Feature #2409

closed

Push signatures without reloading the entire set.

Added by Mario Lefebvre almost 7 years ago. Updated about 4 years ago.

Status: Rejected
Priority: Normal
Target version: (none)
Effort: high
Difficulty: high
Label: (none)

Description

Good morning,
We discussed this yesterday at Flocon 2018 with Eric Leblond and Peter Manev.

We would like to see the Suricata engine be able to load one or more new signatures via an API call without having to reload the entire set of signatures every time. Reloading is heavy on the network to ship and inefficient. We want to keep the capability to reload the entire set, as this can be convenient, but adding signatures one at a time as we produce them would better fit our inter-systems design. Also, some of our signatures are time sensitive and need to be pushed as fast as possible. Pushing a single signature should expedite the loading time (reload time is currently 3 minutes for ~20000 sigs).
As a secondary requirement, it would be a bonus if new versions of a signature could also be managed the same way.
As a secondary requirement, it would be a bonus if deletion of signatures could also be managed the same way. We have legal/policy constraints to remove some signatures depending on operations and would again prefer not to have to reload the entire set, as it is very heavy from our perspective.

Let me know if you need more details.


Related issues (2 open, 0 closed)

Related to Suricata - Task #2685: SuriCon 2018 brainstorm (Assigned, Victor Julien)
Related to Suricata - Task #3288: Suricon 2019 brainstorm (Assigned, Victor Julien)
