬇️ |
| pcap | 44.59% <10.68%> (-0.06%) ⬇️ |
| suricata-verify | 64.97% <68.10%> (+<0.01%) ⬆️ |
| unittests | 59.19% <18.06%> (-0.04%) ⬇️ |

Flags with carried forward coverage won't be shown.

@suricata-qa

Information: QA ran without warnings.

Pipeline = 28484
