Feature #3204
Closed
ja3(s): automatically enable when rules require it
Description
With the ET 5.0 ruleset quite a few rules use the ja3_hash keyword. If the JA3 functionality is not enabled in the config, this will lead to ruleset loading errors. If Suricata-Update is in use, its test phase will fail.
We should probably change the logic to enable JA3 on demand. This should be done in a thread-safe way as the ruleset can be (re)loaded when traffic is already being processed.
Updated by Andreas Herz about 5 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Is there any harm in enabling it by default and not just relying on the rules?
Could this happen to other keywords as well?
This would mean we have to always check this for each
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 5.0.0
The reason to not enable it unless we have to is to avoid the performance and memory use overhead.
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to Closed
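
A pre-flight check for the failure described in this issue, as an added example that is not part of the original thread or of Suricata's code: it lists the enabled rules that use a JA3 keyword, so a ruleset that needs JA3 can be spotted before it is loaded with JA3 turned off. The function names, the sample rules, the keyword list beyond `ja3_hash`, and passing the JA3 setting in as a boolean are assumptions of this example.

```python
import re

# Keywords that need JA3/JA3S fingerprinting. The issue names ja3_hash; the
# rest of this list is an assumption of the example (related Suricata keywords).
JA3_KEYWORDS = {"ja3_hash", "ja3_string", "ja3.hash", "ja3.string",
                "ja3s.hash", "ja3s.string"}

# Constructed sample rules (not from any real ruleset).
SAMPLE_RULES = r'''
alert tls any any -> any any (msg:"constructed JA3 rule"; ja3_hash; content:"00000000000000000000000000000000"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"mentions ja3_hash; in text only"; content:"x"; sid:1000002; rev:1;)
# alert tls any any -> any any (msg:"disabled rule"; ja3.hash; content:"00000000000000000000000000000000"; sid:1000003; rev:1;)
alert tls any any -> any any (msg:"constructed JA3S rule"; ja3s.hash; content:"00000000000000000000000000000000"; sid:1000004; rev:1;)
'''

def split_options(body):
    """Split a rule's option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
        cur.append(ch)
    return [o for o in opts if o]

def rules_needing_ja3(rules_text):
    """Return the sids of enabled rules that use a JA3/JA3S keyword."""
    sids = []
    for line in rules_text.splitlines():
        line = line.strip()
        m = re.search(r"\((.*)\)\s*$", line)
        if not line or line.startswith("#") or not m:
            continue  # blank, disabled (commented out), or not a rule
        names, sid = set(), None
        for opt in split_options(m.group(1)):
            name, _, value = opt.partition(":")
            names.add(name.strip())
            if name.strip() == "sid":
                sid = int(value.strip())
        if names & JA3_KEYWORDS:
            sids.append(sid)
    return sids

def preflight(rules_text, ja3_enabled):
    """Return sids that would fail to load; ja3_enabled is the operator's setting."""
    return [] if ja3_enabled else rules_needing_ja3(rules_text)
```

The quote-aware splitter keeps a `msg` that merely mentions `ja3_hash;` from being counted, and commented-out rules are skipped because they are never loaded.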