output/reference: Include reference information in alert (if configured) #11668
Conversation
Issue: 4974 Optionally include rule references with the alert. Since there can be multiple reference keywords, they are collected into an array.
Issue: 4974
Issue: 4974
1. Use https instead of http everywhere
2. Organize and annotate references by
- Referenced by ET/Open and ET/Pro
- URL resolves and works as intended (to provide supplemental
information regarding a reference value, e.g., bug id, cve
value)
- URL no longer resolves
- URL resolves but doesn't work as intended (to provide
supplemental information)
- Not referenced by ET/Open nor ET/Pro
- URL resolves and works as intended (to provide supplemental
information regarding a reference value, e.g., bug id, cve
value)
- URL no longer resolves
- URL resolves but doesn't work as intended (to provide
supplemental information)
Issue: 4974 Remove unused parameters in output path for - AlertJsonMetadata - AlertJsonHeader
jlucovsky
requested review from
jufajardini,
victorjulien and
a team
as code owners
jlucovsky
changed the title
There was a problem hiding this comment.
Approved as #11656 (review)
git diff pr/11656 pr/11668 finds no diff, it is just the SV test that got updated, right @jlucovsky ?
|
Information: QA ran without warnings. Pipeline 22278 |
| if (kv->reference_len >= kv->key_len && strncmp(kv->reference, kv->key, kv->key_len) == 0) | ||
| snprintf(kv_store, size_needed, "%s", kv->reference); | ||
| else | ||
| snprintf(kv_store, size_needed, "%s%s", kv->key, kv->reference); | ||
| jb_append_string(jb, kv_store); |
There was a problem hiding this comment.
While trying to confirm whether one of Jason's comments had been addressed, I noticed that we leave the sizes check for when the values are parsed. Is that being done here?
There was a problem hiding this comment.
What's being done here is to account for many cases where the reference information includes the key. Usually, a reference is key,value --> url,www.google.com/some-link. Url is https:// so this reference is expanded to https://www.google.com/some-link
There are references that are incorrectly listed in a rules file such as url,https://www.google.com/some-link. The logic here detects that and avoids adding the url value if it's already present.
Yes, that and a rebase. |
|
Continued in #11758 |
Continuation of #11656
When configured, include the reference value in the alert. The configuration value is in the
alertsection: types.alert.reference. The default value is off/no. Set to yes to include the expanded reference from the rule in the alert record.Link to redmine ticket: 4974
Describe changes:
referencevalue to suricata.yaml.in (default no/off)references: [ "ref-1" [, "ref-2" [, ...]]]Updates:
BUG_ONchecks when using reference key/values.Provide values to any of the below to override the defaults.
SV_BRANCH=OISF/suricata-verify#2022