Feature #2283: turn content modifiers into 'sticky buffers' - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #2283

closed

turn content modifiers into 'sticky buffers'

Added by Victor Julien over 7 years ago. Updated about 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

OISF Dev

Target version:

5.0rc1

Effort:

Difficulty:

Label:

Description

Turn all content modifiers into sticky buffers with a '<proto>.<buffer>[.<modifier>]' notation.
Support this dot-notation for all existing sticky buffers.

In both cases the existing rule keywords need to keep working for backwards compatibility. New keywords only need to support the new notation.

Some examples:

content:"abc"; http_uri; -> http.uri; content:"abc";
content:"abc"; http_raw_uri; -> http.uri.raw; content:"abc";
content:"abc"; http_client_body; -> http.request_body; content:"abc";
dns_query; content:"abc"; -> dns.query; content:"abc";

Internally, these keywords need to be registered through the 'v2 API', so that they support transforms.

Examples can be found in https://github.com/OISF/suricata/pull/3632

Subtasks 4 (0 open — 4 closed)

Related issues 3 (2 open — 1 closed)

Updated by Victor Julien over 7 years ago

Assignee set to Jason Williams
Target version set to 70

Updated by Victor Julien over 7 years ago

Related to Task #2309: SuriCon 2017 brainstorm added

Updated by Victor Julien over 6 years ago

Related to Task #2685: SuriCon 2018 brainstorm added

Updated by Victor Julien over 6 years ago

Description updated (diff)
Assignee changed from Jason Williams to OISF Dev
Target version changed from 70 to 5.0beta1

Updated by Victor Julien about 6 years ago

Target version changed from 5.0beta1 to 5.0rc1

Updated by Victor Julien about 6 years ago

Status changed from New to Closed

Updated by Victor Julien about 6 years ago

Related to Feature #2952: modernize http_header_names added

Actions

Copy link

Also available in: Atom PDF

Project

General

Custom queries

Profile

Suricata

Feature #2283

turn content modifiers into 'sticky buffers'

Updated by Victor Julien over 7 years ago

Updated by Jason Williams over 7 years ago

Updated by Victor Julien over 7 years ago

Updated by Jason Williams about 7 years ago

Updated by Victor Julien over 6 years ago

Updated by Victor Julien over 6 years ago

Updated by Victor Julien about 6 years ago

Updated by Victor Julien about 6 years ago

Updated by Victor Julien about 6 years ago

Feature #2897: update http_content_type and others to new style sticky buffers	Closed	Jeff Lucovsky	Actions
Feature #2914: modernize tls sticky buffers	Closed	Jeff Lucovsky	Actions
Bug #2915: modernize ssh sticky buffers	Closed	Jeff Lucovsky	Actions
Feature #2930: http_protocol: use mpm and content inspect v2 apis	Closed	Giuseppe Longo	Actions

Related to Suricata - Task #2309: SuriCon 2017 brainstorm	Assigned	Victor Julien	Actions
Related to Suricata - Task #2685: SuriCon 2018 brainstorm	Assigned	Victor Julien	Actions
Related to Suricata - Feature #2952: modernize http_header_names	Closed	Victor Julien	Actions