Task #7693
openrunner: not/has-key check accept duplicate keys/arrays
Effort:
Difficulty:
Label: Python
Description
Suricata-verify can check for the existence or absence of JSON keys. However, starting from the second level, it won't accept duplicate keys and will only process the last seen key for a given filter.

The goal of this task is to allow has-key and not-has-key to accept arrays, to fix that and offer more flexibility.
Examples:

It correctly handles:

    - filter:
        count: 1
        match:
          dest_ip: 192.168.1.74
          dest_port: 5432
          event_type: pgsql
          pcap_cnt: 12
          pgsql.response.message: authentication_ok
        not-has-key: pgsql.request.password
or
    - filter:
        count: 1
        match:
          event_type: alert
        not-has-key: flow
        not-has-key: http
        not-has-key: alert.metadata
        not-has-key: alert.rule
But it will only correctly process the second not-has-key when the key is duplicated, as here:

    - filter:
        count: 1
        match:
          dest_ip: 192.168.1.74
          dest_port: 5432
          event_type: pgsql
          pcap_cnt: 12
          pgsql.response.message: authentication_ok
        not-has-key: pgsql.request.password
        not-has-key: pgsql.request
Currently, the above can only be tested/checked using two different filters.
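An added illustration of the array form this task asks for, written here as a small stand-alone re-implementation and not suricata-verify's own code: `has-key`/`not-has-key` accept either one dotted path or a list of them, and the sample eve event, the filter dictionaries and the helper names are all constructed for this example.

```python
import json

# Constructed sample eve.json event (not from the page): pgsql.request exists
# but pgsql.request.password does not, so the two key checks disagree.
SAMPLE_EVENT = json.loads("""
{"event_type": "pgsql", "dest_ip": "192.168.1.74", "dest_port": 5432,
 "pcap_cnt": 12,
 "pgsql": {"response": {"message": "authentication_ok"},
           "request": {"user": "postgres"}}}
""")

# Same match block as the task's third example, once with a single key and
# once with the proposed list form that replaces the duplicated key.
MATCH = {"dest_ip": "192.168.1.74", "dest_port": 5432, "event_type": "pgsql",
         "pcap_cnt": 12, "pgsql.response.message": "authentication_ok"}
FILTER_SINGLE = {"count": 1, "match": MATCH,
                 "not-has-key": "pgsql.request.password"}
FILTER_LIST = {"count": 1, "match": MATCH,
               "not-has-key": ["pgsql.request.password", "pgsql.request"]}


def lookup(event, dotted):
    """Walk a dotted key path; returns (found, value)."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def _as_list(value):
    """Accept a single dotted path or a list of paths (the proposed fix)."""
    return value if isinstance(value, list) else [value]


def filter_matches(event, flt):
    """Evaluate one filter: exact 'match' values plus both key checks."""
    for path, expected in flt.get("match", {}).items():
        found, value = lookup(event, path)
        if not found or value != expected:
            return False
    if any(not lookup(event, k)[0] for k in _as_list(flt.get("has-key", []))):
        return False
    if any(lookup(event, k)[0] for k in _as_list(flt.get("not-has-key", []))):
        return False
    return True


def match_count(events, flt):
    """Number of events the filter matches, to compare against its 'count'."""
    return sum(1 for ev in events if filter_matches(ev, flt))
```

With the list form the second key is no longer dropped: the single-key filter matches the sample event, while the list filter correctly rejects it because `pgsql.request` is present.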
Updated by Juliana Fajardini Reichow about 19 hours ago
- Tracker changed from Feature to Task
Updated by Juliana Fajardini Reichow about 19 hours ago
- Assignee changed from OISF Dev to Community Ticket