Project

General

Profile

Actions

Task #4772

open

tracking: parity between fields logged and fields available for detection

Added by Victor Julien about 3 years ago. Updated 5 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Subtasks 7 (5 open2 closed)

Feature #4153: app-layer: rust derive style macros to generate common codeAssignedJason IshActions
Optimization #4154: Rust Parsers: Abstract AppLayer events to a derive macroClosedJason IshActions
Feature #5642: DNS: parity between log fields and detectionAssignedJason IshActions
Feature #6621: dns: add keyword for dns rcode: dns.rcodeResolvedHadiqa Alamdar BukhariActions
Feature #6666: dns: add keyword for dns rrtype: dns.rrtypeClosedHadiqa Alamdar BukhariActions
Task #6476: ftp: parity of logging and detection buffersNewOISF DevActions
Story #6597: rules: improve rules keyword/output parityNewVictor JulienActions

Related issues 9 (7 open2 closed)

Related to Suricata - Task #4762: Suricon 2021 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #4174: tracking: app-layer frame inspection supportIn ProgressVictor JulienActions
Related to Suricata - Feature #6164: rules: allow matching on flow pkts and bytesClosedPhilippe AntoineActions
Related to Suricata - Feature #5234: SSL/TLS Sticky Buffer for subjectAltNameClosedShivani BhardwajActions
Related to Suricata - Task #6443: Suricon 2023 brainstormAssignedVictor JulienActions
Related to Suricata - Task #6473: detect: smtp keyword coverageAssignedVictor JulienActions
Related to Suricata - Feature #4876: Additional FTP BuffersNewOISF DevActions
Related to Suricata - Task #6463: eve/output: investigate how to track coverage / parityNewOISF DevActions
Related to Suricata - Feature #7100: smb: additional keywordsNewOISF DevActions
Actions #1

Updated by Victor Julien about 3 years ago

  • Related to Feature #2021: doc: sha256 filesum extraction missing in documentation added
Actions #2

Updated by Victor Julien about 3 years ago

  • Related to deleted (Feature #2021: doc: sha256 filesum extraction missing in documentation)
Actions #3

Updated by Victor Julien about 3 years ago

  • Related to Task #4762: Suricon 2021 brainstorm added
Actions #4

Updated by Victor Julien over 2 years ago

  • Related to Feature #4174: tracking: app-layer frame inspection support added
Actions #5

Updated by Jason Ish about 2 years ago

  • Related to Feature #5642: DNS: parity between log fields and detection added
Actions #6

Updated by Philippe Antoine about 2 years ago

My next thing here is to look into the schema.json for integers where there are no signature keywords, starting by the flow.nbpackets or such (as I did flow.age last)

Actions #7

Updated by Philippe Antoine over 1 year ago

  • Related to Feature #6164: rules: allow matching on flow pkts and bytes added
Actions #8

Updated by Juliana Fajardini Reichow about 1 year ago

  • Related to Feature #5234: SSL/TLS Sticky Buffer for subjectAltName added
Actions #9

Updated by Juliana Fajardini Reichow about 1 year ago

Added #5234 as related as it seems that we parse and log the info, but it's not accessible to the rule language.

Actions #10

Updated by Philippe Antoine about 1 year ago

  • Related to Task #6443: Suricon 2023 brainstorm added
Actions #11

Updated by Juliana Fajardini Reichow about 1 year ago

  • Related to Task #6473: detect: smtp keyword coverage added
Actions #12

Updated by Jason Ish about 1 year ago

  • Subtask #6476 added
Actions #13

Updated by Juliana Fajardini Reichow about 1 year ago

Actions #14

Updated by Juliana Fajardini Reichow 12 months ago

  • Related to Task #6463: eve/output: investigate how to track coverage / parity added
Actions #15

Updated by Juliana Fajardini Reichow 12 months ago

  • Related to Story #6597: rules: improve rules keyword/output parity added
Actions #16

Updated by Philippe Antoine 7 months ago

  • Target version set to TBD
Actions #17

Updated by Victor Julien 7 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #18

Updated by Victor Julien 6 months ago

@Jason Ish has a script to dump all the eve fields. Perhaps we can use it to map it to rule keywords/buffers.

Actions #19

Updated by Victor Julien 5 months ago

Actions #20

Updated by Victor Julien 5 months ago

  • Target version changed from 8.0.0-beta1 to TBD
Actions #21

Updated by Victor Julien 5 months ago

  • Subtask #6597 added
Actions #22

Updated by Victor Julien 5 months ago

  • Subtask #5642 added
Actions #23

Updated by Victor Julien 5 months ago

  • Subtask #4153 added
Actions

Also available in: Atom PDF