Skip to content

ike: log attributes as objects - v1 #13907

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 5 commits into from
Closed

ike: log attributes as objects - v1 #13907

wants to merge 5 commits into from
+247 −122

Conversation

jasonish
Copy link
Member

Ticket: https://redmine.openinfosecfoundation.org/issues/7902

SV_BRANCH=OISF/suricata-verify#2665

Also:

  • Don't log empty "ike" server objects

@jasonish
ike/detect: info log message should be debug
d03633d
@jasonish
ike: log attributes as objects
a3f862d 
IKE attributes are an array of TLV style objects, this means there can
be duplicate types seen on the wire. However, Suricata logs these as a
mapping with the type as the key. This can result in the JSON
containing duplicate keys.

To address this, log the attributes as an array of objects, allow
duplicates to exist, for example:

  "client": {
    "proposals": [
      {
        "sa_life_duration": "Unknown",
        "sa_life_duration_raw": 86400,
      }
    }
  }

is now logged as:

  "client": {
    "proposals": [
      {"key": "sa_life_duration", "value": "Unknown", "raw": 86400}
    ]
  }

Ticket: OISF#7902
@jasonish
doc: upgrade notes for changes to ike output
76929e9
@jasonish
scripts/evedoc.py: handle union types in schema
c11b007 
Update EVE documentation script to handle union types like:

    "type": ["string", "number"]
@jasonish
ike: don't log empty server objects
a12361e
@jasonish jasonish requested review from jufajardini and a team as code owners September 25, 2025 21:19
@jasonish
Copy link
Member Author

This is the proposed solution for Suricata 9, but its a breaking change so we don't want to backport it as-is.

For 8 and 7 (as currently invalid JSON can be produced), I'm recommending we default to something like:

       "encrypted_payloads": false,
       "client": {
         "proposals": [
           {
             "alg_enc": "EncAesCbc",
             "alg_enc_raw": 7,
             "sa_key_length": "Unknown",
             "sa_key_length_raw": 128,
             "alg_hash": "HashSha",
             "alg_hash_raw": 2,
             "sa_life_duration": "Unknown",
             "sa_life_duration_raw": 86400,
             "alg_dh": "GroupAlternate1024BitModpGroup",
             "alg_dh_raw": 2,
             "alg_auth": "AuthPreSharedKey",
             "alg_auth_raw": 1,
             "sa_life_type": "LifeTypeSeconds",
             "sa_life_type_raw": 1,
             "sa_life_duration_1": "Unknown",
             "sa_life_duration_1_raw": 65535
           }
         ]

With an opt-in to the new format:

types:
  - ike:
      # Logging attributes as an array of objects (Suricata 9.0 style)
      #object-attributes: true

I do feel its too early to declare an ike v2 logging style.

@suricata-qa
Copy link

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.uptime 652 629 96.47%

Pipeline = 27713

@victorjulien
Copy link
Member

I do feel its too early to declare an ike v2 logging style.

I think we need to define some criteria for this. To me, a breaking change like this seems good reason to bump a version.

@jasonish
Copy link
Member Author

jasonish commented Sep 26, 2025
edited
Loading

I do feel its too early to declare an ike v2 logging style.

I think we need to define some criteria for this. To me, a breaking change like this seems good reason to bump a version.

We could bump it in 9 with the assumption v2 might change before 9 is final - without a complete holistic look at the ike logging, I think its a little early to declare v2 as final. And the priority here should be to fix the creation of invalid JSON, not necessarily define a new version of IKE logging we can lock down.

Scenario I want to avoid:

  • Add v2 logging now. Backport a v2 toggle to 7 and 8.
  • Identify enhancements or other changes in 9 that might be breaking
  • Now we need to bump to v3 before Suricata 9 is released.

@jasonish jasonish mentioned this pull request Sep 29, 2025
Open
@jasonish
Copy link
Member Author

Replaced by #13927

@jasonish jasonish closed this Sep 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jasonish @suricata-qa @victorjulien