Task #5181

open

detect/engine-analyzer: add rule analyzer warnings about rules that could use the frame keyword/semantics/feature

Added by Juliana Fajardini Reichow over 2 years ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

With the addition of frame support, the rule analyzer could now also check for rules with patterns like:
- For SMB traffic: a content of "|FF|" or "|FE|" (especially combined with "startswith")
- For TLS traffic: a content of "|16 03 03|" (especially combined with "startswith")
- ... similar header patterns for other protocols
and issue warnings that those rules can be converted to the new frame semantics.

This task must wait on the definition of the frame keyword/semantics syntax.
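The check described above, as an added prototype that is not part of Suricata's own rule analyzer: it parses rule lines, resolves each content keyword into bytes (including |..| hex segments), and flags contents whose leading bytes match a known protocol header prefix for the rule's protocol, with a higher severity when "startswith" is present. Because the frame keyword syntax is not settled yet, it only reports candidates and does not rewrite anything. The sample rules, the FRAME_PREFIXES table and all function names are constructed for this example.

```python
import re

# Constructed sample rules (not from any Suricata ruleset) that exercise the check.
SAMPLE_RULES = [
    'alert smb any any -> any any (msg:"SMB1 header"; content:"|FF|SMB"; startswith; sid:1;)',
    'alert smb any any -> any any (msg:"SMB2 header"; content:"|FE 53 4D 42|"; sid:2;)',
    'alert tls any any -> any any (msg:"TLS record"; content:"|16 03 03|"; startswith; sid:3;)',
    'alert tls any any -> any any (msg:"TLS SNI"; content:"example"; sid:4;)',
    'alert http any any -> any any (msg:"no table entry"; content:"|FF|"; startswith; sid:5;)',
]

# Header byte prefixes that a frame would cover for each app-layer protocol
# (assumed table for this example; extend per protocol as frames are defined).
FRAME_PREFIXES = {
    "smb": [b"\xff", b"\xfe"],      # leading byte of the SMB1 / SMB2 header
    "tls": [b"\x16\x03\x03"],       # TLS record header: handshake, version 1.2
}

# Content modifiers that attach to the preceding content keyword.
CONTENT_MODIFIERS = {"startswith", "endswith", "depth", "offset", "distance", "within", "nocase"}

HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+.*?\((.*)\)\s*$")


def content_to_bytes(value):
    """Turn a Suricata content string such as '|FF|SMB' into the bytes it matches."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        if i % 2 == 1:                      # odd chunks sit between pipes: hex bytes
            out.extend(bytes.fromhex(chunk.replace(" ", "")))
        else:                               # even chunks are literal text
            out.extend(chunk.encode("latin-1"))
    return bytes(out)


def split_options(body):
    """Split the rule body on ';' while ignoring semicolons inside quoted strings."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\" and in_quote:
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def parse_rule(rule):
    """Return (protocol, sid, contents) where each content carries its bytes and modifiers."""
    m = HEADER_RE.match(rule)
    if not m:
        return None
    _action, proto, body = m.groups()
    sid, contents = None, []
    for opt in split_options(body):
        name, _, arg = opt.partition(":")
        name, arg = name.strip().lower(), arg.strip()
        if name == "sid":
            sid = int(arg)
        elif name == "content":
            negated = arg.startswith("!")
            value = arg.lstrip("!").strip().strip('"')
            contents.append({"bytes": content_to_bytes(value), "negated": negated, "modifiers": set()})
        elif name in CONTENT_MODIFIERS and contents:
            contents[-1]["modifiers"].add(name)
    return proto.lower(), sid, contents


def analyze_rule(rule):
    """Emit one warning per non-negated content that starts with a frame-covered header prefix."""
    parsed = parse_rule(rule)
    if parsed is None:
        return []
    proto, sid, contents = parsed
    warnings = []
    for c in contents:
        if c["negated"]:
            continue
        for prefix in FRAME_PREFIXES.get(proto, []):
            if c["bytes"].startswith(prefix):
                severity = "high" if "startswith" in c["modifiers"] else "low"
                warnings.append({
                    "sid": sid, "proto": proto, "severity": severity, "content": c["bytes"].hex(),
                    "msg": f"content matches the {proto} header prefix {prefix.hex()}; "
                           "candidate for frame semantics once the syntax is settled",
                })
                break
    return warnings


def analyze_rules(rules):
    return [w for rule in rules for w in analyze_rule(rule)]


if __name__ == "__main__":
    for w in analyze_rules(SAMPLE_RULES):
        print(f"sid {w['sid']} [{w['severity']}]: {w['msg']}")
```

The prototype only reads the protocol from the rule header, so a rule written as "alert tcp ... (app-layer-protocol:smb; ...)" would not be matched; a real implementation would also need to take sticky buffers into account, since a content already placed on a protocol-specific buffer is not a header-prefix match.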


Related issues (1 open, 0 closed)

Related to Suricata - Task #5050: rules/frames: settle on rule syntax (Assigned to Victor Julien)
