Feature #4062

Updated by Juliana Fajardini Reichow 12 days ago

Certain fields from the filter blocks should be allowed to be skipped. 

Expectation

<pre><code class="shell">
createst.py mytest mypcap --exclude-fields dest_port,src_port
</code></pre>


The generated test.yaml should then contain filter blocks without these fields.

Example

 *Before* 

 <pre><code class="yaml"> 
 requires: 
   min-version: 5.0.0 
   features: 
     - HAVE_LIBJANSSON 

 args: 
  - -k none 

 checks: 
 - filter: 
     count: 1 
     match: 
       alert: 
         action: allowed 
         category: access to a potentially vulnerable web application 
         gid: 1 
         rev: 1 
         severity: 2 
         signature: no1 
         signature_id: 9000000 
       app_proto: http 
       dest_ip: 10.100.0.8 
       dest_port: 44270 
       event_type: alert 
       http: 
         hostname: www.abcdefghij.com 
         http_content_type: text/html 
         http_method: GET 
         http_refer: http://www.abcdefghij.com/abdeltat/login 
         http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912 
           Firefox/3.0.6 
         length: 1483 
         protocol: HTTP/1.1 
         status: 401 
         url: /publication/pub.home/home.html 
       pcap_cnt: 14 
       proto: TCP 
       src_ip: 162.2.41.200 
       src_port: 80 
 </code></pre> 


 *After* 

 <pre><code class="yaml"> 
 requires: 
   min-version: 5.0.0 
   features: 
     - HAVE_LIBJANSSON 

 args: 
  - -k none 

 checks: 
 - filter: 
     count: 1 
     match: 
       alert: 
         action: allowed 
         category: access to a potentially vulnerable web application 
         gid: 1 
         rev: 1 
         severity: 2 
         signature: no1 
         signature_id: 9000000 
       app_proto: http 
       dest_ip: 10.100.0.8 
       event_type: alert 
       http: 
         hostname: www.abcdefghij.com 
         http_content_type: text/html 
         http_method: GET 
         http_refer: http://www.abcdefghij.com/abdeltat/login 
         http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912 
           Firefox/3.0.6 
         length: 1483 
         protocol: HTTP/1.1 
         status: 401 
         url: /publication/pub.home/home.html 
       pcap_cnt: 14 
       proto: TCP 
       src_ip: 162.2.41.200 
 </code></pre> 

 ----- 

 Some initial work has already been done here, but more is needed before merging: https://github.com/OISF/suricata-verify/pull/2135 
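The following is an added example that is not part of this issue or of suricata-verify's createst.py. It shows one way the requested behaviour could work on an in-memory representation of the generated test: the comma-separated `--exclude-fields` value is parsed, and the named keys are removed from every `checks[].filter.match` block. The function names (`parse_exclude_fields`, `strip_fields`, `exclude_filter_fields`) are assumed, the `BEFORE_TEST` data is a constructed copy of the "Before" filter block above, and support for dotted paths such as `http.http_method` is an assumed extension beyond the top-level keys the issue shows.

```python
"""Drop selected fields from suricata-verify style filter blocks.

Added example, not code from suricata-verify's createst.py. Function names
and the dotted-path extension are assumptions made for this illustration.
"""
import argparse
import copy

# Constructed sample: the "Before" filter block from the issue as Python data.
BEFORE_TEST = {
    "requires": {"min-version": "5.0.0", "features": ["HAVE_LIBJANSSON"]},
    "args": ["-k none"],
    "checks": [
        {
            "filter": {
                "count": 1,
                "match": {
                    "alert": {"action": "allowed", "gid": 1, "rev": 1,
                              "severity": 2, "signature": "no1",
                              "signature_id": 9000000},
                    "app_proto": "http",
                    "dest_ip": "10.100.0.8",
                    "dest_port": 44270,
                    "event_type": "alert",
                    "http": {"hostname": "www.abcdefghij.com",
                             "http_method": "GET",
                             "status": 401,
                             "url": "/publication/pub.home/home.html"},
                    "pcap_cnt": 14,
                    "proto": "TCP",
                    "src_ip": "162.2.41.200",
                    "src_port": 80,
                },
            }
        }
    ],
}


def parse_exclude_fields(value):
    """Split the comma-separated --exclude-fields argument into a list.

    Surrounding whitespace and empty entries are dropped, so a trailing comma
    does not produce an empty field name that could never match anything.
    """
    return [f.strip() for f in value.split(",") if f.strip()]


def strip_fields(match, fields):
    """Return a copy of one filter 'match' mapping without the given fields.

    A field is a top-level key or a dotted path into nested mappings (assumed
    extension). Fields that are absent are ignored; the input is not modified.
    """
    result = copy.deepcopy(match)
    for field in fields:
        parts = field.split(".")
        node = result
        # Walk to the parent of the key to remove; give up if the path is absent
        # or runs into a scalar instead of a mapping.
        for part in parts[:-1]:
            if not isinstance(node, dict) or part not in node:
                node = None
                break
            node = node[part]
        if isinstance(node, dict):
            node.pop(parts[-1], None)
    return result


def exclude_filter_fields(test, fields):
    """Apply strip_fields to every checks[].filter.match block of a test."""
    out = copy.deepcopy(test)
    for check in out.get("checks", []):
        filt = check.get("filter")
        if filt and isinstance(filt.get("match"), dict):
            filt["match"] = strip_fields(filt["match"], fields)
    return out


def main(argv=None):
    parser = argparse.ArgumentParser(description="demo of --exclude-fields")
    parser.add_argument("--exclude-fields", default="",
                        help="comma-separated keys to drop from filter blocks")
    args = parser.parse_args(argv)
    fields = parse_exclude_fields(args.exclude_fields)
    after = exclude_filter_fields(BEFORE_TEST, fields)
    for check in after["checks"]:
        print(sorted(check["filter"]["match"]))
    return after


if __name__ == "__main__":
    main(["--exclude-fields", "dest_port,src_port"])
```

Running the block prints the remaining top-level keys of the match block with `dest_port` and `src_port` gone, matching the "After" YAML above. Working on a deep copy keeps the original generated structure intact, which matters if the same data is also used to write an unfiltered test.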