Project

General

Profile

Actions

Feature #6131

open

threshold.conf: reconcile current threshold.conf with current state of rules

Added by Juliana Fajardini Reichow over 1 year ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Sometimes, Suricata will issue warnings for sids that used to exist, before.

8/6/2023 -- 08:23:27 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2044749, gid 1: unknown rule

It would be useful if it was possible to automatically true up what sids have been deleted from a threshold file, since suricata-update
is aware of the status of rules.

Currently, to achieve that, one would probably need to have a list of active/enabled sids and run that against their threshold contents.

This feature request arose from the discussion in:
https://forum.suricata.io/t/truing-up-deleted-rules-with-threshold-file/3578/4

[Edit by jish]
The idea here is Suricata-Update could be the owner of threshold.config, and modify as needed to provide a clean threshold.config to Suricata.

Actions #1

Updated by Jason Ish over 1 year ago

So Suricata-Update does already have some thresholding support, its just undocumented as its an artifact of the tool Suricata-Update was before it was Suricata-Update.

An example "threshold.config.in" would look something like: https://raw.githubusercontent.com/OISF/suricata-update/master/suricata/update/configs/threshold.in

In this case, it supports a normal threshold.config input, but also supports re for regular expression expansion based on the current state of the rules. It wouldn't be that hard to strip out lines that have no matching SID in the active ruleset.

I had been planning on removing this at some point, as its untested these days, however I think bringing threshold.config under Suricata-Update control could be beneficial here.

Actions #2

Updated by Juliana Fajardini Reichow over 1 year ago

  • Subject changed from true up deleted rules with threshold file to true up for deleted rules with threshold file
Actions #3

Updated by Jason Ish over 1 year ago

  • Subject changed from true up for deleted rules with threshold file to threshold.conf: reconcile current threshold.conf with current state of rules
Actions #4

Updated by Jason Ish over 1 year ago

  • Description updated (diff)
Actions #5

Updated by Jason Ish over 1 year ago

  • Assignee changed from Shivani Bhardwaj to Jason Ish
  • Target version changed from 1.3.0 to TBD
Actions

Also available in: Atom PDF