Task #5666
open
rules: help to visualize how a Suricata rule matches (different contents/offsets)
Added by Philippe Antoine about 2 years ago.
Updated about 1 year ago.
Description
Have a Wireshark module/plugin that helps to visualize how a Suricata rule matches its different contents / pcres step by step
Related issues
4 (4 open — 0 closed)
- Related to Task #5488: Suricon 2022 brainstorm added
- Tracker changed from Optimization to Task
- Related to Task #4432: libsuricata: Wireshark plugin as an example added
How do you use gonids exactly?
- Subject changed from Rules : help to visualize how a Suricata rule matches (different contents/offsets) to rules: help to visualize how a Suricata rule matches (different contents/offsets)
The way I see this ticket work is a new eve event type like "rule trace" or something, that would dump the matching steps from the detection engine, logging:
- prefilters called
- rule keywords called
- content inspection step by step, including matching offsets, etc
This could then be used to construct the "story" of how a match (or a non-match) came to be, and it could be used to visualize outside of suri, like in Wireshark.
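As an added illustration of what such a step-by-step trace could record (example code written for this page, not Suricata's own code and not an existing eve event format), the constructed matcher below runs a rule's content checks in order, applying simplified offset/depth/distance/within windows, and logs the window and matching offset of each step; the function name, the content dict keys and the output shape are assumptions.

```python
import json

# Constructed example: a tiny content matcher that emits a "rule trace"
# (hypothetical event shape, not Suricata's eve output).  Semantics are
# simplified: offset/depth are absolute from the payload start, while
# distance/within are relative to the end of the previous content match,
# and a content must be fully contained in its window to count as a match.
def trace_contents(payload: bytes, contents: list) -> dict:
    """Return {"result": "match"|"no match", "steps": [...]} for the given payload.

    Each content is a dict with a "content" bytes value and optional
    "offset", "depth", "distance", "within" integer modifiers.
    """
    steps = []
    prev_end = 0  # end offset of the previous content match
    for idx, c in enumerate(contents):
        pat = c["content"]
        relative = c.get("distance") is not None or c.get("within") is not None
        if relative:
            start = prev_end + c.get("distance", 0)
            end = prev_end + c["within"] if c.get("within") is not None else len(payload)
        else:
            start = c.get("offset", 0)
            end = c["depth"] if c.get("depth") is not None else len(payload)
        # bytes.find(sub, start, end) only reports matches fully inside [start, end)
        pos = payload.find(pat, start, end)
        steps.append({
            "step": idx,
            "content": pat.decode("latin-1"),
            "relative": relative,
            "window": [start, end],
            "matched": pos != -1,
            "match_offset": pos if pos != -1 else None,
        })
        if pos == -1:
            return {"result": "no match", "steps": steps}
        prev_end = pos + len(pat)
    return {"result": "match", "steps": steps}


if __name__ == "__main__":
    # Constructed sample payload and a three-content rule body.
    payload = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    rule = [
        {"content": b"GET", "depth": 3},
        {"content": b"HTTP/1.1", "distance": 1},
        {"content": b"Host", "within": 8},
    ]
    print(json.dumps(trace_contents(payload, rule), indent=2))
```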
- Status changed from New to In Progress
- Assignee changed from OISF Dev to Victor Julien
I have some very crude code for this around the "content inspection" code.
- Related to Task #6443: Suricon 2023 brainstorm added