Optimization #3406
closedfilestore rules are loaded without warning when filestore is not enabled
Description
Not sure what is best - a warning, or handling it similarly to https://redmine.openinfosecfoundation.org/issues/3204.
pevma@DonPedro:~/Work/Suricata/QA/tmp$ cat test-fs.rules
alert http any any -> any any (msg:"test http filestore"; file.name; content:".exe"; filestore; sid:10; rev:1;)
pevma@DonPedro:~/Work/Suricata/QA/tmp$ sudo /opt/suritest/bin/suricata -T -S test-fs.rules
[1305249] 11/12/2019 -- 12:18:49 - (suricata.c:1905) <Info> (ParseCommandLine) -- Running suricata under test mode
[1305249] 11/12/2019 -- 12:18:49 - (suricata.c:1083) <Notice> (LogVersion) -- This is Suricata version 5.0.1-dev (eceb7dcba 2019-12-10) running in SYSTEM mode
[1305249] 11/12/2019 -- 12:18:50 - (suricata.c:3060) <Notice> (main) -- Configuration provided was successfully loaded. Exiting.
pevma@DonPedro:~/Work/Suricata/QA/tmp$ sudo /opt/suritest/bin/suricata --dump-config |grep store
outputs.5 = tls-store
outputs.5.tls-store = (null)
outputs.5.tls-store.enabled = no
outputs.12 = file-store
outputs.12.file-store = (null)
outputs.12.file-store.version = 2
outputs.12.file-store.enabled = no
outputs.12.file-store.xff = (null)
outputs.12.file-store.xff.enabled = no
outputs.12.file-store.xff.mode = extra-data
outputs.12.file-store.xff.deployment = reverse
outputs.12.file-store.xff.header = X-Forwarded-For
outputs.13 = file-store
outputs.13.file-store = (null)
outputs.13.file-store.enabled = no
pevma@DonPedro:~/Work/Suricata/QA/tmp$
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee set to Jeff Lucovsky
- Target version set to 5.0.2
I'm trying to think what good default behavior would be. I think fully rejecting the rules could be too harsh, as some people might add it to just store the file if filestore is enabled, but otherwise just get an alert. So perhaps a warning would be best.
Maybe a special case would be a rule that is 'noalert' and has no other side effects (e.g. setting a flowbit). Those can probably be rejected.
Let's start with a warning. Should probably be a one time warning to avoid flooding the log if a large ruleset uses the filestore keyword.
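As an added example (not part of this ticket and not Suricata's own code), the policy sketched in the comments above, applied as a pre-deployment lint: read the file-store state out of `--dump-config` output, find rules carrying the `filestore` keyword, emit one summary warning for those that still alert, and reject only the `noalert` rules with no other side effect. The set of stateful keywords (`flowbits`, `xbits`, `hostbits`, `tag`), the message wording and the sample rules and config text are assumptions made for the example; the comment names only flowbits.

```python
"""Added example (not Suricata's own code): lint a ruleset for the mismatch in
this ticket, rules carrying 'filestore' while no file-store output is enabled.
Inputs at the bottom are constructed to mirror the ticket's rule and config."""
import re
from dataclasses import dataclass

DUMP_LINE = re.compile(r"^(?P<key>\S+)\s*=\s*(?P<value>.*)$")
FILESTORE_ENABLED_KEY = re.compile(r"^outputs\.\d+\.file-store\.enabled$")
# Keywords whose set/unset/toggle actions change state (assumed list; the
# ticket names only flowbits). isset/isnotset only read state.
STATEFUL_KEYWORDS = {"flowbits", "xbits", "hostbits", "tag"}
READONLY_ACTIONS = {"isset", "isnotset"}


def filestore_enabled(dump_config_text):
    """True if any outputs.N.file-store.enabled node is 'yes'."""
    for raw in dump_config_text.splitlines():
        m = DUMP_LINE.match(raw.strip())
        if m and FILESTORE_ENABLED_KEY.match(m.group("key")):
            if m.group("value").strip().lower() in ("yes", "true"):
                return True
    return False


def split_options(text):
    """Split rule options on ';', ignoring ';' inside double quotes."""
    opts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    opts.append("".join(buf).strip())
    return [o for o in opts if o]


@dataclass
class Rule:
    sid: str
    has_filestore: bool
    noalert: bool
    has_side_effects: bool


def parse_rule(line):
    """Extract the fields this lint needs; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        return None
    rule = Rule("?", False, False, False)
    for opt in split_options(line[start + 1:end]):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        action = value.split(",", 1)[0].strip()
        if name == "sid":
            rule.sid = value
        elif name == "filestore":
            rule.has_filestore = True
        elif name == "noalert" or (name == "flowbits" and action == "noalert"):
            rule.noalert = True
        elif name in STATEFUL_KEYWORDS and action not in READONLY_ACTIONS:
            rule.has_side_effects = True
    return rule


def lint(rules_text, dump_config_text):
    """Classify filestore rules: ok, warn (still alerts) or reject (dead rule)."""
    enabled = filestore_enabled(dump_config_text)
    out = {"ok": [], "warn": [], "reject": [], "messages": []}
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None or not rule.has_filestore:
            continue
        if enabled:
            out["ok"].append(rule.sid)
        elif rule.noalert and not rule.has_side_effects:
            # No alert, no stored file, no state change: the rule can do nothing.
            out["reject"].append(rule.sid)
            out["messages"].append(f"error: sid {rule.sid} is noalert+filestore with no other effect and file-store is disabled; rejected")
        else:
            out["warn"].append(rule.sid)
    if out["warn"]:  # a single summary warning rather than one per rule
        out["messages"].append(f"warning: {len(out['warn'])} rule(s) use filestore but no file-store output is enabled; nothing will be stored")
    return out


# Constructed sample inputs; sid 10 is the ticket's own rule.
SAMPLE_RULES = """\
alert http any any -> any any (msg:"test http filestore"; file.name; content:".exe"; filestore; sid:10; rev:1;)
alert http any any -> any any (msg:"store only"; file.name; content:".dll"; filestore; noalert; sid:11; rev:1;)
alert http any any -> any any (msg:"store and mark"; file.name; content:".scr"; filestore; noalert; flowbits:set,susp.file; sid:12; rev:1;)
alert http any any -> any any (msg:"no filestore"; file.name; content:".zip"; sid:13; rev:1;)
alert http any any -> any any (msg:"check only"; flowbits:isset,susp.file; filestore; noalert; sid:14; rev:1;)
"""
DISABLED_CONFIG = "outputs.12 = file-store\noutputs.12.file-store.enabled = no\noutputs.13 = file-store\noutputs.13.file-store.enabled = no\n"
ENABLED_CONFIG = DISABLED_CONFIG.replace("outputs.12.file-store.enabled = no", "outputs.12.file-store.enabled = yes")
```

Run `lint(SAMPLE_RULES, DISABLED_CONFIG)` to see the split: sids 10 and 12 produce one warning between them (10 still alerts, 12 still sets a flowbit), while 11 and 14 are rejected because with file-store disabled they can neither alert, store nor change state. Against `ENABLED_CONFIG` every filestore rule is simply accepted. In a real deployment the config text would come from `suricata --dump-config` and the rules from the loaded rule files.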
Updated by Victor Julien almost 5 years ago
- Target version changed from 5.0.2 to 5.0.3
Updated by Victor Julien almost 5 years ago
- Status changed from Assigned to In Review
Updated by Jeff Lucovsky almost 5 years ago
- Status changed from In Review to Closed