
Better logging for cron; rule revision matching - v1 #350

Draft: wants to merge 4 commits into base: master
Conversation

jasonish (Member) commented Jan 15, 2025

  • matchers: remove debug print
  • engine: choose better Suricata logging levels for rule test
  • fix: bad variable name in metadata matcher
  • matching: allow a rule revision to be matched as well

Tickets:

Notes:

  • SIDs can now be disabled with a rev: 1:223330:3. The GID is required in this case.

The current default is to use SC_LOG_LEVEL=warning which can output
non-fatal warnings which is generally not what you want when running
from cron with "suricata-update -q".

Now, if "-q" is provided, run Suricata with SC_LOG_LEVEL=error which
is useful for cron to only be notified of fatal errors. Generally
end-users are not worried about rule warnings such as:

    ja3.hash should not be used together with nocase, since the rule
    is automatically lowercased anyway which makes nocase redundant.

This also allows for the log level to be set with SC_LOG_LEVEL, in which case
Suricata-Update will not change the log level.

Additionally, make Suricata more verbose if Suricata-Update is run
with "-v".

Ticket: https://redmine.openinfosecfoundation.org/issues/7494

A rule ID can now be matched with a revision given the following
format of:

<gid>:<sid>:<rev>

The <gid> has to be specified for a revision match, as a specifier
with 2 components is read as "gid" and "rev".

Ticket: https://redmine.openinfosecfoundation.org/issues/7425
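The `<gid>:<sid>:<rev>` matching described in the PR, as an added Python example (not suricata-update's own matcher code): it assumes a two-component specifier is read as `gid:sid`, that a rule without an explicit `gid` keyword has GID 1, and uses constructed sample rules rather than any real ruleset.

```python
import re
from collections import namedtuple
from typing import Optional
Rule = namedtuple("Rule", "gid sid rev")
_KEY = {k: re.compile(r"\b%s\s*:\s*(\d+)\s*;" % k) for k in ("gid", "sid", "rev")}

def parse_rule(line: str) -> Rule:
    """Pull gid/sid/rev out of a rule line; gid defaults to 1, rev to 0 (assumption)."""
    found = {k: rx.search(line) for k, rx in _KEY.items()}
    if not found["sid"]:
        raise ValueError("rule has no sid: " + line)
    return Rule(int(found["gid"].group(1)) if found["gid"] else 1,
                int(found["sid"].group(1)),
                int(found["rev"].group(1)) if found["rev"] else 0)

class IdRevMatcher:
    """Match a rule by <sid>, <gid>:<sid>, or <gid>:<sid>:<rev>."""
    def __init__(self, gid: Optional[int], sid: int, rev: Optional[int]):
        self.gid, self.sid, self.rev = gid, sid, rev
    @classmethod
    def parse(cls, spec: str) -> Optional["IdRevMatcher"]:
        parts = spec.strip().split(":")
        if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
            return None  # not an ID specifier; other matchers get a turn
        nums = [int(p) for p in parts]
        if len(nums) == 1:                     # <sid>: any gid, any rev
            return cls(None, nums[0], None)
        if len(nums) == 2:                     # <gid>:<sid>: any rev
            return cls(nums[0], nums[1], None)
        return cls(nums[0], nums[1], nums[2])  # <gid>:<sid>:<rev>: exact rev
    def match(self, rule: Rule) -> bool:
        if self.gid is not None and rule.gid != self.gid:
            return False
        if self.rev is not None and rule.rev != self.rev:
            return False
        return rule.sid == self.sid

def disabled_sids(rules, specs):
    """Return 'gid:sid:rev' for every rule hit by any of the disable specs."""
    matchers = [m for m in (IdRevMatcher.parse(s) for s in specs) if m]
    return ["%d:%d:%d" % r for r in rules if any(m.match(r) for m in matchers)]

# Constructed sample rules, not from any real ruleset.
SAMPLE_RULES = [parse_rule(l) for l in [
    'alert tcp any any -> any any (msg:"A rev 2"; sid:223330; rev:2;)',
    'alert tcp any any -> any any (msg:"A rev 3"; sid:223330; rev:3;)',
    'alert tcp any any -> any any (msg:"B"; gid:3; sid:223330; rev:3;)',
    'alert tcp any any -> any any (msg:"C"; sid:1000; rev:1;)',
]]
```

Note that `223330:3` is read as GID 223330, SID 3 and so matches nothing here; to pin a revision the GID must be given, as in `1:223330:3`.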
@jasonish jasonish self-assigned this Jan 15, 2025
@jasonish jasonish marked this pull request as draft January 16, 2025 04:08
jasonish (Member, Author) commented:
Back to draft, still have this with -q:

{"message": "done", "return": "OK"}
