From: Jason Ish
Date: Mon, 26 Jun 2023 16:57:00 +0000 (-0600)
Subject: eve/alert: warn on obsolete flags
X-Git-Tag: suricata-6.0.14~86
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F9087%2Fhead;p=thirdparty%2Fsuricata.git
eve/alert: warn on obsolete flags
Log a warning on obsolete flags. If the flag is to enable, do the enable. But do not honor disable flags, as these could override the new settings and cause hard to debug issues.
Ticket: #6175
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 76b296de80..9202d308e7 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -35,6 +35,7 @@
 #include "threadvars.h"
 #include "util-debug.h"
+#include "util-error.h"
 #include "util-logopenfile.h"
 #include "util-misc.h"
 #include "util-unittest.h"
@@ -871,6 +872,38 @@ static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint1
 }
 }
+/**
+ * \brief Set, but don't unset and warn about deprecated flags.
+ */
+static void SetDeprecatedFlag(
+ const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
+{
+ DEBUG_VALIDATE_BUG_ON(conf == NULL);
+ const char *setting = ConfNodeLookupChildValue(conf, name);
+ if (setting != NULL) {
+ if (ConfValIsTrue(setting)) {
+ if (flag == LOG_JSON_APP_LAYER) {
+ SCLogWarning(SC_WARN_DEPRECATED,
+ "Found deprecated eve-log.alert app-layer flag \"%s\", enabling "
+ "metadata.app-layer",
+ name);
+ } else if (flag == LOG_JSON_FLOW) {
+ SCLogWarning(SC_WARN_DEPRECATED,
+ "Found deprecated eve-log.alert \"flow\" flag, enabling metadata.flow");
+ } else {
+ SCLogWarning(SC_WARN_DEPRECATED,
+ "Found deprecated eve-log.alert flag \"%s\", please update your "
+ "configuration",
+ name);
+ }
+ *out_flags |= flag;
+ } else {
+ SCLogWarning(SC_WARN_DEPRECATED,
+ "Ignoring deprecated eve-log.alert flag \"%s\", this flag has no effect", name);
+ }
+ }
+}
+
 #define DEFAULT_LOG_FILENAME "alert.json"
 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
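Review bot: The final `else` branch of SetDeprecatedFlag treats every value that ConfValIsTrue rejects as a disable request and only reports that the flag "has no effect", without naming the key that does control the output. An operator who kept a deprecated key set to a false value to hold application-layer or flow data out of alert records gets no pointer to the setting that now governs that. Consider extending the message, for example `"Ignoring deprecated eve-log.alert flag \"%s\", this flag has no effect; use metadata.app-layer or metadata.flow instead"`. The `\brief` comment could also state that a false value is ignored and that `*out_flags` is only ever OR-ed, never cleared.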
@@ -909,17 +942,17 @@ static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
 /* Check for obsolete configuration flags to enable specific
 * protocols. These are now just aliases for enabling
 * app-layer logging. */
- SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
 /* And check for obsolete configuration flags for enabling
 * app-layer and flow as these have been moved under the
 * metadata key. */
- SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
+ SetDeprecatedFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "flow", LOG_JSON_FLOW, &flags);
 const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
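Review bot: A deprecated key left at a true value still ORs its bit into `flags` at each of these seven call sites, so it appears able to turn app-layer or flow logging back on after the operator disabled it under the `metadata` key. The commit message cites exactly that kind of override as the reason for ignoring the disable form, so the enable form deserves the same scrutiny. The parsing of the metadata block lies outside this hunk, so the ordering is inferred from the description rather than seen. If the new keys are meant to win, the helper could skip the OR when the matching metadata key is set explicitly; otherwise the comment above the first group should record the precedence, e.g. `/* Deprecated keys can only enable; a true value here wins over a disabled metadata key. */`.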