detect/entropy: Unique flowvar names #13621
Issue: 7814

Support unique flow variable names for entropy-related values. Since this is a breaking change from Suricata 8, unique names are configurable (default value on) with this setting:

```yaml
logging:
  entropy:
    make-unique: on
```

When `make-unique` is on, entropy-related flow variable names are structured as:

    <sticky_buffer>_<sid>_<occurrence>

Occurrence is a small integer value corresponding to the number of entropy values in the rule. The first entropy usage will create a flow variable with an occurrence value of 1; the second will use 2, and so on. This is necessary to disambiguate the flow variable names.

When `make-unique` is off (default = on), this format is used:

    <sticky_buffer>
Discuss the new configuration variable that provides unique names for entropy values in logging output: logging.entropy.make-unique Issue: 7418
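The naming scheme described above, as an added example that is not part of the PR or of Suricata's code: it builds and decodes `<sticky_buffer>_<sid>_<occurrence>` names the way a log consumer would, and simulates the flowvar collision that `make-unique: off` causes when several entropy keywords write to one buffer name. The rule set and sids are constructed for illustration.

```python
import re

# Added example, not Suricata's own code: models the flowvar naming scheme this
# PR introduces (<sticky_buffer>_<sid>_<occurrence>) so a log consumer can build
# and decode the names, and shows the collision that make-unique: off produces.

# Constructed sample: rule 1001 computes entropy on file_data once; rule 1002
# has two entropy keywords on file_data (e.g. two different thresholds).
SAMPLE_RULES = [(1001, ["file_data"]), (1002, ["file_data", "file_data"])]


def flowvar_name(sticky_buffer, sid, occurrence, make_unique=True):
    """Name of the flowvar that stores an entropy value for one keyword usage."""
    if not make_unique:
        return sticky_buffer            # bare buffer name, shared by every rule
    return f"{sticky_buffer}_{sid}_{occurrence}"


# Split from the right: sticky buffer names contain underscores themselves
# (file_data), so only the trailing two numeric fields are sid and occurrence.
_UNIQUE_NAME = re.compile(r"^(?P<buffer>.+)_(?P<sid>\d+)_(?P<occurrence>\d+)$")


def parse_flowvar_name(name):
    """Decode a logged flowvar name; sid/occurrence are None for the bare form."""
    m = _UNIQUE_NAME.match(name)
    if m is None:
        return {"buffer": name, "sid": None, "occurrence": None}
    return {"buffer": m["buffer"], "sid": int(m["sid"]),
            "occurrence": int(m["occurrence"])}


def assign_entropy_flowvars(rules, make_unique):
    """Simulate the per-flow flowvar writes made by a list of (sid, buffers).

    Flowvars share one namespace per flow, so with make_unique=False a later
    write to the same buffer name silently replaces the earlier value.
    Returns {flowvar_name: (sid, occurrence)} of whichever write survived.
    """
    flowvars = {}
    for sid, buffers in rules:
        # occurrence counts entropy keywords within the rule, starting at 1
        for occurrence, buf in enumerate(buffers, start=1):
            flowvars[flowvar_name(buf, sid, occurrence, make_unique)] = (sid, occurrence)
    return flowvars


if __name__ == "__main__":
    for unique in (False, True):
        print(f"make-unique: {'on' if unique else 'off'}",
              assign_entropy_flowvars(SAMPLE_RULES, unique))
```

With `make-unique` off the three entropy values collapse into a single `file_data` flowvar holding only the last write; with it on, all three survive under distinct names.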
Codecov Report (coverage diff of #13621 against master):

| | master | #13621 | +/- |
|---|---|---|---|
| Coverage | 83.69% | 83.70% | +0.01% |
| Files | 1011 | 1011 | |
| Lines | 275071 | 275089 | +18 |
| Hits | 230210 | 230256 | +46 |
| Misses | 44861 | 44833 | -28 |
Information: QA ran without warnings. Pipeline = 27036
Added notes related to the docs side, but think that Philippe or maybe Shivani would be better equipped to judge if this better addresses their concerns...
below will amend the sticky buffer name with the signature id of the rule that caused
the entropy value calculation. Additionally, if multiple ``entropy`` keywords are used
within a rule, the occurrence number is included in the log output.
The default value is ``on``. We strongly recommend changing using the default value of ``on``.
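Review bot: the sentence "if multiple ``entropy`` keywords are used within a rule, the occurrence number is included in the log output" reads as though the occurrence suffix appears only for rules with more than one ``entropy`` keyword, whereas the PR description says every flow variable name is ``<sticky_buffer>_<sid>_<occurrence>`` when ``make-unique`` is on, with the first usage getting ``1``. Stating the full format here, with one example name, would keep the docs consistent with the description; the last line's "changing using the default value" also needs to say plainly whether users should keep ``on`` or not.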
I'm a bit confused. Strongly recommend turning it off? Disabling, maybe?
Will clarify.
# Ensure that logged entropy values have unique names by appending the signature_id
# of the rule where used, e.g., file_data_12345. When off: file_data
# The default value is on
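Review bot: the example ``file_data_12345`` in this comment omits the occurrence suffix that the PR description says is always appended when ``make-unique`` is on (``<sticky_buffer>_<sid>_<occurrence>``), so it should read ``file_data_12345_1``, and the comment should mention that the suffix exists because flowvars share one namespace per flow, which is the reason the default of ``on`` is recommended.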
Should we also add the note here that we strongly advise the default value to be changed?
Will clarify.
When a rule causes an entropy value to be calculated for a flow, output for the flow will include
the calculated entropy value. The log output contains the sticky buffer name for which the
I wonder : have you considered adding a entropy
event to eve.json ? (or even entropies)
That should better work for a flow with multiple transactions where you would like to know the entropy for a sticky buffer in each transaction (thinking like DNS or HTTP CnC)
Also, side question : if multiple rules need the entropy for the same sticky buffer, is it computed once and cached ? Or is it computed for each rule wanting it ?
Also, side question : if multiple rules need the entropy for the same sticky buffer, is it computed once and cached ? Or is it computed for each rule wanting it ?
The entropy values are not cached.
Is this intended for 8.0.1?
Yes.
Continued in #13722
Continuation of #13591
Use unique variable names for each flowvar as they come from a global
namespace. The chosen name is:
<sticky_buffer>_<sid>_<occurrence>
Describe changes:
Updates:
logging.entropy.make-unique
Issue: 7814
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7814
SV_REPO=
SV_BRANCH=OISF/suricata-verify#2588
SU_REPO=
SU_BRANCH=