Optimization #3396

open

Safer defaults when faced with error / fallback

Added by Tiago F. about 5 years ago. Updated over 1 year ago.

Status: Assigned
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

Hi,

I recently had a situation where:

- Had a noisy rule that I wanted to disable
- ET PRO was having an issue where one of their rules was failing to parse

Because of the ruleset problem, suricata-update would fall back and use a previous good set of rules. This means, however, that changes made in local files (specifically disable.conf) would not be updated.

In my particular case, the solution would be for ET to fix the problem so that a new rules file could be created with the changes in local files.

Ideally, my local changes would find a way into rules EVEN if a ruleset is failing to parse (don't know what's the behavior in case of failure to download).

suricata-update 1.1.0
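A check for the condition described above, as an added example that is not part of the original report or of suricata-update itself: it lists SIDs that appear in disable.conf but are still enabled in the generated rules file. It assumes disabled rules are written as commented-out lines and handles only plain `SID` and `GID:SID` entries; the function names and sample data are constructed for illustration.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "pass", "reject")

# Constructed sample inputs (not taken from any real ruleset).
DISABLE_CONF = """# constructed sample
2100001
1:2100002  # noisy
re:heartbleed
"""
RULES = """alert tcp any any -> any any (msg:"constructed A"; sid:2100001; rev:1;)
# alert tcp any any -> any any (msg:"constructed B"; sid:2100002; rev:1;)
alert udp any any -> any any (msg:"constructed C"; sid:2100003; rev:1;)
"""


def parse_disable_conf(text):
    """Return numeric SIDs from disable.conf-style text.

    Only "SID" and "GID:SID" lines are handled; re:, group: and other
    matcher lines are skipped (a limitation of this sketch).
    """
    sids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.fullmatch(r"(?:\d+:)?(\d+)", line)
        if m:
            sids.add(int(m.group(1)))
    return sids


def enabled_sids(rules_text):
    """Return SIDs of rules that are active (line starts with an action)."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith(ACTIONS):
            m = SID_RE.search(line)
            if m:
                sids.add(int(m.group(1)))
    return sids


def stale_disables(disable_text, rules_text):
    """SIDs requested disabled that are still enabled in the output."""
    return sorted(parse_disable_conf(disable_text) & enabled_sids(rules_text))


if __name__ == "__main__":
    print("still enabled despite disable.conf:", stale_disables(DISABLE_CONF, RULES))
```

A non-empty result after an update run indicates that the rules file in use predates the current disable.conf, which is the fallback situation this issue describes.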

Actions #1

Updated by Shivani Bhardwaj almost 5 years ago

  • Status changed from New to Assigned

Actions #2

Updated by Jason Ish about 3 years ago

In this case, was Suricata-Update failing or was it the Suricata test phase that was failing? I'm wondering if --no-test would have been a work-around for this case.

Actions #3

Updated by Philippe Antoine over 1 year ago

  • Target version set to 1.3.0

Actions #4

Updated by Shivani Bhardwaj over 1 year ago

  • Target version changed from 1.3.0 to TBD