Actions
Bug #6175
closedeve/alert: deprecated fields can have unexpected side affects
Description
Back in Suricata 4.x days, app-layer protocols could be configured individually to appear in alert logs, for example "http", "tls", "ssh", "smtp", and "dnp3". With 5.0 these become aliases for "app-layer" flag which is a flag to enable all app-layer logging in alerts to simplify the config.
However, setting one of these to "no" can now disable app-layer logging completely as part of an alert. For example:
outputs: - eve-log: types: - alert: dnp3: no
Will actually disable all app-layer logging.
Suggested fixes:
- 7.0: Just warn if these keys are set. Don't do anything else.
- 6.0: Enable app-layer if one of these is set to true. Do nothing if set to default. Logging a warning if present no matter the value.
Actions