Project

General

Profile

Actions

Task #5181

open

detect/engine-analyzer: add rule analyzer warnings about rules that could use the frame keyword/semantics/feature

Added by Juliana Fajardini Reichow over 2 years ago. Updated 11 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

With the addition of frame support, the rule analyzer could now also check for rules with patterns like:
- For SMB traffic: check for content "|FF|" or "|FE|" (especially with "startswith")
- For TLS traffic: check for contents "|16 03 03|" (especially with "startswith")
- ... similar patterns for other protocols
And issue warnings that those can be converted to the new frame semantics.

This task must wait on the definition of the frame keyword/semantics syntax.


Related issues 1 (1 open0 closed)

Related to Suricata - Task #5050: rules/frames: settle on rule syntaxAssignedVictor JulienActions
Actions #1

Updated by Juliana Fajardini Reichow over 2 years ago

  • Related to Task #5050: rules/frames: settle on rule syntax added
Actions #2

Updated by Juliana Fajardini Reichow almost 2 years ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #3

Updated by Victor Julien 11 months ago

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev
Actions

Also available in: Atom PDF