Project

General

Profile

Actions
Copy link

Task #4772

open

tracking: parity between fields logged and fields available for detection

Added by Victor Julien almost 3 years ago. Updated about 1 month ago.

Status:
Assigned
Priority:
Normal
Assignee:
Victor Julien
Target version:
TBD
Effort:
Difficulty:
Label:

Subtasks 7 (5 open2 closed)

Feature #4153: app-layer: rust derive style macros to generate common codeAssignedJason IshActions
Optimization #4154: Rust Parsers: Abstract AppLayer events to a derive macroClosedJason IshActions
Feature #5642: DNS: parity between log fields and detectionNewJason IshActions
Feature #6621: dns: add keyword for dns rcode: dns.rcodeResolvedHadiqa Alamdar BukhariActions
Feature #6666: dns: add keyword for dns rrtype: dns.rrtypeClosedHadiqa Alamdar BukhariActions
Task #6476: ftp: parity of logging and detection buffersNewOISF DevActions
Story #6597: rules: impove rules keyword/output parityNewVictor JulienActions

Related issues 9 (7 open2 closed)

Related to Suricata - Task #4762: Suricon 2021 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #4174: tracking: app-layer frame inspection supportIn ProgressVictor JulienActions
Related to Suricata - Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as wellClosedPhilippe AntoineActions
Related to Suricata - Feature #5234: SSL/TLS Sticky Buffer for subjectAltNameClosedShivani BhardwajActions
Related to Suricata - Task #6443: Suricon 2023 brainstormAssignedVictor JulienActions
Related to Suricata - Task #6473: detect: smtp keyword coverageAssignedVictor JulienActions
Related to Suricata - Feature #4876: Additional FTP BuffersNewOISF DevActions
Related to Suricata - Task #6463: eve/output: investigate how to track coverage / parityNewOISF DevActions
Related to Suricata - Feature #7100: smb: additional keywordsNewOISF DevActions
Actions
Copy link
 #1

Updated by Victor Julien almost 3 years ago

  • Related to Feature #2021: doc: sha256 filesum extraction missing in documentation added
Actions
Copy link
 #2

Updated by Victor Julien almost 3 years ago

  • Related to deleted (Feature #2021: doc: sha256 filesum extraction missing in documentation)
Actions
Copy link
 #3

Updated by Victor Julien almost 3 years ago

  • Related to Task #4762: Suricon 2021 brainstorm added
Actions
Copy link
 #4

Updated by Victor Julien over 2 years ago

  • Related to Feature #4174: tracking: app-layer frame inspection support added
Actions
Copy link
 #5

Updated by Jason Ish over 1 year ago

  • Related to Feature #5642: DNS: parity between log fields and detection added
Actions
Copy link
 #6

Updated by Philippe Antoine over 1 year ago

My next thing here is to look into the schema.json for integers where there are no signature keywords, starting by the flow.nbpackets or such (as I did flow.age last)

Actions
Copy link
 #7

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as well added
Actions
Copy link
 #8

Updated by Juliana Fajardini Reichow 11 months ago

  • Related to Feature #5234: SSL/TLS Sticky Buffer for subjectAltName added
Actions
Copy link
 #9

Updated by Juliana Fajardini Reichow 11 months ago

Added #5234 as related as it seems that we parse and log the info, but it's not accessible to the rule language.

Actions
Copy link
 #10

Updated by Philippe Antoine 9 months ago

  • Related to Task #6443: Suricon 2023 brainstorm added
Actions
Copy link
 #11

Updated by Juliana Fajardini Reichow 9 months ago

  • Related to Task #6473: detect: smtp keyword coverage added
Actions
Copy link
 #12

Updated by Jason Ish 9 months ago

  • Subtask #6476 added
Actions
Copy link
 #13

Updated by Juliana Fajardini Reichow 9 months ago

Actions
Copy link
 #14

Updated by Juliana Fajardini Reichow 8 months ago

  • Related to Task #6463: eve/output: investigate how to track coverage / parity added
Actions
Copy link
 #15

Updated by Juliana Fajardini Reichow 8 months ago

  • Related to Story #6597: rules: impove rules keyword/output parity added
Actions
Copy link
 #16

Updated by Philippe Antoine 4 months ago

  • Target version set to TBD
Actions
Copy link
 #17

Updated by Victor Julien 4 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions
Copy link
 #18

Updated by Victor Julien about 2 months ago

@Jason Ish has a script to dump all the eve fields. Perhaps we can use it to map it to rule keywords/buffers.

Actions
Copy link
 #19

Updated by Victor Julien about 1 month ago

Actions
Copy link
 #20

Updated by Victor Julien about 1 month ago

  • Target version changed from 8.0.0-beta1 to TBD
Actions
Copy link
 #21

Updated by Victor Julien about 1 month ago

  • Subtask #6597 added
Actions
Copy link
 #22

Updated by Victor Julien about 1 month ago

  • Subtask #5642 added
Actions
Copy link
 #23

Updated by Victor Julien about 1 month ago

  • Subtask #4153 added
Actions
Copy link

Also available in: Atom PDF