
Better logging for cron; rule revision matching - v1#350

Closed
jasonish wants to merge 4 commits into OISF:master from jasonish:rev/v1

Conversation

@jasonish
Member

@jasonish jasonish commented Jan 15, 2025

  • matchers: remove debug print
  • engine: choose better Suricata logging levels for rule test
  • fix: bad variable name in metadata matcher
  • matching: allow a rule revision to be matched as well

Tickets:

Notes:

  • SIDs can now be disabled with a rev: 1:223330:3. The GID is required in this case.

The current default is to use SC_LOG_LEVEL=warning which can output
non-fatal warnings which is generally not what you want when running
from cron with "suricata-update -q".

Now, if "-q" is provided, run Suricata with SC_LOG_LEVEL=error which
is useful for cron to only be notified of fatal errors. Generally
end-users are not worried about rule warnings such as:

    ja3.hash should not be used together with nocase, since the rule
    is automatically lowercased anyway which makes nocase redundant.

This also allows the log level to be set with SC_LOG_LEVEL, in which case
Suricata-Update will not change the log level.

Additionally, make Suricata more verbose if Suricata-Update is run
with "-v".

Ticket: https://redmine.openinfosecfoundation.org/issues/7494
A rule ID can now be matched with a revision given the following
format of:

<gid>:<sid>:<rev>

The <gid> has to be specified for a revision match, as a specifier
with 2 components is read as "gid" and "rev".

Ticket: https://redmine.openinfosecfoundation.org/issues/7425
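The specifier format described in the commit message above, as an added example that is not suricata-update's own code: it parses "<sid>", "<gid>:<sid>" and "<gid>:<sid>:<rev>" and matches rules against the result. It assumes a two-component specifier means gid:sid (hence the GID being required for a rev match), that a bare sid defaults to gid 1, and that an omitted rev matches every revision; the sample rules are constructed.

```python
# Added example, not suricata-update's own code: parse rule-id specifiers of
# the forms "<sid>", "<gid>:<sid>" and "<gid>:<sid>:<rev>" and match rules
# against them. Assumptions (not stated on the page): a bare sid gets gid 1,
# and an omitted rev matches every revision of that rule.
from typing import List, NamedTuple, Optional, Tuple


class RuleId(NamedTuple):
    gid: int
    sid: int
    rev: Optional[int]  # None means "any revision"


def parse_rule_id(spec: str) -> RuleId:
    """Parse one specifier such as "1:223330:3"; raise ValueError on bad input."""
    parts = [p.strip() for p in spec.strip().split(":")]
    if not all(p.isdigit() for p in parts):
        raise ValueError("non-numeric or empty component in rule id: %r" % spec)
    nums = [int(p) for p in parts]
    if len(nums) == 1:
        return RuleId(1, nums[0], None)           # "<sid>": assumed gid 1
    if len(nums) == 2:
        return RuleId(nums[0], nums[1], None)     # "<gid>:<sid>"
    if len(nums) == 3:
        return RuleId(nums[0], nums[1], nums[2])  # "<gid>:<sid>:<rev>"
    raise ValueError("expected 1 to 3 components in rule id: %r" % spec)


def rule_id_matches(spec: RuleId, gid: int, sid: int, rev: int) -> bool:
    """True if the rule identified by (gid, sid, rev) is selected by spec."""
    if spec.gid != gid or spec.sid != sid:
        return False
    return spec.rev is None or spec.rev == rev


def disabled_sids(specs: List[str], rules: List[Tuple[int, int, int]]) -> List[int]:
    """Return the sids of the rules selected by any specifier, in rule order."""
    parsed = [parse_rule_id(s) for s in specs]
    return [sid for (gid, sid, rev) in rules
            if any(rule_id_matches(p, gid, sid, rev) for p in parsed)]


# Constructed sample rules as (gid, sid, rev); sid 223330 appears at two revs
# and under two gids only to exercise the rev and gid checks.
SAMPLE_RULES = [(1, 223330, 3), (1, 223331, 3), (1, 223330, 4), (3, 223330, 3)]

if __name__ == "__main__":
    # "1:223330:3" hits only rev 3 of sid 223330 under gid 1; "223331" has no
    # rev so it selects every revision of that sid.
    print(disabled_sids(["1:223330:3", "223331"], SAMPLE_RULES))
```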
@jasonish jasonish self-assigned this Jan 15, 2025
@jasonish jasonish marked this pull request as draft January 16, 2025 04:08
@jasonish
Member Author

Back to draft, still have this with -q:

{"message": "done", "return": "OK"}

@jasonish jasonish marked this pull request as ready for review March 14, 2025 18:51
@jasonish
Member Author

Replaced by #351

@jasonish jasonish closed this Mar 28, 2025
@jasonish jasonish deleted the rev/v1 branch April 8, 2025 22:17