ja3(s): automatically enable when rules require it
With the ET 5.0 ruleset quite a few rules use the ja3_hash keyword. If the JA3 functionality is not enabled in the config, this will lead to ruleset loading errors. If Suricata-Update is in use, it's test phase will fail.
We should probably change the logic to enable JA3 on demand. This should be done in a thread safe way as the ruleset can be (re)loaded when traffic is already being processed.
- Assignee set to OISF Dev
- Target version set to TBD
Is there any harm to enable it by default and not just rely on the rules?
Could this happen to other keywords as well?
This would mean we have to always check this for each
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 5.0.0
The reason to not enable it unless we have to is to avoid the performance and memory use overhead.
- Status changed from Assigned to Closed
Also available in: Atom