
Task #7693: runner: not/has-key check accept duplicate keys/arrays

Added by Juliana Fajardini Reichow 12 months ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Python

Description

Suricata-verify can check for the existence or absence of JSON keys.
However, starting from the second level, it won't accept duplicate keys, and will only
process the last seen key for a given filter.

The goal of this task is to let has-key and not-has-key accept arrays, to fix that and offer more flexibility.

Examples:
It correctly handles:

- filter:
    count: 1
    match:
      dest_ip: 192.168.1.74
      dest_port: 5432
      event_type: pgsql
      pcap_cnt: 12
      pgsql.response.message: authentication_ok
      not-has-key: pgsql.request.password

or

  - filter:
      count: 1
      match:
        event_type: alert
        not-has-key: flow
        not-has-key: http
        not-has-key: alert.metadata
        not-has-key: alert.rule

But will only correctly process the second not-has-key with the duplicate key, here:

- filter:
    count: 1
    match:
      dest_ip: 192.168.1.74
      dest_port: 5432
      event_type: pgsql
      pcap_cnt: 12
      pgsql.response.message: authentication_ok
      not-has-key: pgsql.request.password
      not-has-key: pgsql.request

Currently, the above can only be tested/checked using two different filters.
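To make the requested behaviour concrete, here is a small added example (not code from Suricata-verify and not written by the ticket author) of a filter matcher that walks dotted keys through EVE JSON records and lets `has-key` / `not-has-key` take either a single key or a list of keys. The sample records, the `BASE_MATCH` dictionary and all function names (`get_path`, `has_path`, `record_matches`, `count_matches`, `check_filter`, `collapse_duplicate_keys`) are assumptions made for this illustration; `collapse_duplicate_keys` only models the "last seen key wins" effect the ticket describes.

```python
"""Model of a Suricata-verify style filter check (added example, not project code).

A filter's ``match`` section is compared against EVE JSON records. Dotted keys
such as ``pgsql.response.message`` walk nested objects. ``has-key`` and
``not-has-key`` accept either a single dotted key or a list of them, so several
presence checks can live in one filter instead of being split across filters.
"""
from typing import Any, Dict, Iterable, List, Tuple, Union

_MISSING = object()  # sentinel: tells an absent key apart from a key whose value is None

# Constructed sample EVE records (assumption), not captured from a real Suricata run.
SAMPLE_EVE: List[Dict[str, Any]] = [
    # pgsql response with no request object at all
    {"event_type": "pgsql", "dest_ip": "192.168.1.74", "dest_port": 5432,
     "pgsql": {"response": {"message": "authentication_ok"}}},
    # pgsql response where a request object exists but carries no password field
    {"event_type": "pgsql", "dest_ip": "192.168.1.74", "dest_port": 5432,
     "pgsql": {"request": {"startup_message": {"user": "app"}},
               "response": {"message": "authentication_ok"}}},
    # pgsql response where the request carried a password (placeholder value)
    {"event_type": "pgsql", "dest_ip": "192.168.1.74", "dest_port": 5432,
     "pgsql": {"request": {"password": "<placeholder>"},
               "response": {"message": "authentication_ok"}}},
    # unrelated alert event; must never match the pgsql filters
    {"event_type": "alert", "alert": {"signature_id": 1}},
]

# Constructed base match (assumption) mirroring the ticket's pgsql filter
# without its presence checks; tests add has-key / not-has-key on top of it.
BASE_MATCH: Dict[str, Any] = {
    "dest_ip": "192.168.1.74",
    "dest_port": 5432,
    "event_type": "pgsql",
    "pgsql.response.message": "authentication_ok",
}


def get_path(record: Dict[str, Any], dotted: str) -> Any:
    """Walk a dotted key through nested dicts; return _MISSING if any hop is absent."""
    node: Any = record
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def has_path(record: Dict[str, Any], dotted: str) -> bool:
    return get_path(record, dotted) is not _MISSING


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """Accept the existing single-key form as well as the array form."""
    return value if isinstance(value, list) else [value]


def record_matches(record: Dict[str, Any], match: Dict[str, Any]) -> bool:
    """True when every entry of the match section holds for this record."""
    for key, expected in match.items():
        if key == "has-key":
            if not all(has_path(record, k) for k in _as_list(expected)):
                return False
        elif key == "not-has-key":
            if any(has_path(record, k) for k in _as_list(expected)):
                return False
        elif get_path(record, key) != expected:  # _MISSING never equals a value
            return False
    return True


def count_matches(records: Iterable[Dict[str, Any]], match: Dict[str, Any]) -> int:
    return sum(1 for r in records if record_matches(r, match))


def check_filter(records: Iterable[Dict[str, Any]], filt: Dict[str, Any]) -> bool:
    """A filter passes when exactly ``count`` records satisfy its ``match`` section."""
    return count_matches(records, filt["match"]) == filt["count"]


def collapse_duplicate_keys(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """Model of a mapping loader given a duplicated key: the last value wins, so an
    earlier not-has-key is silently dropped (the behaviour the ticket describes)."""
    return dict(pairs)


if __name__ == "__main__":
    single = {**BASE_MATCH, "not-has-key": "pgsql.request.password"}
    both = {**BASE_MATCH, "not-has-key": ["pgsql.request.password", "pgsql.request"]}
    print("single key form matches:", count_matches(SAMPLE_EVE, single))
    print("array form matches:     ", count_matches(SAMPLE_EVE, both))
    print("duplicate keys collapse to:",
          collapse_duplicate_keys([("not-has-key", "pgsql.request"),
                                   ("not-has-key", "pgsql.request.password")]))
```

With the array form, the filter with `count: 1` passes against the constructed records because only the record without any `pgsql.request` object survives both checks; with a single key (or with two duplicate keys collapsed to the last one) two records match and the same filter fails.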

Updated by Juliana Fajardini Reichow 12 months ago #1

  • Tracker changed from Feature to Task

Updated by Juliana Fajardini Reichow 12 months ago #2

  • Assignee changed from OISF Dev to Community Ticket

Updated by Juliana Fajardini Reichow 12 months ago #3

  • Assignee changed from Community Ticket to Jéssica Teixeira Nogueira de Jesus

Updated by Jéssica Teixeira Nogueira de Jesus 12 months ago #4

  • Status changed from New to In Progress

Updated by Juliana Fajardini Reichow 4 months ago #5

  • Status changed from In Progress to New
  • Assignee changed from Jéssica Teixeira Nogueira de Jesus to Community Ticket

Hi there, considering our stale tickets policy, I'm unclaiming this ticket. Feel free to ask to work on this or another again, if you have time in the future :)
