
Task #7693: runner: not/has-key check accepts duplicate keys/arrays

Added by Juliana Fajardini Reichow about 1 year ago. Updated 8 days ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Python

Description

Suricata-verify can check for the existence or absence of JSON keys.
However, starting from the second level it won't accept duplicate keys: for a given filter,
only the last occurrence of a duplicated key is processed.

The goal of this task is to let has-key and not-has-key accept arrays, which fixes that and offers more flexibility.

Examples:
It correctly handles:

- filter:
    count: 1
    match:
      dest_ip: 192.168.1.74
      dest_port: 5432
      event_type: pgsql
      pcap_cnt: 12
      pgsql.response.message: authentication_ok
      not-has-key: pgsql.request.password

or

- filter:
    count: 1
    match:
      event_type: alert
      not-has-key: flow
      not-has-key: http
      not-has-key: alert.metadata
      not-has-key: alert.rule

But it will only process the second not-has-key when the key is duplicated, as here:

- filter:
    count: 1
    match:
      dest_ip: 192.168.1.74
      dest_port: 5432
      event_type: pgsql
      pcap_cnt: 12
      pgsql.response.message: authentication_ok
      not-has-key: pgsql.request.password
      not-has-key: pgsql.request

Currently, the above can only be tested/checked using two different filters.
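To illustrate the behaviour this task targets, here is an added example (not suricata-verify's own code) of a match routine that accepts has-key/not-has-key either as a single string or as an array, resolving dotted paths against nested EVE records. The EVE records and match blocks are constructed; LEGACY_MATCH is what a standard YAML mapping loader yields for the duplicate-key filter above, since a mapping keeps only the last value for a repeated key.

```python
def resolve_path(record, dotted):
    """Walk a dotted key path (e.g. 'pgsql.request.password') through
    nested dicts. Returns (found, value)."""
    node = record
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def as_list(value):
    """Accept the legacy scalar form and the proposed array form alike."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def filter_matches(match, record):
    """Apply one suricata-verify style 'match' block to an EVE record.
    has-key / not-has-key entries test presence only; every other key is
    resolved as a dotted path and compared against the expected value."""
    for dotted in as_list(match.get("has-key")):
        if not resolve_path(record, dotted)[0]:
            return False
    for dotted in as_list(match.get("not-has-key")):
        if resolve_path(record, dotted)[0]:
            return False
    for key, expected in match.items():
        if key in ("has-key", "not-has-key"):
            continue
        found, value = resolve_path(record, key)
        if not found or value != expected:
            return False
    return True


# Constructed EVE records (not real Suricata output).
AUTH_OK = {"event_type": "pgsql", "dest_port": 5432,
           "pgsql": {"response": {"message": "authentication_ok"}}}
WITH_REQ = {"event_type": "pgsql", "dest_port": 5432,
            "pgsql": {"request": {"startup_message": {}},
                      "response": {"message": "authentication_ok"}}}

# Legacy form: a YAML mapping with the key repeated keeps only the last one.
LEGACY_MATCH = {"event_type": "pgsql", "pgsql.response.message": "authentication_ok",
                "not-has-key": "pgsql.request"}
# Proposed array form carrying both keys in a single filter.
ARRAY_MATCH = {"event_type": "pgsql", "pgsql.response.message": "authentication_ok",
               "not-has-key": ["pgsql.request.password", "pgsql.request"]}
```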


Related issues: 1 (1 open, 0 closed)

Related to Suricata - Task #8149: suricata-verify: fail on invalid test.yaml (In Review, Philippe Antoine)

Updated by Juliana Fajardini Reichow about 1 year ago #1

  • Tracker changed from Feature to Task

Updated by Juliana Fajardini Reichow about 1 year ago #2

  • Assignee changed from OISF Dev to Community Ticket

Updated by Juliana Fajardini Reichow about 1 year ago #3

  • Assignee changed from Community Ticket to Jéssica Teixeira Nogueira de Jesus

Updated by Jéssica Teixeira Nogueira de Jesus about 1 year ago #4

  • Status changed from New to In Progress

Updated by Juliana Fajardini Reichow 5 months ago #5

  • Status changed from In Progress to New
  • Assignee changed from Jéssica Teixeira Nogueira de Jesus to Community Ticket

Hi there, considering our stale tickets policy, I'm unclaiming this ticket. Feel free to ask to work on this or another again, if you have time in the future :)

Updated by Philippe Antoine 9 days ago #6

  • Related to Task #8149: suricata-verify: fail on invalid test.yaml added

Updated by Philippe Antoine 9 days ago #7

  • Status changed from New to Closed

Done as part of #8149

Updated by Juliana Fajardini Reichow 8 days ago #8

  • Subject changed from runner: not/has-key check accept duplicate keys/arrays to runner: not/has-key check accepts duplicate keys/arrays