Optimization #3213

open

improve rule parsing warnings

Added by Victor Julien almost 3 years ago. Updated almost 3 years ago.

Status: New
Priority: Normal

Description

Rule parsing warnings, as opposed to errors, often do not contain enough information to quickly determine which rule generated the warning. Errors themselves are similar, but they will lead to a follow-up message containing the raw sig.

Since this isn't so for warnings, it can lead to implementation-specific hacks, like:

          if (s->id > 0) {
              SCLogWarning(SC_ERR_UNKNOWN_VALUE, "signature sid:%u uses " 
                      "unknown classtype: \"%s\", using default priority %d. " 
                      "This message won't be shown again for this classtype",
                      s->id, parsed_ct_name, DETECT_DEFAULT_PRIO);
          } else if (de_ctx->rule_file != NULL) {
              SCLogWarning(SC_ERR_UNKNOWN_VALUE, "signature at %s:%u uses " 
                      "unknown classtype: \"%s\", using default priority %d. " 
                      "This message won't be shown again for this classtype",
                      de_ctx->rule_file, de_ctx->rule_line,
                      parsed_ct_name, DETECT_DEFAULT_PRIO);
          } else {
              SCLogWarning(SC_ERR_UNKNOWN_VALUE, "unknown classtype: \"%s\", " 
                      "using default priority %d. " 
                      "This message won't be shown again for this classtype",
                      parsed_ct_name, DETECT_DEFAULT_PRIO);
          }

It would be good to create a wrapper for this, so we can get consistent behavior and less verbose code.
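One possible shape for such a wrapper, as an added example that is not part of the ticket and not Suricata code: it picks the best available rule locator (sid, then file:line, then none) in one place so each call site passes only its own message. `RuleLoc`, `rule_loc_prefix` and `rule_warn_format` are hypothetical names, the prefix layout is an assumption, and the result is formatted into a buffer rather than handed to `SCLogWarning`.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the fields the ticket's snippet reads:
 * s->id, de_ctx->rule_file and de_ctx->rule_line. */
typedef struct {
    uint32_t sid;          /* 0 until the sid keyword has been parsed */
    const char *rule_file; /* NULL when the rule was not loaded from a file */
    unsigned rule_line;
} RuleLoc;

/* Write the best available locator into buf: sid first, then file:line,
 * else nothing. Returns bytes written, at most len - 1. */
static size_t rule_loc_prefix(char *buf, size_t len, const RuleLoc *loc)
{
    int n = 0;
    if (len == 0)
        return 0;
    buf[0] = '\0';
    if (loc != NULL && loc->sid > 0)
        n = snprintf(buf, len, "signature sid:%u: ", (unsigned)loc->sid);
    else if (loc != NULL && loc->rule_file != NULL)
        n = snprintf(buf, len, "signature at %s:%u: ", loc->rule_file, loc->rule_line);
    if (n < 0) { buf[0] = '\0'; return 0; }
    return (size_t)n >= len ? len - 1 : (size_t)n;
}

/* Format one warning as "<locator><message>". Returns the prefix length plus
 * the untruncated message length, or -1 on a formatting error. */
static int rule_warn_format(char *buf, size_t len, const RuleLoc *loc, const char *fmt, ...)
{
    size_t off = rule_loc_prefix(buf, len, loc);
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + off, len - off, fmt, ap);
    va_end(ap);
    return n < 0 ? -1 : (int)off + n;
}

int main(void)
{
    char msg[256];
    RuleLoc loc = { 0, "constructed.rules", 12 }; /* constructed sample values */
    rule_warn_format(msg, sizeof(msg), &loc, "unknown classtype: \"%s\", using default priority %d", "example-class", 3);
    puts(msg);
    return 0;
}
```

The rule file name and classtype are passed as arguments, never as the format string, so text taken from a rule file cannot act as a format specifier.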

#1

Updated by Andreas Herz almost 3 years ago

  • Assignee set to OISF Dev

Do you have an example of how the end result should look?
