
Bug #6175

closed

eve/alert: deprecated fields can have unexpected side effects

Added by Jason Ish 11 months ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 6.0

Description

Back in Suricata 4.x days, app-layer protocols could be configured individually to appear in alert logs, for example "http", "tls", "ssh", "smtp", and "dnp3". With 5.0 these became aliases for the "app-layer" flag, which enables all app-layer logging in alerts, to simplify the config.

However, setting one of these to "no" can now disable app-layer logging completely as part of an alert. For example:

outputs:
  - eve-log:
      types:
        - alert:
            dnp3: no

Will actually disable all app-layer logging.

Suggested fixes:
- 7.0: Just warn if these keys are set. Don't do anything else.
- 6.0: Enable app-layer if one of these is set to true. Do nothing if set to default. Log a warning if present, no matter the value.
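As an added example (not code from the Suricata project), the following Python models how an eve-log "alert" section resolves the deprecated per-protocol keys: once under the behaviour the report describes, and once under each suggested fix. The key list is taken from the report; that app-layer defaults to enabled and that aliases are applied after it are assumptions.

```python
from typing import List, Mapping, Optional, Tuple

# 4.x per-protocol switches that became aliases for "app-layer" in 5.0 (list from the report).
DEPRECATED_APP_LAYER_KEYS = ("http", "tls", "ssh", "smtp", "dnp3")


def as_bool(value) -> Optional[bool]:
    """Accept the scalar spellings YAML and Suricata treat as booleans."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        v = value.strip().lower()
        if v in ("yes", "true", "on", "1"):
            return True
        if v in ("no", "false", "off", "0"):
            return False
    return None


def resolve_app_layer(alert: Mapping, mode: str) -> Tuple[bool, List[str]]:
    """Return (app_layer_enabled, warnings) for one eve-log 'alert' section.

    mode="5.0": the behaviour the report describes. Every deprecated key is a
        plain alias for app-layer, so 'dnp3: no' overrides the app-layer
        setting and silently turns all app-layer logging off (assumed order).
    mode="6.0": the suggested backport fix. Warn for each deprecated key,
        enable app-layer if any of them is true, otherwise leave it alone.
    mode="7.0": the suggested mainline fix. Warn only; values are ignored.
    """
    enabled = as_bool(alert.get("app-layer", True))
    if enabled is None:          # unparseable app-layer value: keep default
        enabled = True
    warnings: List[str] = []
    for key in DEPRECATED_APP_LAYER_KEYS:
        if key not in alert:
            continue
        value = as_bool(alert[key])
        if mode == "5.0":
            if value is not None:
                enabled = value  # the unexpected side effect from the report
            continue
        warnings.append(f"alert.{key} is deprecated, use alert.app-layer")
        if mode == "6.0" and value is True:
            enabled = True
    return enabled, warnings


# Constructed input: the 'alert' mapping from the report's YAML snippet.
REPORTED_ALERT_SECTION = {"dnp3": "no"}
```

Running the reported snippet through all three modes shows the defect directly: only the "5.0" model returns app-layer disabled, the two fixes keep it enabled and report the deprecated key.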


Subtasks 1 (0 open, 1 closed)

Bug #6181: eve/alert: deprecated fields can have unexpected side effects (6.0.x backport). Closed. Jason Ish

#2

Updated by Jason Ish 11 months ago

  • Status changed from New to In Review
#3

Updated by Jason Ish 11 months ago

  • Subtask #6181 added
#4

Updated by Jason Ish 11 months ago

  • Status changed from In Review to Resolved

Merged to master.

#5

Updated by Jason Ish 11 months ago

  • Status changed from Resolved to Closed