Task #7693: runner: not/has-key check accepts duplicate keys/arrays

Added by Juliana Fajardini Reichow about 1 year ago. Updated 8 days ago.

Status: Closed
Priority: Normal
Label: Python

Description

Suricata-verify can check for the existence or absence of JSON keys.
However, starting from the second level, it won't accept duplicate keys and will only
process the last seen key for a given filter.

The goal of this task is to allow has-key and not-has-key to accept arrays, both to fix that and to offer more flexibility.

Examples:
It correctly handles:

- filter:
    count: 1
    match:
      dest_ip: 192.168.1.74
      dest_port: 5432
      event_type: pgsql
      pcap_cnt: 12
      pgsql.response.message: authentication_ok
      not-has-key: pgsql.request.password

or

- filter:
    count: 1
    match:
      event_type: alert
      not-has-key: flow
      not-has-key: http
      not-has-key: alert.metadata
      not-has-key: alert.rule

But it will only process the second not-has-key when the key is duplicated, as here:

- filter:
    count: 1
    match:
      dest_ip: 192.168.1.74
      dest_port: 5432
      event_type: pgsql
      pcap_cnt: 12
      pgsql.response.message: authentication_ok
      not-has-key: pgsql.request.password
      not-has-key: pgsql.request

Currently, the above can only be tested/checked using two different filters.
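As an added illustration (not suricata-verify's own code), the following shows why the duplicate key is lost and how an array-valued has-key / not-has-key avoids it. The match block is taken as an already-parsed mapping (a YAML loader that keeps the last duplicate behaves like the Python dict literal used here), and the event is a constructed EVE-style pgsql record, not a real capture; lookup, filter_matches and as_list are names chosen for this example.

```python
import json

# Constructed sample event in the shape of a Suricata EVE pgsql record
# (values are illustrative, not captured from a real sensor).
SAMPLE_EVENT = json.loads("""{
  "event_type": "pgsql", "dest_ip": "192.168.1.74", "dest_port": 5432,
  "pcap_cnt": 12,
  "pgsql": {"request": {"startup_message": {"user": "app"}},
            "response": {"message": "authentication_ok"}}
}""")

def lookup(event, dotted):
    """Walk a dotted key path through nested dicts; return (found, value)."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def as_list(value):
    """Accept either a single dotted key or a list of them."""
    return value if isinstance(value, list) else [value]

def filter_matches(match, event):
    """Evaluate a suricata-verify style 'match' mapping against one event.
    has-key requires every listed key; not-has-key rejects any listed key."""
    for key, expected in match.items():
        if key == "has-key":
            if not all(lookup(event, k)[0] for k in as_list(expected)):
                return False
        elif key == "not-has-key":
            if any(lookup(event, k)[0] for k in as_list(expected)):
                return False
        else:
            found, value = lookup(event, key)
            if not found or value != expected:
                return False
    return True

# Duplicate mapping keys collapse to the last one: the pgsql.request check
# silently disappears, so this filter *matches* although pgsql.request exists.
DUPLICATE_MATCH = {"event_type": "pgsql",
                   "not-has-key": "pgsql.request",
                   "not-has-key": "pgsql.request.password"}

# Array form keeps both checks, so the same intent now correctly fails to match.
ARRAY_MATCH = {"event_type": "pgsql",
               "not-has-key": ["pgsql.request.password", "pgsql.request"]}
```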


Related issues (1 open, 0 closed)

Related to Suricata - Task #8149: suricata-verify: fail on invalid test.yaml (In Review, Philippe Antoine)