Bug #3155
Closed
Odd Debug Logs for flowbit requirements
Description
When using the -v switch the logs related to flowbit handling are a bit weird...
6/9/2019 -- 12:13:05 - <Debug> -- Found 349 required flowbits.
6/9/2019 -- 12:13:05 - <Debug> -- Found 53 rules to enable to for flowbit requirements
6/9/2019 -- 12:13:05 - <Debug> -- Found 350 required flowbits.
6/9/2019 -- 12:13:05 - <Debug> -- Found 0 rules to enable to for flowbit requirements
6/9/2019 -- 12:13:05 - <Debug> -- All required rules enabled.
...unclear why the flowbits related logs output twice, or why the counts for each are misaligned.
Updated by Kenneth Kolano about 5 years ago
I'm guessing that this is due to the first round of flowbits processing enabling a rule, and then the revised set of rules being reprocessed (i.e. a formerly disabled rule had a flowbit, which required additional rules be enabled).
In any case the way this is logged could likely be revised to make what's happening more clear.
Updated by Shivani Bhardwaj about 5 years ago
Kenneth Kolano wrote:
I'm guessing that this is due to the first round of flowbits processing enabling a rule, and then the revised set of rules being reprocessed (i.e. a formerly disabled rule had a flowbit, which required additional rules be enabled).
Yes, you're absolutely right about why this happens.
In any case the way this is logged could likely be revised to make what's happening more clear.
How do you find the logging below? Does it make things clearer or worse? I would like to take a user's perspective into account before making any changes.
7/9/2019 -- 11:47:44 - <Debug> -- Checking flowbits for round 1 of rules
7/9/2019 -- 11:47:44 - <Debug> -- Found 202 required flowbits.
7/9/2019 -- 11:47:44 - <Debug> -- Found 43 rules to enable to for flowbit requirements
7/9/2019 -- 11:47:44 - <Debug> -- Enabling previously disabled rule for flowbits: # [1:2019401] ET POLICY Vulnerable Java Version 1.8.x Detected
7/9/2019 -- 11:47:44 - <Debug> -- Checking flowbits for round 2 of rules
7/9/2019 -- 11:47:44 - <Debug> -- Found 203 required flowbits.
7/9/2019 -- 11:47:45 - <Debug> -- Found 0 rules to enable to for flowbit requirements
7/9/2019 -- 11:47:45 - <Debug> -- All required rules enabled.
7/9/2019 -- 11:47:45 - <Info> -- Enabled 43 rules for flowbit dependencies.
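The round-by-round behaviour discussed above can be reproduced with a small fixed-point loop. This is an added example, not code from the tool or from anyone in this thread. The rules, SIDs and flowbit names are constructed, and the parser is a simplified assumption that handles only the `flowbits:<action>,<name>;` form and treats a leading `#` as a disabled rule.

```python
import re

# Constructed sample rules (not from a real ruleset). A leading "#" marks a disabled rule.
RULES = """\
alert http any any -> any any (msg:"A checks java.seen"; flowbits:isset,java.seen; sid:1000001;)
# alert http any any -> any any (msg:"B sets java.seen, checks http.client"; flowbits:isset,http.client; flowbits:set,java.seen; flowbits:noalert; sid:1000002;)
# alert http any any -> any any (msg:"C sets http.client"; flowbits:set,http.client; flowbits:noalert; sid:1000003;)
# alert http any any -> any any (msg:"D sets unused.bit"; flowbits:set,unused.bit; sid:1000004;)
"""

FLOWBIT = re.compile(r"flowbits:\s*(\w+)\s*,\s*([^;\s]+)\s*;")
SID = re.compile(r"sid:\s*(\d+)\s*;")
CHECKS, SETS = {"isset", "isnotset"}, {"set", "toggle"}

def parse(text):
    """Return one dict per rule line: sid, enabled flag, flowbits checked, flowbits set."""
    rules = []
    for line in text.splitlines():
        bits = FLOWBIT.findall(line)  # "flowbits:noalert;" has no name, so it is skipped
        rules.append({
            "sid": int(SID.search(line).group(1)),
            "enabled": not line.lstrip().startswith("#"),
            "checks": {name for action, name in bits if action in CHECKS},
            "sets": {name for action, name in bits if action in SETS},
        })
    return rules

def resolve(rules):
    """Enable disabled setter rules until a round enables nothing; return per-round stats."""
    rounds = []
    while True:
        # Flowbits that currently enabled rules test for.
        required = set().union(*(r["checks"] for r in rules if r["enabled"]))
        # Disabled rules that set one of those flowbits must be switched on.
        to_enable = [r for r in rules if not r["enabled"] and r["sets"] & required]
        for r in to_enable:
            r["enabled"] = True
        rounds.append((len(required), sorted(r["sid"] for r in to_enable)))
        if not to_enable:
            return rounds

if __name__ == "__main__":
    for n, (required, sids) in enumerate(resolve(parse(RULES)), 1):
        print(f"round {n}: {required} required flowbits, enabled {sids}")
```

Rule B is enabled in round 1 and brings its own `isset` check with it, so the required-flowbit count rises in round 2, the same pattern as the 349 to 350 and 202 to 203 steps in the logs. Rule D stays disabled because no enabled rule checks the flowbit it sets.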
Updated by Shivani Bhardwaj about 5 years ago
- Status changed from New to Assigned
Updated by Kenneth Kolano about 5 years ago
Sorry for the delayed response here, but yes, the revised logging would be clearer.
Updated by Shivani Bhardwaj about 5 years ago
- Related to Optimization #3205: Improve flowbit logging added
Updated by Shivani Bhardwaj about 5 years ago
- Status changed from Assigned to Closed
Kenneth Kolano wrote:
Sorry for the delayed response here, but yes, the revised logging would be clearer.
Thanks, Kenneth. Tracking it here: https://redmine.openinfosecfoundation.org/issues/3205 as a development issue, closing this one.