Bug #2091: nonexistent/misspelled custom fields accepted during parsing of suricata.yaml - Suricata - Open Information Security Foundation

Bug #2091

nonexistent/misspelled custom fields accepted during parsing of suricata.yaml

Added by Peter Manev over 2 years ago. Updated 3 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

Effort:

Difficulty:

Label:

Description

This is Suricata version 4.0dev (rev 9ff8882)

If there is misspelled or nonexistent custom field in eve.json's section Suricata would not error out/warn on start - example:


        - http:
            custom: [accept, accept-charset, accept-encoding, accept-language,
            proxy-authenticate, referrer, refresh, retry-after, server,
            set-cookie, trailer, transfer-encoding, upgrade, vary, warning,
            www-authenticate, mychemicalromance]
        - smtp:
            custom: [received, sensitivity, organization, content-md5, date, mychemicalromance]

History

Updated by Andreas Herz over 2 years ago

Assignee set to OISF Dev
Target version set to TBD

Updated by Andreas Herz 3 months ago

But it doesn't hurt either right?

Updated by Jason Ish 3 months ago

Andreas Herz wrote:

But it doesn't hurt either right?

Doesn't hurt, but may improve user experience. Just in case you entered "receved" by accident and can't figure out why you are not seeing that in the output.

Updated by Peter Manev 3 months ago

Also it may not err on a filed we don't parse or support yet and leave the user with the wrong impression that everything is ok and expecting to see those values.

Also available in: Atom PDF

Project

General

Profile

Suricata

Issues

Custom queries