Bug #6175


eve/alert: deprecated fields can have unexpected side effects

Added by Jason Ish over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport to 6.0

Description

Back in the Suricata 4.x days, app-layer protocols could be enabled individually for inclusion in alert logs, for example "http", "tls", "ssh", "smtp" and "dnp3". Since 5.0 these keys are aliases for the "app-layer" flag, a single flag that enables all app-layer logging in alerts, which simplified the config.

However, setting any one of these aliases to "no" now disables app-layer logging in alerts completely. For example:

outputs:
  - eve-log:
      types:
        - alert:
            dnp3: no

This actually disables all app-layer logging in alerts, not only DNP3.

Suggested fixes:
- 7.0: Only warn if any of these keys is set. Do nothing else.
- 6.0: Enable app-layer if one of these keys is set to true. Do nothing if it is left at the default. Log a warning whenever a key is present, whatever its value.
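The resolution behaviour described above and the two suggested fixes, as an added model in Python (not Suricata's own code): the helper names are hypothetical, the alert section is a hand-constructed dict rather than a parsed suricata.yaml, and the default value of app-layer when unset is a parameter because the report does not state it.

```python
# Added example, not Suricata's code: models how the deprecated per-protocol
# alert keys interact with the 'app-layer' flag under three policies.
DEPRECATED_KEYS = ("http", "tls", "ssh", "smtp", "dnp3")  # keys named in the report


def _truthy(value):
    """Interpret YAML-style booleans ('yes'/'no', true/false, 1/0)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("yes", "true", "1")


def resolve_app_layer(alert_cfg, mode, default=True):
    """Return (app_layer_enabled, warnings) for an eve-log 'alert' section.

    mode "alias"  : 5.0+ behaviour from the report: each deprecated key is an
                    alias for 'app-layer', so the last key seen wins and
                    'dnp3: no' silently turns off all app-layer logging.
    mode "6.0-fix": enable app-layer if any deprecated key is true, otherwise
                    leave the flag alone; warn whenever such a key is present.
    mode "7.0-fix": deprecated keys have no effect at all; warn only.
    'default' (assumption) is the value of app-layer when the key is absent.
    """
    enabled = default
    warnings = []
    for key, value in alert_cfg.items():  # dict order models YAML order
        if key == "app-layer":
            enabled = _truthy(value)
        elif key in DEPRECATED_KEYS:
            warnings.append(f"eve-log alert: '{key}' is deprecated, use 'app-layer'")
            if mode == "alias":
                enabled = _truthy(value)
            elif mode == "6.0-fix" and _truthy(value):
                enabled = True
    return enabled, warnings


# Constructed config mirroring the report: only 'dnp3: no' is set.
BUGGY_ALERT_CFG = {"dnp3": "no"}

if __name__ == "__main__":
    for mode in ("alias", "6.0-fix", "7.0-fix"):
        enabled, warns = resolve_app_layer(BUGGY_ALERT_CFG, mode)
        print(f"{mode:8s} app-layer={enabled} warnings={warns}")
```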


Subtasks (1 total, 0 open, 1 closed)

Bug #6181: eve/alert: deprecated fields can have unexpected side effects (6.0.x backport), Closed, Jason Ish