Feature #4062

open

createst: Allow to exclude certain fields

Added by Shivani Bhardwaj about 4 years ago. Updated about 2 months ago.

Status: In Review
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label: Outreachy, Python

Description

Certain fields from the filter blocks should be allowed to be skipped.

Expectation

createst.py mytest mypcap --exclude-fields dest_port,src_port

The final generated test.yaml should have filter blocks without these fields.

Example

Before

requires:
  min-version: 5.0.0
  features:
    - HAVE_LIBJANSSON

args:
 - -k none

checks:
- filter:
    count: 1
    match:
      alert:
        action: allowed
        category: access to a potentially vulnerable web application
        gid: 1
        rev: 1
        severity: 2
        signature: no1
        signature_id: 9000000
      app_proto: http
      dest_ip: 10.100.0.8
      dest_port: 44270
      event_type: alert
      http:
        hostname: www.abcdefghij.com
        http_content_type: text/html
        http_method: GET
        http_refer: http://www.abcdefghij.com/abdeltat/login
        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
          Firefox/3.0.6
        length: 1483
        protocol: HTTP/1.1
        status: 401
        url: /publication/pub.home/home.html
      pcap_cnt: 14
      proto: TCP
      src_ip: 162.2.41.200
      src_port: 80

After

requires:
  min-version: 5.0.0
  features:
    - HAVE_LIBJANSSON

args:
 - -k none

checks:
- filter:
    count: 1
    match:
      alert:
        action: allowed
        category: access to a potentially vulnerable web application
        gid: 1
        rev: 1
        severity: 2
        signature: no1
        signature_id: 9000000
      app_proto: http
      dest_ip: 10.100.0.8
      event_type: alert
      http:
        hostname: www.abcdefghij.com
        http_content_type: text/html
        http_method: GET
        http_refer: http://www.abcdefghij.com/abdeltat/login
        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
          Firefox/3.0.6
        length: 1483
        protocol: HTTP/1.1
        status: 401
        url: /publication/pub.home/home.html
      pcap_cnt: 14
      proto: TCP
      src_ip: 162.2.41.200
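
One way the requested option could be implemented, as an added example that is not code from the suricata-verify project or from createst.py itself: take the value given to `--exclude-fields` (for example `dest_port,src_port`), split it into key paths, and drop those keys from every filter's `match` block before the checks are written out. The function names, the dotted form `http.status` for nested keys (a generalisation beyond the ticket, which only names top-level fields), and the in-memory sample record built from the ticket's "Before" block are assumptions of this example; how createst.py obtains the records from the pcap is outside its scope.

```python
"""Added example: strip excluded fields from suricata-verify style filter blocks.

Illustrative code only, not the createst.py implementation from the
suricata-verify project.  Function names and the dotted-path syntax for
nested fields are assumptions made here.
"""
import argparse
import copy

# Constructed sample: a record in the shape of a filter's `match` block,
# using a subset of the fields from the ticket's "Before" example.
SAMPLE_MATCH = {
    "alert": {"action": "allowed", "gid": 1, "signature_id": 9000000},
    "app_proto": "http",
    "dest_ip": "10.100.0.8",
    "dest_port": 44270,
    "event_type": "alert",
    "http": {"hostname": "www.abcdefghij.com", "http_method": "GET", "status": 401},
    "pcap_cnt": 14,
    "proto": "TCP",
    "src_ip": "162.2.41.200",
    "src_port": 80,
}


def parse_exclude_fields(value):
    """Turn the CLI value 'dest_port,src_port' into a list of key paths.

    Each path is a tuple of keys; 'http.status' means match['http']['status'].
    The dotted form is an extension assumed here, not part of the ticket.
    Surrounding whitespace and empty items are ignored.
    """
    paths = []
    for item in value.split(","):
        item = item.strip()
        if item:
            paths.append(tuple(item.split(".")))
    return paths


def remove_path(node, path):
    """Delete one key path from a nested dict in place.

    Returns True if a key was removed.  Missing or non-dict intermediate
    keys are tolerated, so excluding a field a record lacks is a no-op.
    """
    *parents, last = path
    for key in parents:
        node = node.get(key)
        if not isinstance(node, dict):
            return False
    if isinstance(node, dict) and last in node:
        del node[last]
        return True
    return False


def exclude_fields(match, paths):
    """Return a copy of a match block with the given key paths removed.

    The input is deep-copied first so the caller's record is not mutated.
    """
    pruned = copy.deepcopy(match)
    for path in paths:
        remove_path(pruned, path)
    return pruned


def build_checks(records, exclude):
    """Build the `checks` list for test.yaml: one `filter` per record."""
    paths = parse_exclude_fields(exclude)
    return [
        {"filter": {"count": 1, "match": exclude_fields(record, paths)}}
        for record in records
    ]


def main(argv=None):
    parser = argparse.ArgumentParser(description="exclude fields from filter blocks")
    parser.add_argument(
        "--exclude-fields", default="",
        help="comma separated field names to drop, e.g. dest_port,src_port",
    )
    args = parser.parse_args(argv)
    checks = build_checks([SAMPLE_MATCH], args.exclude_fields)
    for check in checks:
        print(sorted(check["filter"]["match"]))
    return checks


if __name__ == "__main__":
    main()
```

Running `python example.py --exclude-fields dest_port,src_port` prints the remaining top-level keys of the single sample filter, i.e. the set from the ticket's "After" block. Serialising `build_checks(...)` with a YAML emitter is all that remains to produce the `checks:` section shown above.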

#1

Updated by Shivani Bhardwaj about 4 years ago

  • Target version set to QA

#2

Updated by Shreya Gupta about 4 years ago

@shivani, I am not able to assign this ticket to myself. I can't see any option to change the assignee. Can you please help me out?

#3

Updated by Shivani Bhardwaj about 4 years ago

Shreya Gupta wrote in #note-2:

@shivani, I am not able to assign this ticket to myself. I can't see any option to change the assignee. Can you please help me out?

Could you please try again? Please log out and log in.

#4

Updated by Tharushi Jayasekara about 4 years ago

  • Assignee changed from Community Ticket to Tharushi Jayasekara

#5

Updated by Tharushi Jayasekara about 4 years ago

  • Status changed from New to In Review

#6

Updated by Juliana Fajardini Reichow about 1 year ago

  • Status changed from In Review to New
  • Assignee changed from Tharushi Jayasekara to Community Ticket

Hi there, according to our guidelines for stale tickets, I'm unassigning this ticket.

Thanks for all your contributions to our project, and feel free to reach out in case you have time and want to contribute to Suricata again! <3 :) :)

Refer to:
https://forum.suricata.io/t/important-outreachy-contribution-phase-wrap-up-prs-claimed-tickets-and-more
https://docs.suricata.io/en/latest/devguide/codebase/contributing/contribution-process.html#stale-tickets-policy

#7

Updated by Juliana Fajardini Reichow about 1 year ago

If you'd like to claim this ticket, some follow-up work has been done here, but still needs rework: https://github.com/OISF/suricata-verify/pull/997

#8

Updated by Nancy Enos 2 months ago

  • Assignee changed from Community Ticket to Nancy Enos

I would like to work on this.

#9

Updated by Juliana Fajardini Reichow about 2 months ago

  • Status changed from New to In Review