
output/reference: Include reference information in alert (if configured) #11767

Closed
wants to merge 4 commits into from

Conversation

jlucovsky (Contributor):

Continuation of #11758

When configured, include the reference value in the alert. The configuration value is in the alert section: types.alert.reference. The default value is off/no. Set to yes to include the expanded reference from the rule in the alert record.

Link to redmine ticket: 4974

Describe changes:

  • Add reference value to suricata.yaml.in (default no/off)
  • Set flag in output logger if the config setting is on
  • Format the reference as a sequence, e.g., references: [ "ref-1" [, "ref-2" [, ...]]]

Updates:

  • Removed unneeded parameters in output path
  • Unneeded BUG_ON checks when using reference key/values.
  • Rebase
  • When the reference content contains a scheme (e.g., HTTP://), that is used to override the reference's key value.
  • Another rebase

Provide values to any of the below to override the defaults.

SV_BRANCH=OISF/suricata-verify#2037
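The reference expansion and scheme override listed in the description, as an added C example that is not Suricata's code: `expand_reference`, `has_scheme` and the `ref_config` table are assumptions standing in for Suricata's reference.config handling, and the output buffer is bounds-checked instead of being sized exactly as in the reviewed snippet.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the reference.config mapping (key -> URL prefix).
 * The values are assumptions; only the shape matters for the example. */
typedef struct {
    const char *key;
    const char *prefix;
} RefConfig;

static const RefConfig ref_config[] = {
    { "url", "https://" },
    { "cve", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=" },
};

/* True if s starts with "<alpha>[alnum+-.]*://", i.e. the reference value
 * already carries its own scheme (e.g. "HTTP://"). */
static int has_scheme(const char *s)
{
    if (!isalpha((unsigned char)*s))
        return 0;
    const char *p = s + 1;
    while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.')
        p++;
    return strncmp(p, "://", 3) == 0;
}

/* Expand one rule reference (key, value) into out. If the value carries a
 * scheme, it overrides the key's configured prefix. Returns the number of
 * characters written, or -1 for an unknown key or an output buffer that is
 * too small (the caller's buffer is never overrun). */
int expand_reference(const char *key, const char *value, char *out, size_t outlen)
{
    const char *prefix = NULL;
    for (size_t i = 0; i < sizeof(ref_config) / sizeof(ref_config[0]); i++) {
        if (strcmp(ref_config[i].key, key) == 0) {
            prefix = ref_config[i].prefix;
            break;
        }
    }
    if (prefix == NULL)
        return -1;
    if (has_scheme(value))
        prefix = "";
    const size_t needed = strlen(prefix) + strlen(value) + 1;
    if (needed > outlen)
        return -1;
    return snprintf(out, outlen, "%s%s", prefix, value);
}
```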

jlucovsky and others added 4 commits September 12, 2024 15:45
Issue: 4974

Optionally include rule references with the alert. Since there can be
multiple reference keywords, they are collected into an array.
Issue: 4974

1. Use https instead of http everywhere
2. Organize and annotate references by
    - Referenced by ET/Open and ET/Pro
        - URL resolves and works as intended (to provide supplemental
          information regarding a reference value, e.g., bug id, cve
          value)
        - URL no longer resolves
        - URL resolves but doesn't work as intended (to provide
          supplemental information)
    - Not referenced by ET/Open nor ET/Pro
        - URL resolves and works as intended (to provide supplemental
          information regarding a reference value, e.g., bug id, cve
          value)
        - URL no longer resolves
        - URL resolves but doesn't work as intended (to provide
          supplemental information)
Issue: 4974

Remove unused parameters in output path for
- AlertJsonMetadata
- AlertJsonHeader

codecov bot commented Sep 12, 2024

Codecov Report

Attention: Patch coverage is 93.10345% with 4 lines in your changes missing coverage. Please review.

Project coverage is 82.53%. Comparing base (31bed10) to head (027030b).
Report is 9 commits behind head on master.

@@            Coverage Diff             @@
##           master   #11767      +/-   ##
==========================================
- Coverage   82.62%   82.53%   -0.09%     
==========================================
  Files         919      919              
  Lines      248979   249007      +28     
==========================================
- Hits       205722   205529     -193     
- Misses      43257    43478     +221     
Flag             Coverage   Patch     Δ
fuzzcorpus       60.32%     63.79%    -0.55%  ⬇️
livemode         18.71%     12.06%    -0.01%  ⬇️
pcap             44.13%     56.89%    -0.01%  ⬇️
suricata-verify  61.90%     86.20%    +0.01%  ⬆️
unittests        58.99%     48.27%    +<0.01% ⬆️


@suricata-qa:

Information: QA ran without warnings.

Pipeline 22591

const size_t size_needed = kv->key_len + kv->reference_len + 1;
char kv_store[size_needed];
snprintf(kv_store, size_needed, "%s%s", kv->key, kv->reference);
jb_append_string(jb, kv_store);
Member:

thought: would it make sense to add a jb_append_printf-ish function that would take a format string? It would also perhaps allow dropping the stack buffer, although I'm not sure if that would just move to the jb_... func instead or can be avoided completely.

Contributor Author:

There are 8 places where jb_append_printf (or jb_set_printf) would be useful.

I used git grep -B 5 -e jb_set_string -e jb_append_string|grep snprintf -A 3

@victorjulien victorjulien added this to the 8.0 milestone Sep 13, 2024
@victorjulien (Member):

Merged in #11792, thanks!

@jlucovsky jlucovsky deleted the 4974/21 branch September 30, 2024 14:26