Project

General

Profile

Actions
Copy link

Feature #4174

open
VJ VJ

tracking: app-layer frame inspection support

Feature #4174: tracking: app-layer frame inspection support

Added by Victor Julien over 5 years ago. Updated about 1 year ago.

Status:
In Progress
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Effort to make it possible to avoid raw tcp data inspection. Many rules looking for application records make assumptions about pdu's aligning with packets.

Rules should be able to do something like alert ftp ... (frame:ftp.command; content:"USER"; ... ).

Frames should be defined by the app-layer parsers.

Subtasks 37 (23 open14 closed)

Task #4871: tracking: implement frames for all parsersNewOISF DevActions
Feature #4872: nfs: add stream app-layer frame support ClosedSam MohammadActions
Feature #4904: dcerpc: frames supportClosedShivani BhardwajActions
Feature #4905: smtp: add stream app-layer frame support ClosedVictor JulienActions
Feature #4906: ftp: add stream app-layer frame support AssignedOISF DevActions
Feature #4984: dns: add frames supportClosedJason IshActions
Feature #4985: quic: support framesRejectedPhilippe AntoineActions
Feature #4986: pgsql: support framesIn ProgressJuliana Fajardini ReichowActions
Feature #5036: sip: add frames supportClosedVictor JulienActions
Feature #5716: rdp: add app-layer frame supportNewOISF DevActions
Feature #5717: rfb: add frame supportClosedHaleema KhanActions
Feature #5726: ike: add frame supportNewOISF DevActions
Feature #5727: krb: add frame supportNewOISF DevActions
Feature #5728: modbus: add frame supportNewOISF DevActions
Feature #5729: bittorrent-dht: add frame supportNewOISF DevActions
Feature #5730: dhcp: add frame supportNewOISF DevActions
Feature #5731: mqtt: add frame supportClosedHaleema KhanActions
Feature #5732: ntp: add frame supportNewOISF DevActions
Feature #5733: snmp: add frame supportNewOISF DevActions
Feature #5734: ssh: add frame supportClosedPhilippe AntoineActions
Feature #5743: http2: add frame supportClosedPhilippe AntoineActions
Feature #7177: http1: add frame supportAssignedPhilippe AntoineActions
Feature #4976: frames: implement/complete profiling supportNewOISF DevActions
Optimization #4977: frames: gap handling in inspectionClosedVictor JulienActions
Feature #4979: frames: implement dynamic logic to disable frames of a typeClosedVictor JulienActions
Documentation #4980: doc/frames: document frame rule keywordIn ProgressVictor JulienActions
Feature #4981: frames: add general <app_proto>.stream framesClosedVictor JulienActions
Feature #4983: frames: support UDPClosedVictor JulienActions
Optimization #4987: frames: unify handling of getting frame data, flagsAssignedVictor JulienActions
Feature #4988: frames: logging improvementsNewOISF DevActions
Feature #4982: frames: selective frame loggingNewOISF DevActions
Feature #4989: eve/alert: make frame logging configurableNewOISF DevActions
Feature #4990: eve/frames: make payload logging configurableNewOISF DevActions
Feature #5051: output/frames: allow tx logging to reference framesNewOISF DevActions
Feature #5826: frames: logging of events set on framesAssignedVictor JulienActions
Feature #5049: detect/frames: allow mixing with txsAssignedVictor JulienActions
Task #5050: rules/frames: settle on rule syntaxAssignedVictor JulienActions

Related issues 3 (2 open1 closed)

Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Related to Suricata - Documentation #4697: devguide: document app-layer frame supportClosedJuliana Fajardini ReichowActions
Related to Suricata - Task #4772: tracking: parity between fields logged and fields available for detectionAssignedVictor JulienActions

VJ Updated by Victor Julien over 5 years ago Actions
Copy link
 #1

  • Related to Task #4097: Suricon 2020 brainstorm added

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
 #2

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
 #3

  • Status changed from Assigned to In Progress

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
 #4

  • Related to Task #4871: tracking: implement frames for all parsers added

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
 #5

  • Subject changed from tracking: app_record / pdu inspection support to tracking: app-layer frame inspection support
  • Description updated (diff)

VJ Updated by Victor Julien almost 4 years ago Actions
Copy link
 #6

  • Related to Task #4772: tracking: parity between fields logged and fields available for detection added

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #7

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #8

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #9

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1
Actions
Copy link

Also available in: PDF Atom