Task #4772: tracking: parity between fields logged and fields available for detection

Added by Victor Julien over 4 years ago. Updated 7 months ago.

Status: Assigned
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Subtasks 7 (3 open, 4 closed)

  • Feature #4153: app-layer: rust derive style macros to generate common code (Assigned, Jason Ish)
  • Optimization #4154: Rust Parsers: Abstract AppLayer events to a derive macro (Closed, Jason Ish)
  • Feature #5642: DNS: parity between log fields and detection (Assigned, Jason Ish)
  • Feature #6621: dns: add keyword for dns rcode: dns.rcode (Closed, Hadiqa Alamdar Bukhari)
  • Feature #6666: dns: add keyword for dns rrtype: dns.rrtype (Closed, Hadiqa Alamdar Bukhari)
  • Task #6476: ftp: parity of logging and detection buffers (In Progress, Jeff Lucovsky)
  • Story #6597: rules: improve rules keyword/output parity (Closed, Victor Julien)

Related issues 9 (6 open, 3 closed)

  • Related to Suricata - Task #4762: Suricon 2021 brainstorm (Assigned, Victor Julien)
  • Related to Suricata - Feature #4174: tracking: app-layer frame inspection support (In Progress, Victor Julien)
  • Related to Suricata - Feature #6164: rules: allow matching on flow pkts and bytes (Closed, Philippe Antoine)
  • Related to Suricata - Feature #5234: tls: subjectAltName buffer (Closed, Shivani Bhardwaj)
  • Related to Suricata - Task #6443: Suricon 2023 brainstorm (Assigned, Victor Julien)
  • Related to Suricata - Task #6473: detect: smtp keyword coverage (Assigned, Victor Julien)
  • Related to Suricata - Feature #4876: Additional FTP Buffers (New, Jeff Lucovsky)
  • Related to Suricata - Task #6463: eve/output: investigate how to track coverage / parity (Closed, Jason Ish)
  • Related to Suricata - Feature #7100: smb: additional keywords (New, OISF Dev)

#1 Updated by Victor Julien over 4 years ago

  • Related to Feature #2021: doc: sha256 filesum extraction missing in documentation added

#2 Updated by Victor Julien over 4 years ago

  • Related to deleted (Feature #2021: doc: sha256 filesum extraction missing in documentation)

#3 Updated by Victor Julien over 4 years ago

  • Related to Task #4762: Suricon 2021 brainstorm added

#4 Updated by Victor Julien almost 4 years ago

  • Related to Feature #4174: tracking: app-layer frame inspection support added

#5 Updated by Jason Ish over 3 years ago

  • Related to Feature #5642: DNS: parity between log fields and detection added

#6 Updated by Philippe Antoine over 3 years ago

My next thing here is to look into the schema.json for integers where there are no signature keywords, starting with flow.nbpackets or such (as I did flow.age last).

#7 Updated by Philippe Antoine almost 3 years ago

  • Related to Feature #6164: rules: allow matching on flow pkts and bytes added

#8 Updated by Juliana Fajardini Reichow over 2 years ago

#9 Updated by Juliana Fajardini Reichow over 2 years ago

Added #5234 as related as it seems that we parse and log the info, but it's not accessible to the rule language.

#10 Updated by Philippe Antoine over 2 years ago

  • Related to Task #6443: Suricon 2023 brainstorm added

#11 Updated by Juliana Fajardini Reichow over 2 years ago

  • Related to Task #6473: detect: smtp keyword coverage added

#12 Updated by Jason Ish over 2 years ago

  • Subtask #6476 added

#13 Updated by Juliana Fajardini Reichow over 2 years ago

#14 Updated by Juliana Fajardini Reichow over 2 years ago

  • Related to Task #6463: eve/output: investigate how to track coverage / parity added

#15 Updated by Juliana Fajardini Reichow over 2 years ago

  • Related to Story #6597: rules: improve rules keyword/output parity added

#16 Updated by Philippe Antoine almost 2 years ago

  • Target version set to TBD

#17 Updated by Victor Julien almost 2 years ago

  • Target version changed from TBD to 8.0.0-beta1

#18 Updated by Victor Julien almost 2 years ago

@Jason Ish has a script to dump all the eve fields. Perhaps we can use it to map it to rule keywords/buffers.

#19 Updated by Victor Julien almost 2 years ago

#20 Updated by Victor Julien almost 2 years ago

  • Target version changed from 8.0.0-beta1 to TBD

#21 Updated by Victor Julien almost 2 years ago

  • Subtask #6597 added

#22 Updated by Victor Julien almost 2 years ago

  • Subtask #5642 added

#23 Updated by Victor Julien almost 2 years ago

  • Subtask #4153 added