Documentation #1892
openrule docs should include example rules
Description
Think it would be nice to add example rules for each rule keyword. Perhaps a minimal example and a real world one from the ETOpen set.
PM Updated by Peter Manev over 9 years ago
It think it will also be a good idea to make that part of the PR process (as well) where such a PR introduces new or updates keywords.
Otherwise the "how to" for new or updated keywords is not visible to the rulewriters or end users.
Easier said than done I suppose - it would be ideal if we can maybe have something like -
suricata --list-keywords-examples
where each listed keyword can have an example rule.
Maybe we could reuse a good part of the unittests to help out with that ?
AH Updated by Andreas Herz over 9 years ago
Wouldn't be such a list quite verbose? Maybe we can first add it to the docs and relate to them with the --list-keywords-examples?
VJ Updated by Victor Julien almost 8 years ago
- Effort set to high
- Difficulty set to low
I'm open to both. I also think it would be a nice idea to have per rule keyword manpages, based on the user docs. Like how for example git commands have their own manpages. These manpages should then have one or more example rules.
VJ Updated by Victor Julien almost 8 years ago
- Assignee deleted (
OISF Dev)
VJ Updated by Victor Julien almost 8 years ago
I've set effort to high as there are many keywords, but this can be a step-by-step thing. So per keyword effort is low.
VJ Updated by Victor Julien about 7 years ago
- Assignee set to Community Ticket
- Label Beginner added
VJ Updated by Victor Julien about 7 years ago
- Target version changed from Documentation to TBD
AH Updated by Andreas Herz over 6 years ago
- Tracker changed from Feature to Documentation
JF Updated by Juliana Fajardini Reichow over 4 years ago
- Related to Documentation #4706: Guide for rulewriting added
JF Updated by Juliana Fajardini Reichow over 1 year ago
- Label Outreachy added
If you are an Outreachy applicant and would like to work on this issue, please check our documentation docs.suricata.io for a rule keyword that doesn't have examples, and discuss with us if it would be a good candidate for this task :)