Project

General

Profile

Actions

Task #5666

open

rules: help to visualize how a Suricata rule matches (different contents/offsets)

Added by Philippe Antoine over 1 year ago. Updated 5 months ago.

Status:
In Progress
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Have a Wireshark module/plugin that helps to visualize how a Suricata rule matches its different contents / pcres step by step


Related issues 4 (4 open0 closed)

Related to Suricata - Task #5488: Suricon 2022 brainstormAssignedVictor JulienActions
Related to Suricata - Task #4432: libsuricata: Wireshark plugin as an exampleNewActions
Related to Suricata - Task #6443: Suricon 2023 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #5206: Buffer Dump UtilityNewOISF DevActions
Actions #1

Updated by Philippe Antoine over 1 year ago

  • Related to Task #5488: Suricon 2022 brainstorm added
Actions #2

Updated by Philippe Antoine over 1 year ago

  • Tracker changed from Optimization to Task
Actions #3

Updated by Philippe Antoine over 1 year ago

  • Related to Task #4432: libsuricata: Wireshark plugin as an example added
Actions #4

Updated by Anthony Verez over 1 year ago

As a workaround for now: https://github.com/google/gonids/blob/master/rule.go#L608 can match a part of a pcap matching with a rule (when the rule does already trigger the capture)

Actions #5

Updated by Philippe Antoine over 1 year ago

How do you use gonids exactly ?

Actions #6

Updated by Victor Julien over 1 year ago

  • Subject changed from Rules : help to visualize how a Suricata rule matches (different contents/offsets) to rules: help to visualize how a Suricata rule matches (different contents/offsets)
Actions #7

Updated by Victor Julien over 1 year ago

The way I see this ticket work is a new eve event type like "rule trace" or something, that would dump the matching steps from the detection engine, logging:
- prefilters called
- rule keywords called
- content inspection step my step, including matching offsets, etc

This could then be used to construct the "story" of how a match (or a non-match) came to be, and it could be used visualize outside of suri, like in Wireshark.

Actions #8

Updated by Victor Julien 5 months ago

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Victor Julien

I have some very crude code for this around the "content inspection" code.

Actions #9

Updated by Philippe Antoine 5 months ago

  • Related to Task #6443: Suricon 2023 brainstorm added
Actions #10

Updated by Philippe Antoine 5 months ago

Actions

Also available in: Atom PDF