Project

General

Profile

Actions

Feature #3204

closed

ja3(s): automatically enable when rules require it

Added by Victor Julien about 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

With the ET 5.0 ruleset quite a few rules use the ja3_hash keyword. If the JA3 functionality is not enabled in the config, this will lead to ruleset loading errors. If Suricata-Update is in use, it's test phase will fail.

We should probably change the logic to enable JA3 on demand. This should be done in a thread safe way as the ruleset can be (re)loaded when traffic is already being processed.

Actions #1

Updated by Andreas Herz about 3 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

Is there any harm to enable it by default and not just rely on the rules?
Could this happen to other keywords as well?
This would mean we have to always check this for each

Actions #2

Updated by Victor Julien about 3 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 5.0.0

The reason to not enable it unless we have to is to avoid the performance and memory use overhead.

Actions #3

Updated by Victor Julien about 3 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF