tracking: app-layer frame inspection support
Effort to make it possible to avoid raw tcp data inspection. Many rules looking for application records make assumptions about pdu's aligning with packets.
Rules should be able to do something like
alert ftp ... (frame:ftp.command; content:"USER"; ... ).
Frames should be defined by the app-layer parsers.
- Related to Task #4097: Suricon 2020 brainstorm added
- Status changed from Assigned to In Progress
- Related to Task #4871: tracking: implement frames for all parsers added
- Subject changed from tracking: app_record / pdu inspection support to tracking: app-layer frame inspection support
- Description updated (diff)
- Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Also available in: Atom