Optimization #6850: investigate: overall, some modules may be way more verbose than needed

Added by Juliana Fajardini Reichow about 2 years ago. Updated 4 days ago.

Status: Rejected
Priority: Normal

Description

With stream events, some other fields added from app-layer, we may add way too much data to alert events.

Investigate what truly makes sense, and other modules that also do that.


Related issues (1 open, 1 closed):

  • Related to Suricata - Security #6770: log: arbitrary-length value can be logged (Closed, OISF Dev)
  • Related to Suricata - Task #6851: eve/syslog: stats message too long for many default configurations (New, OISF Dev)

Updated by Juliana Fajardini Reichow about 2 years ago #1

  • Related to Security #6770: log: arbitrary-length value can be logged added

Updated by Jason Ish about 2 years ago #2

  • Related to Task #6851: eve/syslog: stats message too long for many default configurations added

Updated by Victor Julien over 1 year ago #3

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1

Updated by Philippe Antoine 2 months ago #4

  • Status changed from New to Feedback

I am not sure I understand what is meant here..?

Updated by Juliana Fajardini Reichow 2 months ago #5

Philippe Antoine wrote in #note-4:

I am not sure I understand what is meant here..?

It's indeed a vague ticket. Maybe it would be better if left as an umbrella ticket?

The point is that it is possible to make alert events (and possibly others) rather verbose, depending on what's enabled, and that some thought should be given to:
- are there things that could be removed from this output?
- which modules can impact alert's verbosity?

But maybe this should be a broader effort?

Updated by Jason Ish 5 days ago #6

Juliana Fajardini Reichow wrote in #note-5:

Philippe Antoine wrote in #note-4:

I am not sure I understand what is meant here..?

It's indeed a vague ticket. Maybe it would be better if left as an umbrella ticket?

The point is that it is possible to make alert events (and possibly others) rather verbose, depending on what's enabled, and that some thought should be given to:
- are there things that could be removed from this output?
- which modules can impact alert's verbosity?

But maybe this should be a broader effort?

I think this is hard to reason about without specific examples of where things go too large; otherwise, we're kind of making guesses, and then it likely needs to be attacked in a way that makes sense for the specific protocol.

I'd lean towards closing this until some examples can be presented.
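
One way to produce the concrete numbers asked for in this note, as an added example that is not part of the ticket or of Suricata's own code: a small profiler that reads an eve.json file, keeps only alert records, and sums the serialized size of every top-level section so the bulkiest contributors can be named. The sample records below are constructed for the example, not real Suricata output.

```python
import json
import sys
from collections import Counter

# Constructed sample lines (not real Suricata output): two alerts, one flow
# record that must be ignored, and one truncated line that must be skipped.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2024-01-01T00:00:00.000000+0000", "event_type": "alert",
                "alert": {"signature_id": 1, "signature": "CONSTRUCTED TEST"},
                "flow": {"pkts_toserver": 3, "pkts_toclient": 2},
                "payload_printable": "A" * 120}),
    json.dumps({"timestamp": "2024-01-01T00:00:01.000000+0000", "event_type": "alert",
                "alert": {"signature_id": 2, "signature": "CONSTRUCTED TEST"},
                "http": {"hostname": "example.test", "url": "/"},
                "payload_printable": "B" * 80}),
    json.dumps({"event_type": "flow", "flow": {"pkts_toserver": 99}}),
    '{"event_type": "alert", "alert": {"signature_id": 3',
]


def section_sizes(lines, event_type="alert"):
    """Sum the compact-JSON byte size of every top-level key over all
    records whose event_type matches. Returns (record_count, Counter)."""
    sizes = Counter()
    count = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole run
        if not isinstance(rec, dict) or rec.get("event_type") != event_type:
            continue
        count += 1
        for key, value in rec.items():
            sizes[key] += len(json.dumps(value, separators=(",", ":")).encode("utf-8"))
    return count, sizes


def rank_sections(sizes):
    """Return [(key, bytes, percent_of_total)] from largest to smallest."""
    total = sum(sizes.values()) or 1
    return [(k, v, round(100.0 * v / total, 1)) for k, v in sizes.most_common()]


def profile_file(path, event_type="alert"):
    """Profile a real eve.json file; returns the same (count, Counter) pair."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return section_sizes(fh, event_type)


if __name__ == "__main__":
    count, sizes = profile_file(sys.argv[1]) if len(sys.argv) > 1 else section_sizes(SAMPLE_EVE_LINES)
    print(f"{count} alert records; bytes per top-level section:")
    for key, nbytes, pct in rank_sections(sizes):
        print(f"  {key:<20} {nbytes:>10} B  {pct:>5}%")
```

Run it as `python profile.py /var/log/suricata/eve.json` to rank the sections of real alert output; without an argument it profiles the constructed sample.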

Updated by Juliana Fajardini Reichow 5 days ago #7

  • Status changed from Feedback to Rejected

Won't oppose. Maybe we could add this as a specific topic for the next Brainstorming session?
I think I created this ticket after some discussion with Victor, but again, if I can't come up with examples, it's not useful.
Closing, then.

Updated by Juliana Fajardini Reichow 4 days ago #8

  • Private changed from Yes to No