Feature #435

closed

list keyword commandline options

Added by Victor Julien almost 11 years ago. Updated about 10 years ago.

Status: Closed
Priority: Low
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Option or options to list keywords available, including whether or not they are compatible with "ip only", if they inspect "state" etc. Maybe just a --list-keywords with output like:

Name        | Features           | Description
flowbits    | ip-only compatible | Set/check flowbits in a flow.
tls.subject | state inspecting   | Match TLS/SSL certificate Subject field

#1

Updated by Victor Julien over 10 years ago

  • Target version changed from 1.3beta2 to 1.4
#2

Updated by Victor Julien over 10 years ago

  • Target version changed from 1.4 to 1.4beta3
#3

Updated by Victor Julien over 10 years ago

  • Priority changed from Normal to Low
#4

Updated by Eric Leblond about 10 years ago

  • Assignee changed from OISF Dev to Eric Leblond
#5

Updated by Eric Leblond about 10 years ago

  • % Done changed from 0 to 80
#6

Updated by Eric Leblond about 10 years ago

  • % Done changed from 80 to 60

I forgot an important part: the keyword code has to be updated to add the features and description information.

#7

Updated by Eric Leblond about 10 years ago

  • % Done changed from 60 to 80

Proposed update: https://github.com/inliniac/suricata/pull/195

A few keywords are missing:

tag;;ALPROTO_UNKNOWN;none;;
uricontent;;ALPROTO_HTTP;payload inspecting rule;;
replace;;ALPROTO_UNKNOWN;payload inspecting rule;;
rawbytes;;ALPROTO_UNKNOWN;No option:payload inspecting rule;;
byte_test;;ALPROTO_UNKNOWN;payload inspecting rule;;
byte_jump;;ALPROTO_UNKNOWN;payload inspecting rule;;
ftpbounce;;ALPROTO_FTP;none;;
flowvar;;ALPROTO_UNKNOWN;none;;
pktvar;;ALPROTO_UNKNOWN;payload inspecting rule;;
noalert;;ALPROTO_UNKNOWN;No option;;
ipv4-csum;;ALPROTO_UNKNOWN;none;;
tcpv4-csum;;ALPROTO_UNKNOWN;none;;
tcpv6-csum;;ALPROTO_UNKNOWN;none;;
udpv4-csum;;ALPROTO_UNKNOWN;none;;
udpv6-csum;;ALPROTO_UNKNOWN;none;;
icmpv4-csum;;ALPROTO_UNKNOWN;none;;
icmpv6-csum;;ALPROTO_UNKNOWN;none;;
tos;;ALPROTO_UNKNOWN;none;;
icmp_id;;ALPROTO_UNKNOWN;none;;
decode-event;;ALPROTO_UNKNOWN;IP only rule;;
flags;;ALPROTO_UNKNOWN;none;;
nfq_set_mark;;ALPROTO_UNKNOWN;none;;
http_raw_header;;ALPROTO_HTTP;payload inspecting rule;;
ssh.protoversion;;ALPROTO_SSH;none;;
ssh.softwareversion;;ALPROTO_SSH;none;;
ssl_version;;ALPROTO_TLS;none;;
ssl_state;;ALPROTO_TLS;none;;
byte_extract;;ALPROTO_UNKNOWN;payload inspecting rule;;
pkt_data;;ALPROTO_HTTP;none;;
app-layer-event;;ALPROTO_UNKNOWN;none;;
dce_iface;;ALPROTO_DCERPC;payload inspecting rule;;
dce_opnum;;ALPROTO_DCERPC;payload inspecting rule;;
dce_stub_data;;ALPROTO_DCERPC;payload inspecting rule;;
asn1;;ALPROTO_UNKNOWN;none;;
engine-event;;ALPROTO_UNKNOWN;none;;
stream-event;;ALPROTO_UNKNOWN;none;;
l3_proto;;ALPROTO_UNKNOWN;none;;
luajit;;ALPROTO_HTTP;none;;

By the way, the last line is strange.
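The listing quoted above is the semicolon-separated form of the proposed --list-keywords output. As an added example (not code from Suricata or from the pull request), the script below parses that layout, assumed here to be name;description;app-layer protocol;features;documentation with empty fields allowed, and reports which keywords still lack a description, which is the gap the comment points out; the sample lines are constructed from the listing plus one fully documented row.

```python
"""Parse Suricata-style '--list-keywords' CSV output and audit it.

Added example, not code from the Suricata project or the pull request.
Assumed field layout (inferred from the lines quoted in the comment):
    name;description;app-layer protocol;features;documentation url;
Empty fields are allowed; that is how the undocumented keywords show up.
"""
from collections import defaultdict

# Constructed sample: three lines taken from the comment plus one
# fully documented row in the same layout, so the audit sees both cases.
SAMPLE = """\
tag;;ALPROTO_UNKNOWN;none;;
decode-event;;ALPROTO_UNKNOWN;IP only rule;;
http_raw_header;;ALPROTO_HTTP;payload inspecting rule;;
flowbits;Set/check flowbits in a flow.;ALPROTO_UNKNOWN;compatible with IP only rule;;
"""

FIELDS = ("name", "description", "alproto", "features", "doc")


def parse_keywords(text):
    """Return one dict per keyword line; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(";")
        parts += [""] * (len(FIELDS) - len(parts))  # pad short lines
        rows.append(dict(zip(FIELDS, parts[:len(FIELDS)])))
    return rows


def missing_descriptions(rows):
    """Names of keywords whose description field is still empty."""
    return [r["name"] for r in rows if not r["description"]]


def by_feature(rows):
    """Group keyword names by their features field ('none' if empty)."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["features"] or "none"].append(r["name"])
    return dict(groups)


if __name__ == "__main__":
    rows = parse_keywords(SAMPLE)
    print("missing description:", missing_descriptions(rows))
    for feat, names in by_feature(rows).items():
        print(f"{feat}: {', '.join(names)}")
```

Run it against the real `suricata --list-keywords=csv` output (on versions that support it) to see at a glance which keywords are still undocumented.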

#8

Updated by Victor Julien about 10 years ago

  • Target version changed from 1.4beta3 to 1.4rc1
#9

Updated by Victor Julien about 10 years ago

  • Status changed from New to Closed
  • % Done changed from 80 to 100