
Support Suricata transactional rule direction#1174

Open
tosto92 wants to merge 1 commit into Security-Onion-Solutions:3/main from tosto92:codex/support-suricata-transactional-rules

Conversation

@tosto92 tosto92 commented May 28, 2026


Summary

Adds support for Suricata transactional rules using the => direction operator.

Suricata supports transactional rules with source => destination, documented here:
https://docs.suricata.io/en/latest/rules/intro.html#transactional-rules

The SOC Suricata rule parser only recognized directions beginning with < or - and only accepted <> or ->. As a result, valid transactional rules failed validation before reaching Suricata.

Changes

  • Allow = to start the rule direction token.
  • Accept => as a valid Suricata direction alongside -> and <>.
  • Update invalid-direction error text.
  • Add parser coverage for transactional rules.
  • Add ruleset parsing coverage to verify imported/custom rules using => are accepted.

Impact

This allows valid Suricata transactional rules to be:

  • created or updated through the SOC web UI
  • imported from local/custom rulesets during Suricata ruleset sync

Suricata itself still performs final rule validation, so invalid transactional rule syntax or unsupported keyword combinations will continue to fail at the engine level.

Validation

go test -count=1 ./server/modules/suricata

Result:

ok   github.com/security-onion-solutions/securityonion-soc/server/modules/suricata
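To make the direction-token check described above concrete, here is an added example (my own illustration, not the SOC parser or any code from this PR) of a minimal Suricata rule-header parser that accepts the three operators `->`, `<>` and `=>` and rejects anything else. The rule text and the `ParseRuleHeader`/`RuleHeader` names are assumptions for this example; the option body in parentheses is deliberately left to Suricata's own validation, as the PR notes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RuleHeader holds the seven fields of a Suricata rule header:
// action proto src sport dir dst dport. Hypothetical type for this example.
type RuleHeader struct {
	Action, Proto, Src, SrcPort, Dir, Dst, DstPort string
}

// validDirections lists the operators accepted after this fix: "->" (to server),
// "<>" (bidirectional) and "=>" (transactional). A parser that only accepted
// "->" and "<>" would reject every transactional rule before Suricata saw it.
var validDirections = map[string]bool{"->": true, "<>": true, "=>": true}

// ParseRuleHeader splits the header off the option body at the first "(" and
// validates the direction operator. Options are not inspected here because
// Suricata performs the final validation of keywords and their combinations.
func ParseRuleHeader(rule string) (RuleHeader, error) {
	head, _, found := strings.Cut(rule, "(")
	if !found {
		return RuleHeader{}, errors.New("rule has no option body")
	}
	f := strings.Fields(head)
	if len(f) != 7 {
		return RuleHeader{}, fmt.Errorf("expected 7 header fields, got %d", len(f))
	}
	h := RuleHeader{f[0], f[1], f[2], f[3], f[4], f[5], f[6]}
	if !validDirections[h.Dir] {
		return RuleHeader{}, fmt.Errorf("invalid direction %q: must be ->, <> or =>", h.Dir)
	}
	return h, nil
}

func main() {
	// Constructed sample transactional rule; not taken from any real ruleset.
	rule := `alert http any any => any any (msg:"constructed example"; sid:1000001; rev:1;)`
	h, err := ParseRuleHeader(rule)
	fmt.Printf("%+v err=%v\n", h, err)
}
```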

@defensivedepth

Contributor

Thanks for the PR @tosto92

It has been queued for review.


Development

Successfully merging this pull request may close these issues.

FEATURE: Support Suricata Transactional rule dir

2 participants