Feature #4062: createst: Allow to exclude certain fields

Added by Shivani Bhardwaj over 5 years ago. Updated 6 months ago.

Status:
In Progress
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Outreachy, Python

Description

Certain fields from the filter blocks should be allowed to be skipped.

Expectation

createst.py mytest mypcap --exclude-fields dest_port,src_port

The final generated test.yaml should have filter blocks without these fields.

Example

Before

requires:
  min-version: 5.0.0
  features:
    - HAVE_LIBJANSSON

args:
 - -k none

checks:
- filter:
    count: 1
    match:
      alert:
        action: allowed
        category: access to a potentially vulnerable web application
        gid: 1
        rev: 1
        severity: 2
        signature: no1
        signature_id: 9000000
      app_proto: http
      dest_ip: 10.100.0.8
      dest_port: 44270
      event_type: alert
      http:
        hostname: www.abcdefghij.com
        http_content_type: text/html
        http_method: GET
        http_refer: http://www.abcdefghij.com/abdeltat/login
        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
          Firefox/3.0.6
        length: 1483
        protocol: HTTP/1.1
        status: 401
        url: /publication/pub.home/home.html
      pcap_cnt: 14
      proto: TCP
      src_ip: 162.2.41.200
      src_port: 80

After

requires:
  min-version: 5.0.0
  features:
    - HAVE_LIBJANSSON

args:
 - -k none

checks:
- filter:
    count: 1
    match:
      alert:
        action: allowed
        category: access to a potentially vulnerable web application
        gid: 1
        rev: 1
        severity: 2
        signature: no1
        signature_id: 9000000
      app_proto: http
      dest_ip: 10.100.0.8
      event_type: alert
      http:
        hostname: www.abcdefghij.com
        http_content_type: text/html
        http_method: GET
        http_refer: http://www.abcdefghij.com/abdeltat/login
        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
          Firefox/3.0.6
        length: 1483
        protocol: HTTP/1.1
        status: 401
        url: /publication/pub.home/home.html
      pcap_cnt: 14
      proto: TCP
      src_ip: 162.2.41.200

Some initial work has already been done here, but more is needed before merging: https://github.com/OISF/suricata-verify/pull/2135
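Worked sketch of the exclusion step, added here as an illustration (it is not the createst.py code from suricata-verify, nor from the linked PRs): it takes one parsed EVE event plus the --exclude-fields list and emits the filter/match block without those keys. Dotted names for nested fields (http.http_user_agent) are an assumed extension beyond what the ticket asks for.

```python
# Added example for feature #4062, not the suricata-verify createst.py code.
# Dotted nested names (http.http_user_agent) are an assumed extension.
import copy
import json


def parse_exclude_fields(arg):
    """Split the comma-separated --exclude-fields value into field paths."""
    return [f.strip() for f in arg.split(",") if f.strip()]


def drop_field(event, path):
    """Remove one field, given as 'key' or 'parent.child', from a nested dict.
    Missing keys are ignored so one exclusion list can serve several pcaps."""
    parts = path.split(".")
    node = event
    for key in parts[:-1]:
        node = node.get(key)
        if not isinstance(node, dict):
            return
    node.pop(parts[-1], None)


def build_match(event, exclude_fields):
    """Filter 'match' dict for an event minus the excluded fields (deep-copied)."""
    match = copy.deepcopy(event)
    for path in exclude_fields:
        drop_field(match, path)
    return match


def build_check(event, exclude_fields, count=1):
    """Wrap the match in the filter/count structure test.yaml checks use."""
    return {"filter": {"count": count, "match": build_match(event, exclude_fields)}}


# Constructed EVE alert trimmed from the ticket's example (not a real capture)
SAMPLE_EVENT = {
    "event_type": "alert", "proto": "TCP", "pcap_cnt": 14,
    "src_ip": "162.2.41.200", "src_port": 80,
    "dest_ip": "10.100.0.8", "dest_port": 44270,
    "alert": {"signature_id": 9000000, "severity": 2},
    "http": {"hostname": "www.abcdefghij.com", "status": 401,
             "http_user_agent": "Mozilla/5.0 (X11; U; Linux i686)"},
}

if __name__ == "__main__":
    excluded = parse_exclude_fields("dest_port,src_port,http.http_user_agent")
    print(json.dumps(build_check(SAMPLE_EVENT, excluded), indent=2))
```

The printed dict is what a YAML dumper would turn into the "After" block above.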

#1 Updated by Shivani Bhardwaj over 5 years ago

  • Target version set to QA

#2 Updated by Shreya Gupta over 5 years ago

@shivani, I am not able to assign this ticket to myself. I can't see any option to change the assignee. Can you please help me out?

#3 Updated by Shivani Bhardwaj over 5 years ago

Shreya Gupta wrote in #note-2:

@shivani, I am not able to assign this ticket to myself. I can't see any option to change the assignee. Can you please help me out?

Could you please try again? Please log out and log in.

#4 Updated by Tharushi Jayasekara over 5 years ago

  • Assignee changed from Community Ticket to Tharushi Jayasekara

#5 Updated by Tharushi Jayasekara over 5 years ago

  • Status changed from New to In Review

#6 Updated by Juliana Fajardini Reichow over 2 years ago

  • Status changed from In Review to New
  • Assignee changed from Tharushi Jayasekara to Community Ticket

Hi there, according to our guidelines for stale tickets, I'm unassigning this ticket.

Thanks for all your contributions to our project, and feel free to reach out in case you have time and want to contribute to Suricata again! <3 :) :)

Refer to:
https://forum.suricata.io/t/important-outreachy-contribution-phase-wrap-up-prs-claimed-tickets-and-more
https://docs.suricata.io/en/latest/devguide/codebase/contributing/contribution-process.html#stale-tickets-policy

#7 Updated by Juliana Fajardini Reichow over 2 years ago

If you'd like to claim this ticket, some follow-up work has been done here, but still needs rework: https://github.com/OISF/suricata-verify/pull/997

#8 Updated by Nancy Enos over 1 year ago

  • Assignee changed from Community Ticket to Nancy Enos

I would like to work on this.

#9 Updated by Juliana Fajardini Reichow over 1 year ago

  • Status changed from New to In Review

#10 Updated by Juliana Fajardini Reichow 6 months ago · Edited

  • Status changed from In Review to In Progress
  • Assignee changed from Nancy Enos to Community Ticket

Hi @Nancy Enos as this ticket has been "In Review" but with no new PRs for a while, I'll re-assign it as Community Ticket.
If you do have time to still work on this, just reach out. Thanks for the work you did, so far!

#11 Updated by Juliana Fajardini Reichow 6 months ago · Edited

  • Description updated (diff)

#12 Updated by Nirnay Roy 6 months ago

Is this issue up for grabs? I am an Outreachy applicant.

#13 Updated by Juliana Fajardini Reichow 6 months ago · Edited

Nirnay Roy wrote in #note-12:

Is this issue up for grabs? I am an Outreachy applicant.

Hi, in case you are still interested, you can claim the ticket and work on it, thanks!
