Ftp max tx comment in suricata.yaml and rule for ftp.too_many_transactions event #15213
alinse-pltzr wants to merge 2 commits into
jufajardini
left a comment
Thanks for your contribution :)
Could you please edit your PR description to add an SV branch in the format as seen here: #15209 (otherwise, the CI checks won't pick it up).
Also, please have a look at our guidelines for commit messages, and adjust them accordingly :)
https://docs.suricata.io/en/latest/devguide/contributing/code-submission-process.html#commits
These changes are fine; however, the FTP parser isn't generating the "too many transactions" event. I'll create a ticket for that: https://redmine.openinfosecfoundation.org/issues/8489
8b362b3 to
48fce40
catenacyber
left a comment
So, this is fine, but it is missing the ftp-parser generating the event so that the rule can trigger
Do you mind if I cherry-pick your commits into a PR that also raises the event?
No, I'm ok with that :) thanks for adding the event
Superseded by #15292
Background:
1024 is configured (see: https://github.com/OISF/suricata/blob/main/src/app-layer-ftp.c#L53 )
ftp.too_many_transactions event is currently missing
suricata.yaml indicating the config option exists whereas for other protocols with a configurable max-tx there is a comment in suricata.yaml
Describe changes:
SV_BRANCH: OISF/suricata-verify#3037