Project

General

Profile

Actions

Bug #3155

closed

Odd Debug Logs for flowbit requirements

Added by Kenneth Kolano almost 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When using the -v switch the logs related to flowbit handling are a bit weird...

6/9/2019 -- 12:13:05 - <Debug> -- Found 349 required flowbits.
6/9/2019 -- 12:13:05 - <Debug> -- Found 53 rules to enable to for flowbit requirements
6/9/2019 -- 12:13:05 - <Debug> -- Found 350 required flowbits.
6/9/2019 -- 12:13:05 - <Debug> -- Found 0 rules to enable to for flowbit requirements
6/9/2019 -- 12:13:05 - <Debug> -- All required rules enabled.

...unclear why the flowbits related logs output twice, or why the counts for each are misaligned.


Related issues 1 (0 open1 closed)

Related to Suricata-Update - Optimization #3205: Improve flowbit loggingClosedRiju KhatriActions
Actions #1

Updated by Kenneth Kolano almost 5 years ago

I'm guessing that this is due to the first round of flowbits processing enabling a rule, and then the revised set of rules being reprocessed (i.e. a formerly disabled rule had a flowbit, which required additional ruled be enabled).

In any case the way this is logged could likely be revised to make what's happening more clear.

Actions #2

Updated by Shivani Bhardwaj almost 5 years ago

Kenneth Kolano wrote:

I'm guessing that this is due to the first round of flowbits processing enabling a rule, and then the revised set of rules being reprocessed (i.e. a formerly disabled rule had a flowbit, which required additional ruled be enabled).

Yes, you're absolutely right about why this happens.

In any case the way this is logged could likely be revised to make what's happening more clear.

How do you find the logging below? Does it make things clearer or worse? I would like to take a user's perspective into account before making any changes.

7/9/2019 -- 11:47:44 - <Debug> -- Checking flowbits for round 1 of rules
7/9/2019 -- 11:47:44 - <Debug> -- Found 202 required flowbits.
7/9/2019 -- 11:47:44 - <Debug> -- Found 43 rules to enable to for flowbit requirements
7/9/2019 -- 11:47:44 - <Debug> -- Enabling previously disabled rule for flowbits: # [1:2019401] ET POLICY Vulnerable Java Version 1.8.x Detected
7/9/2019 -- 11:47:44 - <Debug> -- Checking flowbits for round 2 of rules
7/9/2019 -- 11:47:44 - <Debug> -- Found 203 required flowbits.
7/9/2019 -- 11:47:45 - <Debug> -- Found 0 rules to enable to for flowbit requirements
7/9/2019 -- 11:47:45 - <Debug> -- All required rules enabled.
7/9/2019 -- 11:47:45 - <Info> -- Enabled 43 rules for flowbit dependencies.
Actions #3

Updated by Shivani Bhardwaj almost 5 years ago

  • Status changed from New to Assigned
Actions #4

Updated by Victor Julien over 4 years ago

  • Target version set to TBD
Actions #5

Updated by Kenneth Kolano over 4 years ago

Sorry for the delayed response here, but yes, the revised logging would be clearer.

Actions #6

Updated by Shivani Bhardwaj over 4 years ago

Actions #7

Updated by Shivani Bhardwaj over 4 years ago

  • Status changed from Assigned to Closed

Kenneth Kolano wrote:

Sorry for the delayed response here, but yes, the revised logging would be clearer.

Thanks, Kenneth. Tracking it here: https://redmine.openinfosecfoundation.org/issues/3205 as a development issue, closing this one.

Actions

Also available in: Atom PDF