Project

General

Profile

Actions

Feature #2409

closed

Push signatures without reloading the entire set.

Added by Mario Lefebvre over 3 years ago. Updated 11 months ago.

Status:
Rejected
Priority:
Normal
Target version:
Effort:
high
Difficulty:
high
Label:

Description

Good morning,
We discussed this yesterday at Flocon 2018 with Eric Leblond and Peter Manev.

We would like to see the Suricata engine to be able to load one or more new signatures without having to reload the entire set of signatures everytime via an API call. Reloading is heavy on the network to ship and non efficient. We want to keep the capability to reload the entire set as this can be convenient, but adding signatures as we produce them one at the time would better fit our inter-systems design. Also, some of our signatures are time sensitive and need to be pushed as fast as possible. Pushing a single signature should expedite the time of loading (reload time is currently 3 minutes for ~20000 sigs).
As a secondary requirement, it would be a bonus if new versions of a signature could be also managed the same way.
As a secondary requirement, it would be a bonus if deletion of signatures could be managed the same way. We have legal/policy constraints to remove some signatures depending of operations and would again prefer not have to reload the entire set as it is very heavy in our perspective.

Let me know if you need more details.


Related issues

Related to Task #2685: SuriCon 2018 brainstormNewVictor JulienActions
Related to Task #3288: Suricon 2019 brainstormNewVictor JulienActions
Actions #1

Updated by Andreas Herz over 3 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Victor Julien about 3 years ago

  • Effort set to high
  • Difficulty set to high
Actions #3

Updated by Victor Julien almost 3 years ago

  • Assignee changed from OISF Dev to Anonymous

Due to the complexity of the detection engine, this is not easily possible. Perhaps it would be possible to do this for the simpler rule types, but it seems to be requested mostly for complex rule types. Assigning to 'community' as there are no plans to work on this.

Actions #4

Updated by Victor Julien almost 3 years ago

  • Related to Task #2685: SuriCon 2018 brainstorm added
Actions #5

Updated by Kenneth Kolano almost 3 years ago

Note similar functionality would be useful when updating fileMD5 entries

Actions #6

Updated by Andreas Herz over 2 years ago

  • Assignee set to Community Ticket
Actions #7

Updated by Victor Julien almost 2 years ago

The datasets support allows live updates over unix-socket. So for the file md5 matching and the many other datasets usecases this is now supported. The rules stay static, but the datasets referenced by them are dynamic.

Actions #8

Updated by Andreas Herz almost 2 years ago

  • Status changed from New to Closed
Actions #9

Updated by Victor Julien almost 2 years ago

We've closed this as we don't see this happen w/o massive redesigns of how the detection engine works. We think the datasets work will support a good deal of the possible use cases. For others, we'll have to fall back to regular rule reloads.

Actions #10

Updated by Victor Julien almost 2 years ago

  • Related to Task #3288: Suricon 2019 brainstorm added
Actions #11

Updated by Victor Julien 11 months ago

  • Status changed from Closed to Rejected
Actions

Also available in: Atom PDF