Feature #435: list keyword commandline options

Added by Victor Julien about 14 years ago. Updated over 13 years ago.

Status: Closed
Priority: Low
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Option or options to list keywords available, including whether or not they are compatible with "ip only", if they inspect "state" etc. Maybe just a --list-keywords with output like:

Name        | Features           | Description
flowbits    | ip-only compatible | Set/check flowbits in a flow.
tls.subject | state inspecting   | Match TLS/SSL certificate Subject field

Updated by Victor Julien almost 14 years ago, #1

  • Target version changed from 1.3beta2 to 1.4

Updated by Victor Julien over 13 years ago, #2

  • Target version changed from 1.4 to 1.4beta3

Updated by Victor Julien over 13 years ago, #3

  • Priority changed from Normal to Low

Updated by Eric Leblond over 13 years ago, #4

  • Assignee changed from OISF Dev to Eric Leblond

Updated by Eric Leblond over 13 years ago, #5

  • % Done changed from 0 to 80

Updated by Eric Leblond over 13 years ago, #6

  • % Done changed from 80 to 60

I forgot an important part: the keyword code has to be updated to add the features and description information.

Updated by Eric Leblond over 13 years ago, #7

  • % Done changed from 60 to 80

Proposed update: https://github.com/inliniac/suricata/pull/195

A few keywords are missing:

tag;;ALPROTO_UNKNOWN;none;;
uricontent;;ALPROTO_HTTP;payload inspecting rule;;
replace;;ALPROTO_UNKNOWN;payload inspecting rule;;
rawbytes;;ALPROTO_UNKNOWN;No option:payload inspecting rule;;
byte_test;;ALPROTO_UNKNOWN;payload inspecting rule;;
byte_jump;;ALPROTO_UNKNOWN;payload inspecting rule;;
ftpbounce;;ALPROTO_FTP;none;;
flowvar;;ALPROTO_UNKNOWN;none;;
pktvar;;ALPROTO_UNKNOWN;payload inspecting rule;;
noalert;;ALPROTO_UNKNOWN;No option;;
ipv4-csum;;ALPROTO_UNKNOWN;none;;
tcpv4-csum;;ALPROTO_UNKNOWN;none;;
tcpv6-csum;;ALPROTO_UNKNOWN;none;;
udpv4-csum;;ALPROTO_UNKNOWN;none;;
udpv6-csum;;ALPROTO_UNKNOWN;none;;
icmpv4-csum;;ALPROTO_UNKNOWN;none;;
icmpv6-csum;;ALPROTO_UNKNOWN;none;;
tos;;ALPROTO_UNKNOWN;none;;
icmp_id;;ALPROTO_UNKNOWN;none;;
decode-event;;ALPROTO_UNKNOWN;IP only rule;;
flags;;ALPROTO_UNKNOWN;none;;
nfq_set_mark;;ALPROTO_UNKNOWN;none;;
http_raw_header;;ALPROTO_HTTP;payload inspecting rule;;
ssh.protoversion;;ALPROTO_SSH;none;;
ssh.softwareversion;;ALPROTO_SSH;none;;
ssl_version;;ALPROTO_TLS;none;;
ssl_state;;ALPROTO_TLS;none;;
byte_extract;;ALPROTO_UNKNOWN;payload inspecting rule;;
pkt_data;;ALPROTO_HTTP;none;;
app-layer-event;;ALPROTO_UNKNOWN;none;;
dce_iface;;ALPROTO_DCERPC;payload inspecting rule;;
dce_opnum;;ALPROTO_DCERPC;payload inspecting rule;;
dce_stub_data;;ALPROTO_DCERPC;payload inspecting rule;;
asn1;;ALPROTO_UNKNOWN;none;;
engine-event;;ALPROTO_UNKNOWN;none;;
stream-event;;ALPROTO_UNKNOWN;none;;
l3_proto;;ALPROTO_UNKNOWN;none;;
luajit;;ALPROTO_HTTP;none;;

By the way, the last line is strange.

Updated by Victor Julien over 13 years ago, #8

  • Target version changed from 1.4beta3 to 1.4rc1

Updated by Victor Julien over 13 years ago, #9

  • Status changed from New to Closed
  • % Done changed from 80 to 100