
Task #7693

open

runner: not/has-key check accept duplicate keys/arrays

Added by Juliana Fajardini Reichow 24 days ago. Updated 22 days ago.

Status:
In Progress
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Python

Description

Suricata-verify can check for the existence or absence of JSON keys.
However, starting from the second level it won't accept duplicate keys: only the
last seen key is processed for a given filter.

The goal of this task is to allow has-key and not-has-key to accept arrays, which fixes that and offers more flexibility.

Examples:
It correctly handles:

- filter:
    count: 1
    match:
      dest_ip: 192.168.1.74
      dest_port: 5432
      event_type: pgsql
      pcap_cnt: 12
      pgsql.response.message: authentication_ok
      not-has-key: pgsql.request.password

or

- filter:
    count: 1
    match:
      event_type: alert
      not-has-key: flow
      not-has-key: http
      not-has-key: alert.metadata
      not-has-key: alert.rule

But with a duplicate key, as here, it will only correctly process the second not-has-key:

- filter:
    count: 1
    match:
      dest_ip: 192.168.1.74
      dest_port: 5432
      event_type: pgsql
      pcap_cnt: 12
      pgsql.response.message: authentication_ok
      not-has-key: pgsql.request.password
      not-has-key: pgsql.request

Currently, the above can only be tested/checked using two different filters.
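As an added illustration (not suricata-verify's own code), a minimal Python evaluator for a filter's match block that resolves the dotted key paths shown above and treats has-key/not-has-key as either a single key (current syntax) or the proposed array. The events, the collapsed mapping and the password value are constructed for the example:

```python
import json

_MISSING = object()

def get_path(event, dotted):
    """Resolve a dotted key path such as 'pgsql.request.password'; _MISSING if absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node

def as_list(value):
    """Accept either a single key name (current syntax) or a list (proposed array form)."""
    return list(value) if isinstance(value, list) else [value]

def match_filter(event, match):
    """Evaluate one 'match' mapping from a filter against a single eve.json event."""
    for key, expected in match.items():
        if key == "has-key":
            if not all(get_path(event, k) is not _MISSING for k in as_list(expected)):
                return False
        elif key == "not-has-key":
            if any(get_path(event, k) is not _MISSING for k in as_list(expected)):
                return False
        elif get_path(event, key) != expected:  # plain keys compare by value
            return False
    return True

def count_matches(events, match):
    """Number of events satisfying the filter; this is what 'count' is compared against."""
    return sum(1 for e in events if match_filter(e, match))

# Constructed sample events (not real Suricata output): one clean authentication response,
# one where the request, including its password field, was logged.
EVENTS = [json.loads(line) for line in """
{"event_type": "pgsql", "dest_ip": "192.168.1.74", "dest_port": 5432, "pgsql": {"response": {"message": "authentication_ok"}}}
{"event_type": "pgsql", "dest_ip": "192.168.1.74", "dest_port": 5432, "pgsql": {"request": {"password": "hunter2"}, "response": {"message": "authentication_ok"}}}
""".strip().splitlines()]

# The duplicate-key filter from the description, as it arrives after YAML parsing: a mapping
# cannot hold the same key twice, so only the last 'not-has-key' (pgsql.request) survives.
COLLAPSED = {"event_type": "pgsql", "pgsql.response.message": "authentication_ok",
             "not-has-key": "pgsql.request"}
# The array form this task proposes: every listed key is checked.
ARRAY_FORM = {"event_type": "pgsql", "pgsql.response.message": "authentication_ok",
              "not-has-key": ["pgsql.request.password", "pgsql.request"]}

if __name__ == "__main__":
    print(count_matches(EVENTS, COLLAPSED), count_matches(EVENTS, ARRAY_FORM))  # 1 1
```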

Actions #1

Updated by Juliana Fajardini Reichow 24 days ago

  • Tracker changed from Feature to Task
Actions #2

Updated by Juliana Fajardini Reichow 24 days ago

  • Assignee changed from OISF Dev to Community Ticket
Actions #3

Updated by Juliana Fajardini Reichow 22 days ago

  • Assignee changed from Community Ticket to Jéssica Teixeira Nogueira de Jesus
Actions #4

Updated by Jéssica Teixeira Nogueira de Jesus 22 days ago

  • Status changed from New to In Progress