Feature #7559: Allow rule comment at end of rule line using #
Status: open
Description
Currently, comments are not allowed behind rules (see https://redmine.openinfosecfoundation.org/issues/2856). A previous user experienced issues with this, thinking it should be supported but later closed the issue when he found out it was by design.
I am not sure whether there are good reasons to have this by design, but I would like to present a use-case for comments behind rules that might be compelling enough to permit this by design.
Currently, I am working on a linter for Suricata rules and one common feature shared by many linters is that they allow you to suppress issues on a per-line (or per-rule) basis. To do this, I intended to use comments behind rules (similar to how PyRight suppresses issues), an example of which is given below and which is further detailed on https://suricata-check.teuwen.net/ignore.html
alert ip any any -> any any (msg:"Test"; sid:1;) # suricata-check: ignore C.*
The current behavior (Suricata v7) is that the rule fails to be parsed, whereas it is not considered invalid without the comment.
Error: detect-parse: no terminating ";" found
Error: detect: error parsing signature "alert ip any any -> any any (msg:"Test"; sid:1;) # suricata-check: ignore C.*" from file /tmp/6297954521506998625.rules at line 1
Error: suricata: Loading signatures failed.
I do not foresee complications caused by adding this feature, except that care has to be taken when parsing rules that include the comment character # inside the rule (e.g. msg field). I managed to work around this issue for my linter, so I imagine the same would be possible within the Suricata codebase.
Since I'm not familiar with the codebase of Suricata itself, I cannot estimate how much effort it is to implement, but I imagine it is relatively simple and could possibly be implemented by stripping the comment from lines.
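A comment-stripping pass of the kind the request sketches, as an added example that is not Suricata's or suricata-check's own code: `#` starts a comment only when it sits outside a double-quoted option value such as `msg:"..."`, and the `suricata-check: ignore <pattern>` directive is interpreted as a regular expression over the issue code, which is an assumption of this example rather than documented linter behaviour.

```python
import re

# Added example (not Suricata or suricata-check code): split a rule line into
# the rule proper and an optional trailing "# ..." comment.


def split_rule_and_comment(line: str):
    """Return (rule_text, comment_text) where comment_text is None if absent.

    A '#' begins the comment only outside a double-quoted string, so a '#'
    inside msg:"..." (or any quoted option value) is kept. A backslash-escaped
    quote inside a string does not terminate the string.
    """
    in_string = False
    escaped = False
    for i, ch in enumerate(line):
        if in_string:
            if escaped:
                escaped = False          # the previous char was a backslash
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#":
            return line[:i].strip(), line[i + 1:].strip()
    return line.strip(), None


# Assumed directive syntax, modelled on the "suricata-check: ignore C.*" line
# in the request; the real linter's grammar may differ.
IGNORE_DIRECTIVE = re.compile(r"^suricata-check:\s*ignore\s+(\S+)$")


def ignore_pattern(comment):
    """Extract the ignore pattern from a directive comment, or None."""
    if comment is None:
        return None
    match = IGNORE_DIRECTIVE.match(comment)
    return match.group(1) if match else None


def is_suppressed(code: str, comment) -> bool:
    """True if the comment's pattern matches the whole issue code (regex, assumed)."""
    pattern = ignore_pattern(comment)
    return pattern is not None and re.fullmatch(pattern, code) is not None
```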