Project

General

Profile

Actions
Copy link

Bug #2091

open

nonexistent/misspelled custom fields accepted during parsing of suricata.yaml

Added by Peter Manev over 5 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

This is Suricata version 4.0dev (rev 9ff8882)

If there is misspelled or nonexistent custom field in eve.json's section Suricata would not error out/warn on start - example:


        - http:
            custom: [accept, accept-charset, accept-encoding, accept-language,
            proxy-authenticate, referrer, refresh, retry-after, server,
            set-cookie, trailer, transfer-encoding, upgrade, vary, warning,
            www-authenticate, mychemicalromance]
        - smtp:
            custom: [received, sensitivity, organization, content-md5, date, mychemicalromance]

Actions
Copy link
 #1

Updated by Andreas Herz over 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #2

Updated by Andreas Herz about 3 years ago

But it doesn't hurt either right?

Actions
Copy link
 #3

Updated by Jason Ish about 3 years ago

Andreas Herz wrote:

But it doesn't hurt either right?

Doesn't hurt, but may improve user experience. Just in case you entered "receved" by accident and can't figure out why you are not seeing that in the output.

Actions
Copy link
 #4

Updated by Peter Manev about 3 years ago

Also it may not err on a filed we don't parse or support yet and leave the user with the wrong impression that everything is ok and expecting to see those values.

Actions
Copy link

Also available in: Atom PDF