Actions
Task #7693
openrunner: not/has-key check accept duplicate keys/arrays
Effort:
Difficulty:
Label:
Python
Description
Suricata-verify can check for the existence or absence of JSON keys.
However, starting from the second level, it won't accept duplicate keys, and will only
process the last seen key for a given filter.
The goal of this task is to allow that has-key and not-has-key accept arrays, to fix that and offer more flexibility.
Examples:
It correctly handles:
- filter:
count: 1
match:
dest_ip: 192.168.1.74
dest_port: 5432
event_type: pgsql
pcap_cnt: 12
pgsql.response.message: authentication_ok
not-has-key: pgsql.request.password
or
- filter:
count: 1
match:
event_type: alert
not-has-key: flow
not-has-key: http
not-has-key: alert.metadata
not-has-key: alert.rule
But will only correctly process the second not-has-key with the duplicate key, here:
- filter:
count: 1
match:
dest_ip: 192.168.1.74
dest_port: 5432
event_type: pgsql
pcap_cnt: 12
pgsql.response.message: authentication_ok
not-has-key: pgsql.request.password
not-has-key: pgsql.request
Currently, the above can only be tested/ checked using two different filters.
Updated by Juliana Fajardini Reichow 24 days ago
- Tracker changed from Feature to Task
Updated by Juliana Fajardini Reichow 24 days ago
- Assignee changed from OISF Dev to Community Ticket
Updated by Juliana Fajardini Reichow 22 days ago
- Assignee changed from Community Ticket to Jéssica Teixeira Nogueira de Jesus
Updated by Jéssica Teixeira Nogueira de Jesus 22 days ago
- Status changed from New to In Progress
Actions