Feature #2409
closed
Push signatures without reloading the entire set.
Added by Mario Lefebvre almost 7 years ago.
Updated about 4 years ago.
Description
Good morning,
We discussed this yesterday at Flocon 2018 with Eric Leblond and Peter Manev.
We would like to see the Suricata engine be able to load one or more new signatures without having to reload the entire set of signatures every time via an API call. Reloading is heavy on the network to ship and inefficient. We want to keep the capability to reload the entire set as this can be convenient, but adding signatures as we produce them one at a time would better fit our inter-systems design. Also, some of our signatures are time sensitive and need to be pushed as fast as possible. Pushing a single signature should expedite the time of loading (reload time is currently 3 minutes for ~20000 sigs).
As a secondary requirement, it would be a bonus if new versions of a signature could be also managed the same way.
As a secondary requirement, it would be a bonus if deletion of signatures could be managed the same way. We have legal/policy constraints to remove some signatures depending on operations and would again prefer not to have to reload the entire set, as it is very heavy from our perspective.
Let me know if you need more details.
Related issues
2 (2 open — 0 closed)
- Assignee set to OISF Dev
- Target version set to TBD
- Effort set to high
- Difficulty set to high
- Assignee changed from OISF Dev to Anonymous
Due to the complexity of the detection engine, this is not easily possible. Perhaps it would be possible to do this for the simpler rule types, but it seems to be requested mostly for complex rule types. Assigning to 'community' as there are no plans to work on this.
- Related to Task #2685: SuriCon 2018 brainstorm added
Note similar functionality would be useful when updating fileMD5 entries
- Assignee set to Community Ticket
The datasets support allows live updates over unix-socket. So for the file md5 matching and the many other datasets use cases this is now supported. The rules stay static, but the datasets referenced by them are dynamic.
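
Added example, not part of the comment above and not Suricata project code: a minimal client for the live dataset update that comment describes, which validates and serializes a value per dataset type and sends `dataset-add` or `dataset-remove` over the command socket. Assumptions: the JSON field names (`setname`, `settype`, `datavalue`) and the `{"version": "0.2"}` handshake follow the behaviour of the `suricatasc` client as I understand it, the socket path is deployment-specific, and the named dataset is already defined by a loaded rule or the configuration.

```python
import base64, binascii, ipaddress, json, socket

HEX_DIGITS = {"md5": 32, "sha256": 64}

def serialize(settype, value):
    """Serialize one value the way dataset-add expects it for this set type."""
    if settype == "string":
        return base64.b64encode(value.encode()).decode()
    if settype in HEX_DIGITS:
        digest = value.strip().lower()
        if len(digest) != HEX_DIGITS[settype]:
            raise ValueError(f"{settype} needs {HEX_DIGITS[settype]} hex digits")
        binascii.unhexlify(digest)  # raises ValueError on non-hex characters
        return digest
    if settype in ("ipv4", "ipv6"):
        addr = ipaddress.ip_address(value)  # raises ValueError if malformed
        if addr.version != int(settype[-1]):
            raise ValueError(f"{value} is not an {settype} address")
        return str(addr)
    raise ValueError(f"unsupported dataset type: {settype}")

def build_command(command, setname, settype, value):
    """Build a dataset-add / dataset-remove message for an existing dataset."""
    if command not in ("dataset-add", "dataset-remove"):
        raise ValueError(f"unexpected command: {command}")
    return {"command": command,
            "arguments": {"setname": setname, "settype": settype,
                          "datavalue": serialize(settype, value)}}

def _exchange(sock, message):
    """Send one newline-terminated JSON message and read the JSON reply."""
    sock.sendall(json.dumps(message).encode() + b"\n")
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("socket closed before a full reply arrived")
        buf += chunk
        try:
            return json.loads(buf)
        except ValueError:
            continue  # reply not complete yet

def push(sock_path, message):
    """Handshake, then send message; sock_path is the deployment's command socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        for msg in ({"version": "0.2"}, message):  # assumed protocol version
            reply = _exchange(sock, msg)
            if reply.get("return") != "OK":
                raise RuntimeError(f"Suricata refused {msg}: {reply}")
        return reply
```

Rejecting malformed values before they reach the socket keeps a bad feed entry from being silently dropped or mis-added, since the rule that references the dataset is never reloaded or re-validated.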
- Status changed from New to Closed
We've closed this as we don't see this happen w/o massive redesigns of how the detection engine works. We think the datasets work will support a good deal of the possible use cases. For others, we'll have to fall back to regular rule reloads.
- Related to Task #3288: Suricon 2019 brainstorm added
- Status changed from Closed to Rejected