Feature #2409
Push signatures without reloading the entire set. (closed)
Description
Good morning,
We discussed this yesterday at Flocon 2018 with Eric Leblond and Peter Manev.
We would like the Suricata engine to be able to load one or more new signatures without having to reload the entire set of signatures every time via an API call. Reloading is heavy on the network to ship and not efficient. We want to keep the capability to reload the entire set as this can be convenient, but adding signatures as we produce them one at a time would better fit our inter-systems design. Also, some of our signatures are time sensitive and need to be pushed as fast as possible. Pushing a single signature should expedite the loading time (reload time is currently 3 minutes for ~20000 sigs).
As a secondary requirement, it would be a bonus if new versions of a signature could be also managed the same way.
As a secondary requirement, it would be a bonus if deletion of signatures could be managed the same way. We have legal/policy constraints to remove some signatures depending on operations and would again prefer not to have to reload the entire set, as it is very heavy from our perspective.
Let me know if you need more details.
Updated by Andreas Herz almost 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien over 6 years ago
- Effort set to high
- Difficulty set to high
Updated by Victor Julien almost 6 years ago
- Assignee changed from OISF Dev to Anonymous
Due to the complexity of the detection engine, this is not easily possible. Perhaps it would be possible to do this for the simpler rule types, but it seems to be requested mostly for complex rule types. Assigning to 'community' as there are no plans to work on this.
Updated by Victor Julien almost 6 years ago
- Related to Task #2685: SuriCon 2018 brainstorm added
Updated by Kenneth Kolano almost 6 years ago
Note similar functionality would be useful when updating fileMD5 entries
Updated by Victor Julien about 5 years ago
The datasets support allows live updates over unix-socket. So for the file md5 matching and the many other datasets use cases this is now supported. The rules stay static, but the datasets referenced by them are dynamic.
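The pattern described in the two comments above (a static rule that consults a dataset, with the dataset itself updated over the unix socket instead of a rule reload, which also covers the fileMD5 case raised earlier) as an added example that is not part of this ticket or of the Suricata code base. It assumes the `suricatasc` commands `dataset-add` and `dataset-remove` with the argument order `<name> <type> <value>`, that `string` values are sent base64-encoded and `md5` values as hex, and that `suricatasc` is on the PATH of the sensor host; the rule, dataset name and values are constructed for illustration, and command availability depends on the Suricata version.

```shell
#!/bin/sh
# Added example, not Suricata's own code. Builds the unix-socket commands
# that keep a dataset current while the rule referencing it stays static.
# Assumed (version dependent): suricatasc understands
#   dataset-add <name> <type> <value> / dataset-remove <name> <type> <value>
# with "string" values base64-encoded and "md5" values as 32 hex chars.

# Constructed rule: the rule text never changes, only the set it consults.
RULE='alert http any any -> any any (msg:"hostname on blocklist"; http.host; dataset:isset,bad-hosts,type string,load bad-hosts.lst; sid:1000001; rev:1;)'

# dataset_value TYPE VALUE -> VALUE in the wire form the socket expects
dataset_value() {
    case "$1" in
        string)
            printf '%s' "$2" | base64 | tr -d '\n' ;;
        md5)
            # Reject anything that is not exactly 32 hex chars before it
            # reaches the socket; normalise to lower case.
            case "$2" in
                *[!0-9a-fA-F]*) return 1 ;;
            esac
            [ "${#2}" -eq 32 ] || return 1
            printf '%s' "$2" | tr 'A-F' 'a-f' ;;
        *)
            return 1 ;;
    esac
}

# dataset_cmd ACTION NAME TYPE VALUE -> "dataset-add|dataset-remove NAME TYPE WIRE"
# Returns non-zero (and prints nothing) for an unknown action or a bad value.
dataset_cmd() {
    v=$(dataset_value "$3" "$4") || return 1
    case "$1" in
        add|remove) printf 'dataset-%s %s %s %s' "$1" "$2" "$3" "$v" ;;
        *) return 1 ;;
    esac
}

# push_dataset ACTION NAME TYPE VALUE -> send the command to the running
# engine when suricatasc is available; otherwise just show what would be sent.
push_dataset() {
    cmd=$(dataset_cmd "$@") || { echo "refusing bad input: $*" >&2; return 1; }
    if command -v suricatasc >/dev/null 2>&1; then
        suricatasc -c "$cmd"
    else
        echo "would send: $cmd"
    fi
}

# Constructed values: a hostname for the string set, and the md5 of the
# empty string standing in for a file hash.
push_dataset add bad-hosts string www.badhost.com
push_dataset add known-bad md5 d41d8cd98f00b204e9800998ecf8427e
push_dataset remove bad-hosts string www.badhost.com
```

Only the dataset membership changes; the rule with `sid:1000001` is loaded once and never reloaded, which is what the comment means by the rules staying static while the datasets are dynamic. Adding or removing a rule itself, or a new revision of one, still requires a regular rule reload.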
Updated by Victor Julien almost 5 years ago
We've closed this as we don't see this happen w/o massive redesigns of how the detection engine works. We think the datasets work will support a good deal of the possible use cases. For others, we'll have to fall back to regular rule reloads.
Updated by Victor Julien almost 5 years ago
- Related to Task #3288: Suricon 2019 brainstorm added
Updated by Victor Julien almost 4 years ago
- Status changed from Closed to Rejected