Feature #6131
open
threshold.conf: reconcile current threshold.conf with current state of rules
Added by Juliana Fajardini Reichow 11 months ago.
Updated 11 months ago.
Description
Sometimes, Suricata will issue warnings for sids that used to exist, before.
8/6/2023 -- 08:23:27 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2044749, gid 1: unknown rule
It would be useful if it was possible to automatically true up what sids have been deleted from a threshold file, since suricata-update
is aware of the status of rules.
Currently, to achieve that, one would probably need to have a list of active/enabled sids and run that against their threshold contents.
This feature request arose from the discussion in:
https://forum.suricata.io/t/truing-up-deleted-rules-with-threshold-file/3578/4
[Edit by jish]
The idea here is Suricata-Update could be the owner of threshold.config, and modify as needed to provide a clean threshold.config to Suricata.
So Suricata-Update does already have some thresholding support, its just undocumented as its an artifact of the tool Suricata-Update was before it was Suricata-Update.
An example "threshold.config.in" would look something like: https://raw.githubusercontent.com/OISF/suricata-update/master/suricata/update/configs/threshold.in
In this case, it supports a normal threshold.config input, but also supports re for regular expression expansion based on the current state of the rules. It wouldn't be that hard to strip out lines that have no matching SID in the active ruleset.
I had been planning on removing this at some point, as its untested these days, however I think bringing threshold.config under Suricata-Update control could be beneficial here.
- Subject changed from true up deleted rules with threshold file to true up for deleted rules with threshold file
- Subject changed from true up for deleted rules with threshold file to threshold.conf: reconcile current threshold.conf with current state of rules
- Description updated (diff)
- Assignee changed from Shivani Bhardwaj to Jason Ish
- Target version changed from 1.3.0 to TBD
Also available in: Atom
PDF