Feature #4062

open

createst: Allow to exclude certain fields

Added by Shivani Bhardwaj about 4 years ago. Updated about 2 months ago.

Status:
In Review
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:
Outreachy, Python

Description

It should be possible to exclude certain fields from the generated filter blocks.

Expectation

createst.py mytest mypcap --exclude-fields dest_port,src_port

The final generated test.yaml should have filter blocks without these fields.

Example

Before

requires:
  min-version: 5.0.0
  features:
    - HAVE_LIBJANSSON

args:
 - -k none

checks:
- filter:
    count: 1
    match:
      alert:
        action: allowed
        category: access to a potentially vulnerable web application
        gid: 1
        rev: 1
        severity: 2
        signature: no1
        signature_id: 9000000
      app_proto: http
      dest_ip: 10.100.0.8
      dest_port: 44270
      event_type: alert
      http:
        hostname: www.abcdefghij.com
        http_content_type: text/html
        http_method: GET
        http_refer: http://www.abcdefghij.com/abdeltat/login
        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
          Firefox/3.0.6
        length: 1483
        protocol: HTTP/1.1
        status: 401
        url: /publication/pub.home/home.html
      pcap_cnt: 14
      proto: TCP
      src_ip: 162.2.41.200
      src_port: 80

After

requires:
  min-version: 5.0.0
  features:
    - HAVE_LIBJANSSON

args:
 - -k none

checks:
- filter:
    count: 1
    match:
      alert:
        action: allowed
        category: access to a potentially vulnerable web application
        gid: 1
        rev: 1
        severity: 2
        signature: no1
        signature_id: 9000000
      app_proto: http
      dest_ip: 10.100.0.8
      event_type: alert
      http:
        hostname: www.abcdefghij.com
        http_content_type: text/html
        http_method: GET
        http_refer: http://www.abcdefghij.com/abdeltat/login
        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
          Firefox/3.0.6
        length: 1483
        protocol: HTTP/1.1
        status: 401
        url: /publication/pub.home/home.html
      pcap_cnt: 14
      proto: TCP
      src_ip: 162.2.41.200
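A sketch of how the exclusion could be applied to the parsed checks before they are written out as test.yaml. This is an added example, not code from createst.py or from Suricata-verify; the function names and the dotted-path form for nested fields (for example http.url) are assumptions that go beyond the top-level fields shown in the ticket.

```python
"""Drop excluded fields from generated filter blocks (added example, not
the createst.py implementation)."""
from typing import Any, Dict, List


def parse_exclude_fields(arg: str) -> List[str]:
    """Split the comma-separated --exclude-fields value, ignoring blanks."""
    return [f.strip() for f in arg.split(",") if f.strip()]


def remove_field(match: Dict[str, Any], path: str) -> bool:
    """Remove one field from a match block.  A dotted path such as
    "http.url" descends into nested blocks (an assumed extension of the
    top-level names in the ticket).  Returns True if a key was removed."""
    keys = path.split(".")
    node = match
    for key in keys[:-1]:
        node = node.get(key)
        if not isinstance(node, dict):
            return False
    if keys[-1] in node:
        del node[keys[-1]]
        return True
    return False


def exclude_fields(checks: List[Dict[str, Any]], fields: List[str]) -> List[str]:
    """Apply the exclusion to every filter block in place and return the
    names that matched nothing, so a typo in --exclude-fields is visible
    instead of silently leaving the field in test.yaml."""
    unused = set(fields)
    for check in checks:
        match = check.get("filter", {}).get("match")
        if not isinstance(match, dict):
            continue
        for field in fields:
            if remove_field(match, field):
                unused.discard(field)
    return sorted(unused)


# Constructed sample: the 'Before' filter block above, shortened.
SAMPLE_CHECKS = [{"filter": {"count": 1, "match": {
    "event_type": "alert", "app_proto": "http",
    "dest_ip": "10.100.0.8", "dest_port": 44270,
    "src_ip": "162.2.41.200", "src_port": 80,
    "http": {"hostname": "www.abcdefghij.com", "status": 401}}}}]

if __name__ == "__main__":
    left = exclude_fields(SAMPLE_CHECKS, parse_exclude_fields("dest_port,src_port"))
    print(SAMPLE_CHECKS[0]["filter"]["match"], "unused:", left)
```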