
Conversation

@Aboussejra

@Aboussejra Aboussejra commented Jan 23, 2026

…oad dump by classtype if needed

Changes (if applicable):

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8245

Describe changes:

Add a new configuration option to filter payload extraction in EVE JSON alerts based on the rule's classtype.

Currently, when payload: yes is enabled in the alert output, payloads are extracted for all alerts. In some environments we want payloads to be extracted only for specific rules (and we use classtypes for that).

I envision adding an optional payload-only-classtypes configuration parameter under the alert output type that accepts a list of classtype names.

When configured:

  • Payloads are only extracted for alerts whose classtype matches one in the list
  • If the list is empty or not configured, the default behavior is preserved (payloads extracted for all alerts when payload: yes)

Suricata-verify MR: OISF/suricata-verify#2885

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=
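The decision rule described in the PR body (payload emitted only when the rule's classtype is in the configured list; an absent or empty list keeps the old "payload for every alert" behaviour), modelled in Python as an added example. This is not Suricata's code and not the PR's implementation: the `payload-only-classtypes` option is the one proposed above, the eve.json records are constructed, and the `alert.classtype` field in those records is an assumption used to carry the classtype name. The audit function is the check a practitioner would run over real eve.json output to confirm the filter behaves as configured.

```python
"""Model of the proposed `payload-only-classtypes` alert-output filter.

Illustrative configuration the model corresponds to (proposed option, not a
documented Suricata setting at the time of the PR):

    outputs:
      - eve-log:
          types:
            - alert:
                payload: yes
                payload-only-classtypes:
                  - trojan-activity
                  - exploit-kit
"""
import json


def payload_allowed(classtype, payload_enabled, only_classtypes=None):
    """Return True if an alert with this classtype should carry a payload.

    payload_enabled  : the existing `payload: yes/no` setting.
    only_classtypes  : hypothetical `payload-only-classtypes` list;
                       None or [] means "not configured" -> old behaviour.
    """
    if not payload_enabled:
        return False
    if not only_classtypes:
        return True  # no filter configured: payload for every alert
    return classtype in set(only_classtypes)


def audit_eve(lines, payload_enabled, only_classtypes=None):
    """Scan eve.json lines and report alerts whose payload presence
    disagrees with the policy.

    Returns a list of (classtype, signature_id) tuples; an empty list
    means the output matches the configuration.
    """
    mismatches = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, dns, ... records never carry an alert payload
        alert = rec["alert"]
        classtype = alert.get("classtype")  # assumed field name
        expected = payload_allowed(classtype, payload_enabled, only_classtypes)
        if ("payload" in rec) != expected:
            mismatches.append((classtype, alert["signature_id"]))
    return mismatches


# Constructed eve.json lines (not real captures); payload is base64 as in EVE.
SAMPLE_EVE = [
    '{"event_type":"alert","alert":{"signature_id":2000001,'
    '"classtype":"trojan-activity"},"payload":"R0VUIC8="}',
    '{"event_type":"alert","alert":{"signature_id":2000002,'
    '"classtype":"not-suspicious"},"payload":"R0VUIC8="}',
    '{"event_type":"alert","alert":{"signature_id":2000003,'
    '"classtype":"policy-violation"}}',
    '{"event_type":"flow","flow":{"pkts_toserver":3}}',
]

# The list from the illustrative configuration above.
FILTER = ["trojan-activity", "exploit-kit"]


if __name__ == "__main__":
    # With the filter: sid 2000002 carries a payload although its classtype
    # is not listed, so it is reported.
    print("filtered :", audit_eve(SAMPLE_EVE, True, FILTER))
    # Without the filter (old behaviour): every alert must carry a payload,
    # so sid 2000003 is reported instead.
    print("unfiltered:", audit_eve(SAMPLE_EVE, True))
```

Running the block prints the mismatches under both policies; on a live box the same `audit_eve` can be fed `open("/var/log/suricata/eve.json")` together with the classtype list from suricata.yaml to confirm that only the intended classtypes end up with payload data on disk.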

@Aboussejra Aboussejra requested review from a team and victorjulien as code owners January 23, 2026 09:34
@Aboussejra Aboussejra force-pushed the payload-classtype-filter-feature-8245-v1 branch from 6601c45 to 7981bf4 Compare January 23, 2026 09:40
Contributor

@catenacyber catenacyber left a comment


Thanks for the work.

I think this feature needs

  • a ticket
  • some SV test
  • some documentation addition

@Aboussejra
Author

Thanks for the work.

I think this feature needs

* a ticket

* some SV test

* some documentation addition

Sure! I am working on it! The ticket is here: https://redmine.openinfosecfoundation.org/issues/8245

I am currently looking at SV to add a test and will link it as soon as I have done it.

Understood for the documentation part, I will look into it!

@Aboussejra
Author

Suricata-verify MR is at OISF/suricata-verify#2885

@Aboussejra Aboussejra force-pushed the payload-classtype-filter-feature-8245-v1 branch from 7981bf4 to 8e345a2 Compare January 23, 2026 14:28
@catenacyber
Contributor

@Aboussejra
Author

Indeed, opened here:
#14682
