Contributing to Suricata-verify

Hello! I’m Tharushi, former Outreachy intern. I would like to continue contributing to SV and I was going through the tickets I was assigned to see if there’s any work left to be done.

I came across a SV feature request: To print a summary of failed tests at last.

In order to check whether it was already implemented, I got a pull from master and ran the SV tests from my Suricata source directory using ../path/to/suricata-verify/ .

It’s running for about half an hour now and it doesn’t seem to stop. Is this normal? IIRC, it didn’t take so long. I’m wondering whether my SV tests are running in an endless loop. I’m seeing the same tests being run again, and most of the time it appears as if the terminal is stuck after this geoip test.

Please let me know if I’m doing anything incorrectly here.

1 Like

Hey Tharushi!

Good to see you here :slight_smile:
I tried running s-v here and while I did notice more usage of memory and CPU, it went quite fast. Looking at the output you’ve shared, I see “requires at least version 7”. Is it possible that you checked out an older master branch? Afaik, the developer branch is at 7, currently…

Regarding the need for this feature, it is better to wait for mr @ish or maybe @sbhardwaj to answer, I do know we have a --quiet command line option, now, that will only print a summary…

But not sure if the issue you’re talking about has more than this to be done…

Glad to see you back!

Hi Tharushi!

Yes, as Juliana said, please check you are running master on both. Note that I just pushed a fix to suricata-verify to fix its default verbosity level which was made quieter by the side affect of a recent commit.

Unfortunately though, I’m not sure how useful that feature ticket is with our new quiet mode. It essentially gives you the same result as whats suggested in that ticket with less complexity. I’ll give it another thought, but will likely close that ticket out. Sorry about that.

Thank you Juliana and Jason for the prompt replies!

I’m running master on both and the git log I get locally is the same as what I see on the repo. Should I perhaps install suricata again?

It’s great to see the new quiet mode. I believe there’s no other work to be done in that with regard to the feature then. However, I would like to keep contributing to suricata! I’m wondering what else I could get started with. I checked on Redmine, but couldn’t find any open tickets on suricata-verify. Is there any other way I could contribute? Would you have any new features in mind @ish? :smiley:


Hey! :slight_smile:

If possible, yes, I would go with updating repos, configuring, everything again, and giving it another try!

1 Like

@Tharushi_Jayasekara you could also look at suricata-update (Our Python tool for rule management). Perhaps there is something here that might interest you? There are many open tickets: Issues - Open Information Security Foundation (They get auto assigned to me so please feel free to ask to work on any. I’m currently not working on anything in this list.)


Thank you @jufajardini, I will give it another try.

@sbhardwaj I found the open tickets to be very interesting! Thanks for directing me there.
Based on priority and difficulty, would you have any recommendations out of the issues I’ve listed out below (or the entire list)? I would like to get started with a relatively less complicated one because I’ve lost touch for now. I would appreciate your help in picking a ticket! :smiley:

  1. Feature #3289: option to verify 'better' standard/schema - Suricata-Update - Open Information Security Foundation
  2. Feature #3697: a command line option for suricata-update that would set downloaded rules to their default state - Suricata-Update - Open Information Security Foundation
  3. Bug #4259: Multiple modifications to a rule do not work - Suricata-Update - Open Information Security Foundation
  4. Bug #4374: Don't load configuration files from /etc/suricata if Suricata is rooted at /opt/suricata. - Suricata-Update - Open Information Security Foundation
1 Like

Hi Tharushi,

4259 and 4374 are probably best to start with. The other 2 are more subjective in nature.

For both of these, verification will need to be done to make sure they are both still an issue, I believe they are.

Thanks for picking these up.