From 48c3d15ebf2ff5c398e9b85c6068c9dc20f66e33 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 15 Jan 2025 09:40:22 -0600
Subject: [PATCH] engine: choose better Suricata logging levels for rule test

The current default is to use SC_LOG_LEVEL=warning which can output non-fatal warnings which is generally not what you want when running from cron with "suricata-update -q".

Now, if "-q" is provided, run Suricata with SC_LOG_LEVEL=error which is useful for cron to ony be notified of fata errors.

Generally end-users are not worried about rule warnings such as:

ja3.hash should not be used together with nocase, since the rule is automatically lowercased anyway which makes nocase redundant.

This also allows for log level be set with SC_LOG_LEVEL, in which case Suricata-Update will not change the log level.

Additionally, make Suricata more verbose if Suricata-Update is run with "-v".

Ticket: https://redmine.openinfosecfoundation.org/issues/7494
---
 suricata/update/engine.py | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/suricata/update/engine.py b/suricata/update/engine.py
index 22ad9b3..2714a4d 100644
--- a/suricata/update/engine.py
+++ b/suricata/update/engine.py
@@ -95,7 +95,8 @@ def is_true(self, key, truthy=[]):
 @classmethod
 def load(cls, config_filename, suricata_path=None):
 env = build_env()
- env["SC_LOG_LEVEL"] = "Error"
+ if "SC_LOG_LEVEL" not in env:
+ env["SC_LOG_LEVEL"] = "Error"
 if not suricata_path:
 suricata_path = get_path()
 if not suricata_path:
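Review bot: The new `if "SC_LOG_LEVEL" not in env:` guard in load() also honours an SC_LOG_LEVEL that is exported but empty, so `SC_LOG_LEVEL=` in the caller's environment is handed to Suricata as an empty string instead of being replaced by the "Error" default; `if not env.get("SC_LOG_LEVEL"):` treats unset and empty alike. The same guard is added to test_configuration() in the next hunk and would take the same change. Whether Suricata rejects or ignores an empty level is not visible here, so this is a point to confirm rather than a certain defect. load()'s body continues outside the hunk.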
@@ -163,8 +164,29 @@ def get_version(path): return parse_version(output) return None + def test_configuration(suricata_path, suricata_conf=None, rule_filename=None): """Test the Suricata configuration with -T.""" + + env = build_env() + + # Choose a good Suricata log level, respecting SC_LOG_LEVEL if set. + if "SC_LOG_LEVEL" not in env: + try: + level = logging.getLevelName(logger.getEffectiveLevel()) + if level == "WARNING": + # Suricata-Update was called with "-q", only output + # Suricata errors. + env["SC_LOG_LEVEL"] = "Error" + elif level == "DEBUG": + # Suricata-Update was called with "-v", increase + # Suricata logging to info. + env["SC_LOG_LEVEL"] = "Info" + finally: + # Default to warning. + if "SC_LOG_LEVEL" not in env: + env["SC_LOG_LEVEL"] = "Warning" + tempdir = tempfile.mkdtemp() test_command = [ suricata_path, @@ -176,9 +198,6 @@ def test_configuration(suricata_path, suricata_conf=None, rule_filename=None): if rule_filename: test_command += ["-S", rule_filename] - env = build_env() - env["SC_LOG_LEVEL"] = "Warning" - logger.debug("Running %s; env=%s", " ".join(test_command), str(env)) rc = subprocess.Popen(test_command, env=env).wait() ret = True if rc == 0 else False @@ -191,6 +210,5 @@ def test_configuration(suricata_path, suricata_conf=None, rule_filename=None): def build_env(): env = os.environ.copy() env["SC_LOG_FORMAT"] = "%t - <%d> -- " - env["SC_LOG_LEVEL"] = "Error" env["ASAN_OPTIONS"] = "detect_leaks=0" return env
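Review bot: The `try: … finally:` added to test_configuration() has no `except`, so it does not protect against anything: if `logger.getEffectiveLevel()` or `logging.getLevelName()` raised, the `finally` would set "Warning" and the exception would still propagate out of the function, and on the normal path the block is a verbose way of writing an `else` branch. Comparing the level name string ("WARNING", "DEBUG") also depends on the getLevelName round-trip; comparing the numeric level against `logging.WARNING` / `logging.DEBUG` is simpler and, with `>=` / `<=`, also covers a logger set quieter than warning or finer than debug, assuming as the comments say that "-q" and "-v" map to WARNING and DEBUG. The docstring should mention the new behaviour, e.g. `"""Test the Suricata configuration with -T. Suricata's log level follows SC_LOG_LEVEL when set, otherwise it is derived from this module's logger level."""`. The removals in the following two hunks (the old env setup in test_configuration() and the fixed level in build_env()) are consistent with the rewrite below.
```python
    env = build_env()

    # Choose a Suricata log level, respecting SC_LOG_LEVEL if set.
    if "SC_LOG_LEVEL" not in env:
        level = logger.getEffectiveLevel()
        if level >= logging.WARNING:
            # Suricata-Update was called with "-q": only Suricata errors.
            env["SC_LOG_LEVEL"] = "Error"
        elif level <= logging.DEBUG:
            # Suricata-Update was called with "-v": raise Suricata to info.
            env["SC_LOG_LEVEL"] = "Info"
        else:
            # Default to warning.
            env["SC_LOG_LEVEL"] = "Warning"

    # … unchanged: tempdir and test_command construction, Popen, cleanup …
```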