Project

General

Profile

Actions
Copy link

Feature #4174

open
VJ VJ

tracking: app-layer frame inspection support

Feature #4174: tracking: app-layer frame inspection support

Added by Victor Julien over 5 years ago. Updated about 1 year ago.

Status:
In Progress
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Effort to make it possible to avoid raw tcp data inspection. Many rules looking for application records make assumptions about pdu's aligning with packets.

Rules should be able to do something like alert ftp ... (frame:ftp.command; content:"USER"; ... ).

Frames should be defined by the app-layer parsers.

Subtasks 37 (23 open14 closed)

Task #4871: tracking: implement frames for all parsersNewOISF DevActions
Feature #4872: nfs: add stream app-layer frame support ClosedSam MohammadActions
Feature #4904: dcerpc: frames supportClosedShivani BhardwajActions
Feature #4905: smtp: add stream app-layer frame support ClosedVictor JulienActions
Feature #4906: ftp: add stream app-layer frame support AssignedOISF DevActions
Feature #4984: dns: add frames supportClosedJason IshActions
Feature #4985: quic: support framesRejectedPhilippe AntoineActions
Feature #4986: pgsql: support framesAssignedJuliana Fajardini ReichowActions
Feature #5036: sip: add frames supportClosedVictor JulienActions
Feature #5716: rdp: add app-layer frame supportNewOISF DevActions
Feature #5717: rfb: add frame supportClosedHaleema KhanActions
Feature #5726: ike: add frame supportNewOISF DevActions
Feature #5727: krb: add frame supportNewOISF DevActions
Feature #5728: modbus: add frame supportNewOISF DevActions
Feature #5729: bittorrent-dht: add frame supportNewOISF DevActions
Feature #5730: dhcp: add frame supportNewOISF DevActions
Feature #5731: mqtt: add frame supportClosedHaleema KhanActions
Feature #5732: ntp: add frame supportNewOISF DevActions
Feature #5733: snmp: add frame supportNewOISF DevActions
Feature #5734: ssh: add frame supportClosedPhilippe AntoineActions
Feature #5743: http2: add frame supportClosedPhilippe AntoineActions
Feature #7177: http1: add frame supportAssignedPhilippe AntoineActions
Feature #4976: frames: implement/complete profiling supportNewOISF DevActions
Optimization #4977: frames: gap handling in inspectionClosedVictor JulienActions
Feature #4979: frames: implement dynamic logic to disable frames of a typeClosedVictor JulienActions
Documentation #4980: doc/frames: document frame rule keywordIn ProgressVictor JulienActions
Feature #4981: frames: add general <app_proto>.stream framesClosedVictor JulienActions
Feature #4983: frames: support UDPClosedVictor JulienActions
Optimization #4987: frames: unify handling of getting frame data, flagsAssignedVictor JulienActions
Feature #4988: frames: logging improvementsNewOISF DevActions
Feature #4982: frames: selective frame loggingNewOISF DevActions
Feature #4989: eve/alert: make frame logging configurableNewOISF DevActions
Feature #4990: eve/frames: make payload logging configurableNewOISF DevActions
Feature #5051: output/frames: allow tx logging to reference framesNewOISF DevActions
Feature #5826: frames: logging of events set on framesAssignedVictor JulienActions
Feature #5049: detect/frames: allow mixing with txsAssignedVictor JulienActions
Task #5050: research: rules/frames: settle on rule syntaxAssignedVictor JulienActions

Related issues 3 (2 open1 closed)

Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Related to Suricata - Documentation #4697: devguide: document app-layer frame supportClosedJuliana Fajardini ReichowActions
Related to Suricata - Task #4772: tracking: parity between fields logged and fields available for detectionAssignedVictor JulienActions
Actions
Copy link

Also available in: PDF Atom